From e408c7cf4ed1aaf209bb0cafa4dd54a7f87f659b Mon Sep 17 00:00:00 2001
From: Keli Grubb
Date: Thu, 16 May 2024 22:41:21 -0400
Subject: [PATCH] latest upgrades to the cluster
---
 .../cert-manager/cert-manager-chart.yml | 19 ++
 namespaces/cert-manager/issuer.yml | 14 ++
 namespaces/cert-manager/namespace.yml | 4 +
 namespaces/git/default-role.yml | 68 ++++++++
 namespaces/git/gitea-chart.yml | 14 +-
 namespaces/git/woodpecker-chart.yml | 8 +-
 .../ingress-nginx/ingress-nginx-chart.yml | 10 +-
 namespaces/ingress-nginx/media.yml | 60 +++++++
 namespaces/kube-system/helm-controller.yaml | 163 +++++++++++++++++-
 namespaces/kube-system/metrics-server.yml | 7 +-
 namespaces/kube-system/nodelocaldns.yml | 2 +-
 namespaces/longhorn-system/longhorn-chart.yml | 17 +-
 namespaces/metallb-system/metallb-chart.yml | 2 +-
 .../kube-prometheus-stack-chart.yml | 16 +-
 namespaces/monitoring/loki-chart.yml | 43 +++++
 15 files changed, 428 insertions(+), 19 deletions(-)
 create mode 100644 namespaces/cert-manager/cert-manager-chart.yml
 create mode 100644 namespaces/cert-manager/issuer.yml
 create mode 100644 namespaces/cert-manager/namespace.yml
 create mode 100644 namespaces/git/default-role.yml
 create mode 100644 namespaces/ingress-nginx/media.yml
 create mode 100644 namespaces/monitoring/loki-chart.yml
diff --git a/namespaces/cert-manager/cert-manager-chart.yml b/namespaces/cert-manager/cert-manager-chart.yml
new file mode 100644
index 0000000..9f6d9b8
--- /dev/null
+++ b/namespaces/cert-manager/cert-manager-chart.yml
@@ -0,0 +1,19 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: cert-manager
+ namespace: cert-manager
+spec:
+ chart: cert-manager
+ targetNamespace: cert-manager
+ repo: https://charts.jetstack.io
+ # https://artifacthub.io/packages/helm/cert-manager/cert-manager
+ version: 1.14.5
+ valuesContent: |-
+ prometheus:
+ enabled: true
+ servicemonitor:
+ enabled: true
+ installCRDs: true
+ extraArgs:
+ - --dns01-recursive-nameservers-only
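Review bot: `--dns01-recursive-nameservers-only` under `extraArgs` only changes how cert-manager self-checks DNS-01 challenges, and the only solver this commit defines (issuer.yml) is HTTP-01, so as configured the flag does nothing; either drop it or record the intent, e.g. `# only takes effect once a dns01 solver is added`. `installCRDs: true` also makes the CRDs part of this Helm release, which per cert-manager's documentation means removing or reinstalling the HelmChart deletes the CRDs and every Certificate/Issuer object with them — worth a one-line warning next to that key so the next upgrade is done in place rather than by delete-and-recreate.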
diff --git a/namespaces/cert-manager/issuer.yml b/namespaces/cert-manager/issuer.yml
new file mode 100644
index 0000000..7c40d4b
--- /dev/null
+++ b/namespaces/cert-manager/issuer.yml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-cluster-issuer
+ namespace: cert-manager
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-cluster-issuer-account-key
+ solvers:
+ - http01:
+ ingress:
+ ingressClassName: nginx
\ No newline at end of file
diff --git a/namespaces/cert-manager/namespace.yml b/namespaces/cert-manager/namespace.yml
new file mode 100644
index 0000000..caac21a
--- /dev/null
+++ b/namespaces/cert-manager/namespace.yml
@@ -0,0 +1,4 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: cert-manager
\ No newline at end of file
diff --git a/namespaces/git/default-role.yml b/namespaces/git/default-role.yml
new file mode 100644
index 0000000..ed4afe1
--- /dev/null
+++ b/namespaces/git/default-role.yml
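Review bot: `ClusterIssuer` is cluster-scoped, so `metadata.namespace: cert-manager` is meaningless here (the API server ignores it and kubectl may warn) — remove the line. No `email` is set on the ACME account, so Let's Encrypt has nowhere to send expiry or problem notices for the account key held in `letsencrypt-cluster-issuer-account-key` (which, for a ClusterIssuer, lands in cert-manager's cluster-resource namespace, `cert-manager` by default); add `email:` under `acme:`. The HTTP-01 solver also requires port 80 of the nginx ingress to be reachable from the public internet for every host that requests a certificate — several ingresses in this commit depend on that, so a comment above `solvers:` stating the assumption would help.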
@@ -0,0 +1,68 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: default
+ namespace: git
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/log
+ - namespaces
+ - serviceaccounts
+ - persistentvolumeclaims
+ - services
+ - configmaps
+ verbs:
+ - watch
+ - create
+ - delete
+ - get
+ - list
+- apiGroups:
+ - "apps"
+ resources:
+ - deployments
+ - daemonsets
+ verbs:
+ - get
+- apiGroups:
+ - "helm.cattle.io"
+ resources:
+ - helmcharts
+ verbs:
+ - get
+- apiGroups:
+ - "apiextensions.k8s.io"
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+- apiGroups:
+ - "rbac.authorization.k8s.io"
+ resources:
+ - clusterroles
+ - rolebindings
+ - clusterrolebindings
+ verbs:
+ - get
+- apiGroups:
+ - "apiregistration.k8s.io"
+ resources:
+ - apiservices
+ verbs:
+ - get
+- apiGroups:
+ - "metallb.io"
+ resources:
+ - ipaddresspools
+ - l2advertisements
+ verbs:
+ - get
+- apiGroups:
+ - "networking.k8s.io"
+ resources:
+ - ingresses
+ verbs:
+ - get
\ No newline at end of file
diff --git a/namespaces/git/gitea-chart.yml b/namespaces/git/gitea-chart.yml
index 5f7e5f5..4684444 100644
--- a/namespaces/git/gitea-chart.yml
+++ b/namespaces/git/gitea-chart.yml
@@ -9,7 +9,7 @@ spec:
 chart: gitea
 targetNamespace: git
 repo: https://dl.gitea.io/charts/
- version: 9.5.1
+ version: 10.1.4
 valuesContent: |-
 resources:
 limits:
@@ -27,6 +27,12 @@ spec:
 persistence:
 enabled: true
 gitea:
+ admin:
+ existingSecret: gitea-admin-secret
+ email: keligrubb324@gmail.com
+ additionalConfigFromEnvs:
+ - name: GITEA__webhook__ALLOWED_HOST_LIST
+ value: "external,loopback,*.keligrubb.com"
 metrics:
 enabled: true
 serviceMonitor:
@@ -63,6 +69,12 @@ spec:
 paths:
 - path: /
 pathType: Prefix
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-cluster-issuer"
+ tls:
+ - secretName: gitea-tls
+ hosts:
+ - git.keligrubb.com
 persistence:
 storageClass: longhorn
 size: 64Gi
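Review bot: The first rule grants `create` and `delete` on `pods` and `serviceaccounts` in `git`, which lets whoever holds this Role run arbitrary workloads under any ServiceAccount in the namespace (a pod may mount whichever SA token it names) and so inherit every permission bound to those accounts, including Gitea's and Woodpecker's; every other rule in the file is `get`-only, so if the intent is observation, drop `create`/`delete` from that rule or leave a comment on why they are needed. Listing `namespaces` in a namespaced Role is also not harmless: as far as I recall the RBAC request mapping, a Role's rules on `namespaces` apply to the namespace object it lives in, so `delete` here is a grant to delete the `git` namespace itself — remove `namespaces` from the list. No RoleBinding is in this diff, and the name `default` suggests it is meant for the namespace's default ServiceAccount; if so, every pod in `git` that does not set `automountServiceAccountToken: false` receives these rights, which is worth stating in a comment above `rules:`.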
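Review bot: `GITEA__webhook__ALLOWED_HOST_LIST` adds `loopback`, which lets any repository admin aim a webhook at `127.0.0.1`/`::1`, i.e. at whatever listens inside the Gitea pod (Gitea's own API and metrics endpoint, any sidecar); Gitea's default of `external` exists to block exactly that SSRF path. If the goal is to reach Woodpecker at `ci.keligrubb.com`, the `*.keligrubb.com` entry already covers it, so either drop `loopback` or record why it is required: `# loopback: needed for <consumer>`. Note that the wildcard matches on hostname, so any name under that zone resolving to a private address becomes reachable — fine while the DNS zone is under your control, but worth a comment next to the value.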
diff --git a/namespaces/git/woodpecker-chart.yml b/namespaces/git/woodpecker-chart.yml
index 4fefb21..16cbf65 100644
--- a/namespaces/git/woodpecker-chart.yml
+++ b/namespaces/git/woodpecker-chart.yml
@@ -7,13 +7,11 @@ spec:
 chart: woodpecker
 targetNamespace: git
 repo: https://woodpecker-ci.org/
- version: 0.4.2
+ version: 1.3.0
 valuesContent: |-
 server:
- image:
- tag: v1.0.3
 env:
- WOODPECKER_ADMIN: kgrubb
+ WOODPECKER_ADMIN: keli.grubb
 WOODPECKER_GITEA: true
 WOODPECKER_GITEA_URL: http://git.keligrubb.com
 WOODPECKER_GITEA_SKIP_VERIFY: true
@@ -33,7 +31,5 @@ spec:
 serviceName: ci.keligrubb.com
 servicePort: 80
 agent:
- image:
- tag: v1.0.3
 env:
 WOODPECKER_GITEA: true
\ No newline at end of file
diff --git a/namespaces/ingress-nginx/ingress-nginx-chart.yml b/namespaces/ingress-nginx/ingress-nginx-chart.yml
index 6501c7b..4f4014d 100644
--- a/namespaces/ingress-nginx/ingress-nginx-chart.yml
+++ b/namespaces/ingress-nginx/ingress-nginx-chart.yml
@@ -7,7 +7,7 @@ spec:
 chart: ingress-nginx
 targetNamespace: ingress-nginx
 repo: https://kubernetes.github.io/ingress-nginx
- version: 4.8.0
+ version: 4.10.1
 valuesContent: |-
 controller:
 metrics:
@@ -18,10 +18,10 @@ spec:
 release: prometheus
 resources:
 requests:
- cpu: 100m
- memory: 180Mi
+ cpu: 200m
+ memory: 200Mi
 limits:
- cpu: 100m
- memory: 180Mi
+ cpu: 200m
+ memory: 200Mi
 tcp:
 22: git/gitea-ssh:22
\ No newline at end of file
diff --git a/namespaces/ingress-nginx/media.yml b/namespaces/ingress-nginx/media.yml
new file mode 100644
index 0000000..6b3430e
--- /dev/null
+++ b/namespaces/ingress-nginx/media.yml
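Review bot: The server still reaches Gitea through `WOODPECKER_GITEA_URL: http://git.keligrubb.com` with `WOODPECKER_GITEA_SKIP_VERIFY: true` (context lines of the first hunk), although this same commit puts a Let's Encrypt certificate on `git.keligrubb.com` in gitea-chart.yml; the OAuth exchange and every Gitea token Woodpecker holds therefore cross the ingress in cleartext, and once TLS is active nginx will likely 308-redirect the plain-HTTP calls anyway. Change the two lines to `WOODPECKER_GITEA_URL: https://git.keligrubb.com` and `WOODPECKER_GITEA_SKIP_VERIFY: false` (or drop SKIP_VERIFY, whose default is false) once the certificate is issued. Removing `image.tag: v1.0.3` also means server and agent now run whatever tag chart 1.3.0 defaults to, so the deployed Woodpecker version is no longer visible in this repo — a comment naming the chart's appVersion next to `version: 1.3.0` would restore that.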
@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: media
+ namespace: ingress-nginx
+spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 8096
+ clusterIP: None
+ type: ClusterIP
+
+---
+
+apiVersion: discovery.k8s.io/v1
+kind: EndpointSlice
+metadata:
+ name: media
+ namespace: ingress-nginx
+ labels:
+ kubernetes.io/service-name: media
+addressType: IPv4
+ports:
+ - name: http
+ protocol: TCP
+ port: 8096
+endpoints:
+ - addresses:
+ - "192.168.1.178"
+ conditions:
+ ready: true
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: media
+ namespace: ingress-nginx
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+ cert-manager.io/cluster-issuer: "letsencrypt-cluster-issuer"
+spec:
+ ingressClassName: "nginx"
+ tls:
+ - secretName: media-tls
+ hosts:
+ - media.keligrubb.com
+ rules:
+ - host: media.keligrubb.com
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: media
+ port:
+ number: 80
diff --git a/namespaces/kube-system/helm-controller.yaml b/namespaces/kube-system/helm-controller.yaml
index e6cb2d8..6701e92 100644
--- a/namespaces/kube-system/helm-controller.yaml
+++ b/namespaces/kube-system/helm-controller.yaml
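Review bot: The Ingress terminates TLS at nginx and forwards to `192.168.1.178:8096` over plain HTTP (the EndpointSlice port and the Service `targetPort`) with no auth annotation, so whatever listens on that LAN host is published to the internet as `media.keligrubb.com` with only its own login in front of it; if the upstream enforces authentication, say so above `annotations:`, e.g. `# upstream does its own auth; hop from nginx to the LAN host is plaintext`. The hand-written EndpointSlice carries a static `ready: true`, so nginx keeps routing to that address when the host is down or re-addressed — a comment stating the IP is a DHCP reservation (or a move to an `ExternalName` Service if it has a name) would document the assumption. Placing application resources in `ingress-nginx` rather than a dedicated `media` namespace also mixes them into the controller's namespace and its RBAC scope.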
@@ -77,6 +77,84 @@ spec:
 jobImage:
 nullable: true
 type: string
+ podSecurityContext:
+ nullable: true
+ properties:
+ fsGroup:
+ nullable: true
+ type: integer
+ fsGroupChangePolicy:
+ nullable: true
+ type: string
+ runAsGroup:
+ nullable: true
+ type: integer
+ runAsNonRoot:
+ nullable: true
+ type: boolean
+ runAsUser:
+ nullable: true
+ type: integer
+ seLinuxOptions:
+ nullable: true
+ properties:
+ level:
+ nullable: true
+ type: string
+ role:
+ nullable: true
+ type: string
+ type:
+ nullable: true
+ type: string
+ user:
+ nullable: true
+ type: string
+ type: object
+ seccompProfile:
+ nullable: true
+ properties:
+ localhostProfile:
+ nullable: true
+ type: string
+ type:
+ nullable: true
+ type: string
+ type: object
+ supplementalGroups:
+ items:
+ type: integer
+ nullable: true
+ type: array
+ sysctls:
+ items:
+ properties:
+ name:
+ nullable: true
+ type: string
+ value:
+ nullable: true
+ type: string
+ type: object
+ nullable: true
+ type: array
+ windowsOptions:
+ nullable: true
+ properties:
+ gmsaCredentialSpec:
+ nullable: true
+ type: string
+ gmsaCredentialSpecName:
+ nullable: true
+ type: string
+ hostProcess:
+ nullable: true
+ type: boolean
+ runAsUserName:
+ nullable: true
+ type: string
+ type: object
+ type: object
 repo:
 nullable: true
 type: string
@@ -90,6 +168,89 @@ spec:
 nullable: true
 type: string
 type: object
+ securityContext:
+ nullable: true
+ properties:
+ allowPrivilegeEscalation:
+ nullable: true
+ type: boolean
+ capabilities:
+ nullable: true
+ properties:
+ add:
+ items:
+ nullable: true
+ type: string
+ nullable: true
+ type: array
+ drop:
+ items:
+ nullable: true
+ type: string
+ nullable: true
+ type: array
+ type: object
+ privileged:
+ nullable: true
+ type: boolean
+ procMount:
+ nullable: true
+ type: string
+ readOnlyRootFilesystem:
+ nullable: true
+ type: boolean
+ runAsGroup:
+ nullable: true
+ type: integer
+ runAsNonRoot:
+ nullable: true
+ type: boolean
+ runAsUser:
+ nullable: true
+ type: integer
+ seLinuxOptions:
+ nullable: true
+ properties:
+ level:
+ nullable: true
+ type: string
+ role:
+ nullable: true
+ type: string
+ type:
+ nullable: true
+ type: string
+ user:
+ nullable: true
+ type: string
+ type: object
+ seccompProfile:
+ nullable: true
+ properties:
+ localhostProfile:
+ nullable: true
+ type: string
+ type:
+ nullable: true
+ type: string
+ type: object
+ windowsOptions:
+ nullable: true
+ properties:
+ gmsaCredentialSpec:
+ nullable: true
+ type: string
+ gmsaCredentialSpecName:
+ nullable: true
+ type: string
+ hostProcess:
+ nullable: true
+ type: boolean
+ runAsUserName:
+ nullable: true
+ type: string
+ type: object
+ type: object
 set:
 additionalProperties:
 x-kubernetes-int-or-string: true
@@ -168,6 +329,6 @@ spec:
 containers:
 - command:
 - helm-controller
- image: rancher/helm-controller:v0.15.4
+ image: rancher/helm-controller:v0.16.0
 name: helm-controller
 ---
diff --git a/namespaces/kube-system/metrics-server.yml b/namespaces/kube-system/metrics-server.yml
index cff86df..73f4ecc 100644
--- a/namespaces/kube-system/metrics-server.yml
+++ b/namespaces/kube-system/metrics-server.yml
@@ -138,7 +138,7 @@ spec:
 - --kubelet-use-node-status-port
 - --kubelet-insecure-tls
 - --metric-resolution=15s
- image: registry.k8s.io/metrics-server/metrics-server:v0.6.4
+ image: registry.k8s.io/metrics-server/metrics-server:v0.7.1
 imagePullPolicy: IfNotPresent
 livenessProbe:
 failureThreshold: 3
@@ -169,9 +169,14 @@ spec:
 memory: 400Mi
 securityContext:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
 volumeMounts:
 - mountPath: /tmp
 name: tmp-dir
diff --git a/namespaces/kube-system/nodelocaldns.yml b/namespaces/kube-system/nodelocaldns.yml
index 19ed5ae..044d3ce 100644
--- a/namespaces/kube-system/nodelocaldns.yml
+++ b/namespaces/kube-system/nodelocaldns.yml
@@ -138,7 +138,7 @@ spec:
 operator: "Exists"
 containers:
 - name: node-cache
- image: registry.k8s.io/dns/k8s-dns-node-cache:1.22.23
+ image: registry.k8s.io/dns/k8s-dns-node-cache:1.23.0
 resources:
 requests:
 cpu: 25m
diff --git a/namespaces/longhorn-system/longhorn-chart.yml b/namespaces/longhorn-system/longhorn-chart.yml
index b552718..dacd745 100644
--- a/namespaces/longhorn-system/longhorn-chart.yml
+++ b/namespaces/longhorn-system/longhorn-chart.yml
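Review bot: `--kubelet-insecure-tls` survives the bump to v0.7.1 (visible as context just above the changed `image:` line), so metrics-server still accepts any certificate a kubelet presents; anyone on the node network able to answer port 10250 could feed forged CPU/memory figures into HPA decisions. If this distribution signs kubelet serving certificates with a cluster CA (check before relying on it), the flag can be replaced with `--kubelet-certificate-authority=<path to the mounted CA bundle>`; otherwise leave a comment above the arg recording why verification is off and what would let it be turned on. The `capabilities.drop: [ALL]` and `seccompProfile: RuntimeDefault` additions in the second hunk are the right direction and need no change.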
@@ -7,9 +7,24 @@ spec:
 chart: longhorn
 targetNamespace: longhorn-system
 repo: https://charts.longhorn.io
- version: 1.5.1
+ version: 1.6.1
 valuesContent: |-
 ingress:
 enabled: true
 ingressClassName: nginx
 host: storage.keligrubb.com
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-cluster-issuer"
+ nginx.ingress.kubernetes.io/auth-type: basic
+ # prevent the controller from redirecting (308) to HTTPS
+ nginx.ingress.kubernetes.io/ssl-redirect: 'false'
+ nginx.ingress.kubernetes.io/auth-secret: longhorn-basic-auth-secret
+ nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required '
+ nginx.ingress.kubernetes.io/proxy-body-size: 10000m
+ tls:
+ - secretName: longhorn-tls
+ hosts:
+ - storage.keligrubb.com
+ defaultSettings:
+ defaultReplicaCount: 1
+ storageOverProvisioningPercentage: 100
diff --git a/namespaces/metallb-system/metallb-chart.yml b/namespaces/metallb-system/metallb-chart.yml
index c157737..9e27585 100644
--- a/namespaces/metallb-system/metallb-chart.yml
+++ b/namespaces/metallb-system/metallb-chart.yml
@@ -9,7 +9,7 @@ spec:
 chart: metallb
 targetNamespace: metallb-system
 repo: https://metallb.github.io/metallb
- version: 0.13.11
+ version: 0.14.5
 valuesContent: |-
 prometheus:
 serviceMonitor:
diff --git a/namespaces/monitoring/kube-prometheus-stack-chart.yml b/namespaces/monitoring/kube-prometheus-stack-chart.yml
index 95a173d..8bf22d1 100644
--- a/namespaces/monitoring/kube-prometheus-stack-chart.yml
+++ b/namespaces/monitoring/kube-prometheus-stack-chart.yml
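Review bot: `ssl-redirect: 'false'` next to `auth-type: basic` means the Longhorn UI — which can delete volumes, trigger backups and evict nodes — accepts `Authorization: Basic` credentials over plaintext `http://storage.keligrubb.com`, so a passive observer on the path gets the password and full control of cluster storage; the comment says the redirect was disabled to avoid a 308, but with `tls:` now issued by cert-manager that redirect is exactly what you want. Delete the `ssl-redirect` annotation and its comment (or set it to `'true'`), and consider `nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'` so the rule holds before the certificate is first issued. `longhorn-basic-auth-secret` is referenced but not created anywhere in this diff; a comment stating it is created out-of-band (`htpasswd` into a Secret in `longhorn-system`) would save the next reader a search.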
@@ -7,18 +7,30 @@ spec:
 chart: kube-prometheus-stack
 targetNamespace: monitoring
 repo: https://prometheus-community.github.io/helm-charts
- version: 51.5.3
+ version: 58.5.3
 valuesContent: |-
 grafana:
 defaultDashboardsTimezone: "US/Eastern"
 ingress:
 enabled: true
 ingressClassName: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-cluster-issuer"
 paths:
 - path: "/"
 pathType: Prefix
 hosts:
 - monitoring.keligrubb.com
+ tls:
+ - secretName: monitoring-tls
+ hosts:
+ - monitoring.keligrubb.com
+ additionalDataSources:
+ - name: Loki
+ type: loki
+ access: proxy
+ basicAuth: false
+ url: http://loki-gateway.monitoring.svc.cluster.local
 kubelet:
 serviceMonitor:
 metricRelabelings:
@@ -52,7 +64,7 @@ spec:
 serviceMonitorSelectorNilUsesHelmValues: false
 podMonitorSelectorNilUsesHelmValues: false
 probeSelectorNilUsesHelmValues: fales
- retention: 14d
+ retention: 30d
 retentionSize: "64GB"
 enableAdminAPI: true
 securityContext:
diff --git a/namespaces/monitoring/loki-chart.yml b/namespaces/monitoring/loki-chart.yml
new file mode 100644
index 0000000..224526f
--- /dev/null
+++ b/namespaces/monitoring/loki-chart.yml
@@ -0,0 +1,43 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: loki
+ namespace: monitoring
+spec:
+ chart: loki
+ targetNamespace: monitoring
+ repo: https://grafana.github.io/helm-charts
+ version: 6.5.2
+ valuesContent: |-
+ deploymentMode: SingleBinary
+ loki:
+ auth_enabled: false
+ commonConfig:
+ replication_factor: 1
+ storage:
+ type: s3
+ schemaConfig:
+ configs:
+ - from: 2024-01-01
+ store: tsdb
+ index:
+ prefix: loki_index_
+ period: 24h
+ object_store: filesystem
+ schema: v13
+ serviceMonitor:
+ namespaceSelector:
+ any: true
+ singleBinary:
+ replicas: 1
+ persistence:
+ storageClass: longhorn
+ size: 64Gi
+ read:
+ replicas: 0
+ backend:
+ replicas: 0
+ write:
+ replicas: 0
+ minio:
+ enabled: true
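Review bot: `probeSelectorNilUsesHelmValues: fales`, the context line just above the `retention` change, is a typo that survives into the new file: the chart's templates test that value with a plain `if`, where the non-empty string "fales" is truthy, so Prometheus would select only release-labelled Probe objects instead of all of them — the opposite of what the sibling `*NilUsesHelmValues: false` lines intend. Change it to `probeSelectorNilUsesHelmValues: false`. `enableAdminAPI: true` also remains set; the admin API lets anyone who can reach the Prometheus service in-cluster delete series and take snapshots, so if nothing in this commit needs it, switch it off or leave a comment naming the consumer.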
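Review bot: `auth_enabled: false` makes Loki single-tenant with no authentication, and the Grafana datasource added in the same commit reaches it unauthenticated at `http://loki-gateway.monitoring.svc.cluster.local`, so any pod in the cluster can push or query every log line; defensible on a single-user cluster, but it belongs in a comment (`# single tenant, no auth: cluster-internal access only`) and ideally behind a NetworkPolicy restricting ingress to the gateway. `storage.type: s3` with `minio.enabled: true` deploys the chart's bundled MinIO, whose values.yaml ships with default root credentials (`minio.rootUser`/`minio.rootPassword`, as far as I recall) — override them from a Secret rather than running on the chart defaults. Finally, `object_store: filesystem` in `schemaConfig` disagrees with `storage.type: s3`: chunks would go to the single-binary PVC while the storage config points at MinIO, so one of the two looks unintended — check the rendered `storage_config` and set `object_store: s3` if MinIO is meant to hold the data.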