Compare commits
14 Commits
3b4e57afcc
...
bab05add07
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
bab05add07 | ||
|
|
467365922a | ||
|
|
0815350de8 | ||
|
|
d48ebb4292 | ||
|
|
7ddaf5bda8 | ||
| 9645abef5e | |||
| 8491d2ded7 | |||
| ff1e13a5d7 | |||
| 61460e56e9 | |||
| 9d18173b3e | |||
|
|
52f999fe93 | ||
| cc83a5115a | |||
| 370c8486fa | |||
| 6e2cbeb102 |
@@ -14,6 +14,7 @@ system_wide:
|
|||||||
- job: dns_recursive
|
- job: dns_recursive
|
||||||
- job: kubelet
|
- job: kubelet
|
||||||
- job: kubernetes
|
- job: kubernetes
|
||||||
|
- job: minio-backups
|
||||||
- instance: db0.pyrocufflink.blue
|
- instance: db0.pyrocufflink.blue
|
||||||
- instance: gw1.pyrocufflink.blue
|
- instance: gw1.pyrocufflink.blue
|
||||||
- instance: vmhost0.pyrocufflink.blue
|
- instance: vmhost0.pyrocufflink.blue
|
||||||
|
|||||||
@@ -1,6 +1,19 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
kind: Kustomization
|
kind: Kustomization
|
||||||
|
|
||||||
|
transformers:
|
||||||
|
- |
|
||||||
|
apiVersion: builtin
|
||||||
|
kind: NamespaceTransformer
|
||||||
|
metadata:
|
||||||
|
name: namespace-transformer
|
||||||
|
namespace: ansible
|
||||||
|
unsetOnly: true
|
||||||
|
setRoleBindingSubjects: allServiceAccounts
|
||||||
|
fieldSpecs:
|
||||||
|
- path: metadata/namespace
|
||||||
|
create: true
|
||||||
|
|
||||||
labels:
|
labels:
|
||||||
- pairs:
|
- pairs:
|
||||||
app.kubernetes.io/instance: ansible
|
app.kubernetes.io/instance: ansible
|
||||||
@@ -9,8 +22,6 @@ labels:
|
|||||||
- pairs:
|
- pairs:
|
||||||
app.kubernetes.io/part-of: ansible
|
app.kubernetes.io/part-of: ansible
|
||||||
|
|
||||||
namespace: ansible
|
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
- ../dch-root-ca
|
- ../dch-root-ca
|
||||||
- ../ssh-host-keys
|
- ../ssh-host-keys
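Review bot: `setRoleBindingSubjects: allServiceAccounts` in the new NamespaceTransformer applies to every ServiceAccount subject the overlay renders, and it is not clear from this file whether `unsetOnly: true` also protects subjects that already carry a namespace. The RBAC manifest in this comparison has an existing subject `dch-webhooks` with `namespace: default`; if that manifest is rendered by this overlay, compare `kustomize build` output before and after to confirm the subject was not rewritten to `ansible`. The new host-provisioner bindings omit the subject namespace and depend on this transformer to be valid. Writing `namespace: ansible` on those subjects explicitly would make them valid on their own and let this option be narrowed or dropped.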
|
||||||
|
|||||||
@@ -23,3 +23,112 @@ subjects:
|
|||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: dch-webhooks
|
name: dch-webhooks
|
||||||
namespace: default
|
namespace: default
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: host-provisioner
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: host-provisioner
|
||||||
|
app.kubernetes.io/component: host-provisioner
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: host-provisioner
|
||||||
|
namespace: kube-public
|
||||||
|
annotations:
|
||||||
|
kubernetes.io/description: >-
|
||||||
|
Allows the host-provisioner to access the _cluster-info_ ConfigMap,
|
||||||
|
which it uses to get the connection details for the Kubernetes API
|
||||||
|
server, including the issuing CA certificate, to pass to `kubeadm
|
||||||
|
join` on a new worker node.
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- configmaps
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
resourceNames:
|
||||||
|
- cluster-info
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: host-provisioner
|
||||||
|
annotations:
|
||||||
|
kubernetes.io/description: >-
|
||||||
|
Allows the host-provisioner to manipulate labels, taints, etc. on
|
||||||
|
nodes it adds to the cluster.
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- nodes
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- patch
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: host-provisioner
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: host-provisioner
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: host-provisioner
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: host-provisioner
|
||||||
|
namespace: kube-system
|
||||||
|
annotations:
|
||||||
|
kubernetes.io/description: >-
|
||||||
|
Allows the host-provisioner to create bootstrap tokens in order to
|
||||||
|
add new nodes to the Kubernetes cluster.
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- secrets
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- get
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: host-provisioner
|
||||||
|
namespace: kube-public
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: host-provisioner
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: host-provisioner
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: host-provisioner
|
||||||
|
namespace: kube-system
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: host-provisioner
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: host-provisioner
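Review bot: The `host-provisioner` Role in `kube-system` grants `get` on every Secret in that namespace, because the rule has no `resourceNames`, while its description only calls for creating bootstrap tokens. If the provisioner never reads a token back, reduce the rule to `verbs: [create]`. If it does, add a comment saying why, since `get` lets the holder read any Secret in `kube-system` whose name it knows. The ClusterRole's `patch` on `nodes` is likewise unscoped and covers control-plane nodes as well as the ones the provisioner adds; the description annotation should say so.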
|
||||||
|
|||||||
@@ -123,6 +123,7 @@ identity_providers:
|
|||||||
redirect_uris:
|
redirect_uris:
|
||||||
- https://burp.pyrocufflink.blue:9090/oauth_callback
|
- https://burp.pyrocufflink.blue:9090/oauth_callback
|
||||||
- https://minio.backups.pyrocufflink.blue/oauth_callback
|
- https://minio.backups.pyrocufflink.blue/oauth_callback
|
||||||
|
claims_policy: default
|
||||||
- client_id: step-ca
|
- client_id: step-ca
|
||||||
client_name: step-ca
|
client_name: step-ca
|
||||||
public: true
|
public: true
|
||||||
|
|||||||
@@ -90,11 +90,15 @@ spec:
|
|||||||
- mountPath: /tmp
|
- mountPath: /tmp
|
||||||
name: tmp
|
name: tmp
|
||||||
subPath: tmp
|
subPath: tmp
|
||||||
|
- mountPath: /var/tmp
|
||||||
|
name: tmp
|
||||||
|
subPath: tmp
|
||||||
securityContext:
|
securityContext:
|
||||||
runAsNonRoot: true
|
runAsNonRoot: true
|
||||||
runAsUser: 1000
|
runAsUser: 1000
|
||||||
runAsGroup: 1000
|
runAsGroup: 1000
|
||||||
fsGroup: 1000
|
fsGroup: 1000
|
||||||
|
serviceAccountName: host-provisioner
|
||||||
volumes:
|
volumes:
|
||||||
- name: dch-root-ca
|
- name: dch-root-ca
|
||||||
configMap:
|
configMap:
|
||||||
|
|||||||
@@ -55,4 +55,4 @@ patches:
|
|||||||
defaultMode: 0640
|
defaultMode: 0640
|
||||||
images:
|
images:
|
||||||
- name: docker.io/fireflyiii/core
|
- name: docker.io/fireflyiii/core
|
||||||
newTag: version-6.2.19
|
newTag: version-6.2.20
|
||||||
|
|||||||
@@ -152,14 +152,18 @@ patches:
|
|||||||
|
|
||||||
images:
|
images:
|
||||||
- name: ghcr.io/home-assistant/home-assistant
|
- name: ghcr.io/home-assistant/home-assistant
|
||||||
newTag: 2025.6.3
|
newTag: 2025.7.1
|
||||||
- name: docker.io/rhasspy/wyoming-whisper
|
- name: docker.io/rhasspy/wyoming-whisper
|
||||||
newTag: 2.5.0
|
newTag: 2.5.0
|
||||||
- name: docker.io/rhasspy/wyoming-piper
|
- name: docker.io/rhasspy/wyoming-piper
|
||||||
newTag: 1.5.4
|
newTag: 1.6.2
|
||||||
- name: docker.io/koenkk/zigbee2mqtt
|
- name: ghcr.io/koenkk/zigbee2mqtt
|
||||||
newTag: 2.4.0
|
newTag: 2.4.0
|
||||||
- name: docker.io/zwavejs/zwave-js-ui
|
- name: ghcr.io/zwave-js/zwave-js-ui
|
||||||
newTag: 10.7.0
|
newTag: 10.7.0
|
||||||
- name: docker.io/library/eclipse-mosquitto
|
- name: docker.io/library/eclipse-mosquitto
|
||||||
newTag: 2.0.21
|
newTag: 2.0.22
|
||||||
|
- name: docker.io/koenkk/zigbee2mqtt
|
||||||
|
newTag: 2.5.1
|
||||||
|
- name: docker.io/zwavejs/zwave-js-ui
|
||||||
|
newTag: 10.9.0
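Review bot: The new `images:` list carries two entries each for zigbee2mqtt and zwave-js-ui: `ghcr.io/koenkk/zigbee2mqtt` at `2.4.0` next to `docker.io/koenkk/zigbee2mqtt` at `2.5.1`, and `ghcr.io/zwave-js/zwave-js-ui` at `10.7.0` next to `docker.io/zwavejs/zwave-js-ui` at `10.9.0`. The deployments in this comparison now reference the `ghcr.io` names, so, assuming nothing else still uses the `docker.io` names, the appended entries match no image and the workloads stay on the older tags. Move the new tags onto the `ghcr.io` entries and delete the `docker.io` ones, for example `- name: ghcr.io/koenkk/zigbee2mqtt` with `newTag: 2.5.1`. Because the registry changed as well, adding a `digest:` to these entries would guard against a tag resolving to different content on the new registry.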
|
||||||
|
|||||||
@@ -60,7 +60,7 @@ spec:
|
|||||||
effect: NoExecute
|
effect: NoExecute
|
||||||
containers:
|
containers:
|
||||||
- name: zigbee2mqtt
|
- name: zigbee2mqtt
|
||||||
image: docker.io/koenkk/zigbee2mqtt:1.33.1
|
image: ghcr.io/koenkk/zigbee2mqtt:1.33.1
|
||||||
envFrom:
|
envFrom:
|
||||||
- configMapRef:
|
- configMapRef:
|
||||||
name: zigbee2mqtt
|
name: zigbee2mqtt
|
||||||
|
|||||||
@@ -62,7 +62,7 @@ spec:
|
|||||||
effect: NoExecute
|
effect: NoExecute
|
||||||
containers:
|
containers:
|
||||||
- name: zwavejs2mqtt
|
- name: zwavejs2mqtt
|
||||||
image: docker.io/zwavejs/zwave-js-ui:9.1.2
|
image: ghcr.io/zwave-js/zwave-js-ui:9.1.2
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 8091
|
- containerPort: 8091
|
||||||
name: http
|
name: http
|
||||||
|
|||||||
@@ -25,13 +25,13 @@ projects:
|
|||||||
namespace: rhasspy
|
namespace: rhasspy
|
||||||
repository: wyoming-piper
|
repository: wyoming-piper
|
||||||
- name: zigbee2mqtt
|
- name: zigbee2mqtt
|
||||||
image: docker.io/koenkk/zigbee2mqtt
|
image: ghcr.io/koenkk/zigbee2mqtt
|
||||||
source:
|
source:
|
||||||
kind: github
|
kind: github
|
||||||
organization: Koenkk
|
organization: Koenkk
|
||||||
repo: zigbee2mqtt
|
repo: zigbee2mqtt
|
||||||
- name: zwavejs2mqtt
|
- name: zwavejs2mqtt
|
||||||
image: docker.io/zwavejs/zwave-js-ui
|
image: ghcr.io/zwave-js/zwave-js-ui
|
||||||
source:
|
source:
|
||||||
kind: github
|
kind: github
|
||||||
organization: zwave-js
|
organization: zwave-js
|
||||||
|
|||||||
@@ -36,7 +36,7 @@ spec:
|
|||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: alertmanager
|
- name: alertmanager
|
||||||
image: docker.io/prom/alertmanager:v0.26.0
|
image: quay.io/prometheus/alertmanager:v0.26.0
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 9093
|
- containerPort: 9093
|
||||||
name: http
|
name: http
|
||||||
|
|||||||
@@ -456,3 +456,20 @@ scrape_configs:
|
|||||||
- source_labels:
|
- source_labels:
|
||||||
- __meta_dns_name
|
- __meta_dns_name
|
||||||
target_label: instance
|
target_label: instance
|
||||||
|
|
||||||
|
- job_name: minio-backups
|
||||||
|
metrics_path: /minio/v2/metrics/cluster
|
||||||
|
scheme: https
|
||||||
|
tls_config:
|
||||||
|
ca_file: /run/dch-ca/dch-root-ca.crt
|
||||||
|
dns_sd_configs:
|
||||||
|
- names:
|
||||||
|
- s3.backups.pyrocufflink.blue
|
||||||
|
type: A
|
||||||
|
port: 443
|
||||||
|
relabel_configs:
|
||||||
|
- source_labels: [__meta_dns_name, __meta_dns_srv_record_port]
|
||||||
|
separator: ':'
|
||||||
|
target_label: __address__
|
||||||
|
- source_labels: [__address__]
|
||||||
|
target_label: instance
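Review bot: The first relabel rule of the `minio-backups` job joins `__meta_dns_name` with `__meta_dns_srv_record_port`, but the discovery uses `type: A`, and that port label is normally only populated for SRV lookups, so `__address__` may end up as `s3.backups.pyrocufflink.blue:` with no port. Building the address from the name alone is safer: `source_labels: [__meta_dns_name]` with `replacement: '$1:443'`. Separately, the job sets no `authorization` or `bearer_token_file`, which suggests the MinIO metrics endpoint is served without authentication. If that is intended, a comment saying so would help; otherwise add the token.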
|
||||||
|
|||||||
@@ -91,7 +91,7 @@ spec:
|
|||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: vmagent
|
- name: vmagent
|
||||||
image: docker.io/victoriametrics/vmagent:v1.96.0
|
image: quay.io/victoriametrics/vmagent:v1.96.0
|
||||||
args:
|
args:
|
||||||
- -envflag.enable=true
|
- -envflag.enable=true
|
||||||
- -envflag.prefix=vmagent_
|
- -envflag.prefix=vmagent_
|
||||||
|
|||||||
@@ -34,7 +34,7 @@ spec:
|
|||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: vmalert
|
- name: vmalert
|
||||||
image: docker.io/victoriametrics/vmalert:v1.96.0
|
image: quay.io/victoriametrics/vmalert:v1.96.0
|
||||||
args:
|
args:
|
||||||
- -envflag.enable=true
|
- -envflag.enable=true
|
||||||
- -envflag.prefix=vmalert_
|
- -envflag.prefix=vmalert_
|
||||||
|
|||||||
@@ -34,7 +34,7 @@ spec:
|
|||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: vminsert
|
- name: vminsert
|
||||||
image: docker.io/victoriametrics/vminsert:v1.96.0-cluster
|
image: quay.io/victoriametrics/vminsert:v1.96.0-cluster
|
||||||
args:
|
args:
|
||||||
- -envflag.enable=true
|
- -envflag.enable=true
|
||||||
- -envflag.prefix=vminsert_
|
- -envflag.prefix=vminsert_
|
||||||
|
|||||||
@@ -34,7 +34,7 @@ spec:
|
|||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: vmselect
|
- name: vmselect
|
||||||
image: docker.io/victoriametrics/vmselect:v1.96.0-cluster
|
image: quay.io/victoriametrics/vmselect:v1.96.0-cluster
|
||||||
args:
|
args:
|
||||||
- -envflag.enable=true
|
- -envflag.enable=true
|
||||||
- -envflag.prefix=vmselect_
|
- -envflag.prefix=vmselect_
|
||||||
|
|||||||
@@ -50,7 +50,7 @@ spec:
|
|||||||
weight: 1
|
weight: 1
|
||||||
containers:
|
containers:
|
||||||
- name: vmstorage
|
- name: vmstorage
|
||||||
image: docker.io/victoriametrics/vmstorage:v1.96.0-cluster
|
image: quay.io/victoriametrics/vmstorage:v1.98.0-cluster
|
||||||
args:
|
args:
|
||||||
- -envflag.enable=true
|
- -envflag.enable=true
|
||||||
- -envflag.prefix=vmstorage_
|
- -envflag.prefix=vmstorage_
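Review bot: The vmstorage image line changes the tag as well as the registry, from `v1.96.0-cluster` to `v1.98.0-cluster`, while vminsert and vmselect in this comparison stay at `v1.96.0-cluster` on quay.io. If the tag is not overridden elsewhere (for example by a kustomize `images:` entry), this leaves the cluster components on mixed versions. Either keep `quay.io/victoriametrics/vmstorage:v1.96.0-cluster` here or bump all three together in one change. The container block continues past the end of the hunk.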
|
||||||
|
|||||||