wip: dch-webhooks: secrets

20125/config.yml

@@ -1,94 +0,0 @@
-alertmanager:
-  url: http://alertmanager.victoria-metrics:9093
-
-system_wide:
-  alerts:
-  - alertgoup: Active Directory
-  - alertgoup: Longhorn
-  - alertgoup: PostgreSQL
-  - alertgoup: Restic
-  - alertgoup: Temperature
-  - job: authelia
-  - job: blackbox
-  - job: dns_pyrocufflink
-  - job: dns_recursive
-  - job: kubelet
-  - job: kubernetes
-  - job: minio-backups
-  - instance: db0.pyrocufflink.blue
-  - instance: gw1.pyrocufflink.blue
-  - instance: vmhost0.pyrocufflink.blue
-  - instance: vmhost1.pyrocufflink.blue
-
-applications:
-- name: Home Assistant
-  url: https://homeassistant.pyrocufflink.blue/
-  icon:
-    url: icons/home-assistant.svg
-  alerts:
-  - alertgroup: Home Assistant
-  - alertgroup: Frigate
-  - job: homeassistant
-  - instance: homeassistant.pyrocufflink.blue
-
-- name: Nextcloud
-  url: &url0 https://nextcloud.pyrocufflink.net/index.php
-  icon:
-    url: icons/nextcloud.png
-  alerts:
-  - instance: *url0
-  - instance: cloud0.pyrocufflink.blue
-
-- name: Invoice Ninja
-  url: &url1 https://invoiceninja.pyrocufflink.net/
-  icon:
-    url: icons/invoiceninja.svg
-    class: light-bg
-  alerts:
-  - instance: *url1
-
-- name: Jellyfin
-  url: https://jellyfin.pyrocufflink.net/
-  icon:
-    url: icons/jellyfin.svg
-  alerts:
-  - job: jellyfin
-
-- name: Vaultwarden
-  url: &url2 https://bitwarden.pyrocufflink.net/
-  icon:
-    url: icons/vaultwarden.svg
-    class: light-bg
-  alerts:
-  - instance: *url2
-  - alertgroup: Bitwarden
-
-- name: Paperless-ngx
-  url: &url3 https://paperless.pyrocufflink.blue/
-  icon:
-    url: icons/paperless-ngx.svg
-  alerts:
-  - instance: *url3
-  - alertgroup: Paperless-ngx
-  - job: paperless-ngx
-
-- name: Firefly III
-  url: &url4 https://firefly.pyrocufflink.blue/
-  icon:
-    url: icons/firefly-iii.svg
-  alerts:
-  - instance: *url4
-
-- name: Receipts
-  url: &url5 https://receipts.pyrocufflink.blue/
-  icon:
-    url: https://receipts.pyrocufflink.blue/static/icons/icon-512.png
-  alerts:
-  - instance: *url5
-
-- name: Music Assistant
-  url: &url6 https://music.pyrocufflink.blue/
-  icon:
-    url: https://music.pyrocufflink.blue/apple-touch-icon.png
-  alerts:
-  - instance: *url6

20125/ingress.yaml

@@ -1,25 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  annotations:
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    cert-manager.io/issuer: status-server-ca
-  labels: &labels
-    app.kubernetes.io/name: status-server
-  name: status-server
-spec:
-  tls:
-  - hosts:
-    - 20125.home
-    secretName: status-server-cert
-  rules:
-  - host: 20125.home
-    http:
-      paths:
-      - backend:
-          service:
-            name: status-server
-            port:
-              number: 80
-        path: /
-        pathType: Prefix

20125/kustomization.yaml

@@ -1,26 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: '20125'
-
-labels:
-- pairs:
-    app.kubernetes.io/instance: '20125'
-    app.kubernetes.io/part-of: '20125'
-  includeSelectors: true
-
-resources:
-- namespace.yaml
-- secrets.yaml
-- status-server-ca.yaml
-- status-server.yaml
-- ingress.yaml
-
-configMapGenerator:
-- name: 20125-config
-  files:
-  - config.yml
-
-images:
-- name: git.pyrocufflink.net/packages/20125.home
-  newTag: dev

20125/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: "20125"
-  labels:
-    app.kubernetes.io/name: '20125'

20125/secrets.yaml

@@ -1,13 +0,0 @@
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: imagepull-gitea
-  namespace: "20125"
-spec:
-  encryptedData:
-    .dockerconfigjson: AgAXY5XsnGF9E3RU9dnKXK9fWjqK0khCDf7n0vuJCLACrcM01aoWVSjl26+j7oSTTyc7t5C+EKPJnuKdlkNfh2Omw9Lh3dn8rPRYcBRmUEAyt0TvBVkxBIiP+49y39QEV1opYY+b1gLVJ5ZEC92u5uI9y8xovwx9wqtKLfQ+KCfc5m93AYaQJ9EcnV1DSEkv/HdtWNikQes2hO6pTLF/GHrh/s79eIeXMTm5oG/OyJWTOGQdy1SdoGWLLf31dsjhsJyGMYOtWx42Nou20lWqmdoy4Dd8OXuuhcfeDNzkH187mI4XpVjbS0M+P5teJsGiTwx+VyJlGQnEaquIiHy3KLt3YH/ltGeNeCNbFmSDa70A3IdP/t0cAXN20rlIFGVzqNrAOhMYtiTDEgaKOrL7mwM4i4NTCnLTA2nXU7gLEcLGPRqO7LKIhc1/6d1xWMT58SFjHAVklFt/lq1udY6zE8gXHp+RQ+7hIIEu500YiaKubvh2MsOKIqYOaX99Q4BW7PQhwjjwtFHFuwNjZn8wAbDq+3gsDSqgeFPgHAs7nPIImcBne/fTobsHhUVvxEnBNLCRtSqpkvOLzpgC+dRNsD6ZTcXPhFWTEOvjBMcUWqOTcRmd8DCsdxalM42x/ZQjlNlubZeuaNki+4pA80bYlsLWt3A2nWtcVbO/aAYrT1qiK/d8NZsPNidD0HE1rkUkCNv5KgXVWUfVU7ptX1YFpYXXuEIFeWzulH3gWmdW4q+t2nGHAqwkszZfijtpsexBttff1ym3rgBTGHFmQRkmSMbNHIAq29ehuVrxkH7uM8Q1cXXmMnGgre0ijtUfW9zMlx92jR86187xOLM3/hxANhfyt4eZVMwx8D42facMxxAngCi01vYTwqihA9mtBFkKlkQdKCH1NxgWQqwAJi87utgHoFivxeM+Pck7Zeottr0yzUEisdoBAdQR99hijR2C5SnC4iURnqfi9sloj0Uuo74SxiTGapA7pg77LmvpV9Wzu6QiEm944tftcZHwaMg=
-  template:
-    metadata:
-      name: imagepull-gitea
-      namespace: "20125"
-    type: kubernetes.io/dockerconfigjson

20125/status-server-ca.yaml

@@ -1,32 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: selfsigned-ca
-spec:
-  selfSigned: {}
-
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: status-server-ca
-spec:
-  isCA: true
-  commonName: 20125 CA
-  secretName: status-server-ca-secret
-  privateKey:
-    algorithm: ECDSA
-    size: 256
-  issuerRef:
-    name: selfsigned-ca
-    kind: Issuer
-    group: cert-manager.io
-
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: status-server-ca
-spec:
-  ca:
-    secretName: status-server-ca-secret

20125/status-server.yaml

@@ -1,51 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels: &labels
-    app.kubernetes.io/name: status-server
-    app.kubernetes.io/component: status-server
-  name: status-server
-spec:
-  ports:
-  - port: 80
-    protocol: TCP
-    targetPort: 20125
-  selector: *labels
-  type: ClusterIP
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels: &labels
-    app.kubernetes.io/name: status-server
-    app.kubernetes.io/component: status-server
-  name: status-server
-spec:
-  replicas: 1
-  selector:
-    matchLabels: *labels
-  template:
-    metadata:
-      labels: *labels
-    spec:
-      containers:
-      - name: status-server
-        image: git.pyrocufflink.net/packages/20125.home
-        imagePullPolicy: Always
-        env:
-        - name: RUST_LOG
-          value: info,status_server=debug
-        volumeMounts:
-        - mountPath: /usr/local/share/20125.home/config.yml
-          name: config
-          subPath: config.yml
-          readOnly: True
-      nodeSelector:
-        kubernetes.io/arch: amd64
-      imagePullSecrets:
-      - name: imagepull-gitea
-      volumes:
-      - name: config
-        configMap:
-          name: 20125-config

ansible/.gitignore

@@ -1,2 +0,0 @@
-ara/.secrets.toml
-host-provisioner.key

ansible/ara.yaml

@@ -1,88 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: ara
-  labels: &labels
-    app.kubernetes.io/name: ara
-    app.kubernetes.io/component: ara
-spec:
-  selector: *labels
-  type: ClusterIP
-  ports:
-  - name: http
-    port: 8000
-    targetPort: 8000
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: ara
-  labels: &labels
-    app.kubernetes.io/name: ara
-    app.kubernetes.io/component: ara
-spec:
-  selector:
-    matchLabels: *labels
-  template:
-    metadata:
-      labels: *labels
-    spec:
-      enableServiceLinks: false
-      containers:
-      - name: ara-api
-        image: quay.io/recordsansible/ara-api
-        imagePullPolicy: IfNotPresent
-        env:
-        - name: ARA_BASE_DIR
-          value: /etc/ara
-        - name: ARA_SETTINGS
-          value: /etc/ara/settings.toml
-        - name: SECRETS_FOR_DYNACONF
-          value: /etc/ara/.secrets.toml
-        ports:
-        - containerPort: 8000
-          name: http
-        readinessProbe: &probe
-          httpGet:
-            port: 8000
-            path: /api/
-            httpHeaders:
-            - name: Host
-              value: ara.ansible.pyrocufflink.blue
-          failureThreshold: 3
-          periodSeconds: 60
-          successThreshold: 1
-          timeoutSeconds: 5
-        startupProbe:
-          <<: *probe
-          failureThreshold: 30
-          initialDelaySeconds: 1
-          periodSeconds: 1
-          timeoutSeconds: 1
-        volumeMounts:
-        - mountPath: /etc/ara/settings.toml
-          name: config
-          subPath: settings.toml
-          readOnly: true
-        - mountPath: /etc/ara/.secrets.toml
-          name: secrets
-          subPath: .secrets.toml
-          readOnly: true
-        - mountPath: /tmp
-          name: tmp
-          subPath: tmp
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 7653
-        runAsGroup: 7653
-      volumes:
-      - name: config
-        configMap:
-          name: ara
-      - name: secrets
-        secret:
-          secretName: ara
-      - name: tmp
-        emptyDir:
-          medium: Memory

ansible/ara/settings.toml

@@ -1,38 +0,0 @@
-[default]
-ALLOWED_HOSTS = [
-    'ara.ansible.pyrocufflink.blue',
-]
-LOG_LEVEL = 'INFO'
-TIME_ZONE = 'UTC'
-
-EXTERNAL_AUTH = true
-READ_LOGIN_REQUIRED = false
-WRITE_LOGIN_REQUIRED = false
-
-DATABASE_ENGINE = 'django.db.backends.postgresql'
-DATABASE_HOST = 'postgresql.pyrocufflink.blue'
-DATABASE_NAME = 'ara'
-DATABASE_USER = 'ara'
-
-[default.DATABASE_OPTIONS]
-sslmode = 'verify-full'
-sslcert = '/run/secrets/ara/postgresql/tls.crt'
-sslkey = '/run/secrets/ara/postgresql/tls.key'
-sslrootcert = '/run/dch-ca/dch-root-ca.crt'
-
-[default.LOGGING]
-version = 1
-disable_existing_loggers = false
-
-[default.LOGGING.formatters.normal]
-format = '%(levelname)s %(name)s: %(message)s'
-
-[default.LOGGING.handlers.console]
-class = 'logging.StreamHandler'
-formatter = 'normal'
-level = 'INFO'
-
-[default.LOGGING.loggers.ara]
-handlers = ['console']
-level = 'INFO'
-propagate = false

ansible/host-provisioner.key.pub

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICoOO/ZYMxRgmyvqZwGN3NM5pHyh3NBdC7iZrXIopt93 Host Provisioner

ansible/ingress.yaml

@@ -1,32 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: ara
-  labels:
-    app.kubernetes.io/name: ara
-    app.kubernetes.io/component: ara
-  annotations:
-    cert-manager.io/cluster-issuer: dch-ca
-    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
-    nginx.ingress.kubernetes.io/auth-method: GET
-    nginx.ingress.kubernetes.io/auth-url: http://authelia.authelia.svc.cluster.local:9091/api/verify
-    nginx.ingress.kubernetes.io/auth-signin: https://auth.pyrocufflink.blue/?rm=$request_method
-    nginx.ingress.kubernetes.io/auth-snippet: |
-      proxy_set_header X-Forwarded-Method $request_method;
-spec:
-  ingressClassName: nginx
-  tls:
-  - hosts:
-    - ara.ansible.pyrocufflink.blue
-    secretName: ara-cert
-  rules:
-  - host: ara.ansible.pyrocufflink.blue
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: ara
-            port:
-              name: http

ansible/kustomization.yaml

@@ -1,71 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-transformers:
-- |
-  apiVersion: builtin
-  kind: NamespaceTransformer
-  metadata:
-    name: namespace-transformer
-    namespace: ansible
-  unsetOnly: true
-  setRoleBindingSubjects: allServiceAccounts
-  fieldSpecs:
-  - path: metadata/namespace
-    create: true
-
-labels:
-- pairs:
-    app.kubernetes.io/instance: ansible
-  includeSelectors: true
-  includeTemplates: true
-- pairs:
-    app.kubernetes.io/part-of: ansible
-
-resources:
-- ../dch-root-ca
-- ../ssh-host-keys
-- rbac.yaml
-- secrets.yaml
-- namespace.yaml
-- ara.yaml
-- postgres-cert.yaml
-- ingress.yaml
-
-configMapGenerator:
-- name: ara
-  files:
-  - ara/settings.toml
-  options:
-    labels:
-      app.kubernetes.io/name: ara
-
-patches:
-- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: ara
-    spec:
-      template:
-        spec:
-          containers:
-          - name: ara-api
-            volumeMounts:
-            - mountPath: /run/dch-ca/dch-root-ca.crt
-              name: dch-root-ca
-              subPath: dch-root-ca.crt
-              readOnly: true
-            - mountPath: /run/secrets/ara/postgresql
-              name: postgresql-cert
-              readOnly: true
-          securityContext:
-            fsGroup: 7653
-          volumes:
-          - name: postgresql-cert
-            secret:
-              secretName: ara-postgres-cert
-              defaultMode: 0640
-          - name: dch-root-ca
-            configMap:
-              name: dch-root-ca

ansible/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: ansible
-  labels:
-    app.kubernetes.io/name: ansible

ansible/postgres-cert.yaml

@@ -1,12 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: ara-postgres-cert
-spec:
-  commonName: ara
-  privateKey:
-    algorithm: ECDSA
-  secretName: ara-postgres-cert
-  issuerRef:
-    name: postgresql-ca
-    kind: ClusterIssuer

ansible/rbac.yaml

@@ -1,170 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: dch-webhooks
-rules:
-  - apiGroups:
-    - batch
-    resources:
-    - jobs
-    verbs:
-    - create
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: dch-webhooks
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: dch-webhooks
-subjects:
-- kind: ServiceAccount
-  name: dch-webhooks
-  namespace: default
-
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: host-provisioner
-  labels:
-    app.kubernetes.io/name: host-provisioner
-    app.kubernetes.io/component: host-provisioner
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: host-provisioner
-  namespace: kube-public
-  annotations:
-    kubernetes.io/description: >-
-      Allows the host-provisioner to access the _cluster-info_ ConfigMap,
-      which it uses to get the connection details for the Kubernetes API
-      server, including the issuing CA certificate, to pass to `kubeadm
-      join` on a new worker node.
-rules:
-- apiGroups:
-  - ''
-  resources:
-  - configmaps
-  verbs:
-  - get
-  resourceNames:
-  - cluster-info
-  - kube-root-ca.crt
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: host-provisioner
-  annotations:
-    kubernetes.io/description: >-
-      Allows the host-provisioner to manipulate labels, taints, etc. on
-      nodes it adds to the cluster.
-rules:
-- apiGroups:
-  - ''
-  resources:
-  - nodes
-  verbs:
-  - get
-  - patch
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: host-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: host-provisioner
-subjects:
-- kind: ServiceAccount
-  name: host-provisioner
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: host-provisioner
-  namespace: kube-system
-  annotations:
-    kubernetes.io/description: >-
-      Allows the host-provisioner to create bootstrap tokens in order to
-      add new nodes to the Kubernetes cluster.
-rules:
-- apiGroups:
-  - ''
-  resources:
-  - secrets
-  verbs:
-  - create
-  - get
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: host-provisioner
-  namespace: kube-public
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: host-provisioner
-subjects:
-- kind: ServiceAccount
-  name: host-provisioner
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: host-provisioner
-  namespace: kube-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: host-provisioner
-subjects:
-- kind: ServiceAccount
-  name: host-provisioner
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: host-provisioner
-  namespace: victoria-metrics
-  annotations:
-    kubernetes.io/description: >-
-      Allows the host-provisioner to update the scrape-collectd
-      ConfigMap when adding new hosts.
-rules:
-- apiGroups:
-  - ''
-  resources:
-  - configmaps
-  verbs:
-  - patch
-  - get
-  resourceNames:
-  - scrape-collectd
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: host-provisioner
-  namespace: victoria-metrics
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: host-provisioner
-subjects:
-- kind: ServiceAccount
-  name: host-provisioner

ansible/secrets.yaml

@@ -1,37 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: ara
-  namespace: ansible
-  labels:
-    app.kubernetes.io/name: ara
-    app.kubernetes.io/component: ara
-spec:
-  encryptedData:
-    .secrets.toml: AgAiObM2t8Cmr87pMRhZN4RBqb4soEdG0OJeAmaUCl//in2LihZyOHKu5RDeLBaPneoX5G/t5eQX7KkPCW7hffjBSngVbPMZ+U8Txb1IY3uFFHGAPnJBXwHo6FgRq5uKt3LQ6UmtWLoIF4ZB4K0f/g5BHR3N6FIah/x5pKrnU9lOltVgDFSEd7Ewgrj8AorASdE7ZxBAGuUPNktQZZ9MS0d2YiOhgfZiGHDnLZoqk0osDOZzKJX47yiYg5SR4NHoGzd7gfSvBtbrU4SIQCUGZJYtOKeUGaNtCgKnLe3oCphqV3izUY1JudVF8eN5MDgUH5vG2GcqDqMYTX2oRuk+rgRjiMJTkxQ/OZlbrXGxUocTR51EoM01vgjvvCsqaE3R5MhcKE7oOHrqTXzhDY6UzBPUu6QWrkWWMegBeIVCWA2ID3m8CPljyA0oZuClqVZpx/23cs3aHcyl2vye5ey3ca5QzLkkmKK7826H3przUYdwti9gMNp0sPszsDOTzfmN9iZD33a+WvEPfbf7+ZBXBAnoH06pLXeCGc43Q2S619xdHRw4caVGeczZAWYVjlnq8BUQGmHU2Ra5W6dzYM+i3vUimJRiuzeaG+APgY4KIdZNEjPguiwg93g9NtDWgap1h5rF3Yx4nEQelEN0pNAqT8CP67gW1Kp+wjNRNHkz45Ld3mJbMsvFqjZG5cCqk1s67mBNxhani0HBJM3vEV36wnDBzWwSmemuMUdjrG0zFwQHHeZwQe7oR+9XNz1DLPxvvp6KfEbHA3YMagQa2RYxN/C9APBBC+dmk6+TJn1n
-  template:
-    metadata:
-      name: ara
-      namespace: ansible
-      labels:
-        app.kubernetes.io/name: ara
-        app.kubernetes.io/component: ara
-
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: provisioner-ssh-key
-  namespace: ansible
-  labels: &labels
-    app.kubernetes.io/name: provisioner-ssh-key
-    app.kubernetes.io/component: host-provisioner
-spec:
-  encryptedData:
-    host-provisioner.key: AgCiBQEtPmzQO9GHoVxZNQmjFn9GjeKWlHmG2lz4uqeva77QByqnejUg8CbpQnoT61ct9o39tVtrrHgC8WjseXKGKkd+YELRaWENXBNBFlv4YN6id2iPzf4xHrgfowXLjzly7s4s4Fg3QntXFglQxwG009Z7K5HQmAvgCFzGm6y+fyLoNd2v2eNc9pGurynnm7wKQFuBBpBtoDVfYMNSS+tp9D3MFVMwEG8kU/kszv5OEEwVkipG4v2LeY86HXIQnHyeE3vITz0TFPoQjpjusBNg7MxBVHcz/ZruqF43DZ+uz2aRFL6D5udm86hsxZGSi3yVq8PSCUANtWoTicIpSc5yxpB+5FLsc3Q380vQPrRYvx8luAZwMGQPDv2NpGoSRUmutb/+4vpQbCBwaP9s8WHaYNDByUeoQKAX2o+RYp+/csfxmSy1/pK93RUjMnsWGYiyI7jpNdTqWkakDN+cM0Lrje9+VqcZge3FYp/4y78AI75pWEiEMy1VSXeqE2pgu5vZzyRdw9zORC2sAWhnTeu+Obbly1UdptpXPmGclmRbpwAPM1F7m7pDsCQ9SYAhoGg251Yu0sF3Nnc0uOElmP0KSn1bt/Jca9M0syg9DMntHo41dn40+Aihujej0ll4h3GXVZ0auUuzSLZEMe0dHQY0YCaq3JdeOa6AJuNyo63/0BmvmWP2T06INtVw4EqBsmvNl/YJIlZiRGhIOGaRyJllu21L6QBtToYjxI7fhTxZaCG6fyPbvCd1hu+IchoMr86rl7W0+k6d/lkamx9dg+PtWjjThOGyeLYwSRhMcsvQPsSdTl8BEmB9TRgRIk42txVRQkb+ei1+1y9nBYCOV9P540lDXQVbqgyb0j2cccWOa/AG7l3P3s8haDs2OujUaVkBJWJ489nsLsC33972wwAQbOk+uTKmXKL6nWSNL31rivW9R8ea+vfdcyN2/tLsI0mE9XTR/kRmS12qdLmDbzeX/scqSKaWFQZwnLHak5Xaqkd25ZGHqB3zrnTBIryDaXSzgC1CPCv7QNqbKvd6vmH+16j1DWqLycbUeorx5O9nwpEZ+GzQm8q62PJEO8xdvqr3nu5OvFgGrnX/Y6giV8Cv8ogyAxbmNrq0cC5VYxDlt4VvzlOpmWUlfxD/wd+gaHQoibhhHRbGtsJCX9AFclVQrY3kmduTi/iJlTTJjMQKm9JJRXKbNDxH+B25Zj/hUIC1/NNZOSDn654Pi/yOGXITp86j9unfnIXdJPg=
-  template:
-    metadata:
-      name: provisioner-ssh-key
-      namespace: ansible
-      labels: *labels

