Merge pull request 'Add yamllint to Woodpecker CI' (#154) from improce_ci into main

Reviewed-on: #154
Reviewed-by: Aaron Riedel <git@ar21.de>

.drone.yml

@@ -1,88 +1,89 @@
+---
 kind: pipeline
 name: deploy
 steps:
-- name: kustomize build dashboard (prod + staging)
+  - name: kustomize build dashboard (prod + staging)
-  image: git.ar21.de/aaron/kustomize-ci
+    image: git.ar21.de/aaron/kustomize-ci
-  commands:
+    commands:
-    - cd /deployment-repo
+      - cd /deployment-repo
-    - git clone https://git.ar21.de/yolokube/core-deployments.git .
+      - git clone https://git.ar21.de/yolokube/core-deployments.git .
-    - cd /deployment-repo/dashboard/overlays/prod
+      - cd /deployment-repo/dashboard/overlays/prod
-    - kustomize build -o /deployment-repo/dashboard/prod/dashboard.yaml
+      - kustomize build -o /deployment-repo/dashboard/prod/dashboard.yaml
-    - cd /deployment-repo/dashboard/overlays/staging
+      - cd /deployment-repo/dashboard/overlays/staging
-    - kustomize build -o /deployment-repo/dashboard/staging/dashboard.yaml
+      - kustomize build -o /deployment-repo/dashboard/staging/dashboard.yaml
-  volumes:
+    volumes:
-  - name: deployment-repo
+      - name: deployment-repo
-    path: /deployment-repo
+        path: /deployment-repo
-  when:
+    when:
-    branch:
+      branch:
-      - main
-    event:
-      - push
-- name: kustomize build dashboard (staging)
-  image: git.ar21.de/aaron/kustomize-ci
-  commands:
-    - cd /deployment-repo
-    - git clone https://git.ar21.de/yolokube/core-deployments.git .
-    - cd /staging-repo
-    - git clone -b $DRONE_BRANCH https://git.ar21.de/yolokube/core-deployments.git .
-    - cd /staging-repo/dashboard/overlays/staging
-    - kustomize build -o /deployment-repo/dashboard/staging/dashboard.yaml
-  volumes:
-  - name: deployment-repo
-    path: /deployment-repo
-  - name: staging-repo
-    path: /staging-repo
-  when:
-    branch:
-      exclude:
         - main
-    event:
+      event:
-      - push
+        - push
-- name: kustomize push dashboard changes (prod + staging)
+  - name: kustomize build dashboard (staging)
-  image: appleboy/drone-git-push
+    image: git.ar21.de/aaron/kustomize-ci
-  settings:
+    commands:
-    branch: main
+      - cd /deployment-repo
-    remote: ssh://git@git.ar21.de:2222/yolokube/core-deployments.git
+      - git clone https://git.ar21.de/yolokube/core-deployments.git .
-    path: /deployment-repo
+      - cd /staging-repo
-    force: false
+      - git clone -b $DRONE_BRANCH https://git.ar21.de/yolokube/core-deployments.git .
-    commit: true
+      - cd /staging-repo/dashboard/overlays/staging
-    commit_message: "KUSTOMIZE BUILD: rebuild dashboard deployment with kustomize ${DRONE_BUILD_NUMBER} (done automagically via Drone pipeline) [CI SKIP]"
+      - kustomize build -o /deployment-repo/dashboard/staging/dashboard.yaml
-    ssh_key:
+    volumes:
-      from_secret: GITEA_SSH_KEY
+      - name: deployment-repo
-  volumes:
+        path: /deployment-repo
-  - name: deployment-repo
+      - name: staging-repo
-    path: /deployment-repo
+        path: /staging-repo
-  when:
+    when:
-    branch:
+      branch:
-      - main
+        exclude:
-    event:
+          - main
-      - push
+      event:
-- name: kustomize push dashboard changes (staging)
+        - push
-  image: appleboy/drone-git-push
+  - name: kustomize push dashboard changes (prod + staging)
-  settings:
+    image: appleboy/drone-git-push
-    branch: main
+    settings:
-    remote: ssh://git@git.ar21.de:2222/yolokube/core-deployments.git
+      branch: main
-    path: /deployment-repo
+      remote: ssh://git@git.ar21.de:2222/yolokube/core-deployments.git
-    force: false
+      path: /deployment-repo
-    commit: true
+      force: false
-    commit_message: "KUSTOMIZE BUILD STAGING: rebuild dashboard deployment with kustomize ${DRONE_BUILD_NUMBER} [CI SKIP]"
+      commit: true
-    ssh_key:
+      commit_message: "KUSTOMIZE BUILD: rebuild dashboard deployment with kustomize ${DRONE_BUILD_NUMBER} (done automagically via Drone pipeline) [CI SKIP]"
-      from_secret: GITEA_SSH_KEY
+      ssh_key:
-  volumes:
+        from_secret: GITEA_SSH_KEY
-  - name: deployment-repo
+    volumes:
-    path: /deployment-repo
+      - name: deployment-repo
-  when:
+        path: /deployment-repo
-    branch:
+    when:
-      exclude:
+      branch:
         - main
-    event:
+      event:
-      - push
+        - push
+  - name: kustomize push dashboard changes (staging)
+    image: appleboy/drone-git-push
+    settings:
+      branch: main
+      remote: ssh://git@git.ar21.de:2222/yolokube/core-deployments.git
+      path: /deployment-repo
+      force: false
+      commit: true
+      commit_message: "KUSTOMIZE BUILD STAGING: rebuild dashboard deployment with kustomize ${DRONE_BUILD_NUMBER} [CI SKIP]"
+      ssh_key:
+        from_secret: GITEA_SSH_KEY
+    volumes:
+      - name: deployment-repo
+        path: /deployment-repo
+    when:
+      branch:
+        exclude:
+          - main
+      event:
+        - push
 volumes:
-- name: deployment-repo
+  - name: deployment-repo
-  temp: {}
+    temp: {}
-- name: staging-repo
+  - name: staging-repo
-  temp: {}
+    temp: {}
 when:
   event:
     exclude:
-      - pull_request
+      - pull_request

.woodpecker/.yamllint.yaml

@@ -0,0 +1,8 @@
+---
+steps:
+  - name: linting
+    image: cytopia/yamllint:latest
+    commands:
+      - yamllint -f colored -s .
+when:
+  - event: push

.yamllint

@@ -0,0 +1,10 @@
+---
+yaml-files:
+  - '*.yaml'
+  - '*.yml'
+  - '.yamllint'
+
+extends: default
+
+rules:
+  line-length: disable

app-files/apps.yaml

@@ -28,12 +28,12 @@ spec:
   project: default
   sources:
     - chart: woodpecker
-      repoURL:  https://woodpecker-ci.org/
+      repoURL: https://woodpecker-ci.org/
       targetRevision: 1.6.0
       helm:
         releaseName: woodpecker
         valueFiles:
-        - $values/woodpecker/values/values.yaml
+          - $values/woodpecker/values/values.yaml
     - repoURL: https://git.ar21.de/yolokube/core-deployments.git
       targetRevision: HEAD
       ref: values
@@ -45,7 +45,7 @@ spec:
     namespace: woodpecker
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
     automated:
       prune: false
 ---
@@ -65,7 +65,7 @@ spec:
     namespace: paste
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
     automated:
       selfHeal: false
       prune: false

