14 Commits

Author SHA1 Message Date
bot bab05add07 mosquitto: Update to 2.0.22 2025-07-12 11:32:06 +00:00
bot 467365922a zwavejs2mqtt: Update to 10.9.0 2025-07-12 11:32:06 +00:00
bot 0815350de8 zigbee2mqtt: Update to 2.5.1 2025-07-12 11:32:06 +00:00
bot d48ebb4292 piper: Update to 1.6.2 2025-07-12 11:32:06 +00:00
bot 7ddaf5bda8 home-assistant: Update to 2025.7.1 2025-07-12 11:32:05 +00:00
Dustin 9645abef5e home-assistant: Pull Zigbee/ZWave images from ghcr
Getting around Docker Hub rate limiting
2025-07-07 08:46:04 -05:00
Dustin 8491d2ded7 v-m: Switch to quay.io for container images
Docker Hub has blocked ("rate limited") my IP address.  Moving as much
as I can to use images from other sources.  Hopefully they'll unblock me
soon and I can deploy a caching proxy.
2025-07-07 08:43:20 -05:00
Dustin ff1e13a5d7 Merge remote-tracking branch 'refs/remotes/origin/master' 2025-07-07 08:43:10 -05:00
Dustin 61460e56e9 20125: Mark MinIO backups alerts as system-wide
Backups failing may not prevent services from operating correctly, but
we do want to have visibility into that.
2025-07-06 12:27:07 -05:00
Dustin 9d18173b3e Merge pull request 'firefly-iii: Update to 6.2.20' (#70) from updatebot/firefly-iii into master
Reviewed-on: #70
2025-07-05 16:08:07 +00:00
bot 52f999fe93 firefly-iii: Update to 6.2.20 2025-07-05 11:32:18 +00:00
Dustin cc83a5115a v-m/scrape: Scrape MinIO metrics 2025-07-02 10:29:53 -05:00
Dustin 370c8486fa authelia: Set claims policy for MinIO
MinIO console needs access to the *groups* scope in order to assign the
correct permissions to users as they log in.
2025-07-01 11:54:01 -05:00
Dustin 6e2cbeb102 ansible: Add service account for host-provisioner
The _k8s-worker_ Ansible role in the configuration policy now uses the
Kubernetes API to create bootstrap tokens for adding worker nodes to the
cluster.  For this to work, the pod running the host-provisioner must be
associated with a service account that has the correct permissions to
create secrets and access the `cluster-info` ConfigMap.
2025-06-30 16:16:28 -05:00
17 changed files with 165 additions and 18 deletions


@ -14,6 +14,7 @@ system_wide:
- job: dns_recursive
- job: kubelet
- job: kubernetes
- job: minio-backups
- instance: db0.pyrocufflink.blue
- instance: gw1.pyrocufflink.blue
- instance: vmhost0.pyrocufflink.blue


@ -1,6 +1,19 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- |
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: namespace-transformer
namespace: ansible
unsetOnly: true
setRoleBindingSubjects: allServiceAccounts
fieldSpecs:
- path: metadata/namespace
create: true
labels:
- pairs:
app.kubernetes.io/instance: ansible
@ -9,8 +22,6 @@ labels:
- pairs:
app.kubernetes.io/part-of: ansible
namespace: ansible
resources:
- ../dch-root-ca
- ../ssh-host-keys
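Review bot: The inline NamespaceTransformer combines `unsetOnly: true` with `setRoleBindingSubjects: allServiceAccounts`, and the RBAC file in this same change already carries a ServiceAccount subject with an explicit `namespace: default` (dch-webhooks), so it is worth confirming on the rendered output that that subject is left alone rather than rewritten to `ansible`. Whether `unsetOnly` governs the subject rewrite as well as the `fieldSpecs` is not something the manifest itself documents, so a reader cannot tell the intent from this block. A comment inside the transformer body such as `# unsetOnly keeps kube-public/kube-system Roles in place; allServiceAccounts fills the namespace on the host-provisioner binding subjects` would record why both options are set together. The `namespace: ansible` removed further down is the reason the transformer is needed, which the commit message does not mention.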


@ -23,3 +23,112 @@ subjects:
- kind: ServiceAccount
name: dch-webhooks
namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: host-provisioner
labels:
app.kubernetes.io/name: host-provisioner
app.kubernetes.io/component: host-provisioner
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: host-provisioner
namespace: kube-public
annotations:
kubernetes.io/description: >-
Allows the host-provisioner to access the _cluster-info_ ConfigMap,
which it uses to get the connection details for the Kubernetes API
server, including the issuing CA certificate, to pass to `kubeadm
join` on a new worker node.
rules:
- apiGroups:
- ''
resources:
- configmaps
verbs:
- get
resourceNames:
- cluster-info
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: host-provisioner
annotations:
kubernetes.io/description: >-
Allows the host-provisioner to manipulate labels, taints, etc. on
nodes it adds to the cluster.
rules:
- apiGroups:
- ''
resources:
- nodes
verbs:
- get
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: host-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: host-provisioner
subjects:
- kind: ServiceAccount
name: host-provisioner
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: host-provisioner
namespace: kube-system
annotations:
kubernetes.io/description: >-
Allows the host-provisioner to create bootstrap tokens in order to
add new nodes to the Kubernetes cluster.
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- create
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: host-provisioner
namespace: kube-public
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: host-provisioner
subjects:
- kind: ServiceAccount
name: host-provisioner
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: host-provisioner
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: host-provisioner
subjects:
- kind: ServiceAccount
name: host-provisioner
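Review bot: The kube-system Role grants `get` on `secrets` with no `resourceNames`, which lets the host-provisioner read any secret in kube-system by name, a far broader capability than creating bootstrap tokens, and kube-system holds high-value material. Bootstrap-token secret names are not known in advance, so `get` cannot be narrowed with `resourceNames`; if the provisioner only needs the object returned by `create`, drop `get` from that Role, and if it really must read tokens back, say so in the `kubernetes.io/description` annotation so the namespace-wide read is understood as deliberate. Separately, the ServiceAccount subjects in the ClusterRoleBinding and both RoleBindings omit `namespace`, which the API server's RBAC validation requires for ServiceAccount subjects, so these manifests only apply correctly after the kustomize NamespaceTransformer in the kustomization hunk fills it in; a one-line comment on the first subject, `# namespace is injected by the NamespaceTransformer (setRoleBindingSubjects)`, would save the next reader from chasing a validation error when applying the file directly.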


@ -123,6 +123,7 @@ identity_providers:
redirect_uris:
- https://burp.pyrocufflink.blue:9090/oauth_callback
- https://minio.backups.pyrocufflink.blue/oauth_callback
claims_policy: default
- client_id: step-ca
client_name: step-ca
public: true
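Review bot: `claims_policy: default` references a policy whose definition is not in this hunk, and the commit message says the point is to expose the groups claim to MinIO, which the policy name alone does not convey. Confirm that a `default` entry exists under the provider's `claims_policies` (outside this diff) and that `groups` is among this client's `scopes`, since Authelia rejects a client referencing an undefined policy and the groups claim is not released without the scope. A comment such as `# policy releases the groups claim; MinIO maps groups to policies at login` on this line would tie the setting to its purpose.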


@ -90,11 +90,15 @@ spec:
- mountPath: /tmp
name: tmp
subPath: tmp
- mountPath: /var/tmp
name: tmp
subPath: tmp
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
serviceAccountName: host-provisioner
volumes:
- name: dch-root-ca
configMap:


@ -55,4 +55,4 @@ patches:
defaultMode: 0640
images:
- name: docker.io/fireflyiii/core
newTag: version-6.2.19
newTag: version-6.2.20


@ -152,14 +152,18 @@ patches:
images:
- name: ghcr.io/home-assistant/home-assistant
newTag: 2025.6.3
newTag: 2025.7.1
- name: docker.io/rhasspy/wyoming-whisper
newTag: 2.5.0
- name: docker.io/rhasspy/wyoming-piper
newTag: 1.5.4
- name: docker.io/koenkk/zigbee2mqtt
newTag: 1.6.2
- name: ghcr.io/koenkk/zigbee2mqtt
newTag: 2.4.0
- name: docker.io/zwavejs/zwave-js-ui
- name: ghcr.io/zwave-js/zwave-js-ui
newTag: 10.7.0
- name: docker.io/library/eclipse-mosquitto
newTag: 2.0.21
newTag: 2.0.22
- name: docker.io/koenkk/zigbee2mqtt
newTag: 2.5.1
- name: docker.io/zwavejs/zwave-js-ui
newTag: 10.9.0
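Review bot: The new side of this `images` list appears to carry two entries for the same component: `ghcr.io/koenkk/zigbee2mqtt` at 2.4.0 and `docker.io/koenkk/zigbee2mqtt` at 2.5.1, and likewise `ghcr.io/zwave-js/zwave-js-ui` at 10.7.0 next to `docker.io/zwavejs/zwave-js-ui` at 10.9.0, which looks like the bot's bumps landing on top of the registry move rather than into it. Kustomize image overrides match on `name`, and the deployments in the other hunks now reference the `ghcr.io` images, so if that reading is right the 2.5.1 and 10.9.0 bumps never reach the pods and the two trailing `docker.io` entries are dead configuration. The fix is to fold the tags into the ghcr entries and delete the trailing pair: `- name: ghcr.io/koenkk/zigbee2mqtt` / `newTag: 2.5.1` and `- name: ghcr.io/zwave-js/zwave-js-ui` / `newTag: 10.9.0`. Whether the bot's project config (also renamed to ghcr in this change) was in effect when these commits were generated is not visible here.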


@ -60,7 +60,7 @@ spec:
effect: NoExecute
containers:
- name: zigbee2mqtt
image: docker.io/koenkk/zigbee2mqtt:1.33.1
image: ghcr.io/koenkk/zigbee2mqtt:1.33.1
envFrom:
- configMapRef:
name: zigbee2mqtt


@ -62,7 +62,7 @@ spec:
effect: NoExecute
containers:
- name: zwavejs2mqtt
image: docker.io/zwavejs/zwave-js-ui:9.1.2
image: ghcr.io/zwave-js/zwave-js-ui:9.1.2
ports:
- containerPort: 8091
name: http


@ -25,13 +25,13 @@ projects:
namespace: rhasspy
repository: wyoming-piper
- name: zigbee2mqtt
image: docker.io/koenkk/zigbee2mqtt
image: ghcr.io/koenkk/zigbee2mqtt
source:
kind: github
organization: Koenkk
repo: zigbee2mqtt
- name: zwavejs2mqtt
image: docker.io/zwavejs/zwave-js-ui
image: ghcr.io/zwave-js/zwave-js-ui
source:
kind: github
organization: zwave-js


@ -36,7 +36,7 @@ spec:
spec:
containers:
- name: alertmanager
image: docker.io/prom/alertmanager:v0.26.0
image: quay.io/prometheus/alertmanager:v0.26.0
ports:
- containerPort: 9093
name: http


@ -456,3 +456,20 @@ scrape_configs:
- source_labels:
- __meta_dns_name
target_label: instance
- job_name: minio-backups
metrics_path: /minio/v2/metrics/cluster
scheme: https
tls_config:
ca_file: /run/dch-ca/dch-root-ca.crt
dns_sd_configs:
- names:
- s3.backups.pyrocufflink.blue
type: A
port: 443
relabel_configs:
- source_labels: [__meta_dns_name, __meta_dns_srv_record_port]
separator: ':'
target_label: __address__
- source_labels: [__address__]
target_label: instance
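Review bot: The first relabel rule builds `__address__` from `__meta_dns_name` and `__meta_dns_srv_record_port`, but the discovery is `type: A`, and in Prometheus-style DNS SD the `__meta_dns_srv_record_*` labels are only populated for SRV lookups, so unless vmagent fills the port for A records the resulting address is `s3.backups.pyrocufflink.blue:` with an empty port; verify the discovered target in vmagent's targets page. If the intent is to dial by hostname so the certificate check against `ca_file` passes, the safer form is to leave the A-record `__address__` (already `<ip>:443` via `port: 443`) in place and set `server_name: s3.backups.pyrocufflink.blue` under `tls_config`; if the hostname really must be in `__address__`, use `source_labels: [__meta_dns_name]`, `regex: '(.+)'`, `replacement: '${1}:443'` instead. The second rule that sets `instance` from `__address__` is fine either way. Pinning `ca_file` to the internal root and scraping over HTTPS is the right call for metrics that expose backup-bucket details.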


@ -91,7 +91,7 @@ spec:
spec:
containers:
- name: vmagent
image: docker.io/victoriametrics/vmagent:v1.96.0
image: quay.io/victoriametrics/vmagent:v1.96.0
args:
- -envflag.enable=true
- -envflag.prefix=vmagent_


@ -34,7 +34,7 @@ spec:
spec:
containers:
- name: vmalert
image: docker.io/victoriametrics/vmalert:v1.96.0
image: quay.io/victoriametrics/vmalert:v1.96.0
args:
- -envflag.enable=true
- -envflag.prefix=vmalert_


@ -34,7 +34,7 @@ spec:
spec:
containers:
- name: vminsert
image: docker.io/victoriametrics/vminsert:v1.96.0-cluster
image: quay.io/victoriametrics/vminsert:v1.96.0-cluster
args:
- -envflag.enable=true
- -envflag.prefix=vminsert_


@ -34,7 +34,7 @@ spec:
spec:
containers:
- name: vmselect
image: docker.io/victoriametrics/vmselect:v1.96.0-cluster
image: quay.io/victoriametrics/vmselect:v1.96.0-cluster
args:
- -envflag.enable=true
- -envflag.prefix=vmselect_


@ -50,7 +50,7 @@ spec:
weight: 1
containers:
- name: vmstorage
image: docker.io/victoriametrics/vmstorage:v1.96.0-cluster
image: quay.io/victoriametrics/vmstorage:v1.98.0-cluster
args:
- -envflag.enable=true
- -envflag.prefix=vmstorage_
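Review bot: The vmstorage image line changes the tag from `v1.96.0-cluster` to `v1.98.0-cluster` as well as the registry, while the vminsert, vmselect, vmagent and vmalert hunks in this same change stay on `v1.96.0`, and the commit message describes only a registry switch. That leaves the cluster components at mixed versions; VictoriaMetrics generally tolerates this during a rolling upgrade, but as a steady state it is easy to forget, so either revert this line to `image: quay.io/victoriametrics/vmstorage:v1.96.0-cluster` or bump the other components in the same commit. If the bump is intentional, a note in the commit message or a comment on the line saying so would prevent it being "fixed" back later.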