feat: setup Gateway API

This commit is contained in:
Peter 2024-02-21 08:12:13 +01:00
parent ba06d96a2c
commit 80721ce1da
Signed by: prskr
GPG key ID: F56BED6903BC5E37
75 changed files with 20990 additions and 1271 deletions

View file

@ -0,0 +1,2 @@
extraArgs:
- --feature-gates=ExperimentalGatewayAPISupport=true

View file

@ -1,20 +1,7 @@
--- ---
coder: coder:
ingress: ingress:
enable: true enable: false
host: ide.icb4dc0.de
wildcardHost: "*.ide.icb4dc0.de"
annotations:
gethomepage.dev/description: Remote IDE
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: coder.png
gethomepage.dev/name: Coder
cert-manager.io/cluster-issuer: letsencrypt-production
tls:
enable: true
secretName: coder-ingress-tls
wildcardSecretName: coder-wildcard-ingress-tls
env: env:
- name: CODER_WILDCARD_ACCESS_URL - name: CODER_WILDCARD_ACCESS_URL
value: '*.ide.icb4dc0.de' value: '*.ide.icb4dc0.de'

View file

@ -5,13 +5,14 @@ namespace: coder
resources: resources:
- "resources/namespace.yaml" - "resources/namespace.yaml"
- "resources/http_routes.yaml"
helmCharts: helmCharts:
- name: coder - name: coder
repo: https://helm.coder.com/v2 repo: https://helm.coder.com/v2
releaseName: coder releaseName: coder
namespace: coder namespace: coder
version: "2.8.2" version: "2.8.3"
valuesFile: config/values.coder.yml valuesFile: config/values.coder.yml
skipTests: true skipTests: true

View file

@ -0,0 +1,51 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: coder-http
spec:
parentRefs:
- name: contour
sectionName: http
namespace: projectcontour
hostnames:
- ide.icb4dc0.de
- "*.ide.icb4dc0.de"
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: coder-https
spec:
parentRefs:
- name: contour
sectionName: https
namespace: projectcontour
hostnames:
- ide.icb4dc0.de
rules:
- backendRefs:
- name: coder
port: 80
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: coder-https-wildcard
spec:
parentRefs:
- name: contour
sectionName: coder-port-forwards
namespace: projectcontour
hostnames:
- "*.ide.icb4dc0.de"
rules:
- backendRefs:
- name: coder
port: 80

8527
contour/crds/contour.yaml Normal file

File diff suppressed because it is too large Load diff

11763
contour/crds/gateway.yaml Normal file

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,20 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: projectcontour
images:
- name: contour
newName: ghcr.io/projectcontour/contour
newTag: v1.28.1
resources:
- crds/contour.yaml
- crds/gateway.yaml
- resources/namespace.yaml
- resources/rbac/service_account.yaml
- resources/rbac/roles.yaml
- resources/rbac/role_bindings.yaml
- resources/gateway_provisioner.yaml
- resources/gateway_class.yaml
- resources/default_gateway.yaml

View file

@ -0,0 +1,50 @@
---
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1
metadata:
name: contour
namespace: projectcontour
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
spec:
gatewayClassName: contour
listeners:
- name: ssh
protocol: TCP
port: 22
allowedRoutes:
kinds:
- kind: TCPRoute
namespaces:
from: All
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: All
- name: https
hostname: "*.icb4dc0.de"
port: 443
protocol: HTTPS
allowedRoutes:
namespaces:
from: All
tls:
mode: Terminate
certificateRefs:
- name: wildcard-icb4dc0-de
- name: coder-port-forwards
hostname: "*.ide.icb4dc0.de"
port: 443
protocol: HTTPS
allowedRoutes:
namespaces:
from: Selector
selector:
matchLabels:
kubernetes.io/metadata.name: coder
tls:
mode: Terminate
certificateRefs:
- name: coder-port-forwards

View file

@ -0,0 +1,6 @@
kind: GatewayClass
apiVersion: gateway.networking.k8s.io/v1
metadata:
name: contour
spec:
controllerName: projectcontour.io/gateway-controller

View file

@ -0,0 +1,39 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
control-plane: contour-gateway-provisioner
name: contour-gateway-provisioner
namespace: projectcontour
spec:
replicas: 1
selector:
matchLabels:
control-plane: contour-gateway-provisioner
template:
metadata:
labels:
control-plane: contour-gateway-provisioner
spec:
containers:
- args:
- gateway-provisioner
- --metrics-addr=127.0.0.1:8080
- --enable-leader-election
command: ["contour"]
image: contour
imagePullPolicy: Always
name: contour-gateway-provisioner
resources:
requests:
cpu: 100m
memory: 70Mi
env:
- name: CONTOUR_PROVISIONER_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
serviceAccountName: contour-gateway-provisioner
terminationGracePeriodSeconds: 10

View file

@ -2,6 +2,6 @@
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: homepage name: projectcontour
labels: labels:
prometheus: default prometheus: default

View file

@ -0,0 +1,27 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: contour-gateway-provisioner-leader-election
namespace: projectcontour
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: contour-gateway-provisioner
subjects:
- kind: ServiceAccount
name: contour-gateway-provisioner
namespace: projectcontour
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: contour-gateway-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: contour-gateway-provisioner
subjects:
- kind: ServiceAccount
name: contour-gateway-provisioner
namespace: projectcontour

View file

@ -0,0 +1,214 @@
# The following ClusterRole and Role are generated from kubebuilder RBAC tags by
# generate-rbac.sh. Do not edit this file directly but instead edit the source
# files and re-render.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: contour-gateway-provisioner
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- namespaces
- secrets
- services
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- update
- apiGroups:
- ""
resources:
- secrets
- serviceaccounts
- services
verbs:
- create
- delete
- get
- list
- update
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- daemonsets
- deployments
verbs:
- create
- delete
- get
- list
- update
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- backendtlspolicies
- gatewayclasses
- gateways
- grpcroutes
- httproutes
- referencegrants
- tcproutes
- tlsroutes
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- backendtlspolicies/status
- gatewayclasses/status
- gateways/status
- grpcroutes/status
- httproutes/status
- tcproutes/status
- tlsroutes/status
verbs:
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses
- gateways
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses/status
- gateways/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- create
- get
- update
- apiGroups:
- projectcontour.io
resources:
- contourconfigurations
verbs:
- create
- delete
- get
- list
- update
- watch
- apiGroups:
- projectcontour.io
resources:
- contourconfigurations
- extensionservices
- httpproxies
- tlscertificatedelegations
verbs:
- get
- list
- watch
- apiGroups:
- projectcontour.io
resources:
- contourconfigurations/status
- extensionservices/status
- httpproxies/status
verbs:
- create
- get
- update
- apiGroups:
- projectcontour.io
resources:
- contourdeployments
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- clusterroles
- rolebindings
- roles
verbs:
- create
- delete
- get
- list
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: contour-gateway-provisioner
namespace: projectcontour
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update

View file

@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: contour-gateway-provisioner
namespace: projectcontour