app-files/core-deployments.yaml

@@ -13,7 +13,7 @@ spec:
       helm:
         releaseName: traefik
         valueFiles:
-        - $values/traefik/values.yaml
+          - $values/traefik/values.yaml
     - repoURL: https://git.ar21.de/yolokube/core-deployments.git
       targetRevision: HEAD
       ref: values
@@ -25,7 +25,7 @@ spec:
     namespace: traefik
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
     automated:
       prune: false
 ---
@@ -43,7 +43,7 @@ spec:
       helm:
         releaseName: argo
         valueFiles:
-        - $values/argo/values.yaml
+          - $values/argo/values.yaml
     - repoURL: https://git.ar21.de/yolokube/core-deployments.git
       targetRevision: HEAD
       ref: values
@@ -55,7 +55,7 @@ spec:
     namespace: argocd
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
     automated:
       selfHeal: true
       prune: false
@@ -70,11 +70,11 @@ spec:
   sources:
     - repoURL: https://charts.longhorn.io
       chart: longhorn
-      targetRevision: 1.7.1 # see Infos below, the CSI snapshotter needs to be updated too <-- version association can be found here: https://longhorn.io/docs/latest/snapshots-and-backups/csi-snapshot-support/enable-csi-snapshot-support/
+      targetRevision: 1.7.1  # see Infos below, the CSI snapshotter needs to be updated too <-- version association can be found here: https://longhorn.io/docs/latest/snapshots-and-backups/csi-snapshot-support/enable-csi-snapshot-support/
       helm:
         releaseName: longhorn
         valueFiles:
-        - $values/longhorn/values.yaml
+          - $values/longhorn/values.yaml
     - repoURL: https://git.ar21.de/yolokube/core-deployments.git
       targetRevision: HEAD
       ref: values
@@ -82,17 +82,17 @@ spec:
       targetRevision: HEAD
       path: longhorn
     - repoURL: https://github.com/kubernetes-csi/external-snapshotter.git
-      targetRevision: v6.3.2 # <-- needs to be updated when longhorn version is changed. Find the correct version here: https://longhorn.io/docs/latest/snapshots-and-backups/csi-snapshot-support/csi-volume-snapshot-associated-with-longhorn-snapshot/
+      targetRevision: v6.3.2  # <-- needs to be updated when longhorn version is changed. Find the correct version here: https://longhorn.io/docs/latest/snapshots-and-backups/csi-snapshot-support/csi-volume-snapshot-associated-with-longhorn-snapshot/
       path: client/config/crd
     - repoURL: https://github.com/kubernetes-csi/external-snapshotter.git
-      targetRevision: v6.3.2 # <-- needs to be updated when longhorn version is changed. Find the correct version here: https://longhorn.io/docs/latest/snapshots-and-backups/csi-snapshot-support/csi-volume-snapshot-associated-with-longhorn-snapshot/
+      targetRevision: v6.3.2  # <-- needs to be updated when longhorn version is changed. Find the correct version here: https://longhorn.io/docs/latest/snapshots-and-backups/csi-snapshot-support/csi-volume-snapshot-associated-with-longhorn-snapshot/
       path: deploy/kubernetes/snapshot-controller
   destination:
     server: https://kubernetes.default.svc
     namespace: longhorn-system
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
     automated:
       prune: false
 ---
@@ -110,7 +110,7 @@ spec:
       helm:
         releaseName: prometheus
         valueFiles:
-        - $values/prometheus/values.yaml
+          - $values/prometheus/values.yaml
     - repoURL: https://git.ar21.de/yolokube/core-deployments.git
       targetRevision: HEAD
       ref: values
@@ -122,30 +122,30 @@ spec:
     namespace: prometheus
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
-    - ServerSideApply=true
+      - ServerSideApply=true
-    - RespectIgnoreDifferences=true
+      - RespectIgnoreDifferences=true
     automated:
       prune: false
   ignoreDifferences:
-  - group: apps
+    - group: apps
-    kind: Deployment
+      kind: Deployment
-    jqPathExpressions:
+      jqPathExpressions:
-    - '.spec.template.spec.initContainers[]?.resources'
+        - '.spec.template.spec.initContainers[]?.resources'
-    - '.spec.template.spec.containers[]?.resources'
+        - '.spec.template.spec.containers[]?.resources'
-  - group: apps
+    - group: apps
-    kind: DaemonSet
+      kind: DaemonSet
-    jqPathExpressions:
+      jqPathExpressions:
-    - '.spec.template.spec.initContainers[]?.resources'
+        - '.spec.template.spec.initContainers[]?.resources'
-    - '.spec.template.spec.containers[]?.resources'
+        - '.spec.template.spec.containers[]?.resources'
-  - group: admissionregistration.k8s.io
+    - group: admissionregistration.k8s.io
-    kind: MutatingWebhookConfiguration
+      kind: MutatingWebhookConfiguration
-    jqPathExpressions:
+      jqPathExpressions:
-    - '.webhooks[]?.clientConfig.caBundle'
+        - '.webhooks[]?.clientConfig.caBundle'
-  - group: admissionregistration.k8s.io
+    - group: admissionregistration.k8s.io
-    kind: ValidatingWebhookConfiguration
+      kind: ValidatingWebhookConfiguration
-    jqPathExpressions:
+      jqPathExpressions:
-    - '.webhooks[]?.clientConfig.caBundle'
+        - '.webhooks[]?.clientConfig.caBundle'
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -161,7 +161,7 @@ spec:
       helm:
         releaseName: cilium-cni
         valueFiles:
-        - $values/cilium/values.yaml
+          - $values/cilium/values.yaml
     - repoURL: https://git.ar21.de/yolokube/core-deployments.git
       targetRevision: HEAD
       ref: values
@@ -173,22 +173,22 @@ spec:
     namespace: kube-cilium
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
-    - ServerSideApply=true
+      - ServerSideApply=true
-    - RespectIgnoreDifferences=true
+      - RespectIgnoreDifferences=true
     automated:
       prune: false
   ignoreDifferences:
-  - group: apps
+    - group: apps
-    kind: Deployment
+      kind: Deployment
-    jqPathExpressions:
+      jqPathExpressions:
-    - '.spec.template.spec.containers[]?.resources'
+        - '.spec.template.spec.containers[]?.resources'
-  - group: apps
+    - group: apps
-    kind: DaemonSet
+      kind: DaemonSet
-    jqPathExpressions:
+      jqPathExpressions:
-    - '.spec.template.spec.initContainers[]?.resources'
+        - '.spec.template.spec.initContainers[]?.resources'
-    - '.spec.template.spec.containers[]?.resources'
+        - '.spec.template.spec.containers[]?.resources'
-    - '.spec.template.metadata.annotations'
+        - '.spec.template.metadata.annotations'
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -206,7 +206,7 @@ spec:
     namespace: node-labeler
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
     automated:
       prune: false
 ---
@@ -226,7 +226,7 @@ spec:
     namespace: quota
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
     automated:
       prune: false
 ---
@@ -246,7 +246,7 @@ spec:
     namespace: dashboard
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
     automated:
       prune: false
 ---
@@ -266,7 +266,7 @@ spec:
     namespace: dashboard-staging
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
     automated:
       prune: false
 ---
@@ -284,7 +284,7 @@ spec:
       helm:
         releaseName: loki
         valueFiles:
-        - $values/loki/values.yaml
+          - $values/loki/values.yaml
     - repoURL: https://git.ar21.de/yolokube/core-deployments.git
       targetRevision: HEAD
       ref: values
@@ -296,7 +296,7 @@ spec:
     namespace: logs
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
     automated:
       prune: false
 ---
@@ -318,7 +318,7 @@ spec:
     namespace: logs
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
     automated:
       prune: false
 ---
@@ -348,7 +348,7 @@ spec:
     namespace: kube-system
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
     automated:
       prune: false
 ---
@@ -405,7 +405,7 @@ spec:
       helm:
         releaseName: cert-manager
         valueFiles:
-        - $values/cert-manager/values.yaml
+          - $values/cert-manager/values.yaml
     - repoURL: https://git.ar21.de/yolokube/core-deployments.git
       targetRevision: HEAD
       ref: values
@@ -417,7 +417,7 @@ spec:
     namespace: cert-manager
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
     automated:
       prune: false
 ---
@@ -437,7 +437,7 @@ spec:
     namespace: authentik
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
     automated:
       prune: false
 ---
@@ -457,6 +457,6 @@ spec:
     namespace: thanos
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
     automated:
       prune: false