argocd/applications/authelia.yaml

@@ -11,6 +11,3 @@ spec:
     path: authelia
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true

argocd/applications/csi-synology.yaml

@@ -1,16 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: csi-synology
-  namespace: argocd
-spec:
-  destination:
-    server: https://kubernetes.default.svc
-  project: default
-  source:
-    path: democratic-csi
-    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
-    targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true

argocd/applications/firefly-iii.yaml

@@ -11,6 +11,3 @@ spec:
     path: firefly-iii
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true

argocd/applications/grafana.yaml

@@ -1,16 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: grafana
-  namespace: argocd
-spec:
-  destination:
-    server: https://kubernetes.default.svc
-  project: default
-  source:
-    path: grafana
-    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
-    targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true

argocd/applications/home-assistant.yaml

@@ -11,6 +11,3 @@ spec:
     path: home-assistant
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true

argocd/applications/invoice-ninja.yaml

@@ -1,13 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: invoice-ninja
-  namespace: argocd
-spec:
-  destination:
-    server: https://kubernetes.default.svc
-  project: default
-  source:
-    path: invoice-ninja
-    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
-    targetRevision: master

argocd/applications/jenkins.yaml

@@ -11,7 +11,3 @@ spec:
     path: jenkins
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true

argocd/applications/ntfy.yaml

@@ -11,6 +11,3 @@ spec:
     path: ntfy
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true

argocd/applications/paperless-ngx.yaml

@@ -11,6 +11,3 @@ spec:
     path: paperless-ngx
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true

argocd/applications/postgresql.yaml

@@ -1,13 +1,13 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: step-ca
+  name: postgresql
   namespace: argocd
 spec:
   destination:
     server: https://kubernetes.default.svc
   project: default
   source:
-    path: step-ca
+    path: postgresql
     repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
     targetRevision: master

argocd/applications/receipts.yaml

@@ -1,18 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: &name receipts
-  namespace: argocd
-  labels:
-    vendor: dustin
-spec:
-  destination:
-    server: https://kubernetes.default.svc
-  project: default
-  source:
-    path: *name
-    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
-    targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true

argocd/applications/vaultwarden.yaml

@@ -1,16 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: vaultwarden
-  namespace: argocd
-spec:
-  destination:
-    server: https://kubernetes.default.svc
-  project: default
-  source:
-    path: vaultwarden
-    repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
-    targetRevision: master
-  syncPolicy:
-    automated:
-      prune: true

argocd/kustomization.yaml

@@ -24,66 +24,6 @@ configMapGenerator:
   - policy.csv
 
 patches:
-- patch: |-
-    apiVersion: apps/v1
-    kind: StatefulSet
-    metadata:
-      name: argocd-application-controller
-    spec:
-      template:
-        spec:
-          containers:
-          - name: argocd-application-controller
-            imagePullPolicy: IfNotPresent
-
-- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: argocd-notifications-controller
-    spec:
-      template:
-        spec:
-          containers:
-          - name: argocd-notifications-controller
-            imagePullPolicy: IfNotPresent
-
-- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: argocd-redis
-    spec:
-      template:
-        spec:
-          containers:
-          - name: redis
-            imagePullPolicy: IfNotPresent
-
-- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: argocd-repo-server
-    spec:
-      template:
-        spec:
-          containers:
-          - name: argocd-repo-server
-            imagePullPolicy: IfNotPresent
-
-- patch: |-
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: argocd-server
-    spec:
-      template:
-        spec:
-          containers:
-          - name: argocd-server
-            imagePullPolicy: IfNotPresent
-
 - patch: |-
     $patch: delete
     apiVersion: apiextensions.k8s.io/v1

authelia/authelia.yaml

@@ -54,7 +54,7 @@ spec:
       - name: authelia
         image: ghcr.io/authelia/authelia
         env:
-        - name: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
+        - name: AUTHELIA_JWT_SECRET_FILE
           value: /run/authelia/secrets/jwt.secret
         - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
           value: /run/authelia/secrets/ldap.password
@@ -66,13 +66,6 @@ spec:
           value: /run/authelia/secrets/oidc.hmac_secret
         - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
           value: /run/authelia/secrets/oidc.issuer_private_key
-        ports:
-        - containerPort: 9091
-          name: http
-          protocol: TCP
-        - containerPort: 9959
-          name: metrics
-          protocol: TCP
         startupProbe:
           httpGet:
             port: 9091
@@ -127,10 +120,9 @@ spec:
   tls:
   - hosts:
     - auth.pyrocufflink.blue
-    - auth.pyrocufflink.net
   rules:
   - host: auth.pyrocufflink.blue
-    http: &http
+    http:
       paths:
       - path: /
         pathType: Prefix
@@ -139,5 +131,4 @@ spec:
             name: authelia
             port:
               name: http
-  - host: auth.pyrocufflink.net
-    http: *http
+

authelia/configuration.yml

@@ -5,10 +5,11 @@ access_control:
     networks:
     - 172.30.0.0/26
     - 172.31.1.0/24
-  - name: cluster
-    networks:
-    - 10.149.0.0/16
   rules:
+  - domain: paperless.pyrocufflink.blue
+    resources:
+    - '^/api/'
+    policy: bypass
   - domain: paperless.pyrocufflink.blue
     policy: two_factor
     subject:
@@ -39,34 +40,6 @@ access_control:
     networks:
     - internal
     policy: bypass
-  - domain: metrics.pyrocufflink.blue
-    resources:
-    - '^/insert/.*'
-    policy: bypass
-  - domain: metrics.pyrocufflink.blue
-    networks:
-    - internal
-    resources:
-    - '^/alertmanager([/?].*)?$'
-    methods:
-    - GET
-    - HEAD
-    - OPTIONS
-    policy: bypass
-  - domain: hlcforms.pyrocufflink.blue
-    resources:
-    - '^/submit/.*'
-    policy: bypass
-  - domain: ara.ansible.pyrocufflink.blue
-    networks:
-    - internal
-    - cluster
-    resources:
-    - '^/api/.*'
-    methods:
-    - POST
-    - PATCH
-    policy: bypass
 
 authentication_backend:
   ldap:
@@ -74,123 +47,87 @@ authentication_backend:
     implementation: activedirectory
     tls:
       minimum_version: TLS1.2
-    address: ldaps://pyrocufflink.blue
+    url: ldaps://pyrocufflink.blue
     user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue
 
 certificates_directory: /run/authelia/certs
 
 identity_providers:
   oidc:
-    claims_policies:
-      default:
-        id_token:
-        - groups
-        - email
-        - email_verified
-        - preferred_username
-        - name
     clients:
-    - client_id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
-      client_name: Jenkins
-      client_secret: >-
+    - id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
+      description: Jenkins
+      secret: >-
         $argon2id$v=19$m=65536,t=3,p=4$qoo6+3ToLbsZOI/BxcppGw$srNBfpIHqpxLh+VfVNNe27A1Ci9dCKLfB8rWXLNkv44
       redirect_uris:
       - https://jenkins.pyrocufflink.blue/securityRealm/finishLogin
-      response_types:
-      - code
       scopes:
       - openid
       - groups
       - profile
       - email
       - offline_access
-      - address
-      - phone
       authorization_policy: one_factor
       pre_configured_consent_duration: 8h
-      token_endpoint_auth_method: client_secret_post
-    - client_id: kubernetes
-      client_name: Kubernetes
+    - id: kubernetes
+      description: Kubernetes
       public: true
-      claims_policy: default
       redirect_uris:
       - http://localhost:8000
       - http://localhost:18000
       authorization_policy: one_factor
       pre_configured_consent_duration: 8h
-    - client_id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
-      client_name: MinIO
-      client_secret: >-
+    - id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
+      description: MinIO
+      secret: >-
         $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
       redirect_uris:
       - https://burp.pyrocufflink.blue:9090/oauth_callback
-      - https://minio.backups.pyrocufflink.blue/oauth_callback
-      claims_policy: default
-    - client_id: step-ca
-      client_name: step-ca
+    - id: step-ca
+      description: step-ca
       public: true
-      claims_policy: default
       redirect_uris:
       - http://127.0.0.1
       pre_configured_consent_duration: 8h
-    - client_id: argocd
-      client_name: Argo CD
-      claims_policy: default
+    - id: argocd
+      description: Argo CD
       pre_configured_consent_duration: 8h
       redirect_uris:
       - https://argocd.pyrocufflink.blue/auth/callback
-      client_secret: >-
+      secret: >-
         $pbkdf2-sha512$310000$l/uOezgWjqe3boGLYAnKcg$uqn1FC8Lj2y1NG5Q91PeLfLLUQ.qtlKFLd0AWJ56owLME9mV/Zx8kQ2x7OS/MOoMLmUgKd4zogYKab2HGFr0kw
-    - client_id: argocd-cli
-      client_name: argocd CLI
+    - id: argocd-cli
+      description: argocd CLI
       public: true
-      claims_policy: default
       pre_configured_consent_duration: 8h
       audience:
       - argocd-cli
       redirect_uris:
       - http://localhost:8085/auth/callback
-      response_types:
-      - code
       scopes:
       - openid
-      - groups
       - profile
       - email
+      - groups
       - offline_access
-    - client_id: sshca
-      client_name: SSHCA
-      public: true
-      claims_policy: default
-      pre_configured_consent_duration: 4h
-      redirect_uris:
-      - http://127.0.0.1
-      scopes:
-      - openid
-      - profile
-      - email
-      - groups
 
 log:
-  level: info
+  level: trace
 
 notifier:
   smtp:
     disable_require_tls: true
-    address: 'mail.pyrocufflink.blue:25'
+    host: mail.pyrocufflink.blue
+    port: 25
     sender: auth@pyrocufflink.net
 
 session:
+  domain: pyrocufflink.blue
   expiration: 1d
   inactivity: 4h
   redis:
     host: redis
     port: 6379
-  cookies:
-  - domain: pyrocufflink.blue
-    authelia_url: 'https://auth.pyrocufflink.blue'
-  - domain: pyrocufflink.net
-    authelia_url: 'https://auth.pyrocufflink.net'
 
 server:
   buffers:
@@ -198,15 +135,8 @@ server:
 
 storage:
   postgres:
-    address: postgresql.pyrocufflink.blue
+    host: default.postgresql
     database: authelia
-    username: authelia
-    password: unused
+    username: authelia.authelia
     tls:
       skip_verify: false
-
-telemetry:
-  metrics:
-    enabled: true
-
-theme: auto

authelia/kustomization.yaml

@@ -1,29 +1,25 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
-namespace: authelia
-
 labels:
 - pairs:
     app.kubernetes.io/instance: authelia
 
 resources:
-- ../dch-root-ca
 - secrets.yaml
 - redis.yaml
 - authelia.yaml
 - oidc-cluster-admin.yaml
-- postgres-cert.yaml
-
-replicas:
-- name: authelia
-  count: 2
 
 configMapGenerator:
 - name: authelia
   namespace: authelia
   files:
   - configuration.yml
+- name: postgresql-ca
+  namespace: authelia
+  files:
+  - postgresql-ca.crt
 
 patches:
 - patch: |-
@@ -37,25 +33,18 @@ patches:
         spec:
           containers:
           - name: authelia
-            imagePullPolicy: IfNotPresent
             env:
-            - name: AUTHELIA_STORAGE_POSTGRES_TLS_CERTIFICATE_CHAIN_FILE
-              value: /run/authelia/certs/postgresql/tls.crt
-            - name: AUTHELIA_STORAGE_POSTGRES_TLS_PRIVATE_KEY_FILE
-              value: /run/authelia/certs/postgresql/tls.key
+            - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
+              value: /run/authelia/secrets/postgresql/password
             volumeMounts:
-            - mountPath: /run/authelia/certs/dch-root-ca.crt
-              name: dch-root-ca
-              subPath: dch-root-ca.crt
-            - mountPath: /run/authelia/certs/postgresql
-              name: postgresql-cert
+            - mountPath: /run/authelia/certs
+              name: postgresql-ca
+            - mountPath: /run/authelia/secrets/postgresql
+              name: postgresql-auth
           volumes:
-          - name: postgresql-cert
+          - name: postgresql-auth
             secret:
-              secretName: postgres-client-cert
-          - name: dch-root-ca
+              secretName: authelia.authelia.default.credentials.postgresql.acid.zalan.do
+          - name: postgresql-ca
             configMap:
-              name: dch-root-ca
-images:
-- name: ghcr.io/authelia/authelia
-  newTag: 4.39.9
+              name: postgresql-ca

authelia/postgres-cert.yaml

@@ -1,12 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: postgres-client-cert
-spec:
-  commonName: authelia
-  privateKey:
-    algorithm: ECDSA
-  secretName: postgres-client-cert
-  issuerRef:
-    name: postgresql-ca
-    kind: ClusterIssuer

autoscaler/kustomization.yaml

@@ -3,7 +3,6 @@ kind: Kustomization
 
 resources:
 - https://github.com/kubernetes/autoscaler/raw/cluster-autoscaler-release-1.26/cluster-autoscaler/cloudprovider/aws/examples/cluster-autoscaler-autodiscover.yaml
-- secrets.yaml
 
 images:
 - name: k8s.gcr.io/autoscaling/cluster-autoscaler
@@ -22,7 +21,6 @@ patches:
         spec:
           containers:
           - name: cluster-autoscaler
-            imagePullPolicy: IfNotPresent
             command:
             - ./cluster-autoscaler
             - --v=4

autoscaler/secrets.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: autoscaler-aws-keys
-  namespace: kube-system
-spec:
-  encryptedData:
-    access_key_id: AgA8WLIutrqtizbW/gRNjUaTV9AebXviLX0ffhvRTKVQnPbmjWYUOEyqI6inXmNmxIE342+U0oDtYs878+yHYIxfRAcUi6FRIKPpbUtICzgaudHnjYZaT8gpp20M/ovijkbHTSZMO7snxB72CAa0uzfs+NIY3ky5kDsBDEQKhUix7kQ5Zn75mIBEZhV/W1n5tPQ80k0rykcGt174VPTOtKWV9pIqVJxkw3xZE4vrxB6Cb5S7FfSft5te2vWld8oKE6wbCgEbRVROQ+Q3NfvY8I1jTzZT1eSIHuYM9OmS8NL1S9DOLl/6Pin4jLoBJEaIHOT5abOQLtvQUSuuOvbdbePHaoABBUG+TSXNZnM9GlF+an461ARxHZi51TtjcAHp9063ClTICiEuNT5VoGyfH6Z67MGVtox5DmOo28mgPE1OXALmC3Z3QV/uSIyulTrkV/VDTvp7au21m1nEd54/pzLXUtn78hwv8rnJ9gJGsgq9ovM42Yyo964zN5oBvZkzkIGLPqjAJUEYtXwvOSUprrmyWnJ7bdFZMvx2yGT0S3Hdwt2o6svuPMhXKVI9Ykd122hA14n1/UpimnBq7nAy3EQmCPTAQOh5ufCjqUG3z722aY1KDPDZA+cL8XfrI7JRae+gH0zrCxjKMCyibdz8MHd0ca2n/t42NVbPO0AptY1OKoDK2byUwuAXZl+e9aE302y5Y4ZNiJu+yhaAHZ1gtiDp07eLKA==
-    secret_access_key: AgAkFztvEEVWpioxcnNJ7b077AzyJ5IMtgKn0nVa+tMzEYWzuWe45G2MuPwajARj5Ji8WH4gwzcBwJOBfuDMmBz7GeodoZJ2tVcbcNg/5dZp5LA9IU3WqUMGIf0lMMnlOaxIxm1Zy+stJM7lbNabA9Nh+NXq4BpcGj+fUevYodhJpLyP7gqKSLZlvsfXVxX8O9XxADUMb1NrAYBx+0J19lh8WkJe2s9oQzpJND6pj3dUlb8UbBdg6uD4CSlORcSW1WdqQz9WW/clt0eBO1hlgVC6me7GlWtAqm88+1+sBlmT7SrCzbP0Ky7w2xz9L6Y2I9k65c2yCwkPrfh6CiIXltjPZEtvL+gzIIvXNIO1XUX4FlcSu+AartVPyDkAuA0TsMEuaORo0C9HnxSYm4fHRaDe2HZWwXCLXXyW1xZxfy0le1pr9zUNcx5HFjR7XJ6E3seirIyk8B9CnqDY/Ff29PQzDjv2k50UiSXHLIpwbZ5G2nqYzkOG2MRhjggiYKh7VPpKTwQUebVyFsdiLaAFcWr8BrLwXXcbOeEpHRnsZlCCqXM1uN4H3Am0RuRc12V2pYWHP/q53sSfYYBDsXFHOXr6e3iZ/c95GI/ndjaBqk1EtV7go4wn5sZaZvDmQktYalNKYk4EZLzAsgj7PdOeS5SDa2ZnQud4Om7a2MRoayntg8pyCeLfvV6G5CwuUh/kFZVn+2v2OTabC+6HMde4Yq1MMrFD+qOKGywHMG8HvZieHCzi4ZnnT3Wt
-  template:
-    metadata:
-      creationTimestamp: null
-      name: autoscaler-aws-keys
-      namespace: kube-system

calico/kustomization.yaml

@@ -1,10 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-labels:
-- pairs:
-    app.kubernetes.io/instance: calico
-
-resources:
-- https://raw.githubusercontent.com/projectcalico/calico/v3.30.2/manifests/operator-crds.yaml
-- https://raw.githubusercontent.com/projectcalico/calico/v3.30.2/manifests/tigera-operator.yaml

cert-manager/cert-exporter.yaml

@@ -0,0 +1,133 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-exporter
+  namespace: cert-manager
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cert-exporter
+  namespace: cert-manager
+data:
+  config.yml: |
+    git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
+    certs:
+    - name: pyrocufflink-cert
+      namespace: default
+      key: certificates/_.pyrocufflink.net.key
+      cert: certificates/_.pyrocufflink.net.crt
+      bundle: certificates/_.pyrocufflink.net.pem
+    - name: dustinhatchname-cert
+      namespace: default
+      key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
+      cert: acme.sh/dustin.hatch.name/fullchain.cer
+    - name: hatchchat-cert
+      namespace: default
+      key: certificates/hatch.chat.key
+      cert: certificates/hatch.chat.crt
+      bundle: certificates/hatch.chat.pem
+    - name: tabitha-cert
+      namespace: default
+      key: certificates/tabitha.biz.key
+      cert: certificates/tabitha.biz.crt
+      bundle: certificates/tabitha.biz.pem
+    - name: dcow-cert
+      namespace: default
+      key: certificates/darkchestofwonders.us.key
+      cert: certificates/darkchestofwonders.us.crt
+      bundle: certificates/darkchestofwonders.us.pem
+    - name: chmod777-cert
+      namespace: default
+      key: certificates/chmod777.sh.key
+      cert: certificates/chmod777.sh.crt
+      bundle: certificates/chmod777.sh.pem
+    - name: dustinandtabitha-cert
+      namespace: default
+      key: certificates/dustinandtabitha.com.key
+      cert: certificates/dustinandtabitha.com.crt
+      bundle: certificates/dustinandtabitha.com.pem
+    - name: hlc-cert
+      namespace: default
+      key: certificates/hatchlearningcenter.org.key
+      cert: certificates/hatchlearningcenter.org.crt
+      bundle: certificates/hatchlearningcenter.org.pem
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-exporter
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  resourceNames:
+  - pyrocufflink-cert
+  - dustinhatchname-cert
+  - hatchchat-cert
+  - tabitha-cert
+  - dcow-cert
+  - chmod777-cert
+  - dustinandtabitha-cert
+  - hlc-cert
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-exporter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-exporter
+subjects:
+- kind: ServiceAccount
+  name: cert-exporter
+  namespace: cert-manager
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: cert-exporter
+  namespace: cert-manager
+spec:
+  timeZone: America/Chicago
+  schedule: '27 9,20 * * *'
+  jobTemplate: &jobtemplate
+    spec:
+      template:
+        spec:
+          containers:
+          - image: git.pyrocufflink.net/containerimages/cert-exporter
+            name: cert-exporter
+            volumeMounts:
+            - mountPath: /etc/cert-exporter/config.yml
+              name: config
+              subPath: config.yml
+              readOnly: true
+            - mountPath: /home/cert-exporter/.ssh/id_ed25519
+              name: sshkeys
+              subPath: cert-exporter.pem
+              readOnly: true
+            - mountPath: /etc/ssh/ssh_known_hosts
+              name: sshkeys
+              subPath: ssh_known_hosts
+              readOnly: true
+          securityContext:
+            fsGroup: 1000
+          serviceAccount: cert-exporter
+          volumes:
+          - name: config
+            configMap:
+              name: cert-exporter
+          - name: sshkeys
+            secret:
+              secretName: cert-exporter-sshkey
+              defaultMode: 00440
+          restartPolicy: Never