1
drone/.gitignore vendored
View file

@ -1 +0,0 @@
charts/

View file

@ -1,29 +0,0 @@
image:
tag: 1.8.3
replicaCount: 4
extraSecretNamesForEnvFrom:
- drone-runner-secrets
env:
DRONE_RUNNER_PRIVILEGED_IMAGES: code.icb4dc0.de/inetmock/inetmock
DRONE_RPC_HOST: drone.drone.svc.cluster.local:8080
DRONE_RPC_PROTO: http
DRONE_RUNNER_CAPACITY: 1
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- drone-runner-docker
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/arch: arm64

View file

@ -1,27 +0,0 @@
image:
tag: 1.8.3
extraSecretNamesForEnvFrom:
- drone-runner-secrets
env:
DRONE_RUNNER_PRIVILEGED_IMAGES: code.icb4dc0.de/inetmock/inetmock
DRONE_RPC_HOST: drone.drone.svc.cluster.local:8080
DRONE_RPC_PROTO: http
DRONE_RUNNER_CAPACITY: 1
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- drone-runner-docker
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/arch: amd64

View file

@ -1,44 +0,0 @@
image:
tag: 2.20.0
ingress:
enabled: true
annotations:
gethomepage.dev/description: CI/CD system
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: drone.png
gethomepage.dev/name: Drone CI/CD
hosts:
- host: drone.icb4dc0.de
paths:
- path: /
pathType: Prefix
service:
port: 8080
persistentVolume:
enabled: false
extraSecretNamesForEnvFrom:
- drone-secrets
env:
## REQUIRED: Set the user-visible Drone hostname, sans protocol.
## Ref: https://docs.drone.io/installation/reference/drone-server-host/
##
DRONE_SERVER_HOST: "drone.icb4dc0.de"
DRONE_SERVER_PROTO: https
DRONE_DATABASE_DRIVER: postgres
DRONE_GIT_ALWAYS_AUTH: true
DRONE_LOGS_DEBUG: true
DRONE_S3_ENDPOINT: https://2df513adaee2eeae12106af900bed297.r2.cloudflarestorage.com
DRONE_S3_BUCKET: drone
DRONE_S3_PATH_STYLE: true
DRONE_S3_SKIP_VERIFY: true
AWS_REGION: us-east-1
AWS_DEFAULT_REGION: us-east-1
DRONE_REDIS_CONNECTION: redis://drone-session-cache-keydb:6379

View file

@ -1,31 +0,0 @@
imageRepository: code.icb4dc0.de/prskr/infrastructure/keydb
imageTag: v6.3.2
podDisruptionBudget:
enabled: true
persistentVolume:
enabled: false
resources:
requests:
cpu: 10m
memory: 60Mi
limits:
cpu: 100m
memory: 128Mi
serviceMonitor:
enabled: true
labels:
prometheus: default
exporter:
enabled: true
imageTag: v1.51.0
resources:
requests:
cpu: 50m
memory: 50Mi
limits:
cpu: 150m
memory: 100Mi

View file

@ -1,40 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: drone
commonLabels:
app.kubernetes.io/instance: icb4dc0de
app.kubernetes.io/managed-by: kustomize
commonAnnotations:
"helm.sh/resource-policy": keep
helmCharts:
- name: keydb
repo: https://enapter.github.io/charts/
releaseName: drone-session-cache
namespace: nocodb
version: "0.48.0"
valuesFile: config/values.keydb.yaml
- name: drone
repo: https://charts.drone.io
releaseName: drone
namespace: drone
version: "0.6.5"
valuesFile: config/values.drone.yaml
- name: drone-runner-docker
repo: https://charts.drone.io
releaseName: drone-kube-runner-arm64
namespace: drone
version: "0.6.2"
valuesFile: config/values.drone-runner-arm64.yaml
- name: drone-runner-docker
repo: https://charts.drone.io
releaseName: drone-kube-runner-x86-64
namespace: drone
version: "0.6.2"
valuesFile: config/values.drone-runner-x86-64.yaml

View file

@ -1,20 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
app.kubernetes.io/instance: icb4dc0de
app.kubernetes.io/managed-by: kustomize
commonAnnotations:
"helm.sh/resource-policy": keep
resources:
- "base/"
- "resources/namespaces.yaml"
- "resources/sa.yaml"
- "resources/sa_secret.yaml"
- "resources/cluster_role.yaml"
- "resources/role_bindings.yaml"
generators:
- ./secret-generator.yaml

View file

@ -1,44 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: drone-deploy
rules:
- apiGroups: [""]
resources:
- secrets
- configmaps
- pods
- services
- persistentvolumeclaims
- serviceaccounts
verbs: ["*"]
- apiGroups: ["apps"]
resources:
- replicasets
- deployments
- statefulsets
verbs: ["*"]
- apiGroups: ["batch"]
resources:
- jobs
- cronjobs
verbs: ["*"]
- apiGroups: ["autoscaling"]
resources:
- horizontalpodautoscalers
verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
resources:
- ingresses
verbs: ["*"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources:
- roles
- rolebindings
verbs: ["*"]
- apiGroups: ["monitoring.coreos.com"]
resources:
- podmonitors
- servicemonitors
verbs: ["*"]

View file

@ -1,37 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: drone-runner-secrets
namespace: drone
type: Opaque
stringData:
DRONE_RPC_SECRET: ENC[AES256_GCM,data:HEXPjEhzVd32+DrxgsZUj3wSX21QCuMjHiwR1P+OhOI=,iv:DWcpdvoO5x3pAbAYtHPC0t8CCzUV6EHBeM5pwNxH/yw=,tag:oLRLwOmbNMsOD2NclOQwFg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldVdpMWV2eW85bzJ2aDQr
a0dQcEtZZHRvdG5iTGlBc1dQRFRLbVVoZEJVCkluZnFqTkZoL2p5QUdReWtHVFlE
bzhMMldBNG83TzlhTlZrL1dLRi82aEEKLS0tIDBka2xPN2E0ZE1ZN2RYUlNFcmZu
eURnd1RpYzZ4NmdRSUN3aXVYVDYwWVUKeUhg2fbE+L1Dr4re0kuJ0Lhhf38lJiZ3
7D0szVTlCoIcFQFMOUNwpNdYGuBkyXhJgpSpyUhIuPGE5gxkrLZI1g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYTWEyaWZXd3pSVFQ4NnV3
N3c2S2RUQTU1MDZwQ0tuVVk0bmxIU1NuY0hBCitQdE1JYm9MRjNrN2kzSmNOWUQ0
UCtZODZRaUhiTnhvSjBVUk94ZDFDWFkKLS0tIFo2bVlUbUFOUk9ESmdvKzkrQlY2
QzVTTjVsb0ovT1JNRUw2dXQrcnVJUm8KvQ4hyDw8ImxrSzn5qpo9xkkQnapDXwKl
lfV9wESEo23V5MO/ZMxGBl1S1RzR10abcwkuzpYNfDr5DW4wvKPdYA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-26T19:23:40Z"
mac: ENC[AES256_GCM,data:eFCDA4wsm056C1Vzjer5whxItNoZNk7w3c0VvcpIMN0qrP6u7vZjEezsrT9OGv/sh7DLvVRx6qmIKZ6tw8kc7cutZB7OqfqwYLTTkPcXbVPIwCubjc4LseyFeXGhPQmQH52c8SCtKM/Ft9WMdlE624mpACLUXp7aKvGuiRkwREs=,iv:Qbt+GkUyYeopknU+z4nQ96q6blmuKS3gShQ8GuZ/qFw=,tag:OpUHMsil1ij3FbWIe43FAQ==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1

