move cert-manager and progresql from apps to infrastructure

2024-06-26 13:00:08 +10:00
parent a8f17a910b
commit e72a6e482e
15 changed files with 15 additions and 6 deletions
--- a/kubernetes/apps/cert-manager/app/release.yaml
+++ b/kubernetes/apps/cert-manager/app/release.yaml
@@ -1,44 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: cert-manager
-  namespace: cert-manager
-spec:
-  interval: 1h
-  driftDetection:
-    mode: enabled
-  chart:
-    spec:
-      chart: cert-manager
-      version: v1.15.0
-      sourceRef:
-        kind: HelmRepository
-        namespace: cert-manager
-        name: cert-manager
-      interval: 1h
-  install:
-    crds: Create
-  upgrade:
-    crds: CreateReplace
-  values:
-    installCRDs: true
-
-    podLabels:
-      rpi5.cluster.policy/egress-kubeapi: "true"
-      rpi5.cluster.policy/egress-namespace: "true"
-      rpi5.cluster.policy/egress-world: "true"
-      rpi5.cluster.policy/ingress-namespace: "true"
-    webhook:
-      podLabels:
-        rpi5.cluster.policy/egress-kubeapi: "true"
-    cainjector:
-      podLabels:
-        rpi5.cluster.policy/egress-kubeapi: "true"
-
-    global:
-      priorityClassName: system-cluster-critical
-
-    podDnsConfig:
-      nameservers:
-        - 1.1.1.1
-        - 1.0.0.1
--- a/kubernetes/apps/cert-manager/app/repository.yaml
+++ b/kubernetes/apps/cert-manager/app/repository.yaml
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: cert-manager
-  namespace: cert-manager
-spec:
-  interval: 1h
-  url: https://charts.jetstack.io
--- a/kubernetes/apps/cert-manager/cert-manager.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager.yaml
@@ -1,118 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: cert-manager
-  namespace: cert-manager
-spec:
-  interval: 10m
-  timeout: 1m30s
-  retryInterval: 30s
-  targetNamespace: cert-manager
-  path: ./kubernetes/apps/cert-manager/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    namespace: flux-system
-    name: flux-system
---
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: clusterissuer-secrets
-  namespace: flux-system
-spec:
-  interval: 10m
-  timeout: 1m30s
-  retryInterval: 30s
-  targetNamespace: cert-manager
-  path: ./clusterissuer
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    namespace: flux-system
-    name: home-cluster-ops-secrets
-  dependsOn:
-    - name: repositories
-      namespace: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
---
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: clusterissuer
-  namespace: cert-manager
-spec:
-  interval: 10m
-  timeout: 1m30s
-  retryInterval: 30s
-  targetNamespace: cert-manager
-  path: ./kubernetes/apps/cert-manager/clusterissuer
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    namespace: flux-system
-    name: flux-system
-  dependsOn:
-    - name: clusterissuer-secrets
-      namespace: flux-system
-    - name: cert-manager
-      namespace: cert-manager
-  postBuild:
-    substituteFrom:
-      - kind: Secret
-        name: clusterissuer-secrets
---
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: certificate-secrets
-  namespace: flux-system
-spec:
-  interval: 10m
-  timeout: 1m30s
-  retryInterval: 30s
-  targetNamespace: cert-manager
-  path: ./certificates
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    namespace: flux-system
-    name: home-cluster-ops-secrets
-  dependsOn:
-    - name: repositories
-      namespace: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
---
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: certificates
-  namespace: cert-manager
-spec:
-  interval: 10m
-  timeout: 1m30s
-  retryInterval: 30s
-  targetNamespace: cert-manager
-  path: ./kubernetes/apps/cert-manager/certificates
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    namespace: flux-system
-    name: flux-system
-  dependsOn:
-    - name: certificate-secrets
-      namespace: flux-system
-    - name: cert-manager
-      namespace: cert-manager
-    - name: clusterissuer
-      namespace: cert-manager
-  postBuild:
-    substituteFrom:
-      - kind: Secret
-        name: certificate-secrets
--- a/kubernetes/apps/cert-manager/certificates/adguard-home.yaml
+++ b/kubernetes/apps/cert-manager/certificates/adguard-home.yaml
@@ -1,64 +0,0 @@
-#apiVersion: cert-manager.io/v1
-#kind: Certificate
-#metadata:
-#  name: adguard-home-cert
-#  namespace: cert-manager
-#spec:
-#  # Secret names are always required.