cert-manager/certificates.yaml

@@ -16,3 +16,141 @@ spec:
   privateKey:
     algorithm: ECDSA
     rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dustinhatchname-cert
+spec:
+  secretName: dustinhatchname-cert
+  dnsNames:
+  - dustin.hatch.name
+  - '*.dustin.hatch.name'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: hatchchat-cert
+spec:
+  secretName: hatchchat-cert
+  dnsNames:
+  - hatch.chat
+  - '*.hatch.chat'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: tabitha-cert
+spec:
+  secretName: tabitha-cert
+  dnsNames:
+  - tabitha.biz
+  - '*.tabitha.biz'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dcow-cert
+spec:
+  secretName: dcow-cert
+  dnsNames:
+  - darkchestofwonders.us
+  - '*.darkchestofwonders.us'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: chmod777-cert
+spec:
+  secretName: chmod777-cert
+  dnsNames:
+  - chmod777.sh
+  - '*.chmod777.sh'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dustinandtabitha-cert
+spec:
+  secretName: dustinandtabitha-cert
+  dnsNames:
+  - dustinandtabitha.com
+  - '*.dustinandtabitha.com'
+  - dustinandtabitha.xyz
+  - '*.dustinandtabitha.xyz'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: hlc-cert
+spec:
+  secretName: hlc-cert
+  dnsNames:
+  - hatchlearningcenter.org
+  - '*.hatchlearningcenter.org'
+  - hatchlearningcenter.com
+  - '*.hatchlearningcenter.com'
+  - hlckc.org
+  - '*.hlckc.org'
+  - hlckc.com
+  - '*.hlckc.com'
+  - hlcks.org
+  - '*.hlcks.org'
+  - hlcks.com
+  - '*.hlcks.com'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: zerossl
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always

cert-manager/dch-ca-issuer.yaml

@@ -1,29 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: dch-ca
-spec:
-  acme:
-    server: https://ca.pyrocufflink.blue:32599/acme/acme/directory
-    email: cert-manager@pyrocufflink.net
-    privateKeySecretRef:
-      name: dch-ca-acme
-    caBundle:
-      LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ4RENDQVdxZ0F3SUJBZ0lVYkh6MnRzc2EwOXpzSGsrRWRHRDNRS3ByTUtRd0NnWUlLb1pJemowRUF3UXcKUURFTE1Ba0dBMVVFQmhNQ1ZWTXhHREFXQmdOVkJBb01EMFIxYzNScGJpQkRMaUJJWVhSamFERVhNQlVHQTFVRQpBd3dPUkVOSUlGSnZiM1FnUTBFZ1VqSXdIaGNOTWpNd09USTBNakExTXpBNVdoY05ORE13T1RFNU1qQTFNekE1CldqQkFNUXN3Q1FZRFZRUUdFd0pWVXpFWU1CWUdBMVVFQ2d3UFJIVnpkR2x1SUVNdUlFaGhkR05vTVJjd0ZRWUQKVlFRRERBNUVRMGdnVW05dmRDQkRRU0JTTWpCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkUyRApOSkhSY2p1QTE5Wm9wckJLYXhJZlV4QWJ6NkxpZ003ZGd0TzYraXNhTWx4UkFWSm1zSVRBRElFLzIyUnJVRGdECk9ma3QyaVpUVWpNcnozQXhYaFdqUWpCQU1CMEdBMVVkRGdRV0JCVE0rZDhrYjFrb0dtS1J0SnM0Z045ellhKzYKb1RBU0JnTlZIUk1CQWY4RUNEQUdBUUgvQWdFQk1Bc0dBMVVkRHdRRUF3SUJCakFLQmdncWhrak9QUVFEQkFOSQpBREJGQWlFQTJLYThtTWlBRkxtckZXdDBkQW1sMjQ3cmUyK2k0VVBoeUhjT0JmTksrZ29DSUh2K3ZFdzdDSFpRCmlySWE2OTduZmU0S2lYSU13SGxBTVMxKzFRWm9oRkRDCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
-
-    solvers:
-    - dns01:
-        cnameStrategy: Follow
-        rfc2136:
-          nameserver: 172.30.0.1
-          tsigSecretSecretRef:
-            name: pyrocufflink-tsig
-            key: cert-manager.tsig.key
-          tsigKeyName: cert-manager
-          tsigAlgorithm: HMACSHA512
-      selector:
-        dnsNames:
-        - rabbitmq.pyrocufflink.blue
-    - http01:
-        ingress:
-          ingressClassName: nginx

cert-manager/jenkins.yaml

@@ -1,27 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: jenkins
-rules:
-- apiGroups:
-  - ''
-  resources:
-  - secrets
-  verbs:
-  - get
-  resourceNames:
-  - pyrocufflink-cert
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: jenkins
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: jenkins
-subjects:
-- kind: ServiceAccount
-  name: default
-  namespace: jenkins-jobs

cert-manager/kustomization.yaml

@@ -2,14 +2,19 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- https://github.com/cert-manager/cert-manager/releases/download/v1.16.4/cert-manager.yaml
+- cert-manager.yaml
 - cluster-issuer.yaml
 - certificates.yaml
-- dch-ca-issuer.yaml
-- secrets.yaml
-- jenkins.yaml
+- cert-exporter.yaml
 
 secretGenerator:
+- name: cert-manager-tsig
+  namespace: cert-manager
+  files:
+  - cert-manager.key
+  options:
+    disableNameSuffixHash: true
+
 - name: zerossl-eab
   namespace: cert-manager
   envs:
@@ -17,34 +22,22 @@ secretGenerator:
   options:
     disableNameSuffixHash: true
 
+- name: cert-exporter-sshkey
+  namespace: cert-manager
+  files:
+  - cert-exporter.pem
+  - ssh_known_hosts
+
+- name: acme-dns
+  namespace: cert-manager
+  files:
+  - acme-dns.json
+  options:
+    disableNameSuffixHash: true
+
 - name: cloudflare
   namespace: cert-manager
   files:
   - cloudflare.api-token
   options:
     disableNameSuffixHash: true
-
-patches:
-- patch: |
-    apiVersion: apps/v1
-    kind: Deployment
-    metadata:
-      name: cert-manager
-      namespace: cert-manager
-    spec:
-      template:
-        spec:
-          dnsConfig:
-            nameservers:
-            - 172.30.0.1
-          dnsPolicy: None
-- patch: |
-    - op: add
-      path: /spec/template/spec/containers/0/args/-
-      value: >-
-        --dns01-recursive-nameservers-only
-  target:
-    group: apps
-    version: v1
-    kind: Deployment
-    name: cert-manager

cert-manager/secrets.yaml

@@ -1,13 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: pyrocufflink-tsig
-  namespace: cert-manager
-spec:
-  encryptedData:
-    cert-manager.tsig.key: AgAf1dVezJ0ytOdGI5rzCJ35rAVpY114pQJgIzqAKsKkRVE6kwWXjoFj94ZgDsjpOedAp1zdNB1UQnu0n10ayuz/NUYb74wkXcu0RRy6Ve06SJjI01f7lHP2/a4cnW+0et/Xzin0RQ/3hHmZUk5aCwV/FCLs0D5LdFixHf+sbMCzhyIYrQ64x0YH9YqBTRgXkEx94+PUuxi9ZyLuKiepd/K4UF+L5rF2zWt9DVKOmdbilzd5RqdQSgEyoOOpmcbDKHm1s17KHWSJb44rvxj7vg2fmXXwEvEW5SiQdrhmywOcqqhXEbE1ZEvBrVt3GgrjZHeTyL0Gx4jugiqSR/WulY7ak4+ZkDF80OS5RzciYeVMDdNxst48Xdkc2F7E93GGWCeIN5gig0oCFcB18BRF3aO4AB+fqh0IWBSiBCGinbjvX684TF9BGPuKMj01ORW3fFnRfbeE4gYTrdBKFi1ltG6VxJ6X9i5ztLIQBcH48btf7uMjQsC79GPq35CCWBprqnNBvi81lJtGVaVqY6hNIvyQIO+fEReMk/Mp0N+KxWlWVY/vK+ck2KWkgXaui3xkM4jbB6RiXWZXrUW4y+XyDs+sTziwYRRz03MU9NC58do9MBnOeM+fJqioMyQq81/mXKtcxIsvJadJ7WsYQKdqa/gVE5D/ybJ2qrtbEQqgCXnyowIIIOVvvWilhzh/zjQgtRiLHlsbLmvRX5aZm1Z048CMDFPh8CxcHlVwz7FUviJzbNoqENh1PE6HhKwFqpGxtjjR6X3LEi8iLvLNg05EUzLNJD1+SCi0imhQPGesJZtr/h1xqI9utB4NjA==
-  template:
-    metadata:
-      name: pyrocufflink-tsig
-      namespace: cert-manager

collectd/collectd.d/df.conf

@@ -1,10 +0,0 @@
-LoadPlugin df
-
-<Plugin df>
-    ReportByDevice true
-
-    FSType autofs
-    FSType overlay
-    FSType efivarfs
-    IgnoreSelected true
-</Plugin>

collectd/collectd.d/log.conf

@@ -1,8 +0,0 @@
-LoadPlugin logfile
-
-<Plugin logfile>
-	LogLevel info
-	File stderr
-	Timestamp false
-	PrintSeverity true
-</Plugin>

collectd/collectd.d/plugins.conf

@@ -1,9 +0,0 @@
-LoadPlugin chrony
-LoadPlugin cpufreq
-LoadPlugin disk
-LoadPlugin entropy
-LoadPlugin processes
-LoadPlugin swap
-LoadPlugin tcpconns
-LoadPlugin thermal
-LoadPlugin uptime

collectd/collectd.d/prometheus.conf

@@ -1,5 +0,0 @@
-LoadPlugin write_prometheus
-
-<Plugin write_prometheus>
-    Port 9103
-</Plugin>

collectd/collectd.yaml

@@ -1,74 +0,0 @@
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: collectd
-  labels:
-    app.kubernetes.io/name: collectd
-    app.kubernetes.io/component: collectd
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: collectd
-      app.kubernetes.io/component: collectd
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: collectd
-        app.kubernetes.io/component: collectd
-    spec:
-      containers:
-      - name: collectd
-        image: git.pyrocufflink.net/containerimages/collectd
-        ports:
-        - containerPort: 9103
-          name: http
-        readinessProbe: &probe
-          httpGet:
-            port: http
-            path: /metrics
-          periodSeconds: 60
-        startupProbe:
-          <<: *probe
-          periodSeconds: 1
-          successThreshold: 1
-          failureThreshold: 30
-          timeoutSeconds: 1
-        securityContext:
-          capabilities:
-            add:
-            - DAC_READ_SEARCH
-            drop:
-            - ALL
-          seLinuxOptions:
-            type: spc_t
-          readOnlyRootFilesystem: true
-        volumeMounts:
-        - mountPath: /etc/collectd.d
-          name: config
-          readOnly: true
-        - mountPath: /host
-          name: host
-        - mountPath: /run
-          name: host
-          subPath: run
-        - mountPath: /tmp
-          name: tmp
-      hostNetwork: true
-      hostPID: true
-      hostIPC: true
-      tolerations:
-      - effect: NoExecute
-        operator: Exists
-      - effect: NoSchedule
-        operator: Exists
-      volumes:
-      - name: config
-        configMap:
-          name: collectd
-      - name: host
-        hostPath:
-          path: /
-      - name: tmp
-        emptyDir:
-          medium: Memory

collectd/kustomization.yaml

@@ -1,34 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: collectd
-
-labels:
-- pairs:
-    app.kubernetes.io/instance: collectd
-    app.kubernetes.io/part-of: collectd
-  includeSelectors: false
-
-resources:
-- namespace.yaml
-- collectd.yaml
-
-configMapGenerator:
-- name: collectd
-  files:
-  - collectd.d/df.conf
-  - collectd.d/log.conf
-  - collectd.d/plugins.conf
-  - collectd.d/prometheus.conf
-
-patches:
-- patch: |-
-    apiVersion: apps/v1
-    kind: DaemonSet
-    metadata:
-      name: collectd
-    spec:
-      template:
-        spec:
-          nodeSelector:
-            du5t1n.me/collectd: 'true'

collectd/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: collectd
-  labels:
-    app.kubernetes.io/name: collectd

dch-root-ca/kustomization.yaml

@@ -5,5 +5,3 @@ configMapGenerator:
 - name: dch-root-ca
   files:
   - dch-root-ca.crt
-  options:
-    disableNameSuffixHash: true

dch-webhooks/ansible-job.yaml

@@ -1,121 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
-  generateName: host-provision-
-  labels: &labels
-    app.kubernetes.io/name: host-provisioner
-    app.kubernetes.io/component: host-provisioner
-spec:
-  backoffLimit: 0
-  template:
-    metadata:
-      labels: *labels
-    spec:
-      restartPolicy: Never
-      initContainers:
-      - name: ssh-agent
-        image: &image git.pyrocufflink.net/infra/host-provisioner
-        imagePullPolicy: Always
-        command:
-        - tini
-        - ssh-agent
-        - --
-        - -D
-        - -a
-        - /run/ssh/agent.sock
-        restartPolicy: Always
-        securityContext:
-          readOnlyRootFilesystem: true
-        volumeMounts:
-        - mountPath: /run/ssh
-          name: tmp
-          subPath: run/ssh
-      - name: ssh-add
-        image: *image
-        command:
-        - ssh-add
-        - -t
-        - 30m
-        - /run/secrets/ssh/host-provisioner.key
-        env:
-        - name: SSH_AUTH_SOCK
-          value: /run/ssh/agent.sock
-        securityContext:
-          readOnlyRootFilesystem: true
-        volumeMounts:
-        - mountPath: /run/ssh
-          name: tmp
-          subPath: run/ssh
-        - mountPath: /run/secrets/ssh
-          name: provisioner-key
-          readOnly: true
-      containers:
-      - name: host-provisioner
-        image: *image
-        env:
-        - name: SSH_AUTH_SOCK
-          value: /run/ssh/agent.sock
-        - name: AMQP_HOST
-          value: rabbitmq.pyrocufflink.blue
-        - name: AMQP_PORT
-          value: '5671'
-        - name: AMQP_CA_CERT
-          value: /run/dch-ca/dch-root-ca.crt
-        - name: AMQP_CLIENT_CERT
-          value: /run/secrets/host-provisioner/rabbitmq/tls.crt
-        - name: AMQP_CLIENT_KEY
-          value: /run/secrets/host-provisioner/rabbitmq/tls.key
-        - name: AMQP_EXTERNAL_CREDENTIALS
-          value: '1'
-        - name: PYROCUFFLINK_EXCLUDE_TEST
-          value: 'false'
-        securityContext:
-          readOnlyRootFilesystem: true
-        volumeMounts:
-        - mountPath: /etc/ssh/ssh_known_hosts
-          name: ssh-known-hosts
-          subPath: ssh_known_hosts
-          readOnly: true
-        - mountPath: /home/jenkins
-          name: workspace
-        - mountPath: /run/dch-ca
-          name: dch-root-ca
-          readOnly: true
-        - mountPath: /run/ssh
-          name: tmp
-          subPath: run/ssh
-        - mountPath: /run/secrets/host-provisioner/rabbitmq
-          name: rabbitmq-cert
-          readOnly: true
-        - mountPath: /tmp
-          name: tmp
-          subPath: tmp
-        - mountPath: /var/tmp
-          name: tmp
-          subPath: tmp
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
-      serviceAccountName: host-provisioner
-      volumes:
-      - name: dch-root-ca
-        configMap:
-          name: dch-root-ca
-      - name: provisioner-key
-        secret:
-          secretName: provisioner-ssh-key
-          defaultMode: 0440
-      - name: ssh-known-hosts
-        configMap:
-          name: ssh-known-hosts
-      - name: rabbitmq-cert
-        secret:
-          secretName: rabbitmq-cert
-          defaultMode: 0440
-      - name: tmp
-        emptyDir:
-          medium: Memory
-      - name: workspace
-        emptyDir: {}

dch-webhooks/certificate.yaml

@@ -1,14 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: rabbitmq
-spec:
-  secretName: rabbitmq-cert
-  commonName: dch-webhooks
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name: rabbitmq-ca
-  privateKey:
-    algorithm: ECDSA
-    rotationPolicy: Always

dch-webhooks/dch-webhooks.env

@@ -7,10 +7,3 @@ STEP_CA_URL=https://ca.pyrocufflink.blue:32599
 STEP_ROOT=/run/dch-root-ca.crt
 STEP_PROVISIONER=host-bootstrap
 STEP_PROVISIONER_PASSWORD_FILE=/run/secrets/du5t1n.me/step-ca/provisioner.password
-
-AMQP_HOST=rabbitmq.pyrocufflink.blue
-AMQP_PORT=5671
-AMQP_EXTERNAL_CREDENTIALS=1
-AMQP_CA_CERT=/run/dch-root-ca.crt
-AMQP_CLIENT_CERT=/run/secrets/du5t1n.me/rabbitmq/tls.crt
-AMQP_CLIENT_KEY=/run/secrets/du5t1n.me/rabbitmq/tls.key

dch-webhooks/dch-webhooks.yaml

@@ -1,14 +1,4 @@
 apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: dch-webhooks
-  labels:
-    app.kubernetes.io/name: dch-webhooks
-    app.kubernetes.io/component: dch-webhooks
-    app.kubernetes.io/part-of: dch-webhooks
-
----
-apiVersion: v1
 kind: Service
 metadata:
   labels:
@@ -58,8 +48,6 @@ spec:
           value: 0.0.0.0
         - name: UVICORN_LOG_LEVEL
           value: debug
-        - name: ANSIBLE_JOB_YAML
-          value: /etc/dch-webhooks/ansible-job.yaml
         envFrom:
         - configMapRef:
             name: dch-webhooks
@@ -88,44 +76,23 @@ spec:
           name: firefly-token
         - mountPath: /run/secrets/du5t1n.me/paperless
           name: paperless-token
-        - mountPath: /run/secrets/du5t1n.me/rabbitmq
-          name: rabbitmq-cert
-          readOnly: true
-        - mountPath: /run/secrets/du5t1n.me/step-ca
-          name: step-ca-password
         - mountPath: /tmp
           name: tmp
           subPath: tmp
-        - mountPath: /etc/dch-webhooks
-          name: host-provisioner
-          readOnly: true
       securityContext:
         runAsNonRoot: true
-      serviceAccountName: dch-webhooks
       volumes:
       - name: firefly-token
         secret:
           secretName: firefly-token
           optional: true
-      - name: host-provisioner
-        configMap:
-          name: host-provisioner
-          optional: true
       - name: paperless-token
         secret:
           secretName: paperless-token
           optional: true
-      - name: rabbitmq-cert
-        secret:
-          secretName: rabbitmq-cert
-          optional: true
       - name: root-ca
         configMap:
           name: dch-root-ca
-      - name: step-ca-password
-        secret:
-          secretName: step-ca-password
-          optional: true
       - name: tmp
         emptyDir:
           medium: Memory

dch-webhooks/jenkins.yaml

@@ -1,28 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: jenkins.dch-webhooks
-rules:
-  - apiGroups:
-    - apps
-    resources:
-    - deployments
-    resourceNames:
-    - dch-webhooks
-    verbs:
-    - get
-    - patch
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: jenkins.dch-webhooks
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: jenkins.dch-webhooks
-subjects:
-- kind: ServiceAccount
-  name: default
-  namespace: jenkins-jobs

dch-webhooks/kustomization.yaml

@@ -1,39 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
-labels:
-- pairs:
-    app.kubernetes.io/instance: dch-webhooks
-  includeSelectors: true
-  includeTemplates: true
-- pairs:
-    app.kubernetes.io/part-of: dch-webhooks
-
 resources:
 - ../dch-root-ca
 - dch-webhooks.yaml
-- certificate.yaml
 - ingress.yaml
+- secrets.yaml
 
 configMapGenerator:
 - name: dch-webhooks
   envs:
   - dch-webhooks.env
-- name: host-provisioner
-  files:
-  - ansible-job.yaml
-  options:
-    disableNameSuffixHash: true
-
-secretGenerator:
-- name: firefly-token
-  files:
-  - firefly.token
-
-- name: paperless-token
-  files:
-  - paperless.token
-
-- name: step-ca-password
-  files:
-  - provisioner.password

