clank/kubernetes-state
1
0
Fork 0
Code Issues 1 Pull Requests 1 Projects Releases Wiki Activity

Compare commits

base: clank:6ff24b8df0f2a4be3380335177dbc3fd206458a6
Branches Tags
clank:main clank:renovate/all
...
compare: clank:main
Branches Tags
clank:renovate/all clank:main

126 Commits
6ff24b8df0 ... main

Author SHA1 Message Date
Kasper Juul Hermansen
de229e6473 Update dependency fluxcd/flux2 to v2.5.1
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2025-02-26 01:45:05 +00:00
Kasper Juul Hermansen
29caf72a1b Update dependency fluxcd/flux2 to v2.5.0
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2025-02-21 01:52:00 +00:00
Kasper Juul Hermansen
730269f97a Update dependency fluxcd/flux2 to v2.4.0
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2024-10-01 00:43:43 +00:00
Kasper Juul Hermansen
ab8865c6a8 Update dependency fluxcd/flux2 to v2.2.1
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2023-12-15 10:42:14 +00:00
Kasper Juul Hermansen
a85f805a4d Update dependency fluxcd/flux2 to v2.2.0
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2023-12-12 15:56:20 +00:00
Kasper Juul Hermansen
bc80546f04 Update dependency fluxcd/flux2 to v2.1.2
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2023-10-12 14:03:42 +00:00
Kasper Juul Hermansen
e48d4c740d Update dependency fluxcd/flux2 to v2.1.1
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2023-09-19 12:22:26 +00:00
Kasper Juul Hermansen
5e610148e1 Update dependency fluxcd/flux2 to v2.1.0
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2023-08-24 12:42:35 +00:00
Kasper Juul Hermansen
44ec664257 Update dependency fluxcd/flux2 to v2
Some checks reported errors
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build encountered an error
Details
2023-07-23 10:52:19 +00:00
Kasper Juul Hermansen
40065f9066 Update dependency fluxcd/flux2 to v0.41.2
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2023-03-21 19:10:24 +00:00
Kasper Juul Hermansen
52109204e1 Update dependency fluxcd/flux2 to v0.41.1
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2023-03-10 15:36:13 +00:00
Kasper Juul Hermansen
858cb421ca Update dependency fluxcd/flux2 to v0.41.0
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2023-03-09 19:17:57 +00:00
Kasper Juul Hermansen
0f76adc9d1 Update dependency fluxcd/flux2 to v0.40.2
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2023-02-28 15:57:36 +00:00
Kasper Juul Hermansen
70c47fcd51 Update dependency fluxcd/flux2 to v0.38.2
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2022-12-22 14:19:08 +00:00
Kasper Juul Hermansen
40dd60fcab Update dependency fluxcd/flux2 to v0.38.1
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2022-12-22 10:44:46 +00:00
Kasper Juul Hermansen
7608d03c2a Update dependency fluxcd/flux2 to v0.37.0
All checks were successful
continuous-integration/drone/pr Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2022-11-22 17:31:22 +00:00
kjuulh
1fae8a6704 Add .drone.yml 2022-10-26 16:16:23 +02:00
kjuulh
66579bbe93 Add .drone.yml
Some checks reported errors
continuous-integration/drone Build encountered an error
Details
2022-10-26 11:29:59 +02:00
Kasper Juul Hermansen
967476d960 Merge pull request 'Configure Renovate' (#1) from renovate/configure into main 
Reviewed-on: https://git.front.kjuulh.io/clank/kubernetes-state/pulls/1
 2022-10-25 20:55:25 +00:00
Kasper Juul Hermansen
d3052ce240 Add renovate.json 2022-10-25 20:53:57 +00:00
kjuulh
