From de8a4529f9bda9a1f287b29e862341a6b317f33c Mon Sep 17 00:00:00 2001
From: Timtor Chen
Date: Mon, 8 Apr 2024 17:03:51 +0800
Subject: [PATCH] chore(deps): upgrade common chart to v3
---
kubernetes/cloudflared/cloudflared.yaml | 115 ++---
kubernetes/kromgo/app/kromgo.yaml | 5 -
kubernetes/mydata/immich/app/immich.yaml | 411 ++++++++----------
.../mydata/immich/deps/immich-dragonfly.yaml | 110 ++---
kubernetes/mydata/navidrome/navidrome.yaml | 122 +++---
.../mydata/nextcloud/app/nextcloud.yaml | 217 ++++-----
.../nextcloud/deps/nextcloud-dragonfly.yaml | 109 ++---
kubernetes/smart-exporter/smart-exporter.yaml | 79 ++--
.../snmp-exporter-mikrotik/snmp-exporter.yaml | 117 ++---
.../unifi-controller/unifi-controller.yaml | 98 +++--
kubernetes/unpoller/unpoller.yaml | 109 +++--
kubernetes/vaultwarden/vaultwarden.yaml | 166 +++---
kubernetes/vector/vector.yaml | 78 ++--
13 files changed, 901 insertions(+), 835 deletions(-)
diff --git a/kubernetes/cloudflared/cloudflared.yaml b/kubernetes/cloudflared/cloudflared.yaml
index 11f24b7a..4afd9866 100644
--- a/kubernetes/cloudflared/cloudflared.yaml
+++ b/kubernetes/cloudflared/cloudflared.yaml
@@ -20,46 +20,80 @@ spec: kind: HelmRepository name: bjw-s chart: app-template - version: 1.5.1 + version: 3.0.4 interval: 1h maxHistory: 1 + timeout: 1m0s values: - controller: - replicas: 2 - strategy: RollingUpdate - rollingUpdate: - unavailable: 1 - image: - repository: cloudflare/cloudflared - tag: 2024.3.0 - args: - - tunnel - - --no-autoupdate - - --config - - /config/tunnel.yaml - - run + controllers: + main: + type: deployment + replicas: 2 + strategy: RollingUpdate + rollingUpdate: + unavailable: 1 + annotations: + secret.reloader.stakater.com/reload: &s cloudflared-secret + configmap.reloader.stakater.com/reload: &c cloudflared-config + pod: + automountServiceAccountToken: false + securityContext: + fsGroup: 65532 + containers: + main: + image: + repository: cloudflare/cloudflared + tag: 2024.3.0 + args: + - tunnel + - --no-autoupdate + - --config + - /config/tunnel.yaml + - run + probes: + startup: + enabled: false + readiness: + enabled: false + liveness: + enabled: true + custom: true + spec: + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + httpGet: + path: /ready + port: 2000 + securityContext: + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault serviceAccount: create: true annotations: eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-cloudflared eks.amazonaws.com/audience: sts.amazonaws.com - podAnnotations: - secret.reloader.stakater.com/reload: &s cloudflared-secret - configmap.reloader.stakater.com/reload: &c cloudflared-config persistence: config: - enabled: true type: configMap - name: cloudflared-config - mountPath: /config + name: *c + globalMounts: + - path: /config + readOnly: true ## Get the secret with `cloudflared tunnel token --cred-file credential.json` ## The tunnel token fetched on UI is generally the base64 compact version of 
credential.json secret: - enabled: true type: custom - mountPath: /secret volumeSpec: csi: driver: secrets-store.csi.k8s.io @@ -67,44 +101,19 @@ spec: volumeAttributes: secretProviderClass: *s - podSecurityContext: - fsGroup: 65532 - securityContext: - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: ["ALL"] - seccompProfile: - type: RuntimeDefault - - probes: - liveness: - enabled: true - custom: true - spec: - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - httpGet: - path: /ready - port: 2000 - service: main: - enabled: true + controller: main + primary: true ports: http: - enabled: true - protocol: TCP + primary: true port: 2000 + protocol: TCP serviceMonitor: main: - enabled: true + serviceName: cloudflared endpoints: - port: http scheme: http diff --git a/kubernetes/kromgo/app/kromgo.yaml b/kubernetes/kromgo/app/kromgo.yaml index 65d5a4c0..14e9c29e 100644 --- a/kubernetes/kromgo/app/kromgo.yaml +++ b/kubernetes/kromgo/app/kromgo.yaml @@ -57,7 +57,6 @@ spec: persistence: kromgo-config: name: *c - enabled: true type: configMap advancedMounts: main: @@ -67,19 +66,15 @@ spec: readOnly: true service: main: - enabled: true controller: main primary: true - type: ClusterIP ports: http: - enabled: true primary: true port: &p 8080 protocol: HTTP ingress: main: - enabled: true className: nginx hosts: - host: kromgo.timtor.dev diff --git a/kubernetes/mydata/immich/app/immich.yaml b/kubernetes/mydata/immich/app/immich.yaml index e0d5e4dc..c354bd6f 100644 --- a/kubernetes/mydata/immich/app/immich.yaml +++ b/kubernetes/mydata/immich/app/immich.yaml 
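Review bot: The `secret` persistence item loses its explicit `mountPath: /secret` but gains no `globalMounts`, so where the tunnel credential file lands inside the container now depends on the chart's default mount location rather than on anything stated in this file; the `config` item in the same hunk keeps its path explicit and adds `readOnly: true`, and the secret mount deserves the same treatment, e.g. `globalMounts: [{path: /secret, readOnly: true}]` (the path `/config/tunnel.yaml` references is outside the hunk, so confirm it). The same implicit default is relied on for the `secret` items in the immich, immich-dragonfly, nextcloud-dragonfly and snmp-exporter files of this commit; snmp-exporter's `--config.file=/secret/*.yml` only works if that default is `/secret`, which should be checked once against the rendered pod spec.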
@@ -1,18 +1,9 @@ --- -apiVersion: v1 -kind: ServiceAccount -metadata: - namespace: mydata - name: immich - annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-immich - eks.amazonaws.com/audience: sts.amazonaws.com ---- apiVersion: helm.toolkit.fluxcd.io/v2beta2 kind: HelmRelease metadata: namespace: mydata - name: immich-server + name: immich spec: chart: spec: 
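Review bot: The standalone `immich` ServiceAccount is deleted here while the chart is now asked to create one (`serviceAccount.create: true` with `nameOverride: immich` further down this file), which will presumably carry the same name. If the Kustomization prune of the old object and the first reconcile of the renamed HelmRelease race, Helm refuses to adopt a ServiceAccount that lacks its release metadata and the install fails until the old object is gone; the rename from `immich-server` to `immich` also means Flux performs an uninstall and a fresh install rather than an upgrade. A one-line note in the commit message, or a deliberate two-step rollout, would save the next person a confused debugging session.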
@@ -20,52 +11,177 @@ spec: kind: HelmRepository name: bjw-s chart: app-template - version: 1.5.1 + version: 3.0.4 interval: 1h maxHistory: 1 + timeout: 1m0s values: global: nameOverride: immich - podLabels: - app.kubernetes.io/component: server - controller: - strategy: RollingUpdate - image: - repository: ghcr.io/immich-app/immich-server - tag: v1.101.0 - command: ["./start.sh", "immich"] - serviceAccount: - create: false - name: immich - podAnnotations: - secret.reloader.stakater.com/reload: &s immich-secret + defaultPodOptions: + automountServiceAccountToken: false + securityContext: + fsGroup: 65534 - env: - SERVER_PORT: &port 3001 - IMMICH_MEDIA_LOCATION: &data /data - IMMICH_MACHINE_LEARNING_URL: http://immich-machine-learning:3003 - REDIS_HOSTNAME: immich-dragonfly - DB_VECTOR_EXTENSION: pgvector - DB_URL: - valueFrom: - secretKeyRef: - name: *s - key: DB_URL - REDIS_PASSWORD: - valueFrom: - secretKeyRef: - name: *s - key: REDIS_PASSWORD + controllers: + server: + type: deployment + replicas: 1 + strategy: RollingUpdate + annotations: &annotations + secret.reloader.stakater.com/reload: &s immich-secret + labels: + app.kubernetes.io/component: server + containers: + main: + image: + repository: ghcr.io/immich-app/immich-server + tag: v1.101.0 + command: ["./start.sh", "immich"] + env: + SERVER_PORT: &p1 3001 + IMMICH_MEDIA_LOCATION: &data-dir /data + IMMICH_MACHINE_LEARNING_URL: http://immich-machine-learning:3003 + REDIS_HOSTNAME: immich-dragonfly + DB_VECTOR_EXTENSION: pgvector + DB_URL: + valueFrom: + secretKeyRef: + name: *s + key: DB_URL + REDIS_PASSWORD: + valueFrom: + secretKeyRef: + name: *s + key: REDIS_PASSWORD + probes: &probes + startup: + enabled: true + readiness: + enabled: true + liveness: + enabled: true + resources: + limits: + memory: 512Mi + requests: + cpu: 50m + memory: 512Mi + securityContext: &sc + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: 
+ drop: ["ALL"] + seccompProfile: + type: RuntimeDefault + microservices: + type: deployment + replicas: 1 + strategy: RollingUpdate + annotations: *annotations + labels: + app.kubernetes.io/component: microservices + containers: + main: + image: + repository: ghcr.io/immich-app/immich-server + tag: v1.101.0 + command: ["./start.sh", "microservices"] + env: + SERVER_PORT: &p2 3002 + IMMICH_MEDIA_LOCATION: *data-dir + IMMICH_MACHINE_LEARNING_URL: http://immich-machine-learning:3003 + REVERSE_GEOCODING_DUMP_DIRECTORY: &geo-dir /geocode + REDIS_HOSTNAME: immich-dragonfly + DB_VECTOR_EXTENSION: pgvector + DB_URL: + valueFrom: + secretKeyRef: + name: *s + key: DB_URL + REDIS_PASSWORD: + valueFrom: + secretKeyRef: + name: *s + key: REDIS_PASSWORD + probes: *probes + resources: + limits: + memory: 500Mi + requests: + cpu: 100m + memory: 500Mi + securityContext: *sc + machine-learning: + type: deployment + replicas: 1 + strategy: RollingUpdate + annotations: *annotations + labels: + app.kubernetes.io/component: machine-learning + containers: + main: + image: + repository: ghcr.io/immich-app/immich-machine-learning + tag: v1.101.0 + env: + MACHINE_LEARNING_PORT: &p3 3003 + MACHINE_LEARNING_CACHE_FOLDER: &cache-dir /cache + TRANSFORMERS_CACHE: *cache-dir + probes: *probes + resources: + limits: + memory: 1Gi + requests: + cpu: 100m + memory: 1Gi + securityContext: + <<: *sc + # some python libraries need /var and /tmp + readOnlyRootFilesystem: false + + serviceAccount: + create: true + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-immich + eks.amazonaws.com/audience: sts.amazonaws.com persistence: data: - enabled: true - type: pvc - mountPath: *data + type: persistentVolumeClaim existingClaim: immich-data + advancedMounts: + server: + main: + - path: *data-dir + microservices: + main: + - path: *data-dir + geocode: + type: persistentVolumeClaim + storageClass: fs-fast-delete + accessMode: ReadWriteMany + size: 1Gi + retain: false + 
advancedMounts: + microservices: + main: + - path: *geo-dir + cache: + type: persistentVolumeClaim + storageClass: fs-fast-delete + accessMode: ReadWriteMany + size: 5Gi + retain: false + advancedMounts: + machine-learning: + main: + - path: *cache-dir secret: - enabled: true type: custom volumeSpec: csi: 
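Review bot: The `secret` CSI volume under `persistence` carries no `advancedMounts`, so — if the chart mounts unscoped items into every container, which is what the other files in this commit rely on after dropping `mountPath` — the DB/Redis credential files are now also mounted into the `machine-learning` container, which reads no key from `*s` and, per the removed `immich-machine-learning` release later in this diff, previously had no access to them. Scoping the mount to the two containers whose `env` reads the secret keeps the ML container credential-free. Separately, `<<: *sc` is the only merge key in this file; the plain `&s`/`*s` aliases already in use do not show that the whole Flux/kustomize/Helm chain expands merge keys, so confirm the rendered ML `securityContext` still contains `runAsNonRoot` and `capabilities.drop`, or spell the block out. The unifi-controller file in this same commit mounts an `emptyDir` at `/tmp` to keep `readOnlyRootFilesystem: true`; the same approach for `/tmp` and `/var` may let the ML container drop `readOnlyRootFilesystem: false`.
```yaml
      secret:
        type: custom
        # scope the CSI credential mount to the containers whose env reads it
        advancedMounts:
          server:
            main:
              - path: /secret  # the implicit default path today - confirm
                readOnly: true
          microservices:
            main:
              - path: /secret
                readOnly: true
        # ... unchanged: volumeSpec/csi ...
```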
@@ -74,196 +190,37 @@ spec: volumeAttributes: secretProviderClass: *s - probes: - liveness: - enabled: false - readiness: - enabled: false - - podSecurityContext: - fsGroup: 65534 - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: ["ALL"] - seccompProfile: - type: RuntimeDefault - service: - main: - enabled: true + server: + controller: server + primary: true ports: http: - port: *port - + port: *p1 + primary: true + protocol: HTTP + microservices: + controller: microservices + ports: + http: + port: *p2 + primary: true + protocol: HTTP + machine-learning: + controller: machine-learning + ports: + http: + port: *p3 + primary: true + protocol: HTTP ingress: main: - enabled: true - ingressClassName: nginx + className: nginx hosts: - host: photo.timtor.dev paths: - path: / pathType: Prefix ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - namespace: mydata - name: immich-microservices -spec: - chart: - spec: - sourceRef: - kind: HelmRepository - name: bjw-s - chart: app-template - version: 1.5.1 - interval: 1h - maxHistory: 1 - values: - global: - nameOverride: immich - podLabels: - app.kubernetes.io/component: microservices - controller: - strategy: RollingUpdate - image: - repository: ghcr.io/immich-app/immich-server - tag: v1.101.0 - command: ["./start.sh", "microservices"] - - serviceAccount: - create: false - name: immich - podAnnotations: - secret.reloader.stakater.com/reload: &s immich-secret - - env: - SERVER_PORT: &port 3002 - IMMICH_MEDIA_LOCATION: &media /data - IMMICH_MACHINE_LEARNING_URL: http://immich-machine-learning:3003 - REVERSE_GEOCODING_DUMP_DIRECTORY: &dump /geocode - REDIS_HOSTNAME: immich-dragonfly - DB_VECTOR_EXTENSION: pgvector - DB_URL: - valueFrom: - secretKeyRef: - name: *s - key: DB_URL - REDIS_PASSWORD: - valueFrom: - secretKeyRef: - name: *s - key: REDIS_PASSWORD - - persistence: - media: - 
enabled: true - type: pvc - mountPath: *media - existingClaim: immich-data - geocode: - enabled: true - type: pvc - mountPath: *dump - storageClass: fs-fast - accessMode: ReadWriteMany - size: 1Gi - secret: - enabled: true - type: custom - volumeSpec: - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: *s - - podSecurityContext: - fsGroup: 65534 - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: ["ALL"] - seccompProfile: - type: RuntimeDefault - - service: - main: - enabled: true - ports: - http: - port: *port - probes: - liveness: - enabled: false - readiness: - enabled: false ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - namespace: mydata - name: immich-machine-learning -spec: - chart: - spec: - sourceRef: - kind: HelmRepository - name: bjw-s - chart: app-template - version: 1.5.1 - interval: 1h - maxHistory: 1 - values: - global: - nameOverride: immich - podLabels: - app.kubernetes.io/component: machine-learning - image: - repository: ghcr.io/immich-app/immich-machine-learning - tag: v1.101.0 - env: - MACHINE_LEARNING_CACHE_FOLDER: &cache /cache - TRANSFORMERS_CACHE: *cache - persistence: - cache: - enabled: true - type: pvc - mountPath: *cache - storageClass: fs-fast - accessMode: ReadWriteMany - size: 5Gi - podSecurityContext: - fsGroup: 65534 - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - allowPrivilegeEscalation: false - # some python libraries need /var and /tmp - readOnlyRootFilesystem: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: RuntimeDefault - service: - main: - enabled: true - ports: - http: - port: 3003 - probes: - liveness: - enabled: false - readiness: - enabled: false + service: + identifier: server + port: *p1 
diff --git a/kubernetes/mydata/immich/deps/immich-dragonfly.yaml b/kubernetes/mydata/immich/deps/immich-dragonfly.yaml index 2bedb118..9ea4b995 100644 --- a/kubernetes/mydata/immich/deps/immich-dragonfly.yaml +++ b/kubernetes/mydata/immich/deps/immich-dragonfly.yaml 
@@ -11,45 +11,74 @@ spec: kind: HelmRepository name: bjw-s chart: app-template - version: 1.5.1 + version: 3.0.4 interval: 1h maxHistory: 1 + timeout: 1m0s values: - controller: - type: statefulset - replicas: 1 - image: - repository: ghcr.io/dragonflydb/dragonfly - tag: v1.6.2 - args: - # https://github.com/immich-app/immich/issues/2542 - - --default_lua_flags=allow-undeclared-keys - - --dir=/data + controllers: + main: + type: statefulset + replicas: 1 + strategy: RollingUpdate + annotations: + secret.reloader.stakater.com/reload: &s immich-dragonfly-secret + pod: + automountServiceAccountToken: false + securityContext: + fsGroup: 65534 + statefulset: + volumeClaimTemplates: + - name: data + storageClass: rbd-fast + accessMode: ReadWriteOnce + size: 1Gi + globalMounts: + - path: /data + containers: + main: + image: + repository: ghcr.io/dragonflydb/dragonfly + tag: v1.6.2 + args: + # https://github.com/immich-app/immich/issues/2542 + - --default_lua_flags=allow-undeclared-keys + - --dir=/data + env: + DFLY_PASSWORD: + valueFrom: + secretKeyRef: + name: *s + key: DFLY_PASSWORD + resources: + requests: + cpu: 100m + probes: + startup: + enabled: true + readiness: + enabled: true + liveness: + enabled: true + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault serviceAccount: create: true annotations: eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-immich-dragonfly eks.amazonaws.com/audience: sts.amazonaws.com - podAnnotations: - secret.reloader.stakater.com/reload: &s immich-dragonfly-secret - - env: - DFLY_PASSWORD: - valueFrom: - secretKeyRef: - name: *s - key: DFLY_PASSWORD - volumeClaimTemplates: - - name: data - storageClass: rbd-fast - accessMode: ReadWriteOnce - mountPath: /data - size: 1Gi persistence: secret: - enabled: true type: custom volumeSpec: csi: 
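Review bot: `readOnlyRootFilesystem: false` is carried over for the dragonfly container although the only writable location visible here is `--dir=/data`, which is the StatefulSet volume mounted at `/data`. If the image needs no other writable path, `readOnlyRootFilesystem: true` (with an `emptyDir` on `/tmp` should startup complain) would bring this container in line with the cloudflared and navidrome containers converted in this commit; the same applies to the nextcloud-dragonfly container. Worth one pod start with the stricter setting before deciding.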
@@ -58,31 +87,12 @@ spec: volumeAttributes: secretProviderClass: *s - podSecurityContext: - fsGroup: 65534 - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: RuntimeDefault - service: main: - enabled: true + controller: main + primary: true ports: - http: - enabled: false redis: - protocol: TCP + primary: true port: 6379 - - probes: - liveness: - enabled: false - readiness: - enabled: false + protocol: TCP diff --git a/kubernetes/mydata/navidrome/navidrome.yaml b/kubernetes/mydata/navidrome/navidrome.yaml index f463cd75..b649b84a 100644 --- a/kubernetes/mydata/navidrome/navidrome.yaml +++ b/kubernetes/mydata/navidrome/navidrome.yaml 
@@ -12,87 +12,101 @@ spec: namespace: mydata name: bjw-s chart: app-template - version: 1.5.1 + version: 3.0.4 interval: 1h maxHistory: 1 + timeout: 1m0s values: - image: - repository: deluan/navidrome - tag: 0.51.1 - - ## debug only - # command: ["sleep", "infinity"] - - env: - ND_MUSICFOLDER: &dir1 /data - ND_DATAFOLDER: &dir2 /db - # no such environment variable just for symmetry - ND_CACHEFOLDER: &dir3 /db/cache - ND_PORT: &p 4533 - ND_ENABLETRANSCODINGCONFIG: "true" + controllers: + main: + type: deployment + replicas: 1 + strategy: RollingUpdate + pod: + securityContext: + fsGroup: 65534 + containers: + main: + image: + repository: deluan/navidrome + tag: 0.51.1 + ## debug only + # command: ["sleep", "infinity"] + env: + ND_MUSICFOLDER: &dir1 /data + ND_DATAFOLDER: &dir2 /db + # no such environment variable just for symmetry + ND_CACHEFOLDER: &dir3 /db/cache + ND_PORT: &p 4533 + ND_ENABLETRANSCODINGCONFIG: "true" + probes: + startup: + enabled: true + liveness: + enabled: true + readiness: + enabled: true + resources: + limits: + memory: 256Mi + requests: + cpu: 10m + memory: 256Mi + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault persistence: data: - enabled: true - type: pvc - mountPath: *dir1 + type: persistentVolumeClaim existingClaim: navidrome-data + advancedMounts: + main: + main: + - path: *dir1 db: - enabled: true - type: pvc + type: persistentVolumeClaim existingClaim: navidrome-db - mountPath: *dir2 + advancedMounts: + main: + main: + - path: *dir2 cache: - enabled: true - type: pvc + type: persistentVolumeClaim storageClass: fs-fast-delete accessMode: ReadWriteOnce size: 1Gi - mountPath: *dir3 retain: true - - podSecurityContext: - fsGroup: 65534 - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: 
true - capabilities: - drop: ["ALL"] - seccompProfile: - type: RuntimeDefault - - probes: - liveness: - enabled: false - readiness: - enabled: false - - resources: - limits: - memory: 256Mi - requests: - cpu: 10m - memory: 256Mi + advancedMounts: + main: + main: + - path: *dir3 service: main: - enabled: true + controller: main + primary: true ports: http: - enabled: true + primary: true port: *p + protocol: HTTP ingress: main: - enabled: true - ingressClassName: nginx + className: nginx hosts: - host: music.timtor.dev paths: - path: / pathType: Prefix service: + identifier: main port: *p diff --git a/kubernetes/mydata/nextcloud/app/nextcloud.yaml b/kubernetes/mydata/nextcloud/app/nextcloud.yaml index dbdfa913..da07ff19 100644 --- a/kubernetes/mydata/nextcloud/app/nextcloud.yaml +++ b/kubernetes/mydata/nextcloud/app/nextcloud.yaml 
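Review bot: The new `pod` block sets only `fsGroup` and omits `automountServiceAccountToken: false`, which most other controllers converted in this commit set (cloudflared, immich via `defaultPodOptions`, nextcloud, both dragonflys, snmp-exporter, unifi-controller; smart-exporter omits it too). Navidrome declares no `serviceAccount`, so the pod receives the namespace `default` SA token for no purpose. Add `automountServiceAccountToken: false` under `pod:`.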
@@ -11,66 +11,91 @@ spec: kind: HelmRepository name: bjw-s chart: app-template - version: 1.5.1 + version: 3.0.4 interval: 1h maxHistory: 1 + timeout: 1m0s values: - controller: - replicas: 2 - strategy: RollingUpdate - rollingUpdate: - unavailable: 1 - image: - repository: nextcloud - tag: 28.0.4-apache - serviceAccount: - create: true - annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-nextcloud - eks.amazonaws.com/audience: sts.amazonaws.com - podAnnotations: - secret.reloader.stakater.com/reload: &s nextcloud-secret - configmap.reloader.stakater.com/reload: &c nextcloud-config - - env: - OVERWRITECLIURL: https://drive.timtor.dev - OVERWRITEPROTOCOL: https - NEXTCLOUD_TRUSTED_DOMAINS: &host drive.timtor.dev - NEXTCLOUD_DATA_DIR: &data /data - NEXTCLOUD_ADMIN_USER: - valueFrom: - secretKeyRef: - name: *s - key: NEXTCLOUD_ADMIN_USER - NEXTCLOUD_ADMIN_PASSWORD: - valueFrom: - secretKeyRef: - name: *s - key: NEXTCLOUD_ADMIN_PASSWORD - POSTGRES_HOST: nextcloud-postgres-rw - POSTGRES_DB: nextcloud - POSTGRES_USER: - valueFrom: - secretKeyRef: - name: *s - key: POSTGRES_USER - POSTGRES_PASSWORD: - valueFrom: - secretKeyRef: - name: *s - key: POSTGRES_PASSWORD - #! 
the underscore is intended to by pass the annoying entrypoint.sh - _REDIS_HOST: nextcloud-dragonfly - REDIS_HOST_PORT: 6379 - REDIS_HOST_PASSWORD: - valueFrom: - secretKeyRef: - name: *s - key: REDIS_HOST_PASSWORD + controllers: + main: + type: deployment + replicas: 2 + strategy: RollingUpdate + rollingUpdate: + unavailable: 1 + annotations: + secret.reloader.stakater.com/reload: &s nextcloud-secret + configmap.reloader.stakater.com/reload: &c nextcloud-config + pod: + automountServiceAccountToken: false + securityContext: + fsGroup: 33 + containers: + main: + image: + repository: nextcloud + tag: 28.0.4-apache + env: + OVERWRITECLIURL: https://drive.timtor.dev + OVERWRITEPROTOCOL: https + NEXTCLOUD_TRUSTED_DOMAINS: &host drive.timtor.dev + NEXTCLOUD_DATA_DIR: &data-dir /data + NEXTCLOUD_ADMIN_USER: + valueFrom: + secretKeyRef: + name: *s + key: NEXTCLOUD_ADMIN_USER + NEXTCLOUD_ADMIN_PASSWORD: + valueFrom: + secretKeyRef: + name: *s + key: NEXTCLOUD_ADMIN_PASSWORD + POSTGRES_HOST: nextcloud-postgres-rw + POSTGRES_DB: nextcloud + POSTGRES_USER: + valueFrom: + secretKeyRef: + name: *s + key: POSTGRES_USER + POSTGRES_PASSWORD: + valueFrom: + secretKeyRef: + name: *s + key: POSTGRES_PASSWORD + #! the underscore is intended to by pass the annoying entrypoint.sh + _REDIS_HOST: nextcloud-dragonfly + REDIS_HOST_PORT: 6379 + REDIS_HOST_PASSWORD: + valueFrom: + secretKeyRef: + name: *s + key: REDIS_HOST_PASSWORD + resources: + limits: + memory: 1Gi + requests: + cpu: 100m + memory: 1Gi + probes: + startup: + enabled: false + liveness: + enabled: false + readiness: + enabled: false + securityContext: + runAsNonRoot: true + runAsUser: 33 + runAsGroup: 33 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault persistence: secret: - enabled: true type: custom volumeSpec: csi: 
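Review bot: With `replicas: 2`, `strategy: RollingUpdate` and all three probes disabled, a new nextcloud pod is counted Ready — and added to the `main` Service endpoints — as soon as its container starts, before apache has finished the entrypoint's startup, so `rollingUpdate.unavailable: 1` gives no real protection during upgrades. Enabling at least the readiness probe (`readiness: enabled: true`, the chart's default TCP check on the primary port, or an `httpGet` on `/status.php`) closes that window. The `values` block continues past the end of this hunk.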
@@ -79,101 +104,86 @@ spec: volumeAttributes: secretProviderClass: *s apache-overwrite-port-1: - enabled: true type: configMap name: *c - mountPath: /etc/apache2/ports.conf - subPath: ports.conf items: - key: ports.conf path: ports.conf + globalMounts: + - path: /etc/apache2/ports.conf + subPath: ports.conf apache-overwrite-port-2: - enabled: true type: configMap name: *c - mountPath: /etc/apache2/sites-available/000-default.conf - subPath: 000-default.conf items: - key: 000-default.conf path: 000-default.conf + globalMounts: + - path: /etc/apache2/sites-available/000-default.conf + subPath: 000-default.conf apache-extra-config: - enabled: true type: configMap name: *c - mountPath: /etc/apache2/conf-enabled/extra.conf - subPath: extra.conf items: - key: extra.conf path: extra.conf + globalMounts: + - path: /etc/apache2/conf-enabled/extra.conf + subPath: extra.conf php-config: - enabled: true type: configMap name: *c - mountPath: /usr/local/etc/php/conf.d/php-config.ini - subPath: php-config.ini items: - key: php-config.ini path: php-config.ini + globalMounts: + - path: /usr/local/etc/php/conf.d/php-config.ini + subPath: php-config.ini nextcloud-extra-config: - enabled: true type: configMap name: *c defaultMode: 0644 - mountPath: /var/www/html/config/extra.config.php - subPath: extra.config.php items: - key: extra.config.php path: extra.config.php + globalMounts: + - path: /var/www/html/config/extra.config.php + subPath: extra.config.php install: - enabled: true - type: pvc + type: persistentVolumeClaim existingClaim: nextcloud-install - mountPath: /var/www/html + globalMounts: + - path: /var/www/html data: - enabled: true - type: pvc + type: persistentVolumeClaim existingClaim: nextcloud-data - mountPath: *data + globalMounts: + - path: *data-dir music: - enabled: true - type: pvc + type: persistentVolumeClaim existingClaim: navidrome-data - mountPath: /music - - podSecurityContext: - fsGroup: 33 - securityContext: - runAsNonRoot: true - runAsUser: 33 - runAsGroup: 
33 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: RuntimeDefault + globalMounts: + - path: /music - probes: - startup: - enabled: false - liveness: - enabled: false - readiness: - enabled: false + serviceAccount: + create: true + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-nextcloud + eks.amazonaws.com/audience: sts.amazonaws.com service: main: - enabled: true + controller: main + primary: true ports: http: - enabled: true - protocol: TCP + primary: true port: &port 8080 + protocol: HTTP ingress: main: - enabled: true - ingressClassName: nginx + className: nginx annotations: nginx.ingress.kubernetes.io/proxy-body-size: "0" hosts: @@ -182,4 +192,5 @@ spec: - path: / pathType: Prefix service: + identifier: main port: *port diff --git a/kubernetes/mydata/nextcloud/deps/nextcloud-dragonfly.yaml b/kubernetes/mydata/nextcloud/deps/nextcloud-dragonfly.yaml index 1cf06df4..5600b7d5 100644 --- a/kubernetes/mydata/nextcloud/deps/nextcloud-dragonfly.yaml +++ b/kubernetes/mydata/nextcloud/deps/nextcloud-dragonfly.yaml 
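Review bot: The `music` volume (`existingClaim: navidrome-data`, the same claim the navidrome deployment uses) is mounted read-write at `/music`; if nextcloud only serves the library, `readOnly: true` on that `globalMounts` entry keeps a misbehaving or compromised nextcloud process from altering navidrome's data. The five configMap mounts above it could carry `readOnly: true` as well, as the cloudflared config mount in this commit already does — the kubelet mounts configMaps read-only regardless, but stating it makes the intent visible in the values.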
@@ -11,43 +11,73 @@ spec: kind: HelmRepository name: bjw-s chart: app-template - version: 1.5.1 + version: 3.0.4 interval: 1h + maxHistory: 1 + timeout: 1m0s values: - controller: - type: statefulset - replicas: 1 - image: - repository: ghcr.io/dragonflydb/dragonfly - tag: v1.6.2 - args: - - --default_lua_flags=allow-undeclared-keys - - --dir=/data + controllers: + main: + type: statefulset + replicas: 1 + strategy: RollingUpdate + annotations: + secret.reloader.stakater.com/reload: &s nextcloud-dragonfly-secret + pod: + automountServiceAccountToken: false + securityContext: + fsGroup: 65534 + statefulset: + volumeClaimTemplates: + - name: data + storageClass: rbd-fast + accessMode: ReadWriteOnce + size: 1Gi + globalMounts: + - path: /data + containers: + main: + image: + repository: ghcr.io/dragonflydb/dragonfly + tag: v1.6.2 + args: + - --default_lua_flags=allow-undeclared-keys + - --dir=/data + env: + DFLY_PASSWORD: + valueFrom: + secretKeyRef: + name: *s + key: DFLY_PASSWORD + resources: + requests: + cpu: 100m + probes: + startup: + enabled: false + liveness: + enabled: false + readiness: + enabled: false + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault serviceAccount: create: true annotations: eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-nextcloud-dragonfly eks.amazonaws.com/audience: sts.amazonaws.com - podAnnotations: - secret.reloader.stakater.com/reload: &s nextcloud-dragonfly-secret - - env: - DFLY_PASSWORD: - valueFrom: - secretKeyRef: - name: *s - key: DFLY_PASSWORD - volumeClaimTemplates: - - name: data - storageClass: rbd-fast - accessMode: ReadWriteOnce - mountPath: /data - size: 1Gi persistence: secret: - enabled: true type: custom volumeSpec: csi: 
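Review bot: The three probes are explicitly disabled here, while the otherwise identical immich-dragonfly controller in this commit enables startup, readiness and liveness; without a readiness probe the `redis` Service endpoint is published before dragonfly listens on 6379. Unless there is a reason for the difference, `enabled: true` on the three probes (the chart's default TCP check on the primary port) keeps the two deployments consistent.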
@@ -56,33 +86,12 @@ spec: volumeAttributes: secretProviderClass: *s - podSecurityContext: - fsGroup: 65534 - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: RuntimeDefault - service: main: - enabled: true + controller: main + primary: true ports: - http: - enabled: false redis: + primary: true protocol: TCP port: 6379 - - probes: - startup: - enabled: false - liveness: - enabled: false - readiness: - enabled: false diff --git a/kubernetes/smart-exporter/smart-exporter.yaml b/kubernetes/smart-exporter/smart-exporter.yaml index 5320bc72..a76255d1 100644 --- a/kubernetes/smart-exporter/smart-exporter.yaml +++ b/kubernetes/smart-exporter/smart-exporter.yaml 
@@ -20,52 +20,65 @@ spec: kind: HelmRepository name: bjw-s chart: app-template - version: 1.5.1 + version: 3.0.4 interval: 1h maxHistory: 1 + timeout: 1m0s values: - controller: - type: daemonset - image: - repository: matusnovak/prometheus-smartctl - tag: v2.3.0 - env: - SMARTCTL_EXPORTER_PORT: &port 9902 - SMARTCTL_REFRESH_INTERVAL: 60 + controllers: + main: + type: daemonset + strategy: RollingUpdate + pod: + tolerations: + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule + containers: + main: + image: + repository: matusnovak/prometheus-smartctl + tag: v2.3.0 + env: + SMARTCTL_EXPORTER_PORT: &port 9902 + SMARTCTL_REFRESH_INTERVAL: 60 + probes: + startup: + enabled: true + liveness: + enabled: true + readiness: + enabled: true + resources: + limits: + memory: 64Mi + requests: + cpu: 50m + memory: 64Mi + securityContext: + privileged: true persistence: device: - enabled: true type: hostPath hostPath: /dev - mountPath: /dev - - securityContext: - privileged: true - - tolerations: - - effect: NoSchedule - operator: Exists - - resources: - limits: - memory: 64Mi - requests: - cpu: 50m - memory: 64Mi + globalMounts: + - path: /dev + readOnly: true service: main: - enabled: true + controller: main + primary: true ports: http: - enabled: true - protocol: TCP + primary: true port: *port + protocol: HTTP serviceMonitor: main: - enabled: true + serviceName: smart-exporter endpoints: - port: http scheme: http @@ -79,11 +92,3 @@ spec: - action: drop sourceLabels: [__name__] regex: ^(python|process).* - - probes: - startup: - enabled: false - liveness: - enabled: false - readiness: - enabled: false diff --git a/kubernetes/snmp-exporter-mikrotik/snmp-exporter.yaml b/kubernetes/snmp-exporter-mikrotik/snmp-exporter.yaml index 4e9c76af..2d1871fb 100644 --- a/kubernetes/snmp-exporter-mikrotik/snmp-exporter.yaml +++ b/kubernetes/snmp-exporter-mikrotik/snmp-exporter.yaml 
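Review bot: `securityContext.privileged: true` on the `main` container gives this DaemonSet full host-device and capability access on every node, while the new `readOnly: true` on the `/dev` hostPath mount only restricts the mount itself. smartctl needs raw-device ioctls rather than full privilege; if the exporter works with `capabilities: {add: [SYS_RAWIO, SYS_ADMIN]}` on a non-privileged container, that is a much smaller grant and worth a test before shipping. The narrower control-plane toleration replacing the blanket `operator: Exists` is a behaviour change unrelated to the chart upgrade and deserves a mention in the commit message.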
@@ -20,19 +20,64 @@ spec: kind: HelmRepository name: bjw-s chart: app-template - version: 1.5.1 + version: 3.0.4 interval: 1h maxHistory: 1 + timeout: 1m0s values: - controller: - replicas: 1 - strategy: RollingUpdate - image: - repository: prom/snmp-exporter - tag: v0.24.1 - args: - - --config.file=/config/*.yml - - --config.file=/secret/*.yml + controllers: + main: + type: deployment + replicas: 1 + strategy: RollingUpdate + annotations: + secret.reloader.stakater.com/reload: &s snmp-exporter-mikrotik-secret + pod: + automountServiceAccountToken: false + securityContext: + fsGroup: 65534 + initContainers: + download: + image: + repository: busybox + tag: 1.28 + command: ["sh", "-c"] + args: + - | + wget https://raw.githubusercontent.com/IgorKha/Grafana-Mikrotik/master/snmp/snmp.yml \ + -O /config/snmp.yml + securityContext: &sc + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault + containers: + main: + image: + repository: prom/snmp-exporter + tag: v0.24.1 + args: + - --config.file=/config/*.yml + - --config.file=/secret/*.yml + probes: + startup: + enabled: true + liveness: + enabled: true + readiness: + enabled: true + resources: + limits: + memory: 64Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: *sc serviceAccount: create: true @@ -40,17 +85,14 @@ spec: annotations: eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-snmp-exporter-mikrotik eks.amazonaws.com/audience: sts.amazonaws.com - podAnnotations: - secret.reloader.stakater.com/reload: &s snmp-exporter-mikrotik-secret + persistence: config: - enabled: true type: emptyDir - mountPath: /config + globalMounts: + - path: /config secret: - enabled: true type: custom - mountPath: /secret volumeSpec: csi: driver: secrets-store.csi.k8s.io 
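Review bot: The `download` init container still fetches `snmp.yml` from the `master` branch of a third-party GitHub repository at every pod start with no integrity check, and the exporter then loads it through `--config.file=/config/*.yml`, so an upstream change or compromise silently changes what this pod polls, and a GitHub outage blocks pod start. Pinning the URL to a commit SHA and verifying a checksum before writing (`sha256sum -c` against a value kept in this file) — or vendoring the file into the ConfigMap — removes the runtime dependency; `busybox` `1.28` is also a years-old tag, and a digest pin would at least make the fetcher itself immutable. The explicit `volumeMounts` on this init container were dropped (third hunk of this file) in favour of the `config` volume's `globalMounts`; confirm the rendered pod spec still mounts `/config` into the init container, otherwise `wget -O /config/snmp.yml` fails against its `readOnlyRootFilesystem: true` root.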
@@ -58,52 +100,19 @@ spec: volumeAttributes: secretProviderClass: *s - podSecurityContext: - fsGroup: 65534 - securityContext: &sc - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: ["ALL"] - seccompProfile: - type: RuntimeDefault - - initContainers: - download: - image: busybox:1.28 - securityContext: *sc - volumeMounts: - - name: config - mountPath: /config - command: ["sh", "-c"] - args: - - | - wget https://raw.githubusercontent.com/IgorKha/Grafana-Mikrotik/master/snmp/snmp.yml \ - -O /config/snmp.yml - service: main: - enabled: true + controller: main + primary: true ports: http: - enabled: true - protocol: TCP + primary: true port: 9116 - - probes: - startup: - enabled: false - liveness: - enabled: false - readiness: - enabled: false + protocol: HTTP serviceMonitor: main: - enabled: true + serviceName: snmp-exporter endpoints: - &mikrotik port: http diff --git a/kubernetes/unifi-controller/unifi-controller.yaml b/kubernetes/unifi-controller/unifi-controller.yaml index 77f9dc33..9ffd2951 100644 --- a/kubernetes/unifi-controller/unifi-controller.yaml +++ b/kubernetes/unifi-controller/unifi-controller.yaml 
@@ -20,68 +20,77 @@ spec: kind: HelmRepository name: bjw-s chart: app-template - version: 1.5.1 + version: 3.0.4 interval: 1h maxHistory: 1 + timeout: 1m0s values: - ##! Stateful application in Deployment - controller: - replicas: 1 - strategy: Recreate - image: - repository: jacobalberty/unifi - tag: v8.1 + controllers: + main: + type: deployment + replicas: 1 + strategy: RollingUpdate + pod: + automountServiceAccountToken: false + securityContext: + fsGroup: 999 + containers: + main: + image: + repository: jacobalberty/unifi + tag: v8.1 + probes: + startup: + enabled: true + readiness: + enabled: true + liveness: + enabled: true + resources: + limits: + memory: 1Gi + requests: + cpu: 50m + memory: 1Gi + securityContext: + runAsNonRoot: true + runAsUser: 999 + runAsGroup: 999 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault persistence: data: - enabled: true - type: pvc + type: persistentVolumeClaim existingClaim: unifi-controller-data - mountPath: /unifi - subPath: data + globalMounts: + - path: /unifi + subPath: data tmp: - enabled: true type: emptyDir - mountPath: /tmp - - podSecurityContext: - fsGroup: 999 - securityContext: - runAsNonRoot: true - runAsUser: 999 - runAsGroup: 999 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: ["ALL"] - seccompProfile: - type: RuntimeDefault - - probes: - startup: - enabled: false - liveness: - enabled: false - readiness: - enabled: false + globalMounts: + - path: /tmp service: main: - enabled: true + controller: main + primary: true ports: http: - enabled: false - web: - protcol: TCP + primary: true port: &web 8443 + protocol: HTTP inform: - prototol: TCP port: &inform 8080 + protocol: TCP ingress: main: - enabled: true - ingressClassName: nginx + className: nginx annotations: nginx.ingress.kubernetes.io/backend-protocol: HTTPS hosts: 
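Review bot: `strategy: RollingUpdate` replaces the previous `strategy: Recreate` on a single-replica deployment whose `/unifi` data lives on the existing claim `unifi-controller-data`; a rolling update starts the replacement pod before the old one exits, so if that claim is ReadWriteOnce the rollout hangs on the volume attach, and if it is not, two UniFi/MongoDB instances briefly run on the same data directory. The removed `##! Stateful application in Deployment` comment documented exactly this constraint. Keep `strategy: Recreate` for this controller and restore the comment so the next migration does not repeat the change.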
@@ -90,10 +99,10 @@ spec: - path: / pathType: Prefix service: + identifier: main port: *web inform: - enabled: true - ingressClassName: nginx + className: nginx annotations: nginx.ingress.kubernetes.io/ssl-redirect: "false" hosts: @@ -102,4 +111,5 @@ spec: - path: /inform pathType: Prefix service: + identifier: main port: *inform diff --git a/kubernetes/unpoller/unpoller.yaml b/kubernetes/unpoller/unpoller.yaml index 9f28509e..9116cc28 100644 --- a/kubernetes/unpoller/unpoller.yaml +++ b/kubernetes/unpoller/unpoller.yaml 
@@ -20,43 +20,79 @@ spec: kind: HelmRepository name: bjw-s chart: app-template - version: 1.5.1 + version: 3.0.4 interval: 1h maxHistory: 1 + timeout: 1m0s values: - controller: - replicas: 1 - image: - repository: ghcr.io/unpoller/unpoller - tag: v2.11.0 - command: ["unpoller", "--config", "/config/unpoller.yaml"] + controllers: + main: + type: deployment + replicas: 1 + strategy: RollingUpdate + annotations: + secret.reloader.stakater.com/reload: &s unpoller-secret + configmap.reloader.stakater.com/reload: &c unpoller-config + pod: + automountServiceAccountToken: false + securityContext: + fsGroup: 65534 + containers: + main: + image: + repository: ghcr.io/unpoller/unpoller + tag: v2.11.0 + command: ["unpoller", "--config", "/config/unpoller.yaml"] + env: + UP_UNIFI_CONTROLLER_0_USER: + valueFrom: + secretKeyRef: + name: *s + key: UP_UNIFI_CONTROLLER_0_USER + UP_UNIFI_CONTROLLER_0_PASS: + valueFrom: + secretKeyRef: + name: *s + key: UP_UNIFI_CONTROLLER_0_PASS + probes: + startup: + enabled: true + liveness: + enabled: true + readiness: + enabled: true + resources: + limits: + memory: 64Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault + serviceAccount: create: true annotations: eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-unpoller eks.amazonaws.com/audience: sts.amazonaws.com - podAnnotations: - secret.reloader.stakater.com/reload: &s unpoller-secret - configmap.reloader.stakater.com/reload: &c unpoller-config - env: - UP_UNIFI_CONTROLLER_0_USER: - valueFrom: - secretKeyRef: - name: *s - key: UP_UNIFI_CONTROLLER_0_USER - UP_UNIFI_CONTROLLER_0_PASS: - valueFrom: - secretKeyRef: - name: *s - key: UP_UNIFI_CONTROLLER_0_PASS persistence: config: enabled: true type: configMap name: *c - mountPath: /config - sync-secret: + globalMounts: + - 
path: /config + readOnly: true + secret: enabled: true type: custom volumeSpec: @@ -66,39 +102,22 @@ spec: volumeAttributes: secretProviderClass: *s - podSecurityContext: - fsGroup: 65534 - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: RuntimeDefault - service: main: enabled: true + controller: main + primary: true ports: http: enabled: true - protocol: TCP + primary: true port: 9130 - - probes: - startup: - enabled: false - liveness: - enabled: false - readiness: - enabled: false + protocol: HTTP serviceMonitor: main: enabled: true + serviceName: unpoller endpoints: - port: http scheme: http diff --git a/kubernetes/vaultwarden/vaultwarden.yaml b/kubernetes/vaultwarden/vaultwarden.yaml index c181430e..6514bac0 100644 --- a/kubernetes/vaultwarden/vaultwarden.yaml +++ b/kubernetes/vaultwarden/vaultwarden.yaml 
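Review bot: `readOnlyRootFilesystem: false` is kept in the new container securityContext while every other workload in this change sets it to `true`; unpoller reads its config from the read-only `/config` mount and its controller credentials from env, so there is no visible reason for a writable root filesystem. Set `readOnlyRootFilesystem: true` and, if the binary needs scratch space, add an emptyDir mount at `/tmp` as the unifi-controller file does. The `persistence` entries here also still carry `enabled: true`, which the other migrated files dropped — harmless, but worth aligning.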
@@ -20,65 +20,90 @@ spec: kind: HelmRepository name: bjw-s chart: app-template - version: 1.5.1 + version: 3.0.4 interval: 1h maxHistory: 1 + timeout: 1m0s values: - image: - repository: ghcr.io/dani-garcia/vaultwarden - tag: 1.30.5-alpine - - ## Debug only, uncomment - # command: ["sleep", "infinity"] - - serviceAccount: - create: true - annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-vaultwarden - eks.amazonaws.com/audience: sts.amazonaws.com - podAnnotations: - secret.reloader.stakater.com/reload: > - vaultwarden-secret, - vaultwarden-backup-secret + controllers: + main: + type: deployment + replicas: 1 + strategy: RollingUpdate + annotations: + secret.reloader.stakater.com/reload: &s vaultwarden-secret + pod: + automountServiceAccountToken: false + securityContext: + fsGroup: 65534 + containers: + main: + image: + repository: ghcr.io/dani-garcia/vaultwarden + tag: 1.30.5-alpine + ## Debug only, uncomment + # command: ["sleep", "infinity"] - ## Environment variables reference - # https://github.com/dani-garcia/vaultwarden/blob/main/.env.template - env: - DATA_FOLDER: &dir /data - ROCKET_PORT: &p 8080 - SIGNUP_ALLOWED: true - DISABLE_ADMIN_TOKEN: false - ## Push notification server - ## Generate the token on https://bitwarden.com/host/ - PUSH_ENABLED: true - PUSH_RELAY_URI: https://push.bitwarden.com - PUSH_IDENTITY_URI: https://identity.bitwarden.com - PUSH_INSTALLATION_ID: - valueFrom: - secretKeyRef: - name: &s vaultwarden-secret - key: PUSH_INSTALLATION_ID - PUSH_INSTALLATION_KEY: - valueFrom: - secretKeyRef: - name: *s - key: PUSH_INSTALLATION_KEY - ## Generate the admin token hash with command - ## `echo -n "admin-password" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4` - ADMIN_TOKEN: - valueFrom: - secretKeyRef: - name: *s - key: ADMIN_TOKEN + ## Environment variables reference + # https://github.com/dani-garcia/vaultwarden/blob/main/.env.template + env: + DATA_FOLDER: &dir /data + ROCKET_PORT: &p 8080 + 
SIGNUP_ALLOWED: true + DISABLE_ADMIN_TOKEN: false + ## Push notification server + ## Generate the token on https://bitwarden.com/host/ + PUSH_ENABLED: true + PUSH_RELAY_URI: https://push.bitwarden.com + PUSH_IDENTITY_URI: https://identity.bitwarden.com + PUSH_INSTALLATION_ID: + valueFrom: + secretKeyRef: + name: *s + key: PUSH_INSTALLATION_ID + PUSH_INSTALLATION_KEY: + valueFrom: + secretKeyRef: + name: *s + key: PUSH_INSTALLATION_KEY + ## Generate the admin token hash with command + ## `echo -n "admin-password" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4` + ADMIN_TOKEN: + valueFrom: + secretKeyRef: + name: *s + key: ADMIN_TOKEN + probes: + startup: + enabled: true + liveness: + enabled: true + readiness: + enabled: true + resources: + limits: + memory: 128Mi + requests: + cpu: 10m + memory: 128Mi + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault persistence: data: - enabled: true - type: pvc - mountPath: *dir + type: persistentVolumeClaim existingClaim: vaultwarden-data + globalMounts: + - path: *dir secret: - enabled: true type: custom volumeSpec: csi: 
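Review bot: `SIGNUP_ALLOWED: true` is carried over unchanged into the new env block, leaving account registration open on an instance that the ingress hunk later in this file publishes at `vault.timtor.dev`; unless public signup is intended, set `SIGNUP_ALLOWED: false` and onboard users via invitations or `SIGNUP_DOMAINS_WHITELIST`. The reloader annotation also shrinks from `vaultwarden-secret, vaultwarden-backup-secret` to `vaultwarden-secret` alone, so if the backup secret is still consumed by this workload, rotating it will no longer restart the pod — confirm that was intended. The `true`/`false` env values are YAML booleans rather than strings; the chart presumably stringifies them since the old file had the same form, but quoting them (`"true"`) removes the dependency on that behaviour.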
@@ -87,52 +112,35 @@ spec: volumeAttributes: secretProviderClass: *s - podSecurityContext: - fsGroup: 65534 - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: ["ALL"] - seccompProfile: - type: RuntimeDefault - - probes: - liveness: - enabled: false - readiness: - enabled: false - - resources: - limits: - memory: 128Mi - requests: - cpu: 10m - memory: 128Mi + serviceAccount: + create: true + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-vaultwarden + eks.amazonaws.com/audience: sts.amazonaws.com service: main: - enabled: true + controller: main + primary: true ports: http: - enabled: true + primary: true port: *p + protocol: HTTP ingress: main: - enabled: true - ingressClassName: nginx + className: nginx hosts: - host: vault.timtor.dev paths: - path: / pathType: Prefix service: + identifier: main port: *p - path: /notifications/hub pathType: Prefix service: + identifier: main port: *p diff --git a/kubernetes/vector/vector.yaml b/kubernetes/vector/vector.yaml index 1dbcbf7b..d82b3b8a 100644 --- a/kubernetes/vector/vector.yaml +++ b/kubernetes/vector/vector.yaml 
@@ -20,32 +20,61 @@ spec: kind: HelmRepository name: bjw-s chart: app-template - version: 1.5.1 + version: 3.0.4 interval: 1h maxHistory: 1 + timeout: 1m0s values: - controller: - replicas: 2 - strategy: RollingUpdate - image: - repository: timberio/vector - tag: 0.33.0-distroless-libc - podAnnotations: - configmap.reloader.stakater.com/reload: &config vector-config - env: - VECTOR_CONFIG_DIR: /config + controllers: + main: + type: deployment + replicas: 2 + strategy: RollingUpdate + annotations: + configmap.reloader.stakater.com/reload: &config vector-config + containers: + main: + image: + repository: timberio/vector + tag: 0.33.0-distroless-libc + env: + VECTOR_CONFIG_DIR: &config-dir /config + resources: + limits: + memory: 64Mi + requests: + cpu: 50m + memory: 64Mi + probes: + startup: + enabled: false + liveness: + enabled: false + readiness: + enabled: false + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault + persistence: config: - enabled: true type: configMap name: *config - mountPath: /config + globalMounts: + - path: *config-dir service: main: + controller: main + primary: true ports: - http: - enabled: false talos-kernel: protocol: TCP port: 3001 @@ -58,22 +87,3 @@ spec: unifi: protocol: UDP port: 5001 - - securityContext: - runAsNonRoot: true - runAsUser: 65534 - runAsGroup: 65534 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: ["ALL"] - seccompProfile: - type: RuntimeDefault - - probes: - startup: - enabled: false - liveness: - enabled: false - readiness: - enabled: false
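Review bot: The migrated vector pod is the only deployment in this change without `automountServiceAccountToken: false`, so the default service-account token is still mounted into a container that accepts network input on the `talos-kernel` and `unifi` service ports; add `pod: automountServiceAccountToken: false` under `controllers.main` as the other files do, unless the vector config in `vector-config` actually uses the in-cluster API (a `kubernetes_logs` source would, but that is not visible here). All three probes are explicitly disabled; vector can expose a health endpoint when its API is enabled, so a liveness probe could be wired to it — hedged, since the config lives in the ConfigMap, not in this file.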