dch-webhooks/secrets.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: firefly-token
+  namespace: default
+spec:
+  encryptedData:
+    firefly.token: AgB8sD5GEwGMiCUQEioisw+ni5DqJM3L7AEwMnrdlrK7gq2TL/Htqo2TzuUIMxovf9KPkUWD4Y7KpT52z88yysbHlcEQkjB6djJYYecMyNVvPVYBEbKp+zLlJGqPTVoCrcvxaNAOTgOEnUx0zhWy90qWmmWQ4JPEfu1pm7++ZWJhp9c8p2HYsiQ81WV23IIp3Ua+7FK45+QxL1D1W1OXjqYs8BhXDgMS3bc5YGNTEx+e+fKN/i+KlKuO0h6ONt9vp8+DS3sQuiW+pkB+1Ra4bZ3RWZoVyqaoPdQZ95DCOTT6r8dDZObS6rxO3J1Bmppm1xB6zpN5HVFJnE0NpX0ljLSSk59BDZ3LLVawm9QAgwLKVLuyJ9hdlUDJD+EH2gj8ioxiiUAWHqThP3xBjoKD7nZWgyGM0zdyZuX+mADAflyAwcOydRwIXA6s5Tjw5RM0RWQ5JrOJGDAO41LOHoRu6qlFMmwc4novu4tzvlRvakqND4BxCEhDk6v4P1pDQh2xP2fvD3HOU5rqlq3z1X5lPnKHkRJUi2v0pryGBhoLrt8htCYA+w0LjMTx3c5dVC7Fz41U/7vVWhoQcPLNGx9I4Npb9z1qs8ozQCJUCdbPOaEnoKJtMVr2ByoR3WLr4hMT4b1Z2gFfU1rwhz3TO2xTCbY956GXaj1QACk67uHxvzLFaW0Td6vNHJGxQcgbtPvdtzS6yuNlF6W6Y3SlmADjvq5YeIF8n6UviIqqihYf4+os1r3ea14T7Jsi5VCNO1GyXLAke9oQruXe2sXAkTg6xbu+bgUqxDUqjkF677fVRlBTWcpf0gFsqGpHSkVK782I4Z+OUQMceE3+yJzkOD3DzZkGihQUuj82pctY7Ik2nDfc90JE4WMF9gmK1MxnS67yqcvHjKm7yuGNoP8JvdClmQcipJ3LsVdXm4s4dpmWCHDoqkMbN8+KDnh2TjTDwndcsCkCe5cWrKZfwMn9zQyPHH+/BWT77KwNviO6MjLDUzP1CWWAXmizxZozzIYSq67IUggAifv0n2oaBMyN7CsRZaL5KKMdLBhmE4EcEZvxDnRaxII2oWw5B2uyfyD2YWy35K0WRxHQH+TUmZEvPG3e2EWQcj8NR6L6J2wB4h4y2EJXRhrdbgZBppMQ0j22QZsw+0Yiol3uR9oLYlVXXgpkxuDTPUkm9k3GPItJmE75RmInI6xBKUMkueZQBYfSmoYLhsfwliMQ0rPnuY7kEIDJTS5NPrJqdkSZY5chkl9pSDeearJQLaFyB6PXZtBWz+6CqqKZFTO/YOPgU/9zqeUEWoyPUZ1FAVJ3aMrirscHz37jqTgQbn6hMW+WCw2WiApoMG9D+xU5ZfQRIph+Y3S1QjGdfxH7oE7XIuLdy6bQ7Cw93MZVn9kaIvLzcZTHtptOxy0XpygfalC/SDcubBpGCCKDw2I5xpkEC165ZKKM/NN3mxXZKeSY+8nePWl+pZeU8etiulGtQ/ZIqOmGaU7W4T5gJCij1bpGKS28lNhv25lUxMFBvyheLn6qUIMIRdCsvr6OdF+YOQQLLzwDquDD9ankHGzKMI73OWDCFrhXl85QqPg62bVCdghEMlohY4Wniy5k2CRLM0pQm9OZsp+RlPvv/Ea9JxyjQGtv4EcCXG2nv5ewWysv8mIYd8qWH/ZSh2o44pixC0levmrOXMb6cC5T3TC9OI6w1DglF84k3+bVGn+wNAHbo5ALxAhdGmB/GTdSRS1x368o4k2E0MThsezymlfjo8K8wyFWMpHpat/eF7WQy2ibl/lt6sCk8iBFEb4LPVbb68w4gZhPHHqcfZ//9+0rC28eagpYfx6LQi8gDUC/Uw06iPygJBOKABdppLNHqNa6zzOET2yECRlAtuxCmO9WYEpi0cOzg8fvdSzP57f47MJu3vnztFo1AIx5YU0Ohlv9KtjNxTaXziAJY47Y8o9jEnT7ajb81pwLf1/iMHT73TZtu8tVWKKZ7VReEQUzeKfERoboZO/P8TrVOvkK3ZLw5+tA
+  template:
+    metadata:
+      name: firefly-token
+      namespace: default
+    type: Opaque
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: paperless-token
+  namespace: default
+spec:
+  encryptedData:
+    paperless.token: AgBV2pcAAh+4bbMiNbKqRgFCNOpuZ19H6+YDSbM56pqyV3NRUZTiaRdPReG9T0WxRcYzjHluX7fIrr1kq8uIaCBDhnckdEjITwYqYRDtl6GDXhEXgfXt2HIKkBpBX+rK6j/qwlXpqwtx2oIq30G20WSll7wPsexQ/c0ZvquZysQ1/r7NvynbJB1/1lNk6wnEkRnByCWJI//0nQjYAeUeliftqU2e+PkpETGRyrUlaPlRt4NBaFbJDgZSBh1qlHqE4t0Lf23VdE0VVeFDaDR9EjVO4DPiwC7BEAfDi65+DM6iXUygAfyYL9KsCQGbUdxdb7SAp/ROCVUuu+dLGh1upk42J3XGa1rufN2XtXLCRL8MQ1j4JeV7Jm3yewNt4WYP6tD8UYKBxhRUK5pYU12jBR8yWZ1BBWNvWRN1w++pklMF72N95R61qJQhlftbq8F4yHj4Vh/9n+usJ1zw8LaZg179ZucIV9byA3NrDnbvDWLCvs/sVycrXbcnPec6+oMrgJL6lp96ofjBxqWDCDp/SUBUkDC34jiiaxjzrY5q9hUyf5gdqbzKN5Jda2lHvj6UgJj6Qo8AdQmMF6MNH4X2A1Ni2mR/WTwNzXDGfHibLeaTuBSyvALFoIbuuR78Wkjz76ZC6SQT8HwwCeylPskd7KPJURpJfXfdB/UwyV02LveZpsASgQo/m22znCZVwVhrOlC8SvNht4WO5HgHBf+21cSHfwZ03NM/81fedfxyySvMoMjpGy+89hwfnA==
+  template:
+    metadata:
+      name: paperless-token
+      namespace: default
+    type: Opaque

democratic-csi/.gitignore

@@ -1,2 +0,0 @@
-synology.password
-synology-iscsi-chap.yaml

democratic-csi/democratic-csi.yaml

@@ -1,385 +0,0 @@
-kind: DaemonSet
-apiVersion: apps/v1
-metadata:
-  name: csi-synology-democratic-csi-node
-  namespace: democratic-csi
-  labels:
-    app.kubernetes.io/name: democratic-csi
-    app.kubernetes.io/csi-role: node
-    app.kubernetes.io/component: node-linux
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: democratic-csi
-      app.kubernetes.io/csi-role: node
-      app.kubernetes.io/component: node-linux
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: democratic-csi
-        app.kubernetes.io/csi-role: node
-        app.kubernetes.io/component: node-linux
-    spec:
-      serviceAccount: csi-synology-democratic-csi-node-sa
-      priorityClassName: system-node-critical
-      hostNetwork: true
-      dnsPolicy: ClusterFirstWithHostNet
-      hostAliases: []
-      hostIPC: true
-      hostPID: false
-      containers:
-      - name: csi-driver
-        image: docker.io/democraticcsi/democratic-csi:latest
-        args:
-        - --csi-version=1.5.0
-        - --csi-name=org.democratic-csi.iscsi-synology
-        - --driver-config-file=/config/driver-config-file.yaml
-        - --log-level=info
-        - --csi-mode=node
-        - --server-socket=/csi-data/csi.sock.internal
-        securityContext:
-          allowPrivilegeEscalation: true
-          capabilities:
-            add:
-            - SYS_ADMIN
-          privileged: true
-        env:
-        - name: CSI_NODE_ID
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: spec.nodeName
-        terminationMessagePath: /tmp/termination-log
-        terminationMessagePolicy: File
-        livenessProbe:
-          failureThreshold: 3
-          exec:
-            command:
-            - bin/liveness-probe
-            - --csi-version=1.5.0
-            - --csi-address=/csi-data/csi.sock.internal
-          initialDelaySeconds: 10
-          timeoutSeconds: 15
-          periodSeconds: 60
-        volumeMounts:
-        - name: socket-dir
-          mountPath: /csi-data
-        - name: kubelet-dir
-          mountPath: /var/lib/kubelet
-          mountPropagation: Bidirectional
-        - name: iscsi-dir
-          mountPath: /etc/iscsi
-          mountPropagation: Bidirectional
-        - name: iscsi-info
-          mountPath: /var/lib/iscsi
-          mountPropagation: Bidirectional
-        - name: modules-dir
-          mountPath: /lib/modules
-          readOnly: true
-        - name: localtime
-          mountPath: /etc/localtime
-          readOnly: true
-        - name: udev-data
-          mountPath: /run/udev
-        - name: host-dir
-          mountPath: /host
-          mountPropagation: Bidirectional
-        - mountPath: /sys
-          name: sys-dir
-        - name: dev-dir
-          mountPath: /dev
-        - name: config
-          mountPath: /config
-      - name: csi-proxy
-        image: docker.io/democraticcsi/csi-grpc-proxy:v0.5.6
-        env:
-        - name: BIND_TO
-          value: unix:///csi-data/csi.sock
-        - name: PROXY_TO
-          value: unix:///csi-data/csi.sock.internal
-        volumeMounts:
-        - mountPath: /csi-data
-          name: socket-dir
-      - name: driver-registrar
-        image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0
-        args:
-        - --v=5
-        - --csi-address=/csi-data/csi.sock
-        - --kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock
-        env:
-        - name: KUBE_NODE_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: spec.nodeName
-        livenessProbe:
-          exec:
-            command:
-            - /csi-node-driver-registrar
-            - --kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock
-            - --mode=kubelet-registration-probe
-        volumeMounts:
-        - mountPath: /csi-data
-          name: socket-dir
-        - name: registration-dir
-          mountPath: /registration
-        - name: kubelet-dir
-          mountPath: /var/lib/kubelet
-      - name: cleanup
-        image: docker.io/busybox:1.37.0
-        command:
-        - /bin/sh
-        args:
-        - -c
-        - |-
-          sleep infinity &
-          trap 'kill !$' INT TERM
-          wait
-        lifecycle:
-          preStop:
-            exec:
-              command:
-              - /bin/sh
-              - -c
-              - rm -rf /plugins/org.democratic-csi.iscsi-synology /registration/org.democratic-csi.iscsi-synology-reg.sock
-        volumeMounts:
-        - name: plugins-dir
-          mountPath: /plugins
-        - name: registration-dir
-          mountPath: /registration
-      volumes:
-      - name: socket-dir
-        hostPath:
-          path: /var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology
-          type: DirectoryOrCreate
-      - name: plugins-dir
-        hostPath:
-          path: /var/lib/kubelet/plugins
-          type: Directory
-      - name: registration-dir
-        hostPath:
-          path: /var/lib/kubelet/plugins_registry
-          type: Directory
-      - name: kubelet-dir
-        hostPath:
-          path: /var/lib/kubelet
-          type: Directory
-      - name: iscsi-dir
-        hostPath:
-          path: /etc/iscsi
-          type: Directory
-      - name: iscsi-info
-        hostPath:
-          path: /var/lib/iscsi
-      - name: dev-dir
-        hostPath:
-          path: /dev
-          type: Directory
-      - name: modules-dir
-        hostPath:
-          path: /lib/modules
-      - name: localtime
-        hostPath:
-          path: /etc/localtime
-      - name: udev-data
-        hostPath:
-          path: /run/udev
-      - name: sys-dir
-        hostPath:
-          path: /sys
-          type: Directory
-      - name: host-dir
-        hostPath:
-          path: /
-          type: Directory
-      - name: config
-        secret:
-          secretName: csi-synology-democratic-csi-driver-config
-      nodeSelector:
-        kubernetes.io/os: linux
-
----
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  name: csi-synology-democratic-csi-controller
-  namespace: democratic-csi
-  labels:
-    app.kubernetes.io/name: democratic-csi
-    app.kubernetes.io/csi-role: controller
-    app.kubernetes.io/component: controller-linux
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: democratic-csi
-      app.kubernetes.io/csi-role: controller
-      app.kubernetes.io/component: controller-linux
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: democratic-csi
-        app.kubernetes.io/csi-role: controller
-        app.kubernetes.io/component: controller-linux
-    spec:
-      serviceAccount: csi-synology-democratic-csi-controller-sa
-      priorityClassName: system-cluster-critical
-      hostNetwork: false
-      dnsPolicy: ClusterFirst
-      hostAliases: []
-      hostIPC: false
-      containers:
-      - name: external-attacher
-        image: registry.k8s.io/sig-storage/csi-attacher:v4.4.0
-        args:
-        - --v=5
-        - --leader-election
-        - --leader-election-namespace=democratic-csi
-        - --timeout=90s
-        - --worker-threads=10
-        - --csi-address=/csi-data/csi.sock
-        volumeMounts:
-        - mountPath: /csi-data
-          name: socket-dir
-      - name: external-provisioner
-        image: registry.k8s.io/sig-storage/csi-provisioner:v3.6.0
-        args:
-        - --v=5
-        - --leader-election
-        - --leader-election-namespace=democratic-csi
-        - --timeout=90s
-        - --worker-threads=10
-        - --extra-create-metadata
-        - --csi-address=/csi-data/csi.sock
-        volumeMounts:
-        - mountPath: /csi-data
-          name: socket-dir
-        env:
-        - name: NODE_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: spec.nodeName
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.name
-      - name: external-resizer
-        image: "registry.k8s.io/sig-storage/csi-resizer:v1.9.0"
-        args:
-        - --v=5
-        - --leader-election
-        - --leader-election-namespace=democratic-csi
-        - --timeout=90s
-        - --workers=10
-        - --csi-address=/csi-data/csi.sock
-        volumeMounts:
-        - mountPath: /csi-data
-          name: socket-dir
-        env:
-        - name: NODE_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: spec.nodeName
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.name
-      # https://github.com/kubernetes-csi/external-snapshotter
-      # beware upgrading version:
-      #  - https://github.com/rook/rook/issues/4178
-      #  - https://github.com/kubernetes-csi/external-snapshotter/issues/147#issuecomment-513664310
-      - name: external-snapshotter
-        image: "registry.k8s.io/sig-storage/csi-snapshotter:v8.2.1"
-        args:
-        - --v=5
-        - --leader-election
-        - --leader-election-namespace=democratic-csi
-        - --timeout=90s
-        - --worker-threads=10
-        - --csi-address=/csi-data/csi.sock
-        volumeMounts:
-        - mountPath: /csi-data
-          name: socket-dir
-        env:
-        - name: NODE_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: spec.nodeName
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.name
-      - name: csi-driver
-        image: docker.io/democraticcsi/democratic-csi:latest
-        args:
-        - --csi-version=1.5.0
-        - --csi-name=org.democratic-csi.iscsi-synology
-        - --driver-config-file=/config/driver-config-file.yaml
-        - --log-level=debug
-        - --csi-mode=controller
-        - --server-socket=/csi-data/csi.sock.internal
-        livenessProbe:
-          failureThreshold: 3
-          exec:
-            command:
-            - bin/liveness-probe
-            - --csi-version=1.5.0
-            - --csi-address=/csi-data/csi.sock.internal
-          initialDelaySeconds: 10
-          timeoutSeconds: 15
-          periodSeconds: 60
-        volumeMounts:
-        - name: socket-dir
-          mountPath: /csi-data
-        - name: config
-          mountPath: /config
-      - name: csi-proxy
-        image: docker.io/democraticcsi/csi-grpc-proxy:v0.5.6
-        env:
-        - name: BIND_TO
-          value: unix:///csi-data/csi.sock
-        - name: PROXY_TO
-          value: unix:///csi-data/csi.sock.internal
-        volumeMounts:
-        - mountPath: /csi-data
-          name: socket-dir
-      volumes:
-      - name: socket-dir
-        emptyDir: {}
-      - name: config
-        secret:
-          secretName: csi-synology-democratic-csi-driver-config
-      nodeSelector:
-        kubernetes.io/os: linux
-
----
-apiVersion: storage.k8s.io/v1
-kind: CSIDriver
-metadata:
-  name: org.democratic-csi.iscsi-synology
-  labels:
-    app.kubernetes.io/name: democratic-csi
-spec:
-  attachRequired: true
-  podInfoOnMount: true

democratic-csi/driver-config-file.yaml

@@ -1,93 +0,0 @@
-driver: synology-iscsi
-httpConnection:
-  protocol: https
-  host: storage0.pyrocufflink.blue
-  port: 5001
-  username: democratic-csi
-  allowInsecure: true
-  # should be uniqe across all installs to the same nas
-  session: "democratic-csi"
-  serialize: true
-
-# Choose the DSM volume this driver operates on. The default value is /volume1.
-# synology:
-#   volume: /volume1
-
-iscsi:
-  targetPortal: "server[:port]"
-  # for multipath
-  targetPortals: [] # [ "server[:port]", "server[:port]", ... ]
-  # leave empty to omit usage of -I with iscsiadm
-  interface: ""
-  # can be whatever you would like
-  baseiqn: "iqn.2000-01.com.synology:csi."
-
-  # MUST ensure uniqueness
-  # full iqn limit is 223 bytes, plan accordingly
-  namePrefix: ""
-  nameSuffix: ""
-
-  # documented below are several blocks
-  # pick the option appropriate for you based on what your backing fs is and desired features
-  # you do not need to alter dev_attribs under normal circumstances but they may be altered in advanced use-cases
-  # These options can also be configured per storage-class:
-  # See https://github.com/democratic-csi/democratic-csi/blob/master/docs/storage-class-parameters.md
-  lunTemplate:
-    # can be static value or handlebars template
-    #description: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}-{{ parameters.[csi.storage.k8s.io/pvc/name] }}"
-    
-    # btrfs thin provisioning
-    type: "BLUN"
-    # tpws = Hardware-assisted zeroing
-    # caw = Hardware-assisted locking
-    # 3pc = Hardware-assisted data transfer
-    # tpu = Space reclamation
-    # can_snapshot = Snapshot
-    #dev_attribs:
-    #- dev_attrib: emulate_tpws
-    #  enable: 1
-    #- dev_attrib: emulate_caw
-    #  enable: 1
-    #- dev_attrib: emulate_3pc
-    #  enable: 1
-    #- dev_attrib: emulate_tpu
-    #  enable: 0
-    #- dev_attrib: can_snapshot
-    #  enable: 1
-
-    # btfs thick provisioning
-    # only zeroing and locking supported
-    #type: "BLUN_THICK"
-    # tpws = Hardware-assisted zeroing
-    # caw = Hardware-assisted locking
-    #dev_attribs:
-    #- dev_attrib: emulate_tpws
-    #  enable: 1
-    #- dev_attrib: emulate_caw
-    #  enable: 1
-
-    # ext4 thinn provisioning UI sends everything with enabled=0
-    #type: "THIN"
-
-    # ext4 thin with advanced legacy features set
-    # can only alter tpu (all others are set as enabled=1)
-    #type: "ADV"
-    #dev_attribs:
-    #- dev_attrib: emulate_tpu
-    #  enable: 1
-
-    # ext4 thick
-    # can only alter caw
-    #type: "FILE"
-    #dev_attribs:
-    #- dev_attrib: emulate_caw
-    #  enable: 1
-
-  lunSnapshotTemplate:
-    is_locked: true
-    # https://kb.synology.com/en-me/DSM/tutorial/What_is_file_system_consistent_snapshot
-    is_app_consistent: true
-
-  targetTemplate:
-    auth_type: 0
-    max_sessions: 0

democratic-csi/kustomization.yaml

@@ -1,32 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: democratic-csi
-
-labels:
-- pairs:
-    app.kubernetes.io/instance: csi-synology
-
-resources:
-- namespace.yaml
-- rbac.yaml
-- democratic-csi.yaml
-- secrets.yaml
-- storageclass.yaml
-
-patches:
-- patch: |
-    kind: Deployment
-    apiVersion: apps/v1
-    metadata:
-      name: csi-synology-democratic-csi-controller
-      namespace: democratic-csi
-    spec:
-      template:
-        spec:
-          hostNetwork: true
-
-images:
-- name: docker.io/democraticcsi/democratic-csi
-  newName: ghcr.io/democratic-csi/democratic-csi
-  digest: sha256:da41c0c24cbcf67426519b48676175ab3a16e1d3e50847fa06152f5eddf834b1

democratic-csi/namespace.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: democratic-csi