268b4693cf Add ability to create dbs 2022-06-04 17:10:05 +02:00
kjuulh
887424946f Add postgres 2022-06-04 16:08:41 +02:00
kjuulh
fee24bc228 Add emberstack to sources 2022-06-04 15:50:04 +02:00
kjuulh
cd5113b661 Add reflector for secret 2022-06-04 15:49:11 +02:00
kjuulh
c2c4d249e9 Add reflector 2022-06-04 15:47:33 +02:00
kjuulh
c585e7497d Add traefik ingress 2022-06-04 15:41:02 +02:00
kjuulh
1c141714a3 Added certificate 2022-06-04 15:38:49 +02:00
kjuulh
35e4ed430e Add sealed secret for cluster-issuer 2022-06-04 15:36:03 +02:00
kjuulh
a5940a3bb6 Add namespace 2022-06-04 15:25:11 +02:00
kjuulh
58b285eb6f Added sealed secrets 2022-06-04 15:23:13 +02:00
kjuulh
0ae9832801 Add install CRDs 2022-06-04 15:13:04 +02:00
kjuulh
cf650782be Added cert-manager 2022-06-04 15:08:47 +02:00
kjuulh
634389d6f7 Added jetstack charts 2022-06-04 15:02:02 +02:00
kjuulh
743dc036a7 Without linebreaks 2022-06-04 14:56:52 +02:00
kjuulh
39e8770a4f Added traefik config 2022-06-04 14:55:22 +02:00
kjuulh
9065daf3de Refresh release 2022-06-04 14:44:44 +02:00
kjuulh
2dfe1af11e Add nginx release 2022-06-04 14:37:58 +02:00
Flux
db3a41fcc1 Add Flux sync manifests 2022-06-04 14:24:32 +02:00
Flux
a5de857abc Add Flux v0.30.2 component manifests 2022-06-04 14:24:22 +02:00
kjuulh
ec3de3bcf2 Added base cluster 2022-06-04 14:13:26 +02:00
kjuulh
87a9790081 Removed everything 2022-06-04 00:57:54 +02:00
kjuulh
32ca369e16 Set minutes 2022-05-14 23:05:26 +02:00
kjuulh
799059ad75 Add namespace 2022-05-14 21:52:43 +02:00
kjuulh
b35900ee4a Add path 2022-05-14 21:51:32 +02:00
kjuulh
9d937c164a Add release 2022-05-14 21:41:15 +02:00
kjuulh
d1bd8dfca9 Added postgres base 2022-05-14 21:28:38 +02:00
kjuulh
f86082455e Remove release from plan 2022-05-11 11:35:20 +02:00
kjuulh
693ecf9d12 Set info in kubernetes 2022-05-11 11:24:28 +02:00
kjuulh
228812130d Add darklight to traefik service 2022-05-10 12:09:55 +02:00
kjuulh
9b2f642a13 Set tag latest 2022-05-10 12:04:11 +02:00
kjuulh
5cc42cfbef Add image pinning 2022-05-10 11:59:58 +02:00
kjuulh
0300f62dec Add health check endpoint 2022-05-10 11:56:27 +02:00
kjuulh
9325619310 Remove namespace from server 2022-05-10 11:43:25 +02:00
kjuulh
a304d25730 Add darklight app 2022-05-10 11:41:55 +02:00
kjuulh
7485edc45e set service to correct app 2022-05-10 09:49:10 +02:00
kjuulh
d2de4f9c83 Add namespace wishlist 2022-05-09 17:26:26 +02:00
kjuulh
669ff1ad29 Add debug logging 2022-05-09 17:24:31 +02:00
kjuulh
b9adb461e2 WIP: again... 2022-05-09 17:09:27 +02:00
kjuulh
90e8f64a18 Add another again... 2022-05-09 17:04:56 +02:00
kjuulh
8c04aac4ad Add providers 2022-05-09 16:59:55 +02:00
kjuulh
dfd2fee3ac Adding to existing 2022-05-09 16:54:45 +02:00
kjuulh
f64566981a Trying to set other namespace 2022-05-09 16:53:11 +02:00
kjuulh
8022b1c619 Add more ingress 2022-05-09 16:50:09 +02:00
kjuulh
d5a44fbf63 Fix missing ips 2022-05-09 16:45:35 +02:00
kjuulh
43dfb611d4 Add values to kustomization 2022-05-09 16:43:17 +02:00
kjuulh
82eb04b89c Add helm chart config again 2022-05-09 16:42:54 +02:00
kjuulh
6cd65eef9c Remove traefik config 2022-05-09 16:15:36 +02:00
kjuulh
53b9b067b7 add config 2022-05-09 16:12:15 +02:00
kjuulh
a7ee800fc9 set certificate 2022-05-09 15:58:18 +02:00
kjuulh
abb593b2ec Remove cert manager 2022-05-09 15:56:53 +02:00
kjuulh
aecda14ba1 Put in correct namespace 2022-05-09 15:35:11 +02:00
kjuulh
bf7dbed1ef Removed duplicate 2022-05-09 15:31:15 +02:00
kjuulh
ec030e6d9a Add namespace to release 2022-05-09 15:24:36 +02:00
kjuulh
