start again, again

This commit is contained in:
Simen Røstvik 2022-12-13 16:18:52 +01:00
parent 59cf9468c6
commit 3381e7d529
10 changed files with 29 additions and 515 deletions


@ -11,29 +11,29 @@ argo-cd:
extraArgs:
- --insecure
ingress:
enabled: true
ingressClassName: traefik
annotations:
cert-manager.io/acme-challenge-type: dns01
cert-manager.io/cluster-issuer: roxedus.com-cloudflare
hosts:
- argo.roxedus.com
tls:
- hosts:
- argo.roxedus.com
secretName: argo-roxedus-com-cert
# ingress:
# enabled: true
# ingressClassName: traefik
# annotations:
# cert-manager.io/acme-challenge-type: dns01
# cert-manager.io/cluster-issuer: roxedus.com-cloudflare
# hosts:
# - argo.roxedus.com
# tls:
# - hosts:
# - argo.roxedus.com
# secretName: argo-roxedus-com-cert
config:
accounts.roxedus: apiKey, login
accounts.admin.enabled: "false"
# accounts.admin.enabled: "false"
repositories: |
- type: helm
name: argo-cd
url: https://argoproj.github.io/argo-helm
configs:
cm:
admin.enabled: false
# admin.enabled: false
url: https://argo.roxedus.com
resource.customizations.health.networking.k8s.io_Ingress: |
@ -64,19 +64,19 @@ argo-cd:
hs.message = "Waiting for certificate"
return hs
dex.config: |
# dex.config: |
connectors:
- config:
issuer: https://authentik.roxedus.com/application/o/argo/
clientID: 509095b1ecd5117c95b9a2879d1cbcd5adc0b5d9
clientSecret: $authentik-sso:oidc.auth0.clientSecret
insecureEnableGroups: true
scopes:
- openid
- profile
- email
- groups
name: authentik
type: oidc
id: authentik
# connectors:
# - config:
# issuer: https://authentik.roxedus.com/application/o/argo/
# clientID: 509095b1ecd5117c95b9a2879d1cbcd5adc0b5d9
# clientSecret: $authentik-sso:oidc.auth0.clientSecret
# insecureEnableGroups: true
# scopes:
# - openid
# - profile
# - email
# - groups
# name: authentik
# type: oidc
# id: authentik
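Review bot: Commenting out both `accounts.admin.enabled: "false"` and `configs.cm.admin.enabled: false` in the first hunk switches the built-in `admin` account back on, and the same file's second hunk comments out the entire `dex.config` block, so a local admin login (presumably with the chart-generated initial password) looks like the only way into this Argo CD instance until SSO is restored. If that is a deliberate stopgap, say so beside the lines, e.g. `# TEMP: admin re-enabled while the authentik/dex connector is out; restore admin.enabled: false and delete the initial-admin secret once SSO is back`. The surviving `accounts.roxedus: apiKey, login` line now has no OIDC-backed login behind it, so that account is only usable if a password is set for it locally — worth a comment too. The `--insecure` flag at the top of the hunk is also kept while the TLS-terminating ingress is commented out, meaning any route to the API server other than a port-forward is plaintext; if this is only for a cluster-internal rebuild, a one-line note saying so would stop it from being carried over when the ingress returns.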


@ -1,22 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: applications
namespace: argo-cd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
server: https://kubernetes.default.svc
namespace: default
project: default
source:
path: Deployments/
repoURL: https://git.roxedus.dev/Roxedus/Argo.git
targetRevision: HEAD
directory:
recurse: true
syncPolicy:
automated:
prune: true
selfHeal: true


@ -1,81 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: authentik
namespace: argo-cd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
server: https://kubernetes.default.svc
namespace: authentik
project: default
source:
chart: authentik
helm:
values: |
image:
repository: ghcr.io/goauthentik/server
tag: 2022.11.3
authentik:
error_reporting:
enabled: true
ingress:
enabled: true
ingressClassName: traefik
annotations:
cert-manager.io/acme-challenge-type: dns01
cert-manager.io/cluster-issuer: roxedus.com-cloudflare
hosts:
- host: authentik.roxedus.com
paths:
- path: "/"
pathType: Prefix
tls:
- hosts:
- authentik.roxedus.com
secretName: authentik-roxedus-com-cert
envValueFrom:
AUTHENTIK_POSTGRESQL__PASSWORD:
secretKeyRef:
key: postgresql-password
name: authentik-postgresql
AUTHENTIK_SECRET_KEY:
secretKeyRef:
key: AUTHENTIK_SECRET_KEY
name: authentik-secret
postgresql:
image:
registry: ghcr.io
repository: zcube/bitnami-compat/postgresql
tag: 11.18.0-debian-11-r39
enabled: true
# auth:
# existingSecret: authentik-postgresql
# persistence:
# enabled: true
# storageClass: longhorn
# accessModes:
# - ReadWriteOnce
redis:
enabled: true
image:
registry: ghcr.io
repository: zcube/bitnami-compat/redis
tag: 6.2.7-debian-11-r39
repoURL: https://charts.goauthentik.io
targetRevision: 2022.11.3
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true


@ -1,54 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cert-manager
namespace: argo-cd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
server: https://kubernetes.default.svc
namespace: cert-manager
project: default
source:
chart: cert-manager
helm:
values: |
prometheus:
enabled: false
extraArgs:
- --enable-certificate-owner-ref=true
- --dns01-recursive-nameservers-only
- --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
repoURL: https://charts.jetstack.io
targetRevision: 1.10.1
syncPolicy:
automated:
prune: true
selfHeal: true
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: roxedus.com-cloudflare
namespace: cert-manager
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: cloudflare-issuer-account-key
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-api-token-secret
key: CLOUDFLARE_API_KEY
# selector:
# dnsNames:
# - 'roxedus.com'
# - '*.roxedus.com'


@ -1,24 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: ci
namespace: argo-cd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
server: https://kubernetes.default.svc
namespace: ci
project: default
source:
path: CI/
repoURL: https://git.roxedus.dev/Roxedus/Argo.git
targetRevision: HEAD
directory:
recurse: true
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true


@ -1,27 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: loki
namespace: argo-cd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
server: https://kubernetes.default.svc
namespace: prometheus
project: default
source:
chart: loki-stack
helm:
values: |
test_pod: {}
repoURL: https://grafana.github.io/helm-charts
targetRevision: 2.8.7
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true


@ -1,39 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: metallb
namespace: argo-cd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
server: https://kubernetes.default.svc
namespace: metallb-system
project: default
source:
chart: metallb
repoURL: https://metallb.github.io/metallb
targetRevision: 0.13.7
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: first-pool
namespace: metallb-system
spec:
addresses:
- 10.0.2.40-10.0.2.50
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: first-pool-advertisement
namespace: metallb-system


@ -1,25 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: metrics-server
namespace: argo-cd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
server: https://kubernetes.default.svc
namespace: kube-system
project: default
source:
chart: metrics-server
helm:
values: |
args:
- --kubelet-insecure-tls
repoURL: https://kubernetes-sigs.github.io/metrics-server/
targetRevision: 3.8.2
syncPolicy:
automated:
prune: true
selfHeal: true


@ -1,69 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prometheus
namespace: argo-cd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
server: https://kubernetes.default.svc
namespace: prometheus
project: default
source:
chart: kube-prometheus-stack
helm:
values: |
namespaceOverride: prometheus
alertmanager.enabled: true
kubeApiServer.enabled: false
kubelet.enabled: false
kubeControllerManager.enabled: false
coreDns.enabled: false
kubeDns.enabled: false
kubeEtcd.enabled: false
kubeScheduler.enabled: false
kubeProxy.enabled: false
kubeStateMetrics.enabled: false
grafana:
# persistence:
# enabled: true
# storageClassName: longhorn
env:
GF_SERVER_ROOT_URL: https://%(domain)s/
GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
GF_AUTH_GENERIC_OAUTH_NAME: authentik
GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email
GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://authentik.roxedus.com/application/o/authorize/
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://authentik.roxedus.com/application/o/token/
GF_AUTH_GENERIC_OAUTH_API_URL: https://authentik.roxedus.com/application/o/userinfo/
GF_AUTH_SIGNOUT_REDIRECT_URL: https://authentik.roxedus.com/application/o/grafana/
GF_AUTH_OAUTH_AUTO_LOGIN: "true"
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
envFromSecrets:
- name: grafana-oauth
ingress:
enabled: true
ingressClassName: traefik
annotations:
cert-manager.io/acme-challenge-type: dns01
cert-manager.io/cluster-issuer: roxedus.com-cloudflare
hosts:
- grafana.roxedus.com
tls:
- hosts:
- grafana.roxedus.com
secretName: grafana-roxedus-com-cert
repoURL: https://prometheus-community.github.io/helm-charts
targetRevision: 42.2.1
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true


@ -1,145 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: traefik
namespace: argo-cd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
server: https://kubernetes.default.svc
namespace: traefik
project: default
source:
chart: traefik
helm:
values: |
image:
repository: &traefikImage library/traefik
name: *traefikImage
tag: v2.9.4
pullPolicy: IfNotPresent
experimental:
http3:
enabled: true
plugins:
enabled: false
kubernetesGateway:
enabled: false
# dnsPolicy: ClusterFirstWithHostNet
# hostNetwork: true
# nodeSelector:
# hasDns: "true"
# securityContext:
# capabilities:
# drop: [ALL]
# add: [NET_BIND_SERVICE]
# readOnlyRootFilesystem: true
# runAsGroup: 0
# runAsNonRoot: false
# runAsUser: 0
globalArguments: []
additionalArguments:
# - "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32"
- "--api.insecure=true"
- "--ping"
- "--ping.entrypoint=traefik"
envFrom:
- secretRef:
name: traefik-secrets
# persistence:
# enabled: true
# name: data
# accessMode: ReadWriteOnce
# size: 128Mi
# storageClass: "longhorn"
# path: /data
ports:
traefik:
port: 9000
expose: true
exposedPort: 9900
protocol: TCP
web:
port: 8080
exposedPort: 80
expose: true
protocol: TCP
redirectTo: websecure
websecure:
port: 4443
exposedPort: 443
expose: true
protocol: TCP
tls:
enabled: true
metrics:
port: 9102
expose: false
udp:
port: 6666
protocol: UDP
expose: true
tlsOptions:
default:
sniStrict: true
minVersion: VersionTLS12
service:
enabled: true
type: LoadBalancer
# deployment:
# initContainers:
# #The "volume-permissions" init container is required if you run into permission issues.
# #Related issue: https://github.com/traefik/traefik/issues/6825
# - name: volume-permissions
# image: busybox:1.35
# command: ["sh", "-c", "touch /data/acme.json && chmod -Rv 600 /data/* && chown 65532:65532 /data/acme.json"]
# volumeMounts:
# - name: data
# mountPath: /data
logs:
general:
level: DEBUG
providers:
kubernetesCRD:
allowCrossNamespace: true
kubernetesIngress:
publishedService:
enabled: true
ingressClass:
enabled: true
isDefaultClass: true
# certResolvers:
# cloudflare:
# email: me@roxedus.dev
# #caServer: https://acme-staging-v02.api.letsencrypt.org/directory
# dnsChallenge:
# provider: cloudflare
# resolvers:
# - "1.1.1.1:53"
# - "8.8.8.8:53"
# storage: /data/acme.json
repoURL: https://helm.traefik.io/traefik
targetRevision: 20.6.0
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true