democratic-csi/rbac.yaml

@@ -1,316 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: csi-synology-democratic-csi-controller-sa
-  namespace: democratic-csi
-  labels:
-    app.kubernetes.io/name: democratic-csi
-
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: csi-synology-democratic-csi-node-sa
-  namespace: democratic-csi
-  labels:
-    app.kubernetes.io/name: democratic-csi
-
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-synology-democratic-csi-controller-cr
-  labels:
-    app.kubernetes.io/name: democratic-csi
-rules:
-- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - list
-  - create
-- apiGroups:
-  - 
-  resources:
-  - persistentvolumes
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - watch
-  - update
-  - patch
-- apiGroups:
-  - 
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - 
-  resources:
-  - pods
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - 
-  resources:
-  - persistentvolumeclaims
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch
-- apiGroups:
-  - 
-  resources:
-  - persistentvolumeclaims/status
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch
-- apiGroups:
-  - 
-  resources:
-  - nodes
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - storage.k8s.io
-  resources:
-  - volumeattachments
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch
-- apiGroups:
-  - storage.k8s.io
-  resources:
-  - volumeattachments/status
-  verbs:
-  - patch
-- apiGroups:
-  - storage.k8s.io
-  resources:
-  - storageclasses
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - csi.storage.k8s.io
-  resources:
-  - csidrivers
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - create
-- apiGroups:
-  - 
-  resources:
-  - events
-  verbs:
-  - list
-  - watch
-  - create
-  - update
-  - patch
-- apiGroups:
-  - snapshot.storage.k8s.io
-  resources:
-  - volumesnapshotclasses
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - snapshot.storage.k8s.io
-  resources:
-  - volumesnapshots/status
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - snapshot.storage.k8s.io
-  resources:
-  - volumesnapshotcontents
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - snapshot.storage.k8s.io
-  resources:
-  - volumesnapshotcontents/status
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - snapshot.storage.k8s.io
-  resources:
-  - volumesnapshots
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - storage.k8s.io
-  resources:
-  - csinodes
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - csi.storage.k8s.io
-  resources:
-  - csinodeinfos
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - get
-  - watch
-  - list
-  - delete
-  - update
-  - create
-- apiGroups:
-  - storage.k8s.io
-  resources:
-  - csistoragecapacities
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - 
-  resources:
-  - pods
-  verbs:
-  - get
-- apiGroups:
-  - apps
-  resources:
-  - daemonsets
-  - deployments
-  - replicasets
-  - statefulsets
-  verbs:
-  - get
-
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-synology-democratic-csi-node-cr
-  labels:
-    app.kubernetes.io/name: democratic-csi
-rules:
-- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - list
-  - create
-- apiGroups:
-  - 
-  resources:
-  - nodes
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-- apiGroups:
-  - 
-  resources:
-  - persistentvolumes
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-- apiGroups:
-  - storage.k8s.io
-  resources:
-  - volumeattachments
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-synology-democratic-csi-controller-rb
-  labels:
-    app.kubernetes.io/name: democratic-csi
-roleRef:
-  kind: ClusterRole
-  apiGroup: rbac.authorization.k8s.io
-  name: csi-synology-democratic-csi-controller-cr
-subjects:
-- kind: ServiceAccount
-  name: csi-synology-democratic-csi-controller-sa
-  namespace: democratic-csi
-
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-synology-democratic-csi-node-rb
-  labels:
-    app.kubernetes.io/name: democratic-csi
-roleRef:
-  kind: ClusterRole
-  apiGroup: rbac.authorization.k8s.io
-  name: csi-synology-democratic-csi-node-cr
-subjects:
-- kind: ServiceAccount
-  name: csi-synology-democratic-csi-node-sa
-  namespace: democratic-csi

democratic-csi/secrets.yaml

@@ -1,73 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: csi-synology-democratic-csi-driver-config
-  namespace: democratic-csi
-  labels: &labels
-    app.kubernetes.io/name: synology-iscsi-driver-config
-    app.kubernetes.io/component: democratic-csi
-    app.kubernetes.io/part-of: democratic-csi
-spec:
-  encryptedData:
-    synology.password: AgC6Ai4YXYUZZ0ve8MwzeWFb5QzLbCunHOhjela/TGCzPr48evXbj6wKKVIailXS2cpD948wQ9tEX5bK3ojlMIuuzjbux0ATpTuSN81JQPbvArINp9kYu/QK2Eg46tEk6f5W1VFVC2yYQySC9+7NLJRg8qk8gGUGUMt11mRcsyJ6iBnzEt+5xwK+adQB0/pHJPGGKKcOJY9ZUCdl+Q930ZvnSvrdZNcFKH1meFww7ujQ0NBV8ABpcJwEjJhfFi3tMBKpIPrYGsSVEmHYciwK2YLyeJ/Ao7GBIBKX5lIQl0aTi40oIsc3BV2ZTmM1a2ZuuQWg33+9/r3FaU6ZdYL84B9S+W6IG893yFH+22fcArxCzjVnb8oftzrl2J/M3UZhtL4vYakHjEVMqCm2hzHjGCAadXD1cs6xiqcl4mA40KbaEojxodZJyzlNBbTi4ZN4cIaIFO8FNYnewSXtYZBIUzgdNe65k9orpmaV+qpK4Q8Cd3uZg4RQwiygBPQE9BGSJ7cBc/dCqxevuZB1F1yOetpPlQgyIN6gixt6xzefPp0VWY1I1TI3kjLSRiRGWUK1NIL4J3TIdcBsuO8OXWh0D2c+n4/dIPX9peCN8COKXMwjBm9AHDZ1ImlnVZrAxzYCTPxtGRtJVp/4pW6aDWXCA7UWPdKroipw9FUAK64knqMoV7QS7c6Kw7cz2ajvAV84O/jNkRc7L20J35z30rSncH7l1/JV0XPOZh0XWE5068TQKQ==
-  template:
-    metadata:
-      name: csi-synology-democratic-csi-driver-config
-      namespace: democratic-csi
-    data:
-      driver-config-file.yaml: |
-        driver: synology-iscsi
-        httpConnection:
-          protocol: https
-          host: storage0.pyrocufflink.blue
-          port: 5001
-          username: democratic-csi
-          password: {{ index . "synology.password" }}
-          allowInsecure: true
-          session: democratic-csi
-          serialize: true
-        iscsi:
-          targetPortal: '[fd68:c2d2:500e:3ea3:8d42:e33e:264b:7c30]:3260'
-          baseiqn: iqn.2000-01.com.synology:csi.
-          lunTemplate:
-            type: BLUN
-          targetTemplate:
-            auth_type: 2  # 0: None; 1: CHAP; 2: Mutual CHAP
-            max_sessions: 0  # 0: Unlimited
-            chap: true
-            mutual_chap: true
-          lunSnapshotTemplate:
-            is_app_consistent: true
-            is_locked: true
-
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: synology-iscsi-provisioner
-  namespace: democratic-csi
-spec:
-  encryptedData:
-    targetTemplate: AgDWYcaVFVlqHO1XCH0d0Okz2RHt1R1pc2ygTtP4ZYuc44IdfERzgGh9CWNbjY+Qf5K7kF4TOIwgRs1MLumaUg637VO7SYCl1kwWV6pZ/g4bLX1FGTl+XFIAH53EKxDD5nC9fl3VG46IA+dYBPoWFb0UYoI09eWHUg7vTRk1/0MTu19UPkc6VafhFXTfVNiUykF+264Ck3I9i9hMk3Buf9+E4qLHeyyfpMob7IRpdkz+ONYYrxHOGrwDgqFwcyiyliIYWjmOh/FV6kolffeNgSkXpWNNrLQOkkSOwUF6DalKiZd16nzLrvzKFWuDcdcRqxBBKaMUF/JK4BAkfi+MNRTaceCmoSkS21gVLbATb0L3Z7JaifdqRInPNMbkFYs+wILkozyJX0JANg4kuMBCW8GfPEMj9ck21dyeR+ucXcIc67GYS7L92d/ITZd2SWT6a6LRT1vBvroE8ybVf+3oOPUOtaSiZsZpNan2DO4kk/1ZD6clBvn5Cz0BqbVQxwwPSuGkvFXNpDX+xliN+QkohnWDQKi4cMvUqVUG7MyfbaCiGyXcH7enYxccBvIVVy6rXWXDtkzP4B30KeO7rfz0eDn7f+zYZPpwFE6TIorCNe+5zNC0uDwMKf7Csz3x78ZxXtYpdPpFpnboP5zWXhKZY4EfgiyV1HDoSAkzfC4zQV26DnH1nfN9OjYwNUdc75tw7VYuSWS8cEH71E9DdvcJv1XL0f7D5uV5RlGQP3sonWhFi73dLuqCNNwHtEOIV3XxJvN/gaoDRvQQMTosWK5pOs3CpiBGq+EYoM5KWZZhp29axSQ3NRefGoLwOsbeEg==
-  template:
-    metadata:
-      name: synology-iscsi-provisioner
-      namespace: democratic-csi
-
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: synology-iscsi-chap
-  namespace: democratic-csi
-spec:
-  encryptedData:
-    node-db.node.session.auth.password: AgC2kAta4SiM1EcDAVdenwtKLGTrDJte1qSK3W8WO80zKycj54KBlWMvCLzala70/e1e26iRUWotgwUrrPQpYoAspR9kHIaGFccZvVh+JWJY1OIfCryvumN8jGk0ynN5IMo/ZTFTEE76XrEckvnRrZIcqb9K1RlpS5jRPA8vXDGBofXG4in/scZ08SNIsrELfcKvIsSZsYQF6aY3cQ+rcqePJBBG+5hDsu6qsBoib1tsfe2DoCZ2bYRu5BJFD6CneUTCcVvoBBYmMX+nS2Cvfz8OK+5H42q0W3Gzg6VJYrTsQ1PN5LLg5+xk6ENovw/PtohiwvP6RV9I2r6ev+RrrlWUPlC7XOD0qm2nUeG8D8J+9aP2prQ9zFgpuIZ//gIKKvMSsSJRZvSkbjJ6nrC9ViVmaC65dx89bYjr5vB+7Dm5ytQ6ars5rEpEexiPgGiobnCosn0wwMN1WP97VcpW8udqsticLSBFtANUUtnW2yZMRuVh7a2MutnlUXgODG+ZgkNaZE0cELfOynkhaf10aByuXIN1NX9VIdzfIbdZaIKvr0xKQSdKnbszoHQNOZieE4mXZ/w0BiiDilvyqtLP+3Maa+mFIjoo17zlf8PJD1dEUFckNUBJifVIV6vOHCKXO565IxyE9nNokXR7xkd6XEd3qefoV+9IpOt0NEkHehbSZzUy3JpyNbicdF1WyXb/uY9riacLptssZ4LF8eQ=
-    node-db.node.session.auth.password_in: AgCMw56LgARt7/dn2WhebQIv+uNLkGUxBkgbYOw+Po9eqgk622F7Y6pVWRAwicdPBM2cjnSrGjPO7nzgXhD0GIbW44WyvwM2w+n5klWmSC9prK+Orup3TMty2hKnSMLOR3rIfpUiRJ0NFvGkTvPzQ/ZDX3O4c88oG6UGVG3B4bQu6Kn5GJ5is2XAnh2dipBx18kLpEmL3hMMqpAy2x0qyf8vJxy39ZvAntk69ziliumqpxePecvbLPkkh2A1jwZR0guBDvBiksvoOyh+P7hTxj3ioVC3HZ4+i52tuvfqugo+INqKJfr15k6fA2cTFEHJ8kwkPtFQCA3bbvRAbcjl0malOIqBFBFwbJYvcauXZGP9m1uoMRni3FHn+1YkBdsvSnw66aYHc4gjN8VrLSziYH72TH8XJ6jEikeK5+nCN2+uhC+AetEUFcLCNM7sKXlS7pzIOQiZ3oB7FcQrsSUkt1Zjax5F6i0reRTdZd/qPLvt65NFwjG/a3yMLf141aHSRog+HGugm4/1A2USGmURmwGSVwAjfrK7b/dj3tMOG8BI4vVJ0UCyw65v0R9h4VEORyr4sXTgNx2+5HewEskDt3LyMzmw4Y6Sw2ftZmQxNEsSy+8BEF4zZj6foIAGuLShjI+4BR9aGnX4maL7IjR6cmj6qwinybfFYAMSx23Icw/aXUBgJ6Slgnd6l96g2RWcNGDxWM8Wq6p2W9VHvDY=
-    node-db.node.session.auth.username: AgBXplj0SXTinhqbpu5SvYJheYt9G4YNGE99UIi2F0n5QrCI7zvuuSQvA8EKCS5LQni+Og/wToJs1wLeUX4OstlQd3OvkpFDD+jrPVUDv04tlSeNJmaMrQe1pNk04GiLJKeDRRkG+9eTYSIKMsDLroofjHgiRH5wsBh0ncWDW1v5cNlpgq3EzgEQiKnL5zIPIXlHKkadZ9cvebtGoW7mGEnPI/QSnurhVfzEWCXCilxvyNDnBNIKK1rf79eDg1+ZecA0bvE2d7d1cfLhKG+Hd7JcRI0fxii+u1KTCBqbl6goCiCUi5KBfCMP45m7DTyMMPNSfsx9WVjR3ueEXucRGIfhTrV5Zo5Y+WY2c4MoW9XDw0JG/zzHJAOzd9CYk2b6EgEhJLXyHdhNp3JfN4lBpbM6r8RIoQTRImLH0BxytIXQ8kzMtJdkYt2rjV4ZR/fQB9UzGYBtLgWTrNbA+PgEBDB5nlVzbCXZ6uxfRadc2jv2fjGvzidIsfFOicrxWTQtnwSqbs8XAOydHU3Kk7Hrv8k22uaFETcz/tZI619wQL63SmA2igM0fBZcuc64Lx6wmzQBFA9CNKVuPHKFdPXM3s4GzrLqKMskAmDpYvtSlvSqsE2nv6sObS8Iyzm4o69V9+ma2LGD5bl6i7L2wiLlgvc8Ef+YviVzn8lVYqdKCce6F/5TQKNzvbdnJ0bJn6Q01CVHlYqbnyworsmf
-    node-db.node.session.auth.username_in: AgCT8KR/4GNoDa/TIv6YykoDaGKIP5yXkC/krWFYU5lBMSc3DreECmmow88/5xB4v+5dVt9eE7bJkgPqsUVNXlzDXpSSB/TS2iM/3sAd4ZHzZroTLIf+0QnDC2ZrybokcdmCjkFUgnDzJ9Vs+GqjUjL97LHPbTMc8ONwgiy6YmKLpc11V+JxWqSsKwGPM9ObdmI9rh/IZa19sksh86va3oqjDfElXEwKFkztV1f/NHCsWsuuov/Ku6Lisk5X0JIMKPTUUza0q3tZlJ/NotxNydHef+PA9R648XURQs/xp/hzrdttuMzxo7gT0YEsr8y9h7xlTPlR8we7/igjUMmS+ORRafg5m6PpHWanDxtHafhw9wfmvh0wEgXjC8Sz6Ub3Q9idBlHock60h+uyfsdlP3A2qMjdUXr0dFNBwXcGTaM/n5T18gO05/JSUv7CEdiuSlMnPjYzChAHDSCzxblk8CRDTcSjsSMvVBPjr5L+KQqGj3f6mm3lQnPwzXprS0//SsehRReAvbX5eGfd8Bu8nhRRtgEXvLqQdC7WxbWe0QjwB5ZRHt/4v5N1K8TXo8h6iZ6fcEtTfloMH07TitdwdYQm4uG7dfA7PA9KuqDs+R+phGFGWuzq1cMtp+hOJ6XpFgGyVhYAL/lyl3DddT1o9o7UhDCi4w7nSyxVamwyaGuUsF3lX2TyGVPjdGN1D5dlhRJ8YSPMDWOrZw==
-  template:
-    metadata:
-      name: synology-iscsi-chap
-      namespace: democratic-csi

democratic-csi/storageclass.yaml

@@ -1,20 +0,0 @@
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: synology-iscsi
-allowVolumeExpansion: true
-provisioner: org.democratic-csi.iscsi-synology
-parameters:
-  fsType: xfs
-  csi.storage.k8s.io/provisioner-secret-name: synology-iscsi-provisioner
-  csi.storage.k8s.io/provisioner-secret-namespace: democratic-csi
-  csi.storage.k8s.io/node-stage-secret-name: synology-iscsi-chap
-  csi.storage.k8s.io/node-stage-secret-namespace: democratic-csi
-
----
-apiVersion: snapshot.storage.k8s.io/v1
-kind: VolumeSnapshotClass
-metadata:
-  name: synology-iscsi
-driver: org.democratic-csi.iscsi-synology
-deletionPolicy: Delete

device-plugins/fuse-device-plugin.yaml

@@ -27,7 +27,6 @@ spec:
      tolerations:
      - key: du5t1n.me/machine
        value: raspberrypi
-     - key: du5t1n.me/jenkins
      volumes:
      - name: device-plugin
        hostPath:

dynk8s-provisioner/.gitignore

@@ -1 +0,0 @@
-wireguard-config

dynk8s-provisioner/dynk8s-provisioner.yaml

@@ -1,3 +1,196 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dynk8s
+  labels:
+    kubernetes.io/metadata.name: dynk8s
+    app.kubernetes.io/instance: dynk8s-provisioner
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dynk8s-provisioner
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+automountServiceAccountToken: true
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynk8s-provisioner
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynk8s-provisioner
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dynk8s-provisioner
+  namespace: kube-public
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  resourceNames:
+  - cluster-info
+  verbs:
+  - get
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dynk8s-provisioner
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - list
+  - get
+  - delete
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynk8s-provisioner
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynk8s-provisioner
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+  namespace: dynk8s
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dynk8s-provisioner
+  namespace: kube-public
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+  namespace: dynk8s
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dynk8s-provisioner
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/part-of: dynk8s-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: dynk8s-provisioner
+subjects:
+- kind: ServiceAccount
+  name: dynk8s-provisioner
+  namespace: dynk8s
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: dynk8s-provisioner-pvc
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner-pvc
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: dynk8s-provisioner
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+
 ---
 apiVersion: apps/v1
 kind: StatefulSet
@@ -53,7 +246,8 @@ spec:
       serviceAccountName: dynk8s-provisioner
       volumes:
       - name: dynk8s-provisioner
-        emptyDir: {}
+        persistentVolumeClaim:
+          claimName: dynk8s-provisioner-pvc
 
 ---
 apiVersion: v1
@@ -74,3 +268,54 @@ spec:
   ports:
   - port: 8000
     name: http
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: dynk8s-provisioner
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/name: dynk8s-provisioner
+    app.kubernetes.io/instance: dynk8s-provisioner
+    app.kubernetes.io/component: http-api
+    app.kubernetes.io/part-of: dynk8s-provisioner
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - dynk8s-provisioner.pyrocufflink.net
+  rules:
+  - host: dynk8s-provisioner.pyrocufflink.net
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: dynk8s-provisioner
+            port:
+              name: http
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: wireguard-config-0
+  namespace: dynk8s
+  labels:
+    app.kubernetes.io/part-of: dynk8s-provisioner
+    dynk8s.du5t1n.me/ec2-instance-id: ''
+type: dynk8s.du5t1n.me/wireguard-config
+stringData:
+  wireguard-config: |+
+    [Interface]
+    Address = 172.30.0.178/28
+    DNS = 172.30.0.1
+    PrivateKey = gGieVWS8SUQxC7L0NKmHlpvBTANNNaucsm9K1ioHPXU=
+
+    [Peer]
+    PublicKey = 85BW2bagvhOZnvFD6gmjnT+uUj5NaF4z+YFBV/br9BA=
+    PresharedKey = bZgUN82zDW7Q+558omOyRrZ0rw3bUohmIjEaxgtZCv8=
+    Endpoint = vpn.pyrocufflink.net:19998
+    AllowedIPs = 172.30.0.0/26, 172.30.0.160/28, 172.31.1.0/24

dynk8s-provisioner/ingress.yaml

@@ -1,26 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: dynk8s-provisioner
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-spec:
-  ingressClassName: nginx
-  tls:
-  - hosts:
-    - dynk8s-provisioner.pyrocufflink.net
-  rules:
-  - host: dynk8s-provisioner.pyrocufflink.net
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: dynk8s-provisioner
-            port:
-              name: http

dynk8s-provisioner/kustomization.yaml

@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-labels:
-- pairs:
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/part-of: dynk8s-provisioner
-
-resources:
-- namespace.yaml
-- rbac.yaml
-- dynk8s-provisioner.yaml
-- ingress.yaml
-- secrets.yaml

dynk8s-provisioner/namespace.yaml

@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: dynk8s
-  labels:
-    kubernetes.io/metadata.name: dynk8s
-    app.kubernetes.io/instance: dynk8s-provisioner

dynk8s-provisioner/rbac.yaml

@@ -1,164 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: dynk8s-provisioner
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-automountServiceAccountToken: true
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: dynk8s-provisioner
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-rules:
-- apiGroups:
-  - ''
-  resources:
-  - secrets
-  verbs:
-  - '*'
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: dynk8s-provisioner
-  namespace: kube-system
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-rules:
-- apiGroups:
-  - ''
-  resources:
-  - secrets
-  verbs:
-  - '*'
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: dynk8s-provisioner
-  namespace: kube-public
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-rules:
-- apiGroups:
-  - ''
-  resources:
-  - configmaps
-  resourceNames:
-  - cluster-info
-  verbs:
-  - get
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: dynk8s-provisioner
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/component: http-api
-    app.kubernetes.io/part-of: dynk8s-provisioner
-rules:
-- apiGroups:
-  - ''
-  resources:
-  - nodes
-  verbs:
-  - list
-  - get
-  - delete
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: dynk8s-provisioner
-  namespace: dynk8s
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/part-of: dynk8s-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: dynk8s-provisioner
-subjects:
-- kind: ServiceAccount
-  name: dynk8s-provisioner
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: dynk8s-provisioner
-  namespace: kube-system
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/part-of: dynk8s-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: dynk8s-provisioner
-subjects:
-- kind: ServiceAccount
-  name: dynk8s-provisioner
-  namespace: dynk8s
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: dynk8s-provisioner
-  namespace: kube-public
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/part-of: dynk8s-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: dynk8s-provisioner
-subjects:
-- kind: ServiceAccount
-  name: dynk8s-provisioner
-  namespace: dynk8s
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: dynk8s-provisioner
-  labels:
-    app.kubernetes.io/name: dynk8s-provisioner
-    app.kubernetes.io/instance: dynk8s-provisioner
-    app.kubernetes.io/part-of: dynk8s-provisioner
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: dynk8s-provisioner
-subjects:
-- kind: ServiceAccount
-  name: dynk8s-provisioner
-  namespace: dynk8s