2afedbf9e6 Add traefik yaml 2022-05-09 15:23:29 +02:00
kjuulh
958afc9ee0 Removed optional 2022-05-09 15:09:22 +02:00
kjuulh
f89656f1e5 removed ssl from traefik 2022-05-09 15:06:44 +02:00
kjuulh
19dcbb44e3 Remove wishlist ingress 2022-05-09 15:02:33 +02:00
kjuulh
e0fc1c7711 Add kubesystem to provider 2022-05-09 14:58:46 +02:00
kjuulh
66f6f11bbc Target namespace 2022-05-09 14:57:08 +02:00
kjuulh
14db42b419 Remove default namespace from app 2022-05-09 14:55:56 +02:00
kjuulh
be4ba3a0ff Remove namespace traefik 2022-05-09 14:53:51 +02:00
kjuulh
90ae3a29b7 Fixed typo 2022-05-09 14:52:42 +02:00
kjuulh
d5a71839ef With namespace 2022-05-09 14:50:03 +02:00
kjuulh
d4308a345b Set correct path for apps 2022-05-09 14:43:22 +02:00
kjuulh
f84530cfca Changed ingress name 2022-05-09 14:29:16 +02:00
kjuulh
4e273c959e Deleted unneeded defs and created more kustomizations 2022-05-09 14:27:44 +02:00
kjuulh
1e42c99a3a WIP: change namespace 2022-05-09 14:20:05 +02:00
kjuulh
4ee1cac229 Trying without namespace 2022-05-09 14:10:16 +02:00
kjuulh
a6ce5f914a Reflect secrets 2022-05-09 13:54:45 +02:00
kjuulh
4efaf06b64 Set proper version 2022-05-09 13:52:56 +02:00
kjuulh
75fca6b0c1 Remove namespace 2022-05-09 13:51:26 +02:00
kjuulh
6e0eea5b7b Add namespace again 2022-05-09 13:50:13 +02:00
kjuulh
59e45ec0d0 Add namespace 2022-05-09 13:48:53 +02:00
kjuulh
222ec38424 Remove namespace 2022-05-09 13:47:44 +02:00
kjuulh
f061d3854f Set name 2022-05-09 13:45:51 +02:00
kjuulh
282a4e02ad WIP: another namespace 2022-05-09 13:44:07 +02:00
kjuulh
0b4f90a9ee Correcting namespaces 2022-05-09 13:25:52 +02:00
kjuulh
eeab691061 set correct path 2022-05-09 13:17:37 +02:00
kjuulh
1433bb5dfb Add sources 2022-05-09 13:15:50 +02:00
kjuulh
e449124542 Move under provider 2022-05-09 12:46:02 +02:00
kjuulh
29e11d3066 Add kubernetes ingress 2022-05-09 12:45:03 +02:00
kjuulh
9d6860e8e1 add providers 2022-05-09 12:42:32 +02:00
kjuulh
ceac248016 Readd stuff 2022-05-09 12:36:59 +02:00
kjuulh
498986f8e1 Remove empty struct 2022-05-09 12:34:09 +02:00
kjuulh
d25449bf71 namespace ingress to local 2022-05-09 12:17:26 +02:00
kjuulh
2f38c77ca8 trying to add to existing 2022-05-09 12:10:30 +02:00
kjuulh
7d329e79bf Set service name 2022-05-09 12:00:38 +02:00
kjuulh
3c081f18ba Add forwarding 2022-05-09 11:03:01 +02:00
kjuulh
9fe18f3223 Move service 2022-05-09 10:37:27 +02:00
kjuulh
7ad2493a47 Trying another service name 2022-05-09 10:35:07 +02:00
kjuulh
a00bba6e80 With probes 2022-05-09 10:32:30 +02:00
kjuulh
040874618b Set port 2022-05-09 10:25:12 +02:00
kjuulh
39b0f6d200 Fix service name 2022-05-09 10:22:24 +02:00
kjuulh
c95d60e981 Add ingress to wishlist 2022-05-09 10:21:34 +02:00
kjuulh
fabeb43c2d With production url 2022-05-09 10:08:01 +02:00
kjuulh
15157b63ca Set real domain 2022-05-09 09:51:37 +02:00
kjuulh
6fc55510cc Fix string in cert 2022-05-09 09:47:51 +02:00
kjuulh
f15efe40f6 Add helm chart 2022-05-09 09:46:08 +02:00
kjuulh
83a5b0d35f Add dnsNames 2022-05-08 23:02:24 +02:00
kjuulh
d9400ea147 New sealed secret 2022-05-08 22:59:29 +02:00
kjuulh
23eaa48c32 Setting proper indentation 2022-05-08 22:49:18 +02:00
kjuulh
0746c27fff Add certificate issuer 2022-05-08 22:46:20 +02:00
kjuulh
1680314c35 Trying yaml 2022-05-08 22:44:25 +02:00
kjuulh
aab06ad109 set namespace 2022-05-08 22:35:04 +02:00
kjuulh
5cfe43fdad add sealed 2022-05-08 22:32:24 +02:00
kjuulh
3b6ac274b7 add sealed 2022-05-08 22:31:39 +02:00
45 changed files with 13000 additions and 5806 deletions
Expand all files Collapse all files

