diff --git a/projects/system/Chart.yaml b/projects/system/Chart.yaml
new file mode 100644
index 0000000..6f7e8fd
--- /dev/null
+++ b/projects/system/Chart.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v2
+name: system-apps
+type: application
+version: 1.0.0
+appVersion: "1.0.0"
+
+dependencies:
+ - name: app-of-apps
+ version: 1.0.2
+ repository: file://../../../charts/app-of-apps/
diff --git a/projects/system/values.yaml b/projects/system/values.yaml
new file mode 100644
index 0000000..db0c71f
--- /dev/null
+++ b/projects/system/values.yaml
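Review bot: `repository: file://../../../charts/app-of-apps/` is resolved relative to `projects/system/`, so the three `..` climb past the repository root and the `app-of-apps` dependency is taken from a sibling checkout rather than from anything this commit pins — whatever chart happens to be on disk next to the repo is what renders, unless the tree is actually nested one level deeper than the paths here suggest. If the chart lives in this repo at `charts/app-of-apps`, the path should be `file://../../charts/app-of-apps/`; if it is intentionally external, a comment saying where it comes from and how its version is pinned would help. Note that `version: 1.0.2` is only a constraint Helm checks against the local chart's own Chart.yaml, not a content pin, so a stale or modified copy carrying that version string still passes.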
@@ -0,0 +1,151 @@
+---
+app-of-apps:
+ project: system
+ destination:
+ server: https://kubernetes.default.svc
+ source:
+ repoURL: https://git.nc.landry.land/davad/argo.git
+ path: system
+ apps:
+ # - name: cert-manager
+ # namespace: cert-manager
+ # path: cert-manager
+ # plugin:
+ # env:
+ # - name: SOPS_SECRET_FILE
+ # value: secret.sec.yaml
+ # - name: cloudflared
+ # namespace: cloudflared
+ # path: cloudflared
+ # - name: cloudnative-pg
+ # namespace: cnpg
+ # path: cloudnative-pg
+ # - name: kubernetes-dashboard
+ # namespace: kubernetes-dashboard
+ # path: dashboard
+ # plugin:
+ # env:
+ # - name: SOPS_SECRET_FILE
+ # value: secret.sec.yaml
+ # extraSyncOptions:
+ # - RespectIgnoreDifferences=true
+ # ignoreDifferences:
+ # - name: kubernetes-dashboard-csrf
+ # kind: Secret
+ # jsonPointers:
+ # - /data/csrf
+ # - name: dyndns
+ # namespace: dyndns
+ # path: dyndns
+ # plugin:
+ # env:
+ # - name: SOPS_SECRET_FILE
+ # value: secret.sec.yaml
+ # - name: keycloak
+ # namespace: identity
+ # path: identity/keycloak
+ # plugin:
+ # env:
+ # - name: SOPS_SECRET_FILE
+ # value: secret.sec.yaml
+ # - name: metrics-server
+ # namespace: metrics-server
+ # path: metrics-server
+
+ # - name: nfs-subdir-external-provisioner
+ # namespace: nfs-subdir-provisioner
+ # path: nfs-subdir-external-provisioner
+ # plugin:
+ # env:
+ # - name: SOPS_SECRET_FILE
+ # value: secret.sec.yaml
+
+ # - name: oauth2-proxy
+ # namespace: oauth2-proxy
+ # path: oauth2-proxy
+ # plugin:
+ # env:
+ # - name: SOPS_SECRET_FILE
+ # value: secret.sec.yaml
+ # - name: prometheus-stack
+ # namespace: monitoring
+ # path: prometheus-stack
+ # plugin:
+ # env:
+ # - name: SOPS_SECRET_FILE
+ # value: secret.sec.yaml
+ # extraSyncOptions:
+ # - ServerSideApply=true
+ # managedNamespaceMetadata:
+ # labels:
+ # pod-security.kubernetes.io/enforce: privileged
+ #
+ - name: traefik
+ namespace: traefik
+ path: traefik
+ plugin:
+ env:
+ - name: SOPS_SECRET_FILE
+ value: secret.sec.yaml
+
+ # - name: node-feature-discovery
+ # namespace: node-feature-discovery
+ # path: node-feature-discovery
+ # extraSyncOptions:
+ # - RespectIgnoreDifferences=true
+ # ignoreDifferences:
+ # - group: apps
+ # kind: DaemonSet
+ # jsonPointers:
+ # - /spec/template/metadata/annotations
+ # managedNamespaceMetadata:
+ # labels:
+ # pod-security.kubernetes.io/enforce: privileged
+ # - name: intel-device-plugins-operator
+ # namespace: intel-device-plugins-operator
+ # path: intel-device-plugins-operator
+ # managedNamespaceMetadata:
+ # labels:
+ # pod-security.kubernetes.io/enforce: privileged
+ # - name: intel-gpu-plugin
+ # namespace: intel-gpu-plugin
+ # path: intel-gpu-plugin
+ # extraSyncOptions:
+ # - RespectIgnoreDifferences=true
+ # ignoreDifferences:
+ # - group: deviceplugin.intel.com
+ # kind: GpuDevicePlugin
+ # jsonPointers:
+ # - /spec/resourceManager
+ # managedNamespaceMetadata:
+ # labels:
+ # pod-security.kubernetes.io/enforce: privileged
+ # - name: snapshot-controller
+ # namespace: snapshot-controller
+ # path: snapshot-controller
+ # ignoreDifferences:
+ # - group: "admissionregistration.k8s.io"
+ # kind: ValidatingWebhookConfiguration
+ # name: snapshot-validation-webhook
+ # jqPathExpressions:
+ # - .webhooks[]?.clientConfig.caBundle
+ # - kind: Secret
+ # name: snapshot-validation-webhook-tls
+ # jsonPointers:
+ # - /data
+ # - name: external-secrets
+ # namespace: external-secrets
+ # path: external-secrets
+ # plugin:
+ # env:
+ # - name: SOPS_SECRET_FILE
+ # value: secret.sec.yaml
+ # - name: kubelet-csr-approver
+ # namespace: kube-system
+ # path: kubelet-csr-approver
+ # - name: volsync
+ # namespace: volsync
+ # path: volsync
+ # - name: talos-backup
+ # namespace: talos-backup
+ # path: talos-backup
diff --git a/system/traefik/Chart.yaml b/system/traefik/Chart.yaml
new file mode 100644
index 0000000..7086afb
--- /dev/null
+++ b/system/traefik/Chart.yaml
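Review bot: All but the `traefik` entry under `apps:` are commented out, which leaves roughly 140 of the 151 new lines as dead configuration that the chart never renders; git history already preserves the disabled apps, so keeping only the live entry (or a one-line `# disabled apps: see git history` pointer) reads more honestly than a parked list that drifts from the real charts. Several of the parked entries (`prometheus-stack`, `node-feature-discovery`, the two `intel-*` plugins) also carry `pod-security.kubernetes.io/enforce: privileged` under `managedNamespaceMetadata`, so whoever uncomments them later inherits a privileged namespace without any review prompt — a short comment on each of those blocks stating why the relaxed PSS level is required would be worth adding now, while the reason is still known.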
@@ -0,0 +1,10 @@
+---
+apiVersion: v2
+name: external-traefik-subchart
+type: application
+version: 1.0.0
+appVersion: "2.6.1"
+dependencies:
+ - name: traefik
+ version: 25.0.0
+ repository: https://traefik.github.io/charts
diff --git a/system/traefik/secret.sec.yaml b/system/traefik/secret.sec.yaml
new file mode 100644
index 0000000..c66dea0
--- /dev/null
+++ b/system/traefik/secret.sec.yaml
@@ -0,0 +1,23 @@
+kind: Secret
+data:
+ private-domain: ENC[AES256_GCM,data:kxGG/OWfCHByyJ4nv/I=,iv:gqILmNxktPvbx2ycWZSseNgxwLmf1D3if9bgCeE7lR8=,tag:HTBLXrPXokplzmDAN1Ka4Q==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1nvkwdu3fnsy3r2ajw36d858hmgrw4nkg2e2t5p4n90zyvdnlffzqp3fxpf
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMkd0UGhMV1RpRGl5UHQ1
+ RkR6bFNBOHl4OFppRC9ncEJXUDVTeDJkdXpzCnNORnk0ZlNjVWdud3EwekpXSElE
+ NFpRRjVGb0lEZFdPdXFnWWxXa3ZoRWcKLS0tIG1GTDByaGZjSDY3U2czbzlJdGhh
+ YU42a2NWZTN0RXdZalpKbXpxSmxYNlkK0x/syDZZ9ig9itXzwnw/Pm2nvL1mE0mX
+ JgtvyXpStGVbBE/opQFhVfPGtFrHufZZ9atpDcwP8HkjqQ5RE8jwBA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-09-20T12:10:11Z"
+ mac: ENC[AES256_GCM,data:6Q+8GNGMKUZ8vVA3+nTYz55JVzPfQnnCNy2mIBkpNNzACwK9DpOjqbQDOsaGdqz1Vc4+O7/kRIdSajL9XwhBbkW1s4EDDuIrbztZNmOZM+2oFhcndMP/xaNPoSIN/wiAmWDdKFTpCdYroJLo9sXgxBpa510z7sP4yN2C73bXrsg=,iv:Ji5GXNBawc3jcINQgwWlI+7Y5uzylOKU1/jAL+OJBZ8=,tag:hktnNMSaPk8J/iSV72hu1w==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/system/traefik/templates/cert.yaml b/system/traefik/templates/cert.yaml
new file mode 100644
index 0000000..0b3abd4
--- /dev/null
+++ b/system/traefik/templates/cert.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: tls-cert
+ namespace: traefik
+spec:
+ secretName: tls-cert
+ issuerRef:
+ name: lets-encrypt-dns01-production-cf
+ kind: ClusterIssuer
+ commonName: ''
+ dnsNames:
+ - ''
+ - '*.'
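Review bot: `appVersion: "2.6.1"` does not match what the pinned `traefik` chart `25.0.0` actually deploys — as far as I recall that chart line ships Traefik v2.10.x — so the metadata understates the running version for anyone triaging CVEs or chart compatibility by `appVersion`. Either drop the field, since the subchart carries its own, or set it to the image tag the chart pulls after checking with `helm show chart traefik/traefik --version 25.0.0`, e.g. `appVersion: "2.10.5"`. Note also that the `traefik.io/v1alpha1` API group used by `templates/dashboard.yaml` only exists in the newer Traefik versions, which is another sign `2.6.1` is stale.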
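Review bot: The single encrypted field, `private-domain`, sits under `data:`, and the file has no `apiVersion` or `metadata`, so it is not a complete Secret manifest — presumably the plugin selected by `SOPS_SECRET_FILE` consumes it as values rather than applying it, but that is not visible here. If it is ever applied as a Secret, a `data:` value must already be base64 while `stringData:` takes plaintext, and `encrypted_regex: ^(data|stringData)$` covers both, so moving the key under `stringData:` (or confirming the plugin base64-encodes on the way out) removes a latent invalid-Secret failure; a note in the chart README on which plugin reads this file and how would settle it for the next reader. Separately, there is one age recipient and no second key, so loss of that private key makes this and every other `secret.sec.yaml` unrecoverable — worth a backup recipient.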
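Review bot: `commonName: ''` and `dnsNames: ['', '*.']` are literal empty strings in what is otherwise a plain manifest — there are no `{{ }}` template expressions in the file — so as committed I would expect cert-manager's validation to reject the Certificate (an empty SAN and a bare `*.` are not valid DNS names) and the `tls-cert` Secret that `tlsStore.default.defaultCertificate` in values.yaml depends on never gets issued. If the domain is meant to come from the `private-domain` entry in `secret.sec.yaml`, the template has to reference it with whatever values key the SOPS plugin exposes, e.g. `commonName: "{{ .Values.privateDomain }}"` and `dnsNames: ["{{ .Values.privateDomain }}", "*.{{ .Values.privateDomain }}"]`; if it was scrubbed for publication, a one-line comment saying so stops the next reader chasing a phantom bug.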
diff --git a/system/traefik/templates/dashboard.yaml b/system/traefik/templates/dashboard.yaml
new file mode 100644
index 0000000..5dbe15a
--- /dev/null
+++ b/system/traefik/templates/dashboard.yaml
@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: dashboard
+ namespace: traefik
+ annotations:
+ kubernetes.io/ingress.class: traefik
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`traefik.`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+ kind: Rule
+ services:
+ - name: api@internal
+ kind: TraefikService
diff --git a/system/traefik/values.yaml b/system/traefik/values.yaml
new file mode 100644
index 0000000..4dc90f8
--- /dev/null
+++ b/system/traefik/values.yaml
@@ -0,0 +1,44 @@
+---
+traefik:
+ ports:
+ web:
+ redirectTo:
+ port: websecure
+
+ # Options for the main traefik service, where the entrypoints traffic comes
+ # from.
+ service:
+ annotations: {
+ metallb.universe.tf/loadBalancerIPs: "192.168.48.21"
+ }
+ single: false
+
+ tlsStore:
+ default:
+ defaultCertificate:
+ secretName: tls-cert
+
+ ingressClass:
+ enabled: true
+
+ ingressRoute:
+ dashboard:
+ enabled: false
+
+ providers:
+ kubernetesCRD:
+ ingressClass: traefik
+ allowCrossNamespace: true
+ allowExternalNameServices: true
+ kubernetesIngress:
+ ingressClass: traefik
+ allowExternalNameServices: true
+ publishedService:
+ enabled: true
+
+ logs:
+ access:
+ enabled: true
+ filters:
+ statuscodes: "400-405,500"
+ minDuration: "10ms"
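Review bot: The route publishes `api@internal` — the dashboard plus the `/api` endpoint that lists every router, service and middleware Traefik knows about — on the `websecure` entrypoint with no `middlewares:` on the rule, so anyone who can reach the MetalLB address and present the host name gets the full routing map with no authentication; Traefik's own documentation requires an auth middleware in front of `api@internal` for exactly this reason. With `oauth2-proxy` still commented out in the project values, a `basicAuth` Middleware backed by an htpasswd Secret managed through the same SOPS flow as `secret.sec.yaml` is the minimal fix, and it can be swapped for `forwardAuth` once oauth2-proxy lands. The `kubernetes.io/ingress.class` annotation has no effect on an IngressRoute CRD (the chart's `providers.kubernetesCRD.ingressClass` already scopes it) and can be dropped. Also, `Host(`traefik.`)` is a literal with no domain behind the dot, mirroring the empty values in cert.yaml — as written it will never match a real request, so if a templated domain is intended it needs the same `{{ .Values... }}` treatment.
```yaml
# … unchanged: IngressRoute metadata and entryPoints …
  routes:
    - match: Host(`traefik.`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      middlewares:
        - name: dashboard-auth
      services:
        - name: api@internal
          kind: TraefikService
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
  namespace: traefik
spec:
  basicAuth:
    # htpasswd-format Secret (key "users"), encrypted with SOPS like secret.sec.yaml
    secret: dashboard-auth-users
```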
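Review bot: `allowExternalNameServices: true` on both providers and `allowCrossNamespace: true` on `kubernetesCRD` switch off two defaults Traefik ships closed for a reason: the first lets any Ingress or IngressRoute in any namespace point Traefik at an arbitrary external host through an ExternalName Service, turning the proxy into an open forwarder (an SSRF and exfiltration path if any tenant or compromised controller can create routes), and the second lets a route reference Services and Middlewares in other namespaces, so namespace boundaries no longer limit what a route can expose or bypass. If this is a single-operator cluster where that is accepted, say so in a comment next to those keys; otherwise drop both and enable them per need. Separately, `statuscodes: "400-405,500"` combined with `minDuration: "10ms"` keeps 401, 403, 429 and 502–504 out of the access log, which are precisely the responses an authentication probe, a blocked request or a backend outage produce; `statuscodes: "400-499,500-599"` (and dropping `minDuration`) gives detection something to work with.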