This commit is contained in:
Brieuc Dubois 2023-04-16 15:04:06 +02:00 committed by Bhasher
parent 30672ed4bb
commit e42ab413b8
238 changed files with 115967 additions and 0 deletions


@ -0,0 +1,78 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: mealie
namespace: cloud
labels:
app: mealie
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 0
revisionHistoryLimit: 1
selector:
matchLabels:
app: mealie
template:
metadata:
labels:
app: mealie
spec:
containers:
- name: mealie
image: hkotel/mealie:latest
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: mealie
- secretRef:
name: mealie
---
apiVersion: v1
kind: Service
metadata:
name: mealie
namespace: cloud
spec:
type: ClusterIP
selector:
app: mealie
ports:
- name: http
port: 80
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: mealie
namespace: cloud
annotations:
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "cook.bhasher.com"
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method request_method;
nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method request_method;
spec:
ingressClassName: nginx
tls:
- hosts:
- cook.bhasher.com
secretName: mealie-tls
rules:
- host: cook.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: mealie
port:
number: 80
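Review bot: The `auth-snippet` and `configuration-snippet` annotations on L64/L66 set `X-Forwarded-Method` to the literal string `request_method` rather than the nginx variable — as rendered here the `$` is missing (the commented-out hass ingress later in this commit writes `$request_method`), so the Authelia verify endpoint never sees the real HTTP method and method-based access rules cannot work; change both to `proxy_set_header X-Forwarded-Method $request_method;`. The container runs `hkotel/mealie:latest` with `imagePullPolicy: IfNotPresent`, which makes the deployed version whatever each node happens to have cached; pin a version tag or digest. There is no `securityContext` or `resources` stanza, so the pod runs as the image's default user with unbounded CPU and memory. Note `replicas: 0`, so none of this is live until the deployment is scaled up.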


@ -0,0 +1,18 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: mealie
namespace: cloud
data:
DB_ENGINE: postgres
POSTGRES_USER: mealie
POSTGRES_SERVER: postgres.storage.svc.cluster.local
POSTGRES_PORT: "5432"
POSTGRES_DB: mealie
DEFAULT_GROUP: Home
BASE_URL: https://cook.bhasher.com
# LDAP_AUTH_ENABLED: true
# LDAP_SERVER_URL: ldap.idp.svc.cluster.local
# LDAP_BIND_TEMPLATE: uid={},ou=users,dc=bhasher,dc=com
# LDAP_ADMIN_FILTER: memberOf=cn=admin,ou=groups,dc=bhasher,dc=com


@ -0,0 +1,16 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: mealie
namespace: cloud
spec:
encryptedData:
POSTGRES_PASSWORD: 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
template:
data: null
metadata:
creationTimestamp: null
name: mealie
namespace: cloud


@ -0,0 +1,128 @@
apiVersion: v1
kind: Namespace
metadata:
name: cloud
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud
namespace: cloud
spec:
storageClassName: longhorn-static
accessModes:
- ReadWriteMany
resources:
requests:
storage: 25Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nextcloud
namespace: cloud
labels:
app: nextcloud
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
app: nextcloud
template:
metadata:
labels:
app: nextcloud
spec:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- nextcloud
topologyKey: kubernetes.io/hostname
weight: 100
containers:
- name: nextcloud
image: nextcloud:latest
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: nextcloud
- secretRef:
name: nextcloud
volumeMounts:
- name: nextcloud
mountPath: /var/www/html
readOnly: false
- name: configs-file
mountPath: /var/www/html/config/sso.config.php
subPath: sso.config.php
readOnly: true
- name: configs-file
mountPath: /var/www/html/config/custom.config.php
subPath: custom.config.php
readOnly: true
volumes:
- name: nextcloud
persistentVolumeClaim:
claimName: nextcloud
- name: configs-file
configMap:
name: nextcloud-configs-file
---
apiVersion: v1
kind: Service
metadata:
name: nextcloud
namespace: cloud
spec:
type: ClusterIP
selector:
app: nextcloud
ports:
- name: http
port: 80
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nextcloud
namespace: cloud
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 5G
nginx.ingress.kubernetes.io/client-body-buffer-size: 250M;
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "nextcloud.bhasher.com"
spec:
ingressClassName: nginx-external
tls:
- hosts:
- nextcloud.bhasher.com
secretName: nextcloud-tls
rules:
- host: nextcloud.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nextcloud
port:
number: 80
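Review bot: `nginx.ingress.kubernetes.io/client-body-buffer-size: 250M;` on L228 carries a trailing semicolon; the controller interpolates this value into a `client_body_buffer_size` directive, so the `;` either produces an invalid nginx config or is rejected by annotation validation — write `client-body-buffer-size: 250M`. The image is `nextcloud:latest` with `IfNotPresent`, so the running version is whatever a node last cached and upgrades happen whenever a pod is rescheduled to a fresh node; pin a tag or digest. Nothing constrains the pod (no `securityContext`, no `resources`), and there is no `readinessProbe`, so the Service routes traffic to the pod during the slow first-run installation.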


@ -0,0 +1,50 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: nextcloud
namespace: cloud
data:
POSTGRES_HOST: postgres.storage.svc.cluster.local
POSTGRES_DB: nextcloud
POSTGRES_USER: nextcloud
NEXTCLOUD_ADMIN_USER: admin
NEXTCLOUD_TRUSTED_DOMAINS: nextcloud.bhasher.com
NEXTCLOUD_INIT_LOCK: "true"
REDIS_HOST: redis.storage.svc.cluster.local
SMTP_HOST: smtp.bhasher.com
SMTP_SECURE: ssl
SMTP_PORT: "465"
SMTP_NAME: no-reply@bhasher.com
MAIL_FROM_ADDRESS: "Nextcloud <no-reply@bhasher.com>"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nextcloud-configs-file
namespace: cloud
data:
sso.config.php: |
<?php
$CONFIG = array(
'oidc_login_proxy_ldap' => true,
'oidc_login_provider_url' => 'https://idp.bhasher.com',
'oidc_login_client_id' => 'nextcloud',
'oidc_login_client_secret' => (string) getenv('SSO_CLIENT_SECRET'),
'oidc_login_auto_redirect' => true,
'oidc_login_button_text' => 'Authelia',
'oidc_login_scope' => 'openid profile',
'oidc_login_tls_verify' => false,
'overwriteprotocol' => 'https',
'oidc_login_attributes' => array (
'ldap_uid' => 'preferred_username',
),
'oidc_login_password_authentication' => true,
);
custom.config.php: |
<?
$CONFIG = array(
'trashbin_retention_obligation' => 'auto, 7',
);
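Review bot: `'oidc_login_tls_verify' => false` on L287 disables certificate verification for every call to `https://idp.bhasher.com`, so an on-path attacker between Nextcloud and the IdP can present any certificate and forge the token/userinfo responses that log users in; the gitea deployment in this same commit already handles the private-CA case by mounting `bhasherCA.pem` under `/etc/ssl/certs/`, so do the same here and set `'oidc_login_tls_verify' => true`. `custom.config.php` on L295 opens with `<?` instead of `<?php`; with `short_open_tag` disabled (the default in recent PHP images) the file is not parsed and `trashbin_retention_obligation` is silently ignored. `NEXTCLOUD_ADMIN_USER: admin` in the ConfigMap is a predictable local admin login; with SSO enforced, a non-guessable name for the break-glass account is cheap hardening.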


@ -0,0 +1,19 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: nextcloud
namespace: cloud
spec:
encryptedData:
NEXTCLOUD_ADMIN_PASSWORD: AgCtQXeM5Jad8BsVy2ew27CUk7d1lEpL69C/rlcEsFPu1pp5Ap18yLS0t0OG/6iGsxNvQmrCQhui3ddEa1juKlw4yZ11IlPaZUSZVXzXMstkXLM8PU81152iD1P3MEun4r47K/P5KrgsEsZ9rLJRvwcrhm3OSuO+qSGsI3LIAG3cKD6xnZg97XEPGpRa+wcV1vCrb9ubz/UpZqCGKawfGI8fxFmfn7IqtVogQymc5s+JVkGYVLcMNI09P+OZuaFJN2zp3jJWgEEt1T8mNVNDZip1Mz+NyGkMx8f2n0PPkpBpK6Bz8sX1NFIsPY+Cu5XR450yf729xg9rH04/Fi3YL0H5D0RnIjTQzpfsraP9eXZ1DDSaIivlKS3yiX8VKUH7wa3ElYAJ72Tl4vCHKRL9vMFZeEmqL3qrDW0TnMcMfFBoD0pLy0Z/pP276+Te3Yxq8C9eCTinn60lfHG64OBJR6CCMPXqTn6RdHwhchXydLwYojccF/SU2sy2FGUrNHqWKeYv7/q4si9ke5lZJNJP05cjD0jBfcfzb9Qkc7Oi/ENF5OAU/KNwJnU52TL8DB1sl1JKyO2rZXhMfttqiSqAXKkgK0SmPQ3ii3F0kUPV0Zl5cAiEIXGXZOlyVDd6e/FfSzxfKjjBqA84EqfoU4j6zF0J+7CtP/DjZAhkMCDLYl1CTJt503xwdKzDhbWUzbXzcfHOSULqqpWyVyHTYMMvuzwrLQ8UZh9sK2ou5mMipRFP2MILwTGIRapqPmc2jLTP8PVr2zMvmLi4ayuo87nbeS1R
POSTGRES_PASSWORD: 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
SMTP_PASSWORD: AgBFkC/ZGhS0R4d0n81FfjiXggLCBP3wy+Dzto+z+YaCigcvCUYBQ1SL3UaVCEFZu/js8xYHTTELKC8YaO8LlGKL+/gCcCXC47ckGqmIiWWch4JZPMGBAsjILdN8n9HSAfHM667/9EvJMfMLcYbOv9z4EG0IamqYJUmedToRZx8rDGBv83SnoBK1daKAAPErvGyLvjXjGuMShPe0RCcFe/snHGKSvLdhnWVTHflbFmTCTIFZjR5U32hW5jW6H4co72N1zZcuqrwvdjve+Kie3weooxYTUwbZskV9zcfXyr97sif0ZAC6rIx4nYquJljHBJqi50sW3t/0SebjfVqu/UjTKuqQtoWXlmsd1JVxv1jzOqoCjS5XL+YxqU5OmJ3hEfowR/SMuMiIpU1+lR5mOPlbUCwUO2XTnk2/FeFCviJXyD2WfnsZhh8ipZpJtBExqWg4CMbcRJFIQUfCw8V4swjxVAVbYMWHPtcCpOP0vSsfimVMrru3r7yul835s+BCn3m8Gte07gsEC06it2u4DRiKB8jauHcoWeBfv7G8NyDvjCN0eNJ9YKvF9Dl5et5RG6kdaoUtIJ4KbV/6uNlimrpA7JomEbvfiDsBRXa1XV4jeimUFwVPSEdtXh4XG2Cy3u2YKXZv+LRVaSVwiMZy/pyo2G4rgshAWawjFeaBHv7hfhnxhSANF4FyyBa72ypWi33EwR9ZTQ1jMLucPqAXQfWMHzqyl3UERaE7sn/jzGGYxNz72wYDn2CGHHenPvKuvw9Uq5Ut2LoT5EVuenDKzeav
SSO_CLIENT_SECRET: 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
template:
data: null
metadata:
creationTimestamp: null
name: nextcloud
namespace: cloud


@ -0,0 +1,100 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: onlyoffice
namespace: cloud
labels:
app: onlyoffice
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
app: onlyoffice
template:
metadata:
labels:
app: onlyoffice
spec:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- onlyoffice
topologyKey: kubernetes.io/hostname
weight: 100
containers:
- name: onlyoffice
image: onlyoffice/documentserver:latest-arm64
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: onlyoffice
- secretRef:
name: onlyoffice
ports:
- name: http
containerPort: 80
livenessProbe:
httpGet:
path: /
port: http
failureThreshold: 3
periodSeconds: 10
startupProbe:
httpGet:
path: /
port: http
failureThreshold: 30
periodSeconds: 10
---
apiVersion: v1
kind: Service
metadata:
name: onlyoffice
namespace: cloud
spec:
type: ClusterIP
selector:
app: onlyoffice
ports:
- name: http
port: 80
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: onlyoffice
namespace: cloud
annotations:
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "onlyoffice.bhasher.com"
spec:
ingressClassName: nginx-external
tls:
- hosts:
- onlyoffice.bhasher.com
secretName: onlyoffice-tls
rules:
- host: onlyoffice.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: onlyoffice
port:
number: 80
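Review bot: `onlyoffice/documentserver:latest-arm64` with `IfNotPresent` on L359-L360 means the document server version differs per node cache and security fixes arrive unpredictably; pin a version tag or digest. The pod has no `securityContext` or `resources`, and the document server spawns conversion processes that can use large amounts of memory, so at least `resources.limits` is worth adding. The ingress is on `nginx-external` with no auth annotation; that is only acceptable because `JWT_ENABLED` is set in the ConfigMap, so a comment tying the two together would stop one being changed without the other.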


@ -0,0 +1,13 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: onlyoffice
namespace: cloud
data:
DB_TYPE: postgres
DB_HOST: postgres.storage.svc.cluster.local
DB_NAME: onlyoffice
DB_USER: onlyoffice
REDIS_SERVER_HOST: redis.storage.svc.cluster.local
USE_UNAUTHORIZED_STORAGE: "true"
JWT_ENABLED: "true"
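Review bot: `USE_UNAUTHORIZED_STORAGE: "true"` on L436 tells the document server to accept storage endpoints whose TLS certificate does not verify, which in practice disables certificate checking towards Nextcloud; since a private CA is in use, the cleaner fix is to add `bhasherCA.pem` to the container's trust store (as the gitea deployment does) and set this back to `"false"`. `JWT_ENABLED: "true"` is the right call for an externally reachable document server; confirm the Nextcloud connector is configured with the same `JWT_SECRET`, otherwise documents could be fetched without authorization.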


@ -0,0 +1,17 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: onlyoffice
namespace: cloud
spec:
encryptedData:
DB_PWD: 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
JWT_SECRET: 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
template:
data: null
metadata:
creationTimestamp: null
name: onlyoffice
namespace: cloud


@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: crons


@ -0,0 +1,79 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: ovh-dyndns-config
namespace: crons
data:
update_ovh.sh: |
#/bin/sh
#
# CONFIG
#
# HOST=${}
# LOGIN=${}
# PASSWORD=${}
CURRENT_DATE=`date +'%d/%m/%Y %H:%M:%S'`
#
# GET IP(s)
#
CURRENT_IP=`{
cat <<EOF ; sleep 1;
GET / HTTP/1.0
Host: www.ifconfig.io
User-Agent: curl
Referer: http://ifconfig.io
EOF
} | nc -vvv www.ifconfig.io 80 | tail -1`
#
# DO THE WORK
#
if [ -z $CURRENT_IP ]
then
echo "No IP retrieved"
else
echo "$DYNDNS_LOGIN:$DYNDNS_PASSWORD"
echo "https://www.ovh.com/nic/update?system=dyndns&hostname=$DYNDNS_HOST&myip=$CURRENT_IP"
curl --user "$DYNDNS_LOGIN:$DYNDNS_PASSWORD" "https://www.ovh.com/nic/update?system=dyndns&hostname=$DYNDNS_HOST&myip=$CURRENT_IP"
echo "$CURRENT_DATE"": IP updated to" "$CURRENT_IP"
fi
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: ovh-dyndns
namespace: crons
spec:
schedule: "0 * * * *"
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
jobTemplate:
spec:
template:
spec:
volumes:
- name: data
configMap:
name: ovh-dyndns-config
containers:
- name: ovh-dyndns
image: alpine:latest
imagePullPolicy: IfNotPresent
command:
- /bin/sh
- -c
- apk --no-cache add curl;/bin/sh /data/update_ovh.sh
envFrom:
- secretRef:
name: ovh-dyndns-creds
volumeMounts:
- name: data
mountPath: /data
readOnly: true
restartPolicy: OnFailure
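Review bot: `echo "$DYNDNS_LOGIN:$DYNDNS_PASSWORD"` on L503 writes the OVH DynDNS credentials to the job's stdout, so they land in `kubectl logs` and any log aggregation, defeating the SealedSecret that protects them at rest; delete that line, and drop the URL echo on L504 too since the host and IP are already printed on L506. The public IP is fetched over cleartext HTTP with `nc www.ifconfig.io 80` (L488-L495), so anyone on the path can hand back an arbitrary address that the script then publishes as the DNS record; curl is installed on L533 before the script runs, so use it over HTTPS. `[ -z $CURRENT_IP ]` on L499 is unquoted, and the "No IP retrieved" branch exits 0, so a failed run is recorded as a successful job. Passing `--user` on the command line also exposes the credentials in the node's process list; a curl config fed over stdin avoids that.
```shell
# … unchanged: CURRENT_DATE …
CURRENT_IP=$(curl -fsS https://ifconfig.io)
if [ -z "$CURRENT_IP" ]; then
  echo "No IP retrieved"
  exit 1
fi
# credentials travel via stdin: never argv, never stdout
curl -fsS --config - \
  "https://www.ovh.com/nic/update?system=dyndns&hostname=$DYNDNS_HOST&myip=$CURRENT_IP" <<EOF
user = "$DYNDNS_LOGIN:$DYNDNS_PASSWORD"
EOF
echo "$CURRENT_DATE: IP updated to $CURRENT_IP"
```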


@ -0,0 +1,75 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: permis-config
namespace: crons
data:
requirements.txt: |
requests==2.27.1
permis.py: |
import requests
from datetime import date
import os
token = os.getenv('TELEGRAM_TOKEN')
chat_id = os.getenv('TELEGRAM_ID')
assert token is not None, "Telegram token must be set"
assert chat_id is not None, "Telegram chat ID must be set"
base = 'https://rendezvous.permisconduire.be/api/frontend/v4/offers/'
str_to_date = lambda x: date(*[int(el) for el in x.split('-')])
afterDate = date(year=2022, month=6, day=10).strftime('%Y-%m-%d')
dates_url = base + f'_calendar?afterDate={afterDate}&size=42&sites=W3wn7&types=rQj2a'
rep = requests.get(dates_url).json()
dates = {el for el in {str_to_date(day['day']) for day in rep['days'] if day['hasOffer']} if el <= date(2022, 7, 20)}
if dates:
text = 'There are places for :\n - ' + '\n - '.join([el.strftime('%d/%m/%Y') for el in dates])
url = f'https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}&text={text}'
print(date.today().strftime('%Y-%m-%d'), requests.get(url).status_code)
else:
print(date.today().strftime('%Y-%m-%d'), "No places")
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: permis
namespace: crons
annotations:
reloader.stakater.com/auto: "true"
spec:
schedule: "*/10 * * * *"
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
suspend: true
jobTemplate:
spec:
template:
spec:
volumes:
- name: app
configMap:
name: permis-config
containers:
- name: permis
image: python:3-slim-buster
imagePullPolicy: IfNotPresent
command:
- /bin/sh
- -c
- pip install --no-cache-dir -r /app/requirements.txt;python /app/permis.py
volumeMounts:
- name: app
mountPath: /app
readOnly: true
envFrom:
- secretRef:
name: telegram-k-creds
restartPolicy: OnFailure
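Review bot: The Telegram call on L570 interpolates `text` straight into the query string without URL-encoding, so a message containing `&`, `#` or `+` is truncated or altered, and neither `requests.get` has a `timeout`, so a stalled endpoint hangs the job until the next run; use `requests.get(f'https://api.telegram.org/bot{token}/sendMessage', params={'chat_id': chat_id, 'text': text}, timeout=10)` and add `timeout=10` on L566. `requests==2.27.1` is several releases behind; check the pin against published advisories before keeping it. The job is `suspend: true` today, but it still `pip install`s from PyPI on every run, so the dependency is re-resolved each time — a hash-pinned requirements file or a prebuilt image is more robust.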


@ -0,0 +1,78 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: restou-config
namespace: crons
data:
requirements.txt: |
requests==2.27.1
beautifulsoup4==4.10.0
restou.py: |
import requests
from bs4 import BeautifulSoup as bs
from datetime import datetime
import os
soup = bs(requests.get('https://uclouvain.be/fr/decouvrir/resto-u/le-galilee-self.html').text, features='html.parser')
contents = soup.find('div', {'class': 'bigcontenu'}).findAll('div', {'class': 'menus'})
result = ['Menu du jour:']
for item in contents[datetime.now().weekday()].findAll('div'):
try:
title = item.find('p', {'class': 'titre2'}).text.strip()
content = item.find('p', {'class': 'texte1'}).text.strip()
except:
continue
if title and content and content != '0':
result.append(f' - {title}: {content}')
token = os.getenv('TELEGRAM_TOKEN')
chat_id = os.getenv('TELEGRAM_ID')
assert token is not None, "Telegram token must be set"
assert chat_id is not None, "Telegram chat ID must be set"
text = '\n'.join(result)
url = f'https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}&text={text}'
print(url)
requests.get(url)
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: restou
namespace: crons
spec:
schedule: "30 11 * * 2,4"
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
jobTemplate:
spec:
template:
spec:
volumes:
- name: data
configMap:
name: restou-config
containers:
- name: restou
image: python:3-slim-buster
imagePullPolicy: IfNotPresent
command:
- /bin/sh
- -c
- pip install --no-cache-dir -r /data/requirements.txt;python /data/restou.py
envFrom:
- secretRef:
name: telegram-creds
volumeMounts:
- name: data
mountPath: /data
readOnly: true
restartPolicy: OnFailure
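Review bot: `print(url)` on L646 writes the full Telegram URL, including the bot token from `TELEGRAM_TOKEN`, into the pod log on every run; remove it and print only the response status code, as the permis job does. The menu text is interpolated into the query string unencoded on L645, so any `&` or `#` in a dish name truncates the message; pass `params={'chat_id': chat_id, 'text': text}` instead. Both `requests.get` calls lack a `timeout`, and the bare `except:` on L636 swallows everything including `KeyboardInterrupt`; catch `AttributeError` there. `contents[datetime.now().weekday()]` on L632 raises `IndexError` if the page has fewer `menus` blocks than weekdays; the schedule only runs Tue/Thu so this is latent, but a bounds check is cheap.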


@ -0,0 +1,14 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: ovh-dyndns-creds
namespace: crons
spec:
encryptedData:
DYNDNS_HOST: 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
DYNDNS_LOGIN: 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
DYNDNS_PASSWORD: AgAHEJIn0hE2uho5a0S2Hw6meNcVz5BUbmFZErbxCJlkbyDwwCkTy8Hp3xdyT2iWIVRGbCQFWGonRCXqpCpo4bYQ+/5RprqA/8RixzM6VuzEzlRW90V0OBQ6XTpPK4Wy/A385+04gv9IzaLtQOq6LuRUOH2XROsGh3psA2m292BeWBoDV1EXpb2ImOwnEKSuJU5dBCPue+whuNi/4cALfBlW7nx8T7Vf+fgDEPOc96ICnwekRzL/LHQODOKjarUPU0EnFKg9WBJlfe5qpncj8wxpyDw9rYPZ/KCkdHPKJrK5+zw0GytYX+TzPOHeWKS/nDIBHSEFjDYfuA6M+lTsIoH14YyGr89HGKhK6A+sB9MMQZeEG2b6PlrYaTW/J5KPWlOnJAOiismqYX0SzFxVupoWlSSJtfmN37UNthoGFVdTWAa4fFMvGn13cjkJnGM7KgSotfNC8jbvgSiq4FEM7nMR9BUGmV5P+8bNG5XScTl5ocP3obiLbDvrcJsE55uQF2m54Mgl8YjLju6gWihdnyFDGH6rt/Tbno0w5l3a4NITBSOBw8y+VJ0iczBjKwjHHW7Dwb/HAjo4zjFI3WFbaVJc5prEqRx7IoeHbyEyU5qaecaS/vCxuNjpw7MT4iQj4f/JeNAtJvG6vqlXMfxDhb/ELTac9caR/vI/98/jWjsjyxLsNNY0QaLfMXHK08QL0FzxaxxnU5YcCh4AcjLBn/m7y4GfESZ4s6WJRzijBow=
template:
metadata:
name: ovh-dyndns-creds
namespace: crons


@ -0,0 +1,14 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: telegram-k-creds
namespace: crons
spec:
encryptedData:
TELEGRAM_ID: 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
TELEGRAM_TOKEN: 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
template:
metadata:
name: telegram-k-creds
namespace: crons


@ -0,0 +1,13 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: telegram-creds
namespace: crons
spec:
encryptedData:
TELEGRAM_ID: 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
TELEGRAM_TOKEN: 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
template:
metadata:
name: telegram-creds
namespace: crons


@ -0,0 +1,104 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: unibet-pvc
namespace: crons
spec:
storageClassName: longhorn-static
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100Mi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: unibet-config
namespace: crons
data:
requirements.txt: |
requests==2.27.1
unibet.py: |
#!/usr/bin/env python
# coding: utf-8
import requests
from datetime import datetime
import os
import json
def analyze_event(data):
return {
'time': data['event']['start'],
'homeTeam': data['event']['homeName'],
'awayTeam': data['event']['awayName'],
'odds': {d['criterion']['englishLabel']: {o['englishLabel'] + (' ' + str(o['line']) if 'line' in o else ''): o['odds']/1000 for o in d['outcomes']} for d in data['betOffers']}
}
competitions = [
'england/premier_league',
'belgium/jupiler_pro_league',
'france/ligue_1'
]
for comp in competitions:
content = requests.get(f'https://fr-sports.unibet.be/sportsbook-feeds/views/filter/football/{comp}/matches').json()
res = []
for a in content['layout']['sections']:
try:
for b in a['widgets']:
try:
for c in b['matches']['events']:
try:
res.append(analyze_event(c))
except:
pass
except:
pass
except:
pass
os.makedirs(f'/data/records/{comp.replace("/","-")}', exist_ok=True)
with open(f'/data/records/{comp.replace("/","-")}/{datetime.now()}.rec', 'w') as file:
json.dump(res, file)
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: unibet
namespace: crons
spec:
schedule: "30 * * * *"
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
jobTemplate:
spec:
template:
spec:
volumes:
- name: app
configMap:
name: unibet-config
- name: data
persistentVolumeClaim:
claimName: unibet-pvc
containers:
- name: unibet
image: python:3-slim-buster
imagePullPolicy: IfNotPresent
command:
- /bin/sh
- -c
- pip install --no-cache-dir -r /app/requirements.txt;python /app/unibet.py
volumeMounts:
- name: app
mountPath: /app
readOnly: true
- name: data
mountPath: /data
readOnly: false
restartPolicy: OnFailure
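Review bot: The three nested bare `except: pass` blocks on L788-L793 hide every parsing failure, so an upstream schema change silently produces empty `.rec` files hour after hour; catch `(KeyError, TypeError)` and at least log the skipped item. `requests.get(...)` on L779 has no `timeout`, so a hung response blocks the job indefinitely. Files are written under `/data/records/` every hour with names derived from `datetime.now()` (spaces and colons) and are never pruned, so the 100Mi PVC will eventually fill and the job will start failing on `open`; use `datetime.now().strftime('%Y%m%dT%H%M%S')` and add a retention step. The pod also has no `resources` stanza, so a runaway `pip install` or parse can consume node memory unchecked.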


@ -0,0 +1,51 @@
kind: Service
apiVersion: v1
metadata:
name: bazarr
namespace: external-endpoints
spec:
type: ClusterIP
ports:
- port: 6767
targetPort: 6767
---
kind: Endpoints
apiVersion: v1
metadata:
name: bazarr
namespace: external-endpoints
subsets:
- addresses:
- ip: 192.168.1.201
ports:
- port: 6767
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: bazarr
namespace: external-endpoints
annotations:
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "bazarr.bhasher.com"
spec:
ingressClassName: "nginx"
tls:
- hosts:
- bazarr.bhasher.com
secretName: bazarr-tls
rules:
- host: bazarr.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: bazarr
port:
number: 6767
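Review bot: This Ingress publishes `bazarr.bhasher.com` with nothing but TLS termination: there is no `auth-url`/`auth-signin` annotation like the mealie ingress carries, so access control rests entirely on what Bazarr enforces itself, and the hop from the controller to `192.168.1.201:6767` is plaintext on the LAN. If Bazarr is meant to sit behind the IdP, copy the Authelia annotations from the mealie ingress. The `Service` deliberately has no selector so the hand-written `Endpoints` applies; a one-line comment saying so would stop someone "fixing" it later.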


@ -0,0 +1,51 @@
kind: Service
apiVersion: v1
metadata:
name: docker
namespace: external-endpoints
spec:
type: ClusterIP
ports:
- port: 5000
---
kind: Endpoints
apiVersion: v1
metadata:
name: docker
namespace: external-endpoints
subsets:
- addresses:
- ip: 192.168.1.201
ports:
- port: 5000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: docker
namespace: external-endpoints
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 500m
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "docker.bhasher.com"
spec:
ingressClassName: "nginx"
tls:
- hosts:
- docker.bhasher.com
secretName: docker-tls
rules:
- host: docker.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: docker
port:
number: 5000
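Review bot: The registry at `192.168.1.201:5000` is published on `docker.bhasher.com` with no authentication at the ingress layer; unless the registry itself enforces htpasswd or token auth (not visible here), anyone who can reach this ingress class can push as well as pull images, which is a direct supply-chain risk for everything deployed from it. Add the Authelia `auth-url`/`auth-signin` annotations used on the mealie ingress, or document where the registry's own auth is configured. The backend connection is plain HTTP over the LAN, and large pushes commonly also need a `proxy-read-timeout` annotation alongside `proxy-body-size: 500m`.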


@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: external-endpoints


@ -0,0 +1,51 @@
kind: Service
apiVersion: v1
metadata:
name: jellyfin
namespace: external-endpoints
spec:
type: ClusterIP
ports:
- port: 8096
targetPort: 8096
---
kind: Endpoints
apiVersion: v1
metadata:
name: jellyfin
namespace: external-endpoints
subsets:
- addresses:
- ip: 192.168.1.201
ports:
- port: 8096
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jellyfin
namespace: external-endpoints
annotations:
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "jellyfin.bhasher.com"
spec:
ingressClassName: "nginx-external"
tls:
- hosts:
- jellyfin.bhasher.com
secretName: jellyfin-tls
rules:
- host: jellyfin.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: jellyfin
port:
number: 8096
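Review bot: `ingressClassName: "nginx-external"` exposes Jellyfin to the internet with no ingress-level auth or rate limiting, so its login form absorbs brute-force traffic directly; Jellyfin authenticates users itself, but a `nginx.ingress.kubernetes.io/limit-rps` annotation or an Authelia rule with bypasses for the client API paths would reduce exposure. The certificate comes from `bhasherca-k3s-issuer`, which by its name appears to be a private CA; if so, external clients see an untrusted certificate and are trained to click through warnings — a public ACME issuer is the usual choice for `nginx-external` hosts. Traffic from the controller to `192.168.1.201:8096` is plaintext on the LAN.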


@ -0,0 +1,51 @@
kind: Service
apiVersion: v1
metadata:
name: sonarr
namespace: external-endpoints
spec:
type: ClusterIP
ports:
- port: 8989
targetPort: 8989
---
kind: Endpoints
apiVersion: v1
metadata:
name: sonarr
namespace: external-endpoints
subsets:
- addresses:
- ip: 192.168.1.201
ports:
- port: 8989
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: sonarr
namespace: external-endpoints
annotations:
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "sonarr.bhasher.com"
spec:
ingressClassName: "nginx"
tls:
- hosts:
- sonarr.bhasher.com
secretName: sonarr-tls
rules:
- host: sonarr.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: sonarr
port:
number: 8989
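Review bot: Like the bazarr ingress, this publishes Sonarr on `sonarr.bhasher.com` with TLS only and no `auth-url`/`auth-signin`, while Sonarr's API key and download-client credentials are readable through its UI; if it should sit behind the IdP, add the Authelia annotations from the mealie ingress. The controller-to-backend hop to `192.168.1.201:8989` is plaintext on the LAN, which is acceptable only if that segment is trusted.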


@ -0,0 +1,134 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea
namespace: git
spec:
storageClassName: longhorn-static
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitea
namespace: git
labels:
app: gitea
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
revisionHistoryLimit: 1
strategy:
type: Recreate
selector:
matchLabels:
app: gitea
template:
metadata:
labels:
app: gitea
spec:
volumes:
- name: gitea-data
persistentVolumeClaim:
claimName: gitea
- name: gitea-certs
secret:
secretName: gitea-certs
- name: gitea-config
configMap:
name: gitea-config
- name: ca
configMap:
name: ca
containers:
- name: gitea
image: gitea/gitea:latest
imagePullPolicy: IfNotPresent
envFrom:
- secretRef:
name: gitea-tokens
volumeMounts:
- name: gitea-data
mountPath: /data
readOnly: false
- name: ca
mountPath: /etc/ssl/certs/bhasherCA.pem
subPath: bhasherCA.pem
readOnly: true
livenessProbe:
httpGet:
path: /
port: 3000
periodSeconds: 10
successThreshold: 1
failureThreshold: 10
startupProbe:
httpGet:
path: /
port: 3000
failureThreshold: 30
periodSeconds: 10
initContainers:
- name: init-config
image: busybox:latest
command: ['sh', '-c', 'mkdir -p /data/gitea/conf && cp /tmp/config/app.ini /data/gitea/conf/app.ini']
volumeMounts:
- name: gitea-data
mountPath: /data
readOnly: false
- name: gitea-config
mountPath: "/tmp/config"
readOnly: true
---
apiVersion: v1
kind: Service
metadata:
name: gitea
namespace: git
spec:
type: ClusterIP
selector:
app: gitea
ports:
- name: https
port: 3000
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea
namespace: git
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 50m
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "git.bhasher.com"
spec:
ingressClassName: nginx-external
tls:
- hosts:
- git.bhasher.com
secretName: gitea-tls
rules:
- host: git.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gitea
port:
number: 3000
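Review bot: The `gitea-certs` Secret volume on L1089-L1091 is declared but never mounted by either container; a Secret volume whose Secret is absent blocks pod start, so this is dead configuration with a failure mode — remove it or mount it. The Service port on L1148 is named `https` while Gitea listens on plain HTTP (`PROTOCOL = http` in the ConfigMap); rename it `http` so the name does not mislead. `gitea/gitea:latest` and `busybox:latest` are both unpinned with `IfNotPresent`, and the pod has no `securityContext` or `resources`. The init container on L1129 overwrites `/data/gitea/conf/app.ini` from the ConfigMap on every start, which is the intended GitOps behaviour but means Gitea cannot persist anything it writes into that file itself; a comment such as `# app.ini is owned by the ConfigMap; runtime edits are discarded on restart` would make that explicit.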


@ -0,0 +1,64 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: ca
namespace: git
data:
bhasherCA.pem : |
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
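Review bot: The key on L1188 is written `bhasherCA.pem :` with a space before the colon; YAML drops trailing whitespace from plain scalars so the key still resolves to `bhasherCA.pem`, but it reads as a typo and trips yamllint — write `bhasherCA.pem: |`. A comment recording which CA this is and how to rotate it would help: the gitea pod mounts it as `/etc/ssl/certs/bhasherCA.pem` via `subPath`, which is not updated live and relies on the stakater reloader restart to pick up a new certificate.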


@ -0,0 +1,275 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: gitea-config
namespace: git
data:
app.ini: |
APP_NAME = Gitea Bhasher
RUN_MODE = prod
RUN_USER = git
[repository]
ROOT = /data/git/repositories
SCRIPT_TYPE = bash
DETECT_CHARSETS_ORDER = defaults
FORCE_PRIVATE = false
DEFAULT_PRIVATE = public
DEFAULT_PUSH_CREATE_PRIVATE = false
MAX_CREATION_LIMIT = -1
PREFERED_LICENSES = MIT License
DISABLE_HTTP_GIT = false
ENABLE_PUSH_CREATE_USER = false
ENABLE_PUSH_CREATE_ORG = false
DEFAULT_BRANCH = master
[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
[repository.upload]
TEMP_PATH = /data/gitea/uploads
FILE_MAX_SIZE = 25
MAX_FILES = 100
[repository.signing]
SIGNING_KEY = default
INITIAL_COMMIT = always
DEFAULT_TRUST_MODEL = collaborator
WIKI = parentsigned
CRUD_ACTIONS = pubkey,parentsigned
MERGES = pubkey,basesigned,comitssigned
[ui]
EXPLORE_PAGING_NUM = 20
ISSUE_PAGING_NUM = 20
MEMBERS_PAGING_NUM = 20
FEED_PAGING_NUM = 20
GRAPH_MAX_COMMIT_NUM = 100
DEFAULT_THEME = arc-green
SHOW_USER_EMAIL = true
MAX_DISPLAY_FILE_SIZE = 8388608
DEFAULT_SHOW_FULL_NAME = true
[ui.meta]
AUTHOR = Bhasher's git
DESCRIPTION = Custom git server based on gitea
KEYWORDS = gitea,git,bhasher,self-hosted
[ui.csv]
MAX_FILE_SIZE = 8388608
[markdown]
ENABLE_HARD_LINE_BREAK_IN_COMMENTS = true
ENABLE_HARD_LINE_BREAK_IN_DOCUMENTS = true
CUSTOM_URL_SCHEMES = git
[server]
APP_DATA_PATH = /data/gitea
PROTOCOL = http
DOMAIN = git.bhasher.com
HTTP_ADDR = 0.0.0.0
HTTP_PORT = 3000
UNIX_SOCKET_PERMISSION = 660
ROOT_URL = https://git.bhasher.com/
LOCAL_ROOT_URL = http://127.0.0.1:3000/
DISABLE_SSH = true
LFS_START_SERVER = false
APP_DATA_PATH = /data/gitea
OFFLINE_MODE = false
LANDING_PAGE = explore
[database]
DB_TYPE = postgres
HOST = postgres.storage.svc.cluster.local
NAME = gitea
USER = gitea
SCHEMA = public
SSL_MODE = disable
LOG_SQL = false
[indexer]
ISSUE_INDEXER_TYPE = bleve
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
REPO_INDEXER_ENABLED = true
REPO_INDEXER_TYPE = bleve
REPO_INDEXER_PATH = /data/gitea/indexers/repos.bleve
MAX_FILE_SIZE = 524288
[admin]
DEFAULT_EMAIL_NOTIFICATIONS = enabled
DISABLE_REGULAR_ORG_CREATION = false
[security]
INSTALL_LOCK = true
LOGIN_REMEMBER_DAYS = 7
REVERSE_PROXY_LIMIT = 1
DISABLE_GIT_HOOKS = true
DISABLE_WEBHOOKS = false
INTERNAL_TOKEN = azerty
REVERSE_PROXY_AUTHENTICATION_USER = Remote-User
REVERSE_PROXY_AUTHENTICATION_EMAIL = Remote-Email
REVERSE_PROXY_TRUSTED_PROXIES = ingress-nginx-controller.ingress-nginx.svc.cluster.local
[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = false
[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = false
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = true
ENABLE_BASIC_AUTHENTICATION = false
ENABLE_REVERSE_PROXY_AUTHENTICATION = false # true
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
ENABLE_CAPTCHA = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_USER_IS_RESTRICTED = false
DEFAULT_ENABLE_DEPENDENCIES = true
ALLOW_CROSS_REPOSITORY_DEPENDENCIES = true
ENABLE_USER_HEATMAP = true
DEFAULT_ENABLE_TIMETRACKING = true
DEFAULT_ALLOW_ONLY_CONTRIBUTORS_TO_TRACK_TIME = true
SHOW_REGISTRATION_BUTTON = false
SHOW_MILESTONES_DASHBOARD_PAGE = true
AUTO_WATCH_NEW_REPOS = true
DEFAULT_USER_VISIBILITY = public
ALLOWED_USER_VISIBILITY_MODES = public,limited
DEFAULT_ORG_VISIBILITY = public
DEFAULT_ORG_MEMBER_VISIBLE = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = true
NO_REPLY_ADDRESS = noreply.git.bhasher.com
VALID_SITE_URL_SCHEMES = https
[service.explore]
REQUIRE_SIGNIN_VIEW = false
DISABLE_USERS_PAGE = false
[webhook]
DELIVER_TIMEOUT = 5
ALLOWED_HOST_LIST = *
SKIP_TLS_VERIFY = false
[mailer]
ENABLED = true
FROM = "Bhasher's gitea" <no-reply@bhasher.com>
MAILER_TYPE = smtp
HOST = bdubois.io:465
IS_TLS_ENABLED = true
USER = no-reply@bhasher.com
SEND_AS_PLAIN_TEXT = false
SKIP_VERIFY = true
SUBJECT_PREFIX = [Gitea]
[cache]
ENABLED = true
ADAPTER = memory
ITEM_TTL = 1h
[cache.last_commit]
ENABLED = true
ITEM_TTL = 24h
COMMITS_COUNT = 100
[session]
PROVIDER = memory
COOKIE_SECURE = true
COOKIE_NAME = sessid
SESSION_LIFE_TIME = 43200
SAME_SITE = strict
[picture]
DISABLE_GRAVATAR = false
GRAVATAR_SOURCE = gravatar
ENABLE_FEDERATED_AVATAR = true
#AVATAR_STORAGE_TYPE = default
AVATAR_UPLOAD_PATH = /data/gitea/avatars
AVATAR_MAX_WIDTH = 2048
AVATAR_MAX_HEIGHT = 1536
AVATAR_MAX_FILE_SIZE = 1048576
AVATAR_RENDERED_SIZE_FACTOR = 5
#REPOSITORY_AVATAR_STORAGE_TYPE = default
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
REPOSITORY_AVATAR_FALLBACK = random
DISABLE_GRAVATAR = false
ENABLE_FEDERATED_AVATAR = true
REPO_INDEXER_EXCLUDE_VENDORED = true
[attachment]
ENABLE = true
ALLOWED_TYPES = .docx,.gif,.gz,.jpeg,.jpg,.mp4,.log,.pdf,.png,.pptx,.txt,.xlsx
MAX_SIZE = 2
MAX_FILES = 5
STORAGE_TYPE = local
PATH = /data/gitea/attachments
[log]
MODE = console
LEVEL = Warn
ROUTER = console
ROOT_PATH = /data/gitea/log
[git]
PATH =
DISABLE_DIFF_HIGHLIGHT = false
MAX_GIT_DIFF_LINES = 1000
MAX_GIT_DIFF_LINE_CHARACTERS = 1000
MAX_GIT_DIFF_FILES = 100
PULL_REQUEST_PUSH_MESSAGE = true
VERBOSE_PUSH = true
VERBOSE_PUSH_DELAY = 5
LARGE_OBJECT_THRESHOLD = 1048576
DISABLE_PARTIAL_CLONE = false
[git.timeout]
DEFAULT = 60
MIGRATE = 60
MIRROR = 60
CLONE = 60
PULL = 60
GC = 60
[metrics]
ENABLED = false
[api]
ENABLE_SWAGGER = false
MAX_RESPONSE_ITEMS = 50
DEFAULT_PAGING_NUM = 20
DEFAULT_GIT_TREES_PER_PAGE = 100
DEFAULT_MAX_BLOB_SIZE = 1048576
[oauth2]
ENABLE = false
[i18n]
LANGS = en-US,de-DE,fr-FR,nl-NL,es-ES,it-IT,pt-PT
NAMES = English,Deutsch,Français,Nederlands,Español,Italiano,Portguês
[markup]
ENABLED = false
[time]
DEFAULT_UI_LOCATION = Europe/Paris
[migrations]
ALLOW_LOCALNETWORKS = true
SKIP_TLS_VERIFY = true
[federation]
ENABLED = false
[packages]
ENABLED = true
[mirror]
ENABLED = true
DISABLE_NEW_PULL = false
DISABLE_NEW_PUSH = false
DEFAULT_INTERVAL = 1h
MIN_INTERVAL = 15m
[other]
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false
SHOW_FOOTER_VERSION = false
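Review bot: `INTERNAL_TOKEN = azerty` on L1288 commits a trivially guessable internal token in cleartext; it is presumably overridden by `GITEA__security__INTERNAL_TOKEN` from the sealed secret, but if that override ever fails to apply the server silently runs with `azerty`, so remove the line and leave the token to the environment. Several settings disable transport security: `[mailer] SKIP_VERIFY = true` (L1337) lets an on-path attacker capture the SMTP credentials sent to `bdubois.io:465`; `[migrations] SKIP_TLS_VERIFY = true` with `ALLOW_LOCALNETWORKS = true` (L1417-L1418) and `[webhook] ALLOWED_HOST_LIST = *` (L1327) let any authenticated user aim migrations and webhooks at in-cluster services such as `postgres.storage.svc.cluster.local`; and `[database] SSL_MODE = disable` (L1270) sends the DB password in cleartext — set the verify flags back, restrict the webhook list to `external`, and reconsider local-network migrations. `MERGES = pubkey,basesigned,comitssigned` on L1229 misspells `commitssigned`, so that signing rule is likely not applied. There are also duplicate keys (`APP_DATA_PATH` on L1251/L1261, `DISABLE_GRAVATAR` and `ENABLE_FEDERATED_AVATAR` on L1354/L1366 and L1356/L1367), and `REPO_INDEXER_EXCLUDE_VENDORED` on L1368 sits under `[picture]` instead of `[indexer]`, where it is ignored.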


@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: git


@ -0,0 +1,20 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: gitea-tokens
namespace: git
spec:
encryptedData:
GITEA__database__PASSWD: 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
GITEA__mailer__PASSWD: 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
GITEA__metrics__TOKEN: 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
GITEA__security__INTERNAL_TOKEN: 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
GITEA__server__LFS_JWT_SECRET: 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
template:
data: null
metadata:
creationTimestamp: null
name: gitea-tokens
namespace: git


@ -0,0 +1,179 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: hass
namespace: hass
spec:
storageClassName: longhorn-static
accessModes:
- ReadWriteMany
resources:
requests:
storage: 500Mi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: hass
namespace: hass
data:
configuration.yaml: |
# Loads default set of integrations. Do not remove.
default_config:
http:
use_x_forwarded_for: true
trusted_proxies:
- 10.42.0.0/16
panel_iframe:
nodered:
title: 'Node-Red'
url: 'https://node-red.bhasher.com'
icon: mdi:sitemap
require_admin: true
binary_sensor:
- platform: ping
host: 192.168.1.2
name: "Bhasher's Desktop"
count: 2
scan_interval: 30
wake_on_lan:
switch:
- platform: wake_on_lan
name: "WOL Bhasher's Desktop"
mac: e0:d5:5e:08:3c:d4
broadcast_address: 192.168.1.255
recorder: !include recorder.yaml
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: hass
name: hass
namespace: hass
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
app: hass
template:
metadata:
labels:
app: hass
spec:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- hass
topologyKey: kubernetes.io/hostname
weight: 100
volumes:
- name: data
persistentVolumeClaim:
claimName: hass
- name: config
configMap:
name: hass
- name: secrets
secret:
secretName: hass
containers:
- name: hass
image: homeassistant/home-assistant:latest
imagePullPolicy: IfNotPresent
volumeMounts:
- name: data
mountPath: "/config"
- name: config
mountPath: "/config/configuration.yaml"
subPath: "configuration.yaml"
- name: secrets
mountPath: "/config/recorder.yaml"
subPath: "recorder.yaml"
ports:
- name: http
containerPort: 8123
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
failureThreshold: 2
periodSeconds: 10
startupProbe:
httpGet:
path: /
port: http
failureThreshold: 24
periodSeconds: 5
---
apiVersion: v1
kind: Service
metadata:
name: hass
namespace: hass
spec:
type: ClusterIP
selector:
app: hass
ports:
- name: http
port: 8123
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hass
namespace: hass
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "hass.bhasher.com"
# nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
# nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
# #nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
# nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
# #nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method $request_method;
spec:
tls:
- hosts:
- hass.bhasher.com
secretName: hass-tls
rules:
- host: hass.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: hass
port:
number: 8123
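Review bot: `trusted_proxies: 10.42.0.0/16` together with `use_x_forwarded_for: true` in the `configuration.yaml` ConfigMap trusts the entire pod CIDR (10.42.0.0/16 is the k3s default), so any pod in the cluster — not only the ingress controller — can set `X-Forwarded-For` and have Home Assistant treat it as the client address, which undermines its login-attempt throttling and IP ban logic and any network-based auth provider if one is enabled. Narrow the list to the ingress-nginx controller's pod IPs or its dedicated range, and back it with a NetworkPolicy in namespace `hass` that admits port 8123 only from the ingress-nginx namespace. The forward-auth annotations on the Ingress are commented out, so HA's own login is the only gate on `hass.bhasher.com`; that is usual for HA but worth recording, e.g. `# forward-auth disabled on purpose: HA handles its own login`. The Ingress also uses the deprecated `kubernetes.io/ingress.class` annotation while the other Ingresses in this commit use `spec.ingressClassName`.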


@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: hass


@ -0,0 +1,64 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: mosquitto
namespace: hass
data:
mosquitto.conf: |
# persistence true
# persistence_location /mosquitto/data
listener 1883
allow_anonymous true
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: mosquitto
namespace: hass
labels:
app: mosquitto
spec:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
app: mosquitto
template:
metadata:
labels:
app: mosquitto
spec:
volumes:
- name: config
configMap:
name: mosquitto
containers:
- name: mosquitto
image: eclipse-mosquitto:latest
imagePullPolicy: IfNotPresent
volumeMounts:
- name: config
mountPath: /mosquitto/config/mosquitto.conf
subPath: mosquitto.conf
readOnly: true
---
apiVersion: v1
kind: Service
metadata:
name: mosquitto
namespace: hass
spec:
type: ClusterIP
ports:
- name: mqtt
port: 1883
targetPort: 1883
protocol: TCP
selector:
app: mosquitto
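Review bot: `allow_anonymous true` on `listener 1883` in the mosquitto.conf ConfigMap, combined with a ClusterIP Service, lets every pod in the cluster publish and subscribe unauthenticated — including the `zigbee2mqtt/...` topics that switch devices and the bridge request topics — and in-cluster is not a trust boundary here because other workloads in this commit (Node-RED, and JupyterHub user servers if that chart is deployed) run user-authored code. Set `allow_anonymous false` and add `password_file /mosquitto/config/passwd` backed by a Secret mounted next to the ConfigMap, then give zigbee2mqtt (`mqtt.user`/`mqtt.password`) and Home Assistant's MQTT integration matching credentials. At minimum a NetworkPolicy in namespace `hass` admitting port 1883 only from the hass and zigbee2mqtt pods would close the cluster-wide exposure. The commented-out `persistence` lines mean retained messages are lost on every restart, which is unrelated to security but deserves a comment if intentional.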


@ -0,0 +1,95 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: node-red
namespace: hass
labels:
app: node-red
spec:
storageClassName: longhorn-static
accessModes:
- ReadWriteMany
resources:
requests:
storage: 100Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: node-red
namespace: hass
labels:
app: node-red
spec:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
app: node-red
template:
metadata:
labels:
app: node-red
spec:
containers:
- name: node-red
image: nodered/node-red:latest
imagePullPolicy: IfNotPresent
env:
- name: TZ
value: Europe/Paris
volumeMounts:
- name: data
mountPath: /data
volumes:
- name: data
persistentVolumeClaim:
claimName: node-red
---
apiVersion: v1
kind: Service
metadata:
name: node-red
namespace: hass
spec:
type: ClusterIP
selector:
app: node-red
ports:
- name: http
port: 1880
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: node-red
namespace: hass
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "node-red.bhasher.com"
nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
spec:
tls:
- hosts:
- node-red.bhasher.com
secretName: node-red-tls
rules:
- host: node-red.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: node-red
port:
number: 1880
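Review bot: No `settings.js` is mounted and no `adminAuth` is configured for the Node-RED container, so the editor and admin HTTP API on port 1880 are unauthenticated; the `auth-url`/`auth-signin` annotations on the Ingress only guard the external path, while the ClusterIP Service leaves the same port reachable from any pod in the cluster. Anyone who reaches it can deploy a flow containing a function or exec node, i.e. run arbitrary code in this pod with write access to the `node-red` PVC. Mount a `settings.js` with `adminAuth` (bcrypt hash kept in a Secret) or add a NetworkPolicy that admits port 1880 only from the ingress-nginx controller. The Ingress also omits the `X-Forwarded-Method` snippets that the other forward-auth Ingresses in this commit carry, so any method-based rule in the auth service cannot apply to this host, and it uses the deprecated `kubernetes.io/ingress.class` annotation instead of `spec.ingressClassName`.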


@ -0,0 +1,16 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: hass
namespace: hass
spec:
encryptedData:
recorder.yaml: 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
template:
data: null
metadata:
creationTimestamp: null
name: hass
namespace: hass


@ -0,0 +1,96 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: zigbee2mqtt-pvc
namespace: hass
spec:
storageClassName: longhorn-static
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100Mi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: zigbee2mqtt
namespace: hass
data:
configuration.yaml: |
homeassistant: true
permit_join: true
mqtt:
base_topic: zigbee2mqtt
server: mqtt://mosquitto.hass.svc.cluster.local
serial:
port: /dev/ttyACM0
devices:
'0x54ef441000367592':
friendly_name: WallSwitchOffice
'0x00158d00068b2c39':
friendly_name: MovementSensorDeskOffice
'0x00158d00067ca592':
friendly_name: MovementSensorShelfOffice
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: zigbee2mqtt
namespace: hass
labels:
app: zigbee2mqtt
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
app: zigbee2mqtt
template:
metadata:
labels:
app: zigbee2mqtt
spec:
nodeSelector:
zigbee: "true"
volumes:
- name: data
persistentVolumeClaim:
claimName: zigbee2mqtt-pvc
- name: config
configMap:
name: zigbee2mqtt
- name: udev
hostPath:
path: /run/udev
- name: ttyacm
hostPath:
path: /dev/ttyACM0
containers:
- name: zigbee2mqtt
image: koenkk/zigbee2mqtt:latest
imagePullPolicy: IfNotPresent
env:
- name: TZ
value: Europe/Paris
securityContext:
privileged: true
volumeMounts:
- name: data
mountPath: "/app/data"
readOnly: false
- name: config
mountPath: /app/configuration.yaml
subPath: configuration.yaml
readOnly: true
- name: udev
mountPath: /run/udev
readOnly: true
- name: ttyacm
mountPath: /dev/ttyACM0
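Review bot: `permit_join: true` in the zigbee2mqtt ConfigMap leaves the Zigbee network permanently open to joining, so any device in radio range can pair itself at any time; Zigbee2MQTT's guidance is to enable joining only while pairing. Set `permit_join: false` and open joining temporarily from the frontend or via the `zigbee2mqtt/bridge/request/permit_join` topic when adding a device. The container also runs `privileged: true` to reach the `/dev/ttyACM0` hostPath; since that grants every host device and removes the default seccomp/AppArmor confinement, prefer exposing only the adapter through a device plugin, or at least record the reason with `# privileged only for the /dev/ttyACM0 hostPath; revisit with a device plugin`. Note that the ConfigMap is mounted read-only at `/app/configuration.yaml` while Zigbee2MQTT reads and rewrites its configuration under the data directory (`/app/data` here), so confirm the file is actually picked up and that the generated `network_key` ends up on the PVC rather than being lost.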



@ -0,0 +1,54 @@
singleuser:
defaultUrl: "/lab"
extraEnv:
JUPYTERHUB_SINGLEUSER_APP: "jupyter_server.serverapp.ServerApp"
EDITOR: "vim"
memory:
limit: 1G
guarantee: 100M
cpu:
limit: 1.
guarantee: 1.
storage:
dynamic:
storageClass: longhorn
capacity: 2Gi
hub:
extraEnv:
OAUTH_TLS_VERIFY: "0"
OAUTH2_TLS_VERIFY: "0"
config:
Authenticator:
admin_users:
- bhasher
GenericOAuthenticator:
client_id: jupyterhub
client_secret: 8sbWBuDMmKIvcjfTQTg12f2ycRV3Y3Cy
oauth_callback_url: https://jupyter.bhasher.com/hub/oauth_callback
authorize_url: https://openid.bhasher.com/realms/external/protocol/openid-connect/auth
token_url: https://openid.bhasher.com/realms/external/protocol/openid-connect/token
userdata_url: https://openid.bhasher.com/realms/external/protocol/openid-connect/userinfo
login_service: OpenID
username_key: preferred_username
userdata_params:
state: state
JupyterHub:
authenticator_class: generic-oauth
ingress:
enabled: true
hosts:
- jupyter.bhasher.com
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "jupyter.bhasher.com"
tls:
- hosts:
- jupyter.bhasher.com
secretName: jupyterhub-tls
prePuller:
continuous:
enabled: false
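Review bot: `client_secret: 8sbWBuDMmKIvcjfTQTg12f2ycRV3Y3Cy` is a plaintext OAuth client secret committed to the repository, while every other credential in this commit goes through a SealedSecret; treat it as compromised, rotate it in the `external` Keycloak realm, and reference it from a Secret instead (e.g. `hub.extraEnv` with `valueFrom.secretKeyRef`, or the chart's `hub.existingSecret`). `OAUTH_TLS_VERIFY: "0"` / `OAUTH2_TLS_VERIFY: "0"` disable certificate verification on the hub's calls to `openid.bhasher.com`, so a man-in-the-middle between the hub and the IdP could return forged tokens and userinfo and log in as any user, including the `bhasher` admin; mount the internal CA and point the hub at it (the wiki manifests in this commit do this with a `ca` ConfigMap, for the Python hub `SSL_CERT_FILE`/`REQUESTS_CA_BUNDLE` is the equivalent) and drop the verify overrides. There is also no `allowed_users`/`allowed_groups` under `Authenticator`, so, depending on the oauthenticator version shipped with the chart, any account in the `external` realm may be able to log in and spawn a server. The Argo Application for this chart is commented out, but the secret is in git history regardless.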


@ -0,0 +1,93 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: radarr
namespace: media-server
labels:
app: radarr
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 0
revisionHistoryLimit: 1
selector:
matchLabels:
app: radarr
template:
metadata:
labels:
app: radarr
spec:
containers:
- name: radarr
image: lscr.io/linuxserver/radarr:latest
imagePullPolicy: IfNotPresent
volumeMounts:
- name: config
mountPath: /config/config.xml
subPath: config.xml
readOnly: true
# - name: movies
# mountPath: /movies
# subPath: movies
# readOnly: false
# - name: movies
# mountPath: /downloads
# subPath: tmp
volumes:
- name: config
secret:
secretName: radarr
# - name: movies
# nfs:
# server: truenas.bhasher.com
# path: /mnt/Main/local/movies
---
apiVersion: v1
kind: Service
metadata:
name: radarr
namespace: media-server
spec:
type: ClusterIP
selector:
app: radarr
ports:
- name: http
port: 7878
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: radarr
namespace: media-server
annotations:
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "radarr.bhasher.com"
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method request_method;
nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method request_method;
spec:
ingressClassName: nginx-external
tls:
- hosts:
- radarr.bhasher.com
secretName: radarr-tls
rules:
- host: radarr.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: radarr
port:
number: 7878
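Review bot: Both `auth-snippet` and `configuration-snippet` set `proxy_set_header X-Forwarded-Method request_method;` without the `$`, so the forward-auth request to `idp.bhasher.com/api/verify` carries the literal string `request_method` instead of the HTTP method; the pihole, portal and timesheet Ingresses in this commit correctly use `$request_method`. Change both lines to `nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;` and `nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method $request_method;`, otherwise any method-based access rule in the auth service cannot evaluate this host correctly, and an auth service that validates the header may reject every request. This Ingress is on `nginx-external`, so it is the internet-facing path; with `replicas: 0` nothing answers today, but the annotation bug will surface as soon as the Deployment is scaled up.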


@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: media-server



@ -0,0 +1,232 @@
apiVersion: v1
kind: Namespace
metadata:
name: dns
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pihole-pvc
namespace: dns
spec:
storageClassName: longhorn-static
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: dnsmasq-pvc
namespace: dns
spec:
storageClassName: longhorn-static
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: pihole
namespace: dns
labels:
app: pihole
spec:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
app: pihole
template:
metadata:
labels:
app: pihole
name: pihole
spec:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- pihole
topologyKey: kubernetes.io/hostname
weight: 100
containers:
- name: pihole
image: cbcrowe/pihole-unbound:latest
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: pihole-configmap
- secretRef:
name: pihole-secret
ports:
- name: svc-53-udp
containerPort: 53
protocol: UDP
- name: svc-53-tcp
containerPort: 53
protocol: TCP
- name: svc-ui
containerPort: 80
protocol: TCP
# livenessProbe:
# httpGet:
# port: svc-ui
# initialDelaySeconds: 15
# periodSeconds: 10
# readinessProbe:
# httpGet:
# port: svc-ui
# initialDelaySeconds: 15
# periodSeconds: 10
# startupProbe:
# httpGet:
# port: svc-ui
# failureThreshold: 12
# periodSeconds: 10
resources:
limits:
memory: "300Mi"
cpu: "250m"
requests:
memory: "50Mi"
cpu: "100m"
volumeMounts:
- name: pihole-etc
mountPath: "/etc/pihole"
- name: dnsmasq-etc
mountPath: "/etc/dnsmasq.d"
- name: unbound-conf
mountPath: "/etc/unbound/unbound.conf.d/pi-hole.conf"
subPath: "pi-hole.conf"
readOnly: true
volumes:
- name: pihole-etc
persistentVolumeClaim:
claimName: pihole-pvc
- name: dnsmasq-etc
persistentVolumeClaim:
claimName: dnsmasq-pvc
- name: unbound-conf
configMap:
name: unbound-conf
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: pihole-pdb
namespace: dns
spec:
minAvailable: 1
selector:
matchLabels:
app: pihole
---
apiVersion: v1
kind: Service
metadata:
name: pihole-ui-svc
namespace: dns
spec:
selector:
app: pihole
type: ClusterIP
ports:
- port: 80
protocol: TCP
name: pihole-ui
---
apiVersion: v1
kind: Service
metadata:
name: pihole-tcp-svc
namespace: dns
annotations:
metallb.universe.tf/loadBalancerIPs: 192.168.1.211
metallb.universe.tf/allow-shared-ip: "pihole-192.168.1.211"
spec:
selector:
app: pihole
type: LoadBalancer
externalTrafficPolicy: Cluster
ports:
- port: 53
targetPort: 53
protocol: TCP
name: pihole-dns-tcp
---
apiVersion: v1
kind: Service
metadata:
name: pihole-udp-svc
namespace: dns
annotations:
metallb.universe.tf/loadBalancerIPs: 192.168.1.211
metallb.universe.tf/allow-shared-ip: "pihole-192.168.1.211"
spec:
selector:
app: pihole
type: LoadBalancer
externalTrafficPolicy: Cluster
ports:
- port: 53
targetPort: 53
protocol: UDP
name: pihole-dns-udp
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: pihole
namespace: dns
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "pihole.bhasher.com"
nginx.ingress.kubernetes.io/app-root: /admin
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method $request_method;
spec:
tls:
- hosts:
- pihole.bhasher.com
secretName: pihole-tls
rules:
- host: pihole.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: pihole-ui-svc
port:
number: 80
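Review bot: Both DNS LoadBalancer Services use `externalTrafficPolicy: Cluster`, which SNATs queries to a node address before they reach the pod, so Pi-hole records every query as coming from a node rather than the real LAN client; that defeats per-client logs, groups and blocking and leaves no client attribution for incident review. With MetalLB announcing `192.168.1.211` and a single replica, `externalTrafficPolicy: Local` on both `pihole-tcp-svc` and `pihole-udp-svc` preserves the source IP (MetalLB then only announces from the node hosting the pod). The pod has no `securityContext`, and the admin UI on port 80 is reachable in-cluster through `pihole-ui-svc` without the forward-auth that guards the Ingress, so `WEBPASSWORD` is the only in-cluster gate; a NetworkPolicy admitting port 80 only from ingress-nginx would align it with the external path. The Ingress also uses the deprecated `kubernetes.io/ingress.class` annotation rather than `spec.ingressClassName` as the other Ingresses in this commit do.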


@ -0,0 +1,78 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: pihole-configmap
namespace: dns
data:
TZ: "Europe/Paris"
WEBTHEME: "default-dark"
REV_SERVER: "false"
PIHOLE_DNS_: "127.0.0.1#5335"
DNSSEC: "true"
DNSMASQ_LISTENING: "single"
FTLCONF_REPLY_ADDR4: "192.168.1.211"
FTLCONF_RATE_LIMIT: "0/0"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: unbound-conf
namespace: dns
data:
pi-hole.conf: |
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 8953
server:
# Conectivity
interface: 127.0.0.1 # Only for pi-hole
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
do-ip6: no
prefer-ip6: no
# Security
harden-glue: yes
harden-dnssec-stripped: yes
harden-referral-path: yes
use-caps-for-id: no
unwanted-reply-threshold: 10000000
# Performances
edns-buffer-size: 1232
prefetch: yes
prefetch-key: yes
num-threads: 1
so-rcvbuf: 1m
max-udp-size: 3072
cache-min-ttl: 3600
cache-max-ttl: 86400
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
rrset-cache-size: 256m
msg-cache-size: 128m
so-rcvbuf: 1m
# Privacy
hide-identity: yes
hide-version: yes
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
# Stats
verbosity: 0
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes
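Review bot: `so-rcvbuf: 1m` appears twice in the unbound `server:` block (under Performances and again after `msg-cache-size`), and `verbosity: 0` silences unbound's logging entirely, which leaves nothing to inspect when resolution fails or DNSSEC validation starts rejecting answers; drop the duplicate and consider `verbosity: 1` so errors are at least logged. The `private-address` list gives rebinding protection for RFC1918 and link-local ranges, which is good, but it also strips such answers from any public zone resolved through unbound; if names under a public domain are expected to resolve to LAN addresses via this resolver (a `truenas.bhasher.com` NFS server is referenced elsewhere in this commit), they need `private-domain: "bhasher.com"` or must be served from Pi-hole's local records instead. `FTLCONF_RATE_LIMIT: "0/0"` removes FTL's per-client query rate limit; record why, e.g. `# 0/0: the LB Services SNAT clients to node IPs, so a per-client limit would throttle everyone`, or restore a limit once source IPs are preserved.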


@ -0,0 +1,16 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: pihole-secret
namespace: dns
spec:
encryptedData:
WEBPASSWORD: AgAWmlAaATTKbTOvxZullfUsHISve/HYTLe4huk8ERxDM2hoOc5zZPDDZ/CGSj1aTrj7rb6+VuYbvM2v37CUxQ1mnNBQabHkz9Db89Q+ih/c9dbaXB3OeSWk2edLKXVHIV/G0/6AC2MYRJCHqcCOgbZdpAKUeYss6S/uSYPt9ebGhMZaV/8FUb4zLuSjCuN5dNnUTb1Sl7XaaR4vAwXTISHT7HvNh3mdT5OXnBgo3cG5FGblYkF0BP2Z7VEG2wxU6OZnkX5/DWCfBNmnAUbYnNzacfyE5whYsK5hLt2Cu5v9wftEDwVKTzYx3bX7/9TKgw3wTgrczQmTKSqCmico6ja1x/ouYaYVN+rNUw/9IAvXbFOy39K7JsmQMiPCdITHXOVO6SknVMsMVVT8u7T+dIDFaGsTvv19ith/hRSdnDFY55qVW+/9xhe+AFC8TYK1lc256+ReiVJrGNzH9UprCQQRE3rZTAcBealjdrU0xuKZQm2NrvJVgDjSxSNtvOhop7UR6iabyDvhOMAwQ2BqslKZN7BIoAisoWSWyysQPA3xYftpCJi0g+b4nrK8j86RtXln9GXxoZWGkA23YQg7wt8EyDXAlCFs6WRpyqUa1WZmrnRedZeswkWZBzizqSAnPANgPmu/Tm8jwW2D8RPSDxyq2tfdk21L/jrj4vQ4ty2LRV8PivisVkyH6l1p3IrgLDo=
template:
data: null
metadata:
creationTimestamp: null
name: pihole-secret
namespace: dns


@ -0,0 +1,116 @@
apiVersion: v1
kind: Namespace
metadata:
name: portal
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: heimdall-pvc
namespace: portal
spec:
storageClassName: longhorn-static
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: heimdall
namespace: portal
labels:
app: heimdall
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
revisionHistoryLimit: 1
strategy:
type: Recreate
selector:
matchLabels:
app: heimdall
template:
metadata:
labels:
app: heimdall
spec:
containers:
- name: heimdall
image: lscr.io/linuxserver/heimdall:latest
imagePullPolicy: IfNotPresent
ports:
- name: svc-ui
containerPort: 80
protocol: TCP
volumeMounts:
- name: heimdall
mountPath: /config
# - name: heimdall-config
# mountPath: /config/www/.env
# subPath: .env
# - name: heimdall-config
# mountPath: /config/www/app.sqlite
# subPath: empty.sqlite
volumes:
- name: heimdall
persistentVolumeClaim:
claimName: heimdall-pvc
# - name: heimdall-config
# secret:
# secretName: heimdall
---
apiVersion: v1
kind: Service
metadata:
name: heimdall
namespace: portal
spec:
type: ClusterIP
selector:
app: heimdall
ports:
- name: http
port: 80
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: heimdall
namespace: portal
annotations:
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "portal.bhasher.com"
nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method $request_method;
spec:
ingressClassName: nginx
tls:
- hosts:
- portal.bhasher.com
secretName: portal-tls
rules:
- host: portal.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: heimdall
port:
number: 80
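Review bot: `image: lscr.io/linuxserver/heimdall:latest` with `imagePullPolicy: IfNotPresent` means the tag is never re-resolved once a node has it cached, so the running build is whatever was pulled first, may differ between nodes, and never picks up upstream security fixes; the same pattern appears in most Deployments in this commit. Pin the image to a digest (`lscr.io/linuxserver/heimdall@sha256:…`) or a versioned tag and let a bump in git drive updates, so Argo's automated sync rather than a node's image cache decides what runs. A comment on the line, e.g. `# TODO pin to a digest; latest + IfNotPresent never updates`, would at least record the intent.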



@ -0,0 +1,111 @@
apiVersion: v1
kind: Namespace
metadata:
name: timesheet
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: timesheet-pvc
namespace: timesheet
spec:
storageClassName: longhorn-static
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: timesheet
namespace: timesheet
labels:
app: timesheet
spec:
replicas: 1
revisionHistoryLimit: 1
strategy:
type: Recreate
selector:
matchLabels:
app: timesheet
template:
metadata:
labels:
app: timesheet
spec:
nodeSelector:
kubernetes.io/hostname: node0
volumes:
- name: timesheet-data
persistentVolumeClaim:
claimName: timesheet-pvc
- name: timesheet-config
configMap:
name: timesheet-config
containers:
- name: timesheet
image: 192.168.1.201:8443/timesheet:latest
imagePullPolicy: Always
envFrom:
- configMapRef:
name: timesheet-config
volumeMounts:
- name: timesheet-data
mountPath: /data
readOnly: false
---
apiVersion: v1
kind: Service
metadata:
name: timesheet
namespace: timesheet
spec:
type: ClusterIP
selector:
app: timesheet
ports:
- name: https
port: 8080
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: timesheet
namespace: timesheet
annotations:
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "timesheet.bhasher.com"
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method $request_method;
spec:
ingressClassName: "nginx"
tls:
- hosts:
- timesheet.bhasher.com
secretName: timesheet-tls
rules:
- host: timesheet.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: timesheet
port:
number: 8080
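Review bot: The Service port is named `https` but the container serves plain HTTP (`TS_HOST: "0.0.0.0"`, `TS_PORT: "8080"` in the ConfigMap and no `backend-protocol` annotation on the Ingress), so the name misleads anyone reading the manifest and any tooling that infers the protocol from the port name; rename it to `http`. `image: 192.168.1.201:8443/timesheet:latest` is pulled from a registry addressed by IP with `imagePullPolicy: Always`, so every restart depends on the nodes verifying that registry's TLS — if k3s's `registries.yaml` marks it insecure or skips verification, anyone on the LAN who can answer for that address can substitute the image; pin a digest and make sure the registry certificate carries the IP SAN. `nodeSelector: kubernetes.io/hostname: node0` also pins the pod to a single node, which is reasonable for a RWO PVC but deserves a comment.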


@ -0,0 +1,9 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: timesheet-config
namespace: timesheet
data:
TS_DB_PATH: "/data/timesheet.db"
TS_HOST: "0.0.0.0"
TS_PORT: "8080"


@ -0,0 +1,104 @@
apiVersion: v1
kind: Namespace
metadata:
name: wiki
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: wikijs
namespace: wiki
labels:
app: wikijs
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
app: wikijs
template:
metadata:
labels:
app: wikijs
spec:
volumes:
- name: ca
configMap:
name: ca
containers:
- name: wikijs
image: ghcr.io/requarks/wiki:latest
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: wikijs
- secretRef:
name: wikijs
volumeMounts:
- name: ca
mountPath: /certs
readOnly: true
ports:
- name: http
containerPort: 3000
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: http
failureThreshold: 2
periodSeconds: 10
startupProbe:
httpGet:
path: /healthz
port: http
failureThreshold: 24
periodSeconds: 5
---
apiVersion: v1
kind: Service
metadata:
name: wikijs
namespace: wiki
spec:
type: ClusterIP
selector:
app: wikijs
ports:
- name: http
port: 3000
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wikijs
namespace: wiki
annotations:
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "wiki.bhasher.com"
spec:
ingressClassName: nginx-external
tls:
- hosts:
- wiki.bhasher.com
secretName: wikijs-tls
rules:
- host: wiki.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: wikijs
port:
number: 3000
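Review bot: `wiki.bhasher.com` is published on `ingressClassName: nginx-external` without the `auth-url`/`auth-signin` annotations used by the other protected hosts in this commit, so the Wiki.js login and admin UI are reachable from the internet with only Wiki.js's own authentication in front. If a public wiki is intended that is fine, but make it explicit with `# intentionally public: no forward-auth, Wiki.js handles login` and add brute-force protection at the edge, e.g. `nginx.ingress.kubernetes.io/limit-rps: "5"`, or a forward-auth bypass rule for read-only paths. The container has no `securityContext` (`runAsNonRoot`, `allowPrivilegeEscalation: false`) and no resource limits despite being the most exposed workload here. Mounting the internal CA through `NODE_EXTRA_CA_CERTS` is the right approach and is worth reusing for the other apps that talk to internal TLS endpoints instead of disabling verification.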


@ -0,0 +1,64 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: ca
namespace: wiki
data:
bhasherCA.pem : |
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,13 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: wikijs
namespace: wiki
data:
DB_TYPE: postgres
DB_HOST: postgres.storage.svc.cluster.local
DB_PORT: "5432"
DB_USER: wikijs
DB_NAME: wikijs
HA_ACTIVE: "true"
NODE_EXTRA_CA_CERTS: "/certs/bhasherCA.pem"


@ -0,0 +1,16 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: wikijs
namespace: wiki
spec:
encryptedData:
DB_PASS: AgAmxq0znbcp/J6U599KIa1LLOBGrFSsAmBusC86oKhvvibXrZjSWGuCaRTLzNIvwDc6ObJayYvuxNuyVGppax+UD3E0s+nu5qGWSpwBS6y/uoTB3lSD2hrdfWEzS84/V/DQNQKLvTJySMBqmccL31CoHIvHOYgg/mPs5AslRvW3XBzWbqRNHvdOwECWVqD/p/HG4fYI+Tq87/9wBkDVxr7/w0bLEwWV2n5scYSjP2DxNBAIVrn74A7EYtRFBlleIDIKHfaSMx3AWUzKU7MhqO+YDP/NLB9jTiDF2adIpzPs4k6zMWdNXZTwUKK6PZWDoepOLJESyAx/iWt9EfGQphhKCzggFnzKTnBGwPc3RaYkBjmRE+Y0dZPVpKyC3IU4/cJXc5U9rCUqxv6B5ZBAmq8zYLIpMBTRlwFKz0s0j0B3Os9K04c63U5G51vfrDxYrqiAMeJZakkFwTVLOKWR0KpnAdFVcVlbL+lq/9Pdxl7DMnpdTD92tVqCppGvWpie3p6ZOPL8lcPjHTp+qgY+vg/gVhw/BSyWQz5nnspMwVqloh77WIIGOemBBziUAVom2CbROgaPPHl4dhXLj7NgminF6QOEPY0FA7d9YSvgKgiXkvTcwhwvJJQcKCB1S/ubBWGyUHYsnqoLwbsXtzfkun4rxhgRc6o4TlF/fhb59AMeeLjXiNPKNWdJbxB1ZRpQsz7M1fEOJbzshSp90ptodoqghLTEzJkUbnluXgHH15VIxU/VS9IvLLDUmZvNAQF+RdSmVrM44oRx3ND/kOvOYUcx
template:
data: null
metadata:
creationTimestamp: null
name: wikijs
namespace: wiki


@ -0,0 +1,121 @@
apiVersion: v1
kind: Namespace
metadata:
name: wireguard
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: wireguard
namespace: wireguard
labels:
app: wireguard
annotations:
reloader.stakater.com/auto: "true"
spec:
selector:
matchLabels:
app: wireguard
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
template:
metadata:
labels:
app: wireguard
spec:
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app: wireguard
restartPolicy: Always
initContainers:
- name: init
image: busybox:1.32.0
command:
- sh
- -c
- sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1
securityContext:
privileged: true
capabilities:
add:
- NET_ADMIN
containers:
- name: wireguard
image: masipcat/wireguard-go:latest
securityContext:
privileged: true
capabilities:
add:
- NET_ADMIN
ports:
- containerPort: 51820
protocol: UDP
command:
- sh
- -c
- /entrypoint.sh
env:
- name: LOG_LEVEL
value: info
resources:
requests:
memory: "64Mi"
cpu: "150m"
limits:
memory: "128Mi"
volumeMounts:
- name: wireguard-config
mountPath: /etc/wireguard/wg0.key
subPath: wg0.key
readOnly: true
- name: wireguard-config
mountPath: /etc/wireguard/wg0.conf
subPath: wg0.conf
readOnly: true
volumes:
- name: wireguard-config
secret:
secretName: wireguard
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: wg-pdb
namespace: wireguard
spec:
minAvailable: 1
selector:
matchLabels:
app: wireguard
---
apiVersion: v1
kind: Service
metadata:
name: wireguard
namespace: wireguard
labels:
app: wireguard
annotations:
metallb.universe.tf/loadBalancerIPs: 192.168.1.210
metallb.universe.tf/allow-shared-ip: "management-192.168.1.210"
spec:
type: LoadBalancer
externalTrafficPolicy: Cluster
selector:
app: wireguard
ports:
- name: vpn
port: 51820
protocol: UDP
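Review bot: The wireguard container sets `privileged: true` and also adds `NET_ADMIN`, which is redundant — privileged already grants every capability and all host devices and disables the default seccomp/AppArmor profiles; the same applies to the init container, which only runs two `sysctl -w` commands. wireguard-go needs `NET_ADMIN` plus `/dev/net/tun`; drop `privileged` and provide the tun device explicitly (a hostPath to `/dev/net/tun` with `NET_ADMIN` is the usual pattern), and set the forwarding sysctls through `spec.securityContext.sysctls` (`net.ipv4.ip_forward` is namespaced but not on the kubelet safe list, so it needs `--allowed-unsafe-sysctls` on the nodes) rather than a privileged init container. `busybox:1.32.0` is pinned but `masipcat/wireguard-go:latest` is not, and this pod holds the VPN private key (`wg0.key`), so pin it to a digest. Since this is a DaemonSet behind a single MetalLB IP with `externalTrafficPolicy: Cluster`, the same key and config run on every node; note in a comment that this is intended.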



@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: cron
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/apps/cron/
destination:
server: https://kubernetes.default.svc
namespace: cron
syncPolicy:
automated:
prune: true


@ -0,0 +1,29 @@
# apiVersion: argoproj.io/v1alpha1
# kind: Application
# metadata:
# namespace: devops
# name: jupyterhub
# spec:
# project: k3pi
# source:
# #chart: jupyterhub
# repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
# path: services/apps/jupyterhub
# # repoURL: https://jupyterhub.github.io/helm-chart # /index.yaml
# targetRevision: 1.2.0
# helm:
# valueFiles:
# - values.yaml
# # releaseName: jupyterhub
# # repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
# #targetRevision: HEAD
# # path: services/apps/jupyterhub/
# destination:
# server: https://kubernetes.default.svc
# namespace: jupyterhub
# syncPolicy:
# automated:
# prune: true


@ -0,0 +1,21 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: media-server
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/apps/media-server/
directory:
recurse: true
destination:
server: https://kubernetes.default.svc
namespace: media-server
syncPolicy:
automated:
prune: true


@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: timesheet
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/apps/timesheet/
destination:
server: https://kubernetes.default.svc
namespace: timesheet
syncPolicy:
automated:
prune: true


@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: argo
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/argo/
destination:
server: https://kubernetes.default.svc
namespace: devops
syncPolicy:
automated:
prune: true


@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: cert-manager
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/utils/cert-manager
destination:
server: https://kubernetes.default.svc
namespace: cert-manager
syncPolicy:
automated:
prune: true


@ -0,0 +1,22 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: cloud
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/apps/cloud/
directory:
recurse: true
destination:
server: https://kubernetes.default.svc
namespace: cloud
syncPolicy:
automated:
prune: true


@ -0,0 +1,22 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: devops
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/utils/devops
directory:
recurse: true
destination:
server: https://kubernetes.default.svc
namespace: devops
syncPolicy:
automated:
prune: true


@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: external-endpoints
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/apps/external-endpoints/
destination:
server: https://kubernetes.default.svc
namespace: external-endpoints
syncPolicy:
automated:
prune: true


@ -0,0 +1,19 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: git
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/apps/git/
destination:
server: https://kubernetes.default.svc
namespace: git
syncPolicy:
automated:
prune: true


@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: hass
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/apps/hass/
destination:
server: https://kubernetes.default.svc
namespace: hass
syncPolicy:
automated:
prune: true


@ -0,0 +1,22 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: idp
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/utils/idp/
directory:
recurse: true
destination:
server: https://kubernetes.default.svc
namespace: idp
syncPolicy:
automated:
prune: true


@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: ingress-nginx
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/utils/ingress-nginx/
destination:
server: https://kubernetes.default.svc
namespace: ingress-nginx
syncPolicy:
automated:
prune: true


@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: longhorn
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/utils/longhorn
destination:
server: https://kubernetes.default.svc
namespace: longhorn-system
syncPolicy:
automated:
prune: true


@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: metallb
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/utils/metallb/
destination:
server: https://kubernetes.default.svc
namespace: metallb-system
syncPolicy:
automated:
prune: true


@ -0,0 +1,23 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: monitoring
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/utils/monitoring/
directory:
recurse: true
exclude: "custom-ressources/*"
destination:
server: https://kubernetes.default.svc
namespace: monitoring
syncPolicy:
automated:
prune: true


@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: pihole
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/apps/pihole/
destination:
server: https://kubernetes.default.svc
namespace: dns
syncPolicy:
automated:
prune: true


@ -0,0 +1,19 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: portal
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/apps/portal/
destination:
server: https://kubernetes.default.svc
namespace: portal
syncPolicy:
automated:
prune: true


@ -0,0 +1,15 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: k3pi
namespace: devops
spec:
clusterResourceWhitelist:
- group: '*'
kind: '*'
destinations:
- name: '*'
namespace: '*'
server: 'https://kubernetes.default.svc'
sourceRepos:
- https://git.bhasher.com/Bhasher/K3Pi
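Review bot: The `k3pi` project allows every cluster-scoped kind (`clusterResourceWhitelist` with group and kind `'*'`) and every destination namespace (`namespace: '*'`), so any Application in it can create ClusterRoleBindings, CRDs or objects in kube-system; a mistaken or tampered manifest in the repository therefore has cluster-admin reach. The Applications in this commit target a known set of namespaces, so narrowing `destinations` to those and whitelisting only the cluster kinds the manifests actually need (judging from the cert-manager files: Namespace, ClusterRole, ClusterRoleBinding, CustomResourceDefinition, ClusterIssuer and the admission webhook configurations) would contain the blast radius. The `sourceRepos` entry lacks the `.git` suffix that the Applications use; Argo CD normalizes repository URLs so this should still match, but keeping the two identical avoids depending on that.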


@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: sealed-secret
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/utils/sealed-secrets
destination:
server: https://kubernetes.default.svc
namespace: kube-system
syncPolicy:
automated:
prune: true


@ -0,0 +1,22 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: storage
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/utils/storage/
directory:
recurse: true
destination:
server: https://kubernetes.default.svc
namespace: storage
syncPolicy:
automated:
prune: true


@ -0,0 +1,18 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: wiki
namespace: devops
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/apps/wiki/
destination:
server: https://kubernetes.default.svc
namespace: wiki
syncPolicy:
automated:
prune: true


@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
namespace: devops
name: wireguard
spec:
project: k3pi
source:
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
targetRevision: HEAD
path: services/apps/wireguard/
destination:
server: https://kubernetes.default.svc
namespace: wireguard
syncPolicy:
automated:
prune: true


@ -0,0 +1,349 @@
# Copyright 2021 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: bhasherca-k3s-issuer
spec:
ca:
secretName: bhasherca-k3s-key-pair
---
# Source: cert-manager/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: cert-manager
namespace: "cert-manager"
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
spec:
type: ClusterIP
ports:
- protocol: TCP
port: 9402
name: tcp-prometheus-servicemonitor
targetPort: 9402
selector:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
---
# Source: cert-manager/templates/webhook-service.yaml
apiVersion: v1
kind: Service
metadata:
name: cert-manager-webhook
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
app.kubernetes.io/version: "v1.8.2"
spec:
type: ClusterIP
ports:
- name: https
port: 443
protocol: TCP
targetPort: "https"
selector:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
---
# Source: cert-manager/templates/cainjector-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: cert-manager-cainjector
namespace: "cert-manager"
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
app.kubernetes.io/version: "v1.8.2"
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
template:
metadata:
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
app.kubernetes.io/version: "v1.8.2"
spec:
serviceAccountName: cert-manager-cainjector
securityContext:
runAsNonRoot: true
containers:
- name: cert-manager
image: "quay.io/jetstack/cert-manager-cainjector:v1.8.2"
imagePullPolicy: IfNotPresent
args:
- --v=2
- --leader-election-namespace=kube-system
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
---
# Source: cert-manager/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: cert-manager
namespace: "cert-manager"
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
template:
metadata:
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
annotations:
prometheus.io/path: "/metrics"
prometheus.io/scrape: 'true'
prometheus.io/port: '9402'
spec:
serviceAccountName: cert-manager
securityContext:
runAsNonRoot: true
containers:
- name: cert-manager
image: "quay.io/jetstack/cert-manager-controller:v1.8.2"
imagePullPolicy: IfNotPresent
args:
- --v=2
- --cluster-resource-namespace=$(POD_NAMESPACE)
- --leader-election-namespace=kube-system
ports:
- containerPort: 9402
name: http-metrics
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
nodeSelector:
kubernetes.io/os: linux
---
# Source: cert-manager/templates/webhook-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: cert-manager-webhook
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
app.kubernetes.io/version: "v1.8.2"
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
template:
metadata:
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
app.kubernetes.io/version: "v1.8.2"
spec:
serviceAccountName: cert-manager-webhook
securityContext:
runAsNonRoot: true
containers:
- name: cert-manager
image: "quay.io/jetstack/cert-manager-webhook:v1.8.2"
imagePullPolicy: IfNotPresent
args:
- --v=2
- --secure-port=10250
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
- --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
ports:
- name: https
protocol: TCP
containerPort: 10250
livenessProbe:
httpGet:
path: /livez
port: 6080
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /healthz
port: 6080
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 1
successThreshold: 1
failureThreshold: 3
securityContext:
allowPrivilegeEscalation: false
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
nodeSelector:
kubernetes.io/os: linux
---
# Source: cert-manager/templates/webhook-mutating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: cert-manager-webhook
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
app.kubernetes.io/version: "v1.8.2"
annotations:
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
webhooks:
- name: webhook.cert-manager.io
rules:
- apiGroups:
- "cert-manager.io"
- "acme.cert-manager.io"
apiVersions:
- "v1"
operations:
- CREATE
- UPDATE
resources:
- "*/*"
admissionReviewVersions: ["v1"]
# This webhook only accepts v1 cert-manager resources.
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
# this webhook (after the resources have been converted to v1).
matchPolicy: Equivalent
timeoutSeconds: 10
failurePolicy: Fail
# Only include 'sideEffects' field in Kubernetes 1.12+
sideEffects: None
clientConfig:
service:
name: cert-manager-webhook
namespace: "cert-manager"
path: /mutate
---
# Source: cert-manager/templates/webhook-validating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: cert-manager-webhook
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
app.kubernetes.io/version: "v1.8.2"
annotations:
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
webhooks:
- name: webhook.cert-manager.io
namespaceSelector:
matchExpressions:
- key: "cert-manager.io/disable-validation"
operator: "NotIn"
values:
- "true"
- key: "name"
operator: "NotIn"
values:
- cert-manager
rules:
- apiGroups:
- "cert-manager.io"
- "acme.cert-manager.io"
apiVersions:
- "v1"
operations:
- CREATE
- UPDATE
resources:
- "*/*"
admissionReviewVersions: ["v1"]
# This webhook only accepts v1 cert-manager resources.
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
# this webhook (after the resources have been converted to v1).
matchPolicy: Equivalent
timeoutSeconds: 10
failurePolicy: Fail
sideEffects: None
clientConfig:
service:
name: cert-manager-webhook
namespace: "cert-manager"
path: /validate
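Review bot: The `ClusterIssuer` near the top of this file references `secretName: bhasherca-k3s-key-pair`, which is created nowhere in this file; since the controller runs with `--cluster-resource-namespace=$(POD_NAMESPACE)`, that Secret has to exist in the `cert-manager` namespace or the issuer never becomes Ready, and whoever can read Secrets in that namespace can mint certificates the cluster trusts. A comment above the ClusterIssuer documenting where the CA key pair comes from would help, e.g. `# CA key pair is provisioned out of band (never committed); must exist as Secret cert-manager/bhasherca-k3s-key-pair`. The ClusterIssuer is also a custom resource shipped in the same file as the core cert-manager Deployments, so its apply depends on the CRDs and the validating webhook already being installed; if Argo CD's kind ordering is what makes this work, it is worth saying so in a comment rather than leaving it implicit. Everything after the ClusterIssuer appears to be upstream v1.8.2 output and is not reviewed here.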



@ -0,0 +1,26 @@
# Copyright 2021 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Source: cert-manager/templates/webhook-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: cert-manager-webhook
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
data:


@ -0,0 +1,759 @@
# Copyright 2021 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Source: cert-manager/templates/cainjector-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
name: cert-manager-cainjector
namespace: "cert-manager"
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
app.kubernetes.io/version: "v1.8.2"
---
# Source: cert-manager/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
name: cert-manager
namespace: "cert-manager"
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
---
# Source: cert-manager/templates/webhook-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: true
metadata:
name: cert-manager-webhook
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
app.kubernetes.io/version: "v1.8.2"
---
# Source: cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-cainjector
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
app.kubernetes.io/version: "v1.8.2"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "create", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["apiregistration.k8s.io"]
resources: ["apiservices"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch", "update"]
---
# Source: cert-manager/templates/rbac.yaml
# Issuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-issuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "issuers/status"]
verbs: ["update", "patch"]
- apiGroups: ["cert-manager.io"]
resources: ["issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
# Source: cert-manager/templates/rbac.yaml
# ClusterIssuer controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-clusterissuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "clusterissuers/status"]
verbs: ["update", "patch"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
# Source: cert-manager/templates/rbac.yaml
# Certificates controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-certificates
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
verbs: ["update", "patch"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["cert-manager.io"]
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders"]
verbs: ["create", "delete", "get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
# Source: cert-manager/templates/rbac.yaml
# Orders controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-orders
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
rules:
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "orders/status"]
verbs: ["update", "patch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders", "challenges"]
verbs: ["get", "list", "watch"]
- apiGroups: ["cert-manager.io"]
resources: ["clusterissuers", "issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["create", "delete"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["acme.cert-manager.io"]
resources: ["orders/finalizers"]
verbs: ["update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
# Source: cert-manager/templates/rbac.yaml
# Challenges controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-challenges
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
rules:
# Use to update challenge resource status
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "challenges/status"]
verbs: ["update", "patch"]
# Used to watch challenge resources
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges"]
verbs: ["get", "list", "watch"]
# Used to watch challenges, issuer and clusterissuer resources
- apiGroups: ["cert-manager.io"]
resources: ["issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
# Need to be able to retrieve ACME account private key to complete challenges
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
# Used to create events
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
# HTTP01 rules
- apiGroups: [""]
resources: ["pods", "services"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: [ "gateway.networking.k8s.io" ]
resources: [ "httproutes" ]
verbs: ["get", "list", "watch", "create", "delete", "update"]
# We require the ability to specify a custom hostname when we are creating
# new ingress resources.
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
- apiGroups: ["route.openshift.io"]
resources: ["routes/custom-host"]
verbs: ["create"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges/finalizers"]
verbs: ["update"]
# DNS01 rules (duplicated above)
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
---
# Source: cert-manager/templates/rbac.yaml
# ingress-shim controller role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-ingress-shim
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests"]
verbs: ["create", "update", "delete"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
# admission controller enabled:
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses/finalizers"]
verbs: ["update"]
- apiGroups: ["gateway.networking.k8s.io"]
resources: ["gateways", "httproutes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["gateway.networking.k8s.io"]
resources: ["gateways/finalizers", "httproutes/finalizers"]
verbs: ["update"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
---
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-view
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "orders"]
verbs: ["get", "list", "watch"]
---
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-edit
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["certificates", "certificaterequests", "issuers"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates/status"]
verbs: ["update"]
- apiGroups: ["acme.cert-manager.io"]
resources: ["challenges", "orders"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
---
# Source: cert-manager/templates/rbac.yaml
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-approve:cert-manager-io
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cert-manager"
app.kubernetes.io/version: "v1.8.2"
rules:
- apiGroups: ["cert-manager.io"]
resources: ["signers"]
verbs: ["approve"]
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
---
# Source: cert-manager/templates/rbac.yaml
# Permission to:
# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-controller-certificatesigningrequests
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cert-manager"
app.kubernetes.io/version: "v1.8.2"
rules:
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests/status"]
verbs: ["update", "patch"]
- apiGroups: ["certificates.k8s.io"]
resources: ["signers"]
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
verbs: ["sign"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
---
# Source: cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager-webhook:subjectaccessreviews
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
app.kubernetes.io/version: "v1.8.2"
rules:
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
---
# Source: cert-manager/templates/cainjector-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-cainjector
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
app.kubernetes.io/version: "v1.8.2"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-cainjector
subjects:
- name: cert-manager-cainjector
namespace: "cert-manager"
kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-issuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-issuers
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-clusterissuers
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-clusterissuers
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-certificates
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-certificates
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-orders
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-orders
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-challenges
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-challenges
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-ingress-shim
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-ingress-shim
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-approve:cert-manager-io
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cert-manager"
app.kubernetes.io/version: "v1.8.2"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-approve:cert-manager-io
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount
---
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-controller-certificatesigningrequests
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cert-manager"
app.kubernetes.io/version: "v1.8.2"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-controller-certificatesigningrequests
subjects:
- name: cert-manager
namespace: "cert-manager"
kind: ServiceAccount
---
# Source: cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager-webhook:subjectaccessreviews
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
app.kubernetes.io/version: "v1.8.2"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-webhook:subjectaccessreviews
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook
namespace: cert-manager
---
# Source: cert-manager/templates/cainjector-rbac.yaml
# leader election rules
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-manager-cainjector:leaderelection
namespace: kube-system
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
app.kubernetes.io/version: "v1.8.2"
rules:
# Used for leader election by the controller
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
# see cmd/cainjector/start.go#L113
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
# see cmd/cainjector/start.go#L137
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
verbs: ["get", "update", "patch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["create"]
---
# Source: cert-manager/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-manager:leaderelection
namespace: kube-system
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
rules:
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
resourceNames: ["cert-manager-controller"]
verbs: ["get", "update", "patch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["create"]
---
# Source: cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-manager-webhook:dynamic-serving
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
app.kubernetes.io/version: "v1.8.2"
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames:
- 'cert-manager-webhook-ca'
verbs: ["get", "list", "watch", "update"]
# It's not possible to grant CREATE permission on a single resourceName.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
---
# Source: cert-manager/templates/cainjector-rbac.yaml
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-manager-cainjector:leaderelection
namespace: kube-system
labels:
app: cainjector
app.kubernetes.io/name: cainjector
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "cainjector"
app.kubernetes.io/version: "v1.8.2"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-cainjector:leaderelection
subjects:
- kind: ServiceAccount
name: cert-manager-cainjector
namespace: cert-manager
---
# Source: cert-manager/templates/rbac.yaml
# grant cert-manager permission to manage the leaderelection configmap in the
# leader election namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-manager:leaderelection
namespace: kube-system
labels:
app: cert-manager
app.kubernetes.io/name: cert-manager
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "controller"
app.kubernetes.io/version: "v1.8.2"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager:leaderelection
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager
namespace: cert-manager
---
# Source: cert-manager/templates/webhook-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-manager-webhook:dynamic-serving
namespace: "cert-manager"
labels:
app: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: "webhook"
app.kubernetes.io/version: "v1.8.2"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-webhook:dynamic-serving
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook
namespace: cert-manager



@ -0,0 +1,986 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/part-of: argocd-applicationset
annotations:
reloader.stakater.com/auto: "true"
name: argocd-applicationset-controller
namespace: devops
spec:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
app.kubernetes.io/name: argocd-applicationset-controller
template:
metadata:
labels:
app.kubernetes.io/name: argocd-applicationset-controller
spec:
containers:
- command:
- entrypoint.sh
- applicationset-controller
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: ghcr.io/jr64/argocd-applicationset:v0.4.0 # quay.io/argoproj/argocd-applicationset:v0.4.1
imagePullPolicy: Always
name: argocd-applicationset-controller
ports:
- containerPort: 7000
name: webhook
volumeMounts:
- mountPath: /app/config/ssh
name: ssh-known-hosts
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/gpg/source
name: gpg-keys
- mountPath: /app/config/gpg/keys
name: gpg-keyring
serviceAccountName: argocd-applicationset-controller
volumes:
- configMap:
name: argocd-ssh-known-hosts-cm
name: ssh-known-hosts
- configMap:
name: argocd-tls-certs-cm
name: tls-certs
- configMap:
name: argocd-gpg-keys-cm
name: gpg-keys
- emptyDir: {}
name: gpg-keyring
---
# apiVersion: apps/v1
# kind: Deployment
# metadata:
# labels:
# app.kubernetes.io/component: dex-server
# app.kubernetes.io/name: argocd-dex-server
# app.kubernetes.io/part-of: argocd
# name: argocd-dex-server
# namespace: devops
# spec:
# selector:
# matchLabels:
# app.kubernetes.io/name: argocd-dex-server
# template:
# metadata:
# labels:
# app.kubernetes.io/name: argocd-dex-server
# spec:
# affinity:
# podAntiAffinity:
# preferredDuringSchedulingIgnoredDuringExecution:
# - podAffinityTerm:
# labelSelector:
# matchLabels:
# app.kubernetes.io/part-of: argocd
# topologyKey: kubernetes.io/hostname
# weight: 5
# containers:
# - command:
# - /shared/argocd-dex
# - rundex
# image: ghcr.io/dexidp/dex:v2.30.2
# imagePullPolicy: Always
# name: dex
# ports:
# - containerPort: 5556
# - containerPort: 5557
# - containerPort: 5558
# securityContext:
# allowPrivilegeEscalation: false
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# volumeMounts:
# - mountPath: /shared
# name: static-files
# - mountPath: /tmp
# name: dexconfig
# initContainers:
# - command:
# - cp
# - -n
# - /usr/local/bin/argocd
# - /shared/argocd-dex
# image: quay.io/argoproj/argocd:v2.3.4
# imagePullPolicy: Always
# name: copyutil
# volumeMounts:
# - mountPath: /shared
# name: static-files
# - mountPath: /tmp
# name: dexconfig
# serviceAccountName: argocd-dex-server
# volumes:
# - emptyDir: {}
# name: static-files
# - emptyDir: {}
# name: dexconfig
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: argocd-notifications-controller
namespace: devops
spec:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
app.kubernetes.io/name: argocd-notifications-controller
strategy:
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/name: argocd-notifications-controller
spec:
containers:
- command:
- argocd-notifications
image: quay.io/argoproj/argocd:v2.3.4
imagePullPolicy: Always
livenessProbe:
tcpSocket:
port: 9001
name: argocd-notifications-controller
volumeMounts:
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/reposerver/tls
name: argocd-repo-server-tls
workingDir: /app
securityContext:
runAsNonRoot: true
serviceAccountName: argocd-notifications-controller
volumes:
- configMap:
name: argocd-tls-certs-cm
name: tls-certs
- name: argocd-repo-server-tls
secret:
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-repo-server-tls
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
name: argocd-repo-server
namespace: devops
spec:
selector:
matchLabels:
app.kubernetes.io/name: argocd-repo-server
template:
metadata:
labels:
app.kubernetes.io/name: argocd-repo-server
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-repo-server
topologyKey: kubernetes.io/hostname
weight: 100
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/part-of: argocd
topologyKey: kubernetes.io/hostname
weight: 5
automountServiceAccountToken: false
containers:
- command:
- entrypoint.sh
- argocd-repo-server
- --redis
- redis.storage:6379
env:
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
key: timeout.reconciliation
name: argocd-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: reposerver.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: reposerver.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_TLS
valueFrom:
configMapKeyRef:
key: reposerver.disable.tls
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MIN_VERSION
valueFrom:
configMapKeyRef:
key: reposerver.tls.minversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MAX_VERSION
valueFrom:
configMapKeyRef:
key: reposerver.tls.maxversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_CIPHERS
valueFrom:
configMapKeyRef:
key: reposerver.tls.ciphers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: reposerver.repo.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
key: redis.server
name: argocd-cmd-params-cm
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
key: redis.db
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: reposerver.default.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: HELM_CACHE_HOME
value: /helm-working-dir
- name: HELM_CONFIG_HOME
value: /helm-working-dir
- name: HELM_DATA_HOME
value: /helm-working-dir
image: quay.io/argoproj/argocd:v2.3.4
imagePullPolicy: Always
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz?full=true
port: 8084
initialDelaySeconds: 30
periodSeconds: 5
name: argocd-repo-server
ports:
- containerPort: 8081
- containerPort: 8084
readinessProbe:
httpGet:
path: /healthz
port: 8084
initialDelaySeconds: 5
periodSeconds: 10
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
volumeMounts:
- mountPath: /app/config/ssh
name: ssh-known-hosts
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/gpg/source
name: gpg-keys
- mountPath: /app/config/gpg/keys
name: gpg-keyring
- mountPath: /app/config/reposerver/tls
name: argocd-repo-server-tls
- mountPath: /tmp
name: tmp
- mountPath: /helm-working-dir
name: helm-working-dir
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
initContainers:
- command:
- cp
- -n
- /usr/local/bin/argocd
- /var/run/argocd/argocd-cmp-server
image: quay.io/argoproj/argocd:v2.3.4
name: copyutil
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
volumes:
- configMap:
name: argocd-ssh-known-hosts-cm
name: ssh-known-hosts
- configMap:
name: argocd-tls-certs-cm
name: tls-certs
- configMap:
name: argocd-gpg-keys-cm
name: gpg-keys
- emptyDir: {}
name: gpg-keyring
- emptyDir: {}
name: tmp
- emptyDir: {}
name: helm-working-dir
- name: argocd-repo-server-tls
secret:
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-repo-server-tls
- emptyDir: {}
name: var-files
- emptyDir: {}
name: plugins
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: server
app.kubernetes.io/name: argocd-server
app.kubernetes.io/part-of: argocd
name: argocd-server
namespace: devops
spec:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
app.kubernetes.io/name: argocd-server
template:
metadata:
labels:
app.kubernetes.io/name: argocd-server
spec:
containers:
- command:
- argocd-server
- --insecure
# - --auth-mode sso
env:
- name: ARGOCD_SERVER_INSECURE
valueFrom:
configMapKeyRef:
key: server.insecure
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_BASEHREF
valueFrom:
configMapKeyRef:
key: server.basehref
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_ROOTPATH
valueFrom:
configMapKeyRef:
key: server.rootpath
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: server.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: server.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_REPO_SERVER
valueFrom:
configMapKeyRef:
key: repo.server
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_DEX_SERVER
valueFrom:
configMapKeyRef:
key: server.dex.server
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_DISABLE_AUTH
valueFrom:
configMapKeyRef:
key: server.disable.auth
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_ENABLE_GZIP
valueFrom:
configMapKeyRef:
key: server.enable.gzip
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_REPO_SERVER_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
key: server.repo.server.timeout.seconds
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_X_FRAME_OPTIONS
valueFrom:
configMapKeyRef:
key: server.x.frame.options
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_REPO_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
key: server.repo.server.plaintext
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_REPO_SERVER_STRICT_TLS
valueFrom:
configMapKeyRef:
key: server.repo.server.strict.tls
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MIN_VERSION
valueFrom:
configMapKeyRef:
key: server.tls.minversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MAX_VERSION
valueFrom:
configMapKeyRef:
key: server.tls.maxversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_CIPHERS
valueFrom:
configMapKeyRef:
key: server.tls.ciphers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_CONNECTION_STATUS_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: server.connection.status.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_OIDC_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: server.oidc.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_LOGIN_ATTEMPTS_EXPIRATION
valueFrom:
configMapKeyRef:
key: server.login.attempts.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_SERVER_STATIC_ASSETS
valueFrom:
configMapKeyRef:
key: server.staticassets
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APP_STATE_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: server.app.state.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
key: redis.server
name: argocd-cmd-params-cm
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
key: redis.db
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: server.default.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_MAX_COOKIE_NUMBER
valueFrom:
configMapKeyRef:
key: server.http.cookie.maxnumber
name: argocd-cmd-params-cm
optional: true
image: quay.io/argoproj/argocd:v2.3.4
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /healthz?full=true
port: 8080
initialDelaySeconds: 3
periodSeconds: 30
name: argocd-server
ports:
- containerPort: 8080
- containerPort: 8083
readinessProbe:
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 3
periodSeconds: 30
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
volumeMounts:
- mountPath: /app/config/ssh
name: ssh-known-hosts
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/server/tls
name: argocd-repo-server-tls
- mountPath: /home/argocd
name: plugins-home
- mountPath: /tmp
name: tmp
- mountPath: /etc/ssl/certs/git.bhasher.com.pem
name: tls-certs
subPath: git.bhasher.com
serviceAccountName: argocd-server
volumes:
- emptyDir: {}
name: plugins-home
- emptyDir: {}
name: tmp
- emptyDir: {}
name: static-files
- configMap:
name: argocd-ssh-known-hosts-cm
name: ssh-known-hosts
- configMap:
name: argocd-tls-certs-cm
name: tls-certs
- name: argocd-repo-server-tls
secret:
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-repo-server-tls
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
app.kubernetes.io/component: application-controller
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/part-of: argocd
name: argocd-application-controller
namespace: devops
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: argocd-application-controller
serviceName: argocd-application-controller
template:
metadata:
labels:
app.kubernetes.io/name: argocd-application-controller
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-application-controller
topologyKey: kubernetes.io/hostname
weight: 100
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/part-of: argocd
topologyKey: kubernetes.io/hostname
weight: 5
containers:
- command:
- argocd-application-controller
env:
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
key: timeout.reconciliation
name: argocd-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
valueFrom:
configMapKeyRef:
key: repo.server
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
key: controller.repo.server.timeout.seconds
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS
valueFrom:
configMapKeyRef:
key: controller.status.processors
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS
valueFrom:
configMapKeyRef:
key: controller.operation.processors
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: controller.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: controller.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: controller.metrics.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
key: controller.self.heal.timeout.seconds
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
key: controller.repo.server.plaintext
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS
valueFrom:
configMapKeyRef:
key: controller.repo.server.strict.tls
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APP_STATE_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: controller.app.state.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
key: redis.server
name: argocd-cmd-params-cm
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
key: redis.db
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: controller.default.cache.expiration
name: argocd-cmd-params-cm
optional: true
image: quay.io/argoproj/argocd:v2.3.4
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /healthz
port: 8082
initialDelaySeconds: 5
periodSeconds: 10
name: argocd-application-controller
ports:
- containerPort: 8082
readinessProbe:
httpGet:
path: /healthz
port: 8082
initialDelaySeconds: 5
periodSeconds: 10
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
volumeMounts:
- mountPath: /app/config/controller/tls
name: argocd-repo-server-tls
- mountPath: /home/argocd
name: argocd-home
workingDir: /home/argocd
serviceAccountName: argocd-application-controller
volumes:
- emptyDir: {}
name: argocd-home
- name: argocd-repo-server-tls
secret:
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-repo-server-tls
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/part-of: argocd-applicationset
name: argocd-applicationset-controller
namespace: devops
spec:
ports:
- name: webhook
port: 7000
protocol: TCP
targetPort: webhook
selector:
app.kubernetes.io/name: argocd-applicationset-controller
---
# apiVersion: v1
# kind: Service
# metadata:
# labels:
# app.kubernetes.io/component: dex-server
# app.kubernetes.io/name: argocd-dex-server
# app.kubernetes.io/part-of: argocd
# name: argocd-dex-server
# namespace: devops
# spec:
# ports:
# - name: http
# port: 5556
# protocol: TCP
# targetPort: 5556
# - name: grpc
# port: 5557
# protocol: TCP
# targetPort: 5557
# - name: metrics
# port: 5558
# protocol: TCP
# targetPort: 5558
# selector:
# app.kubernetes.io/name: argocd-dex-server
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: metrics
app.kubernetes.io/name: argocd-metrics
app.kubernetes.io/part-of: argocd
name: argocd-metrics
namespace: devops
spec:
ports:
- name: metrics
port: 8082
protocol: TCP
targetPort: 8082
selector:
app.kubernetes.io/name: argocd-application-controller
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: argocd-notifications-controller-metrics
name: argocd-notifications-controller-metrics
namespace: devops
spec:
ports:
- name: metrics
port: 9001
protocol: TCP
targetPort: 9001
selector:
app.kubernetes.io/name: argocd-notifications-controller
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: redis
app.kubernetes.io/name: argocd-redis
app.kubernetes.io/part-of: argocd
name: argocd-redis
namespace: devops
spec:
ports:
- name: tcp-redis
port: 6379
targetPort: 6379
selector:
app.kubernetes.io/name: argocd-redis
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
name: argocd-repo-server
namespace: devops
spec:
ports:
- name: server
port: 8081
protocol: TCP
targetPort: 8081
- name: metrics
port: 8084
protocol: TCP
targetPort: 8084
selector:
app.kubernetes.io/name: argocd-repo-server
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: server
app.kubernetes.io/name: argocd-server
app.kubernetes.io/part-of: argocd
name: argocd-server
namespace: devops
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
- name: https
port: 443
protocol: TCP
targetPort: 8080
selector:
app.kubernetes.io/name: argocd-server
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: server
app.kubernetes.io/name: argocd-server-metrics
app.kubernetes.io/part-of: argocd
name: argocd-server-metrics
namespace: devops
spec:
ports:
- name: metrics
port: 8083
protocol: TCP
targetPort: 8083
selector:
app.kubernetes.io/name: argocd-server
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: argocd
namespace: devops
annotations:
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "argocd.bhasher.com"
spec:
ingressClassName: nginx
tls:
- hosts:
- argocd.bhasher.com
secretName: argocd-tls
rules:
- host: argocd.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: argocd-server
port:
number: 80
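Review bot: The applicationset controller at L4571 runs `ghcr.io/jr64/argocd-applicationset:v0.4.0`, a personal-namespace fork rather than the upstream `quay.io/argoproj` image the trailing comment names, pulled with `imagePullPolicy: Always` on a mutable tag, and it is the only Argo CD container in this file with no `securityContext` at all (repo-server, server and application-controller all drop capabilities and set `readOnlyRootFilesystem`). A fork image holding create/patch rights on Applications is a supply-chain input that should be pinned by digest and hardened like its siblings, as below. `--insecure` on argocd-server (L4948) is acceptable only because TLS terminates at the nginx Ingress (L5498); a comment there, `# --insecure: TLS terminates at the nginx Ingress; the ingress->pod hop is plaintext`, would stop the flag being copied elsewhere. The `static-files` emptyDir on argocd-server (L5146) is not mounted by any container and appears to be a leftover from the commented-out dex deployment.

```yaml
      - command:
        - entrypoint.sh
        - applicationset-controller
        # … unchanged: env …
        # pinned by digest so a re-tagged v0.4.0 cannot silently change what runs
        image: ghcr.io/jr64/argocd-applicationset:v0.4.0@sha256:<DIGEST-OF-VERIFIED-IMAGE>
        imagePullPolicy: IfNotPresent
        name: argocd-applicationset-controller
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          readOnlyRootFilesystem: true
          runAsNonRoot: true
        # … unchanged: ports, volumeMounts …
```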


@ -0,0 +1,146 @@
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/name: argocd-cm
app.kubernetes.io/part-of: argocd
name: argocd-cm
namespace: devops
data:
url: https://argocd.bhasher.com
oidc.config: |
name: Authelia
issuer: https://idp.bhasher.com
sessionExpiry: 24h
clientId: argocd
clientSecret: $oidc.authelia.clientSecret
redirectUrl: https://argo-server/auth/callback
requestedScopes:
- openid
- groups
- email
- profile
insecureSkipVerify: true
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/name: argocd-cmd-params-cm
app.kubernetes.io/part-of: argocd
name: argocd-cmd-params-cm
namespace: devops
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/name: argocd-gpg-keys-cm
app.kubernetes.io/part-of: argocd
name: argocd-gpg-keys-cm
namespace: devops
---
apiVersion: v1
kind: ConfigMap
metadata:
creationTimestamp: null
name: argocd-notifications-cm
namespace: devops
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/name: argocd-rbac-cm
app.kubernetes.io/part-of: argocd
name: argocd-rbac-cm
namespace: devops
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/name: argocd-ssh-known-hosts-cm
app.kubernetes.io/part-of: argocd
name: argocd-ssh-known-hosts-cm
namespace: devops
data:
ssh_known_hosts: |-
bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/name: argocd-tls-certs-cm
app.kubernetes.io/part-of: argocd
name: argocd-tls-certs-cm
namespace: devops
data:
git.bhasher.com: |
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
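Review bot: `insecureSkipVerify: true` in `oidc.config` (L5549) disables certificate verification for every call argocd-server makes to `https://idp.bhasher.com`, so the token exchange that mints Argo CD sessions is open to interception on that path; the issuer is presumably served with a certificate from the private cluster issuer used elsewhere in this commit, in which case the fix is to trust that CA rather than skip verification — the argocd-server deployment already mounts a CA file into `/etc/ssl/certs/` for git (L5137), and the IdP CA can be mounted the same way, after which `insecureSkipVerify` can be dropped. `redirectUrl: https://argo-server/auth/callback` (L5543) also looks inconsistent with `url: https://argocd.bhasher.com`; unless an `argo-server` host really exists the browser callback will fail. Separately, the `github.com ssh-rsa` entry at L5596 appears to be the RSA host key GitHub retired in March 2023, so repo-server will fail host verification on RSA connections to GitHub until that line is replaced with the current key.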


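--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,121 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-application-controller-network-policy
+  namespace: devops
+spec:
+  ingress:
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: 8082
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-application-controller
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-dex-server-network-policy
+  namespace: devops
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    ports:
+    - port: 5556
+      protocol: TCP
+    - port: 5557
+      protocol: TCP
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: 5558
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-dex-server
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-redis-network-policy
+  namespace: devops
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-repo-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    ports:
+    - port: 6379
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-redis
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-repo-server-network-policy
+  namespace: devops
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-notifications-controller
+    ports:
+    - port: 8081
+      protocol: TCP
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: 8084
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-repo-server
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-server-network-policy
+  namespace: devops
+spec:
+  ingress:
+  - {}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-server
+  policyTypes:
+  - Ingress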
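Review bot: `ingress: - {}` on argocd-server-network-policy (L5729) admits traffic from every pod in every namespace on every port, which is wider than this deployment needs: its only external client is the nginx Ingress reaching port 8080, so `from:` can name the ingress controller's namespace and `ports:` can list 8080 (plus 8083 if the metrics Service is scraped); I cannot see the ingress-controller namespace from here, so the selector value below is a placeholder to confirm. The redis policy (L5666) selects `argocd-redis` pods in `devops`, but the components in this commit are started with `--redis redis.storage:6379`, so if redis really lives in `storage` this policy protects nothing and the restriction belongs on that namespace; likewise the dex policy guards a deployment that is commented out. No policy here sets `policyTypes: [Egress]`, so every Argo CD pod can still initiate connections anywhere in the cluster.

```yaml
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: <INGRESS-NGINX-NAMESPACE>
    ports:
    - port: 8080
      protocol: TCP
  # … unchanged: podSelector, policyTypes …
```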

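--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-notifications-secret
+  namespace: devops
+type: Opaque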
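Review bot: `argocd-notifications-secret` is committed as an empty `Opaque` Secret with no `data`, while the OIDC client secret in this same commit is delivered as a SealedSecret; if notification service tokens are later added to this object they will land in git as base64. Either keep it empty with a comment above `type: Opaque` such as `# intentionally empty: populated out-of-band, never commit data here`, or manage it as a SealedSecret like `argocd-secret`.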


@ -0,0 +1,446 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: application-controller
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/part-of: argocd
name: argocd-application-controller
namespace: devops
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/part-of: argocd-applicationset
name: argocd-applicationset-controller
namespace: devops
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: dex-server
app.kubernetes.io/name: argocd-dex-server
app.kubernetes.io/part-of: argocd
name: argocd-dex-server
namespace: devops
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: argocd-notifications-controller
namespace: devops
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: redis
app.kubernetes.io/name: argocd-redis
app.kubernetes.io/part-of: argocd
name: argocd-redis
namespace: devops
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: server
app.kubernetes.io/name: argocd-server
app.kubernetes.io/part-of: argocd
name: argocd-server
namespace: devops
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: application-controller
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/part-of: argocd
name: argocd-application-controller
namespace: devops
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- argoproj.io
resources:
- applications
- appprojects
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/part-of: argocd-applicationset
name: argocd-applicationset-controller
namespace: devops
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- appprojects
- applicationsets
- applicationsets/finalizers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- argoproj.io
resources:
- applicationsets/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- apps
- extensions
resources:
- deployments
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: dex-server
app.kubernetes.io/name: argocd-dex-server
app.kubernetes.io/part-of: argocd
name: argocd-dex-server
namespace: devops
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: argocd-notifications-controller
namespace: devops
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- appprojects
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resourceNames:
- argocd-notifications-cm
resources:
- configmaps
verbs:
- get
- apiGroups:
- ""
resourceNames:
- argocd-notifications-secret
resources:
- secrets
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: server
app.kubernetes.io/name: argocd-server
app.kubernetes.io/part-of: argocd
name: argocd-server
namespace: devops
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- argoproj.io
resources:
- applications
- appprojects
verbs:
- create
- get
- list
- watch
- update
- delete
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: application-controller
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/part-of: argocd
name: argocd-application-controller
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: server
app.kubernetes.io/name: argocd-server
app.kubernetes.io/part-of: argocd
name: argocd-server
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- delete
- get
- patch
- apiGroups:
- ""
resources:
- events
verbs:
- list
- apiGroups:
- ""
resources:
- pods
- pods/log
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: application-controller
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/part-of: argocd
name: argocd-application-controller
namespace: devops
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argocd-application-controller
subjects:
- kind: ServiceAccount
name: argocd-application-controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/name: argocd-applicationset-controller
app.kubernetes.io/part-of: argocd-applicationset
name: argocd-applicationset-controller
namespace: devops
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argocd-applicationset-controller
subjects:
- kind: ServiceAccount
name: argocd-applicationset-controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: dex-server
app.kubernetes.io/name: argocd-dex-server
app.kubernetes.io/part-of: argocd
name: argocd-dex-server
namespace: devops
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argocd-dex-server
subjects:
- kind: ServiceAccount
name: argocd-dex-server
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: argocd-notifications-controller
namespace: devops
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argocd-notifications-controller
subjects:
- kind: ServiceAccount
name: argocd-notifications-controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: redis
app.kubernetes.io/name: argocd-redis
app.kubernetes.io/part-of: argocd
name: argocd-redis
namespace: devops
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argocd-redis
subjects:
- kind: ServiceAccount
name: argocd-redis
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: server
app.kubernetes.io/name: argocd-server
app.kubernetes.io/part-of: argocd
name: argocd-server
namespace: devops
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: argocd-server
subjects:
- kind: ServiceAccount
name: argocd-server
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: application-controller
app.kubernetes.io/name: argocd-application-controller
app.kubernetes.io/part-of: argocd
name: argocd-application-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: argocd-application-controller
subjects:
- kind: ServiceAccount
name: argocd-application-controller
namespace: devops
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: server
app.kubernetes.io/name: argocd-server
app.kubernetes.io/part-of: argocd
name: argocd-server
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: argocd-server
subjects:
- kind: ServiceAccount
name: argocd-server
namespace: devops
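Review bot: The `argocd-application-controller` ClusterRole (L6013–L6031) grants `*`/`*`/`*` plus all `nonResourceURLs`, i.e. cluster-admin; that is the upstream default for an instance managing its own cluster, but it means any identity that can create an Application in `devops` — argocd-server, and the applicationset controller running a fork image — can have arbitrary manifests applied cluster-wide, so a comment above L6013 recording that this is deliberate would help: `# cluster-admin by design: the controller applies arbitrary manifests cluster-wide, so every Application author is effectively cluster-admin`. Two bindings also appear to point at nothing in this commit: `argocd-redis` (L6128) references a Role `argocd-redis` that is not defined here (a RoleBinding with a missing roleRef is accepted by the API and grants nothing), and the `argocd-dex-server` ServiceAccount/Role/RoleBinding serve a deployment that is commented out. Dead RBAC objects are better removed than left to be bound later.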


@ -0,0 +1,20 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: argocd-secret
namespace: devops
spec:
encryptedData:
oidc.authelia.clientSecret: AgBxmb5FeitSFQ4rt+c/GDGGgYs1OdQcvxCuIPu/23bq129shPTuGfJL6pbu7g67p3gy06bZ+LZswyMu1/eaBGbopVSFg9VsNVULIaGTcvGMlQpsfG+cMZ70Yhn2taGFV40AlQMEbmVwOv/1hiUOG6osS45VEepnxNcp1Wrg33FecF/OQDi1QcsPlToA05B4cyft7/jCeXr9ZS7FOrQrKAWfdniFaZfsh445YYfg6lU/T+DzsLkiTmFsdNC1awam1Ia0i3yQqgPLqJ+BXOF39BNgJIocgyttKmSm2IpAxGeY/vbB29M/FHbgYXyKGxgzXYAQOjPhOVX2Gyw6KBnoc9oCAvStyJdYKHSIUqswpW0R3Dq4yGeFwolaHD5RyH3830Ng13lhtJMLYXPxS7ExP9oZTA4JUF5wzOSC/8//vzxxx4v42xcogOzeaarWqjkF9otsnvgMa092aFNpgnuS1qO6DqY2S3ISEBu/lRRq9yFxH4Pz7xA87xWIPUD4JsjE1E6bfEgx0UUzQxLa76A+AJF/px9ESzNO7woGnc3P70ZYuQ8frEg49stAjFkK4SekHA3ENsdZ5Ck4Z0fF1BTI1Fvo+whSq8f7e/BqRCzVTHDubnAZYuGunzb2b693VUl4fs2DDX9N9U9y0ZKwI1fMzo04CbqPJgROspOilTa4RSUkAk8fHDj5D45JIpZDKGwKJ0mxT3FlTz0SNklTksLDgExxkRMHPN+I+vPZq+8QrnTDX+VQMdZXiJdtoT/q+Dx80fT8Wwi84nGTHjysqfnmLcCd
template:
data: null
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/name: argocd-secret
app.kubernetes.io/part-of: argocd
name: argocd-secret
namespace: devops
type: Opaque
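Review bot: Once this SealedSecret owns `argocd-secret`, the sealed-secrets controller reasserts the Secret from `encryptedData` plus `template.data` (null here), so keys that Argo CD writes into the same Secret at runtime — the generated `server.secretkey` and the admin password hash — may be dropped on the controller's next reconcile, invalidating sessions; confirm the controller's update behaviour for the version in use. If that is the case, either seal those keys here as well or keep the OIDC client secret in a separately named Secret and reference it from `argocd-cm` with the `$<secret-name>:<key>` form. A comment above `encryptedData`, e.g. `# argocd-secret is managed by sealed-secrets: keys Argo CD adds at runtime must also be sealed here`, would make that ownership explicit.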


@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: devops


@ -0,0 +1,146 @@
apiVersion: v1
kind: Secret
metadata:
name: kubernetes-dashboard-certs
namespace: devops
labels:
k8s-app: kubernetes-dashboard
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
name: kubernetes-dashboard-csrf
namespace: devops
labels:
k8s-app: kubernetes-dashboard
type: Opaque
data:
csrf: ""
---
apiVersion: v1
kind: Secret
metadata:
name: kubernetes-dashboard-key-holder
namespace: devops
labels:
k8s-app: kubernetes-dashboard
type: Opaque
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: kubernetes-dashboard
namespace: devops
labels:
k8s-app: kubernetes-dashboard
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: kubernetes-dashboard
image: kubernetesui/dashboard:v2.5.1
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
- --namespace=devops
- --token-ttl=21600
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
nodeSelector:
"kubernetes.io/os": linux
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
---
apiVersion: v1
kind: Service
metadata:
name: kubernetes-dashboard
namespace: devops
labels:
k8s-app: kubernetes-dashboard
spec:
type: ClusterIP
ports:
- port: 8443
targetPort: 8443
protocol: TCP
name: dashboard
selector:
k8s-app: kubernetes-dashboard
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: k3s
namespace: devops
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "dashboard.bhasher.com"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
tls:
- hosts:
- dashboard.bhasher.com
secretName: k3s-tls
rules:
- host: dashboard.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kubernetes-dashboard
port:
number: 8443
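Review bot: The dashboard Ingress (L6340–L6365) publishes `dashboard.bhasher.com` with no forward-auth annotations, whereas the other Ingresses in this commit set `nginx.ingress.kubernetes.io/auth-url`/`auth-signin`; the dashboard's own token login is then the only barrier in front of a UI that accepts cluster-admin tokens (see the `kubernetes-dashboard-admin` section below). Add the same Authelia `auth-url`/`auth-signin` annotations here, or document why the dashboard is exempt. Separately, this Ingress selects its controller with the deprecated `kubernetes.io/ingress.class: "nginx"` annotation (L6346) while the other Ingresses use `spec.ingressClassName`; use `ingressClassName: nginx` for consistency.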


@ -0,0 +1,71 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: devops
spec:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
k8s-app: dashboard-metrics-scraper
template:
metadata:
labels:
k8s-app: dashboard-metrics-scraper
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
dnsPolicy: ClusterFirst
hostNetwork: true
containers:
- name: dashboard-metrics-scraper
image: kubernetesui/metrics-scraper:v1.0.7
ports:
- containerPort: 8000
protocol: TCP
livenessProbe:
httpGet:
scheme: HTTP
path: /
port: 8000
initialDelaySeconds: 30
timeoutSeconds: 30
volumeMounts:
- mountPath: /tmp
name: tmp-volume
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
serviceAccountName: kubernetes-dashboard
nodeSelector:
"kubernetes.io/os": linux
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
volumes:
- name: tmp-volume
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: dashboard-metrics-scraper
namespace: devops
labels:
k8s-app: dashboard-metrics-scraper
spec:
ports:
- port: 8000
targetPort: 8000
name: dashboard-metrics-scrapper
selector:
k8s-app: dashboard-metrics-scraper
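Review bot: `hostNetwork: true` (L6392) binds the scraper's port 8000 on every node's host interfaces, where it is reachable without passing through the `dashboard-metrics-scraper` Service or any NetworkPolicy, and nothing in the manifest needs host networking (the Service already targets port 8000 in the pod network). Unless there is a reason not visible here, drop `hostNetwork: true`; if it must stay, `dnsPolicy` should be `ClusterFirstWithHostNet`, because `ClusterFirst` on a host-network pod resolves against the node's resolver rather than cluster DNS. The Service port name at L6436, `dashboard-metrics-scrapper`, looks like a typo for `dashboard-metrics-scraper`.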


@ -0,0 +1,85 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: devops
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: devops
rules:
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster", "dashboard-metrics-scraper"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
verbs: ["get"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
rules:
# Allow Metrics Scraper to get metrics from the Metrics server
- apiGroups: ["metrics.k8s.io"]
resources: ["pods", "nodes"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: devops
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: devops
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubernetes-dashboard
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: devops
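Review bot: The Role (L6451–L6477) still carries the upstream `heapster` entries in `resourceNames` (L6472, L6476); nothing in this commit deploys Heapster, so these grant `proxy`/`get` on a service that does not exist and can be trimmed to `dashboard-metrics-scraper` and `http:dashboard-metrics-scraper` to keep the Role minimal. The ClusterRole (L6479–L6489) is limited to read-only `metrics.k8s.io` access, which is appropriate for the scraper.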


@ -0,0 +1,32 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kubernetes-dashboard-admin
namespace: devops
---
apiVersion: v1
kind: Secret
metadata:
name: kubernetes-dashboard-admin
namespace: devops
annotations:
kubernetes.io/service-account.name: kubernetes-dashboard-admin
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: kubernetes-dashboard-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard-admin
namespace: devops
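Review bot: `kubernetes-dashboard-admin` is bound to the built-in `cluster-admin` ClusterRole (L6546) and given a non-expiring token through a `kubernetes.io/service-account-token` Secret (L6536), so anyone able to read Secrets in `devops` — or to reach the dashboard through its Ingress, which has no forward auth — obtains full cluster control, and the token cannot be rotated except by deleting the Secret. Prefer a short-lived token from the TokenRequest API (`kubectl create token kubernetes-dashboard-admin -n devops`) over a persisted Secret, and bind to a narrower ClusterRole (`view`, or a purpose-built one) if the dashboard is mainly used to inspect. If the long-lived token is kept deliberately, record it above the Secret, e.g. `# long-lived cluster-admin token: rotate by deleting this Secret; protected only by Secret RBAC in devops`.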


@ -0,0 +1,108 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: reloader
namespace: devops
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: reloader-role
namespace: devops
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- list
- get
- watch
- apiGroups:
- "apps"
resources:
- deployments
- daemonsets
- statefulsets
verbs:
- list
- get
- update
- patch
- apiGroups:
- "extensions"
resources:
- deployments
- daemonsets
verbs:
- list
- get
- update
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: reloader-role-binding
namespace: devops
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: reloader-role
subjects:
- kind: ServiceAccount
name: reloader
namespace: devops
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: reloader
name: reloader
namespace: devops
spec:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
app: reloader
template:
metadata:
labels:
app: reloader
spec:
containers:
- image: stakater/reloader:v0.0.110
imagePullPolicy: IfNotPresent
name: reloader
ports:
- name: http
containerPort: 9090
livenessProbe:
httpGet:
path: /metrics
port: http
timeoutSeconds: 5
failureThreshold: 5
periodSeconds: 10
successThreshold: 1
readinessProbe:
httpGet:
path: /metrics
port: http
timeoutSeconds: 5
failureThreshold: 5
periodSeconds: 10
successThreshold: 1
securityContext:
runAsNonRoot: true
runAsUser: 65534
serviceAccountName: reloader
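Review bot: `metadata.namespace: devops` on the ClusterRole (L6565) and ClusterRoleBinding (L6602) has no effect, since both kinds are cluster-scoped, and only suggests a scoping that is not there; remove it from both. The ClusterRole grants `list`/`get`/`watch` on Secrets in every namespace (L6567–L6575), which reloader needs to watch cluster-wide, but it means the `reloader` ServiceAccount can read every Secret in the cluster, including the unsealed outputs in `idp`; if only a few namespaces need reloading, reloader can be restricted to them (per its configuration) and given namespaced Roles instead, and the `extensions` rules at L6587–L6596 can be dropped on any cluster where that API group no longer exists. Unlike the dashboard pods, the container sets no `allowPrivilegeEscalation: false`/`readOnlyRootFilesystem: true`; adding them keeps the pod security settings consistent across the `devops` workloads.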


@ -0,0 +1,90 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: authelia
namespace: idp
labels:
app: authelia
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
app: authelia
template:
metadata:
labels:
app: authelia
spec:
containers:
- name: authelia
image: authelia/authelia:latest
args: ["--config", "/config/configuration.yml,/config/oidc.yml"]
ports:
- name: http
containerPort: 9091
volumeMounts:
- name: authelia-config
mountPath: /config/configuration.yml
subPath: configuration.yml
- name: authelia-oidc
mountPath: /config/oidc.yml
subPath: oidc.yml
envFrom:
- secretRef:
name: authelia
volumes:
- name: authelia-config
configMap:
name: authelia-config
- name: authelia-oidc
secret:
secretName: authelia-oidc
---
apiVersion: v1
kind: Service
metadata:
name: authelia
namespace: idp
labels:
app: authelia
spec:
ports:
- name: http
port: 9091
targetPort: 9091
selector:
app: authelia
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: authelia
namespace: idp
annotations:
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "idp.bhasher.com"
spec:
ingressClassName: "nginx-external"
tls:
- hosts:
- idp.bhasher.com
secretName: authelia-tls
rules:
- host: idp.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: authelia
port:
number: 9091
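Review bot: The identity provider runs from `authelia/authelia:latest` (L6683), so a pod restart or node pull can pick up a different, possibly breaking, release while the configuration in `authelia-config` is version-sensitive; pin a specific tag or `@sha256:` digest and let a deliberate bump drive upgrades. The args at L6684 merge a Secret-backed `oidc.yml` into the config, which is the right place for OIDC client secrets. A pod `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`) as used for the dashboard would also be appropriate here.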


@ -0,0 +1,158 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: authelia-config
namespace: idp
data:
configuration.yml: |
default_redirection_url: https://portal.bhasher.com
theme: dark
server:
host: 0.0.0.0
port: 9091
log:
level: debug
totp:
disable: false
issuer: idp.bhasher.com
algorithm: sha256
digits: 6
period: 30
skew: 1
secret_size: 32
authentication_backend:
disable_reset_password: false
refresh_interval: 5m
ldap:
implementation: custom
url: ldap://openldap.idp.svc.cluster.local
timeout: 5s
start_tls: false
base_dn: DC=bhasher,DC=com
username_attribute: uid
additional_users_dn: ou=users
users_filter: (&({username_attribute}={input})(objectClass=inetOrgPerson))
additional_groups_dn: ou=groups
groups_filter: (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
group_name_attribute: cn
mail_attribute: mail
display_name_attribute: cn
permit_referrals: false
access_control:
default_policy: deny
rules:
- domain: '*.bhasher.com'
policy: two_factor
subject:
- "group:admin"
- domain: 'git.bhasher.com'
policy: two_factor
subject:
- "group:contributor"
- domain: 'wiki.bhasher.com'
policy: two_factor
subject:
- "group:contributor"
- domain: 'radarr.bhasher.com'
policy: two_factor
subject:
- "group:mediaserver"
- domain: 'nextcloud.bhasher.com'
policy: two_factor
subject:
- "group:home"
session:
name: auth_session
domain: bhasher.com
same_site: lax
expiration: 1d
inactivity: 3h
remember_me_duration: 1w
redis:
host: redis.storage.svc.cluster.local
port: 6379
regulation:
max_retries: 3
find_time: 1m
ban_time: 5m
storage:
# local:
# path: /data/db.sqlite3
postgres:
host: postgres.storage.svc.cluster.local
port: 5432
database: authelia
schema: public
username: authelia
notifier:
smtp:
username: no-reply@bhasher.com
host: bdubois.io
port: 587
sender: no-reply@bhasher.com
tls:
skip_verify: true
password_policy:
standard:
enabled: true
min_length: 8
max_length: 0
require_uppercase: false
require_lowercase: false
require_number: false
require_special: false
identity_providers:
oidc:
issuer_private_key: |
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
access_token_lifespan: 3h
authorize_code_lifespan: 1m
id_token_lifespan: 1h
refresh_token_lifespan: 90m
enable_client_debug_messages: false
cors:
endpoints:
- authorization
- token
- revocation
- introspection
allowed_origins:
- https://git.bhasher.com
allowed_origins_from_client_redirect_uris: false
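Review bot: `identity_providers.oidc.issuer_private_key` (L6856–L6857) embeds the OIDC signing private key in a plain ConfigMap, committed to the repository and readable by anyone with `get configmaps` in `idp`, while every other credential in this commit goes through a SealedSecret; the key should be treated as exposed, regenerated, and supplied from a Secret (Authelia accepts secrets through environment variables like those in the `authelia` SealedSecret, and the Deployment already mounts a Secret-backed `oidc.yml`) rather than from `configuration.yml`. `notifier.smtp.tls.skip_verify: true` (L6844) disables certificate verification on the SMTP connection that carries the SMTP password and password-reset mail, and `log.level: debug` (L6764) is verbose enough to log request details; both are reasonable for a first bring-up but should be set to `skip_verify: false` and `level: info` before this is relied on. The LDAP backend uses plain `ldap://` with `start_tls: false` (L6778, L6780), so bind credentials cross the pod network in cleartext; if that is accepted because OpenLDAP is only reachable in-cluster, say so in a comment next to `url:`.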



@ -0,0 +1,24 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: authelia
namespace: idp
spec:
encryptedData:
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: AgBtB6SSmfYza95ukD5MArbufyWVvVzkvgcN6K4wfELiNzFD36Ky725zCG6K56SNj+hidMiUuiTBEY1QCWsq03YfPxtfdFSQNe7nZoeu7acxP61cIM7MzAhV09q/qt+QdJbYNSai7wAaq316SJbvxw4H/pyYz58K38c7oJ4ZBdK+XSjKgRfgEwir1LY3GF3JkQjC4HrQSR/f1kPyG29+KzTjWB7C1SolMEX+pXwjEvRnoARPEyAIW1S4M2o/0xOp7BDml0j2KVgVhOvjljyP7tR47NFdbWTQ4Vs6gtLRxNjHIG+UVQxOpZdcDIhXK5mLlFXN6mDE+0Tc6wns1SuUcsPaTCx1hO0By6aCN2TjDwtKitLIe7UgJvu+aDbTy8EkXhfUysYTgkgRgQtuKYoLNE0QKwDNx6B4aHghhnpeagHgmHLUbbYn1tYhAcWSjmTQfggWhUP/tpY9SiPIvx4E2JjUIwM2CwIjP6P890Xhk8WffDxbL/PtDwmFTyo5wC6FPZneEwZ+CRpXIIls4ZvXbEyrXBKGITuaJ1oDzSi3MJCYl/KO9swID5nY64xc+0qAGET0Vm81RsoTkkf44+swHmxIcnVgH1+lyyy3/LoPsx5uu1zhyv19XpW8jnmHhp57DpklOdhptdwE/nNWvDwfc7rzfHiiWHRQWMkiwOVooEDKkE9ah2NVhYtgRC024QCBjwQdwTPegVYwJKgvoJr32WaCFtnJoZol1wJqCjI8wTDPWW0stQ70xSI/0uF+R0JTpj+HqBizktmteC7vupz0sPGr
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER: 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
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: 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
AUTHELIA_JWT_SECRET: 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
AUTHELIA_NOTIFIER_SMTP_PASSWORD: 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
AUTHELIA_SESSION_SECRET: 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
AUTHELIA_STORAGE_ENCRYPTION_KEY: AgCP7lrcqQFZ+N3geMzM/tUeP0kD4naVeL4l0wRWsFK1l6z91qr7vaNNUsj5ZaikTI+jkTbAcke/Sj3Sp0b5sOP6J0A4qAOV0J+sRyEvdgbTrtj5NLtM3H+QrTaKZjdmkZfnCsxKY812brBBS2KpFUo0kLb3uMIo0i3erJMkk/IZ4JuCWdMFP1/B66VjdX2Wi1g1MuyV2XWtu0YjoMDBF342s5g7mbUXai9fOgq3KZpNOX5VrD5ns2UexLfQySpRP+Oi5qtT5KtZQ+bQoegsbZglsM5K7iEaYTwA7zOdP113u2eWiEFhas4hV3dph4owAj68uILvvjDAWzJ7y6uA8FxPMoX2OZA7fmbAZTgsi98uKtS8zg+IFK4aEJnyJUtO08TkANoQWkVfkwTDlMVTwLrxV6zdZrT3bjAypUKsc/wPG3rGi12RRd6h//r1HbLxVViojLHmoHipn3FjSTsaaEhtnpDWUIDeurWWsiJKdcieA56h4hKSM7/RwMEPhkbDkrXh94K+gP8kSXGJOlt3+yF//NwwfZyr2q4eusnuUQOAIB1a2Whr9Nl9DfyqFSW0Oxe+wihOWisEkuWVdiQ8d0O7a20kjcqrng+WueAv/L9gkDoE1TcfkcukugDCZF0U9IzD8+NuBYZ9e2DQ7tXgqzezlytcUNNIr14jA6ZAuCtLnTm5c0bFr702rC9V4oskRZMrLnKb46UwQTZW4ADFaYZrinNp/q9eyQCKS3aaK5zCDAiNPU0TNFZLYR/bHQIy4tzowkyzNm+zyOh1MDfQHqwc
AUTHELIA_STORAGE_POSTGRES_PASSWORD: AgAH4aJY2onCeT6wN6hDc2QVi5mTtMxYo/Y4b6+X/c40BFWc3Fb2hQa1BM1AGVrk5RrhFVaixXNghb6BpwIbugKIzi6eAMEn4ZSp/EQi5g9AuDrQfHwW2mi53ivkeflkxbgFQC8Ggno10W9kHdXqIhHVKtUeKf9dIAonRHVIz4D5JjwcVGL6CRun7R+LmMVj11+9J/lZUDqLzLODbi2lht85gxi1E/7qM/UkvUjWpkH2rJuqEBx/2weu9F0hxBnD1QhSiC0tNYOBAycmO6G/7DMHJUhQTAJIJUH9bT6M652SrNmq1bzj64bXkNSo04lQmSSB4zQzELtonzIgeo1WsHTksrXJz4sMMCosBhNntLRP+RX0aicrolbXZ/ay+dx0lkZrTNcBdIUZw6Px0VMOC9r4RcYd/2/XNayL5sHSdt4hvE6NTJz31YRGRK884shtIhvCLK8goUoqb+Rf7gdxS7AB4qdpwDIPbDZ9YnmDggpaq0ammSf5SalGOPiBKvpyK2XYUrTgDhK5iKgjOlQ/UDtqZKu2JkHzymg5Bz58XH+h1EasDIID0x3xr3S+bR+b+qQt6/T8KLpe3/S+q9sEYqCKiAv80i3JtPzdKejh//NnLUWUR8Nx0V/xoiMXGG3T/h2L+QHW4d/Cj5ISCf33sn4Wnnk1t5vRis08yCRo77UOk/NIOPSBT4d7ZXQ5Ojv/Hx7nJfUXlcnHpvgmMRg08HBUso947+Ad++Zi/O/WZV8wip4gqqIYlESISEsjBbDpzD2apz3HDRT+fYTN0Og9JJRZ
template:
data: null
metadata:
creationTimestamp: null
name: authelia
namespace: idp
type: Opaque


@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: idp


@ -0,0 +1,76 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: ldapusermanager
namespace: idp
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 1
selector:
matchLabels:
app: ldapusermanager
template:
metadata:
labels:
app: ldapusermanager
spec:
containers:
- name: ldapusermanager
image: wheelybird/ldap-user-manager:latest
envFrom:
- configMapRef:
name: ldapusermanager
- secretRef:
name: ldapusermanager
ports:
- name: http
containerPort: 80
---
kind: Service
apiVersion: v1
metadata:
name: ldapusermanager
namespace: idp
spec:
selector:
app: ldapusermanager
type: ClusterIP
ports:
- name: http
port: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ldapusermanager
namespace: idp
annotations:
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
cert-manager.io/common-name: "accounts.bhasher.com"
nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Groups
nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method $request_method;
spec:
ingressClassName: nginx
tls:
- hosts:
- accounts.bhasher.com
secretName: ldapusermanager-tls
rules:
- host: accounts.bhasher.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ldapusermanager
port:
number: 80
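Review bot: With `REMOTE_HTTP_HEADERS_LOGIN: "true"` in the `ldapusermanager` ConfigMap, the application treats the `Remote-User`/`Remote-Groups` headers forwarded by the Ingress (L6964) as an authenticated identity, but the `ldapusermanager` Service (L6942–L6953) is reachable from any pod in the cluster without passing the ingress-nginx forward auth, so an in-cluster client can supply those headers itself and act as an LDAP admin. Add a NetworkPolicy in `idp` that allows ingress to the `ldapusermanager` pods only from the ingress-controller namespace, so the proxy is the sole path to the application. The image is `wheelybird/ldap-user-manager:latest` (L6932); as with the other `:latest` images in this commit, pin a tag or digest.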


@ -0,0 +1,31 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: ldapusermanager
namespace: idp
data:
LDAP_URI: "ldap://openldap.idp.svc.cluster.local"
LDAP_BASE_DN: "dc=bhasher,dc=com"
LDAP_ADMIN_BIND_DN: "cn=admin,dc=bhasher,dc=com"
LDAP_ADMINS_GROUP: "admin"
SERVER_HOSTNAME: "accounts.bhasher.com"
SERVER_PORT: "80"
NO_HTTPS: "true"
ORGANISATION_NAME: "Bhasher's Accounts"
SITE_NAME: "Account Manager"
SHOW_POSIX_ATTRIBUTE: "true"
LDAP_USER_OU: "users"
LDAP_GROUP_OU: "groups"
LDAP_REQUIRE_STARTTLS: "false"
LDAP_IGNORE_CERT_ERRORS: "true"
LDAP_ACCOUNT_ATTRIBUTE: "uid"
LDAP_GROUP_ATTRIBUTE: "cn"
DEFAULT_USER_GROUP: "default"
ENFORCE_SAFE_SYSTEM_NAMES: "false"
USERNAME_FORMAT: "{first_name}.{last_name}"
PASSWORD_HASH: "SHA512CRYPT"
ACCEPT_WEAK_PASSWORDS: "false"
# LDAP_GROUP_MEMBERSHIP_USES_UID: "true"
LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES: "jpegPhoto^:Profile picture,sshpubkey^+:SSH public key"
REMOTE_HTTP_HEADERS_LOGIN: "true"
# FORCE_RFC2307BIS: "true"
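Review bot: `LDAP_REQUIRE_STARTTLS: "false"` (L7007) together with the plain `ldap://` URI (L6995) means the admin bind (`cn=admin,dc=bhasher,dc=com`, L6997) authenticates in cleartext on the pod network, and `LDAP_IGNORE_CERT_ERRORS: "true"` (L7008) would leave a later move to LDAPS/STARTTLS unverified; prefer `LDAP_REQUIRE_STARTTLS: "true"` and `LDAP_IGNORE_CERT_ERRORS: "false"` with a cluster-issued certificate on OpenLDAP, or record the decision, e.g. `# cleartext LDAP accepted: openldap is reachable only inside the idp namespace`. `NO_HTTPS: "true"` (L7001) is fine behind the TLS-terminating Ingress. `REMOTE_HTTP_HEADERS_LOGIN: "true"` (L7018) makes the app trust proxy-provided identity headers, which is only safe while the pod is unreachable except through that proxy, so it deserves a comment pointing at the Ingress auth annotations it depends on.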


@ -0,0 +1,17 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: ldapusermanager
namespace: idp
spec:
encryptedData:
LDAP_ADMIN_BIND_PWD: 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
template:
data: null
metadata:
creationTimestamp: null
name: ldapusermanager
namespace: idp
type: Opaque