9
.drone.yml Executable file
View File

@@ -0,0 +1,9 @@
kind: pipeline
type: docker
name: "test"
steps:
- name: test
image: harbor.front.kjuulh.io/docker-proxy/library/bash:latest
commands:
- echo 'Run tests'

6
apps/base/nginx/kustomization.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: nginx
resources:
- namespace.yaml
- release.yaml

4
apps/base/nginx/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: nginx

21
apps/base/nginx/release.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: nginx
namespace: nginx
spec:
releaseName: nginx
chart:
spec:
chart: nginx
sourceRef:
kind: HelmRepository
name: bitnami
namespace: flux-system
interval: 5m
install:
remediation:
retries: 3
values:
service:
type: ClusterIP

4
apps/production/kustomization.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base/nginx

65
clank/apps/prod/wishlist/app.yaml
View File

@@ -1,65 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: wishlist
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wishlist-ingress
namespace: wishlist
annotations:
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.tls.certresolver: le
spec:
tls:
- hosts:
- wishlist.kjuulh.app
rules:
- host: wishlist.kjuulh.app
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: wishlist-service
port:
number: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: wishlist-deployment
namespace: wishlist
labels:
app: wishlist
spec:
replicas: 3
selector:
matchLabels:
app: wishlist
template:
metadata:
labels:
app: wishlist
spec:
containers:
- name: wishlist
image: kasperhermansen/wishlist-2022
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: wishlist-service
namespace: wishlist
spec:
ports:
- port: 80
protocol: TCP
targetPort: 80
selector:
run: wishlist

12
clank/apps/test/podinfo-source.yaml
View File

@@ -1,12 +0,0 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
name: podinfo
namespace: flux-system
spec:
interval: 30s
ref:
branch: master
url: https://github.com/stefanprodan/podinfo

15
clank/clusters/platform/cert-manager/cert-manager.yaml
View File

@@ -1,15 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: cert-manager
namespace: platform
spec:
interval: 30m0s
retryInterval: 30s
path: ./clank/platform/cert-manager
prune: true
sourceRef:
kind: GitRepository
name: cert-manager
targetNamespace: default

