infra
/
kubernetes
1
0
Fork 0
Code Pull Requests 4 Activity

Compare commits

base: infra:6d14dee751a0b7a4ee051607052a80cc6c905e10
Branches Tags
infra:updatebot/authelia
infra:updatebot/paperless-ngx
infra:updatebot/firefly-iii
infra:updatebot/home-assistant
infra:master
infra:jenkins-buildroot
infra:xactmon-doc
infra:etcd
infra:dch-webhooks-secrets
..
compare: infra:4a2fb10b374bbe78c9f8598945d5bb52df753f84
Branches Tags
infra:updatebot/authelia
infra:updatebot/paperless-ngx
infra:updatebot/firefly-iii
infra:updatebot/home-assistant
infra:master
infra:jenkins-buildroot
infra:xactmon-doc
infra:etcd
infra:dch-webhooks-secrets

20 Commits
6d14dee751 ... 4a2fb10b37

Author SHA1 Message Date
bot 4a2fb10b37 authelia: Update to 4.39.5 2025-07-26 11:32:14 +00:00
Dustin fac4b92b71 cert-manager: Drop hatch.chat certificate 
The _hatch.chat_ Matrix server has been gone for quite some time.
 2025-07-23 11:59:28 -05:00
Dustin 81f8c58816 cert-manager: Drop tabitha.biz certificate 
This site now obtains its own certificate using Apache _mod_md_.
 2025-07-23 11:41:09 -05:00
Dustin 592ff3ce9e cert-manager: Drop apps.d.x certificate 
This site now obtains its own certificate using Apache _mod_md_.
 2025-07-23 11:29:34 -05:00
Dustin 36015084c8 ansible: Allow host-provisioner to read root CA 
The Kubernetes root CA certificate is stored in a ConfigMap named
`kube-root-ca.crt` in every namespace.  The _host-provisioner_ needs to
be able to read this ConfigMap in order to prepare control plane nodes,
as it is used by HAProxy to check the health of the API servers running
on each node.
 2025-07-23 10:50:24 -05:00
Dustin 484c17c1d5 authelia: Add address, phone scopes for Jenkins 
Not sure why suddenly these need to be granted, but without them, I
cannot log in to Jenkins.
 2025-07-22 15:26:29 -05:00
Dustin e845e66262 restic: pin to 0.18.0 
Let's keep the version of `restic` used by the prune job in sync with
the latest version in Fedora.
 2025-07-21 18:58:57 -05:00
Dustin 717f9244e7 kubelet-csr-approver: Initial commit 
The [kubelet-csr-approver][0] is a controller that automatically approves
CSRs for Kublets that match certain criteria.  I've had it deployed in
the cluster for a while, but apparently never committed the resources.
These manifest files are taken from the [k8s deployment example][1] in
the upstream repository.

[0]: https://github.com/postfinance/kubelet-csr-approver
[1]: https://github.com/postfinance/kubelet-csr-approver/tree/v1.2.10/deploy/k8s
 2025-07-21 18:49:44 -05:00
Dustin da2b1e60cd autoscaler: Set imagePullPolicy: IfNotPresent 
We don't want to pull public container images that already exist.  This
creates prevents pods from starting if there is any connectivity issue
with the upstream registry.
 2025-07-21 17:17:16 -05:00
Dustin 810134e9bc authelia: Set imagePullPolicy: IfNotPresent 
We don't want to pull public container images that already exist.  This
creates prevents pods from starting if there is any connectivity issue
with the upstream registry.
 2025-07-21 17:16:32 -05:00
Dustin 7fd613ccaf ara: Set imagePullPolicy: IfNotPresent 
We don't want to pull public container images that already exist.  This
creates prevents pods from starting if there is any connectivity issue
with the upstream registry.
 2025-07-21 17:14:06 -05:00
Dustin 68c7e0d6cc argocd: Set imagePullPolicy: IfNotPresent 
We don't want to pull public container images that already exist.  This
creates prevents pods from starting if there is any connectivity issue
with the upstream registry.
 2025-07-21 15:07:01 -05:00
Dustin 5da80c6a55 ntfy: Set imagePullPolicy: IfNotPresent 
We don't want to pull public container images that already exist.  This
creates prevents pods from starting if there is any connectivity issue
with the upstream registry.
 2025-07-21 15:07:01 -05:00
Dustin 32132842be firefly-iii: Set imagePullPolicy: IfNotPresent 
We don't want to pull public container images that already exist.  This
creates prevents pods from starting if there is any connectivity issue
with the upstream registry.
 2025-07-21 15:07:01 -05:00
Dustin 0822afe0b3 kitchen: Round weather metrics 
Home Assistant has started sending the full sensor values for weather
metrics to Prometheus, even though their precision is way beyond their
accuracy.  We don't need to see 4+ decimal points for these on the
Kitchen display, so let's round the values when we query.
 2025-07-21 14:40:35 -05:00
Dustin e51878fa92 ansible: Allow h-p to update scrape-collectd CM 
The `scrape-collectd` ConfigMap in the `default` namespace is used by
Victoria Metrics to identif the hosts from which it should scrape
collectd metrics.  When deploying new machines that are _not_ part of
the Kubernetes cluster, we need to explicitly add them to this list.
The _host-provisioner_ can do this with an Ansible task, but it needs
the appropriate permissions to do so.
 2025-07-21 12:24:00 -05:00
Dustin dbbe23aaa5 cert-manager: Add role for Jenkins to access certs 
Ansible playbook running as Jenkins jobs need to be able to access the
Secret resources containing certificates issued by _cert-manager_ in
order to install them on managed nodes.  Although not all jobs do this
yet, eventually, the _cert-exporter_ will no longer be necessary, as the
_certs.git_ repository will not be used anymore.
 2025-07-21 12:24:00 -05:00
Dustin d48dabca5b Merge remote-tracking branch 'refs/remotes/origin/master' 2025-07-21 12:02:44 -05:00
Dustin 16dec1cdec ssh-host-keys: Do not specify a namespace 
We don't want to hard-code a namespace for the `ssh-known-hosts`
ConfigMap because that makes it less useful for other projects besides
Jenkins.  Instead, we omit the namespace specification and allow
consumers to specify their own.