app-files/tests.yaml

@@ -35,7 +35,7 @@ spec:
     namespace: test-deployments
   syncPolicy:
     syncOptions:
-    - CreateNamespace=true
+      - CreateNamespace=true
 
     automated:
       selfHeal: false

argo/cm.yaml

@@ -18,12 +18,12 @@ data:
         hs.status = "Healthy"
         return hs
   resource.exclusions: |
-   - apiGroups:
+    - apiGroups:
-       - cilium.io
+        - cilium.io
-     kinds:
+      kinds:
-       - CiliumIdentity
+        - CiliumIdentity
-     clusters:
+      clusters:
-       - "*"
+        - "*"
   url: https://argo.services.yolokube.de
   oidc.config: |
     name: aaronID

argo/kustomization.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 generators:

argo/secret-generator.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: viaduct.ai/v1
 kind: ksops
 metadata:

argo/secret.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Secret
 metadata:

argo/sops-secret.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Secret
 metadata:

argo/values.yaml

@@ -1,3 +1,4 @@
+---
 global:
   domain: argo.services.yolokube.de
 configs:

authentik/kustomization.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 generators:

authentik/manifest.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -37,20 +38,20 @@ metadata:
   namespace: authentik
 spec:
   rules:
-  - host: "sso.services.yolokube.de"
+    - host: "sso.services.yolokube.de"
-    http:
+      http:
-      paths:
+        paths:
-      - pathType: Prefix
+          - pathType: Prefix
-        path: "/"
+            path: "/"
-        backend:
+            backend:
-          service:
+              service:
-            name: authentik-outpost
+                name: authentik-outpost
-            port:
+                port:
-              number: 9000
+                  number: 9000
   tls:
-  - hosts:
+    - hosts:
-      - sso.services.yolokube.de
+        - sso.services.yolokube.de
-    secretName: authentik-tls-key
+      secretName: authentik-tls-key
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -76,21 +77,21 @@ spec:
     spec:
       containers:
         - env:
-          - name: AUTHENTIK_HOST
+            - name: AUTHENTIK_HOST
-            valueFrom:
+              valueFrom:
-              secretKeyRef:
+                secretKeyRef:
-                key: authentik_host
+                  key: authentik_host
-                name: authentik-outpost-api
+                  name: authentik-outpost-api
-          - name: AUTHENTIK_TOKEN
+            - name: AUTHENTIK_TOKEN
-            valueFrom:
+              valueFrom:
-              secretKeyRef:
+                secretKeyRef:
-                key: token
+                  key: token
-                name: authentik-outpost-api
+                  name: authentik-outpost-api
-          - name: AUTHENTIK_INSECURE
+            - name: AUTHENTIK_INSECURE
-            valueFrom:
+              valueFrom:
-              secretKeyRef:
+                secretKeyRef:
-                key: authentik_host_insecure
+                  key: authentik_host_insecure
-                name: authentik-outpost-api
+                  name: authentik-outpost-api
           image: ghcr.io/goauthentik/proxy:2024.8.3
           name: proxy
           ports:
@@ -104,22 +105,22 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-    name: authentik
+  name: authentik
-    namespace: authentik
+  namespace: authentik
 spec:
-    forwardAuth:
+  forwardAuth:
-        address: http://authentik-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+    address: http://authentik-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
-        trustForwardHeader: true
+    trustForwardHeader: true
-        authResponseHeaders:
+    authResponseHeaders:
-            - X-authentik-username
+      - X-authentik-username
-            - X-authentik-groups
+      - X-authentik-groups
-            - X-authentik-email
+      - X-authentik-email
-            - X-authentik-name
+      - X-authentik-name
-            - X-authentik-uid
+      - X-authentik-uid
-            - X-authentik-jwt
+      - X-authentik-jwt
-            - X-authentik-grafana-role
+      - X-authentik-grafana-role
-            - X-authentik-meta-jwks
+      - X-authentik-meta-jwks
-            - X-authentik-meta-outpost
+      - X-authentik-meta-outpost
-            - X-authentik-meta-provider
+      - X-authentik-meta-provider
-            - X-authentik-meta-app
+      - X-authentik-meta-app
-            - X-authentik-meta-version
+      - X-authentik-meta-version

authentik/secret-generator.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: viaduct.ai/v1
 kind: ksops
 metadata:

authentik/secret.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Secret
 metadata:

cert-manager/issuer.yaml

@@ -2,29 +2,29 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
- name: letsencrypt-prod
+  name: letsencrypt-prod
 spec:
- acme:
+  acme:
-   email: letsencrypt@ar21.de
+    email: letsencrypt@ar21.de
-   server: https://acme-v02.api.letsencrypt.org/directory
+    server: https://acme-v02.api.letsencrypt.org/directory
-   privateKeySecretRef:
+    privateKeySecretRef:
-     name: letsencrypt-prod-key
+      name: letsencrypt-prod-key
-   solvers:
+    solvers:
-     - http01:
+      - http01:
-         ingress:
+        ingress:
-           class: traefik
+          class: traefik
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
- name: letsencrypt-staging
+  name: letsencrypt-staging
 spec:
- acme:
+  acme:
-   email: letsencrypt@ar21.de
+    email: letsencrypt@ar21.de
-   server: https://acme-staging-v02.api.letsencrypt.org/directory
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
-   privateKeySecretRef:
+    privateKeySecretRef:
-     name: letsencrypt-staging-key
+      name: letsencrypt-staging-key
-   solvers:
+    solvers:
-     - http01:
+      - http01:
-         ingress:
+        ingress:
-           class: traefik
+          class: traefik

cert-manager/namespace.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Namespace
 metadata:

cert-manager/values.yaml

@@ -1,3 +1,4 @@
+---
 namespace: cert-manager
 replicaCount: 3
 podDisruptionBudget:

cilium/values.yaml

@@ -1,3 +1,4 @@
+---
 encryption:
   enabled: false
 ipam:

dashboard/base/dashboard.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -21,17 +22,17 @@ spec:
         app: dashboard
     spec:
       containers:
-      - name: dashboard
+        - name: dashboard
-        image: git.ar21.de/yolokube/dashboard:latest
+          image: git.ar21.de/yolokube/dashboard:latest
-        imagePullPolicy: Always
+          imagePullPolicy: Always
-        ports:
+          ports:
-        - containerPort: 8080
+            - containerPort: 8080
-        livenessProbe:
+          livenessProbe:
-          httpGet:
+            httpGet:
-            path: /
+              path: /
-            port: 8080
+              port: 8080
-          initialDelaySeconds: 4
+            initialDelaySeconds: 4
-          periodSeconds: 3
+            periodSeconds: 3
 ---
 apiVersion: v1
 kind: Service
@@ -55,17 +56,17 @@ metadata:
   namespace: dashboard
 spec:
   rules:
-  - host: "dashboard.services.yolokube.de"
+    - host: "dashboard.services.yolokube.de"
-    http:
+      http:
-      paths:
+        paths:
-      - pathType: Prefix
+          - pathType: Prefix
-        path: "/"
+            path: "/"
-        backend:
+            backend:
-          service:
+              service:
-            name: dashboard-service
+                name: dashboard-service
-            port:
+                port:
-              number: 80
+                  number: 80
   tls:
-  - hosts:
+    - hosts:
-      - dashboard.services.yolokube.de
+        - dashboard.services.yolokube.de
-    secretName: dashboard-tls-key
+      secretName: dashboard-tls-key

