Archives
parent
30672ed4bb
commit
e42ab413b8
|
@ -0,0 +1,78 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: mealie
|
||||
namespace: cloud
|
||||
labels:
|
||||
app: mealie
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
spec:
|
||||
replicas: 0
|
||||
revisionHistoryLimit: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: mealie
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: mealie
|
||||
spec:
|
||||
containers:
|
||||
- name: mealie
|
||||
image: hkotel/mealie:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: mealie
|
||||
- secretRef:
|
||||
name: mealie
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: mealie
|
||||
namespace: cloud
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: mealie
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: mealie
|
||||
namespace: cloud
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "cook.bhasher.com"
|
||||
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
|
||||
nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
|
||||
nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method request_method;
|
||||
nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
|
||||
nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method request_method;
|
||||
spec:
|
||||
ingressClassName: nginx
|
||||
tls:
|
||||
- hosts:
|
||||
- cook.bhasher.com
|
||||
secretName: mealie-tls
|
||||
rules:
|
||||
- host: cook.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: mealie
|
||||
port:
|
||||
number: 80
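Review bot: Both nginx snippets on the `mealie` Ingress (`auth-snippet` and `configuration-snippet`) set `X-Forwarded-Method` to the literal text `request_method`, because the `$` that marks an nginx variable is missing. The verifier at `https://idp.bhasher.com/api/verify` would then receive the same method string for every request, so any access rule that depends on the HTTP method cannot work as intended. Both values should read `proxy_set_header X-Forwarded-Method $request_method;`, and quoting the annotation values keeps a YAML parser from ever reinterpreting them. Snippet annotations are disabled by default in recent ingress-nginx releases, so also confirm the controller has them enabled.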
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: mealie
|
||||
namespace: cloud
|
||||
data:
|
||||
DB_ENGINE: postgres
|
||||
POSTGRES_USER: mealie
|
||||
POSTGRES_SERVER: postgres.storage.svc.cluster.local
|
||||
POSTGRES_PORT: "5432"
|
||||
POSTGRES_DB: mealie
|
||||
DEFAULT_GROUP: Home
|
||||
BASE_URL: https://cook.bhasher.com
|
||||
# LDAP_AUTH_ENABLED: true
|
||||
# LDAP_SERVER_URL: ldap.idp.svc.cluster.local
|
||||
# LDAP_BIND_TEMPLATE: uid={},ou=users,dc=bhasher,dc=com
|
||||
# LDAP_ADMIN_FILTER: memberOf=cn=admin,ou=groups,dc=bhasher,dc=com
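Review bot: The commented-out LDAP block would not apply as written if it were re-enabled: `LDAP_AUTH_ENABLED: true` is a YAML boolean, while ConfigMap `data` values must be strings, so it needs to be `LDAP_AUTH_ENABLED: "true"`, quoted the same way as `POSTGRES_PORT` above it. `LDAP_SERVER_URL` also carries no scheme; if LDAP is switched on, an `ldaps://` URL keeps bind passwords off the cluster network in clear text, assuming the directory offers TLS. A one-line comment saying why the block is disabled would help the next reader.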
|
||||
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: mealie
|
||||
namespace: cloud
|
||||
spec:
|
||||
encryptedData:
|
||||
POSTGRES_PASSWORD: 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
|
||||
template:
|
||||
data: null
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: mealie
|
||||
namespace: cloud
|
||||
|
|
@ -0,0 +1,128 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cloud
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: nextcloud
|
||||
namespace: cloud
|
||||
spec:
|
||||
storageClassName: longhorn-static
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
resources:
|
||||
requests:
|
||||
storage: 25Gi
|
||||
|
||||
---
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: nextcloud
|
||||
namespace: cloud
|
||||
labels:
|
||||
app: nextcloud
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: nextcloud
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: nextcloud
|
||||
spec:
|
||||
affinity:
|
||||
podAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: app
|
||||
operator: In
|
||||
values:
|
||||
- nextcloud
|
||||
topologyKey: kubernetes.io/hostname
|
||||
weight: 100
|
||||
containers:
|
||||
- name: nextcloud
|
||||
image: nextcloud:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: nextcloud
|
||||
- secretRef:
|
||||
name: nextcloud
|
||||
volumeMounts:
|
||||
- name: nextcloud
|
||||
mountPath: /var/www/html
|
||||
readOnly: false
|
||||
- name: configs-file
|
||||
mountPath: /var/www/html/config/sso.config.php
|
||||
subPath: sso.config.php
|
||||
readOnly: true
|
||||
- name: configs-file
|
||||
mountPath: /var/www/html/config/custom.config.php
|
||||
subPath: custom.config.php
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: nextcloud
|
||||
persistentVolumeClaim:
|
||||
claimName: nextcloud
|
||||
- name: configs-file
|
||||
configMap:
|
||||
name: nextcloud-configs-file
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: nextcloud
|
||||
namespace: cloud
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: nextcloud
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: nextcloud
|
||||
namespace: cloud
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: 5G
|
||||
nginx.ingress.kubernetes.io/client-body-buffer-size: 250M;
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "nextcloud.bhasher.com"
|
||||
spec:
|
||||
ingressClassName: nginx-external
|
||||
tls:
|
||||
- hosts:
|
||||
- nextcloud.bhasher.com
|
||||
secretName: nextcloud-tls
|
||||
rules:
|
||||
- host: nextcloud.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: nextcloud
|
||||
port:
|
||||
number: 80
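Review bot: The `nginx.ingress.kubernetes.io/client-body-buffer-size: 250M;` annotation on the `nextcloud` Ingress has a trailing semicolon that becomes part of the value, so the controller will most likely reject it or render an invalid `client_body_buffer_size` directive; it should be `nginx.ingress.kubernetes.io/client-body-buffer-size: 250M`. Beyond the syntax, this Ingress uses the `nginx-external` class, and a 250 MB in-memory buffer per request body lets a few concurrent uploads exhaust the controller's memory. A small buffer (nginx spills larger bodies to disk) combined with the existing `proxy-body-size: 5G` limit is the safer setting. The pod template also sets no `resources` or `securityContext`; whether a namespace-level policy supplies them is not visible here.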
|
|
@ -0,0 +1,50 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: nextcloud
|
||||
namespace: cloud
|
||||
data:
|
||||
POSTGRES_HOST: postgres.storage.svc.cluster.local
|
||||
POSTGRES_DB: nextcloud
|
||||
POSTGRES_USER: nextcloud
|
||||
NEXTCLOUD_ADMIN_USER: admin
|
||||
NEXTCLOUD_TRUSTED_DOMAINS: nextcloud.bhasher.com
|
||||
NEXTCLOUD_INIT_LOCK: "true"
|
||||
REDIS_HOST: redis.storage.svc.cluster.local
|
||||
SMTP_HOST: smtp.bhasher.com
|
||||
SMTP_SECURE: ssl
|
||||
SMTP_PORT: "465"
|
||||
SMTP_NAME: no-reply@bhasher.com
|
||||
MAIL_FROM_ADDRESS: "Nextcloud <no-reply@bhasher.com>"
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: nextcloud-configs-file
|
||||
namespace: cloud
|
||||
data:
|
||||
sso.config.php: |
|
||||
<?php
|
||||
$CONFIG = array(
|
||||
'oidc_login_proxy_ldap' => true,
|
||||
'oidc_login_provider_url' => 'https://idp.bhasher.com',
|
||||
'oidc_login_client_id' => 'nextcloud',
|
||||
'oidc_login_client_secret' => (string) getenv('SSO_CLIENT_SECRET'),
|
||||
'oidc_login_auto_redirect' => true,
|
||||
'oidc_login_button_text' => 'Authelia',
|
||||
'oidc_login_scope' => 'openid profile',
|
||||
'oidc_login_tls_verify' => false,
|
||||
'overwriteprotocol' => 'https',
|
||||
'oidc_login_attributes' => array (
|
||||
'ldap_uid' => 'preferred_username',
|
||||
),
|
||||
'oidc_login_password_authentication' => true,
|
||||
);
|
||||
|
||||
custom.config.php: |
|
||||
<?
|
||||
$CONFIG = array(
|
||||
'trashbin_retention_obligation' => 'auto, 7',
|
||||
);
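Review bot: `'oidc_login_tls_verify' => false` in `sso.config.php` turns off certificate verification for the connection to `https://idp.bhasher.com`, so anything able to intercept that traffic can impersonate the identity provider during login. This commit already ships the private CA as a ConfigMap for Gitea (`bhasherCA.pem`); mounting the same CA into the Nextcloud pod's trust store and setting `'oidc_login_tls_verify' => true,` keeps the private PKI without giving up verification. Separately, `custom.config.php` opens with the short tag `<?`; if `short_open_tag` is off in the image's PHP configuration the file is not parsed as PHP, so `<?php` is the safe spelling.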
|
|
@ -0,0 +1,19 @@
|
|||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: nextcloud
|
||||
namespace: cloud
|
||||
spec:
|
||||
encryptedData:
|
||||
NEXTCLOUD_ADMIN_PASSWORD: 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
|
||||
POSTGRES_PASSWORD: AgAoRw4D98hfPD2FXjmfCN9SOWaSp3YE8foWYUBdCHWK8kFkqZkdVZ//QAKKk5UXO/YOrQqEgUBgGvBhGME9Pm4HH0/9kT5P8Rpuqkf/xccYIdciebakUO5dua5fk7I7A/Ea6Sl7EDI5NNeyJeWOD09tTlga6WsM97Qp0Nu6MmDh3LE247jsDtLmEN0P0HhtjD5B9HTKYgP9E3P5YSdSvZf3CoTXawrD4y1XMspY50EvCMDbBahQ065VpFmzUnds6F1PrKHVmcYVCrkScZTjlCX3ybNSaDy7saGz7I7i3l1rtwr69KhqsJ1aj/KspDFKjf2awS6Z07Qk3tlbuudxS1nJXgcE9w8btERCHhFtJBdDaEGlg47EgEj52qENCXtqggtTfua2qn78uaJz/BDnOYfaJcpkYMjgbQXPlyUtyLVC9MpmYgwx4sztliyTkV7EF1u+qlfKik2U5zY5/XTlS7GN/7n+YNhx4NrZId5idC0LuvzpuPzw7P95S4Tw8OLkuk9SEgz7gXgefv6fGFNaFR+iqtjcosVqaMMJ7KUvoXKPJdaCQMwrN/BmRr5P/ZrX+PbhbMlA3A9r+d2eWFTsfyFBxBFQ46NYc1c1W9ahryxxbnxKHmzasXYciz9A8hS5wyVxHZAuGjHdJ1BlwzWcCy9w2LEUe+9SDSK+jyo5ppDVq/h4D8baOXKbc0gsRG7ukoaUvfcNjGR6SYEO4JMo6KAcYioPl/ONxLsQZEyqmhQF+wwQShQgdwaQHdJOjVPLiaqzYSUtU56r+v4xi/eoy2RG
|
||||
SMTP_PASSWORD: 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
|
||||
SSO_CLIENT_SECRET: AgAprcM5+VApsVAd8V/88tVwLj522DNSIJBaXNqRBDbaS0od7mFreoNZzDQbjmRIl/lBJ1Lu52XI0VUsNLbvjJVFcpPGMxpcYE+Zhyf3XItDX8nUELZDXMioY8f3u26NAhiOKEV9+NFy1ZhTAo4T+BAKwvmtdAkImbw7elWOT57I4uIna/I7nTaCp98L6raQQ4j/hwwr/5APHVjpyjjDEscGKKIkX0cE/ZLxeLUm1uf6JVreezrNgeE85GLj3CgPa5DvUrjL3kf3hEzWOGl0aEwpiHRrNGyQMfMW6UFz6DgWMki7xepH/nxvotabv3jT28cqO9GtsOiqAAQ286/zF0Nw9ux2V9kRJj/cH/1Jh/d/519JV+9yPGNNz1suM6m6XH+qmQg9kg0cx0ACXLHKqbSo+ZUYQ0EOJBaPIvfQaxKrZBCop1JlfOcpHLl2T2UXvnXZDhbgWa0LQoq+9QwVtnTxXJj2WBUJAlJqI7DE62glGhTbHgvij34AITLZKaizveuu3bc7eXYGeGb3FBRh3WTE5L+Tjlyk1Nt41L/1OpmubF0F9LguWUALeOeRxgK8wzFO39NZNFUYt9+ucBbtmr9mvl2LwdB+xXgFtA4Ma6rZGV4qh4KbPAsGMEJnw3r4FocilIvQdew1D79tYuG3qh4neXacbh0saUvf8NU5qJ4QNFHIt9X8yIKH9YX8u1w+3CwNbF3pbzjK/Jr/pV2WwThIEOAF5Pgla1F9CVoCIVrGW32opWMNifPidAcdgQq/KXtGdCATSXlJmCVhcRL7BewY
|
||||
template:
|
||||
data: null
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: nextcloud
|
||||
namespace: cloud
|
||||
|
|
@ -0,0 +1,100 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: onlyoffice
|
||||
namespace: cloud
|
||||
labels:
|
||||
app: onlyoffice
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: onlyoffice
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: onlyoffice
|
||||
spec:
|
||||
affinity:
|
||||
podAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: app
|
||||
operator: In
|
||||
values:
|
||||
- onlyoffice
|
||||
topologyKey: kubernetes.io/hostname
|
||||
weight: 100
|
||||
containers:
|
||||
- name: onlyoffice
|
||||
image: onlyoffice/documentserver:latest-arm64
|
||||
imagePullPolicy: IfNotPresent
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: onlyoffice
|
||||
- secretRef:
|
||||
name: onlyoffice
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 80
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: http
|
||||
failureThreshold: 3
|
||||
periodSeconds: 10
|
||||
startupProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: http
|
||||
failureThreshold: 30
|
||||
periodSeconds: 10
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: onlyoffice
|
||||
namespace: cloud
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: onlyoffice
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: onlyoffice
|
||||
namespace: cloud
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "onlyoffice.bhasher.com"
|
||||
spec:
|
||||
ingressClassName: nginx-external
|
||||
tls:
|
||||
- hosts:
|
||||
- onlyoffice.bhasher.com
|
||||
secretName: onlyoffice-tls
|
||||
rules:
|
||||
- host: onlyoffice.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: onlyoffice
|
||||
port:
|
||||
number: 80
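Review bot: `image: onlyoffice/documentserver:latest-arm64` combined with `imagePullPolicy: IfNotPresent` means the running version is whatever build a node happened to cache, so the deployment is not reproducible and there is no record of which build is exposed through `nginx-external`. Pinning a release tag, ideally with its digest (`image: onlyoffice/documentserver:<version>@sha256:<digest>`, both placeholders), fixes both problems. The same applies to `hkotel/mealie:latest`, `nextcloud:latest`, `alpine:latest`, `gitea/gitea:latest` and `busybox:latest` elsewhere in this commit, and to the floating `python:3-slim-buster` tag used by the cron jobs.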
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: onlyoffice
|
||||
namespace: cloud
|
||||
data:
|
||||
DB_TYPE: postgres
|
||||
DB_HOST: postgres.storage.svc.cluster.local
|
||||
DB_NAME: onlyoffice
|
||||
DB_USER: onlyoffice
|
||||
REDIS_SERVER_HOST: redis.storage.svc.cluster.local
|
||||
USE_UNAUTHORIZED_STORAGE: "true"
|
||||
JWT_ENABLED: "true"
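Review bot: `USE_UNAUTHORIZED_STORAGE: "true"` tells the Document Server, per the image's documentation, to accept storage servers whose TLS certificate it cannot verify, so document fetches and callbacks to Nextcloud lose their protection against interception. The `JWT_ENABLED: "true"` on the next line authenticates requests but does not keep document content confidential in transit. If the setting exists only because of the private CA, adding that CA to the container's trust store and dropping this key is the better fix. If it has to stay, a comment such as `# self-signed storage cert; remove once the private CA is trusted in the image` would record why.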
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: onlyoffice
|
||||
namespace: cloud
|
||||
spec:
|
||||
encryptedData:
|
||||
DB_PWD: 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
|
||||
JWT_SECRET: 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
|
||||
template:
|
||||
data: null
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: onlyoffice
|
||||
namespace: cloud
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: crons
|
|
@ -0,0 +1,79 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: ovh-dyndns-config
|
||||
namespace: crons
|
||||
data:
|
||||
update_ovh.sh: |
|
||||
#/bin/sh
|
||||
|
||||
#
|
||||
# CONFIG
|
||||
#
|
||||
|
||||
# HOST=${}
|
||||
# LOGIN=${}
|
||||
# PASSWORD=${}
|
||||
CURRENT_DATE=`date +'%d/%m/%Y %H:%M:%S'`
|
||||
|
||||
#
|
||||
# GET IP(s)
|
||||
#
|
||||
|
||||
CURRENT_IP=`{
|
||||
cat <<EOF ; sleep 1;
|
||||
GET / HTTP/1.0
|
||||
Host: www.ifconfig.io
|
||||
User-Agent: curl
|
||||
Referer: http://ifconfig.io
|
||||
|
||||
EOF
|
||||
} | nc -vvv www.ifconfig.io 80 | tail -1`
|
||||
|
||||
#
|
||||
# DO THE WORK
|
||||
#
|
||||
if [ -z $CURRENT_IP ]
|
||||
then
|
||||
echo "No IP retrieved"
|
||||
else
|
||||
echo "$DYNDNS_LOGIN:$DYNDNS_PASSWORD"
|
||||
echo "https://www.ovh.com/nic/update?system=dyndns&hostname=$DYNDNS_HOST&myip=$CURRENT_IP"
|
||||
curl --user "$DYNDNS_LOGIN:$DYNDNS_PASSWORD" "https://www.ovh.com/nic/update?system=dyndns&hostname=$DYNDNS_HOST&myip=$CURRENT_IP"
|
||||
echo "$CURRENT_DATE"": IP updated to" "$CURRENT_IP"
|
||||
fi
|
||||
---
|
||||
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: ovh-dyndns
|
||||
namespace: crons
|
||||
spec:
|
||||
schedule: "0 * * * *"
|
||||
successfulJobsHistoryLimit: 1
|
||||
failedJobsHistoryLimit: 1
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
volumes:
|
||||
- name: data
|
||||
configMap:
|
||||
name: ovh-dyndns-config
|
||||
containers:
|
||||
- name: ovh-dyndns
|
||||
image: alpine:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- apk --no-cache add curl;/bin/sh /data/update_ovh.sh
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: ovh-dyndns-creds
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /data
|
||||
readOnly: true
|
||||
restartPolicy: OnFailure
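Review bot: `echo "$DYNDNS_LOGIN:$DYNDNS_PASSWORD"` in `update_ovh.sh` writes the DynDNS credentials from the `ovh-dyndns-creds` secret into the pod log on every hourly run, where anyone with log access or any log shipper can read them; that line should simply be deleted. The address is also fetched over plain HTTP with `nc` and then used unquoted in `[ -z $CURRENT_IP ]` and in the update URL, so a tampered or multi-word response can break the test or repoint the DNS record. Use `[ -z "$CURRENT_IP" ]`, check that the value looks like an IP address before sending it, and do the lookup over HTTPS with the `curl` that is installed anyway. The first script line `#/bin/sh` is missing its `!`, which is harmless only because the CronJob invokes `/bin/sh` explicitly.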
|
|
@ -0,0 +1,75 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: permis-config
|
||||
namespace: crons
|
||||
data:
|
||||
requirements.txt: |
|
||||
requests==2.27.1
|
||||
permis.py: |
|
||||
import requests
|
||||
from datetime import date
|
||||
import os
|
||||
|
||||
token = os.getenv('TELEGRAM_TOKEN')
|
||||
chat_id = os.getenv('TELEGRAM_ID')
|
||||
|
||||
assert token is not None, "Telegram token must be set"
|
||||
assert chat_id is not None, "Telegram chat ID must be set"
|
||||
|
||||
base = 'https://rendezvous.permisconduire.be/api/frontend/v4/offers/'
|
||||
|
||||
str_to_date = lambda x: date(*[int(el) for el in x.split('-')])
|
||||
|
||||
afterDate = date(year=2022, month=6, day=10).strftime('%Y-%m-%d')
|
||||
dates_url = base + f'_calendar?afterDate={afterDate}&size=42&sites=W3wn7&types=rQj2a'
|
||||
rep = requests.get(dates_url).json()
|
||||
dates = {el for el in {str_to_date(day['day']) for day in rep['days'] if day['hasOffer']} if el <= date(2022, 7, 20)}
|
||||
|
||||
if dates:
|
||||
text = 'There are places for :\n - ' + '\n - '.join([el.strftime('%d/%m/%Y') for el in dates])
|
||||
|
||||
url = f'https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}&text={text}'
|
||||
|
||||
print(date.today().strftime('%Y-%m-%d'), requests.get(url).status_code)
|
||||
else:
|
||||
print(date.today().strftime('%Y-%m-%d'), "No places")
|
||||
|
||||
---
|
||||
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: permis
|
||||
namespace: crons
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
spec:
|
||||
schedule: "*/10 * * * *"
|
||||
successfulJobsHistoryLimit: 1
|
||||
failedJobsHistoryLimit: 1
|
||||
suspend: true
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
volumes:
|
||||
- name: app
|
||||
configMap:
|
||||
name: permis-config
|
||||
containers:
|
||||
- name: permis
|
||||
image: python:3-slim-buster
|
||||
imagePullPolicy: IfNotPresent
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- pip install --no-cache-dir -r /app/requirements.txt;python /app/permis.py
|
||||
volumeMounts:
|
||||
- name: app
|
||||
mountPath: /app
|
||||
readOnly: true
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: telegram-k-creds
|
||||
restartPolicy: OnFailure
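Review bot: The container command `pip install --no-cache-dir -r /app/requirements.txt;python /app/permis.py` downloads packages from the package index on every run (every 10 minutes once the job is unsuspended) inside a pod that holds `TELEGRAM_TOKEN`, and the `;` lets the script start even when the install failed. Building a small image with the dependencies baked in removes the per-run download; as a minimum, use `&&` instead of `;` and install hash-pinned requirements with `--require-hashes`. `requests==2.27.1` is an old release and worth bumping while doing so. The same command pattern appears in the `restou` and `unibet` CronJobs. In `permis.py`, passing `params={'chat_id': chat_id, 'text': text}` and a `timeout=` to `requests.get` avoids a hand-built query string and a hung job.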
|
|
@ -0,0 +1,78 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: restou-config
|
||||
namespace: crons
|
||||
data:
|
||||
requirements.txt: |
|
||||
requests==2.27.1
|
||||
beautifulsoup4==4.10.0
|
||||
restou.py: |
|
||||
import requests
|
||||
from bs4 import BeautifulSoup as bs
|
||||
from datetime import datetime
|
||||
import os
|
||||
|
||||
soup = bs(requests.get('https://uclouvain.be/fr/decouvrir/resto-u/le-galilee-self.html').text, features='html.parser')
|
||||
|
||||
contents = soup.find('div', {'class': 'bigcontenu'}).findAll('div', {'class': 'menus'})
|
||||
|
||||
result = ['Menu du jour:']
|
||||
|
||||
for item in contents[datetime.now().weekday()].findAll('div'):
|
||||
try:
|
||||
title = item.find('p', {'class': 'titre2'}).text.strip()
|
||||
content = item.find('p', {'class': 'texte1'}).text.strip()
|
||||
except:
|
||||
continue
|
||||
if title and content and content != '0':
|
||||
result.append(f' - {title}: {content}')
|
||||
|
||||
token = os.getenv('TELEGRAM_TOKEN')
|
||||
chat_id = os.getenv('TELEGRAM_ID')
|
||||
|
||||
assert token is not None, "Telegram token must be set"
|
||||
assert chat_id is not None, "Telegram chat ID must be set"
|
||||
|
||||
text = '\n'.join(result)
|
||||
url = f'https://api.telegram.org/bot{token}/sendMessage?chat_id={chat_id}&text={text}'
|
||||
|
||||
print(url)
|
||||
|
||||
requests.get(url)
|
||||
|
||||
---
|
||||
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: restou
|
||||
namespace: crons
|
||||
spec:
|
||||
schedule: "30 11 * * 2,4"
|
||||
successfulJobsHistoryLimit: 1
|
||||
failedJobsHistoryLimit: 1
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
volumes:
|
||||
- name: data
|
||||
configMap:
|
||||
name: restou-config
|
||||
containers:
|
||||
- name: restou
|
||||
image: python:3-slim-buster
|
||||
imagePullPolicy: IfNotPresent
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- pip install --no-cache-dir -r /data/requirements.txt;python /data/restou.py
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: telegram-creds
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /data
|
||||
readOnly: true
|
||||
restartPolicy: OnFailure
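Review bot: `print(url)` in `restou.py` writes the full Telegram request URL, including the bot token from `telegram-creds`, to the pod log on every run, so anyone who can read the logs can act as the bot. Drop the print and log only the outcome, for example `r = requests.get(f'https://api.telegram.org/bot{token}/sendMessage', params={'chat_id': chat_id, 'text': text}, timeout=10)` followed by `print(r.status_code)`. The bare `except:` in the parsing loop also hides every error, including a changed page layout; `except AttributeError:` matches the one failure the code expects, which is `find` returning `None`.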
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
name: ovh-dyndns-creds
|
||||
namespace: crons
|
||||
spec:
|
||||
encryptedData:
|
||||
DYNDNS_HOST: 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
|
||||
DYNDNS_LOGIN: 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
|
||||
DYNDNS_PASSWORD: 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
|
||||
template:
|
||||
metadata:
|
||||
name: ovh-dyndns-creds
|
||||
namespace: crons
|
|
@ -0,0 +1,14 @@
|
|||
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
name: telegram-k-creds
|
||||
namespace: crons
|
||||
spec:
|
||||
encryptedData:
|
||||
TELEGRAM_ID: 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
|
||||
TELEGRAM_TOKEN: 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
|
||||
template:
|
||||
metadata:
|
||||
name: telegram-k-creds
|
||||
namespace: crons
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
name: telegram-creds
|
||||
namespace: crons
|
||||
spec:
|
||||
encryptedData:
|
||||
TELEGRAM_ID: 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
|
||||
TELEGRAM_TOKEN: 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
|
||||
template:
|
||||
metadata:
|
||||
name: telegram-creds
|
||||
namespace: crons
|
|
@ -0,0 +1,104 @@
|
|||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: unibet-pvc
|
||||
namespace: crons
|
||||
spec:
|
||||
storageClassName: longhorn-static
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 100Mi
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: unibet-config
|
||||
namespace: crons
|
||||
data:
|
||||
requirements.txt: |
|
||||
requests==2.27.1
|
||||
unibet.py: |
|
||||
#!/usr/bin/env python
|
||||
# coding: utf-8
|
||||
|
||||
import requests
|
||||
from datetime import datetime
|
||||
import os
|
||||
import json
|
||||
|
||||
def analyze_event(data):
|
||||
return {
|
||||
'time': data['event']['start'],
|
||||
'homeTeam': data['event']['homeName'],
|
||||
'awayTeam': data['event']['awayName'],
|
||||
'odds': {d['criterion']['englishLabel']: {o['englishLabel'] + (' ' + str(o['line']) if 'line' in o else ''): o['odds']/1000 for o in d['outcomes']} for d in data['betOffers']}
|
||||
}
|
||||
|
||||
competitions = [
|
||||
'england/premier_league',
|
||||
'belgium/jupiler_pro_league',
|
||||
'france/ligue_1'
|
||||
]
|
||||
|
||||
for comp in competitions:
|
||||
content = requests.get(f'https://fr-sports.unibet.be/sportsbook-feeds/views/filter/football/{comp}/matches').json()
|
||||
res = []
|
||||
for a in content['layout']['sections']:
|
||||
try:
|
||||
for b in a['widgets']:
|
||||
try:
|
||||
for c in b['matches']['events']:
|
||||
try:
|
||||
res.append(analyze_event(c))
|
||||
except:
|
||||
pass
|
||||
except:
|
||||
pass
|
||||
except:
|
||||
pass
|
||||
os.makedirs(f'/data/records/{comp.replace("/","-")}', exist_ok=True)
|
||||
with open(f'/data/records/{comp.replace("/","-")}/{datetime.now()}.rec', 'w') as file:
|
||||
json.dump(res, file)
|
||||
|
||||
---
|
||||
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: unibet
|
||||
namespace: crons
|
||||
spec:
|
||||
schedule: "30 * * * *"
|
||||
successfulJobsHistoryLimit: 1
|
||||
failedJobsHistoryLimit: 1
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
volumes:
|
||||
- name: app
|
||||
configMap:
|
||||
name: unibet-config
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: unibet-pvc
|
||||
containers:
|
||||
- name: unibet
|
||||
image: python:3-slim-buster
|
||||
imagePullPolicy: IfNotPresent
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- pip install --no-cache-dir -r /app/requirements.txt;python /app/unibet.py
|
||||
volumeMounts:
|
||||
- name: app
|
||||
mountPath: /app
|
||||
readOnly: true
|
||||
- name: data
|
||||
mountPath: /data
|
||||
readOnly: false
|
||||
restartPolicy: OnFailure
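Review bot: The three nested bare `except: pass` blocks in `unibet.py` swallow every error, so a changed feed layout or an error payload produces an empty `[]` record file each hour with nothing in the logs. Catching only `KeyError` (and `TypeError` if needed), and calling `raise_for_status()` on a response fetched with a `timeout=`, lets `restartPolicy: OnFailure` actually surface failures. The file name built from `{datetime.now()}` contains spaces and colons; `datetime.now().strftime('%Y%m%dT%H%M%S')` is easier to handle downstream. Nothing prunes `/data/records`, so the 100Mi claim will eventually fill.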
|
|
@ -0,0 +1,51 @@
|
|||
kind: Service
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: bazarr
|
||||
namespace: external-endpoints
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- port: 6767
|
||||
targetPort: 6767
|
||||
|
||||
---
|
||||
|
||||
kind: Endpoints
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: bazarr
|
||||
namespace: external-endpoints
|
||||
subsets:
|
||||
- addresses:
|
||||
- ip: 192.168.1.201
|
||||
ports:
|
||||
- port: 6767
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: bazarr
|
||||
namespace: external-endpoints
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "bazarr.bhasher.com"
|
||||
spec:
|
||||
ingressClassName: "nginx"
|
||||
tls:
|
||||
- hosts:
|
||||
- bazarr.bhasher.com
|
||||
secretName: bazarr-tls
|
||||
rules:
|
||||
- host: bazarr.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: bazarr
|
||||
port:
|
||||
number: 6767
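Review bot: The `bazarr` Ingress publishes the LAN host `192.168.1.201:6767` under `bazarr.bhasher.com` with no `auth-url` or `auth-signin` annotations, unlike the `mealie` Ingress in this commit, which puts the same `nginx` class behind `idp.bhasher.com`. Whether Bazarr enforces its own login is not visible here; if it does not, everything that can reach the `nginx` controller gets the admin UI. The `sonarr` and `docker` sections follow the same pattern, and for `docker` (port 5000, presumably an image registry) unauthenticated access would also mean unauthenticated push. The hop from the controller to the backend is plain HTTP across the LAN, which deserves a comment in the manifest.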
|
|
@ -0,0 +1,51 @@
|
|||
kind: Service
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: docker
|
||||
namespace: external-endpoints
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- port: 5000
|
||||
|
||||
---
|
||||
|
||||
kind: Endpoints
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: docker
|
||||
namespace: external-endpoints
|
||||
subsets:
|
||||
- addresses:
|
||||
- ip: 192.168.1.201
|
||||
ports:
|
||||
- port: 5000
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: docker
|
||||
namespace: external-endpoints
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: 500m
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "docker.bhasher.com"
|
||||
spec:
|
||||
ingressClassName: "nginx"
|
||||
tls:
|
||||
- hosts:
|
||||
- docker.bhasher.com
|
||||
secretName: docker-tls
|
||||
rules:
|
||||
- host: docker.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: docker
|
||||
port:
|
||||
number: 5000
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: external-endpoints
|
|
@ -0,0 +1,51 @@
|
|||
kind: Service
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: jellyfin
|
||||
namespace: external-endpoints
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- port: 8096
|
||||
targetPort: 8096
|
||||
|
||||
---
|
||||
|
||||
kind: Endpoints
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: jellyfin
|
||||
namespace: external-endpoints
|
||||
subsets:
|
||||
- addresses:
|
||||
- ip: 192.168.1.201
|
||||
ports:
|
||||
- port: 8096
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: jellyfin
|
||||
namespace: external-endpoints
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "jellyfin.bhasher.com"
|
||||
spec:
|
||||
ingressClassName: "nginx-external"
|
||||
tls:
|
||||
- hosts:
|
||||
- jellyfin.bhasher.com
|
||||
secretName: jellyfin-tls
|
||||
rules:
|
||||
- host: jellyfin.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: jellyfin
|
||||
port:
|
||||
number: 8096
|
|
@ -0,0 +1,51 @@
|
|||
kind: Service
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: sonarr
|
||||
namespace: external-endpoints
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- port: 8989
|
||||
targetPort: 8989
|
||||
|
||||
---
|
||||
|
||||
kind: Endpoints
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: sonarr
|
||||
namespace: external-endpoints
|
||||
subsets:
|
||||
- addresses:
|
||||
- ip: 192.168.1.201
|
||||
ports:
|
||||
- port: 8989
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: sonarr
|
||||
namespace: external-endpoints
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "sonarr.bhasher.com"
|
||||
spec:
|
||||
ingressClassName: "nginx"
|
||||
tls:
|
||||
- hosts:
|
||||
- sonarr.bhasher.com
|
||||
secretName: sonarr-tls
|
||||
rules:
|
||||
- host: sonarr.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: sonarr
|
||||
port:
|
||||
number: 8989
|
|
@ -0,0 +1,134 @@
|
|||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: gitea
|
||||
namespace: git
|
||||
spec:
|
||||
storageClassName: longhorn-static
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
resources:
|
||||
requests:
|
||||
storage: 5Gi
|
||||
|
||||
---
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: gitea
|
||||
namespace: git
|
||||
labels:
|
||||
app: gitea
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: gitea
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: gitea
|
||||
spec:
|
||||
volumes:
|
||||
- name: gitea-data
|
||||
persistentVolumeClaim:
|
||||
claimName: gitea
|
||||
- name: gitea-certs
|
||||
secret:
|
||||
secretName: gitea-certs
|
||||
- name: gitea-config
|
||||
configMap:
|
||||
name: gitea-config
|
||||
- name: ca
|
||||
configMap:
|
||||
name: ca
|
||||
containers:
|
||||
- name: gitea
|
||||
image: gitea/gitea:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: gitea-tokens
|
||||
volumeMounts:
|
||||
- name: gitea-data
|
||||
mountPath: /data
|
||||
readOnly: false
|
||||
- name: ca
|
||||
mountPath: /etc/ssl/certs/bhasherCA.pem
|
||||
subPath: bhasherCA.pem
|
||||
readOnly: true
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: 3000
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
failureThreshold: 10
|
||||
startupProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: 3000
|
||||
failureThreshold: 30
|
||||
periodSeconds: 10
|
||||
initContainers:
|
||||
- name: init-config
|
||||
image: busybox:latest
|
||||
command: ['sh', '-c', 'mkdir -p /data/gitea/conf && cp /tmp/config/app.ini /data/gitea/conf/app.ini']
|
||||
volumeMounts:
|
||||
- name: gitea-data
|
||||
mountPath: /data
|
||||
readOnly: false
|
||||
- name: gitea-config
|
||||
mountPath: "/tmp/config"
|
||||
readOnly: true
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: gitea
|
||||
namespace: git
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: gitea
|
||||
ports:
|
||||
- name: https
|
||||
port: 3000
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: gitea
|
||||
namespace: git
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: 50m
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "git.bhasher.com"
|
||||
spec:
|
||||
ingressClassName: nginx-external
|
||||
tls:
|
||||
- hosts:
|
||||
- git.bhasher.com
|
||||
secretName: gitea-tls
|
||||
rules:
|
||||
- host: git.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: gitea
|
||||
port:
|
||||
number: 3000
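Review bot: The `init-config` container copies `/tmp/config/app.ini` from the `gitea-config` ConfigMap over `/data/gitea/conf/app.ini` on every pod start, so the whole of `app.ini` lives in a ConfigMap. That ConfigMap is not part of this section, so confirm it holds no `SECRET_KEY`, `INTERNAL_TOKEN` or database password and that those arrive through the `gitea-tokens` secret instead. The `gitea-certs` secret volume is declared but never mounted, and the Service port is named `https` although the probes and the Ingress backend talk plain HTTP on 3000; either mount the certificates and serve TLS, or rename the port to `http` and remove the volume. The missing `securityContext` on both containers is a smaller follow-up.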
|
|
@ -0,0 +1,64 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: ca
|
||||
namespace: git
|
||||
data:
|
||||
bhasherCA.pem : |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIKIzCCBgugAwIBAgIUSathEP5DGHryMtf1O98KMTUgZyIwDQYJKoZIhvcNAQEN
|
||||
BQAwgZgxCzAJBgNVBAYTAkJFMRAwDgYDVQQIDAdCZWxnaXVtMQowCAYDVQQHDAEu
|
||||
MRIwEAYDVQQKDAlCaGFzaGVyQ0ExEzARBgNVBAsMCkJoYXNoZXIgSVQxIzAhBgNV
|
||||
BAMMGkJoYXNoZXJDQSBSb290IENlcnRpZmljYXRlMR0wGwYJKoZIhvcNAQkBFg5j
|
||||
YUBiaGFzaGVyLmNvbTAeFw0yMjA0MjkyMzI2MzJaFw0zMjA0MjgyMzI2MzJaMIGY
|
||||
MQswCQYDVQQGEwJCRTEQMA4GA1UECAwHQmVsZ2l1bTEKMAgGA1UEBwwBLjESMBAG
|
||||
A1UECgwJQmhhc2hlckNBMRMwEQYDVQQLDApCaGFzaGVyIElUMSMwIQYDVQQDDBpC
|
||||
aGFzaGVyQ0EgUm9vdCBDZXJ0aWZpY2F0ZTEdMBsGCSqGSIb3DQEJARYOY2FAYmhh
|
||||
c2hlci5jb20wggQiMA0GCSqGSIb3DQEBAQUAA4IEDwAwggQKAoIEAQCYcYWraaSp
|
||||
2Tn+ic7zCPWg/Xy7C2KjL5tdRq4D09eZsnUnruTNvhEbXs+cgEj6u2UQ09jiNA2Z
|
||||
7oYjpNrcr6Hit10n9H2Mpn4nTcYYrA/44Aa0yKY97v3vMM0+Q4/1LDrX96fpvegC
|
||||
qn3VRJd8gHCmRIG4I74QpRdxB7DSkcc749NsyBOP7Hsicpwx9sXE5zBwxlTGBbvR
|
||||
4v7HjaqxxaTqC7V6qTcjG2FjpkxMbZj7lVXyQik07UEnVV0zqAlnie2843d62xSv
|
||||
2zQmyEwtnwvkrKnNKZIt+nELI3DmvHKW9hbB1lNz5zwfX+bwCudoKeXOpsAOY5Vj
|
||||
oYNEDp6+oqPF9/+tqsXjFamC0boe898v6beT8PYNX+yAVc5cOfcgBkR4dupyXyZe
|
||||
SyrGw29wmccyPqfADrr53PTn84kgvGRi0DGAH7VLd8eHbQ6kRuJtvspPXMBL6co9
|
||||
qX3spVJWF00qt6IHrF0oYioCuibxlG/0Hnp0zvO4U9I0DosoVkAOlKjTXppjNDDZ
|
||||
sHdHGkyX+OP868ht0JyTFarSQs6WVWvL6Gs6VCjuiFNwETxq9tYLmKN1IfcZf6Be
|
||||
sVpKD2xISRiMtKsfwmE+1CfUACWqlvsB13vFjw8ZB4eOOUnuG/svvx17TY8J3SAW
|
||||
iAzWnMECFGdJfcqepEln71J9gqO7HuuTiwofV967ruqCtxX7sOWG29xz3tB+JVW4
|
||||
78e0RjOC9sIXF3840WVG8GDbvmFjs0O/ZnYBfNYXh+kNkgIriJa1jnpZ16yVARAs
|
||||
D4RrQ1hg+aKcxe0nzxodnjJKECD7MRfxQPEHs/CAC50IhLj/Ez797SH6NSkvAGNz
|
||||
fmtgYC61zUuKAttJhkzD7lEE5PlSXlif67J8dCbb/ie8qNQTJ4i9ijMoZD6hhieR
|
||||
0NyRiMCGbyaQso7gRwbGxbIa4hp21Vi9XJj6q0U/90S2vBMdokZl+qmKktspxlCH
|
||||
/O7YL3alEmEZxOVz78VpAu/0fHyFc1hCr6FVOmfrsCc2RIbdMGxbLZwAA9tP8R+u
|
||||
CI/aVjxLNQTw6uSjeTekoNeWcXenNYM/REr96HEgvVcwytGX02wbHciulFi/NSyW
|
||||
d5nCst0GhXWA8iQX/WKX1uQUPLoimJGLxUjAT8yVHXsE+otnoCumCrXsrQpMhvga
|
||||
yWg2TLVSh7QvBnrs9JJNp6Z8vVGZuw/VcWxckFu2m7/eNLJc5+f/NXl6wVq0O1OG
|
||||
NIVoqatD/yBl0NgBwQXqSR/PJ30C/bQTuYwTaTiWNGD7gLcGTW61S8EWqGCYdZLu
|
||||
UkYDeafp1LzUyw1wOpxvnKVnMux+3lLceQubWSC4F6XqMCn/nYIMGnQ1Hs/zF/1G
|
||||
7MKi96ZMLsrXAgMBAAGjYzBhMB0GA1UdDgQWBBSgDfvqI+DQCUiCtDfzU0jWjEDS
|
||||
NTAfBgNVHSMEGDAWgBSgDfvqI+DQCUiCtDfzU0jWjEDSNTAPBgNVHRMBAf8EBTAD
|
||||
AQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQ0FAAOCBAEAcrmgBpzu4MQg
|
||||
GLVLNghy+r/01V4fWGx7uyTkWrx0xtEyPUA0Sl1Pky3BNeA9ySfxVYzFPOOOKLLb
|
||||
lsK22LF1bHx7yU8oTuJpgDluE5xK0bKfWqcnDQEwlKfkhJTUu1zO+e8c05oi68fS
|
||||
EcMo/jLGWNuLMUhMQ/OGyaTUeZCXLulUfgWF/NyUDJPfZhPP+U68nXs0fdX7LMq8
|
||||
uIOQlQEA/7Xo5Xz73AA0YimA8XxqhCZIoAhcLOE620sHzpiHlWJ/S1OnFzrUMSeG
|
||||
xnOuXiOqsBklsW5b819UXLhOqKk5PnAoB+ZhoVG1HxoGTG9wQdq1/wpxNyWhYpDH
|
||||
Tj0eLNs7Q7EwZaB6gtAvXDX6yC0/HQ3z6UnMzLViifaON9zC+ljBb63u7ZZ1qBXb
|
||||
qF9Ub3/mgdHIhiy9iBY/JTMQxEZnLqPDwVgSnuwuoF0LYAzX3Tdba2K4wXIZHOtg
|
||||
KVswHtsthGs25CUMfxUw1C0BgjQc8PX3+fWwBQG58ziww+rEwSl/8jxCriyA7mTc
|
||||
nigyfQhMti00lHo+Se0KG9mbkFsgKQfHJ7uCXYVsRf0FM4tn08kRX22ubXD1UE+g
|
||||
EZSWNmrNb+ZnVUQhAqylP5RFGaULPRstW1gKzF0gn5HKt6muz3fWIkKoY57xLphe
|
||||
2XwJppNc02+l7RVb+oMIcRPBmKc7JB7i7dU5ctlae6iLeQnYIa1RZ9DCQhsUqvlk
|
||||
7SHotC3PuXLT6haeF8MUBkt9Og3l+KcsgHhZJqOqeTO4x1wfnqeMvUHG6rsn/DEA
|
||||
O+qu4CVVq+C73Xrl76kZpZkAk40Cw1DeRRObRXCnGuD+/eOGuoTHUXToiOQBnXx7
|
||||
IfDPj+8G4ss3Wb4syH8hhKNn4TEHzHn3NCjKD9NWH0qWIqEnlrxYTkWpRckGMgN6
|
||||
8lCKoH6JnIuLOELsXLey5qwEh8DrEG9+/6TZo1bxziE3+G1FmM/UuiZ4/sp/1rKS
|
||||
nU6k3D3x5yjZbE1Eogq5JI47i/2J75x1uWUgIppYsaI1UvCX7Uux9r1PCMI7ixPz
|
||||
GhS2wKt3jCGU6ulX5vnihDglQXAEP5V+JRcI0xsdEkdB/3lU963EwvFjldQHuJP3
|
||||
I8emKNFl4lnDqloNo1xBqePoD9K0XJF8HHosvLxjUVhc98kmK8rlnGvjyL897KbG
|
||||
chHUpmcOvehDStG9BecQJB7O6F3utebzetuAjBzdzfRVjLMJ9fP5z/py1RgTNk1Y
|
||||
YH6NHOwUEDN1ojFI04z6gnHP8qHhDdCi4Dk9IRJ5zoTtHOpxfYF0EeoqJLOkBpxP
|
||||
n7MKBI2FTJH22/b+YA12FYi9flBI85yHAJwtMvvh2kZssOAMKV0ccNG1EOD6v6dS
|
||||
Pzrn2j0Zdg==
|
||||
-----END CERTIFICATE-----
|
|
@ -0,0 +1,275 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: gitea-config
|
||||
namespace: git
|
||||
data:
|
||||
app.ini: |
|
||||
APP_NAME = Gitea Bhasher
|
||||
RUN_MODE = prod
|
||||
RUN_USER = git
|
||||
|
||||
[repository]
|
||||
ROOT = /data/git/repositories
|
||||
SCRIPT_TYPE = bash
|
||||
DETECT_CHARSETS_ORDER = defaults
|
||||
FORCE_PRIVATE = false
|
||||
DEFAULT_PRIVATE = public
|
||||
DEFAULT_PUSH_CREATE_PRIVATE = false
|
||||
MAX_CREATION_LIMIT = -1
|
||||
PREFERED_LICENSES = MIT License
|
||||
DISABLE_HTTP_GIT = false
|
||||
ENABLE_PUSH_CREATE_USER = false
|
||||
ENABLE_PUSH_CREATE_ORG = false
|
||||
DEFAULT_BRANCH = master
|
||||
|
||||
[repository.local]
|
||||
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
|
||||
|
||||
[repository.upload]
|
||||
TEMP_PATH = /data/gitea/uploads
|
||||
FILE_MAX_SIZE = 25
|
||||
MAX_FILES = 100
|
||||
|
||||
[repository.signing]
|
||||
SIGNING_KEY = default
|
||||
INITIAL_COMMIT = always
|
||||
DEFAULT_TRUST_MODEL = collaborator
|
||||
WIKI = parentsigned
|
||||
CRUD_ACTIONS = pubkey,parentsigned
|
||||
MERGES = pubkey,basesigned,comitssigned
|
||||
|
||||
[ui]
|
||||
EXPLORE_PAGING_NUM = 20
|
||||
ISSUE_PAGING_NUM = 20
|
||||
MEMBERS_PAGING_NUM = 20
|
||||
FEED_PAGING_NUM = 20
|
||||
GRAPH_MAX_COMMIT_NUM = 100
|
||||
DEFAULT_THEME = arc-green
|
||||
SHOW_USER_EMAIL = true
|
||||
MAX_DISPLAY_FILE_SIZE = 8388608
|
||||
DEFAULT_SHOW_FULL_NAME = true
|
||||
|
||||
[ui.meta]
|
||||
AUTHOR = Bhasher's git
|
||||
DESCRIPTION = Custom git server based on gitea
|
||||
KEYWORDS = gitea,git,bhasher,self-hosted
|
||||
|
||||
[ui.csv]
|
||||
MAX_FILE_SIZE = 8388608
|
||||
|
||||
[markdown]
|
||||
ENABLE_HARD_LINE_BREAK_IN_COMMENTS = true
|
||||
ENABLE_HARD_LINE_BREAK_IN_DOCUMENTS = true
|
||||
CUSTOM_URL_SCHEMES = git
|
||||
|
||||
[server]
|
||||
APP_DATA_PATH = /data/gitea
|
||||
PROTOCOL = http
|
||||
DOMAIN = git.bhasher.com
|
||||
HTTP_ADDR = 0.0.0.0
|
||||
HTTP_PORT = 3000
|
||||
UNIX_SOCKET_PERMISSION = 660
|
||||
ROOT_URL = https://git.bhasher.com/
|
||||
LOCAL_ROOT_URL = http://127.0.0.1:3000/
|
||||
DISABLE_SSH = true
|
||||
LFS_START_SERVER = false
|
||||
APP_DATA_PATH = /data/gitea
|
||||
OFFLINE_MODE = false
|
||||
LANDING_PAGE = explore
|
||||
|
||||
[database]
|
||||
DB_TYPE = postgres
|
||||
HOST = postgres.storage.svc.cluster.local
|
||||
NAME = gitea
|
||||
USER = gitea
|
||||
SCHEMA = public
|
||||
SSL_MODE = disable
|
||||
LOG_SQL = false
|
||||
|
||||
[indexer]
|
||||
ISSUE_INDEXER_TYPE = bleve
|
||||
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
|
||||
REPO_INDEXER_ENABLED = true
|
||||
REPO_INDEXER_TYPE = bleve
|
||||
REPO_INDEXER_PATH = /data/gitea/indexers/repos.bleve
|
||||
MAX_FILE_SIZE = 524288
|
||||
|
||||
[admin]
|
||||
DEFAULT_EMAIL_NOTIFICATIONS = enabled
|
||||
DISABLE_REGULAR_ORG_CREATION = false
|
||||
|
||||
[security]
|
||||
INSTALL_LOCK = true
|
||||
LOGIN_REMEMBER_DAYS = 7
|
||||
REVERSE_PROXY_LIMIT = 1
|
||||
DISABLE_GIT_HOOKS = true
|
||||
DISABLE_WEBHOOKS = false
|
||||
INTERNAL_TOKEN = azerty
|
||||
REVERSE_PROXY_AUTHENTICATION_USER = Remote-User
|
||||
REVERSE_PROXY_AUTHENTICATION_EMAIL = Remote-Email
|
||||
REVERSE_PROXY_TRUSTED_PROXIES = ingress-nginx-controller.ingress-nginx.svc.cluster.local
|
||||
|
||||
[openid]
|
||||
ENABLE_OPENID_SIGNIN = false
|
||||
ENABLE_OPENID_SIGNUP = false
|
||||
|
||||
[service]
|
||||
DISABLE_REGISTRATION = true
|
||||
REQUIRE_SIGNIN_VIEW = false
|
||||
REGISTER_EMAIL_CONFIRM = false
|
||||
ENABLE_NOTIFY_MAIL = true
|
||||
ENABLE_BASIC_AUTHENTICATION = false
|
||||
ENABLE_REVERSE_PROXY_AUTHENTICATION = false # true
|
||||
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
|
||||
ENABLE_CAPTCHA = false
|
||||
DEFAULT_KEEP_EMAIL_PRIVATE = false
|
||||
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
|
||||
DEFAULT_USER_IS_RESTRICTED = false
|
||||
DEFAULT_ENABLE_DEPENDENCIES = true
|
||||
ALLOW_CROSS_REPOSITORY_DEPENDENCIES = true
|
||||
ENABLE_USER_HEATMAP = true
|
||||
DEFAULT_ENABLE_TIMETRACKING = true
|
||||
DEFAULT_ALLOW_ONLY_CONTRIBUTORS_TO_TRACK_TIME = true
|
||||
SHOW_REGISTRATION_BUTTON = false
|
||||
SHOW_MILESTONES_DASHBOARD_PAGE = true
|
||||
AUTO_WATCH_NEW_REPOS = true
|
||||
DEFAULT_USER_VISIBILITY = public
|
||||
ALLOWED_USER_VISIBILITY_MODES = public,limited
|
||||
DEFAULT_ORG_VISIBILITY = public
|
||||
DEFAULT_ORG_MEMBER_VISIBLE = true
|
||||
ALLOW_ONLY_EXTERNAL_REGISTRATION = true
|
||||
NO_REPLY_ADDRESS = noreply.git.bhasher.com
|
||||
VALID_SITE_URL_SCHEMES = https
|
||||
|
||||
[service.explore]
|
||||
REQUIRE_SIGNIN_VIEW = false
|
||||
DISABLE_USERS_PAGE = false
|
||||
|
||||
[webhook]
|
||||
DELIVER_TIMEOUT = 5
|
||||
ALLOWED_HOST_LIST = *
|
||||
SKIP_TLS_VERIFY = false
|
||||
|
||||
[mailer]
|
||||
ENABLED = true
|
||||
FROM = "Bhasher's gitea" <no-reply@bhasher.com>
|
||||
MAILER_TYPE = smtp
|
||||
HOST = bdubois.io:465
|
||||
IS_TLS_ENABLED = true
|
||||
USER = no-reply@bhasher.com
|
||||
SEND_AS_PLAIN_TEXT = false
|
||||
SKIP_VERIFY = true
|
||||
SUBJECT_PREFIX = [Gitea]
|
||||
|
||||
[cache]
|
||||
ENABLED = true
|
||||
ADAPTER = memory
|
||||
ITEM_TTL = 1h
|
||||
|
||||
[cache.last_commit]
|
||||
ENABLED = true
|
||||
ITEM_TTL = 24h
|
||||
COMMITS_COUNT = 100
|
||||
|
||||
[session]
|
||||
PROVIDER = memory
|
||||
COOKIE_SECURE = true
|
||||
COOKIE_NAME = sessid
|
||||
SESSION_LIFE_TIME = 43200
|
||||
SAME_SITE = strict
|
||||
|
||||
[picture]
|
||||
DISABLE_GRAVATAR = false
|
||||
GRAVATAR_SOURCE = gravatar
|
||||
ENABLE_FEDERATED_AVATAR = true
|
||||
#AVATAR_STORAGE_TYPE = default
|
||||
AVATAR_UPLOAD_PATH = /data/gitea/avatars
|
||||
AVATAR_MAX_WIDTH = 2048
|
||||
AVATAR_MAX_HEIGHT = 1536
|
||||
AVATAR_MAX_FILE_SIZE = 1048576
|
||||
AVATAR_RENDERED_SIZE_FACTOR = 5
|
||||
#REPOSITORY_AVATAR_STORAGE_TYPE = default
|
||||
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
|
||||
REPOSITORY_AVATAR_FALLBACK = random
|
||||
DISABLE_GRAVATAR = false
|
||||
ENABLE_FEDERATED_AVATAR = true
|
||||
REPO_INDEXER_EXCLUDE_VENDORED = true
|
||||
|
||||
[attachment]
|
||||
ENABLE = true
|
||||
ALLOWED_TYPES = .docx,.gif,.gz,.jpeg,.jpg,.mp4,.log,.pdf,.png,.pptx,.txt,.xlsx
|
||||
MAX_SIZE = 2
|
||||
MAX_FILES = 5
|
||||
STORAGE_TYPE = local
|
||||
PATH = /data/gitea/attachments
|
||||
|
||||
[log]
|
||||
MODE = console
|
||||
LEVEL = Warn
|
||||
ROUTER = console
|
||||
ROOT_PATH = /data/gitea/log
|
||||
|
||||
[git]
|
||||
PATH =
|
||||
DISABLE_DIFF_HIGHLIGHT = false
|
||||
MAX_GIT_DIFF_LINES = 1000
|
||||
MAX_GIT_DIFF_LINE_CHARACTERS = 1000
|
||||
MAX_GIT_DIFF_FILES = 100
|
||||
PULL_REQUEST_PUSH_MESSAGE = true
|
||||
VERBOSE_PUSH = true
|
||||
VERBOSE_PUSH_DELAY = 5
|
||||
LARGE_OBJECT_THRESHOLD = 1048576
|
||||
DISABLE_PARTIAL_CLONE = false
|
||||
|
||||
[git.timeout]
|
||||
DEFAULT = 60
|
||||
MIGRATE = 60
|
||||
MIRROR = 60
|
||||
CLONE = 60
|
||||
PULL = 60
|
||||
GC = 60
|
||||
|
||||
[metrics]
|
||||
ENABLED = false
|
||||
|
||||
[api]
|
||||
ENABLE_SWAGGER = false
|
||||
MAX_RESPONSE_ITEMS = 50
|
||||
DEFAULT_PAGING_NUM = 20
|
||||
DEFAULT_GIT_TREES_PER_PAGE = 100
|
||||
DEFAULT_MAX_BLOB_SIZE = 1048576
|
||||
|
||||
[oauth2]
|
||||
ENABLE = false
|
||||
|
||||
[i18n]
|
||||
LANGS = en-US,de-DE,fr-FR,nl-NL,es-ES,it-IT,pt-PT
|
||||
NAMES = English,Deutsch,Français,Nederlands,Español,Italiano,Portguês
|
||||
|
||||
[markup]
|
||||
ENABLED = false
|
||||
|
||||
[time]
|
||||
DEFAULT_UI_LOCATION = Europe/Paris
|
||||
|
||||
[migrations]
|
||||
ALLOW_LOCALNETWORKS = true
|
||||
SKIP_TLS_VERIFY = true
|
||||
|
||||
[federation]
|
||||
ENABLED = false
|
||||
|
||||
[packages]
|
||||
ENABLED = true
|
||||
|
||||
[mirror]
|
||||
ENABLED = true
|
||||
DISABLE_NEW_PULL = false
|
||||
DISABLE_NEW_PUSH = false
|
||||
DEFAULT_INTERVAL = 1h
|
||||
MIN_INTERVAL = 15m
|
||||
|
||||
[other]
|
||||
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false
|
||||
SHOW_FOOTER_VERSION = false
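Review bot: `INTERNAL_TOKEN = azerty` in the `[security]` section commits a guessable value for Gitea's internal token in a plain ConfigMap. The SealedSecret in this commit carries `GITEA__security__INTERNAL_TOKEN`, which presumably overrides it at container start, but if that override ever fails to apply the instance runs with the placeholder; I would drop the line from app.ini so the sealed value is the only source. In the same file `[mailer] SKIP_VERIFY = true` and `[migrations] SKIP_TLS_VERIFY = true` turn off certificate checks even though the Deployment mounts bhasherCA.pem. `ALLOW_LOCALNETWORKS = true` together with `[webhook] ALLOWED_HOST_LIST = *` lets any account that can create a migration or webhook make the server issue requests to cluster-internal addresses. `MERGES = pubkey,basesigned,comitssigned` also looks like a typo for `commitssigned`.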
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: git
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: gitea-tokens
|
||||
namespace: git
|
||||
spec:
|
||||
encryptedData:
|
||||
GITEA__database__PASSWD: 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
|
||||
GITEA__mailer__PASSWD: AgCH3z9kwv8vJcIYJfjDYn7wm86ZSqpZo7fi80sTbqg3LeAsL/biH+fHkWjBWMvCJerCpf04yTIw7sh203xJP0xgEz1cZ2J6+lkl3r4/LZSt+zg/QzF+qSewNssZWJFq6KdNWzxaWWISs90ATjmQUgLNYgp+zX0GEdjwWzdphknB/K7omxYJcYhidCPFThc4nFGrNKiM1QFWhrGK3aiGX+ug6MaZqfF6ABx7WfWRkiLUIyvdKPgIxswbRdLSsjLjN+c75VWa8lD58GKz+a+JYuOVTFX61JtFSwTPW+U8Eb6Nw1OD0oOXjpFFqym54awqElh0avQadyWmMlM7Ste3hktq1L2v9T2hFDupfDHJ6tq38bkImE5jjTJa35XxGmt4nEjM+owDM0FIHotC2l92qJxWzT0QwOV5ARYjbWOQa2Y7LfCd7N4oU6jbnRDMLDwg/fr+v1ngu0Tcnjb+swPhROoTEoWvY5Vy+IAWBhYX3KLm57Gbuhybnorr28sABVNFmCNmNWO2RC0nEYZF7k/TQkQGgY2RC2OIifN0Gon6KYrK1rPr2kBTRgcHh22nc2MozKOQ2W0WuY8WuwXr/4kOkYns3W6zqzsRKpMB8nZDrjyPkKq8liHFpk4t7hia4OBKtjVv1U2A7TWvwVeOXG/Og+9wXehDnLal0gPBiUDs9zY5LI3w7muELzCiBUCglYFnAcN243iXR+GmbC1Xu98YTUYKcfrRE/Cw/x6UPSjHSKGcd3J/AHCzrfWe21xtmVAcpV+ZkUAfEOmcfMyz6qpr4/no
|
||||
GITEA__metrics__TOKEN: 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
|
||||
GITEA__security__INTERNAL_TOKEN: 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
|
||||
GITEA__server__LFS_JWT_SECRET: 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
|
||||
template:
|
||||
data: null
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: gitea-tokens
|
||||
namespace: git
|
||||
|
|
@ -0,0 +1,179 @@
|
|||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: hass
|
||||
namespace: hass
|
||||
spec:
|
||||
storageClassName: longhorn-static
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
resources:
|
||||
requests:
|
||||
storage: 500Mi
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: hass
|
||||
namespace: hass
|
||||
data:
|
||||
configuration.yaml: |
|
||||
# Loads default set of integrations. Do not remove.
|
||||
default_config:
|
||||
|
||||
http:
|
||||
use_x_forwarded_for: true
|
||||
trusted_proxies:
|
||||
- 10.42.0.0/16
|
||||
|
||||
panel_iframe:
|
||||
nodered:
|
||||
title: 'Node-Red'
|
||||
url: 'https://node-red.bhasher.com'
|
||||
icon: mdi:sitemap
|
||||
require_admin: true
|
||||
|
||||
binary_sensor:
|
||||
- platform: ping
|
||||
host: 192.168.1.2
|
||||
name: "Bhasher's Desktop"
|
||||
count: 2
|
||||
scan_interval: 30
|
||||
|
||||
wake_on_lan:
|
||||
|
||||
switch:
|
||||
- platform: wake_on_lan
|
||||
name: "WOL Bhasher's Desktop"
|
||||
mac: e0:d5:5e:08:3c:d4
|
||||
broadcast_address: 192.168.1.255
|
||||
|
||||
recorder: !include recorder.yaml
|
||||
automation: !include automations.yaml
|
||||
script: !include scripts.yaml
|
||||
scene: !include scenes.yaml
|
||||
|
||||
---
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
app: hass
|
||||
name: hass
|
||||
namespace: hass
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: hass
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: hass
|
||||
spec:
|
||||
affinity:
|
||||
podAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: app
|
||||
operator: In
|
||||
values:
|
||||
- hass
|
||||
topologyKey: kubernetes.io/hostname
|
||||
weight: 100
|
||||
volumes:
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: hass
|
||||
- name: config
|
||||
configMap:
|
||||
name: hass
|
||||
- name: secrets
|
||||
secret:
|
||||
secretName: hass
|
||||
containers:
|
||||
- name: hass
|
||||
image: homeassistant/home-assistant:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: "/config"
|
||||
- name: config
|
||||
mountPath: "/config/configuration.yaml"
|
||||
subPath: "configuration.yaml"
|
||||
- name: secrets
|
||||
mountPath: "/config/recorder.yaml"
|
||||
subPath: "recorder.yaml"
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 8123
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: http
|
||||
failureThreshold: 2
|
||||
periodSeconds: 10
|
||||
startupProbe:
|
||||
httpGet:
|
||||
path: /
|
||||
port: http
|
||||
failureThreshold: 24
|
||||
periodSeconds: 5
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: hass
|
||||
namespace: hass
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: hass
|
||||
ports:
|
||||
- name: http
|
||||
port: 8123
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: hass
|
||||
namespace: hass
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "hass.bhasher.com"
|
||||
# nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
|
||||
# nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
|
||||
# #nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
|
||||
# nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
|
||||
# #nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method $request_method;
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- hass.bhasher.com
|
||||
secretName: hass-tls
|
||||
rules:
|
||||
- host: hass.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: hass
|
||||
port:
|
||||
number: 8123
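Review bot: `trusted_proxies: - 10.42.0.0/16` in the Home Assistant `http:` block trusts `X-Forwarded-For` from what looks like the whole pod network, so any pod in the cluster can present an arbitrary client IP to Home Assistant. Narrowing the list to the ingress controller, or restricting who can reach port 8123 with a NetworkPolicy, keeps source-IP based decisions (login records, IP bans) meaningful. Separately, `image: homeassistant/home-assistant:latest` with `imagePullPolicy: IfNotPresent` means the running version depends on whatever each node has cached; pinning a version tag or digest makes rollouts reproducible.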
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: hass
|
|
@ -0,0 +1,64 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: mosquitto
|
||||
namespace: hass
|
||||
data:
|
||||
mosquitto.conf: |
|
||||
# persistence true
|
||||
# persistence_location /mosquitto/data
|
||||
|
||||
listener 1883
|
||||
allow_anonymous true
|
||||
|
||||
|
||||
---
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: mosquitto
|
||||
namespace: hass
|
||||
labels:
|
||||
app: mosquitto
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: mosquitto
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: mosquitto
|
||||
spec:
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: mosquitto
|
||||
containers:
|
||||
- name: mosquitto
|
||||
image: eclipse-mosquitto:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /mosquitto/config/mosquitto.conf
|
||||
subPath: mosquitto.conf
|
||||
readOnly: true
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: mosquitto
|
||||
namespace: hass
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: mqtt
|
||||
port: 1883
|
||||
targetPort: 1883
|
||||
protocol: TCP
|
||||
selector:
|
||||
app: mosquitto
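Review bot: `allow_anonymous true` on `listener 1883` leaves the broker open to any client that can reach the `mosquitto` Service, with neither credentials nor TLS. Since zigbee2mqtt and Home Assistant drive devices through this broker, any other workload in the cluster could read sensor topics or publish commands. I would set `allow_anonymous false` with a `password_file` supplied from a SealedSecret, or at minimum add a NetworkPolicy admitting only the zigbee2mqtt and hass pods. The `# persistence` lines are commented out and no data volume is mounted, so a short comment stating that losing retained messages on restart is intended would help.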
|
|
@ -0,0 +1,95 @@
|
|||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: node-red
|
||||
namespace: hass
|
||||
labels:
|
||||
app: node-red
|
||||
spec:
|
||||
storageClassName: longhorn-static
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
resources:
|
||||
requests:
|
||||
storage: 100Mi
|
||||
|
||||
---
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: node-red
|
||||
namespace: hass
|
||||
labels:
|
||||
app: node-red
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: node-red
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: node-red
|
||||
spec:
|
||||
containers:
|
||||
- name: node-red
|
||||
image: nodered/node-red:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
env:
|
||||
- name: TZ
|
||||
value: Europe/Paris
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /data
|
||||
volumes:
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: node-red
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: node-red
|
||||
namespace: hass
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: node-red
|
||||
ports:
|
||||
- name: http
|
||||
port: 1880
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: node-red
|
||||
namespace: hass
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "node-red.bhasher.com"
|
||||
nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
|
||||
nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- node-red.bhasher.com
|
||||
secretName: node-red-tls
|
||||
rules:
|
||||
- host: node-red.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: node-red
|
||||
port:
|
||||
number: 1880
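Review bot: The `node-red` Ingress is the only place authentication is enforced (`auth-url` / `auth-signin`), while the Service exposes the editor on port 1880 to the whole cluster. The Node-RED editor can run arbitrary code through its flows, so anything that reaches the Service directly bypasses the identity provider; whether `adminAuth` is configured in the settings file on the `data` volume cannot be seen from this diff. A NetworkPolicy admitting only the ingress controller to port 1880 would close that path. The container also declares no `ports` or probes, unlike the hass Deployment in this commit, and the image is the unpinned `nodered/node-red:latest`.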
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: hass
|
||||
namespace: hass
|
||||
spec:
|
||||
encryptedData:
|
||||
recorder.yaml: AgBYJmg/HSCptRB+Yip1T0je3t/JFp9IQ3iHUFS3Mm68uwMsrSAugV4pcBFu27fZjmSbimLFSDo1itrQDq65kqxAny+Qk6rYZnHEQgxBy2z42j4Wt+ycwuGTJct7+HqluebL1UL+eDSPVHzcKhSnTjG0dewjGSaBz4a45/i5VeZQSXYe527LOimFzflyEcPR/qTHVFnmNPR92+shLs3paSajayXVMBbmaEkClq4KnSt9XlZ+rCLuCL1YxWq36Lq+Lt4APQsVJxi58tD8sy6QIU7EslxEGfoNqXKN6a+4SJtZzJXCDbkXmyuU2bbNlTQSn/3hV/O3uRxLyIG2uDJWXfuCxiPR7e6Q/kmGGy9Tl6H6srmYw83qAYQ6fsNy/siSIGN77tOCtVBW6ZeQ+UqQ5uzhWE6K9UJ2qn/WKkrZNWW7HnmpQwcNWDVpu2e1RrZJcWlyoFHL8jbtAWXnJftR5QYGXGybvxjb+Od9XmotCdlwc7FXErG1TISh23+EGA1TlxcxSclfbZ6gqHxOS4EIubJdi3BWOUVQzWkMXbg9fwJ7M9vdbHQpPALO1PUVBswH5fZ5cW9FzNU9sIFGeFm6JalKJMxnQtSILj1+GJLIdhQzxQa9DLP1Y86m0S2Dsqdo0KQW5vNCYPujt7QS3zFo0fQFHlEXN6TW83/4952wgszp15FH/JD0ftpV1BH/kaeLfd2OZ9QEVsGNpPxGCuDPJ8Eu8rd+TLRialES2xwDclS+/iMgMdhsN1TDyVCkjKNq1aH/5Nv8wh9Vtw8rZCp5CGRF2sLTCCJCF1Eer5DiGoWr1+unOZELC6vIMt06f2e2FyBZivwcC0KRxMq55NM3ou6evO7EOpMiKgBoqtfa9RhMs7Sdtgy7LcZIECaWnky3p9MVcIRN7Q==
|
||||
template:
|
||||
data: null
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: hass
|
||||
namespace: hass
|
||||
|
|
@ -0,0 +1,96 @@
|
|||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: zigbee2mqtt-pvc
|
||||
namespace: hass
|
||||
spec:
|
||||
storageClassName: longhorn-static
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 100Mi
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: zigbee2mqtt
|
||||
namespace: hass
|
||||
data:
|
||||
configuration.yaml: |
|
||||
homeassistant: true
|
||||
permit_join: true
|
||||
mqtt:
|
||||
base_topic: zigbee2mqtt
|
||||
server: mqtt://mosquitto.hass.svc.cluster.local
|
||||
serial:
|
||||
port: /dev/ttyACM0
|
||||
devices:
|
||||
'0x54ef441000367592':
|
||||
friendly_name: WallSwitchOffice
|
||||
'0x00158d00068b2c39':
|
||||
friendly_name: MovementSensorDeskOffice
|
||||
'0x00158d00067ca592':
|
||||
friendly_name: MovementSensorShelfOffice
|
||||
|
||||
---
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: zigbee2mqtt
|
||||
namespace: hass
|
||||
labels:
|
||||
app: zigbee2mqtt
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: zigbee2mqtt
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: zigbee2mqtt
|
||||
spec:
|
||||
nodeSelector:
|
||||
zigbee: "true"
|
||||
volumes:
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: zigbee2mqtt-pvc
|
||||
- name: config
|
||||
configMap:
|
||||
name: zigbee2mqtt
|
||||
- name: udev
|
||||
hostPath:
|
||||
path: /run/udev
|
||||
- name: ttyacm
|
||||
hostPath:
|
||||
path: /dev/ttyACM0
|
||||
containers:
|
||||
- name: zigbee2mqtt
|
||||
image: koenkk/zigbee2mqtt:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
env:
|
||||
- name: TZ
|
||||
value: Europe/Paris
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: "/app/data"
|
||||
readOnly: false
|
||||
- name: config
|
||||
mountPath: /app/configuration.yaml
|
||||
subPath: configuration.yaml
|
||||
readOnly: true
|
||||
- name: udev
|
||||
mountPath: /run/udev
|
||||
readOnly: true
|
||||
- name: ttyacm
|
||||
mountPath: /dev/ttyACM0
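Review bot: `permit_join: true` in the zigbee2mqtt `configuration.yaml` keeps the Zigbee network permanently open to new devices, and because it comes from a ConfigMap it is reapplied on every start. I would commit `permit_join: false` and enable joining only temporarily while pairing. The container also runs with `securityContext: privileged: true` on top of the `/dev/ttyACM0` and `/run/udev` hostPath mounts, which grants far more than serial-port access; if privileged mode is there only for the adapter, a comment saying so would document the trade-off. The image is the unpinned `koenkk/zigbee2mqtt:latest`.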
|
File diff suppressed because it is too large
|
@ -0,0 +1,54 @@
|
|||
singleuser:
|
||||
defaultUrl: "/lab"
|
||||
extraEnv:
|
||||
JUPYTERHUB_SINGLEUSER_APP: "jupyter_server.serverapp.ServerApp"
|
||||
EDITOR: "vim"
|
||||
memory:
|
||||
limit: 1G
|
||||
guarantee: 100M
|
||||
cpu:
|
||||
limit: 1.
|
||||
guarantee: 1.
|
||||
storage:
|
||||
dynamic:
|
||||
storageClass: longhorn
|
||||
capacity: 2Gi
|
||||
|
||||
hub:
|
||||
extraEnv:
|
||||
OAUTH_TLS_VERIFY: "0"
|
||||
OAUTH2_TLS_VERIFY: "0"
|
||||
config:
|
||||
Authenticator:
|
||||
admin_users:
|
||||
- bhasher
|
||||
GenericOAuthenticator:
|
||||
client_id: jupyterhub
|
||||
client_secret: 8sbWBuDMmKIvcjfTQTg12f2ycRV3Y3Cy
|
||||
oauth_callback_url: https://jupyter.bhasher.com/hub/oauth_callback
|
||||
authorize_url: https://openid.bhasher.com/realms/external/protocol/openid-connect/auth
|
||||
token_url: https://openid.bhasher.com/realms/external/protocol/openid-connect/token
|
||||
userdata_url: https://openid.bhasher.com/realms/external/protocol/openid-connect/userinfo
|
||||
login_service: OpenID
|
||||
username_key: preferred_username
|
||||
userdata_params:
|
||||
state: state
|
||||
JupyterHub:
|
||||
authenticator_class: generic-oauth
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
hosts:
|
||||
- jupyter.bhasher.com
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "jupyter.bhasher.com"
|
||||
tls:
|
||||
- hosts:
|
||||
- jupyter.bhasher.com
|
||||
secretName: jupyterhub-tls
|
||||
|
||||
prePuller:
|
||||
continuous:
|
||||
enabled: false
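Review bot: `client_secret` under `GenericOAuthenticator` is committed in clear text in this values file, whereas the other credentials in this commit are SealedSecrets. The value should be treated as exposed, rotated at the identity provider, and supplied from a Secret rather than from this file. `OAUTH_TLS_VERIFY: "0"` and `OAUTH2_TLS_VERIFY: "0"` under `hub.extraEnv` also appear to switch off certificate verification for the hub's calls to openid.bhasher.com. Making the hub trust the private CA (as the gitea Deployment does by mounting bhasherCA.pem) would let verification stay on.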
|
|
@ -0,0 +1,93 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: radarr
|
||||
namespace: media-server
|
||||
labels:
|
||||
app: radarr
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
spec:
|
||||
replicas: 0
|
||||
revisionHistoryLimit: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: radarr
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: radarr
|
||||
spec:
|
||||
containers:
|
||||
- name: radarr
|
||||
image: lscr.io/linuxserver/radarr:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /config/config.xml
|
||||
subPath: config.xml
|
||||
readOnly: true
|
||||
# - name: movies
|
||||
# mountPath: /movies
|
||||
# subPath: movies
|
||||
# readOnly: false
|
||||
# - name: movies
|
||||
# mountPath: /downloads
|
||||
# subPath: tmp
|
||||
volumes:
|
||||
- name: config
|
||||
secret:
|
||||
secretName: radarr
|
||||
# - name: movies
|
||||
# nfs:
|
||||
# server: truenas.bhasher.com
|
||||
# path: /mnt/Main/local/movies
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: radarr
|
||||
namespace: media-server
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: radarr
|
||||
ports:
|
||||
- name: http
|
||||
port: 7878
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: radarr
|
||||
namespace: media-server
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "radarr.bhasher.com"
|
||||
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
|
||||
nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
|
||||
nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method request_method;
|
||||
nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
|
||||
nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method request_method;
|
||||
spec:
|
||||
ingressClassName: nginx-external
|
||||
tls:
|
||||
- hosts:
|
||||
- radarr.bhasher.com
|
||||
secretName: radarr-tls
|
||||
rules:
|
||||
- host: radarr.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: radarr
|
||||
port:
|
||||
number: 7878
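Review bot: The `auth-snippet` and `configuration-snippet` annotations set `proxy_set_header X-Forwarded-Method request_method;` without the `$`, so nginx sends the literal text `request_method` rather than the request's method. The commented-out annotations on the hass Ingress in this commit use `$request_method`, which suggests the `$` was lost, for example to shell expansion when the file was generated. Any method-based rule at idp.bhasher.com would then be evaluated against a bogus value; the lines should read `proxy_set_header X-Forwarded-Method $request_method;`. This Ingress also uses `ingressClassName: nginx-external`, so as far as this diff shows the forward-auth annotations are the only gate in front of radarr.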
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: media-server
|
File diff suppressed because one or more lines are too long
|
@ -0,0 +1,232 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: dns
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: pihole-pvc
|
||||
namespace: dns
|
||||
spec:
|
||||
storageClassName: longhorn-static
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: dnsmasq-pvc
|
||||
namespace: dns
|
||||
spec:
|
||||
storageClassName: longhorn-static
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
---
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: pihole
|
||||
namespace: dns
|
||||
labels:
|
||||
app: pihole
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: pihole
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: pihole
|
||||
name: pihole
|
||||
spec:
|
||||
affinity:
|
||||
podAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: app
|
||||
operator: In
|
||||
values:
|
||||
- pihole
|
||||
topologyKey: kubernetes.io/hostname
|
||||
weight: 100
|
||||
containers:
|
||||
- name: pihole
|
||||
image: cbcrowe/pihole-unbound:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: pihole-configmap
|
||||
- secretRef:
|
||||
name: pihole-secret
|
||||
ports:
|
||||
- name: svc-53-udp
|
||||
containerPort: 53
|
||||
protocol: UDP
|
||||
- name: svc-53-tcp
|
||||
containerPort: 53
|
||||
protocol: TCP
|
||||
- name: svc-ui
|
||||
containerPort: 80
|
||||
protocol: TCP
|
||||
# livenessProbe:
|
||||
# httpGet:
|
||||
# port: svc-ui
|
||||
# initialDelaySeconds: 15
|
||||
# periodSeconds: 10
|
||||
# readinessProbe:
|
||||
# httpGet:
|
||||
# port: svc-ui
|
||||
# initialDelaySeconds: 15
|
||||
# periodSeconds: 10
|
||||
# startupProbe:
|
||||
# httpGet:
|
||||
# port: svc-ui
|
||||
# failureThreshold: 12
|
||||
# periodSeconds: 10
|
||||
resources:
|
||||
limits:
|
||||
memory: "300Mi"
|
||||
cpu: "250m"
|
||||
requests:
|
||||
memory: "50Mi"
|
||||
cpu: "100m"
|
||||
volumeMounts:
|
||||
- name: pihole-etc
|
||||
mountPath: "/etc/pihole"
|
||||
- name: dnsmasq-etc
|
||||
mountPath: "/etc/dnsmasq.d"
|
||||
- name: unbound-conf
|
||||
mountPath: "/etc/unbound/unbound.conf.d/pi-hole.conf"
|
||||
subPath: "pi-hole.conf"
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: pihole-etc
|
||||
persistentVolumeClaim:
|
||||
claimName: pihole-pvc
|
||||
- name: dnsmasq-etc
|
||||
persistentVolumeClaim:
|
||||
claimName: dnsmasq-pvc
|
||||
- name: unbound-conf
|
||||
configMap:
|
||||
name: unbound-conf
|
||||
|
||||
---
|
||||
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: pihole-pdb
|
||||
namespace: dns
|
||||
spec:
|
||||
minAvailable: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: pihole
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: pihole-ui-svc
|
||||
namespace: dns
|
||||
spec:
|
||||
selector:
|
||||
app: pihole
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- port: 80
|
||||
protocol: TCP
|
||||
name: pihole-ui
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: pihole-tcp-svc
|
||||
namespace: dns
|
||||
annotations:
|
||||
metallb.universe.tf/loadBalancerIPs: 192.168.1.211
|
||||
metallb.universe.tf/allow-shared-ip: "pihole-192.168.1.211"
|
||||
spec:
|
||||
selector:
|
||||
app: pihole
|
||||
type: LoadBalancer
|
||||
externalTrafficPolicy: Cluster
|
||||
ports:
|
||||
- port: 53
|
||||
targetPort: 53
|
||||
protocol: TCP
|
||||
name: pihole-dns-tcp
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: pihole-udp-svc
|
||||
namespace: dns
|
||||
annotations:
|
||||
metallb.universe.tf/loadBalancerIPs: 192.168.1.211
|
||||
metallb.universe.tf/allow-shared-ip: "pihole-192.168.1.211"
|
||||
spec:
|
||||
selector:
|
||||
app: pihole
|
||||
type: LoadBalancer
|
||||
externalTrafficPolicy: Cluster
|
||||
ports:
|
||||
- port: 53
|
||||
targetPort: 53
|
||||
protocol: UDP
|
||||
name: pihole-dns-udp
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: pihole
|
||||
namespace: dns
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "pihole.bhasher.com"
|
||||
nginx.ingress.kubernetes.io/app-root: /admin
|
||||
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
|
||||
nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
|
||||
nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
|
||||
nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
|
||||
nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method $request_method;
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- pihole.bhasher.com
|
||||
secretName: pihole-tls
|
||||
rules:
|
||||
- host: pihole.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: pihole-ui-svc
|
||||
port:
|
||||
number: 80
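Review bot: `image: cbcrowe/pihole-unbound:latest` combined with `imagePullPolicy: IfNotPresent` leaves the resolver's image unpinned. Each node keeps whichever `latest` it pulled first, so nodes can run different builds and a rescheduled pod can pick up a new upstream image without any change in Git. Pin a release tag and preferably its digest, e.g. `image: cbcrowe/pihole-unbound:<version>@sha256:<digest>` (placeholders to fill in). The same `latest` + `IfNotPresent` pattern appears on the heimdall, wikijs and wireguard-go containers later in this commit; the timesheet image also uses `latest`, there with `imagePullPolicy: Always`.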
|
|
@ -0,0 +1,78 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: pihole-configmap
|
||||
namespace: dns
|
||||
data:
|
||||
TZ: "Europe/Paris"
|
||||
WEBTHEME: "default-dark"
|
||||
REV_SERVER: "false"
|
||||
PIHOLE_DNS_: "127.0.0.1#5335"
|
||||
DNSSEC: "true"
|
||||
DNSMASQ_LISTENING: "single"
|
||||
FTLCONF_REPLY_ADDR4: "192.168.1.211"
|
||||
FTLCONF_RATE_LIMIT: "0/0"
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: unbound-conf
|
||||
namespace: dns
|
||||
data:
|
||||
pi-hole.conf: |
|
||||
remote-control:
|
||||
control-enable: yes
|
||||
control-interface: 127.0.0.1
|
||||
control-port: 8953
|
||||
|
||||
server:
|
||||
# Conectivity
|
||||
interface: 127.0.0.1 # Only for pi-hole
|
||||
port: 5335
|
||||
do-ip4: yes
|
||||
do-udp: yes
|
||||
do-tcp: yes
|
||||
do-ip6: no
|
||||
prefer-ip6: no
|
||||
|
||||
# Security
|
||||
harden-glue: yes
|
||||
harden-dnssec-stripped: yes
|
||||
harden-referral-path: yes
|
||||
use-caps-for-id: no
|
||||
unwanted-reply-threshold: 10000000
|
||||
|
||||
# Performances
|
||||
edns-buffer-size: 1232
|
||||
prefetch: yes
|
||||
prefetch-key: yes
|
||||
num-threads: 1
|
||||
so-rcvbuf: 1m
|
||||
max-udp-size: 3072
|
||||
cache-min-ttl: 3600
|
||||
cache-max-ttl: 86400
|
||||
msg-cache-slabs: 8
|
||||
rrset-cache-slabs: 8
|
||||
infra-cache-slabs: 8
|
||||
key-cache-slabs: 8
|
||||
rrset-cache-size: 256m
|
||||
msg-cache-size: 128m
|
||||
so-rcvbuf: 1m
|
||||
|
||||
# Privacy
|
||||
hide-identity: yes
|
||||
hide-version: yes
|
||||
private-address: 192.168.0.0/16
|
||||
private-address: 169.254.0.0/16
|
||||
private-address: 172.16.0.0/12
|
||||
private-address: 10.0.0.0/8
|
||||
private-address: fd00::/8
|
||||
private-address: fe80::/10
|
||||
|
||||
# Stats
|
||||
verbosity: 0
|
||||
statistics-interval: 0
|
||||
extended-statistics: yes
|
||||
statistics-cumulative: yes
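Review bot: `FTLCONF_RATE_LIMIT: "0/0"` switches Pi-hole's per-client query rate limiting off, while the resolver is published on the LoadBalancer address 192.168.1.211 over both TCP and UDP. A single misbehaving or compromised client on that network can then saturate the resolver for everyone. Unless a specific client needs the limit removed, keep a finite value (Pi-hole's default is `"1000/60"`) or add a comment above the key recording why it is disabled. In `pi-hole.conf`, `so-rcvbuf: 1m` is set twice in the `# Performances` block; the second occurrence can be dropped.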
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: pihole-secret
|
||||
namespace: dns
|
||||
spec:
|
||||
encryptedData:
|
||||
WEBPASSWORD: 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
|
||||
template:
|
||||
data: null
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: pihole-secret
|
||||
namespace: dns
|
||||
|
|
@ -0,0 +1,116 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: portal
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: heimdall-pvc
|
||||
namespace: portal
|
||||
spec:
|
||||
storageClassName: longhorn-static
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 100Mi
|
||||
|
||||
---
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: heimdall
|
||||
namespace: portal
|
||||
labels:
|
||||
app: heimdall
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: heimdall
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: heimdall
|
||||
spec:
|
||||
containers:
|
||||
- name: heimdall
|
||||
image: lscr.io/linuxserver/heimdall:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
ports:
|
||||
- name: svc-ui
|
||||
containerPort: 80
|
||||
protocol: TCP
|
||||
volumeMounts:
|
||||
- name: heimdall
|
||||
mountPath: /config
|
||||
# - name: heimdall-config
|
||||
# mountPath: /config/www/.env
|
||||
# subPath: .env
|
||||
# - name: heimdall-config
|
||||
# mountPath: /config/www/app.sqlite
|
||||
# subPath: empty.sqlite
|
||||
volumes:
|
||||
- name: heimdall
|
||||
persistentVolumeClaim:
|
||||
claimName: heimdall-pvc
|
||||
# - name: heimdall-config
|
||||
# secret:
|
||||
# secretName: heimdall
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: heimdall
|
||||
namespace: portal
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: heimdall
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: heimdall
|
||||
namespace: portal
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "portal.bhasher.com"
|
||||
nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
|
||||
nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
|
||||
nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
|
||||
nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method $request_method;
|
||||
spec:
|
||||
ingressClassName: nginx
|
||||
tls:
|
||||
- hosts:
|
||||
- portal.bhasher.com
|
||||
secretName: portal-tls
|
||||
rules:
|
||||
- host: portal.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: heimdall
|
||||
port:
|
||||
number: 80
|
File diff suppressed because one or more lines are too long
|
@ -0,0 +1,111 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: timesheet
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: timesheet-pvc
|
||||
namespace: timesheet
|
||||
spec:
|
||||
storageClassName: longhorn-static
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 100Mi
|
||||
|
||||
---
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: timesheet
|
||||
namespace: timesheet
|
||||
labels:
|
||||
app: timesheet
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: timesheet
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: timesheet
|
||||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/hostname: node0
|
||||
volumes:
|
||||
- name: timesheet-data
|
||||
persistentVolumeClaim:
|
||||
claimName: timesheet-pvc
|
||||
- name: timesheet-config
|
||||
configMap:
|
||||
name: timesheet-config
|
||||
containers:
|
||||
- name: timesheet
|
||||
image: 192.168.1.201:8443/timesheet:latest
|
||||
imagePullPolicy: Always
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: timesheet-config
|
||||
volumeMounts:
|
||||
- name: timesheet-data
|
||||
mountPath: /data
|
||||
readOnly: false
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: timesheet
|
||||
namespace: timesheet
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: timesheet
|
||||
ports:
|
||||
- name: https
|
||||
port: 8080
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: timesheet
|
||||
namespace: timesheet
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "timesheet.bhasher.com"
|
||||
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
|
||||
nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
|
||||
nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
|
||||
nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
|
||||
nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method $request_method;
|
||||
spec:
|
||||
ingressClassName: "nginx"
|
||||
tls:
|
||||
- hosts:
|
||||
- timesheet.bhasher.com
|
||||
secretName: timesheet-tls
|
||||
rules:
|
||||
- host: timesheet.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: timesheet
|
||||
port:
|
||||
number: 8080
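Review bot: The pod spec declares a `timesheet-config` volume backed by the ConfigMap, but no container mounts it. The ConfigMap is already consumed through `envFrom`, so the `volumes` entry can be removed. The Service port is named `https` although it points at 8080 and the Ingress sets no backend-protocol annotation, so traffic to the pod is presumably plain HTTP; `name: http` would match the other Services in this commit and avoid implying TLS to the backend.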
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: timesheet-config
|
||||
namespace: timesheet
|
||||
data:
|
||||
TS_DB_PATH: "/data/timesheet.db"
|
||||
TS_HOST: "0.0.0.0"
|
||||
TS_PORT: "8080"
|
|
@ -0,0 +1,104 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: wiki
|
||||
|
||||
---
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: wikijs
|
||||
namespace: wiki
|
||||
labels:
|
||||
app: wikijs
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: wikijs
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: wikijs
|
||||
spec:
|
||||
volumes:
|
||||
- name: ca
|
||||
configMap:
|
||||
name: ca
|
||||
containers:
|
||||
- name: wikijs
|
||||
image: ghcr.io/requarks/wiki:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: wikijs
|
||||
- secretRef:
|
||||
name: wikijs
|
||||
volumeMounts:
|
||||
- name: ca
|
||||
mountPath: /certs
|
||||
readOnly: true
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 3000
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: http
|
||||
failureThreshold: 2
|
||||
periodSeconds: 10
|
||||
startupProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: http
|
||||
failureThreshold: 24
|
||||
periodSeconds: 5
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: wikijs
|
||||
namespace: wiki
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: wikijs
|
||||
ports:
|
||||
- name: http
|
||||
port: 3000
|
||||
protocol: TCP
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: wikijs
|
||||
namespace: wiki
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "wiki.bhasher.com"
|
||||
spec:
|
||||
ingressClassName: nginx-external
|
||||
tls:
|
||||
- hosts:
|
||||
- wiki.bhasher.com
|
||||
secretName: wikijs-tls
|
||||
rules:
|
||||
- host: wiki.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: wikijs
|
||||
port:
|
||||
number: 3000
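Review bot: This Ingress is published on `ingressClassName: nginx-external` without the `auth-url` / `auth-signin` annotations that the other Ingresses in this commit carry, so requests reach Wiki.js without passing the `idp.bhasher.com` check. If that is intentional (Wiki.js handling its own login for a public wiki), record it in a comment above `annotations:`, e.g. `# no forward-auth: public wiki, Wiki.js handles login`. Otherwise add the same auth annotation set used on the pihole Ingress.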
|
|
@ -0,0 +1,64 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: ca
|
||||
namespace: wiki
|
||||
data:
|
||||
bhasherCA.pem : |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIKIzCCBgugAwIBAgIUSathEP5DGHryMtf1O98KMTUgZyIwDQYJKoZIhvcNAQEN
|
||||
BQAwgZgxCzAJBgNVBAYTAkJFMRAwDgYDVQQIDAdCZWxnaXVtMQowCAYDVQQHDAEu
|
||||
MRIwEAYDVQQKDAlCaGFzaGVyQ0ExEzARBgNVBAsMCkJoYXNoZXIgSVQxIzAhBgNV
|
||||
BAMMGkJoYXNoZXJDQSBSb290IENlcnRpZmljYXRlMR0wGwYJKoZIhvcNAQkBFg5j
|
||||
YUBiaGFzaGVyLmNvbTAeFw0yMjA0MjkyMzI2MzJaFw0zMjA0MjgyMzI2MzJaMIGY
|
||||
MQswCQYDVQQGEwJCRTEQMA4GA1UECAwHQmVsZ2l1bTEKMAgGA1UEBwwBLjESMBAG
|
||||
A1UECgwJQmhhc2hlckNBMRMwEQYDVQQLDApCaGFzaGVyIElUMSMwIQYDVQQDDBpC
|
||||
aGFzaGVyQ0EgUm9vdCBDZXJ0aWZpY2F0ZTEdMBsGCSqGSIb3DQEJARYOY2FAYmhh
|
||||
c2hlci5jb20wggQiMA0GCSqGSIb3DQEBAQUAA4IEDwAwggQKAoIEAQCYcYWraaSp
|
||||
2Tn+ic7zCPWg/Xy7C2KjL5tdRq4D09eZsnUnruTNvhEbXs+cgEj6u2UQ09jiNA2Z
|
||||
7oYjpNrcr6Hit10n9H2Mpn4nTcYYrA/44Aa0yKY97v3vMM0+Q4/1LDrX96fpvegC
|
||||
qn3VRJd8gHCmRIG4I74QpRdxB7DSkcc749NsyBOP7Hsicpwx9sXE5zBwxlTGBbvR
|
||||
4v7HjaqxxaTqC7V6qTcjG2FjpkxMbZj7lVXyQik07UEnVV0zqAlnie2843d62xSv
|
||||
2zQmyEwtnwvkrKnNKZIt+nELI3DmvHKW9hbB1lNz5zwfX+bwCudoKeXOpsAOY5Vj
|
||||
oYNEDp6+oqPF9/+tqsXjFamC0boe898v6beT8PYNX+yAVc5cOfcgBkR4dupyXyZe
|
||||
SyrGw29wmccyPqfADrr53PTn84kgvGRi0DGAH7VLd8eHbQ6kRuJtvspPXMBL6co9
|
||||
qX3spVJWF00qt6IHrF0oYioCuibxlG/0Hnp0zvO4U9I0DosoVkAOlKjTXppjNDDZ
|
||||
sHdHGkyX+OP868ht0JyTFarSQs6WVWvL6Gs6VCjuiFNwETxq9tYLmKN1IfcZf6Be
|
||||
sVpKD2xISRiMtKsfwmE+1CfUACWqlvsB13vFjw8ZB4eOOUnuG/svvx17TY8J3SAW
|
||||
iAzWnMECFGdJfcqepEln71J9gqO7HuuTiwofV967ruqCtxX7sOWG29xz3tB+JVW4
|
||||
78e0RjOC9sIXF3840WVG8GDbvmFjs0O/ZnYBfNYXh+kNkgIriJa1jnpZ16yVARAs
|
||||
D4RrQ1hg+aKcxe0nzxodnjJKECD7MRfxQPEHs/CAC50IhLj/Ez797SH6NSkvAGNz
|
||||
fmtgYC61zUuKAttJhkzD7lEE5PlSXlif67J8dCbb/ie8qNQTJ4i9ijMoZD6hhieR
|
||||
0NyRiMCGbyaQso7gRwbGxbIa4hp21Vi9XJj6q0U/90S2vBMdokZl+qmKktspxlCH
|
||||
/O7YL3alEmEZxOVz78VpAu/0fHyFc1hCr6FVOmfrsCc2RIbdMGxbLZwAA9tP8R+u
|
||||
CI/aVjxLNQTw6uSjeTekoNeWcXenNYM/REr96HEgvVcwytGX02wbHciulFi/NSyW
|
||||
d5nCst0GhXWA8iQX/WKX1uQUPLoimJGLxUjAT8yVHXsE+otnoCumCrXsrQpMhvga
|
||||
yWg2TLVSh7QvBnrs9JJNp6Z8vVGZuw/VcWxckFu2m7/eNLJc5+f/NXl6wVq0O1OG
|
||||
NIVoqatD/yBl0NgBwQXqSR/PJ30C/bQTuYwTaTiWNGD7gLcGTW61S8EWqGCYdZLu
|
||||
UkYDeafp1LzUyw1wOpxvnKVnMux+3lLceQubWSC4F6XqMCn/nYIMGnQ1Hs/zF/1G
|
||||
7MKi96ZMLsrXAgMBAAGjYzBhMB0GA1UdDgQWBBSgDfvqI+DQCUiCtDfzU0jWjEDS
|
||||
NTAfBgNVHSMEGDAWgBSgDfvqI+DQCUiCtDfzU0jWjEDSNTAPBgNVHRMBAf8EBTAD
|
||||
AQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQ0FAAOCBAEAcrmgBpzu4MQg
|
||||
GLVLNghy+r/01V4fWGx7uyTkWrx0xtEyPUA0Sl1Pky3BNeA9ySfxVYzFPOOOKLLb
|
||||
lsK22LF1bHx7yU8oTuJpgDluE5xK0bKfWqcnDQEwlKfkhJTUu1zO+e8c05oi68fS
|
||||
EcMo/jLGWNuLMUhMQ/OGyaTUeZCXLulUfgWF/NyUDJPfZhPP+U68nXs0fdX7LMq8
|
||||
uIOQlQEA/7Xo5Xz73AA0YimA8XxqhCZIoAhcLOE620sHzpiHlWJ/S1OnFzrUMSeG
|
||||
xnOuXiOqsBklsW5b819UXLhOqKk5PnAoB+ZhoVG1HxoGTG9wQdq1/wpxNyWhYpDH
|
||||
Tj0eLNs7Q7EwZaB6gtAvXDX6yC0/HQ3z6UnMzLViifaON9zC+ljBb63u7ZZ1qBXb
|
||||
qF9Ub3/mgdHIhiy9iBY/JTMQxEZnLqPDwVgSnuwuoF0LYAzX3Tdba2K4wXIZHOtg
|
||||
KVswHtsthGs25CUMfxUw1C0BgjQc8PX3+fWwBQG58ziww+rEwSl/8jxCriyA7mTc
|
||||
nigyfQhMti00lHo+Se0KG9mbkFsgKQfHJ7uCXYVsRf0FM4tn08kRX22ubXD1UE+g
|
||||
EZSWNmrNb+ZnVUQhAqylP5RFGaULPRstW1gKzF0gn5HKt6muz3fWIkKoY57xLphe
|
||||
2XwJppNc02+l7RVb+oMIcRPBmKc7JB7i7dU5ctlae6iLeQnYIa1RZ9DCQhsUqvlk
|
||||
7SHotC3PuXLT6haeF8MUBkt9Og3l+KcsgHhZJqOqeTO4x1wfnqeMvUHG6rsn/DEA
|
||||
O+qu4CVVq+C73Xrl76kZpZkAk40Cw1DeRRObRXCnGuD+/eOGuoTHUXToiOQBnXx7
|
||||
IfDPj+8G4ss3Wb4syH8hhKNn4TEHzHn3NCjKD9NWH0qWIqEnlrxYTkWpRckGMgN6
|
||||
8lCKoH6JnIuLOELsXLey5qwEh8DrEG9+/6TZo1bxziE3+G1FmM/UuiZ4/sp/1rKS
|
||||
nU6k3D3x5yjZbE1Eogq5JI47i/2J75x1uWUgIppYsaI1UvCX7Uux9r1PCMI7ixPz
|
||||
GhS2wKt3jCGU6ulX5vnihDglQXAEP5V+JRcI0xsdEkdB/3lU963EwvFjldQHuJP3
|
||||
I8emKNFl4lnDqloNo1xBqePoD9K0XJF8HHosvLxjUVhc98kmK8rlnGvjyL897KbG
|
||||
chHUpmcOvehDStG9BecQJB7O6F3utebzetuAjBzdzfRVjLMJ9fP5z/py1RgTNk1Y
|
||||
YH6NHOwUEDN1ojFI04z6gnHP8qHhDdCi4Dk9IRJ5zoTtHOpxfYF0EeoqJLOkBpxP
|
||||
n7MKBI2FTJH22/b+YA12FYi9flBI85yHAJwtMvvh2kZssOAMKV0ccNG1EOD6v6dS
|
||||
Pzrn2j0Zdg==
|
||||
-----END CERTIFICATE-----
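Review bot: The data key is written as `bhasherCA.pem : |`, with a space before the colon. It parses, but `bhasherCA.pem: |` matches the other manifests in this commit and passes yamllint's `colons` rule. The ConfigMap holds only the public root certificate, so keeping it in Git unencrypted is fine.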
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: wikijs
|
||||
namespace: wiki
|
||||
data:
|
||||
DB_TYPE: postgres
|
||||
DB_HOST: postgres.storage.svc.cluster.local
|
||||
DB_PORT: "5432"
|
||||
DB_USER: wikijs
|
||||
DB_NAME: wikijs
|
||||
HA_ACTIVE: "true"
|
||||
NODE_EXTRA_CA_CERTS: "/certs/bhasherCA.pem"
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: wikijs
|
||||
namespace: wiki
|
||||
spec:
|
||||
encryptedData:
|
||||
DB_PASS: 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
|
||||
template:
|
||||
data: null
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: wikijs
|
||||
namespace: wiki
|
||||
|
|
@ -0,0 +1,121 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: wireguard
|
||||
|
||||
---
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: wireguard
|
||||
namespace: wireguard
|
||||
labels:
|
||||
app: wireguard
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: wireguard
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
rollingUpdate:
|
||||
maxUnavailable: 1
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: wireguard
|
||||
spec:
|
||||
topologySpreadConstraints:
|
||||
- maxSkew: 1
|
||||
topologyKey: kubernetes.io/hostname
|
||||
whenUnsatisfiable: DoNotSchedule
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
app: wireguard
|
||||
restartPolicy: Always
|
||||
initContainers:
|
||||
- name: init
|
||||
image: busybox:1.32.0
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1
|
||||
securityContext:
|
||||
privileged: true
|
||||
capabilities:
|
||||
add:
|
||||
- NET_ADMIN
|
||||
containers:
|
||||
- name: wireguard
|
||||
image: masipcat/wireguard-go:latest
|
||||
securityContext:
|
||||
privileged: true
|
||||
capabilities:
|
||||
add:
|
||||
- NET_ADMIN
|
||||
ports:
|
||||
- containerPort: 51820
|
||||
protocol: UDP
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- /entrypoint.sh
|
||||
env:
|
||||
- name: LOG_LEVEL
|
||||
value: info
|
||||
resources:
|
||||
requests:
|
||||
memory: "64Mi"
|
||||
cpu: "150m"
|
||||
limits:
|
||||
memory: "128Mi"
|
||||
volumeMounts:
|
||||
- name: wireguard-config
|
||||
mountPath: /etc/wireguard/wg0.key
|
||||
subPath: wg0.key
|
||||
readOnly: true
|
||||
- name: wireguard-config
|
||||
mountPath: /etc/wireguard/wg0.conf
|
||||
subPath: wg0.conf
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: wireguard-config
|
||||
secret:
|
||||
secretName: wireguard
|
||||
|
||||
---
|
||||
|
||||
apiVersion: policy/v1
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: wg-pdb
|
||||
namespace: wireguard
|
||||
spec:
|
||||
minAvailable: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: wireguard
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: wireguard
|
||||
namespace: wireguard
|
||||
labels:
|
||||
app: wireguard
|
||||
annotations:
|
||||
metallb.universe.tf/loadBalancerIPs: 192.168.1.210
|
||||
metallb.universe.tf/allow-shared-ip: "management-192.168.1.210"
|
||||
spec:
|
||||
type: LoadBalancer
|
||||
externalTrafficPolicy: Cluster
|
||||
selector:
|
||||
app: wireguard
|
||||
ports:
|
||||
- name: vpn
|
||||
port: 51820
|
||||
protocol: UDP
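Review bot: Both the `init` and the `wireguard` containers set `privileged: true`, which already grants every capability and access to host devices. The `capabilities.add: NET_ADMIN` entries are therefore redundant, and the pods run with far more than a VPN endpoint needs. For the init step, the two forwarding sysctls could be declared in the pod-level `securityContext.sysctls` instead of running a privileged busybox container; they are not in the safe set, so the kubelet would need them listed in `--allowed-unsafe-sysctls`. For the main container, check whether `NET_ADMIN` plus access to the TUN device is enough for wireguard-go, and drop `privileged: true` if it is.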
|
File diff suppressed because one or more lines are too long
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: cron
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/apps/cron/
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: cron
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
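Review bot: `syncPolicy.automated` sets `prune: true` but not `selfHeal`, so changes made directly in the cluster stay in place until the next commit triggers a sync. If Git is meant to be the single source of truth, add `selfHeal: true` under `automated`. The same applies to the other Application manifests in this commit (media-server, timesheet, argo, cert-manager, cloud and the rest).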
|
|
@ -0,0 +1,29 @@
|
|||
# apiVersion: argoproj.io/v1alpha1
|
||||
# kind: Application
|
||||
# metadata:
|
||||
# namespace: devops
|
||||
# name: jupyterhub
|
||||
# spec:
|
||||
# project: k3pi
|
||||
|
||||
# source:
|
||||
# #chart: jupyterhub
|
||||
# repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
# path: services/apps/jupyterhub
|
||||
# # repoURL: https://jupyterhub.github.io/helm-chart # /index.yaml
|
||||
# targetRevision: 1.2.0
|
||||
# helm:
|
||||
# valueFiles:
|
||||
# - values.yaml
|
||||
# # releaseName: jupyterhub
|
||||
# # repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
# #targetRevision: HEAD
|
||||
# # path: services/apps/jupyterhub/
|
||||
|
||||
# destination:
|
||||
# server: https://kubernetes.default.svc
|
||||
# namespace: jupyterhub
|
||||
|
||||
# syncPolicy:
|
||||
# automated:
|
||||
# prune: true
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: media-server
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/apps/media-server/
|
||||
directory:
|
||||
recurse: true
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: media-server
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: timesheet
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/apps/timesheet/
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: timesheet
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: argo
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/argo/
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: devops
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: cert-manager
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/utils/cert-manager
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: cert-manager
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: cloud
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/apps/cloud/
|
||||
directory:
|
||||
recurse: true
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: cloud
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: devops
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/utils/devops
|
||||
directory:
|
||||
recurse: true
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: devops
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: external-endpoints
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/apps/external-endpoints/
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: external-endpoints
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,19 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: git
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/apps/git/
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: git
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: hass
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/apps/hass/
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: hass
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: idp
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/utils/idp/
|
||||
directory:
|
||||
recurse: true
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: idp
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: ingress-nginx
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/utils/ingress-nginx/
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: ingress-nginx
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: longhorn
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/utils/longhorn
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: longhorn-system
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: metallb
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/utils/metallb/
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: metallb-system
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,23 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: monitoring
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/utils/monitoring/
|
||||
directory:
|
||||
recurse: true
|
||||
exclude: "custom-ressources/*"
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: monitoring
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: pihole
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/apps/pihole/
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: dns
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,19 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: portal
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/apps/portal/
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: portal
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,15 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: AppProject
|
||||
metadata:
|
||||
name: k3pi
|
||||
namespace: devops
|
||||
spec:
|
||||
clusterResourceWhitelist:
|
||||
- group: '*'
|
||||
kind: '*'
|
||||
destinations:
|
||||
- name: '*'
|
||||
namespace: '*'
|
||||
server: 'https://kubernetes.default.svc'
|
||||
sourceRepos:
|
||||
- https://git.bhasher.com/Bhasher/K3Pi
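Review bot: The `k3pi` project places no restriction on what its Applications may deploy: `clusterResourceWhitelist` allows `group: '*'` / `kind: '*'`, and `destinations` allows `namespace: '*'`. Any manifest that lands in the source repository can therefore create cluster-scoped objects such as ClusterRoleBindings or webhook configurations, and can target any namespace, `kube-system` included. Since every Application in this commit tracks `HEAD` with automated sync, write access to the repository is effectively cluster-admin. I would list the namespaces the Applications really use as separate `destinations` entries (for example `- namespace: 'wiki'` with the same `server`) and narrow `clusterResourceWhitelist` to the kinds the utility apps need, such as `Namespace`, `CustomResourceDefinition`, `ClusterRole` and `ClusterRoleBinding`. The full set of Applications is not visible in this part of the page, so the exact list needs checking against the repository.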
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: sealed-secret
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/utils/sealed-secrets
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: kube-system
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: storage
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/utils/storage/
|
||||
directory:
|
||||
recurse: true
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: storage
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: wiki
|
||||
namespace: devops
|
||||
spec:
|
||||
project: k3pi
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/apps/wiki/
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: wiki
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
namespace: devops
|
||||
name: wireguard
|
||||
spec:
|
||||
project: k3pi
|
||||
|
||||
source:
|
||||
repoURL: https://git.bhasher.com/Bhasher/K3Pi.git
|
||||
targetRevision: HEAD
|
||||
path: services/apps/wireguard/
|
||||
|
||||
destination:
|
||||
server: https://kubernetes.default.svc
|
||||
namespace: wireguard
|
||||
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
|
@ -0,0 +1,349 @@
|
|||
# Copyright 2021 The cert-manager Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cert-manager
|
||||
|
||||
---
|
||||
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: bhasherca-k3s-issuer
|
||||
spec:
|
||||
ca:
|
||||
secretName: bhasherca-k3s-key-pair
|
||||
|
||||
---
|
||||
|
||||
# Source: cert-manager/templates/service.yaml
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: cert-manager
|
||||
namespace: "cert-manager"
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 9402
|
||||
name: tcp-prometheus-servicemonitor
|
||||
targetPort: 9402
|
||||
selector:
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
---
|
||||
# Source: cert-manager/templates/webhook-service.yaml
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: cert-manager-webhook
|
||||
namespace: "cert-manager"
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "webhook"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: https
|
||||
port: 443
|
||||
protocol: TCP
|
||||
targetPort: "https"
|
||||
selector:
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "webhook"
|
||||
---
|
||||
# Source: cert-manager/templates/cainjector-deployment.yaml
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: cert-manager-cainjector
|
||||
namespace: "cert-manager"
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/name: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/name: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
spec:
|
||||
serviceAccountName: cert-manager-cainjector
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
containers:
|
||||
- name: cert-manager
|
||||
image: "quay.io/jetstack/cert-manager-cainjector:v1.8.2"
|
||||
imagePullPolicy: IfNotPresent
|
||||
args:
|
||||
- --v=2
|
||||
- --leader-election-namespace=kube-system
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
---
|
||||
# Source: cert-manager/templates/deployment.yaml
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: cert-manager
|
||||
namespace: "cert-manager"
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
annotations:
|
||||
prometheus.io/path: "/metrics"
|
||||
prometheus.io/scrape: 'true'
|
||||
prometheus.io/port: '9402'
|
||||
spec:
|
||||
serviceAccountName: cert-manager
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
containers:
|
||||
- name: cert-manager
|
||||
image: "quay.io/jetstack/cert-manager-controller:v1.8.2"
|
||||
imagePullPolicy: IfNotPresent
|
||||
args:
|
||||
- --v=2
|
||||
- --cluster-resource-namespace=$(POD_NAMESPACE)
|
||||
- --leader-election-namespace=kube-system
|
||||
ports:
|
||||
- containerPort: 9402
|
||||
name: http-metrics
|
||||
protocol: TCP
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
---
|
||||
# Source: cert-manager/templates/webhook-deployment.yaml
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: cert-manager-webhook
|
||||
namespace: "cert-manager"
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "webhook"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "webhook"
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "webhook"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
spec:
|
||||
serviceAccountName: cert-manager-webhook
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
containers:
|
||||
- name: cert-manager
|
||||
image: "quay.io/jetstack/cert-manager-webhook:v1.8.2"
|
||||
imagePullPolicy: IfNotPresent
|
||||
args:
|
||||
- --v=2
|
||||
- --secure-port=10250
|
||||
- --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
|
||||
- --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
|
||||
- --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
|
||||
ports:
|
||||
- name: https
|
||||
protocol: TCP
|
||||
containerPort: 10250
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /livez
|
||||
port: 6080
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 1
|
||||
successThreshold: 1
|
||||
failureThreshold: 3
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: 6080
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 5
|
||||
timeoutSeconds: 1
|
||||
successThreshold: 1
|
||||
failureThreshold: 3
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
env:
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
---
|
||||
# Source: cert-manager/templates/webhook-mutating-webhook.yaml
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: MutatingWebhookConfiguration
|
||||
metadata:
|
||||
name: cert-manager-webhook
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "webhook"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
|
||||
webhooks:
|
||||
- name: webhook.cert-manager.io
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "cert-manager.io"
|
||||
- "acme.cert-manager.io"
|
||||
apiVersions:
|
||||
- "v1"
|
||||
operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
resources:
|
||||
- "*/*"
|
||||
admissionReviewVersions: ["v1"]
|
||||
# This webhook only accepts v1 cert-manager resources.
|
||||
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
||||
# this webhook (after the resources have been converted to v1).
|
||||
matchPolicy: Equivalent
|
||||
timeoutSeconds: 10
|
||||
failurePolicy: Fail
|
||||
# Only include 'sideEffects' field in Kubernetes 1.12+
|
||||
sideEffects: None
|
||||
clientConfig:
|
||||
service:
|
||||
name: cert-manager-webhook
|
||||
namespace: "cert-manager"
|
||||
path: /mutate
|
||||
---
|
||||
# Source: cert-manager/templates/webhook-validating-webhook.yaml
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
name: cert-manager-webhook
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "webhook"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-ca"
|
||||
webhooks:
|
||||
- name: webhook.cert-manager.io
|
||||
namespaceSelector:
|
||||
matchExpressions:
|
||||
- key: "cert-manager.io/disable-validation"
|
||||
operator: "NotIn"
|
||||
values:
|
||||
- "true"
|
||||
- key: "name"
|
||||
operator: "NotIn"
|
||||
values:
|
||||
- cert-manager
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "cert-manager.io"
|
||||
- "acme.cert-manager.io"
|
||||
apiVersions:
|
||||
- "v1"
|
||||
operations:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
resources:
|
||||
- "*/*"
|
||||
admissionReviewVersions: ["v1"]
|
||||
# This webhook only accepts v1 cert-manager resources.
|
||||
# Equivalent matchPolicy ensures that non-v1 resource requests are sent to
|
||||
# this webhook (after the resources have been converted to v1).
|
||||
matchPolicy: Equivalent
|
||||
timeoutSeconds: 10
|
||||
failurePolicy: Fail
|
||||
sideEffects: None
|
||||
clientConfig:
|
||||
service:
|
||||
name: cert-manager-webhook
|
||||
namespace: "cert-manager"
|
||||
path: /validate
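Review bot: The `ClusterIssuer` `bhasherca-k3s-issuer` near the top of this file is a cluster-scoped CA issuer, so any namespace that can create a `Certificate`, or an Ingress carrying the `cert-manager.io/cluster-issuer` annotation, can obtain a certificate signed by this CA for any name it chooses. Nothing in this file limits which namespaces or DNS names may be requested. If only a few namespaces need certificates, namespaced `Issuer` objects or an approval policy for CertificateRequests would narrow that. The file also does not say where `bhasherca-k3s-key-pair` comes from. Because the controller runs with `--cluster-resource-namespace=$(POD_NAMESPACE)`, a comment above `secretName` would help, e.g. `# CA key pair is read from the cert-manager namespace; create it there and never commit it in plaintext`.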
|
|
@ -0,0 +1,26 @@
|
|||
# Copyright 2021 The cert-manager Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# Source: cert-manager/templates/webhook-config.yaml
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: cert-manager-webhook
|
||||
namespace: "cert-manager"
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "webhook"
|
||||
data:
|
|
@ -0,0 +1,759 @@
|
|||
# Copyright 2021 The cert-manager Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# Source: cert-manager/templates/cainjector-serviceaccount.yaml
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: true
|
||||
metadata:
|
||||
name: cert-manager-cainjector
|
||||
namespace: "cert-manager"
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/name: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
---
|
||||
# Source: cert-manager/templates/serviceaccount.yaml
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: true
|
||||
metadata:
|
||||
name: cert-manager
|
||||
namespace: "cert-manager"
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
---
|
||||
# Source: cert-manager/templates/webhook-serviceaccount.yaml
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
automountServiceAccountToken: true
|
||||
metadata:
|
||||
name: cert-manager-webhook
|
||||
namespace: "cert-manager"
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "webhook"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
---
|
||||
# Source: cert-manager/templates/cainjector-rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-cainjector
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/name: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["get", "create", "update", "patch"]
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["apiregistration.k8s.io"]
|
||||
resources: ["apiservices"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
# Issuer controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-controller-issuers
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers", "issuers/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
# ClusterIssuer controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-controller-clusterissuers
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers", "clusterissuers/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
# Certificates controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-controller-certificates
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates/finalizers", "certificaterequests/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders"]
|
||||
verbs: ["create", "delete", "get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
# Orders controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-controller-orders
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
rules:
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders", "orders/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders", "challenges"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["clusterissuers", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges"]
|
||||
verbs: ["create", "delete"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["orders/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
# Challenges controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-controller-challenges
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
rules:
|
||||
# Use to update challenge resource status
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "challenges/status"]
|
||||
verbs: ["update", "patch"]
|
||||
# Used to watch challenge resources
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Used to watch challenges, issuer and clusterissuer resources
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["issuers", "clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Need to be able to retrieve ACME account private key to complete challenges
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# Used to create events
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
# HTTP01 rules
|
||||
- apiGroups: [""]
|
||||
resources: ["pods", "services"]
|
||||
verbs: ["get", "list", "watch", "create", "delete"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||
- apiGroups: [ "gateway.networking.k8s.io" ]
|
||||
resources: [ "httproutes" ]
|
||||
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||||
# We require the ability to specify a custom hostname when we are creating
|
||||
# new ingress resources.
|
||||
# See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
|
||||
- apiGroups: ["route.openshift.io"]
|
||||
resources: ["routes/custom-host"]
|
||||
verbs: ["create"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges/finalizers"]
|
||||
verbs: ["update"]
|
||||
# DNS01 rules (duplicated above)
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
# ingress-shim controller role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-controller-ingress-shim
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests"]
|
||||
verbs: ["create", "update", "delete"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||||
# admission controller enabled:
|
||||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingresses/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["gateway.networking.k8s.io"]
|
||||
resources: ["gateways", "httproutes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["gateway.networking.k8s.io"]
|
||||
resources: ["gateways/finalizers", "httproutes/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-view
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "orders"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-edit
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates", "certificaterequests", "issuers"]
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["certificates/status"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["acme.cert-manager.io"]
|
||||
resources: ["challenges", "orders"]
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-controller-approve:cert-manager-io
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
rules:
|
||||
- apiGroups: ["cert-manager.io"]
|
||||
resources: ["signers"]
|
||||
verbs: ["approve"]
|
||||
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
# Permission to:
|
||||
# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers
|
||||
# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-controller-certificatesigningrequests
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
rules:
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources: ["certificatesigningrequests"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources: ["certificatesigningrequests/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: ["certificates.k8s.io"]
|
||||
resources: ["signers"]
|
||||
resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
|
||||
verbs: ["sign"]
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
# Source: cert-manager/templates/webhook-rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager-webhook:subjectaccessreviews
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "webhook"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
rules:
|
||||
- apiGroups: ["authorization.k8s.io"]
|
||||
resources: ["subjectaccessreviews"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
# Source: cert-manager/templates/cainjector-rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager-cainjector
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/name: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-cainjector
|
||||
subjects:
|
||||
- name: cert-manager-cainjector
|
||||
namespace: "cert-manager"
|
||||
kind: ServiceAccount
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager-controller-issuers
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-issuers
|
||||
subjects:
|
||||
- name: cert-manager
|
||||
namespace: "cert-manager"
|
||||
kind: ServiceAccount
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager-controller-clusterissuers
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-clusterissuers
|
||||
subjects:
|
||||
- name: cert-manager
|
||||
namespace: "cert-manager"
|
||||
kind: ServiceAccount
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager-controller-certificates
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-certificates
|
||||
subjects:
|
||||
- name: cert-manager
|
||||
namespace: "cert-manager"
|
||||
kind: ServiceAccount
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager-controller-orders
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-orders
|
||||
subjects:
|
||||
- name: cert-manager
|
||||
namespace: "cert-manager"
|
||||
kind: ServiceAccount
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager-controller-challenges
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-challenges
|
||||
subjects:
|
||||
- name: cert-manager
|
||||
namespace: "cert-manager"
|
||||
kind: ServiceAccount
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager-controller-ingress-shim
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-ingress-shim
|
||||
subjects:
|
||||
- name: cert-manager
|
||||
namespace: "cert-manager"
|
||||
kind: ServiceAccount
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager-controller-approve:cert-manager-io
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-approve:cert-manager-io
|
||||
subjects:
|
||||
- name: cert-manager
|
||||
namespace: "cert-manager"
|
||||
kind: ServiceAccount
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager-controller-certificatesigningrequests
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "cert-manager"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-controller-certificatesigningrequests
|
||||
subjects:
|
||||
- name: cert-manager
|
||||
namespace: "cert-manager"
|
||||
kind: ServiceAccount
|
||||
---
|
||||
# Source: cert-manager/templates/webhook-rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager-webhook:subjectaccessreviews
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "webhook"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager-webhook:subjectaccessreviews
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: cert-manager-webhook
|
||||
namespace: cert-manager
|
||||
---
|
||||
# Source: cert-manager/templates/cainjector-rbac.yaml
|
||||
# leader election rules
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: cert-manager-cainjector:leaderelection
|
||||
namespace: kube-system
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/name: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
rules:
|
||||
# Used for leader election by the controller
|
||||
# cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
|
||||
# see cmd/cainjector/start.go#L113
|
||||
# cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
|
||||
# see cmd/cainjector/start.go#L137
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
|
||||
verbs: ["get", "update", "patch"]
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: cert-manager:leaderelection
|
||||
namespace: kube-system
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
rules:
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
resourceNames: ["cert-manager-controller"]
|
||||
verbs: ["get", "update", "patch"]
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
# Source: cert-manager/templates/webhook-rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: cert-manager-webhook:dynamic-serving
|
||||
namespace: "cert-manager"
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "webhook"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
resourceNames:
|
||||
- 'cert-manager-webhook-ca'
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
# It's not possible to grant CREATE permission on a single resourceName.
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["create"]
|
||||
---
|
||||
# Source: cert-manager/templates/cainjector-rbac.yaml
|
||||
# grant cert-manager permission to manage the leaderelection configmap in the
|
||||
# leader election namespace
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: cert-manager-cainjector:leaderelection
|
||||
namespace: kube-system
|
||||
labels:
|
||||
app: cainjector
|
||||
app.kubernetes.io/name: cainjector
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "cainjector"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: cert-manager-cainjector:leaderelection
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: cert-manager-cainjector
|
||||
namespace: cert-manager
|
||||
---
|
||||
# Source: cert-manager/templates/rbac.yaml
|
||||
# grant cert-manager permission to manage the leaderelection configmap in the
|
||||
# leader election namespace
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: cert-manager:leaderelection
|
||||
namespace: kube-system
|
||||
labels:
|
||||
app: cert-manager
|
||||
app.kubernetes.io/name: cert-manager
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "controller"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: cert-manager:leaderelection
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: cert-manager
|
||||
namespace: cert-manager
|
||||
---
|
||||
# Source: cert-manager/templates/webhook-rbac.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: cert-manager-webhook:dynamic-serving
|
||||
namespace: "cert-manager"
|
||||
labels:
|
||||
app: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/instance: cert-manager
|
||||
app.kubernetes.io/component: "webhook"
|
||||
app.kubernetes.io/version: "v1.8.2"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: cert-manager-webhook:dynamic-serving
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: cert-manager-webhook
|
||||
namespace: cert-manager
|
|
@ -0,0 +1,986 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/name: argocd-applicationset-controller
|
||||
app.kubernetes.io/part-of: argocd-applicationset
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
name: argocd-applicationset-controller
|
||||
namespace: devops
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-applicationset-controller
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: argocd-applicationset-controller
|
||||
spec:
|
||||
containers:
|
||||
- command:
|
||||
- entrypoint.sh
|
||||
- applicationset-controller
|
||||
env:
|
||||
- name: NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
image: ghcr.io/jr64/argocd-applicationset:v0.4.0 # quay.io/argoproj/argocd-applicationset:v0.4.1
|
||||
imagePullPolicy: Always
|
||||
name: argocd-applicationset-controller
|
||||
ports:
|
||||
- containerPort: 7000
|
||||
name: webhook
|
||||
volumeMounts:
|
||||
- mountPath: /app/config/ssh
|
||||
name: ssh-known-hosts
|
||||
- mountPath: /app/config/tls
|
||||
name: tls-certs
|
||||
- mountPath: /app/config/gpg/source
|
||||
name: gpg-keys
|
||||
- mountPath: /app/config/gpg/keys
|
||||
name: gpg-keyring
|
||||
serviceAccountName: argocd-applicationset-controller
|
||||
volumes:
|
||||
- configMap:
|
||||
name: argocd-ssh-known-hosts-cm
|
||||
name: ssh-known-hosts
|
||||
- configMap:
|
||||
name: argocd-tls-certs-cm
|
||||
name: tls-certs
|
||||
- configMap:
|
||||
name: argocd-gpg-keys-cm
|
||||
name: gpg-keys
|
||||
- emptyDir: {}
|
||||
name: gpg-keyring
|
||||
---
|
||||
# apiVersion: apps/v1
|
||||
# kind: Deployment
|
||||
# metadata:
|
||||
# labels:
|
||||
# app.kubernetes.io/component: dex-server
|
||||
# app.kubernetes.io/name: argocd-dex-server
|
||||
# app.kubernetes.io/part-of: argocd
|
||||
# name: argocd-dex-server
|
||||
# namespace: devops
|
||||
# spec:
|
||||
# selector:
|
||||
# matchLabels:
|
||||
# app.kubernetes.io/name: argocd-dex-server
|
||||
# template:
|
||||
# metadata:
|
||||
# labels:
|
||||
# app.kubernetes.io/name: argocd-dex-server
|
||||
# spec:
|
||||
# affinity:
|
||||
# podAntiAffinity:
|
||||
# preferredDuringSchedulingIgnoredDuringExecution:
|
||||
# - podAffinityTerm:
|
||||
# labelSelector:
|
||||
# matchLabels:
|
||||
# app.kubernetes.io/part-of: argocd
|
||||
# topologyKey: kubernetes.io/hostname
|
||||
# weight: 5
|
||||
# containers:
|
||||
# - command:
|
||||
# - /shared/argocd-dex
|
||||
# - rundex
|
||||
# image: ghcr.io/dexidp/dex:v2.30.2
|
||||
# imagePullPolicy: Always
|
||||
# name: dex
|
||||
# ports:
|
||||
# - containerPort: 5556
|
||||
# - containerPort: 5557
|
||||
# - containerPort: 5558
|
||||
# securityContext:
|
||||
# allowPrivilegeEscalation: false
|
||||
# readOnlyRootFilesystem: true
|
||||
# runAsNonRoot: true
|
||||
# volumeMounts:
|
||||
# - mountPath: /shared
|
||||
# name: static-files
|
||||
# - mountPath: /tmp
|
||||
# name: dexconfig
|
||||
# initContainers:
|
||||
# - command:
|
||||
# - cp
|
||||
# - -n
|
||||
# - /usr/local/bin/argocd
|
||||
# - /shared/argocd-dex
|
||||
# image: quay.io/argoproj/argocd:v2.3.4
|
||||
# imagePullPolicy: Always
|
||||
# name: copyutil
|
||||
# volumeMounts:
|
||||
# - mountPath: /shared
|
||||
# name: static-files
|
||||
# - mountPath: /tmp
|
||||
# name: dexconfig
|
||||
# serviceAccountName: argocd-dex-server
|
||||
# volumes:
|
||||
# - emptyDir: {}
|
||||
# name: static-files
|
||||
# - emptyDir: {}
|
||||
# name: dexconfig
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: argocd-notifications-controller
|
||||
namespace: devops
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-notifications-controller
|
||||
strategy:
|
||||
type: Recreate
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: argocd-notifications-controller
|
||||
spec:
|
||||
containers:
|
||||
- command:
|
||||
- argocd-notifications
|
||||
image: quay.io/argoproj/argocd:v2.3.4
|
||||
imagePullPolicy: Always
|
||||
livenessProbe:
|
||||
tcpSocket:
|
||||
port: 9001
|
||||
name: argocd-notifications-controller
|
||||
volumeMounts:
|
||||
- mountPath: /app/config/tls
|
||||
name: tls-certs
|
||||
- mountPath: /app/config/reposerver/tls
|
||||
name: argocd-repo-server-tls
|
||||
workingDir: /app
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
serviceAccountName: argocd-notifications-controller
|
||||
volumes:
|
||||
- configMap:
|
||||
name: argocd-tls-certs-cm
|
||||
name: tls-certs
|
||||
- name: argocd-repo-server-tls
|
||||
secret:
|
||||
items:
|
||||
- key: tls.crt
|
||||
path: tls.crt
|
||||
- key: tls.key
|
||||
path: tls.key
|
||||
- key: ca.crt
|
||||
path: ca.crt
|
||||
optional: true
|
||||
secretName: argocd-repo-server-tls
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: repo-server
|
||||
app.kubernetes.io/name: argocd-repo-server
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-repo-server
|
||||
namespace: devops
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-repo-server
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: argocd-repo-server
|
||||
spec:
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- podAffinityTerm:
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-repo-server
|
||||
topologyKey: kubernetes.io/hostname
|
||||
weight: 100
|
||||
- podAffinityTerm:
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/part-of: argocd
|
||||
topologyKey: kubernetes.io/hostname
|
||||
weight: 5
|
||||
automountServiceAccountToken: false
|
||||
containers:
|
||||
- command:
|
||||
- entrypoint.sh
|
||||
- argocd-repo-server
|
||||
- --redis
|
||||
- redis.storage:6379
|
||||
env:
|
||||
- name: ARGOCD_RECONCILIATION_TIMEOUT
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: timeout.reconciliation
|
||||
name: argocd-cm
|
||||
optional: true
|
||||
- name: ARGOCD_REPO_SERVER_LOGFORMAT
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: reposerver.log.format
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_REPO_SERVER_LOGLEVEL
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: reposerver.log.level
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: reposerver.parallelism.limit
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_REPO_SERVER_DISABLE_TLS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: reposerver.disable.tls
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_TLS_MIN_VERSION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: reposerver.tls.minversion
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_TLS_MAX_VERSION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: reposerver.tls.maxversion
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_TLS_CIPHERS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: reposerver.tls.ciphers
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_REPO_CACHE_EXPIRATION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: reposerver.repo.cache.expiration
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: REDIS_SERVER
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: redis.server
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: REDISDB
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: redis.db
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: reposerver.default.cache.expiration
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: HELM_CACHE_HOME
|
||||
value: /helm-working-dir
|
||||
- name: HELM_CONFIG_HOME
|
||||
value: /helm-working-dir
|
||||
- name: HELM_DATA_HOME
|
||||
value: /helm-working-dir
|
||||
image: quay.io/argoproj/argocd:v2.3.4
|
||||
imagePullPolicy: Always
|
||||
livenessProbe:
|
||||
failureThreshold: 3
|
||||
httpGet:
|
||||
path: /healthz?full=true
|
||||
port: 8084
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 5
|
||||
name: argocd-repo-server
|
||||
ports:
|
||||
- containerPort: 8081
|
||||
- containerPort: 8084
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: 8084
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- all
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
volumeMounts:
|
||||
- mountPath: /app/config/ssh
|
||||
name: ssh-known-hosts
|
||||
- mountPath: /app/config/tls
|
||||
name: tls-certs
|
||||
- mountPath: /app/config/gpg/source
|
||||
name: gpg-keys
|
||||
- mountPath: /app/config/gpg/keys
|
||||
name: gpg-keyring
|
||||
- mountPath: /app/config/reposerver/tls
|
||||
name: argocd-repo-server-tls
|
||||
- mountPath: /tmp
|
||||
name: tmp
|
||||
- mountPath: /helm-working-dir
|
||||
name: helm-working-dir
|
||||
- mountPath: /home/argocd/cmp-server/plugins
|
||||
name: plugins
|
||||
initContainers:
|
||||
- command:
|
||||
- cp
|
||||
- -n
|
||||
- /usr/local/bin/argocd
|
||||
- /var/run/argocd/argocd-cmp-server
|
||||
image: quay.io/argoproj/argocd:v2.3.4
|
||||
name: copyutil
|
||||
volumeMounts:
|
||||
- mountPath: /var/run/argocd
|
||||
name: var-files
|
||||
volumes:
|
||||
- configMap:
|
||||
name: argocd-ssh-known-hosts-cm
|
||||
name: ssh-known-hosts
|
||||
- configMap:
|
||||
name: argocd-tls-certs-cm
|
||||
name: tls-certs
|
||||
- configMap:
|
||||
name: argocd-gpg-keys-cm
|
||||
name: gpg-keys
|
||||
- emptyDir: {}
|
||||
name: gpg-keyring
|
||||
- emptyDir: {}
|
||||
name: tmp
|
||||
- emptyDir: {}
|
||||
name: helm-working-dir
|
||||
- name: argocd-repo-server-tls
|
||||
secret:
|
||||
items:
|
||||
- key: tls.crt
|
||||
path: tls.crt
|
||||
- key: tls.key
|
||||
path: tls.key
|
||||
- key: ca.crt
|
||||
path: ca.crt
|
||||
optional: true
|
||||
secretName: argocd-repo-server-tls
|
||||
- emptyDir: {}
|
||||
name: var-files
|
||||
- emptyDir: {}
|
||||
name: plugins
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: server
|
||||
app.kubernetes.io/name: argocd-server
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-server
|
||||
namespace: devops
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-server
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: argocd-server
|
||||
spec:
|
||||
containers:
|
||||
- command:
|
||||
- argocd-server
|
||||
- --insecure
|
||||
# - --auth-mode sso
|
||||
env:
|
||||
- name: ARGOCD_SERVER_INSECURE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.insecure
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_SERVER_BASEHREF
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.basehref
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_SERVER_ROOTPATH
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.rootpath
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_SERVER_LOGFORMAT
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.log.format
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_REPO_SERVER_LOGLEVEL
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.log.level
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_SERVER_REPO_SERVER
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: repo.server
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_SERVER_DEX_SERVER
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.dex.server
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_SERVER_DISABLE_AUTH
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.disable.auth
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_SERVER_ENABLE_GZIP
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.enable.gzip
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_SERVER_REPO_SERVER_TIMEOUT_SECONDS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.repo.server.timeout.seconds
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_SERVER_X_FRAME_OPTIONS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.x.frame.options
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_SERVER_REPO_SERVER_PLAINTEXT
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.repo.server.plaintext
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_SERVER_REPO_SERVER_STRICT_TLS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.repo.server.strict.tls
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_TLS_MIN_VERSION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.tls.minversion
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_TLS_MAX_VERSION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.tls.maxversion
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_TLS_CIPHERS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.tls.ciphers
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_SERVER_CONNECTION_STATUS_CACHE_EXPIRATION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.connection.status.cache.expiration
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_SERVER_OIDC_CACHE_EXPIRATION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.oidc.cache.expiration
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_SERVER_LOGIN_ATTEMPTS_EXPIRATION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.login.attempts.expiration
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_SERVER_STATIC_ASSETS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.staticassets
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_APP_STATE_CACHE_EXPIRATION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.app.state.cache.expiration
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: REDIS_SERVER
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: redis.server
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: REDISDB
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: redis.db
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.default.cache.expiration
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_MAX_COOKIE_NUMBER
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: server.http.cookie.maxnumber
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
image: quay.io/argoproj/argocd:v2.3.4
|
||||
imagePullPolicy: Always
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /healthz?full=true
|
||||
port: 8080
|
||||
initialDelaySeconds: 3
|
||||
periodSeconds: 30
|
||||
name: argocd-server
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
- containerPort: 8083
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: 8080
|
||||
initialDelaySeconds: 3
|
||||
periodSeconds: 30
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- all
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
volumeMounts:
|
||||
- mountPath: /app/config/ssh
|
||||
name: ssh-known-hosts
|
||||
- mountPath: /app/config/tls
|
||||
name: tls-certs
|
||||
- mountPath: /app/config/server/tls
|
||||
name: argocd-repo-server-tls
|
||||
- mountPath: /home/argocd
|
||||
name: plugins-home
|
||||
- mountPath: /tmp
|
||||
name: tmp
|
||||
- mountPath: /etc/ssl/certs/git.bhasher.com.pem
|
||||
name: tls-certs
|
||||
subPath: git.bhasher.com
|
||||
serviceAccountName: argocd-server
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: plugins-home
|
||||
- emptyDir: {}
|
||||
name: tmp
|
||||
- emptyDir: {}
|
||||
name: static-files
|
||||
- configMap:
|
||||
name: argocd-ssh-known-hosts-cm
|
||||
name: ssh-known-hosts
|
||||
- configMap:
|
||||
name: argocd-tls-certs-cm
|
||||
name: tls-certs
|
||||
- name: argocd-repo-server-tls
|
||||
secret:
|
||||
items:
|
||||
- key: tls.crt
|
||||
path: tls.crt
|
||||
- key: tls.key
|
||||
path: tls.key
|
||||
- key: ca.crt
|
||||
path: ca.crt
|
||||
optional: true
|
||||
secretName: argocd-repo-server-tls
|
||||
---
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: application-controller
|
||||
app.kubernetes.io/name: argocd-application-controller
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-application-controller
|
||||
namespace: devops
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-application-controller
|
||||
serviceName: argocd-application-controller
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: argocd-application-controller
|
||||
spec:
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- podAffinityTerm:
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-application-controller
|
||||
topologyKey: kubernetes.io/hostname
|
||||
weight: 100
|
||||
- podAffinityTerm:
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/part-of: argocd
|
||||
topologyKey: kubernetes.io/hostname
|
||||
weight: 5
|
||||
containers:
|
||||
- command:
|
||||
- argocd-application-controller
|
||||
env:
|
||||
- name: ARGOCD_RECONCILIATION_TIMEOUT
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: timeout.reconciliation
|
||||
name: argocd-cm
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: repo.server
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: controller.repo.server.timeout.seconds
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: controller.status.processors
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: controller.operation.processors
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: controller.log.format
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: controller.log.level
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: controller.metrics.cache.expiration
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: controller.self.heal.timeout.seconds
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: controller.repo.server.plaintext
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: controller.repo.server.strict.tls
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_APP_STATE_CACHE_EXPIRATION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: controller.app.state.cache.expiration
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: REDIS_SERVER
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: redis.server
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: REDISDB
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: redis.db
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
key: controller.default.cache.expiration
|
||||
name: argocd-cmd-params-cm
|
||||
optional: true
|
||||
image: quay.io/argoproj/argocd:v2.3.4
|
||||
imagePullPolicy: Always
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: 8082
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
name: argocd-application-controller
|
||||
ports:
|
||||
- containerPort: 8082
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: 8082
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- all
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
volumeMounts:
|
||||
- mountPath: /app/config/controller/tls
|
||||
name: argocd-repo-server-tls
|
||||
- mountPath: /home/argocd
|
||||
name: argocd-home
|
||||
workingDir: /home/argocd
|
||||
serviceAccountName: argocd-application-controller
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: argocd-home
|
||||
- name: argocd-repo-server-tls
|
||||
secret:
|
||||
items:
|
||||
- key: tls.crt
|
||||
path: tls.crt
|
||||
- key: tls.key
|
||||
path: tls.key
|
||||
- key: ca.crt
|
||||
path: ca.crt
|
||||
optional: true
|
||||
secretName: argocd-repo-server-tls
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/name: argocd-applicationset-controller
|
||||
app.kubernetes.io/part-of: argocd-applicationset
|
||||
name: argocd-applicationset-controller
|
||||
namespace: devops
|
||||
spec:
|
||||
ports:
|
||||
- name: webhook
|
||||
port: 7000
|
||||
protocol: TCP
|
||||
targetPort: webhook
|
||||
selector:
|
||||
app.kubernetes.io/name: argocd-applicationset-controller
|
||||
---
|
||||
# apiVersion: v1
|
||||
# kind: Service
|
||||
# metadata:
|
||||
# labels:
|
||||
# app.kubernetes.io/component: dex-server
|
||||
# app.kubernetes.io/name: argocd-dex-server
|
||||
# app.kubernetes.io/part-of: argocd
|
||||
# name: argocd-dex-server
|
||||
# namespace: devops
|
||||
# spec:
|
||||
# ports:
|
||||
# - name: http
|
||||
# port: 5556
|
||||
# protocol: TCP
|
||||
# targetPort: 5556
|
||||
# - name: grpc
|
||||
# port: 5557
|
||||
# protocol: TCP
|
||||
# targetPort: 5557
|
||||
# - name: metrics
|
||||
# port: 5558
|
||||
# protocol: TCP
|
||||
# targetPort: 5558
|
||||
# selector:
|
||||
# app.kubernetes.io/name: argocd-dex-server
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: metrics
|
||||
app.kubernetes.io/name: argocd-metrics
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-metrics
|
||||
namespace: devops
|
||||
spec:
|
||||
ports:
|
||||
- name: metrics
|
||||
port: 8082
|
||||
protocol: TCP
|
||||
targetPort: 8082
|
||||
selector:
|
||||
app.kubernetes.io/name: argocd-application-controller
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: argocd-notifications-controller-metrics
|
||||
name: argocd-notifications-controller-metrics
|
||||
namespace: devops
|
||||
spec:
|
||||
ports:
|
||||
- name: metrics
|
||||
port: 9001
|
||||
protocol: TCP
|
||||
targetPort: 9001
|
||||
selector:
|
||||
app.kubernetes.io/name: argocd-notifications-controller
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: redis
|
||||
app.kubernetes.io/name: argocd-redis
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-redis
|
||||
namespace: devops
|
||||
spec:
|
||||
ports:
|
||||
- name: tcp-redis
|
||||
port: 6379
|
||||
targetPort: 6379
|
||||
selector:
|
||||
app.kubernetes.io/name: argocd-redis
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: repo-server
|
||||
app.kubernetes.io/name: argocd-repo-server
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-repo-server
|
||||
namespace: devops
|
||||
spec:
|
||||
ports:
|
||||
- name: server
|
||||
port: 8081
|
||||
protocol: TCP
|
||||
targetPort: 8081
|
||||
- name: metrics
|
||||
port: 8084
|
||||
protocol: TCP
|
||||
targetPort: 8084
|
||||
selector:
|
||||
app.kubernetes.io/name: argocd-repo-server
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: server
|
||||
app.kubernetes.io/name: argocd-server
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-server
|
||||
namespace: devops
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
protocol: TCP
|
||||
targetPort: 8080
|
||||
- name: https
|
||||
port: 443
|
||||
protocol: TCP
|
||||
targetPort: 8080
|
||||
selector:
|
||||
app.kubernetes.io/name: argocd-server
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: server
|
||||
app.kubernetes.io/name: argocd-server-metrics
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-server-metrics
|
||||
namespace: devops
|
||||
spec:
|
||||
ports:
|
||||
- name: metrics
|
||||
port: 8083
|
||||
protocol: TCP
|
||||
targetPort: 8083
|
||||
selector:
|
||||
app.kubernetes.io/name: argocd-server
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: argocd
|
||||
namespace: devops
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "argocd.bhasher.com"
|
||||
spec:
|
||||
ingressClassName: nginx
|
||||
tls:
|
||||
- hosts:
|
||||
- argocd.bhasher.com
|
||||
secretName: argocd-tls
|
||||
rules:
|
||||
- host: argocd.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: argocd-server
|
||||
port:
|
||||
number: 80
|
|
@ -0,0 +1,146 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: argocd-cm
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-cm
|
||||
namespace: devops
|
||||
data:
|
||||
url: https://argocd.bhasher.com
|
||||
oidc.config: |
|
||||
name: Authelia
|
||||
issuer: https://idp.bhasher.com
|
||||
sessionExpiry: 24h
|
||||
clientId: argocd
|
||||
clientSecret: $oidc.authelia.clientSecret
|
||||
redirectUrl: https://argo-server/auth/callback
|
||||
requestedScopes:
|
||||
- openid
|
||||
- groups
|
||||
- email
|
||||
- profile
|
||||
insecureSkipVerify: true
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: argocd-cmd-params-cm
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-cmd-params-cm
|
||||
namespace: devops
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: argocd-gpg-keys-cm
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-gpg-keys-cm
|
||||
namespace: devops
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: argocd-notifications-cm
|
||||
namespace: devops
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: argocd-rbac-cm
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-rbac-cm
|
||||
namespace: devops
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: argocd-ssh-known-hosts-cm
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-ssh-known-hosts-cm
|
||||
namespace: devops
|
||||
data:
|
||||
ssh_known_hosts: |-
|
||||
bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
|
||||
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
|
||||
gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
|
||||
gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
|
||||
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
|
||||
ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
|
||||
vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
|
||||
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
|
||||
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: argocd-tls-certs-cm
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-tls-certs-cm
|
||||
namespace: devops
|
||||
data:
|
||||
git.bhasher.com: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIKIzCCBgugAwIBAgIUSathEP5DGHryMtf1O98KMTUgZyIwDQYJKoZIhvcNAQEN
|
||||
BQAwgZgxCzAJBgNVBAYTAkJFMRAwDgYDVQQIDAdCZWxnaXVtMQowCAYDVQQHDAEu
|
||||
MRIwEAYDVQQKDAlCaGFzaGVyQ0ExEzARBgNVBAsMCkJoYXNoZXIgSVQxIzAhBgNV
|
||||
BAMMGkJoYXNoZXJDQSBSb290IENlcnRpZmljYXRlMR0wGwYJKoZIhvcNAQkBFg5j
|
||||
YUBiaGFzaGVyLmNvbTAeFw0yMjA0MjkyMzI2MzJaFw0zMjA0MjgyMzI2MzJaMIGY
|
||||
MQswCQYDVQQGEwJCRTEQMA4GA1UECAwHQmVsZ2l1bTEKMAgGA1UEBwwBLjESMBAG
|
||||
A1UECgwJQmhhc2hlckNBMRMwEQYDVQQLDApCaGFzaGVyIElUMSMwIQYDVQQDDBpC
|
||||
aGFzaGVyQ0EgUm9vdCBDZXJ0aWZpY2F0ZTEdMBsGCSqGSIb3DQEJARYOY2FAYmhh
|
||||
c2hlci5jb20wggQiMA0GCSqGSIb3DQEBAQUAA4IEDwAwggQKAoIEAQCYcYWraaSp
|
||||
2Tn+ic7zCPWg/Xy7C2KjL5tdRq4D09eZsnUnruTNvhEbXs+cgEj6u2UQ09jiNA2Z
|
||||
7oYjpNrcr6Hit10n9H2Mpn4nTcYYrA/44Aa0yKY97v3vMM0+Q4/1LDrX96fpvegC
|
||||
qn3VRJd8gHCmRIG4I74QpRdxB7DSkcc749NsyBOP7Hsicpwx9sXE5zBwxlTGBbvR
|
||||
4v7HjaqxxaTqC7V6qTcjG2FjpkxMbZj7lVXyQik07UEnVV0zqAlnie2843d62xSv
|
||||
2zQmyEwtnwvkrKnNKZIt+nELI3DmvHKW9hbB1lNz5zwfX+bwCudoKeXOpsAOY5Vj
|
||||
oYNEDp6+oqPF9/+tqsXjFamC0boe898v6beT8PYNX+yAVc5cOfcgBkR4dupyXyZe
|
||||
SyrGw29wmccyPqfADrr53PTn84kgvGRi0DGAH7VLd8eHbQ6kRuJtvspPXMBL6co9
|
||||
qX3spVJWF00qt6IHrF0oYioCuibxlG/0Hnp0zvO4U9I0DosoVkAOlKjTXppjNDDZ
|
||||
sHdHGkyX+OP868ht0JyTFarSQs6WVWvL6Gs6VCjuiFNwETxq9tYLmKN1IfcZf6Be
|
||||
sVpKD2xISRiMtKsfwmE+1CfUACWqlvsB13vFjw8ZB4eOOUnuG/svvx17TY8J3SAW
|
||||
iAzWnMECFGdJfcqepEln71J9gqO7HuuTiwofV967ruqCtxX7sOWG29xz3tB+JVW4
|
||||
78e0RjOC9sIXF3840WVG8GDbvmFjs0O/ZnYBfNYXh+kNkgIriJa1jnpZ16yVARAs
|
||||
D4RrQ1hg+aKcxe0nzxodnjJKECD7MRfxQPEHs/CAC50IhLj/Ez797SH6NSkvAGNz
|
||||
fmtgYC61zUuKAttJhkzD7lEE5PlSXlif67J8dCbb/ie8qNQTJ4i9ijMoZD6hhieR
|
||||
0NyRiMCGbyaQso7gRwbGxbIa4hp21Vi9XJj6q0U/90S2vBMdokZl+qmKktspxlCH
|
||||
/O7YL3alEmEZxOVz78VpAu/0fHyFc1hCr6FVOmfrsCc2RIbdMGxbLZwAA9tP8R+u
|
||||
CI/aVjxLNQTw6uSjeTekoNeWcXenNYM/REr96HEgvVcwytGX02wbHciulFi/NSyW
|
||||
d5nCst0GhXWA8iQX/WKX1uQUPLoimJGLxUjAT8yVHXsE+otnoCumCrXsrQpMhvga
|
||||
yWg2TLVSh7QvBnrs9JJNp6Z8vVGZuw/VcWxckFu2m7/eNLJc5+f/NXl6wVq0O1OG
|
||||
NIVoqatD/yBl0NgBwQXqSR/PJ30C/bQTuYwTaTiWNGD7gLcGTW61S8EWqGCYdZLu
|
||||
UkYDeafp1LzUyw1wOpxvnKVnMux+3lLceQubWSC4F6XqMCn/nYIMGnQ1Hs/zF/1G
|
||||
7MKi96ZMLsrXAgMBAAGjYzBhMB0GA1UdDgQWBBSgDfvqI+DQCUiCtDfzU0jWjEDS
|
||||
NTAfBgNVHSMEGDAWgBSgDfvqI+DQCUiCtDfzU0jWjEDSNTAPBgNVHRMBAf8EBTAD
|
||||
AQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQ0FAAOCBAEAcrmgBpzu4MQg
|
||||
GLVLNghy+r/01V4fWGx7uyTkWrx0xtEyPUA0Sl1Pky3BNeA9ySfxVYzFPOOOKLLb
|
||||
lsK22LF1bHx7yU8oTuJpgDluE5xK0bKfWqcnDQEwlKfkhJTUu1zO+e8c05oi68fS
|
||||
EcMo/jLGWNuLMUhMQ/OGyaTUeZCXLulUfgWF/NyUDJPfZhPP+U68nXs0fdX7LMq8
|
||||
uIOQlQEA/7Xo5Xz73AA0YimA8XxqhCZIoAhcLOE620sHzpiHlWJ/S1OnFzrUMSeG
|
||||
xnOuXiOqsBklsW5b819UXLhOqKk5PnAoB+ZhoVG1HxoGTG9wQdq1/wpxNyWhYpDH
|
||||
Tj0eLNs7Q7EwZaB6gtAvXDX6yC0/HQ3z6UnMzLViifaON9zC+ljBb63u7ZZ1qBXb
|
||||
qF9Ub3/mgdHIhiy9iBY/JTMQxEZnLqPDwVgSnuwuoF0LYAzX3Tdba2K4wXIZHOtg
|
||||
KVswHtsthGs25CUMfxUw1C0BgjQc8PX3+fWwBQG58ziww+rEwSl/8jxCriyA7mTc
|
||||
nigyfQhMti00lHo+Se0KG9mbkFsgKQfHJ7uCXYVsRf0FM4tn08kRX22ubXD1UE+g
|
||||
EZSWNmrNb+ZnVUQhAqylP5RFGaULPRstW1gKzF0gn5HKt6muz3fWIkKoY57xLphe
|
||||
2XwJppNc02+l7RVb+oMIcRPBmKc7JB7i7dU5ctlae6iLeQnYIa1RZ9DCQhsUqvlk
|
||||
7SHotC3PuXLT6haeF8MUBkt9Og3l+KcsgHhZJqOqeTO4x1wfnqeMvUHG6rsn/DEA
|
||||
O+qu4CVVq+C73Xrl76kZpZkAk40Cw1DeRRObRXCnGuD+/eOGuoTHUXToiOQBnXx7
|
||||
IfDPj+8G4ss3Wb4syH8hhKNn4TEHzHn3NCjKD9NWH0qWIqEnlrxYTkWpRckGMgN6
|
||||
8lCKoH6JnIuLOELsXLey5qwEh8DrEG9+/6TZo1bxziE3+G1FmM/UuiZ4/sp/1rKS
|
||||
nU6k3D3x5yjZbE1Eogq5JI47i/2J75x1uWUgIppYsaI1UvCX7Uux9r1PCMI7ixPz
|
||||
GhS2wKt3jCGU6ulX5vnihDglQXAEP5V+JRcI0xsdEkdB/3lU963EwvFjldQHuJP3
|
||||
I8emKNFl4lnDqloNo1xBqePoD9K0XJF8HHosvLxjUVhc98kmK8rlnGvjyL897KbG
|
||||
chHUpmcOvehDStG9BecQJB7O6F3utebzetuAjBzdzfRVjLMJ9fP5z/py1RgTNk1Y
|
||||
YH6NHOwUEDN1ojFI04z6gnHP8qHhDdCi4Dk9IRJ5zoTtHOpxfYF0EeoqJLOkBpxP
|
||||
n7MKBI2FTJH22/b+YA12FYi9flBI85yHAJwtMvvh2kZssOAMKV0ccNG1EOD6v6dS
|
||||
Pzrn2j0Zdg==
|
||||
-----END CERTIFICATE-----
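Review bot: `insecureSkipVerify: true` inside `oidc.config` of argocd-cm asks for certificate verification to be switched off towards https://idp.bhasher.com, the endpoint that receives the OIDC client secret and returns the tokens; whether Argo CD honours that key at this version is not visible here, but the intent should not ship either way. The BhasherCA root is already in this same file under argocd-tls-certs-cm, so I would delete the flag and give the issuer's CA to the OIDC client instead, for example through the `rootCA:` field of `oidc.config` if the deployed version supports it. `redirectUrl: https://argo-server/auth/callback` also does not match `url: https://argocd.bhasher.com`, so check which callback the IdP has registered. In argocd-ssh-known-hosts-cm, the `github.com ssh-rsa` entry is the host key GitHub replaced in March 2023, so that line (and the other providers' RSA entries) should be refreshed from the providers' published fingerprints rather than carried forward.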
|
|
@ -0,0 +1,121 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: argocd-application-controller-network-policy
|
||||
namespace: devops
|
||||
spec:
|
||||
ingress:
|
||||
- from:
|
||||
- namespaceSelector: {}
|
||||
ports:
|
||||
- port: 8082
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-application-controller
|
||||
policyTypes:
|
||||
- Ingress
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: argocd-dex-server-network-policy
|
||||
namespace: devops
|
||||
spec:
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-server
|
||||
ports:
|
||||
- port: 5556
|
||||
protocol: TCP
|
||||
- port: 5557
|
||||
protocol: TCP
|
||||
- from:
|
||||
- namespaceSelector: {}
|
||||
ports:
|
||||
- port: 5558
|
||||
protocol: TCP
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-dex-server
|
||||
policyTypes:
|
||||
- Ingress
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: argocd-redis-network-policy
|
||||
namespace: devops
|
||||
spec:
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-server
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-repo-server
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-application-controller
|
||||
ports:
|
||||
- port: 6379
|
||||
protocol: TCP
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-redis
|
||||
policyTypes:
|
||||
- Ingress
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: argocd-repo-server-network-policy
|
||||
namespace: devops
|
||||
spec:
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-server
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-application-controller
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-notifications-controller
|
||||
ports:
|
||||
- port: 8081
|
||||
protocol: TCP
|
||||
- from:
|
||||
- namespaceSelector: {}
|
||||
ports:
|
||||
- port: 8084
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-repo-server
|
||||
policyTypes:
|
||||
- Ingress
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: argocd-server-network-policy
|
||||
namespace: devops
|
||||
spec:
|
||||
ingress:
|
||||
- {}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: argocd-server
|
||||
policyTypes:
|
||||
- Ingress
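Review bot: The `- {}` entry under `ingress:` in argocd-server-network-policy admits traffic from every pod and namespace on every port, so this policy does not narrow anything for the Argo CD API/UI pods, unlike the redis and repo-server policies above it. The only consumer visible on this page is the nginx Ingress for argocd.bhasher.com, so the rule could be limited to the ingress controller's namespace on port 8080, with a separate metrics rule on 8083 in the same shape the other policies use. The controller's namespace is not on the page, so the fence uses a placeholder. Confirm that nothing else in the cluster needs direct access, and that the controller does not run on the host network, before tightening.

```yaml
spec:
  ingress:
  # Constructed example: replace the placeholder with the namespace
  # that runs the nginx ingress controller.
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: <ingress-controller-namespace>
    ports:
    - port: 8080
      protocol: TCP
  # Metrics scrape, same shape as the other policies in this file.
  - from:
    - namespaceSelector: {}
    ports:
    - port: 8083
  # … unchanged: podSelector and policyTypes …
```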
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: argocd-notifications-secret
|
||||
namespace: devops
|
||||
type: Opaque
|
|
@ -0,0 +1,446 @@
|
|||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: application-controller
|
||||
app.kubernetes.io/name: argocd-application-controller
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-application-controller
|
||||
namespace: devops
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/name: argocd-applicationset-controller
|
||||
app.kubernetes.io/part-of: argocd-applicationset
|
||||
name: argocd-applicationset-controller
|
||||
namespace: devops
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: dex-server
|
||||
app.kubernetes.io/name: argocd-dex-server
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-dex-server
|
||||
namespace: devops
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: argocd-notifications-controller
|
||||
namespace: devops
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: redis
|
||||
app.kubernetes.io/name: argocd-redis
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-redis
|
||||
namespace: devops
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: server
|
||||
app.kubernetes.io/name: argocd-server
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-server
|
||||
namespace: devops
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: application-controller
|
||||
app.kubernetes.io/name: argocd-application-controller
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-application-controller
|
||||
namespace: devops
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
- configmaps
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- argoproj.io
|
||||
resources:
|
||||
- applications
|
||||
- appprojects
|
||||
verbs:
|
||||
- create
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- update
|
||||
- patch
|
||||
- delete
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- list
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/name: argocd-applicationset-controller
|
||||
app.kubernetes.io/part-of: argocd-applicationset
|
||||
name: argocd-applicationset-controller
|
||||
namespace: devops
|
||||
rules:
|
||||
- apiGroups:
|
||||
- argoproj.io
|
||||
resources:
|
||||
- applications
|
||||
- appprojects
|
||||
- applicationsets
|
||||
- applicationsets/finalizers
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- apiGroups:
|
||||
- argoproj.io
|
||||
resources:
|
||||
- applicationsets/status
|
||||
verbs:
|
||||
- get
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
- configmaps
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- apps
|
||||
- extensions
|
||||
resources:
|
||||
- deployments
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: dex-server
|
||||
app.kubernetes.io/name: argocd-dex-server
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-dex-server
|
||||
namespace: devops
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
- configmaps
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: argocd-notifications-controller
|
||||
namespace: devops
|
||||
rules:
|
||||
- apiGroups:
|
||||
- argoproj.io
|
||||
resources:
|
||||
- applications
|
||||
- appprojects
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- update
|
||||
- patch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
- secrets
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resourceNames:
|
||||
- argocd-notifications-cm
|
||||
resources:
|
||||
- configmaps
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups:
|
||||
- ""
|
||||
resourceNames:
|
||||
- argocd-notifications-secret
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: server
|
||||
app.kubernetes.io/name: argocd-server
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-server
|
||||
namespace: devops
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
- configmaps
|
||||
verbs:
|
||||
- create
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- update
|
||||
- patch
|
||||
- delete
|
||||
- apiGroups:
|
||||
- argoproj.io
|
||||
resources:
|
||||
- applications
|
||||
- appprojects
|
||||
verbs:
|
||||
- create
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- update
|
||||
- delete
|
||||
- patch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- list
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: application-controller
|
||||
app.kubernetes.io/name: argocd-application-controller
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-application-controller
|
||||
rules:
|
||||
- apiGroups:
|
||||
- '*'
|
||||
resources:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
- nonResourceURLs:
|
||||
- '*'
|
||||
verbs:
|
||||
- '*'
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: server
|
||||
app.kubernetes.io/name: argocd-server
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-server
|
||||
rules:
|
||||
- apiGroups:
|
||||
- '*'
|
||||
resources:
|
||||
- '*'
|
||||
verbs:
|
||||
- delete
|
||||
- get
|
||||
- patch
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- list
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- pods
|
||||
- pods/log
|
||||
verbs:
|
||||
- get
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: application-controller
|
||||
app.kubernetes.io/name: argocd-application-controller
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-application-controller
|
||||
namespace: devops
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: argocd-application-controller
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: argocd-application-controller
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: controller
|
||||
app.kubernetes.io/name: argocd-applicationset-controller
|
||||
app.kubernetes.io/part-of: argocd-applicationset
|
||||
name: argocd-applicationset-controller
|
||||
namespace: devops
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: argocd-applicationset-controller
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: argocd-applicationset-controller
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: dex-server
|
||||
app.kubernetes.io/name: argocd-dex-server
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-dex-server
|
||||
namespace: devops
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: argocd-dex-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: argocd-dex-server
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: argocd-notifications-controller
|
||||
namespace: devops
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: argocd-notifications-controller
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: argocd-notifications-controller
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: redis
|
||||
app.kubernetes.io/name: argocd-redis
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-redis
|
||||
namespace: devops
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: argocd-redis
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: argocd-redis
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: server
|
||||
app.kubernetes.io/name: argocd-server
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-server
|
||||
namespace: devops
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: argocd-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: argocd-server
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: application-controller
|
||||
app.kubernetes.io/name: argocd-application-controller
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-application-controller
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: argocd-application-controller
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: argocd-application-controller
|
||||
namespace: devops
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: server
|
||||
app.kubernetes.io/name: argocd-server
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-server
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: argocd-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: argocd-server
|
||||
namespace: devops
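Review bot: The ClusterRole `argocd-application-controller` grants `*` verbs on `*` resources in `*` API groups plus every non-resource URL, and the ClusterRoleBinding near the end of the file hands that to the controller's ServiceAccount in `devops`, which makes that account equivalent to cluster-admin. This looks like the upstream default, but nothing in the file says it is deliberate. I would add a comment above the rule such as `# cluster-admin equivalent: needed for Argo CD to manage arbitrary resources; treat this ServiceAccount token as a cluster credential`, or narrow the rule if this instance only deploys into known namespaces. Separately, the RoleBinding `argocd-redis` points at a Role `argocd-redis` that is not among the Roles defined in this file; if it is not created elsewhere, the binding grants nothing and can be dropped.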
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: argocd-secret
|
||||
namespace: devops
|
||||
spec:
|
||||
encryptedData:
|
||||
oidc.authelia.clientSecret: AgBxmb5FeitSFQ4rt+c/GDGGgYs1OdQcvxCuIPu/23bq129shPTuGfJL6pbu7g67p3gy06bZ+LZswyMu1/eaBGbopVSFg9VsNVULIaGTcvGMlQpsfG+cMZ70Yhn2taGFV40AlQMEbmVwOv/1hiUOG6osS45VEepnxNcp1Wrg33FecF/OQDi1QcsPlToA05B4cyft7/jCeXr9ZS7FOrQrKAWfdniFaZfsh445YYfg6lU/T+DzsLkiTmFsdNC1awam1Ia0i3yQqgPLqJ+BXOF39BNgJIocgyttKmSm2IpAxGeY/vbB29M/FHbgYXyKGxgzXYAQOjPhOVX2Gyw6KBnoc9oCAvStyJdYKHSIUqswpW0R3Dq4yGeFwolaHD5RyH3830Ng13lhtJMLYXPxS7ExP9oZTA4JUF5wzOSC/8//vzxxx4v42xcogOzeaarWqjkF9otsnvgMa092aFNpgnuS1qO6DqY2S3ISEBu/lRRq9yFxH4Pz7xA87xWIPUD4JsjE1E6bfEgx0UUzQxLa76A+AJF/px9ESzNO7woGnc3P70ZYuQ8frEg49stAjFkK4SekHA3ENsdZ5Ck4Z0fF1BTI1Fvo+whSq8f7e/BqRCzVTHDubnAZYuGunzb2b693VUl4fs2DDX9N9U9y0ZKwI1fMzo04CbqPJgROspOilTa4RSUkAk8fHDj5D45JIpZDKGwKJ0mxT3FlTz0SNklTksLDgExxkRMHPN+I+vPZq+8QrnTDX+VQMdZXiJdtoT/q+Dx80fT8Wwi84nGTHjysqfnmLcCd
|
||||
template:
|
||||
data: null
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
labels:
|
||||
app.kubernetes.io/name: argocd-secret
|
||||
app.kubernetes.io/part-of: argocd
|
||||
name: argocd-secret
|
||||
namespace: devops
|
||||
type: Opaque
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: devops
|
|
@ -0,0 +1,146 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: kubernetes-dashboard-certs
|
||||
namespace: devops
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
type: Opaque
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: kubernetes-dashboard-csrf
|
||||
namespace: devops
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
type: Opaque
|
||||
data:
|
||||
csrf: ""
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: kubernetes-dashboard-key-holder
|
||||
namespace: devops
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
type: Opaque
|
||||
|
||||
---
|
||||
|
||||
kind: Deployment
|
||||
apiVersion: apps/v1
|
||||
metadata:
|
||||
name: kubernetes-dashboard
|
||||
namespace: devops
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 10
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: kubernetes-dashboard
|
||||
image: kubernetesui/dashboard:v2.5.1
|
||||
imagePullPolicy: IfNotPresent
|
||||
ports:
|
||||
- containerPort: 8443
|
||||
protocol: TCP
|
||||
args:
|
||||
- --auto-generate-certificates
|
||||
- --namespace=devops
|
||||
- --token-ttl=21600
|
||||
volumeMounts:
|
||||
- name: kubernetes-dashboard-certs
|
||||
mountPath: /certs
|
||||
# Create on-disk volume to store exec logs
|
||||
- mountPath: /tmp
|
||||
name: tmp-volume
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
scheme: HTTPS
|
||||
path: /
|
||||
port: 8443
|
||||
initialDelaySeconds: 30
|
||||
timeoutSeconds: 30
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 1001
|
||||
runAsGroup: 2001
|
||||
volumes:
|
||||
- name: kubernetes-dashboard-certs
|
||||
secret:
|
||||
secretName: kubernetes-dashboard-certs
|
||||
- name: tmp-volume
|
||||
emptyDir: {}
|
||||
serviceAccountName: kubernetes-dashboard
|
||||
nodeSelector:
|
||||
"kubernetes.io/os": linux
|
||||
# Comment the following tolerations if Dashboard must not be deployed on master
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: kubernetes-dashboard
|
||||
namespace: devops
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- port: 8443
|
||||
targetPort: 8443
|
||||
protocol: TCP
|
||||
name: dashboard
|
||||
selector:
|
||||
k8s-app: kubernetes-dashboard
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: k3s
|
||||
namespace: devops
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "dashboard.bhasher.com"
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- dashboard.bhasher.com
|
||||
secretName: k3s-tls
|
||||
rules:
|
||||
- host: dashboard.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: kubernetes-dashboard
|
||||
port:
|
||||
number: 8443
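Review bot: The `k3s` Ingress for `dashboard.bhasher.com` has none of the `nginx.ingress.kubernetes.io/auth-url` / `auth-signin` annotations that the mealie and ldapusermanager Ingresses in this commit use, so the Dashboard's own login page is the only gate in front of it. That matters more here because another file in this commit binds a `kubernetes-dashboard-admin` ServiceAccount to `cluster-admin`. I would add the same forward-auth annotations pointing at `https://idp.bhasher.com/api/verify`, and replace the deprecated `kubernetes.io/ingress.class: "nginx"` annotation with `ingressClassName: nginx` under `spec`, as the other Ingresses do. Whether the `nginx` class is reachable from outside the cluster is not visible here; if it is internal only, the exposure is smaller but the missing second factor still applies.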
|
|
@ -0,0 +1,71 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: dashboard-metrics-scraper
|
||||
name: dashboard-metrics-scraper
|
||||
namespace: devops
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: dashboard-metrics-scraper
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: dashboard-metrics-scraper
|
||||
spec:
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
dnsPolicy: ClusterFirst
|
||||
hostNetwork: true
|
||||
containers:
|
||||
- name: dashboard-metrics-scraper
|
||||
image: kubernetesui/metrics-scraper:v1.0.7
|
||||
ports:
|
||||
- containerPort: 8000
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
scheme: HTTP
|
||||
path: /
|
||||
port: 8000
|
||||
initialDelaySeconds: 30
|
||||
timeoutSeconds: 30
|
||||
volumeMounts:
|
||||
- mountPath: /tmp
|
||||
name: tmp-volume
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 1001
|
||||
runAsGroup: 2001
|
||||
serviceAccountName: kubernetes-dashboard
|
||||
nodeSelector:
|
||||
"kubernetes.io/os": linux
|
||||
# Comment the following tolerations if Dashboard must not be deployed on master
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
volumes:
|
||||
- name: tmp-volume
|
||||
emptyDir: {}
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: dashboard-metrics-scraper
|
||||
namespace: devops
|
||||
labels:
|
||||
k8s-app: dashboard-metrics-scraper
|
||||
spec:
|
||||
ports:
|
||||
- port: 8000
|
||||
targetPort: 8000
|
||||
name: dashboard-metrics-scrapper
|
||||
selector:
|
||||
k8s-app: dashboard-metrics-scraper
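Review bot: `hostNetwork: true` on the metrics-scraper pod binds its plain-HTTP port 8000 on the node's own interfaces, and nothing visible in this manifest needs host networking, since the Service and the Dashboard Role address the scraper by Service name. I would drop the line. If host networking really is required, `dnsPolicy: ClusterFirst` has to become `dnsPolicy: ClusterFirstWithHostNet`, because with host networking `ClusterFirst` falls back to the node's resolver. Minor: the Service port name `dashboard-metrics-scrapper` is misspelled relative to every other name in the file.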
|
|
@ -0,0 +1,85 @@
|
|||
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard
|
||||
namespace: devops
|
||||
|
||||
---
|
||||
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard
|
||||
namespace: devops
|
||||
rules:
|
||||
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
|
||||
verbs: ["get", "update", "delete"]
|
||||
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
resourceNames: ["kubernetes-dashboard-settings"]
|
||||
verbs: ["get", "update"]
|
||||
# Allow Dashboard to get metrics.
|
||||
- apiGroups: [""]
|
||||
resources: ["services"]
|
||||
resourceNames: ["heapster", "dashboard-metrics-scraper"]
|
||||
verbs: ["proxy"]
|
||||
- apiGroups: [""]
|
||||
resources: ["services/proxy"]
|
||||
resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
|
||||
verbs: ["get"]
|
||||
|
||||
---
|
||||
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard
|
||||
rules:
|
||||
# Allow Metrics Scraper to get metrics from the Metrics server
|
||||
- apiGroups: ["metrics.k8s.io"]
|
||||
resources: ["pods", "nodes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kubernetes-dashboard
|
||||
name: kubernetes-dashboard
|
||||
namespace: devops
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: kubernetes-dashboard
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kubernetes-dashboard
|
||||
namespace: devops
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kubernetes-dashboard
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: kubernetes-dashboard
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kubernetes-dashboard
|
||||
namespace: devops
|
|
@ -0,0 +1,32 @@
|
|||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kubernetes-dashboard-admin
|
||||
namespace: devops
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: kubernetes-dashboard-admin
|
||||
namespace: devops
|
||||
annotations:
|
||||
kubernetes.io/service-account.name: kubernetes-dashboard-admin
|
||||
type: kubernetes.io/service-account-token
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: kubernetes-dashboard-admin
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kubernetes-dashboard-admin
|
||||
namespace: devops
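Review bot: The `kubernetes-dashboard-admin` Secret of type `kubernetes.io/service-account-token` produces a token with no expiry, and the ClusterRoleBinding below it gives that identity `cluster-admin`. Any principal that can read Secrets in `devops` therefore holds permanent full control of the cluster, and the `reloader-role` ClusterRole added in this commit grants `get`/`list` on Secrets cluster-wide. I would bind the account to a narrower role such as the built-in `view` ClusterRole, or drop the Secret and issue time-limited tokens when needed with `kubectl create token kubernetes-dashboard-admin -n devops`. `creationTimestamp: null` in the binding's metadata is generator residue and can be removed.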
|
|
@ -0,0 +1,108 @@
|
|||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: reloader
|
||||
namespace: devops
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: reloader-role
|
||||
namespace: devops
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
- configmaps
|
||||
verbs:
|
||||
- list
|
||||
- get
|
||||
- watch
|
||||
- apiGroups:
|
||||
- "apps"
|
||||
resources:
|
||||
- deployments
|
||||
- daemonsets
|
||||
- statefulsets
|
||||
verbs:
|
||||
- list
|
||||
- get
|
||||
- update
|
||||
- patch
|
||||
- apiGroups:
|
||||
- "extensions"
|
||||
resources:
|
||||
- deployments
|
||||
- daemonsets
|
||||
verbs:
|
||||
- list
|
||||
- get
|
||||
- update
|
||||
- patch
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: reloader-role-binding
|
||||
namespace: devops
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: reloader-role
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: reloader
|
||||
namespace: devops
|
||||
|
||||
---
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
app: reloader
|
||||
name: reloader
|
||||
namespace: devops
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: reloader
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: reloader
|
||||
spec:
|
||||
containers:
|
||||
- image: stakater/reloader:v0.0.110
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: reloader
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 9090
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /metrics
|
||||
port: http
|
||||
timeoutSeconds: 5
|
||||
failureThreshold: 5
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /metrics
|
||||
port: http
|
||||
timeoutSeconds: 5
|
||||
failureThreshold: 5
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65534
|
||||
serviceAccountName: reloader
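Review bot: `reloader-role` grants `list`, `get` and `watch` on every Secret in the cluster, which includes the `kubernetes-dashboard-admin` token and the Authelia secrets added in this same commit. If only a few namespaces carry the `reloader.stakater.com/auto` annotation, namespaced Role/RoleBinding pairs there would give the same function with a much smaller read scope, assuming this Reloader version can be limited to selected namespaces, which is worth checking. Separately, `namespace: devops` in the metadata of the ClusterRole and the ClusterRoleBinding has no effect on cluster-scoped objects and should be removed, so the manifest does not suggest a namespace limit that is not there.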
|
|
@ -0,0 +1,90 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: authelia
|
||||
namespace: idp
|
||||
labels:
|
||||
app: authelia
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
revisionHistoryLimit: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: authelia
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: authelia
|
||||
spec:
|
||||
containers:
|
||||
- name: authelia
|
||||
image: authelia/authelia:latest
|
||||
args: ["--config", "/config/configuration.yml,/config/oidc.yml"]
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 9091
|
||||
volumeMounts:
|
||||
- name: authelia-config
|
||||
mountPath: /config/configuration.yml
|
||||
subPath: configuration.yml
|
||||
- name: authelia-oidc
|
||||
mountPath: /config/oidc.yml
|
||||
subPath: oidc.yml
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: authelia
|
||||
volumes:
|
||||
- name: authelia-config
|
||||
configMap:
|
||||
name: authelia-config
|
||||
- name: authelia-oidc
|
||||
secret:
|
||||
secretName: authelia-oidc
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: authelia
|
||||
namespace: idp
|
||||
labels:
|
||||
app: authelia
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 9091
|
||||
targetPort: 9091
|
||||
selector:
|
||||
app: authelia
|
||||
type: ClusterIP
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: authelia
|
||||
namespace: idp
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "idp.bhasher.com"
|
||||
spec:
|
||||
ingressClassName: "nginx-external"
|
||||
tls:
|
||||
- hosts:
|
||||
- idp.bhasher.com
|
||||
secretName: authelia-tls
|
||||
rules:
|
||||
- host: idp.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: authelia
|
||||
port:
|
||||
number: 9091
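Review bot: `image: authelia/authelia:latest` leaves the identity provider that gates the other Ingresses on whatever the registry serves at the next pod restart, and the same applies to `wheelybird/ldap-user-manager:latest` in the ldapusermanager Deployment later in this commit. I would pin both to a released tag, ideally with a digest (`image: authelia/authelia:<version>@sha256:<digest>`), as the Dashboard and Reloader manifests already do with tags. The container also has no `securityContext`, probes or `resources`. At least `allowPrivilegeEscalation: false` and a readiness probe on port 9091 would be worth adding, since an unhealthy IdP locks out everything behind `auth-url`.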
|
|
@ -0,0 +1,158 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: authelia-config
|
||||
namespace: idp
|
||||
data:
|
||||
configuration.yml: |
|
||||
default_redirection_url: https://portal.bhasher.com
|
||||
theme: dark
|
||||
|
||||
server:
|
||||
host: 0.0.0.0
|
||||
port: 9091
|
||||
|
||||
log:
|
||||
level: debug
|
||||
|
||||
totp:
|
||||
disable: false
|
||||
issuer: idp.bhasher.com
|
||||
algorithm: sha256
|
||||
digits: 6
|
||||
period: 30
|
||||
skew: 1
|
||||
secret_size: 32
|
||||
|
||||
authentication_backend:
|
||||
disable_reset_password: false
|
||||
refresh_interval: 5m
|
||||
ldap:
|
||||
implementation: custom
|
||||
url: ldap://openldap.idp.svc.cluster.local
|
||||
timeout: 5s
|
||||
start_tls: false
|
||||
base_dn: DC=bhasher,DC=com
|
||||
username_attribute: uid
|
||||
additional_users_dn: ou=users
|
||||
users_filter: (&({username_attribute}={input})(objectClass=inetOrgPerson))
|
||||
additional_groups_dn: ou=groups
|
||||
groups_filter: (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
|
||||
group_name_attribute: cn
|
||||
mail_attribute: mail
|
||||
display_name_attribute: cn
|
||||
permit_referrals: false
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
rules:
|
||||
- domain: '*.bhasher.com'
|
||||
policy: two_factor
|
||||
subject:
|
||||
- "group:admin"
|
||||
- domain: 'git.bhasher.com'
|
||||
policy: two_factor
|
||||
subject:
|
||||
- "group:contributor"
|
||||
- domain: 'wiki.bhasher.com'
|
||||
policy: two_factor
|
||||
subject:
|
||||
- "group:contributor"
|
||||
- domain: 'radarr.bhasher.com'
|
||||
policy: two_factor
|
||||
subject:
|
||||
- "group:mediaserver"
|
||||
- domain: 'nextcloud.bhasher.com'
|
||||
policy: two_factor
|
||||
subject:
|
||||
- "group:home"
|
||||
|
||||
session:
|
||||
name: auth_session
|
||||
domain: bhasher.com
|
||||
same_site: lax
|
||||
expiration: 1d
|
||||
inactivity: 3h
|
||||
remember_me_duration: 1w
|
||||
redis:
|
||||
host: redis.storage.svc.cluster.local
|
||||
port: 6379
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 1m
|
||||
ban_time: 5m
|
||||
|
||||
storage:
|
||||
# local:
|
||||
# path: /data/db.sqlite3
|
||||
postgres:
|
||||
host: postgres.storage.svc.cluster.local
|
||||
port: 5432
|
||||
database: authelia
|
||||
schema: public
|
||||
username: authelia
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
username: no-reply@bhasher.com
|
||||
host: bdubois.io
|
||||
port: 587
|
||||
sender: no-reply@bhasher.com
|
||||
tls:
|
||||
skip_verify: true
|
||||
|
||||
password_policy:
|
||||
standard:
|
||||
enabled: true
|
||||
min_length: 8
|
||||
max_length: 0
|
||||
require_uppercase: false
|
||||
require_lowercase: false
|
||||
require_number: false
|
||||
require_special: false
|
||||
|
||||
identity_providers:
|
||||
oidc:
|
||||
issuer_private_key: |
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEowIBAAKCAQEAwz+97ZILHP+8Hxu2XsK17QZEyOiGQ45SRl6/UbjhiN5Cc5di
|
||||
UQ3I8LaHwvxrsbbBaqLQsYVISye8xdeVvKEa/Pk/VYVGRgOQ+DFHPthOYwGa9bZa
|
||||
INtvOKy85OiqFY8mamRiTkCDo4unxVf35mI6Z01+a5WycvG2mC1VY3v0VC2/PyJt
|
||||
uRusqk9946DbP7IJ83WS8GuVEGsKna8pjr1DW2kC+qUZtA8pM0mH8EK1o2wDKPOb
|
||||
X/4J+/A9kbx2Gnt8gxq3NtErcUHsSKwQtQfik38ehfFfOxq+xINjn5W90gUvx2q5
|
||||
zI3gk2cJFTxiKqRtYfTETnepvKqkzTMlBCVAMwIDAQABAoIBAHlpfMBrbW+18xRh
|
||||
FjGs4JYorMNGHJ+Ls8vAhTXbQpvqoeXhQCjo6ogM6TUt5AYZgALAhgeturvJVRCt
|
||||
s5YdlHu0vlZ+zqkg9JfxhL0mou/cArFCmJ8P9QSIHdo2d/V6E8ha7ep9IZ6kbEpC
|
||||
HoxrjqfIP5HE/7eMaSAOKKf5X4Cr701/3r/0rD+BsYZPC0eklRO2W1x801n0+ks0
|
||||
oVI1/fNkM+F8It7GK/AC1KGThLL8DzBP9cwYaqnABktNKCh+/2z4+50G9z8Bcc3F
|
||||
4FUYubidahZ0DD0KniFGcENfDhLPpy3HsQU6Sp5IgZBaM+jbbp5Grv3Wh7kqDEOQ
|
||||
tmdjEGECgYEA7ZLpHm8h2C9nMFwMzCR18VQgAzLlhCxBJn7wOF5EUOJWNRCo1To1
|
||||
G9qNMUKb1pcnwYGc2s488YfiUkufxZKCjdRSmVwul4D5ufb4zGu/4ulzfrx6DnjJ
|
||||
8BBAtYPiP5RD+m9keB1OI6BHYOMtLi4Vv+XjkasTbtYRWcPdQABC+DECgYEA0mR1
|
||||
ye9T4KcrQoFP14I0vFkVLe2gzVa3Kn5MSM7iMMXcTV3G2GSQCtufpVRbGvw0qgDy
|
||||
cdIvT24dIhYaqF33IuJdZgzSlM4/3KQbMPhVlLpaGpiP1CqUuxsTlrjzOZUkTZBE
|
||||
BrfkBO9VwaGX35WqnatFyXJ3TEWPt4/1s9DfiaMCgYEA4sg6gDLVu+iEOEWmcbjc
|
||||
XWJQrL0JGwKjrnu+FBDoZc2pPT6J7AGEcPJPlZZf7Jid+rofYT8+LdHo2WYXPiJ9
|
||||
PaZQstSsJTOZL0vydDDnG1R+S5zfZrEnE2JwYtViRA7kVUvAPGi9DoURngs+NbcI
|
||||
TAbHFWaZRlRSe73clhup0gECgYBK9Pm2MSssDcLu1c1RVZVeSUqva0rv/WYSoJ6j
|
||||
DfouMEAV3EQ80k8zXx3YtF4lFhfZPa8i+CRc4zlD7KYguCGVbxqhgg4AcB72iA0b
|
||||
/E3ZSC9T7GjJyUXmB3aKK2iUaltduvlRf3CghXiDHQRT5ym7NMsPQ1XXea0DVCnQ
|
||||
n6kUiwKBgDAMfny68ymQVskEv/NCTbRkpz6O1DA997QyjPV/QyfSpt1znPuNvgkE
|
||||
SQu0C/b47Nm2ZGAHVryWLo8bBS8+ECEV74GM/kHoDWpWzEeoxynW+dBZoP9sbKzZ
|
||||
LCWjPegQEkVdtp83Thfqb/MfeUj8GHf8MegIGoJd50f19tggd4a3
|
||||
-----END RSA PRIVATE KEY-----
|
||||
access_token_lifespan: 3h
|
||||
authorize_code_lifespan: 1m
|
||||
id_token_lifespan: 1h
|
||||
refresh_token_lifespan: 90m
|
||||
enable_client_debug_messages: false
|
||||
cors:
|
||||
endpoints:
|
||||
- authorization
|
||||
- token
|
||||
- revocation
|
||||
- introspection
|
||||
allowed_origins:
|
||||
- https://git.bhasher.com
|
||||
allowed_origins_from_client_redirect_uris: false
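Review bot: `identity_providers.oidc.issuer_private_key` embeds the RSA signing key in plain text inside a ConfigMap, so it is readable in the repository history and by anyone with ConfigMap read access in `idp`; it should be treated as disclosed, regenerated, and removed from this file. The Deployment already mounts a Secret `authelia-oidc` at `/config/oidc.yml`, and the other Authelia secrets go through the `authelia` SealedSecret, so the replacement key belongs in one of those. Elsewhere in the same config, `notifier.smtp.tls.skip_verify: true` turns off certificate checking for the mail server used by the notifier, `log.level: debug` is verbose for an IdP, and the LDAP backend uses `ldap://` with `start_tls: false`. I would set `skip_verify: false` and `level: info`, and enable StartTLS or `ldaps://` if the directory supports it.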
|
File diff suppressed because one or more lines are too long
|
@ -0,0 +1,24 @@
|
|||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: authelia
|
||||
namespace: idp
|
||||
spec:
|
||||
encryptedData:
|
||||
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: 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
|
||||
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER: AgBZEwrilDSO36V3RIrkRwe9AZiFj0sRretYzDxq+Hu9VksVUi2nqZ/WUI2dVSYrwn+FXE5N0Tbd4zFtmiLSH0yn55pQim7I3mqJcKKh6t/3bw4uCoZ3tCl/zZv96hyD2SEGDd5FQeiairxEZm/cVFNUZbUq5uBh4nbuCx42dKIis7SjeEpqxxKF2y6y/ruykR0i/f/v2Hmcy1VwDvimI/uoKXwnrbIFaF5EK29MFIjFyeqrYn2CGBFwaOmgnGA+NXkNLUkMEbupxeFunuvaCOQLY8hyAtB55A/aLMQt/PY56xWTDIshVvFcRIximPBa+3c1wBAUBQIHLkjrciZ5fwK5SGbjAzQKWL7vnw12tgLul3SgLrGL8o/12EqsQbTyYERi0fbU45XzFkJtQLEAe6YoH7z1NVQCES2yiu1s4EBK3iHJ5EQyQ1bDHhAoSRKk5QxHP5j7b7PoMgT+QrRnLZOyvoOX0H/Dx2IX2Y2S+Cu7BzxM5QqI9zEnQFIwAj89Vveq2Ulu7eS3G09H33EFth/6gU8RzEE0ZOORT106aKRCWsOTDYJNladbfaI3vpeSj2gOvYnexixL4/N84oqfv27SlxFQT921wRo6PuovB97He1iY8u+xcXxeWki7aV4pLoMPqcWKneOelbSywFj0x5stiijgYvG31UEluhXMjrs9RYGnEyzi6YEiNuDnA/182KANFrdP/iD6pJTPpcLMl/IPEYiK2TO8OVA0tlWMaw==
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: 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
|
||||
AUTHELIA_JWT_SECRET: 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
|
||||
AUTHELIA_NOTIFIER_SMTP_PASSWORD: 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
|
||||
AUTHELIA_SESSION_SECRET: AgB9Dd/P3SeegcuIq0/jXh1LRZpijJD3q3spQjjsaUmB/rC5p/MnjG7AAePDmoMmiOlKtDu5CLHj6GHQa/eJ7attIxrC3qtthTZi63ASuxm+KtZw/kyG7OGsx/XuIueEdSkBLtzhPdN6Sno0+T1ZlVnQZ3TTwnidc/qoVEhP0NWpq/IZtkAY0AetCQrIFeJBIsM3RcqNHBq7kEwYzsoMHMYVrYwpKOXzawjj2YWVTzr91duxfrrmVBjNcheKyHWOtJhzWpCWV3QmWDvZ5J88tl5RZudFLabzzVlrw3voBteY7jSxC1DAVTxm29D4AaoVgpl31iAn6AECrRIBbWaHhHVmwc6E8LA6eyFYEQP893Szuh0Dv0f+LM6IC9IAwHd8XBBqZbI+xRtXWOTRlmcSxL+6shswWuW9d5zkl8GkUp0NWBUI/tQoHbdZvBUDProVcCtGmxEQoNG9Hr8TaI6G7zm8ES6tgAqZCSNlC/OqzCX0g6Qni52ASR8YY6JfyyGnqCssmAkx4FYXL4d2XKSeb0+4adURih1j0WGCujapYKwxG1ozyBU8cBx+tLWm1CWHNhm9m7BPvZNQ+OlZ1LHcxBXIHAUIH8CqxUozQn8kfMKPN+gX6od9vNBy5o3zSadeLZpbHdSnJpYWBTnbCbU4wfwdQzVt7WZnxZMiwKpGLQGVeJOiZMV6d13Ekmdz+t8l+1MtnW3Cm+HQBVYaQF47jJou8poq4ZS03bcnzmUhkwpD/ety4XZZvkGlPAVjyXp8sd5srKZ1bhv8CA0wRhzSX/7/
|
||||
AUTHELIA_STORAGE_ENCRYPTION_KEY: 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
|
||||
AUTHELIA_STORAGE_POSTGRES_PASSWORD: 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
|
||||
template:
|
||||
data: null
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: authelia
|
||||
namespace: idp
|
||||
type: Opaque
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: idp
|
|
@ -0,0 +1,76 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: ldapusermanager
|
||||
namespace: idp
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: ldapusermanager
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: ldapusermanager
|
||||
spec:
|
||||
containers:
|
||||
- name: ldapusermanager
|
||||
image: wheelybird/ldap-user-manager:latest
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: ldapusermanager
|
||||
- secretRef:
|
||||
name: ldapusermanager
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 80
|
||||
|
||||
---
|
||||
|
||||
kind: Service
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: ldapusermanager
|
||||
namespace: idp
|
||||
spec:
|
||||
selector:
|
||||
app: ldapusermanager
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
|
||||
---
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: ldapusermanager
|
||||
namespace: idp
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "bhasherca-k3s-issuer"
|
||||
cert-manager.io/common-name: "accounts.bhasher.com"
|
||||
nginx.ingress.kubernetes.io/auth-signin: https://idp.bhasher.com
|
||||
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Groups
|
||||
nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
|
||||
nginx.ingress.kubernetes.io/auth-url: https://idp.bhasher.com/api/verify
|
||||
nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Forwarded-Method $request_method;
|
||||
spec:
|
||||
ingressClassName: nginx
|
||||
tls:
|
||||
- hosts:
|
||||
- accounts.bhasher.com
|
||||
secretName: ldapusermanager-tls
|
||||
rules:
|
||||
- host: accounts.bhasher.com
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: ldapusermanager
|
||||
port:
|
||||
number: 80
|
|
@ -0,0 +1,31 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: ldapusermanager
|
||||
namespace: idp
|
||||
data:
|
||||
LDAP_URI: "ldap://openldap.idp.svc.cluster.local"
|
||||
LDAP_BASE_DN: "dc=bhasher,dc=com"
|
||||
LDAP_ADMIN_BIND_DN: "cn=admin,dc=bhasher,dc=com"
|
||||
LDAP_ADMINS_GROUP: "admin"
|
||||
SERVER_HOSTNAME: "accounts.bhasher.com"
|
||||
SERVER_PORT: "80"
|
||||
NO_HTTPS: "true"
|
||||
ORGANISATION_NAME: "Bhasher's Accounts"
|
||||
SITE_NAME: "Account Manager"
|
||||
SHOW_POSIX_ATTRIBUTE: "true"
|
||||
LDAP_USER_OU: "users"
|
||||
LDAP_GROUP_OU: "groups"
|
||||
LDAP_REQUIRE_STARTTLS: "false"
|
||||
LDAP_IGNORE_CERT_ERRORS: "true"
|
||||
LDAP_ACCOUNT_ATTRIBUTE: "uid"
|
||||
LDAP_GROUP_ATTRIBUTE: "cn"
|
||||
DEFAULT_USER_GROUP: "default"
|
||||
ENFORCE_SAFE_SYSTEM_NAMES: "false"
|
||||
USERNAME_FORMAT: "{first_name}.{last_name}"
|
||||
PASSWORD_HASH: "SHA512CRYPT"
|
||||
ACCEPT_WEAK_PASSWORDS: "false"
|
||||
# LDAP_GROUP_MEMBERSHIP_USES_UID: "true"
|
||||
LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES: "jpegPhoto^:Profile picture,sshpubkey^+:SSH public key"
|
||||
REMOTE_HTTP_HEADERS_LOGIN: "true"
|
||||
# FORCE_RFC2307BIS: "true"
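Review bot: `REMOTE_HTTP_HEADERS_LOGIN: "true"` appears to make the application take the signed-in identity from request headers (the Ingress forwards `Remote-User` and `Remote-Groups`), yet the `ldapusermanager` Service is a plain ClusterIP on port 80 that other pods in the cluster can reach without passing through the Ingress and its `auth-url` check. Since this application binds as `cn=admin,dc=bhasher,dc=com`, I would add a NetworkPolicy in `idp` that admits traffic to `app: ldapusermanager` only from the ingress controller. `LDAP_REQUIRE_STARTTLS: "false"` also means the admin bind password crosses the cluster network unencrypted, and `LDAP_IGNORE_CERT_ERRORS: "true"` would leave the server certificate unverified if TLS is later switched on, so set it to `"false"` at that point.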
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: ldapusermanager
|
||||
namespace: idp
|
||||
spec:
|
||||
encryptedData:
|
||||
LDAP_ADMIN_BIND_PWD: 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
|
||||
template:
|
||||
data: null
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: ldapusermanager
|
||||
namespace: idp
|
||||
type: Opaque
|
||||
|