The _jenkins_ project doesn't have a default namespace, since it
specifies resources in the `jenkins` and `jenkins-jobs` namespaces, we
need to create a sub-project to set the namespace for the
`ssh-known-hosts` ConfigMap.
 2025-07-21 11:47:39 -05:00
Dustin 093e909475 v-m/scrape: Scrape Victoria Logs 2025-07-06 15:20:16 -05:00
24 changed files with 323 additions and 77 deletions
Show Stats Expand all files Collapse all files

1
ansible/ara.yaml
View File

@ -32,6 +32,7 @@ spec:
containers:
- name: ara-api
image: quay.io/recordsansible/ara-api
imagePullPolicy: IfNotPresent
env:
- name: ARA_BASE_DIR
value: /etc/ara

36
ansible/rbac.yaml
View File

@ -54,6 +54,7 @@ rules:
- get
resourceNames:
- cluster-info
- kube-root-ca.crt
---
apiVersion: rbac.authorization.k8s.io/v1
@ -132,3 +133,38 @@ roleRef:
subjects:
- kind: ServiceAccount
name: host-provisioner
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: host-provisioner
namespace: victoria-metrics
annotations:
kubernetes.io/description: >-
Allows the host-provisioner to update the scrape-collectd
ConfigMap when adding new hosts.
rules:
- apiGroups:
- ''
resources:
- configmaps
verbs:
- patch
- get
resourceNames:
- scrape-collectd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: host-provisioner
namespace: victoria-metrics
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: host-provisioner
subjects:
- kind: ServiceAccount
name: host-provisioner

60
argocd/kustomization.yaml
View File

@ -24,6 +24,66 @@ configMapGenerator:
- policy.csv
patches:
- patch: |-
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: argocd-application-controller
spec:
template:
spec:
containers:
- name: argocd-application-controller
imagePullPolicy: IfNotPresent
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: argocd-notifications-controller
spec:
template:
spec:
containers:
- name: argocd-notifications-controller
imagePullPolicy: IfNotPresent
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: argocd-redis
spec:
template:
spec:
containers:
- name: redis
imagePullPolicy: IfNotPresent
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: argocd-repo-server
spec:
template:
spec:
containers:
- name: argocd-repo-server
imagePullPolicy: IfNotPresent
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: argocd-server
spec:
template:
spec:
containers:
- name: argocd-server
imagePullPolicy: IfNotPresent
- patch: |-
$patch: delete
apiVersion: apiextensions.k8s.io/v1

2
authelia/configuration.yml
View File

@ -104,6 +104,8 @@ identity_providers:
- profile
- email
- offline_access
- address
- phone
authorization_policy: one_factor
pre_configured_consent_duration: 8h
token_endpoint_auth_method: client_secret_post

1
authelia/kustomization.yaml
View File

@ -37,6 +37,7 @@ patches:
spec:
containers:
- name: authelia
imagePullPolicy: IfNotPresent
env:
- name: AUTHELIA_STORAGE_POSTGRES_TLS_CERTIFICATE_CHAIN_FILE
value: /run/authelia/certs/postgresql/tls.crt