View file

@ -1,45 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: drone-secrets
namespace: drone
type: Opaque
stringData:
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:HWUsFOc2tD8CnEm4m4+2nuynOOW6lbUrtROLaPNgkmI=,iv:pmfvhL69opyb/MPlLRNjhjid5ORtE/E1B2/tCdOJKIc=,tag:xUVez9qJc4eBR14HeHyYmA==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:skSkCr5p1YpNqeiwUz1zTUstRb9wbaSUVOzCgyLJxf9kKXWpPjQOQxve7s5m6iNhwgxICBmjNgxA6f2wYXrF2w==,iv:h/kNCcbYfXDGyH1oUz1A2Nfeb/AM92msQQ65YXHu+o4=,tag:xv7tm2PtVOCBtJ45K6H/QA==,type:str]
DRONE_COOKIE_SECRET: ENC[AES256_GCM,data:zG8FSKnxIRVk7cCbtIP6VC2tbM+FfjFcg5Y6mTE19Tw=,iv:Ac50qD8l7CwtGxFFITl/0dMq1McHbztU7320v4pPWFs=,tag:JZCwGhJ+NQ/pdpULMzI+pQ==,type:str]
DRONE_DATABASE_DATASOURCE: ENC[AES256_GCM,data:j5sqt/EpuGOHQH2p+kuwm/CYIxT0DviopKST2MrTpXR+Jh20NRgiq9CnYFTzCIHQZaSsO16b4Gyu0ViXgYSEK5t0j0QNnEjo8/z+ko6mOYEMyAbdAUuBmS9i/vbCb0HaXTpoTy3RG7Vjxif3WqDf,iv:b1rssEhX4K/cHNEytIuLW8NZaOPSnOokmhH+kBggyN8=,tag:Ns4lIcSWntsT1zpKMNd7cg==,type:str]
DRONE_DATABASE_SECRET: ENC[AES256_GCM,data:qSNVcSzH0y0pCY07Y3yDjfMaPZFtPWEmf3tqq076n7o=,iv:XNJaU2kQJeS7iMJyIoAkwzVS3QdqLAZy/FbE3VFvYXU=,tag:FPYbmgQ8/VSkMexXko+7Nw==,type:str]
DRONE_GITEA_CLIENT_ID: ENC[AES256_GCM,data:jTR4bxuyrxt5llnRDuBHnughiIyzKQ2JEylh16wjZDIyWrid,iv:NrUudI15R+ZiaL3M/k70Mdfm20aerCWjDs6R0MHC4Hc=,tag:kfX4fNcCP4Xy//V72WzDrg==,type:str]
DRONE_GITEA_CLIENT_SECRET: ENC[AES256_GCM,data:0t8swJmx5qSvx7q9GsuRU+FOfcKxelIzDm5u16Nypfrqf5m9CbqmT39Uibj1wL8dWwx04Xo4mxc=,iv:agqn9RVuDq9WXly1AvckabpIyOqyK+0E89u4iItKRn4=,tag:KZLQlq+61QZtFGY/CnlQ2w==,type:str]
DRONE_GITEA_SERVER: ENC[AES256_GCM,data:BgMZnIL6OM5r4N+L4RU9t8Pf2XOEMYA=,iv:4dbpEY3iCMmwEOPwp40VDkOIYUOfCkOnRXsmf9P/acE=,tag:1Vb6R/s+sK1UnZBIkZXxKQ==,type:str]
DRONE_RPC_SECRET: ENC[AES256_GCM,data:dyaF1jehSfCk+3lbuPffibwpXEQCggb1O7YRNu1Li7Q=,iv:wBlkUev6z1F9n+BjDfa5NAXjBbGm94AEfdUqiwrxUek=,tag:y66eOgLjTnYA3ZYFgWMKTg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHUXdoTlVUYW1kSEp1eVF6
OFVUbndGRjEvR0ppOW94K2ZEekpCTjNXQlU4ClpsRkVKd2JSTldacm9Ddm9OZ2N0
Q0dtRUpTMmdIZkRwaDBHNUpmbG1Wbk0KLS0tIHM2OW9MYUord0pTT1ZRSXQvLzlN
VWR5WmNSTUF4MWNnVW5kQnBKUVZWNkkKErKeKJge7brrhxxZqlE7SOxQVcRczPhH
yd/bmsHwg84yOOsJejwXTMAmZcEns6qIHpq6PE7icqnsm40H6Ms1zQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RGhBQmZxY3BVK1JyY2JF
SUZDbUpQbUliQUpGM0VPQ3J3Y2txNXVVZlU0Ck1KY0NoM3IycUNPV0pkeWliVVNM
KzA5a0trQTN2ZDFmZUV3ZnlNVFF5K0kKLS0tIGdJWFJrNUU4UHFZSnNCMWMwSW5S
VGN1VEJlL3RxOXVwNmo3RTk4aUhEb1EKtAHu3KqQ7EH7SQE/Dvc6gfuSmkcsy3+c
1xxDYh69cMHkV3q4Wfnqg/DyWUq6D7OE4tVAuzNfo1SzZuBHXXCdQQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-08T18:21:47Z"
mac: ENC[AES256_GCM,data:Lblzygh5+S25J2c1bH+hlKE9DGkmYAzI+BcBfpoLs3uB16NIyIku833XN0jEerpxINSiJMClLBVzZ2uKCpDCfcxxz0rJIldtoUqOzKtxTtcziMt6VXoG3h5m9pPbILzGU27uzo/D7E9SbXAUAmTGYsEFLx/R7bZYWMCdhgCOO0I=,iv:tnjm+xhTCie9W8LPG4MYCK3KNMZBa8TJPmzpYxZ0HQc=,tag:R4W/OU/aNCz5S7pXHjIWbg==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1

View file

@ -1,28 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: drone
labels:
prometheus: default
---
apiVersion: v1
kind: Namespace
metadata:
name: inetmock
labels:
prometheus: default
---
apiVersion: v1
kind: Namespace
metadata:
name: blog
labels:
prometheus: default
---
apiVersion: v1
kind: Namespace
metadata:
name: buildr
labels:
prometheus: default