dashboard/base/kustomization.yaml

@@ -1,4 +1,5 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- dashboard.yaml
+  - dashboard.yaml

dashboard/overlays/prod/kustomization.yaml

@@ -1,9 +1,10 @@
+---
 resources:
-- ../../base
+  - ../../base
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
-- name: git.ar21.de/yolokube/dashboard
+  - name: git.ar21.de/yolokube/dashboard
-  newName: git.ar21.de/yolokube/dashboard
+    newName: git.ar21.de/yolokube/dashboard
-  newTag: "96"
+    newTag: "96"
 namespace: dashboard

dashboard/overlays/staging/kustomization.yaml

@@ -1,31 +1,32 @@
+---
 resources:
-- ../../base
+  - ../../base
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
-- name: git.ar21.de/yolokube/dashboard
+  - name: git.ar21.de/yolokube/dashboard
-  newName: git.ar21.de/yolokube/dashboard
+    newName: git.ar21.de/yolokube/dashboard
-  newTag: staging-95
+    newTag: staging-95
 namespace: dashboard-staging
 patches:
-- patch: |-
+  - patch: |-
-    - op: replace
+      - op: replace
-      path: /spec/rules/0/host
+        path: /spec/rules/0/host
-      value: "dashboard-staging.services.yolokube.de"
+        value: "dashboard-staging.services.yolokube.de"
-  target:
+    target:
-    kind: Ingress
+      kind: Ingress
-    name: dashboard-ingress
+      name: dashboard-ingress
-- patch: |-
+  - patch: |-
-    - op: replace
+      - op: replace
-      path: /spec/tls/0/hosts/0
+        path: /spec/tls/0/hosts/0
-      value: "dashboard-staging.services.yolokube.de"
+        value: "dashboard-staging.services.yolokube.de"
-  target:
+    target:
-    kind: Ingress
+      kind: Ingress
-    name: dashboard-ingress
+      name: dashboard-ingress
-- patch: |-
+  - patch: |-
-    - op: replace
+      - op: replace
-      path: /spec/replicas
+        path: /spec/replicas
-      value: 1
+        value: 1
-  target:
+    target:
-    kind: Deployment
+      kind: Deployment
-    name: dashboard-deployment
+      name: dashboard-deployment

examples/example-deployment.yaml

@@ -37,17 +37,17 @@ spec:
         app: example
     spec:
       containers:
-      - name: example
+        - name: example
-        image: testcontainers/helloworld
+          image: testcontainers/helloworld
-        ports:
+          ports:
-        - containerPort: 8080
+            - containerPort: 8080
-        volumeMounts:
+          volumeMounts:
-        - mountPath: "/var/www/html"
+            - mountPath: "/var/www/html"
-          name: example-volume
+              name: example-volume
       volumes:
-      - name: example-volume
+        - name: example-volume
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: example-pvc
+            claimName: example-pvc
 ---
 apiVersion: v1
 kind: Service
@@ -75,17 +75,17 @@ metadata:
   namespace: example
 spec:
   rules:
-  - host: "example.apps.yolokube.de"
+    - host: "example.apps.yolokube.de"
-    http:
+      http:
-      paths:
+        paths:
-      - pathType: Prefix
+          - pathType: Prefix
-        path: "/"
+            path: "/"
-        backend:
+            backend:
-          service:
+              service:
-            name: example-service
+                name: example-service
-            port:
+                port:
-              number: 80
+                  number: 80
   tls:
-  - hosts:
+    - hosts:
-      - example.apps.yolokube.de
+        - example.apps.yolokube.de
-    secretName: example-tls-key
+      secretName: example-tls-key

ingress/values.yaml

@@ -1,3 +1,4 @@
+---
 controller:
   enableSnippets: true
   hostNetwork: true

loki/kustomization.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 generators:

loki/namespace.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Namespace
 metadata:

loki/secret-generator.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: viaduct.ai/v1
 kind: ksops
 metadata:

loki/secret.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Secret
 metadata:

loki/values.yaml

@@ -1,3 +1,4 @@
+---
 loki:
   auth_enabled: false
   persistence:

longhorn/kustomization.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 generators:

longhorn/namespace.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Namespace
 metadata:

longhorn/recurringjobs.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: longhorn.io/v1beta1
 kind: RecurringJob
 metadata:

longhorn/secret-generator.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: viaduct.ai/v1
 kind: ksops
 metadata:

longhorn/secret.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,11 +8,11 @@ type: Opaque
 data:
     AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:78iskasj0MX32r8qp4LCmTsf5q8r3W5nCs7BrA==,iv:dQFU/Pm+bQQKWfWKq7c63XTW2+czjOeIZuoL2mrPKbM=,tag:we+rZ+YoMpeiAve7zcH6pg==,type:str]
     AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:zR3LNrmweWn9ONkpOlgNGfJ0ERJeNgNsurvBcsX7JZox/vyaZRb6lt4VEjdBDMdTZ+dWRvtvHUw=,iv:CCLoHHixnzVaT0SX3uOjyb7SCNyAe5H30acmMEIgubI=,tag:c7nWPRTZQXqgp8jVgtU57g==,type:str]
-    #ENC[AES256_GCM,data:p1aNW086iJ/xbZGc3A9VFitml4AB0ly8BOyJztOoIBd9I7Ld,iv:5um8w4PL9EfHcCHlfIW0Yr6aqvgs5FVh4Y54RDQDOLY=,tag:17ELSDORVx0aj2hzFDaxUA==,type:comment]
+    # ENC[AES256_GCM,data:p1aNW086iJ/xbZGc3A9VFitml4AB0ly8BOyJztOoIBd9I7Ld,iv:5um8w4PL9EfHcCHlfIW0Yr6aqvgs5FVh4Y54RDQDOLY=,tag:17ELSDORVx0aj2hzFDaxUA==,type:comment]
     AWS_ENDPOINTS: ENC[AES256_GCM,data:Cm4ISXx3mosAwVCzFqK5461gFIAqWtSwazvhfe/01blpOLOGpEW7b7S00fnRMviR,iv:Zflw/1JEQjcKarQPOrpBSpCprdL/2Ry6FH74K3/NfFo=,tag:l6idxnQStu2ycr0og2/otw==,type:str]
-    #ENC[AES256_GCM,data:0QVDgxSYpM+pFAiXf2+xcAnZath1zSzyZDy/zS8L36kZrSQnBSDN91OwAKLYpOb1m+cbex6lWN9OYFRYcIhUjA==,iv:Cm7bwYZS6F4XkRFaqUcBehXUQXmUI/48l+cDBPjlao8=,tag:jBUadTKqWJbPqpljshBoRg==,type:comment]
+    # ENC[AES256_GCM,data:0QVDgxSYpM+pFAiXf2+xcAnZath1zSzyZDy/zS8L36kZrSQnBSDN91OwAKLYpOb1m+cbex6lWN9OYFRYcIhUjA==,iv:Cm7bwYZS6F4XkRFaqUcBehXUQXmUI/48l+cDBPjlao8=,tag:jBUadTKqWJbPqpljshBoRg==,type:comment]
-    #ENC[AES256_GCM,data:oxfKvt9xbus8la9hJGLOCVBfyQMCP4wpD4QZcEIw/SFWysMm2NaFzUHtUH39QAG2kCw1C5gKtTQ5EhJ1C2bgxVB6qlC6DUhO5uwlIoXtDqNsfhnsyWuIvJMH5jnPwAfO8Y+plLk2g4dV3aMmYt8Hfg==,iv:Ai/0l0GDbJzTaVy7Xhp1offyaqKD/Ge/oU9YDiGXC28=,tag:wIGYy7TBnCZYrbKDd1y7xQ==,type:comment]
+    # ENC[AES256_GCM,data:oxfKvt9xbus8la9hJGLOCVBfyQMCP4wpD4QZcEIw/SFWysMm2NaFzUHtUH39QAG2kCw1C5gKtTQ5EhJ1C2bgxVB6qlC6DUhO5uwlIoXtDqNsfhnsyWuIvJMH5jnPwAfO8Y+plLk2g4dV3aMmYt8Hfg==,iv:Ai/0l0GDbJzTaVy7Xhp1offyaqKD/Ge/oU9YDiGXC28=,tag:wIGYy7TBnCZYrbKDd1y7xQ==,type:comment]
-    #ENC[AES256_GCM,data:6IieK5gwtUr+u3PjRjOXs5fJafO3N14yLmDCxBdU5VBfgOpIV4P5nX07DJ5jXw9BJgr6nqsQA0tlgeddT0vnO/cQNKJFBeQXVCzjxLHlrNv7JLg6EbtXZoO/eNow0XBGCLyg6Mq+6S83J2p8pix4tEae4YQrwveQ+dD0A15hK7n5gWOdFz50qE5IImbZsm9aR3ymxs1o9fjkZYTNycsneWe069SNCdb2gFtf4Q==,iv:N30tKPf2ajQT2s0/GYZPV8ipy1Qkkfh+dAlJ4pdGm9M=,tag:qtfr6TY8nyAoMykRONC3kQ==,type:comment]
+    # ENC[AES256_GCM,data:6IieK5gwtUr+u3PjRjOXs5fJafO3N14yLmDCxBdU5VBfgOpIV4P5nX07DJ5jXw9BJgr6nqsQA0tlgeddT0vnO/cQNKJFBeQXVCzjxLHlrNv7JLg6EbtXZoO/eNow0XBGCLyg6Mq+6S83J2p8pix4tEae4YQrwveQ+dD0A15hK7n5gWOdFz50qE5IImbZsm9aR3ymxs1o9fjkZYTNycsneWe069SNCdb2gFtf4Q==,iv:N30tKPf2ajQT2s0/GYZPV8ipy1Qkkfh+dAlJ4pdGm9M=,tag:qtfr6TY8nyAoMykRONC3kQ==,type:comment]
 sops:
     kms: []
     gcp_kms: []