15
clank/clusters/platform/sealed-secrets/sealed-secrets.yaml
View File

@@ -1,15 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: sealed-secrets
namespace: platform
spec:
interval: 30m0s
retryInterval: 30s
path: ./clank/platform/sealed-secrets
prune: true
sourceRef:
kind: GitRepository
name: sealed-secrets
namespace: flux-system

15
clank/clusters/platform/traefik/traefik.yaml
View File

@@ -1,15 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: traefik
namespace: platform
spec:
interval: 30m0s
retryInterval: 30s
path: ./clank/platform/traefik
prune: true
sourceRef:
kind: GitRepository
name: traefik
namespace: flux-system

15
clank/clusters/prod/wishlist/app.yaml
View File

@@ -1,15 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: wishlist
namespace: prod
spec:
interval: 10m0s
retryInterval: 30s
path: ./clank/apps/prod/wishlist
prune: true
sourceRef:
kind: GitRepository
name: apps
targetNamespace: default

5388
clank/platform/cert-manager/cert-manager.yaml
View File

File diff suppressed because it is too large Load Diff

21
clank/platform/cert-manager/certificate.yaml
View File

@@ -1,21 +0,0 @@
#apiVersion: cert-manager.io/v1
#kind: ClusterIssuer
#metadata:
# name: letsencrypt-issuer
#spec:
# acme:
# # You must replace this email address with your own.
# # Let's Encrypt will use this to contact you about expiring
# # certificates, and issues related to your account.
# email: contact@kjuulh.io
# server: https://acme-staging-v02.api.letsencrypt.org/directory
# privateKeySecretRef:
# # Secret resource that will be used to store the account's private key.
# name: letsencrypt-issuer-secret
# # Add a single challenge solver, HTTP01 using nginx
# solvers:
# - dns01:
# cloudflare:
# apiTokenSecretRef:
# name: cloudflare-api-token-secret
# key: api-token

252
clank/platform/sealed-secrets/controller.yaml
View File

@@ -1,252 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations: {}
labels:
name: sealed-secrets-service-proxier
name: sealed-secrets-service-proxier
namespace: kube-system
rules:
- apiGroups:
- ""
resourceNames:
- sealed-secrets-controller
resources:
- services
verbs:
- get
- apiGroups:
- ""
resourceNames:
- 'http:sealed-secrets-controller:'
- sealed-secrets-controller
resources:
- services/proxy
verbs:
- create
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations: {}
labels:
name: sealed-secrets-key-admin
name: sealed-secrets-key-admin
namespace: kube-system
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
name: sealed-secrets-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: secrets-unsealer
subjects:
- kind: ServiceAccount
name: sealed-secrets-controller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations: {}
labels:
name: secrets-unsealer
name: secrets-unsealer
rules:
- apiGroups:
- bitnami.com
resources:
- sealedsecrets
verbs:
- get
- list
- watch
- apiGroups:
- bitnami.com
resources:
- sealedsecrets/status
verbs:
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- create
- update
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: v1
kind: ServiceAccount
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
name: sealed-secrets-controller
namespace: kube-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
name: sealed-secrets-controller
namespace: kube-system
spec:
minReadySeconds: 30
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
name: sealed-secrets-controller
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
spec:
containers:
- args: []
command:
- controller
env: []
image: docker.io/bitnami/sealed-secrets-controller:v0.17.5
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /healthz
port: http
name: sealed-secrets-controller
ports:
- containerPort: 8080
name: http
readinessProbe:
httpGet:
path: /healthz
port: http
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1001
stdin: false
tty: false
volumeMounts:
- mountPath: /tmp
name: tmp
imagePullSecrets: []
initContainers: []
securityContext:
fsGroup: 65534
serviceAccountName: sealed-secrets-controller
terminationGracePeriodSeconds: 30
volumes:
- emptyDir: {}
name: tmp
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: sealedsecrets.bitnami.com
spec:
group: bitnami.com
names:
kind: SealedSecret
listKind: SealedSecretList
plural: sealedsecrets
singular: sealedsecret
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
spec:
type: object
x-kubernetes-preserve-unknown-fields: true
status:
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: v1
kind: Service
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
name: sealed-secrets-controller
namespace: kube-system
spec:
ports:
- port: 8080
targetPort: 8080
selector:
name: sealed-secrets-controller
type: ClusterIP
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations: {}
labels:
name: sealed-secrets-service-proxier
name: sealed-secrets-service-proxier
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: sealed-secrets-service-proxier
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations: {}
labels:
name: sealed-secrets-controller
name: sealed-secrets-controller
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: sealed-secrets-key-admin
subjects:
- kind: ServiceAccount
name: sealed-secrets-controller
namespace: kube-system