-#  secretName: adguard-home.cluster.edward.sydney-tls
-#
-#  privateKey:
-#    algorithm: RSA
-#    encoding: PKCS1
-#    size: 2048
-#
-#  # keystores allows adding additional output formats. This is an example for reference only.
-#  keystores:
-#    pkcs12:
-#      create: true
-#      passwordSecretRef:
-#        name: adguard-home-tls-keystore
-#        key: ${adguard_home_certificate_tls_keystore_password}
-#      profile: Modern2023
-#
-#  duration: 2160h # 90d
-#  renewBefore: 360h # 15d
-#
-#  isCA: false
-#  usages:
-#    - server auth
-#    - client auth
-#
-#  subject:
-#    organizations:
-#      - edward.sydney
-#
-#  # The literalSubject field is exclusive with subject and commonName. It allows
-#  # specifying the subject directly as a string. This is useful for when the order
-#  # of the subject fields is important or when the subject contains special types
-#  # which can be specified by their OID.
-#  #
-#  # literalSubject: "O=jetstack, CN=example.com, 2.5.4.42=John, 2.5.4.4=Doe"
-#
-#  # At least one of commonName (possibly through literalSubject), dnsNames, uris, emailAddresses, ipAddresses or otherNames is required.
-#  dnsNames:
-#    - "${adguard_home_certificate_dns_name}"
-#    - "*.${adguard_home_certificate_dns_name}"
-#  emailAddresses:
-#    - ${adguard_home_certificate_email}
-#
-#  # Issuer references are always required.
-#  issuerRef:
-#    name: clusterissuer
-#    # We can reference ClusterIssuers by changing the kind here.
-#    # The default value is Issuer (i.e. a locally namespaced Issuer)
-#    kind: ClusterIssuer
-#    # This is optional since cert-manager will default to this value however
-#    # if you are using an external issuer, change this to that issuer group.
-#    group: cert-manager.io
-
-#The certificate request has failed to complete and will be retried:
-#  Failed to wait for order resource "adguard-home-cert-1-1931876784" to become
-#  ready: order is in "errored" state: Failed to create Order: 429 urn:ietf:params:acme:error:rateLimited:
-#  Error creating new order :: too many certificates already issued for "edward.sydney".
-#  Retry after 2024-06-25T21:00:00Z: see https://letsencrypt.org/docs/rate-limits/
--- a/kubernetes/apps/cert-manager/clusterissuer/clusterissuer-cloudflare.yaml
+++ b/kubernetes/apps/cert-manager/clusterissuer/clusterissuer-cloudflare.yaml
@@ -1,22 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: clusterissuer
-  namespace: cert-manager
-spec:
-  acme:
-    email: ${email}
-    server: https://acme-v02.api.letsencrypt.org/directory
-    privateKeySecretRef:
-      name: cluster-issuer-account-key
-    solvers:
-      - dns01:
-          cloudflare:
-            email: ${email}
-            apiTokenSecretRef:
-              name: clusterissuer-secrets
-              key: cloudflare_api_token
-        selector:
-          dnsNames:
-            - "${cluster_cert_domain}"
-            - "*.${cluster_cert_domain}"
--- a/kubernetes/apps/kustomization.yaml
+++ b/kubernetes/apps/kustomization.yaml
@@ -3,7 +3,6 @@ kind: Kustomization
 resources:
  - ./adguard-home/adguard-home.yaml
  - ./capacitor/capacitor.yaml
-  - ./cert-manager/cert-manager.yaml
  - ./code-server/code-server.yaml
  - ./dokuwiki/dokuwiki.yaml
  - ./gitea/gitea.yaml
@@ -12,7 +11,6 @@ resources:
  - ./kavita/kavita.yaml
  - ./nexus/nexus.yaml
  - ./podinfo/podinfo.yaml
-  - ./postgresql/postgresql.yaml
  - ./qbittorrent/qbittorrent.yaml
  - ./redis/redis.yaml
  - ./snippet-box/snippet-box.yaml
--- a/kubernetes/apps/postgresql/app/ingress.yaml
+++ b/kubernetes/apps/postgresql/app/ingress.yaml
@@ -1,31 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: postgresql-ingress