longhorn/storageclass.yaml

@@ -1,3 +1,4 @@
+---
 # this is the storageclass manifest for the logs and metrics volumes
 kind: StorageClass
 apiVersion: storage.k8s.io/v1
@@ -12,4 +13,4 @@ parameters:
   staleReplicaTimeout: "30"
   fromBackup: ""
   fsType: "ext4"
-  dataLocality: "disabled"
+  dataLocality: "disabled"

longhorn/values.yaml

@@ -1,3 +1,4 @@
+---
 persistence:
   recurringJobSelector:
     enable: true

longhorn/volumesnapshotclass.yaml

@@ -1,3 +1,4 @@
+---
 kind: VolumeSnapshotClass
 apiVersion: snapshot.storage.k8s.io/v1
 metadata:
@@ -16,4 +17,4 @@ metadata:
 driver: driver.longhorn.io
 deletionPolicy: Delete
 parameters:
-  type: snap
+  type: snap

node-labeler/node-labeler.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -78,4 +79,4 @@ subjects:
 roleRef:
   kind: ClusterRole
   name: worker-node-labeler-role
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io

paste/manifest.yaml

@@ -37,17 +37,17 @@ spec:
       securityContext:
         fsGroup: 82
       containers:
-      - name: paste
+        - name: paste
-        image: privatebin/nginx-fpm-alpine
+          image: privatebin/nginx-fpm-alpine
-        ports:
+          ports:
-        - containerPort: 8080
+            - containerPort: 8080
-        volumeMounts:
+          volumeMounts:
-        - mountPath: "/srv/data"
+            - mountPath: "/srv/data"
-          name: paste-volume
+              name: paste-volume
       volumes:
-      - name: paste-volume
+        - name: paste-volume
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: paste-pvc
+            claimName: paste-pvc
 ---
 apiVersion: v1
 kind: Service
@@ -71,17 +71,17 @@ metadata:
   namespace: paste
 spec:
   rules:
-  - host: "paste.apps.yolokube.de"
+    - host: "paste.apps.yolokube.de"
-    http:
+      http:
-      paths:
+        paths:
-      - pathType: Prefix
+          - pathType: Prefix
-        path: "/"
+            path: "/"
-        backend:
+            backend:
-          service:
+              service:
-            name: paste-service
+                name: paste-service
-            port:
+                port:
-              number: 80
+                  number: 80
   tls:
-  - hosts:
+    - hosts:
-      - paste.apps.yolokube.de
+        - paste.apps.yolokube.de
-    secretName: paste-tls-key
+      secretName: paste-tls-key