1
autoscaler/kustomization.yaml
View File

@ -22,6 +22,7 @@ patches:
spec:
containers:
- name: cluster-autoscaler
imagePullPolicy: IfNotPresent
command:
- ./cluster-autoscaler
- --v=4

15
cert-manager/cert-exporter.config.yml
View File

@ -9,16 +9,6 @@ certs:
namespace: default
key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
cert: acme.sh/dustin.hatch.name/fullchain.cer
- name: hatchchat-cert
namespace: default
key: certificates/hatch.chat.key
cert: certificates/hatch.chat.crt
bundle: certificates/hatch.chat.pem
- name: tabitha-cert
namespace: default
key: certificates/tabitha.biz.key
cert: certificates/tabitha.biz.crt
bundle: certificates/tabitha.biz.pem
- name: chmod777-cert
namespace: default
key: certificates/chmod777.sh.key
@ -34,8 +24,3 @@ certs:
key: certificates/hatchlearningcenter.org.key
cert: certificates/hatchlearningcenter.org.crt
bundle: certificates/hatchlearningcenter.org.pem
- name: appsxyz-cert
namespace: default
key: certificates/apps.du5t1n.xyz.key
cert: certificates/apps.du5t1n.xyz.crt
bundle: certificates/apps.du5t1n.xyz.pem

3
cert-manager/cert-exporter.yaml
View File

@ -19,12 +19,9 @@ rules:
resourceNames:
- pyrocufflink-cert
- dustinhatchname-cert
- hatchchat-cert
- tabitha-cert
- chmod777-cert
- dustinandtabitha-cert
- hlc-cert
- appsxyz-cert
---
apiVersion: rbac.authorization.k8s.io/v1

53
cert-manager/certificates.yaml
View File

@ -35,42 +35,6 @@ spec:
algorithm: ECDSA
rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: hatchchat-cert
spec:
secretName: hatchchat-cert
dnsNames:
- hatch.chat
- '*.hatch.chat'
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: zerossl
privateKey:
algorithm: ECDSA
rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: tabitha-cert
spec:
secretName: tabitha-cert
dnsNames:
- tabitha.biz
- '*.tabitha.biz'
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: zerossl
privateKey:
algorithm: ECDSA
rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate
@ -136,20 +100,3 @@ spec:
privateKey:
algorithm: ECDSA
rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: appsxyz-cert
spec:
secretName: appsxyz-cert
dnsNames:
- apps.du5t1n.xyz
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: zerossl
privateKey:
algorithm: ECDSA
rotationPolicy: Always

31
cert-manager/jenkins.yaml Normal file
View File

@ -0,0 +1,31 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: jenkins
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
resourceNames:
- pyrocufflink-cert
- dustinhatchname-cert
- chmod777-cert
- dustinandtabitha-cert
- hlc-cert
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: jenkins
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: jenkins
subjects:
- kind: ServiceAccount
name: default
namespace: jenkins-jobs

1
cert-manager/kustomization.yaml
View File

@ -8,6 +8,7 @@ resources:
- cert-exporter.yaml
- dch-ca-issuer.yaml
- secrets.yaml
- jenkins.yaml
configMapGenerator:
- name: cert-exporter

2
firefly-iii/firefly-iii.yaml
View File

@ -66,6 +66,7 @@ spec:
containers:
- name: firefly-iii
image: docker.io/fireflyiii/core:version-6.0.19
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: firefly-iii
@ -127,6 +128,7 @@ spec:
spec:
containers:
- image: docker.io/library/busybox
imagePullPolicy: IfNotPresent
name: wget
command:
- wget

2
jenkins/kustomization.yaml
View File

@ -10,7 +10,7 @@ resources:
- secrets.yaml
- iscsi.yaml
- gentoo-storage.yaml
- ../ssh-host-keys
- ssh-host-keys
patches:
- patch: |

7
jenkins/ssh-host-keys/kustomization.yaml Normal file
View File

@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: jenkins-jobs
resources:
- ../../ssh-host-keys

8
kitchen/secrets.yaml
View File

@ -73,13 +73,13 @@ spec:
weather:
metrics:
temperature: >-
homeassistant_sensor_temperature_celsius{entity="sensor.outdoor_temperature"}
round(homeassistant_sensor_temperature_celsius{entity="sensor.outdoor_temperature"}, 0.1)
humidity: >-
homeassistant_sensor_humidity_percent{entity="sensor.outdoor_humidity"}
round(homeassistant_sensor_humidity_percent{entity="sensor.outdoor_humidity"}, 0.1)
wind_speed: >-
homeassistant_sensor_unit_m_per_s{entity="sensor.wind_speed"}
round(homeassistant_sensor_unit_m_per_s{entity="sensor.wind_speed"}, 0.1)
pool: >-
homeassistant_sensor_temperature_celsius{entity="sensor.pool_sensor_temperature"}
round(homeassistant_sensor_temperature_celsius{entity="sensor.pool_sensor_temperature"}, 0.1)
homeassistant:
url: wss://homeassistant.pyrocufflink.blue/api/websocket