16
clusters/production/apps.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: apps
namespace: flux-system
spec:
interval: 10m0s
dependsOn:
- name: infrastructure
sourceRef:
kind: GitRepository
name: flux-system
path: ./apps/production
prune: true
wait: true
timeout: 5m0s

12584
clusters/production/flux-system/gotk-components.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

27
clusters/production/flux-system/gotk-sync.yaml Normal file
View File

@@ -0,0 +1,27 @@
# This manifest was generated by flux. DO NOT EDIT.
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
name: flux-system
namespace: flux-system
spec:
interval: 1m0s
ref:
branch: main
secretRef:
name: flux-system
url: ssh://git@git.front.kjuulh.io/clank/kubernetes-state.git
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: flux-system
namespace: flux-system
spec:
interval: 10m0s
path: ./clusters/production
prune: true
sourceRef:
kind: GitRepository
name: flux-system

5
clusters/production/flux-system/kustomization.yaml Normal file
View File

@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml

11
clank/apps/test/podinfo-kustomization.yaml → clusters/production/infrastructure.yaml
View File

@@ -1,15 +1,12 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: podinfo
name: infrastructure
namespace: flux-system
spec:
interval: 10m0s
retryInterval: 30s
path: ./kustomize
prune: true
sourceRef:
kind: GitRepository
name: podinfo
targetNamespace: default
name: flux-system
path: ./infrastructure
prune: true

20
infrastructure/cert-manager/certificate.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: clank
namespace: cert-manager
spec:
commonName: kjuulh.app
secretName: clank-cert
dnsNames:
- kjuulh.app
- "*.kjuulh.app"
issuerRef:
name: letsencrypt-issuer
kind: ClusterIssuer
secretTemplate:
annotations:
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "kube-system" # Control destination namespaces
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" # Auto create reflection for matching namespaces
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "kube-system" #

16
infrastructure/cert-manager/cloudflare-secret.sealed.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: cloudflare-api-token-secret
namespace: cert-manager
spec:
encryptedData:
api-token: AgBfxV2k7bG5Zf9KIvaSGwgisxhpi6Wxg6TlgIqdJmARkWezhnM7kc41oU2FxK2rOroYF4ailxBJVbCyeCSPoaPu7sn9Fc7+EgGvlb1DOHKvLVLXoAdu3b1opta6gYi05Uzc8anU9uAsMoEJFcn71RTzFIGNMVKVs2VovtajtRf6UW61kNaC54wmMPuhEYsYKYs75sCc/CgmhMD7P8bx6/b6f7QnsksP07mR5GXS1Q8DePu4dHGx9FhMNXVu+lajyd6wW2eLk0EqzNsZ1cSoK3gZrbpKtHGOkuO6TIoBPAgtgqN8wQzurFkeHowTuEU7GMas0FJtP5b/uH0GwKzYeKvqLvX2LLybwiD/idb/fGSZiPIdk5g3ENSOa8bUiVB78mVGXfSWmVcJCAmKY5uB7vRxq44jZI6eTvalrZoAFKF0zzHi1PBTOimgiDUWJXNd6gVORcqqvsbuAOYi/8KzBSXd+qR+EGbAfYgC/0UAhQPr2uuH0MP1x2gnOLtulxU5oRMvtSzMVZrv85qGrkp1KOtK5oQoDT6kgNZKJ6FBV8JsKhISPUGdM0xsgH+cXyqVZ73UlyohaiPYVHpvoRtcMMw0zQM/tQnhMdstEKQgsSGuzg8g7cOgv2aiYFL1sfm08XEofCBeBXrTNodxAa77I4KnNeB1tbR/WXdX/kzLxb0aGheCxsv8nDU3KJyrvAbRj9wVL3hnBnIc6p/bg8KPLrJkp2Qe+3ree/7Wma0+qhlswdvjLn4dGeb9
template:
data: null
metadata:
creationTimestamp: null
name: cloudflare-api-token-secret
namespace: cert-manager