prometheus/alerts.yaml

@@ -10,114 +10,114 @@ spec:
   groups:
     - name: hardware
       rules:
-      - alert: MemoryHigh
+        - alert: MemoryHigh
-        expr: round((((node_memory_MemTotal_bytes - node_memory_MemAvailable_bytes) / node_memory_MemTotal_bytes) * 100), 0.1) > 80
+          expr: round((((node_memory_MemTotal_bytes - node_memory_MemAvailable_bytes) / node_memory_MemTotal_bytes) * 100), 0.1) > 80
-        for: 5m
+          for: 5m
-        labels:
+          labels:
-          severity: warning
+            severity: warning
-        annotations:
+          annotations:
-          summary: "Memory over 80%"
+            summary: "Memory over 80%"
-          description: "Memory on node {{ $labels.node }} is over 80% for more than 5 minutes. Plox fix. Memory usage: {{ $value }}%"
+            description: "Memory on node {{ $labels.node }} is over 80% for more than 5 minutes. Plox fix. Memory usage: {{ $value }}%"
-      - alert: DiskspaceLow
+        - alert: DiskspaceLow
-        expr: round(node_filesystem_avail_bytes{mountpoint="/"} / node_filesystem_size_bytes{mountpoint="/"} * 100, 1) < 5
+          expr: round(node_filesystem_avail_bytes{mountpoint="/"} / node_filesystem_size_bytes{mountpoint="/"} * 100, 1) < 5
-        for: 1m
+          for: 1m
-        labels:
+          labels:
-          severity: warning
+            severity: warning
-        annotations:
+          annotations:
-          summary: "Free disk space at {{ $value }}%"
+            summary: "Free disk space at {{ $value }}%"
-          description: "Disk space on node {{ $labels.node }} is only {{ $value }}%. Plox fix. Partition: {{ $labels.device }}"
+            description: "Disk space on node {{ $labels.node }} is only {{ $value }}%. Plox fix. Partition: {{ $labels.device }}"
-      - alert: HostMemoryUnderMemoryPressure
+        - alert: HostMemoryUnderMemoryPressure
-        expr: rate(node_vmstat_pgmajfault[1m]) > 1000
+          expr: rate(node_vmstat_pgmajfault[1m]) > 1000
-        for: 2m
+          for: 2m
-        labels:
+          labels:
-          severity: warning
+            severity: warning
-        annotations:
+          annotations:
-          summary: Host memory under memory pressure {{ $labels.node }}
+            summary: Host memory under memory pressure {{ $labels.node }}
-          description: "The node is under heavy memory pressure. High rate of major page faults\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+            description: "The node is under heavy memory pressure. High rate of major page faults\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
-      - alert: HostUnusualDiskReadRate
+        - alert: HostUnusualDiskReadRate
-        expr: sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 200
+          expr: sum by (instance) (rate(node_disk_read_bytes_total[2m])) / 1024 / 1024 > 200
-        for: 5m
+          for: 5m
-        labels:
+          labels:
-          severity: warning
+            severity: warning
-        annotations:
+          annotations:
-          summary: Host unusual disk read rate {{ $labels.node }}
+            summary: Host unusual disk read rate {{ $labels.node }}
-          description: "Disk is probably reading too much data (> 200 MB/s)\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+            description: "Disk is probably reading too much data (> 200 MB/s)\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
-      - alert: HostUnusualDiskWriteRate
+        - alert: HostUnusualDiskWriteRate
-        expr: sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 200
+          expr: sum by (instance) (rate(node_disk_written_bytes_total[2m])) / 1024 / 1024 > 200
-        for: 3m
+          for: 3m
-        labels:
+          labels:
-          severity: warning
+            severity: warning
-        annotations:
+          annotations:
-          summary: Host unusual disk write rate {{ $labels.node }}
+            summary: Host unusual disk write rate {{ $labels.node }}
-          description: "Disk is probably writing too much data (> 200 MB/s)\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+            description: "Disk is probably writing too much data (> 200 MB/s)\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
-      - alert: HostCpuStealNoisyNeighbor
+        - alert: HostCpuStealNoisyNeighbor
-        expr: avg by(instance) (rate(node_cpu_seconds_total{mode="steal"}[5m])) * 100 > 10
+          expr: avg by(instance) (rate(node_cpu_seconds_total{mode="steal"}[5m])) * 100 > 10
-        for: 1m
+          for: 1m
-        labels:
+          labels:
-          severity: warning
+            severity: warning
-        annotations:
+          annotations:
-          summary: Host CPU steal noisy neighbor {{ $labels.node }}
+            summary: Host CPU steal noisy neighbor {{ $labels.node }}
-          description: "CPU steal is > 10%. A noisy neighbor is killing VM performances or a spot instance may be out of credit.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+            description: "CPU steal is > 10%. A noisy neighbor is killing VM performances or a spot instance may be out of credit.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
-      - alert: HostPhysicalComponentTooHot
+        - alert: HostPhysicalComponentTooHot
-        expr: node_hwmon_temp_celsius > 90
+          expr: node_hwmon_temp_celsius > 90
-        for: 5m
+          for: 5m
-        labels:
+          labels:
-          severity: warning
+            severity: warning
-        annotations:
+          annotations:
-          summary: Host physical component too hot {{ $labels.node }}
+            summary: Host physical component too hot {{ $labels.node }}
-          description: "Physical hardware component too hot\n  Sensor = {{ $labels.sensor }}\n Temp = {{ $value }}"
+            description: "Physical hardware component too hot\n  Sensor = {{ $labels.sensor }}\n Temp = {{ $value }}"
-      - alert: SMARTbad
+        - alert: SMARTbad
-        expr: smartmon_device_smart_healthy < 1
+          expr: smartmon_device_smart_healthy < 1
-        for: 0m
+          for: 0m
-        labels:
+          labels:
-          severity: critical
+            severity: critical
-        annotations:
+          annotations:
-          summary: SMART check bad of drive {{ $labels.exported_disk }} in node {{ $labels.node }}
+            summary: SMART check bad of drive {{ $labels.exported_disk }} in node {{ $labels.node }}
-          description: "SMART check returned bad health of {{ $labels.exported_disk }} in node {{ $labels.node }}. VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+            description: "SMART check returned bad health of {{ $labels.exported_disk }} in node {{ $labels.node }}. VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
-      - alert: "SMARTcheck too old"
+        - alert: "SMARTcheck too old"
-        expr: (time() - smartmon_smartctl_run) > 10800
+          expr: (time() - smartmon_smartctl_run) > 10800
-        labels:
+          labels:
-          severity: warning
+            severity: warning
-        annotations:
+          annotations:
-          summary: "SMARTcheck not running"
+            summary: "SMARTcheck not running"
-          description: 'The last SMARTcheck on node {{ $labels.node }} was more than 3h ago. Plox fix.'
+            description: 'The last SMARTcheck on node {{ $labels.node }} was more than 3h ago. Plox fix.'
-      - alert: "ECC Memory errors"
+        - alert: "ECC Memory errors"
-        expr: (node_edac_correctable_errors_total) > 100
+          expr: (node_edac_correctable_errors_total) > 100
-        labels:
+          labels:
-          severity: warning
+            severity: warning
-        annotations:
+          annotations:
-          summary: "ECC errors on {{ $labels.node }}"
+            summary: "ECC errors on {{ $labels.node }}"
-          description: 'The node {{ $labels.node }} accumulated {{ $value }} correctable errors.'
+            description: 'The node {{ $labels.node }} accumulated {{ $value }} correctable errors.'
-      - alert: "ECC Memory uncorrectable errors"
+        - alert: "ECC Memory uncorrectable errors"
-        expr: (node_edac_uncorrectable_errors_total) > 0
+          expr: (node_edac_uncorrectable_errors_total) > 0
-        labels:
+          labels:
-          severity: critical
+            severity: critical
-        annotations:
+          annotations:
-          summary: "ECC errors on {{ $labels.node }}"
+            summary: "ECC errors on {{ $labels.node }}"
-          description: 'The node {{ $labels.node }} accumulated {{ $value }} uncorrectable errors.'
+            description: 'The node {{ $labels.node }} accumulated {{ $value }} uncorrectable errors.'
     - name: etcdbackup
       rules:
-      - alert: "etcdbackup too old"
+        - alert: "etcdbackup too old"
-        expr: (time() - etcdbackup_time) > 10800
+          expr: (time() - etcdbackup_time) > 10800
-        labels:
+          labels:
-          severity: warning
+            severity: warning
-        annotations:
+          annotations:
-          summary: "etcd backup not running"
+            summary: "etcd backup not running"
-          description: 'The last etcd backup on node {{ $labels.node }} was more than 3h ago. Plox fix.'
+            description: 'The last etcd backup on node {{ $labels.node }} was more than 3h ago. Plox fix.'
-      - alert: "etcdbackup failed"
+        - alert: "etcdbackup failed"
-        expr: etcdbackup_result > 0
+          expr: etcdbackup_result > 0
-        labels:
+          labels:
-          severity: warning
+            severity: warning
-        annotations:
+          annotations:
-          summary: "etcdbackup failed"
+            summary: "etcdbackup failed"
-          description: "The backup script for etcd failed on node {{ $labels.node }}. Plox fix."
+            description: "The backup script for etcd failed on node {{ $labels.node }}. Plox fix."
     - name: kubernetes
       rules:
-      - alert: KubernetesUnhealthyPod
+        - alert: KubernetesUnhealthyPod
-        expr: kube_pod_container_status_waiting_reason == 1
+          expr: kube_pod_container_status_waiting_reason == 1
-        for: 5m
+          for: 5m
-        labels:
+          labels:
-          severity: warning
+            severity: warning
-        annotations:
+          annotations:
-          summary: "The Pod {{ $labels.pod }} is {{ $labels.reason }}"
+            summary: "The Pod {{ $labels.pod }} is {{ $labels.reason }}"
-          description: "The Pod {{ $labels.pod }} is in the state {{ $labels.reason }} for more than 5m. The Pod is in namespace {{ $labels.namespace }} and on node {{ $labels.node }}."
+            description: "The Pod {{ $labels.pod }} is in the state {{ $labels.reason }} for more than 5m. The Pod is in namespace {{ $labels.namespace }} and on node {{ $labels.node }}."