View file

@ -1,42 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: drone-deploy-blog
namespace: blog
subjects:
- kind: ServiceAccount
name: drone-deploy
namespace: drone
roleRef:
kind: ClusterRole
name: drone-deploy
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: drone-deploy-inetmock
namespace: inetmock
subjects:
- kind: ServiceAccount
name: drone-deploy
namespace: drone
roleRef:
kind: ClusterRole
name: drone-deploy
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: drone-deploy-buildr
namespace: buildr
subjects:
- kind: ServiceAccount
name: drone-deploy
namespace: drone
roleRef:
kind: ClusterRole
name: drone-deploy
apiGroup: rbac.authorization.k8s.io

View file

@ -1,6 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: drone-deploy
namespace: drone

View file

@ -1,9 +0,0 @@
---
apiVersion: v1
kind: Secret
metadata:
name: drone-deploy
namespace: drone
annotations:
kubernetes.io/service-account.name: drone-deploy
type: kubernetes.io/service-account-token

View file

@ -1,12 +0,0 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
# Specify a name
name: drone-secrets-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./resources/drone-secrets.enc.yaml
- ./resources/drone-runner-secrets.enc.yaml

View file

@ -19,6 +19,11 @@ spec:
image: external-dns image: external-dns
args: args:
- --source=ingress - --source=ingress
- --source=gateway-httproute
- --source=gateway-tlsroute
- --source=gateway-tcproute
- --source=gateway-udproute
- --gateway-namespace=projectcontour
- --domain-filter=icb4dc0.de - --domain-filter=icb4dc0.de
- --zone-id-filter=ee5cd581559fcf20384856ed5b1b2f0b - --zone-id-filter=ee5cd581559fcf20384856ed5b1b2f0b
- --provider=cloudflare - --provider=cloudflare

View file

@ -4,7 +4,7 @@ metadata:
name: external-dns name: external-dns
rules: rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["services","endpoints","pods"] resources: ["services","endpoints","pods", "namespaces"]
verbs: ["get","watch","list"] verbs: ["get","watch","list"]
- apiGroups: ["extensions","networking.k8s.io"] - apiGroups: ["extensions","networking.k8s.io"]
resources: ["ingresses"] resources: ["ingresses"]
@ -12,3 +12,6 @@ rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["nodes"] resources: ["nodes"]
verbs: ["list", "watch"] verbs: ["list", "watch"]
- apiGroups: ["gateway.networking.k8s.io"]
resources: ["gateways","httproutes","tlsroutes","tcproutes","udproutes"]
verbs: ["get","watch","list"]

View file

@ -1,32 +1,11 @@
image: image:
rootless: true rootless: true
service:
ssh:
type: NodePort
nodePort: 32022
strategy: strategy:
type: Recreate type: Recreate
ingress: ingress:
enabled: true enabled: false
annotations:
gethomepage.dev/description: where to code goes to
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: forgejo.png
gethomepage.dev/name: Forgejo
cert-manager.io/cluster-issuer: letsencrypt-production
hosts:
- host: code.icb4dc0.de
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- code.icb4dc0.de
secretName: forgejo-ingress-tls
resources: resources:
limits: limits:

View file

@ -15,6 +15,7 @@ images:
newTag: "nightly" newTag: "nightly"
resources: resources:
- resources/routes.yaml
- resources/dragonfly.yml - resources/dragonfly.yml
- resources/runners/act-runner-arm64.yaml - resources/runners/act-runner-arm64.yaml
- resources/runners/act-runner-amd64.yaml - resources/runners/act-runner-amd64.yaml

View file

@ -0,0 +1,48 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: forgejo-http
spec:
parentRefs:
- name: contour
sectionName: http
namespace: projectcontour
hostnames:
- code.icb4dc0.de
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: forgejo-https
spec:
parentRefs:
- name: contour
sectionName: https
namespace: projectcontour
hostnames:
- code.icb4dc0.de
rules:
- backendRefs:
- name: forgejo-http
port: 3000
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
name: forgejo-ssh
spec:
parentRefs:
- name: contour
sectionName: ssh
namespace: projectcontour
rules:
- backendRefs:
- name: forgejo-ssh
port: 22

1
ghostcms/.gitignore vendored
View file

@ -1 +0,0 @@
charts/

View file

@ -1,33 +0,0 @@
imageRepository: code.icb4dc0.de/prskr/infrastructure/keydb
imageTag: v6.3.3
nodes: 3
podDisruptionBudget:
enabled: true
persistentVolume:
enabled: false
resources:
requests:
cpu: 50m
memory: 100Mi
limits:
cpu: 250m
memory: 256Mi
exporter:
enabled: true
imageTag: v1.51.0
resources:
requests:
cpu: 50m
memory: 50Mi
limits:
cpu: 150m
memory: 100Mi
serviceMonitor:
enabled: true
labels:
prometheus: default

View file

@ -1,32 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: ghostcms
images:
- name: ghostcms
newName: docker.io/ghost
newTag: 5.79.3-alpine
commonLabels:
app.kubernetes.io/instance: icb4dc0de
app.kubernetes.io/managed-by: kustomize
resources:
- resources/namespace.yaml
- resources/db.yaml
- resources/pvc.yaml
- resources/deployment.yaml
- resources/service.yaml
- resources/ingress.yaml
generators:
- ./secret-generator.yaml
helmCharts:
- name: keydb
repo: https://enapter.github.io/charts/
releaseName: ghostcms-keydb
namespace: ghostcms
version: "0.48.0"
valuesFile: config/values.keydb.yaml