25
infrastructure/cert-manager/cluster-issuer.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-issuer
spec:
acme:
# You must replace this email address with your own.
# Let's Encrypt will use this to contact you about expiring
# certificates, and issues related to your account.
email: contact@kasperhermansen.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
# Secret resource that will be used to store the account's private key.
name: letsencrypt-issuer-secret
# Add a single challenge solver, HTTP01 using nginx
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-api-token-secret
key: api-token
selector:
dnsNames:
- 'kjuulh.app'
- '*.kjuulh.app'

15
infrastructure/cert-manager/create-secret.sh Executable file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
echo "Encrypt secret with 'sealed-secrets'"
kubectl -n default create secret generic cloudflare-api-token-secret \
--from-literal=api-token="$1" \
--namespace="cert-manager" \
--dry-run=client \
-o yaml > cloudflare-secret.yaml
echo "secret: $1"
kubeseal \
--format=yaml \
--controller-name=sealed-secrets \
--controller-namespace=kube-system \
< cloudflare-secret.yaml > cloudflare-secret.sealed.yaml
echo "Updated/created secret"
rm cloudflare-secret.yaml

9
infrastructure/cert-manager/kustomization.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cert-manager
resources:
- namespace.yaml
- release.yaml
- cloudflare-secret.sealed.yaml
- cluster-issuer.yaml
- certificate.yaml

4
infrastructure/cert-manager/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager

22
infrastructure/cert-manager/release.yaml Normal file
View File

@@ -0,0 +1,22 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: cert-manager
namespace: cert-manager
spec:
releaseName: cert-manager
chart:
spec:
chart: cert-manager
sourceRef:
kind: HelmRepository
name: jetstack
namespace: flux-system
interval: 30m
install:
remediation:
retries: 3
values:
installCRDs: true
service:
type: ClusterIP

9
infrastructure/kustomization.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- sources
- traefik
- cert-manager
- sealed-secrets
- reflector
- postgres

17
infrastructure/postgres/create-db.sh Executable file
View File

@@ -0,0 +1,17 @@
#!/bin/bash
set -e
SUBJECT=$1
PGPASSWORD=$2
PASSWORD=$(openssl rand -hex 20)
ID=$(openssl rand -hex 5)
kubectl run "postgres-client-$ID" --rm -i --image "bitnami/postgresql" -n postgres --env="PGPASSWORD=$PGPASSWORD" --command -- psql --host postgres-postgresql -U postgres <<SQL
CREATE DATABASE $SUBJECT;
CREATE USER $SUBJECT with encrypted password '$PASSWORD';
grant all privileges on database $SUBJECT to $SUBJECT;
SQL
echo "$PASSWORD"

6
infrastructure/postgres/kustomization.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: postgres
resources:
- namespace.yaml
- release.yaml

4
infrastructure/postgres/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: postgres

7
infrastructure/postgres/port-forward-db.sh Executable file
View File

@@ -0,0 +1,7 @@
#!/bin/bash
set -e
PGPASSWORD=$1
kubectl run postgres-client --rm --tty -i --image "bitnami/postgresql" -n postgres --env="PGPASSWORD=$PGPASSWORD" --command -- psql --host postgres-postgresql -U postgres