dynk8s-provisioner/secrets.yaml

@@ -1,16 +0,0 @@
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: wireguard-config-0
-  namespace: dynk8s
-spec:
-  encryptedData:
-    wireguard-config: AgCRjcXhRNtDg/LSmDKFxbSunGGNBu6GrHGYIPG+DMXCbAIiRnnjxpeu/7Vh0WrYcHCHoLdm0NAr7M9G7S8aS8XUDZ7ANphGk56t8Mrrv9ZzOwHyCnxm3QM6q7RNus2+PgKJ/zNe8j5M1u4v3wGk1XzXPtYQ4dRp6op5X+ILGUu16Y2/hcfHEtW9IupqCKgteo1GAyHY4I86ldsTSIvEtcriVhXrEIYYRwYzEpR06y15dbz4qC86nTDp0RuhO+eU4hEzu/c80IJIjTz5CbDundSYRLqafZgs+LwL2fo5wnVyDy1KfP5X2o2mbZFz/5fhwj3M27/g+4KLh08NY5DJTMN1CFrHYGcWUbpIqWYCEJd8c40jRzzDVhcHA3WJjOd0KZv0oRfwmjbBlf0mMxDcJhG/h8tngQBs6aNEpq69RbABbL0bBkIQBokmib4bSfppHTBYNhzbdLwDQJD072qqNGKbDufHkcK4bBwuvmeE00EKxqFoqz++6EQMRkuNN7UtpFDKyDxElOMlo09KKGMUqz/JkFPb4YRJhF31+CskWmU1AVFge7Z5sVe5lMiDpoH62Zg5sxRSaHbdYvsS1vxsTfdG3rmhOAMxxYc+Kvt3u3eNkzEV3lUosorspZhBnEzyHHcap1QUd19vVarjv77g9Br7PATOl3SmuK58JqW2dyOiMQvjLNUAZ27q3uEZGAzRZ8yg5RoejFpueFJjSjTnV1UFdH/OseHXgvFd60syg/mviIA9IGzaxCjoZfxL1GlfjGDYsetnnIDCcQR8K915Qh0PfMdwHKsPBmmDGAxP7k/DHEM3tYC66SQAD4mpMH4Ri8jDD3ijpq8ud93CZX5S32rU0yrXIWCM4ByXks32HACCEOIdfHuGuys6FRQTCPFJuYlpwsVTSJKLjy59rTz5B6nLKxtaOuRULh8MrDR7KlhMiE7gl5waiIlYaiecVn/sNfu4q9UfgwGUntKIovmrwcBPjMRmLgs3IQH4p02G4OemPaByXkPD1JROk2epNkLMwH+IsUxAveGy/hCmrLa9fRaJWSlfuAQtqOihf34YBudsfqwr0UGLI8VsVe+p+tF+AYftUGDf1trJTI8TJUB/91CwrC6c61EFbQCJc90w+lL+oJueDZdGXzoYvkCsDpfFMA==
-  template:
-    metadata:
-      name: wireguard-config-0
-      namespace: dynk8s
-      labels:
-        app.kubernetes.io/part-of: dynk8s-provisioner
-        dynk8s.du5t1n.me/ec2-instance-id: ''
-    type: dynk8s.du5t1n.me/wireguard-config

dynk8s-provisioner/wireguard-config.new

@@ -1,11 +0,0 @@
-# vim: set ft=dosini :
-[Interface]
-Address = 172.30.0.194/29
-DNS = 172.30.0.1
-PrivateKey = WJb4G0EL5xc0VMHZeiqJE3G0OlFhe1Q5CEJkMg8hTkE=
-
-[Peer]
-PublicKey = 85BW2bagvhOZnvFD6gmjnT+uUj5NaF4z+YFBV/br9BA=
-PresharedKey = gVRSPVLZMx1maIfecFIcAeesrireopaKqs0jDj9muS0=
-Endpoint = vpn.pyrocufflink.net:19998
-AllowedIPs = 172.30.0.0/26, 172.30.0.160/28, 172.31.1.0/24

firefly-iii/firefly-iii-importer.env

@@ -1,6 +1,6 @@
 TZ=America/Chicago
 
-TRUSTED_PROXIES=10.149.0.0/16
+TRUSTED_PROXIES=172.30.0.160/28
 VANITY_URL=https://firefly.pyrocufflink.blue
 
 CAN_POST_FILES=true

firefly-iii/firefly-iii.env

@@ -4,16 +4,13 @@ SITE_OWNER=dustin@hatch.name
 
 TZ=America/Chicago
 
-TRUSTED_PROXIES=10.149.0.0/16
+TRUSTED_PROXIES=172.30.0.160/28
 
 DB_CONNECTION=pgsql
-DB_HOST=postgresql.pyrocufflink.blue
+DB_HOST=default.postgresql
 DB_PORT=5432
-DB_USERNAME=firefly
+DB_USERNAME=firefly-iii.firefly
 DB_DATABASE=firefly
-PGSSLROOTCERT=/run/dch-ca/dch-root-ca.crt
-PGSSLCERT=/run/secrets/firefly/postgresql/tls.crt
-PGSSLKEY=/run/secrets/firefly/postgresql/tls.key
 
 CACHE_DRIVER=redis
 SESSION_DRIVER=redis

firefly-iii/firefly-iii.yaml

@@ -66,7 +66,6 @@ spec:
       containers:
       - name: firefly-iii
         image: docker.io/fireflyiii/core:version-6.0.19
-        imagePullPolicy: IfNotPresent
         envFrom:
         - configMapRef:
             name: firefly-iii
@@ -74,6 +73,8 @@ spec:
         env:
         - name: APP_KEY_FILE
           value: /run/secrets/firefly-iii/app.key
+        - name: DB_PASSWORD_FILE
+          value: /run/secrets/firefly-iii/db.password
         - name: STATIC_CRON_TOKEN_FILE
           value: /run/secrets/firefly-iii/cron.token
         ports:
@@ -128,7 +129,6 @@ spec:
         spec:
           containers:
           - image: docker.io/library/busybox
-            imagePullPolicy: IfNotPresent
             name: wget
             command:
             - wget

firefly-iii/kustomization.yaml

@@ -9,13 +9,11 @@ namespace: firefly-iii
 
 resources:
 - secrets.yaml
-- postgres-cert.yaml
 - redis.yaml
 - firefly-iii.yaml
 - ingress.yaml
 - importer.yaml
 - importer-ingress.yaml
-- ../dch-root-ca
 
 configMapGenerator:
 - name: firefly-iii
@@ -28,6 +26,9 @@ configMapGenerator:
   - firefly-iii-importer.env
 
 patches:
+# This patch changes the source secret for the PostgreSQL database
+# password from the default (`db.password` inside `firefly-iii`) to
+# a secret managed by the postgres operator.
 - patch: |-
     apiVersion: apps/v1
     kind: Deployment
@@ -36,33 +37,17 @@ patches:
     spec:
       template:
         spec:
-          affinity:
-            nodeAffinity:
-              preferredDuringSchedulingIgnoredDuringExecution:
-              - weight: 100
-                preference:
-                  matchExpressions:
-                  - key: kubernetes.io/arch
-                    operator: In
-                    values:
-                    - amd64
           containers:
           - name: firefly-iii
+            env:
+            - name: DB_PASSWORD_FILE
+              value: /run/secrets/postgresql/password
             volumeMounts:
-            - mountPath: /run/dch-ca
-              name: dch-root-ca
-              readOnly: true
-            - mountPath: /run/secrets/firefly/postgresql
-              name: postgresql-cert
+            - name: db-secret
+              mountPath: /run/secrets/postgresql
               readOnly: true
           volumes:
-          - name: dch-root-ca
-            configMap:
-              name: dch-root-ca
-          - name: postgresql-cert
+          - name: db-secret
             secret:
-              secretName: postgres-client-cert
-              defaultMode: 0640
-images:
-- name: docker.io/fireflyiii/core
-  newTag: version-6.2.21
+              secretName: firefly-iii.firefly.default.credentials.postgresql.acid.zalan.do
+              defaultMode: 0440

firefly-iii/postgres-cert.yaml

@@ -1,13 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: postgres-client-cert
-spec:
-  commonName: firefly
-  privateKey:
-    algorithm: ECDSA
-  secretName: postgres-client-cert
-  issuerRef:
-    name: postgresql-ca
-    kind: ClusterIssuer
-

firefly-iii/redis.yaml

@@ -1,3 +1,22 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: redis
+  namespace: firefly-iii
+  labels:
+    app.kubernetes.io/name: redis
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/instance: firefly-iii
+    app.kubernetes.io/part-of: firefly-iii
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
+
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -56,7 +75,7 @@ spec:
           runAsUser: 1000
           runAsGroup: 1000
         volumeMounts:
-        - name: data
+        - name: redisdata
           mountPath: /data
           subPath: data
         - name: tmp
@@ -64,21 +83,9 @@ spec:
       securityContext:
         fsGroup: 1000
       volumes:
+      - name: redisdata
+        persistentVolumeClaim:
+          claimName: redis
       - name: tmp
         emptyDir:
-  volumeClaimTemplates:
-  - apiVersion: v1
-    kind: PersistentVolumeClaim
-    metadata:
-      name: data
-      labels:
-        app.kubernetes.io/name: redis
-        app.kubernetes.io/component: redis
-        app.kubernetes.io/part-of: firefly-iii
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 2G
 

firefly-iii/secrets.yaml

@@ -21,7 +21,7 @@ metadata:
   namespace: firefly-iii
 spec:
   encryptedData:
-    dustin.access-token: AgAEv1RHTUGZBoxDa4nMOZ+gU9sW/SjTdaQ5NAqoFuVOYwlrXMLKubonXduiLXp2YSduuRCsF/X8GH8xLjsegf+zcDZcWPUjUq6Hm7q2KDPmy+Ekjv5Z3IOmBOtQLcPZlJGOeJenHhNu+UyA1G9prBEiXj9PnfMh/RrT6nGU4pCxw3406p4YCvhwh00DhNYYQu8VaFejxkWB9RRQ/sQ54708VxCd9myxKfS5oSbi0+3z20cTfk5mGZs6bM+dbvL994cAUIGViNpnqiT1HFvWwvI1ItRFxhp6/CjLfZh9CRKsz6JnaA1JV8+mU6903yNAU8HjTIJlJNL3+vW9lRwUSCnd1Bghfz+iRpyuV+jaCZD76FrOKTlOr4Eo3M6U+HgSx+1ivamnwDAp0K/EpK3BjW2P476NqCDc10uxmN/gdxsSHDtL2XP91t94ApXQ9xq5/3a6lAOldqYJodg2/EKvwpEjsFlfU1/JgUPyZ6qryDQQpY8o2d0f9GOqVINEjH0Lw7zW4GxutWipw3zKbmN+6OoJyhF4FDRNXDCkI8Q4TVEN05nzSipmWzVmgyeSPLwRW6IJ/uzTGDHVYWGMIXfag9zfDP9X6t4j+81n2MRcJoLPjHgkbsJvo9+yEPnHkwp7WbkBMlEwsDVVSkRDv3bo7BSzOxNqVR7MWlfadbAHkX7HAb7Evj6i1Aq/qLtIp6ubdeYlTgQ/Xjs2k0WjfIIXQAsU4WvelRKqoVJKhTkRDo3SFuRqVYRCQQkPVIZhmmcdzXhemUBpFiRjqLV8IaXOXSXR0jOTp+DDHj7vonwygnMaTRkTwUH5yZw1X74vrZf01Yl6vC+ih6iZk1bwQiPKSfZS2XUZhO9df/TDleBHB1rucLo5dWm9GUIg/GqOc5hcbEmE+0zEA9tdXI5eYTPsKfPLBJic+ej/9A+Qx6aIpylFWVwcYS56Ks/RejHCnA5vq7pE4N8SsOLbcxkvETSEHn3xi1p5YMDF9IeMw2gqGzVT8WZzdhD5MxV4jRvk1LnlRli8SN+G6JEifc219c030YVDuGIU4wO3cmjUoD6QXAK8SIUrjsUbci1T5TEbNjcJtaDxwBHKUvFNaDKvDdKTOYbvRjgQaAmFx0TBu15SPLugrHdD7nYsGwKMUusIRT8K9RxTMuvqwzS0vvn0GBmlrJsny5LlaDuknh2+3KpPUe/P+ZNmnsCG0l48Bw87jkxHeSWzGPMDiFqwpuYA8aDkxW2GFehQEIXefzmz6JOBdlvWsh/BxcYsO1Fch9M0jO1EVS3wDJkbseUs9uIzl6Xs1wbvgrIzDe1qKWdLTt5hLexcsYAcsNDygV4IOpJX+D+yqsRY1BKKbKyBUhEfe7dtbyljM5skfEVjDRpmcPyjoer2/rTVf/Z+DLXgL7kYi0hjrAjeVMaeHx3HJcEYmuVuDsilmjcXeArNB/mvL9wbq8FHWiiGpjNKFlHXUaQFfejGJlIwDT5Zb4GuEpLLYJNt0fUi3zBHtq3/YRk560r0Rw4NjjsBfiUddoY2HbRR7miQub6FQ6NJqTZdezvHn2AX3ggb58OpQZw+qPuL4+/QBCDmIV5p7W1FbdaGnb5+5rEva5qidAErvWfWqaJgtCqbHSCgtF3zbEJFppaPS/ukluEjaXfx24d4NkxVilFWlyaMcTdP6OwLrfnZhf1unmv3QqeNHvcp/bNbVwQqQGLDffCMK5j1X7k4m3mchm09C6C7ZUr7p851y7nouNbWxlEI1DCJ0tPARj8KPvYs/j8nr7Hj4KZO4aCQRM8xbWaGO9hiZNm8IAF5L20T24Icv1kWyDAQC2qretr9rzXdNnQtdbj7UJ+U4MlDffUBpPG9m/plRlyeRK3zR91yaJVxU8RpGrE2pn+h2zszMCbhqSMQuD0hFR7W5LYD4bJniVNaU9WempvfMJHicW7lpX0z38I/zA7eYf1ouOmSNDvS/2hPUAEGZGPuRlDQgc1XIVhFT2N2BvWMbA8pMazpWPXzMvjCwLrSmmfuUlApxA==
+    dustin.access-token: AgBqtl9wO0Xb2fbyBm7SJanNvCy1bpJyE83nZQpNIpOoNLkBmi3lkBHYRiEpF71lhcd24cdv2f8BWfjoxXe31smzzAoHHGR7vfPyjI2ufXHs5R5lHu/bmC/8Xbp6XaKHV7KhqdsIuPkbZmZGdRccoQAwUWQzjMqVgu7s9pDDKl+XV0bBgFs+LejF0e+PEEyXCSaF8nWy34MWKGW3SgsXlk4QPqJ426DA1TRwsEVsIWBGeqPAAXorDPk4FDmmpELg/jHbrISHSjiFneL3E9bogoPgPBX51XUjU6dupq2XJ1pK70SFMT/AnqgUtGYRyDpJCLe6yEp/IPAXHBgwkWNt+qT+LagY1/3Y+2lvct47N/+jWuqw0aPbpciZjswiO8Q7zGJsGTYKrf1NWNwuruYb4kyNbRPJclnQN+QsQEfVYHugtDClDxbOAj1zJM9kG6t9H5mwAr9lsCrs1Oqc6xFLMMmzjWnOaauwAepVVseJCTz1fkS/VKMDW6WRu1H6DUbmBqaHpA6mgL+CDg2xFeZrqdkYKPKWPjo+y1KDfHDiwxqJ63NDdqQvBFrJg0UrRAetAbCeNlCgZJwWmgTh149MJrxGGb4pgxC7rd+AC0qLs9druzyLbHTJkn0JIySy9NuRNGJmrr3WBOUteOT8el+yEg2X37k6Eif7ABBrnibtdUXd+feaVp9pkMIxBM8fyrneNAyX6cpjQ9cwKNEq85VWfu6569x6ZhJAr1lOXUWGc12mdg7ELWoTBkrt0dCjlLzOO+NvP4wOn3Nk0nszs0lP+xpD2etjfVLpIIhg2p/4nutxCU/ZV+JMIqzDOyFH/gJH3k1QW0VgbseLSmE2tQE33ImFCDc2/7NgkHltMl2FYSglVWr9R5s0nlz3u1/wrGHoF2tok5v/aE1ZYPZh4Gcr9KBzxx5uGdy/aUFTntYXLTJ4i2rMRzwKS7QXMycnsD9huHU2nwNDGWW1Hz66Aj0vysCRIZ4vSYPpMZ+Wu/Zxmkd8KoLE8yJ2Ii/0P6B/VvqFcLBokvG59iPjyPH/RVrDwn4CXelpYT1ojA8MFer0t9Gz5htZsgVVgcDQT4FLccjkFPbiyUou0O2cz3xUIUJrIC4YO6Iu57F1F8AzxxMrsS20VJbD8PkgATuMZos755Ze3k8J7nAXQKlBF50EQ65TYwnvyk+GK6yUtbdCn6Y/1aLYWj3CAROg60yokqiOPVT1gn113FmUvmPCWsKVpAjBvc1vJ8BQChCSYXJQaib75z+/zxN4+Celqxls4zLGJDUMNaXjI1Vf3J9vcGLwUUN1ZjofwJzbx3f3l7VqN3HSPw76jq6XNJbWIdxD0Q+KRjwyZf/uAoWDZULuFOZctOvCxIXCvbUX/6IdJNjIvENuvFY6mE9uyVaDWQGLkDIxGk40Cjyyjvwer96LDod70kg6Rh9vlWTl06UFFm1S6QxWbHB6tsU1SAooihiEeSp1QGyRI2YVRDJvNXoNd0Fbnw4xPI2tQHW++GJpdzeoBuHoDo9a6sDN+WBorQQdNukAJkVlhvprYH5qeLN1ealaDehPv0baECHGKp92kSRpgT9lfoztkOsICruT+b6iDpNU8HejkRH8iB+OZJEADdCDdxX17HKxXi4Sd9c1F5/s9VtSSC3lH11V9mSlnSlgEu6omgnXs1VsmSy4+nvSUSECMFdYK4rgDlyqilyRFKmt6n/g3VchjvFmuWkHTzV1itrAL/51OHwcK79prQVeVD8r3M6U5ap2+hKEdo3blayP9wm/4eeJn2O2S/E0uVKqKWCWpYlQw4TYjO7owAVWuAtaDRn48ZrBqnnvGjn1unlb6OUDTjRmxM9PCWUGSK/T0ouEzErPg9vjYhrVPf3eaJRQ5OrhKZ2YMfYvSUXBGo7fKbegzTzqdCXWQ/a0WiHCxmC4ua5g+h03mtNFU9bu8anSa3p04a1cqZbXZ1s4dMpQStGaLc6p3n3ZtEuleJG7oYhdn9Ys8Ukw1ScQTZ14bjzTm5rZLEMJvdZRPQ==
     tabitha.access-token: AgAvnbZFQl98pnAdjAQMRBrUl54L4hE8meGr4lOP0Ah/O3/xyYi9gHJTOmCibxZH/OGo90KFcOjHplosAAVIvaU5Byp7EkxkWySG+XWu5eEvijxsoEXkmuD5ET9BK5Z5rPzCLG+Dodp7VfwuKETk9te++1UGcfG6rAy5wyqnPSC9mns2xhlb0GLvq1QQdMfrQbEFiOtX5jRcN2Rq57nERlDrpyXkkmpQHh8Qn68qH/Cn2zy6GP6wAxIMEOI4TqZ0Ct0UB+p4Vm0ZYOq4A4ruZTSc61PUfD6BfMH7MswO7dArkfKr0b4s8/rPx1cuJcNVE5ZK1JoiYtAY9+36L5aqYjdNWEWj6b5fmG2QjoAEZ+nynLaYyipFlkkPAjcBMifXe5hK3r7urdPYtBGv/rpHC20dTnNQQqonGdJHkYpXN3rqPImc7XBZWjDUzP2wptzV3PigFfuQdcM+JNUAPLHXK6H1CTNGLNd4pyxXkZc33nvCtUICANtDzbNDqBrzAdrMmnBiySlhQuig/iVgql6/2HFKlo5Uf77Kwhu/V4opkVVfbKpfrLQeZaY+UaQi9N0IyhC0VMgzQ3Lr8P7nEYYc4zfrQlyZGlqW9qLt86Jtj359yZk3L0eGzkq/zKVgw4sOSTt+wmR4ZTBo4OVJelolx9ctPC6MWbW7HCBQhViGNBDb0Sh7OzWy13D6xy8+5t+85XiaW6fGstque62Bteo1nywds7WnPXutyPyteCvQx5d5XGKdurjSzvm37ho3ianbDwpyC6zOVnba7mXbwYtdogevTO8TPjyj+Dm30I9ac4MzStLkziC0ZqKViwadhQZ+rNXwiwMdhbVUmAVOs+XsodTpfLTOKT3wJK4hZ5lHIX8GFxTsmChr6N7+lE4O6/BRczEdFOVKqeErGDVSj/pPnx9DVBUnLLnsXL4jPFEMZJmUht19wAFuH15VQTTSYDb/GL7Bq/ECwniqwkD+jd/fyMTLQSaxrs403b+bHpxAja687632Tvj9Ob2jsolSIWR7gYhqGh3PDqhS1yHU0DiA12t04AieW/NENd2KRnHIRI3eaZow6wzZRx28yeCO0ZqCaEFCZbtKjtvw9D7weist+UnX9MQFC+gbS0yu3wjrW61WpY04Ujsxwh4nKlbCVyhxMvXdx2xrcPkzgLi3ZumAIp028JteDHZBiVcGL4riVlM9VYp5JyL70G5ueUR1H18namVolyALkrM+dsanKdV7LRXc1fK0OODl0nMAGTV00koYFbkeIgVkObgmg5RNnxiE65f73SntI4PjJOem5E4VyBhIb5PFM7Ixxp/BOHI0dr1zITjNC8DyvQ37SYcjYwqCKS6rufBhQQUAq+xlwsX8zXAdPsu8W39+ei4EoFAdV9QpLH4zFvUdD9noimW+s9H3y+JQcJ070LzzvE6snHJdHCHvONuuQ0XFRjEf7Xf2ISZA6dt7i6J/040VTOcrf3JVpcxYdjPRhZZsM6Loti9tNVHWx1UzNZq6NrhnuFrNiYrWyf0wKaaMALwYT6e1KDOhgg0wWR5l18ia8GmtIZ78GQHRojlBWV+blpAM/cS5NHtgL3cRm+9Ep9/KGT2izxJ0gTyXH/DOIbA+NMM4wJT8SWweVbELvyey8br34oIbpv/gOX7C8Qh1h8IOuMPowsqt3IPPjPXyWp9bNLvtXlnFh95VptKW9cm5IR90ATFpzVE8CB04NMu2CYkxtbAuRLPZZWHwN39IeUluRQIEPqJEVhjWthyApJovfuagjcWMRVPbMJddRx+ubYwV1ikjwl8dH2ZT98bcJDN/6mbh3AimpIR2CKI43kNCHuVqLc6PGgwYG+d8w5CWfXk/2eFrCGhC9rWLjvEUiyb6DOM/R1kJt2eunlFr1EyxlvfJ33cdN3K6uQBpXZ6f73YnWXdkEQ2G20TFvizY2payccxo8GuxkSRSiWTlEM+zOZPm8ayF1Z8DKWKiRxNdZHxO0O8eNXR7+QfNMSerCpFb9abcfC/kP6Du9CgB4Q==
     autoimport.secret: AgAUiScErUsHx0VMhOPaN+onfVz9cm1l00x06713HK4UT/h6Ih/4UcATvXayOsKSVTEzzucNkIaGIgrSG/7RWpo1ZMgqkyjmQI9URUE07yVnckZWWt+JqGTmCS7qp2KLD3eC+VAHuz1/3O3xv5fSW0G1zVJ4pJzaOjyAtWYK59qjL0Mjmcx86Vx6FamNgtcibX5kxO06G2ENeHkYLODeNbdCOwc1p7Uoet9E7zZao958/griN7sx7EmruTu1TLv8UbyJP4/gPlKingX8U6B6QRWeI0L4FkTamrtD3AiTTJnbZ5Gl+o3zbrGc7yxA1gPWqVfi12qwjESQprUQxMVpp6GGtBtCjXNX5Ne0f4y79wP+YRpT2jUdUxi6qdKcw4v018CrEvobSLigBkEYLCVMAmvL0wiZlFosp3MfOd33KBtCQrhoyhJCbJmcS0mEqW5KO66T0Ajqtsc71hGS9LqS5X9mKZHvMLHAM28B4E2MfNnJxABOCBC3Vu+j6nku3qtYkCZl1uk2wF2V5srl8wTuX7a86vDsVJGjBwMT8wXquoIvln+ywkxqAGR0smRYp5xcOZaJ2UfXpodY6+97Quuv9lv4lEwkqzTvieoH3Blw2rV6/Eqjj+1DV+eZX7O3VakDMDV1IWadvRmJjaUmD6z4EChNgNTcOXfAgOpmBa+5uEUH113vZDEM9QWrnz6fDl0kMf6AWDg4jpv9J7qurG927e3iZPXZszYS4CY9ZbMuFNHXsA==
   template:

fleetlock/fleetlock.yaml

@@ -1,78 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: fleetlock
-  labels:
-    app.kubernetes.io/name: fleetlock
-    app.kubernetes.io/component: fleetlock
-    app.kubernetes.io/part-of: fleetlock
-spec:
-  type: ClusterIP
-  selector:
-    app.kubernetes.io/name: fleetlock
-    app.kubernetes.io/component: fleetlock
-  ports:
-  - name: http
-    port: 80
-    targetPort: 8080
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: fleetlock
-  labels:
-    app.kubernetes.io/name: fleetlock
-    app.kubernetes.io/component: fleetlock
-    app.kubernetes.io/part-of: fleetlock
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: fleetlock
-      app.kubernetes.io/component: fleetlock
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: fleetlock
-        app.kubernetes.io/component: fleetlock
-        app.kubernetes.io/part-of: fleetlock
-    spec:
-      serviceAccountName: fleetlock
-      containers:
-      - name: fleetlock
-        image: quay.io/poseidon/fleetlock:v0.4.0
-        env:
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        ports:
-        - name: http
-          containerPort: 8080
-        readinessProbe: &probe
-          httpGet:
-            port: 8080
-            path: /-/healthy
-          periodSeconds: 60
-          timeoutSeconds: 5
-          failureThreshold: 3
-          successThreshold: 1
-        startupProbe:
-          <<: *probe
-          periodSeconds: 1
-          timeoutSeconds: 1
-          failureThreshold: 30
-        resources:
-          requests:
-            cpu: 30m
-            memory: 30Mi
-          limits:
-            cpu: 50m
-            memory: 50Mi
-        securityContext:
-          readOnlyRootFilesystem: true
-      securityContext:
-        runAsUser: 842
-        runAsGroup: 842
-        runAsNonRoot: true

fleetlock/kustomization.yaml

@@ -1,26 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: fleetlock
-
-labels:
-- pairs:
-    app.kubernetes.io/instance: fleetlock
-
-resources:
-- rbac.yaml
-- fleetlock.yaml
-
-patches:
-- patch: |
-    apiVersion: v1
-    kind: Service
-    metadata:
-      name: fleetlock
-    spec:
-      clusterIP: 10.96.1.15
-
-images:
-- name: quay.io/poseidon/fleetlock
-  newName: git.pyrocufflink.net/containerimages/fleetlock
-  newTag: vadimberezniker-wait_evictions

fleetlock/namespace.yaml

@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: fleetlock
-  labels:
-    app.kubernetes.io/name: fleetlock
-    app.kubernetes.io/component: fleetlock

fleetlock/rbac.yaml

@@ -1,92 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: fleetlock
-  labels:
-    app.kubernetes.io/name: fleetlock
-    app.kubernetes.io/component: fleetlock
-    app.kubernetes.io/part-of: fleetlock
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: fleetlock
-  labels:
-    app.kubernetes.io/name: fleetlock
-    app.kubernetes.io/component: fleetlock
-    app.kubernetes.io/part-of: fleetlock
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - nodes
-  verbs:
-  - list
-  - patch
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - pods/eviction
-  verbs:
-  - create
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: fleetlock
-  labels:
-    app.kubernetes.io/name: fleetlock
-    app.kubernetes.io/component: fleetlock
-    app.kubernetes.io/part-of: fleetlock
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: fleetlock
-subjects:
-- kind: ServiceAccount
-  name: fleetlock
-  namespace: default
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: fleetlock
-  labels:
-    app.kubernetes.io/name: fleetlock
-    app.kubernetes.io/component: fleetlock
-    app.kubernetes.io/part-of: fleetlock
-rules:
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - create
-  - get
-  - update
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: fleetlock
-  labels:
-    app.kubernetes.io/name: fleetlock
-    app.kubernetes.io/component: fleetlock
-    app.kubernetes.io/part-of: fleetlock
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: fleetlock
-subjects:
-- kind: ServiceAccount
-  name: fleetlock

grafana/.gitignore

@@ -1 +0,0 @@
-ldap.password

grafana/README.md

@@ -1,6 +0,0 @@
-# Grafana
-
-[Grafana][0] dashboards.  Straightforward, single-instance deployment with
-SQLite database (and thus a StatefulSet with a PersistentVolumeClaim).
-
-[0]: https://grafana.com/

grafana/datasources/loki.yml

@@ -1,14 +0,0 @@
-apiVersion: 1
-
-datasources:
-- name: Loki
-  type: loki
-  access: proxy
-  url: https://loki.pyrocufflink.blue
-  jsonData:
-    tlsAuth: true
-    tlsAuthWithCACert: true
-  secureJsonData:
-    tlsCACert: $__file{/run/dch-ca/dch-root-ca.crt}
-    tlsClientCert: $__file{/run/secrets/du5t1n.me/loki/tls.crt}
-    tlsClientKey: $__file{/run/secrets/du5t1n.me/loki/tls.key}

grafana/datasources/victoria-logs.yml

@@ -1,14 +0,0 @@
-apiVersion: 1
-
-datasources:
-- name: Victoria Logs
-  type: victoriametrics-logs-datasource
-  access: proxy
-  url: https://logs.pyrocufflink.blue
-  jsonData:
-    tlsAuth: true
-    tlsAuthWithCACert: true
-  secureJsonData:
-    tlsCACert: $__file{/run/dch-ca/dch-root-ca.crt}
-    tlsClientCert: $__file{/run/secrets/du5t1n.me/loki/tls.crt}
-    tlsClientKey: $__file{/run/secrets/du5t1n.me/loki/tls.key}