View file

@ -1,41 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: ghostcms-secret-config
type: Opaque
stringData:
database__client: ENC[AES256_GCM,data:sr6EfhI=,iv:pOo9u6/twN/F7O9B2TDoB5Zs5FC60vyLYtvJVDMUtV0=,tag:v2CLpeiV5CVzLK7pKAFbKA==,type:str]
database__connection__host: ENC[AES256_GCM,data:f8eQyV/1OvXQdHs/DtW6q1NbHqLIqbMi,iv:F0ChUjxJunyuKG2hKwHjylaHTDLA9SgMNMMX93aHo7c=,tag:4DcCiD1JRSqPd/KQSsyHsg==,type:str]
database__connection__user: ENC[AES256_GCM,data:zq6qSDV2N18=,iv:Pdt16Av6sw6iAEBPDu6W06AFsgBq7wkhTaxkyQahhac=,tag:RJesMhyVRK5VFFsJQsWeoA==,type:str]
database__connection__password: ENC[AES256_GCM,data:irsrzl+G4+HHosntR8/Y6BEuHmi5WAJEsZf+jwzlsbo=,iv:29BoRix+4CpMIjcFKFFDXTxEaQjHwERUTvxWwUgkLas=,tag:WoB18ym4MxO20oAnqxP5GQ==,type:str]
database__connection__database: ENC[AES256_GCM,data:+tiIhcFt06I=,iv:kwX/n8+4LW5eKmST3wxhdvPcmZoxtEh6zJ+spbvccPM=,tag:ZlwXxLRfZ6XpGE3hRga/2g==,type:str]
url: ENC[AES256_GCM,data:iNCEULqcDoiGhvAA1y80mbL0+lOzCxo=,iv:lw+5Sk1tRPJFOqIKH1MaQn7RvG02Hg0kmLTIT7JSeNE=,tag:vGNQVyRrnu1kBLYNEdNIzA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRkFMcWRyNE9tMU5NVkVs
UmNsSFVDN3k4SDJxK2tva1Rza2xuR2ExcUhVCndua28xNUZBaVlGeTJ0TG0xMlpo
cTB5ZTBkMzZ4NW03T1ZacmVGRnZMUXMKLS0tIEYyVGdMZlVCTHREdnBOR3h3NU4x
UzBWYXdMS3RadXpEQmN6cVBBUUpHWkUKugUfHbVc5+0597P5r8k8bAIcXHx2BfFe
DVdOoxLasWTXvz1GWTFuzvin3Z42GB9zCnjfzkEnwXbATwQy26MhaQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndE9JcHB5NWtBRDZLYTQ4
QXhJRG93bEtXYUlmRWhKWC93Mng2YUtDN2ljCmE3RklOdTN2dE42Q0RSc0djSXpX
UzBkdXRPVHJ2YUFDR0REeSt5YS9NNEUKLS0tIGJGR0pBWUp3Vm5tMVNneUtaQ1NB
UnE2NTVSSUp1OEVFVDd5bHJYOEZpaVkKqmw9GLZavqaPQOJjGhLqXo4ggfmFDgXz
C9HNxeDVr2kY452gleVS/YFTPWo0QPevl0SjpZg2gvnz28qLDSNXYQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-02T19:37:36Z"
mac: ENC[AES256_GCM,data:W1Q9cRmdgxtpREVPzbI9kF3wEFFkF9vWTek8n6sNEDyYd2sew9FQ0gaqoA2bSKro8ff4iLBpwChQIhM7AZbiw5CP0OjUZMWbcjw8YeJEwowIZ+jp3D4qrMuAfjdqhoAJf2G75RyWsChsRG2fPyQ0rVU0sPJf3haiA0MziZi97xM=,iv:yghPQbr5/CLZIeltIGPXYozs08KdcmypSOTO+OrZiHk=,tag:nIh+ntR5wcLJm2AihwhQ9A==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1

View file

@ -1,37 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: ghostcms-db-creds
type: Opaque
stringData:
root-password: ENC[AES256_GCM,data:tCCuYiHneNQMbWk9JYBOQT0fq+M3yjSJpg5MeMVl7Bw=,iv:EAX8seGBIUtaG2/S5SDUKYBkY57g4UKJdMFjCTBBZIs=,tag:giYe8hiyk8dSbcNT9fHJhQ==,type:str]
password: ENC[AES256_GCM,data:ae7q5C9RyPZJEpMSYc11Rdx0fgyxZSdW0QPrrhd4EXU=,iv:PZd/tVfoh3xetvov/BVdRPeev2MKRG+6uVLmi1YkHRA=,tag:H2fe2T0TWLV93yhcNheYhg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFREpwa1VjOHZOa1Rmc3M3
R001d0cxZjNYMUNLeGdxODlmMWI2bVVJd0RBCmxuOVl2cGg1dHpHU2tSMDJGSVpQ
TU5udWpEdjZZQVR5RnE3djFxZWcyRHMKLS0tICtCK1k5V0JTVy9PamViL3BtYTZk
WEo0RU5seTZvR2E2ZnhwdTNwUGF4K00KHItzwS/FL1N3iB5880SqBCAzogk2mvJo
frkb2ysHPA3e6mC/iYEJwENYTjHqi4tfkwYQmYErAFnNeD28690q1w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhaHJPb1FORk5NL2Q3Y2Fx
S3FzQjBmUmNTdVRiYkJqOE94THB6Q0ZwU3pzCmtLT0ZsZ2NEQVVVSy9IMFEyTnNN
QUVCQ1IxQjYvVGV5U1lHcUJveHk5ZU0KLS0tIFo5eWZIUzFma3BYWnlaZ08xVFkv
Y2YwMThRcUlTSVJmSDArbzdudGs3a1UKqfdWZlKDD3qsYAAKYts51XS41a52O5w1
Rivz1sRaMg7deBAMcERU9ACH7NmatWSTvehkKBWpGdkQuiGIcMCEBA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-31T14:40:10Z"
mac: ENC[AES256_GCM,data:mK71CK+Cp/BbobMrCr5nHpb/bdXQLFB1mxhq1vzw8FZqGQzvYQ2X5pQFeJe8Z3jOYBaR+EUIETdWnBqp7kpaci0QLYw7DnrANpAPmQxczyvITh2m1RNgkHiQxkzF7ywmmdQjr8jrm79p7viy488HLgyrCuiB5zcSW6Cu1D3RT+Y=,iv:Hsafop14fyk3cKpI9TJKHwBjVDR7v92vcHB72Qf14Nw=,tag:eM2QkUKJVN9h27ccw3Zt1w==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1

View file

@ -1,51 +0,0 @@
---
apiVersion: mariadb.mmontes.io/v1alpha1
kind: MariaDB
metadata:
name: ghostcms-db
spec:
rootPasswordSecretKeyRef:
name: ghostcms-db-creds
key: root-password
image: mariadb:11.1.2
port: 3306
database: ghostcms
username: ghostcms
passwordSecretKeyRef:
name: ghostcms-db-creds
key: password
volumeClaimTemplate:
storageClassName: hcloud-volumes
resources:
requests:
storage: 10Gi
accessModes:
- ReadWriteOnce
securityContext:
allowPrivilegeEscalation: false
livenessProbe:
exec:
command:
- bash
- -c
- mariadb -u root -p"${MARIADB_ROOT_PASSWORD}" -e "SELECT 1;"
initialDelaySeconds: 20
periodSeconds: 10
timeoutSeconds: 5
readinessProbe:
exec:
command:
- bash
- -c
- mariadb -u root -p"${MARIADB_ROOT_PASSWORD}" -e "SELECT 1;"
initialDelaySeconds: 20
periodSeconds: 10
timeoutSeconds: 5

View file

@ -1,69 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ghostcms
spec:
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: ghostcms
template:
metadata:
labels:
app.kubernetes.io/name: ghostcms
spec:
initContainers:
- name: plugins
image: ghostcms
imagePullPolicy: Always
command:
- /bin/ash
- -c
- '-'
args:
- |
if [ ! -d "/var/lib/ghost/content/adapters/storage/s3" ]; then
npm install --prefix /tmp ghos3
mkdir -p /var/lib/ghost/content/adapters/storage/s3
cp -r /tmp/node_modules/ghos3/* /var/lib/ghost/content/adapters/storage/s3
fi
volumeMounts:
- name: ghost-content
mountPath: /var/lib/ghost/content
containers:
- name: ghostcms
image: ghostcms
imagePullPolicy: Always
envFrom:
- secretRef:
name: ghostcms-secret-config
ports:
- containerPort: 2368
env:
- name: NODE_ENV
value: production
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
capabilities:
drop:
- ALL
privileged: false
resources:
limits:
memory: "384Mi"
cpu: "100m"
volumeMounts:
- name: ghost-content
mountPath: /var/lib/ghost/content
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsUser: 1000
runAsNonRoot: true
volumes:
- name: ghost-content
persistentVolumeClaim:
claimName: ghost-content

