Go to file

Dustin C. Hatch 92497004be authelia: Point to external PostgreSQL server

If there is an issue with the in-cluster database server, accessing the
Kubernetes API becomes impossible by normal means.  This is because the
Kubernetes API uses Authelia for authentication and authorization, and
Authelia relies on the in-cluster database server.  To solve this
chicken-and-egg scenario, I've set up a dedicated PostgreSQL database
server on a virtual machine, totally external to the Kubernetes cluster.

With this commit, I have changed the Authelia configuration to point at
this new database server.  The contents of the new database server were
restored from a backup from the in-cluster server, so of Authelia's
state was migrated automatically.  Thus, updating the configuration is
all that is necessary to switch to using it.

The new server uses certificate-based authentication.  In order for
Authelia to access it, it needs a certificate issued by the
_postgresql-ca_ ClusterIssuer, managed by _cert-manager_.  Although the
environment variables for pointing to the certificate and private key
are not listed explicitly in the Authelia documentation, their names
can be inferred from the configuration document schema and work as
expected.

2024-07-02 18:16:05 -05:00

argocd

step-ca: Redeploy with DCH CA R3

2024-02-22 07:10:01 -06:00

authelia

authelia: Point to external PostgreSQL server

2024-07-02 18:16:05 -05:00

autoscaler

autoscaler: Add SealedSecret for AWS key

2024-02-22 09:59:16 -06:00

cert-manager

cert-manager: Remove unused secrets

2024-02-16 20:56:08 -06:00

collectd

collectd: Add DaemonSet for collectd

2024-06-26 18:29:49 -05:00

dch-root-ca

step-ca: Re-deploy (again) with DCH CA R2

2024-04-05 13:03:34 -05:00

dch-webhooks

dch-webhooks: Disable HTTPS redirect

2024-01-22 16:55:03 -06:00

device-plugins

device-plugins: Allow FUSE plugin on Jenkins nodes

2024-02-13 07:56:35 -06:00

docker-distribution

docker-distribution: Deploy OCI image registry

2022-07-31 01:15:01 -05:00

dynk8s-provisioner

dynk8s-provisioner: Set instance label for Argo CD

2023-10-14 07:43:37 -05:00

firefly-iii

firefly-iii: Use volume claim template for redis

2024-06-26 18:29:49 -05:00

fleetlock

fleetlock: Deploy Zincati fleet lock manager

2024-05-31 15:18:01 -05:00

grafana

grafana: Trust dch-root-ca for LDAP connections

2024-06-26 18:29:49 -05:00

home-assistant

home-assistant: Add Pool Time WebDAV calendar

2024-07-02 18:16:05 -05:00

hudctrl

hudctrl: Update for v0.2.0

2022-12-18 16:26:07 -06:00

ingress

home-assistant: Deploy Home Assistant

2023-07-24 17:53:58 -05:00

invoice-ninja

invoice-ninja: Update PVC for restored backup

2024-02-15 09:45:57 -06:00

jenkins

jenkins: Force iSCSI volume on specific nodes

2024-06-26 18:29:49 -05:00

keyserv

keyserv: Add age keys for unifi2

2024-05-26 11:48:12 -05:00

kitchen

kitchen: Run as non-root user

2024-06-06 11:03:42 -05:00

loki-ca

loki-ca: Add cert-manager issuer for Loki CA

2024-02-22 07:10:01 -06:00

metrics

metrics: Add role to allow anon access to metrics

2022-11-05 16:23:02 -05:00

ntfy

ntfy: Set instance label for Argo CD

2023-10-14 07:28:05 -05:00

paperless-ngx

paperless-ngx: Use volume claim template for redis

2024-06-26 18:29:49 -05:00

photoframesvc

photoframesvc: Initial commit

2023-10-14 11:25:50 -05:00

phpipam

phpipam: Migrate to Sealed Secrets

2023-10-14 10:56:20 -05:00

postgresql

postgresql: Fix pod secrets

2023-10-19 07:12:16 -05:00

prometheus_speedtest

prom_speedtest: Add application manifest

2022-08-06 22:21:06 -05:00

promtail

promtail: Deploy as DaemonSet

2024-02-22 07:10:01 -06:00

rent-reminder

rent-reminder: Add CronJob to send reminders

2024-01-04 08:54:54 -06:00

restic-exporter

restic-exporter: Deploy Restic Prometheus exporter

2024-06-26 18:29:49 -05:00

scanservjs

scanservjs: Update to v2.27.0

2023-07-08 07:06:10 -05:00

sealed-secrets

sealed-secrets: Deploy Bitnami Sealed Secrets

2023-10-13 18:34:01 -05:00

setup

setup: ks: Generate iSCSI initiator name

2022-08-23 21:22:01 -05:00

sshca

sshca: Add machine ID for Toad

2024-05-22 15:20:09 -05:00

step-ca

step-ca: Allow longer validity for ACME certificates

2024-06-26 18:29:49 -05:00

storage

home-assistant: Deploy Home Assistant

2023-07-24 17:53:58 -05:00

victoria-metrics

v-m: Add component labels to configmaps

2024-07-02 18:16:05 -05:00

websites

websites: Host darkchestofwonders.us in k8s

2024-01-04 08:56:12 -06:00

xactfetch

xactfetch: Provide Vaultwarden password for sync

2024-05-29 09:36:30 -05:00

README.md

README: Add storage section

2022-07-31 01:38:46 -05:00

README.md

Dustin's Kubernetes Cluster

This repository contains resources for deploying and managing my on-premises Kubernetes cluster

Cluster Setup

The cluster primarily consists of libvirt/QEMU+KVM virtual machines. The Control Plane nodes are VMs, as are the x86_64 worker nodes. Eventually, I would like to add Raspberry Pi or Pine64 machines as aarch64 nodes.

All machines run Fedora, using only Fedora builds of the Kubernetes components (kubeadm, kubectl, and kubeadm).

See Cluster Setup for details.

Jenkins Agents

One of the main use cases for the Kubernetes cluster is to provide dynamic agents for Jenkins. Using the Kubernetes Plugin, Jenkins will automatically launch worker nodes as Kubernetes pods.

See Jenkins Kubernetes Integration for details.

Persistent Storage

Persistent storage for pods is provided by Longhorn. Longhorn runs within the cluster and provisions storage on worker nodes to make available to pods over iSCSI.

See Persistent Storage Using Longorn for details.