From 1e23bac25e1263b1aadbce145cc7bb524051d579 Mon Sep 17 00:00:00 2001
From: Dennis Witt <94747795+wittdennis@users.noreply.github.com>
Date: Mon, 6 Jan 2025 07:54:43 +0100
Subject: [PATCH] chore: disable local foundry instance
---
 argo-apps/in-cluster/ddb-proxy.cd.yaml | 88 ++--
 argo-apps/in-cluster/foundry-app.cd.yaml | 102 ++---
 .../argo-workflows/backup-restore.yaml | 400 +++++++++---------
 .../argo-workflows/offsite-backup.yaml | 272 ++++++------
 .../argo-workflows/scale-workload.yaml | 104 ++---
 .../external-secrets/backup-settings.yaml | 70 +--
 .../external-secrets/test-foundryvtt.yaml | 80 ++--
 in-cluster/rbac/deployment-scaler-rb.yaml | 24 +-
 in-cluster/rbac/deployment-scaler-role.yaml | 42 +-
 in-cluster/rbac/foundry-sa-crbs.yaml | 24 +-
 in-cluster/rbac/foundry-workflows-sa.yaml | 10 +-
 in-cluster/secrets/foundry-workflows-token.yaml | 16 +-
 12 files changed, 616 insertions(+), 616 deletions(-)
diff --git a/argo-apps/in-cluster/ddb-proxy.cd.yaml b/argo-apps/in-cluster/ddb-proxy.cd.yaml
index 98639a9..1a4756d 100644
--- a/argo-apps/in-cluster/ddb-proxy.cd.yaml
+++ b/argo-apps/in-cluster/ddb-proxy.cd.yaml
@@ -1,45 +1,45 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: in-cluster-ddb-proxy-test - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - project: foundry - syncPolicy: - automated: - prune: true - destination: - name: in-cluster - namespace: foundry - source: - repoURL: https://charts.derwitt.dev - targetRevision: 1.0.1 - chart: ddb-proxy - helm: - releaseName: test - values: | +# --- +# apiVersion: argoproj.io/v1alpha1 +# kind: Application +# metadata: +# name: in-cluster-ddb-proxy-test +# finalizers: +# - resources-finalizer.argocd.argoproj.io +# spec: +# project: foundry +# syncPolicy: +# automated: +# prune: true +# destination: +# name: in-cluster +# namespace: foundry +# source: +# repoURL: https://charts.derwitt.dev +# targetRevision: 1.0.1 +# chart: ddb-proxy +# helm: +# releaseName: test +# values: | - resources: - requests: - cpu: 50m - memory: 64Mi - limits: - memory: 128Mi - ingress: - enabled: true - className: traefik - annotations: - cert-manager.io/cluster-issuer: cloudflare-cluster-issuer - traefik.ingress.kubernetes.io/router.middlewares: traefik-redirect-to-https@kubernetescrd - external-dns.alpha.kubernetes.io/target: 172.30.0.5, 2a01:4f8:c012:f0b3:ac1e::5 - hosts: - - host: ddb-proxy.home.derwitt.net - paths: - - path: / - pathType: ImplementationSpecific - tls: - - hosts: - - ddb-proxy.home.derwitt.net - secretName: ddb-proxy-ingress-tls +# resources: +# requests: +# cpu: 50m +# memory: 64Mi +# limits: +# memory: 128Mi +# ingress: +# enabled: true +# className: traefik +# annotations: +# cert-manager.io/cluster-issuer: cloudflare-cluster-issuer +# traefik.ingress.kubernetes.io/router.middlewares: traefik-redirect-to-https@kubernetescrd +# external-dns.alpha.kubernetes.io/target: 172.30.0.5, 2a01:4f8:c012:f0b3:ac1e::5 +# hosts: +# - host: ddb-proxy.home.derwitt.net +# paths: +# - path: / +# pathType: ImplementationSpecific +# tls: +# - hosts: +# - ddb-proxy.home.derwitt.net +# secretName: 
ddb-proxy-ingress-tls
diff --git a/argo-apps/in-cluster/foundry-app.cd.yaml b/argo-apps/in-cluster/foundry-app.cd.yaml
index 5c66dbc..3722b87 100644
--- a/argo-apps/in-cluster/foundry-app.cd.yaml
+++ b/argo-apps/in-cluster/foundry-app.cd.yaml
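Review bot: Commenting out these manifests removes the live objects only if whatever Argo CD application syncs `argo-apps/in-cluster/` and `in-cluster/` has pruning enabled, and that parent's sync policy is not visible in this patch. The `prune: true` shown in this hunk belongs to the child Application being disabled, not to the application that manages it. The same applies to `in-cluster/rbac/*.yaml` and `in-cluster/secrets/foundry-workflows-token.yaml`, where a leftover `kubernetes.io/service-account-token` Secret would remain a valid, non-expiring credential for `foundry-workflows`, still bound to `workload-scaler` and `workflow-executor`. After the sync it is worth confirming that the ServiceAccount, its token Secret, the Role and both RoleBindings are actually gone from the cluster.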
@@ -1,52 +1,52 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: in-cluster-foundry-test - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - project: foundry - syncPolicy: - automated: - prune: true - destination: - name: in-cluster - namespace: foundry - source: - repoURL: https://charts.derwitt.dev - targetRevision: 12.0.2 - chart: foundryvtt - helm: - releaseName: test - values: | +# --- +# apiVersion: argoproj.io/v1alpha1 +# kind: Application +# metadata: +# name: in-cluster-foundry-test +# finalizers: +# - resources-finalizer.argocd.argoproj.io +# spec: +# project: foundry +# syncPolicy: +# automated: +# prune: true +# destination: +# name: in-cluster +# namespace: foundry +# source: +# repoURL: https://charts.derwitt.dev +# targetRevision: 12.0.2 +# chart: foundryvtt +# helm: +# releaseName: test +# values: | - config: - enableTelemetry: true - existingSecret: - containsLicenseKey: true - containsAwsConfig: true - storage: - className: longhorn - resources: - requests: - cpu: 40m - memory: 512Mi - limits: - memory: 512Mi - ingress: - enabled: true - className: traefik - annotations: - cert-manager.io/cluster-issuer: cloudflare-cluster-issuer - traefik.ingress.kubernetes.io/router.middlewares: traefik-redirect-to-https@kubernetescrd - external-dns.alpha.kubernetes.io/target: 172.30.0.5, 2a01:4f8:c012:f0b3:ac1e::5 - hosts: - - host: vtt.home.derwitt.net - paths: - - path: / - pathType: ImplementationSpecific - tls: - - hosts: - - vtt.home.derwitt.net - secretName: foundry-ingress-tls +# config: +# enableTelemetry: true +# existingSecret: +# containsLicenseKey: true +# containsAwsConfig: true +# storage: +# className: longhorn +# resources: +# requests: +# cpu: 40m +# memory: 512Mi +# limits: +# memory: 512Mi +# ingress: +# enabled: true +# className: traefik +# annotations: +# cert-manager.io/cluster-issuer: cloudflare-cluster-issuer +# traefik.ingress.kubernetes.io/router.middlewares: 
traefik-redirect-to-https@kubernetescrd +# external-dns.alpha.kubernetes.io/target: 172.30.0.5, 2a01:4f8:c012:f0b3:ac1e::5 +# hosts: +# - host: vtt.home.derwitt.net +# paths: +# - path: / +# pathType: ImplementationSpecific +# tls: +# - hosts: +# - vtt.home.derwitt.net +# secretName: foundry-ingress-tls diff --git a/in-cluster/custom-resources/argo-workflows/backup-restore.yaml b/in-cluster/custom-resources/argo-workflows/backup-restore.yaml index 672a76d..94eac4f 100644 --- a/in-cluster/custom-resources/argo-workflows/backup-restore.yaml +++ b/in-cluster/custom-resources/argo-workflows/backup-restore.yaml 
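Review bot: Every line of `foundry-app.cd.yaml` is prefixed with `# ` rather than the file being deleted, and nothing in the file says why it is parked or when it can be removed. Commented-out manifests are no longer validated, so the pinned `targetRevision: 12.0.2` is likely to be stale by the time someone uncomments it. Either delete the files and rely on git history, or add a first line such as `# Disabled: local foundry instance switched off; uncomment or restore from git history to re-enable`. The same holds for the other eleven files in this patch.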
@@ -1,208 +1,208 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/argoproj/argo-workflows/main/api/jsonschema/schema.json ---- -apiVersion: argoproj.io/v1alpha1 -kind: WorkflowTemplate -metadata: - name: foundry-backup-restore -spec: - entrypoint: restore - onExit: exit-handler - serviceAccountName: foundry-workflows - artifactGC: - strategy: OnWorkflowDeletion - serviceAccountName: foundry-workflows - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumes: - - name: foundry-data - persistentVolumeClaim: - claimName: data-test-foundryvtt-0 - - name: tmp - emptyDir: {} - templates: - - name: restore - steps: - - - name: list-snapshots - template: list-snapshots - - - name: choose-snapshot - template: choose-snapshot - - - name: download-snapshot - template: download-snapshot - arguments: - parameters: - - name: snapshotId - value: "{{steps.choose-snapshot.outputs.parameters.snapshotId}}" - - - name: scale-down - arguments: - parameters: - - name: name - value: test-foundryvtt - - name: replicaCount - value: "0" - - name: type - value: statefulset - templateRef: - template: scale-workload - name: scale-workload - - - name: restore-data - template: restore-data - arguments: - artifacts: - - name: backup-archive - from: "{{steps.download-snapshot.outputs.artifacts.backup-archive}}" +# # yaml-language-server: $schema=https://raw.githubusercontent.com/argoproj/argo-workflows/main/api/jsonschema/schema.json +# --- +# apiVersion: argoproj.io/v1alpha1 +# kind: WorkflowTemplate +# metadata: +# name: foundry-backup-restore +# spec: +# entrypoint: restore +# onExit: exit-handler +# serviceAccountName: foundry-workflows +# artifactGC: +# strategy: OnWorkflowDeletion +# serviceAccountName: foundry-workflows +# securityContext: +# allowPrivilegeEscalation: false +# readOnlyRootFilesystem: true +# runAsNonRoot: true +# seccompProfile: +# type: RuntimeDefault +# 
volumes: +# - name: foundry-data +# persistentVolumeClaim: +# claimName: data-test-foundryvtt-0 +# - name: tmp +# emptyDir: {} +# templates: +# - name: restore +# steps: +# - - name: list-snapshots +# template: list-snapshots +# - - name: choose-snapshot +# template: choose-snapshot +# - - name: download-snapshot +# template: download-snapshot +# arguments: +# parameters: +# - name: snapshotId +# value: "{{steps.choose-snapshot.outputs.parameters.snapshotId}}" +# - - name: scale-down +# arguments: +# parameters: +# - name: name +# value: test-foundryvtt +# - name: replicaCount +# value: "0" +# - name: type +# value: statefulset +# templateRef: +# template: scale-workload +# name: scale-workload +# - - name: restore-data +# template: restore-data +# arguments: +# artifacts: +# - name: backup-archive +# from: "{{steps.download-snapshot.outputs.artifacts.backup-archive}}" - - name: list-snapshots - container: - image: restic/restic:0.17.3 # renovate - command: [sh, -c] - args: - - | - set -eu +# - name: list-snapshots +# container: +# image: restic/restic:0.17.3 # renovate +# command: [sh, -c] +# args: +# - | +# set -eu - restic init || true - restic snapshots - volumeMounts: - - name: tmp - mountPath: /tmp - env: - - name: AZURE_ACCOUNT_NAME - valueFrom: - secretKeyRef: - name: backup-settings - key: azure-account-name - - name: AZURE_ACCOUNT_KEY - valueFrom: - secretKeyRef: - name: backup-settings - key: azure-account-key - - name: RESTIC_PASSWORD - valueFrom: - secretKeyRef: - name: backup-settings - key: restic-password - - name: RESTIC_REPOSITORY - value: azure:foundry:/ - securityContext: - runAsUser: 100 - runAsGroup: 1000 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL +# restic init || true +# restic snapshots +# volumeMounts: +# - name: tmp +# mountPath: /tmp +# env: +# - name: AZURE_ACCOUNT_NAME +# valueFrom: +# secretKeyRef: +# name: backup-settings +# key: azure-account-name +# - name: 
AZURE_ACCOUNT_KEY +# valueFrom: +# secretKeyRef: +# name: backup-settings +# key: azure-account-key +# - name: RESTIC_PASSWORD +# valueFrom: +# secretKeyRef: +# name: backup-settings +# key: restic-password +# - name: RESTIC_REPOSITORY +# value: azure:foundry:/ +# securityContext: +# runAsUser: 100 +# runAsGroup: 1000 +# allowPrivilegeEscalation: false +# readOnlyRootFilesystem: true +# runAsNonRoot: true +# capabilities: +# drop: +# - ALL - - name: choose-snapshot - suspend: {} - inputs: - parameters: - - name: snapshotId - default: "CHANGE ME!" - description: >- - Snapshot ID to be restored. Can be retrieved from previous step - outputs: - parameters: - - name: snapshotId - valueFrom: - supplied: {} +# - name: choose-snapshot +# suspend: {} +# inputs: +# parameters: +# - name: snapshotId +# default: "CHANGE ME!" +# description: >- +# Snapshot ID to be restored. Can be retrieved from previous step +# outputs: +# parameters: +# - name: snapshotId +# valueFrom: +# supplied: {} - - name: download-snapshot - inputs: - parameters: - - name: snapshotId - outputs: - artifacts: - - name: backup-archive - path: /tmp/foundry-data.tar.xz - s3: - key: "{{workflow.name}}/foundry-data.tar.xz" - container: - image: restic/restic:0.17.3 # renovate - command: [sh, -c] - args: - - | - set -eu +# - name: download-snapshot +# inputs: +# parameters: +# - name: snapshotId +# outputs: +# artifacts: +# - name: backup-archive +# path: /tmp/foundry-data.tar.xz +# s3: +# key: "{{workflow.name}}/foundry-data.tar.xz" +# container: +# image: restic/restic:0.17.3 # renovate +# command: [sh, -c] +# args: +# - | +# set -eu - echo "Getting snapshot form restic repository" - restic init || true - restic restore {{inputs.parameters.snapshotId}} --target / --path /tmp/foundry-data.tar.xz - volumeMounts: - - name: tmp - mountPath: /tmp - env: - - name: AZURE_ACCOUNT_NAME - valueFrom: - secretKeyRef: - name: backup-settings - key: azure-account-name - - name: AZURE_ACCOUNT_KEY - valueFrom: - 
secretKeyRef: - name: backup-settings - key: azure-account-key - - name: RESTIC_PASSWORD - valueFrom: - secretKeyRef: - name: backup-settings - key: restic-password - - name: RESTIC_REPOSITORY - value: azure:foundry:/ - securityContext: - runAsUser: 100 - runAsGroup: 1000 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL +# echo "Getting snapshot form restic repository" +# restic init || true +# restic restore {{inputs.parameters.snapshotId}} --target / --path /tmp/foundry-data.tar.xz +# volumeMounts: +# - name: tmp +# mountPath: /tmp +# env: +# - name: AZURE_ACCOUNT_NAME +# valueFrom: +# secretKeyRef: +# name: backup-settings +# key: azure-account-name +# - name: AZURE_ACCOUNT_KEY +# valueFrom: +# secretKeyRef: +# name: backup-settings +# key: azure-account-key +# - name: RESTIC_PASSWORD +# valueFrom: +# secretKeyRef: +# name: backup-settings +# key: restic-password +# - name: RESTIC_REPOSITORY +# value: azure:foundry:/ +# securityContext: +# runAsUser: 100 +# runAsGroup: 1000 +# allowPrivilegeEscalation: false +# readOnlyRootFilesystem: true +# runAsNonRoot: true +# capabilities: +# drop: +# - ALL - - name: restore-data - serviceAccountName: foundry-workflows - inputs: - artifacts: - - name: backup-archive - path: /tmp/foundry-data.tar.xz - container: - image: denniswitt/tar:0.1.2 # renovate - workingDir: /tmp - command: - - sh - - -c - args: - - | - set -eux +# - name: restore-data +# serviceAccountName: foundry-workflows +# inputs: +# artifacts: +# - name: backup-archive +# path: /tmp/foundry-data.tar.xz +# container: +# image: denniswitt/tar:0.1.2 # renovate +# workingDir: /tmp +# command: +# - sh +# - -c +# args: +# - | +# set -eux - tar -C /foundry-data -Jxvf foundry-data.tar.xz --overwrite --strip-components=1 - volumeMounts: - - mountPath: /tmp - name: tmp - - mountPath: /foundry-data - name: foundry-data - securityContext: - runAsUser: 0 - runAsGroup: 0 - allowPrivilegeEscalation: false - 
readOnlyRootFilesystem: true - runAsNonRoot: false - seccompProfile: - type: RuntimeDefault +# tar -C /foundry-data -Jxvf foundry-data.tar.xz --overwrite --strip-components=1 +# volumeMounts: +# - mountPath: /tmp +# name: tmp +# - mountPath: /foundry-data +# name: foundry-data +# securityContext: +# runAsUser: 0 +# runAsGroup: 0 +# allowPrivilegeEscalation: false +# readOnlyRootFilesystem: true +# runAsNonRoot: false +# seccompProfile: +# type: RuntimeDefault - - name: exit-handler - steps: - - - name: scale-up - arguments: - parameters: - - name: name - value: test-foundryvtt - - name: replicaCount - value: "1" - - name: type - value: statefulset - templateRef: - template: scale-workload - name: scale-workload +# - name: exit-handler +# steps: +# - - name: scale-up +# arguments: +# parameters: +# - name: name +# value: test-foundryvtt +# - name: replicaCount +# value: "1" +# - name: type +# value: statefulset +# templateRef: +# template: scale-workload +# name: scale-workload diff --git a/in-cluster/custom-resources/argo-workflows/offsite-backup.yaml b/in-cluster/custom-resources/argo-workflows/offsite-backup.yaml index d217adb..e5b238e 100644 --- a/in-cluster/custom-resources/argo-workflows/offsite-backup.yaml +++ b/in-cluster/custom-resources/argo-workflows/offsite-backup.yaml 
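Review bot: The parked `download-snapshot` template still splices `{{inputs.parameters.snapshotId}}` directly into the `sh -c` script, so the value supplied at the `choose-snapshot` suspend step is parsed by the shell instead of being passed as a single argument. If this file is kept for later re-enabling, route the value through the environment: add `- name: SNAPSHOT_ID` with `value: "{{inputs.parameters.snapshotId}}"` under `env`, and call `restic restore "$SNAPSHOT_ID" --target / --path /tmp/foundry-data.tar.xz`. `scale-workload.yaml` has the same pattern in its `kubectl scale` line for `replicaCount`, `type` and `name`. Separately, `restore-data` runs with `runAsUser: 0` and `runAsNonRoot: false`; a comment stating why the tar extraction needs root would help whoever revives it.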
@@ -1,140 +1,140 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/argoproj/argo-workflows/main/api/jsonschema/schema.json ---- -apiVersion: argoproj.io/v1alpha1 -kind: WorkflowTemplate -metadata: - name: foundry-offsite-backup -spec: - entrypoint: backup - onExit: exit-handler - artifactGC: - strategy: OnWorkflowDeletion - serviceAccountName: foundry-workflows - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - volumes: - - name: foundry-data - persistentVolumeClaim: - claimName: data-test-foundryvtt-0 - - name: tmp - emptyDir: {} - templates: - - name: backup - steps: - - - name: scale-down - arguments: - parameters: - - name: name - value: test-foundryvtt - - name: replicaCount - value: "0" - - name: type - value: statefulset - templateRef: - template: scale-workload - name: scale-workload - - - name: create-backup - template: archive-data - - - name: upload-backup - template: upload-backup - arguments: - artifacts: - - name: backup-archive - from: "{{steps.create-backup.outputs.artifacts.backup-archive}}" +# # yaml-language-server: $schema=https://raw.githubusercontent.com/argoproj/argo-workflows/main/api/jsonschema/schema.json +# --- +# apiVersion: argoproj.io/v1alpha1 +# kind: WorkflowTemplate +# metadata: +# name: foundry-offsite-backup +# spec: +# entrypoint: backup +# onExit: exit-handler +# artifactGC: +# strategy: OnWorkflowDeletion +# serviceAccountName: foundry-workflows +# securityContext: +# allowPrivilegeEscalation: false +# readOnlyRootFilesystem: true +# runAsNonRoot: true +# seccompProfile: +# type: RuntimeDefault +# volumes: +# - name: foundry-data +# persistentVolumeClaim: +# claimName: data-test-foundryvtt-0 +# - name: tmp +# emptyDir: {} +# templates: +# - name: backup +# steps: +# - - name: scale-down +# arguments: +# parameters: +# - name: name +# value: test-foundryvtt +# - name: replicaCount +# value: "0" +# - name: type +# 
value: statefulset +# templateRef: +# template: scale-workload +# name: scale-workload +# - - name: create-backup +# template: archive-data +# - - name: upload-backup +# template: upload-backup +# arguments: +# artifacts: +# - name: backup-archive +# from: "{{steps.create-backup.outputs.artifacts.backup-archive}}" - - name: exit-handler - steps: - - - name: scale-up - arguments: - parameters: - - name: name - value: test-foundryvtt - - name: replicaCount - value: "1" - - name: type - value: statefulset - templateRef: - template: scale-workload - name: scale-workload +# - name: exit-handler +# steps: +# - - name: scale-up +# arguments: +# parameters: +# - name: name +# value: test-foundryvtt +# - name: replicaCount +# value: "1" +# - name: type +# value: statefulset +# templateRef: +# template: scale-workload +# name: scale-workload - - name: archive-data - serviceAccountName: foundry-workflows - outputs: - artifacts: - - name: backup-archive - path: /tmp/foundry-data.tar.xz - s3: - key: "{{workflow.name}}/foundry-data.tar.xz" - container: - image: denniswitt/tar:0.1.2 # renovate - workingDir: /tmp - command: - - sh - - -c - args: - - | - set -eux +# - name: archive-data +# serviceAccountName: foundry-workflows +# outputs: +# artifacts: +# - name: backup-archive +# path: /tmp/foundry-data.tar.xz +# s3: +# key: "{{workflow.name}}/foundry-data.tar.xz" +# container: +# image: denniswitt/tar:0.1.2 # renovate +# workingDir: /tmp +# command: +# - sh +# - -c +# args: +# - | +# set -eux - tar cfJv foundry-data.tar.xz /foundry-data/Data - du -sch foundry-data.tar.xz - volumeMounts: - - mountPath: /tmp - name: tmp - - mountPath: /foundry-data - name: foundry-data - securityContext: - runAsUser: 1000 - runAsGroup: 1000 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault +# tar cfJv foundry-data.tar.xz /foundry-data/Data +# du -sch foundry-data.tar.xz +# volumeMounts: +# - mountPath: /tmp +# name: tmp +# 
- mountPath: /foundry-data +# name: foundry-data +# securityContext: +# runAsUser: 1000 +# runAsGroup: 1000 +# allowPrivilegeEscalation: false +# readOnlyRootFilesystem: true +# runAsNonRoot: true +# seccompProfile: +# type: RuntimeDefault - - name: upload-backup - serviceAccountName: foundry-workflows - inputs: - artifacts: - - name: backup-archive - path: /tmp/foundry-data.tar.xz - container: - image: restic/restic:0.17.3 # renovate - command: [sh, -c] - args: - - | - restic init --no-cache || true - restic backup --no-cache --host foundry-data /tmp/foundry-data.tar.xz - restic forget --no-cache --keep-last 90 --prune - env: - - name: AZURE_ACCOUNT_NAME - valueFrom: - secretKeyRef: - name: backup-settings - key: azure-account-name - - name: AZURE_ACCOUNT_KEY - valueFrom: - secretKeyRef: - name: backup-settings - key: azure-account-key - - name: RESTIC_PASSWORD - valueFrom: - secretKeyRef: - name: backup-settings - key: restic-password - - name: RESTIC_REPOSITORY - value: azure:foundry:/ - volumeMounts: - - mountPath: /tmp - name: tmp - securityContext: - runAsUser: 1000 - runAsGroup: 1000 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault +# - name: upload-backup +# serviceAccountName: foundry-workflows +# inputs: +# artifacts: +# - name: backup-archive +# path: /tmp/foundry-data.tar.xz +# container: +# image: restic/restic:0.17.3 # renovate +# command: [sh, -c] +# args: +# - | +# restic init --no-cache || true +# restic backup --no-cache --host foundry-data /tmp/foundry-data.tar.xz +# restic forget --no-cache --keep-last 90 --prune +# env: +# - name: AZURE_ACCOUNT_NAME +# valueFrom: +# secretKeyRef: +# name: backup-settings +# key: azure-account-name +# - name: AZURE_ACCOUNT_KEY +# valueFrom: +# secretKeyRef: +# name: backup-settings +# key: azure-account-key +# - name: RESTIC_PASSWORD +# valueFrom: +# secretKeyRef: +# name: backup-settings +# key: restic-password +# - name: 
RESTIC_REPOSITORY +# value: azure:foundry:/ +# volumeMounts: +# - mountPath: /tmp +# name: tmp +# securityContext: +# runAsUser: 1000 +# runAsGroup: 1000 +# allowPrivilegeEscalation: false +# readOnlyRootFilesystem: true +# runAsNonRoot: true +# seccompProfile: +# type: RuntimeDefault diff --git a/in-cluster/custom-resources/argo-workflows/scale-workload.yaml b/in-cluster/custom-resources/argo-workflows/scale-workload.yaml index d69ddfb..36704a4 100644 --- a/in-cluster/custom-resources/argo-workflows/scale-workload.yaml +++ b/in-cluster/custom-resources/argo-workflows/scale-workload.yaml 
@@ -1,53 +1,53 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/argoproj/argo-workflows/main/api/jsonschema/schema.json ---- -apiVersion: argoproj.io/v1alpha1 -kind: WorkflowTemplate -metadata: - name: scale-workload -spec: - entrypoint: scale-workload - artifactGC: - strategy: OnWorkflowDeletion - serviceAccountName: foundry-workflows - podGC: - strategy: OnWorkflowSuccess - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - arguments: - parameters: - - name: replicaCount - - name: name - default: foundry - - name: type - default: statefulset - templates: - - name: scale-workload - serviceAccountName: foundry-workflows - automountServiceAccountToken: true - inputs: - parameters: - - name: replicaCount - - name: name - - name: type - container: - image: bitnami/kubectl:1.32.0 # renovate - command: - - sh - - -c - args: - - | - set -eu +# # yaml-language-server: $schema=https://raw.githubusercontent.com/argoproj/argo-workflows/main/api/jsonschema/schema.json +# --- +# apiVersion: argoproj.io/v1alpha1 +# kind: WorkflowTemplate +# metadata: +# name: scale-workload +# spec: +# entrypoint: scale-workload +# artifactGC: +# strategy: OnWorkflowDeletion +# serviceAccountName: foundry-workflows +# podGC: +# strategy: OnWorkflowSuccess +# securityContext: +# allowPrivilegeEscalation: false +# readOnlyRootFilesystem: true +# runAsNonRoot: true +# seccompProfile: +# type: RuntimeDefault +# arguments: +# parameters: +# - name: replicaCount +# - name: name +# default: foundry +# - name: type +# default: statefulset +# templates: +# - name: scale-workload +# serviceAccountName: foundry-workflows +# automountServiceAccountToken: true +# inputs: +# parameters: +# - name: replicaCount +# - name: name +# - name: type +# container: +# image: bitnami/kubectl:1.32.0 # renovate +# command: +# - sh +# - -c +# args: +# - | +# set -eu - kubectl scale 
--replicas={{inputs.parameters.replicaCount}} -n foundry {{inputs.parameters.type}}/{{inputs.parameters.name}} - securityContext: - runAsUser: 1000 - runAsGroup: 1000 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault +# kubectl scale --replicas={{inputs.parameters.replicaCount}} -n foundry {{inputs.parameters.type}}/{{inputs.parameters.name}} +# securityContext: +# runAsUser: 1000 +# runAsGroup: 1000 +# allowPrivilegeEscalation: false +# readOnlyRootFilesystem: true +# runAsNonRoot: true +# seccompProfile: +# type: RuntimeDefault diff --git a/in-cluster/custom-resources/external-secrets/backup-settings.yaml b/in-cluster/custom-resources/external-secrets/backup-settings.yaml index 92a7472..e211b21 100644 --- a/in-cluster/custom-resources/external-secrets/backup-settings.yaml +++ b/in-cluster/custom-resources/external-secrets/backup-settings.yaml 
@@ -1,35 +1,35 @@ ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: backup-settings - labels: - app.kubernetes.io/name: backup-settings - app.kubernetes.io/component: foundry - app.kubernetes.io/part-of: foundry - app.kubernetes.io/managed-by: argocd -spec: - refreshInterval: 1h - secretStoreRef: - name: vault-backend-foundry - kind: ClusterSecretStore - target: - name: backup-settings - creationPolicy: Owner - deletionPolicy: Delete - data: - - remoteRef: - conversionStrategy: Default - key: /backups/azure-blob-settings - property: azure-account-key - secretKey: azure-account-key - - remoteRef: - conversionStrategy: Default - key: /backups/azure-blob-settings - property: azure-account-name - secretKey: azure-account-name - - remoteRef: - conversionStrategy: Default - key: /backups/restic-settings - property: password - secretKey: restic-password +# --- +# apiVersion: external-secrets.io/v1beta1 +# kind: ExternalSecret +# metadata: +# name: backup-settings +# labels: +# app.kubernetes.io/name: backup-settings +# app.kubernetes.io/component: foundry +# app.kubernetes.io/part-of: foundry +# app.kubernetes.io/managed-by: argocd +# spec: +# refreshInterval: 1h +# secretStoreRef: +# name: vault-backend-foundry +# kind: ClusterSecretStore +# target: +# name: backup-settings +# creationPolicy: Owner +# deletionPolicy: Delete +# data: +# - remoteRef: +# conversionStrategy: Default +# key: /backups/azure-blob-settings +# property: azure-account-key +# secretKey: azure-account-key +# - remoteRef: +# conversionStrategy: Default +# key: /backups/azure-blob-settings +# property: azure-account-name +# secretKey: azure-account-name +# - remoteRef: +# conversionStrategy: Default +# key: /backups/restic-settings +# property: password +# secretKey: restic-password diff --git a/in-cluster/custom-resources/external-secrets/test-foundryvtt.yaml b/in-cluster/custom-resources/external-secrets/test-foundryvtt.yaml index 05ba4b1..e7fc9c1 100644 
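Review bot: Disabling this ExternalSecret affects only the in-cluster copy of the credentials; the Azure account key and restic password held behind `vault-backend-foundry` stay valid. With `creationPolicy: Owner` the generated `backup-settings` Secret is expected to be garbage-collected together with the ExternalSecret, but that again depends on the object actually being pruned. If the instance is being retired rather than paused, the upstream credentials should be rotated or revoked, and nothing in this patch records that decision; a header line such as `# Disabled: upstream values under /backups/* are still live, rotate if this stays off` would make it visible. `test-foundryvtt.yaml` (Foundry credentials, license key, `admin-key`, `aws-config`) is in the same position.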
--- a/in-cluster/custom-resources/external-secrets/test-foundryvtt.yaml +++ b/in-cluster/custom-resources/external-secrets/test-foundryvtt.yaml @@ -1,40 +1,40 @@ ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: test-foundryvtt -spec: - refreshInterval: 1h - secretStoreRef: - name: vault-backend-foundry - kind: ClusterSecretStore - target: - name: test-foundryvtt - creationPolicy: Owner - deletionPolicy: Delete - data: - - remoteRef: - conversionStrategy: Default - key: /credentials - property: username - secretKey: foundry-username - - remoteRef: - conversionStrategy: Default - key: /credentials - property: password - secretKey: foundry-password - - remoteRef: - conversionStrategy: Default - key: /license - property: foundry-license-key - secretKey: foundry-license-key - - remoteRef: - conversionStrategy: Default - key: /settings - property: admin-key - secretKey: admin-key - - remoteRef: - conversionStrategy: Default - key: /settings - property: aws-config - secretKey: awsConfig.json +# --- +# apiVersion: external-secrets.io/v1beta1 +# kind: ExternalSecret +# metadata: +# name: test-foundryvtt +# spec: +# refreshInterval: 1h +# secretStoreRef: +# name: vault-backend-foundry +# kind: ClusterSecretStore +# target: +# name: test-foundryvtt +# creationPolicy: Owner +# deletionPolicy: Delete +# data: +# - remoteRef: +# conversionStrategy: Default +# key: /credentials +# property: username +# secretKey: foundry-username +# - remoteRef: +# conversionStrategy: Default +# key: /credentials +# property: password +# secretKey: foundry-password +# - remoteRef: +# conversionStrategy: Default +# key: /license +# property: foundry-license-key +# secretKey: foundry-license-key +# - remoteRef: +# conversionStrategy: Default +# key: /settings +# property: admin-key +# secretKey: admin-key +# - remoteRef: +# conversionStrategy: Default +# key: /settings +# property: aws-config +# secretKey: awsConfig.json 
diff --git a/in-cluster/rbac/deployment-scaler-rb.yaml b/in-cluster/rbac/deployment-scaler-rb.yaml index 1405446..0645d43 100644 --- a/in-cluster/rbac/deployment-scaler-rb.yaml +++ b/in-cluster/rbac/deployment-scaler-rb.yaml @@ -1,12 +1,12 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: workload-scaler -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: workload-scaler -subjects: - - kind: ServiceAccount - name: foundry-workflows +# --- +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: RoleBinding +# metadata: +# name: workload-scaler +# roleRef: +# apiGroup: rbac.authorization.k8s.io +# kind: Role +# name: workload-scaler +# subjects: +# - kind: ServiceAccount +# name: foundry-workflows diff --git a/in-cluster/rbac/deployment-scaler-role.yaml b/in-cluster/rbac/deployment-scaler-role.yaml index d2d6aa3..acbe17b 100644 --- a/in-cluster/rbac/deployment-scaler-role.yaml +++ b/in-cluster/rbac/deployment-scaler-role.yaml @@ -1,21 +1,21 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: workload-scaler -rules: - - verbs: - - get - resources: - - deployments - - statefulsets - apiGroups: - - apps - - verbs: - - patch - - update - resources: - - deployments/scale - - statefulsets/scale - apiGroups: - - apps +# --- +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: Role +# metadata: +# name: workload-scaler +# rules: +# - verbs: +# - get +# resources: +# - deployments +# - statefulsets +# apiGroups: +# - apps +# - verbs: +# - patch +# - update +# resources: +# - deployments/scale +# - statefulsets/scale +# apiGroups: +# - apps diff --git a/in-cluster/rbac/foundry-sa-crbs.yaml b/in-cluster/rbac/foundry-sa-crbs.yaml index 8b36d91..0d3dfb0 100644 --- a/in-cluster/rbac/foundry-sa-crbs.yaml +++ b/in-cluster/rbac/foundry-sa-crbs.yaml 
@@ -1,12 +1,12 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: foundry-workflows-executor-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: workflow-executor -subjects: - - kind: ServiceAccount - name: foundry-workflows +# --- +# apiVersion: rbac.authorization.k8s.io/v1 +# kind: RoleBinding +# metadata: +# name: foundry-workflows-executor-binding +# roleRef: +# apiGroup: rbac.authorization.k8s.io +# kind: ClusterRole +# name: workflow-executor +# subjects: +# - kind: ServiceAccount +# name: foundry-workflows diff --git a/in-cluster/rbac/foundry-workflows-sa.yaml b/in-cluster/rbac/foundry-workflows-sa.yaml index 7cb4f96..b4ac544 100644 --- a/in-cluster/rbac/foundry-workflows-sa.yaml +++ b/in-cluster/rbac/foundry-workflows-sa.yaml @@ -1,5 +1,5 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: foundry-workflows +# --- +# apiVersion: v1 +# kind: ServiceAccount +# metadata: +# name: foundry-workflows diff --git a/in-cluster/secrets/foundry-workflows-token.yaml b/in-cluster/secrets/foundry-workflows-token.yaml index a97f6bf..1757405 100644 --- a/in-cluster/secrets/foundry-workflows-token.yaml +++ b/in-cluster/secrets/foundry-workflows-token.yaml @@ -1,8 +1,8 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: foundry-workflows-token - annotations: - "kubernetes.io/service-account.name": foundry-workflows -type: kubernetes.io/service-account-token +# --- +# apiVersion: v1 +# kind: Secret +# metadata: +# name: foundry-workflows-token +# annotations: +# "kubernetes.io/service-account.name": foundry-workflows +# type: kubernetes.io/service-account-token