View file

@ -1,23 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ghostcms
annotations:
gethomepage.dev/description: GhostCMS blog
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: ghost.png
gethomepage.dev/name: GhostCMS
spec:
rules:
- host: blog.icb4dc0.de
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: ghostcms
port:
number: 2368

View file

@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: ghostcms
labels:
prometheus: default

View file

@ -1,13 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: ghost-content
spec:
storageClassName: hcloud-volumes
resources:
requests:
storage: 10Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce

View file

@ -1,12 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: ghostcms
spec:
selector:
app.kubernetes.io/name: ghostcms
ports:
- protocol: TCP
port: 2368
targetPort: 2368

View file

@ -1,12 +0,0 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
# Specify a name
name: ghostcms-secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./resources/db-cred.enc.yaml
- ./resources/creds.enc.yaml

View file

@ -18,7 +18,7 @@ resources:
- "resources/namespace.yaml" - "resources/namespace.yaml"
- "resources/deployment.yaml" - "resources/deployment.yaml"
- "resources/service.yaml" - "resources/service.yaml"
- "resources/ingress.yaml" - "resources/http_routes.yaml"
generators: generators:
- ./secret-generator.yaml - ./secret-generator.yaml

View file

@ -0,0 +1,34 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: hedgedoc-http
spec:
parentRefs:
- name: contour
sectionName: http
namespace: projectcontour
hostnames:
- md.icb4dc0.de
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: hedgedoc-https
spec:
parentRefs:
- name: contour
sectionName: https
namespace: projectcontour
hostnames:
- md.icb4dc0.de
rules:
- backendRefs:
- name: hedgedoc
port: 3000

View file

@ -1,28 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hedgedoc
annotations:
gethomepage.dev/description: Markdown scratch pad
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: https://md.icb4dc0.de/icons/android-chrome-192x192.png
gethomepage.dev/name: HedgeDoc
cert-manager.io/cluster-issuer: letsencrypt-production
spec:
rules:
- host: md.icb4dc0.de
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: hedgedoc
port:
number: 3000
tls:
- hosts:
- md.icb4dc0.de
secretName: hedgedoc-ingress-tls

View file

@ -1,11 +0,0 @@
OAUTH2_PROXY_PROVIDER=github
OAUTH2_PROXY_PROVIDER_DISPLAY_NAME=Forgejo
OAUTH2_PROXY_REDIRECT_URL=https://home.icb4dc0.de/oauth2/callback
OAUTH2_PROXY_LOGIN_URL=https://code.icb4dc0.de/login/oauth/authorize
OAUTH2_PROXY_REDEEM_URL=https://code.icb4dc0.de/login/oauth/access_token
OAUTH2_PROXY_VALIDATE_URL=https://code.icb4dc0.de/api/v1/user
OAUTH2_PROXY_REVERSE_PROXY=true
OAUTH2_PROXY_UPSTREAMS=http://127.0.0.1:3000
OAUTH2_PROXY_EMAIL_DOMAINS=*
OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:3001
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true

View file

@ -1,36 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: homepage
images:
- name: homepage
newName: ghcr.io/gethomepage/homepage
newTag: "v0.8.8"
- name: oauth2-proxy
newName: quay.io/oauth2-proxy/oauth2-proxy
newTag: v7.6.0
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/instance: icb4dc0de
app.kubernetes.io/managed-by: kustomize
resources:
- "resources/namespace.yaml"
- "resources/sa.yaml"
- "resources/sa_secret.yaml"
- "resources/cluster_role.yaml"
- "resources/cluster_role_binding.yaml"
- "resources/deployment.yaml"
- "resources/service.yaml"
- "resources/ingress.yaml"
generators:
- ./secret-generator.yaml
secretGenerator:
- name: oauth2-proxy-base-config
envs:
- "config/oauth2-proxy.env"

View file

@ -1,49 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: homepage
labels:
app.kubernetes.io/name: homepage
rules:
- apiGroups:
- ""
resources:
- namespaces
- pods
- nodes
verbs:
- get
- list
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- apiGroups:
- traefik.containo.us
resources:
- ingressroutes
- ingressroutes/status
verbs:
- get
- list
- apiGroups:
- metrics.k8s.io
resources:
- nodes
- pods
verbs:
- get
- list
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
- customresourcedefinitions/status
verbs:
- get
- list

View file

@ -1,15 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: homepage
labels:
app.kubernetes.io/name: homepage
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: homepage
subjects:
- kind: ServiceAccount
name: homepage
namespace: default