21
infrastructure/postgres/release.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: postgres
spec:
releaseName: postgres
chart:
spec:
chart: postgresql
sourceRef:
kind: HelmRepository
name: bitnami
namespace: flux-system
version: "11.6.3"
interval: 1h0m0s
install:
remediation:
retries: 3
values:
global:
storageClass: hcloud-volumes

6
infrastructure/reflector/kustomization.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: reflector
resources:
- namespace.yaml
- release.yaml

4
infrastructure/reflector/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: reflector

18
infrastructure/reflector/release.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: reflector
spec:
releaseName: reflector
chart:
spec:
chart: reflector
sourceRef:
kind: HelmRepository
name: emberstack
namespace: flux-system
version: "6.1.47"
interval: 1h0m0s
install:
remediation:
retries: 3

4
infrastructure/sealed-secrets/kustomization.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- release.yaml

18
infrastructure/sealed-secrets/release.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: sealed-secrets
namespace: kube-system
spec:
releaseName: sealed-secrets
chart:
spec:
chart: sealed-secrets
sourceRef:
kind: HelmRepository
name: bitnami
namespace: flux-system
interval: 30m
install:
remediation:
retries: 3

7
infrastructure/sources/bitnami.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: bitnami
spec:
interval: 30m
url: https://charts.bitnami.com/bitnami

7
infrastructure/sources/emberstack.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: emberstack
spec:
interval: 30m
url: https://emberstack.github.io/helm-charts

7
infrastructure/sources/jetstack.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: jetstack
spec:
interval: 30m
url: https://charts.jetstack.io

7
infrastructure/sources/kustomization.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
resources:
- bitnami.yaml
- jetstack.yaml
- emberstack.yaml

57
infrastructure/traefik/helmconfig.yaml Normal file
View File

@@ -0,0 +1,57 @@
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: traefik
namespace: kube-system
spec:
failurePolicy: abort
valuesContent: |
logs:
general:
level: INFO
providers:
kubernetesCRD:
enabled: true
allowCrossNamespace: true
allowExternalNameServices: true
# ingressClass: traefik-internal
# labelSelector: environment=production,method=traefik
namespaces:
- "default"
- "kube-system"
kubernetesIngress:
enabled: true
allowExternalNameServices: true
allowEmptyServices: true
# ingressClass: traefik-internal
# labelSelector: environment=production,method=traefik
namespaces:
- "default"
- "kube-system"
# IP used for Kubernetes Ingress endpoints
publishedService:
enabled: true
# Published Kubernetes Service to copy status from. Format: namespace/servicename
# By default this Traefik service
# pathOverride: ""
service:
enabled: true
type: LoadBalancer
annotations:
"load-balancer.hetzner.cloud/name": "clank"
# make hetzners load-balancer connect to our nodes via our private k3s
"load-balancer.hetzner.cloud/use-private-ip": "true"
# keep hetzner-ccm from exposing our private ingress ip, which in general isn't routeable from the public internet
"load-balancer.hetzner.cloud/disable-private-ingress": "true"
# disable ipv6 by default, because external-dns doesn't support AAAA for hcloud yet https://github.com/kubernetes-sigs/external-dns/issues/2044
"load-balancer.hetzner.cloud/ipv6-disabled": "true"
"load-balancer.hetzner.cloud/location": "fsn1"
"load-balancer.hetzner.cloud/type": "lb11"
"load-balancer.hetzner.cloud/uses-proxyprotocol": "true"
additionalArguments:
- "--entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,10.0.0.0/8"
- "--entryPoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,10.0.0.0/8"
- "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
- "--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
- "--providers.kubernetescrd.allowCrossNamespace=true"

3
clank/platform/traefik/ingress.yaml → infrastructure/traefik/ingress.yaml
View File

@@ -1,4 +1,3 @@
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
@@ -14,3 +13,5 @@ spec:
services: # Service to redirect requests to
- name: api@internal # Special service created by Traefik pod
kind: TraefikService
tls:
secretName: clank-cert

5
infrastructure/traefik/kustomization.yaml Normal file
View File

@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helmconfig.yaml
- ingress.yaml

3
renovate.json Normal file
View File

@@ -0,0 +1,3 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json"
}