generated from onedr0p/cluster-template
Centralize shared apps #3627
Open
joryirving wants to merge 14 commits into main from feat/shared-apps
smurf-bot (bot) added the labels area/kubernetes (Changes made in the kubernetes directory), cluster/main and cluster/utility on Jan 30, 2025
joryirving force-pushed the feat/shared-apps branch from b40577c to a53ab0f on January 30, 2025 20:31
--- kubernetes/utility/apps/kube-tools/reloader/app Kustomization: kube-tools/reloader HelmRelease: kube-tools/reloader
+++ kubernetes/utility/apps/kube-tools/reloader/app Kustomization: kube-tools/reloader HelmRelease: kube-tools/reloader
@@ -1,36 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: reloader
- kustomize.toolkit.fluxcd.io/name: reloader
- kustomize.toolkit.fluxcd.io/namespace: kube-tools
- name: reloader
- namespace: kube-tools
-spec:
- chart:
- spec:
- chart: reloader
- sourceRef:
- kind: HelmRepository
- name: stakater
- namespace: flux-system
- version: 1.2.1
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- fullnameOverride: reloader
- reloader:
- podMonitor:
- enabled: true
- namespace: '{{ .Release.Namespace }}'
- readOnlyRootFileSystem: true
-
--- kubernetes/utility/apps/external-secrets/onepassword/app Kustomization: external-secrets/onepassword HelmRelease: external-secrets/onepassword
+++ kubernetes/utility/apps/external-secrets/onepassword/app Kustomization: external-secrets/onepassword HelmRelease: external-secrets/onepassword
@@ -1,144 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: onepassword
- kustomize.toolkit.fluxcd.io/name: onepassword
- kustomize.toolkit.fluxcd.io/namespace: external-secrets
- name: onepassword
- namespace: external-secrets
-spec:
- chart:
- spec:
- chart: app-template
- sourceRef:
- kind: HelmRepository
- name: bjw-s
- namespace: flux-system
- version: 3.6.1
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- controllers:
- onepassword:
- annotations:
- reloader.stakater.com/auto: 'true'
- containers:
- api:
- env:
- OP_BUS_PEERS: localhost:11221
- OP_BUS_PORT: 11220
- OP_HTTP_PORT: 80
- OP_SESSION:
- valueFrom:
- secretKeyRef:
- key: 1password-credentials.json
- name: onepassword
- XDG_DATA_HOME: /config
- image:
- repository: docker.io/1password/connect-api
- tag: 1.7.3@sha256:0601c7614e102eada268dbda6ba4b5886ce77713be2c332ec6a2fd0f028484ba
- probes:
- liveness:
- custom: true
- enabled: true
- spec:
- failureThreshold: 3
- httpGet:
- path: /heartbeat
- port: 80
- initialDelaySeconds: 15
- periodSeconds: 30
- readiness:
- custom: true
- enabled: true
- spec:
- httpGet:
- path: /health
- port: 80
- initialDelaySeconds: 15
- resources:
- limits:
- memory: 256M
- requests:
- cpu: 10m
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- sync:
- env:
- OP_BUS_PEERS: localhost:11220
- OP_BUS_PORT: 11221
- OP_HTTP_PORT: 8081
- OP_SESSION:
- valueFrom:
- secretKeyRef:
- key: 1password-credentials.json
- name: onepassword
- XDG_DATA_HOME: /config
- image:
- repository: docker.io/1password/connect-sync
- tag: 1.7.3@sha256:2f17621c7eb27bbcb1f86bbc5e5a5198bf54ac3b9c2ffac38064d03c932b07d5
- probes:
- liveness:
- custom: true
- enabled: true
- spec:
- failureThreshold: 3
- httpGet:
- path: /heartbeat
- port: 8081
- initialDelaySeconds: 15
- periodSeconds: 30
- readiness:
- custom: true
- enabled: true
- spec:
- httpGet:
- path: /health
- port: 8081
- initialDelaySeconds: 15
- resources:
- limits:
- memory: 256M
- requests:
- cpu: 10m
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- strategy: RollingUpdate
- defaultPodOptions:
- securityContext:
- fsGroup: 999
- fsGroupChangePolicy: OnRootMismatch
- runAsGroup: 999
- runAsNonRoot: true
- runAsUser: 999
- seccompProfile:
- type: RuntimeDefault
- persistence:
- config:
- globalMounts:
- - path: /config
- type: emptyDir
- service:
- app:
- controller: onepassword
- ports:
- http:
- port: 80
-
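Review bot: only the removal from the utility path is visible here, so this diff cannot confirm that the shared rendering of the release keeps the pod hardening being deleted: `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `readOnlyRootFilesystem: true` on both containers, plus `runAsNonRoot: true` with uid/gid 999 and `seccompProfile.type: RuntimeDefault` in `defaultPodOptions`. A side-by-side against the shared copy before merge is worthwhile, including that `OP_SESSION` is still sourced from the `onepassword` Secret's `1password-credentials.json` key, since these settings wrap the containers holding the 1Password Connect credentials.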
--- kubernetes/utility/apps/flux-system/capacitor/app Kustomization: flux-system/capacitor HelmRelease: flux-system/capacitor
+++ kubernetes/utility/apps/flux-system/capacitor/app Kustomization: flux-system/capacitor HelmRelease: flux-system/capacitor
@@ -1,75 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: capacitor
- kustomize.toolkit.fluxcd.io/name: capacitor
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: capacitor
- namespace: flux-system
-spec:
- chart:
- spec:
- chart: app-template
- sourceRef:
- kind: HelmRepository
- name: bjw-s
- namespace: flux-system
- version: 3.6.1
- install:
- remediation:
- retries: 3
- interval: 30m
- uninstall:
- keepHistory: false
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- controllers:
- capacitor:
- containers:
- app:
- image:
- repository: ghcr.io/gimlet-io/capacitor
- tag: v0.4.8@sha256:c999a42cccc523b91086547f890466d09be4755bf05a52763b0d14594bf60782
- resources:
- limits:
- ephemeral-storage: 2Gi
- memory: 200Mi
- requests:
- cpu: 50m
- ephemeral-storage: 1Gi
- memory: 100Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- strategy: RollingUpdate
- ingress:
- app:
- className: internal
- enabled: true
- hosts:
- - host: '{{ .Release.Name }}-utility.jory.dev'
- paths:
- - path: /
- service:
- identifier: app
- port: http
- service:
- app:
- controller: capacitor
- ports:
- http:
- enabled: true
- port: 9000
- serviceAccount:
- create: true
- name: capacitor
-
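Review bot: the ingress host `'{{ .Release.Name }}-utility.jory.dev'` bakes the utility cluster name into a release that this PR moves under a shared path; unless the shared copy substitutes a per-cluster value, the second cluster will publish either the same hostname or the wrong one. The same `-utility` suffix appears in the weave-gitops and flux webhook hunks further down.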
--- kubernetes/utility/apps/flux-system/capacitor/app Kustomization: flux-system/capacitor ClusterRole: flux-system/capacitor
+++ kubernetes/utility/apps/flux-system/capacitor/app Kustomization: flux-system/capacitor ClusterRole: flux-system/capacitor
@@ -1,47 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app.kubernetes.io/name: capacitor
- kustomize.toolkit.fluxcd.io/name: capacitor
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: capacitor
-rules:
-- apiGroups:
- - networking.k8s.io
- - apps
- - ''
- resources:
- - pods
- - pods/log
- - ingresses
- - deployments
- - services
- - secrets
- - events
- - configmaps
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - source.toolkit.fluxcd.io
- - kustomize.toolkit.fluxcd.io
- - helm.toolkit.fluxcd.io
- - infra.contrib.fluxcd.io
- resources:
- - gitrepositories
- - ocirepositories
- - buckets
- - helmrepositories
- - helmcharts
- - kustomizations
- - helmreleases
- - terraforms
- verbs:
- - get
- - watch
- - list
- - patch
-
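Review bot: this ClusterRole grants get/watch/list on `secrets` in every namespace, next to `patch` on Flux sources, Kustomizations and HelmReleases, so anyone who reaches the Capacitor UI (internal ingress class, no authentication configured in the release hunk above) can read every Secret in the cluster and trigger reconciliations. Centralising the definition repeats that exposure on each cluster it is applied to; check whether the UI actually needs `secrets` and drop it if not, or scope the read access with a namespaced Role.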
--- kubernetes/utility/apps/flux-system/capacitor/app Kustomization: flux-system/capacitor ClusterRoleBinding: flux-system/capacitor
+++ kubernetes/utility/apps/flux-system/capacitor/app Kustomization: flux-system/capacitor ClusterRoleBinding: flux-system/capacitor
@@ -1,18 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app.kubernetes.io/name: capacitor
- kustomize.toolkit.fluxcd.io/name: capacitor
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: capacitor
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: capacitor
-subjects:
-- kind: ServiceAccount
- name: capacitor
- namespace: flux-system
-
--- kubernetes/utility/apps/flux-system/capacitor/app Kustomization: flux-system/capacitor ConfigMap: flux-system/capacitor-gatus-ep
+++ kubernetes/utility/apps/flux-system/capacitor/app Kustomization: flux-system/capacitor ConfigMap: flux-system/capacitor-gatus-ep
@@ -1,29 +0,0 @@
----
-apiVersion: v1
-data:
- config.yaml: |
- endpoints:
- - name: "capacitor"
- group: -guarded
- url: 1.1.1.1
- interval: 1m
- ui:
- hide-hostname: true
- hide-url: true
- dns:
- query-name: "capacitor.jory.dev"
- query-type: A
- conditions:
- - "len([BODY]) == 0"
- alerts:
- - type: discord
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: capacitor
- gatus.io/enabled: 'true'
- kustomize.toolkit.fluxcd.io/name: capacitor
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: capacitor-gatus-ep
- namespace: flux-system
-
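Review bot: `group: -guarded` looks like a partially applied default-value substitution, the `${VAR:-guarded}` form with the variable part stripped; confirm the intended group is `guarded`. The check itself is a reasonable leak detector: it asks 1.1.1.1 for an A record of capacitor.jory.dev and passes only on `len([BODY]) == 0`, so the Discord alert fires if this internal-only host ever gains a public record, which is what you want for a service on the `internal` ingress class.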
--- kubernetes/utility/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager HelmRelease: cert-manager/cert-manager
+++ kubernetes/utility/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager HelmRelease: cert-manager/cert-manager
@@ -1,32 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: cert-manager
- kustomize.toolkit.fluxcd.io/name: cert-manager
- kustomize.toolkit.fluxcd.io/namespace: cert-manager
- name: cert-manager
- namespace: cert-manager
-spec:
- chart:
- spec:
- chart: cert-manager
- sourceRef:
- kind: HelmRepository
- name: jetstack
- namespace: flux-system
- version: v1.16.3
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- valuesFrom:
- - kind: ConfigMap
- name: cert-manager-helm-values-hgg6hf7kh2
-
--- kubernetes/utility/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager PrometheusRule: cert-manager/cert-manager-rules
+++ kubernetes/utility/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager PrometheusRule: cert-manager/cert-manager-rules
@@ -1,68 +0,0 @@
----
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
- labels:
- app.kubernetes.io/name: cert-manager
- kustomize.toolkit.fluxcd.io/name: cert-manager
- kustomize.toolkit.fluxcd.io/namespace: cert-manager
- name: cert-manager-rules
- namespace: cert-manager
-spec:
- groups:
- - name: cert-manager
- rules:
- - alert: CertManagerAbsent
- annotations:
- description: New certificates will not be able to be minted, and existing
- ones can't be renewed until cert-manager is back.
- runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent
- summary: Cert Manager has dissapeared from Prometheus service discovery.
- expr: |
- absent(up{job="cert-manager"})
- for: 15m
- labels:
- severity: critical
- - name: certificates
- rules:
- - alert: CertManagerCertExpirySoon
- annotations:
- description: The domain that this cert covers will be unavailable after {{
- $value | humanizeDuration }}. Clients using endpoints that this cert protects
- will start to fail in {{ $value | humanizeDuration }}.
- runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon
- summary: The cert {{ $labels.name }} is {{ $value | humanizeDuration }} from
- expiry, it should have renewed over a week ago.
- expr: |
- avg by (exported_namespace, namespace, name) (
- certmanager_certificate_expiration_timestamp_seconds - time())
- < (21 * 24 * 3600)
- for: 15m
- labels:
- severity: warning
- - alert: CertManagerCertNotReady
- annotations:
- description: This certificate has not been ready to serve traffic for at least
- 15m. If the cert is being renewed or there is another valid cert, the ingress
- controller _may_ be able to serve that instead.
- runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready
- summary: The cert {{ $labels.name }} is not ready to serve traffic.
- expr: |
- max by (name, exported_namespace, namespace, condition) (
- certmanager_certificate_ready_status{condition!="True"} == 1)
- for: 15m
- labels:
- severity: critical
- - alert: CertManagerHittingRateLimits
- annotations:
- description: Depending on the rate limit, cert-manager may be unable to generate
- certificates for up to a week.
- runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits
- summary: Cert manager hitting LetsEncrypt rate limits.
- expr: |
- sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m]))
- > 0
- for: 15m
- labels:
- severity: critical
-
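Review bot: style point in the `CertManagerAbsent` summary, "dissapeared" should read "disappeared"; if the rules file is being copied to the shared path this is the moment to fix it.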
--- kubernetes/utility/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager ConfigMap: cert-manager/cert-manager-helm-values-hgg6hf7kh2
+++ kubernetes/utility/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager ConfigMap: cert-manager/cert-manager-helm-values-hgg6hf7kh2
@@ -1,23 +0,0 @@
----
-apiVersion: v1
-data:
- values.yaml: |
- ---
- crds:
- enabled: true
- replicaCount: 1
- dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
- dns01RecursiveNameserversOnly: true
- prometheus:
- enabled: true
- servicemonitor:
- enabled: true
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: cert-manager
- kustomize.toolkit.fluxcd.io/name: cert-manager
- kustomize.toolkit.fluxcd.io/namespace: cert-manager
- name: cert-manager-helm-values-hgg6hf7kh2
- namespace: cert-manager
-
--- kubernetes/utility/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator HelmRelease: flux-system/flux-operator
+++ kubernetes/utility/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator HelmRelease: flux-system/flux-operator
@@ -1,32 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: flux-operator
- kustomize.toolkit.fluxcd.io/name: flux-operator
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: flux-operator
- namespace: flux-system
-spec:
- chart:
- spec:
- chart: flux-operator
- sourceRef:
- kind: HelmRepository
- name: controlplaneio
- namespace: flux-system
- version: 0.13.0
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- valuesFrom:
- - kind: ConfigMap
- name: flux-operator-helm-values-fb7h5gm7k8
-
--- kubernetes/utility/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator ConfigMap: flux-system/flux-operator-helm-values-fb7h5gm7k8
+++ kubernetes/utility/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator ConfigMap: flux-system/flux-operator-helm-values-fb7h5gm7k8
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-data:
- values.yaml: |
- ---
- serviceMonitor:
- create: true
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: flux-operator
- kustomize.toolkit.fluxcd.io/name: flux-operator
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: flux-operator-helm-values-fb7h5gm7k8
- namespace: flux-system
-
--- kubernetes/utility/apps/flux-system/weave-gitops/app Kustomization: flux-system/weave-gitops HelmRelease: flux-system/weave-gitops
+++ kubernetes/utility/apps/flux-system/weave-gitops/app Kustomization: flux-system/weave-gitops HelmRelease: flux-system/weave-gitops
@@ -1,52 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: weave-gitops
- kustomize.toolkit.fluxcd.io/name: weave-gitops
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: weave-gitops
- namespace: flux-system
-spec:
- chart:
- spec:
- chart: weave-gitops
- sourceRef:
- kind: HelmRepository
- name: weave-gitops
- namespace: flux-system
- version: 4.0.36
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- adminUser:
- create: true
- createSecret: false
- username: admin
- ingress:
- className: internal
- enabled: true
- hosts:
- - host: gitops-utility.jory.dev
- paths:
- - path: /
- pathType: Prefix
- metrics:
- enabled: true
- networkPolicy:
- create: false
- podAnnotations:
- secret.reloader.stakater.com/reload: cluster-user-auth
- rbac:
- create: true
- impersonationResourceNames:
- - admin
-
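Review bot: `gitops-utility.jory.dev` is another utility-specific hostname in a release headed for a shared path. `adminUser.createSecret: false` also means the `cluster-user-auth` Secret that the reloader annotation references has to be provisioned outside this release; nothing in this diff creates it, so confirm the shared path still carries whatever produces it. `networkPolicy.create: false` and `impersonationResourceNames: [admin]` are unchanged behaviour, but deserve a second look once one definition applies to more than one cluster.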
--- kubernetes/utility/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets HelmRelease: external-secrets/external-secrets
+++ kubernetes/utility/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets HelmRelease: external-secrets/external-secrets
@@ -1,32 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: external-secrets
- kustomize.toolkit.fluxcd.io/name: external-secrets
- kustomize.toolkit.fluxcd.io/namespace: external-secrets
- name: external-secrets
- namespace: external-secrets
-spec:
- chart:
- spec:
- chart: external-secrets
- sourceRef:
- kind: HelmRepository
- name: external-secrets
- namespace: flux-system
- version: 0.13.0
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- valuesFrom:
- - kind: ConfigMap
- name: external-secrets-helm-values-h9g78hg67k
-
--- kubernetes/utility/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets ConfigMap: external-secrets/external-secrets-helm-values-h9g78hg67k
+++ kubernetes/utility/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets ConfigMap: external-secrets/external-secrets-helm-values-h9g78hg67k
@@ -1,34 +0,0 @@
----
-apiVersion: v1
-data:
- values.yaml: |
- ---
- installCRDs: true
- replicaCount: 1
- leaderElect: true
- image:
- repository: ghcr.io/external-secrets/external-secrets
- webhook:
- image:
- repository: ghcr.io/external-secrets/external-secrets
- serviceMonitor:
- enabled: true
- interval: 1m
- certController:
- image:
- repository: ghcr.io/external-secrets/external-secrets
- serviceMonitor:
- enabled: true
- interval: 1m
- serviceMonitor:
- enabled: true
- interval: 1m
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: external-secrets
- kustomize.toolkit.fluxcd.io/name: external-secrets
- kustomize.toolkit.fluxcd.io/namespace: external-secrets
- name: external-secrets-helm-values-h9g78hg67k
- namespace: external-secrets
-
--- kubernetes/utility/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance HelmRelease: flux-system/flux-instance
+++ kubernetes/utility/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance HelmRelease: flux-system/flux-instance
@@ -1,35 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: flux-instance
- namespace: flux-system
-spec:
- chart:
- spec:
- chart: flux-instance
- sourceRef:
- kind: HelmRepository
- name: controlplaneio
- namespace: flux-system
- version: 0.13.0
- dependsOn:
- - name: flux-operator
- namespace: flux-system
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- valuesFrom:
- - kind: ConfigMap
- name: flux-instance-helm-values-9574f89kkd
-
--- kubernetes/utility/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance PrometheusRule: flux-system/flux-instance-rules
+++ kubernetes/utility/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance PrometheusRule: flux-system/flux-instance-rules
@@ -1,34 +0,0 @@
----
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: flux-instance-rules
- namespace: flux-system
-spec:
- groups:
- - name: flux-instance.rules
- rules:
- - alert: FluxInstanceAbsent
- annotations:
- description: |
- The flux_instance_info metric for the Flux instance in namespace {{ $labels.exported_namespace }} is not available.
- summary: Flux instance metric is missing
- expr: absent(flux_instance_info{exported_namespace="flux-system", name="flux"})
- for: 15m
- labels:
- severity: critical
- - alert: FluxInstanceNotReady
- annotations:
- description: |
- The Flux instance in namespace {{ $labels.exported_namespace }} is not ready.
- Reason: {{ $labels.reason }}
- summary: Flux instance {{ $labels.name }} is not ready
- expr: flux_instance_info{exported_namespace="flux-system", name="flux", ready!="True"}
- for: 15m
- labels:
- severity: critical
-
--- kubernetes/utility/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ExternalSecret: flux-system/github-webhook-token
+++ kubernetes/utility/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ExternalSecret: flux-system/github-webhook-token
@@ -1,23 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: github-webhook-token
- namespace: flux-system
-spec:
- dataFrom:
- - extract:
- key: flux
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword
- target:
- name: github-webhook-token
- template:
- data:
- token: '{{ .FLUX_UTILITY_GITHUB_WEBHOOK_TOKEN }}'
-
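Review bot: the template key `.FLUX_UTILITY_GITHUB_WEBHOOK_TOKEN` is the utility cluster's field in the 1Password `flux` item; a shared copy of this ExternalSecret needs that field name parameterised per cluster, otherwise both clusters validate GitHub webhooks with one shared secret and lose the ability to rotate it independently.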
--- kubernetes/utility/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Ingress: flux-system/webhook-receiver
+++ kubernetes/utility/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Ingress: flux-system/webhook-receiver
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: webhook-receiver
- namespace: flux-system
-spec:
- ingressClassName: external
- rules:
- - host: flux-webhook-utility.jory.dev
- http:
- paths:
- - backend:
- service:
- name: webhook-receiver
- port:
- number: 80
- path: /hook/
- pathType: Prefix
-
--- kubernetes/utility/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Receiver: flux-system/home-ops
+++ kubernetes/utility/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Receiver: flux-system/home-ops
@@ -1,27 +0,0 @@
----
-apiVersion: notification.toolkit.fluxcd.io/v1
-kind: Receiver
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: home-ops
- namespace: flux-system
-spec:
- events:
- - ping
- - push
- resources:
- - apiVersion: source.toolkit.fluxcd.io/v1
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- - apiVersion: kustomize.toolkit.fluxcd.io/v1
- kind: Kustomization
- name: flux-system
- namespace: flux-system
- secretRef:
- name: github-webhook-token
- type: github
-
--- kubernetes/utility/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ConfigMap: flux-system/flux-instance-helm-values-9574f89kkd
+++ kubernetes/utility/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ConfigMap: flux-system/flux-instance-helm-values-9574f89kkd
@@ -1,117 +0,0 @@
----
-apiVersion: v1
-data:
- values.yaml: |
- ---
- instance:
- distribution:
- # renovate: datasource=github-releases depName=fluxcd/flux2
- version: 2.4.0
- cluster:
- networkPolicy: false
- components:
- - source-controller
- - kustomize-controller
- - helm-controller
- - notification-controller
- sync:
- kind: GitRepository
- name: flux-system
- url: https://github.com/joryirving/home-ops.git
- ref: refs/heads/main
- path: kubernetes/utility/flux/cluster
- commonMetadata:
- labels:
- app.kubernetes.io/name: flux
- kustomize:
- patches:
- - # Add Sops decryption to 'flux-system' Kustomization
- patch: |
- - op: add
- path: /spec/decryption
- value:
- provider: sops
- secretRef:
- name: sops-age
- target:
- group: kustomize.toolkit.fluxcd.io
- kind: Kustomization
- - # Increase the number of workers
- patch: |
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --concurrent=10
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --requeue-dependency=5s
- target:
- kind: Deployment
- name: (kustomize-controller|helm-controller|source-controller)
- - # Increase the memory limits
- patch: |
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: all
- spec:
- template:
- spec:
- containers:
- - name: manager
- resources:
- limits:
- memory: 2Gi
- target:
- kind: Deployment
- name: (kustomize-controller|helm-controller|source-controller)
- - # Enable in-memory kustomize builds
- patch: |
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --concurrent=20
- - op: replace
- path: /spec/template/spec/volumes/0
- value:
- name: temp
- emptyDir:
- medium: Memory
- target:
- kind: Deployment
- name: kustomize-controller
- - # Enable Helm repositories caching
- patch: |
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --helm-cache-max-size=10
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --helm-cache-ttl=60m
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --helm-cache-purge-interval=5m
- target:
- kind: Deployment
- name: source-controller
- # Flux near OOM detection for Helm
- - patch: |
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --feature-gates=OOMWatch=true
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --oom-watch-memory-threshold=95
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --oom-watch-interval=500ms
- target:
- kind: Deployment
- name: helm-controller
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: flux-instance-helm-values-9574f89kkd
- namespace: flux-system
-
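Review bot: kustomize-controller ends up with two `--concurrent` flags: the second patch appends `--concurrent=10` to `(kustomize-controller|helm-controller|source-controller)` and the fourth appends `--concurrent=20` to kustomize-controller again, so which value applies depends on the flag parser taking the last occurrence; set it once per controller. Two further points for a file that is about to be shared: `sync.path: kubernetes/utility/flux/cluster` is cluster-specific and must differ per cluster, and `cluster.networkPolicy: false` turns off the Flux namespace NetworkPolicies on every cluster that consumes these values.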
--- kubernetes/utility/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-production
+++ kubernetes/utility/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-production
@@ -1,27 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- labels:
- app.kubernetes.io/name: cert-manager-issuers
- kustomize.toolkit.fluxcd.io/name: cert-manager-issuers
- kustomize.toolkit.fluxcd.io/namespace: cert-manager
- name: letsencrypt-production
- namespace: cert-manager
-spec:
- acme:
- email: jory@jory.dev
- privateKeySecretRef:
- name: letsencrypt-production
- server: https://acme-v02.api.letsencrypt.org/directory
- solvers:
- - dns01:
- cloudflare:
- apiTokenSecretRef:
- key: CLOUDFLARE_API_KEY
- name: cloudflare-secret
- email: jory@jory.dev
- selector:
- dnsZones:
- - jory.dev
-
--- kubernetes/utility/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-staging
+++ kubernetes/utility/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-staging
@@ -1,27 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- labels:
- app.kubernetes.io/name: cert-manager-issuers
- kustomize.toolkit.fluxcd.io/name: cert-manager-issuers
- kustomize.toolkit.fluxcd.io/namespace: cert-manager
- name: letsencrypt-staging
- namespace: cert-manager
-spec:
- acme:
- email: jory@jory.dev
- privateKeySecretRef:
- name: letsencrypt-staging
- server: https://acme-staging-v02.api.letsencrypt.org/directory
- solvers:
- - dns01:
- cloudflare:
- apiTokenSecretRef:
- key: CLOUDFLARE_API_KEY
- name: cloudflare-secret
- email: jory@jory.dev
- selector:
- dnsZones:
- - jory.dev
-
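Review bot: both ClusterIssuers (this hunk and `letsencrypt-production` above) set `apiTokenSecretRef` together with `email` under `cloudflare:`; `email` belongs to the global API key flow and is ignored for API tokens, and the secret key name `CLOUDFLARE_API_KEY` suggests the stored value may in fact be the account-wide key. Since a ClusterIssuer is usable from every namespace, confirm the value is a scoped token limited to DNS edit on jory.dev and rename the key (for example `CLOUDFLARE_API_TOKEN`) so the two credential types cannot be confused; if it really is the global key, the field to use is `apiKeySecretRef`.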
--- kubernetes/utility/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ExternalSecret: cert-manager/cloudflare-secret
+++ kubernetes/utility/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ExternalSecret: cert-manager/cloudflare-secret
@@ -1,23 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- labels:
- app.kubernetes.io/name: cert-manager-issuers
- kustomize.toolkit.fluxcd.io/name: cert-manager-issuers
- kustomize.toolkit.fluxcd.io/namespace: cert-manager
- name: cloudflare-secret
- namespace: cert-manager
-spec:
- dataFrom:
- - extract:
- key: cloudflare
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword
- target:
- name: cloudflare-secret
- template:
- data:
- CLOUDFLARE_API_KEY: '{{ .CLOUDFLARE_API_KEY }}'
-
--- kubernetes/utility/apps/external-secrets/onepassword/stores Kustomization: external-secrets/onepassword-store ClusterSecretStore: external-secrets/onepassword
+++ kubernetes/utility/apps/external-secrets/onepassword/stores Kustomization: external-secrets/onepassword-store ClusterSecretStore: external-secrets/onepassword
@@ -1,23 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
- labels:
- app.kubernetes.io/name: onepassword-store
- kustomize.toolkit.fluxcd.io/name: onepassword-store
- kustomize.toolkit.fluxcd.io/namespace: external-secrets
- name: onepassword
- namespace: external-secrets
-spec:
- provider:
- onepassword:
- auth:
- secretRef:
- connectTokenSecretRef:
- key: token
- name: onepassword
- namespace: external-secrets
- connectHost: http://onepassword.external-secrets.svc.cluster.local
- vaults:
- Kubernetes: 1
-
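Review bot: `connectHost` is plain `http://` to the 1Password Connect service, so every secret that external-secrets pulls, and the Connect token it presents, cross the pod network unencrypted; that is acceptable only if the CNI encrypts traffic or network policy keeps other workloads off that Service. Restricting the store to `vaults: Kubernetes: 1` is the right scope, and the token source (`onepassword` Secret, key `token`, namespace `external-secrets`) matches the release hunk above.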
--- kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: cert-manager/cert-manager
+++ kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: cert-manager/cert-manager
@@ -9,16 +9,16 @@
namespace: cert-manager
spec:
commonMetadata:
labels:
app.kubernetes.io/name: cert-manager
interval: 30m
- path: ./kubernetes/utility/apps/cert-manager/cert-manager/app
+ path: ./kubernetes/shared/apps/cert-manager/cert-manager/app
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: cert-manager
timeout: 5m
- wait: true
+ wait: false
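Review bot: changing `wait: true` to `wait: false` makes this Kustomization report Ready as soon as the cert-manager objects are applied, not once the webhook and CRDs are serving, so anything that lists cert-manager in `dependsOn` proceeds early. The issuers hunk below drops that dependency altogether, so the PR description should state how a fresh bootstrap is expected to order cert-manager before the ClusterIssuers.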
--- kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: cert-manager/cert-manager-issuers
+++ kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: cert-manager/cert-manager-issuers
@@ -9,16 +9,16 @@
namespace: cert-manager
spec:
commonMetadata:
labels:
app.kubernetes.io/name: cert-manager-issuers
dependsOn:
- - name: cert-manager
- namespace: cert-manager
+ - name: onepassword-store
+ namespace: external-secrets
interval: 30m
- path: ./kubernetes/utility/apps/cert-manager/cert-manager/issuers
+ path: ./kubernetes/shared/apps/cert-manager/cert-manager/issuers
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: cert-manager
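Review bot: the `dependsOn` edit replaces `cert-manager` with `onepassword-store` instead of adding it, so the ClusterIssuer objects this Kustomization applies can be reconciled before the cert-manager CRDs exist (and it now also depends on a Kustomization whose own `wait` was just relaxed). Adding the store dependency is right, since the `cloudflare-secret` ExternalSecret needs it, but keep both entries: `- name: cert-manager` / `namespace: cert-manager` alongside the new one.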
--- kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: cert-manager/cert-manager-tls
+++ kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: cert-manager/cert-manager-tls
@@ -14,13 +14,13 @@
dependsOn:
- name: cert-manager-issuers
namespace: cert-manager
- name: onepassword-store
namespace: external-secrets
interval: 30m
- path: ./kubernetes/utility/apps/cert-manager/cert-manager/tls
+ path: ./kubernetes/shared/apps/cert-manager/cert-manager/tls
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: cert-manager
--- kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/external-secrets
+++ kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/external-secrets
@@ -9,13 +9,13 @@
namespace: external-secrets
spec:
commonMetadata:
labels:
app.kubernetes.io/name: external-secrets
interval: 30m
- path: ./kubernetes/utility/apps/external-secrets/external-secrets/app
+ path: ./kubernetes/shared/apps/external-secrets/external-secrets/app
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: external-secrets
--- kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/onepassword
+++ kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/onepassword
@@ -9,13 +9,13 @@
namespace: external-secrets
spec:
commonMetadata:
labels:
app.kubernetes.io/name: onepassword
interval: 30m
- path: ./kubernetes/utility/apps/external-secrets/onepassword/app
+ path: ./kubernetes/shared/apps/external-secrets/onepassword/app
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: external-secrets
--- kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/onepassword-store
+++ kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/onepassword-store
@@ -12,13 +12,13 @@
labels:
app.kubernetes.io/name: onepassword-store
dependsOn:
- name: onepassword
namespace: external-secrets
interval: 30m
- path: ./kubernetes/utility/apps/external-secrets/onepassword/stores
+ path: ./kubernetes/shared/apps/external-secrets/onepassword/stores
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: external-secrets
--- kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/capacitor
+++ kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/capacitor
@@ -1,29 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: cluster-apps
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: capacitor
- namespace: flux-system
-spec:
- commonMetadata:
- labels:
- app.kubernetes.io/name: capacitor
- components:
- - ../../../../../shared/meta/components/gatus/guarded
- interval: 30m
- path: ./kubernetes/utility/apps/flux-system/capacitor/app
- postBuild:
- substitute:
- APP: capacitor
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- targetNamespace: flux-system
- timeout: 15m
- wait: false
-
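Review bot: the `capacitor` Kustomization is removed outright and nothing in this diff adds a shared-path counterpart for it, which goes beyond the "centralize" scope of the PR. If dropping Capacitor from the utility cluster is intended, say so in the description; otherwise it needs a shared-path entry like the other apps that were moved.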
--- kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/flux-operator
+++ kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/flux-operator
@@ -9,13 +9,13 @@
namespace: flux-system
spec:
commonMetadata:
labels:
app.kubernetes.io/name: flux-operator
interval: 30m
- path: ./kubernetes/utility/apps/flux-system/flux-operator/app
+ path: ./kubernetes/shared/apps/flux-system/flux-operator/app
prune: false
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: flux-system
--- kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/flux-instance
+++ kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/flux-instance
@@ -9,13 +9,18 @@
namespace: flux-system
spec:
commonMetadata:
labels:
app.kubernetes.io/name: flux-instance
interval: 30m
- path: ./kubernetes/utility/apps/flux-system/flux-operator/instance
+ path: ./kubernetes/shared/apps/flux-system/flux-operator/instance
+ postBuild:
+ substitute:
+ CLUSTER: utility
+ TOKEN_KEY_NAME: FLUX_UTILITY_GITHUB_WEBHOOK_TOKEN
+ WEBHOOK_INGRESS: flux-webhook-utility
prune: false
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: flux-system
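Review bot: `CLUSTER`, `TOKEN_KEY_NAME` and `WEBHOOK_INGRESS` are now required inputs of the shared instance folder (they resolve to the Flux sync path, the 1Password field holding the webhook token and the Ingress host), so document them in that folder; a new cluster Kustomization that omits one will not render a valid cluster-specific manifest. Naming nit: `WEBHOOK_INGRESS` carries a hostname prefix, not an Ingress, so something like `WEBHOOK_HOST` would read more accurately.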
--- kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/weave-gitops
+++ kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/weave-gitops
@@ -9,13 +9,29 @@
namespace: flux-system
spec:
commonMetadata:
labels:
app.kubernetes.io/name: weave-gitops
interval: 30m
- path: ./kubernetes/utility/apps/flux-system/weave-gitops/app
+ patches:
+ - patch: |-
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: weave-gitops
+ spec:
+ values:
+ ingress:
+ hosts:
+ - host: gitops-utility.jory.dev
+ rbac:
+ additionalRules:
+ - apiGroups: [ "infra.contrib.fluxcd.io" ]
+ resources: [ "terraforms" ]
+ verbs: [ "get", "list", "patch" ]
+ path: ./kubernetes/shared/apps/flux-system/weave-gitops/app
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: flux-system
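Review bot: the inline strategic-merge patch hard-codes `gitops-utility.jory.dev` and the Terraform RBAC rules per cluster, while the flux-instance Kustomization in this same PR handles cluster-specific values with `postBuild.substitute` (`CLUSTER: utility`). A `${CLUSTER}` in the shared HelmRelease's `ingress.hosts` would keep one mechanism for per-cluster values; and if the `infra.contrib.fluxcd.io` rules are wanted on every cluster, they belong in the shared base rather than in each cluster's patch.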
--- kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: kube-tools/reloader
+++ kubernetes/utility/apps Kustomization: flux-system/cluster-apps Kustomization: kube-tools/reloader
@@ -9,13 +9,13 @@
namespace: kube-tools
spec:
commonMetadata:
labels:
app.kubernetes.io/name: reloader
interval: 30m
- path: ./kubernetes/utility/apps/kube-tools/reloader/app
+ path: ./kubernetes/shared/apps/kube-tools/reloader/app
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: kube-tools
--- kubernetes/utility/apps/cert-manager/cert-manager/tls Kustomization: cert-manager/cert-manager-tls Certificate: cert-manager/jory.dev
+++ kubernetes/utility/apps/cert-manager/cert-manager/tls Kustomization: cert-manager/cert-manager-tls Certificate: cert-manager/jory.dev
@@ -1,20 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- labels:
- app.kubernetes.io/name: cert-manager-tls
- kustomize.toolkit.fluxcd.io/name: cert-manager-tls
- kustomize.toolkit.fluxcd.io/namespace: cert-manager
- name: jory.dev
- namespace: cert-manager
-spec:
- commonName: jory.dev
- dnsNames:
- - jory.dev
- - '*.jory.dev'
- issuerRef:
- kind: ClusterIssuer
- name: letsencrypt-production
- secretName: jory.dev-tls
-
--- kubernetes/utility/apps/cert-manager/cert-manager/tls Kustomization: cert-manager/cert-manager-tls PushSecret: cert-manager/${CLUSTER}-cluster-tls
+++ kubernetes/utility/apps/cert-manager/cert-manager/tls Kustomization: cert-manager/cert-manager-tls PushSecret: cert-manager/${CLUSTER}-cluster-tls
@@ -1,34 +0,0 @@
----
-apiVersion: external-secrets.io/v1alpha1
-kind: PushSecret
-metadata:
- labels:
- app.kubernetes.io/name: cert-manager-tls
- kustomize.toolkit.fluxcd.io/name: cert-manager-tls
- kustomize.toolkit.fluxcd.io/namespace: cert-manager
- name: ${CLUSTER}-cluster-tls
- namespace: cert-manager
-spec:
- data:
- - match:
- remoteRef:
- property: tls.crt
- remoteKey: ${CLUSTER}-cluster-tls
- secretKey: tls.crt
- - match:
- remoteRef:
- property: tls.key
- remoteKey: ${CLUSTER}-cluster-tls
- secretKey: tls.key
- secretStoreRefs:
- - kind: ClusterSecretStore
- name: onepassword
- selector:
- secret:
- name: jory.dev-tls
- template:
- data:
- tls.crt: '{{ index . "tls.crt" | b64enc }}'
- tls.key: '{{ index . "tls.key" | b64enc }}'
- engineVersion: v2
-
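Review bot: this PushSecret depends on `${CLUSTER}` for both `metadata.name` and `remoteKey`, so if it lives on in the shared tls folder, the `cert-manager-tls` Kustomization must supply that variable via `postBuild.substitute`; the context shown for that Kustomization does not include one. Please confirm it is set, otherwise the item pushed to 1Password will not carry the cluster name.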
--- kubernetes/shared/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator HelmRelease: flux-system/flux-operator
+++ kubernetes/shared/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator HelmRelease: flux-system/flux-operator
@@ -0,0 +1,32 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-operator
+ kustomize.toolkit.fluxcd.io/name: flux-operator
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: flux-operator
+ namespace: flux-system
+spec:
+ chart:
+ spec:
+ chart: flux-operator
+ sourceRef:
+ kind: HelmRepository
+ name: controlplaneio
+ namespace: flux-system
+ version: 0.13.0
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ valuesFrom:
+ - kind: ConfigMap
+ name: flux-operator-helm-values-fb7h5gm7k8
+
--- kubernetes/shared/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator ConfigMap: flux-system/flux-operator-helm-values-fb7h5gm7k8
+++ kubernetes/shared/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator ConfigMap: flux-system/flux-operator-helm-values-fb7h5gm7k8
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ serviceMonitor:
+ create: true
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-operator
+ kustomize.toolkit.fluxcd.io/name: flux-operator
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: flux-operator-helm-values-fb7h5gm7k8
+ namespace: flux-system
+
--- kubernetes/shared/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager HelmRelease: cert-manager/cert-manager
+++ kubernetes/shared/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager HelmRelease: cert-manager/cert-manager
@@ -0,0 +1,32 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager
+ kustomize.toolkit.fluxcd.io/name: cert-manager
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: cert-manager
+ namespace: cert-manager
+spec:
+ chart:
+ spec:
+ chart: cert-manager
+ sourceRef:
+ kind: HelmRepository
+ name: jetstack
+ namespace: flux-system
+ version: v1.16.3
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ valuesFrom:
+ - kind: ConfigMap
+ name: cert-manager-helm-values-hgg6hf7kh2
+
--- kubernetes/shared/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager PrometheusRule: cert-manager/cert-manager-rules
+++ kubernetes/shared/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager PrometheusRule: cert-manager/cert-manager-rules
@@ -0,0 +1,68 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager
+ kustomize.toolkit.fluxcd.io/name: cert-manager
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: cert-manager-rules
+ namespace: cert-manager
+spec:
+ groups:
+ - name: cert-manager
+ rules:
+ - alert: CertManagerAbsent
+ annotations:
+ description: New certificates will not be able to be minted, and existing
+ ones can't be renewed until cert-manager is back.
+ runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent
+ summary: Cert Manager has dissapeared from Prometheus service discovery.
+ expr: |
+ absent(up{job="cert-manager"})
+ for: 15m
+ labels:
+ severity: critical
+ - name: certificates
+ rules:
+ - alert: CertManagerCertExpirySoon
+ annotations:
+ description: The domain that this cert covers will be unavailable after {{
+ $value | humanizeDuration }}. Clients using endpoints that this cert protects
+ will start to fail in {{ $value | humanizeDuration }}.
+ runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon
+ summary: The cert {{ $labels.name }} is {{ $value | humanizeDuration }} from
+ expiry, it should have renewed over a week ago.
+ expr: |
+ avg by (exported_namespace, namespace, name) (
+ certmanager_certificate_expiration_timestamp_seconds - time())
+ < (21 * 24 * 3600)
+ for: 15m
+ labels:
+ severity: warning
+ - alert: CertManagerCertNotReady
+ annotations:
+ description: This certificate has not been ready to serve traffic for at least
+ 15m. If the cert is being renewed or there is another valid cert, the ingress
+ controller _may_ be able to serve that instead.
+ runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready
+ summary: The cert {{ $labels.name }} is not ready to serve traffic.
+ expr: |
+ max by (name, exported_namespace, namespace, condition) (
+ certmanager_certificate_ready_status{condition!="True"} == 1)
+ for: 15m
+ labels:
+ severity: critical
+ - alert: CertManagerHittingRateLimits
+ annotations:
+ description: Depending on the rate limit, cert-manager may be unable to generate
+ certificates for up to a week.
+ runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits
+ summary: Cert manager hitting LetsEncrypt rate limits.
+ expr: |
+ sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m]))
+ > 0
+ for: 15m
+ labels:
+ severity: critical
+
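Review bot: typo in the `CertManagerAbsent` summary: `dissapeared` should be `disappeared`. Since this rule file is now shared across clusters, it is worth fixing once here.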
--- kubernetes/shared/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager ConfigMap: cert-manager/cert-manager-helm-values-hgg6hf7kh2
+++ kubernetes/shared/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager ConfigMap: cert-manager/cert-manager-helm-values-hgg6hf7kh2
@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ crds:
+ enabled: true
+ replicaCount: 1
+ dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
+ dns01RecursiveNameserversOnly: true
+ prometheus:
+ enabled: true
+ servicemonitor:
+ enabled: true
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager
+ kustomize.toolkit.fluxcd.io/name: cert-manager
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: cert-manager-helm-values-hgg6hf7kh2
+ namespace: cert-manager
+
--- kubernetes/shared/apps/external-secrets/onepassword/app Kustomization: external-secrets/onepassword HelmRelease: external-secrets/onepassword
+++ kubernetes/shared/apps/external-secrets/onepassword/app Kustomization: external-secrets/onepassword HelmRelease: external-secrets/onepassword
@@ -0,0 +1,144 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: onepassword
+ kustomize.toolkit.fluxcd.io/name: onepassword
+ kustomize.toolkit.fluxcd.io/namespace: external-secrets
+ name: onepassword
+ namespace: external-secrets
+spec:
+ chart:
+ spec:
+ chart: app-template
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ version: 3.6.1
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ controllers:
+ onepassword:
+ annotations:
+ reloader.stakater.com/auto: 'true'
+ containers:
+ api:
+ env:
+ OP_BUS_PEERS: localhost:11221
+ OP_BUS_PORT: 11220
+ OP_HTTP_PORT: 80
+ OP_SESSION:
+ valueFrom:
+ secretKeyRef:
+ key: 1password-credentials.json
+ name: onepassword
+ XDG_DATA_HOME: /config
+ image:
+ repository: docker.io/1password/connect-api
+ tag: 1.7.3@sha256:0601c7614e102eada268dbda6ba4b5886ce77713be2c332ec6a2fd0f028484ba
+ probes:
+ liveness:
+ custom: true
+ enabled: true
+ spec:
+ failureThreshold: 3
+ httpGet:
+ path: /heartbeat
+ port: 80
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ readiness:
+ custom: true
+ enabled: true
+ spec:
+ httpGet:
+ path: /health
+ port: 80
+ initialDelaySeconds: 15
+ resources:
+ limits:
+ memory: 256M
+ requests:
+ cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ sync:
+ env:
+ OP_BUS_PEERS: localhost:11220
+ OP_BUS_PORT: 11221
+ OP_HTTP_PORT: 8081
+ OP_SESSION:
+ valueFrom:
+ secretKeyRef:
+ key: 1password-credentials.json
+ name: onepassword
+ XDG_DATA_HOME: /config
+ image:
+ repository: docker.io/1password/connect-sync
+ tag: 1.7.3@sha256:2f17621c7eb27bbcb1f86bbc5e5a5198bf54ac3b9c2ffac38064d03c932b07d5
+ probes:
+ liveness:
+ custom: true
+ enabled: true
+ spec:
+ failureThreshold: 3
+ httpGet:
+ path: /heartbeat
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ readiness:
+ custom: true
+ enabled: true
+ spec:
+ httpGet:
+ path: /health
+ port: 8081
+ initialDelaySeconds: 15
+ resources:
+ limits:
+ memory: 256M
+ requests:
+ cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ strategy: RollingUpdate
+ defaultPodOptions:
+ securityContext:
+ fsGroup: 999
+ fsGroupChangePolicy: OnRootMismatch
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 999
+ seccompProfile:
+ type: RuntimeDefault
+ persistence:
+ config:
+ globalMounts:
+ - path: /config
+ type: emptyDir
+ service:
+ app:
+ controller: onepassword
+ ports:
+ http:
+ port: 80
+
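Review bot: the Connect API is published on `service.app` port 80 over plain HTTP and the ClusterSecretStore reaches it at `http://onepassword.external-secrets.svc.cluster.local`, so possession of the connect token is the only thing between any in-cluster workload and the vault; nothing in this diff adds a NetworkPolicy for the namespace, so consider one that limits ingress to the external-secrets controller pods. The pod hardening itself (uid/gid 999 with `runAsNonRoot`, all capabilities dropped, read-only root filesystem, digest-pinned images) looks good.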
--- kubernetes/shared/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets HelmRelease: external-secrets/external-secrets
+++ kubernetes/shared/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets HelmRelease: external-secrets/external-secrets
@@ -0,0 +1,32 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: external-secrets
+ kustomize.toolkit.fluxcd.io/name: external-secrets
+ kustomize.toolkit.fluxcd.io/namespace: external-secrets
+ name: external-secrets
+ namespace: external-secrets
+spec:
+ chart:
+ spec:
+ chart: external-secrets
+ sourceRef:
+ kind: HelmRepository
+ name: external-secrets
+ namespace: flux-system
+ version: 0.13.0
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ valuesFrom:
+ - kind: ConfigMap
+ name: external-secrets-helm-values-h9g78hg67k
+
--- kubernetes/shared/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets ConfigMap: external-secrets/external-secrets-helm-values-h9g78hg67k
+++ kubernetes/shared/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets ConfigMap: external-secrets/external-secrets-helm-values-h9g78hg67k
@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ installCRDs: true
+ replicaCount: 1
+ leaderElect: true
+ image:
+ repository: ghcr.io/external-secrets/external-secrets
+ webhook:
+ image:
+ repository: ghcr.io/external-secrets/external-secrets
+ serviceMonitor:
+ enabled: true
+ interval: 1m
+ certController:
+ image:
+ repository: ghcr.io/external-secrets/external-secrets
+ serviceMonitor:
+ enabled: true
+ interval: 1m
+ serviceMonitor:
+ enabled: true
+ interval: 1m
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: external-secrets
+ kustomize.toolkit.fluxcd.io/name: external-secrets
+ kustomize.toolkit.fluxcd.io/namespace: external-secrets
+ name: external-secrets-helm-values-h9g78hg67k
+ namespace: external-secrets
+
--- kubernetes/shared/apps/kube-tools/reloader/app Kustomization: kube-tools/reloader HelmRelease: kube-tools/reloader
+++ kubernetes/shared/apps/kube-tools/reloader/app Kustomization: kube-tools/reloader HelmRelease: kube-tools/reloader
@@ -0,0 +1,36 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: reloader
+ kustomize.toolkit.fluxcd.io/name: reloader
+ kustomize.toolkit.fluxcd.io/namespace: kube-tools
+ name: reloader
+ namespace: kube-tools
+spec:
+ chart:
+ spec:
+ chart: reloader
+ sourceRef:
+ kind: HelmRepository
+ name: stakater
+ namespace: flux-system
+ version: 1.2.1
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ fullnameOverride: reloader
+ reloader:
+ podMonitor:
+ enabled: true
+ namespace: '{{ .Release.Namespace }}'
+ readOnlyRootFileSystem: true
+
--- kubernetes/shared/apps/flux-system/weave-gitops/app Kustomization: flux-system/weave-gitops ExternalSecret: flux-system/cluster-user-auth
+++ kubernetes/shared/apps/flux-system/weave-gitops/app Kustomization: flux-system/weave-gitops ExternalSecret: flux-system/cluster-user-auth
@@ -0,0 +1,24 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: weave-gitops
+ kustomize.toolkit.fluxcd.io/name: weave-gitops
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cluster-user-auth
+ namespace: flux-system
+spec:
+ dataFrom:
+ - extract:
+ key: weave-gitops
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword
+ target:
+ name: cluster-user-auth
+ template:
+ data:
+ password: '{{ .WEAVE_PASS_ENCODED }}'
+ username: '{{ .WEAVE_USER }}'
+
--- kubernetes/shared/apps/flux-system/weave-gitops/app Kustomization: flux-system/weave-gitops HelmRelease: flux-system/weave-gitops
+++ kubernetes/shared/apps/flux-system/weave-gitops/app Kustomization: flux-system/weave-gitops HelmRelease: flux-system/weave-gitops
@@ -0,0 +1,56 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: weave-gitops
+ kustomize.toolkit.fluxcd.io/name: weave-gitops
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: weave-gitops
+ namespace: flux-system
+spec:
+ chart:
+ spec:
+ chart: weave-gitops
+ sourceRef:
+ kind: HelmRepository
+ name: weave-gitops
+ namespace: flux-system
+ version: 4.0.36
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ adminUser:
+ create: true
+ createSecret: false
+ username: admin
+ ingress:
+ className: internal
+ enabled: true
+ hosts:
+ - host: gitops-utility.jory.dev
+ metrics:
+ enabled: true
+ networkPolicy:
+ create: false
+ podAnnotations:
+ secret.reloader.stakater.com/reload: cluster-user-auth
+ rbac:
+ additionalRules:
+ - apiGroups:
+ - infra.contrib.fluxcd.io
+ resources:
+ - terraforms
+ verbs:
+ - get
+ - list
+ - patch
+ create: true
+
--- kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance HelmRelease: flux-system/flux-instance
+++ kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance HelmRelease: flux-system/flux-instance
@@ -0,0 +1,35 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: flux-instance
+ namespace: flux-system
+spec:
+ chart:
+ spec:
+ chart: flux-instance
+ sourceRef:
+ kind: HelmRepository
+ name: controlplaneio
+ namespace: flux-system
+ version: 0.13.0
+ dependsOn:
+ - name: flux-operator
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ valuesFrom:
+ - kind: ConfigMap
+ name: flux-instance-helm-values-222gc8mgd9
+
--- kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance PrometheusRule: flux-system/flux-instance-rules
+++ kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance PrometheusRule: flux-system/flux-instance-rules
@@ -0,0 +1,34 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: flux-instance-rules
+ namespace: flux-system
+spec:
+ groups:
+ - name: flux-instance.rules
+ rules:
+ - alert: FluxInstanceAbsent
+ annotations:
+ description: |
+ The flux_instance_info metric for the Flux instance in namespace {{ $labels.exported_namespace }} is not available.
+ summary: Flux instance metric is missing
+ expr: absent(flux_instance_info{exported_namespace="flux-system", name="flux"})
+ for: 15m
+ labels:
+ severity: critical
+ - alert: FluxInstanceNotReady
+ annotations:
+ description: |
+ The Flux instance in namespace {{ $labels.exported_namespace }} is not ready.
+ Reason: {{ $labels.reason }}
+ summary: Flux instance {{ $labels.name }} is not ready
+ expr: flux_instance_info{exported_namespace="flux-system", name="flux", ready!="True"}
+ for: 15m
+ labels:
+ severity: critical
+
--- kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ExternalSecret: flux-system/github-webhook-token
+++ kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ExternalSecret: flux-system/github-webhook-token
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: github-webhook-token
+ namespace: flux-system
+spec:
+ dataFrom:
+ - extract:
+ key: flux
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword
+ target:
+ name: github-webhook-token
+ template:
+ data:
+ token: '{{ .FLUX_UTILITY_GITHUB_WEBHOOK_TOKEN }}'
+
--- kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Ingress: flux-system/webhook-receiver
+++ kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Ingress: flux-system/webhook-receiver
@@ -0,0 +1,24 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: webhook-receiver
+ namespace: flux-system
+spec:
+ ingressClassName: external
+ rules:
+ - host: flux-webhook-utility.jory.dev
+ http:
+ paths:
+ - backend:
+ service:
+ name: webhook-receiver
+ port:
+ number: 80
+ path: /hook/
+ pathType: Prefix
+
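Review bot: the `webhook-receiver` Ingress is on the `external` class with no `tls:` section, so it relies on the ingress controller's default certificate for `flux-webhook-utility.jory.dev`; confirm that default exists (the wildcard `jory.dev-tls` Certificate being moved in this PR would cover it), otherwise GitHub's deliveries to that host fail certificate validation. Limiting the path to `/hook/` is fine, since the Receiver validates the payload signature with `github-webhook-token`.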
--- kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Receiver: flux-system/home-ops
+++ kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Receiver: flux-system/home-ops
@@ -0,0 +1,27 @@
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: home-ops
+ namespace: flux-system
+spec:
+ events:
+ - ping
+ - push
+ resources:
+ - apiVersion: source.toolkit.fluxcd.io/v1
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ - apiVersion: kustomize.toolkit.fluxcd.io/v1
+ kind: Kustomization
+ name: flux-system
+ namespace: flux-system
+ secretRef:
+ name: github-webhook-token
+ type: github
+
--- kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ConfigMap: flux-system/flux-instance-helm-values-222gc8mgd9
+++ kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ConfigMap: flux-system/flux-instance-helm-values-222gc8mgd9
@@ -0,0 +1,117 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ instance:
+ distribution:
+ # renovate: datasource=github-releases depName=fluxcd/flux2
+ version: 2.4.0
+ cluster:
+ networkPolicy: false
+ components:
+ - source-controller
+ - kustomize-controller
+ - helm-controller
+ - notification-controller
+ sync:
+ kind: GitRepository
+ name: flux-system
+ url: https://github.com/joryirving/home-ops.git
+ ref: refs/heads/main
+ path: kubernetes/utility/flux/cluster
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: flux
+ kustomize:
+ patches:
+ - # Add Sops decryption to 'flux-system' Kustomization
+ patch: |
+ - op: add
+ path: /spec/decryption
+ value:
+ provider: sops
+ secretRef:
+ name: sops-age
+ target:
+ group: kustomize.toolkit.fluxcd.io
+ kind: Kustomization
+ - # Increase the number of workers
+ patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --concurrent=10
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --requeue-dependency=5s
+ target:
+ kind: Deployment
+ name: (kustomize-controller|helm-controller|source-controller)
+ - # Increase the memory limits
+ patch: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: all
+ spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ resources:
+ limits:
+ memory: 2Gi
+ target:
+ kind: Deployment
+ name: (kustomize-controller|helm-controller|source-controller)
+ - # Enable in-memory kustomize builds
+ patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --concurrent=20
+ - op: replace
+ path: /spec/template/spec/volumes/0
+ value:
+ name: temp
+ emptyDir:
+ medium: Memory
+ target:
+ kind: Deployment
+ name: kustomize-controller
+ - # Enable Helm repositories caching
+ patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --helm-cache-max-size=10
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --helm-cache-ttl=60m
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --helm-cache-purge-interval=5m
+ target:
+ kind: Deployment
+ name: source-controller
+ # Flux near OOM detection for Helm
+ - patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --feature-gates=OOMWatch=true
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --oom-watch-memory-threshold=95
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --oom-watch-interval=500ms
+ target:
+ kind: Deployment
+ name: helm-controller
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: flux-instance-helm-values-222gc8mgd9
+ namespace: flux-system
+
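Review bot: kustomize-controller ends up with two `--concurrent` flags: the "Increase the number of workers" patch adds `--concurrent=10` to all three controllers (its target regex includes kustomize-controller) and the "Enable in-memory kustomize builds" patch adds `--concurrent=20` to kustomize-controller again; the last occurrence wins, but the intent is unclear, so either scope the first patch to `(helm-controller|source-controller)` or drop the second flag. Also, `cluster.networkPolicy: false` disables the default Flux network policies that restrict access to the controllers in `flux-system`, which matters more now that the notification-controller receiver is published through an external Ingress; if that is deliberate, a comment next to it would help. Style nit: the OOMWatch patch puts its comment above the list item while the others use `- # comment`.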
--- kubernetes/shared/apps/external-secrets/onepassword/stores Kustomization: external-secrets/onepassword-store ClusterSecretStore: external-secrets/onepassword
+++ kubernetes/shared/apps/external-secrets/onepassword/stores Kustomization: external-secrets/onepassword-store ClusterSecretStore: external-secrets/onepassword
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ labels:
+ app.kubernetes.io/name: onepassword-store
+ kustomize.toolkit.fluxcd.io/name: onepassword-store
+ kustomize.toolkit.fluxcd.io/namespace: external-secrets
+ name: onepassword
+ namespace: external-secrets
+spec:
+ provider:
+ onepassword:
+ auth:
+ secretRef:
+ connectTokenSecretRef:
+ key: token
+ name: onepassword
+ namespace: external-secrets
+ connectHost: http://onepassword.external-secrets.svc.cluster.local
+ vaults:
+ Kubernetes: 1
+
--- kubernetes/shared/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-production
+++ kubernetes/shared/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-production
@@ -0,0 +1,27 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager-issuers
+ kustomize.toolkit.fluxcd.io/name: cert-manager-issuers
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: letsencrypt-production
+ namespace: cert-manager
+spec:
+ acme:
+ email: jory@jory.dev
+ privateKeySecretRef:
+ name: letsencrypt-production
+ server: https://acme-v02.api.letsencrypt.org/directory
+ solvers:
+ - dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ key: CLOUDFLARE_API_KEY
+ name: cloudflare-secret
+ email: jory@jory.dev
+ selector:
+ dnsZones:
+ - jory.dev
+
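Review bot: the Cloudflare solver mixes the two credential styles: `apiTokenSecretRef` is paired with a key named `CLOUDFLARE_API_KEY` and an `email` field. `email` is only consumed together with `apiKeySecretRef` (the account-wide Global API Key); with an API token it is ignored. If the 1Password field holds a scoped token, drop `email` and consider renaming the key to `CLOUDFLARE_API_TOKEN` so the next reader does not have to guess; if it holds the Global API Key, this solver would fail, and the fix should be a token scoped to DNS edit on the single zone rather than switching to `apiKeySecretRef`. The `selector.dnsZones: [jory.dev]` restriction is correct and should stay.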
--- kubernetes/shared/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-staging
+++ kubernetes/shared/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-staging
@@ -0,0 +1,27 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager-issuers
+ kustomize.toolkit.fluxcd.io/name: cert-manager-issuers
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: letsencrypt-staging
+ namespace: cert-manager
+spec:
+ acme:
+ email: jory@jory.dev
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ solvers:
+ - dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ key: CLOUDFLARE_API_KEY
+ name: cloudflare-secret
+ email: jory@jory.dev
+ selector:
+ dnsZones:
+ - jory.dev
+
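Review bot: same `email` plus `apiTokenSecretRef` mix as in the production issuer, and both issuers read the same `cloudflare-secret`, so whatever key name and credential type is settled on there needs to be mirrored here in the same change.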
--- kubernetes/shared/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ExternalSecret: cert-manager/cloudflare-secret
+++ kubernetes/shared/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ExternalSecret: cert-manager/cloudflare-secret
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager-issuers
+ kustomize.toolkit.fluxcd.io/name: cert-manager-issuers
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: cloudflare-secret
+ namespace: cert-manager
+spec:
+ dataFrom:
+ - extract:
+ key: cloudflare
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword
+ target:
+ name: cloudflare-secret
+ template:
+ data:
+ CLOUDFLARE_API_KEY: '{{ .CLOUDFLARE_API_KEY }}'
+
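Review bot: worth a comment in the file that the `template.data` block is intentional: `dataFrom.extract` pulls every field of the 1Password `cloudflare` item, but because the target template's default merge policy replaces rather than merges, the generated Secret ends up containing only `CLOUDFLARE_API_KEY`. That is the scope you want for a Secret mounted into cert-manager; without the comment, a future edit that drops the template would silently widen it.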
--- kubernetes/shared/apps/cert-manager/cert-manager/tls Kustomization: cert-manager/cert-manager-tls Certificate: cert-manager/jory.dev
+++ kubernetes/shared/apps/cert-manager/cert-manager/tls Kustomization: cert-manager/cert-manager-tls Certificate: cert-manager/jory.dev
@@ -0,0 +1,20 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager-tls
+ kustomize.toolkit.fluxcd.io/name: cert-manager-tls
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: jory.dev
+ namespace: cert-manager
+spec:
+ commonName: jory.dev
+ dnsNames:
+ - jory.dev
+ - '*.jory.dev'
+ issuerRef:
+ kind: ClusterIssuer
+ name: letsencrypt-production
+ secretName: jory.dev-tls
+
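Review bot: no `spec.privateKey.rotationPolicy` is set on this wildcard certificate, and with cert-manager v1.16.3 (the version pinned elsewhere in this diff) the default is `Never`, so the same private key is reused across every 90-day renewal. Because the PushSecret in the next hunk copies `tls.key` out of the cluster into 1Password, a long-lived key is the worst case here; add `privateKey: { rotationPolicy: Always }` so a renewal also retires the exported key.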
--- kubernetes/shared/apps/cert-manager/cert-manager/tls Kustomization: cert-manager/cert-manager-tls PushSecret: cert-manager/${CLUSTER}-cluster-tls
+++ kubernetes/shared/apps/cert-manager/cert-manager/tls Kustomization: cert-manager/cert-manager-tls PushSecret: cert-manager/${CLUSTER}-cluster-tls
@@ -0,0 +1,34 @@
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager-tls
+ kustomize.toolkit.fluxcd.io/name: cert-manager-tls
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: ${CLUSTER}-cluster-tls
+ namespace: cert-manager
+spec:
+ data:
+ - match:
+ remoteRef:
+ property: tls.crt
+ remoteKey: ${CLUSTER}-cluster-tls
+ secretKey: tls.crt
+ - match:
+ remoteRef:
+ property: tls.key
+ remoteKey: ${CLUSTER}-cluster-tls
+ secretKey: tls.key
+ secretStoreRefs:
+ - kind: ClusterSecretStore
+ name: onepassword
+ selector:
+ secret:
+ name: jory.dev-tls
+ template:
+ data:
+ tls.crt: '{{ index . "tls.crt" | b64enc }}'
+ tls.key: '{{ index . "tls.key" | b64enc }}'
+ engineVersion: v2
+ |
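Review bot: this turns the `onepassword` store into a write path for the wildcard private key: the Connect token behind the ClusterSecretStore must now have write access to the vault, and anything with read access to the vault can recover `tls.key` for `*.jory.dev`. Please confirm the token's vault scope is limited to the `Kubernetes` vault and that consuming clusters pull `${CLUSTER}-cluster-tls` through a read-only ExternalSecret rather than the same store. Also verify `${CLUSTER}` is substituted via `postBuild` on every cluster that syncs the shared path; if it is missing on one of them, both clusters write to one remote item and overwrite each other's key. The trailing `+ |` line at the end of the hunk looks like a stray character; check the source file does not actually contain it.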
--- kubernetes/main/apps/external-secrets/onepassword/app Kustomization: external-secrets/onepassword HelmRelease: external-secrets/onepassword
+++ kubernetes/main/apps/external-secrets/onepassword/app Kustomization: external-secrets/onepassword HelmRelease: external-secrets/onepassword
@@ -1,144 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: onepassword
- kustomize.toolkit.fluxcd.io/name: onepassword
- kustomize.toolkit.fluxcd.io/namespace: external-secrets
- name: onepassword
- namespace: external-secrets
-spec:
- chart:
- spec:
- chart: app-template
- sourceRef:
- kind: HelmRepository
- name: bjw-s
- namespace: flux-system
- version: 3.6.1
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- controllers:
- onepassword:
- annotations:
- reloader.stakater.com/auto: 'true'
- containers:
- api:
- env:
- OP_BUS_PEERS: localhost:11221
- OP_BUS_PORT: 11220
- OP_HTTP_PORT: 80
- OP_SESSION:
- valueFrom:
- secretKeyRef:
- key: 1password-credentials.json
- name: onepassword
- XDG_DATA_HOME: /config
- image:
- repository: docker.io/1password/connect-api
- tag: 1.7.3@sha256:0601c7614e102eada268dbda6ba4b5886ce77713be2c332ec6a2fd0f028484ba
- probes:
- liveness:
- custom: true
- enabled: true
- spec:
- failureThreshold: 3
- httpGet:
- path: /heartbeat
- port: 80
- initialDelaySeconds: 15
- periodSeconds: 30
- readiness:
- custom: true
- enabled: true
- spec:
- httpGet:
- path: /health
- port: 80
- initialDelaySeconds: 15
- resources:
- limits:
- memory: 256M
- requests:
- cpu: 10m
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- sync:
- env:
- OP_BUS_PEERS: localhost:11220
- OP_BUS_PORT: 11221
- OP_HTTP_PORT: 8081
- OP_SESSION:
- valueFrom:
- secretKeyRef:
- key: 1password-credentials.json
- name: onepassword
- XDG_DATA_HOME: /config
- image:
- repository: docker.io/1password/connect-sync
- tag: 1.7.3@sha256:2f17621c7eb27bbcb1f86bbc5e5a5198bf54ac3b9c2ffac38064d03c932b07d5
- probes:
- liveness:
- custom: true
- enabled: true
- spec:
- failureThreshold: 3
- httpGet:
- path: /heartbeat
- port: 8081
- initialDelaySeconds: 15
- periodSeconds: 30
- readiness:
- custom: true
- enabled: true
- spec:
- httpGet:
- path: /health
- port: 8081
- initialDelaySeconds: 15
- resources:
- limits:
- memory: 256M
- requests:
- cpu: 10m
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- strategy: RollingUpdate
- defaultPodOptions:
- securityContext:
- fsGroup: 999
- fsGroupChangePolicy: OnRootMismatch
- runAsGroup: 999
- runAsNonRoot: true
- runAsUser: 999
- seccompProfile:
- type: RuntimeDefault
- persistence:
- config:
- globalMounts:
- - path: /config
- type: emptyDir
- service:
- app:
- controller: onepassword
- ports:
- http:
- port: 80
-
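Review bot: the deleted manifest is where the hardening for 1Password Connect lived (`runAsNonRoot`/`runAsUser: 999`, `capabilities.drop: [ALL]`, `readOnlyRootFilesystem: true`, `emptyDir` for `/config`), and the shared copy that the later path rewrite to `./kubernetes/shared/apps/external-secrets/onepassword/app` points at is not part of this diff. Please confirm it is identical apart from location. Note also that the `onepassword` Secret with key `1password-credentials.json` referenced by `OP_SESSION` has to be bootstrapped per cluster (SOPS or otherwise), since the shared store cannot create its own credentials.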
--- kubernetes/main/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator HelmRelease: flux-system/flux-operator
+++ kubernetes/main/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator HelmRelease: flux-system/flux-operator
@@ -1,32 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: flux-operator
- kustomize.toolkit.fluxcd.io/name: flux-operator
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: flux-operator
- namespace: flux-system
-spec:
- chart:
- spec:
- chart: flux-operator
- sourceRef:
- kind: HelmRepository
- name: controlplaneio
- namespace: flux-system
- version: 0.13.0
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- valuesFrom:
- - kind: ConfigMap
- name: flux-operator-helm-values-fb7h5gm7k8
-
--- kubernetes/main/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator ConfigMap: flux-system/flux-operator-helm-values-fb7h5gm7k8
+++ kubernetes/main/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator ConfigMap: flux-system/flux-operator-helm-values-fb7h5gm7k8
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-data:
- values.yaml: |
- ---
- serviceMonitor:
- create: true
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: flux-operator
- kustomize.toolkit.fluxcd.io/name: flux-operator
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: flux-operator-helm-values-fb7h5gm7k8
- namespace: flux-system
-
--- kubernetes/main/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager HelmRelease: cert-manager/cert-manager
+++ kubernetes/main/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager HelmRelease: cert-manager/cert-manager
@@ -1,32 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: cert-manager
- kustomize.toolkit.fluxcd.io/name: cert-manager
- kustomize.toolkit.fluxcd.io/namespace: cert-manager
- name: cert-manager
- namespace: cert-manager
-spec:
- chart:
- spec:
- chart: cert-manager
- sourceRef:
- kind: HelmRepository
- name: jetstack
- namespace: flux-system
- version: v1.16.3
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- valuesFrom:
- - kind: ConfigMap
- name: cert-manager-helm-values-hgg6hf7kh2
-
--- kubernetes/main/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager PrometheusRule: cert-manager/cert-manager-rules
+++ kubernetes/main/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager PrometheusRule: cert-manager/cert-manager-rules
@@ -1,68 +0,0 @@
----
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
- labels:
- app.kubernetes.io/name: cert-manager
- kustomize.toolkit.fluxcd.io/name: cert-manager
- kustomize.toolkit.fluxcd.io/namespace: cert-manager
- name: cert-manager-rules
- namespace: cert-manager
-spec:
- groups:
- - name: cert-manager
- rules:
- - alert: CertManagerAbsent
- annotations:
- description: New certificates will not be able to be minted, and existing
- ones can't be renewed until cert-manager is back.
- runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent
- summary: Cert Manager has dissapeared from Prometheus service discovery.
- expr: |
- absent(up{job="cert-manager"})
- for: 15m
- labels:
- severity: critical
- - name: certificates
- rules:
- - alert: CertManagerCertExpirySoon
- annotations:
- description: The domain that this cert covers will be unavailable after {{
- $value | humanizeDuration }}. Clients using endpoints that this cert protects
- will start to fail in {{ $value | humanizeDuration }}.
- runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon
- summary: The cert {{ $labels.name }} is {{ $value | humanizeDuration }} from
- expiry, it should have renewed over a week ago.
- expr: |
- avg by (exported_namespace, namespace, name) (
- certmanager_certificate_expiration_timestamp_seconds - time())
- < (21 * 24 * 3600)
- for: 15m
- labels:
- severity: warning
- - alert: CertManagerCertNotReady
- annotations:
- description: This certificate has not been ready to serve traffic for at least
- 15m. If the cert is being renewed or there is another valid cert, the ingress
- controller _may_ be able to serve that instead.
- runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready
- summary: The cert {{ $labels.name }} is not ready to serve traffic.
- expr: |
- max by (name, exported_namespace, namespace, condition) (
- certmanager_certificate_ready_status{condition!="True"} == 1)
- for: 15m
- labels:
- severity: critical
- - alert: CertManagerHittingRateLimits
- annotations:
- description: Depending on the rate limit, cert-manager may be unable to generate
- certificates for up to a week.
- runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits
- summary: Cert manager hitting LetsEncrypt rate limits.
- expr: |
- sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m]))
- > 0
- for: 15m
- labels:
- severity: critical
-
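Review bot: the `CertManagerAbsent` summary reads "Cert Manager has dissapeared" (sic); if this PrometheusRule moved verbatim into the shared cert-manager app, fix the spelling there. The 21-day `CertManagerCertExpirySoon` threshold and the `429` rate-limit alert are the right ones to keep now that two clusters share one Let's Encrypt account and one Cloudflare zone, because rate limits are counted per registered domain, not per cluster.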
--- kubernetes/main/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager ConfigMap: cert-manager/cert-manager-helm-values-hgg6hf7kh2
+++ kubernetes/main/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager ConfigMap: cert-manager/cert-manager-helm-values-hgg6hf7kh2
@@ -1,23 +0,0 @@
----
-apiVersion: v1
-data:
- values.yaml: |
- ---
- crds:
- enabled: true
- replicaCount: 1
- dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
- dns01RecursiveNameserversOnly: true
- prometheus:
- enabled: true
- servicemonitor:
- enabled: true
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: cert-manager
- kustomize.toolkit.fluxcd.io/name: cert-manager
- kustomize.toolkit.fluxcd.io/namespace: cert-manager
- name: cert-manager-helm-values-hgg6hf7kh2
- namespace: cert-manager
-
--- kubernetes/main/apps/flux-system/clickops/app Kustomization: flux-system/clickops HelmRelease: flux-system/clickops
+++ kubernetes/main/apps/flux-system/clickops/app Kustomization: flux-system/clickops HelmRelease: flux-system/clickops
@@ -1,108 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: clickops
- kustomize.toolkit.fluxcd.io/name: clickops
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: clickops
- namespace: flux-system
-spec:
- chart:
- spec:
- chart: app-template
- sourceRef:
- kind: HelmRepository
- name: bjw-s
- namespace: flux-system
- version: 3.6.1
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- controllers:
- clickops:
- annotations:
- reloader.stakater.com/auto: 'true'
- containers:
- app:
- env:
- __HOST: clickops.jory.dev
- __PORT: 3000
- TZ: America/Edmonton
- image:
- repository: ghcr.io/whazor/clickops
- tag: v0.0.2@sha256:ca764fc302afd14e0aa31b2195bc2ee1a9ddf53d32aa046abd6137973018865d
- probes:
- liveness:
- custom: true
- enabled: true
- spec:
- failureThreshold: 3
- httpGet:
- path: /ping
- port: 3000
- initialDelaySeconds: 5
- periodSeconds: 30
- timeoutSeconds: 10
- readiness:
- custom: true
- enabled: true
- spec:
- failureThreshold: 3
- httpGet:
- path: /ping
- port: 3000
- initialDelaySeconds: 5
- periodSeconds: 30
- timeoutSeconds: 10
- resources:
- limits:
- memory: 300Mi
- requests:
- cpu: 25m
- memory: 100Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- defaultPodOptions:
- automountServiceAccountToken: true
- securityContext:
- fsGroup: 100
- fsGroupChangePolicy: OnRootMismatch
- runAsGroup: 100
- runAsNonRoot: true
- runAsUser: 1000
- seccompProfile:
- type: RuntimeDefault
- ingress:
- app:
- className: internal
- hosts:
- - host: '{{ .Release.Name }}.jory.dev'
- paths:
- - path: /
- pathType: Prefix
- service:
- identifier: app
- port: http
- service:
- app:
- controller: clickops
- ports:
- http:
- port: 3000
- serviceAccount:
- create: true
- name: clickops
-
--- kubernetes/main/apps/flux-system/clickops/app Kustomization: flux-system/clickops ClusterRole: flux-system/clickops
+++ kubernetes/main/apps/flux-system/clickops/app Kustomization: flux-system/clickops ClusterRole: flux-system/clickops
@@ -1,70 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app.kubernetes.io/instance: clickops
- app.kubernetes.io/name: clickops
- kustomize.toolkit.fluxcd.io/name: clickops
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: clickops
-rules:
-- apiGroups:
- - ''
- resources:
- - '*'
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - helm.toolkit.fluxcd.io
- resources:
- - helmreleases
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - kustomize.toolkit.fluxcd.io
- resources:
- - kustomizations
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - source.toolkit.fluxcd.io
- resources:
- - gitrepositories
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - ''
- resources:
- - events
- verbs:
- - list
-- apiGroups:
- - helm.toolkit.fluxcd.io
- resources:
- - helmreleases
- verbs:
- - patch
-- apiGroups:
- - ''
- resources:
- - pods
- verbs:
- - delete
-
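Review bot: this ClusterRole granted `get`/`watch`/`list` on `'*'` in the core API group, which includes Secrets in every namespace, plus `delete` on pods and `patch` on HelmReleases cluster-wide; removing it is a real reduction in exposure. Since the cluster-apps Kustomization for clickops is also deleted (with `prune: true`), Flux will garbage-collect the ClusterRole and ClusterRoleBinding. The PR title says "centralize", but clickops is retired rather than moved; the description should say so explicitly.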
--- kubernetes/main/apps/flux-system/clickops/app Kustomization: flux-system/clickops ClusterRoleBinding: flux-system/clickops
+++ kubernetes/main/apps/flux-system/clickops/app Kustomization: flux-system/clickops ClusterRoleBinding: flux-system/clickops
@@ -1,19 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app.kubernetes.io/instance: clickops
- app.kubernetes.io/name: clickops
- kustomize.toolkit.fluxcd.io/name: clickops
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: clickops
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: clickops
-subjects:
-- kind: ServiceAccount
- name: clickops
- namespace: flux-system
-
--- kubernetes/main/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance HelmRelease: flux-system/flux-instance
+++ kubernetes/main/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance HelmRelease: flux-system/flux-instance
@@ -1,35 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: flux-instance
- namespace: flux-system
-spec:
- chart:
- spec:
- chart: flux-instance
- sourceRef:
- kind: HelmRepository
- name: controlplaneio
- namespace: flux-system
- version: 0.13.0
- dependsOn:
- - name: flux-operator
- namespace: flux-system
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- valuesFrom:
- - kind: ConfigMap
- name: flux-instance-helm-values-d9g4894mc6
-
--- kubernetes/main/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance PrometheusRule: flux-system/flux-instance-rules
+++ kubernetes/main/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance PrometheusRule: flux-system/flux-instance-rules
@@ -1,34 +0,0 @@
----
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: flux-instance-rules
- namespace: flux-system
-spec:
- groups:
- - name: flux-instance.rules
- rules:
- - alert: FluxInstanceAbsent
- annotations:
- description: |
- The flux_instance_info metric for the Flux instance in namespace {{ $labels.exported_namespace }} is not available.
- summary: Flux instance metric is missing
- expr: absent(flux_instance_info{exported_namespace="flux-system", name="flux"})
- for: 15m
- labels:
- severity: critical
- - alert: FluxInstanceNotReady
- annotations:
- description: |
- The Flux instance in namespace {{ $labels.exported_namespace }} is not ready.
- Reason: {{ $labels.reason }}
- summary: Flux instance {{ $labels.name }} is not ready
- expr: flux_instance_info{exported_namespace="flux-system", name="flux", ready!="True"}
- for: 15m
- labels:
- severity: critical
-
--- kubernetes/main/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ExternalSecret: flux-system/github-webhook-token
+++ kubernetes/main/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ExternalSecret: flux-system/github-webhook-token
@@ -1,23 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: github-webhook-token
- namespace: flux-system
-spec:
- dataFrom:
- - extract:
- key: flux
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword
- target:
- name: github-webhook-token
- template:
- data:
- token: '{{ .FLUX_GITHUB_WEBHOOK_TOKEN }}'
-
--- kubernetes/main/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Ingress: flux-system/webhook-receiver
+++ kubernetes/main/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Ingress: flux-system/webhook-receiver
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: webhook-receiver
- namespace: flux-system
-spec:
- ingressClassName: external
- rules:
- - host: flux-webhook.jory.dev
- http:
- paths:
- - backend:
- service:
- name: webhook-receiver
- port:
- number: 80
- path: /hook/
- pathType: Prefix
-
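Review bot: `host: flux-webhook.jory.dev` and `ingressClassName: external` are hard-coded in this Ingress. If the shared flux-instance app keeps it unchanged, every cluster that syncs the shared path claims the same public hostname and external-dns/ingress will fight over it. Template the host with `${CLUSTER}` (as the PushSecret hunk already does for its `remoteKey`), or keep the Receiver/Ingress pair cluster-specific.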
--- kubernetes/main/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Receiver: flux-system/home-ops
+++ kubernetes/main/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Receiver: flux-system/home-ops
@@ -1,27 +0,0 @@
----
-apiVersion: notification.toolkit.fluxcd.io/v1
-kind: Receiver
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: home-ops
- namespace: flux-system
-spec:
- events:
- - ping
- - push
- resources:
- - apiVersion: source.toolkit.fluxcd.io/v1
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- - apiVersion: kustomize.toolkit.fluxcd.io/v1
- kind: Kustomization
- name: flux-system
- namespace: flux-system
- secretRef:
- name: github-webhook-token
- type: github
-
--- kubernetes/main/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ConfigMap: flux-system/flux-instance-helm-values-d9g4894mc6
+++ kubernetes/main/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ConfigMap: flux-system/flux-instance-helm-values-d9g4894mc6
@@ -1,117 +0,0 @@
----
-apiVersion: v1
-data:
- values.yaml: |
- ---
- instance:
- distribution:
- # renovate: datasource=github-releases depName=fluxcd/flux2
- version: 2.4.0
- cluster:
- networkPolicy: false
- components:
- - source-controller
- - kustomize-controller
- - helm-controller
- - notification-controller
- sync:
- kind: GitRepository
- name: flux-system
- url: https://github.com/joryirving/home-ops.git
- ref: refs/heads/main
- path: kubernetes/main/flux/cluster
- commonMetadata:
- labels:
- app.kubernetes.io/name: flux
- kustomize:
- patches:
- - # Add Sops decryption to 'flux-system' Kustomization
- patch: |
- - op: add
- path: /spec/decryption
- value:
- provider: sops
- secretRef:
- name: sops-age
- target:
- group: kustomize.toolkit.fluxcd.io
- kind: Kustomization
- - # Increase the number of workers
- patch: |
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --concurrent=10
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --requeue-dependency=5s
- target:
- kind: Deployment
- name: (kustomize-controller|helm-controller|source-controller)
- - # Increase the memory limits
- patch: |
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: all
- spec:
- template:
- spec:
- containers:
- - name: manager
- resources:
- limits:
- memory: 2Gi
- target:
- kind: Deployment
- name: (kustomize-controller|helm-controller|source-controller)
- - # Enable in-memory kustomize builds
- patch: |
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --concurrent=20
- - op: replace
- path: /spec/template/spec/volumes/0
- value:
- name: temp
- emptyDir:
- medium: Memory
- target:
- kind: Deployment
- name: kustomize-controller
- - # Enable Helm repositories caching
- patch: |
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --helm-cache-max-size=10
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --helm-cache-ttl=60m
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --helm-cache-purge-interval=5m
- target:
- kind: Deployment
- name: source-controller
- # Flux near OOM detection for Helm
- - patch: |
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --feature-gates=OOMWatch=true
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --oom-watch-memory-threshold=95
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --oom-watch-interval=500ms
- target:
- kind: Deployment
- name: helm-controller
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: flux-instance-helm-values-d9g4894mc6
- namespace: flux-system
-
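Review bot: these values embed cluster-specific settings, in particular `path: kubernetes/main/flux/cluster`, `ref: refs/heads/main` and the `sops-age` decryption secret. The shared ConfigMap whose tail appears at the top of this diff (`flux-instance-helm-values-222gc8mgd9`) must parametrize at least `sync.path`, otherwise the utility cluster reconciles main's tree. Separately, the removed file appends `--concurrent=10` to all three controllers and then `--concurrent=20` to kustomize-controller again (the "Enable in-memory kustomize builds" patch); only the last flag wins, so deduplicate this in the shared copy rather than carrying the ambiguity forward.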
--- kubernetes/main/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets HelmRelease: external-secrets/external-secrets
+++ kubernetes/main/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets HelmRelease: external-secrets/external-secrets
@@ -1,32 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: external-secrets
- kustomize.toolkit.fluxcd.io/name: external-secrets
- kustomize.toolkit.fluxcd.io/namespace: external-secrets
- name: external-secrets
- namespace: external-secrets
-spec:
- chart:
- spec:
- chart: external-secrets
- sourceRef:
- kind: HelmRepository
- name: external-secrets
- namespace: flux-system
- version: 0.13.0
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- valuesFrom:
- - kind: ConfigMap
- name: external-secrets-helm-values-h9g78hg67k
-
--- kubernetes/main/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets ConfigMap: external-secrets/external-secrets-helm-values-h9g78hg67k
+++ kubernetes/main/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets ConfigMap: external-secrets/external-secrets-helm-values-h9g78hg67k
@@ -1,34 +0,0 @@
----
-apiVersion: v1
-data:
- values.yaml: |
- ---
- installCRDs: true
- replicaCount: 1
- leaderElect: true
- image:
- repository: ghcr.io/external-secrets/external-secrets
- webhook:
- image:
- repository: ghcr.io/external-secrets/external-secrets
- serviceMonitor:
- enabled: true
- interval: 1m
- certController:
- image:
- repository: ghcr.io/external-secrets/external-secrets
- serviceMonitor:
- enabled: true
- interval: 1m
- serviceMonitor:
- enabled: true
- interval: 1m
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: external-secrets
- kustomize.toolkit.fluxcd.io/name: external-secrets
- kustomize.toolkit.fluxcd.io/namespace: external-secrets
- name: external-secrets-helm-values-h9g78hg67k
- namespace: external-secrets
-
--- kubernetes/main/apps/kube-tools/reloader/app Kustomization: kube-tools/reloader HelmRelease: kube-tools/reloader
+++ kubernetes/main/apps/kube-tools/reloader/app Kustomization: kube-tools/reloader HelmRelease: kube-tools/reloader
@@ -1,36 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: reloader
- kustomize.toolkit.fluxcd.io/name: reloader
- kustomize.toolkit.fluxcd.io/namespace: kube-tools
- name: reloader
- namespace: kube-tools
-spec:
- chart:
- spec:
- chart: reloader
- sourceRef:
- kind: HelmRepository
- name: stakater
- namespace: flux-system
- version: 1.2.1
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- fullnameOverride: reloader
- reloader:
- podMonitor:
- enabled: true
- namespace: '{{ .Release.Namespace }}'
- readOnlyRootFileSystem: true
-
--- kubernetes/main/apps/external-secrets/onepassword/stores Kustomization: external-secrets/onepassword-store ClusterSecretStore: external-secrets/onepassword
+++ kubernetes/main/apps/external-secrets/onepassword/stores Kustomization: external-secrets/onepassword-store ClusterSecretStore: external-secrets/onepassword
@@ -1,23 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
- labels:
- app.kubernetes.io/name: onepassword-store
- kustomize.toolkit.fluxcd.io/name: onepassword-store
- kustomize.toolkit.fluxcd.io/namespace: external-secrets
- name: onepassword
- namespace: external-secrets
-spec:
- provider:
- onepassword:
- auth:
- secretRef:
- connectTokenSecretRef:
- key: token
- name: onepassword
- namespace: external-secrets
- connectHost: http://onepassword.external-secrets.svc.cluster.local
- vaults:
- Kubernetes: 1
-
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: cert-manager/cert-manager
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: cert-manager/cert-manager
@@ -9,13 +9,13 @@
namespace: cert-manager
spec:
commonMetadata:
labels:
app.kubernetes.io/name: cert-manager
interval: 30m
- path: ./kubernetes/main/apps/cert-manager/cert-manager/app
+ path: ./kubernetes/shared/apps/cert-manager/cert-manager/app
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: cert-manager
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: cert-manager/cert-manager-issuers
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: cert-manager/cert-manager-issuers
@@ -12,13 +12,13 @@
labels:
app.kubernetes.io/name: cert-manager-issuers
dependsOn:
- name: onepassword-store
namespace: external-secrets
interval: 30m
- path: ./kubernetes/main/apps/cert-manager/cert-manager/issuers
+ path: ./kubernetes/shared/apps/cert-manager/cert-manager/issuers
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: cert-manager
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: cert-manager/cert-manager-tls
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: cert-manager/cert-manager-tls
@@ -14,13 +14,13 @@
dependsOn:
- name: cert-manager-issuers
namespace: cert-manager
- name: onepassword-store
namespace: external-secrets
interval: 30m
- path: ./kubernetes/main/apps/cert-manager/cert-manager/tls
+ path: ./kubernetes/shared/apps/cert-manager/cert-manager/tls
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: cert-manager
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/external-secrets
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/external-secrets
@@ -9,13 +9,13 @@
namespace: external-secrets
spec:
commonMetadata:
labels:
app.kubernetes.io/name: external-secrets
interval: 30m
- path: ./kubernetes/main/apps/external-secrets/external-secrets/app
+ path: ./kubernetes/shared/apps/external-secrets/external-secrets/app
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: external-secrets
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/onepassword
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/onepassword
@@ -9,13 +9,13 @@
namespace: external-secrets
spec:
commonMetadata:
labels:
app.kubernetes.io/name: onepassword
interval: 30m
- path: ./kubernetes/main/apps/external-secrets/onepassword/app
+ path: ./kubernetes/shared/apps/external-secrets/onepassword/app
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: external-secrets
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/onepassword-store
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: external-secrets/onepassword-store
@@ -12,13 +12,13 @@
labels:
app.kubernetes.io/name: onepassword-store
dependsOn:
- name: onepassword
namespace: external-secrets
interval: 30m
- path: ./kubernetes/main/apps/external-secrets/onepassword/stores
+ path: ./kubernetes/shared/apps/external-secrets/onepassword/stores
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: external-secrets
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/clickops
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/clickops
@@ -1,24 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: cluster-apps
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: clickops
- namespace: flux-system
-spec:
- commonMetadata:
- labels:
- app.kubernetes.io/name: clickops
- interval: 30m
- path: ./kubernetes/main/apps/flux-system/clickops/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- targetNamespace: flux-system
- timeout: 5m
- wait: false
-
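Review bot: Deleting the `clickops` Kustomization outright (the whole `@@ -1,24 +0,0 @@` block) with no `kubernetes/shared/...` replacement anywhere in this diff means Flux will garbage-collect everything that Kustomization owned, because it had `prune: true`. If clickops is meant to keep running, add a shared-path Kustomization alongside the other moves; if the removal is intentional, a line in the PR description saying so would save the next reader the same question.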
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/flux-operator
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/flux-operator
@@ -9,13 +9,13 @@
namespace: flux-system
spec:
commonMetadata:
labels:
app.kubernetes.io/name: flux-operator
interval: 30m
- path: ./kubernetes/main/apps/flux-system/flux-operator/app
+ path: ./kubernetes/shared/apps/flux-system/flux-operator/app
prune: false
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: flux-system
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/flux-instance
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/flux-instance
@@ -9,13 +9,18 @@
namespace: flux-system
spec:
commonMetadata:
labels:
app.kubernetes.io/name: flux-instance
interval: 30m
- path: ./kubernetes/main/apps/flux-system/flux-operator/instance
+ path: ./kubernetes/shared/apps/flux-system/flux-operator/instance
+ postBuild:
+ substitute:
+ CLUSTER: main
+ TOKEN_KEY_NAME: FLUX_MAIN_GITHUB_WEBHOOK_TOKEN
+ WEBHOOK_INGRESS: flux-webhook
prune: false
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: flux-system
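Review bot: The new `postBuild.substitute` block is the only thing that keeps the shared `flux-operator/instance` manifests cluster-specific, but the rendered output later in this diff shows `FLUX_MAIN_GITHUB_WEBHOOK_TOKEN`, `flux-webhook.jory.dev` and `sync.path: kubernetes/main/flux/cluster` as literals, which is what a correct render for `main` looks like and also what a hardcoded copy would look like. Please check that the shared source references `${TOKEN_KEY_NAME}`, `${WEBHOOK_INGRESS}` and `${CLUSTER}`, and that the utility cluster's Kustomization supplies all three; a second cluster that misses one would sync `main` or reuse its webhook token.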
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/weave-gitops
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/weave-gitops
@@ -9,18 +9,33 @@
namespace: flux-system
spec:
commonMetadata:
labels:
app.kubernetes.io/name: weave-gitops
dependsOn:
- - name: authentik
- namespace: security
- name: onepassword-store
namespace: external-secrets
interval: 30m
- path: ./kubernetes/main/apps/flux-system/weave-gitops/app
+ patches:
+ - patch: |-
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: weave-gitops
+ spec:
+ values:
+ ingress:
+ annotations:
+ gethomepage.dev/enabled: "true"
+ gethomepage.dev/group: Infrastructure
+ gethomepage.dev/name: Weave-gitops
+ gethomepage.dev/icon: https://raw.githubusercontent.com/joryirving/home-ops/main/docs/src/assets/icons/weave.png
+ gethomepage.dev/description: Flux Dashboard
+ hosts:
+ - host: gitops.jory.dev
+ path: ./kubernetes/shared/apps/flux-system/weave-gitops/app
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: flux-system
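Review bot: Two points on the `patches:` block. First, `hosts:` sits under the HelmRelease's untyped `values`, so kustomize has no merge key for it and replaces the whole list; the removed HelmRelease carried `paths: - path: / pathType: Prefix` under that host, so either repeat `paths` in the patch or use a JSON 6902 `replace` on `/spec/values/ingress/hosts/0/host`, and verify the rendered shared release still has the path. Second, dropping `dependsOn: authentik` while the dashboard still reloads on the `oidc-auth` secret (see the removed release's reloader annotation) lets weave-gitops reconcile before the OIDC provider exists; fine for bootstrap, but worth stating in the PR.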
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: kube-tools/reloader
+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: kube-tools/reloader
@@ -9,13 +9,13 @@
namespace: kube-tools
spec:
commonMetadata:
labels:
app.kubernetes.io/name: reloader
interval: 30m
- path: ./kubernetes/main/apps/kube-tools/reloader/app
+ path: ./kubernetes/shared/apps/kube-tools/reloader/app
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: kube-tools
--- kubernetes/main/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-production
+++ kubernetes/main/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-production
@@ -1,27 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- labels:
- app.kubernetes.io/name: cert-manager-issuers
- kustomize.toolkit.fluxcd.io/name: cert-manager-issuers
- kustomize.toolkit.fluxcd.io/namespace: cert-manager
- name: letsencrypt-production
- namespace: cert-manager
-spec:
- acme:
- email: jory@jory.dev
- privateKeySecretRef:
- name: letsencrypt-production
- server: https://acme-v02.api.letsencrypt.org/directory
- solvers:
- - dns01:
- cloudflare:
- apiTokenSecretRef:
- key: CLOUDFLARE_API_KEY
- name: cloudflare-secret
- email: jory@jory.dev
- selector:
- dnsZones:
- - jory.dev
-
--- kubernetes/main/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-staging
+++ kubernetes/main/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-staging
@@ -1,27 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- labels:
- app.kubernetes.io/name: cert-manager-issuers
- kustomize.toolkit.fluxcd.io/name: cert-manager-issuers
- kustomize.toolkit.fluxcd.io/namespace: cert-manager
- name: letsencrypt-staging
- namespace: cert-manager
-spec:
- acme:
- email: jory@jory.dev
- privateKeySecretRef:
- name: letsencrypt-staging
- server: https://acme-staging-v02.api.letsencrypt.org/directory
- solvers:
- - dns01:
- cloudflare:
- apiTokenSecretRef:
- key: CLOUDFLARE_API_KEY
- name: cloudflare-secret
- email: jory@jory.dev
- selector:
- dnsZones:
- - jory.dev
-
--- kubernetes/main/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ExternalSecret: cert-manager/cloudflare-secret
+++ kubernetes/main/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ExternalSecret: cert-manager/cloudflare-secret
@@ -1,23 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- labels:
- app.kubernetes.io/name: cert-manager-issuers
- kustomize.toolkit.fluxcd.io/name: cert-manager-issuers
- kustomize.toolkit.fluxcd.io/namespace: cert-manager
- name: cloudflare-secret
- namespace: cert-manager
-spec:
- dataFrom:
- - extract:
- key: cloudflare
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword
- target:
- name: cloudflare-secret
- template:
- data:
- CLOUDFLARE_API_KEY: '{{ .CLOUDFLARE_API_KEY }}'
-
--- kubernetes/main/apps/cert-manager/cert-manager/tls Kustomization: cert-manager/cert-manager-tls Certificate: cert-manager/jory.dev
+++ kubernetes/main/apps/cert-manager/cert-manager/tls Kustomization: cert-manager/cert-manager-tls Certificate: cert-manager/jory.dev
@@ -1,20 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- labels:
- app.kubernetes.io/name: cert-manager-tls
- kustomize.toolkit.fluxcd.io/name: cert-manager-tls
- kustomize.toolkit.fluxcd.io/namespace: cert-manager
- name: jory.dev
- namespace: cert-manager
-spec:
- commonName: jory.dev
- dnsNames:
- - jory.dev
- - '*.jory.dev'
- issuerRef:
- kind: ClusterIssuer
- name: letsencrypt-production
- secretName: jory.dev-tls
-
--- kubernetes/main/apps/cert-manager/cert-manager/tls Kustomization: cert-manager/cert-manager-tls PushSecret: cert-manager/${CLUSTER}-cluster-tls
+++ kubernetes/main/apps/cert-manager/cert-manager/tls Kustomization: cert-manager/cert-manager-tls PushSecret: cert-manager/${CLUSTER}-cluster-tls
@@ -1,34 +0,0 @@
----
-apiVersion: external-secrets.io/v1alpha1
-kind: PushSecret
-metadata:
- labels:
- app.kubernetes.io/name: cert-manager-tls
- kustomize.toolkit.fluxcd.io/name: cert-manager-tls
- kustomize.toolkit.fluxcd.io/namespace: cert-manager
- name: ${CLUSTER}-cluster-tls
- namespace: cert-manager
-spec:
- data:
- - match:
- remoteRef:
- property: tls.crt
- remoteKey: ${CLUSTER}-cluster-tls
- secretKey: tls.crt
- - match:
- remoteRef:
- property: tls.key
- remoteKey: ${CLUSTER}-cluster-tls
- secretKey: tls.key
- secretStoreRefs:
- - kind: ClusterSecretStore
- name: onepassword
- selector:
- secret:
- name: jory.dev-tls
- template:
- data:
- tls.crt: '{{ index . "tls.crt" | b64enc }}'
- tls.key: '{{ index . "tls.key" | b64enc }}'
- engineVersion: v2
-
--- kubernetes/main/apps/flux-system/weave-gitops/app Kustomization: flux-system/weave-gitops ExternalSecret: flux-system/cluster-user-auth
+++ kubernetes/main/apps/flux-system/weave-gitops/app Kustomization: flux-system/weave-gitops ExternalSecret: flux-system/cluster-user-auth
@@ -1,24 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- labels:
- app.kubernetes.io/name: weave-gitops
- kustomize.toolkit.fluxcd.io/name: weave-gitops
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: cluster-user-auth
- namespace: flux-system
-spec:
- dataFrom:
- - extract:
- key: weave-gitops
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword
- target:
- name: cluster-user-auth
- template:
- data:
- password: '{{ .WEAVE_PASS_ENCODED }}'
- username: '{{ .WEAVE_USER }}'
-
--- kubernetes/main/apps/flux-system/weave-gitops/app Kustomization: flux-system/weave-gitops HelmRelease: flux-system/weave-gitops
+++ kubernetes/main/apps/flux-system/weave-gitops/app Kustomization: flux-system/weave-gitops HelmRelease: flux-system/weave-gitops
@@ -1,65 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: weave-gitops
- kustomize.toolkit.fluxcd.io/name: weave-gitops
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: weave-gitops
- namespace: flux-system
-spec:
- chart:
- spec:
- chart: weave-gitops
- sourceRef:
- kind: HelmRepository
- name: weave-gitops
- namespace: flux-system
- version: 4.0.36
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- adminUser:
- create: true
- createSecret: false
- username: admin
- ingress:
- annotations:
- gethomepage.dev/description: Flux Dashboard
- gethomepage.dev/enabled: 'true'
- gethomepage.dev/group: Infrastructure
- gethomepage.dev/icon: https://raw.githubusercontent.com/joryirving/home-ops/main/docs/src/assets/icons/weave.png
- gethomepage.dev/name: Weave-gitops
- className: internal
- enabled: true
- hosts:
- - host: gitops.jory.dev
- paths:
- - path: /
- pathType: Prefix
- metrics:
- enabled: true
- networkPolicy:
- create: false
- podAnnotations:
- secret.reloader.stakater.com/reload: cluster-user-auth,oidc-auth
- rbac:
- additionalRules:
- - apiGroups:
- - infra.contrib.fluxcd.io
- resources:
- - terraforms
- verbs:
- - get
- - list
- - patch
- create: true
-
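Review bot: The inline patch in the `main` Kustomization re-adds only the homepage annotations and the host, while this removed release carried other cluster-specific settings: `className: internal`, the `rbac.additionalRules` grant on `infra.contrib.fluxcd.io/terraforms`, `adminUser.createSecret: false` paired with `cluster-user-auth`, and the reloader annotation for `cluster-user-auth,oidc-auth`. Confirm the shared base keeps each of these (the rendered shared HelmRelease is not in the diff shown here) or that dropping them is intended.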
--- kubernetes/main/apps/flux-system/weave-gitops/app Kustomization: flux-system/weave-gitops ClusterRoleBinding: flux-system/wego-admin-oidc
+++ kubernetes/main/apps/flux-system/weave-gitops/app Kustomization: flux-system/weave-gitops ClusterRoleBinding: flux-system/wego-admin-oidc
@@ -1,18 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app.kubernetes.io/name: weave-gitops
- kustomize.toolkit.fluxcd.io/name: weave-gitops
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: wego-admin-oidc
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: wego-admin-cluster-role
-subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: Infrastructure
-
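Review bot: Removing `wego-admin-oidc` takes away the only binding of the `Infrastructure` group to `wego-admin-cluster-role`; if OIDC sign-in stays enabled in the shared weave-gitops base, group members still log in but lose admin rights in the dashboard, and if the binding is meant to move to shared it should appear there with the `Group` subject unchanged. Either outcome is defensible, but the diff should show which one was chosen.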
--- kubernetes/shared/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager HelmRelease: cert-manager/cert-manager
+++ kubernetes/shared/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager HelmRelease: cert-manager/cert-manager
@@ -0,0 +1,32 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager
+ kustomize.toolkit.fluxcd.io/name: cert-manager
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: cert-manager
+ namespace: cert-manager
+spec:
+ chart:
+ spec:
+ chart: cert-manager
+ sourceRef:
+ kind: HelmRepository
+ name: jetstack
+ namespace: flux-system
+ version: v1.16.3
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ valuesFrom:
+ - kind: ConfigMap
+ name: cert-manager-helm-values-hgg6hf7kh2
+
--- kubernetes/shared/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager PrometheusRule: cert-manager/cert-manager-rules
+++ kubernetes/shared/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager PrometheusRule: cert-manager/cert-manager-rules
@@ -0,0 +1,68 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager
+ kustomize.toolkit.fluxcd.io/name: cert-manager
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: cert-manager-rules
+ namespace: cert-manager
+spec:
+ groups:
+ - name: cert-manager
+ rules:
+ - alert: CertManagerAbsent
+ annotations:
+ description: New certificates will not be able to be minted, and existing
+ ones can't be renewed until cert-manager is back.
+ runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent
+ summary: Cert Manager has dissapeared from Prometheus service discovery.
+ expr: |
+ absent(up{job="cert-manager"})
+ for: 15m
+ labels:
+ severity: critical
+ - name: certificates
+ rules:
+ - alert: CertManagerCertExpirySoon
+ annotations:
+ description: The domain that this cert covers will be unavailable after {{
+ $value | humanizeDuration }}. Clients using endpoints that this cert protects
+ will start to fail in {{ $value | humanizeDuration }}.
+ runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon
+ summary: The cert {{ $labels.name }} is {{ $value | humanizeDuration }} from
+ expiry, it should have renewed over a week ago.
+ expr: |
+ avg by (exported_namespace, namespace, name) (
+ certmanager_certificate_expiration_timestamp_seconds - time())
+ < (21 * 24 * 3600)
+ for: 15m
+ labels:
+ severity: warning
+ - alert: CertManagerCertNotReady
+ annotations:
+ description: This certificate has not been ready to serve traffic for at least
+ 15m. If the cert is being renewed or there is another valid cert, the ingress
+ controller _may_ be able to serve that instead.
+ runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready
+ summary: The cert {{ $labels.name }} is not ready to serve traffic.
+ expr: |
+ max by (name, exported_namespace, namespace, condition) (
+ certmanager_certificate_ready_status{condition!="True"} == 1)
+ for: 15m
+ labels:
+ severity: critical
+ - alert: CertManagerHittingRateLimits
+ annotations:
+ description: Depending on the rate limit, cert-manager may be unable to generate
+ certificates for up to a week.
+ runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits
+ summary: Cert manager hitting LetsEncrypt rate limits.
+ expr: |
+ sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m]))
+ > 0
+ for: 15m
+ labels:
+ severity: critical
+
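Review bot: Typo in the `CertManagerAbsent` summary: `dissapeared` should be `disappeared`. Also, `absent(up{job="cert-manager"})` relies on the ServiceMonitor enabled in the values ConfigMap below producing a `job` label of exactly `cert-manager`; a quick look at the target in Prometheus after the first reconcile would confirm the alert can fire at all rather than sitting silent.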
--- kubernetes/shared/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager ConfigMap: cert-manager/cert-manager-helm-values-hgg6hf7kh2
+++ kubernetes/shared/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager ConfigMap: cert-manager/cert-manager-helm-values-hgg6hf7kh2
@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ crds:
+ enabled: true
+ replicaCount: 1
+ dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
+ dns01RecursiveNameserversOnly: true
+ prometheus:
+ enabled: true
+ servicemonitor:
+ enabled: true
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager
+ kustomize.toolkit.fluxcd.io/name: cert-manager
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: cert-manager-helm-values-hgg6hf7kh2
+ namespace: cert-manager
+
--- kubernetes/shared/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets HelmRelease: external-secrets/external-secrets
+++ kubernetes/shared/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets HelmRelease: external-secrets/external-secrets
@@ -0,0 +1,32 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: external-secrets
+ kustomize.toolkit.fluxcd.io/name: external-secrets
+ kustomize.toolkit.fluxcd.io/namespace: external-secrets
+ name: external-secrets
+ namespace: external-secrets
+spec:
+ chart:
+ spec:
+ chart: external-secrets
+ sourceRef:
+ kind: HelmRepository
+ name: external-secrets
+ namespace: flux-system
+ version: 0.13.0
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ valuesFrom:
+ - kind: ConfigMap
+ name: external-secrets-helm-values-h9g78hg67k
+
--- kubernetes/shared/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets ConfigMap: external-secrets/external-secrets-helm-values-h9g78hg67k
+++ kubernetes/shared/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets ConfigMap: external-secrets/external-secrets-helm-values-h9g78hg67k
@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ installCRDs: true
+ replicaCount: 1
+ leaderElect: true
+ image:
+ repository: ghcr.io/external-secrets/external-secrets
+ webhook:
+ image:
+ repository: ghcr.io/external-secrets/external-secrets
+ serviceMonitor:
+ enabled: true
+ interval: 1m
+ certController:
+ image:
+ repository: ghcr.io/external-secrets/external-secrets
+ serviceMonitor:
+ enabled: true
+ interval: 1m
+ serviceMonitor:
+ enabled: true
+ interval: 1m
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: external-secrets
+ kustomize.toolkit.fluxcd.io/name: external-secrets
+ kustomize.toolkit.fluxcd.io/namespace: external-secrets
+ name: external-secrets-helm-values-h9g78hg67k
+ namespace: external-secrets
+
--- kubernetes/shared/apps/external-secrets/onepassword/app Kustomization: external-secrets/onepassword HelmRelease: external-secrets/onepassword
+++ kubernetes/shared/apps/external-secrets/onepassword/app Kustomization: external-secrets/onepassword HelmRelease: external-secrets/onepassword
@@ -0,0 +1,144 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: onepassword
+ kustomize.toolkit.fluxcd.io/name: onepassword
+ kustomize.toolkit.fluxcd.io/namespace: external-secrets
+ name: onepassword
+ namespace: external-secrets
+spec:
+ chart:
+ spec:
+ chart: app-template
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ version: 3.6.1
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ controllers:
+ onepassword:
+ annotations:
+ reloader.stakater.com/auto: 'true'
+ containers:
+ api:
+ env:
+ OP_BUS_PEERS: localhost:11221
+ OP_BUS_PORT: 11220
+ OP_HTTP_PORT: 80
+ OP_SESSION:
+ valueFrom:
+ secretKeyRef:
+ key: 1password-credentials.json
+ name: onepassword
+ XDG_DATA_HOME: /config
+ image:
+ repository: docker.io/1password/connect-api
+ tag: 1.7.3@sha256:0601c7614e102eada268dbda6ba4b5886ce77713be2c332ec6a2fd0f028484ba
+ probes:
+ liveness:
+ custom: true
+ enabled: true
+ spec:
+ failureThreshold: 3
+ httpGet:
+ path: /heartbeat
+ port: 80
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ readiness:
+ custom: true
+ enabled: true
+ spec:
+ httpGet:
+ path: /health
+ port: 80
+ initialDelaySeconds: 15
+ resources:
+ limits:
+ memory: 256M
+ requests:
+ cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ sync:
+ env:
+ OP_BUS_PEERS: localhost:11220
+ OP_BUS_PORT: 11221
+ OP_HTTP_PORT: 8081
+ OP_SESSION:
+ valueFrom:
+ secretKeyRef:
+ key: 1password-credentials.json
+ name: onepassword
+ XDG_DATA_HOME: /config
+ image:
+ repository: docker.io/1password/connect-sync
+ tag: 1.7.3@sha256:2f17621c7eb27bbcb1f86bbc5e5a5198bf54ac3b9c2ffac38064d03c932b07d5
+ probes:
+ liveness:
+ custom: true
+ enabled: true
+ spec:
+ failureThreshold: 3
+ httpGet:
+ path: /heartbeat
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ readiness:
+ custom: true
+ enabled: true
+ spec:
+ httpGet:
+ path: /health
+ port: 8081
+ initialDelaySeconds: 15
+ resources:
+ limits:
+ memory: 256M
+ requests:
+ cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ strategy: RollingUpdate
+ defaultPodOptions:
+ securityContext:
+ fsGroup: 999
+ fsGroupChangePolicy: OnRootMismatch
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 999
+ seccompProfile:
+ type: RuntimeDefault
+ persistence:
+ config:
+ globalMounts:
+ - path: /config
+ type: emptyDir
+ service:
+ app:
+ controller: onepassword
+ ports:
+ http:
+ port: 80
+
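Review bot: The Connect API is published on a plain-HTTP ClusterIP service (`service.app` port 80, consumed over `http://onepassword.external-secrets.svc.cluster.local` by the ClusterSecretStore further down) and nothing in this hunk restricts who can reach it, so any workload that obtains the `onepassword` token secret can read the `Kubernetes` vault from any namespace. Add a NetworkPolicy (or an app-template `networkpolicies` entry) allowing ingress only from the external-secrets controller pods, and keep the `OP_SESSION` credential secret confined to this namespace. Digest-pinned images, dropped capabilities and the read-only root filesystem are good as they stand.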
--- kubernetes/shared/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator HelmRelease: flux-system/flux-operator
+++ kubernetes/shared/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator HelmRelease: flux-system/flux-operator
@@ -0,0 +1,32 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-operator
+ kustomize.toolkit.fluxcd.io/name: flux-operator
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: flux-operator
+ namespace: flux-system
+spec:
+ chart:
+ spec:
+ chart: flux-operator
+ sourceRef:
+ kind: HelmRepository
+ name: controlplaneio
+ namespace: flux-system
+ version: 0.13.0
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ valuesFrom:
+ - kind: ConfigMap
+ name: flux-operator-helm-values-fb7h5gm7k8
+
--- kubernetes/shared/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator ConfigMap: flux-system/flux-operator-helm-values-fb7h5gm7k8
+++ kubernetes/shared/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator ConfigMap: flux-system/flux-operator-helm-values-fb7h5gm7k8
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ serviceMonitor:
+ create: true
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-operator
+ kustomize.toolkit.fluxcd.io/name: flux-operator
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: flux-operator-helm-values-fb7h5gm7k8
+ namespace: flux-system
+
--- kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance HelmRelease: flux-system/flux-instance
+++ kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance HelmRelease: flux-system/flux-instance
@@ -0,0 +1,35 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: flux-instance
+ namespace: flux-system
+spec:
+ chart:
+ spec:
+ chart: flux-instance
+ sourceRef:
+ kind: HelmRepository
+ name: controlplaneio
+ namespace: flux-system
+ version: 0.13.0
+ dependsOn:
+ - name: flux-operator
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ valuesFrom:
+ - kind: ConfigMap
+ name: flux-instance-helm-values-222gc8mgd9
+
--- kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance PrometheusRule: flux-system/flux-instance-rules
+++ kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance PrometheusRule: flux-system/flux-instance-rules
@@ -0,0 +1,34 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: flux-instance-rules
+ namespace: flux-system
+spec:
+ groups:
+ - name: flux-instance.rules
+ rules:
+ - alert: FluxInstanceAbsent
+ annotations:
+ description: |
+ The flux_instance_info metric for the Flux instance in namespace {{ $labels.exported_namespace }} is not available.
+ summary: Flux instance metric is missing
+ expr: absent(flux_instance_info{exported_namespace="flux-system", name="flux"})
+ for: 15m
+ labels:
+ severity: critical
+ - alert: FluxInstanceNotReady
+ annotations:
+ description: |
+ The Flux instance in namespace {{ $labels.exported_namespace }} is not ready.
+ Reason: {{ $labels.reason }}
+ summary: Flux instance {{ $labels.name }} is not ready
+ expr: flux_instance_info{exported_namespace="flux-system", name="flux", ready!="True"}
+ for: 15m
+ labels:
+ severity: critical
+
--- kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ExternalSecret: flux-system/github-webhook-token
+++ kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ExternalSecret: flux-system/github-webhook-token
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: github-webhook-token
+ namespace: flux-system
+spec:
+ dataFrom:
+ - extract:
+ key: flux
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword
+ target:
+ name: github-webhook-token
+ template:
+ data:
+ token: '{{ .FLUX_MAIN_GITHUB_WEBHOOK_TOKEN }}'
+
--- kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Ingress: flux-system/webhook-receiver
+++ kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Ingress: flux-system/webhook-receiver
@@ -0,0 +1,24 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: webhook-receiver
+ namespace: flux-system
+spec:
+ ingressClassName: external
+ rules:
+ - host: flux-webhook.jory.dev
+ http:
+ paths:
+ - backend:
+ service:
+ name: webhook-receiver
+ port:
+ number: 80
+ path: /hook/
+ pathType: Prefix
+
--- kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Receiver: flux-system/home-ops
+++ kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Receiver: flux-system/home-ops
@@ -0,0 +1,27 @@
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: home-ops
+ namespace: flux-system
+spec:
+ events:
+ - ping
+ - push
+ resources:
+ - apiVersion: source.toolkit.fluxcd.io/v1
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ - apiVersion: kustomize.toolkit.fluxcd.io/v1
+ kind: Kustomization
+ name: flux-system
+ namespace: flux-system
+ secretRef:
+ name: github-webhook-token
+ type: github
+
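Review bot: With the Ingress above on `ingressClassName: external` and `pathType: Prefix` for `/hook/`, the HMAC check against `secretRef: github-webhook-token` is the only authentication on this internet-facing path, so the `token` key written by the ExternalSecret must be the same high-entropy value configured on the GitHub webhook. `events: [ping, push]` is appropriately narrow, and limiting `resources` to the `flux-system` GitRepository and Kustomization keeps the endpoint's blast radius to a re-sync of this repository.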
--- kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ConfigMap: flux-system/flux-instance-helm-values-222gc8mgd9
+++ kubernetes/shared/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ConfigMap: flux-system/flux-instance-helm-values-222gc8mgd9
@@ -0,0 +1,117 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ instance:
+ distribution:
+ # renovate: datasource=github-releases depName=fluxcd/flux2
+ version: 2.4.0
+ cluster:
+ networkPolicy: false
+ components:
+ - source-controller
+ - kustomize-controller
+ - helm-controller
+ - notification-controller
+ sync:
+ kind: GitRepository
+ name: flux-system
+ url: https://github.com/joryirving/home-ops.git
+ ref: refs/heads/main
+ path: kubernetes/main/flux/cluster
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: flux
+ kustomize:
+ patches:
+ - # Add Sops decryption to 'flux-system' Kustomization
+ patch: |
+ - op: add
+ path: /spec/decryption
+ value:
+ provider: sops
+ secretRef:
+ name: sops-age
+ target:
+ group: kustomize.toolkit.fluxcd.io
+ kind: Kustomization
+ - # Increase the number of workers
+ patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --concurrent=10
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --requeue-dependency=5s
+ target:
+ kind: Deployment
+ name: (kustomize-controller|helm-controller|source-controller)
+ - # Increase the memory limits
+ patch: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: all
+ spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ resources:
+ limits:
+ memory: 2Gi
+ target:
+ kind: Deployment
+ name: (kustomize-controller|helm-controller|source-controller)
+ - # Enable in-memory kustomize builds
+ patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --concurrent=20
+ - op: replace
+ path: /spec/template/spec/volumes/0
+ value:
+ name: temp
+ emptyDir:
+ medium: Memory
+ target:
+ kind: Deployment
+ name: kustomize-controller
+ - # Enable Helm repositories caching
+ patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --helm-cache-max-size=10
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --helm-cache-ttl=60m
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --helm-cache-purge-interval=5m
+ target:
+ kind: Deployment
+ name: source-controller
+ # Flux near OOM detection for Helm
+ - patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --feature-gates=OOMWatch=true
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --oom-watch-memory-threshold=95
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --oom-watch-interval=500ms
+ target:
+ kind: Deployment
+ name: helm-controller
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: flux-instance-helm-values-222gc8mgd9
+ namespace: flux-system
+
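Review bot: `cluster.networkPolicy: false` turns off the default Flux NetworkPolicies (`allow-egress`, `allow-scraping`, `allow-webhooks`) that deny ingress to the controllers from other namespaces, so the source-controller artifact endpoint and the webhook receiver become reachable cluster-wide; if it was disabled to let the external webhook Ingress through, `allow-webhooks` already admits that traffic, so consider leaving it enabled. Separately, the `# Increase the number of workers` patch adds `--concurrent=10` to kustomize-controller and the `# Enable in-memory kustomize builds` patch adds `--concurrent=20` to the same container, leaving a duplicated flag whose effective value depends on argument order; drop one. Finally, `sync.path: kubernetes/main/flux/cluster` must derive from `${CLUSTER}` in the shared source for this ConfigMap to be reusable by the utility cluster.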
--- kubernetes/shared/apps/kube-tools/reloader/app Kustomization: kube-tools/reloader HelmRelease: kube-tools/reloader
+++ kubernetes/shared/apps/kube-tools/reloader/app Kustomization: kube-tools/reloader HelmRelease: kube-tools/reloader
@@ -0,0 +1,36 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: reloader
+ kustomize.toolkit.fluxcd.io/name: reloader
+ kustomize.toolkit.fluxcd.io/namespace: kube-tools
+ name: reloader
+ namespace: kube-tools
+spec:
+ chart:
+ spec:
+ chart: reloader
+ sourceRef:
+ kind: HelmRepository
+ name: stakater
+ namespace: flux-system
+ version: 1.2.1
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ fullnameOverride: reloader
+ reloader:
+ podMonitor:
+ enabled: true
+ namespace: '{{ .Release.Namespace }}'
+ readOnlyRootFileSystem: true
+
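Review bot: this shared HelmRelease resolves its chart through a `HelmRepository` named `stakater` in `flux-system` that is not part of the shared tree in this hunk; every cluster that includes `kubernetes/shared/apps/kube-tools/reloader` must define that repository (or it should move into shared as well), otherwise the release fails at source resolution. Pinning `version: 1.2.1` here also means a single bump upgrades reloader on every cluster at once, which is the point of centralizing but removes per-cluster canarying.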
--- kubernetes/shared/apps/external-secrets/onepassword/stores Kustomization: external-secrets/onepassword-store ClusterSecretStore: external-secrets/onepassword
+++ kubernetes/shared/apps/external-secrets/onepassword/stores Kustomization: external-secrets/onepassword-store ClusterSecretStore: external-secrets/onepassword
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ labels:
+ app.kubernetes.io/name: onepassword-store
+ kustomize.toolkit.fluxcd.io/name: onepassword-store
+ kustomize.toolkit.fluxcd.io/namespace: external-secrets
+ name: onepassword
+ namespace: external-secrets
+spec:
+ provider:
+ onepassword:
+ auth:
+ secretRef:
+ connectTokenSecretRef:
+ key: token
+ name: onepassword
+ namespace: external-secrets
+ connectHost: http://onepassword.external-secrets.svc.cluster.local
+ vaults:
+ Kubernetes: 1
+
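Review bot: `connectHost` is plain `http://` to the Connect API inside the cluster, so the Connect token referenced by `connectTokenSecretRef` crosses the pod network unencrypted on every reconcile; that is only acceptable if the hop is protected some other way (mesh mTLS, or a NetworkPolicy restricting who can reach the `onepassword` Service in `external-secrets`). Scoping `vaults` to `Kubernetes` is good; because the `PushSecret` later in this PR writes through this same store, the Connect token must have write access to that vault, so a leaked token can now modify every item that ExternalSecrets read rather than only read them.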
--- kubernetes/shared/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-production
+++ kubernetes/shared/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-production
@@ -0,0 +1,27 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager-issuers
+ kustomize.toolkit.fluxcd.io/name: cert-manager-issuers
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: letsencrypt-production
+ namespace: cert-manager
+spec:
+ acme:
+ email: jory@jory.dev
+ privateKeySecretRef:
+ name: letsencrypt-production
+ server: https://acme-v02.api.letsencrypt.org/directory
+ solvers:
+ - dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ key: CLOUDFLARE_API_KEY
+ name: cloudflare-secret
+ email: jory@jory.dev
+ selector:
+ dnsZones:
+ - jory.dev
+
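Review bot: the Cloudflare solver combines `apiTokenSecretRef` with `email`, and the referenced key is named `CLOUDFLARE_API_KEY`; cert-manager uses `email` only together with `apiKeySecretRef` (the account-wide Global API Key) and ignores it for `apiTokenSecretRef`, which expects a scoped API token. Confirm the value stored under `CLOUDFLARE_API_KEY` is a token limited to `Zone:DNS:Edit` on `jory.dev` (the least-privilege choice); if it is actually the global key the DNS-01 challenge will fail with an authentication error, and if it is a token, drop `email` and consider renaming the key (together with the ExternalSecret template) to avoid the confusion. The `dnsZones` selector correctly limits this solver to `jory.dev`.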
--- kubernetes/shared/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-staging
+++ kubernetes/shared/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ClusterIssuer: cert-manager/letsencrypt-staging
@@ -0,0 +1,27 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager-issuers
+ kustomize.toolkit.fluxcd.io/name: cert-manager-issuers
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: letsencrypt-staging
+ namespace: cert-manager
+spec:
+ acme:
+ email: jory@jory.dev
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ solvers:
+ - dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ key: CLOUDFLARE_API_KEY
+ name: cloudflare-secret
+ email: jory@jory.dev
+ selector:
+ dnsZones:
+ - jory.dev
+
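Review bot: identical to the production issuer apart from `server`, so the `apiTokenSecretRef`/`email` remark applies here too; sharing the same `cloudflare-secret` between both issuers is fine. Since each cluster consuming the shared tree will request its own copy of the wildcard, point a new cluster at this staging issuer first when bootstrapping to stay clear of Let's Encrypt's duplicate-certificate limit (5 per week for an identical name set).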
--- kubernetes/shared/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ExternalSecret: cert-manager/cloudflare-secret
+++ kubernetes/shared/apps/cert-manager/cert-manager/issuers Kustomization: cert-manager/cert-manager-issuers ExternalSecret: cert-manager/cloudflare-secret
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager-issuers
+ kustomize.toolkit.fluxcd.io/name: cert-manager-issuers
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: cloudflare-secret
+ namespace: cert-manager
+spec:
+ dataFrom:
+ - extract:
+ key: cloudflare
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword
+ target:
+ name: cloudflare-secret
+ template:
+ data:
+ CLOUDFLARE_API_KEY: '{{ .CLOUDFLARE_API_KEY }}'
+
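Review bot: because `target.template.data` is set, only `CLOUDFLARE_API_KEY` reaches the generated Secret even though `dataFrom.extract` pulls the whole `cloudflare` item, which is the desired minimal projection; keep in mind that renaming the key in the ClusterIssuer requires changing this template in lockstep, and that no `refreshInterval` is set, so the provider default applies to token rotation.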
--- kubernetes/shared/apps/flux-system/weave-gitops/app Kustomization: flux-system/weave-gitops ExternalSecret: flux-system/cluster-user-auth
+++ kubernetes/shared/apps/flux-system/weave-gitops/app Kustomization: flux-system/weave-gitops ExternalSecret: flux-system/cluster-user-auth
@@ -0,0 +1,24 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: weave-gitops
+ kustomize.toolkit.fluxcd.io/name: weave-gitops
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cluster-user-auth
+ namespace: flux-system
+spec:
+ dataFrom:
+ - extract:
+ key: weave-gitops
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword
+ target:
+ name: cluster-user-auth
+ template:
+ data:
+ password: '{{ .WEAVE_PASS_ENCODED }}'
+ username: '{{ .WEAVE_USER }}'
+
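Review bot: weave-gitops checks the `password` key of `cluster-user-auth` against a bcrypt hash, so `WEAVE_PASS_ENCODED` must hold the hash (the output of `gitops get bcrypt-hash`), not the plaintext password; the field name suggests that is the case, but it deserves a note on the 1Password item, because the same hash now authenticates the admin user on every cluster that consumes the shared tree.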
--- kubernetes/shared/apps/flux-system/weave-gitops/app Kustomization: flux-system/weave-gitops HelmRelease: flux-system/weave-gitops
+++ kubernetes/shared/apps/flux-system/weave-gitops/app Kustomization: flux-system/weave-gitops HelmRelease: flux-system/weave-gitops
@@ -0,0 +1,53 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: weave-gitops
+ kustomize.toolkit.fluxcd.io/name: weave-gitops
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: weave-gitops
+ namespace: flux-system
+spec:
+ chart:
+ spec:
+ chart: weave-gitops
+ sourceRef:
+ kind: HelmRepository
+ name: weave-gitops
+ namespace: flux-system
+ version: 4.0.36
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ adminUser:
+ create: true
+ createSecret: false
+ username: admin
+ ingress:
+ annotations:
+ gethomepage.dev/description: Flux Dashboard
+ gethomepage.dev/enabled: 'true'
+ gethomepage.dev/group: Infrastructure
+ gethomepage.dev/icon: https://raw.githubusercontent.com/joryirving/home-ops/main/docs/src/assets/icons/weave.png
+ gethomepage.dev/name: Weave-gitops
+ className: internal
+ enabled: true
+ hosts:
+ - host: gitops.jory.dev
+ metrics:
+ enabled: true
+ networkPolicy:
+ create: false
+ podAnnotations:
+ secret.reloader.stakater.com/reload: cluster-user-auth
+ rbac:
+ create: true
+
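Review bot: `ingress.hosts[0]` carries only `host` and no `paths`, and the rendered Ingress diffs further down show `paths: null` as a result; an HTTP rule without paths is rejected by the API server, so add `paths: [{ path: /, pathType: Prefix }]` under the host. Separately, `networkPolicy.create: false` discards the chart's NetworkPolicy for a dashboard whose ServiceAccount can impersonate users and groups; if a default-deny policy exists elsewhere that is fine, otherwise keep the chart's policy. The `secret.reloader.stakater.com/reload: cluster-user-auth` annotation together with `createSecret: false` is the right pairing for a password managed by the ExternalSecret above.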
--- kubernetes/shared/apps/cert-manager/cert-manager/tls Kustomization: cert-manager/cert-manager-tls Certificate: cert-manager/jory.dev
+++ kubernetes/shared/apps/cert-manager/cert-manager/tls Kustomization: cert-manager/cert-manager-tls Certificate: cert-manager/jory.dev
@@ -0,0 +1,20 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager-tls
+ kustomize.toolkit.fluxcd.io/name: cert-manager-tls
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: jory.dev
+ namespace: cert-manager
+spec:
+ commonName: jory.dev
+ dnsNames:
+ - jory.dev
+ - '*.jory.dev'
+ issuerRef:
+ kind: ClusterIssuer
+ name: letsencrypt-production
+ secretName: jory.dev-tls
+
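Review bot: this issues a wildcard for `*.jory.dev` without `privateKey.rotationPolicy`, which defaults to `Never` on the cert-manager releases that accept this manifest (newer releases changed the default), so renewals keep reusing the same key for as long as the Secret exists; set `privateKey.rotationPolicy: Always` so a renewal also retires the old key, which matters more now that the key is exported by the PushSecret that follows. Because the manifest sits in the shared tree without a `${CLUSTER}` suffix, every cluster requests its own copy of the same wildcard, so bootstrapping several clusters at once will run into Let's Encrypt's duplicate-certificate limit.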
--- kubernetes/shared/apps/cert-manager/cert-manager/tls Kustomization: cert-manager/cert-manager-tls PushSecret: cert-manager/${CLUSTER}-cluster-tls
+++ kubernetes/shared/apps/cert-manager/cert-manager/tls Kustomization: cert-manager/cert-manager-tls PushSecret: cert-manager/${CLUSTER}-cluster-tls
@@ -0,0 +1,34 @@
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager-tls
+ kustomize.toolkit.fluxcd.io/name: cert-manager-tls
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: ${CLUSTER}-cluster-tls
+ namespace: cert-manager
+spec:
+ data:
+ - match:
+ remoteRef:
+ property: tls.crt
+ remoteKey: ${CLUSTER}-cluster-tls
+ secretKey: tls.crt
+ - match:
+ remoteRef:
+ property: tls.key
+ remoteKey: ${CLUSTER}-cluster-tls
+ secretKey: tls.key
+ secretStoreRefs:
+ - kind: ClusterSecretStore
+ name: onepassword
+ selector:
+ secret:
+ name: jory.dev-tls
+ template:
+ data:
+ tls.crt: '{{ index . "tls.crt" | b64enc }}'
+ tls.key: '{{ index . "tls.key" | b64enc }}'
+ engineVersion: v2
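Review bot: the template base64-encodes `tls.crt` and `tls.key` (`b64enc`) before pushing, so the 1Password item ends up holding base64 text; whatever consumes `${CLUSTER}-cluster-tls` on the other side has to decode it, otherwise a consuming ExternalSecret produces doubly-encoded data. More important, this writes each cluster's wildcard private key into the same vault that every cluster's Connect token can read, so compromise of one cluster's token exposes the private keys of all of them; if the goal is distributing one certificate rather than backing up each cluster's, issue it once and let the other clusters pull. Either way the Connect token behind the `onepassword` ClusterSecretStore now needs write access to the vault.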
+ |
joryirving force-pushed the feat/shared-apps branch from 4972afb to 9f957a1 on January 30, 2025 21:01
--- HelmRelease: flux-system/weave-gitops ClusterRole: flux-system/wego-admin-cluster-role
+++ HelmRelease: flux-system/weave-gitops ClusterRole: flux-system/wego-admin-cluster-role
@@ -86,7 +86,15 @@
- imageupdateautomations
verbs:
- get
- list
- watch
- patch
+- apiGroups:
+ - infra.contrib.fluxcd.io
+ resources:
+ - terraforms
+ verbs:
+ - get
+ - list
+ - patch
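Review bot: this adds `patch` on `terraforms` in `infra.contrib.fluxcd.io` to the cluster-wide admin role; `patch` on Terraform objects lets a dashboard admin alter infrastructure definitions, so if tf-controller is not installed on these clusters the grant is dead weight, and if it is, confirm dashboard admins should have write access to it. The same rule is added to the namespaced `wego-admin-role` below, right after an existing `terraforms` rule, and the later diff on this page removes both again, so this looks like chart-version churn between force-pushes rather than an intentional grant.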
--- HelmRelease: flux-system/weave-gitops ClusterRole: flux-system/weave-gitops
+++ HelmRelease: flux-system/weave-gitops ClusterRole: flux-system/weave-gitops
@@ -8,14 +8,12 @@
- ''
resources:
- users
- groups
verbs:
- impersonate
- resourceNames:
- - admin
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
--- HelmRelease: flux-system/weave-gitops Role: flux-system/wego-admin-role
+++ HelmRelease: flux-system/weave-gitops Role: flux-system/wego-admin-role
@@ -60,7 +60,15 @@
- terraforms
verbs:
- get
- list
- watch
- patch
+- apiGroups:
+ - infra.contrib.fluxcd.io
+ resources:
+ - terraforms
+ verbs:
+ - get
+ - list
+ - patch
--- HelmRelease: flux-system/weave-gitops Ingress: flux-system/weave-gitops
+++ HelmRelease: flux-system/weave-gitops Ingress: flux-system/weave-gitops
@@ -9,15 +9,8 @@
app.kubernetes.io/managed-by: Helm
spec:
ingressClassName: internal
rules:
- host: gitops-utility.jory.dev
http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: weave-gitops
- port:
- number: 9001
+ paths: null
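Review bot: `paths: null` is the symptom of the missing `paths` under `ingress.hosts` in the shared HelmRelease; an HTTP rule with no paths fails validation, so the dashboard will be unreachable at `gitops-utility.jory.dev` until `paths` is added in the values, not here in the rendered output.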
--- HelmRelease: flux-system/capacitor ServiceAccount: flux-system/capacitor
+++ HelmRelease: flux-system/capacitor ServiceAccount: flux-system/capacitor
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: capacitor
- labels:
- app.kubernetes.io/instance: capacitor
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: capacitor
-secrets:
-- name: capacitor-default-sa-token
-
--- HelmRelease: flux-system/capacitor Service: flux-system/capacitor
+++ HelmRelease: flux-system/capacitor Service: flux-system/capacitor
@@ -1,22 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: capacitor
- labels:
- app.kubernetes.io/instance: capacitor
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: capacitor
- app.kubernetes.io/service: capacitor
-spec:
- type: ClusterIP
- ports:
- - port: 9000
- targetPort: 9000
- protocol: TCP
- name: http
- selector:
- app.kubernetes.io/component: capacitor
- app.kubernetes.io/instance: capacitor
- app.kubernetes.io/name: capacitor
-
--- HelmRelease: flux-system/capacitor Deployment: flux-system/capacitor
+++ HelmRelease: flux-system/capacitor Deployment: flux-system/capacitor
@@ -1,54 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: capacitor
- labels:
- app.kubernetes.io/component: capacitor
- app.kubernetes.io/instance: capacitor
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: capacitor
-spec:
- revisionHistoryLimit: 3
- replicas: 1
- strategy:
- type: RollingUpdate
- selector:
- matchLabels:
- app.kubernetes.io/component: capacitor
- app.kubernetes.io/name: capacitor
- app.kubernetes.io/instance: capacitor
- template:
- metadata:
- annotations:
- checksum/secrets: f9a2edb516d89dc9e0af00dcf3d13ae57cbe1bc631c4b35d393a497ef218d929
- labels:
- app.kubernetes.io/component: capacitor
- app.kubernetes.io/instance: capacitor
- app.kubernetes.io/name: capacitor
- spec:
- enableServiceLinks: false
- serviceAccountName: capacitor
- automountServiceAccountToken: true
- hostIPC: false
- hostNetwork: false
- hostPID: false
- dnsPolicy: ClusterFirst
- containers:
- - image: ghcr.io/gimlet-io/capacitor:v0.4.8@sha256:c999a42cccc523b91086547f890466d09be4755bf05a52763b0d14594bf60782
- name: app
- resources:
- limits:
- ephemeral-storage: 2Gi
- memory: 200Mi
- requests:
- cpu: 50m
- ephemeral-storage: 1Gi
- memory: 100Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
-
--- HelmRelease: flux-system/capacitor Ingress: flux-system/capacitor
+++ HelmRelease: flux-system/capacitor Ingress: flux-system/capacitor
@@ -1,23 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: capacitor
- labels:
- app.kubernetes.io/instance: capacitor
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: capacitor
-spec:
- ingressClassName: internal
- rules:
- - host: capacitor-utility.jory.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: capacitor
- port:
- number: 9000
- |
--- HelmRelease: flux-system/weave-gitops ClusterRole: flux-system/wego-admin-cluster-role
+++ HelmRelease: flux-system/weave-gitops ClusterRole: flux-system/wego-admin-cluster-role
@@ -86,15 +86,7 @@
- imageupdateautomations
verbs:
- get
- list
- watch
- patch
-- apiGroups:
- - infra.contrib.fluxcd.io
- resources:
- - terraforms
- verbs:
- - get
- - list
- - patch
--- HelmRelease: flux-system/weave-gitops Role: flux-system/wego-admin-role
+++ HelmRelease: flux-system/weave-gitops Role: flux-system/wego-admin-role
@@ -60,15 +60,7 @@
- terraforms
verbs:
- get
- list
- watch
- patch
-- apiGroups:
- - infra.contrib.fluxcd.io
- resources:
- - terraforms
- verbs:
- - get
- - list
- - patch
--- HelmRelease: flux-system/weave-gitops Deployment: flux-system/weave-gitops
+++ HelmRelease: flux-system/weave-gitops Deployment: flux-system/weave-gitops
@@ -15,13 +15,13 @@
matchLabels:
app.kubernetes.io/name: weave-gitops
app.kubernetes.io/instance: weave-gitops
template:
metadata:
annotations:
- secret.reloader.stakater.com/reload: cluster-user-auth,oidc-auth
+ secret.reloader.stakater.com/reload: cluster-user-auth
labels:
app.kubernetes.io/name: weave-gitops
app.kubernetes.io/instance: weave-gitops
app.kubernetes.io/part-of: weave-gitops
weave.works/app: weave-gitops-oss
spec:
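Review bot: dropping `oidc-auth` from the reload annotation follows from the shared HelmRelease configuring only `adminUser` and no OIDC section, so a cluster that previously had OIDC login is reduced to the single shared admin password; if that is intended it should be stated in the PR, and the admin credential then becomes the only way in and should be treated as such.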
--- HelmRelease: flux-system/weave-gitops Ingress: flux-system/weave-gitops
+++ HelmRelease: flux-system/weave-gitops Ingress: flux-system/weave-gitops
@@ -15,15 +15,8 @@
gethomepage.dev/name: Weave-gitops
spec:
ingressClassName: internal
rules:
- host: gitops.jory.dev
http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: weave-gitops
- port:
- number: 9001
+ paths: null
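Review bot: same defect as the earlier Ingress diff: the rule for `gitops.jory.dev` renders with `paths: null` and will be rejected; fix it once in the HelmRelease `ingress.hosts` values.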
--- HelmRelease: flux-system/clickops ServiceAccount: flux-system/clickops
+++ HelmRelease: flux-system/clickops ServiceAccount: flux-system/clickops
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: clickops
- labels:
- app.kubernetes.io/instance: clickops
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: clickops
-secrets:
-- name: clickops-default-sa-token
-
--- HelmRelease: flux-system/clickops Service: flux-system/clickops
+++ HelmRelease: flux-system/clickops Service: flux-system/clickops
@@ -1,22 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: clickops
- labels:
- app.kubernetes.io/instance: clickops
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: clickops
- app.kubernetes.io/service: clickops
-spec:
- type: ClusterIP
- ports:
- - port: 3000
- targetPort: 3000
- protocol: TCP
- name: http
- selector:
- app.kubernetes.io/component: clickops
- app.kubernetes.io/instance: clickops
- app.kubernetes.io/name: clickops
-
--- HelmRelease: flux-system/clickops Deployment: flux-system/clickops
+++ HelmRelease: flux-system/clickops Deployment: flux-system/clickops
@@ -1,85 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: clickops
- labels:
- app.kubernetes.io/component: clickops
- app.kubernetes.io/instance: clickops
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: clickops
- annotations:
- reloader.stakater.com/auto: 'true'
-spec:
- revisionHistoryLimit: 3
- replicas: 1
- strategy:
- type: Recreate
- selector:
- matchLabels:
- app.kubernetes.io/component: clickops
- app.kubernetes.io/name: clickops
- app.kubernetes.io/instance: clickops
- template:
- metadata:
- annotations:
- checksum/secrets: f9a2edb516d89dc9e0af00dcf3d13ae57cbe1bc631c4b35d393a497ef218d929
- labels:
- app.kubernetes.io/component: clickops
- app.kubernetes.io/instance: clickops
- app.kubernetes.io/name: clickops
- spec:
- enableServiceLinks: false
- serviceAccountName: clickops
- automountServiceAccountToken: true
- securityContext:
- fsGroup: 100
- fsGroupChangePolicy: OnRootMismatch
- runAsGroup: 100
- runAsNonRoot: true
- runAsUser: 1000
- seccompProfile:
- type: RuntimeDefault
- hostIPC: false
- hostNetwork: false
- hostPID: false
- dnsPolicy: ClusterFirst
- containers:
- - env:
- - name: TZ
- value: America/Edmonton
- - name: __HOST
- value: clickops.jory.dev
- - name: __PORT
- value: '3000'
- image: ghcr.io/whazor/clickops:v0.0.2@sha256:ca764fc302afd14e0aa31b2195bc2ee1a9ddf53d32aa046abd6137973018865d
- livenessProbe:
- failureThreshold: 3
- httpGet:
- path: /ping
- port: 3000
- initialDelaySeconds: 5
- periodSeconds: 30
- timeoutSeconds: 10
- name: app
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /ping
- port: 3000
- initialDelaySeconds: 5
- periodSeconds: 30
- timeoutSeconds: 10
- resources:
- limits:
- memory: 300Mi
- requests:
- cpu: 25m
- memory: 100Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
-
--- HelmRelease: flux-system/clickops Ingress: flux-system/clickops
+++ HelmRelease: flux-system/clickops Ingress: flux-system/clickops
@@ -1,23 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: clickops
- labels:
- app.kubernetes.io/instance: clickops
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: clickops
-spec:
- ingressClassName: internal
- rules:
- - host: clickops.jory.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: clickops
- port:
- number: 3000
- |
joryirving force-pushed the feat/shared-apps branch 3 times, most recently from 1c1b112 to 4cea8f8 on January 30, 2025 21:37
joryirving force-pushed the feat/shared-apps branch from 4cea8f8 to 720a6d1 on January 30, 2025 21:39
joryirving force-pushed the feat/shared-apps branch from 720a6d1 to 102767a on January 30, 2025 21:45
joryirving force-pushed the main branch 7 times, most recently from 19d7ea0 to 19261c1 on February 5, 2025 15:36
Labels: area/github (Changes made in the github directory), area/kubernetes (Changes made in the kubernetes directory), cluster/main, cluster/utility
Low hanging fruit are apps that are identical between clusters