42
kubelet-csr-approver/clusterrole.yaml Normal file
View File

@ -0,0 +1,42 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubelet-csr-approver
rules:
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests/approval
verbs:
- update
- apiGroups:
- certificates.k8s.io
resourceNames:
- kubernetes.io/kubelet-serving
resources:
- signers
verbs:
- approve
- apiGroups:
- ""
resources:
- events
verbs:
- create

53
kubelet-csr-approver/deployment.yaml Normal file
View File

@ -0,0 +1,53 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: kubelet-csr-approver
namespace: kube-system
spec:
replicas: 2
selector:
matchLabels:
app: kubelet-csr-approver
template:
metadata:
annotations:
prometheus.io/port: '8080'
prometheus.io/scrape: 'true'
labels:
app: kubelet-csr-approver
spec:
serviceAccountName: kubelet-csr-approver
containers:
- name: kubelet-csr-approver
image: postfinance/kubelet-csr-approver:latest
resources:
limits:
memory: "128Mi"
cpu: "500m"
args:
- -metrics-bind-address
- ":8080"
- -health-probe-bind-address
- ":8081"
- -leader-election
livenessProbe:
httpGet:
path: /healthz
port: 8081
env:
- name: PROVIDER_REGEX
value: ^[abcdef]\.test\.ch$
- name: PROVIDER_IP_PREFIXES
value: "0.0.0.0/0,::/0"
- name: MAX_EXPIRATION_SEC
value: "31622400" # 366 days
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Equal

42
kubelet-csr-approver/kustomization.yaml Normal file
View File

@ -0,0 +1,42 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
labels:
- pairs:
app.kubernetes.io/instance: kubelet-csr-approver
resources:
- clusterrole.yaml
- deployment.yaml
- rolebinding.yaml
- serviceaccount.yaml
patches:
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: kubelet-csr-approver
namespace: kube-system
spec:
template:
spec:
containers:
- name: kubelet-csr-approver
imagePullPolicy: IfNotPresent
env:
- name: PROVIDER_REGEX
value: ^(i-[a-z0-9]+\.[a-z0-9-]+\.compute\.internal|k8s-[a-z0-9-]+\.pyrocufflink\.blue|[a-z0-9-]+\.k8s\.pyrocufflink\.black)$
- name: PROVIDER_IP_PREFIXES
value: 172.30.0.0/16
- name: BYPASS_DNS_RESOLUTION
value: 'true'
replicas:
- name: kubelet-csr-approver
count: 1
images:
- name: postfinance/kubelet-csr-approver
newName: ghcr.io/postfinance/kubelet-csr-approver
newTag: v1.2.10

13
kubelet-csr-approver/rolebinding.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubelet-csr-approver
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubelet-csr-approver
subjects:
- kind: ServiceAccount
name: kubelet-csr-approver
namespace: kube-system

5
kubelet-csr-approver/serviceaccount.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kubelet-csr-approver
namespace: kube-system

1
ntfy/ntfy.yaml
View File

@ -54,6 +54,7 @@ spec:
containers:
- name: ntfy
image: docker.io/binwiederhier/ntfy:v2.5.0
imagePullPolicy: IfNotPresent
args:
- serve
ports:

4
restic/kustomization.yaml
View File

@ -36,6 +36,7 @@ patches:
spec:
containers:
- name: restic-prune
imagePullPolicy: IfNotPresent
env:
- name: RESTIC_CACERT
value: /run/dch-ca/dch-root-ca.crt
@ -48,3 +49,6 @@ patches:
configMap:
name: dch-root-ca
images:
- name: ghcr.io/restic/restic
newTag: 0.18.0

1
ssh-host-keys/kustomization.yaml
View File

@ -3,7 +3,6 @@ kind: Kustomization
configMapGenerator:
- name: ssh-known-hosts
namespace: jenkins-jobs
files:
- ssh_known_hosts
options:

16
victoria-metrics/scrape.yml
View File

@ -242,6 +242,22 @@ scrape_configs:
- source_labels: [__address__]
target_label: instance
- job_name: victoria-logs
scheme: https
tls_config:
ca_file: /run/dch-ca/dch-root-ca.crt
dns_sd_configs:
- names:
- logs.pyrocufflink.blue
type: A
port: 443
relabel_configs:
- source_labels: [__meta_dns_name, __meta_dns_srv_record_port]
separator: ':'
target_label: __address__
- source_labels: [__address__]
target_label: instance
- job_name: promtail
static_configs:
- targets: