project restructure

2024-06-10 12:20:26 +10:00
parent ae9be01baf
commit 6d1a3c677b
35 changed files with 41 additions and 5 deletions


@@ -0,0 +1,16 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: apps
namespace: flux-system
spec:
interval: 10m0s
dependsOn:
- name: infrustructure
sourceRef:
kind: GitRepository
name: flux-system
path: ./kubernetes/apps
prune: true
wait: true
timeout: 5m0s
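Review bot: The new `apps` Kustomization has no `decryption` stanza under `spec:`, whereas the `cert-manager-secrets` Kustomization removed in this commit decrypted its path with `provider: sops` and `secretRef.name: sops-age`; if any SOPS-encrypted manifest (such as the removed `cert-manager-secrets` Secret whose values are `ENC[...]` blobs) still lives under `./kubernetes/apps` or `./kubernetes/infrustructure` after the restructure, kustomize-controller will apply the ciphertext as literal Secret data and every consumer of those keys breaks. What those directories now contain is not visible on this page, so confirm it, and if encrypted files are present add the block below to both new Kustomizations (this one and the `infrustructure` one later in the commit). Separately, `infrustructure` in `dependsOn` here, and as both the name and the `path` of the other new Kustomization, is spelled differently from the `infrastructure` path the removed `home-cluster-ops-repo` Kustomization used; if the on-disk directory keeps the `infrastructure` spelling the `path` will not resolve, so align the spelling across the `dependsOn` entry, the metadata name and the `path`.
```yaml
spec:
  # … unchanged: interval, dependsOn, sourceRef, path, prune, wait, timeout …
  decryption:
    provider: sops
    secretRef:
      name: sops-age
```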


@@ -1,16 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: capacitor
namespace: flux-system
spec:
targetNamespace: flux-system
interval: 1h
retryInterval: 2m
timeout: 5m
wait: true
prune: true
path: "./"
sourceRef:
kind: OCIRepository
name: capacitor


@@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- capacitor.yaml


@@ -1,10 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: capacitor
namespace: flux-system
spec:
interval: 12h
url: oci://ghcr.io/gimlet-io/capacitor-manifests
ref:
semver: ">=0.1.0"


@@ -1,29 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: cert-manager-secrets
type: Opaque
stringData:
email: ENC[AES256_GCM,data:CWBTa/CLV0zm+iXsgHCPD5Z3SQ==,iv:fAEIbyjQGlMo6WMzjnTZwIHC4uF/SNKbVV8ipbrKW3U=,tag:y+zkPUEJ0gE2efcxz4ok4g==,type:str]
cert-manager-dns01: ENC[AES256_GCM,data:dAWpnTqAFr2WHd83zx+fgij0/phBKsTtQ5sVXGTnG8NX+hhtWNZjRA==,iv:dUnEzF/p2hPlzAkythNpnwFiigWDgFtikopbw4VZec4=,tag:ZdVu+zMbFC24QXylJcOFIg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d47q8mlty404pxx378q49hr93aqexca4mkeqtdm00w4gjd09xd0qhxcdcz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTFNzTWpPMDFPVTM5SkRR
d2dZWHNrKzFXa29KSW10MTVyaVJENDFHL3dVClFBWUJMVUVlWlp4c0FRMysvRGFW
Z2c5RFlPOXJpaFN4ekE2OTQrK0FWS0UKLS0tIHlESTRCOG1OOVE1V3Qvdm83OExM
MEg1WjQ3VVptNEdSWGV6L25yRjBIQ2sKrCPW35t09nMGXAoWuc2WFdsZGgCT8qQW
at1j2zrZ0MCD834Fy+mLFYoVmWJMm1fmdmK+upos3lS+BfjT2mEV1A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-10T01:17:17Z"
mac: ENC[AES256_GCM,data:njuB3Vjnww581iyVBJEqY5sovvB/pui0IJSPqkkUuSNfQ7FJzYI4PnLTfIUNGFqsxW7VrSP53PZVW0+Yb6ww5FWt7c8TCc7Fi1sogwBNkOozjsWnIJidGTL3EzK9P189SKvnao4goKVNocLGjAtr/ISwzrJxQL2kDXOXca8IIXE=,iv:NXgPVs4OQp9p/PRQA28>
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.8.1


@@ -1,54 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager-secrets
namespace: flux-system
spec:
interval: 1h
path: ./kubernetes/rpi5-cluster/apps/cert-manager/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops
decryption:
provider: sops
secretRef:
name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 1h
targetNamespace: cert-manager
path: ./kubernetes/rpi5-cluster/templates/apps/cert-manager/app
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager-issuers
namespace: cert-manager
spec:
interval: 1h
targetNamespace: cert-manager
path: ./kubernetes/rpi5-cluster/templates/apps/cert-manager/issuers
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops
dependsOn:
- name: cert-manager-secrets
- name: cert-manager
postBuild:
substituteFrom:
- kind: Secret
name: cert-manager-secrets


@@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cert-manager.yaml


@@ -1,13 +0,0 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cilium-networkpolicies
namespace: kube-system
spec:
interval: 1h
path: ./kubernetes/rpi5-cluster/apps/cilium/networkpolicies
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops


@@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cilium.yaml


@@ -1,21 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: coredns
namespace: kube-system
spec:
endpointSelector:
matchLabels:
k8s-app: kube-dns
egress:
- toEntities:
- world
toPorts:
- ports:
- port: "53"
- toEntities:
- host
- remote-node
toPorts:
- ports:
- port: "6443"


@@ -1,19 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-kube-dns
spec:
endpointSelector:
matchExpressions:
- key: rpi5.cluster.policy/egress-kube-dns
operator: NotIn
values:
- "false"
egress:
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"


@@ -1,21 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-kubeapi
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
egress:
- toEntities:
- host
- remote-node
toPorts:
- ports:
- port: "6443"
- toEntities:
- kube-apiserver
toPorts:
- ports:
- port: "443"
- port: "6443"


@@ -1,11 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-namespace
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/egress-namespace: "true"
egress:
- toEndpoints:
- {}


@@ -1,12 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-nodes
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/egress-nodes: "true"
egress:
- toEntities:
- host
- remote-node


@@ -1,11 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-world-with-lan
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/egress-world-with-lan: "true"
egress:
- toCIDRSet:
- cidr: 0.0.0.0/0


@@ -1,15 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-world
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/egress-world: "true"
egress:
- toCIDRSet:
- cidr: 0.0.0.0/0
except:
- 192.168.1.0/24
- 192.168.2.0/24
- 100.64.0.0/10


@@ -1,11 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: ingress-namespace
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/ingress-namespace: "true"
ingress:
- fromEndpoints:
- {}


@@ -1,65 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: ingress-ingress
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/ingress-ingress: "true"
ingress:
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: ingress-nginx
namespace: ingress-nginx
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller
egress:
- toEndpoints:
- matchLabels:
rpi5.cluster.policy/ingress-ingress: "true"
matchExpressions:
- key: io.kubernetes.pod.namespace
operator: Exists
---
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: egress-ingress
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/egress-ingress: "true"
egress:
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: egress-nginx
namespace: ingress-nginx
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller
ingress:
- fromEndpoints:
- matchLabels:
rpi5.cluster.policy/egress-ingress: "true"
matchExpressions:
- key: io.kubernetes.pod.namespace
operator: Exists


@@ -1,12 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: ingress-nodes
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/ingress-nodes: "true"
ingress:
- fromEntities:
- host
- remote-node


@@ -1,11 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: ingress-world
spec:
endpointSelector:
matchLabels:
rpi5.cluster.policy/ingress-world: "true"
ingress:
- fromEntities:
- world


@@ -1,16 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: local-path-provisioner
namespace: kube-system
spec:
endpointSelector:
matchLabels:
app: local-path-provisioner
egress:
- toEntities:
- host
- remote-node
toPorts:
- ports:
- port: "6443"


@@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- podinfo.yaml


@@ -1,27 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: podinfo
namespace: podinfo
spec:
interval: 5m
url: https://github.com/stefanprodan/podinfo
ref:
branch: master
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: podinfo
namespace: podinfo
spec:
interval: 30m0s
path: ./kustomize
prune: true
retryInterval: 2m0s
sourceRef:
kind: GitRepository
name: podinfo
targetNamespace: default
timeout: 3m0s
wait: true


@@ -1,16 +0,0 @@
apiVersion: notification.toolkit.fluxcd.io/v1
kind: Receiver
metadata:
name: github-receiver
namespace: flux-system
spec:
type: github
events:
- "ping"
- "push"
secretRef:
name: receiver-token
resources:
- apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
name: home-cluster-ops-repo


@@ -1,26 +0,0 @@
---
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Provider
metadata:
name: slack-bot
namespace: flux-system
spec:
type: slack
channel: general
address: https://slack.com/api/chat.postMessage
secretRef:
name: slack-bot-token
---
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
name: release-success-notification
spec:
eventSources:
- kind: HelmRelease
name: '*'
inclusionList:
- ".*succeeded.*"
eventMetadata:
app.kubernetes.io/env: "home-rpi5-cluster"
app.kubernetes.io/cluster: "rpi5-cluster"


@@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: webhook-receiver
namespace: flux-system
spec:
type: LoadBalancer
selector:
app: notification-controller
ports:
- name: http
port: 8888
protocol: TCP
targetPort: 9292


@@ -0,0 +1,14 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infrustructure
namespace: flux-system
spec:
interval: 5m0s
sourceRef:
kind: GitRepository
name: flux-system
path: ./kubernetes/infrustructure
prune: true
wait: true
timeout: 5m0s
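Review bot: This root Kustomization replaces the per-component Kustomizations this commit deletes (`cilium-networkpolicies`, `cert-manager-secrets`, `cert-manager`, `cert-manager-issuers`, `podinfo`, `capacitor`), each of which carried `prune: true`; once their CRs disappear from the tree and are pruned by the bootstrap Kustomization (its own prune setting is not shown here), kustomize-controller garbage-collects everything they managed — the CiliumClusterwideNetworkPolicies, the cert-manager HelmRelease and the two ClusterIssuers — unless `./kubernetes/infrustructure` or `./kubernetes/apps` re-declares them. Nothing on this page shows the contents of those directories, so confirm they re-declare these objects before merging; otherwise the cluster is left without its network policies and certificate issuers after the first reconcile. A smaller point of style: the removed `capacitor` and `podinfo` Kustomizations set `retryInterval: 2m0s`, which this one and the new `apps` Kustomization drop, so a failed reconcile of the root presumably waits for the full `interval: 5m0s` before retrying; consider adding `retryInterval: 2m0s` under `spec:` to keep the earlier behaviour.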


@@ -1,5 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- repositories/repositories.yaml
- secrets/secrets.yaml


@@ -1,29 +0,0 @@
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/gitrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: home-cluster-ops
namespace: flux-system
spec:
interval: 5m0s
ref:
branch: main
secretRef:
name: flux-system
timeout: 60s
url: https://github.com/3dwardch3ng/home-cluster-ops.git
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/gitrepository_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: home-cluster-ops-repo
namespace: flux-system
spec:
interval: 5m
path: ./kubernetes/rpi5-cluster/infrastructure/repositories
prune: true
sourceRef:
kind: GitRepository
namespace: flux-system
name: home-cluster-ops


@@ -1,45 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 1h
driftDetection:
mode: enabled
chart:
spec:
chart: cert-manager
version: v1.15.0
sourceRef:
kind: HelmRepository
namespace: cert-manager
name: cert-manager
interval: 1h
installCRDs: true
install:
crds: Create
upgrade:
crds: CreateReplace
values:
installCRDs: true
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
rpi5.cluster.policy/egress-namespace: "true"
rpi5.cluster.policy/egress-world: "true"
rpi5.cluster.policy/ingress-namespace: "true"
webhook:
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
cainjector:
podLabels:
rpi5.cluster.policy/egress-kubeapi: "true"
global:
priorityClassName: system-cluster-critical
podDnsConfig:
nameservers:
- 1.1.1.1
- 1.0.0.1


@@ -1,8 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 1h
url: https://charts.jetstack.io


@@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager


@@ -1,17 +0,0 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-dns01
namespace: cert-manager
spec:
acme:
email: ${email}
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-dns01
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cert-manager-secrets
key: cert-manager-dns01


@@ -1,15 +0,0 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-http01
namespace: cert-manager
spec:
acme:
email: ${email}
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-http01
solvers:
- http01:
ingress:
class: nginx