prometheus/kustomization.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 generators:

prometheus/namespace.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Namespace
 metadata:

prometheus/secret-generator.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: viaduct.ai/v1
 kind: ksops
 metadata:

prometheus/secret.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Secret
 metadata:

prometheus/service-monitor-longhorn.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
@@ -11,6 +12,6 @@ spec:
       app: longhorn-manager
   namespaceSelector:
     matchNames:
-    - longhorn-system
+      - longhorn-system
   endpoints:
-  - port: manager
+    - port: manager

prometheus/templates.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -12,4 +13,4 @@ data:
 
       {{ .Annotations.description }}
       {{ end }}
-    {{ end }}
+    {{ end }}

prometheus/values.yaml

@@ -1,3 +1,4 @@
+---
 alertmanager:
   alertmanagerSpec:
     podAntiAffinity: "hard"
@@ -8,11 +9,11 @@ alertmanager:
       - "templates"
     storage:
       volumeClaimTemplate:
-       spec:
+        spec:
-         accessModes: ["ReadWriteOnce"]
+          accessModes: ["ReadWriteOnce"]
-         resources:
+          resources:
-           requests:
+            requests:
-             storage: 5Gi
+              storage: 5Gi
     useExistingSecret: false
   config:
     global:
@@ -27,20 +28,20 @@ alertmanager:
       receiver: 'tg1'
       routes:
         - matchers:
-          - severity=warning
+            - severity=warning
           receiver: 'tg1'
         - matchers:
-          - severity=critical
+            - severity=critical
           receiver: 'tg1'
     receivers:
-    - name: tg1
+      - name: tg1
-      telegram_configs:
+        telegram_configs:
-      - bot_token_file: '/etc/alertmanager/secrets/telegram-api/api_key'
+          - bot_token_file: '/etc/alertmanager/secrets/telegram-api/api_key'
-        chat_id: -995270884
+            chat_id: -995270884
-        api_url: "https://api.telegram.org"
+            api_url: "https://api.telegram.org"
-        send_resolved: true
+            send_resolved: true
-        parse_mode: "HTML"
+            parse_mode: "HTML"
-        message: '{{ template "telegram.aaron" .}}'
+            message: '{{ template "telegram.aaron" .}}'
     inhibit_rules:
       - source_matchers:
           - severity = critical
@@ -97,7 +98,7 @@ grafana:
   persistence:
     enabled: true
     accessModes:
-     - ReadWriteMany
+      - ReadWriteMany
   grafana.ini:
     auth:
       disable_login_form: true
@@ -168,12 +169,12 @@ prometheus:
     replicas: 2
     storageSpec:
       volumeClaimTemplate:
-       spec:
+        spec:
-         storageClassName: longhorn
+          storageClassName: longhorn
-         accessModes: ["ReadWriteOnce"]
+          accessModes: ["ReadWriteOnce"]
-         resources:
+          resources:
-           requests:
+            requests:
-             storage: 10Gi
+              storage: 10Gi
     serviceMonitorNamespaceSelector:
       matchLabels:
         prometheus: yolokube

quota/quotad.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -109,4 +110,4 @@ subjects:
 roleRef:
   kind: ClusterRole
   name: quotad-role
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io

tests/test-egress.yaml

@@ -1,51 +1,51 @@
-#---
+# ---
-#apiVersion: v1
+# apiVersion: v1
-#kind: Namespace
+# kind: Namespace
-#metadata:
+# metadata:
-#  name: egress
+#   name: egress
-#---
+# ---
-#apiVersion: apps/v1
+# apiVersion: apps/v1
-#kind: Deployment
+# kind: Deployment
-#metadata:
+# metadata:
-#  name: egress-deployment
+#   name: egress-deployment
-#  namespace: egress
+#   namespace: egress
-#  labels:
+#   labels:
-#    app: egress
+#     app: egress
-#spec:
+# spec:
-#  replicas: 3
+#   replicas: 3
-#  selector:
+#   selector:
-#    matchLabels:
+#     matchLabels:
-#      app: egress
+#       app: egress
-#  template:
+#   template:
-#    metadata:
+#     metadata:
-#      labels:
+#       labels:
-#        app: egress
+#         app: egress
-#    spec:
+#     spec:
-#      containers:
+#       containers:
-#      - name: egress
+#         - name: egress
-#        image: curlimages/curl
+#           image: curlimages/curl
-#        command: ['/usr/bin/curl']
+#           command: ['/usr/bin/curl']
-#        args: ['-s', '-L', '-4', 'ip.hetzner.com']
+#           args: ['-s', '-L', '-4', 'ip.hetzner.com']
-#---
+# ---
-#apiVersion: apps/v1
+# apiVersion: apps/v1
-#kind: Deployment
+# kind: Deployment
-#metadata:
+# metadata:
-#  name: egress6-deployment
+#   name: egress6-deployment
-#  namespace: egress
+#   namespace: egress
-#  labels:
+#   labels:
-#    app: egress6
+#     app: egress6
-#spec:
+# spec:
-#  replicas: 3
+#   replicas: 3
-#  selector:
+#   selector:
-#    matchLabels:
+#     matchLabels:
-#      app: egress6
+#       app: egress6
-#  template:
+#   template:
-#    metadata:
+#     metadata:
-#      labels:
+#       labels:
-#        app: egress6
+#         app: egress6
-#    spec:
+#     spec:
-#      containers:
+#       containers:
-#      - name: egress6
+#         - name: egress6
-#        image: curlimages/curl
+#           image: curlimages/curl
-#        command: ['/usr/bin/curl']
+#           command: ['/usr/bin/curl']
-#        args: ['-s', '-L', '-6', 'ip.hetzner.com']
+#           args: ['-s', '-L', '-6', 'ip.hetzner.com']

tests/test-ingress.yaml

@@ -23,10 +23,10 @@ spec:
         app: test1
     spec:
       containers:
-      - name: test1
+        - name: test1
-        image: containous/whoami
+          image: containous/whoami
-        ports:
+          ports:
-        - containerPort: 80
+            - containerPort: 80
 ---
 apiVersion: v1
 kind: Service
@@ -51,17 +51,17 @@ metadata:
   namespace: aaron-test
 spec:
   rules:
-  - host: "test.services.yolokube.de"
+    - host: "test.services.yolokube.de"
-    http:
+      http:
-      paths:
+        paths:
-      - pathType: Prefix
+          - pathType: Prefix
-        path: "/"
+            path: "/"
-        backend:
+            backend:
-          service:
+              service:
-            name: test1-service
+                name: test1-service
-            port:
+                port:
-              number: 80
+                  number: 80
   tls:
-  - hosts:
+    - hosts:
-      - test.services.yolokube.de
+        - test.services.yolokube.de
-    secretName: test2-tls-key
+      secretName: test2-tls-key