-  namespace: postgresql
-  annotations:
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
-    nginx.ingress.kubernetes.io/use-regex: "true"
-spec:
-  ingressClassName: nginx
-  rules:
-    - host: "postgres.cluster.local"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: postgresql-primary
-                port:
-                  number: 5432
-    - host: "replica.postgres.cluster.local"
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: postgresql-replica
-                port:
-                  number: 5432
--- a/kubernetes/apps/postgresql/app/pvc.yaml
+++ b/kubernetes/apps/postgresql/app/pvc.yaml
@@ -1,93 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: postgresql-primary-pv
-  namespace: postgresql
-  labels:
-    type: local
-spec:
-  storageClassName: local-path
-  volumeMode: Filesystem
-  capacity:
-    storage: 8Gi
-  accessModes:
-    - ReadWriteOnce
-  persistentVolumeReclaimPolicy: Retain
-  local:
-    path: "/mnt/nfs/AppData/postgresql/primary"
-  claimRef:
-    apiVersion: v1
-    kind: PersistentVolumeClaim
-    name: postgresql-primary-pvc
-    namespace: postgresql
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-        - matchExpressions:
-            - key: kubernetes.io/hostname
-              operator: In
-              values:
-                - rpi5-cluster-node-3
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: postgresql-primary-pvc
-  namespace: postgresql
-  labels:
-    name: postgresql-primary-pvc
-spec:
-  storageClassName: local-path
-  volumeMode: Filesystem
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 8Gi
---
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: postgresql-replica-pv
-  namespace: flux-system
-  labels:
-    type: local
-spec:
-  storageClassName: local-path
-  volumeMode: Filesystem
-  capacity:
-    storage: 8Gi
-  accessModes:
-    - ReadWriteOnce
-  persistentVolumeReclaimPolicy: Retain
-  local:
-    path: "/mnt/nfs/AppData/postgresql/replica"
-  claimRef:
-    apiVersion: v1
-    kind: PersistentVolumeClaim
-    name: postgresql-replica-pvc
-    namespace: postgresql
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-        - matchExpressions:
-            - key: kubernetes.io/hostname
-              operator: In
-              values:
-                - rpi5-cluster-node-3
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: postgresql-replica-pvc
-  namespace: postgresql
-  labels:
-    name: postgresql-replica-pvc
-spec:
-  storageClassName: local-path
-  volumeMode: Filesystem
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 8Gi
--- a/kubernetes/apps/postgresql/app/release.yaml
+++ b/kubernetes/apps/postgresql/app/release.yaml
@@ -1,57 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: postgresql
-  namespace: postgresql
-spec:
-  releaseName: postgresql
-  chart:
-    spec:
-      chart: postgresql
-      sourceRef:
-        kind: HelmRepository
-        name: bitnami
-        namespace: flux-system
-  interval: 1h
-  install:
-    remediation:
-      retries: 3
-  values:
-    auth:
-      postgresPassword: ${postgres_password}
-      username: ${username}
-      password: ${password}
-      database: ${database}
-      replicationPassword: ${replication_password}
-    architecture: "replication"
-    replication:
-      synchronousCommit: "on"
-      numSynchronousReplicas: 1
-      applicationName: "postgres_repl"
-    primary:
-      podSecurityContext:
-        fsGroup: 1000
-      containerSecurityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-      podLabels:
-        name: "postgresql-primary"
-      persistence:
-        existingClaim: postgresql-primary-pvc
-        selector:
-          matchLabels:
-            name: postgresql-primary-pvc
-    readReplicas:
-      name: "replica"
-      podSecurityContext:
-        fsGroup: 1000
-      containerSecurityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-      podLabels:
-        name: "postgresql-replica"
-      persistence:
-        existingClaim: postgresql-replica-pvc
-        selector:
-          matchLabels:
-            name: postgresql-replica-pvc
--- a/kubernetes/apps/postgresql/postgresql.yaml
+++ b/kubernetes/apps/postgresql/postgresql.yaml
@@ -1,47 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: postgresql-secrets
-  namespace: flux-system
-spec:
-  interval: 10m
-  timeout: 1m30s
-  retryInterval: 30s
-  targetNamespace: postgresql
-  path: ./postgresql
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    namespace: flux-system
-    name: home-cluster-ops-secrets
-  dependsOn:
-    - name: repositories
-      namespace: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
---
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: postgresql
-  namespace: postgresql
-spec:
-  interval: 10m
-  timeout: 1m30s
-  retryInterval: 30s
-  path: ./kubernetes/apps/postgresql/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    namespace: flux-system
-    name: flux-system
-  dependsOn:
-    - name: postgresql-secrets
-      namespace: flux-system
-  postBuild:
-    substituteFrom:
-      - kind: Secret
-        name: postgresql-secrets
-
--- a/kubernetes/apps/postgresql/scripts/ingress-nginx-svc-controller-patch.yaml
+++ b/kubernetes/apps/postgresql/scripts/ingress-nginx-svc-controller-patch.yaml
@@ -1,10 +0,0 @@
-spec:
-  ports:
-    - name: postgresql-tcp
-      port: 5432
-      targetPort: 5432
-      protocol: TCP
-    - name: postgresql-repl--tcp
-      port: 5433
-      targetPort: 5433
-      protocol: TCP
--- a/kubernetes/apps/postgresql/scripts/patch-ingress-nginx.sh
+++ b/kubernetes/apps/postgresql/scripts/patch-ingress-nginx.sh
@@ -1,4 +0,0 @@
-#!/bin/bash
-set -e
-
-kubectl patch service ingress-nginx-controller -n ingress-nginx --patch "$(cat ingress-nginx-svc-controller-patch.yaml)"
--- a/kubernetes/apps/prometheus-operator/app/release.yaml
+++ b/kubernetes/apps/prometheus-operator/app/release.yaml
@@ -1,47 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: prometheus-operator
-  namespace: prometheus-operator
-spec:
-  releaseName: prometheus-operator
-  chart:
-    spec:
-      chart: prometheus-operator
-      sourceRef:
-        kind: HelmRepository
-        name: truecharts
-        namespace: flux-system
-  interval: 5m
-  install:
-    remediation:
-      retries: 3
-  values:
-    service:
-      main:
-        enabled: true
-        ports:
-          main:
-            enabled: true
-
-    workload:
-      main:
-        enabled: true
-
-    portal:
-      open:
-        enabled: true
-
-    operator:
-      register: true
-
-    kps:
-      ## Install Prometheus Operator CRDs
-      ##
-      crds:
-        enabled: true
-
-      ## Manages Prometheus and Alertmanager components
-      ##
-      prometheusOperator:
-        enabled: true
--- a/kubernetes/apps/prometheus-operator/prometheus-operator.yaml
+++ b/kubernetes/apps/prometheus-operator/prometheus-operator.yaml
@@ -1,15 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: prometheus-operator
-  namespace: prometheus-operator
-spec:
-  suspend: true
-  interval: 1h
-  targetNamespace: flux-system
-  path: ./kubernetes/apps/prometheus-operator/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    namespace: flux-system
-    name: flux-system