grafana/grafana.ini

@@ -1,824 +0,0 @@
-##################### Grafana Configuration Defaults #####################
-#
-# Do not modify this file in grafana installs
-#
-
-# possible values : production, development
-app_mode = production
-
-# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
-instance_name = ${HOSTNAME}
-
-#################################### Paths ###############################
-[paths]
-# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
-data = /var/lib/grafana
-
-# Temporary files in `data` directory older than given duration will be removed
-temp_data_lifetime = 24h
-
-# Directory where grafana can store logs
-logs = /var/log/grafana
-
-# Directory where grafana will automatically scan and look for plugins
-plugins = /var/lib/grafana/plugins
-
-# folder that contains provisioning config files that grafana will apply on startup and while running.
-provisioning = /etc/grafana/provisioning
-
-#################################### Server ##############################
-[server]
-# Protocol (http, https, h2, socket)
-protocol = http
-
-# The ip address to bind to, empty will bind to all interfaces
-http_addr =
-
-# The http port to use
-http_port = 3000
-
-# The public facing domain name used to access grafana from a browser
-domain = grafana.pyrocufflink.blue
-
-# Redirect to correct domain if host header does not match domain
-# Prevents DNS rebinding attacks
-enforce_domain = false
-
-# The full public facing url
-root_url = %(protocol)s://%(domain)s:%(http_port)s/
-
-# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
-serve_from_sub_path = false
-
-# Log web requests
-router_logging = false
-
-# the path relative working path
-static_root_path = public
-
-# enable gzip
-enable_gzip = false
-
-# https certs & key file
-cert_file =
-cert_key =
-
-# Unix socket path
-socket = /tmp/grafana.sock
-
-#################################### Database ############################
-[database]
-# You can configure the database connection by specifying type, host, name, user and password
-# as separate properties or as on string using the url property.
-
-# Either "mysql", "postgres" or "sqlite3", it's your choice
-type = sqlite3
-host = 127.0.0.1:3306
-name = grafana
-user = root
-# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
-password =
-# Use either URL or the previous fields to configure the database
-# Example: mysql://user:secret@host:port/database
-url =
-
-# Max idle conn setting default is 2
-max_idle_conn = 2
-
-# Max conn setting default is 0 (mean not set)
-max_open_conn =
-
-# Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
-conn_max_lifetime = 14400
-
-# Set to true to log the sql calls and execution times.
-log_queries =
-
-# For "postgres", use either "disable", "require" or "verify-full"
-# For "mysql", use either "true", "false", or "skip-verify".
-ssl_mode = disable
-
-ca_cert_path =
-client_key_path =
-client_cert_path =
-server_cert_name =
-
-# For "sqlite3" only, path relative to data_path setting
-path = grafana.db
-
-# For "sqlite3" only. cache mode setting used for connecting to the database
-cache_mode = private
-
-#################################### Cache server #############################
-[remote_cache]
-# Either "redis", "memcached" or "database" default is "database"
-type = database
-
-# cache connectionstring options
-# database: will use Grafana primary database.
-# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=0,ssl=false`. Only addr is required. ssl may be 'true', 'false', or 'insecure'.
-# memcache: 127.0.0.1:11211
-connstr =
-
-#################################### Data proxy ###########################
-[dataproxy]
-
-# This enables data proxy logging, default is false
-logging = false
-
-# How long the data proxy waits before timing out, default is 30 seconds.
-# This setting also applies to core backend HTTP data sources where query requests use an HTTP client with timeout set.
-timeout = 30
-
-# How many seconds the data proxy waits before sending a keepalive request.
-keep_alive_seconds = 30
-
-# How many seconds the data proxy waits for a successful TLS Handshake before timing out.
-tls_handshake_timeout_seconds = 10
-
-# How many seconds the data proxy will wait for a server's first response headers after
-# fully writing the request headers if the request has an "Expect: 100-continue"
-# header. A value of 0 will result in the body being sent immediately, without
-# waiting for the server to approve.
-expect_continue_timeout_seconds = 1
-
-# The maximum number of idle connections that Grafana will keep alive.
-max_idle_connections = 100
-
-# How many seconds the data proxy keeps an idle connection open before timing out.
-idle_conn_timeout_seconds = 90
-
-# If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request.
-send_user_header = true
-
-#################################### Analytics ###########################
-[analytics]
-# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
-# No ip addresses are being tracked, only simple counters to track
-# running instances, dashboard and error counts. It is very helpful to us.
-# Change this option to false to disable reporting.
-reporting_enabled = false
-
-# Set to false to disable all checks to https://grafana.com
-# for new versions (grafana itself and plugins), check is used
-# in some UI views to notify that grafana or plugin update exists
-# This option does not cause any auto updates, nor send any information
-# only a GET request to https://grafana.com to get latest versions
-check_for_updates = false
-
-# Google Analytics universal tracking code, only enabled if you specify an id here
-google_analytics_ua_id =
-
-# Google Tag Manager ID, only enabled if you specify an id here
-google_tag_manager_id =
-
-#################################### Security ############################
-[security]
-# disable creation of admin user on first start of grafana
-disable_initial_admin_creation = false
-
-# default admin user, created on startup
-admin_user = admin
-
-# default admin password, can be changed before first start of grafana, or in profile settings
-admin_password = admin
-
-# used for signing
-secret_key = SW2YcwTIb9zpOOhoPsMm
-
-# disable gravatar profile images
-disable_gravatar = false
-
-# data source proxy whitelist (ip_or_domain:port separated by spaces)
-data_source_proxy_whitelist =
-
-# disable protection against brute force login attempts
-disable_brute_force_login_protection = false
-
-# set to true if you host Grafana behind HTTPS. default is false.
-cookie_secure = false
-
-# set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict", "none" and "disabled"
-cookie_samesite = lax
-
-# set to true if you want to allow browsers to render Grafana in a <frame>, <iframe>, <embed> or <object>. default is false.
-allow_embedding = false
-
-# Set to true if you want to enable http strict transport security (HSTS) response header.
-# This is only sent when HTTPS is enabled in this configuration.
-# HSTS tells browsers that the site should only be accessed using HTTPS.
-strict_transport_security = false
-
-# Sets how long a browser should cache HSTS. Only applied if strict_transport_security is enabled.
-strict_transport_security_max_age_seconds = 86400
-
-# Set to true if to enable HSTS preloading option. Only applied if strict_transport_security is enabled.
-strict_transport_security_preload = false
-
-# Set to true if to enable the HSTS includeSubDomains option. Only applied if strict_transport_security is enabled.
-strict_transport_security_subdomains = false
-
-# Set to true to enable the X-Content-Type-Options response header.
-# The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised
-# in the Content-Type headers should not be changed and be followed.
-x_content_type_options = true
-
-# Set to true to enable the X-XSS-Protection header, which tells browsers to stop pages from loading
-# when they detect reflected cross-site scripting (XSS) attacks.
-x_xss_protection = true
-
-
-#################################### Snapshots ###########################
-[snapshots]
-# snapshot sharing options
-external_enabled = false
-external_snapshot_url = https://snapshots-origin.raintank.io
-external_snapshot_name = Publish to snapshot.raintank.io
-
-# Set to true to enable this Grafana instance act as an external snapshot server and allow unauthenticated requests for
-# creating and deleting snapshots.
-public_mode = false
-
-# remove expired snapshot
-snapshot_remove_expired = true
-
-#################################### Dashboards ##################
-
-[dashboards]
-# Number dashboard versions to keep (per dashboard). Default: 20, Minimum: 1
-versions_to_keep = 20
-
-# Minimum dashboard refresh interval. When set, this will restrict users to set the refresh interval of a dashboard lower than given interval. Per default this is 5 seconds.
-# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
-min_refresh_interval = 1s
-
-# Path to the default home dashboard. If this value is empty, then Grafana uses StaticRootPath + "dashboards/home.json"
-default_home_dashboard_path =
-
-#################################### Users ###############################
-[users]
-# disable user signup / registration
-allow_sign_up = false
-
-# Allow non admin users to create organizations
-allow_org_create = false
-
-# Set to true to automatically assign new users to the default organization (id 1)
-auto_assign_org = true
-
-# Set this value to automatically add new users to the provided organization (if auto_assign_org above is set to true)
-auto_assign_org_id = 1
-
-# Default role new users will be automatically assigned (if auto_assign_org above is set to true)
-auto_assign_org_role = Viewer
-
-# Require email validation before sign up completes
-verify_email_enabled = false
-
-# Background text for the user field on the login page
-login_hint = email or username
-password_hint = password
-
-# Default UI theme ("dark" or "light")
-default_theme = dark
-
-# External user management
-external_manage_link_url =
-external_manage_link_name =
-external_manage_info =
-
-# Viewers can edit/inspect dashboard settings in the browser. But not save the dashboard.
-viewers_can_edit = false
-
-# Editors can administrate dashboard, folders and teams they create
-editors_can_admin = false
-
-# The duration in time a user invitation remains valid before expiring. This setting should be expressed as a duration. Examples: 6h (hours), 2d (days), 1w (week). Default is 24h (24 hours). The minimum supported duration is 15m (15 minutes).
-user_invite_max_lifetime_duration = 24h
-
-[auth]
-# Login cookie name
-login_cookie_name = grafana_session
-
-# The maximum lifetime (duration) an authenticated user can be inactive before being required to login at next visit. Default is 7 days (7d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month). The lifetime resets at each successful token rotation (token_rotation_interval_minutes).
-login_maximum_inactive_lifetime_duration =
-
-# The maximum lifetime (duration) an authenticated user can be logged in since login time before being required to login. Default is 30 days (30d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month).
-login_maximum_lifetime_duration =
-
-# How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.
-token_rotation_interval_minutes = 10
-
-# Set to true to disable (hide) the login form, useful if you use OAuth
-disable_login_form = false
-
-# Set to true to disable the signout link in the side menu. useful if you use auth.proxy
-disable_signout_menu = false
-
-# URL to redirect the user to after sign out
-signout_redirect_url =
-
-# Set to true to attempt login with OAuth automatically, skipping the login screen.
-# This setting is ignored if multiple OAuth providers are configured.
-oauth_auto_login = false
-
-# OAuth state max age cookie duration in seconds. Defaults to 600 seconds.
-oauth_state_cookie_max_age = 600
-
-# limit of api_key seconds to live before expiration
-api_key_max_seconds_to_live = -1
-
-# Set to true to enable SigV4 authentication option for HTTP-based datasources
-sigv4_auth_enabled = false
-
-#################################### Anonymous Auth ######################
-[auth.anonymous]
-# enable anonymous access
-enabled = true
-
-# specify organization name that should be used for unauthenticated users
-org_name = Main Org.
-
-# specify role for unauthenticated users
-org_role = Viewer
-
-# mask the Grafana version number for unauthenticated users
-hide_version = false
-
-#################################### GitHub Auth #########################
-[auth.github]
-enabled = false
-allow_sign_up = true
-client_id = some_id
-client_secret =
-scopes = user:email,read:org
-auth_url = https://github.com/login/oauth/authorize
-token_url = https://github.com/login/oauth/access_token
-api_url = https://api.github.com/user
-allowed_domains =
-team_ids =
-allowed_organizations =
-
-#################################### GitLab Auth #########################
-[auth.gitlab]
-enabled = false
-allow_sign_up = true
-client_id = some_id
-client_secret =
-scopes = api
-auth_url = https://gitlab.com/oauth/authorize
-token_url = https://gitlab.com/oauth/token
-api_url = https://gitlab.com/api/v4
-allowed_domains =
-allowed_groups =
-
-#################################### Google Auth #########################
-[auth.google]
-enabled = false
-allow_sign_up = true
-client_id = some_client_id
-client_secret =
-scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
-auth_url = https://accounts.google.com/o/oauth2/auth
-token_url = https://accounts.google.com/o/oauth2/token
-api_url = https://www.googleapis.com/oauth2/v1/userinfo
-allowed_domains =
-hosted_domain =
-
-#################################### Grafana.com Auth ####################
-# legacy key names (so they work in env variables)
-[auth.grafananet]
-enabled = false
-allow_sign_up = true
-client_id = some_id
-client_secret =
-scopes = user:email
-allowed_organizations =
-
-[auth.grafana_com]
-enabled = false
-allow_sign_up = true
-client_id = some_id
-client_secret =
-scopes = user:email
-allowed_organizations =
-
-#################################### Azure AD OAuth #######################
-[auth.azuread]
-name = Azure AD
-enabled = false
-allow_sign_up = true
-client_id = some_client_id
-client_secret =
-scopes = openid email profile
-auth_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
-token_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
-allowed_domains =
-allowed_groups =
-
-#################################### Okta OAuth #######################
-[auth.okta]
-name = Okta
-enabled = false
-allow_sign_up = true
-client_id = some_id
-client_secret =
-scopes = openid profile email groups
-auth_url = https://<tenant-id>.okta.com/oauth2/v1/authorize
-token_url = https://<tenant-id>.okta.com/oauth2/v1/token
-api_url = https://<tenant-id>.okta.com/oauth2/v1/userinfo
-allowed_domains =
-allowed_groups =
-role_attribute_path =
-
-#################################### Generic OAuth #######################
-[auth.generic_oauth]
-name = OAuth
-enabled = false
-allow_sign_up = true
-client_id = some_id
-client_secret =
-scopes = user:email
-email_attribute_name = email:primary
-email_attribute_path =
-login_attribute_path =
-role_attribute_path =
-id_token_attribute_name =
-auth_url =
-token_url =
-api_url =
-allowed_domains =
-team_ids =
-allowed_organizations =
-tls_skip_verify_insecure = false
-tls_client_cert =
-tls_client_key =
-tls_client_ca =
-
-#################################### Basic Auth ##########################
-[auth.basic]
-enabled = true
-
-#################################### Auth Proxy ##########################
-[auth.proxy]
-enabled = false
-header_name = X-WEBAUTH-USER
-header_property = username
-auto_sign_up = true
-# Deprecated, use sync_ttl instead
-ldap_sync_ttl = 60
-sync_ttl = 60
-whitelist =
-headers =
-enable_login_token = false
-
-#################################### Auth LDAP ###########################
-[auth.ldap]
-enabled = true
-config_file = /etc/grafana/ldap.toml
-allow_sign_up = false
-
-# LDAP backround sync (Enterprise only)
-# At 1 am every day
-sync_cron = "0 0 1 * * *"
-active_sync_enabled = false
-
-#################################### SMTP / Emailing #####################
-[smtp]
-enabled = false
-host = localhost:25
-user =
-# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
-password =
-cert_file =
-key_file =
-skip_verify = false
-from_address = admin@grafana.localhost
-from_name = Grafana
-ehlo_identity =
-startTLS_policy =
-
-[emails]
-welcome_email_on_sign_up = false
-templates_pattern = emails/*.html
-
-#################################### Logging ##########################
-[log]
-# Either "console", "file", "syslog". Default is console and file
-# Use space to separate multiple modes, e.g. "console file"
-mode = console
-
-# Either "debug", "info", "warn", "error", "critical", default is "info"
-level = info
-
-# optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
-filters =
-
-# For "console" mode only
-[log.console]
-level =
-
-# log line format, valid options are text, console and json
-format = console
-
-# For "file" mode only
-[log.file]
-level =
-
-# log line format, valid options are text, console and json
-format = text
-
-# This enables automated log rotate(switch of following options), default is true
-log_rotate = true
-
-# Max line number of single file, default is 1000000
-max_lines = 1000000
-
-# Max size shift of single file, default is 28 means 1 << 28, 256MB
-max_size_shift = 28
-
-# Segment log daily, default is true
-daily_rotate = true
-
-# Expired days of log file(delete after max days), default is 7
-max_days = 7
-
-[log.syslog]
-level =
-
-# log line format, valid options are text, console and json
-format = text
-
-# Syslog network type and address. This can be udp, tcp, or unix. If left blank, the default unix endpoints will be used.
-network =
-address =
-
-# Syslog facility. user, daemon and local0 through local7 are valid.
-facility =
-
-# Syslog tag. By default, the process' argv[0] is used.
-tag =
-
-#################################### Usage Quotas ########################
-[quota]
-enabled = false
-
-#### set quotas to -1 to make unlimited. ####
-# limit number of users per Org.
-org_user = 10
-
-# limit number of dashboards per Org.
-org_dashboard = 100
-
-# limit number of data_sources per Org.
-org_data_source = 10
-
-# limit number of api_keys per Org.
-org_api_key = 10
-
-# limit number of orgs a user can create.
-user_org = 10
-
-# Global limit of users.
-global_user = -1
-
-# global limit of orgs.
-global_org = -1
-
-# global limit of dashboards
-global_dashboard = -1
-
-# global limit of api_keys
-global_api_key = -1
-
-# global limit on number of logged in users.
-global_session = -1
-
-#################################### Annotations #########################
-
-[annotations.dashboard]
-# Dashboard annotations means that annotations are associated with the dashboard they are created on.
-
-# Configures how long dashboard annotations are stored. Default is 0, which keeps them forever.
-# This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).
-max_age =
-
-# Configures max number of dashboard annotations that Grafana stores. Default value is 0, which keeps all dashboard annotations.
-max_annotations_to_keep =
-
-[annotations.api]
-# API annotations means that the annotations have been created using the API without any
-# association with a dashboard.
-
-# Configures how long Grafana stores API annotations. Default is 0, which keeps them forever.
-# This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).
-max_age =
-
-# Configures max number of API annotations that Grafana keeps. Default value is 0, which keeps all API annotations.
-max_annotations_to_keep =
-
-#################################### Explore #############################
-[explore]
-# Enable the Explore section
-enabled = true
-
-#################################### Internal Grafana Metrics ############
-# Metrics available at HTTP API Url /metrics
-[metrics]
-enabled              = true
-interval_seconds     = 10
-# Disable total stats (stat_totals_*) metrics to be generated
-disable_total_stats = false
-
-#If both are set, basic auth will be required for the metrics endpoint.
-basic_auth_username =
-basic_auth_password =
-
-# Metrics environment info adds dimensions to the `grafana_environment_info` metric, which
-# can expose more information about the Grafana instance.
-[metrics.environment_info]
-#exampleLabel1 = exampleValue1
-#exampleLabel2 = exampleValue2
-
-# Send internal Grafana metrics to graphite
-[metrics.graphite]
-# Enable by setting the address setting (ex localhost:2003)
-address =
-prefix = prod.grafana.%(instance_name)s.
-
-#################################### Grafana.com integration  ##########################
-[grafana_net]
-url = https://grafana.com
-
-[grafana_com]
-url = https://grafana.com
-
-#################################### Distributed tracing ############
-[tracing.jaeger]
-# jaeger destination (ex localhost:6831)
-address =
-# tag that will always be included in when creating new spans. ex (tag1:value1,tag2:value2)
-always_included_tag =
-# Type specifies the type of the sampler: const, probabilistic, rateLimiting, or remote
-sampler_type = const
-# jaeger samplerconfig param
-# for "const" sampler, 0 or 1 for always false/true respectively
-# for "probabilistic" sampler, a probability between 0 and 1
-# for "rateLimiting" sampler, the number of spans per second
-# for "remote" sampler, param is the same as for "probabilistic"
-# and indicates the initial sampling rate before the actual one
-# is received from the mothership
-sampler_param = 1
-# sampling_server_url is the URL of a sampling manager providing a sampling strategy.
-sampling_server_url =
-# Whether or not to use Zipkin span propagation (x-b3- HTTP headers).
-zipkin_propagation = false
-# Setting this to true disables shared RPC spans.
-# Not disabling is the most common setting when using Zipkin elsewhere in your infrastructure.
-disable_shared_zipkin_spans = false
-
-#################################### External Image Storage ##############
-[external_image_storage]
-# Used for uploading images to public servers so they can be included in slack/email messages.
-# You can choose between (s3, webdav, gcs, azure_blob, local)
-provider =
-
-[external_image_storage.s3]
-endpoint =
-path_style_access =
-bucket_url =
-bucket =
-region =
-path =
-access_key =
-secret_key =
-
-[external_image_storage.webdav]
-url =
-username =
-password =
-public_url =
-
-[external_image_storage.gcs]
-key_file =
-bucket =
-path =
-enable_signed_urls = false
-signed_url_expiration =
-
-[external_image_storage.azure_blob]
-account_name =
-account_key =
-container_name =
-
-[external_image_storage.local]
-# does not require any configuration
-
-[rendering]
-# Options to configure a remote HTTP image rendering service, e.g. using https://github.com/grafana/grafana-image-renderer.
-# URL to a remote HTTP image renderer service, e.g. http://localhost:8081/render, will enable Grafana to render panels and dashboards to PNG-images using HTTP requests to an external service.
-server_url =
-# If the remote HTTP image renderer service runs on a different server than the Grafana server you may have to configure this to a URL where Grafana is reachable, e.g. http://grafana.domain/.
-callback_url =
-# Concurrent render request limit affects when the /render HTTP endpoint is used. Rendering many images at the same time can overload the server,
-# which this setting can help protect against by only allowing a certain amount of concurrent requests.
-concurrent_render_request_limit = 30
-
-[panels]
-# here for to support old env variables, can remove after a few months
-enable_alpha = false
-disable_sanitize_html = false
-
-[plugins]
-enable_alpha = false
-app_tls_skip_verify_insecure = false
-# Enter a comma-separated list of plugin identifiers to identify plugins that are allowed to be loaded even if they lack a valid signature.
-allow_loading_unsigned_plugins = pcp-redis-datasource
-marketplace_url = https://grafana.com/grafana/plugins/
-
-#################################### Grafana Image Renderer Plugin ##########################
-[plugin.grafana-image-renderer]
-# Instruct headless browser instance to use a default timezone when not provided by Grafana, e.g. when rendering panel image of alert.
-# See ICU’s metaZones.txt (https://cs.chromium.org/chromium/src/third_party/icu/source/data/misc/metaZones.txt) for a list of supported
-# timezone IDs. Fallbacks to TZ environment variable if not set.
-rendering_timezone =
-
-# Instruct headless browser instance to use a default language when not provided by Grafana, e.g. when rendering panel image of alert.
-# Please refer to the HTTP header Accept-Language to understand how to format this value, e.g. 'fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5'.
-rendering_language =
-
-# Instruct headless browser instance to use a default device scale factor when not provided by Grafana, e.g. when rendering panel image of alert.
-# Default is 1. Using a higher value will produce more detailed images (higher DPI), but will require more disk space to store an image.
-rendering_viewport_device_scale_factor =
-
-# Instruct headless browser instance whether to ignore HTTPS errors during navigation. Per default HTTPS errors are not ignored. Due to
-# the security risk it's not recommended to ignore HTTPS errors.
-rendering_ignore_https_errors =
-
-# Instruct headless browser instance whether to capture and log verbose information when rendering an image. Default is false and will
-# only capture and log error messages. When enabled, debug messages are captured and logged as well.
-# For the verbose information to be included in the Grafana server log you have to adjust the rendering log level to debug, configure
-# [log].filter = rendering:debug.
-rendering_verbose_logging =
-
-# Instruct headless browser instance whether to output its debug and error messages into running process of remote rendering service.
-# Default is false. This can be useful to enable (true) when troubleshooting.
-rendering_dumpio =
-
-# Additional arguments to pass to the headless browser instance. Default is --no-sandbox. The list of Chromium flags can be found
-# here (https://peter.sh/experiments/chromium-command-line-switches/). Multiple arguments is separated with comma-character.
-rendering_args =
-
-# You can configure the plugin to use a different browser binary instead of the pre-packaged version of Chromium.
-# Please note that this is not recommended, since you may encounter problems if the installed version of Chrome/Chromium is not
-# compatible with the plugin.
-rendering_chrome_bin =
-
-# Instruct how headless browser instances are created. Default is 'default' and will create a new browser instance on each request.
-# Mode 'clustered' will make sure that only a maximum of browsers/incognito pages can execute concurrently.
-# Mode 'reusable' will have one browser instance and will create a new incognito page on each request.
-rendering_mode =
-
-# When rendering_mode = clustered you can instruct how many browsers or incognito pages can execute concurrently. Default is 'browser'
-# and will cluster using browser instances.
-# Mode 'context' will cluster using incognito pages.
-rendering_clustering_mode =
-# When rendering_mode = clustered you can define maximum number of browser instances/incognito pages that can execute concurrently..
-rendering_clustering_max_concurrency =
-
-# Limit the maximum viewport width, height and device scale factor that can be requested.
-rendering_viewport_max_width =
-rendering_viewport_max_height =
-rendering_viewport_max_device_scale_factor =
-
-# Change the listening host and port of the gRPC server. Default host is 127.0.0.1 and default port is 0 and will automatically assign
-# a port not in use.
-grpc_host =
-grpc_port =
-
-[enterprise]
-license_path =
-
-[feature_toggles]
-# enable features, separated by spaces
-enable =
-
-[date_formats]
-# For information on what formatting patterns that are supported https://momentjs.com/docs/#/displaying/
-
-# Default system date format used in time range picker and other places where full time is displayed
-full_date = YYYY-MM-DD HH:mm:ss
-
-# Used by graph and other places where we only show small intervals
-interval_second = HH:mm:ss
-interval_minute = HH:mm
-interval_hour = MM/DD HH:mm
-interval_day = MM/DD
-interval_month = YYYY-MM
-interval_year = YYYY
-
-# Experimental feature
-use_browser_locale = false
-
-# Default timezone for user preferences. Options are 'browser' for the browser local timezone or a timezone name from IANA Time Zone database, e.g. 'UTC' or 'Europe/Amsterdam' etc.
-default_timezone = browser

grafana/grafana.yaml

@@ -1,106 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: grafana
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/component: grafana
-spec:
-  accessModes:
-  - ReadWriteMany
-  resources:
-    requests:
-      storage: 1Gi
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: grafana
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/component: grafana
-spec:
-  ports:
-  - port: 3000
-    name: grafana
-  selector:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/component: grafana
-  clusterIP: None
-
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: grafana
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/component: grafana
-spec:
-  serviceName: grafana
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: grafana
-      app.kubernetes.io/component: grafana
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: grafana
-        app.kubernetes.io/component: grafana
-    spec:
-      containers:
-      - name: grafana
-        image: docker.io/grafana/grafana:10.2.3
-        ports:
-        - containerPort: 3000
-          name: http
-        readinessProbe: &probe
-          httpGet:
-            port: http
-            path: /api/health
-          periodSeconds: 60
-        startupProbe:
-          <<: *probe
-          periodSeconds: 1
-          successThreshold: 1
-          failureThreshold: 30
-          timeoutSeconds: 1
-        securityContext:
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-        volumeMounts:
-        - mountPath: /etc/grafana
-          name: config
-          readOnly: true
-        - mountPath: /etc/grafana/provisioning/datasources
-          name: datasources
-          readOnly: true
-        - mountPath: /tmp
-          name: tmp
-        - mountPath: /run/secrets/grafana
-          name: secrets
-          readOnly: true
-        - mountPath: /var/lib/grafana
-          name: grafana
-          subPath: data
-      securityContext:
-        fsGroup: 472
-        runAsNonRoot: true
-      volumes:
-      - name: config
-        configMap:
-          name: grafana
-      - name: datasources
-        configMap:
-          name: datasources
-          optional: true
-      - name: grafana
-        persistentVolumeClaim:
-          claimName: grafana
-      - name: tmp
-        emptyDir:
-          medium: Memory
-      - name: secrets
-        secret:
-          secretName: grafana

grafana/ingress.yaml

@@ -1,19 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: grafana
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/component: grafana
-spec:
-  rules:
-  - host: grafana.pyrocufflink.blue
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: grafana
-            port:
-              name: grafana

grafana/kustomization.yaml

@@ -1,61 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: grafana
-
-labels:
-- pairs:
-    app.kubernetes.io/instance: grafana
-  includeSelectors: true
-- pairs:
-    app.kubernetes.io/part-of: grafana
-  includeSelectors: false
-
-resources:
-- namespace.yaml
-- grafana.yaml
-- ingress.yaml
-- secrets.yaml
-- loki-cert.yaml
-- ../dch-root-ca
-
-configMapGenerator:
-- name: grafana
-  files:
-  - grafana.ini
-  - ldap.toml
-
-- name: datasources
-  files:
-  - datasources/loki.yml
-  - datasources/victoria-logs.yml
-
-patches:
-- patch: |-
-    apiVersion: apps/v1
-    kind: StatefulSet
-    metadata:
-      name: grafana
-    spec:
-      template:
-        spec:
-          containers:
-          - name: grafana
-            volumeMounts:
-            - mountPath: /run/dch-ca
-              name: dch-ca
-              readOnly: true
-            - mountPath: /run/secrets/du5t1n.me/loki
-              name: loki-client-cert
-              readOnly: true
-          volumes:
-          - name: dch-ca
-            configMap:
-              name: dch-root-ca
-          - name: loki-client-cert
-            secret:
-              secretName: loki-client-cert
-
-images:
-- name: docker.io/grafana/grafana
-  newTag: 11.5.5

grafana/ldap.toml

@@ -1,55 +0,0 @@
-# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
-# [log]
-# filters = ldap:debug
-
-[[servers]]
-# Ldap server host (specify multiple hosts space separated)
-host = "pyrocufflink.blue"
-# Default port is 389 or 636 if use_ssl = true
-port = 389
-# Set to true if ldap server supports TLS
-use_ssl = true
-# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
-start_tls = true
-# set to true if you want to skip ssl cert validation
-ssl_skip_verify = false
-# set to the path to your root CA certificate or leave unset to use system defaults
-root_ca_cert = "/run/dch-ca/dch-root-ca.crt"
-# Authentication against LDAP servers requiring client certificates
-# client_cert = "/path/to/client.crt"
-# client_key = "/path/to/client.key"
-
-# Search user bind dn
-bind_dn = "CN=svc.grafana,CN=Users,DC=pyrocufflink,DC=blue"
-# Search user bind password
-# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
-bind_password = '$__file{/run/secrets/grafana/ldap.password}'
-
-# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
-search_filter = "(sAMAccountName=%s)"
-
-# An array of base dns to search through
-search_base_dns = ["DC=pyrocufflink,DC=blue"]
-
-## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
-## Please check grafana LDAP docs for examples
-# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
-# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
-# group_search_filter_user_attribute = "uid"
-
-# Specify names of the ldap attributes your ldap uses
-[servers.attributes]
-name = "givenName"
-surname = "sn"
-username = "sAMAccountName"
-member_of = "memberOf"
-email =  "mail"
-
-# Map ldap groups to grafana org roles
-[[servers.group_mappings]]
-group_dn = "CN=Grafana Admins,CN=Users,DC=pyrocufflink,DC=blue"
-org_role = "Admin"
-grafana_admin = true
-[[servers.group_mappings]]
-group_dn = "*"
-org_role = "Viewer"

grafana/loki-cert.yaml

@@ -1,12 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: loki-client-cert
-spec:
-  commonName: grafana
-  privateKey:
-    algorithm: Ed25519
-  secretName: loki-client-cert
-  issuerRef:
-    name: loki-ca
-    kind: ClusterIssuer

grafana/namespace.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: grafana
-  labels:
-    app.kubernetes.io/name: grafana

grafana/secrets.yaml

@@ -1,18 +0,0 @@
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: grafana
-  namespace: grafana
-  labels:
-    app.kubernetes.io/name: grafana
-    app.kubernetes.io/component: grafana
-spec:
-  encryptedData:
-    ldap.password: AgAPlAsgFK6eKUGeHJymXHgSXbXaKm8uoFwmSgGV0RnXdzhQwKgd67XlXjuN3UHQL6LL6kAz44qiN7C4E21ZZ+WgFfs7CrLGAh1mQ713OH5W9j9CdpH5QdxDdqgmOq2ZBleijKb/XWZdMW6kZZLK03SzjZk80FHR7YaWKnJOsvVj6QQS5ZAamp0sv4wnQnhK86uZvn6cbtIgjXU/bhGiibCh1Gj/c/2rr0aPHAD3NZy6HuLH43SJN2LAvVwL6BQYoxLJ7Af680+tdWnqoYNNHexKphUWvQlfEXYnvS1JXPBynHsFHxBD2xlU/sFnvqJPN6YCu9LXbzGGacZreJX5giKYt5mAuotpvsF/59QzVEW5U6l0f0felOPSeaBvfl8mHkq2ude5SuLedtgaZKMTaI4QM6DcPmjlUoZU5sizDP9fdsw2iuhyEV5tJprmm2p9tuzFXsV/NY7L79m6iJMh0VTfpbglkec8R7f1im04sbBDR6v/Quw3U3R1erndzymZIGzjG7qKwnGzAvNhTTW+9FOLjCBVhE1Jk6PfX0efAkL9UiB3Vo5qpJw535rZa4KP9KfkGiJE8RhsdIqRMnMo2wPzRkiJF+eb+P3v0eIkAeBpPdioK3MI02d+KS+vgGu9cuVeq1jCONkfIfp3EYnxGsu3ZPWyZRzbTwS6m4XV6Ov4NMq5YpjjpnCnMHq3nFg+H14WLqs68TIgNeWwhRJyqhnvpWA+/A6GC6PHzeELpL3xAg==
-  template:
-    metadata:
-      name: grafana
-      namespace: grafana
-      labels:
-        app.kubernetes.io/name: grafana
-        app.kubernetes.io/component: grafana

home-assistant/.gitignore

@@ -1,2 +1 @@
 mosquitto.passwd
-secrets.yaml.in