tests/test-storage.yaml

@@ -1,88 +1,88 @@
-### example app "privatebin" to test storage
+# ## example app "privatebin" to test storage
-#---
+# ---
-#apiVersion: v1
+# apiVersion: v1
-#kind: Namespace
+# kind: Namespace
-#metadata:
+# metadata:
-#  name: paste
+#   name: paste
-#---
+# ---
-#apiVersion: v1
+# apiVersion: v1
-#kind: PersistentVolumeClaim
+# kind: PersistentVolumeClaim
-#metadata:
+# metadata:
-#  name: paste-pvc
+#   name: paste-pvc
-#  namespace: paste
+#   namespace: paste
-#spec:
+# spec:
-#  accessModes:
+#   accessModes:
-#    - ReadWriteOnce
+#     - ReadWriteOnce
-#  volumeMode: Filesystem
+#   volumeMode: Filesystem
-#  resources:
+#   resources:
-#    requests:
+#     requests:
-#      storage: 8Gi
+#       storage: 8Gi
-#---
+# ---
-#apiVersion: apps/v1
+# apiVersion: apps/v1
-#kind: Deployment
+# kind: Deployment
-#metadata:
+# metadata:
-#  name: paste-deployment
+#   name: paste-deployment
-#  namespace: paste
+#   namespace: paste
-#  labels:
+#   labels:
-#    app: paste
+#     app: paste
-#spec:
+# spec:
-#  replicas: 1
+#   replicas: 1
-#  selector:
+#   selector:
-#    matchLabels:
+#     matchLabels:
-#      app: paste
+#       app: paste
-#  template:
+#   template:
-#    metadata:
+#     metadata:
-#      labels:
+#       labels:
-#        app: paste
+#         app: paste
-#    spec:
+#     spec:
-#      securityContext:
+#       securityContext:
-#        fsGroup: 82
+#         fsGroup: 82
-#      containers:
+#       containers:
-#      - name: paste
+#         - name: paste
-#        image: privatebin/nginx-fpm-alpine
+#           image: privatebin/nginx-fpm-alpine
-#        ports:
+#           ports:
-#        - containerPort: 8080
+#             - containerPort: 8080
-#        volumeMounts:
+#           volumeMounts:
-#        - mountPath: "/srv/data"
+#             - mountPath: "/srv/data"
-#          name: paste-volume
+#               name: paste-volume
-#      volumes:
+#       volumes:
-#      - name: paste-volume
+#         - name: paste-volume
-#        persistentVolumeClaim:
+#           persistentVolumeClaim:
-#          claimName: paste-pvc
+#             claimName: paste-pvc
-#---
+# ---
-#apiVersion: v1
+# apiVersion: v1
-#kind: Service
+# kind: Service
-#metadata:
+# metadata:
-#  name: paste-service
+#   name: paste-service
-#  namespace: paste
+#   namespace: paste
-#spec:
+# spec:
-#  selector:
+#   selector:
-#    app: paste
+#     app: paste
-#  ports:
+#   ports:
-#    - protocol: TCP
+#     - protocol: TCP
-#      port: 80
+#       port: 80
-#      targetPort: 8080
+#       targetPort: 8080
-#---
+# ---
-#apiVersion: networking.k8s.io/v1
+# apiVersion: networking.k8s.io/v1
-#kind: Ingress
+# kind: Ingress
-#metadata:
+# metadata:
-#  annotations:
+#   annotations:
-#    kubernetes.io/tls-acme: "true"
+#     kubernetes.io/tls-acme: "true"
-#  name: paste-ingress
+#   name: paste-ingress
-#  namespace: paste
+#   namespace: paste
-#spec:
+# spec:
-#  rules:
+#   rules:
-#  - host: "paste.apps.yolokube.de"
+#     - host: "paste.apps.yolokube.de"
-#    http:
+#       http:
-#      paths:
+#         paths:
-#      - pathType: Prefix
+#           - pathType: Prefix
-#        path: "/"
+#             path: "/"
-#        backend:
+#             backend:
-#          service:
+#               service:
-#            name: paste-service
+#                 name: paste-service
-#            port:
+#                 port:
-#              number: 80
+#                   number: 80
-#  tls:
+#   tls:
-#  - hosts:
+#     - hosts:
-#      - paste.apps.yolokube.de
+#         - paste.apps.yolokube.de
-#    secretName: paste-tls-key
+#       secretName: paste-tls-key

thanos/2-objectstore-secret.enc.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Secret
 metadata:

thanos/3-querier.yaml

@@ -95,17 +95,17 @@ metadata:
   namespace: thanos
 spec:
   rules:
-  - host: "thanos.services.yolokube.de"
+    - host: "thanos.services.yolokube.de"
-    http:
+      http:
-      paths:
+        paths:
-      - pathType: Prefix
+          - pathType: Prefix
-        path: "/"
+            path: "/"
-        backend:
+            backend:
-          service:
+              service:
-            name: querier
+                name: querier
-            port:
+                port:
-              name: http
+                  name: http
   tls:
-  - hosts:
+    - hosts:
-      - thanos.services.yolokube.de
+        - thanos.services.yolokube.de
-    secretName: thanos-tls-key
+      secretName: thanos-tls-key

thanos/kustomization.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 generators:

thanos/secret-generator.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: viaduct.ai/v1
 kind: ksops
 metadata:

traefik/basicauth.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -17,4 +18,4 @@ data:
     YWFyb246JDJ5JDA1JEIyLlEuOS9lNFZFWHNub2UueXBqWU9raXlrbXJGMmhwQXBFN0NZYzJEUEly
     MHBGSWRETzFPCnRvbTokMnkkMDUkQnNNN2Z2bWYzR3B1em5hazVPU2dyZTB4ODFLNC52eFVRTy9h
     S1c1Y1k0Z21RT3p2c3NQTE8KYmFzdGk6JCRhcHIxJCRYYUdERnByYiQkTzlZMW9SaFROWTdVNWFh
-    NUxqM3dhMQo=
+    NUxqM3dhMQo=

traefik/secondingressclass.yaml

@@ -1,6 +1,7 @@
+---
 apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   name: nginx
 spec:
-  controller: traefik.io/ingress-controller
+  controller: traefik.io/ingress-controller

traefik/values.yaml

@@ -1,3 +1,4 @@
+---
 deployment:
   kind: DaemonSet
   minReadySeconds: 120

vcluster/aaron.yaml

@@ -1,3 +1,4 @@
+---
 controlPlane:
   distro:
     k8s:
@@ -18,7 +19,7 @@ controlPlane:
       replicas: 3
   proxy:
     extraSANs:
-    - vcluster.k8s.ar21.de
+      - vcluster.k8s.ar21.de
 exportKubeConfig:
   server: https://vcluster.k8s.ar21.de:443
 sync:

vcluster/ingress-aaron.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRouteTCP
 metadata:
@@ -7,9 +8,9 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: HostSNI(`vcluster.k8s.ar21.de`)
+    - match: HostSNI(`vcluster.k8s.ar21.de`)
-    services:
+      services:
-      - name: ar
+        - name: ar
-        port: 443
+          port: 443
   tls:
     passthrough: true

vcluster/tom.yaml

@@ -1,3 +1,4 @@
+---
 controlPlane:
   distro:
     k8s:

woodpecker/secrets/kustomization.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 generators:

woodpecker/secrets/secret-generator.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: viaduct.ai/v1
 kind: ksops
 metadata:

woodpecker/secrets/secrets.enc.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Secret
 metadata:

woodpecker/values/values.yaml

@@ -1,10 +1,11 @@
+---
 server:
   ingress:
     # -- Enable the ingress for the server component
     enabled: true
     # -- Add annotations to the ingress
     annotations:
-    # kubernetes.io/ingress.class: nginx
+      # kubernetes.io/ingress.class: nginx
       kubernetes.io/tls-acme: "true"
     hosts:
       - host: woodpecker.ar21.de
@@ -15,7 +16,7 @@ server:
               servicePort: 80
     tls:
       - hosts:
-        - woodpecker.ar21.de
+          - woodpecker.ar21.de
         secretName: woodpecker-tls-key
   statefulSet:
     replicaCount: 1