View file

@ -1,43 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: homepage-config
type: Opaque
stringData:
bookmarks.yaml: ENC[AES256_GCM,data:EpNhM/Uaoo/zGpsbsrmLvNSSAplc1pUrOA1LP2wZY4zh3fgHc/f47e95j59Wa9YScGbEx3/+nzUbvQmW2i1zjV+9pLQRcBg6RsBWhRcwLlmcTA==,iv:5pxGhroFCqv1jaDQY0FZN1ReJ3H6HSrdaQFWzekKczU=,tag:ebhZM3Ux5SwbXupEA+qsHw==,type:str]
custom.css: ""
custom.js: ""
docker.yaml: ""
kubernetes.yaml: ENC[AES256_GCM,data:I+/V1rEWrQ5AH7mt8g==,iv:hMiXMxRKXLaJItecxULvDkzV0pdF1VwridsfgvG6pKU=,tag:9c9lLvSsHPqPZnBbWcm0/Q==,type:str]
services.yaml: ENC[AES256_GCM,data:3d8SWZ/mmKnAkaC3IHpsuz8pbB2+XA5dKb+skTbpnxOhJmEHpTVpzEPS7s7AdaPZbuHPSN2HMgURKF3/tgwNSje7a20W+ApUc1nNfqBnCldzz14gVJp9X4JVtY/9COc3lmSBgkFoQTv/HmLlxtIps3eYfUU2lfabZiMMYWKKvJ9kpIDamsQCwmwP2w/scf5bUXs7xmmq7tLZHuEY4R3e1cuZrlukF3ZhIyIugCb6G7J8zAPZxMnaQ+shewLaRijcPqk+Oj8GgucPnr8IGLC83QXpbbE5XhSCYNNSWYDXyDukuBoulQuzJTR3UfmmdiqKCT+U2m06p+JeEnXOtOe0ovjMc/cb2e9UruBp4NqMBKw0ZaXKJBb4dRkDgBr8KZm5iHFFqO9b6aVDQR8g/CB4dMJ+2F6uXf2nGdEoMTW9x3Jdzgssvu1E8GIGA69l5CaDfY02n1s9pJQnSewK5oft2f9VKKbXVZ+C3Hbvfo/hLi6hGQCuwLYABPYfSlTXbc4w1mNHjMH79axO0lQfra3RPHdl9zfLc8yvaAMn4JGSb4m4yk/85ymX46QHrQL7OWoM8zpiknCrbRmty9hSRQ0j2IoKXBeZf/xuzhukZqJbJztfOs7RrALZg33z/U/xmGnNdTKVpBf3gF6Oltvt1alzfnWSjpBUAgpVtpUdXPtqm7EiCCwDbk7qWGm/hJpY9gfl+GLRZ5iieUroycGahqFMJV3u20/DD8vAjf1H30a1uenDfmiEqdqRCUFndsY/hWAMik+dZKu1RBrWNp1v/CJqxJ8=,iv:KBXZ45bV9tosXm8isbs+twA9ghQ5T++6NUOt+zzaC/4=,tag:19ivPWPlJP8kI2qeRUVvqw==,type:str]
settings.yaml: ENC[AES256_GCM,data:yvYu7VrWPeDZWEeiLCx7ow76HRgmEWVAfczOkZFlpc1Yrq5ASISiXhk=,iv:2s0Kz25YMh7yZ6CotJhFdLEiAbvEFYNzp3ghksbWm28=,tag:q1bl1+s24KGgj8N7cpEjVw==,type:str]
widgets.yaml: ENC[AES256_GCM,data:ph9yvrX38L1RqCi8L0fjPQF7BmNNksdBiZdhBUoomw+xjF+99Nn+fj6AQVo2WvFy8LKsx++lT36eAO1WJR4i1HvTjTcIPSzMcVeM7TxvEsNEX9ZVzxqaneo7w3/R6FcjnAHLqMbDya9oqmEVUkBiwXcfQevWEZLff0KLWBeDdH8ILRGY0DLwSteWw2bwnkhsJkUahMbNihA6x4aKGMTQwQjJOGlh8WGDEC9fvq+BVu0bfJ5Oqy4eO2pynI6sGdHlX30456puDFxhha3Hc/Okckoek2+G6CfMFC1u5NSfatqqSNaWmgRFtJlRkDuAoGupMQhlocKrlHWG9KyLwAp75PiK5/P1bu9+5YlkBHipiJMQaeqnh+3E7BRY/QL7Q4dsgVA1c+lRwgh2iY+6snWIlPfxGHYt5aJIPjdGynDZCS6lO5eUhjvRzYFDUjjVUhllLTwJodqTYBqZj3sqMnIjlV1AN0eKDilAD7A3ovMFGeFaqXAMkJ1qqTO98Q0EtqlC1m7TLnbuuYT24R3t7F35jvFMAkapIAoE4kTaChwq5FRwtWSf25IDXhfK0Yc30j9374fYZ6Hj95sf1GtRp/n2Hv9mVZ7RN13uelHJAqK+QBdIGNGLE7eamMhrOjcI8LkQMc7doMWsqgAFgdrZ1rp2HLayVa0cxCU7tTcJn2qCamTYFRquEO/oNaCwdNHTsKWH/phzEwz9BEz/c0vNEc0xLn3cXIUbwL0/C9DFyA+HHLNiAP/KkRAa+cWNnCyihkdSGTK82p9yiAZG74c+ZJPWFOi2XakTmSM=,iv:hUKLr3J6G660sUJbHx7y40q4sU2Zve64KAHdVxe8nGg=,tag:dIRk9SulLYfE0Th3eX12xA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIQVVaUUl4NjV6RkdpTzh3
WEZIR3hScC9RaDlHMnJscjdWN1RZMXVmSEhNCnZsUGtuOGV6MWVadHdZcGpjOU9j
UDNPNW1WRXdWT0Z3SndDeWkxWEQ5SkUKLS0tIEsrSXZyTHI5dmt2dktsZDFrTm92
VTVlZTNqUFR3eXNBVW1DMVVLSzZJSkUKPy0xO7yQuuy+fzngITe71drKxsRvZUoI
je3yUDNG0oNk/vVLityGc0p+4K0YBTCwQbNReEtG3gaNytcM75zcGw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3K2lNaUgvZjJqV3V5MzVy
ald4MTVIUWU1WG1ES1Yza0JhaWhFTDFCMVNnClRqajloVm51WnZsNG9SSGFDUG5S
YnZwZ2NGVlowaTJIcGtid0crVlZ2a2MKLS0tIHNuaEhtd3VXcDNKYzUxZjE1ZEkv
dWZHWXNNQlBIRTA1dFZXdXM1ZzlFSXMK3BJyrwoIRldG3lrGpNKiMA0QWNQA1jt1
zEqT2pgENYG8SZLXHKH3Ywrb9fNjHYPajLC6bYxkwTqTSIziNiwmaQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-25T19:41:17Z"
mac: ENC[AES256_GCM,data:bsjhBINLZxZUB+KUMKmJ1gFD+bkzZ9xSX0iClGRmBZb7dh2rMNPKjCfPGRdYkLEcVbREbbHYPgw74RrHYlc7cjDWiNQEB2i8xkPCScE5B8xQxmHQOIkWW4u2IR26vqPhslXI5ucYi9ojO6I5vrtbuIdxvVAdHUyqjNOz1o4/vFY=,iv:cwMx4ItAph0ETcJf6MJhIDd49eK7G7Bk9bGCksNhF0M=,tag:uv8Qd8jbnTRQKiz8BhXSOg==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1

View file

@ -1,74 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: homepage
labels:
app.kubernetes.io/name: homepage
spec:
revisionHistoryLimit: 3
replicas: 1
strategy:
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/name: homepage
template:
metadata:
labels:
app.kubernetes.io/name: homepage
spec:
serviceAccountName: homepage
automountServiceAccountToken: true
dnsPolicy: ClusterFirst
enableServiceLinks: true
containers:
- name: homepage
image: homepage
volumeMounts:
- mountPath: /app/config
name: homepage-config
readOnly: true
- mountPath: /app/config/logs
name: logs
resources:
requests:
memory: 256Mi
cpu: 100m
limits:
memory: 512Mi
cpu: 200m
- name: oauth2-proxy
image: oauth2-proxy
envFrom:
- secretRef:
name: oauth2-proxy-base-config
- secretRef:
name: oauth2-proxy-secret-config
ports:
- name: http
containerPort: 3001
protocol: TCP
resources:
requests:
memory: 50Mi
cpu: 10m
limits:
memory: 100Mi
cpu: 20m
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- arm64
volumes:
- name: homepage-config
secret:
secretName: homepage-config
- name: logs
emptyDir: {}

View file

@ -1,30 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: homepage
labels:
app.kubernetes.io/name: homepage
annotations:
gethomepage.dev/description: THE home page
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: homepage.png
gethomepage.dev/name: Homepage
cert-manager.io/cluster-issuer: letsencrypt-production
spec:
rules:
- host: "home.icb4dc0.de"
http:
paths:
- path: "/"
pathType: Prefix
backend:
service:
name: homepage
port:
number: 3000
tls:
- hosts:
- "home.icb4dc0.de"
secretName: homepage-ingress-tls

