69 Commits

Author SHA1 Message Date
bot
ffaa0bb1ae firefly-iii: Update to 6.4.2 2025-10-18 11:32:15 +00:00
bbcf2d7599 grafana: Increase readiness probe timeout
Sometimes, Grafana gets pretty slow, especially when it's running on one
of the Raspberry Pi nodes.  When this happens, the health check may take
longer than the default timeout of 1 second to respond.  This then marks
the pod as unhealthy, even though it's still working.
2025-10-13 13:36:38 -05:00
d5a7b5bc2d k8s-reboot-coordinator: Initial deploy
The `k8s-reboot-coordinator` coordinates node reboots throughout the
cluster.  It runs as a DaemonSet, watching for the presence of a
sentinel file, `/run/reboot-needed` on the node.  When the file appears,
it acquires a lease, to ensure that only one node reboots at a time,
cordons and drains the node, and then triggers the reboot by running
a command on the host.  After the node has rebooted, the daemon will
release the lock and uncordon the node.
2025-10-13 13:36:38 -05:00
5c6a77c47c policy: Add policy to prevent host network usage
The `policy` Kustomize project defines various cluster-wide security
policies.  Initially, this includes a Validating Admission Policy that
prevents pods from using the host's network namespace.
2025-10-13 13:36:38 -05:00
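As an added example (not part of this repository or the commit above), here is one way to express such a policy as a ValidatingAdmissionPolicy plus binding. The exemption label `pyrocufflink.blue/allow-host-network` is an assumed name, chosen because other parts of this same change (the democratic-csi node DaemonSet and Music Assistant) legitimately need the host network namespace and must be allowed through.

```yaml
# Added example: reject pods that request the host network namespace.
# The policy evaluates the pod spec; workload controllers (Deployments,
# DaemonSets) are admitted, but the pods they create are rejected.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-host-network
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    # hostNetwork is optional in the pod spec, so guard the lookup with has().
    - expression: "!has(object.spec.hostNetwork) || object.spec.hostNetwork == false"
      message: "Pods may not use the host network namespace."
      reason: Forbidden
---
# The binding decides where the policy applies. Namespaces that carry the
# (assumed) label pyrocufflink.blue/allow-host-network are exempt, which is
# where kube-system, the CNI, the CSI node DaemonSet and Music Assistant live.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-host-network
spec:
  policyName: deny-host-network
  validationActions: [Deny]
  matchResources:
    namespaceSelector:
      matchExpressions:
        - key: pyrocufflink.blue/allow-host-network
          operator: DoesNotExist
```

Because the policy matches pods, a DaemonSet that sets `hostNetwork: true` in an unlabelled namespace is accepted by the API server but its pods are rejected at creation, which shows up as a missing pod rather than a failed apply; running with `validationActions: [Warn, Audit]` during rollout makes that visible before switching to `Deny`.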
e1874565b8 Merge pull request 'gotenberg: Update to 8.23.1' (#85) from updatebot/paperless-ngx into master
Reviewed-on: #85
2025-10-12 23:55:49 +00:00
2e4d356fb7 Merge pull request 'authelia: Update to 4.39.10' (#86) from updatebot/authelia into master
Reviewed-on: #86
2025-10-12 23:40:26 +00:00
bot
76566cb027 authelia: Update to 4.39.12 2025-10-11 11:32:16 +00:00
bot
83d85d0b58 tika: Update to 3.2.3.0 2025-10-11 11:32:14 +00:00
bot
d944ae5d3a gotenberg: Update to 8.24.0 2025-10-11 11:32:14 +00:00
fd400eb1de home-assistant: Fix image refs for Zigbee/ZWaveJS
The _updatebot_ has been running with an old configuration for a while,
so while it was correctly identifying updates to ZWaveJS UI and
Zigbee2MQTT, it was generating overrides for the incorrect OCI image
names.
2025-09-14 15:47:31 -05:00
2ef22105a6 Merge pull request 'home-assistant: Update to 2025.8.0' (#77) from updatebot/home-assistant into master
Reviewed-on: #77
2025-09-14 20:09:37 +00:00
86546df447 Merge pull request 'paperless-ngx: Update to 2.18.2' (#82) from updatebot/paperless-ngx into master
Reviewed-on: #82
2025-09-14 03:05:37 +00:00
ff6d4fa6e3 Merge pull request 'authelia: Update to 4.39.8' (#83) from updatebot/authelia into master
Reviewed-on: #83
2025-09-14 03:04:39 +00:00
bot
9f78f01f14 authelia: Update to 4.39.9 2025-09-13 11:32:15 +00:00
bot
82680ae86e gotenberg: Update to 8.23.0 2025-09-13 11:32:13 +00:00
bot
959bef405f paperless-ngx: Update to 2.18.4 2025-09-13 11:32:13 +00:00
bot
fc3435a978 zwavejs2mqtt: Update to 11.2.1 2025-09-13 11:32:08 +00:00
bot
da2fcdcf28 zigbee2mqtt: Update to 2.6.1 2025-09-13 11:32:07 +00:00
bot
5873892015 piper: Update to 1.6.3 2025-09-13 11:32:07 +00:00
bot
38c0e8ba02 home-assistant: Update to 2025.9.2 2025-09-13 11:32:07 +00:00
7158ff89df v-m/alerts: Ignore Restic alert for Purple Pi
The Purple Pi is no more.  We want to keep its backups around, though,
but we don't need alerts about them.
2025-09-12 07:25:21 -05:00
5869afa923 jenkins: Add PVC for airplaypi Buildroot job
Buildroot jobs really benefit from having a persistent workspace volume
instead of an ephemeral one.  This way, only the packages, etc. that
have changed since the last build need to be built, instead of the whole
toolchain and operating system.
2025-09-07 12:24:11 -05:00
4c1992b3c9 v-m/vmagent: Start in parallel
As with AlertManager, the point of having multiple replicas of `vmagent`
is so that one is always running, even if the other fails.  Thus, we
want to start the pods in parallel so that if the first one does not
come up, the second one at least has a chance.
2025-09-07 10:49:22 -05:00
25d34efb4c v-m/alertmanager: Bring up replicas in parallel
If something prevents the first AlertManager instance from starting, we
don't want to wait forever for it before starting the second.  That
pretty much defeats the purpose of having two instances.  Fortunately,
we can configure Kubernetes to bring up both instances simultaneously by
setting the pod management policy to `Parallel`.
2025-09-07 10:42:50 -05:00
e605e3d1ea v-m/alertmanager: Migrate PVC to Synology
We also don't need a 4 GB volume for AlertManager; even 500 MB is
way too big for the tiny amount of data it stores, but that's about the
smallest size a filesystem can be.
2025-09-07 10:42:13 -05:00
ab38df1d9f Merge branch 'drop-certs' 2025-09-07 10:33:19 -05:00
a02dfa1dfc cert-manager: Decommission cert-exporter
The `cert-exporter` is no longer needed.  All websites manage their own
certificates with _mod_md_ now, and all internal applications that use
the wildcard certificate fetch it directly from the Kubernetes Secret.
2025-09-07 10:31:36 -05:00
b068a260e7 cert-manager: Drop HLC certificate
This site now obtains its own certificate using Apache _mod_md_.
2025-09-07 10:30:20 -05:00
479a91ae79 Merge branch 'democratic-csi' 2025-09-07 10:25:14 -05:00
87331b24b0 v-m/alerts: Ignore Restic alert for bw0
_bw0.pyrocufflink.blue_ has been decommissioned for some time, so it
doesn't get backed up any more.  We want to keep its previous backups
around, though, in case we ever need to restore something.  This
triggers the "no recent backups" alert, since the last snapshot is over
a week old.  Let's ignore that hostname when generating this alert.
2025-09-07 08:27:19 -05:00
7ad8fff7c6 v-m/vmagent: Use ephemeral storage
The `vmagent` needs a place to spool data it has not yet sent to
Victoria Metrics, but it doesn't really need to be persistent.  As long
as all of the `vmagent` nodes _and_ all of the `vminsert` nodes do not
go down simultaneously, there shouldn't be any data loss.  If they are
all down at the same time, there's probably something else going on and
lost metrics are the least concerning problem.
2025-09-07 08:27:19 -05:00
ee88e5f1c9 dynk8s-provisioner: Remove PVC
The _dynk8s-provisioner_ only needs writable storage to store copies of
the AWS SNS notifications it receives for debugging purposes.  We don't
need to keep these around indefinitely, so using ephemeral node-local
storage is sufficient.  I actually want to get rid of that "feature"
anyway...
2025-09-07 08:27:19 -05:00
cbed5a8d13 jenkins: Drop Gentoo Portage distribution
Now that Aimee OS is based on Buildroot instead of Gentoo, we don't need
to keep syncing and sharing the Gentoo repository.
2025-09-07 08:27:19 -05:00
e63fd199ec firefly-iii: Prefer running on amd64 nodes
Although Firefly III works on a Raspberry Pi, a few things are pretty
slow.  Notably, the search feature takes a really long time to return
any results, which is particularly annoying when trying to add a receipt
via the Receipts app.  Adding a node affinity rule to prefer running on
an x86_64 machine will ensure that it runs fast whenever possible, but
can fall back to running on a Raspberry Pi if necessary.
2025-09-07 08:27:19 -05:00
687775c595 invoice-ninja: Fix error in cron container
The "cron" container has not been working correctly for some time.  No
background tasks are getting run, and this error is printed in the log
every minute:

> `Target class [db.schema] does not exist`

It turns out, this is because of the way the PHP `artisan` tool works.
It MUST be able to write to the code directory, apparently to build some
kind of cache.  There may be a way to cache the data ahead of time, but
I haven't found it yet.  For now, it seems the only way to make
Laravel-based applications run in a container is to make the container
filesystem mutable.
2025-09-07 08:27:19 -05:00
0a89502620 20125: Add Music Assistant
Tabitha wants to see Music Assistant in the smart home status app,
mostly to use as a shortcut.
2025-09-07 08:27:19 -05:00
92cf0edc4b v-m/scrape: Scrape Music Assistant via Blackbox
Music Assistant doesn't expose any metrics natively.  Since we really
only care about whether or not it's accessible, scraping it with the
blackbox exporter is fine.
2025-09-07 08:27:19 -05:00
c011a99165 authelia: Allow from pyrocufflink.net
In order to allow access to Authelia from outside the LAN, it needs to
be able to handle the _pyrocufflink.net_ domain in addition to
_pyrocufflink.blue_.  Originally, this was not possible, as Authelia
only supported a single cookie/domain.  Now that it supports multiple
cookies, we can expose both domains.

The main reason for doing this now is to use Authelia's password reset
capability for Mom, since she didn't have a password for her Nextcloud
account that she's just begun using.
2025-09-07 08:27:19 -05:00
7c9737e092 kitchen: Update DTEX calendar URL
I wrote a Thunderbird add-on for my work computer that periodically
exports my entire DTEX calendar to a file.  Unfortunately, the file it
creates is not directly usable by the kitchen screen server currently;
it seems to use a time zone identifier that `tzinfo` doesn't understand:

```
Error in background update:
Traceback (most recent call last):
  File "/usr/local/kitchen/lib64/python3.12/site-packages/kitchen/service/agenda.py", line 19, in _background_update
    await self._update()
  File "/usr/local/kitchen/lib64/python3.12/site-packages/kitchen/service/agenda.py", line 34, in _update
    calendar = await self.fetch_calendar(
               ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/kitchen/lib64/python3.12/site-packages/kitchen/service/caldav.py", line 39, in fetch_calendar
    return icalendar.Calendar.from_ical(r.text)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/kitchen/lib64/python3.12/site-packages/icalendar/cal.py", line 369, in from_ical
    _timezone_cache[component['TZID']] = component.to_tz()
                                         ^^^^^^^^^^^^^^^^^
  File "/usr/local/kitchen/lib64/python3.12/site-packages/icalendar/cal.py", line 659, in to_tz
    return cls()
           ^^^^^
  File "/usr/local/kitchen/lib64/python3.12/site-packages/pytz/tzinfo.py", line 190, in __init__
    self._transition_info[0])
    ~~~~~~~~~~~~~~~~~~~~~^^^
IndexError: list index out of range
```

It seems to work fine in Nextcloud, though, so the work-around is to
import it as a subscription in Nextcloud and then read it from there,
using Nextcloud as a sort of proxy.
2025-09-07 08:27:19 -05:00
28d6bdc3a9 kitchen: Pin to amd64 nodes
There is not (currently) an aarch64 build of the kitchen screen server,
so we need to force the pod to run on an x86_64 node.  This seems a good
candidate for running on a Raspberry Pi, so I should go ahead and build
a multi-arch image.
2025-09-07 08:27:19 -05:00
67a1d8d0d5 democratic-csi: Enable volume resize
_democratic-csi_ can also dynamically resize Synology iSCSI LUNs when
PVC resource requests increase.  This requires enabling the external
resizer in the controller pod and marking the StorageClass as supporting
resize.
2025-09-06 23:49:53 -05:00
d909fc0566 democratic-csi: Enable volume snapshot support
The _democratic-csi_ controller can create Synology LUN snapshots based
on VolumeSnapshot resources.  This feature can be used to e.g. create
data snapshots before upgrades, etc.
2025-09-06 23:43:25 -05:00
f3798c49e3 democratic-csi: Initial deployment
Deploying _democratic-csi_ to manage PersistentVolumeClaim resources,
mapping them to iSCSI volumes on the Synology.

Eventually, all Longhorn-managed PVCs will be replaced with Synology
iSCSI volumes.  Getting rid of Longhorn should free up a lot of
resources and remove a point of failure from the cluster.
2025-09-06 22:57:05 -05:00
e4f3e8254e Merge pull request 'ntfy: Update to 2.14.0' (#79) from updatebot/ntfy into master
Reviewed-on: #79
2025-08-16 19:20:11 +00:00
8e968703b3 Merge pull request 'authelia: Update to 4.39.6' (#80) from updatebot/authelia into master
Reviewed-on: #80
2025-08-16 19:17:48 +00:00
a5fdaff145 Merge pull request 'tika: Update to 3.2.2.0' (#78) from updatebot/paperless-ngx into master
Reviewed-on: #78
2025-08-16 19:17:18 +00:00
bot
6f3919fe06 authelia: Update to 4.39.6 2025-08-16 11:32:12 +00:00
bot
e140e9d49d ntfy: Update to 2.14.0 2025-08-16 11:32:10 +00:00
bot
f24285d761 tika: Update to 3.2.2.0 2025-08-16 11:32:09 +00:00
8a6b41bacc Revert "music-assistant: Tell players to restart on startup"
This hacky work-around is no longer necessary, as I've figured out why
the players don't (always) get rediscovered when the server restarts.
It turns out, Avahi on the firewall was caching responses to the mDNS PTR
requests Music Assistant makes.  Rather than forward the requests to the
other VLANs, it would respond with its cached information, but in a way
that Music Assistant didn't understand.  Setting `cache-entries-max` to
`0` in `avahi-daemon.conf` on the firewall resolved the issue.

This reverts commit 42a7964991.
2025-08-12 20:17:52 -05:00
e0e3eab8b6 Merge branch 'music-assistant' 2025-08-11 21:00:02 -05:00
42a7964991 music-assistant: Tell players to restart on startup
I haven't fully determined why, but when the Music Assistant server
restarts, it marks the _shairport-sync_ players as offline and will not
allow playing to them.  The only way I have found to work around this is
to restart the players after the server restarts.  As that's pretty
cumbersome and annoying, I naturally want to automate it, so I've
created this rudimentary synchronization technique using _ntfy_: each
player listens for notifications on a specific topic, and upon receiving
one, tells _shairport-sync_ to exit.  With the `Restart=` property
configured on the _shairport-sync.service_ unit, _systemd_ will restart
the service, which causes Music Assistant to discover the player again.
2025-08-11 20:59:54 -05:00
ae1d952297 music-assistant: Initial deployment
_Music Assistant_ is pretty straightforward to deploy, despite
upstream's apparent opinion otherwise.  It just needs a small persistent
volume for its media index and customization.  It does need to use the
host network namespace, though, in order to receive multicast
announcements from e.g. AirPlay players, as it doesn't have any way of
statically configuring them.
2025-08-11 20:43:28 -05:00
2a0fdc07df cert-manager: Drop dustinandtabitha.com certificate
This site now obtains its own certificate using Apache _mod_md_.
2025-08-11 08:59:57 -05:00
4977f513c5 dch-webhooks: Add role for Jenkins to deploy
Jenkins needs to be able to patch the Deployment to trigger a restart
after it builds a new container image for _dch-webhooks_.

Note that this manifest must be applied on its own **without
Kustomize**.  Kustomize seems to think the `dch-webhooks` in
`resourceNames` refers to the ConfigMap it manages and "helpfully"
renames it with the name suffix hash.  It's _not_ the ConfigMap, though,
but there's not really any way to tell it this.
2025-08-10 17:43:02 -05:00
3960552f99 calico: Update to v3.30.2 2025-08-08 11:00:27 -05:00
aa27579582 cert-manager: Drop dustin.hatch.name certificate
This site now obtains its own certificate using Apache _mod_md_.
2025-08-07 11:26:23 -05:00
2b109589c2 h-a/{piper,whisper}: Prefer x86_64 nodes
Without a node affinity rule, Kubernetes applies equal weight to the
"big" x86_64 nodes and the "small" aarch64 ones.  Since we would really
rather Piper and Whisper _not_ run on a Raspberry Pi, we need the rule
to express this.
2025-08-07 10:31:10 -05:00
ea4e45e479 Revert "h-a: Schedule Piper, Whisper, Mosquitto with HA"
As it turns out, although Home Assistant itself works perfectly fine on
a Raspberry Pi, Piper and Whisper do not.  They are _much_ too slow to
respond to voice commands.

This reverts commit 32666aa628.
2025-08-07 10:26:37 -05:00
3896dd67eb Merge pull request 'home-assistant: Update to 2025.7.2' (#73) from updatebot/home-assistant into master
Reviewed-on: #73
2025-08-05 14:17:24 +00:00
c5545445b6 Merge pull request 'firefly-iii: Update to 6.2.21' (#74) from updatebot/firefly-iii into master
Reviewed-on: #74
2025-08-03 16:41:17 +00:00
2a7d531aa3 Merge pull request 'authelia: Update to 4.39.5' (#75) from updatebot/authelia into master
Reviewed-on: #75
2025-08-03 16:35:18 +00:00
1998abefbd Merge pull request 'vaultwarden: Update to 1.34.3' (#76) from updatebot/vaultwarden into master
Reviewed-on: #76
2025-08-03 16:34:09 +00:00
bot
b2aa70dff0 vaultwarden: Update to 1.34.3 2025-08-02 11:32:29 +00:00
bot
28c7f98cb5 authelia: Update to 4.39.5 2025-08-02 11:32:19 +00:00
bot
14d6af7886 firefly-iii: Update to 6.2.21 2025-08-02 11:32:11 +00:00
bot
a4d05c7288 zwavejs2mqtt: Update to 11.0.1 2025-08-02 11:32:07 +00:00
bot
c10aef5d65 zigbee2mqtt: Update to 2.6.0 2025-08-02 11:32:07 +00:00
bot
474b068708 home-assistant: Update to 2025.7.4 2025-08-02 11:32:06 +00:00
54 changed files with 1380 additions and 582 deletions


@@ -85,3 +85,10 @@ applications:
url: https://receipts.pyrocufflink.blue/static/icons/icon-512.png
alerts:
- instance: *url5
- name: Music Assistant
url: &url6 https://music.pyrocufflink.blue/
icon:
url: https://music.pyrocufflink.blue/apple-touch-icon.png
alerts:
- instance: *url6


@@ -0,0 +1,16 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: csi-synology
namespace: argocd
spec:
destination:
server: https://kubernetes.default.svc
project: default
source:
path: democratic-csi
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master
syncPolicy:
automated:
prune: true
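Review bot: `syncPolicy.automated.prune: true` on the Application for the storage driver means any manifest accidentally dropped from `democratic-csi/` on `master` is deleted from the cluster automatically, taking the CSI controller or node DaemonSet with it while iSCSI volumes are still mounted; consider leaving prune off for this Application, or pointing `targetRevision` at a tag rather than `master` so a bad push to the branch cannot remove the driver. Also note the `.gitignore` in this same change excludes `synology.password` and `synology-iscsi-chap.yaml`, so whatever produces the `csi-synology-democratic-csi-driver-config` Secret must exist outside this repo for an automated Argo CD sync to come up healthy.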


@@ -127,9 +127,10 @@ spec:
tls:
- hosts:
- auth.pyrocufflink.blue
- auth.pyrocufflink.net
rules:
- host: auth.pyrocufflink.blue
http:
http: &http
paths:
- path: /
pathType: Prefix
@@ -138,4 +139,5 @@ spec:
name: authelia
port:
name: http
- host: auth.pyrocufflink.net
http: *http
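Review bot: `tls.hosts` now includes `auth.pyrocufflink.net`, so the certificate in the Secret this `tls` entry references (its `secretName` is outside the hunk) must carry that name; the cert-exporter config deleted in this same change shows a `_.pyrocufflink.net` wildcard existed, so confirm the Ingress points at that Secret and not at a `pyrocufflink.blue`-only certificate, otherwise clients on the `.net` host get a name-mismatch error rather than a login page.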


@@ -189,6 +189,8 @@ session:
cookies:
- domain: pyrocufflink.blue
authelia_url: 'https://auth.pyrocufflink.blue'
- domain: pyrocufflink.net
authelia_url: 'https://auth.pyrocufflink.net'
server:
buffers:
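Review bot: each entry under `session.cookies` is an independent session cookie, so a user who signs in at `auth.pyrocufflink.blue` is not signed in at `auth.pyrocufflink.net` and vice versa; that is expected, but since the commit message says the `.net` domain is being exposed for access from outside the LAN, check that the access-control rules covering `pyrocufflink.net` hosts require at least the same authentication level as the `.blue` rules rather than a more permissive policy written with LAN clients in mind.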


@@ -58,4 +58,4 @@ patches:
name: dch-root-ca
images:
- name: ghcr.io/authelia/authelia
newTag: 4.39.4
newTag: 4.39.12
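Review bot: the `images` override for the authentication component still pins by mutable tag only; adding a `digest:` next to `newTag` (Kustomize accepts both) makes the deployed Authelia image immutable and gives the updatebot PRs a verifiable identity to review, rather than trusting that `ghcr.io/authelia/authelia:4.39.12` resolves to the same content on every node pull.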

calico/kustomization.yaml Normal file, 10 lines added

@@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
labels:
- pairs:
app.kubernetes.io/instance: calico
resources:
- https://raw.githubusercontent.com/projectcalico/calico/v3.30.2/manifests/operator-crds.yaml
- https://raw.githubusercontent.com/projectcalico/calico/v3.30.2/manifests/tigera-operator.yaml
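Review bot: both remote resources are fetched from `raw.githubusercontent.com` at the `v3.30.2` tag every time Kustomize renders; a git tag can be moved, so for a CNI that runs privileged on every node, referencing the commit SHA in the URL (or vendoring the two manifests into the repo) gives a reproducible render. Also, the Calico pods the operator installs run in the host network namespace, so the host-network admission policy introduced in this same range has to exempt the namespaces the operator creates or the CNI will not come up after the next node reboot.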


@@ -1,21 +0,0 @@
git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
certs:
- name: pyrocufflink-cert
namespace: default
key: certificates/_.pyrocufflink.net.key
cert: certificates/_.pyrocufflink.net.crt
bundle: certificates/_.pyrocufflink.net.pem
- name: dustinhatchname-cert
namespace: default
key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
cert: acme.sh/dustin.hatch.name/fullchain.cer
- name: dustinandtabitha-cert
namespace: default
key: certificates/dustinandtabitha.com.key
cert: certificates/dustinandtabitha.com.crt
bundle: certificates/dustinandtabitha.com.pem
- name: hlc-cert
namespace: default
key: certificates/hatchlearningcenter.org.key
cert: certificates/hatchlearningcenter.org.crt
bundle: certificates/hatchlearningcenter.org.pem


@@ -1,79 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-exporter
namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-exporter
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
resourceNames:
- pyrocufflink-cert
- dustinhatchname-cert
- dustinandtabitha-cert
- hlc-cert
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-exporter
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-exporter
subjects:
- kind: ServiceAccount
name: cert-exporter
namespace: cert-manager
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: cert-exporter
namespace: cert-manager
spec:
timeZone: America/Chicago
schedule: '27 9,20 * * *'
jobTemplate: &jobtemplate
spec:
template:
spec:
containers:
- image: git.pyrocufflink.net/containerimages/cert-exporter
name: cert-exporter
volumeMounts:
- mountPath: /etc/cert-exporter/config.yml
name: config
subPath: config.yml
readOnly: true
- mountPath: /home/cert-exporter/.ssh/id_ed25519
name: sshkeys
subPath: cert-exporter.pem
readOnly: true
- mountPath: /etc/ssh/ssh_known_hosts
name: sshkeys
subPath: ssh_known_hosts
readOnly: true
securityContext:
fsGroup: 1000
serviceAccount: cert-exporter
volumes:
- name: config
configMap:
name: cert-exporter
- name: sshkeys
secret:
secretName: cert-exporter-sshkey
defaultMode: 00440
restartPolicy: Never
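Review bot: removing the CronJob and the `cert-exporter-sshkey` Secret mount from the manifests does not revoke the key itself; the ed25519 key mounted at `/home/cert-exporter/.ssh/id_ed25519` stays authorised for `gitea@git.pyrocufflink.blue:dustin/certs.git` (per the deleted config) until it is removed on the Gitea side, and the `cert-exporter` Role's `get` on the four certificate Secrets only leaves the cluster if the objects are actually pruned rather than just dropped from git. Suggest deleting the deploy key in Gitea and the `cert-exporter-sshkey` Secret explicitly as part of this decommission.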


@@ -16,69 +16,3 @@ spec:
privateKey:
algorithm: ECDSA
rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: dustinhatchname-cert
spec:
secretName: dustinhatchname-cert
dnsNames:
- dustin.hatch.name
- '*.dustin.hatch.name'
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: zerossl
privateKey:
algorithm: ECDSA
rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: dustinandtabitha-cert
spec:
secretName: dustinandtabitha-cert
dnsNames:
- dustinandtabitha.com
- '*.dustinandtabitha.com'
- dustinandtabitha.xyz
- '*.dustinandtabitha.xyz'
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: zerossl
privateKey:
algorithm: ECDSA
rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: hlc-cert
spec:
secretName: hlc-cert
dnsNames:
- hatchlearningcenter.org
- '*.hatchlearningcenter.org'
- hatchlearningcenter.com
- '*.hatchlearningcenter.com'
- hlckc.org
- '*.hlckc.org'
- hlckc.com
- '*.hlckc.com'
- hlcks.org
- '*.hlcks.org'
- hlcks.com
- '*.hlcks.com'
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: zerossl
privateKey:
algorithm: ECDSA
rotationPolicy: Always
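Review bot: deleting a cert-manager `Certificate` does not delete the Secret named in `secretName` unless the controller runs with `--enable-certificate-owner-ref`, so `dustinhatchname-cert`, `dustinandtabitha-cert` and `hlc-cert` in the `default` namespace keep holding issued private keys after this merge (with `rotationPolicy: Always`, the most recently rotated ones); delete those Secrets explicitly alongside this change so the keys do not linger in a namespace that no longer has a consumer for them.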


@@ -11,9 +11,6 @@ rules:
- get
resourceNames:
- pyrocufflink-cert
- dustinhatchname-cert
- dustinandtabitha-cert
- hlc-cert
---
apiVersion: rbac.authorization.k8s.io/v1


@@ -5,19 +5,10 @@ resources:
- https://github.com/cert-manager/cert-manager/releases/download/v1.16.4/cert-manager.yaml
- cluster-issuer.yaml
- certificates.yaml
- cert-exporter.yaml
- dch-ca-issuer.yaml
- secrets.yaml
- jenkins.yaml
configMapGenerator:
- name: cert-exporter
namespace: cert-manager
files:
- config.yml=cert-exporter.config.yml
options:
disableNameSuffixHash: True
secretGenerator:
- name: zerossl-eab
namespace: cert-manager
@@ -26,12 +17,6 @@ secretGenerator:
options:
disableNameSuffixHash: true
- name: cert-exporter-sshkey
namespace: cert-manager
files:
- cert-exporter.pem
- ssh_known_hosts
- name: cloudflare
namespace: cert-manager
files:

dch-webhooks/jenkins.yaml Normal file, 28 lines added

@@ -0,0 +1,28 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: jenkins.dch-webhooks
rules:
- apiGroups:
- apps
resources:
- deployments
resourceNames:
- dch-webhooks
verbs:
- get
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: jenkins.dch-webhooks
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: jenkins.dch-webhooks
subjects:
- kind: ServiceAccount
name: default
namespace: jenkins-jobs
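Review bot: the RoleBinding grants `get`/`patch` on the `dch-webhooks` Deployment to the `default` ServiceAccount in `jenkins-jobs`, which every pod in that namespace uses unless it sets `serviceAccountName`, so every job that runs there inherits the permission rather than only the dch-webhooks build; a dedicated ServiceAccount for that job keeps the grant scoped to it. Also, neither the Role nor the RoleBinding sets `metadata.namespace`, and the commit message says this file is applied by hand without Kustomize, so the `-n` target has to be remembered on each apply; putting the namespace in the manifest avoids creating these objects in `default` by mistake.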

democratic-csi/.gitignore vendored Normal file, 2 lines added

@@ -0,0 +1,2 @@
synology.password
synology-iscsi-chap.yaml


@@ -0,0 +1,385 @@
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: csi-synology-democratic-csi-node
namespace: democratic-csi
labels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: node
app.kubernetes.io/component: node-linux
spec:
selector:
matchLabels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: node
app.kubernetes.io/component: node-linux
template:
metadata:
labels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: node
app.kubernetes.io/component: node-linux
spec:
serviceAccount: csi-synology-democratic-csi-node-sa
priorityClassName: system-node-critical
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
hostAliases: []
hostIPC: true
hostPID: false
containers:
- name: csi-driver
image: docker.io/democraticcsi/democratic-csi:latest
args:
- --csi-version=1.5.0
- --csi-name=org.democratic-csi.iscsi-synology
- --driver-config-file=/config/driver-config-file.yaml
- --log-level=info
- --csi-mode=node
- --server-socket=/csi-data/csi.sock.internal
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- SYS_ADMIN
privileged: true
env:
- name: CSI_NODE_ID
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
terminationMessagePath: /tmp/termination-log
terminationMessagePolicy: File
livenessProbe:
failureThreshold: 3
exec:
command:
- bin/liveness-probe
- --csi-version=1.5.0
- --csi-address=/csi-data/csi.sock.internal
initialDelaySeconds: 10
timeoutSeconds: 15
periodSeconds: 60
volumeMounts:
- name: socket-dir
mountPath: /csi-data
- name: kubelet-dir
mountPath: /var/lib/kubelet
mountPropagation: Bidirectional
- name: iscsi-dir
mountPath: /etc/iscsi
mountPropagation: Bidirectional
- name: iscsi-info
mountPath: /var/lib/iscsi
mountPropagation: Bidirectional
- name: modules-dir
mountPath: /lib/modules
readOnly: true
- name: localtime
mountPath: /etc/localtime
readOnly: true
- name: udev-data
mountPath: /run/udev
- name: host-dir
mountPath: /host
mountPropagation: Bidirectional
- mountPath: /sys
name: sys-dir
- name: dev-dir
mountPath: /dev
- name: config
mountPath: /config
- name: csi-proxy
image: docker.io/democraticcsi/csi-grpc-proxy:v0.5.6
env:
- name: BIND_TO
value: unix:///csi-data/csi.sock
- name: PROXY_TO
value: unix:///csi-data/csi.sock.internal
volumeMounts:
- mountPath: /csi-data
name: socket-dir
- name: driver-registrar
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0
args:
- --v=5
- --csi-address=/csi-data/csi.sock
- --kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock
env:
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
livenessProbe:
exec:
command:
- /csi-node-driver-registrar
- --kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock
- --mode=kubelet-registration-probe
volumeMounts:
- mountPath: /csi-data
name: socket-dir
- name: registration-dir
mountPath: /registration
- name: kubelet-dir
mountPath: /var/lib/kubelet
- name: cleanup
image: docker.io/busybox:1.37.0
command:
- /bin/sh
args:
- -c
- |-
sleep infinity &
trap 'kill !$' INT TERM
wait
lifecycle:
preStop:
exec:
command:
- /bin/sh
- -c
- rm -rf /plugins/org.democratic-csi.iscsi-synology /registration/org.democratic-csi.iscsi-synology-reg.sock
volumeMounts:
- name: plugins-dir
mountPath: /plugins
- name: registration-dir
mountPath: /registration
volumes:
- name: socket-dir
hostPath:
path: /var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology
type: DirectoryOrCreate
- name: plugins-dir
hostPath:
path: /var/lib/kubelet/plugins
type: Directory
- name: registration-dir
hostPath:
path: /var/lib/kubelet/plugins_registry
type: Directory
- name: kubelet-dir
hostPath:
path: /var/lib/kubelet
type: Directory
- name: iscsi-dir
hostPath:
path: /etc/iscsi
type: Directory
- name: iscsi-info
hostPath:
path: /var/lib/iscsi
- name: dev-dir
hostPath:
path: /dev
type: Directory
- name: modules-dir
hostPath:
path: /lib/modules
- name: localtime
hostPath:
path: /etc/localtime
- name: udev-data
hostPath:
path: /run/udev
- name: sys-dir
hostPath:
path: /sys
type: Directory
- name: host-dir
hostPath:
path: /
type: Directory
- name: config
secret:
secretName: csi-synology-democratic-csi-driver-config
nodeSelector:
kubernetes.io/os: linux
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: csi-synology-democratic-csi-controller
namespace: democratic-csi
labels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: controller
app.kubernetes.io/component: controller-linux
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: controller
app.kubernetes.io/component: controller-linux
template:
metadata:
labels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: controller
app.kubernetes.io/component: controller-linux
spec:
serviceAccount: csi-synology-democratic-csi-controller-sa
priorityClassName: system-cluster-critical
hostNetwork: false
dnsPolicy: ClusterFirst
hostAliases: []
hostIPC: false
containers:
- name: external-attacher
image: registry.k8s.io/sig-storage/csi-attacher:v4.4.0
args:
- --v=5
- --leader-election
- --leader-election-namespace=democratic-csi
- --timeout=90s
- --worker-threads=10
- --csi-address=/csi-data/csi.sock
volumeMounts:
- mountPath: /csi-data
name: socket-dir
- name: external-provisioner
image: registry.k8s.io/sig-storage/csi-provisioner:v3.6.0
args:
- --v=5
- --leader-election
- --leader-election-namespace=democratic-csi
- --timeout=90s
- --worker-threads=10
- --extra-create-metadata
- --csi-address=/csi-data/csi.sock
volumeMounts:
- mountPath: /csi-data
name: socket-dir
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: external-resizer
image: "registry.k8s.io/sig-storage/csi-resizer:v1.9.0"
args:
- --v=5
- --leader-election
- --leader-election-namespace=democratic-csi
- --timeout=90s
- --workers=10
- --csi-address=/csi-data/csi.sock
volumeMounts:
- mountPath: /csi-data
name: socket-dir
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
# https://github.com/kubernetes-csi/external-snapshotter
# beware upgrading version:
# - https://github.com/rook/rook/issues/4178
# - https://github.com/kubernetes-csi/external-snapshotter/issues/147#issuecomment-513664310
- name: external-snapshotter
image: "registry.k8s.io/sig-storage/csi-snapshotter:v8.2.1"
args:
- --v=5
- --leader-election
- --leader-election-namespace=democratic-csi
- --timeout=90s
- --worker-threads=10
- --csi-address=/csi-data/csi.sock
volumeMounts:
- mountPath: /csi-data
name: socket-dir
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: csi-driver
image: docker.io/democraticcsi/democratic-csi:latest
args:
- --csi-version=1.5.0
- --csi-name=org.democratic-csi.iscsi-synology
- --driver-config-file=/config/driver-config-file.yaml
- --log-level=debug
- --csi-mode=controller
- --server-socket=/csi-data/csi.sock.internal
livenessProbe:
failureThreshold: 3
exec:
command:
- bin/liveness-probe
- --csi-version=1.5.0
- --csi-address=/csi-data/csi.sock.internal
initialDelaySeconds: 10
timeoutSeconds: 15
periodSeconds: 60
volumeMounts:
- name: socket-dir
mountPath: /csi-data
- name: config
mountPath: /config
- name: csi-proxy
image: docker.io/democraticcsi/csi-grpc-proxy:v0.5.6
env:
- name: BIND_TO
value: unix:///csi-data/csi.sock
- name: PROXY_TO
value: unix:///csi-data/csi.sock.internal
volumeMounts:
- mountPath: /csi-data
name: socket-dir
volumes:
- name: socket-dir
emptyDir: {}
- name: config
secret:
secretName: csi-synology-democratic-csi-driver-config
nodeSelector:
kubernetes.io/os: linux
---
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: org.democratic-csi.iscsi-synology
labels:
app.kubernetes.io/name: democratic-csi
spec:
attachRequired: true
podInfoOnMount: true
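Review bot: the node DaemonSet runs `privileged: true` with `hostNetwork: true`, `hostIPC: true` and the host root mounted at `/host` with `mountPropagation: Bidirectional`, which matches the upstream democratic-csi node layout but is also the strongest set of host privileges in this repo, so two things are worth checking before merge. First, the `policy` project added in this same range rejects pods that use the host network namespace, so the `democratic-csi` namespace (and `music-assistant`, which also needs host networking per its commit message) needs an explicit exemption or these pods will never be admitted. Second, both `csi-driver` containers use `docker.io/democraticcsi/democratic-csi:latest`, an unpinned tag for a privileged image, while every sidecar is version-pinned; pin it, ideally by digest, so a node reboot cannot silently pull a different driver. The controller's `--log-level=debug` should also drop to `info` like the node's once the deployment has settled.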


@@ -0,0 +1,93 @@
driver: synology-iscsi
httpConnection:
protocol: https
host: storage0.pyrocufflink.blue
port: 5001
username: democratic-csi
allowInsecure: true
# should be uniqe across all installs to the same nas
session: "democratic-csi"
serialize: true
# Choose the DSM volume this driver operates on. The default value is /volume1.
# synology:
# volume: /volume1
iscsi:
targetPortal: "server[:port]"
# for multipath
targetPortals: [] # [ "server[:port]", "server[:port]", ... ]
# leave empty to omit usage of -I with iscsiadm
interface: ""
# can be whatever you would like
baseiqn: "iqn.2000-01.com.synology:csi."
# MUST ensure uniqueness
# full iqn limit is 223 bytes, plan accordingly
namePrefix: ""
nameSuffix: ""
# documented below are several blocks
# pick the option appropriate for you based on what your backing fs is and desired features
# you do not need to alter dev_attribs under normal circumstances but they may be altered in advanced use-cases
# These options can also be configured per storage-class:
# See https://github.com/democratic-csi/democratic-csi/blob/master/docs/storage-class-parameters.md
lunTemplate:
# can be static value or handlebars template
#description: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}-{{ parameters.[csi.storage.k8s.io/pvc/name] }}"
# btrfs thin provisioning
type: "BLUN"
# tpws = Hardware-assisted zeroing
# caw = Hardware-assisted locking
# 3pc = Hardware-assisted data transfer
# tpu = Space reclamation
# can_snapshot = Snapshot
#dev_attribs:
#- dev_attrib: emulate_tpws
# enable: 1
#- dev_attrib: emulate_caw
# enable: 1
#- dev_attrib: emulate_3pc
# enable: 1
#- dev_attrib: emulate_tpu
# enable: 0
#- dev_attrib: can_snapshot
# enable: 1
# btfs thick provisioning
# only zeroing and locking supported
#type: "BLUN_THICK"
# tpws = Hardware-assisted zeroing
# caw = Hardware-assisted locking
#dev_attribs:
#- dev_attrib: emulate_tpws
# enable: 1
#- dev_attrib: emulate_caw
# enable: 1
# ext4 thinn provisioning UI sends everything with enabled=0
#type: "THIN"
# ext4 thin with advanced legacy features set
# can only alter tpu (all others are set as enabled=1)
#type: "ADV"
#dev_attribs:
#- dev_attrib: emulate_tpu
# enable: 1
# ext4 thick
# can only alter caw
#type: "FILE"
#dev_attribs:
#- dev_attrib: emulate_caw
# enable: 1
lunSnapshotTemplate:
is_locked: true
# https://kb.synology.com/en-me/DSM/tutorial/What_is_file_system_consistent_snapshot
is_app_consistent: true
targetTemplate:
auth_type: 0
max_sessions: 0
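Review bot: this file is not listed under `resources:` in `kustomization.yaml`, and the live driver configuration is rendered inside the `csi-synology-democratic-csi-driver-config` SealedSecret template, so `driver-config-file.yaml` is an unreferenced upstream sample. It also disagrees with the live config (`auth_type: 0`, placeholder `targetPortal: "server[:port]"`, `allowInsecure: true`); either delete it or rename it so it is clearly reference material and nobody applies the CHAP-less variant by mistake.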


@@ -0,0 +1,32 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: democratic-csi
labels:
- pairs:
app.kubernetes.io/instance: csi-synology
resources:
- namespace.yaml
- rbac.yaml
- democratic-csi.yaml
- secrets.yaml
- storageclass.yaml
patches:
- patch: |
kind: Deployment
apiVersion: apps/v1
metadata:
name: csi-synology-democratic-csi-controller
namespace: democratic-csi
spec:
template:
spec:
hostNetwork: true
images:
- name: docker.io/democraticcsi/democratic-csi
newName: ghcr.io/democratic-csi/democratic-csi
digest: sha256:da41c0c24cbcf67426519b48676175ab3a16e1d3e50847fa06152f5eddf834b1
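Review bot: the `hostNetwork: true` patch on the controller Deployment is why `democratic-csi` has to appear in the `disallow-hostnetwork-binding` exclusion list, but nothing here records why the controller needs the host network namespace; add a comment (presumably reaching `storage0.pyrocufflink.blue` on the storage VLAN, per the policy README) so the exemption is not removed or widened blindly. Pinning the image by `digest:` is good and is what makes the `:latest` tag in the Deployment safe.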


@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: democratic-csi

democratic-csi/rbac.yaml Normal file

@@ -0,0 +1,316 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: csi-synology-democratic-csi-controller-sa
namespace: democratic-csi
labels:
app.kubernetes.io/name: democratic-csi
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: csi-synology-democratic-csi-node-sa
namespace: democratic-csi
labels:
app.kubernetes.io/name: democratic-csi
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-synology-democratic-csi-controller-cr
labels:
app.kubernetes.io/name: democratic-csi
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- create
- apiGroups:
-
resources:
- persistentvolumes
verbs:
- create
- delete
- get
- list
- watch
- update
- patch
- apiGroups:
-
resources:
- secrets
verbs:
- get
- list
- apiGroups:
-
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
-
resources:
- persistentvolumeclaims
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
-
resources:
- persistentvolumeclaims/status
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
-
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments/status
verbs:
- patch
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch
- apiGroups:
- csi.storage.k8s.io
resources:
- csidrivers
verbs:
- get
- list
- watch
- update
- create
- apiGroups:
-
resources:
- events
verbs:
- list
- watch
- create
- update
- patch
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshotclasses
verbs:
- get
- list
- watch
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots/status
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshotcontents
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshotcontents/status
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
- apiGroups:
- csi.storage.k8s.io
resources:
- csinodeinfos
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- watch
- list
- delete
- update
- create
- apiGroups:
- storage.k8s.io
resources:
- csistoragecapacities
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
-
resources:
- pods
verbs:
- get
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs:
- get
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-synology-democratic-csi-node-cr
labels:
app.kubernetes.io/name: democratic-csi
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- create
- apiGroups:
-
resources:
- nodes
verbs:
- get
- list
- watch
- update
- apiGroups:
-
resources:
- persistentvolumes
verbs:
- get
- list
- watch
- update
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments
verbs:
- get
- list
- watch
- update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-synology-democratic-csi-controller-rb
labels:
app.kubernetes.io/name: democratic-csi
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: csi-synology-democratic-csi-controller-cr
subjects:
- kind: ServiceAccount
name: csi-synology-democratic-csi-controller-sa
namespace: democratic-csi
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-synology-democratic-csi-node-rb
labels:
app.kubernetes.io/name: democratic-csi
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: csi-synology-democratic-csi-node-cr
subjects:
- kind: ServiceAccount
name: csi-synology-democratic-csi-node-sa
namespace: democratic-csi
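Review bot: the controller ClusterRole grants `get`/`list` on `secrets` in the core API group cluster-wide, which lets `csi-synology-democratic-csi-controller-sa` read every Secret in the cluster, not just the two in `democratic-csi` that the StorageClass references (`synology-iscsi-provisioner`, `synology-iscsi-chap`). Since the StorageClass pins both `provisioner-secret-namespace` and `node-stage-secret-namespace` to `democratic-csi`, move that rule into a namespaced `Role` in `democratic-csi` with a `RoleBinding` to the controller ServiceAccount. The node ClusterRole's `create` on `customresourcedefinitions` and the legacy `csi.storage.k8s.io` `csidrivers`/`csinodeinfos` rules look like upstream chart leftovers that can be dropped.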


@@ -0,0 +1,73 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: csi-synology-democratic-csi-driver-config
namespace: democratic-csi
labels: &labels
app.kubernetes.io/name: synology-iscsi-driver-config
app.kubernetes.io/component: democratic-csi
app.kubernetes.io/part-of: democratic-csi
spec:
encryptedData:
synology.password: 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
template:
metadata:
name: csi-synology-democratic-csi-driver-config
namespace: democratic-csi
data:
driver-config-file.yaml: |
driver: synology-iscsi
httpConnection:
protocol: https
host: storage0.pyrocufflink.blue
port: 5001
username: democratic-csi
password: {{ index . "synology.password" }}
allowInsecure: true
session: democratic-csi
serialize: true
iscsi:
targetPortal: '[fd68:c2d2:500e:3ea3:8d42:e33e:264b:7c30]:3260'
baseiqn: iqn.2000-01.com.synology:csi.
lunTemplate:
type: BLUN
targetTemplate:
auth_type: 2 # 0: None; 1: CHAP; 2: Mutual CHAP
max_sessions: 0 # 0: Unlimited
chap: true
mutual_chap: true
lunSnapshotTemplate:
is_app_consistent: true
is_locked: true
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: synology-iscsi-provisioner
namespace: democratic-csi
spec:
encryptedData:
targetTemplate: 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
template:
metadata:
name: synology-iscsi-provisioner
namespace: democratic-csi
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: synology-iscsi-chap
namespace: democratic-csi
spec:
encryptedData:
node-db.node.session.auth.password: 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
node-db.node.session.auth.password_in: AgCMw56LgARt7/dn2WhebQIv+uNLkGUxBkgbYOw+Po9eqgk622F7Y6pVWRAwicdPBM2cjnSrGjPO7nzgXhD0GIbW44WyvwM2w+n5klWmSC9prK+Orup3TMty2hKnSMLOR3rIfpUiRJ0NFvGkTvPzQ/ZDX3O4c88oG6UGVG3B4bQu6Kn5GJ5is2XAnh2dipBx18kLpEmL3hMMqpAy2x0qyf8vJxy39ZvAntk69ziliumqpxePecvbLPkkh2A1jwZR0guBDvBiksvoOyh+P7hTxj3ioVC3HZ4+i52tuvfqugo+INqKJfr15k6fA2cTFEHJ8kwkPtFQCA3bbvRAbcjl0malOIqBFBFwbJYvcauXZGP9m1uoMRni3FHn+1YkBdsvSnw66aYHc4gjN8VrLSziYH72TH8XJ6jEikeK5+nCN2+uhC+AetEUFcLCNM7sKXlS7pzIOQiZ3oB7FcQrsSUkt1Zjax5F6i0reRTdZd/qPLvt65NFwjG/a3yMLf141aHSRog+HGugm4/1A2USGmURmwGSVwAjfrK7b/dj3tMOG8BI4vVJ0UCyw65v0R9h4VEORyr4sXTgNx2+5HewEskDt3LyMzmw4Y6Sw2ftZmQxNEsSy+8BEF4zZj6foIAGuLShjI+4BR9aGnX4maL7IjR6cmj6qwinybfFYAMSx23Icw/aXUBgJ6Slgnd6l96g2RWcNGDxWM8Wq6p2W9VHvDY=
node-db.node.session.auth.username: 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
node-db.node.session.auth.username_in: AgCT8KR/4GNoDa/TIv6YykoDaGKIP5yXkC/krWFYU5lBMSc3DreECmmow88/5xB4v+5dVt9eE7bJkgPqsUVNXlzDXpSSB/TS2iM/3sAd4ZHzZroTLIf+0QnDC2ZrybokcdmCjkFUgnDzJ9Vs+GqjUjL97LHPbTMc8ONwgiy6YmKLpc11V+JxWqSsKwGPM9ObdmI9rh/IZa19sksh86va3oqjDfElXEwKFkztV1f/NHCsWsuuov/Ku6Lisk5X0JIMKPTUUza0q3tZlJ/NotxNydHef+PA9R648XURQs/xp/hzrdttuMzxo7gT0YEsr8y9h7xlTPlR8we7/igjUMmS+ORRafg5m6PpHWanDxtHafhw9wfmvh0wEgXjC8Sz6Ub3Q9idBlHock60h+uyfsdlP3A2qMjdUXr0dFNBwXcGTaM/n5T18gO05/JSUv7CEdiuSlMnPjYzChAHDSCzxblk8CRDTcSjsSMvVBPjr5L+KQqGj3f6mm3lQnPwzXprS0//SsehRReAvbX5eGfd8Bu8nhRRtgEXvLqQdC7WxbWe0QjwB5ZRHt/4v5N1K8TXo8h6iZ6fcEtTfloMH07TitdwdYQm4uG7dfA7PA9KuqDs+R+phGFGWuzq1cMtp+hOJ6XpFgGyVhYAL/lyl3DddT1o9o7UhDCi4w7nSyxVamwyaGuUsF3lX2TyGVPjdGN1D5dlhRJ8YSPMDWOrZw==
template:
metadata:
name: synology-iscsi-chap
namespace: democratic-csi
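Review bot: `allowInsecure: true` in the rendered `driver-config-file.yaml` disables certificate verification for the HTTPS connection to `storage0.pyrocufflink.blue:5001`, so the `democratic-csi` DSM password is sent to whatever answers on that address; issue the NAS a certificate the cluster trusts (or pin its certificate) and set this to `false`. Separately, the `&labels` anchor on the first SealedSecret is defined but never referenced, so the generated `Secret` carries no labels; add `labels: *labels` under `template.metadata` as the Jenkins secrets do.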


@@ -0,0 +1,20 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: synology-iscsi
allowVolumeExpansion: true
provisioner: org.democratic-csi.iscsi-synology
parameters:
fsType: xfs
csi.storage.k8s.io/provisioner-secret-name: synology-iscsi-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: democratic-csi
csi.storage.k8s.io/node-stage-secret-name: synology-iscsi-chap
csi.storage.k8s.io/node-stage-secret-namespace: democratic-csi
---
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
name: synology-iscsi
driver: org.democratic-csi.iscsi-synology
deletionPolicy: Delete
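Review bot: neither `reclaimPolicy` nor `volumeBindingMode` is set, so the StorageClass defaults to `Delete`: removing a PVC deletes the backing LUN on the NAS, and the `VolumeSnapshotClass` likewise uses `deletionPolicy: Delete`. That is fine for scratch data, but the Jenkins workspace and Alertmanager volumes moved onto this class elsewhere in this change are not obviously disposable, so state the choice explicitly (`reclaimPolicy: Delete`) or use `Retain` so the decision is visible in review.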


@@ -1,20 +1,3 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: dynk8s-provisioner-pvc
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner-pvc
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: dynk8s-provisioner
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: apps/v1
kind: StatefulSet
@@ -70,8 +53,7 @@ spec:
serviceAccountName: dynk8s-provisioner
volumes:
- name: dynk8s-provisioner
persistentVolumeClaim:
claimName: dynk8s-provisioner-pvc
emptyDir: {}
---
apiVersion: v1
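Review bot: replacing the `persistentVolumeClaim` with `emptyDir: {}` means whatever `dynk8s-provisioner` keeps at that mount is discarded every time the pod is rescheduled, and with the PVC deleted in the same change the existing PersistentVolume is released (and removed under a `Delete` reclaim policy). If the directory is only a cache this is fine, but then the workload no longer needs to be a StatefulSet; otherwise keep the claim or note in the manifest why the state is disposable.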


@@ -36,6 +36,16 @@ patches:
spec:
template:
spec:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
containers:
- name: firefly-iii
volumeMounts:
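Review bot: `preferredDuringSchedulingIgnoredDuringExecution` only biases scheduling; when the amd64 nodes are full or cordoned the pod can still land on one of the Raspberry Pi nodes. If `docker.io/fireflyiii/core` is amd64-only that ends in an exec-format crash loop, so use `requiredDuringSchedulingIgnoredDuringExecution` (or a `kubernetes.io/arch: amd64` nodeSelector as the `kitchen` manifest does); keep `preferred` only if the image is multi-arch and this is purely a performance preference.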
@@ -55,4 +65,4 @@ patches:
defaultMode: 0640
images:
- name: docker.io/fireflyiii/core
newTag: version-6.2.20
newTag: version-6.4.2


@@ -60,6 +60,7 @@ spec:
port: http
path: /api/health
periodSeconds: 60
timeoutSeconds: 5
startupProbe:
<<: *probe
periodSeconds: 1
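Review bot: because `startupProbe` merges `*probe` with `<<:`, the new `timeoutSeconds: 5` applies to the startup probe as well, alongside its `periodSeconds: 1`; that is harmless, but confirm the startup `failureThreshold` (outside this hunk) still yields the intended startup budget, since each failed attempt can now take up to 5 s before the next one is scheduled.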


@@ -152,18 +152,14 @@ patches:
images:
- name: ghcr.io/home-assistant/home-assistant
newTag: 2025.7.1
newTag: 2025.9.2
- name: docker.io/rhasspy/wyoming-whisper
newTag: 2.5.0
- name: docker.io/rhasspy/wyoming-piper
newTag: 1.6.2
newTag: 1.6.3
- name: ghcr.io/koenkk/zigbee2mqtt
newTag: 2.4.0
newTag: 2.6.1
- name: ghcr.io/zwave-js/zwave-js-ui
newTag: 10.7.0
newTag: 11.2.1
- name: docker.io/library/eclipse-mosquitto
newTag: 2.0.22
- name: docker.io/koenkk/zigbee2mqtt
newTag: 2.5.1
- name: docker.io/zwavejs/zwave-js-ui
newTag: 10.9.0


@@ -55,18 +55,6 @@ spec:
app.kubernetes.io/name: mosquitto
app.kubernetes.io/part-of: home-assistant
spec:
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- home-assistant
topologyKey: kubernetes.io/hostname
containers:
- name: mosquitto
image: docker.io/library/eclipse-mosquitto:2.0.15


@@ -37,17 +37,15 @@ spec:
app.kubernetes.io/part-of: home-assistant
spec:
affinity:
podAffinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- home-assistant
topologyKey: kubernetes.io/hostname
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
containers:
- name: piper
image: docker.io/rhasspy/wyoming-piper:1.3.2
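Review bot: the swap drops co-location with `home-assistant` in favour of a preferred amd64 placement; as with firefly-iii, `preferred` does not stop the scheduler placing the pod on a non-amd64 node, so if `docker.io/rhasspy/wyoming-piper` is amd64-only this should be `required`. The same block is copied verbatim into the whisper manifest; one Kustomize patch targeting both Deployments would keep them in sync.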


@@ -37,17 +37,15 @@ spec:
app.kubernetes.io/part-of: home-assistant
spec:
affinity:
podAffinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- home-assistant
topologyKey: kubernetes.io/hostname
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
containers:
- name: whisper
image: docker.io/rhasspy/wyoming-whisper:1.0.0
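Review bot: same point as for piper: `preferredDuringSchedulingIgnoredDuringExecution` on `kubernetes.io/arch` is a hint, not a constraint, so verify `docker.io/rhasspy/wyoming-whisper` runs on every architecture in the cluster or make the affinity `required`.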


@@ -154,8 +154,6 @@ spec:
while sleep 60; do php artisan schedule:run; done
env: *env
envFrom: *envFrom
securityContext:
readOnlyRootFilesystem: true
volumeMounts: *mounts
enableServiceLinks: false
affinity:
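Review bot: removing `readOnlyRootFilesystem: true` from the `php artisan schedule:run` container is a hardening regression with no explanation in the hunk. If the scheduler needs to write somewhere, mount a writable `emptyDir` at just those paths and keep the root filesystem read-only; the container already shares `*mounts` with the main container, so the extra mount may only need adding there.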


@@ -1,98 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: buildroot-hudpi
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: buildroot-hudpi
app.kubernetes.io/component: hudpi
spec:
accessModes:
- ReadWriteOnce
storageClassName: ''
capacity:
storage: 64G
iscsi:
targetPortal: '[fd68:c2d2:500e:3ea3:8d42:e33e:264b:7c30]:3260'
iqn: iqn.2000-01.com.synology:storage0.Buildroot-hudpi.8181625090
lun: 1
chapAuthDiscovery: false
chapAuthSession: true
fsType: ext4
secretRef:
name: buildroot-hudpi-iscsi
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: network.du5t1n.me/storage
operator: In
values:
- 'true'
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: buildroot-hudpi
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: buildroot-hudpi
app.kubernetes.io/component: hudpi
spec:
accessModes:
- ReadWriteOnce
storageClassName: ''
resources:
requests:
storage: 64Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: buildroot-airplaypi
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: buildroot-airplaypi
app.kubernetes.io/component: airplaypi
spec:
accessModes:
- ReadWriteOnce
storageClassName: ''
capacity:
storage: 32Gi
iscsi:
targetPortal: '[fd68:c2d2:500e:3ea3:8d42:e33e:264b:7c30]:3260'
iqn: iqn.2000-01.com.synology:storage0.Buildroot-airplaypi.8181625090
lun: 1
chapAuthDiscovery: false
chapAuthSession: true
fsType: ext4
secretRef:
name: buildroot-airplaypi-iscsi
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: network.du5t1n.me/storage
operator: In
values:
- 'true'
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: buildroot-airplaypi
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: buildroot-airplaypi
app.kubernetes.io/component: airplaypi
spec:
accessModes:
- ReadWriteOnce
storageClassName: ''
resources:
requests:
storage: 32Gi
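Review bot: deleting these statically provisioned PVs and PVCs (`storageClassName: ''`) removes only the Kubernetes objects; the LUNs behind `iqn.2000-01.com.synology:storage0.Buildroot-hudpi...` and `...Buildroot-airplaypi...` stay on the NAS. The change adds a CSI-provisioned `buildroot-airplaypi` PVC in `workspace-volume.yaml` but nothing for `buildroot-hudpi`, so confirm the hudpi data has been migrated or is no longer needed, and decommission the old LUNs and their CHAP accounts on the NAS.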


@@ -1,170 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: portage
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: portage
app.kubernetes.io/component: gentoo
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 4Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: binpkgs
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: binpkgs
app.kubernetes.io/component: gentoo
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: gentoo-dist
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: gentoo-dist
app.kubernetes.io/component: gentoo
data:
rsyncd.conf: |+
[gentoo-portage]
path = /var/db/repos/gentoo
[binpkgs]
path = /var/cache/binpkgs
---
apiVersion: v1
kind: Service
metadata:
name: gentoo-dist
namespace: jenkins-jobs
spec:
selector:
app.kubernetes.io/name: gentoo-dist
app.kubernetes.io/component: gentoo
ports:
- name: rsync
port: 873
targetPort: rsync
type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gentoo-dist
namespace: jenkins-jobs
labels: &labels
app.kubernetes.io/name: gentoo-dist
app.kubernetes.io/component: gentoo
spec:
selector:
matchLabels: *labels
template:
metadata:
labels: *labels
spec:
containers:
- name: rsync
image: docker.io/gentoo/stage3
command:
- /usr/bin/rsync
- --daemon
- --no-detach
- --port=8873
- --log-file=/dev/stderr
ports:
- name: rsync
containerPort: 8873
securityContext:
readOnlyRootFilesystem: true
runAsUser: 250
runAsGroup: 250
volumeMounts:
- mountPath: /etc/rsyncd.conf
name: config
subPath: rsyncd.conf
- mountPath: /var/db/repos/gentoo
name: portage
- mountPath: /var/cache/binpkgs
name: binpkgs
volumes:
- name: binpkgs
persistentVolumeClaim:
claimName: binpkgs
- name: config
configMap:
name: gentoo-dist
- name: portage
persistentVolumeClaim:
claimName: portage
---
apiVersion: batch/v1
kind: Job
metadata:
name: emerge-webrsync
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: emerge-webrsync
app.kubernetes.io/component: gentoo
spec:
template:
spec:
containers:
- name: sync
image: docker.io/gentoo/stage3
command:
- emerge-webrsync
volumeMounts:
- mountPath: /var/db/repos/gentoo
name: portage
restartPolicy: OnFailure
volumes:
- name: portage
persistentVolumeClaim:
claimName: portage
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: sync-portage
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: sync-portage
app.kubernetes.io/component: gentoo
spec:
schedule: 4 19 * * *
jobTemplate:
spec:
template:
spec:
containers:
- name: sync
image: docker.io/gentoo/stage3
command:
- emaint
- sync
volumeMounts:
- mountPath: /var/db/repos/gentoo
name: portage
restartPolicy: OnFailure
volumes:
- name: portage
persistentVolumeClaim:
claimName: portage
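Review bot: this deletes the `portage` and `binpkgs` PVCs along with the rsync Deployment, Jobs and the NodePort Service; whether the data survives depends on the reclaim policy of the default StorageClass, so confirm that before applying. Removing the NodePort exposure of an rsync daemon whose `rsyncd.conf` configures no `auth users` is a welcome side effect.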


@@ -9,9 +9,8 @@ resources:
- jenkins.yaml
- secrets.yaml
- iscsi.yaml
- gentoo-storage.yaml
- ssh-host-keys
- buildroot-iscsi.yaml
- workspace-volume.yaml
patches:
- patch: |


@@ -73,47 +73,3 @@ spec:
name: rpm-gpg-key-passphrase
namespace: jenkins
type: Opaque
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: buildroot-hudpi-iscsi
namespace: jenkins-jobs
labels: &labels
app.kubernetes.io/component: hudpi
app.kubernetes.io/name: buildroot-hudpi
app.kubernetes.io/part-of: buildroot
spec:
encryptedData:
node.session.auth.password: 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
node.session.auth.password_in: 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
node.session.auth.username: 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
node.session.auth.username_in: 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
template:
metadata:
labels: *labels
name: buildroot-hudpi-iscsi
namespace: jenkins-jobs
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: buildroot-airplaypi-iscsi
namespace: jenkins-jobs
labels: &labels
app.kubernetes.io/component: airplaypi
app.kubernetes.io/name: buildroot-airplaypi
app.kubernetes.io/part-of: buildroot
spec:
encryptedData:
node.session.auth.password: AgAAAH0omRLHXikdZ6mGXPxfQJv59KAgcDpGREhmT2EG3oNrt9Ow3kDQua3oiPdZcxwG5mimJ6nBPEOFRLPYaj46BUWlZWfvDGOVPwaIXOuO6oRvkwXHu7zcu8qIgh2hNcJNNjrRhwxMVa/IYJpQSZDotv0FIw+RQCY58SvuB/viyVjG5EcZYm69dDn9SQD8lIJvtHXRaezKOvSwQmnPsEYbqCnobsTKTciVbRXBkODOAzayZug4UdyeVrexgyqE9Uym/dPLRdnIIuW3mf3z3QVvKfYC89ETa9Rr4q34pb/2b1cuaHjmK40i2HOnLAgkdmnUdsm+0ulqxMTjhlXsAjZcR5qH5TqHnB/lFJxlJfoQsMFV3lcqq909xO4a70/AnTHF+unxzlrQXBQZ0ojO2iEPU2LNniSv12Mq2S6hx2riGD0PvfxmzkdbH6q2tXCn+7Tgwkx10QsSGk01Q/OCvrPKtCuSABfh+ODGJ4kcRFhF9nIi0AaYQytPNeRLgKpcgN64zqbsP1zolhimh/U6RHDEQabufl32Nn7GblaO+eiu9+jK2QpTE5mNg05rA8IFACb+jNdiWViaEIUXSvUjmPj5BhNwqe3AknqdrPOsVq+RYlmRkbiOyJxlVYfjUS/Ps8LGySUtb6tMYhFXqffbmxFY9dVTIhN6U2z6WSgxVzxEIFp5BHpoYOzTdLowOfleFFelmFCMDA6Ovsua3jI=
node.session.auth.password_in: 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
node.session.auth.username: 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
node.session.auth.username_in: 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
template:
metadata:
name: buildroot-airplaypi-iscsi
namespace: jenkins-jobs
labels: *labels
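Review bot: the removed SealedSecrets held the CHAP credentials for the retired static iSCSI targets; the sealed blobs remain in git history and the cluster's sealing key can still decrypt them, so rotate or delete the corresponding CHAP accounts on the NAS rather than relying on the Kubernetes objects being gone.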


@@ -0,0 +1,15 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: buildroot-airplaypi
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: buildroot-airplaypi
app.kubernetes.io/component: jenkins
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100Gi
storageClassName: synology-iscsi


@@ -0,0 +1,36 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: jenkins.k8s-reboot-coordinator
labels:
app.kubernetes.io/name: jenkins.k8s-reboot-coordinator
app.kubernetes.io/component: k8s-reboot-coordinator
app.kubernetes.io/part-of: k8s-reboot-coordinator
rules:
- apiGroups:
- apps
resources:
- daemonsets
resourceNames:
- k8s-reboot-coordinator
verbs:
- get
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: jenkins.k8s-reboot-coordinator
labels:
app.kubernetes.io/name: jenkins.k8s-reboot-coordinator
app.kubernetes.io/component: k8s-reboot-coordinator
app.kubernetes.io/part-of: k8s-reboot-coordinator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: jenkins.k8s-reboot-coordinator
subjects:
- kind: ServiceAccount
name: default
namespace: jenkins-jobs
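Review bot: this binds the `default` ServiceAccount of `jenkins-jobs` to `get`/`patch` on the `k8s-reboot-coordinator` DaemonSet in `kube-system` (the Kustomization sets `namespace: kube-system`). Every pod in `jenkins-jobs` that does not set `serviceAccountName`, which is every Jenkins job pod by default, inherits that, and `patch` on a DaemonSet is not limited to a restart annotation: it covers the pod template, so it amounts to control over a workload that `kube-system` exempts from the host-network policy and whose job is to reboot nodes. Create a dedicated ServiceAccount used only by the job that needs this, and record in a comment which field that job actually patches.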


@@ -0,0 +1,37 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
labels:
- pairs:
app.kubernetes.io/instance: k8s-reboot-coordinator
includeSelectors: true
resources:
- https://git.pyrocufflink.net/dustin/k8s-reboot-coordinator//kubernetes?ref=master
- service.yaml
- jenkins.yaml
images:
- name: k8s-reboot-coordinator
newName: git.pyrocufflink.net/packages/k8s-reboot-coordinator
newTag: latest
patches:
- patch: |-
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: k8s-reboot-coordinator
spec:
template:
spec:
containers:
- name: k8s-reboot-coordinator
imagePullPolicy: Always
env:
- name: RUST_LOG
value: k8s_reboot_coordinator=debug,info
imagePullSecrets:
- name: imagepull-gitea
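Review bot: `newTag: latest` with `imagePullPolicy: Always`, plus the remote base pulled from `ref=master`, means the node-reboot DaemonSet runs whatever was last pushed, with no record in this repo of what is deployed; pin the remote to a tag or commit and the image to a digest as the democratic-csi Kustomization does. `RUST_LOG=k8s_reboot_coordinator=debug` is also more than steady state needs once the deploy is verified.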


@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: &name k8s-reboot-coordinator
labels: &labels
app.kubernetes.io/name: *name
app.kubernetes.io/component: *name
app.kubernetes.io/part-of: *name
spec:
selector: *labels
ports:
- port: 8000
targetPort: http
name: http


@@ -49,6 +49,8 @@ spec:
mountPath: /kitchen.yaml
subPath: config.yaml
readOnly: true
nodeSelector:
kubernetes.io/arch: amd64
securityContext:
runAsNonRoot: true
runAsUser: 17402


@@ -48,8 +48,9 @@ spec:
calendar_url: >-
https://nextcloud.pyrocufflink.net/remote.php/dav/calendars/B53DE34E-D21F-46AA-B0F4-1EC0933AE220/projects_shared_by_332E433E-43B2-4E3D-A0A0-EB264C624707/
dtex: &dtex
<<: *credentials
calendar_url: >-
https://outlook.office365.com/owa/calendar/0f775a4f7bba4abe91d2684668b0b04f@dtexsystems.com/5f42742af8ae4f8daaa810e1efca6e9e8531195936760897056/S-1-8-960331003-2552388381-4206165038-1812416686/reachcalendar.ics
https://nextcloud.pyrocufflink.net/remote.php/dav/calendars/B53DE34E-D21F-46AA-B0F4-1EC0933AE220/pyrocufflinknet-1/?export
agenda:
calendars:
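Review bot: the Outlook published-calendar URL on the removed line is a capability URL (the long path is the only thing protecting the feed) and it stays readable in git history, so unpublish or regenerate that calendar share on the Office 365 side. The replacement Nextcloud `?export` URL sits under `dtex`, which merges `*credentials`, so it is fetched authenticated and is fine as written.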


@@ -0,0 +1,20 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: music-assistant
labels:
app.kubernetes.io/name: music-assistant
app.kubernetes.io/component: music-assistant
spec:
ingressClassName: nginx
rules:
- host: music.pyrocufflink.blue
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: music-assistant
port:
name: http
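Review bot: the Ingress has no `tls:` section and no authentication annotations, so `music.pyrocufflink.blue` is plain HTTP unless the `nginx` class applies a default certificate, and the Music Assistant UI is reachable by anyone who can reach the ingress controller; confirm the controller's default TLS handling and whether the application's own login is enabled, or put it behind the forward-auth that Authelia provides in this cluster.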


@@ -0,0 +1,21 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: music-assistant
labels:
- pairs:
app.kubernetes.io/instance: music-assistant
includeSelectors: true
- pairs:
app.kubernetes.io/part-of: music-assistant
includeTemplates: true
resources:
- namespace.yaml
- music-assistant.yaml
- ingress.yaml
images:
- name: ghcr.io/music-assistant/server
newTag: 2.6.0b18


@@ -0,0 +1,78 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: music-assistant
labels: &labels
app.kubernetes.io/name: music-assistant
app.kubernetes.io/component: music-assistant
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
name: music-assistant
labels: &labels
app.kubernetes.io/name: music-assistant
app.kubernetes.io/component: music-assistant
spec:
ports:
- port: 8095
name: http
selector: *labels
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: music-assistant
labels: &labels
app.kubernetes.io/name: music-assistant
app.kubernetes.io/component: music-assistant
spec:
serviceName: music-assistant
selector:
matchLabels: *labels
template:
metadata:
labels: *labels
spec:
containers:
- name: music-assistant
image: ghcr.io/music-assistant/server
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8095
name: http
readinessProbe: &probe
httpGet:
port: http
path: /
failureThreshold: 3
periodSeconds: 60
successThreshold: 1
timeoutSeconds: 1
startupProbe:
<<: *probe
failureThreshold: 90
periodSeconds: 1
volumeMounts:
- mountPath: /data
name: music-assistant-data
subPath: data
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
securityContext:
runAsNonRoot: true
runAsUser: 8095
runAsGroup: 8095
fsGroup: 8095
volumes:
- name: music-assistant-data
persistentVolumeClaim:
claimName: music-assistant
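Review bot: `hostNetwork: true` puts this pod in the node's network namespace, which is exactly what the policy README calls out as dangerous because nodes sit on the storage VLAN, and the binding exempts the whole `music-assistant` namespace for it. If host networking is only needed for multicast/mDNS player discovery, add a `nodeSelector` or node affinity that keeps the pod on a node without storage-VLAN access (the retired buildroot PVs used a `network.du5t1n.me/storage` node label that could be reused with `NotIn`), since NetworkPolicy does not apply to host-network pods. `runAsNonRoot` with uid/gid 8095 is good; `readOnlyRootFilesystem: true` and dropping capabilities would round it out.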


@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: music-assistant
labels:
app.kubernetes.io/name: music-assistant


@@ -20,4 +20,4 @@ configMapGenerator:
images:
- name: docker.io/binwiederhier/ntfy
newTag: v2.13.0
newTag: v2.14.0


@@ -45,8 +45,8 @@ patches:
images:
- name: ghcr.io/paperless-ngx/paperless-ngx
newTag: 2.17.1
newTag: 2.18.4
- name: docker.io/gotenberg/gotenberg
newTag: 8.21.1
newTag: 8.24.0
- name: docker.io/apache/tika
newTag: 3.2.1.0
newTag: 3.2.3.0

policy/README.md Normal file

@@ -0,0 +1,30 @@
# Cluster Policies
## Validating Admission Policy
To enable (prior to Kubernetes v1.30):
1. Add the following to `apiServer.extraArgs` in the `ClusterConfiguration` key
of the `kubeadm-config` ConfigMap:
```yaml
feature-gates: ValidatingAdmissionPolicy=true
runtime-config: admissionregistration.k8s.io/v1beta1=true
```
2. Redeploy the API servers using `kubeadm`:
```sh
doas kubeadm upgrade apply v1.29.15 --yes
```
### disallow-hostnetwork
This policy prevents pods from running in the host's network namespace. This is
especially important because most nodes are connected to the storage network
VLAN, so allowing pods to use the host network namespace would give them access
to the iSCSI LUNs and NFS shares on the NAS.
If a trusted pod needs to run in the host's network namespace, its Kubernetes
namespace can be listed in the exclusion list of the
`disallow-hostnetwork-binding` policy binding resource.
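Review bot: the enable steps are specific to v1.29 (`feature-gates`, `runtime-config` for `v1beta1`, `kubeadm upgrade apply v1.29.15`); once the cluster moves to v1.30 or later the policy objects should switch to `admissionregistration.k8s.io/v1` and those two `extraArgs` come out again, so say so here. It is also worth stating that the exclusion is by namespace name: anyone who can create pods in an excluded namespace (`kube-system`, `democratic-csi`, ...) bypasses the policy, which is why RBAC reaching into those namespaces, such as the Jenkins binding added in this change, deserves the same scrutiny.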


@@ -0,0 +1,43 @@
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: disallow-hostnetwork
spec:
matchConstraints:
resourceRules:
- apiGroups:
- ''
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- pods
validations:
- expression: >-
!has(object.spec.hostNetwork) || !object.spec.hostNetwork
message: >-
Pods must not use hostNetwork: true
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: disallow-hostnetwork-binding
spec:
policyName: disallow-hostnetwork
validationActions:
- Deny
matchResources:
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values:
- calico-system
- democratic-csi
- keepalived
- kube-system
- music-assistant
- tigera-operator
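Review bot: the CEL expression is correct, but `validationActions: [Deny]` alone leaves no trace of rejected pods beyond the client's error; add `Audit` (and optionally `Warn`) so attempts show up in the audit log. The `NotIn` exclusion list is fail-open for every namespace on it, so keep it minimal: `music-assistant` is a user-facing application rather than infrastructure and is the first candidate to remove once its scheduling is constrained. Plan the `v1beta1` to `v1` change together with the 1.30 upgrade.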


@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- disallow-hostnetwork.yaml


@@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
resources:
- https://github.com/kubernetes-csi/external-snapshotter//client/config/crd?ref=v8.3.0
- https://github.com/kubernetes-csi/external-snapshotter//deploy/kubernetes/snapshot-controller?ref=v8.3.0


@@ -27,4 +27,4 @@ configMapGenerator:
images:
- name: ghcr.io/dani-garcia/vaultwarden
newTag: 1.34.1-alpine
newTag: 1.34.3-alpine


@@ -70,6 +70,7 @@ spec:
- name: config
configMap:
name: alertmanager
podManagementPolicy: Parallel
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
@@ -83,4 +84,4 @@ spec:
- ReadWriteOnce
resources:
requests:
storage: 4G
storage: 500M
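Review bot: `volumeClaimTemplates` and `podManagementPolicy` are immutable on an existing StatefulSet, so changing `storage: 4G` to `500M` and adding `podManagementPolicy: Parallel` will be rejected by the API server unless the StatefulSet is deleted and recreated (`kubectl delete --cascade=orphan` keeps the pods running meanwhile); the existing `alertmanager-N` PVCs keep their 4G size regardless, since PVCs cannot be shrunk in place. Also `500M` is decimal; `500Mi` is probably what is meant.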


@@ -246,7 +246,9 @@ groups:
- alert: Last Backup Age
expr: >-
time() - restic_backup_timestamp{
client_hostname!="bw0.pyrocufflink.blue",
client_hostname!="luma.pyrocufflink.blue",
client_hostname!="purplepi.hatch",
client_hostname!="toad.pyrocufflink.blue",
}> 604800
annotations:
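Review bot: extending the `Last Backup Age` exclusion list silences the alert for `purplepi.hatch` and `toad.pyrocufflink.blue` with no note of why; prefer a short comment per host (decommissioned, backed up elsewhere) or remove the stale `restic_backup_timestamp` series at the source, so a host that quietly stops backing up is not hidden behind the exclusion.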


@@ -216,6 +216,16 @@ patches:
- --cluster.peer=alertmanager-0.alertmanager:9094
- --cluster.peer=alertmanager-1.alertmanager:9094
- patch: |
- op: add
path: /spec/volumeClaimTemplates/0/spec/storageClassName
value: synology-iscsi
target:
group: apps
version: v1
kind: StatefulSet
name: alertmanager
- patch: |
- op: add
path: /spec/volumeClaimTemplates/0/spec/storageClassName
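Review bot: adding `storageClassName` to `volumeClaimTemplates[0]` is the same immutable-field change as the size change in `alertmanager.yaml`, so it needs the same StatefulSet recreate, and existing `alertmanager-N` PVCs stay on their current class until they are deleted; apply both edits in one recreate rather than two.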


@@ -522,3 +522,19 @@ scrape_configs:
target_label: instance
- target_label: __address__
replacement: blackbox-exporter:9115
- job_name: music-assistant
metrics_path: /probe
params:
module:
- http
static_configs:
- targets:
- music.pyrocufflink.blue
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: blackbox-exporter:9115


@@ -136,17 +136,6 @@ spec:
- name: config
configMap:
name: vmagent
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: tmpdata
labels:
app.kubernetes.io/name: vmagent
app.kubernetes.io/component: vmagent
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 4G
- name: tmpdata
emptyDir: {}
podManagementPolicy: Parallel
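Review bot: removing `volumeClaimTemplates` from the `vmagent` StatefulSet is also an immutable-field change, so it needs a delete and recreate of the StatefulSet, and the orphaned `tmpdata-vmagent-N` PVCs must be deleted by hand afterwards. Moving the vmagent buffer to `emptyDir` means queued samples are lost on a reschedule; setting `emptyDir.sizeLimit` would stop a long remote-write outage from filling the node's disk.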