Merge branch 'refs/heads/main' into infra/renovate

2024-07-10 19:09:47 +10:00
parent 8bd91062fb ab95034ce7
commit 5f33617589
16 changed files with 465 additions and 125 deletions
--- a/kubernetes/apps/qbittorrent/app/ingress.yaml
+++ b/kubernetes/apps/qbittorrent/app/ingress.yaml
@@ -16,6 +16,6 @@ spec:
            path: "/"
            backend:
              service:
-                name: qbittorrent
+                name: qbittorrent-qbittorrent-web
                port:
                  number: 8888
--- a/kubernetes/infrastructure/grafana-dashboards/dashboards/8919-node-exporter-20240520.yaml
+++ b/kubernetes/infrastructure/grafana-dashboards/dashboards/8919-node-exporter-20240520.yaml
@@ -1,113 +0,0 @@
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  name: flask-consul
-  namespace: consul
-  labels:
-    app: flask-consul
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: flask-consul
-  template:
-    metadata:
-      labels:
-        app: flask-consul
-    spec:
-      initContainers:
-        - name: wait-for-consul
-          image: busybox
-          command:
-            - sh
-            - '-c'
-            - >-
-              for i in \$(seq 1 60); do nc -z -w3 consul 8500 && exit 0 ||
-              sleep 5; done; exit 1
-          imagePullPolicy: IfNotPresent
-      containers:
-        - name: flask-consul
-          image: 'edeedeeed/flask_consul:v0.1.0'
-          ports:
-            - name: http-2026
-              containerPort: 2026
-              protocol: TCP
-          env:
-            - name: admin_passwd
-              value: ${dashboard_8919_admin_passwd}
-            - name: consul_token
-              value: ${dashboard_8919_consul_token}
-            - name: consul_url
-              value: 'http://consul:8500/v1'
-            - name: log_level
-              value: INFO
-            - name: TZ
-              value: Australia/Sydney
-          imagePullPolicy: Always
-      restartPolicy: Always
---
-kind: Service
-apiVersion: v1
-metadata:
-  name: flask-consul
-  namespace: consul
-  labels:
-    app: flask-consul
-spec:
-  ports:
-    - name: http-2026
-      protocol: TCP
-      port: 2026
-      targetPort: 2026
-  selector:
-    app: flask-consul
-  type: ClusterIP
---
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  name: nginx-consul
-  namespace: consul
-  labels:
-    app: nginx-consul
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: nginx-consul
-  template:
-    metadata:
-      labels:
-        app: nginx-consul
-    spec:
-      containers:
-        - name: nginx-consul
-          image: 'nicholasjackson/nginx-consul:v0.1.0'
-          ports:
-            - name: http-1026
-              containerPort: 1026
-              protocol: TCP
-          env:
-            - name: TZ
-              value: Australia/Sydney
-          imagePullPolicy: Always
-      restartPolicy: Always
---
-kind: Service
-apiVersion: v1
-metadata:
-  name: nginx-consul
-  namespace: consul
-  labels:
-    app: consul
-spec:
-  ports:
-    - name: nginx-consul
-      protocol: TCP
-      port: 1026
-      targetPort: 1026
-      nodePort: 31026
-  selector:
-    app: nginx-consul
-  type: NodePort
-  externalTrafficPolicy: Cluster
--- a/kubernetes/infrastructure/grafana-dashboards/grafana-dashboards.yaml
+++ b/kubernetes/infrastructure/grafana-dashboards/grafana-dashboards.yaml
@@ -4,6 +4,7 @@ metadata:
  name: grafana-dashboards-secrets
  namespace: flux-system
 spec:
+  suspend: true
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
@@ -28,6 +29,7 @@ metadata:
  name: grafana-dashboards
  namespace: prometheus
 spec:
+  suspend: true
  interval: 10m
  timeout: 1m30s
  retryInterval: 30s
--- a/kubernetes/infrastructure/ingress-nginx/config/ingress-configmap.yaml
+++ b/kubernetes/infrastructure/ingress-nginx/config/ingress-configmap.yaml
@@ -4,13 +4,13 @@ metadata:
  name: tcp-services
  namespace: ingress-nginx
 data:
-  "53": "flux-system/adguard-home:53"
-  "853": "flux-system/adguard-home:853"
+  "53": "adguard-home/adguard-home:53"
+  "853": "adguard-home/adguard-home:853"
  "5432": "postgresql/postgresql-primary:5432"
  "5433": "postgresql/postgresql-replica:5432"
-  "5443": "flux-system/adguard-home:5443"
-  "6060": "flux-system/adguard-home:6060"
-  "8388": "qbittorrent/qbittorrent-torrent:8388"
+  "5443": "adguard-home/adguard-home:5443"
+  "6060": "adguard-home/adguard-home:6060"
+  "8388": "qbittorrent/qbittorrent-qbittorrent-torrent:8388"
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -18,9 +18,9 @@ metadata:
  name: udp-services
  namespace: ingress-nginx
 data:
-  "53": "flux-system/adguard-home:53"
-  "67": "flux-system/adguard-home:67"
-  "68": "flux-system/adguard-home:68"
-  "853": "flux-system/adguard-home:853"
-  "5443": "flux-system/adguard-home:5443"
-  "8388": "qbittorrent/qbittorrent-torrent:8388"
+  "53": "adguard-home/adguard-home:53"
+  "67": "adguard-home/adguard-home:67"
+  "68": "adguard-home/adguard-home:68"
+  "853": "adguard-home/adguard-home:853"
+  "5443": "adguard-home/adguard-home:5443"
+  "8388": "qbittorrent/qbittorrent-qbittorrent-torrent:8388"
--- a/kubernetes/infrastructure/kustomization.yaml
+++ b/kubernetes/infrastructure/kustomization.yaml
@@ -8,7 +8,9 @@ resources:
  - ./ingress-nginx/ingress-nginx.yaml
  - ./ingress-nginx/ingress-nginx-config.yaml
  - ./local-path-provisioner/local-path-provisioner.yaml
+  - ./logstash/logstash.yaml
  - ./minio/minio.yaml
+  - ./mongodb/mongodb.yaml
  - ./namespaces/namespaces.yaml
  - ./postgresql/postgresql.yaml
  - ./prometheus/prometheus.yaml
--- a/kubernetes/infrastructure/logstash/app/ingress.yaml
+++ b/kubernetes/infrastructure/logstash/app/ingress.yaml
@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: logstash-ingress
+  namespace: logstash
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "omada.logstash.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: logstash
+                port:
+                  number: 8008
+    - host: "monitor.omada.logstash.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: logstash
+                port:
+                  number: 9600
--- a/kubernetes/infrastructure/logstash/app/pipelines.yaml
+++ b/kubernetes/infrastructure/logstash/app/pipelines.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: logstash-pipelines
+  namespace: logstash
+data:
+  pipelines.yaml: |
+    - pipeline.id: omada
+      path.config: "/opt/bitnami/logstash/config/omada.conf"
+    - pipeline.id: misc
+      path.config: "/opt/bitnami/logstash/config/misc.conf"
+  omada.conf: |
+    input {
+      tcp {
+        port => 1514
+        type => syslog
+      }
+      udp {
+        port => 1514
+        type => syslog
+      }
+      http {
+        port => 8008
+      }
+    }
+    output {
+      s3 { 
+        access_key_id => ${omada_s3_access_key_id}
+        bucket => "logstash"
+        canned_acl => "bucket-owner-read"
+        endpoint => "http://minio.minio.svc.cluster.local:19000"
+        prefix => "omada/%{+YYYY}/%{+MM}/%{+dd}"
+        region: "ap-southeast-2"
+        secret_access_key => ${omada_s3_secret_access_key}
+        time_file => 60
+      }
+    }
+  misc.conf: |
+    input {
+      file {
+        path => "/tmp/misc"
+      }
+    }
+    output {
+      stdout { }
+    }
--- a/kubernetes/infrastructure/logstash/app/release.yaml
+++ b/kubernetes/infrastructure/logstash/app/release.yaml
@@ -0,0 +1,67 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: logstash
+  namespace: logstash
+spec:
+  releaseName: logstash
+  chart:
+    spec:
+      chart: logstash
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami
+        namespace: flux-system
+  interval: 1h
+  install:
+    remediation:
+      retries: 3
+  values:
+    existingConfiguration: logstash-pipelines
+    serviceAccount:
+      name: logstash
+    containerPorts:
+      - name: omada-http
+        containerPort: 8008
+        protocol: TCP
+      - name: monitoring
+        containerPort: 9600
+        protocol: TCP
+      - name: omada-syslog-udp
+        containerPort: 1514
+        protocol: UDP
+      - name: omada-syslog-tcp
+        containerPort: 1514
+        protocol: TCP
+    podSecurityContext:
+      fsGroup: 1000
+    containerSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+    service:
+      type: LoadBalancer
+      ports:
+        - name: omada-http
+          port: 8080
+          targetPort: http
+          protocol: TCP
+        - name: monitoring
+          port: 9600
+          targetPort: monitoring
+          protocol: TCP
+        - name: omada-syslog-udp
+          port: 1514
+          targetPort: syslog-udp
+          protocol: UDP
+        - name: omada-syslog-tcp
+          port: 1514
+          targetPort: syslog-tcp
+          protocol: TCP
+    persistence:
+      enabled: true
+      existingClaim: logstash-pvc
+      size: 16Gi
+    volumePermissions:
+      enabled: true
+      securityContext:
+        runAsUser: 1000
--- a/kubernetes/infrastructure/logstash/app/volume.yaml
+++ b/kubernetes/infrastructure/logstash/app/volume.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: logstash-pv
+  namespace: logstash
+  labels:
+    type: local
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  capacity:
+    storage: 16Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: "/mnt/nfs/AppData/logstash/data"
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: logstash-pvc
+    namespace: logstash
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - rpi5-cluster-node-1
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: logstash-pvc
+  namespace: logstash
+  labels:
+    name: logstash-pvc
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 16Gi
--- a/kubernetes/infrastructure/logstash/logstash.yaml
+++ b/kubernetes/infrastructure/logstash/logstash.yaml
@@ -0,0 +1,50 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: logstash-secrets
+  namespace: flux-system
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  targetNamespace: logstash
+  path: ./logstash
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: home-cluster-ops-secrets
+  dependsOn:
+    - name: repositories
+      namespace: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: logstash
+  namespace: logstash
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/infrastructure/logstash/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+  dependsOn:
+    - name: namespaces
+      namespace: flux-system
+    - name: logstash-secrets
+      namespace: flux-system
+    - name: local-path-provisioner
+      namespace: local-path-storage
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: logstash-secrets
--- a/kubernetes/infrastructure/minio/app/release.yaml
+++ b/kubernetes/infrastructure/minio/app/release.yaml
@@ -29,3 +29,8 @@ spec:
        console: 19001
    persistence:
      existingClaim: "minio-pvc"
+    containerSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+    podSecurityContext:
+      fsGroup: 1000
--- a/kubernetes/infrastructure/mongodb/app/release.yaml
+++ b/kubernetes/infrastructure/mongodb/app/release.yaml
@@ -0,0 +1,82 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: mongodb
+  namespace: mongodb
+spec:
+  releaseName: mongodb
+  chart:
+    spec:
+      chart: mongodb
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami
+        namespace: flux-system
+  interval: 1h
+  install:
+    remediation:
+      retries: 3
+  values:
+    architecture: replicaset
+    auth:
+      rootPassword: ${root_password}
+      usernames:
+        - edward
+        - anysync
+      passwords:
+        - ${edward_password}
+        - ${anysync_password}
+      databases:
+        - edward
+        - anysync
+    automountServiceAccountToken: true
+    replicaCount: 2
+    containerSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+    startupProbe:
+      enabled: true
+    externalAccess:
+      enabled: true
+      service:
+        type: LoadBalancer
+      autoDiscovery:
+        enabled: true
+    persistence:
+      name: "datadir-mongodb-0"
+      resourcePolicy: "keep"
+      storageClass: "local-path"
+      size: "32Gi"
+      labels:
+        name: datadir-mongodb-0
+      volumeClaimTemplates:
+        selector:
+          matchLabels:
+            name: mongodb-pv
+    persistentVolumeClaimRetentionPolicy:
+      enabled: true
+    backup:
+      enabled: true
+      cronjob:
+        schedule: "@daily"
+        containerSecurityContext:
+          runAsUser: 1000
+          runAsGroup: 1000
+        storage:
+          resourcePolicy: "keep"
+          storageClass: "local-path"
+          volumeClaimTemplates:
+            selector:
+              matchLabels:
+                name: mongodb-backup-pv
+    serviceAccount:
+      create: true
+      name: mongodb
+    rbac:
+      create: true
+
+
+
+
+
+
--- a/kubernetes/infrastructure/mongodb/app/volume.yaml
+++ b/kubernetes/infrastructure/mongodb/app/volume.yaml
@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: mongodb-pv
+  namespace: mongodb
+  labels:
+    type: local
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  capacity:
+    storage: 32Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: "/mnt/nfs/AppData/mongodb"
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: datadir-mongodb-0
+    namespace: mongodb
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - rpi5-cluster-node-1
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: mongodb-backup-pv
+  namespace: mongodb
+  labels:
+    type: local
+spec:
+  storageClassName: local-path
+  volumeMode: Filesystem
+  capacity:
+    storage: 8Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: "/mnt/nfs/AppData/mongodb/backup"
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    name: mongodb-mongodump
+    namespace: mongodb
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - rpi5-cluster-node-1
--- a/kubernetes/infrastructure/mongodb/mongodb.yaml
+++ b/kubernetes/infrastructure/mongodb/mongodb.yaml
@@ -0,0 +1,53 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: mongodb-secrets
+  namespace: flux-system
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  targetNamespace: mongodb
+  path: ./mongodb
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: home-cluster-ops-secrets
+  dependsOn:
+    - name: namespaces
+      namespace: flux-system
+    - name: repositories
+      namespace: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: mongodb
+  namespace: mongodb
+spec:
+  suspend: true
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/infrastructure/mongodb/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+  dependsOn:
+    - name: mongodb-secrets
+      namespace: flux-system
+    - name: namespaces
+      namespace: flux-system
+    - name: local-path-provisioner
+      namespace: local-path-storage
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: mongodb-secrets
--- a/kubernetes/infrastructure/namespaces/namespaces/logstash.yaml
+++ b/kubernetes/infrastructure/namespaces/namespaces/logstash.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: logstash
--- a/kubernetes/infrastructure/namespaces/namespaces/mongodb.yaml
+++ b/kubernetes/infrastructure/namespaces/namespaces/mongodb.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mongodb