View file

@ -1,9 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: homepage
labels:
app.kubernetes.io/name: homepage
secrets:
- name: homepage

View file

@ -1,10 +0,0 @@
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: homepage
labels:
app.kubernetes.io/name: homepage
annotations:
kubernetes.io/service-account.name: homepage

View file

@ -1,16 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: homepage
labels:
app.kubernetes.io/name: homepage
annotations: {}
spec:
type: ClusterIP
ports:
- port: 3000
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: homepage

View file

@ -1,11 +0,0 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
# Specify a name
name: homepage-config-secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./resources/config.enc.yaml

View file

@ -17,7 +17,7 @@ resources:
- "resources/namespace.yaml" - "resources/namespace.yaml"
- "resources/deployment.yaml" - "resources/deployment.yaml"
- "resources/service.yaml" - "resources/service.yaml"
- "resources/ingress.yaml" - "resources/http_routes.yaml"
generators: generators:
- ./secret-generator.yaml - ./secret-generator.yaml

View file

@ -0,0 +1,34 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: linkwarden-http
spec:
parentRefs:
- name: contour
sectionName: http
namespace: projectcontour
hostnames:
- links.icb4dc0.de
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: linkwarden-https
spec:
parentRefs:
- name: contour
sectionName: https
namespace: projectcontour
hostnames:
- links.icb4dc0.de
rules:
- backendRefs:
- name: linkwarden
port: 3000

View file

@ -1,28 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: linkwarden
annotations:
gethomepage.dev/description: Store links to find them later
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: linkwarden.png
gethomepage.dev/name: Linkwarden
cert-manager.io/cluster-issuer: letsencrypt-production
spec:
rules:
- host: links.icb4dc0.de
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: linkwarden
port:
number: 3000
tls:
- hosts:
- links.icb4dc0.de
secretName: linkwarden-ingress-tls

View file

@ -19,7 +19,7 @@ resources:
- resources/pvc.yaml - resources/pvc.yaml
- resources/deployment.yaml - resources/deployment.yaml
- resources/service.yaml - resources/service.yaml
- resources/ingress.yaml - resources/http_routes.yaml
generators: generators:
- ./secret-generator.yaml - ./secret-generator.yaml

View file

@ -0,0 +1,34 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: nocodb-http
spec:
parentRefs:
- name: contour
sectionName: http
namespace: projectcontour
hostnames:
- noco.icb4dc0.de
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: nocodb-https
spec:
parentRefs:
- name: contour
sectionName: https
namespace: projectcontour
hostnames:
- noco.icb4dc0.de
rules:
- backendRefs:
- name: nocodb
port: 8080

View file

@ -1,28 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nocodb
annotations:
gethomepage.dev/description: Data workspace
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: nocodb.png
gethomepage.dev/name: NocoDB
cert-manager.io/cluster-issuer: letsencrypt-production
spec:
rules:
- host: noco.icb4dc0.de
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: nocodb
port:
number: 8080
tls:
- hosts:
- noco.icb4dc0.de
secretName: nocodb-ingress-tls

View file

@ -19,7 +19,7 @@ resources:
- "resources/pvc.yaml" - "resources/pvc.yaml"
- "resources/deployment.yaml" - "resources/deployment.yaml"
- "resources/service.yaml" - "resources/service.yaml"
- "resources/ingress.yaml" - "resources/http_routes.yaml"
generators: generators:

View file

@ -0,0 +1,34 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: vaultwarden-http
spec:
parentRefs:
- name: contour
sectionName: http
namespace: projectcontour
hostnames:
- pw.icb4dc0.de
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: vaultwarden-https
spec:
parentRefs:
- name: contour
sectionName: https
namespace: projectcontour
hostnames:
- pw.icb4dc0.de
rules:
- backendRefs:
- name: vaultwarden
port: 8080

View file

@ -1,28 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vaultwarden
annotations:
gethomepage.dev/description: Safe haven for all your secrets
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: vaultwarden.png
gethomepage.dev/name: Vaultwarden
cert-manager.io/cluster-issuer: letsencrypt-production
spec:
rules:
- host: pw.icb4dc0.de
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: vaultwarden
port:
number: 8080
tls:
- hosts:
- pw.icb4dc0.de
secretName: vaultwarden-ingress-tls

View file

@ -24,7 +24,7 @@ resources:
- resources/api/service.yaml - resources/api/service.yaml
- resources/ui/deployment.yaml - resources/ui/deployment.yaml
- resources/ui/service.yaml - resources/ui/service.yaml
- resources/ingress.yaml - resources/http_routes.yaml
generators: generators:
- ./secret-generator.yaml - ./secret-generator.yaml

View file

@ -0,0 +1,45 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: vikunja-http
spec:
parentRefs:
- name: contour
sectionName: http
namespace: projectcontour
hostnames:
- todo.icb4dc0.de
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: vikunja-https
spec:
parentRefs:
- name: contour
sectionName: https
namespace: projectcontour
hostnames:
- todo.icb4dc0.de
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: vikunja-ui
port: 8080
- matches:
- path:
type: PathPrefix
value: /api/v1
backendRefs:
- name: vikunja-api
port: 3456

View file

@ -1,35 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vikunja
annotations:
gethomepage.dev/description: ToDos
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: vikunja.png
gethomepage.dev/name: Vikunja
cert-manager.io/cluster-issuer: letsencrypt-production
spec:
rules:
- host: todo.icb4dc0.de
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: vikunja-ui
port:
number: 8080
- pathType: Prefix
path: /api/v1
backend:
service:
name: vikunja-api
port:
number: 3456
tls:
- hosts:
- todo.icb4dc0.de
secretName: vikunja-ingress-tls

View file

@ -18,7 +18,7 @@ resources:
- "resources/namespace.yaml" - "resources/namespace.yaml"
- "resources/deployment.yaml" - "resources/deployment.yaml"
- "resources/service.yaml" - "resources/service.yaml"
- "resources/ingress.yaml" - "resources/http_route.yaml"
generators: generators:
- ./secret-generator.yaml - ./secret-generator.yaml

View file

@ -0,0 +1,34 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: zipline-http
spec:
parentRefs:
- name: contour
sectionName: http
namespace: projectcontour
hostnames:
- share.icb4dc0.de
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: zipline-https
spec:
parentRefs:
- name: contour
sectionName: https
namespace: projectcontour
hostnames:
- share.icb4dc0.de
rules:
- backendRefs:
- name: zipline
port: 3000

View file

@ -1,28 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: zipline
annotations:
gethomepage.dev/description: Sharing is caring
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: zipline.png
gethomepage.dev/name: Zipline
cert-manager.io/cluster-issuer: letsencrypt-production
spec:
rules:
- host: share.icb4dc0.de
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: zipline
port:
number: 3000
tls:
- hosts:
- share.icb4dc0.de
secretName: zipline-ingress-tls