diff --git a/.drone.yml b/.drone.yml
index efd305b..7f6b89e 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -1,88 +1,89 @@ +--- kind: pipeline name: deploy steps: -- name: kustomize build dashboard (prod + staging) - image: git.ar21.de/aaron/kustomize-ci - commands: - - cd /deployment-repo - - git clone https://git.ar21.de/yolokube/core-deployments.git . - - cd /deployment-repo/dashboard/overlays/prod - - kustomize build -o /deployment-repo/dashboard/prod/dashboard.yaml - - cd /deployment-repo/dashboard/overlays/staging - - kustomize build -o /deployment-repo/dashboard/staging/dashboard.yaml - volumes: - - name: deployment-repo - path: /deployment-repo - when: - branch: - - main - event: - - push -- name: kustomize build dashboard (staging) - image: git.ar21.de/aaron/kustomize-ci - commands: - - cd /deployment-repo - - git clone https://git.ar21.de/yolokube/core-deployments.git . - - cd /staging-repo - - git clone -b $DRONE_BRANCH https://git.ar21.de/yolokube/core-deployments.git . - - cd /staging-repo/dashboard/overlays/staging - - kustomize build -o /deployment-repo/dashboard/staging/dashboard.yaml - volumes: - - name: deployment-repo - path: /deployment-repo - - name: staging-repo - path: /staging-repo - when: - branch: - exclude: + - name: kustomize build dashboard (prod + staging) + image: git.ar21.de/aaron/kustomize-ci + commands: + - cd /deployment-repo + - git clone https://git.ar21.de/yolokube/core-deployments.git . 
+ - cd /deployment-repo/dashboard/overlays/prod + - kustomize build -o /deployment-repo/dashboard/prod/dashboard.yaml + - cd /deployment-repo/dashboard/overlays/staging + - kustomize build -o /deployment-repo/dashboard/staging/dashboard.yaml + volumes: + - name: deployment-repo + path: /deployment-repo + when: + branch: - main - event: - - push -- name: kustomize push dashboard changes (prod + staging) - image: appleboy/drone-git-push - settings: - branch: main - remote: ssh://git@git.ar21.de:2222/yolokube/core-deployments.git - path: /deployment-repo - force: false - commit: true - commit_message: "KUSTOMIZE BUILD: rebuild dashboard deployment with kustomize ${DRONE_BUILD_NUMBER} (done automagically via Drone pipeline) [CI SKIP]" - ssh_key: - from_secret: GITEA_SSH_KEY - volumes: - - name: deployment-repo - path: /deployment-repo - when: - branch: - - main - event: - - push -- name: kustomize push dashboard changes (staging) - image: appleboy/drone-git-push - settings: - branch: main - remote: ssh://git@git.ar21.de:2222/yolokube/core-deployments.git - path: /deployment-repo - force: false - commit: true - commit_message: "KUSTOMIZE BUILD STAGING: rebuild dashboard deployment with kustomize ${DRONE_BUILD_NUMBER} [CI SKIP]" - ssh_key: - from_secret: GITEA_SSH_KEY - volumes: - - name: deployment-repo - path: /deployment-repo - when: - branch: - exclude: + event: + - push + - name: kustomize build dashboard (staging) + image: git.ar21.de/aaron/kustomize-ci + commands: + - cd /deployment-repo + - git clone https://git.ar21.de/yolokube/core-deployments.git . + - cd /staging-repo + - git clone -b $DRONE_BRANCH https://git.ar21.de/yolokube/core-deployments.git . 
+ - cd /staging-repo/dashboard/overlays/staging + - kustomize build -o /deployment-repo/dashboard/staging/dashboard.yaml + volumes: + - name: deployment-repo + path: /deployment-repo + - name: staging-repo + path: /staging-repo + when: + branch: + exclude: + - main + event: + - push + - name: kustomize push dashboard changes (prod + staging) + image: appleboy/drone-git-push + settings: + branch: main + remote: ssh://git@git.ar21.de:2222/yolokube/core-deployments.git + path: /deployment-repo + force: false + commit: true + commit_message: "KUSTOMIZE BUILD: rebuild dashboard deployment with kustomize ${DRONE_BUILD_NUMBER} (done automagically via Drone pipeline) [CI SKIP]" + ssh_key: + from_secret: GITEA_SSH_KEY + volumes: + - name: deployment-repo + path: /deployment-repo + when: + branch: - main - event: - - push + event: + - push + - name: kustomize push dashboard changes (staging) + image: appleboy/drone-git-push + settings: + branch: main + remote: ssh://git@git.ar21.de:2222/yolokube/core-deployments.git + path: /deployment-repo + force: false + commit: true + commit_message: "KUSTOMIZE BUILD STAGING: rebuild dashboard deployment with kustomize ${DRONE_BUILD_NUMBER} [CI SKIP]" + ssh_key: + from_secret: GITEA_SSH_KEY + volumes: + - name: deployment-repo + path: /deployment-repo + when: + branch: + exclude: + - main + event: + - push volumes: -- name: deployment-repo - temp: {} -- name: staging-repo - temp: {} + - name: deployment-repo + temp: {} + - name: staging-repo + temp: {} when: event: exclude: - - pull_request \ No newline at end of file + - pull_request diff --git a/app-files/apps.yaml b/app-files/apps.yaml index 1d25110..c7f8047 100644 --- a/app-files/apps.yaml +++ b/app-files/apps.yaml 
@@ -28,12 +28,12 @@ spec: project: default sources: - chart: woodpecker - repoURL: https://woodpecker-ci.org/ + repoURL: https://woodpecker-ci.org/ targetRevision: 1.6.0 helm: releaseName: woodpecker valueFiles: - - $values/woodpecker/values/values.yaml + - $values/woodpecker/values/values.yaml - repoURL: https://git.ar21.de/yolokube/core-deployments.git targetRevision: HEAD ref: values @@ -45,7 +45,7 @@ spec: namespace: woodpecker syncPolicy: syncOptions: - - CreateNamespace=true + - CreateNamespace=true automated: prune: false --- @@ -65,7 +65,7 @@ spec: namespace: paste syncPolicy: syncOptions: - - CreateNamespace=true + - CreateNamespace=true automated: selfHeal: false prune: false diff --git a/app-files/core-deployments.yaml b/app-files/core-deployments.yaml index 3e71c20..d497169 100644 --- a/app-files/core-deployments.yaml +++ b/app-files/core-deployments.yaml @@ -13,7 +13,7 @@ spec: helm: releaseName: traefik valueFiles: - - $values/traefik/values.yaml + - $values/traefik/values.yaml - repoURL: https://git.ar21.de/yolokube/core-deployments.git targetRevision: HEAD ref: values @@ -25,7 +25,7 @@ spec: namespace: traefik syncPolicy: syncOptions: - - CreateNamespace=true + - CreateNamespace=true automated: prune: false --- @@ -43,7 +43,7 @@ spec: helm: releaseName: argo valueFiles: - - $values/argo/values.yaml + - $values/argo/values.yaml - repoURL: https://git.ar21.de/yolokube/core-deployments.git targetRevision: HEAD ref: values @@ -55,7 +55,7 @@ spec: namespace: argocd syncPolicy: syncOptions: - - CreateNamespace=true + - CreateNamespace=true automated: selfHeal: true prune: false 
@@ -70,11 +70,11 @@ spec: sources: - repoURL: https://charts.longhorn.io chart: longhorn - targetRevision: 1.7.1 # see Infos below, the CSI snapshotter needs to be updated too <-- version association can be found here: https://longhorn.io/docs/latest/snapshots-and-backups/csi-snapshot-support/enable-csi-snapshot-support/ + targetRevision: 1.7.1 # see Infos below, the CSI snapshotter needs to be updated too <-- version association can be found here: https://longhorn.io/docs/latest/snapshots-and-backups/csi-snapshot-support/enable-csi-snapshot-support/ helm: releaseName: longhorn valueFiles: - - $values/longhorn/values.yaml + - $values/longhorn/values.yaml - repoURL: https://git.ar21.de/yolokube/core-deployments.git targetRevision: HEAD ref: values 
@@ -82,17 +82,17 @@ spec: targetRevision: HEAD path: longhorn - repoURL: https://github.com/kubernetes-csi/external-snapshotter.git - targetRevision: v6.3.2 # <-- needs to be updated when longhorn version is changed. Find the correct version here: https://longhorn.io/docs/latest/snapshots-and-backups/csi-snapshot-support/csi-volume-snapshot-associated-with-longhorn-snapshot/ + targetRevision: v6.3.2 # <-- needs to be updated when longhorn version is changed. Find the correct version here: https://longhorn.io/docs/latest/snapshots-and-backups/csi-snapshot-support/csi-volume-snapshot-associated-with-longhorn-snapshot/ path: client/config/crd - repoURL: https://github.com/kubernetes-csi/external-snapshotter.git - targetRevision: v6.3.2 # <-- needs to be updated when longhorn version is changed. Find the correct version here: https://longhorn.io/docs/latest/snapshots-and-backups/csi-snapshot-support/csi-volume-snapshot-associated-with-longhorn-snapshot/ + targetRevision: v6.3.2 # <-- needs to be updated when longhorn version is changed. Find the correct version here: https://longhorn.io/docs/latest/snapshots-and-backups/csi-snapshot-support/csi-volume-snapshot-associated-with-longhorn-snapshot/ path: deploy/kubernetes/snapshot-controller destination: server: https://kubernetes.default.svc namespace: longhorn-system syncPolicy: syncOptions: - - CreateNamespace=true + - CreateNamespace=true automated: prune: false --- @@ -110,7 +110,7 @@ spec: helm: releaseName: prometheus valueFiles: - - $values/prometheus/values.yaml + - $values/prometheus/values.yaml - repoURL: https://git.ar21.de/yolokube/core-deployments.git targetRevision: HEAD ref: values 
@@ -122,30 +122,30 @@ spec: namespace: prometheus syncPolicy: syncOptions: - - CreateNamespace=true - - ServerSideApply=true - - RespectIgnoreDifferences=true + - CreateNamespace=true + - ServerSideApply=true + - RespectIgnoreDifferences=true automated: prune: false ignoreDifferences: - - group: apps - kind: Deployment - jqPathExpressions: - - '.spec.template.spec.initContainers[]?.resources' - - '.spec.template.spec.containers[]?.resources' - - group: apps - kind: DaemonSet - jqPathExpressions: - - '.spec.template.spec.initContainers[]?.resources' - - '.spec.template.spec.containers[]?.resources' - - group: admissionregistration.k8s.io - kind: MutatingWebhookConfiguration - jqPathExpressions: - - '.webhooks[]?.clientConfig.caBundle' - - group: admissionregistration.k8s.io - kind: ValidatingWebhookConfiguration - jqPathExpressions: - - '.webhooks[]?.clientConfig.caBundle' + - group: apps + kind: Deployment + jqPathExpressions: + - '.spec.template.spec.initContainers[]?.resources' + - '.spec.template.spec.containers[]?.resources' + - group: apps + kind: DaemonSet + jqPathExpressions: + - '.spec.template.spec.initContainers[]?.resources' + - '.spec.template.spec.containers[]?.resources' + - group: admissionregistration.k8s.io + kind: MutatingWebhookConfiguration + jqPathExpressions: + - '.webhooks[]?.clientConfig.caBundle' + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + jqPathExpressions: + - '.webhooks[]?.clientConfig.caBundle' --- apiVersion: argoproj.io/v1alpha1 kind: Application @@ -161,7 +161,7 @@ spec: helm: releaseName: cilium-cni valueFiles: - - $values/cilium/values.yaml + - $values/cilium/values.yaml - repoURL: https://git.ar21.de/yolokube/core-deployments.git targetRevision: HEAD ref: values 
@@ -173,22 +173,22 @@ spec: namespace: kube-cilium syncPolicy: syncOptions: - - CreateNamespace=true - - ServerSideApply=true - - RespectIgnoreDifferences=true + - CreateNamespace=true + - ServerSideApply=true + - RespectIgnoreDifferences=true automated: prune: false ignoreDifferences: - - group: apps - kind: Deployment - jqPathExpressions: - - '.spec.template.spec.containers[]?.resources' - - group: apps - kind: DaemonSet - jqPathExpressions: - - '.spec.template.spec.initContainers[]?.resources' - - '.spec.template.spec.containers[]?.resources' - - '.spec.template.metadata.annotations' + - group: apps + kind: Deployment + jqPathExpressions: + - '.spec.template.spec.containers[]?.resources' + - group: apps + kind: DaemonSet + jqPathExpressions: + - '.spec.template.spec.initContainers[]?.resources' + - '.spec.template.spec.containers[]?.resources' + - '.spec.template.metadata.annotations' --- apiVersion: argoproj.io/v1alpha1 kind: Application @@ -206,7 +206,7 @@ spec: namespace: node-labeler syncPolicy: syncOptions: - - CreateNamespace=true + - CreateNamespace=true automated: prune: false --- @@ -226,7 +226,7 @@ spec: namespace: quota syncPolicy: syncOptions: - - CreateNamespace=true + - CreateNamespace=true automated: prune: false --- @@ -246,7 +246,7 @@ spec: namespace: dashboard syncPolicy: syncOptions: - - CreateNamespace=true + - CreateNamespace=true automated: prune: false --- @@ -266,7 +266,7 @@ spec: namespace: dashboard-staging syncPolicy: syncOptions: - - CreateNamespace=true + - CreateNamespace=true automated: prune: false --- @@ -284,7 +284,7 @@ spec: helm: releaseName: loki valueFiles: - - $values/loki/values.yaml + - $values/loki/values.yaml - repoURL: https://git.ar21.de/yolokube/core-deployments.git targetRevision: HEAD ref: values @@ -296,7 +296,7 @@ spec: namespace: logs syncPolicy: syncOptions: - - CreateNamespace=true + - CreateNamespace=true automated: prune: false --- 
@@ -318,7 +318,7 @@ spec: namespace: logs syncPolicy: syncOptions: - - CreateNamespace=true + - CreateNamespace=true automated: prune: false --- @@ -348,7 +348,7 @@ spec: namespace: kube-system syncPolicy: syncOptions: - - CreateNamespace=true + - CreateNamespace=true automated: prune: false --- @@ -405,7 +405,7 @@ spec: helm: releaseName: cert-manager valueFiles: - - $values/cert-manager/values.yaml + - $values/cert-manager/values.yaml - repoURL: https://git.ar21.de/yolokube/core-deployments.git targetRevision: HEAD ref: values @@ -417,7 +417,7 @@ spec: namespace: cert-manager syncPolicy: syncOptions: - - CreateNamespace=true + - CreateNamespace=true automated: prune: false --- @@ -437,7 +437,7 @@ spec: namespace: authentik syncPolicy: syncOptions: - - CreateNamespace=true + - CreateNamespace=true automated: prune: false --- @@ -457,6 +457,6 @@ spec: namespace: thanos syncPolicy: syncOptions: - - CreateNamespace=true + - CreateNamespace=true automated: prune: false diff --git a/app-files/tests.yaml b/app-files/tests.yaml index 4be36af..16d43d9 100644 --- a/app-files/tests.yaml +++ b/app-files/tests.yaml @@ -35,7 +35,7 @@ spec: namespace: test-deployments syncPolicy: syncOptions: - - CreateNamespace=true + - CreateNamespace=true automated: selfHeal: false diff --git a/argo/cm.yaml b/argo/cm.yaml index 6189393..b5fbe16 100644 --- a/argo/cm.yaml +++ b/argo/cm.yaml @@ -18,12 +18,12 @@ data: hs.status = "Healthy" return hs resource.exclusions: | - - apiGroups: - - cilium.io - kinds: - - CiliumIdentity - clusters: - - "*" + - apiGroups: + - cilium.io + kinds: + - CiliumIdentity + clusters: + - "*" url: https://argo.services.yolokube.de oidc.config: | name: aaronID diff --git a/argo/kustomization.yaml b/argo/kustomization.yaml index dd98dfe..2d115cb 100644 --- a/argo/kustomization.yaml +++ b/argo/kustomization.yaml @@ -1,3 +1,4 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization generators: 
diff --git a/argo/secret-generator.yaml b/argo/secret-generator.yaml index 32c8ea0..552987a 100644 --- a/argo/secret-generator.yaml +++ b/argo/secret-generator.yaml @@ -1,3 +1,4 @@ +--- apiVersion: viaduct.ai/v1 kind: ksops metadata: diff --git a/argo/secret.yaml b/argo/secret.yaml index 40da13a..9f69c62 100644 --- a/argo/secret.yaml +++ b/argo/secret.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Secret metadata: diff --git a/argo/sops-secret.yaml b/argo/sops-secret.yaml index 3cafd8f..1c379bf 100644 --- a/argo/sops-secret.yaml +++ b/argo/sops-secret.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Secret metadata: diff --git a/argo/values.yaml b/argo/values.yaml index 7240092..3f60bf7 100644 --- a/argo/values.yaml +++ b/argo/values.yaml @@ -1,3 +1,4 @@ +--- global: domain: argo.services.yolokube.de configs: diff --git a/authentik/kustomization.yaml b/authentik/kustomization.yaml index b14a91c..5b14a71 100644 --- a/authentik/kustomization.yaml +++ b/authentik/kustomization.yaml @@ -1,3 +1,4 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization generators: diff --git a/authentik/manifest.yaml b/authentik/manifest.yaml index bf3dd05..63bb83b 100644 --- a/authentik/manifest.yaml +++ b/authentik/manifest.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Namespace metadata: @@ -37,20 +38,20 @@ metadata: namespace: authentik spec: rules: - - host: "sso.services.yolokube.de" - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: authentik-outpost - port: - number: 9000 + - host: "sso.services.yolokube.de" + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: authentik-outpost + port: + number: 9000 tls: - - hosts: - - sso.services.yolokube.de - secretName: authentik-tls-key + - hosts: + - sso.services.yolokube.de + secretName: authentik-tls-key --- apiVersion: apps/v1 kind: Deployment 
@@ -76,21 +77,21 @@ spec: spec: containers: - env: - - name: AUTHENTIK_HOST - valueFrom: - secretKeyRef: - key: authentik_host - name: authentik-outpost-api - - name: AUTHENTIK_TOKEN - valueFrom: - secretKeyRef: - key: token - name: authentik-outpost-api - - name: AUTHENTIK_INSECURE - valueFrom: - secretKeyRef: - key: authentik_host_insecure - name: authentik-outpost-api + - name: AUTHENTIK_HOST + valueFrom: + secretKeyRef: + key: authentik_host + name: authentik-outpost-api + - name: AUTHENTIK_TOKEN + valueFrom: + secretKeyRef: + key: token + name: authentik-outpost-api + - name: AUTHENTIK_INSECURE + valueFrom: + secretKeyRef: + key: authentik_host_insecure + name: authentik-outpost-api image: ghcr.io/goauthentik/proxy:2024.8.3 name: proxy ports: @@ -104,22 +105,22 @@ spec: apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: - name: authentik - namespace: authentik + name: authentik + namespace: authentik spec: - forwardAuth: - address: http://authentik-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik - trustForwardHeader: true - authResponseHeaders: - - X-authentik-username - - X-authentik-groups - - X-authentik-email - - X-authentik-name - - X-authentik-uid - - X-authentik-jwt - - X-authentik-grafana-role - - X-authentik-meta-jwks - - X-authentik-meta-outpost - - X-authentik-meta-provider - - X-authentik-meta-app - - X-authentik-meta-version + forwardAuth: + address: http://authentik-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-grafana-role + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version diff --git a/authentik/secret-generator.yaml b/authentik/secret-generator.yaml index 486c4c1..7f9b73e 100644 
--- a/authentik/secret-generator.yaml +++ b/authentik/secret-generator.yaml @@ -1,3 +1,4 @@ +--- apiVersion: viaduct.ai/v1 kind: ksops metadata: diff --git a/authentik/secret.yaml b/authentik/secret.yaml index a76c6a3..850643a 100644 --- a/authentik/secret.yaml +++ b/authentik/secret.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Secret metadata: diff --git a/cert-manager/issuer.yaml b/cert-manager/issuer.yaml index 0c7a26d..c31bee5 100644 --- a/cert-manager/issuer.yaml +++ b/cert-manager/issuer.yaml @@ -2,29 +2,29 @@ apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: - name: letsencrypt-prod + name: letsencrypt-prod spec: - acme: - email: letsencrypt@ar21.de - server: https://acme-v02.api.letsencrypt.org/directory - privateKeySecretRef: - name: letsencrypt-prod-key - solvers: - - http01: - ingress: - class: traefik + acme: + email: letsencrypt@ar21.de + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-prod-key + solvers: + - http01: + ingress: + class: traefik --- apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: - name: letsencrypt-staging + name: letsencrypt-staging spec: - acme: - email: letsencrypt@ar21.de - server: https://acme-staging-v02.api.letsencrypt.org/directory - privateKeySecretRef: - name: letsencrypt-staging-key - solvers: - - http01: - ingress: - class: traefik + acme: + email: letsencrypt@ar21.de + server: https://acme-staging-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: letsencrypt-staging-key + solvers: + - http01: + ingress: + class: traefik diff --git a/cert-manager/namespace.yaml b/cert-manager/namespace.yaml index 16fc9b8..72ec2c4 100644 --- a/cert-manager/namespace.yaml +++ b/cert-manager/namespace.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Namespace metadata: diff --git a/cert-manager/values.yaml b/cert-manager/values.yaml index e3e0b47..79b69c5 100644 --- a/cert-manager/values.yaml +++ b/cert-manager/values.yaml 
@@ -1,3 +1,4 @@ +--- namespace: cert-manager replicaCount: 3 podDisruptionBudget: diff --git a/cilium/values.yaml b/cilium/values.yaml index ee5f233..1fe969d 100644 --- a/cilium/values.yaml +++ b/cilium/values.yaml @@ -1,3 +1,4 @@ +--- encryption: enabled: false ipam: diff --git a/dashboard/base/dashboard.yaml b/dashboard/base/dashboard.yaml index 2656ea2..7095b57 100644 --- a/dashboard/base/dashboard.yaml +++ b/dashboard/base/dashboard.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Namespace metadata: @@ -21,17 +22,17 @@ spec: app: dashboard spec: containers: - - name: dashboard - image: git.ar21.de/yolokube/dashboard:latest - imagePullPolicy: Always - ports: - - containerPort: 8080 - livenessProbe: - httpGet: - path: / - port: 8080 - initialDelaySeconds: 4 - periodSeconds: 3 + - name: dashboard + image: git.ar21.de/yolokube/dashboard:latest + imagePullPolicy: Always + ports: + - containerPort: 8080 + livenessProbe: + httpGet: + path: / + port: 8080 + initialDelaySeconds: 4 + periodSeconds: 3 --- apiVersion: v1 kind: Service @@ -55,17 +56,17 @@ metadata: namespace: dashboard spec: rules: - - host: "dashboard.services.yolokube.de" - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: dashboard-service - port: - number: 80 + - host: "dashboard.services.yolokube.de" + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: dashboard-service + port: + number: 80 tls: - - hosts: - - dashboard.services.yolokube.de - secretName: dashboard-tls-key + - hosts: + - dashboard.services.yolokube.de + secretName: dashboard-tls-key diff --git a/dashboard/base/kustomization.yaml b/dashboard/base/kustomization.yaml index 0ffad88..26e2f2c 100644 --- a/dashboard/base/kustomization.yaml +++ b/dashboard/base/kustomization.yaml @@ -1,4 +1,5 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- dashboard.yaml \ No newline at end of file + - dashboard.yaml 
diff --git a/dashboard/overlays/prod/kustomization.yaml b/dashboard/overlays/prod/kustomization.yaml index 2b3fb31..48e0f4b 100644 --- a/dashboard/overlays/prod/kustomization.yaml +++ b/dashboard/overlays/prod/kustomization.yaml @@ -1,9 +1,10 @@ +--- resources: -- ../../base + - ../../base apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: -- name: git.ar21.de/yolokube/dashboard - newName: git.ar21.de/yolokube/dashboard - newTag: "96" + - name: git.ar21.de/yolokube/dashboard + newName: git.ar21.de/yolokube/dashboard + newTag: "96" namespace: dashboard diff --git a/dashboard/overlays/staging/kustomization.yaml b/dashboard/overlays/staging/kustomization.yaml index 4868413..e0291ab 100644 --- a/dashboard/overlays/staging/kustomization.yaml +++ b/dashboard/overlays/staging/kustomization.yaml 
@@ -1,31 +1,32 @@ +--- resources: -- ../../base + - ../../base apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: -- name: git.ar21.de/yolokube/dashboard - newName: git.ar21.de/yolokube/dashboard - newTag: staging-95 + - name: git.ar21.de/yolokube/dashboard + newName: git.ar21.de/yolokube/dashboard + newTag: staging-95 namespace: dashboard-staging patches: -- patch: |- - - op: replace - path: /spec/rules/0/host - value: "dashboard-staging.services.yolokube.de" - target: - kind: Ingress - name: dashboard-ingress -- patch: |- - - op: replace - path: /spec/tls/0/hosts/0 - value: "dashboard-staging.services.yolokube.de" - target: - kind: Ingress - name: dashboard-ingress -- patch: |- - - op: replace - path: /spec/replicas - value: 1 - target: - kind: Deployment - name: dashboard-deployment + - patch: |- + - op: replace + path: /spec/rules/0/host + value: "dashboard-staging.services.yolokube.de" + target: + kind: Ingress + name: dashboard-ingress + - patch: |- + - op: replace + path: /spec/tls/0/hosts/0 + value: "dashboard-staging.services.yolokube.de" + target: + kind: Ingress + name: dashboard-ingress + - patch: |- + - op: replace + path: /spec/replicas + value: 1 + target: + kind: Deployment + name: dashboard-deployment diff --git a/examples/example-deployment.yaml b/examples/example-deployment.yaml index 3cf0995..4473340 100644 --- a/examples/example-deployment.yaml +++ b/examples/example-deployment.yaml 
@@ -37,17 +37,17 @@ spec: app: example spec: containers: - - name: example - image: testcontainers/helloworld - ports: - - containerPort: 8080 - volumeMounts: - - mountPath: "/var/www/html" - name: example-volume + - name: example + image: testcontainers/helloworld + ports: + - containerPort: 8080 + volumeMounts: + - mountPath: "/var/www/html" + name: example-volume volumes: - - name: example-volume - persistentVolumeClaim: - claimName: example-pvc + - name: example-volume + persistentVolumeClaim: + claimName: example-pvc --- apiVersion: v1 kind: Service @@ -75,17 +75,17 @@ metadata: namespace: example spec: rules: - - host: "example.apps.yolokube.de" - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: example-service - port: - number: 80 + - host: "example.apps.yolokube.de" + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: example-service + port: + number: 80 tls: - - hosts: - - example.apps.yolokube.de - secretName: example-tls-key + - hosts: + - example.apps.yolokube.de + secretName: example-tls-key diff --git a/ingress/values.yaml b/ingress/values.yaml index a8011f0..6745572 100644 --- a/ingress/values.yaml +++ b/ingress/values.yaml @@ -1,3 +1,4 @@ +--- controller: enableSnippets: true hostNetwork: true diff --git a/loki/kustomization.yaml b/loki/kustomization.yaml index c04c4da..4127167 100644 --- a/loki/kustomization.yaml +++ b/loki/kustomization.yaml @@ -1,3 +1,4 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization generators: diff --git a/loki/namespace.yaml b/loki/namespace.yaml index 6762d8b..7883093 100644 --- a/loki/namespace.yaml +++ b/loki/namespace.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Namespace metadata: diff --git a/loki/secret-generator.yaml b/loki/secret-generator.yaml index 486c4c1..7f9b73e 100644 --- a/loki/secret-generator.yaml +++ b/loki/secret-generator.yaml @@ -1,3 +1,4 @@ +--- apiVersion: viaduct.ai/v1 kind: ksops metadata: 
diff --git a/loki/secret.yaml b/loki/secret.yaml index 8ea6ad1..f1e180a 100644 --- a/loki/secret.yaml +++ b/loki/secret.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Secret metadata: diff --git a/loki/values.yaml b/loki/values.yaml index 61a42d4..c55acc6 100644 --- a/loki/values.yaml +++ b/loki/values.yaml @@ -1,3 +1,4 @@ +--- loki: auth_enabled: false persistence: diff --git a/longhorn/kustomization.yaml b/longhorn/kustomization.yaml index 589339e..164aea3 100644 --- a/longhorn/kustomization.yaml +++ b/longhorn/kustomization.yaml @@ -1,3 +1,4 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization generators: diff --git a/longhorn/namespace.yaml b/longhorn/namespace.yaml index 824ec10..092c93f 100644 --- a/longhorn/namespace.yaml +++ b/longhorn/namespace.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Namespace metadata: diff --git a/longhorn/recurringjobs.yaml b/longhorn/recurringjobs.yaml index 1c07053..ac2f051 100644 --- a/longhorn/recurringjobs.yaml +++ b/longhorn/recurringjobs.yaml @@ -1,3 +1,4 @@ +--- apiVersion: longhorn.io/v1beta1 kind: RecurringJob metadata: diff --git a/longhorn/secret-generator.yaml b/longhorn/secret-generator.yaml index 486c4c1..7f9b73e 100644 --- a/longhorn/secret-generator.yaml +++ b/longhorn/secret-generator.yaml @@ -1,3 +1,4 @@ +--- apiVersion: viaduct.ai/v1 kind: ksops metadata: diff --git a/longhorn/secret.yaml b/longhorn/secret.yaml index 69c0fcd..6b0475a 100644 --- a/longhorn/secret.yaml +++ b/longhorn/secret.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Secret metadata: 
@@ -7,11 +8,11 @@ type: Opaque data: AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:78iskasj0MX32r8qp4LCmTsf5q8r3W5nCs7BrA==,iv:dQFU/Pm+bQQKWfWKq7c63XTW2+czjOeIZuoL2mrPKbM=,tag:we+rZ+YoMpeiAve7zcH6pg==,type:str] AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:zR3LNrmweWn9ONkpOlgNGfJ0ERJeNgNsurvBcsX7JZox/vyaZRb6lt4VEjdBDMdTZ+dWRvtvHUw=,iv:CCLoHHixnzVaT0SX3uOjyb7SCNyAe5H30acmMEIgubI=,tag:c7nWPRTZQXqgp8jVgtU57g==,type:str] - #ENC[AES256_GCM,data:p1aNW086iJ/xbZGc3A9VFitml4AB0ly8BOyJztOoIBd9I7Ld,iv:5um8w4PL9EfHcCHlfIW0Yr6aqvgs5FVh4Y54RDQDOLY=,tag:17ELSDORVx0aj2hzFDaxUA==,type:comment] + # ENC[AES256_GCM,data:p1aNW086iJ/xbZGc3A9VFitml4AB0ly8BOyJztOoIBd9I7Ld,iv:5um8w4PL9EfHcCHlfIW0Yr6aqvgs5FVh4Y54RDQDOLY=,tag:17ELSDORVx0aj2hzFDaxUA==,type:comment] AWS_ENDPOINTS: ENC[AES256_GCM,data:Cm4ISXx3mosAwVCzFqK5461gFIAqWtSwazvhfe/01blpOLOGpEW7b7S00fnRMviR,iv:Zflw/1JEQjcKarQPOrpBSpCprdL/2Ry6FH74K3/NfFo=,tag:l6idxnQStu2ycr0og2/otw==,type:str] - #ENC[AES256_GCM,data:0QVDgxSYpM+pFAiXf2+xcAnZath1zSzyZDy/zS8L36kZrSQnBSDN91OwAKLYpOb1m+cbex6lWN9OYFRYcIhUjA==,iv:Cm7bwYZS6F4XkRFaqUcBehXUQXmUI/48l+cDBPjlao8=,tag:jBUadTKqWJbPqpljshBoRg==,type:comment] - #ENC[AES256_GCM,data:oxfKvt9xbus8la9hJGLOCVBfyQMCP4wpD4QZcEIw/SFWysMm2NaFzUHtUH39QAG2kCw1C5gKtTQ5EhJ1C2bgxVB6qlC6DUhO5uwlIoXtDqNsfhnsyWuIvJMH5jnPwAfO8Y+plLk2g4dV3aMmYt8Hfg==,iv:Ai/0l0GDbJzTaVy7Xhp1offyaqKD/Ge/oU9YDiGXC28=,tag:wIGYy7TBnCZYrbKDd1y7xQ==,type:comment] - #ENC[AES256_GCM,data:6IieK5gwtUr+u3PjRjOXs5fJafO3N14yLmDCxBdU5VBfgOpIV4P5nX07DJ5jXw9BJgr6nqsQA0tlgeddT0vnO/cQNKJFBeQXVCzjxLHlrNv7JLg6EbtXZoO/eNow0XBGCLyg6Mq+6S83J2p8pix4tEae4YQrwveQ+dD0A15hK7n5gWOdFz50qE5IImbZsm9aR3ymxs1o9fjkZYTNycsneWe069SNCdb2gFtf4Q==,iv:N30tKPf2ajQT2s0/GYZPV8ipy1Qkkfh+dAlJ4pdGm9M=,tag:qtfr6TY8nyAoMykRONC3kQ==,type:comment] + # ENC[AES256_GCM,data:0QVDgxSYpM+pFAiXf2+xcAnZath1zSzyZDy/zS8L36kZrSQnBSDN91OwAKLYpOb1m+cbex6lWN9OYFRYcIhUjA==,iv:Cm7bwYZS6F4XkRFaqUcBehXUQXmUI/48l+cDBPjlao8=,tag:jBUadTKqWJbPqpljshBoRg==,type:comment] + # 
ENC[AES256_GCM,data:oxfKvt9xbus8la9hJGLOCVBfyQMCP4wpD4QZcEIw/SFWysMm2NaFzUHtUH39QAG2kCw1C5gKtTQ5EhJ1C2bgxVB6qlC6DUhO5uwlIoXtDqNsfhnsyWuIvJMH5jnPwAfO8Y+plLk2g4dV3aMmYt8Hfg==,iv:Ai/0l0GDbJzTaVy7Xhp1offyaqKD/Ge/oU9YDiGXC28=,tag:wIGYy7TBnCZYrbKDd1y7xQ==,type:comment] + # ENC[AES256_GCM,data:6IieK5gwtUr+u3PjRjOXs5fJafO3N14yLmDCxBdU5VBfgOpIV4P5nX07DJ5jXw9BJgr6nqsQA0tlgeddT0vnO/cQNKJFBeQXVCzjxLHlrNv7JLg6EbtXZoO/eNow0XBGCLyg6Mq+6S83J2p8pix4tEae4YQrwveQ+dD0A15hK7n5gWOdFz50qE5IImbZsm9aR3ymxs1o9fjkZYTNycsneWe069SNCdb2gFtf4Q==,iv:N30tKPf2ajQT2s0/GYZPV8ipy1Qkkfh+dAlJ4pdGm9M=,tag:qtfr6TY8nyAoMykRONC3kQ==,type:comment] sops: kms: [] gcp_kms: [] diff --git a/longhorn/storageclass.yaml b/longhorn/storageclass.yaml index 5e45901..79d2c70 100644 --- a/longhorn/storageclass.yaml +++ b/longhorn/storageclass.yaml @@ -1,3 +1,4 @@ +--- # this is the storageclass manifest for the logs and metrics volumes kind: StorageClass apiVersion: storage.k8s.io/v1 @@ -12,4 +13,4 @@ parameters: staleReplicaTimeout: "30" fromBackup: "" fsType: "ext4" - dataLocality: "disabled" \ No newline at end of file + dataLocality: "disabled" diff --git a/longhorn/values.yaml b/longhorn/values.yaml index 9fdce3c..cc4d5c2 100644 --- a/longhorn/values.yaml +++ b/longhorn/values.yaml @@ -1,3 +1,4 @@ +--- persistence: recurringJobSelector: enable: true diff --git a/longhorn/volumesnapshotclass.yaml b/longhorn/volumesnapshotclass.yaml index ce41f7e..b4692d9 100644 --- a/longhorn/volumesnapshotclass.yaml +++ b/longhorn/volumesnapshotclass.yaml @@ -1,3 +1,4 @@ +--- kind: VolumeSnapshotClass apiVersion: snapshot.storage.k8s.io/v1 metadata: @@ -16,4 +17,4 @@ metadata: driver: driver.longhorn.io deletionPolicy: Delete parameters: - type: snap \ No newline at end of file + type: snap diff --git a/node-labeler/node-labeler.yaml b/node-labeler/node-labeler.yaml index a8e389d..e129ee3 100644 --- a/node-labeler/node-labeler.yaml +++ b/node-labeler/node-labeler.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Namespace metadata: 
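Review bot: The four `#ENC[...,type:comment]` lines in longhorn/secret.yaml are sops-encrypted comments, and rewriting them to `# ENC[...]` by hand is an edit to encrypted content made outside sops; whether sops still recognises a comment with a space after the `#` and whether the file's MAC still verifies is not shown here, so `sops -d longhorn/secret.yaml` should be run before this merges. If it fails, the safer fix is to restore the original `#ENC[` form and exclude sops-managed files (this one, and the other `kind: Secret` files touched by the commit) from the linter that appears to have driven this reformat, e.g. via yamllint's `ignore` setting, so future formatting passes leave them untouched. The `---` markers added at the top of the other encrypted Secret files do not touch an encrypted value, but the same decrypt check covers them cheaply.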
@@ -78,4 +79,4 @@ subjects: roleRef: kind: ClusterRole name: worker-node-labeler-role - apiGroup: rbac.authorization.k8s.io \ No newline at end of file + apiGroup: rbac.authorization.k8s.io diff --git a/paste/manifest.yaml b/paste/manifest.yaml index 3dadd98..1dd17d0 100644 --- a/paste/manifest.yaml +++ b/paste/manifest.yaml @@ -37,17 +37,17 @@ spec: securityContext: fsGroup: 82 containers: - - name: paste - image: privatebin/nginx-fpm-alpine - ports: - - containerPort: 8080 - volumeMounts: - - mountPath: "/srv/data" - name: paste-volume + - name: paste + image: privatebin/nginx-fpm-alpine + ports: + - containerPort: 8080 + volumeMounts: + - mountPath: "/srv/data" + name: paste-volume volumes: - - name: paste-volume - persistentVolumeClaim: - claimName: paste-pvc + - name: paste-volume + persistentVolumeClaim: + claimName: paste-pvc --- apiVersion: v1 kind: Service @@ -71,17 +71,17 @@ metadata: namespace: paste spec: rules: - - host: "paste.apps.yolokube.de" - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: paste-service - port: - number: 80 + - host: "paste.apps.yolokube.de" + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: paste-service + port: + number: 80 tls: - - hosts: - - paste.apps.yolokube.de - secretName: paste-tls-key + - hosts: + - paste.apps.yolokube.de + secretName: paste-tls-key diff --git a/prometheus/alerts.yaml b/prometheus/alerts.yaml index 9ce517a..fc892a0 100644 --- a/prometheus/alerts.yaml +++ b/prometheus/alerts.yaml 
@@ -10,114 +10,114 @@ spec: groups: - name: hardware rules: - - alert: MemoryHigh - expr: round((((node_memory_MemTotal_bytes - node_memory_MemAvailable_bytes) / node_memory_MemTotal_bytes) * 100), 0.1) > 80 - for: 5m - labels: - severity: warning - annotations: - summary: "Memory over 80%" - description: "Memory on node {{ $labels.node }} is over 80% for more than 5 minutes. Plox fix. Memory usage: {{ $value }}%" - - alert: DiskspaceLow - expr: round(node_filesystem_avail_bytes{mountpoint="/"} / node_filesystem_size_bytes{mountpoint="/"} * 100, 1) < 5 - for: 1m - labels: - severity: warning - annotations: - summary: "Free disk space at {{ $value }}%" - description: "Disk space on node {{ $labels.node }} is only {{ $value }}%. Plox fix. Partition: {{ $labels.device }}" - - alert: HostMemoryUnderMemoryPressure - expr: rate(node_vmstat_pgmajfault[1m]) > 1000 - for: 2m - labels: - severity: warning - annotations: - summary: Host memory under memory pressure {{ $labels.node }} - description: "The node is under heavy memory pressure. 
High rate of major page faults\n VALUE = {{ $value }}\n LABELS = {{ $labels }}" - - alert: HostUnusualDiskReadRate - expr: sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 200 - for: 5m - labels: - severity: warning - annotations: - summary: Host unusual disk read rate {{ $labels.node }} - description: "Disk is probably reading too much data (> 200 MB/s)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}" - - alert: HostUnusualDiskWriteRate - expr: sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 200 - for: 3m - labels: - severity: warning - annotations: - summary: Host unusual disk write rate {{ $labels.node }} - description: "Disk is probably writing too much data (> 200 MB/s)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}" - - alert: HostCpuStealNoisyNeighbor - expr: avg by(instance) (rate(node_cpu_seconds_total{mode="steal"}[5m])) * 100 > 10 - for: 1m - labels: - severity: warning - annotations: - summary: Host CPU steal noisy neighbor {{ $labels.node }} - description: "CPU steal is > 10%. A noisy neighbor is killing VM performances or a spot instance may be out of credit.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}" - - alert: HostPhysicalComponentTooHot - expr: node_hwmon_temp_celsius > 90 - for: 5m - labels: - severity: warning - annotations: - summary: Host physical component too hot {{ $labels.node }} - description: "Physical hardware component too hot\n Sensor = {{ $labels.sensor }}\n Temp = {{ $value }}" - - alert: SMARTbad - expr: smartmon_device_smart_healthy < 1 - for: 0m - labels: - severity: critical - annotations: - summary: SMART check bad of drive {{ $labels.exported_disk }} in node {{ $labels.node }} - description: "SMART check returned bad health of {{ $labels.exported_disk }} in node {{ $labels.node }}. 
VALUE = {{ $value }}\n LABELS = {{ $labels }}" - - alert: "SMARTcheck too old" - expr: (time() - smartmon_smartctl_run) > 10800 - labels: - severity: warning - annotations: - summary: "SMARTcheck not running" - description: 'The last SMARTcheck on node {{ $labels.node }} was more than 3h ago. Plox fix.' - - alert: "ECC Memory errors" - expr: (node_edac_correctable_errors_total) > 100 - labels: - severity: warning - annotations: - summary: "ECC errors on {{ $labels.node }}" - description: 'The node {{ $labels.node }} accumulated {{ $value }} correctable errors.' - - alert: "ECC Memory uncorrectable errors" - expr: (node_edac_uncorrectable_errors_total) > 0 - labels: - severity: critical - annotations: - summary: "ECC errors on {{ $labels.node }}" - description: 'The node {{ $labels.node }} accumulated {{ $value }} uncorrectable errors.' + - alert: MemoryHigh + expr: round((((node_memory_MemTotal_bytes - node_memory_MemAvailable_bytes) / node_memory_MemTotal_bytes) * 100), 0.1) > 80 + for: 5m + labels: + severity: warning + annotations: + summary: "Memory over 80%" + description: "Memory on node {{ $labels.node }} is over 80% for more than 5 minutes. Plox fix. Memory usage: {{ $value }}%" + - alert: DiskspaceLow + expr: round(node_filesystem_avail_bytes{mountpoint="/"} / node_filesystem_size_bytes{mountpoint="/"} * 100, 1) < 5 + for: 1m + labels: + severity: warning + annotations: + summary: "Free disk space at {{ $value }}%" + description: "Disk space on node {{ $labels.node }} is only {{ $value }}%. Plox fix. Partition: {{ $labels.device }}" + - alert: HostMemoryUnderMemoryPressure + expr: rate(node_vmstat_pgmajfault[1m]) > 1000 + for: 2m + labels: + severity: warning + annotations: + summary: Host memory under memory pressure {{ $labels.node }} + description: "The node is under heavy memory pressure. 
High rate of major page faults\n VALUE = {{ $value }}\n LABELS = {{ $labels }}" + - alert: HostUnusualDiskReadRate + expr: sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 200 + for: 5m + labels: + severity: warning + annotations: + summary: Host unusual disk read rate {{ $labels.node }} + description: "Disk is probably reading too much data (> 200 MB/s)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}" + - alert: HostUnusualDiskWriteRate + expr: sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 200 + for: 3m + labels: + severity: warning + annotations: + summary: Host unusual disk write rate {{ $labels.node }} + description: "Disk is probably writing too much data (> 200 MB/s)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}" + - alert: HostCpuStealNoisyNeighbor + expr: avg by(instance) (rate(node_cpu_seconds_total{mode="steal"}[5m])) * 100 > 10 + for: 1m + labels: + severity: warning + annotations: + summary: Host CPU steal noisy neighbor {{ $labels.node }} + description: "CPU steal is > 10%. A noisy neighbor is killing VM performances or a spot instance may be out of credit.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}" + - alert: HostPhysicalComponentTooHot + expr: node_hwmon_temp_celsius > 90 + for: 5m + labels: + severity: warning + annotations: + summary: Host physical component too hot {{ $labels.node }} + description: "Physical hardware component too hot\n Sensor = {{ $labels.sensor }}\n Temp = {{ $value }}" + - alert: SMARTbad + expr: smartmon_device_smart_healthy < 1 + for: 0m + labels: + severity: critical + annotations: + summary: SMART check bad of drive {{ $labels.exported_disk }} in node {{ $labels.node }} + description: "SMART check returned bad health of {{ $labels.exported_disk }} in node {{ $labels.node }}. 
VALUE = {{ $value }}\n LABELS = {{ $labels }}" + - alert: "SMARTcheck too old" + expr: (time() - smartmon_smartctl_run) > 10800 + labels: + severity: warning + annotations: + summary: "SMARTcheck not running" + description: 'The last SMARTcheck on node {{ $labels.node }} was more than 3h ago. Plox fix.' + - alert: "ECC Memory errors" + expr: (node_edac_correctable_errors_total) > 100 + labels: + severity: warning + annotations: + summary: "ECC errors on {{ $labels.node }}" + description: 'The node {{ $labels.node }} accumulated {{ $value }} correctable errors.' + - alert: "ECC Memory uncorrectable errors" + expr: (node_edac_uncorrectable_errors_total) > 0 + labels: + severity: critical + annotations: + summary: "ECC errors on {{ $labels.node }}" + description: 'The node {{ $labels.node }} accumulated {{ $value }} uncorrectable errors.' - name: etcdbackup rules: - - alert: "etcdbackup too old" - expr: (time() - etcdbackup_time) > 10800 - labels: - severity: warning - annotations: - summary: "etcd backup not running" - description: 'The last etcd backup on node {{ $labels.node }} was more than 3h ago. Plox fix.' - - alert: "etcdbackup failed" - expr: etcdbackup_result > 0 - labels: - severity: warning - annotations: - summary: "etcdbackup failed" - description: "The backup script for etcd failed on node {{ $labels.node }}. Plox fix." + - alert: "etcdbackup too old" + expr: (time() - etcdbackup_time) > 10800 + labels: + severity: warning + annotations: + summary: "etcd backup not running" + description: 'The last etcd backup on node {{ $labels.node }} was more than 3h ago. Plox fix.' + - alert: "etcdbackup failed" + expr: etcdbackup_result > 0 + labels: + severity: warning + annotations: + summary: "etcdbackup failed" + description: "The backup script for etcd failed on node {{ $labels.node }}. Plox fix." 
- name: kubernetes rules: - - alert: KubernetesUnhealthyPod - expr: kube_pod_container_status_waiting_reason == 1 - for: 5m - labels: - severity: warning - annotations: - summary: "The Pod {{ $labels.pod }} is {{ $labels.reason }}" - description: "The Pod {{ $labels.pod }} is in the state {{ $labels.reason }} for more than 5m. The Pod is in namespace {{ $labels.namespace }} and on node {{ $labels.node }}." + - alert: KubernetesUnhealthyPod + expr: kube_pod_container_status_waiting_reason == 1 + for: 5m + labels: + severity: warning + annotations: + summary: "The Pod {{ $labels.pod }} is {{ $labels.reason }}" + description: "The Pod {{ $labels.pod }} is in the state {{ $labels.reason }} for more than 5m. The Pod is in namespace {{ $labels.namespace }} and on node {{ $labels.node }}." diff --git a/prometheus/kustomization.yaml b/prometheus/kustomization.yaml index 051c95b..77ff045 100644 --- a/prometheus/kustomization.yaml +++ b/prometheus/kustomization.yaml @@ -1,3 +1,4 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization generators: diff --git a/prometheus/namespace.yaml b/prometheus/namespace.yaml index bc6c6e7..083c839 100644 --- a/prometheus/namespace.yaml +++ b/prometheus/namespace.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Namespace metadata: diff --git a/prometheus/secret-generator.yaml b/prometheus/secret-generator.yaml index 486c4c1..7f9b73e 100644 --- a/prometheus/secret-generator.yaml +++ b/prometheus/secret-generator.yaml @@ -1,3 +1,4 @@ +--- apiVersion: viaduct.ai/v1 kind: ksops metadata: diff --git a/prometheus/secret.yaml b/prometheus/secret.yaml index f3a9602..96a0883 100644 --- a/prometheus/secret.yaml +++ b/prometheus/secret.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Secret metadata: diff --git a/prometheus/service-monitor-longhorn.yaml b/prometheus/service-monitor-longhorn.yaml index 745c977..0f26048 100644 --- a/prometheus/service-monitor-longhorn.yaml +++ b/prometheus/service-monitor-longhorn.yaml 
@@ -1,3 +1,4 @@ +--- apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: @@ -11,6 +12,6 @@ spec: app: longhorn-manager namespaceSelector: matchNames: - - longhorn-system + - longhorn-system endpoints: - - port: manager + - port: manager diff --git a/prometheus/templates.yaml b/prometheus/templates.yaml index 6c8c408..fc8da4c 100644 --- a/prometheus/templates.yaml +++ b/prometheus/templates.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: ConfigMap metadata: @@ -12,4 +13,4 @@ data: {{ .Annotations.description }} {{ end }} - {{ end }} \ No newline at end of file + {{ end }} diff --git a/prometheus/values.yaml b/prometheus/values.yaml index f64a7ff..cdd7157 100644 --- a/prometheus/values.yaml +++ b/prometheus/values.yaml @@ -1,3 +1,4 @@ +--- alertmanager: alertmanagerSpec: podAntiAffinity: "hard" @@ -8,11 +9,11 @@ alertmanager: - "templates" storage: volumeClaimTemplate: - spec: - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 5Gi + spec: + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 5Gi useExistingSecret: false config: global: @@ -27,20 +28,20 @@ alertmanager: receiver: 'tg1' routes: - matchers: - - severity=warning + - severity=warning receiver: 'tg1' - matchers: - - severity=critical + - severity=critical receiver: 'tg1' receivers: - - name: tg1 - telegram_configs: - - bot_token_file: '/etc/alertmanager/secrets/telegram-api/api_key' - chat_id: -995270884 - api_url: "https://api.telegram.org" - send_resolved: true - parse_mode: "HTML" - message: '{{ template "telegram.aaron" .}}' + - name: tg1 + telegram_configs: + - bot_token_file: '/etc/alertmanager/secrets/telegram-api/api_key' + chat_id: -995270884 + api_url: "https://api.telegram.org" + send_resolved: true + parse_mode: "HTML" + message: '{{ template "telegram.aaron" .}}' inhibit_rules: - source_matchers: - severity = critical 
@@ -97,7 +98,7 @@ grafana: persistence: enabled: true accessModes: - - ReadWriteMany + - ReadWriteMany grafana.ini: auth: disable_login_form: true @@ -168,12 +169,12 @@ prometheus: replicas: 2 storageSpec: volumeClaimTemplate: - spec: - storageClassName: longhorn - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 10Gi + spec: + storageClassName: longhorn + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 10Gi serviceMonitorNamespaceSelector: matchLabels: prometheus: yolokube diff --git a/quota/quotad.yaml b/quota/quotad.yaml index 4eeee78..db034d5 100644 --- a/quota/quotad.yaml +++ b/quota/quotad.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Namespace metadata: @@ -109,4 +110,4 @@ subjects: roleRef: kind: ClusterRole name: quotad-role - apiGroup: rbac.authorization.k8s.io \ No newline at end of file + apiGroup: rbac.authorization.k8s.io diff --git a/tests/test-egress.yaml b/tests/test-egress.yaml index 299cc5f..0c6da2e 100644 --- a/tests/test-egress.yaml +++ b/tests/test-egress.yaml 
@@ -1,51 +1,51 @@ -#--- -#apiVersion: v1 -#kind: Namespace -#metadata: -# name: egress -#--- -#apiVersion: apps/v1 -#kind: Deployment -#metadata: -# name: egress-deployment -# namespace: egress -# labels: -# app: egress -#spec: -# replicas: 3 -# selector: -# matchLabels: -# app: egress -# template: -# metadata: -# labels: -# app: egress -# spec: -# containers: -# - name: egress -# image: curlimages/curl -# command: ['/usr/bin/curl'] -# args: ['-s', '-L', '-4', 'ip.hetzner.com'] -#--- -#apiVersion: apps/v1 -#kind: Deployment -#metadata: -# name: egress6-deployment -# namespace: egress -# labels: -# app: egress6 -#spec: -# replicas: 3 -# selector: -# matchLabels: -# app: egress6 -# template: -# metadata: -# labels: -# app: egress6 -# spec: -# containers: -# - name: egress6 -# image: curlimages/curl -# command: ['/usr/bin/curl'] -# args: ['-s', '-L', '-6', 'ip.hetzner.com'] \ No newline at end of file +# --- +# apiVersion: v1 +# kind: Namespace +# metadata: +# name: egress +# --- +# apiVersion: apps/v1 +# kind: Deployment +# metadata: +# name: egress-deployment +# namespace: egress +# labels: +# app: egress +# spec: +# replicas: 3 +# selector: +# matchLabels: +# app: egress +# template: +# metadata: +# labels: +# app: egress +# spec: +# containers: +# - name: egress +# image: curlimages/curl +# command: ['/usr/bin/curl'] +# args: ['-s', '-L', '-4', 'ip.hetzner.com'] +# --- +# apiVersion: apps/v1 +# kind: Deployment +# metadata: +# name: egress6-deployment +# namespace: egress +# labels: +# app: egress6 +# spec: +# replicas: 3 +# selector: +# matchLabels: +# app: egress6 +# template: +# metadata: +# labels: +# app: egress6 +# spec: +# containers: +# - name: egress6 +# image: curlimages/curl +# command: ['/usr/bin/curl'] +# args: ['-s', '-L', '-6', 'ip.hetzner.com'] diff --git a/tests/test-ingress.yaml b/tests/test-ingress.yaml index 5e4805c..beab63e 100644 --- a/tests/test-ingress.yaml +++ b/tests/test-ingress.yaml 
@@ -23,10 +23,10 @@ spec: app: test1 spec: containers: - - name: test1 - image: containous/whoami - ports: - - containerPort: 80 + - name: test1 + image: containous/whoami + ports: + - containerPort: 80 --- apiVersion: v1 kind: Service @@ -51,17 +51,17 @@ metadata: namespace: aaron-test spec: rules: - - host: "test.services.yolokube.de" - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: test1-service - port: - number: 80 + - host: "test.services.yolokube.de" + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: test1-service + port: + number: 80 tls: - - hosts: - - test.services.yolokube.de - secretName: test2-tls-key + - hosts: + - test.services.yolokube.de + secretName: test2-tls-key diff --git a/tests/test-storage.yaml b/tests/test-storage.yaml index b86e250..00a48f8 100644 --- a/tests/test-storage.yaml +++ b/tests/test-storage.yaml 
@@ -1,88 +1,88 @@ -### example app "privatebin" to test storage -#--- -#apiVersion: v1 -#kind: Namespace -#metadata: -# name: paste -#--- -#apiVersion: v1 -#kind: PersistentVolumeClaim -#metadata: -# name: paste-pvc -# namespace: paste -#spec: -# accessModes: -# - ReadWriteOnce -# volumeMode: Filesystem -# resources: -# requests: -# storage: 8Gi -#--- -#apiVersion: apps/v1 -#kind: Deployment -#metadata: -# name: paste-deployment -# namespace: paste -# labels: -# app: paste -#spec: -# replicas: 1 -# selector: -# matchLabels: -# app: paste -# template: -# metadata: -# labels: -# app: paste -# spec: -# securityContext: -# fsGroup: 82 -# containers: -# - name: paste -# image: privatebin/nginx-fpm-alpine -# ports: -# - containerPort: 8080 -# volumeMounts: -# - mountPath: "/srv/data" -# name: paste-volume -# volumes: -# - name: paste-volume -# persistentVolumeClaim: -# claimName: paste-pvc -#--- -#apiVersion: v1 -#kind: Service -#metadata: -# name: paste-service -# namespace: paste -#spec: -# selector: -# app: paste -# ports: -# - protocol: TCP -# port: 80 -# targetPort: 8080 -#--- -#apiVersion: networking.k8s.io/v1 -#kind: Ingress -#metadata: -# annotations: -# kubernetes.io/tls-acme: "true" -# name: paste-ingress -# namespace: paste -#spec: -# rules: -# - host: "paste.apps.yolokube.de" -# http: -# paths: -# - pathType: Prefix -# path: "/" -# backend: -# service: -# name: paste-service -# port: -# number: 80 -# tls: -# - hosts: -# - paste.apps.yolokube.de -# secretName: paste-tls-key +# ## example app "privatebin" to test storage +# --- +# apiVersion: v1 +# kind: Namespace +# metadata: +# name: paste +# --- +# apiVersion: v1 +# kind: PersistentVolumeClaim +# metadata: +# name: paste-pvc +# namespace: paste +# spec: +# accessModes: +# - ReadWriteOnce +# volumeMode: Filesystem +# resources: +# requests: +# storage: 8Gi +# --- +# apiVersion: apps/v1 +# kind: Deployment +# metadata: +# name: paste-deployment +# namespace: paste +# labels: +# app: paste +# spec: +# replicas: 
1 +# selector: +# matchLabels: +# app: paste +# template: +# metadata: +# labels: +# app: paste +# spec: +# securityContext: +# fsGroup: 82 +# containers: +# - name: paste +# image: privatebin/nginx-fpm-alpine +# ports: +# - containerPort: 8080 +# volumeMounts: +# - mountPath: "/srv/data" +# name: paste-volume +# volumes: +# - name: paste-volume +# persistentVolumeClaim: +# claimName: paste-pvc +# --- +# apiVersion: v1 +# kind: Service +# metadata: +# name: paste-service +# namespace: paste +# spec: +# selector: +# app: paste +# ports: +# - protocol: TCP +# port: 80 +# targetPort: 8080 +# --- +# apiVersion: networking.k8s.io/v1 +# kind: Ingress +# metadata: +# annotations: +# kubernetes.io/tls-acme: "true" +# name: paste-ingress +# namespace: paste +# spec: +# rules: +# - host: "paste.apps.yolokube.de" +# http: +# paths: +# - pathType: Prefix +# path: "/" +# backend: +# service: +# name: paste-service +# port: +# number: 80 +# tls: +# - hosts: +# - paste.apps.yolokube.de +# secretName: paste-tls-key diff --git a/thanos/2-objectstore-secret.enc.yaml b/thanos/2-objectstore-secret.enc.yaml index 9c62e4c..798271f 100644 --- a/thanos/2-objectstore-secret.enc.yaml +++ b/thanos/2-objectstore-secret.enc.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Secret metadata: diff --git a/thanos/3-querier.yaml b/thanos/3-querier.yaml index cededff..10120bd 100644 --- a/thanos/3-querier.yaml +++ b/thanos/3-querier.yaml @@ -95,17 +95,17 @@ metadata: namespace: thanos spec: rules: - - host: "thanos.services.yolokube.de" - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: querier - port: - name: http + - host: "thanos.services.yolokube.de" + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: querier + port: + name: http tls: - - hosts: - - thanos.services.yolokube.de - secretName: thanos-tls-key + - hosts: + - thanos.services.yolokube.de + secretName: thanos-tls-key 
diff --git a/thanos/kustomization.yaml b/thanos/kustomization.yaml index 0bf99cb..17cc57e 100644 --- a/thanos/kustomization.yaml +++ b/thanos/kustomization.yaml @@ -1,3 +1,4 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization generators: diff --git a/thanos/secret-generator.yaml b/thanos/secret-generator.yaml index 67bbbfe..6acf7af 100644 --- a/thanos/secret-generator.yaml +++ b/thanos/secret-generator.yaml @@ -1,3 +1,4 @@ +--- apiVersion: viaduct.ai/v1 kind: ksops metadata: diff --git a/traefik/basicauth.yaml b/traefik/basicauth.yaml index 6b68db5..6714f0a 100644 --- a/traefik/basicauth.yaml +++ b/traefik/basicauth.yaml @@ -1,3 +1,4 @@ +--- apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: @@ -17,4 +18,4 @@ data: YWFyb246JDJ5JDA1JEIyLlEuOS9lNFZFWHNub2UueXBqWU9raXlrbXJGMmhwQXBFN0NZYzJEUEly MHBGSWRETzFPCnRvbTokMnkkMDUkQnNNN2Z2bWYzR3B1em5hazVPU2dyZTB4ODFLNC52eFVRTy9h S1c1Y1k0Z21RT3p2c3NQTE8KYmFzdGk6JCRhcHIxJCRYYUdERnByYiQkTzlZMW9SaFROWTdVNWFh - NUxqM3dhMQo= \ No newline at end of file + NUxqM3dhMQo= diff --git a/traefik/secondingressclass.yaml b/traefik/secondingressclass.yaml index 9931d8c..776d346 100644 --- a/traefik/secondingressclass.yaml +++ b/traefik/secondingressclass.yaml @@ -1,6 +1,7 @@ +--- apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: name: nginx spec: - controller: traefik.io/ingress-controller \ No newline at end of file + controller: traefik.io/ingress-controller diff --git a/traefik/values.yaml b/traefik/values.yaml index aac896a..4e8181a 100644 --- a/traefik/values.yaml +++ b/traefik/values.yaml @@ -1,3 +1,4 @@ +--- deployment: kind: DaemonSet minReadySeconds: 120 diff --git a/vcluster/aaron.yaml b/vcluster/aaron.yaml index a734d9e..e959fff 100644 --- a/vcluster/aaron.yaml +++ b/vcluster/aaron.yaml @@ -1,3 +1,4 @@ +--- controlPlane: distro: k8s: 
@@ -18,7 +19,7 @@ controlPlane: replicas: 3 proxy: extraSANs: - - vcluster.k8s.ar21.de + - vcluster.k8s.ar21.de exportKubeConfig: server: https://vcluster.k8s.ar21.de:443 sync: diff --git a/vcluster/ingress-aaron.yaml b/vcluster/ingress-aaron.yaml index d07c8e4..0269767 100644 --- a/vcluster/ingress-aaron.yaml +++ b/vcluster/ingress-aaron.yaml @@ -1,3 +1,4 @@ +--- apiVersion: traefik.io/v1alpha1 kind: IngressRouteTCP metadata: @@ -7,9 +8,9 @@ spec: entryPoints: - websecure routes: - - match: HostSNI(`vcluster.k8s.ar21.de`) - services: - - name: ar - port: 443 + - match: HostSNI(`vcluster.k8s.ar21.de`) + services: + - name: ar + port: 443 tls: passthrough: true diff --git a/vcluster/tom.yaml b/vcluster/tom.yaml index 395e617..33bf339 100644 --- a/vcluster/tom.yaml +++ b/vcluster/tom.yaml @@ -1,3 +1,4 @@ +--- controlPlane: distro: k8s: diff --git a/woodpecker/secrets/kustomization.yaml b/woodpecker/secrets/kustomization.yaml index 073e908..d840c3c 100644 --- a/woodpecker/secrets/kustomization.yaml +++ b/woodpecker/secrets/kustomization.yaml @@ -1,3 +1,4 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization generators: diff --git a/woodpecker/secrets/secret-generator.yaml b/woodpecker/secrets/secret-generator.yaml index b0e550d..a591479 100644 --- a/woodpecker/secrets/secret-generator.yaml +++ b/woodpecker/secrets/secret-generator.yaml @@ -1,3 +1,4 @@ +--- apiVersion: viaduct.ai/v1 kind: ksops metadata: diff --git a/woodpecker/secrets/secrets.enc.yaml b/woodpecker/secrets/secrets.enc.yaml index 86ab261..178c675 100644 --- a/woodpecker/secrets/secrets.enc.yaml +++ b/woodpecker/secrets/secrets.enc.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Secret metadata: diff --git a/woodpecker/values/values.yaml b/woodpecker/values/values.yaml index 822f9d3..66f2329 100644 --- a/woodpecker/values/values.yaml +++ b/woodpecker/values/values.yaml 
@@ -1,10 +1,11 @@ +--- server: ingress: # -- Enable the ingress for the server component enabled: true # -- Add annotations to the ingress annotations: - # kubernetes.io/ingress.class: nginx + # kubernetes.io/ingress.class: nginx kubernetes.io/tls-acme: "true" hosts: - host: woodpecker.ar21.de @@ -15,7 +16,7 @@ server: servicePort: 80 tls: - hosts: - - woodpecker.ar21.de + - woodpecker.ar21.de secretName: woodpecker-tls-key statefulSet: replicaCount: 1