From a27d8dded37b0a8e0b396ba40b2fd805156ac5a1 Mon Sep 17 00:00:00 2001 
From: James Andariese Date: Wed, 20 Dec 2023 16:40:16 -0600 Subject: [PATCH] true it on up y'all --- .gitignore | 1 + .tool-versions | 2 +- audiobookshelf/deployment.yaml | 104 + budibase/.gitignore | 1 + budibase/application.yaml | 51 - budibase/deploy.sh | 3 + budibase/diff.sh | 1 + budibase/helm-jq/add-budibase-persist.jq | 13 + budibase/helm-jq/add-kubectl-proxy.jq | 22 + budibase/helm-jq/set-http-mb-limit.jq | 10 + budibase/post-process.sh | 23 + budibase/quasi-base64-generator.yaml | 13 + budibase/secrets.yaml | 39 + budibase/static/ingress.yaml | 19 + budibase/static/pvc.yaml | 14 + budibase/static/sa.yaml | 42 + budibase/values.yaml | 5 + cascade/br0-static.yaml | 29 + cascade/bridge.yaml | 19 + cascade/dmz0.yaml | 19 + cascade/ns.yaml | 7 + cascade/private0.yaml | 19 + cascade/router-pvc.yaml | 14 + cascade/router.yaml | 45 + cascade/xerneas.yaml | 42 + cascade/yveltal.yaml | 42 + cert-manager/deploy.sh | 2 + cert-manager/diff.sh | 1 + cert-manager/values.yaml | 6 + coredns/coredns-address-pool.yaml | 11 + coredns/deploy-dev.sh | 1 + coredns/deploy.sh | 2 + coredns/test.sh | 44 + coredns/values-dev.yaml | 107 + coredns/values.yaml | 107 + dex/debugger.yaml | 97 + dex/deploy.sh | 2 + dex/diff.sh | 2 + dex/values.yaml | 67 + dhcp-server/cm.yaml | 40 + dhcp-server/deployment.yaml | 49 + dhcp-server/ns.yaml | 4 + dhcp-server/pvc.yaml | 13 + external-services/home.yaml | 4 +- external-services/minio-admin.yaml | 8 +- external-services/minio.yaml | 18 +- external-services/noctowl.yaml | 8 +- .../{windmill.yaml => plex.yaml} | 20 +- external-services/webdav.yaml | 8 +- factorio/factorio-com-secret.yaml | 21 + frigate/build-trt-models.yaml | 85 + frigate/deploy.sh | 12 + frigate/diff.sh | 10 + frigate/ingress.yaml | 26 + frigate/mqtt-broker-sealed.yaml | 23 + .../oauth2-proxy-cookie-secret-sealed.yaml | 22 + frigate/oauth2-proxy.yaml | 220 + frigate/oidc-bypass-user-secret-sealed.yaml | 23 + frigate/pvc.yaml | 15 + frigate/values.yaml | 97 + 
frigate/wildcard-tls.yaml | 74 + fusionpbx/ingress.yaml | 19 + fusionpbx/ns.yaml | 7 + fusionpbx/pvc.yaml | 13 + fusionpbx/untls-shim.yaml | 107 + fusionpbx/update-tls.sh | 3 + fusionpbx/vm.yaml | 58 + gitea/email-secret.yaml | 39 + gitea/gitea-secrets.yaml | 34 + gitea/ingress.yaml | 6 +- gitea/sts.yaml | 21 +- gost-dns/deployment.yaml | 45 + gost-dns/ns.yaml | 4 + grist/deploy.yaml | 83 + grist/grist-session-secret.yaml | 16 + grist/ingress.yaml | 35 + grist/ns.yaml | 7 + grist/oidc-secret.yaml | 54 + grist/pvc.yaml | 14 + grist/quasi-base64-generator.yaml | 13 + harbor/deploy.sh | 2 + harbor/diff.sh | 1 + harbor/values.yaml | 19 + harbor/wildcard-tls.yaml | 13 + illa/deployment.yaml | 41 + illa/ingress.yaml | 18 + ingress-shim/deploy.yaml | 35 +- ingress-shim/wildcard-tls.yaml | 19 + jellyfin/deployment.yaml | 91 + jellyfin/ingress.yaml | 21 + jellyfin/ns.yaml | 4 + jellyfin/service.yaml | 14 + jenkins/0ns.yaml | 4 + jenkins/deploy.sh | 3 + jenkins/diff.sh | 3 + jenkins/ingress.yaml | 19 + jenkins/pvc.yaml | 13 + jenkins/values.yaml | 4 + keycloak/debugger.yaml | 101 + keycloak/echoserver.yaml | 80 + keycloak/oidc-secret.yaml | 49 + keycloak/tf/client-pleroma.tf | 3 +- kubevirt/cdi-cr.yaml | 20 + kubevirt/cdi-ingress.yaml | 126 + kubevirt/kubevirt-cr.yaml | 15 + kubevirt/kubevirt-operator.yaml | 7359 +++++++++++++++++ kubevirt/update.sh | 4 + local-storage/kustomization.yaml | 14 + local-storage/local-storage.yaml | 159 + longhorn/deploy.sh | 3 + longhorn/diff.sh | 1 + longhorn/ingress.yaml | 18 + longhorn/longhorn-backups-user-minio.yaml | 25 + longhorn/longhorn-backups-user.yaml | 21 + longhorn/oauth2-proxy-secret.yaml | 34 + longhorn/oauth2-proxy.yaml | 90 + longhorn/sc-nvme.yaml | 13 + longhorn/storageclass.yaml | 26 + longhorn/values.yaml | 25 + mastodon/application.yaml | 403 - matrix/db.yaml | 94 +- matrix/deployment.yaml | 3 +- matrix/ingress.yaml | 25 +- matrix/maubot-pvc.yaml | 13 + matrix/maubot-svc.yaml | 16 + matrix/maubot.yaml | 46 + 
matrix/untls-shim.yaml | 107 + metallb/NEEDS_HELM | 1 + multus/TODO | 3 + multus/network-addons-config.yaml | 10 + .../node-init.yaml | 30 +- nordproxy/.gitignore | 1 + nordproxy/deployment.yaml | 3 - nordproxy/import-vpnconfig.sh | 4 + nvidia/README.md | 2 +- nvidia/deploy.sh | 13 + nvidia/gpu-test.yaml | 22 + nvidia/nvidia-runtime-class.yaml | 6 + opsdroid/deploy.yaml | 75 - peertube/application.yaml | 253 - peertube/db.yaml | 30 + peertube/deploy.sh | 1 + peertube/diff.sh | 1 + peertube/ns.yaml | 4 + peertube/values.yaml | 225 + pihole/cm.yaml | 9 + pihole/deployment.yaml | 63 + pihole/ingress.yaml | 18 + pihole/ns.yaml | 4 + pihole/pvc.yaml | 41 + pihole/svc.yaml | 17 + profanity/ingress.yaml | 6 +- readarr/deployment.yaml | 156 + readarr/ns.yaml | 6 + sonarr/deployment.yaml | 7 +- sonarr/pvc.yaml | 14 + toots-werts/db.yaml | 43 + toots-werts/deployment.yaml | 179 + toots-werts/ns.yaml | 6 + tubearchivist/diff.sh | 2 + tubearchivist/ingress.yaml | 18 + tubearchivist/oauth2-proxy-secret.yaml | 34 + tubearchivist/template.sh | 6 + tubearchivist/tubearchivist.yaml | 1070 +++ tubearchivist/values.yaml | 22 + tubesync/deployment.yaml | 122 + tubesync/ingress.yaml | 26 + .../oauth2-proxy-cookie-secret-sealed.yaml | 22 + tubesync/oauth2-proxy.yaml | 100 + tubesync/oidc-bypass-user-sealed.yaml | 23 + tubesync/pvc.yaml | 15 + uptime-kuma/deployment.yaml | 29 + uptime-kuma/ingress.yaml | 18 + uptime-kuma/ns.yaml | 4 + uptime-kuma/pvc.yaml | 12 + uptime-kuma/svc.yaml | 17 + vaultwarden/ingress.yaml | 6 +- well-known-werts/cm.yaml | 8 +- wildcard-tls/wildcard-tls.yaml | 3 - 179 files changed, 13550 insertions(+), 903 deletions(-) create mode 100644 audiobookshelf/deployment.yaml create mode 100644 budibase/.gitignore delete mode 100644 budibase/application.yaml create mode 100644 budibase/deploy.sh create mode 100644 budibase/diff.sh create mode 100644 budibase/helm-jq/add-budibase-persist.jq create mode 100644 budibase/helm-jq/add-kubectl-proxy.jq create mode 100644 
budibase/helm-jq/set-http-mb-limit.jq create mode 100755 budibase/post-process.sh create mode 100644 budibase/quasi-base64-generator.yaml create mode 100644 budibase/secrets.yaml create mode 100644 budibase/static/ingress.yaml create mode 100644 budibase/static/pvc.yaml create mode 100644 budibase/static/sa.yaml create mode 100644 budibase/values.yaml create mode 100644 cascade/br0-static.yaml create mode 100644 cascade/bridge.yaml create mode 100644 cascade/dmz0.yaml create mode 100644 cascade/ns.yaml create mode 100644 cascade/private0.yaml create mode 100644 cascade/router-pvc.yaml create mode 100644 cascade/router.yaml create mode 100644 cascade/xerneas.yaml create mode 100644 cascade/yveltal.yaml create mode 100644 cert-manager/deploy.sh create mode 100644 cert-manager/diff.sh create mode 100644 cert-manager/values.yaml create mode 100644 coredns/coredns-address-pool.yaml create mode 100644 coredns/deploy-dev.sh create mode 100644 coredns/deploy.sh create mode 100644 coredns/test.sh create mode 100644 coredns/values-dev.yaml create mode 100644 coredns/values.yaml create mode 100644 dex/debugger.yaml create mode 100644 dex/deploy.sh create mode 100644 dex/diff.sh create mode 100644 dex/values.yaml create mode 100644 dhcp-server/cm.yaml create mode 100644 dhcp-server/deployment.yaml create mode 100644 dhcp-server/ns.yaml create mode 100644 dhcp-server/pvc.yaml rename external-services/{windmill.yaml => plex.yaml} (55%) create mode 100644 factorio/factorio-com-secret.yaml create mode 100644 frigate/build-trt-models.yaml create mode 100644 frigate/deploy.sh create mode 100644 frigate/diff.sh create mode 100644 frigate/ingress.yaml create mode 100644 frigate/mqtt-broker-sealed.yaml create mode 100644 frigate/oauth2-proxy-cookie-secret-sealed.yaml create mode 100644 frigate/oauth2-proxy.yaml create mode 100644 frigate/oidc-bypass-user-secret-sealed.yaml create mode 100644 frigate/pvc.yaml create mode 100644 frigate/values.yaml create mode 100644 
frigate/wildcard-tls.yaml create mode 100644 fusionpbx/ingress.yaml create mode 100644 fusionpbx/ns.yaml create mode 100644 fusionpbx/pvc.yaml create mode 100644 fusionpbx/untls-shim.yaml create mode 100755 fusionpbx/update-tls.sh create mode 100644 fusionpbx/vm.yaml create mode 100644 gitea/email-secret.yaml create mode 100644 gitea/gitea-secrets.yaml create mode 100644 gost-dns/deployment.yaml create mode 100644 gost-dns/ns.yaml create mode 100644 grist/deploy.yaml create mode 100644 grist/grist-session-secret.yaml create mode 100644 grist/ingress.yaml create mode 100644 grist/ns.yaml create mode 100644 grist/oidc-secret.yaml create mode 100644 grist/pvc.yaml create mode 100644 grist/quasi-base64-generator.yaml create mode 100644 harbor/deploy.sh create mode 100644 harbor/diff.sh create mode 100644 harbor/values.yaml create mode 100644 harbor/wildcard-tls.yaml create mode 100644 illa/deployment.yaml create mode 100644 illa/ingress.yaml create mode 100644 ingress-shim/wildcard-tls.yaml create mode 100644 jellyfin/deployment.yaml create mode 100644 jellyfin/ingress.yaml create mode 100644 jellyfin/ns.yaml create mode 100644 jellyfin/service.yaml create mode 100644 jenkins/0ns.yaml create mode 100644 jenkins/deploy.sh create mode 100644 jenkins/diff.sh create mode 100644 jenkins/ingress.yaml create mode 100644 jenkins/pvc.yaml create mode 100644 jenkins/values.yaml create mode 100644 keycloak/debugger.yaml create mode 100644 keycloak/echoserver.yaml create mode 100644 keycloak/oidc-secret.yaml create mode 100644 kubevirt/cdi-cr.yaml create mode 100644 kubevirt/cdi-ingress.yaml create mode 100644 kubevirt/kubevirt-cr.yaml create mode 100644 kubevirt/kubevirt-operator.yaml create mode 100644 kubevirt/update.sh create mode 100644 local-storage/kustomization.yaml create mode 100644 local-storage/local-storage.yaml create mode 100644 longhorn/deploy.sh create mode 100644 longhorn/diff.sh create mode 100644 longhorn/ingress.yaml create mode 100644 
longhorn/longhorn-backups-user-minio.yaml create mode 100644 longhorn/longhorn-backups-user.yaml create mode 100644 longhorn/oauth2-proxy-secret.yaml create mode 100644 longhorn/oauth2-proxy.yaml create mode 100644 longhorn/sc-nvme.yaml create mode 100644 longhorn/storageclass.yaml create mode 100644 longhorn/values.yaml delete mode 100644 mastodon/application.yaml create mode 100644 matrix/maubot-pvc.yaml create mode 100644 matrix/maubot-svc.yaml create mode 100644 matrix/maubot.yaml create mode 100644 matrix/untls-shim.yaml create mode 100644 metallb/NEEDS_HELM create mode 100644 multus/TODO create mode 100644 multus/network-addons-config.yaml rename node-sysctls/set-sysctls-ds.yaml => node-init/node-init.yaml (59%) create mode 100644 nordproxy/.gitignore create mode 100644 nordproxy/import-vpnconfig.sh create mode 100644 nvidia/deploy.sh create mode 100644 nvidia/gpu-test.yaml create mode 100644 nvidia/nvidia-runtime-class.yaml delete mode 100644 opsdroid/deploy.yaml delete mode 100644 peertube/application.yaml create mode 100644 peertube/db.yaml create mode 100644 peertube/deploy.sh create mode 100644 peertube/diff.sh create mode 100644 peertube/ns.yaml create mode 100644 peertube/values.yaml create mode 100644 pihole/cm.yaml create mode 100644 pihole/deployment.yaml create mode 100644 pihole/ingress.yaml create mode 100644 pihole/ns.yaml create mode 100644 pihole/pvc.yaml create mode 100644 pihole/svc.yaml create mode 100644 readarr/deployment.yaml create mode 100644 readarr/ns.yaml create mode 100644 sonarr/pvc.yaml create mode 100644 toots-werts/db.yaml create mode 100644 toots-werts/deployment.yaml create mode 100644 toots-werts/ns.yaml create mode 100644 tubearchivist/diff.sh create mode 100644 tubearchivist/ingress.yaml create mode 100644 tubearchivist/oauth2-proxy-secret.yaml create mode 100644 tubearchivist/template.sh create mode 100644 tubearchivist/tubearchivist.yaml create mode 100644 tubearchivist/values.yaml create mode 100644 
tubesync/deployment.yaml create mode 100644 tubesync/ingress.yaml create mode 100644 tubesync/oauth2-proxy-cookie-secret-sealed.yaml create mode 100644 tubesync/oauth2-proxy.yaml create mode 100644 tubesync/oidc-bypass-user-sealed.yaml create mode 100644 tubesync/pvc.yaml create mode 100644 uptime-kuma/deployment.yaml create mode 100644 uptime-kuma/ingress.yaml create mode 100644 uptime-kuma/ns.yaml create mode 100644 uptime-kuma/pvc.yaml create mode 100644 uptime-kuma/svc.yaml diff --git a/.gitignore b/.gitignore index e5b0c0e..d679565 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,4 @@ /local-config.sh charts/ /old/ +/deleted/ diff --git a/.tool-versions b/.tool-versions index a80d28d..7bfc50e 100644 --- a/.tool-versions +++ b/.tool-versions @@ -2,7 +2,7 @@ operator-sdk 1.19.1 kubectl 1.25.9 terraform 1.1.9 kubectx 0.9.4 -cmctl 1.8.0 +cmctl 1.13.2 helm 3.8.2 k3sup 0.11.3 krew 0.4.3 diff --git a/audiobookshelf/deployment.yaml b/audiobookshelf/deployment.yaml new file mode 100644 index 0000000..c26c187 --- /dev/null +++ b/audiobookshelf/deployment.yaml 
@@ -0,0 +1,104 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: audiobookshelf + namespace: audiobookshelf +spec: + ingressClassName: haproxy + rules: + - host: audiobooks.strudelline.net + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: audiobookshelf + port: + number: 80 +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: audiobookshelf-data + namespace: audiobookshelf +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: ssd + volumeMode: Filesystem +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: audiobookshelf + name: audiobookshelf +spec: + replicas: 1 + selector: + matchLabels: + app: audiobookshelf + strategy: + type: Recreate + template: + metadata: + labels: + app: audiobookshelf + spec: + terminationGracePeriodSeconds: 0 + restartPolicy: Always + volumes: + - name: data + persistentVolumeClaim: + claimName: audiobookshelf-data + - name: podcasts + nfs: + server: 172.16.18.1 + path: /volume1/podcasts + - name: audiobooks + nfs: + server: 172.16.18.1 + path: /volume1/audiobooks + containers: + - name: audiobookshelf + image: ghcr.io/advplyr/audiobookshelf:2.4.4 + env: [] + volumeMounts: + - mountPath: /audiobooks + name: audiobooks + - mountPath: /podcasts + name: podcasts + - mountPath: /config + name: data + subPath: config + - mountPath: /metadata + name: data + subPath: metadata + #securityContext: + # capabilities: + # add: ["NET_ADMIN","SYS_TIME"] +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: audiobookshelf + name: audiobookshelf + namespace: audiobookshelf +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: audiobookshelf + port: 80 + protocol: TCP + targetPort: 80 + selector: + app: audiobookshelf + sessionAffinity: None + type: ClusterIP diff --git a/budibase/.gitignore b/budibase/.gitignore new file mode 100644 index 0000000..1aa57d7 --- /dev/null 
+++ b/budibase/.gitignore @@ -0,0 +1 @@ +_helm-output*.json diff --git a/budibase/application.yaml b/budibase/application.yaml deleted file mode 100644 index 011ca02..0000000 --- a/budibase/application.yaml +++ /dev/null @@ -1,51 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - labels: - wildcard-tls.kn8v.com/copy: "true" - name: budibase ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: budibase - namespace: argocd - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - project: default - destination: - server: "https://kubernetes.default.svc" - namespace: budibase - syncPolicy: - automated: - prune: true - selfHeal: true - source: - chart: budibase - repoURL: https://budibase.github.io/budibase/ - targetRevision: 2.8.10 - helm: - values: |- - globals: - appVersion: v2.8.10 - ingress: - nginx: false - className: haproxy - annotations: - haproxy-ingress.github.io/ssl-redirect: "true" - hosts: - - host: bb.strudelline.net - paths: - - path: / - pathType: Prefix - backend: - service: - name: proxy-service - port: - number: 10000 - tls: - - hosts: - - bb.strudelline.net - secretName: wildcard-tls diff --git a/budibase/deploy.sh b/budibase/deploy.sh new file mode 100644 index 0000000..aeeee41 --- /dev/null +++ b/budibase/deploy.sh @@ -0,0 +1,3 @@ +helm repo add budibase https://budibase.github.io/budibase/ +helm repo update +helm upgrade -i -n budibase --create-namespace budibase budibase/budibase -f values.yaml --post-renderer ./post-process.sh diff --git a/budibase/diff.sh b/budibase/diff.sh new file mode 100644 index 0000000..1cbcc55 --- /dev/null +++ b/budibase/diff.sh @@ -0,0 +1 @@ +helm diff upgrade --install -n budibase budibase budibase/budibase -f values.yaml --post-renderer ./post-process.sh --normalize-manifests "$@" diff --git a/budibase/helm-jq/add-budibase-persist.jq b/budibase/helm-jq/add-budibase-persist.jq new file mode 100644 index 0000000..0032b14 --- /dev/null 
+++ b/budibase/helm-jq/add-budibase-persist.jq @@ -0,0 +1,13 @@ +if ( + .kind? == "Deployment" + and .apiVersion? == "apps/v1" + and (.metadata.name? == "app-service" or .metadata.name? == "worker-service") +) then + .spec.template.spec.containers //= [] + | .spec.template.spec.containers[0].volumeMounts //= [] + | .spec.template.spec.containers[0].volumeMounts += [{"mountPath":"/root","name":"persist"}] + | .spec.template.spec.volumes //= [] + | .spec.template.spec.volumes += [{"name":"persist","persistentVolumeClaim":{"claimName":"budibase-persist"}}] +else + . +end diff --git a/budibase/helm-jq/add-kubectl-proxy.jq b/budibase/helm-jq/add-kubectl-proxy.jq new file mode 100644 index 0000000..00213b7 --- /dev/null +++ b/budibase/helm-jq/add-kubectl-proxy.jq @@ -0,0 +1,22 @@ +if (.kind? == "Deployment" and .apiVersion? == "apps/v1" and + (.metadata.name? == "app-service" or .metadata.name? == "worker-service")) then + .spec.template.spec.containers //= [] + | .spec.template.spec.containers += [{ + "name": "kubectl-proxy", + "image": "bitnami/kubectl:1.28.2", + "args": ["proxy", "--token", "$(TOKEN)"], + "env": [ + { + "name": "TOKEN", + "valueFrom": { + "secretKeyRef": { + "name": "budibase-sa", + "key": "token" + } + } + } + ] + }] +else + . +end diff --git a/budibase/helm-jq/set-http-mb-limit.jq b/budibase/helm-jq/set-http-mb-limit.jq new file mode 100644 index 0000000..4758fa8 --- /dev/null +++ b/budibase/helm-jq/set-http-mb-limit.jq @@ -0,0 +1,10 @@ +if ( + .kind? == "Deployment" + and .apiVersion? == "apps/v1" + and (.metadata.name? == "app-service" or .metadata.name? == "proxy-service") +) then + .spec.template.spec.containers[0].env //= [] + | .spec.template.spec.containers[0].env += [{"name":"HTTP_MB_LIMIT","value":"250"}] # ,{"name":"","value":"10000"}] +else + . +end diff --git a/budibase/post-process.sh b/budibase/post-process.sh new file mode 100755 index 0000000..dbb06ac --- /dev/null +++ b/budibase/post-process.sh 
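Review bot: The sidecar injected by `add-kubectl-proxy.jq` passes the service-account token as a command-line argument (`"args": ["proxy", "--token", "$(TOKEN)"]`), so the credential is visible in the container's process list and in anything that records pod specs, and the resulting `kubectl proxy` listener answers without authentication to every container in the pod. If the app and worker pods run as the `budibase` ServiceAccount, the in-cluster config already supplies a projected token and the `--token` argument, the `TOKEN` env entry and the static token Secret can all be dropped; otherwise mount the secret as a file and reference it from a kubeconfig rather than expanding it into `args`. Either way, `--accept-hosts` and `--reject-paths` on the proxy narrow what the sidecar relays on behalf of the application container. The same `(.kind? == "Deployment" and ...)` selector is repeated across all three filters; a one-line comment naming the two chart Deployments it targets would help the next maintainer.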
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+INPUT="$(cat|yq -o json .|jq .)"
+
+I=0
+echo "$INPUT" > _helm-output${I}.json;I=$((I+1))
+
+for f in helm-jq/*.jq;do
+ INPUT="$(echo "$INPUT" | jq "$(cat "$f")")"
+ echo "$INPUT" > _helm-output${I}.json;I=$((I+1))
+done
+
+(
+ echo "$INPUT"
+
+ for f in static/*.yaml;do
+ cat "$f" | yq -o json .
+ done
+) \
+| jq -c . \
+| while read -r R;do echo ---;echo "$R";done \
+| awk 'll!="---" || $0!="---" {print} {ll=$0}' \
+| yq -P .
diff --git a/budibase/quasi-base64-generator.yaml b/budibase/quasi-base64-generator.yaml
new file mode 100644
index 0000000..064ba1e
--- /dev/null
+++ b/budibase/quasi-base64-generator.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: Password
+metadata:
+ name: quasi-base64
+ namespace: budibase
+spec:
+ length: 20
+ digits: 5
+ symbols: 1
+ symbolCharacters: "-_"
+ noUpper: false
+ allowRepeat: true
diff --git a/budibase/secrets.yaml b/budibase/secrets.yaml
new file mode 100644
index 0000000..50351f7
--- /dev/null
+++ b/budibase/secrets.yaml
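Review bot: `post-process.sh` has no `set -euo pipefail`, so if any `helm-jq/*.jq` filter fails to parse or raises an error, `INPUT` silently becomes empty and the post-renderer hands Helm only the `static/*.yaml` documents, which an `upgrade` would then apply as the whole release. Add `set -euo pipefail` directly after the shebang so a broken filter aborts the render instead. The `_helm-output${I}.json` dumps hold the complete rendered release in plaintext in the working directory; they are gitignored and `values.yaml` sets `createSecrets: false`, so presumably no Secret objects land there today, but a comment stating that assumption next to the dump would make it explicit.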
@@ -0,0 +1,39 @@ +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: budibase-budibase + namespace: budibase + annotations: + meta.helm.sh/release-name: budibase + meta.helm.sh/release-namespace: budibase + app.kubernetes.io/managed-by: Helm +spec: + refreshInterval: "0" + target: + name: budibase-budibase + dataFrom: + - sourceRef: + generatorRef: + apiVersion: generators.external-secrets.io/v1alpha1 + kind: Password + name: quasi-base64 + rewrite: ["regexp": {"source": ".*", "target": "jwtSecret"}] + - sourceRef: + generatorRef: + apiVersion: generators.external-secrets.io/v1alpha1 + kind: Password + name: quasi-base64 + rewrite: ["regexp": {"source": ".*", "target": "internalApiKey"}] + - sourceRef: + generatorRef: + apiVersion: generators.external-secrets.io/v1alpha1 + kind: Password + name: quasi-base64 + rewrite: ["regexp": {"source": ".*", "target": "objectStoreAccess"}] + - sourceRef: + generatorRef: + apiVersion: generators.external-secrets.io/v1alpha1 + kind: Password + name: quasi-base64 + rewrite: ["regexp": {"source": ".*", "target": "objectStoreSecret"}] diff --git a/budibase/static/ingress.yaml b/budibase/static/ingress.yaml new file mode 100644 index 0000000..4a6643c --- /dev/null +++ b/budibase/static/ingress.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: budibase + namespace: budibase +spec: + ingressClassName: haproxy + rules: + - host: bb.strudelline.net + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: proxy-service + port: + number: 10000 diff --git a/budibase/static/pvc.yaml b/budibase/static/pvc.yaml new file mode 100644 index 0000000..38a0934 --- /dev/null +++ b/budibase/static/pvc.yaml 
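Review bot: The new `budibase/static/ingress.yaml` carries no `tls` stanza and no `haproxy-ingress.github.io/ssl-redirect` annotation, both of which the deleted `budibase/application.yaml` had for `bb.strudelline.net` with `secretName: wildcard-tls`, so unless the controller's default certificate or the wildcard-tls copier covers this host, the Budibase login is reachable over plain HTTP. If that is intended, a one-line comment saying where TLS terminates would help; otherwise restore `tls:` with `hosts: [bb.strudelline.net]` and `secretName: wildcard-tls`. Note that `deploy.sh` now creates the namespace via `--create-namespace`, which will not carry the `wildcard-tls.kn8v.com/copy: "true"` label the removed Namespace manifest had.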
@@ -0,0 +1,14 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: budibase-persist + namespace: budibase +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 10Gi + storageClassName: ssd + volumeMode: Filesystem diff --git a/budibase/static/sa.yaml b/budibase/static/sa.yaml new file mode 100644 index 0000000..1a6cc20 --- /dev/null +++ b/budibase/static/sa.yaml @@ -0,0 +1,42 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: budibase + namespace: budibase +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: budibase + name: budibase +rules: +- apiGroups: ["*"] + resources: + - "*" + verbs: + - "*" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + name: budibase-rolebinding + namespace: budibase +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: budibase +subjects: +- kind: ServiceAccount + name: budibase + namespace: budibase +--- +apiVersion: v1 +kind: Secret +metadata: + name: budibase-sa + namespace: budibase + annotations: + kubernetes.io/service-account.name: budibase +type: kubernetes.io/service-account-token diff --git a/budibase/values.yaml b/budibase/values.yaml new file mode 100644 index 0000000..5992d90 --- /dev/null +++ b/budibase/values.yaml @@ -0,0 +1,5 @@ +globals: + createSecrets: false +ingress: + enabled: false + nginx: false diff --git a/cascade/br0-static.yaml b/cascade/br0-static.yaml new file mode 100644 index 0000000..98c249b --- /dev/null +++ b/cascade/br0-static.yaml 
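Review bot: The `budibase` Role in `budibase/static/sa.yaml` grants `apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]`, and its long-lived `kubernetes.io/service-account-token` Secret is what the kubectl-proxy sidecar injects, so a compromise of the Budibase app or worker container yields full control of everything in the namespace, including this Secret and the `budibase-sa` token itself. Enumerate the resources and verbs the Budibase Kubernetes integration actually needs (the page does not say which) instead of the three wildcards. The static token Secret may be unnecessary altogether: a pod running with `serviceAccountName: budibase` receives a projected, auto-rotating token. `creationTimestamp: null` on the RoleBinding is `kubectl ... -o yaml` residue and can be removed.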
@@ -0,0 +1,29 @@ +--- +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: br0-static + namespace: cascade + annotations: + k8s.v1.cni.cncf.io/resourceName: bridge.network.kubevirt.io/br0 +spec: + config: > + { + "cniVersion": "0.3.1", + "name": "br0-static", + "plugins": [{ + "type": "bridge", + "bridge": "br0", + "ipam": { + "type": "static", + "routes": [ + { "dst": "0.0.0.0/0", "gw": "172.16.1.1" } + ], + "dns": { + "nameservers" : ["172.16.1.8"], + "domain": "cascade.strudelline.net", + "search": [ "cascade.strudelline.net" ] + } + } + }] + } diff --git a/cascade/bridge.yaml b/cascade/bridge.yaml new file mode 100644 index 0000000..3dea0a5 --- /dev/null +++ b/cascade/bridge.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: br0 + namespace: cascade + annotations: + k8s.v1.cni.cncf.io/resourceName: bridge.network.kubevirt.io/br0 +spec: + config: > + { + "cniVersion": "0.3.1", + "name": "br0", + "plugins": [{ + "type": "bridge", + "bridge": "br0", + "ipam": {} + }] + } diff --git a/cascade/dmz0.yaml b/cascade/dmz0.yaml new file mode 100644 index 0000000..cfa99ac --- /dev/null +++ b/cascade/dmz0.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: dmz0 + namespace: cascade + annotations: + k8s.v1.cni.cncf.io/resourceName: bridge.network.kubevirt.io/dmz0 +spec: + config: > + { + "cniVersion": "0.3.1", + "name": "dmz0", + "plugins": [{ + "type": "bridge", + "bridge": "dmz0", + "ipam": {} + }] + } diff --git a/cascade/ns.yaml b/cascade/ns.yaml new file mode 100644 index 0000000..5be1469 --- /dev/null +++ b/cascade/ns.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + creationTimestamp: null + name: cascade +spec: {} +status: {} diff --git a/cascade/private0.yaml b/cascade/private0.yaml new file mode 100644 index 0000000..d7c3c8f --- /dev/null +++ b/cascade/private0.yaml 
@@ -0,0 +1,19 @@ +--- +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: private0 + namespace: cascade + annotations: + k8s.v1.cni.cncf.io/resourceName: bridge.network.kubevirt.io/private0 +spec: + config: > + { + "cniVersion": "0.3.1", + "name": "private0", + "plugins": [{ + "type": "bridge", + "bridge": "private0", + "ipam": {} + }] + } diff --git a/cascade/router-pvc.yaml b/cascade/router-pvc.yaml new file mode 100644 index 0000000..5f26357 --- /dev/null +++ b/cascade/router-pvc.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: router-root + namespace: cascade +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 44023414784 + volumeName: asdf + storageClassName: ssd + volumeMode: Filesystem diff --git a/cascade/router.yaml b/cascade/router.yaml new file mode 100644 index 0000000..cd2d696 --- /dev/null +++ b/cascade/router.yaml @@ -0,0 +1,45 @@ +--- +apiVersion: kubevirt.io/v1 +kind: VirtualMachine +metadata: + name: router + namespace: cascade +spec: + running: true + template: + spec: + terminationGracePeriodSeconds: 0 + domain: + cpu: + model: Westmere-IBRS + cores: 3 + threads: 3 + sockets: 1 + resources: + requests: + cpu: 1500m + memory: 4G + devices: + interfaces: + - name: dmz0 + bridge: {} + macAddress: a0:ce:c8:c6:d2:5f + model: virtio + - name: br0 + bridge: {} + model: virtio + disks: + - name: root + disk: + bus: virtio + networks: + - name: br0 + multus: + networkName: br0 + - name: dmz0 + multus: + networkName: dmz0 + volumes: + - persistentVolumeClaim: + claimName: router-root + name: root diff --git a/cascade/xerneas.yaml b/cascade/xerneas.yaml new file mode 100644 index 0000000..b75b839 --- /dev/null +++ b/cascade/xerneas.yaml 
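Review bot: `volumeName: asdf` in `cascade/router-pvc.yaml` pins the claim to a PersistentVolume literally named `asdf`, which reads like a placeholder left in; with `storageClassName: ssd` also set, the claim will stay Pending until a PV with that exact name exists, and the `router` VirtualMachine in the same hunk line depends on it through `claimName: router-root`. Either remove the `volumeName` line so the class provisions a volume, or name the real PV. The raw byte count `storage: 44023414784` is valid but equals `41Gi`, which reads more clearly.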
@@ -0,0 +1,42 @@ +--- +apiVersion: kubevirt.io/v1 +kind: VirtualMachine +metadata: + name: xerneas + namespace: cascade +spec: + running: true + template: + spec: + terminationGracePeriodSeconds: 30 + domain: + resources: + requests: + memory: 1700M + devices: + interfaces: + - name: br0 + bridge: {} + macAddress: 00:15:5d:40:de:1c + model: e1000 + disks: + - name: pvdisk + disk: + bus: sata + features: + smm: + enabled: true + firmware: + bootloader: + efi: {} + nodeSelector: + kubernetes.io/hostname: chimecho + networks: + - name: br0 + multus: + networkName: br0 + volumes: + - name: pvdisk + persistentVolumeClaim: + claimName: xerneas-pvc + readOnly: false diff --git a/cascade/yveltal.yaml b/cascade/yveltal.yaml new file mode 100644 index 0000000..e5d3551 --- /dev/null +++ b/cascade/yveltal.yaml @@ -0,0 +1,42 @@ +--- +apiVersion: kubevirt.io/v1 +kind: VirtualMachine +metadata: + name: yveltal + namespace: cascade +spec: + running: true + template: + spec: + terminationGracePeriodSeconds: 30 + domain: + resources: + requests: + memory: 1500M + devices: + interfaces: + - name: br0 + bridge: {} + macAddress: 00:15:5d:40:de:20 + model: e1000 + disks: + - name: pvdisk + disk: + bus: sata + features: + smm: + enabled: true + firmware: + bootloader: + efi: {} + nodeSelector: + kubernetes.io/hostname: chimecho + networks: + - name: br0 + multus: + networkName: br0 + volumes: + - name: pvdisk + persistentVolumeClaim: + claimName: yveltal-pvc + readOnly: false diff --git a/cert-manager/deploy.sh b/cert-manager/deploy.sh new file mode 100644 index 0000000..70d1ddf --- /dev/null +++ b/cert-manager/deploy.sh @@ -0,0 +1,2 @@ +helm repo add jetstack https://charts.jetstack.io +helm upgrade -i --create-namespace -n cert-manager cert-manager jetstack/cert-manager -f values.yaml diff --git a/cert-manager/diff.sh b/cert-manager/diff.sh new file mode 100644 index 0000000..117240e --- /dev/null +++ b/cert-manager/diff.sh 
@@ -0,0 +1 @@
+helm diff upgrade -n cert-manager cert-manager jetstack/cert-manager -f values.yaml
diff --git a/cert-manager/values.yaml b/cert-manager/values.yaml
new file mode 100644
index 0000000..158d562
--- /dev/null
+++ b/cert-manager/values.yaml
@@ -0,0 +1,6 @@
+extraArgs:
+- --dns01-recursive-nameservers-only
+- --dns01-recursive-nameservers=1.1.1.1:53
+ingressShim.defaultIssuerKind: ClusterIssuer
+ingressShim.defaultIssuerName: zerossl
+installCRDs: "true"
diff --git a/coredns/coredns-address-pool.yaml b/coredns/coredns-address-pool.yaml
new file mode 100644
index 0000000..fe989a9
--- /dev/null
+++ b/coredns/coredns-address-pool.yaml
@@ -0,0 +1,11 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+ name: coredns
+ namespace: metallb-system
+spec:
+ addresses:
+ - 172.16.1.9/32
+ - 172.16.2.9/32
+ autoAssign: false
+ avoidBuggyIPs: false
diff --git a/coredns/deploy-dev.sh b/coredns/deploy-dev.sh
new file mode 100644
index 0000000..4ce96e3
--- /dev/null
+++ b/coredns/deploy-dev.sh
@@ -0,0 +1 @@
+helm upgrade -i -n coredns-dev --create-namespace coredns-dev coredns/coredns -f values-dev.yaml
diff --git a/coredns/deploy.sh b/coredns/deploy.sh
new file mode 100644
index 0000000..a32580b
--- /dev/null
+++ b/coredns/deploy.sh
@@ -0,0 +1,2 @@
+helm repo add coredns https://coredns.github.io/helm
+helm upgrade -i -n coredns --create-namespace coredns coredns/coredns -f values.yaml
diff --git a/coredns/test.sh b/coredns/test.sh
new file mode 100644
index 0000000..0e5b7d4
--- /dev/null
+++ b/coredns/test.sh
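Review bot: `ingressShim.defaultIssuerKind` and `ingressShim.defaultIssuerName` are written as dotted top-level keys in `cert-manager/values.yaml`; Helm only expands dots for `--set`, so in a values file these become literal keys and the chart's `.Values.ingressShim.*` lookups see nothing, leaving the default issuer unset. Nest them instead: `ingressShim:` / `  defaultIssuerKind: ClusterIssuer` / `  defaultIssuerName: zerossl`. `installCRDs: "true"` happens to work because a non-empty string is truthy in the template, but the value is a boolean and `installCRDs: true` is the conventional form.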
@@ -0,0 +1,44 @@ +black() { echo -ne '\033[0;30m'; } +red() { echo -ne '\033[0;31m'; } +green() { echo -ne '\033[0;32m'; } +yellow() { echo -ne '\033[0;33m'; } +blue() { echo -ne '\033[0;34m'; } +purple() { echo -ne '\e[0;033;35m'; } +cyan() { echo -ne '\033[0;36m'; } +white() { echo -ne '\033[0;37m'; } +bold() { echo -ne '\033[1m'; } +uncolor() { echo -ne '\033[0m'; } + +EIGHTYDOTS="................................................................................" +EIGHTYEQUALS="$(echo -n "$EIGHTYDOTS" | tr . =)" +EIGHTYDASHES="$(echo -n "$EIGHTYDOTS" | tr . -)" + +function _time { + red + echo "$EIGHTYEQUALS" + yellow + echo -n "$EIGHTYDASHES" + echo -e "\r--- $@ " + uncolor + export TIMEFORMAT="%4R real %4U user %4S system" + time $@ +} + +blue;bold +echo +echo "starting tests of the DNS subsystems" +date +echo +_time dig +short @172.16.1.8 xerneas.cascade.strudelline.net +_time dig +short @172.16.1.9 xerneas.cascade.strudelline.net +_time dig +short @172.16.1.8 google.com.cascade.strudelline.net +_time dig +short @172.16.1.9 google.com.cascade.strudelline.net +_time dig +short @172.16.1.8 google.com +_time dig +short @172.16.1.9 google.com +_time dig +short @172.16.1.9 $RANDOM$RANDOM.strudelline.net +_time dig +short @172.16.1.1 $RANDOM$RANDOM.strudelline.net + +red;echo "$EIGHTYEQUALS" + + +uncolor diff --git a/coredns/values-dev.yaml b/coredns/values-dev.yaml new file mode 100644 index 0000000..a0726eb --- /dev/null +++ b/coredns/values-dev.yaml 
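Review bot: `purple()` in `coredns/test.sh` emits `'\e[0;033;35m'`, which is not the SGR sequence the sibling helpers use; `033` is not a valid attribute and the sequence was presumably meant to be `'\033[0;35m'`. `_time` runs `time $@` unquoted, so any test argument containing whitespace or a glob character is split or expanded before `time` sees it; write `time "$@"`. Since the script invokes `dig` against fixed addresses, a leading `#!/bin/bash` and `set -u` would also make its intended interpreter and failure behaviour explicit.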
@@ -0,0 +1,107 @@ +replicaCount: 3 + +servers: +- zones: + - zone: . + port: 53 + # If serviceType is nodePort you can specify nodePort here + # nodePort: 30053 + # hostPort: 53 + plugins: + - name: errors + # Serves a /health endpoint on :8080, required for livenessProbe + - name: health + configBlock: |- + lameduck 5s + # Serves a /ready endpoint on :8181, required for readinessProbe + - name: ready + # Required to query kubernetes API for data + - name: kubernetes + parameters: cluster.local in-addr.arpa ip6.arpa + configBlock: |- + pods insecure + fallthrough in-addr.arpa ip6.arpa + ttl 30 + - name: transfer + configBlock: |- + to * + - name: k8s_external + parameters: k + configBlock: |- + fallthrough + # Serves a /metrics endpoint on :9153, required for serviceMonitor + - name: prometheus + parameters: 0.0.0.0:9153 + #- name: k8s_gateway + # parameters: cluster.gateway + # configBlock: |- + # resources Ingress + # ttl 10 + + # individual hosts (full domains but still just hosts) + - {"parameters": "IN A harbor.strudelline.net", "configBlock": "answer \"{{ .Name }} 60 IN A 172.16.17.115\"", "name": "template"} + - {"parameters": "IN A frigate.strudelline.net", "configBlock": "answer \"{{ .Name }} 60 IN A 172.16.17.33\"", "name": "template"} + #- {"parameters": "IN A email.strudelline.net", "configBlock": "answer \"{{ .Name }} 60 IN CNAME mailgun.org.\"", "name": "template"} + #- {"parameters": "IN A pbx.strudelline.net", "configBlock": "answer \"{{ .Name }} 60 IN A 172.16.56.1\"", "name": "template"} + # werts.us + - name: template + parameters: IN A werts.us + configBlock: answer "{{ .Name }} 60 IN A 172.16.17.80" + # minio.strudelline.net + - name: template + parameters: IN A minio.strudelline.net + configBlock: answer "{{ .Name }} 60 IN A 172.16.17.80" + # cascade.strudelline.net + - name: template + parameters: IN A cascade.strudelline.net + configBlock: | + match ^cascade[.]strudelline[.]net[.]$ + answer "{{ .Name }} 60 IN A 172.16.34.1" + answer "{{ 
.Name }} 60 IN A 172.16.33.1" + fallthrough + # *.strudelline.net + - name: template + parameters: IN A strudelline.net + configBlock: | + match ^(?P[^.]*)[.]strudelline[.]net[.]$ + answer "{{ .Name }} 60 IN A 172.16.17.80" + fallthrough + # BYPASS FAMILY FILTER FOR SOME SITES + - name: forward + parameters: myrunningman.com 172.16.1.53:153 + # *.cascade.strudelline.net + - name: forward + parameters: in-addr.arpa 172.16.33.1 172.16.34.1 + - name: forward + parameters: cascade.strudelline.net 172.16.33.1 172.16.34.1 + - name: forward + parameters: . 172.16.1.53:53 172.16.1.53:54 + configBlock: | + force_tcp + - name: loop + - name: reload + - name: nsid + parameters: "coredns-ext" + - name: cache + parameters: 30 + - name: cancel + - name: whoami + - name: loadbalance + - name: log + - name: minimal + +serviceType: LoadBalancer +service: + annotations: + metallb.universe.tf/allow-shared-ip: 172.16.2.9 + metallb.universe.tf/loadBalancerIPs: 172.16.2.9 + +isClusterService: false + + #podAnnotations: + # k8s.v1.cni.cncf.io/networks: | + # [{ + # "namespace": "cascade", + # "name": "br0-static", + # "ips": ["172.16.2.9/12"] + # }] diff --git a/coredns/values.yaml b/coredns/values.yaml new file mode 100644 index 0000000..dedb304 --- /dev/null +++ b/coredns/values.yaml 
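Review bot: coredns/values-dev.yaml is a near-verbatim copy of coredns/values.yaml — the only visible differences are the `forward . 172.16.1.53:53 172.16.1.53:54` upstream and the 172.16.2.9 service IP — so every record change must be made twice and the two files will drift silently; keep one base values file and pass a small dev override as a second `-f` in deploy-dev.sh. Separately, the `*.strudelline.net` template's `match ^(?P[^.]*)[.]strudelline[.]net[.]$` is not a valid RE2 named group (`(?P` must be followed by `<name>`), which would stop the template plugin from loading at startup; if the `<name>` was merely stripped by rendering, ignore this.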
@@ -0,0 +1,107 @@ +replicaCount: 3 + +servers: +- zones: + - zone: . + port: 53 + # If serviceType is nodePort you can specify nodePort here + # nodePort: 30053 + # hostPort: 53 + plugins: + - name: errors + # Serves a /health endpoint on :8080, required for livenessProbe + - name: health + configBlock: |- + lameduck 5s + # Serves a /ready endpoint on :8181, required for readinessProbe + - name: ready + # Required to query kubernetes API for data + - name: kubernetes + parameters: cluster.local in-addr.arpa ip6.arpa + configBlock: |- + pods insecure + fallthrough in-addr.arpa ip6.arpa + ttl 30 + - name: transfer + configBlock: |- + to * + - name: k8s_external + parameters: k + configBlock: |- + fallthrough + # Serves a /metrics endpoint on :9153, required for serviceMonitor + - name: prometheus + parameters: 0.0.0.0:9153 + #- name: k8s_gateway + # parameters: cluster.gateway + # configBlock: |- + # resources Ingress + # ttl 10 + + # individual hosts (full domains but still just hosts) + - {"parameters": "IN A harbor.strudelline.net", "configBlock": "answer \"{{ .Name }} 60 IN A 172.16.17.115\"", "name": "template"} + - {"parameters": "IN A frigate.strudelline.net", "configBlock": "answer \"{{ .Name }} 60 IN A 172.16.17.33\"", "name": "template"} + #- {"parameters": "IN A email.strudelline.net", "configBlock": "answer \"{{ .Name }} 60 IN CNAME mailgun.org.\"", "name": "template"} + #- {"parameters": "IN A pbx.strudelline.net", "configBlock": "answer \"{{ .Name }} 60 IN A 172.16.56.1\"", "name": "template"} + # werts.us + - name: template + parameters: IN A werts.us + configBlock: answer "{{ .Name }} 60 IN A 172.16.17.80" + # minio.strudelline.net + - name: template + parameters: IN A minio.strudelline.net + configBlock: answer "{{ .Name }} 60 IN A 172.16.17.80" + # cascade.strudelline.net + - name: template + parameters: IN A cascade.strudelline.net + configBlock: | + match ^cascade[.]strudelline[.]net[.]$ + answer "{{ .Name }} 60 IN A 172.16.34.1" + answer "{{ 
.Name }} 60 IN A 172.16.33.1" + fallthrough + # *.strudelline.net + - name: template + parameters: IN A strudelline.net + configBlock: | + match ^(?P[^.]*)[.]strudelline[.]net[.]$ + answer "{{ .Name }} 60 IN A 172.16.17.80" + fallthrough + # BYPASS FAMILY FILTER FOR SOME SITES + - name: forward + parameters: myrunningman.com 172.16.1.53:153 + # *.cascade.strudelline.net + - name: forward + parameters: in-addr.arpa 172.16.33.1 172.16.34.1 + - name: forward + parameters: cascade.strudelline.net 172.16.33.1 172.16.34.1 + - name: forward + parameters: . 172.16.1.53 + configBlock: | + force_tcp + - name: loop + - name: reload + - name: nsid + parameters: "coredns-ext" + - name: cache + parameters: 30 + - name: cancel + - name: whoami + - name: loadbalance + - name: log + - name: minimal + +serviceType: LoadBalancer +service: + annotations: + metallb.universe.tf/allow-shared-ip: 172.16.1.9 + metallb.universe.tf/loadBalancerIPs: 172.16.1.9 + +isClusterService: false + +#podAnnotations: +# k8s.v1.cni.cncf.io/networks: | +# [{ +# "namespace": "cascade", +# "name": "br0-static", +# "ips": ["172.16.1.9/12"] +# }] diff --git a/dex/debugger.yaml b/dex/debugger.yaml new file mode 100644 index 0000000..0e99cfb --- /dev/null +++ b/dex/debugger.yaml 
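Review bot: `transfer` with `to *` in coredns/values.yaml permits AXFR/IXFR from any client, and because this server is published on the 172.16.1.9 LoadBalancer that hands the complete `cluster.local` zone (every Service and, via `pods insecure`, pod names and IPs) to anything on the LAN. Restrict it to the hosts that actually pull zones, e.g. `to 172.16.33.1 172.16.34.1` if the cascade resolvers act as secondaries, or drop the plugin if none do. `pods insecure` itself answers A records for any IP-shaped name in the pod CIDR without checking that the pod exists; `pods verified` is the safer mode unless something depends on the legacy kube-dns behaviour.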
@@ -0,0 +1,97 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: debugger + namespace: dex +spec: + ingressClassName: haproxy + rules: + - host: dexdebug.strudelline.net + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: debugger + port: + number: 9009 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: dex + name: debugger +spec: + replicas: 1 + selector: + matchLabels: + app: debugger + template: + metadata: + labels: + app: debugger + spec: + containers: + - image: ghcr.io/beryju/oidc-test-client:1.4 + name: debugger + env: + - name: OIDC_DO_REFRESH + value: "false" + - name: OIDC_DO_INTROSPECTION + value: "false" + - name: OIDC_CLIENT_ID + value: dexdebug + - name: OIDC_CLIENT_SECRET + value: dexdebugSecret + - name: OIDC_PROVIDER + value: https://dex.strudelline.net + - name: OIDC_ROOT_URL + value: https://dexdebug.strudelline.net + - name: OIDC_SCOPES + value: openid,email,groups + ports: + - containerPort: 9009 + name: http + protocol: TCP + restartPolicy: Always +--- +apiVersion: v1 +kind: Service +metadata: + name: debugger + namespace: dex +spec: + ports: + - port: 9009 + protocol: TCP + targetPort: 9009 + selector: + app: debugger + type: ClusterIP +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: debugger-oidc-secret + namespace: dex +spec: + data: + - remoteRef: + key: oidc client - debugger + property: username + secretKey: id + - remoteRef: + key: oidc client - debugger + property: password + secretKey: secret + - remoteRef: + key: oidc client - debugger + property: discovery_url + secretKey: discovery_url + refreshInterval: 60s + secretStoreRef: + kind: ClusterSecretStore + name: bitwarden + target: + name: debugger-oidc-secret diff --git a/dex/deploy.sh b/dex/deploy.sh new file mode 100644 index 0000000..5ba0c74 --- /dev/null +++ b/dex/deploy.sh 
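Review bot: `OIDC_CLIENT_SECRET` in the debugger Deployment is the literal `dexdebugSecret`, while the `debugger-oidc-secret` ExternalSecret declared further down in the same file (keys `id`, `secret`, `discovery_url`) is never consumed, so the Bitwarden-managed credential sits unused and the live one is committed in plaintext. Source both client values from that Secret via `secretKeyRef`; the matching dex static client then needs the same value, which dex can take through `secretEnv` instead of a second hard-coded copy. The ExternalSecret also provides `discovery_url`, which could replace the hard-coded `OIDC_PROVIDER` if the Bitwarden item holds the issuer URL.

```yaml
        - name: OIDC_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: debugger-oidc-secret
              key: id
        - name: OIDC_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: debugger-oidc-secret
              key: secret
        # … unchanged: OIDC_PROVIDER, OIDC_ROOT_URL, OIDC_SCOPES …
```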
@@ -0,0 +1,2 @@
+helm repo add dex https://charts.dexidp.io && helm repo update
+helm upgrade -i -n dex --create-namespace dex dex/dex --reuse-values -f values.yaml "$@"
diff --git a/dex/diff.sh b/dex/diff.sh
new file mode 100644
index 0000000..eaee57c
--- /dev/null
+++ b/dex/diff.sh
@@ -0,0 +1,2 @@
+helm repo add dex https://charts.dexidp.io && helm repo update
+helm diff upgrade -n dex dex dex/dex --reuse-values -f values.yaml "$@"
diff --git a/dex/values.yaml b/dex/values.yaml
new file mode 100644
index 0000000..b3fc1c6
--- /dev/null
+++ b/dex/values.yaml
@@ -0,0 +1,67 @@ +config: + connectors: + - config: + bindDN: CN=ldapsearch,OU=ldapsearch,DC=cascade,DC=strudelline,DC=net + #bindPW: run deploy.sh with --set config.connectors[0].config.bindPW="yourpw" to set this value + groupSearch: + baseDN: cn=Users,dc=cascade,dc=strudelline,dc=net + filter: (objectClass=group) + nameAttr: cn + userMatchers: + - groupAttr: member + userAttr: distinguishedName + host: cascade.strudelline.net:636 + insecureNoSSL: false + insecureSkipVerify: true + userSearch: + baseDN: cn=Users,dc=cascade,dc=strudelline,dc=net + emailAttr: mail + filter: (objectClass=person) + idAttr: sAMAccountName + nameAttr: cn + preferredUsernameAttr: sAMAccountName + username: sAMAccountName + usernamePrompt: username + id: ad + name: ActiveDirectory + type: ldap + enablePasswordDB: true + issuer: https://dex.strudelline.net + oauth2: + responseTypes: + - code + - token + - id_token + skipApprovalScreen: true + staticClients: + - id: dexdebug + name: Dex Debugger + redirectURIs: + - https://dexdebug.strudelline.net/auth/callback + secret: dexdebugSecret + - id: gitea + name: Dex Debugger + redirectURIs: + - https://git.strudelline.net/user/oauth2/werts/callback + secret: nUs1qeYWA7o3poJFM8gXJMQhwoMIA3py7go8lPEdWTNwZTXW5HnsxJMYSlolBbFt5OS5u3rUapwehGJ19opECR + - id: oa2p + name: oauth2proxy + redirectURIs: + - https://oidc.strudelline.net/be/callback + secret: oa2ptest + staticPasswords: + - email: test@strudelline.net + hash: $2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W + userID: 08a8684b-db88-4b73-90a9-3cd1661f5466 + username: test + storage: + config: + inCluster: true + type: kubernetes +ingress: + enabled: true + hosts: + - host: dex.strudelline.net + paths: + - path: / + pathType: Prefix diff --git a/dhcp-server/cm.yaml b/dhcp-server/cm.yaml new file mode 100644 index 0000000..debc02b --- /dev/null +++ b/dhcp-server/cm.yaml 
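Review bot: `insecureSkipVerify: true` on the `ad` LDAP connector disables certificate validation for `cascade.strudelline.net:636`, so anyone who can intercept or spoof that host on the LAN captures the `ldapsearch` bind password and every user password dex binds with during login. Set `insecureSkipVerify: false` and hand the connector the AD CA via `rootCA: /etc/dex/ad-ca.pem` (or `rootCAData`), mounted from a Secret. The `staticClients` secrets (`dexdebugSecret`, `oa2ptest`, and the long `gitea` value, which looks like a live credential) and the `staticPasswords` bcrypt hash are committed in git; rotate the gitea secret and move all of them to `secretEnv` fed from a Secret, as the `bindPW` comment already intends for the bind password. Passing `bindPW` with `--set` on the deploy.sh command line does leave it in shell history and `ps` output, so an env-fed values file or `--set-file` is quieter. `oauth2.responseTypes` also enables `token` (implicit flow), which none of the listed clients appear to need.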
@@ -0,0 +1,40 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: dnsmasq-etc + namespace: dhcp-server +data: + logdhcp.conf: log-dhcp + disable_dns.conf: port=53 + dhcp_auth.conf: dhcp-authoritative + use_net1.conf: interface=net1 + defaultgw.conf: dhcp-option=3,172.16.1.1 + defaultdns.conf: dhcp-option=6,172.16.1.8 + defaultntp.conf: dhcp-option=42,172.16.1.1 + defaulttz.conf: dhcp-option=2,0xffffb9b0 + domain_15.conf: dhcp-option=15,cascade.strudelline.net + tftp_grandstream.conf: dhcp-option=tag:grandstream,66,https://pbx.strudelline.net/app/provision + http_grandstream.conf: dhcp-option=tag:grandstream,160,https://pbx.strudelline.net/app/provision + mac_grandstream.conf: dhcp-mac=set:grandstream,00:0b:82 + domain.conf: domain=cascade.strudelline.net + range_default.conf: dhcp-range=default,172.20.2.0,172.20.255.255,255.240.0.0,1h + range_clients.conf: dhcp-range=clients,172.17.0.0,static,255.240.0.0,4h + range_servers.conf: dhcp-range=servers,172.16.0.0,static,255.240.0.0,24h + range_cameras.conf: dhcp-range=cameras,172.28.1.1,172.28.1.255,255.240.0.0,1h + range_grandstream.conf: dhcp-range=grandstream,172.29.1.1,172.29.1.255,255.240.0.0,1h + server_001132c83aed.conf: dhcp-host=00:11:32:c8:3a:ed,id:*,net:servers,172.16.18.1,noctowl + server_0007324be4c2.conf: dhcp-host=00:07:32:4b:e4:c2,id:*,net:servers,172.16.61.1,api1 + server_0007324e8913.conf: dhcp-host=00:07:32:4e:89:13,id:*,net:servers,172.16.62.1,api2 + server_0007324bfcb3.conf: dhcp-host=00:07:32:4b:fc:b3,id:*,net:servers,172.16.63.1,api3 + server_1c1b0d9d5649.conf: dhcp-host=1c:1b:0d:9d:56:49,id:*,net:servers,172.16.32.1,absol + server_008010ecaff4.conf: dhcp-host=00:80:10:ec:af:f4,id:*,net:servers,172.16.56.1,kirlia + server_021132293ca4.conf: dhcp-host=02:11:32:29:3c:a4,id:*,net:servers,172.16.55.1,home + client_706655342463.conf: dhcp-host=70:66:55:34:24:63,id:*,net:clients,172.17.19.100,19weewees + client_5cc5d4a718d1.conf: dhcp-host=5c:c5:d4:a7:18:d1,id:*,net:clients,172.17.3.100,mrs-bugwert + 
client_a483e7c51e2a.conf: dhcp-host=a4:83:e7:c5:1e:2a,id:*,net:clients,172.17.50.100,Jamess-MBP + #client_5414f3623aa4.conf: dhcp-host=54:14:f3:62:3a:a4,id:*,net:clients,172.17.19.101,wesley + client_5414f3623aa4.conf: dhcp-host=58:11:22:4c:5d:0f,id:*,net:clients,172.17.19.101,wesley + client_2c8db1976f99.conf: dhcp-host=2c:8d:b1:97:6f:99,id:*,net:clients,172.17.6.101,jonathan + client_dca632382c1e.conf: dhcp-host=dc:a6:32:38:2c:1e,id:*,net:servers,172.16.88.1,rpi4 + client_b827eba2eec3.conf: dhcp-host=b8:27:eb:a2:ee:c3,id:*,net:servers,172.27.2.1,camera-1 + client_9c8ecd3fc616.conf: dhcp-host=9c:8e:cd:3f:c6:16,id:*,net:cameras,172.28.2.2,camera-2 diff --git a/dhcp-server/deployment.yaml b/dhcp-server/deployment.yaml new file mode 100644 index 0000000..70c9ce4 --- /dev/null +++ b/dhcp-server/deployment.yaml @@ -0,0 +1,49 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: dhcp-server + name: dhcp-server + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + selector: + matchLabels: + app: dhcp-server + strategy: + type: Recreate + template: + metadata: + labels: + app: dhcp-server + annotations: + k8s.v1.cni.cncf.io/networks: | + [{ + "namespace": "cascade", + "name": "br0-static", + "ips": ["172.16.1.67/12"] + }] + spec: + containers: + - image: jamesandariese/alpine-dnsmasq:0.1.3 + name: dnsmasq + env: + - name: TZ + value: America/Chicago + volumeMounts: + - name: dnsmasq-etc + mountPath: /etc/dnsmasq.d + - name: dnsmasq-data + mountPath: /data + securityContext: + capabilities: + add: ["NET_ADMIN"] + restartPolicy: Always + volumes: + - name: dnsmasq-etc + configMap: + name: dnsmasq-etc + - name: dnsmasq-data + persistentVolumeClaim: + claimName: dnsmasq-data diff --git a/dhcp-server/ns.yaml b/dhcp-server/ns.yaml new file mode 100644 index 0000000..229d9c0 --- /dev/null +++ b/dhcp-server/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: dhcp-server 
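Review bot: `disable_dns.conf: port=53` does the opposite of what its filename says — in dnsmasq `port=53` is the default DNS listener and `port=0` is what disables DNS — so unless the filename is stale this pod is also running an unintended resolver on `net1` alongside DHCP; use `disable_dns.conf: port=0` if DHCP-only was the intent. `client_5414f3623aa4.conf` now contains the MAC `58:11:22:4c:5d:0f`, so the key no longer encodes the host's MAC like its siblings; renaming it to `client_5811224c5d0f.conf` keeps the one-file-per-MAC convention honest. `client_dca632382c1e.conf` and `client_b827eba2eec3.conf` assign `net:servers` under a `client_` key, which may be deliberate but deserves a comment.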
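Review bot: the `dnsmasq` container adds `NET_ADMIN` without dropping anything, so it keeps the runtime's full default capability set plus NET_ADMIN; prefer `capabilities: {drop: ["ALL"], add: [...]}` with only what dnsmasq needs to serve DHCP (typically `NET_RAW` and `NET_BIND_SERVICE`, plus `NET_ADMIN` only if the image actually manipulates interfaces — worth confirming). A short comment on why NET_ADMIN is required would also help, since a DHCP server does not obviously need it.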
diff --git a/dhcp-server/pvc.yaml b/dhcp-server/pvc.yaml new file mode 100644 index 0000000..a30dd14 --- /dev/null +++ b/dhcp-server/pvc.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: dnsmasq-data + namespace: dhcp-server +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: longhorn + volumeMode: Filesystem diff --git a/external-services/home.yaml b/external-services/home.yaml index a3edd14..7dfb6ab 100644 --- a/external-services/home.yaml +++ b/external-services/home.yaml @@ -4,7 +4,7 @@ metadata: name: homeassistant namespace: external-services spec: - externalName: 172.25.194.19 + externalName: 172.16.55.1 type: ExternalName ports: - name: http @@ -17,7 +17,7 @@ metadata: name: homeassistant namespace: external-services spec: - ingressClassName: istio + ingressClassName: haproxy rules: - host: home.strudelline.net http: diff --git a/external-services/minio-admin.yaml b/external-services/minio-admin.yaml index eaebc6a..dce42e8 100644 --- a/external-services/minio-admin.yaml +++ b/external-services/minio-admin.yaml @@ -4,7 +4,7 @@ metadata: name: minio-admin namespace: external-services spec: - externalName: noctowl.cascade.strudelline.net + externalName: 172.16.18.1 type: ExternalName ports: - name: http @@ -17,7 +17,7 @@ metadata: name: minio-admin namespace: external-services spec: - ingressClassName: istio + ingressClassName: haproxy rules: - host: minio-admin.strudelline.net http: @@ -29,7 +29,3 @@ spec: name: minio-admin port: number: 58714 - tls: - - hosts: - - minio-admin.strudelline.net - secretName: wildcard-tls diff --git a/external-services/minio.yaml b/external-services/minio.yaml index b047269..a5f0f58 100644 --- a/external-services/minio.yaml +++ b/external-services/minio.yaml @@ -4,7 +4,7 @@ metadata: name: minio namespace: external-services spec: - externalName: noctowl.cascade.strudelline.net + externalName: 172.16.18.1 type: ExternalName ports: - name: http 
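Review bot: the `tls:` blocks that bound `wildcard-tls` to `minio-admin.strudelline.net` (and to the other external-services hosts in this commit) are removed with nothing replacing them, so unless the haproxy ingress controller has a default certificate configured these hosts now serve the controller's fallback certificate or plain HTTP; either keep a `tls:` stanza referencing the secret (it must exist in `external-services`) or leave a comment stating that the controller-level default covers them. The `externalName` values are also switched from hostnames to IP literals (`172.16.18.1`, `172.16.55.1`); Kubernetes documents ExternalName as a DNS name and cluster DNS answers with a CNAME to the literal, so resolution depends on the ingress controller's resolver accepting that — a comment noting it was verified with haproxy would save the next reader the same check.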
@@ -17,8 +17,18 @@ metadata: name: minio namespace: external-services spec: - ingressClassName: istio + ingressClassName: haproxy rules: + - host: '*.minio.strudelline.net' + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: minio + port: + number: 58713 - host: werts.us.minio.strudelline.net http: paths: @@ -39,7 +49,3 @@ spec: name: minio port: number: 58713 - tls: - - hosts: - - minio.strudelline.net - secretName: wildcard-tls diff --git a/external-services/noctowl.yaml b/external-services/noctowl.yaml index 666eec0..be9bd28 100644 --- a/external-services/noctowl.yaml +++ b/external-services/noctowl.yaml @@ -4,7 +4,7 @@ metadata: name: noctowl namespace: external-services spec: - externalName: noctowl.cascade.strudelline.net + externalName: 172.16.18.1 type: ExternalName ports: - name: http @@ -17,7 +17,7 @@ metadata: name: noctowl namespace: external-services spec: - ingressClassName: istio + ingressClassName: haproxy rules: - host: noctowl.strudelline.net http: @@ -29,7 +29,3 @@ spec: name: noctowl port: number: 5000 - tls: - - hosts: - - noctowl.strudelline.net - secretName: wildcard-tls diff --git a/external-services/windmill.yaml b/external-services/plex.yaml similarity index 55% rename from external-services/windmill.yaml rename to external-services/plex.yaml index 58fd24e..6132604 100644 --- a/external-services/windmill.yaml +++ b/external-services/plex.yaml 
@@ -1,35 +1,31 @@ apiVersion: v1 kind: Service metadata: - name: windmill + name: plex namespace: external-services spec: - externalName: noctowl.cascade.strudelline.net + externalName: 172.16.18.1 type: ExternalName ports: - name: http protocol: TCP - port: 8444 + port: 32400 --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: windmill + name: plex namespace: external-services spec: - ingressClassName: istio + ingressClassName: haproxy rules: - - host: windmill.strudelline.net + - host: plex.strudelline.net http: paths: - path: / pathType: Prefix backend: service: - name: windmill + name: plex port: - number: 8444 - tls: - - hosts: - - windmill.strudelline.net - secretName: wildcard-tls + number: 32400 diff --git a/external-services/webdav.yaml b/external-services/webdav.yaml index c1b35e5..55676cf 100644 --- a/external-services/webdav.yaml +++ b/external-services/webdav.yaml @@ -4,7 +4,7 @@ metadata: name: webdav namespace: external-services spec: - externalName: noctowl.cascade.strudelline.net + externalName: 172.16.18.1 type: ExternalName ports: - name: http @@ -20,7 +20,7 @@ metadata: ingress.kubernetes.io/config-backend: | http-request set-header X-Real-IP %[src] spec: - ingressClassName: istio + ingressClassName: haproxy rules: - host: webdav.strudelline.net http: @@ -32,7 +32,3 @@ spec: name: webdav port: number: 5005 - tls: - - hosts: - - webdav.strudelline.net - secretName: wildcard-tls diff --git a/factorio/factorio-com-secret.yaml b/factorio/factorio-com-secret.yaml new file mode 100644 index 0000000..317246b --- /dev/null +++ b/factorio/factorio-com-secret.yaml 
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: factorio-com-caddr
+ namespace: factorio-servers
+spec:
+ refreshInterval: "600s"
+ secretStoreRef:
+ name: bitwarden
+ kind: ClusterSecretStore
+ target:
+ name: factorio-com-caddr
+ data:
+ - secretKey: username
+ remoteRef:
+ key: 'Factorio'
+ property: username
+ - secretKey: token
+ remoteRef:
+ key: 'Factorio'
+ property: token
diff --git a/frigate/build-trt-models.yaml b/frigate/build-trt-models.yaml
new file mode 100644
index 0000000..4874dd8
--- /dev/null
+++ b/frigate/build-trt-models.yaml
@@ -0,0 +1,85 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: build-trt-models + namespace: frigate +spec: + parallelism: 1 + completions: 1 + backoffLimit: 6 + completionMode: NonIndexed + template: + spec: + restartPolicy: OnFailure + runtimeClassName: nvidia + containers: + - name: builder + image: nvcr.io/nvidia/tensorrt:22.07-py3 + command: + - bash + - /tensorrt_models.sh + env: + - name: USE_FP16 + value: "False" + - name: YOLO_MODELS + value: yolov7-640 + volumeMounts: + - name: trt-models + mountPath: /tensorrt_demos + subPath: tensorrt_demos + - name: trt-models + mountPath: /tensorrt_models + - name: tensorrt-build-models-script + mountPath: /tensorrt_models.sh + subPath: tensorrt_models.sh + volumes: + - name: trt-models + persistentVolumeClaim: + claimName: trt-models + - name: tensorrt-build-models-script + configMap: + name: tensorrt-build-models-script +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: tensorrt-build-models-script + namespace: frigate +data: + tensorrt_models.sh: | + #!/bin/bash + + set -euxo pipefail + + CUDA_HOME=/usr/local/cuda + LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/cuda/lib64:/usr/local/cuda/extras/CUPTI/lib64 + OUTPUT_FOLDER=/tensorrt_models + echo "Generating the following TRT Models: ${YOLO_MODELS:="yolov4-tiny-288,yolov4-tiny-416,yolov7-tiny-416"}" + + # Create output folder + mkdir -p ${OUTPUT_FOLDER} + + # Install packages + pip install --upgrade pip && pip install onnx==1.9.0 protobuf==3.20.3 + + if [ ! 
-d /tensorrt_demos/.git ];then + # Clone tensorrt_demos repo + git clone --depth 1 https://github.com/yeahme49/tensorrt_demos.git /tensorrt_demos + fi + + # Build libyolo + cd /tensorrt_demos/plugins && make all + cp libyolo_layer.so ${OUTPUT_FOLDER}/libyolo_layer.so + + # Download yolo weights + cd /tensorrt_demos/yolo && ./download_yolo.sh + + # Build trt engine + cd /tensorrt_demos/yolo + + for model in ${YOLO_MODELS//,/ } + do + python3 yolo_to_onnx.py -m ${model} + python3 onnx_to_tensorrt.py -m ${model} + cp /tensorrt_demos/yolo/${model}.trt ${OUTPUT_FOLDER}/${model}.trt; + done diff --git a/frigate/deploy.sh b/frigate/deploy.sh new file mode 100644 index 0000000..702dcf3 --- /dev/null +++ b/frigate/deploy.sh @@ -0,0 +1,12 @@ +helm repo add blakeblackshear https://blakeblackshear.github.io/blakeshome-charts/ + + +kubectl apply -f pvc.yaml + +helm upgrade --install \ + -n frigate \ + --create-namespace \ + frigate \ + blakeblackshear/frigate \ + -f values.yaml + diff --git a/frigate/diff.sh b/frigate/diff.sh new file mode 100644 index 0000000..5cc908d --- /dev/null +++ b/frigate/diff.sh @@ -0,0 +1,10 @@ +helm repo add blakeblackshear https://blakeblackshear.github.io/blakeshome-charts/ && helm repo update + +kubectl diff -f pvc.yaml + +helm diff \ + -n frigate \ + frigate \ + blakeblackshear/frigate \ + -f values.yaml + diff --git a/frigate/ingress.yaml b/frigate/ingress.yaml new file mode 100644 index 0000000..d23cb97 --- /dev/null +++ b/frigate/ingress.yaml @@ -0,0 +1,26 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: frigate + namespace: frigate +spec: + ingressClassName: haproxy + rules: + - host: frigate.strudelline.net + http: + paths: + #- path: /oauth2 + - path: / + pathType: Prefix + backend: + service: + name: oauth2-proxy + port: + name: http + #- path: / + # pathType: Prefix + # backend: + # service: + # name: frigate + # port: + # number: 5000 
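Review bot: `tensorrt_models.sh` clones `yeahme49/tensorrt_demos` at whatever HEAD is on the day the Job runs and then executes its `download_yolo.sh`, so both the code that builds the `.trt` engines Frigate loads and the weights themselves are fetched unpinned and unverified from a personal fork and a download host; pin the clone to a reviewed commit and check the weight files against known sha256 sums before converting. `CUDA_HOME` and `LD_LIBRARY_PATH` are assigned but not `export`ed, so `make` and the python scripts never see them, and with `set -u` the `${LD_LIBRARY_PATH}` reference aborts the script if the image leaves it unset — use `export` and `${LD_LIBRARY_PATH:-}`. The pin is best supplied as a Job env var so the ConfigMap script stays generic.

```bash
export CUDA_HOME=/usr/local/cuda
export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:-}:/usr/local/cuda/lib64:/usr/local/cuda/extras/CUPTI/lib64"
# … unchanged: OUTPUT_FOLDER, mkdir, pip install …

if [ ! -d /tensorrt_demos/.git ]; then
  git clone https://github.com/yeahme49/tensorrt_demos.git /tensorrt_demos
fi
# TENSORRT_DEMOS_COMMIT is set on the Job; refuse to build from an unpinned checkout
git -C /tensorrt_demos checkout --detach "${TENSORRT_DEMOS_COMMIT:?set to a reviewed commit sha}"
# … unchanged: build libyolo, download_yolo.sh (add a sha256sum -c over the .weights here), engine loop …
```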
diff --git a/frigate/mqtt-broker-sealed.yaml b/frigate/mqtt-broker-sealed.yaml new file mode 100644 index 0000000..5585be5 --- /dev/null +++ b/frigate/mqtt-broker-sealed.yaml @@ -0,0 +1,23 @@ +{ + "kind": "SealedSecret", + "apiVersion": "bitnami.com/v1alpha1", + "metadata": { + "name": "mqtt-broker", + "namespace": "frigate", + "creationTimestamp": null + }, + "spec": { + "template": { + "metadata": { + "name": "mqtt-broker", + "namespace": "frigate", + "creationTimestamp": null + }, + "type": "Opaque" + }, + "encryptedData": { + "FRIGATE_MQTT_PASSWORD": "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", + "FRIGATE_MQTT_USER": "AgB7hTaMioXG0wtF27hMoqT7hCMkTFbdJ4L6VSel5xbSOmtojwEbUXGIWP50jSUDwFGQbPxDAGHRGwgjVy0AsVtTDQfhmEEbBqbU43FPESwqDxzCbYPWlJ8K0wcGDQe4PYDg3sYJpO9qF4MGjVaVSN4tAbvbYMDTCCmhMAQ3mJef6EpXoMUmgWUCeBxahst3XlfX2mjJTwgXIQ0FloUTZDxMjdXDkkZBKq6VLBV6csp1uR6NN65otmAai371OPgzTxkI8gZVGsJ5/dkkiisdYzytNaT6GL8qnJp9szx3yh3S4ry3LxWAmT9DwPypmMw0L1zM81AKZZuB3zzAQfRw04X3QGsMFVxCiLjkwooPOD1S73lfpSdXE10z5JWS7mnB6TtIdQtVXbsVSeCUpsodyyFcEdDxHXK9zGxPBItvx6zTrWMVFUqAeGuIeBiIeC69Zvn7IAJCn6D/ePOeIW4Cfcm/3N2NLWz8FkKmwiBIAT/DEm9lFRpIQJWyLze1tnhyAr4YkMECHtwlHF3F5AyovKYFTcLZlHBoEg0iqpQOjiSZQg9aHB03nNJIZH7raPfaf2ZqbiOJlL+hENNs3Ggu80EKi56uDqlvLbXchhEDFthmgQrv/F4M6T+XtsxaLj/9YN4C/tHK0EDaI4XzqdAN3HaZUsfklx/P7kMFW/t67XpuhvfW4AgRL5tM0zyOpjZQRJ1kPFdfFw==" + } + } +} diff --git a/frigate/oauth2-proxy-cookie-secret-sealed.yaml b/frigate/oauth2-proxy-cookie-secret-sealed.yaml new file mode 100644 index 0000000..4265b14 --- /dev/null +++ b/frigate/oauth2-proxy-cookie-secret-sealed.yaml 
@@ -0,0 +1,22 @@ +{ + "kind": "SealedSecret", + "apiVersion": "bitnami.com/v1alpha1", + "metadata": { + "name": "oauth2-proxy", + "namespace": "frigate", + "creationTimestamp": null + }, + "spec": { + "template": { + "metadata": { + "name": "oauth2-proxy", + "namespace": "frigate", + "creationTimestamp": null + }, + "type": "Opaque" + }, + "encryptedData": { + "cookie_secret": "AgBLbPOphYpZdC8lgB6Oz3VmzMvKuIT65zk8kalU1Hxabv/zvEf8EuvB7AfACznVmRukxjZX2rCYVwGZ/I2DGXqeSr6BhN/6/YHuTLUv6vNCSL2uuBh1sBV1HIBtuZVM1RW06bVzSD/AuhHTq8on6UG2WYRiRGfTWSr3ByfjjQsMdQ7HFSUCZlLxtijjdC/nGI9dvOOHcDwl4A1S4jhAuBIU5hs/kb2/q0f4QABrc+CIb+6kDCaRyaXNKC+/PUH1bGROexGTWL6hzBw3FU8EVkdxyZEZ+a4Z/CmkwSQRjLVS57UQCMPy3J8/vTtMfFdwfBnXnDYP9STVDyg5nudOxBkxc/+NVqRpMThimKsLCA/wGaHV2oPJvtLMAILUPeHpdoxX475Bapv0ZyNkABKvKYbZyO3CSE1fcHBl14A0K2JXC0VUjHEmEcuomPe667MMicbUhaiRWlv1Q+U5DeodII8UNIqdXOKBTzRGt4tx7RWTE8aqudRMIm9x9fYsOwc0sa6V3WTZtvUZyVt3KEu6c2I4OvIz/uBBvUm3zcLvJ9c38hhKYYUCsyqkYpgvwiS+wfFO3/7K4mK7ca61xUUHnNhxU8UAyox2ogYzcTSnRAAVSrBk81w8rsnW5sNuaHrnH17kh17GXvP5tccLphngtA7BdzTuKQTRTjl1vwv8R0+rLNyQJSbRMG2BAvSRET8xfWnfs3TeiACfv/82InHA8e3dsQmRRknEH69Iev1VsOKzQBtStlXhx25wQ7woMw==" + } + } +} diff --git a/frigate/oauth2-proxy.yaml b/frigate/oauth2-proxy.yaml new file mode 100644 index 0000000..bf9847c --- /dev/null +++ b/frigate/oauth2-proxy.yaml 
@@ -0,0 +1,220 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: oauth2-proxy + name: oauth2-proxy + namespace: frigate +spec: + replicas: 1 + selector: + matchLabels: + app: oauth2-proxy + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: oauth2-proxy + spec: + initContainers: + - name: password-creator + image: httpd:alpine3.19 + command: + - /usr/local/apache2/bin/htpasswd + - -Bbc + - /xfr/htpasswd + - "$(OIDC_BYPASS_USERNAME)" + - "$(OIDC_BYPASS_PASSWORD)" + envFrom: + - secretRef: + name: oidc-bypass-user + volumeMounts: + - name: htpasswd-xfr + mountPath: /xfr + containers: + - name: oauth2-proxy-http + image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0 + imagePullPolicy: IfNotPresent + env: + - name: OAUTH2_PROXY_CLIENT_ID + valueFrom: + secretKeyRef: + name: oidc-client + key: client_id + - name: OAUTH2_PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: oidc-client + key: client_secret + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: oauth2-proxy + key: cookie_secret + - name: OAUTH2_PROXY_UPSTREAMS + value: http://frigate:5000 + args: + - --http-address=0.0.0.0:4180 + - --whitelist-domain=strudelline.net:* + - --whitelist-domain=.strudelline.net:* + - --cookie-domain=strudelline.net + - --email-domain=werts.us + - --email-domain=strudelline.net + - --email-domain=andariese.net + - --cookie-secure + - --skip-provider-button + - --htpasswd-file=/xfr/htpasswd + - --set-xauthrequest + - --provider=oidc + - --oidc-issuer-url=https://auth.werts.us/realms/werts + - --trusted-ip=172.16.0.0/16 + - --cookie-csrf-per-request + volumeMounts: + - name: htpasswd-xfr + mountPath: /xfr + livenessProbe: + failureThreshold: 3 + httpGet: + path: /ping + port: http + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + ports: + - containerPort: 4180 + name: http + protocol: TCP + - name: 
oauth2-proxy-https + image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0 + imagePullPolicy: IfNotPresent + env: + - name: OAUTH2_PROXY_CLIENT_ID + valueFrom: + secretKeyRef: + name: oidc-client + key: client_id + - name: OAUTH2_PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: oidc-client + key: client_secret + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: oauth2-proxy + key: cookie_secret + - name: OAUTH2_PROXY_UPSTREAMS + value: http://frigate:5000 + args: + - --https-address=0.0.0.0:4443 + - --tls-cert-file=/certs/tls.crt + - --tls-key-file=/certs/tls.key + - --whitelist-domain=strudelline.net:* + - --whitelist-domain=.strudelline.net:* + - --cookie-domain=strudelline.net + - --email-domain=werts.us + - --email-domain=strudelline.net + - --email-domain=andariese.net + - --cookie-secure + - --skip-provider-button + - --htpasswd-file=/xfr/htpasswd + - --set-xauthrequest + - --provider=oidc + - --oidc-issuer-url=https://auth.werts.us/realms/werts + - --trusted-ip=172.16.0.0/16 + - --cookie-csrf-per-request + volumeMounts: + - name: htpasswd-xfr + mountPath: /xfr + - name: certs + mountPath: /certs + livenessProbe: + failureThreshold: 3 + httpGet: + path: /ping + port: https + scheme: HTTPS + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + ports: + - containerPort: 4443 + name: https + protocol: TCP + volumes: + - name: htpasswd-xfr + emptyDir: + medium: Memory + sizeLimit: 5Mi + - name: certs + secret: + secretName: wildcard-tls + terminationGracePeriodSeconds: 2 +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: oauth2-proxy + annotations: + metallb.universe.tf/allow-shared-ip: 172.16.17.33 + metallb.universe.tf/loadBalancerIPs: 172.16.17.33 + name: oauth2-proxy + namespace: frigate +spec: + type: LoadBalancer + externalTrafficPolicy: Local + internalTrafficPolicy: Local + ports: + - name: http-redirect + port: 80 + protocol: TCP + targetPort: 4180 + - name: https-frigate + port: 443 + protocol: TCP + 
targetPort: 4443 + - name: http-frigate + port: 5000 + protocol: TCP + targetPort: 4180 + - name: http + port: 4180 + protocol: TCP + targetPort: 4180 + selector: + app: oauth2-proxy +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: frigate + app.kubernetes.io/name: frigate + annotations: + metallb.universe.tf/allow-shared-ip: 172.16.17.33 + metallb.universe.tf/loadBalancerIPs: 172.16.17.33 + name: frigate-lb + namespace: frigate +spec: + type: LoadBalancer + externalTrafficPolicy: Local + internalTrafficPolicy: Local + ports: + - name: rtmp + port: 1935 + protocol: TCP + targetPort: 1935 + - name: restream + port: 8554 + protocol: TCP + targetPort: 8554 + selector: + app.kubernetes.io/instance: frigate + app.kubernetes.io/name: frigate diff --git a/frigate/oidc-bypass-user-secret-sealed.yaml b/frigate/oidc-bypass-user-secret-sealed.yaml new file mode 100644 index 0000000..55ef6b8 --- /dev/null +++ b/frigate/oidc-bypass-user-secret-sealed.yaml 
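Review bot: `--trusted-ip=172.16.0.0/16` makes oauth2-proxy skip authentication entirely for requests from that range, and because the Service sets `externalTrafficPolicy: Local` the real client address is what it evaluates, so every host on the 172.16/16 subnet (the `servers` range in the DHCP config) reaches Frigate without logging in; narrow it to the specific consumers (`--trusted-ip=172.16.55.1/32` for the Home Assistant host, for example) or drop it. The plaintext proxy is published on ports 80 and 5000 while `--cookie-secure` is set, so a browser on http:// can never keep the session cookie; making the port-80 listener redirect (`--force-https`, or an ingress rule) instead of proxying the upstream avoids both the login loop and serving camera data in the clear. The two containers are otherwise identical copies of the same argument list; if v7.4 serves `--http-address` and `--https-address` from one process, as I believe it does, one container halves the config to keep in sync.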
@@ -0,0 +1,23 @@ +{ + "kind": "SealedSecret", + "apiVersion": "bitnami.com/v1alpha1", + "metadata": { + "name": "oidc-bypass-user", + "namespace": "frigate", + "creationTimestamp": null + }, + "spec": { + "template": { + "metadata": { + "name": "oidc-bypass-user", + "namespace": "frigate", + "creationTimestamp": null + }, + "type": "Opaque" + }, + "encryptedData": { + "OIDC_BYPASS_PASSWORD": "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", + "OIDC_BYPASS_USERNAME": "AgCKMh79ai7hOhnT+92hnUXokvQKVBtjI3LLYIolXQLkcd7IVbtnRr2zS/fayQquWO2VefDBtKVW98Uq2yRFttYpAx6TyRFKz8Etvr4h0QSF7MyzJ1CB6ypR73WIvDRbAak4PuQstj02x7L1p4f3Xs4lr/RxB5VATA2rpk90uGgyjUKpA5mssbk1ghwC8b9c1DD7/B/ZwHE4ozjFDBS/Lrh2bMxNwKuQlJ2Ra3HlAGWQqCZ/A9DKKCpUnlhh8SLDE7r0aCIFBM4wyWdG1LWwVkaFpLP8hHdWhUyH9rtNCKhAUBYxpGwIC2XJaXvbm/bndcHlRUzrOAnoaXh69g/WxBcWAT/kCMkWFTFZfVPb2svlRgpNoD+srjXZqplOqLenAQAP3yPH1wDDQCm9XUZDycVKAdfWJsiMI3+/Y6YFUY/fysPcn5uw8+COfa1D4HV/bBVTD22V9BsF4kfVA5UXy6y6coFOs5UzODKgCrtp6KoOnU6/J7MpjEN57H0+uTW0rJHyw5L9Qiwg/wRKgDtfzx9fWcElkkDV2BSipi/tDxVA53WwtqHDcHxVYxg5arx0JzS/IbYNEPYhS2yXnrmnQFejle+pLKhqWRoE1892iiaUYyCdivy6MogURpsPzX/891Qfe0RPg8Du/I484m50W1pUb/w36c6CJy6xI4WZ73gtp1pey/Uy6sWcszJKeHLFdXhZr3DOAXQ=" + } + } +} diff --git a/frigate/pvc.yaml b/frigate/pvc.yaml new file mode 100644 index 0000000..7c8d6c1 --- /dev/null +++ b/frigate/pvc.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: trt-models + namespace: frigate +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 50Gi + storageClassName: longhorn + volumeMode: Filesystem + diff --git a/frigate/values.yaml b/frigate/values.yaml new file mode 100644 index 0000000..0e2e4b0 --- /dev/null +++ b/frigate/values.yaml 
@@ -0,0 +1,97 @@ +image: + tag: "0.12.0-tensorrt" + +envFromSecrets: +- mqtt-broker +- rtsp-secret + +config: | + ffmpeg: + hwaccel_args: preset-nvidia-h264 + + mqtt: + enabled: True + user: "{FRIGATE_MQTT_USER}" + password: "{FRIGATE_MQTT_PASSWORD}" + port: 1883 + host: 172.16.17.83 + + record: + enabled: True + events: + retain: + default: 10 + retain: + days: 7 + mode: motion + + cameras: + cammy: # <------ Name the camera + ffmpeg: + inputs: + - path: "rtsp://{FRIGATE_RTSP_USER}:{FRIGATE_RTSP_PASSWORD}@172.28.2.2:554" + roles: + - record + - path: "rtsp://{FRIGATE_RTSP_USER}:{FRIGATE_RTSP_PASSWORD}@172.28.2.2:554/cam/realmonitor?channel=1&subtype=0" + roles: + - detect + detect: + enabled: False # <---- disable detection until you have a working camera feed + width: 640 # <---- update for your camera's resolution + height: 480 # <---- update for your camera's resolution + + detectors: + tensorrt: + type: tensorrt + device: 0 #This is the default, select the first GPU + + model: + path: /trt-models/yolov7-640.trt + input_tensor: nchw + input_pixel_format: rgb + width: 640 + height: 640 + +service: + type: ClusterIP + +gpu: + nvidia: + enabled: true + runtimeClassName: nvidia + +ingress: + enabled: false + hosts: + - host: frigate.strudelline.net + paths: + - / + +extraVolumeMounts: +- name: trt-models + mountPath: /trt-models +- name: data + mountPath: /media + subPath: media +- name: cctv-synology + mountPath: /media/frigate/clips + subPath: clips +- name: cctv-synology + mountPath: /media/frigate/recordings + subPath: recordings + + +extraVolumes: +- name: trt-models + persistentVolumeClaim: + claimName: trt-models +- name: cctv-synology + nfs: + server: 172.16.18.1 + path: /volume1/cctv/frigate + +persistence: + data: + enabled: true + skipuninstall: true + size: 100Gi diff --git a/frigate/wildcard-tls.yaml b/frigate/wildcard-tls.yaml new file mode 100644 index 0000000..9cb1c6b --- /dev/null +++ b/frigate/wildcard-tls.yaml 
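Review bot: The embedded `config:` block still carries the upstream template's placeholder camera name and instructional comments (`cammy: # <------ Name the camera`, `# <---- update for your camera's resolution`), and spells `mqtt.enabled`, `record.enabled` and `detect.enabled` as Python-style `True`/`False` while every other file in this commit uses lowercase `true`/`false`. Frigate's loader presumably accepts the capitalised forms, but the YAML 1.2 spelling removes any doubt. With `detect.enabled: False` nothing is ever detected, so the `tensorrt` detector and `model` section are dead configuration until that flag is flipped; if that is deliberate, a one-line comment saying so would help. The `ingress.hosts` entry under `ingress.enabled: false` is likewise inert and could be dropped.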
@@ -0,0 +1,74 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: wildcard-tls + name: wildcard-tls-reader +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - authorization.k8s.io + resources: + - selfsubjectrulesreviews + verbs: + - create +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: wildcard-tls-sa + namespace: frigate +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: wildcard-tls-reader-from-frigate + namespace: wildcard-tls +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: wildcard-tls-reader +subjects: +- kind: ServiceAccount + name: wildcard-tls-sa + namespace: frigate +--- +apiVersion: external-secrets.io/v1beta1 +kind: SecretStore +metadata: + name: wildcard-tls + namespace: frigate +spec: + provider: + kubernetes: + # with this, the store is able to pull only from `default` namespace + remoteNamespace: wildcard-tls + server: + caProvider: + type: ConfigMap + name: kube-root-ca.crt + key: ca.crt + auth: + serviceAccount: + name: "wildcard-tls-sa" +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: wildcard-tls + namespace: frigate +spec: + refreshInterval: 1h + secretStoreRef: + kind: SecretStore + name: wildcard-tls + target: + name: wildcard-tls + dataFrom: + - extract: + key: wildcard-tls diff --git a/fusionpbx/ingress.yaml b/fusionpbx/ingress.yaml new file mode 100644 index 0000000..b639964 --- /dev/null +++ b/fusionpbx/ingress.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: pbx + namespace: fusionpbx +spec: + ingressClassName: haproxy + rules: + - host: pbx.werts.us + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: pbx-untls-shim + port: + number: 80 diff --git a/fusionpbx/ns.yaml b/fusionpbx/ns.yaml new file mode 100644 index 0000000..4c4bb6d --- /dev/null +++ b/fusionpbx/ns.yaml 
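Review bot: The `wildcard-tls-reader` Role grants `get`/`list`/`watch` on every Secret in the `wildcard-tls` namespace, while the SecretStore only ever reads the single secret named `wildcard-tls`. Scoping the `get`/`watch` rule with `resourceNames: [wildcard-tls]` (`list` cannot be name-scoped, and the `extract` fetch used here should not need it — worth confirming against the external-secrets kubernetes provider) keeps a compromised frigate pod from reading anything else that later lands in that namespace. The inline comment "with this, the store is able to pull only from `default` namespace" is also stale: `remoteNamespace` is `wildcard-tls`, so it should read `# the store can only read Secrets in the wildcard-tls namespace`.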
@@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + creationTimestamp: null + name: fusionpbx +spec: {} +status: {} diff --git a/fusionpbx/pvc.yaml b/fusionpbx/pvc.yaml new file mode 100644 index 0000000..0a19cf2 --- /dev/null +++ b/fusionpbx/pvc.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: fusionpbx-root + namespace: fusionpbx +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 40Gi + storageClassName: ssd + volumeMode: Filesystem diff --git a/fusionpbx/untls-shim.yaml b/fusionpbx/untls-shim.yaml new file mode 100644 index 0000000..7f46013 --- /dev/null +++ b/fusionpbx/untls-shim.yaml 
@@ -0,0 +1,107 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: "pbx-untls-shim" + namespace: "fusionpbx" +data: + haproxy.cfg: | + global + log stdout format raw local0 + stats timeout 30s + user haproxy + group haproxy + + defaults + log global + mode http + option httplog + option dontlognull + balance source + timeout connect 5000 + timeout client 50000 + timeout server 50000 + http-reuse never + option disable-h2-upgrade + + frontend http80 + bind *:80 + http-request capture req.hdr(Host) len 255 + default_backend httpnodes + + backend httpnodes + option forwardfor + http-request add-header x-forwarded-proto https + server s1 172.16.56.1:443 ssl verify none check + + frontend stats + mode http + option httplog + bind *:8404 + http-request capture req.hdr(X-Forwarded-For) len 64 + http-request capture req.hdr(Host) len 255 + stats enable + stats uri / + stats refresh 10s + stats admin if LOCALHOST +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "pbx-untls-shim" + namespace: "fusionpbx" + annotations: + "reloader.stakater.com/auto": "true" +spec: + replicas: 1 + selector: + matchLabels: + app: "pbx-untls-shim" + strategy: + type: RollingUpdate + template: + metadata: + labels: + app: "pbx-untls-shim" + spec: + containers: + - image: haproxy:latest + name: haproxy + volumeMounts: + - mountPath: /usr/local/etc/haproxy/haproxy.cfg + name: config + subPath: haproxy.cfg + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 8404 + name: stats + protocol: TCP + restartPolicy: Always + volumes: + - name: config + configMap: + name: "pbx-untls-shim" +--- +apiVersion: v1 +kind: Service +metadata: + name: "pbx-untls-shim" + namespace: "fusionpbx" +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: http-80 + port: 80 + protocol: TCP + targetPort: http + - name: https-8404 + port: 8404 + protocol: TCP + targetPort: stats + selector: + app: "pbx-untls-shim" + type: ClusterIP 
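Review bot: `server s1 172.16.56.1:443 ssl verify none check` in the `httpnodes` backend disables certificate verification towards the PBX, so the shim will forward credentials to anything answering on that address. Since `fusionpbx/update-tls.sh` in this same commit installs the publicly trusted wildcard certificate on that host, verification can be switched on: `server s1 172.16.56.1:443 ssl verify required ca-file <SYSTEM-CA-BUNDLE-PATH> sni str(pbx.werts.us) check` (path per the haproxy image). Two smaller points: `image: haproxy:latest` should be pinned to a tag or digest, and the Service port named `https-8404` fronts the plain-HTTP stats listener (`bind *:8404` has no `ssl`), so `http-8404` is the honest name.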
diff --git a/fusionpbx/update-tls.sh b/fusionpbx/update-tls.sh new file mode 100755 index 0000000..316d2ee --- /dev/null +++ b/fusionpbx/update-tls.sh @@ -0,0 +1,3 @@ +kubectl secretdata -n wildcard-tls wildcard-tls | yq -o json '.[][]["tls.key"]' | jq -r . | ssh 172.16.56.1 sudo sponge /etc/ssl/private/nginx.key +kubectl secretdata -n wildcard-tls wildcard-tls | yq -o json '.[][]["tls.crt"]' | jq -r . | ssh 172.16.56.1 sudo sponge /etc/ssl/certs/nginx.crt +ssh 172.16.56.1 sudo systemctl restart nginx diff --git a/fusionpbx/vm.yaml b/fusionpbx/vm.yaml new file mode 100644 index 0000000..a7c320c --- /dev/null +++ b/fusionpbx/vm.yaml @@ -0,0 +1,58 @@ +--- +apiVersion: kubevirt.io/v1 +kind: VirtualMachine +metadata: + name: fusionpbx + namespace: fusionpbx +spec: + running: true + template: + spec: + terminationGracePeriodSeconds: 3 + domain: + cpu: + model: Westmere + cores: 2 + threads: 1 + sockets: 1 + resources: + requests: + cpu: 1000m + memory: 1G + devices: + interfaces: + - name: br0 + bridge: {} + macAddress: 00:80:10:ec:af:f4 + model: virtio + disks: + #- name: iso + # disk: + # bus: virtio + - name: root + disk: + bus: virtio + networks: + - name: br0 + multus: + networkName: cascade/br0 + volumes: + - persistentVolumeClaim: + claimName: fusionpbx-root + name: root + #- dataVolume: + # name: debian-iso + # name: iso + #dataVolumeTemplates: + #- metadata: + # name: debian-iso + # spec: + # pvc: + # accessModes: + # - ReadWriteOnce + # resources: + # requests: + # storage: 1Gi + # source: + # http: + # url: https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.1.0-amd64-netinst.iso diff --git a/gitea/email-secret.yaml b/gitea/email-secret.yaml new file mode 100644 index 0000000..03202ef --- /dev/null +++ b/gitea/email-secret.yaml 
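Review bot: The script has no `set -euo pipefail` and writes each pipeline's stdout straight into `/etc/ssl/private/nginx.key` and `/etc/ssl/certs/nginx.crt` via `sponge`, so if `kubectl secretdata` or `yq` fails (wrong context, plugin missing, secret not yet issued) the key file is replaced with empty or `null` text and nginx is then restarted against it. Fetching each value once, refusing to proceed on empty output, and only restarting after both files are written keeps a bad run from taking the PBX down. The private key also crosses the shell pipeline and SSH; `sponge` is documented as preserving an existing file's permissions, but not on first creation, so the remote mode is worth checking once on the host. The rewrite below keeps the same commands, paths and destination host.
```shell
#!/usr/bin/env bash
set -euo pipefail

host=172.16.56.1
key="$(kubectl secretdata -n wildcard-tls wildcard-tls | yq -o json '.[][]["tls.key"]' | jq -r .)"
crt="$(kubectl secretdata -n wildcard-tls wildcard-tls | yq -o json '.[][]["tls.crt"]' | jq -r .)"
for v in "$key" "$crt"; do
  if [ -z "$v" ] || [ "$v" = null ]; then
    echo "update-tls: empty key or certificate from wildcard-tls, aborting" >&2
    exit 1
  fi
done

printf '%s\n' "$key" | ssh "$host" sudo sponge /etc/ssl/private/nginx.key
printf '%s\n' "$crt" | ssh "$host" sudo sponge /etc/ssl/certs/nginx.crt
ssh "$host" sudo systemctl restart nginx
```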
@@ -0,0 +1,39 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: email-secret + namespace: gitea +spec: + secretStoreRef: + kind: ClusterSecretStore + name: bitwarden + data: + - remoteRef: + key: gmail app password (gitea) + property: password + secretKey: GITEA__mailer__PASSWD + - remoteRef: + key: gmail app password (gitea) + property: username + secretKey: GITEA__mailer__USER + - remoteRef: + key: gmail app password (gitea) + property: from + secretKey: GITEA__mailer__FROM + - remoteRef: + key: gmail app password (gitea) + property: port + secretKey: GITEA__mailer__SMTP_PORT + - remoteRef: + key: gmail app password (gitea) + property: host + secretKey: GITEA__mailer__SMTP_ADDR + refreshInterval: 5m + target: + creationPolicy: Owner + deletionPolicy: Delete + name: email-secret + template: + mergePolicy: "Merge" + data: + GITEA__mailer__ENABLED: "true" diff --git a/gitea/gitea-secrets.yaml b/gitea/gitea-secrets.yaml new file mode 100644 index 0000000..dbd88c2 --- /dev/null +++ b/gitea/gitea-secrets.yaml @@ -0,0 +1,34 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: gitea-secrets + namespace: gitea +spec: + secretStoreRef: + kind: ClusterSecretStore + name: bitwarden + data: + - remoteRef: + key: gitea secrets + property: GITEA__security__SECRET_KEY + secretKey: GITEA__security__SECRET_KEY + - remoteRef: + key: gitea secrets + property: GITEA__oauth2__JWT_SECRET + secretKey: GITEA__oauth2__JWT_SECRET + - remoteRef: + key: gitea secrets + property: GITEA__security__INTERNAL_TOKEN + secretKey: GITEA__security__INTERNAL_TOKEN + - remoteRef: + key: gitea secrets + property: GITEA__server__LFS_JWT_SECRET + secretKey: GITEA__server__LFS_JWT_SECRET + refreshInterval: 5m + target: + creationPolicy: Owner + deletionPolicy: Delete + name: gitea-secrets + template: + mergePolicy: "Merge" + data: {} diff --git a/gitea/ingress.yaml b/gitea/ingress.yaml index 09cd376..b04d947 100644 --- a/gitea/ingress.yaml 
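Review bot: In `gitea/gitea-secrets.yaml` the `template` stanza (`mergePolicy: "Merge"` with `data: {}`) contributes nothing and can be removed, leaving a `data`-only ExternalSecret like the others in this commit; in `gitea/email-secret.yaml` the same template does real work (`GITEA__mailer__ENABLED: "true"`) and should stay. Both pull from Bitwarden every five minutes (`refreshInterval: 5m`) and are consumed through `envFrom` by a StatefulSet carrying `reloader.stakater.com/auto`, so a rotation in Bitwarden restarts Gitea within that window. `GITEA__security__SECRET_KEY` in particular is not safe to change after install (values Gitea encrypted with it become unreadable), which deserves a comment above that entry, e.g. `# do not rotate: Gitea encrypts stored data with this key`.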
+++ b/gitea/ingress.yaml @@ -5,7 +5,7 @@ metadata: name: gitea namespace: gitea spec: - ingressClassName: istio + ingressClassName: haproxy rules: - host: git.strudelline.net http: @@ -17,7 +17,3 @@ spec: name: gitea port: name: gitea - tls: - - hosts: - - git.strudelline.net - secretName: wildcard-tls diff --git a/gitea/sts.yaml b/gitea/sts.yaml index 14171cf..05aea9f 100644 --- a/gitea/sts.yaml +++ b/gitea/sts.yaml @@ -6,6 +6,8 @@ metadata: app: gitea name: gitea namespace: gitea + annotations: + "reloader.stakater.com/auto": "true" spec: podManagementPolicy: OrderedReady replicas: 1 @@ -24,16 +26,15 @@ spec: spec: containers: - name: gitea - image: gitea/gitea:1.20.2 - env: - - name: GITEA__actions__ENABLED - value: "true" - - name: MINIO__server__ROOT_URL - value: https://git.strudelline.net/ - - name: MINIO__server__DOMAIN - value: git.strudelline.net - - name: GITEA__actions__DEFAULT_ACTIONS_URL - value: https://github.com + image: gitea/gitea:1.21.2 + envFrom: + - configMapRef: + name: gitea-config + - secretRef: + name: gitea-secrets + - secretRef: + name: email-secret + livenessProbe: httpGet: path: /api/healthz diff --git a/gost-dns/deployment.yaml b/gost-dns/deployment.yaml new file mode 100644 index 0000000..20a3b6d --- /dev/null +++ b/gost-dns/deployment.yaml 
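Review bot: Removing the `tls:` stanza from `gitea/ingress.yaml` while switching `ingressClassName` to `haproxy` leaves `git.strudelline.net` declared as a plain-HTTP Ingress. That is fine only if the haproxy controller is reached exclusively through the `ingress-shim` frontends in this commit (which terminate TLS and stamp `X-Forwarded-Proto https`); if the controller's own 80/443 listeners are reachable, the site is now served without TLS or a redirect, so either keep the `tls:` block or add the controller's ssl-redirect annotation. In `gitea/sts.yaml` the inline `env` (including the misnamed `MINIO__server__*` entries) is replaced by `envFrom` a `gitea-config` ConfigMap that is not part of this commit; please confirm it exists and carries the `GITEA__server__ROOT_URL`/`GITEA__server__DOMAIN` values that were dropped here, otherwise Gitea starts with its defaults.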
@@ -0,0 +1,45 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: gost-dns + name: gost-dns +spec: + replicas: 1 + selector: + matchLabels: + app: gost-dns + template: + metadata: + labels: + app: gost-dns + annotations: + k8s.v1.cni.cncf.io/networks: | + [{ + "namespace": "cascade", + "name": "br0-static", + "ips": ["172.16.1.53/12"] + }] + spec: + containers: + - image: ginuerzh/gost:latest + imagePullPolicy: IfNotPresent + name: gost + command: + - gost + - -L + - dns://:53?mode=tcp&dns=https://1.1.1.3/dns-query + - -L + - dns://:53?mode=udp&dns=https://1.1.1.3/dns-query + - -L + - dns://:54?mode=tcp&dns=https://doh.cleanbrowsing.org/doh/family-filter/ + - -L + - dns://:54?mode=udp&dns=https://doh.cleanbrowsing.org/doh/family-filter/ + - -L + - dns://:153?mode=tcp&dns=https://1.1.1.1/dns-query + - -L + - dns://:153?mode=udp&dns=https://1.1.1.1/dns-query + #securityContext: + # capabilities: + # add: ["NET_ADMIN"] + restartPolicy: Always diff --git a/gost-dns/ns.yaml b/gost-dns/ns.yaml new file mode 100644 index 0000000..3705e28 --- /dev/null +++ b/gost-dns/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: gost-dns diff --git a/grist/deploy.yaml b/grist/deploy.yaml new file mode 100644 index 0000000..38017a2 --- /dev/null +++ b/grist/deploy.yaml 
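Review bot: The resolver container runs `ginuerzh/gost:latest` with `imagePullPolicy: IfNotPresent` and no `securityContext`, so whichever build a node last pulled serves DNS for every client pointed at 172.16.1.53, with whatever user and capability set the image defaults to. Pin the image to a version or digest, and add a minimal context such as `runAsNonRoot: true` with `capabilities: {drop: [ALL], add: [NET_BIND_SERVICE]}` so the process can still bind :53/:54/:153; the commented-out `NET_ADMIN` block is not needed for that and can go. A short comment on why :53 and :54 forward to family-filtered resolvers while :153 is unfiltered would also save the next reader a trip to the upstream docs.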
@@ -0,0 +1,83 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: grist + name: grist + namespace: grist +spec: + replicas: 1 + selector: + matchLabels: + app: grist + template: + metadata: + labels: + app: grist + spec: + containers: + - name: grist + image: gristlabs/grist:latest + env: + - name: PORT + value: "8080" + - name: GRIST_SANDBOX_FLAVOR + value: gvisor + - name: GRIST_FORCE_LOGIN + value: "true" + - name: APP_HOME_URL + value: https://grist.strudelline.net + - name: GRIST_SINGLE_ORG + value: docs + - name: GRIST_FORWARD_AUTH_HEADER + value: X-Forwarded-Email + #- name: GRIST_FORWARD_AUTH_LOGIN_PATH + # value: /oauth2/sign_in + - name: GRIST_FORWARD_AUTH_LOGOUT_PATH + value: /oauth2/sign_out + - name: GRIST_SESSION_SECRET + valueFrom: + secretKeyRef: + name: grist-session-secret + key: password + ports: + - containerPort: 8080 + name: http + protocol: TCP + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /persist + name: grist-persist + - name: oauth2-proxy + image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0 + args: + - --http-address=0.0.0.0:4180 + - --config=/config.cfg + ports: + - containerPort: 4180 + name: http + protocol: TCP + volumeMounts: + - mountPath: /config.cfg + name: oauth2-proxy-config + subPath: oauth2-proxy.cfg + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /ping + port: http + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + restartPolicy: Always + volumes: + - name: grist-persist + persistentVolumeClaim: + claimName: grist-persist + - name: oauth2-proxy-config + secret: + optional: false + secretName: oidc-secret diff --git a/grist/grist-session-secret.yaml b/grist/grist-session-secret.yaml new file mode 100644 index 0000000..1ab78a6 --- /dev/null +++ b/grist/grist-session-secret.yaml 
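Review bot: Grist is configured to trust `X-Forwarded-Email` (`GRIST_FORWARD_AUTH_HEADER`) with `GRIST_FORCE_LOGIN` on, so authentication rests entirely on every request reaching port 8080 through the oauth2-proxy sidecar. The Service only exposes 4180, but the pod IP itself is reachable inside the cluster and nothing here prevents another workload from sending its own `X-Forwarded-Email` straight to port 8080. A NetworkPolicy limiting ingress to the pod to port 4180 (or binding Grist to loopback, if the image offers a bind-address setting — confirm) closes that path. `gristlabs/grist:latest` should also be pinned, as the oauth2-proxy image already is.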
@@ -0,0 +1,16 @@ +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: grist-session-secret + namespace: grist +spec: + refreshInterval: "720h" + target: + name: grist-session-secret + dataFrom: + - sourceRef: + generatorRef: + apiVersion: generators.external-secrets.io/v1alpha1 + kind: Password + name: quasi-base64 diff --git a/grist/ingress.yaml b/grist/ingress.yaml new file mode 100644 index 0000000..2a61dfc --- /dev/null +++ b/grist/ingress.yaml @@ -0,0 +1,35 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: grist + namespace: grist +spec: + ingressClassName: haproxy + rules: + - host: grist.strudelline.net + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: grist + port: + number: 4180 +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: grist + name: grist + namespace: grist +spec: + selector: + app: grist + ports: + - name: http + port: 4180 + protocol: TCP + targetPort: 4180 diff --git a/grist/ns.yaml b/grist/ns.yaml new file mode 100644 index 0000000..2f6c3c6 --- /dev/null +++ b/grist/ns.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + creationTimestamp: null + name: grist +spec: {} +status: {} diff --git a/grist/oidc-secret.yaml b/grist/oidc-secret.yaml new file mode 100644 index 0000000..06ba800 --- /dev/null +++ b/grist/oidc-secret.yaml 
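Review bot: `refreshInterval: "720h"` on an ExternalSecret backed by a `Password` generator regenerates `GRIST_SESSION_SECRET` every 30 days, which signs every user out, and because the Deployment reads it via `secretKeyRef` without a reloader annotation the new value only takes effect at the next pod restart, leaving the Secret and the running process out of sync in between. If monthly rotation is intended, add `reloader.stakater.com/auto: "true"` to the grist Deployment as the other workloads in this commit do; if not, a comment such as `# regenerated every refresh; rotation logs all users out` makes the trade-off visible.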
@@ -0,0 +1,54 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: oidc-secret + namespace: grist +spec: + secretStoreRef: + kind: ClusterSecretStore + name: bitwarden + data: + - remoteRef: + key: oidc client - grist + property: password + secretKey: client_secret + - remoteRef: + key: oidc client - grist + property: username + secretKey: client_id + - remoteRef: + key: oidc client - grist + property: cookie-secret + secretKey: cookie_secret + refreshInterval: 5m + target: + creationPolicy: Owner + deletionPolicy: Delete + name: oidc-secret + template: + data: + oauth2-proxy.cfg: | + cookie_secret='{{ .cookie_secret }}' + cookie_domains=['werts.us','strudelline.net'] + + whitelist_domains=['.werts.us','.strudelline.net','strudelline.net','werts.us'] + # only users with this domain will be let in + email_domains=["werts.us","strudelline.net","andariese.net"] + + client_id="{{ .client_id }}" + client_secret="{{ .client_secret }}" + cookie_secure="true" + + upstreams = [ "http://localhost:8080" ] + #skip_auth_routes = [ + # "!=^/admin(/.*)?$" + #] + + skip_provider_button = true + + reverse_proxy = true + set_xauthrequest = true + + provider="oidc" + oidc_issuer_url="https://auth.werts.us/realms/werts" + type: Opaque diff --git a/grist/pvc.yaml b/grist/pvc.yaml new file mode 100644 index 0000000..245820e --- /dev/null +++ b/grist/pvc.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: grist-persist + namespace: grist +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 10Gi + storageClassName: longhorn + volumeMode: Filesystem diff --git a/grist/quasi-base64-generator.yaml b/grist/quasi-base64-generator.yaml new file mode 100644 index 0000000..81e637b --- /dev/null +++ b/grist/quasi-base64-generator.yaml 
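Review bot: `cookie_secure="true"` in the rendered `oauth2-proxy.cfg` is a quoted string for what oauth2-proxy treats as a boolean option; the same line appears in `keycloak/oidc-secret.yaml`. Writing it as `cookie_secure = true` matches the other boolean lines (`skip_provider_button = true`) and avoids relying on the config loader's string-to-bool coercion. The `template` here has no `engineVersion` while the keycloak copy sets `engineVersion: v2`; set it explicitly in both so they render identically. The commented-out `skip_auth_routes` block is leftover scratch and can be dropped.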
@@ -0,0 +1,13 @@ +--- +apiVersion: generators.external-secrets.io/v1alpha1 +kind: Password +metadata: + name: quasi-base64 + namespace: grist +spec: + length: 32 + digits: 5 + symbols: 1 + symbolCharacters: "-_" + noUpper: false + allowRepeat: true diff --git a/harbor/deploy.sh b/harbor/deploy.sh new file mode 100644 index 0000000..17ff412 --- /dev/null +++ b/harbor/deploy.sh @@ -0,0 +1,2 @@ +helm repo add harbor https://helm.goharbor.io && helm repo update +helm upgrade -i -n harbor --create-namespace harbor harbor/harbor -f values.yaml diff --git a/harbor/diff.sh b/harbor/diff.sh new file mode 100644 index 0000000..726e804 --- /dev/null +++ b/harbor/diff.sh @@ -0,0 +1 @@ +helm diff upgrade -n harbor harbor harbor/harbor -f values.yaml diff --git a/harbor/values.yaml b/harbor/values.yaml new file mode 100644 index 0000000..83ba92c --- /dev/null +++ b/harbor/values.yaml @@ -0,0 +1,19 @@ +externalURL: https://harbor.strudelline.net +expose: + type: loadBalancer + tls: + enabled: true + certSource: secret + secret: + secretName: wildcard-tls + loadBalancer: + ports: + httpPort: 80 + httpsPort: 443 + IP: 172.16.17.115 +persistence: + persistentVolumeClaim: + jobservice: + jobLog: + accessMode: ReadWriteMany + diff --git a/harbor/wildcard-tls.yaml b/harbor/wildcard-tls.yaml new file mode 100644 index 0000000..74ec003 --- /dev/null +++ b/harbor/wildcard-tls.yaml @@ -0,0 +1,13 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: wildcard-tls + namespace: harbor +spec: + secretName: wildcard-tls + issuerRef: + name: zerossl + kind: ClusterIssuer + dnsNames: + - strudelline.net + - '*.strudelline.net' diff --git a/illa/deployment.yaml b/illa/deployment.yaml new file mode 100644 index 0000000..171b4c3 --- /dev/null +++ b/illa/deployment.yaml 
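Review bot: `harbor/values.yaml` sets neither `harborAdminPassword` nor `existingSecretAdminPassword`, so the chart's documented default admin password applies on first install, on a registry exposed via LoadBalancer at 172.16.17.115. Point `existingSecretAdminPassword` at a Secret populated through the same ExternalSecret/Bitwarden pattern used elsewhere in this commit, and note in `deploy.sh` that it must exist before `helm upgrade -i` runs. `expose.loadBalancer.ports.httpPort: 80` also keeps a plain-HTTP listener beside TLS; if everything should go through `https://harbor.strudelline.net`, either drop it or confirm this chart version redirects HTTP to HTTPS.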
@@ -0,0 +1,41 @@ +--- +# illa-builder deployment +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: illa + name: illa-builder +spec: + selector: + matchLabels: + app.kubernetes.io/name: illa-builder + replicas: 1 + template: + metadata: + labels: + app.kubernetes.io/name: illa-builder + spec: + containers: + - image: docker.io/illasoft/illa-builder:latest + imagePullPolicy: Always + name: illa-builder + ports: + - containerPort: 2022 + env: + - name: ILLA_DEPLOY_MODE + value: "self-host" +--- +# illa-builder service +apiVersion: v1 +kind: Service +metadata: + namespace: illa + name: illa-builder +spec: + ports: + - port: 2022 + targetPort: 2022 + protocol: TCP + type: NodePort + selector: + app.kubernetes.io/name: illa-builder diff --git a/illa/ingress.yaml b/illa/ingress.yaml new file mode 100644 index 0000000..5c71c0f --- /dev/null +++ b/illa/ingress.yaml @@ -0,0 +1,18 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: illa + namespace: illa +spec: + ingressClassName: haproxy + rules: + - host: illa.strudelline.net + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: illa-builder + port: + number: 2022 diff --git a/ingress-shim/deploy.yaml b/ingress-shim/deploy.yaml index a479d2f..16cff95 100644 --- a/ingress-shim/deploy.yaml +++ b/ingress-shim/deploy.yaml 
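Review bot: The `illa-builder` Service is `type: NodePort`, which publishes the builder over plain HTTP on a high port of every node, bypassing the `haproxy` Ingress and the wildcard TLS in front of it. Since `illa/ingress.yaml` already routes `illa.strudelline.net` to this Service, `type: ClusterIP` is sufficient. The container also runs `illasoft/illa-builder:latest` with `imagePullPolicy: Always`, so each pod restart may pull a different build; pin a tag.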
@@ -38,20 +38,35 @@ data: frontend https443 bind *:443 ssl crt /ssl-tmp/tls.pem http-request capture req.hdr(Host) len 255 + http-request set-header X-Forwarded-Proto https http-response replace-value Location http(://.*[.]werts[.]us/.*) https\1 http-response replace-value Location http(://.*[.]strudelline[.]net/.*) https\1 default_backend httpnodes + frontend rtmp1935 + bind *:1935 + mode tcp + default_backend wertube1935 + frontend proxy4443 bind *:4443 ssl crt /ssl-tmp/tls.pem accept-proxy http-request capture req.hdr(Host) len 255 + http-request set-header X-Forwarded-Proto https http-response replace-value Location http(://.*[.]werts[.]us/.*) https\1 http-response replace-value Location http(://.*[.]strudelline[.]net/.*) https\1 default_backend httpnodes + backend wertube1935 + mode tcp + balance leastconn + server s1 peertube-werts.peertube-werts.svc:1935 check + backend httpnodes option forwardfor - server s1 istio-ingressgateway.istio-system.svc.cluster.local:80 check + #server s1 istio-ingressgateway.istio-system.svc.cluster.local:443 check ssl verify none + #server s2 172.16.17.5:443 check ssl verify none + # USE THE FRONTING PROXY PORT IN HAPROXY-INGRESS + server s1 172.16.17.82:81 check frontend stats mode http @@ -64,25 +79,27 @@ data: stats refresh 10s stats admin if LOCALHOST --- +# This is a daemonset so that we can use local traffic policies. +# The whole point of this pod is to gather and preserve client IPs +# so local traffic policies are a must (kube-proxy will change the +# origin IP). apiVersion: apps/v1 -kind: Deployment +kind: DaemonSet metadata: name: "haproxy-server" namespace: "ingress-shim" annotations: "reloader.stakater.com/auto": "true" spec: - replicas: 1 selector: matchLabels: app: "haproxy-server" - strategy: - type: RollingUpdate template: metadata: labels: app: "haproxy-server" spec: + terminationGracePeriodSeconds: 0 initContainers: - name: combine-certs command: ["bash", "-c"] 
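Review bot: The new `httpnodes` backend forwards to `172.16.17.82:81`, the haproxy-ingress fronting-proxy port, and the frontends now stamp `X-Forwarded-Proto https` so that port treats the request as already TLS-terminated. That port therefore trusts whatever `X-Forwarded-Proto` it receives and must be reachable only from this DaemonSet — worth a comment next to the server line, e.g. `# port 81 trusts X-Forwarded-Proto; only this shim may reach it`, plus a NetworkPolicy or firewall rule on the controller if one is not already in place. `set-header` rather than `add-header` is the right choice here since it discards any client-supplied value. The two commented-out `server` lines above it are dead and can be removed; `terminationGracePeriodSeconds: 0` on the DaemonSet also cuts in-flight connections on every rollout, which may be acceptable for a shim but deserves a note. The `haproxy.cfg` ConfigMap and the DaemonSet spec both continue outside these hunks.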
@@ -113,6 +130,9 @@ spec: - containerPort: 443 name: https protocol: TCP + - containerPort: 1935 + name: rtmp + protocol: TCP - containerPort: 4443 name: proxys protocol: TCP @@ -143,6 +163,7 @@ metadata: metallb.universe.tf/loadBalancerIPs: 172.16.17.80 spec: allocateLoadBalancerNodePorts: true + # PRESERVE CLIENT IPS! THIS IS THE WHOLE POINT! externalTrafficPolicy: Local internalTrafficPolicy: Local ipFamilies: @@ -153,6 +174,10 @@ spec: port: 80 protocol: TCP targetPort: http + - name: rtmp-1935 + port: 1935 + protocol: TCP + targetPort: rtmp - name: https-443 port: 443 protocol: TCP diff --git a/ingress-shim/wildcard-tls.yaml b/ingress-shim/wildcard-tls.yaml new file mode 100644 index 0000000..5257228 --- /dev/null +++ b/ingress-shim/wildcard-tls.yaml @@ -0,0 +1,19 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: wildcard-tls + namespace: ingress-shim +spec: + secretName: wildcard-tls + issuerRef: + name: zerossl + kind: ClusterIssuer + dnsNames: + - strudelline.net + - '*.strudelline.net' + - '*.notes.werts.us' + - '*.minio.strudelline.net' + - werts.us + - '*.werts.us' + - kn8v.com + - '*.kn8v.com' diff --git a/jellyfin/deployment.yaml b/jellyfin/deployment.yaml new file mode 100644 index 0000000..ed922a4 --- /dev/null +++ b/jellyfin/deployment.yaml 
@@ -0,0 +1,91 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: jellyfin + namespace: jellyfin + labels: + app: jellyfin +spec: + replicas: 1 + selector: + matchLabels: + app: jellyfin + template: + metadata: + annotations: + k8s.v1.cni.cncf.io/networks: | + [{ + "namespace": "cascade", + "name": "br0-static", + "ips": ["172.16.1.77/12"] + }] + labels: + app: jellyfin + spec: + containers: + - name: jellyfin + image: jellyfin/jellyfin:latest + imagePullPolicy: Always + ports: + - containerPort: 8096 + name: http + - containerPort: 8920 + name: https + - containerPort: 1900 + name: discovery1 + protocol: UDP + - containerPort: 7359 + name: discovery2 + protocol: UDP + volumeMounts: + - name: jellyfin-data + mountPath: /config + subPath: config + - name: jellyfin-data + mountPath: /cache + subPath: cache + - name: dropbox + mountPath: /volume1/dropbox + - name: tv-shows + mountPath: /volume1/tv shows + - name: video + mountPath: /volume1/video + - name: movies + mountPath: /volume1/movies + resources: + requests: + cpu: 500m + memory: 2Gi + volumes: + - name: jellyfin-data + persistentVolumeClaim: + claimName: jellyfin-data + - name: dropbox + nfs: + server: 172.16.18.1 + path: /volume1/dropbox + - name: tv-shows + nfs: + server: 172.16.18.1 + path: /volume1/tv shows + - name: video + nfs: + server: 172.16.18.1 + path: /volume1/video + - name: movies + nfs: + server: 172.16.18.1 + path: /volume1/movies +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: jellyfin-data +spec: + storageClassName: longhorn + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 40Gi diff --git a/jellyfin/ingress.yaml b/jellyfin/ingress.yaml new file mode 100644 index 0000000..9deb42c --- /dev/null +++ b/jellyfin/ingress.yaml 
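Review bot: The `PersistentVolumeClaim` at the bottom of `jellyfin/deployment.yaml` has no `metadata.namespace`, while the Deployment that references `claimName: jellyfin-data` is in `jellyfin`; applied from a context with a different default namespace the claim lands elsewhere and the pod stays Pending. Add `namespace: jellyfin` under the PVC's `metadata`. Separately, `jellyfin/jellyfin:latest` with `imagePullPolicy: Always` on a pod that also holds a static bridge address (`172.16.1.77/12`) means every restart may run a different build with the NFS library shares mounted read-write; pin the tag and consider `readOnly: true` on the `nfs:` volumes the server only needs to read.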
@@ -0,0 +1,21 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: jellyfin + namespace: jellyfin + labels: + app: jellyfin +spec: + ingressClassName: haproxy + rules: + - host: jellyfin.strudelline.net + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: jellyfin + port: + name: http diff --git a/jellyfin/ns.yaml b/jellyfin/ns.yaml new file mode 100644 index 0000000..167a2cb --- /dev/null +++ b/jellyfin/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: jellyfin diff --git a/jellyfin/service.yaml b/jellyfin/service.yaml new file mode 100644 index 0000000..7e10ee1 --- /dev/null +++ b/jellyfin/service.yaml @@ -0,0 +1,14 @@ +--- +kind: Service +apiVersion: v1 +metadata: + name: jellyfin + namespace: jellyfin +spec: + selector: + app: jellyfin + ports: + - protocol: TCP + port: 80 + name: http + targetPort: 8096 diff --git a/jenkins/0ns.yaml b/jenkins/0ns.yaml new file mode 100644 index 0000000..5eb2c27 --- /dev/null +++ b/jenkins/0ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: jenkins diff --git a/jenkins/deploy.sh b/jenkins/deploy.sh new file mode 100644 index 0000000..c63677d --- /dev/null +++ b/jenkins/deploy.sh @@ -0,0 +1,3 @@ +#!/bin/bash +# +helm upgrade -i --create-namespace -n jenkins jenkins jenkins/jenkins -f values.yaml diff --git a/jenkins/diff.sh b/jenkins/diff.sh new file mode 100644 index 0000000..7f220cb --- /dev/null +++ b/jenkins/diff.sh @@ -0,0 +1,3 @@ +#!/bin/bash +# +helm diff upgrade -n jenkins jenkins jenkins/jenkins -f values.yaml diff --git a/jenkins/ingress.yaml b/jenkins/ingress.yaml new file mode 100644 index 0000000..baf43a3 --- /dev/null +++ b/jenkins/ingress.yaml 
@@ -0,0 +1,19 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: jenkins + namespace: jenkins +spec: + ingressClassName: haproxy + rules: + - host: jenkins.strudelline.net + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: jenkins + port: + name: http diff --git a/jenkins/pvc.yaml b/jenkins/pvc.yaml new file mode 100644 index 0000000..38bc533 --- /dev/null +++ b/jenkins/pvc.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: jenkins + namespace: jenkins +spec: + storageClassName: longhorn + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 8Gi diff --git a/jenkins/values.yaml b/jenkins/values.yaml new file mode 100644 index 0000000..30a4b3b --- /dev/null +++ b/jenkins/values.yaml @@ -0,0 +1,4 @@ +USER-SUPPLIED VALUES: +controller: + jenkinsUriPrefix: "" + jenkinsUrl: https://jenkins.strudelline.net diff --git a/keycloak/debugger.yaml b/keycloak/debugger.yaml new file mode 100644 index 0000000..1168cd3 --- /dev/null +++ b/keycloak/debugger.yaml 
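Review bot: `jenkins/values.yaml` begins with `USER-SUPPLIED VALUES:`, the header line printed by `helm get values`, pasted in along with the output. As written it becomes a top-level value key passed to the chart; harmless today but confusing, so delete that line and leave `controller:` at the top. The file also sets nothing for admin credentials, so the chart's generated admin password applies and lives in a chart-managed Secret; if that is the intent, a comment saying where to retrieve it from would help the next operator.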
@@ -0,0 +1,101 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: debugger + namespace: keycloak +spec: + ingressClassName: haproxy + rules: + - host: debug.werts.us + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: debugger + port: + number: 9009 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: keycloak + name: debugger +spec: + replicas: 1 + selector: + matchLabels: + app: debugger + template: + metadata: + labels: + app: debugger + spec: + containers: + - image: beryju/oidc-test-client:latest + name: debugger + env: + - name: OIDC_DO_REFRESH + value: "false" + - name: OIDC_DO_INTROSPECTION + value: "false" + - name: OIDC_CLIENT_ID + valueFrom: + secretKeyRef: + name: debugger-oidc-secret + key: id + - name: OIDC_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: debugger-oidc-secret + key: secret + - name: OIDC_PROVIDER + value: https://auth.werts.us/realms/werts + - name: OIDC_ROOT_URL + value: https://debug.werts.us/ + ports: + - containerPort: 9009 + name: http + protocol: TCP + restartPolicy: Always +--- +apiVersion: v1 +kind: Service +metadata: + name: debugger + namespace: keycloak +spec: + ports: + - port: 9009 + protocol: TCP + targetPort: 9009 + selector: + app: debugger + type: ClusterIP +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: debugger-oidc-secret + namespace: keycloak +spec: + data: + - remoteRef: + key: oidc client - debugger + property: username + secretKey: id + - remoteRef: + key: oidc client - debugger + property: password + secretKey: secret + - remoteRef: + key: oidc client - debugger + property: discovery_url + secretKey: discovery_url + refreshInterval: 60s + secretStoreRef: + kind: ClusterSecretStore + name: bitwarden + target: + name: debugger-oidc-secret diff --git a/keycloak/echoserver.yaml b/keycloak/echoserver.yaml new file mode 100644 index 0000000..b29fab5 --- /dev/null +++ b/keycloak/echoserver.yaml 
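Review bot: `keycloak/debugger.yaml` exposes `beryju/oidc-test-client` publicly at `debug.werts.us`, wired to a live client secret from Bitwarden; a test client that displays tokens and claims is useful while debugging, but leaving it reachable permanently widens the realm's exposure for no operational gain. Consider gating the Ingress behind the same `ingress.kubernetes.io/oauth` annotations used by `echoserver`, or keeping the manifest but only applying it while debugging, and pin the `:latest` tag. The ExternalSecret also copies `discovery_url` into the Secret, yet the Deployment hard-codes `OIDC_PROVIDER`; either drop the unused key or source the provider from it so there is one place to change.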
@@ -0,0 +1,80 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: echoserver + namespace: keycloak + annotations: + ingress.kubernetes.io/oauth: oauth2_proxy + ingress.kubernetes.io/auth-url: https://auth.werts.us/oauth2/auth + ingress.kubernetes.io/auth-signin: https://auth.werts.us/oauth2/start?rd=https://echo.werts.us + ingress.kubernetes.io/auth-signout-not-implemented: https://auth.werts.us/realms/werts/protocol/openid-connect/logout +spec: + ingressClassName: haproxy + rules: + - host: echo.werts.us + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: echoserver + port: + number: 8080 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: echoserver-non-auth + namespace: keycloak +spec: + ingressClassName: haproxy + rules: + - host: echo.werts.us + http: + paths: + - path: /non-auth + pathType: Prefix + backend: + service: + name: echoserver + port: + number: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: keycloak + name: echoserver +spec: + replicas: 1 + selector: + matchLabels: + app: echoserver + template: + metadata: + labels: + app: echoserver + spec: + containers: + - image: mendhak/http-https-echo:30 + name: echoserver + ports: + - containerPort: 4180 + name: http + protocol: TCP + restartPolicy: Always +--- +apiVersion: v1 +kind: Service +metadata: + name: echoserver + namespace: keycloak +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app: echoserver + type: ClusterIP diff --git a/keycloak/oidc-secret.yaml b/keycloak/oidc-secret.yaml new file mode 100644 index 0000000..de715c8 --- /dev/null +++ b/keycloak/oidc-secret.yaml 
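Review bot: The `echoserver` container declares `containerPort: 4180` but `mendhak/http-https-echo:30` listens on 8080, which is also what the Service targets; the declared port is informational so this works, yet it misleads anyone reading the pod spec — change it to `containerPort: 8080`. Because this image echoes request headers back to the client, anything the ingress injects after auth (`X-Auth-Request-*`, forwarded tokens) is displayed on `echo.werts.us`; acceptable for a protected test endpoint, but the second Ingress serves `/non-auth` from the same backend without the auth annotations, so it reflects whatever headers reach it unauthenticated. `ingress.kubernetes.io/auth-signout-not-implemented` is a made-up annotation key and should be a comment instead.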
@@ -0,0 +1,49 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: oauth2-proxy-oidc-secret
+ namespace: keycloak
+spec:
+ data:
+ - remoteRef:
+ key: oidc client - oauth2-proxy
+ property: password
+ secretKey: client_secret
+ - remoteRef:
+ key: oidc client - oauth2-proxy
+ property: username
+ secretKey: client_id
+ - remoteRef:
+ key: oidc client - oauth2-proxy
+ property: cookie-secret
+ secretKey: cookie_secret
+ refreshInterval: 5m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: bitwarden
+ target:
+ name: oauth2-proxy-oidc-secret
+ template:
+ data:
+ oauth2-proxy.cfg: |
+ cookie_secret='{{ .cookie_secret }}'
+ cookie_domains=['werts.us','strudelline.net']
+ cookie_csrf_per_request = true
+
+ whitelist_domains=['.werts.us','.strudelline.net','strudelline.net','werts.us']
+ # only users with this domain will be let in
+ email_domains=["werts.us","strudelline.net","andariese.net"]
+
+ client_id="{{ .client_id }}"
+ client_secret="{{ .client_secret }}"
+ cookie_secure="true"
+
+ upstreams = [ "file:///dev/null" ]
+ skip_provider_button = true
+ set_xauthrequest = true
+ pass_access_token = true
+
+ provider="oidc"
+ oidc_issuer_url="https://auth.werts.us/realms/werts"
+ engineVersion: v2
+ type: Opaque
diff --git a/keycloak/tf/client-pleroma.tf b/keycloak/tf/client-pleroma.tf
index c164cc6..feb7e88 100644
--- a/keycloak/tf/client-pleroma.tf
+++ b/keycloak/tf/client-pleroma.tf
@@ -6,7 +6,8 @@ module "werts_pleroma_oidc_client" {
 keepers = { epoch = 1 }
 redirect_uris = ["http://toots.werts.us/oauth/keycloak/callback"]
- #vault_secret_name = "k8s-ns/pleroma/werts-oidc"
+ kubernetes_secret_name = "toots-oidc"
+ kubernetes_secret_namespace = "toots-werts"
 }
 output "pleroma_client_id" {
diff --git a/kubevirt/cdi-cr.yaml b/kubevirt/cdi-cr.yaml
new file mode 100644
index 0000000..2cca65a
--- /dev/null
+++ b/kubevirt/cdi-cr.yaml
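Review bot: In the rendered `oauth2-proxy.cfg` of the oidc-secret.yaml hunk, `cookie_secure="true"` is written as a quoted string while every other boolean in the same file (`cookie_csrf_per_request = true`, `skip_provider_button = true`, `set_xauthrequest = true`) is a bare TOML boolean; if the config loader does not coerce strings to bool this line fails to parse and the cookie silently loses the Secure flag, so write `cookie_secure = true` like its neighbours. The three templated values are interpolated inside quotes with no escaping, so a client secret or cookie secret from Bitwarden that contains a `'`, `"` or newline produces an unparseable config; that is acceptable if the vault entries are controlled, but a comment on the `template:` block stating the assumption would make the failure mode obvious when it happens. `pass_access_token = true` forwards the access token to whatever reads the auth-request headers; with `upstreams = [ "file:///dev/null" ]` that is only the ingress controller, but it is worth a comment so the setting is not copied into a proxy that fronts a real upstream.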
@@ -0,0 +1,20 @@
+apiVersion: cdi.kubevirt.io/v1beta1
+kind: CDI
+metadata:
+ name: cdi
+ namespace: kubevirt
+spec:
+ config:
+ featureGates:
+ - HonorWaitForFirstConsumer
+ #uploadProxyURLOverride: https://cdi-uploadproxy.strudelline.net
+ imagePullPolicy: IfNotPresent
+ infra:
+ nodeSelector:
+ kubernetes.io/os: linux
+ tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
+ workload:
+ nodeSelector:
+ kubernetes.io/os: linux
diff --git a/kubevirt/cdi-ingress.yaml b/kubevirt/cdi-ingress.yaml
new file mode 100644
index 0000000..83cf461
--- /dev/null
+++ b/kubevirt/cdi-ingress.yaml
@@ -0,0 +1,126 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: cdi-uploadproxy
+ namespace: cdi
+spec:
+ ingressClassName: haproxy
+ rules:
+ - host: cdi-uploadproxy.strudelline.net
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: cdi-uploadproxy-untls-shim
+ port:
+ number: 80
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "cdi-uploadproxy-untls-shim"
+ namespace: "cdi"
+data:
+ haproxy.cfg: |
+ global
+ log stdout format raw local0
+ stats timeout 30s
+ user haproxy
+ group haproxy
+
+ defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ balance source
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ http-reuse never
+ option disable-h2-upgrade
+
+ frontend http80
+ bind *:80
+ http-request capture req.hdr(Host) len 255
+ default_backend httpnodes
+
+ backend httpnodes
+ option forwardfor
+ http-request add-header x-forwarded-proto https
+ server s1 cdi-uploadproxy.cdi.svc:443 ssl verify none check
+
+ frontend stats
+ mode http
+ option httplog
+ bind *:8404
+ http-request capture req.hdr(X-Forwarded-For) len 64
+ http-request capture req.hdr(Host) len 255
+ stats enable
+ stats uri /
+ stats refresh 10s
+ stats admin if LOCALHOST
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: "cdi-uploadproxy-untls-shim"
+ namespace: "cdi"
+ annotations:
+ "reloader.stakater.com/auto": "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: "cdi-uploadproxy-untls-shim"
+ strategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: "cdi-uploadproxy-untls-shim"
+ spec:
+ containers:
+ - image: haproxy:latest
+ name: haproxy
+ volumeMounts:
+ - mountPath: /usr/local/etc/haproxy/haproxy.cfg
+ name: config
+ subPath: haproxy.cfg
+ ports:
+ - containerPort: 80
+ name: http
+ protocol: TCP
+ - containerPort: 8404
+ name: stats
+ protocol: TCP
+ restartPolicy: Always
+ volumes:
+ - name: config
+ configMap:
+ name: "cdi-uploadproxy-untls-shim"
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: "cdi-uploadproxy-untls-shim"
+ namespace: "cdi"
+spec:
+ ipFamilies:
+ - IPv4
+ ipFamilyPolicy: SingleStack
+ ports:
+ - name: http-80
+ port: 80
+ protocol: TCP
+ targetPort: http
+ - name: https-8404
+ port: 8404
+ protocol: TCP
+ targetPort: stats
+ selector:
+ app: "cdi-uploadproxy-untls-shim"
+ type: ClusterIP
diff --git a/kubevirt/kubevirt-cr.yaml b/kubevirt/kubevirt-cr.yaml
new file mode 100644
index 0000000..2925ac7
--- /dev/null
+++ b/kubevirt/kubevirt-cr.yaml
@@ -0,0 +1,15 @@
+apiVersion: kubevirt.io/v1
+kind: KubeVirt
+metadata:
+ name: kubevirt
+ namespace: kubevirt
+spec:
+ certificateRotateStrategy: {}
+ configuration:
+ developerConfiguration:
+ featureGates:
+ - ExpandDisks
+ - VMExport
+ customizeComponents: {}
+ imagePullPolicy: IfNotPresent
+ workloadUpdateStrategy: {}
diff --git a/kubevirt/kubevirt-operator.yaml b/kubevirt/kubevirt-operator.yaml
new file mode 100644
index 0000000..1613a4f
--- /dev/null
+++ b/kubevirt/kubevirt-operator.yaml
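Review bot: The shim's backend line `server s1 cdi-uploadproxy.cdi.svc:443 ssl verify none check` in the cdi-ingress.yaml hunk re-encrypts to the upload proxy but accepts any certificate on that hop, so the leg that actually carries uploaded disk images is TLS-without-authentication; mount the CA bundle that signs the uploadproxy's serving certificate and use `server s1 cdi-uploadproxy.cdi.svc:443 ssl verify required ca-file <path-to-mounted-cdi-ca-bundle> check` (the bundle's ConfigMap name is not in this diff, so it is a placeholder here). The `frontend stats` listener is plain HTTP — its `bind *:8404` has no `ssl` — yet the Service publishes it under the name `https-8404`, and `stats admin if LOCALHOST` only gates the admin actions, not the stats page itself; rename the port to `http-8404` or drop it from the Service if nothing in the cluster scrapes it. `http-request add-header x-forwarded-proto https` is set unconditionally on a plain-HTTP frontend, so the upload proxy will believe the client leg was TLS regardless of how the Ingress (which has no `tls:` section) was reached — correct only if the ingress class terminates TLS for this host, which deserves a comment on the Ingress. `image: haproxy:latest` should also be pinned to a tag or digest, since this container is the TLS boundary for the upload path.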
@@ -0,0 +1,7359 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + labels: + kubevirt.io: "" + pod-security.kubernetes.io/enforce: "privileged" + name: kubevirt +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + operator.kubevirt.io: "" + name: kubevirts.kubevirt.io +spec: + group: kubevirt.io + names: + categories: + - all + kind: KubeVirt + plural: kubevirts + shortNames: + - kv + - kvs + singular: kubevirt + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.phase + name: Phase + type: string + name: v1 + schema: + openAPIV3Schema: + description: KubeVirt represents the object deploying all KubeVirt resources + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + certificateRotateStrategy: + properties: + selfSigned: + properties: + ca: + description: CA configuration CA certs are kept in the CA + bundle as long as they are valid + properties: + duration: + description: The requested 'duration' (i.e. lifetime) + of the Certificate. + type: string + renewBefore: + description: The amount of time before the currently issued + certificate's "notAfter" time that we will begin to + attempt to renew the certificate. 
+ type: string + type: object + caOverlapInterval: + description: Deprecated. Use CA.Duration and CA.RenewBefore + instead + type: string + caRotateInterval: + description: Deprecated. Use CA.Duration instead + type: string + certRotateInterval: + description: Deprecated. Use Server.Duration instead + type: string + server: + description: Server configuration Certs are rotated and discarded + properties: + duration: + description: The requested 'duration' (i.e. lifetime) + of the Certificate. + type: string + renewBefore: + description: The amount of time before the currently issued + certificate's "notAfter" time that we will begin to + attempt to renew the certificate. + type: string + type: object + type: object + type: object + configuration: + description: holds kubevirt configurations. same as the virt-configMap + properties: + additionalGuestMemoryOverheadRatio: + description: AdditionalGuestMemoryOverheadRatio can be used to + increase the virtualization infrastructure overhead. This is + useful, since the calculation of this overhead is not accurate + and cannot be entirely known in advance. The ratio that is being + set determines by which factor to increase the overhead calculated + by Kubevirt. A higher ratio means that the VMs would be less + compromised by node pressures, but would mean that fewer VMs + could be scheduled to a node. If not set, the default is 1. + type: string + apiConfiguration: + description: ReloadableComponentConfiguration holds all generic + k8s configuration options which can be reloaded by components + without requiring a restart. + properties: + restClient: + description: RestClient can be used to tune certain aspects + of the k8s client in use. + properties: + rateLimiter: + description: RateLimiter allows selecting and configuring + different rate limiters for the k8s client. + properties: + tokenBucketRateLimiter: + properties: + burst: + description: Maximum burst for throttle. 
If it's + zero, the component default will be used + type: integer + qps: + description: QPS indicates the maximum QPS to + the apiserver from this client. If it's zero, + the component default will be used + type: number + required: + - burst + - qps + type: object + type: object + type: object + type: object + architectureConfiguration: + properties: + amd64: + properties: + emulatedMachines: + items: + type: string + type: array + x-kubernetes-list-type: atomic + machineType: + type: string + ovmfPath: + type: string + type: object + arm64: + properties: + emulatedMachines: + items: + type: string + type: array + x-kubernetes-list-type: atomic + machineType: + type: string + ovmfPath: + type: string + type: object + defaultArchitecture: + type: string + ppc64le: + properties: + emulatedMachines: + items: + type: string + type: array + x-kubernetes-list-type: atomic + machineType: + type: string + ovmfPath: + type: string + type: object + type: object + autoCPULimitNamespaceLabelSelector: + description: When set, AutoCPULimitNamespaceLabelSelector will + set a CPU limit on virt-launcher for VMIs running inside namespaces + that match the label selector. The CPU limit will equal the + number of requested vCPUs. This setting does not apply to VMIs + with dedicated CPUs. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + controllerConfiguration: + description: ReloadableComponentConfiguration holds all generic + k8s configuration options which can be reloaded by components + without requiring a restart. + properties: + restClient: + description: RestClient can be used to tune certain aspects + of the k8s client in use. + properties: + rateLimiter: + description: RateLimiter allows selecting and configuring + different rate limiters for the k8s client. + properties: + tokenBucketRateLimiter: + properties: + burst: + description: Maximum burst for throttle. If it's + zero, the component default will be used + type: integer + qps: + description: QPS indicates the maximum QPS to + the apiserver from this client. 
If it's zero, + the component default will be used + type: number + required: + - burst + - qps + type: object + type: object + type: object + type: object + cpuModel: + type: string + cpuRequest: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + defaultRuntimeClass: + type: string + developerConfiguration: + description: DeveloperConfiguration holds developer options + properties: + cpuAllocationRatio: + description: 'For each requested virtual CPU, CPUAllocationRatio + defines how much physical CPU to request per VMI from the + hosting node. The value is in fraction of a CPU thread (or + core on non-hyperthreaded nodes). For example, a value of + 1 means 1 physical CPU thread per VMI CPU thread. A value + of 100 would be 1% of a physical thread allocated for each + requested VMI thread. This option has no effect on VMIs + that request dedicated CPUs. More information at: https://kubevirt.io/user-guide/operations/node_overcommit/#node-cpu-allocation-ratio + Defaults to 10' + type: integer + diskVerification: + description: DiskVerification holds container disks verification + limits + properties: + memoryLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - memoryLimit + type: object + featureGates: + description: FeatureGates is the list of experimental features + to enable. 
Defaults to none + items: + type: string + type: array + logVerbosity: + description: LogVerbosity sets log verbosity level of various + components + properties: + nodeVerbosity: + additionalProperties: + type: integer + description: NodeVerbosity represents a map of nodes with + a specific verbosity level + type: object + virtAPI: + type: integer + virtController: + type: integer + virtHandler: + type: integer + virtLauncher: + type: integer + virtOperator: + type: integer + type: object + memoryOvercommit: + description: MemoryOvercommit is the percentage of memory + we want to give VMIs compared to the amount given to its + parent pod (virt-launcher). For example, a value of 102 + means the VMI will "see" 2% more memory than its parent + pod. Values under 100 are effectively "undercommits". Overcommits + can lead to memory exhaustion, which in turn can lead to + crashes. Use carefully. Defaults to 100 + type: integer + minimumClusterTSCFrequency: + description: Allow overriding the automatically determined + minimum TSC frequency of the cluster and fixate the minimum + to this frequency. + format: int64 + type: integer + minimumReservePVCBytes: + description: MinimumReservePVCBytes is the amount of space, + in bytes, to leave unused on disks. Defaults to 131072 (128KiB) + format: int64 + type: integer + nodeSelectors: + additionalProperties: + type: string + description: NodeSelectors allows restricting VMI creation + to nodes that match a set of labels. Defaults to none + type: object + pvcTolerateLessSpaceUpToPercent: + description: LessPVCSpaceToleration determines how much smaller, + in percentage, disk PVCs are allowed to be compared to the + requested size (to account for various overheads). Defaults + to 10 + type: integer + useEmulation: + description: UseEmulation can be set to true to allow fallback + to software emulation in case hardware-assisted emulation + is not available. 
Defaults to false + type: boolean + type: object + emulatedMachines: + items: + type: string + type: array + evictionStrategy: + description: EvictionStrategy defines at the cluster level if + the VirtualMachineInstance should be migrated instead of shut-off + in case of a node drain. If the VirtualMachineInstance specific + field is set it overrides the cluster level one. + type: string + handlerConfiguration: + description: ReloadableComponentConfiguration holds all generic + k8s configuration options which can be reloaded by components + without requiring a restart. + properties: + restClient: + description: RestClient can be used to tune certain aspects + of the k8s client in use. + properties: + rateLimiter: + description: RateLimiter allows selecting and configuring + different rate limiters for the k8s client. + properties: + tokenBucketRateLimiter: + properties: + burst: + description: Maximum burst for throttle. If it's + zero, the component default will be used + type: integer + qps: + description: QPS indicates the maximum QPS to + the apiserver from this client. If it's zero, + the component default will be used + type: number + required: + - burst + - qps + type: object + type: object + type: object + type: object + imagePullPolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + ksmConfiguration: + description: KSMConfiguration holds the information regarding + the enabling the KSM in the nodes (if available). + properties: + nodeLabelSelector: + description: NodeLabelSelector is a selector that filters + in which nodes the KSM will be enabled. Empty NodeLabelSelector + will enable ksm for every node. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: object + liveUpdateConfiguration: + description: LiveUpdateConfiguration holds defaults for live update + features + properties: + maxCpuSockets: + description: MaxCpuSockets holds the maximum amount of sockets + that can be hotplugged + format: int32 + type: integer + type: object + machineType: + type: string + mediatedDevicesConfiguration: + description: MediatedDevicesConfiguration holds information about + MDEV types to be defined, if available + properties: + mediatedDeviceTypes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mediatedDevicesTypes: + description: Deprecated. Use mediatedDeviceTypes instead. + items: + type: string + type: array + x-kubernetes-list-type: atomic + nodeMediatedDeviceTypes: + items: + description: NodeMediatedDeviceTypesConfig holds information + about MDEV types to be defined in a specific node that + matches the NodeSelector field. 
+ properties: + mediatedDeviceTypes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mediatedDevicesTypes: + description: Deprecated. Use mediatedDeviceTypes instead. + items: + type: string + type: array + x-kubernetes-list-type: atomic + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must + be true for the vmi to fit on a node. Selector which + must match a node''s labels for the vmi to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + required: + - nodeSelector + type: object + type: array + x-kubernetes-list-type: atomic + type: object + memBalloonStatsPeriod: + format: int32 + type: integer + migrations: + description: MigrationConfiguration holds migration options. Can + be overridden for specific groups of VMs though migration policies. + Visit https://kubevirt.io/user-guide/operations/migration_policies/ + for more information. + properties: + allowAutoConverge: + description: AllowAutoConverge allows the platform to compromise + performance/availability of VMIs to guarantee successful + VMI live migrations. Defaults to false + type: boolean + allowPostCopy: + description: AllowPostCopy enables post-copy live migrations. + Such migrations allow even the busiest VMIs to successfully + live-migrate. However, events like a network failure can + cause a VMI crash. If set to true, migrations will still + start in pre-copy, but switch to post-copy when CompletionTimeoutPerGiB + triggers. Defaults to false + type: boolean + bandwidthPerMigration: + anyOf: + - type: integer + - type: string + description: BandwidthPerMigration limits the amount of network + bandwidth live migrations are allowed to use. The value + is in quantity per second. 
Defaults to 0 (no limit) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + completionTimeoutPerGiB: + description: CompletionTimeoutPerGiB is the maximum number + of seconds per GiB a migration is allowed to take. If a + live-migration takes longer to migrate than this value multiplied + by the size of the VMI, the migration will be cancelled, + unless AllowPostCopy is true. Defaults to 800 + format: int64 + type: integer + disableTLS: + description: When set to true, DisableTLS will disable the + additional layer of live migration encryption provided by + KubeVirt. This is usually a bad idea. Defaults to false + type: boolean + matchSELinuxLevelOnMigration: + description: By default, the SELinux level of target virt-launcher + pods is forced to the level of the source virt-launcher. + When set to true, MatchSELinuxLevelOnMigration lets the + CRI auto-assign a random level to the target. That will + ensure the target virt-launcher doesn't share categories + with another pod on the node. However, migrations will fail + when using RWX volumes that don't automatically deal with + SELinux levels. + type: boolean + network: + description: Network is the name of the CNI network to use + for live migrations. By default, migrations go through the + pod network. + type: string + nodeDrainTaintKey: + description: 'NodeDrainTaintKey defines the taint key that + indicates a node should be drained. Note: this option relies + on the deprecated node taint feature. Default: kubevirt.io/drain' + type: string + parallelMigrationsPerCluster: + description: ParallelMigrationsPerCluster is the total number + of concurrent live migrations allowed cluster-wide. Defaults + to 5 + format: int32 + type: integer + parallelOutboundMigrationsPerNode: + description: ParallelOutboundMigrationsPerNode is the maximum + number of concurrent outgoing live migrations allowed per + node. 
Defaults to 2 + format: int32 + type: integer + progressTimeout: + description: ProgressTimeout is the maximum number of seconds + a live migration is allowed to make no progress. Hitting + this timeout means a migration transferred 0 data for that + many seconds. The migration is then considered stuck and + therefore cancelled. Defaults to 150 + format: int64 + type: integer + unsafeMigrationOverride: + description: UnsafeMigrationOverride allows live migrations + to occur even if the compatibility check indicates the migration + will be unsafe to the guest. Defaults to false + type: boolean + type: object + minCPUModel: + type: string + network: + description: NetworkConfiguration holds network options + properties: + defaultNetworkInterface: + type: string + permitBridgeInterfaceOnPodNetwork: + type: boolean + permitSlirpInterface: + type: boolean + type: object + obsoleteCPUModels: + additionalProperties: + type: boolean + type: object + ovmfPath: + type: string + permittedHostDevices: + description: PermittedHostDevices holds information about devices + allowed for passthrough + properties: + mediatedDevices: + items: + description: MediatedHostDevice represents a host mediated + device allowed for passthrough + properties: + externalResourceProvider: + type: boolean + mdevNameSelector: + type: string + resourceName: + type: string + required: + - mdevNameSelector + - resourceName + type: object + type: array + x-kubernetes-list-type: atomic + pciHostDevices: + items: + description: PciHostDevice represents a host PCI device + allowed for passthrough + properties: + externalResourceProvider: + description: If true, KubeVirt will leave the allocation + and monitoring to an external device plugin + type: boolean + pciVendorSelector: + description: The vendor_id:product_id tuple of the PCI + device + type: string + resourceName: + description: The name of the resource that is representing + the device. Exposed by a device plugin and requested + by VMs. 
Typically of the form vendor.com/product_nameThe + name of the resource that is representing the device. + Exposed by a device plugin and requested by VMs. Typically + of the form vendor.com/product_name + type: string + required: + - pciVendorSelector + - resourceName + type: object + type: array + x-kubernetes-list-type: atomic + type: object + seccompConfiguration: + description: SeccompConfiguration holds Seccomp configuration + for Kubevirt components + properties: + virtualMachineInstanceProfile: + description: VirtualMachineInstanceProfile defines what profile + should be used with virt-launcher. Defaults to none + properties: + customProfile: + description: CustomProfile allows to request arbitrary + profile for virt-launcher + properties: + localhostProfile: + type: string + runtimeDefaultProfile: + type: boolean + type: object + type: object + type: object + selinuxLauncherType: + type: string + smbios: + properties: + family: + type: string + manufacturer: + type: string + product: + type: string + sku: + type: string + version: + type: string + type: object + supportContainerResources: + description: SupportContainerResources specifies the resource + requirements for various types of supporting containers such + as container disks/virtiofs/sidecars and hotplug attachment + pods. If omitted a sensible default will be supplied. + items: + description: SupportContainerResources are used to specify the + cpu/memory request and limits for the containers that support + various features of Virtual Machines. These containers are + usually idle and don't require a lot of memory or cpu. + properties: + resources: + description: ResourceRequirements describes the compute + resource requirements. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. 
It can only be set for containers." + items: + description: ResourceClaim references one entry in + PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where + this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of + compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. If Requests is omitted + for a container, it defaults to Limits if that is + explicitly specified, otherwise to an implementation-defined + value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: + type: string + required: + - resources + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + supportedGuestAgentVersions: + description: deprecated + items: + type: string + type: array + tlsConfiguration: + description: TLSConfiguration holds TLS options + properties: + ciphers: + items: + type: string + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: "MinTLSVersion is a way to specify the minimum + protocol version that is acceptable for TLS connections. + Protocol versions are based on the following most common + TLS configurations: \n https://ssl-config.mozilla.org/ + \n Note that SSLv3.0 is not a supported protocol version + due to well known vulnerabilities such as POODLE: https://en.wikipedia.org/wiki/POODLE" + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + virtualMachineInstancesPerNode: + type: integer + virtualMachineOptions: + description: VirtualMachineOptions holds the cluster level information + regarding the virtual machine. + properties: + disableFreePageReporting: + description: DisableFreePageReporting disable the free page + reporting of memory balloon device https://libvirt.org/formatdomain.html#memory-balloon-device. + This will have effect only if AutoattachMemBalloon is not + false and the vmi is not requesting any high performance + feature (dedicatedCPU/realtime/hugePages), in which free + page reporting is always disabled. + type: object + type: object + vmStateStorageClass: + description: VMStateStorageClass is the name of the storage class + to use for the PVCs created to preserve VM state, like TPM. + The storage class must support RWX in filesystem mode. 
+ type: string + webhookConfiguration: + description: ReloadableComponentConfiguration holds all generic + k8s configuration options which can be reloaded by components + without requiring a restart. + properties: + restClient: + description: RestClient can be used to tune certain aspects + of the k8s client in use. + properties: + rateLimiter: + description: RateLimiter allows selecting and configuring + different rate limiters for the k8s client. + properties: + tokenBucketRateLimiter: + properties: + burst: + description: Maximum burst for throttle. If it's + zero, the component default will be used + type: integer + qps: + description: QPS indicates the maximum QPS to + the apiserver from this client. If it's zero, + the component default will be used + type: number + required: + - burst + - qps + type: object + type: object + type: object + type: object + type: object + customizeComponents: + properties: + flags: + description: Configure the value used for deployment and daemonset + resources + properties: + api: + additionalProperties: + type: string + type: object + controller: + additionalProperties: + type: string + type: object + handler: + additionalProperties: + type: string + type: object + type: object + patches: + items: + properties: + patch: + type: string + resourceName: + minLength: 1 + type: string + resourceType: + minLength: 1 + type: string + type: + type: string + required: + - patch + - resourceName + - resourceType + - type + type: object + type: array + x-kubernetes-list-type: atomic + type: object + imagePullPolicy: + description: The ImagePullPolicy to use. + type: string + imagePullSecrets: + description: The imagePullSecrets to pull the container images from + Defaults to none + items: + description: LocalObjectReference contains enough information to + let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + type: array + x-kubernetes-list-type: atomic + imageRegistry: + description: The image registry to pull the container images from + Defaults to the same registry the operator's container image is + pulled from. + type: string + imageTag: + description: The image tag to use for the continer images installed. + Defaults to the same tag as the operator's container image. + type: string + infra: + description: selectors and tolerations that should apply to KubeVirt + infrastructure components + properties: + nodePlacement: + description: nodePlacement describes scheduling configuration + for specific KubeVirt components + properties: + affinity: + description: affinity enables pod affinity/anti-affinity placement + expanding the types of constraints that can be expressed + with nodeSelector. affinity is going to be applied to the + relevant kind of pods in parallel with nodeSelector See + https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. 
+ items: + description: An empty preferred scheduling term + matches all objects with implicit weight 0 (i.e. + it's a no-op). A null preferred scheduling term + matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. 
+ If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. + due to an update), the system may or may not try + to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: A null or empty node selector term + matches no objects. The requirements of them + are ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. 
+ If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. 
for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". 
The requirements are + ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null + namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. + due to a pod label update), the system may or may + not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating through + the elements of this field and adding "weight" to + the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. 
A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + anti-affinity requirements specified by this field + cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may + or may not try to eventually evict the pod from + its node. When there are multiple elements, the + lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. 
+ items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. 
The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'nodeSelector is the node selector applied to + the relevant kind of pods It specifies a map of key-value + pairs: for the pod to be eligible to run on a node, the + node must have each of the indicated key-value pairs as + labels (it can have additional labels as well). See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector' + type: object + tolerations: + description: tolerations is a list of tolerations applied + to the relevant kind of pods See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for more info. These are additional tolerations other than + default ones. + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. If the + key is empty, operator must be Exists; this combination + means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. 
Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints of + a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the + taint forever (do not evict). Zero and negative values + will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value should + be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + replicas: + description: 'replicas indicates how many replicas should be created + for each KubeVirt infrastructure component (like virt-api or + virt-controller). Defaults to 2. WARNING: this is an advanced + feature that prevents auto-scaling for core kubevirt components. + Please use with caution!' + type: integer + type: object + monitorAccount: + description: The name of the Prometheus service account that needs + read-access to KubeVirt endpoints Defaults to prometheus-k8s + type: string + monitorNamespace: + description: The namespace Prometheus is deployed in Defaults to openshift-monitor + type: string + productComponent: + description: Designate the apps.kubevirt.io/component label for KubeVirt + components. Useful if KubeVirt is included as part of a product. + If ProductComponent is not specified, the component label default + value is kubevirt. + type: string + productName: + description: Designate the apps.kubevirt.io/part-of label for KubeVirt + components. Useful if KubeVirt is included as part of a product. + If ProductName is not specified, the part-of label will be omitted. + type: string + productVersion: + description: Designate the apps.kubevirt.io/version label for KubeVirt + components. 
Useful if KubeVirt is included as part of a product. + If ProductVersion is not specified, KubeVirt's version will be used. + type: string + serviceMonitorNamespace: + description: The namespace the service monitor will be deployed When + ServiceMonitorNamespace is set, then we'll install the service monitor + object in that namespace otherwise we will use the monitoring namespace. + type: string + uninstallStrategy: + description: Specifies if kubevirt can be deleted if workloads are + still present. This is mainly a precaution to avoid accidental data + loss + type: string + workloadUpdateStrategy: + description: WorkloadUpdateStrategy defines at the cluster level how + to handle automated workload updates + properties: + batchEvictionInterval: + description: "BatchEvictionInterval Represents the interval to + wait before issuing the next batch of shutdowns \n Defaults + to 1 minute" + type: string + batchEvictionSize: + description: "BatchEvictionSize Represents the number of VMIs + that can be forced updated per the BatchShutdownInteral interval + \n Defaults to 10" + type: integer + workloadUpdateMethods: + description: "WorkloadUpdateMethods defines the methods that can + be used to disrupt workloads during automated workload updates. + When multiple methods are present, the least disruptive method + takes precedence over more disruptive methods. 
For example if + both LiveMigrate and Shutdown methods are listed, only VMs which + are not live migratable will be restarted/shutdown \n An empty + list defaults to no automated workload updating" + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + workloads: + description: selectors and tolerations that should apply to KubeVirt + workloads + properties: + nodePlacement: + description: nodePlacement describes scheduling configuration + for specific KubeVirt components + properties: + affinity: + description: affinity enables pod affinity/anti-affinity placement + expanding the types of constraints that can be expressed + with nodeSelector. affinity is going to be applied to the + relevant kind of pods in parallel with nodeSelector See + https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term + matches all objects with implicit weight 0 (i.e. + it's a no-op). A null preferred scheduling term + matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. + due to an update), the system may or may not try + to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: A null or empty node selector term + matches no objects. The requirements of them + are ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. 
for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". 
The requirements are + ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null + namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. + due to a pod label update), the system may or may + not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating through + the elements of this field and adding "weight" to + the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. 
A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + anti-affinity requirements specified by this field + cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may + or may not try to eventually evict the pod from + its node. When there are multiple elements, the + lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. 
+ items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. 
The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'nodeSelector is the node selector applied to + the relevant kind of pods It specifies a map of key-value + pairs: for the pod to be eligible to run on a node, the + node must have each of the indicated key-value pairs as + labels (it can have additional labels as well). See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector' + type: object + tolerations: + description: tolerations is a list of tolerations applied + to the relevant kind of pods See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for more info. These are additional tolerations other than + default ones. + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. If the + key is empty, operator must be Exists; this combination + means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. 
Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints of + a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the + taint forever (do not evict). Zero and negative values + will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value should + be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + replicas: + description: 'replicas indicates how many replicas should be created + for each KubeVirt infrastructure component (like virt-api or + virt-controller). Defaults to 2. WARNING: this is an advanced + feature that prevents auto-scaling for core kubevirt components. + Please use with caution!' + type: integer + type: object + type: object + status: + description: KubeVirtStatus represents information pertaining to a KubeVirt + deployment. + properties: + conditions: + items: + description: KubeVirtCondition represents a condition of a KubeVirt + deployment + properties: + lastProbeTime: + format: date-time + nullable: true + type: string + lastTransitionTime: + format: date-time + nullable: true + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + defaultArchitecture: + type: string + generations: + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. 
+ properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - lastGeneration + - name + - resource + type: object + type: array + x-kubernetes-list-type: atomic + observedDeploymentConfig: + type: string + observedDeploymentID: + type: string + observedGeneration: + format: int64 + type: integer + observedKubeVirtRegistry: + type: string + observedKubeVirtVersion: + type: string + operatorVersion: + type: string + outdatedVirtualMachineInstanceWorkloads: + type: integer + phase: + description: KubeVirtPhase is a label for the phase of a KubeVirt + deployment at the current time. + type: string + targetDeploymentConfig: + type: string + targetDeploymentID: + type: string + targetKubeVirtRegistry: + type: string + targetKubeVirtVersion: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.phase + name: Phase + type: string + deprecated: true + deprecationWarning: kubevirt.io/v1alpha3 is now deprecated and will be removed + in a future release. 
+ name: v1alpha3 + schema: + openAPIV3Schema: + description: KubeVirt represents the object deploying all KubeVirt resources + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + certificateRotateStrategy: + properties: + selfSigned: + properties: + ca: + description: CA configuration CA certs are kept in the CA + bundle as long as they are valid + properties: + duration: + description: The requested 'duration' (i.e. lifetime) + of the Certificate. + type: string + renewBefore: + description: The amount of time before the currently issued + certificate's "notAfter" time that we will begin to + attempt to renew the certificate. + type: string + type: object + caOverlapInterval: + description: Deprecated. Use CA.Duration and CA.RenewBefore + instead + type: string + caRotateInterval: + description: Deprecated. Use CA.Duration instead + type: string + certRotateInterval: + description: Deprecated. Use Server.Duration instead + type: string + server: + description: Server configuration Certs are rotated and discarded + properties: + duration: + description: The requested 'duration' (i.e. lifetime) + of the Certificate. 
+ type: string + renewBefore: + description: The amount of time before the currently issued + certificate's "notAfter" time that we will begin to + attempt to renew the certificate. + type: string + type: object + type: object + type: object + configuration: + description: holds kubevirt configurations. same as the virt-configMap + properties: + additionalGuestMemoryOverheadRatio: + description: AdditionalGuestMemoryOverheadRatio can be used to + increase the virtualization infrastructure overhead. This is + useful, since the calculation of this overhead is not accurate + and cannot be entirely known in advance. The ratio that is being + set determines by which factor to increase the overhead calculated + by Kubevirt. A higher ratio means that the VMs would be less + compromised by node pressures, but would mean that fewer VMs + could be scheduled to a node. If not set, the default is 1. + type: string + apiConfiguration: + description: ReloadableComponentConfiguration holds all generic + k8s configuration options which can be reloaded by components + without requiring a restart. + properties: + restClient: + description: RestClient can be used to tune certain aspects + of the k8s client in use. + properties: + rateLimiter: + description: RateLimiter allows selecting and configuring + different rate limiters for the k8s client. + properties: + tokenBucketRateLimiter: + properties: + burst: + description: Maximum burst for throttle. If it's + zero, the component default will be used + type: integer + qps: + description: QPS indicates the maximum QPS to + the apiserver from this client. 
If it's zero, + the component default will be used + type: number + required: + - burst + - qps + type: object + type: object + type: object + type: object + architectureConfiguration: + properties: + amd64: + properties: + emulatedMachines: + items: + type: string + type: array + x-kubernetes-list-type: atomic + machineType: + type: string + ovmfPath: + type: string + type: object + arm64: + properties: + emulatedMachines: + items: + type: string + type: array + x-kubernetes-list-type: atomic + machineType: + type: string + ovmfPath: + type: string + type: object + defaultArchitecture: + type: string + ppc64le: + properties: + emulatedMachines: + items: + type: string + type: array + x-kubernetes-list-type: atomic + machineType: + type: string + ovmfPath: + type: string + type: object + type: object + autoCPULimitNamespaceLabelSelector: + description: When set, AutoCPULimitNamespaceLabelSelector will + set a CPU limit on virt-launcher for VMIs running inside namespaces + that match the label selector. The CPU limit will equal the + number of requested vCPUs. This setting does not apply to VMIs + with dedicated CPUs. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + controllerConfiguration: + description: ReloadableComponentConfiguration holds all generic + k8s configuration options which can be reloaded by components + without requiring a restart. + properties: + restClient: + description: RestClient can be used to tune certain aspects + of the k8s client in use. + properties: + rateLimiter: + description: RateLimiter allows selecting and configuring + different rate limiters for the k8s client. + properties: + tokenBucketRateLimiter: + properties: + burst: + description: Maximum burst for throttle. If it's + zero, the component default will be used + type: integer + qps: + description: QPS indicates the maximum QPS to + the apiserver from this client. If it's zero, + the component default will be used + type: number + required: + - burst + - qps + type: object + type: object + type: object + type: object + cpuModel: + type: string + cpuRequest: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + defaultRuntimeClass: + type: string + developerConfiguration: + description: DeveloperConfiguration holds developer options + properties: + cpuAllocationRatio: + description: 'For each requested virtual CPU, CPUAllocationRatio + defines how much physical CPU to request per VMI from the + hosting node. The value is in fraction of a CPU thread (or + core on non-hyperthreaded nodes). 
For example, a value of + 1 means 1 physical CPU thread per VMI CPU thread. A value + of 100 would be 1% of a physical thread allocated for each + requested VMI thread. This option has no effect on VMIs + that request dedicated CPUs. More information at: https://kubevirt.io/user-guide/operations/node_overcommit/#node-cpu-allocation-ratio + Defaults to 10' + type: integer + diskVerification: + description: DiskVerification holds container disks verification + limits + properties: + memoryLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - memoryLimit + type: object + featureGates: + description: FeatureGates is the list of experimental features + to enable. Defaults to none + items: + type: string + type: array + logVerbosity: + description: LogVerbosity sets log verbosity level of various + components + properties: + nodeVerbosity: + additionalProperties: + type: integer + description: NodeVerbosity represents a map of nodes with + a specific verbosity level + type: object + virtAPI: + type: integer + virtController: + type: integer + virtHandler: + type: integer + virtLauncher: + type: integer + virtOperator: + type: integer + type: object + memoryOvercommit: + description: MemoryOvercommit is the percentage of memory + we want to give VMIs compared to the amount given to its + parent pod (virt-launcher). For example, a value of 102 + means the VMI will "see" 2% more memory than its parent + pod. Values under 100 are effectively "undercommits". Overcommits + can lead to memory exhaustion, which in turn can lead to + crashes. Use carefully. Defaults to 100 + type: integer + minimumClusterTSCFrequency: + description: Allow overriding the automatically determined + minimum TSC frequency of the cluster and fixate the minimum + to this frequency. 
+ format: int64 + type: integer + minimumReservePVCBytes: + description: MinimumReservePVCBytes is the amount of space, + in bytes, to leave unused on disks. Defaults to 131072 (128KiB) + format: int64 + type: integer + nodeSelectors: + additionalProperties: + type: string + description: NodeSelectors allows restricting VMI creation + to nodes that match a set of labels. Defaults to none + type: object + pvcTolerateLessSpaceUpToPercent: + description: LessPVCSpaceToleration determines how much smaller, + in percentage, disk PVCs are allowed to be compared to the + requested size (to account for various overheads). Defaults + to 10 + type: integer + useEmulation: + description: UseEmulation can be set to true to allow fallback + to software emulation in case hardware-assisted emulation + is not available. Defaults to false + type: boolean + type: object + emulatedMachines: + items: + type: string + type: array + evictionStrategy: + description: EvictionStrategy defines at the cluster level if + the VirtualMachineInstance should be migrated instead of shut-off + in case of a node drain. If the VirtualMachineInstance specific + field is set it overrides the cluster level one. + type: string + handlerConfiguration: + description: ReloadableComponentConfiguration holds all generic + k8s configuration options which can be reloaded by components + without requiring a restart. + properties: + restClient: + description: RestClient can be used to tune certain aspects + of the k8s client in use. + properties: + rateLimiter: + description: RateLimiter allows selecting and configuring + different rate limiters for the k8s client. + properties: + tokenBucketRateLimiter: + properties: + burst: + description: Maximum burst for throttle. If it's + zero, the component default will be used + type: integer + qps: + description: QPS indicates the maximum QPS to + the apiserver from this client. 
If it's zero, + the component default will be used + type: number + required: + - burst + - qps + type: object + type: object + type: object + type: object + imagePullPolicy: + description: PullPolicy describes a policy for if/when to pull + a container image + type: string + ksmConfiguration: + description: KSMConfiguration holds the information regarding + the enabling the KSM in the nodes (if available). + properties: + nodeLabelSelector: + description: NodeLabelSelector is a selector that filters + in which nodes the KSM will be enabled. Empty NodeLabelSelector + will enable ksm for every node. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. 
+ type: object + type: object + type: object + liveUpdateConfiguration: + description: LiveUpdateConfiguration holds defaults for live update + features + properties: + maxCpuSockets: + description: MaxCpuSockets holds the maximum amount of sockets + that can be hotplugged + format: int32 + type: integer + type: object + machineType: + type: string + mediatedDevicesConfiguration: + description: MediatedDevicesConfiguration holds information about + MDEV types to be defined, if available + properties: + mediatedDeviceTypes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mediatedDevicesTypes: + description: Deprecated. Use mediatedDeviceTypes instead. + items: + type: string + type: array + x-kubernetes-list-type: atomic + nodeMediatedDeviceTypes: + items: + description: NodeMediatedDeviceTypesConfig holds information + about MDEV types to be defined in a specific node that + matches the NodeSelector field. + properties: + mediatedDeviceTypes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mediatedDevicesTypes: + description: Deprecated. Use mediatedDeviceTypes instead. + items: + type: string + type: array + x-kubernetes-list-type: atomic + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must + be true for the vmi to fit on a node. Selector which + must match a node''s labels for the vmi to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + required: + - nodeSelector + type: object + type: array + x-kubernetes-list-type: atomic + type: object + memBalloonStatsPeriod: + format: int32 + type: integer + migrations: + description: MigrationConfiguration holds migration options. Can + be overridden for specific groups of VMs though migration policies. + Visit https://kubevirt.io/user-guide/operations/migration_policies/ + for more information. 
+ properties: + allowAutoConverge: + description: AllowAutoConverge allows the platform to compromise + performance/availability of VMIs to guarantee successful + VMI live migrations. Defaults to false + type: boolean + allowPostCopy: + description: AllowPostCopy enables post-copy live migrations. + Such migrations allow even the busiest VMIs to successfully + live-migrate. However, events like a network failure can + cause a VMI crash. If set to true, migrations will still + start in pre-copy, but switch to post-copy when CompletionTimeoutPerGiB + triggers. Defaults to false + type: boolean + bandwidthPerMigration: + anyOf: + - type: integer + - type: string + description: BandwidthPerMigration limits the amount of network + bandwidth live migrations are allowed to use. The value + is in quantity per second. Defaults to 0 (no limit) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + completionTimeoutPerGiB: + description: CompletionTimeoutPerGiB is the maximum number + of seconds per GiB a migration is allowed to take. If a + live-migration takes longer to migrate than this value multiplied + by the size of the VMI, the migration will be cancelled, + unless AllowPostCopy is true. Defaults to 800 + format: int64 + type: integer + disableTLS: + description: When set to true, DisableTLS will disable the + additional layer of live migration encryption provided by + KubeVirt. This is usually a bad idea. Defaults to false + type: boolean + matchSELinuxLevelOnMigration: + description: By default, the SELinux level of target virt-launcher + pods is forced to the level of the source virt-launcher. + When set to true, MatchSELinuxLevelOnMigration lets the + CRI auto-assign a random level to the target. That will + ensure the target virt-launcher doesn't share categories + with another pod on the node. 
However, migrations will fail + when using RWX volumes that don't automatically deal with + SELinux levels. + type: boolean + network: + description: Network is the name of the CNI network to use + for live migrations. By default, migrations go through the + pod network. + type: string + nodeDrainTaintKey: + description: 'NodeDrainTaintKey defines the taint key that + indicates a node should be drained. Note: this option relies + on the deprecated node taint feature. Default: kubevirt.io/drain' + type: string + parallelMigrationsPerCluster: + description: ParallelMigrationsPerCluster is the total number + of concurrent live migrations allowed cluster-wide. Defaults + to 5 + format: int32 + type: integer + parallelOutboundMigrationsPerNode: + description: ParallelOutboundMigrationsPerNode is the maximum + number of concurrent outgoing live migrations allowed per + node. Defaults to 2 + format: int32 + type: integer + progressTimeout: + description: ProgressTimeout is the maximum number of seconds + a live migration is allowed to make no progress. Hitting + this timeout means a migration transferred 0 data for that + many seconds. The migration is then considered stuck and + therefore cancelled. Defaults to 150 + format: int64 + type: integer + unsafeMigrationOverride: + description: UnsafeMigrationOverride allows live migrations + to occur even if the compatibility check indicates the migration + will be unsafe to the guest. 
Defaults to false + type: boolean + type: object + minCPUModel: + type: string + network: + description: NetworkConfiguration holds network options + properties: + defaultNetworkInterface: + type: string + permitBridgeInterfaceOnPodNetwork: + type: boolean + permitSlirpInterface: + type: boolean + type: object + obsoleteCPUModels: + additionalProperties: + type: boolean + type: object + ovmfPath: + type: string + permittedHostDevices: + description: PermittedHostDevices holds information about devices + allowed for passthrough + properties: + mediatedDevices: + items: + description: MediatedHostDevice represents a host mediated + device allowed for passthrough + properties: + externalResourceProvider: + type: boolean + mdevNameSelector: + type: string + resourceName: + type: string + required: + - mdevNameSelector + - resourceName + type: object + type: array + x-kubernetes-list-type: atomic + pciHostDevices: + items: + description: PciHostDevice represents a host PCI device + allowed for passthrough + properties: + externalResourceProvider: + description: If true, KubeVirt will leave the allocation + and monitoring to an external device plugin + type: boolean + pciVendorSelector: + description: The vendor_id:product_id tuple of the PCI + device + type: string + resourceName: + description: The name of the resource that is representing + the device. Exposed by a device plugin and requested + by VMs. Typically of the form vendor.com/product_nameThe + name of the resource that is representing the device. + Exposed by a device plugin and requested by VMs. 
Typically + of the form vendor.com/product_name + type: string + required: + - pciVendorSelector + - resourceName + type: object + type: array + x-kubernetes-list-type: atomic + type: object + seccompConfiguration: + description: SeccompConfiguration holds Seccomp configuration + for Kubevirt components + properties: + virtualMachineInstanceProfile: + description: VirtualMachineInstanceProfile defines what profile + should be used with virt-launcher. Defaults to none + properties: + customProfile: + description: CustomProfile allows to request arbitrary + profile for virt-launcher + properties: + localhostProfile: + type: string + runtimeDefaultProfile: + type: boolean + type: object + type: object + type: object + selinuxLauncherType: + type: string + smbios: + properties: + family: + type: string + manufacturer: + type: string + product: + type: string + sku: + type: string + version: + type: string + type: object + supportContainerResources: + description: SupportContainerResources specifies the resource + requirements for various types of supporting containers such + as container disks/virtiofs/sidecars and hotplug attachment + pods. If omitted a sensible default will be supplied. + items: + description: SupportContainerResources are used to specify the + cpu/memory request and limits for the containers that support + various features of Virtual Machines. These containers are + usually idle and don't require a lot of memory or cpu. + properties: + resources: + description: ResourceRequirements describes the compute + resource requirements. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in + PodSpec.ResourceClaims. 
+ properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where + this field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of + compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. If Requests is omitted + for a container, it defaults to Limits if that is + explicitly specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: + type: string + required: + - resources + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + supportedGuestAgentVersions: + description: deprecated + items: + type: string + type: array + tlsConfiguration: + description: TLSConfiguration holds TLS options + properties: + ciphers: + items: + type: string + type: array + x-kubernetes-list-type: set + minTLSVersion: + description: "MinTLSVersion is a way to specify the minimum + protocol version that is acceptable for TLS connections. 
+ Protocol versions are based on the following most common + TLS configurations: \n https://ssl-config.mozilla.org/ + \n Note that SSLv3.0 is not a supported protocol version + due to well known vulnerabilities such as POODLE: https://en.wikipedia.org/wiki/POODLE" + enum: + - VersionTLS10 + - VersionTLS11 + - VersionTLS12 + - VersionTLS13 + type: string + type: object + virtualMachineInstancesPerNode: + type: integer + virtualMachineOptions: + description: VirtualMachineOptions holds the cluster level information + regarding the virtual machine. + properties: + disableFreePageReporting: + description: DisableFreePageReporting disable the free page + reporting of memory balloon device https://libvirt.org/formatdomain.html#memory-balloon-device. + This will have effect only if AutoattachMemBalloon is not + false and the vmi is not requesting any high performance + feature (dedicatedCPU/realtime/hugePages), in which free + page reporting is always disabled. + type: object + type: object + vmStateStorageClass: + description: VMStateStorageClass is the name of the storage class + to use for the PVCs created to preserve VM state, like TPM. + The storage class must support RWX in filesystem mode. + type: string + webhookConfiguration: + description: ReloadableComponentConfiguration holds all generic + k8s configuration options which can be reloaded by components + without requiring a restart. + properties: + restClient: + description: RestClient can be used to tune certain aspects + of the k8s client in use. + properties: + rateLimiter: + description: RateLimiter allows selecting and configuring + different rate limiters for the k8s client. + properties: + tokenBucketRateLimiter: + properties: + burst: + description: Maximum burst for throttle. If it's + zero, the component default will be used + type: integer + qps: + description: QPS indicates the maximum QPS to + the apiserver from this client. 
If it's zero, + the component default will be used + type: number + required: + - burst + - qps + type: object + type: object + type: object + type: object + type: object + customizeComponents: + properties: + flags: + description: Configure the value used for deployment and daemonset + resources + properties: + api: + additionalProperties: + type: string + type: object + controller: + additionalProperties: + type: string + type: object + handler: + additionalProperties: + type: string + type: object + type: object + patches: + items: + properties: + patch: + type: string + resourceName: + minLength: 1 + type: string + resourceType: + minLength: 1 + type: string + type: + type: string + required: + - patch + - resourceName + - resourceType + - type + type: object + type: array + x-kubernetes-list-type: atomic + type: object + imagePullPolicy: + description: The ImagePullPolicy to use. + type: string + imagePullSecrets: + description: The imagePullSecrets to pull the container images from + Defaults to none + items: + description: LocalObjectReference contains enough information to + let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + type: array + x-kubernetes-list-type: atomic + imageRegistry: + description: The image registry to pull the container images from + Defaults to the same registry the operator's container image is + pulled from. + type: string + imageTag: + description: The image tag to use for the continer images installed. + Defaults to the same tag as the operator's container image. 
+ type: string + infra: + description: selectors and tolerations that should apply to KubeVirt + infrastructure components + properties: + nodePlacement: + description: nodePlacement describes scheduling configuration + for specific KubeVirt components + properties: + affinity: + description: affinity enables pod affinity/anti-affinity placement + expanding the types of constraints that can be expressed + with nodeSelector. affinity is going to be applied to the + relevant kind of pods in parallel with nodeSelector See + https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term + matches all objects with implicit weight 0 (i.e. + it's a no-op). A null preferred scheduling term + matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. 
+ items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. + due to an update), the system may or may not try + to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: A null or empty node selector term + matches no objects. The requirements of them + are ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. 
for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". 
The requirements are + ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null + namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. + due to a pod label update), the system may or may + not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating through + the elements of this field and adding "weight" to + the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. 
A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + anti-affinity requirements specified by this field + cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may + or may not try to eventually evict the pod from + its node. When there are multiple elements, the + lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. 
+ items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. 
The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'nodeSelector is the node selector applied to + the relevant kind of pods It specifies a map of key-value + pairs: for the pod to be eligible to run on a node, the + node must have each of the indicated key-value pairs as + labels (it can have additional labels as well). See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector' + type: object + tolerations: + description: tolerations is a list of tolerations applied + to the relevant kind of pods See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for more info. These are additional tolerations other than + default ones. + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. If the + key is empty, operator must be Exists; this combination + means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. 
Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints of + a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the + taint forever (do not evict). Zero and negative values + will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value should + be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + replicas: + description: 'replicas indicates how many replicas should be created + for each KubeVirt infrastructure component (like virt-api or + virt-controller). Defaults to 2. WARNING: this is an advanced + feature that prevents auto-scaling for core kubevirt components. + Please use with caution!' + type: integer + type: object + monitorAccount: + description: The name of the Prometheus service account that needs + read-access to KubeVirt endpoints Defaults to prometheus-k8s + type: string + monitorNamespace: + description: The namespace Prometheus is deployed in Defaults to openshift-monitor + type: string + productComponent: + description: Designate the apps.kubevirt.io/component label for KubeVirt + components. Useful if KubeVirt is included as part of a product. + If ProductComponent is not specified, the component label default + value is kubevirt. + type: string + productName: + description: Designate the apps.kubevirt.io/part-of label for KubeVirt + components. Useful if KubeVirt is included as part of a product. + If ProductName is not specified, the part-of label will be omitted. + type: string + productVersion: + description: Designate the apps.kubevirt.io/version label for KubeVirt + components. 
Useful if KubeVirt is included as part of a product. + If ProductVersion is not specified, KubeVirt's version will be used. + type: string + serviceMonitorNamespace: + description: The namespace the service monitor will be deployed When + ServiceMonitorNamespace is set, then we'll install the service monitor + object in that namespace otherwise we will use the monitoring namespace. + type: string + uninstallStrategy: + description: Specifies if kubevirt can be deleted if workloads are + still present. This is mainly a precaution to avoid accidental data + loss + type: string + workloadUpdateStrategy: + description: WorkloadUpdateStrategy defines at the cluster level how + to handle automated workload updates + properties: + batchEvictionInterval: + description: "BatchEvictionInterval Represents the interval to + wait before issuing the next batch of shutdowns \n Defaults + to 1 minute" + type: string + batchEvictionSize: + description: "BatchEvictionSize Represents the number of VMIs + that can be forced updated per the BatchShutdownInteral interval + \n Defaults to 10" + type: integer + workloadUpdateMethods: + description: "WorkloadUpdateMethods defines the methods that can + be used to disrupt workloads during automated workload updates. + When multiple methods are present, the least disruptive method + takes precedence over more disruptive methods. 
For example if + both LiveMigrate and Shutdown methods are listed, only VMs which + are not live migratable will be restarted/shutdown \n An empty + list defaults to no automated workload updating" + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + workloads: + description: selectors and tolerations that should apply to KubeVirt + workloads + properties: + nodePlacement: + description: nodePlacement describes scheduling configuration + for specific KubeVirt components + properties: + affinity: + description: affinity enables pod affinity/anti-affinity placement + expanding the types of constraints that can be expressed + with nodeSelector. affinity is going to be applied to the + relevant kind of pods in parallel with nodeSelector See + https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term + matches all objects with implicit weight 0 (i.e. + it's a no-op). A null preferred scheduling term + matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. + due to an update), the system may or may not try + to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: A null or empty node selector term + matches no objects. The requirements of them + are ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. 
for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". 
The requirements are + ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null + namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. + due to a pod label update), the system may or may + not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating through + the elements of this field and adding "weight" to + the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of + resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of + {key,value} pairs. 
A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + anti-affinity requirements specified by this field + cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may + or may not try to eventually evict the pod from + its node. When there are multiple elements, the + lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. 
+ items: + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. 
The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'nodeSelector is the node selector applied to + the relevant kind of pods It specifies a map of key-value + pairs: for the pod to be eligible to run on a node, the + node must have each of the indicated key-value pairs as + labels (it can have additional labels as well). See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector' + type: object + tolerations: + description: tolerations is a list of tolerations applied + to the relevant kind of pods See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + for more info. These are additional tolerations other than + default ones. + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. If the + key is empty, operator must be Exists; this combination + means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. 
Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints of + a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the + taint forever (do not evict). Zero and negative values + will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value should + be empty, otherwise just a regular string. + type: string + type: object + type: array + type: object + replicas: + description: 'replicas indicates how many replicas should be created + for each KubeVirt infrastructure component (like virt-api or + virt-controller). Defaults to 2. WARNING: this is an advanced + feature that prevents auto-scaling for core kubevirt components. + Please use with caution!' + type: integer + type: object + type: object + status: + description: KubeVirtStatus represents information pertaining to a KubeVirt + deployment. + properties: + conditions: + items: + description: KubeVirtCondition represents a condition of a KubeVirt + deployment + properties: + lastProbeTime: + format: date-time + nullable: true + type: string + lastTransitionTime: + format: date-time + nullable: true + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + defaultArchitecture: + type: string + generations: + items: + description: GenerationStatus keeps track of the generation for + a given resource so that decisions about forced updates can be + made. 
+ properties: + group: + description: group is the group of the thing you're tracking + type: string + hash: + description: hash is an optional field set for resources without + generation that are content sensitive like secrets and configmaps + type: string + lastGeneration: + description: lastGeneration is the last generation of the workload + controller involved + format: int64 + type: integer + name: + description: name is the name of the thing you're tracking + type: string + namespace: + description: namespace is where the thing you're tracking is + type: string + resource: + description: resource is the resource type of the thing you're + tracking + type: string + required: + - group + - lastGeneration + - name + - resource + type: object + type: array + x-kubernetes-list-type: atomic + observedDeploymentConfig: + type: string + observedDeploymentID: + type: string + observedGeneration: + format: int64 + type: integer + observedKubeVirtRegistry: + type: string + observedKubeVirtVersion: + type: string + operatorVersion: + type: string + outdatedVirtualMachineInstanceWorkloads: + type: integer + phase: + description: KubeVirtPhase is a label for the phase of a KubeVirt + deployment at the current time. + type: string + targetDeploymentConfig: + type: string + targetDeploymentID: + type: string + targetKubeVirtRegistry: + type: string + targetKubeVirtVersion: + type: string + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: kubevirt-cluster-critical +value: 1000000000 +globalDefault: false +description: "This priority class should be used for core kubevirt components only." 
+--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubevirt.io:operator + labels: + operator.kubevirt.io: "" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: + - kubevirt.io + resources: + - kubevirts + verbs: + - get + - delete + - create + - update + - patch + - list + - watch + - deletecollection +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + kubevirt.io: "" + name: kubevirt-operator + namespace: kubevirt +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + kubevirt.io: "" + name: kubevirt-operator + namespace: kubevirt +rules: +- apiGroups: + - "" + resourceNames: + - kubevirt-ca + - kubevirt-export-ca + - kubevirt-virt-handler-certs + - kubevirt-virt-handler-server-certs + - kubevirt-operator-certs + - kubevirt-virt-api-certs + - kubevirt-controller-certs + - kubevirt-exportproxy-certs + resources: + - secrets + verbs: + - create + - get + - list + - watch + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - get + - list + - watch + - patch + - delete +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - create + - get + - list + - watch + - patch + - delete +- apiGroups: + - route.openshift.io + resources: + - routes/custom-host + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + kubevirt.io: "" + name: kubevirt-operator-rolebinding + namespace: kubevirt +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubevirt-operator +subjects: +- kind: ServiceAccount + name: kubevirt-operator + namespace: kubevirt +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + kubevirt.io: "" + name: kubevirt-operator +rules: +- apiGroups: + - kubevirt.io + resources: + - kubevirts + verbs: + - get + - list + - watch + - patch + - update + - patch +- apiGroups: + - "" + resources: + - serviceaccounts + 
- services + - endpoints + - pods/exec + verbs: + - get + - list + - watch + - create + - update + - delete + - patch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - delete + - update + - create + - patch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - patch + - delete +- apiGroups: + - batch + resources: + - jobs + verbs: + - get + - list + - watch + - create + - delete + - patch +- apiGroups: + - apps + resources: + - controllerrevisions + verbs: + - watch + - list + - create + - delete + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch + - create + - delete + - patch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + - roles + - rolebindings + verbs: + - get + - list + - watch + - create + - delete + - patch + - update +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - delete + - patch +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + verbs: + - create + - get + - list + - watch +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - get + - patch + - update +- apiGroups: + - security.openshift.io + resourceNames: + - kubevirt-handler + - kubevirt-controller + resources: + - securitycontextconstraints + verbs: + - get + - list + - watch + - update + - delete +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - create + - delete + - update + - patch +- apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - list + - watch + - create + - delete + - update + - patch +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + - 
prometheusrules + verbs: + - get + - list + - watch + - create + - delete + - update + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - patch +- apiGroups: + - flavor.kubevirt.io + resources: + - virtualmachineflavors + - virtualmachineclusterflavors + - virtualmachinepreferences + - virtualmachineclusterpreferences + verbs: + - get + - delete + - create + - update + - patch + - list + - watch + - deletecollection +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - delete + - patch +- apiGroups: + - kubevirt.io + resources: + - virtualmachines + - virtualmachineinstances + verbs: + - get + - list + - watch + - patch + - update +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get +- apiGroups: + - kubevirt.io + resources: + - virtualmachines/status + verbs: + - patch +- apiGroups: + - kubevirt.io + resources: + - virtualmachineinstancemigrations + verbs: + - create + - get + - list + - watch + - patch +- apiGroups: + - kubevirt.io + resources: + - virtualmachineinstancepresets + verbs: + - watch + - list +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - limitranges + verbs: + - watch + - list +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - kubevirt.io + resources: + - kubevirts + verbs: + - get + - list + - watch +- apiGroups: + - snapshot.kubevirt.io + resources: + - virtualmachinesnapshots + - virtualmachinerestores + - virtualmachinesnapshotcontents + verbs: + - get + - list + - watch +- apiGroups: + - cdi.kubevirt.io + resources: + - datasources + - datavolumes + verbs: + - get + - list + - watch +- apiGroups: + - instancetype.kubevirt.io + resources: + - virtualmachineinstancetypes + - virtualmachineclusterinstancetypes + - virtualmachinepreferences + - virtualmachineclusterpreferences + verbs: + - get + - list 
+ - watch +- apiGroups: + - migrations.kubevirt.io + resources: + - migrationpolicies + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - controllerrevisions + verbs: + - create + - list + - get +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - patch +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - list + - watch + - delete + - create + - patch +- apiGroups: + - "" + resources: + - pods + - configmaps + - endpoints + - services + verbs: + - get + - list + - watch + - delete + - update + - create + - patch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - delete + - update + - create + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - update + - create + - patch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create +- apiGroups: + - "" + resources: + - pods/finalizers + verbs: + - update +- apiGroups: + - "" + resources: + - pods/eviction + verbs: + - create +- apiGroups: + - "" + resources: + - pods/status + verbs: + - patch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - apps + resources: + - daemonsets + verbs: + - list +- apiGroups: + - apps + resources: + - controllerrevisions + verbs: + - watch + - list + - create + - delete + - get + - update +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - create + - update + - delete + - patch +- apiGroups: + - snapshot.kubevirt.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - export.kubevirt.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - pool.kubevirt.io + resources: + - virtualmachinepools + - virtualmachinepools/finalizers + - virtualmachinepools/status + - virtualmachinepools/scale + verbs: + - watch + - list + - create 
+ - delete + - update + - patch + - get +- apiGroups: + - kubevirt.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - subresources.kubevirt.io + resources: + - virtualmachineinstances/addvolume + - virtualmachineinstances/removevolume + - virtualmachineinstances/freeze + - virtualmachineinstances/unfreeze + - virtualmachineinstances/softreboot + verbs: + - update +- apiGroups: + - cdi.kubevirt.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - get + - list + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotclasses + verbs: + - get + - list + - watch +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshots + verbs: + - get + - list + - watch + - create + - update + - delete +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch +- apiGroups: + - instancetype.kubevirt.io + resources: + - virtualmachineinstancetypes + - virtualmachineclusterinstancetypes + - virtualmachinepreferences + - virtualmachineclusterpreferences + verbs: + - get + - list + - watch +- apiGroups: + - migrations.kubevirt.io + resources: + - migrationpolicies + verbs: + - get + - list + - watch +- apiGroups: + - clone.kubevirt.io + resources: + - virtualmachineclones + - virtualmachineclones/status + - virtualmachineclones/finalizers + verbs: + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - resourcequotas + verbs: + - list + - watch +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - list + - get + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - 
list + - get + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - list + - get + - watch +- apiGroups: + - kubevirt.io + resources: + - virtualmachineinstances + verbs: + - update + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - patch + - list + - watch + - get +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - kubevirt.io + resources: + - kubevirts + verbs: + - get + - list + - watch +- apiGroups: + - migrations.kubevirt.io + resources: + - migrationpolicies + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - export.kubevirt.io + resources: + - virtualmachineexports + verbs: + - get + - list + - watch +- apiGroups: + - kubevirt.io + resources: + - kubevirts + verbs: + - list + - watch +- apiGroups: + - "" + resourceNames: + - kubevirt-export-ca + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - subresources.kubevirt.io + resources: + - version + - guestfs + verbs: + - get + - list +- apiGroups: + - subresources.kubevirt.io + resources: + - virtualmachineinstances/console + - virtualmachineinstances/vnc + - virtualmachineinstances/vnc/screenshot + - virtualmachineinstances/portforward + - virtualmachineinstances/guestosinfo + - virtualmachineinstances/filesystemlist + - virtualmachineinstances/userlist + verbs: + - get +- apiGroups: + - subresources.kubevirt.io + resources: + - virtualmachineinstances/pause + - virtualmachineinstances/unpause + - virtualmachineinstances/addvolume + - virtualmachineinstances/removevolume + - virtualmachineinstances/freeze + - virtualmachineinstances/unfreeze + - virtualmachineinstances/softreboot + verbs: + - update 
+- apiGroups: + - subresources.kubevirt.io + resources: + - virtualmachines/expand-spec + - virtualmachines/portforward + verbs: + - get +- apiGroups: + - subresources.kubevirt.io + resources: + - virtualmachines/start + - virtualmachines/stop + - virtualmachines/restart + - virtualmachines/addvolume + - virtualmachines/removevolume + - virtualmachines/migrate + - virtualmachines/memorydump + - virtualmachines/addinterface + verbs: + - update +- apiGroups: + - subresources.kubevirt.io + resources: + - expand-vm-spec + verbs: + - update +- apiGroups: + - kubevirt.io + resources: + - virtualmachines + - virtualmachineinstances + - virtualmachineinstancepresets + - virtualmachineinstancereplicasets + - virtualmachineinstancemigrations + verbs: + - get + - delete + - create + - update + - patch + - list + - watch + - deletecollection +- apiGroups: + - snapshot.kubevirt.io + resources: + - virtualmachinesnapshots + - virtualmachinesnapshotcontents + - virtualmachinerestores + verbs: + - get + - delete + - create + - update + - patch + - list + - watch + - deletecollection +- apiGroups: + - export.kubevirt.io + resources: + - virtualmachineexports + verbs: + - get + - delete + - create + - update + - patch + - list + - watch + - deletecollection +- apiGroups: + - clone.kubevirt.io + resources: + - virtualmachineclones + verbs: + - get + - delete + - create + - update + - patch + - list + - watch + - deletecollection +- apiGroups: + - instancetype.kubevirt.io + resources: + - virtualmachineinstancetypes + - virtualmachineclusterinstancetypes + - virtualmachinepreferences + - virtualmachineclusterpreferences + verbs: + - get + - delete + - create + - update + - patch + - list + - watch + - deletecollection +- apiGroups: + - pool.kubevirt.io + resources: + - virtualmachinepools + verbs: + - get + - delete + - create + - update + - patch + - list + - watch + - deletecollection +- apiGroups: + - migrations.kubevirt.io + resources: + - migrationpolicies + verbs: + - get + - 
list + - watch +- apiGroups: + - subresources.kubevirt.io + resources: + - virtualmachineinstances/console + - virtualmachineinstances/vnc + - virtualmachineinstances/vnc/screenshot + - virtualmachineinstances/portforward + - virtualmachineinstances/guestosinfo + - virtualmachineinstances/filesystemlist + - virtualmachineinstances/userlist + verbs: + - get +- apiGroups: + - subresources.kubevirt.io + resources: + - virtualmachineinstances/pause + - virtualmachineinstances/unpause + - virtualmachineinstances/addvolume + - virtualmachineinstances/removevolume + - virtualmachineinstances/freeze + - virtualmachineinstances/unfreeze + - virtualmachineinstances/softreboot + verbs: + - update +- apiGroups: + - subresources.kubevirt.io + resources: + - virtualmachines/expand-spec + - virtualmachines/portforward + verbs: + - get +- apiGroups: + - subresources.kubevirt.io + resources: + - virtualmachines/start + - virtualmachines/stop + - virtualmachines/restart + - virtualmachines/addvolume + - virtualmachines/removevolume + - virtualmachines/migrate + - virtualmachines/memorydump + - virtualmachines/addinterface + verbs: + - update +- apiGroups: + - subresources.kubevirt.io + resources: + - expand-vm-spec + verbs: + - update +- apiGroups: + - kubevirt.io + resources: + - virtualmachines + - virtualmachineinstances + - virtualmachineinstancepresets + - virtualmachineinstancereplicasets + - virtualmachineinstancemigrations + verbs: + - get + - delete + - create + - update + - patch + - list + - watch +- apiGroups: + - snapshot.kubevirt.io + resources: + - virtualmachinesnapshots + - virtualmachinesnapshotcontents + - virtualmachinerestores + verbs: + - get + - delete + - create + - update + - patch + - list + - watch +- apiGroups: + - export.kubevirt.io + resources: + - virtualmachineexports + verbs: + - get + - delete + - create + - update + - patch + - list + - watch +- apiGroups: + - clone.kubevirt.io + resources: + - virtualmachineclones + verbs: + - get + - delete + - 
create + - update + - patch + - list + - watch +- apiGroups: + - instancetype.kubevirt.io + resources: + - virtualmachineinstancetypes + - virtualmachineclusterinstancetypes + - virtualmachinepreferences + - virtualmachineclusterpreferences + verbs: + - get + - delete + - create + - update + - patch + - list + - watch +- apiGroups: + - pool.kubevirt.io + resources: + - virtualmachinepools + verbs: + - get + - delete + - create + - update + - patch + - list + - watch +- apiGroups: + - kubevirt.io + resources: + - kubevirts + verbs: + - get + - list +- apiGroups: + - migrations.kubevirt.io + resources: + - migrationpolicies + verbs: + - get + - list + - watch +- apiGroups: + - subresources.kubevirt.io + resources: + - virtualmachines/expand-spec + - virtualmachineinstances/guestosinfo + - virtualmachineinstances/filesystemlist + - virtualmachineinstances/userlist + verbs: + - get +- apiGroups: + - subresources.kubevirt.io + resources: + - expand-vm-spec + verbs: + - update +- apiGroups: + - kubevirt.io + resources: + - virtualmachines + - virtualmachineinstances + - virtualmachineinstancepresets + - virtualmachineinstancereplicasets + - virtualmachineinstancemigrations + verbs: + - get + - list + - watch +- apiGroups: + - snapshot.kubevirt.io + resources: + - virtualmachinesnapshots + - virtualmachinesnapshotcontents + - virtualmachinerestores + verbs: + - get + - list + - watch +- apiGroups: + - export.kubevirt.io + resources: + - virtualmachineexports + verbs: + - get + - list + - watch +- apiGroups: + - clone.kubevirt.io + resources: + - virtualmachineclones + verbs: + - get + - list + - watch +- apiGroups: + - instancetype.kubevirt.io + resources: + - virtualmachineinstancetypes + - virtualmachineclusterinstancetypes + - virtualmachinepreferences + - virtualmachineclusterpreferences + verbs: + - get + - list + - watch +- apiGroups: + - pool.kubevirt.io + resources: + - virtualmachinepools + verbs: + - get + - list + - watch +- apiGroups: + - 
migrations.kubevirt.io + resources: + - migrationpolicies + verbs: + - get + - list + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + kubevirt.io: "" + name: kubevirt-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubevirt-operator +subjects: +- kind: ServiceAccount + name: kubevirt-operator + namespace: kubevirt + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + kubevirt.io: virt-operator + name: virt-operator + namespace: kubevirt +spec: + replicas: 2 + selector: + matchLabels: + kubevirt.io: virt-operator + strategy: + type: RollingUpdate + template: + metadata: + labels: + kubevirt.io: virt-operator + name: virt-operator + prometheus.kubevirt.io: "true" + name: virt-operator + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: kubevirt.io + operator: In + values: + - virt-operator + topologyKey: kubernetes.io/hostname + weight: 1 + containers: + - args: + - --port + - "8443" + - -v + - "2" + command: + - virt-operator + env: + - name: VIRT_OPERATOR_IMAGE + value: quay.io/kubevirt/virt-operator:v1.0.0 + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.annotations['olm.targetNamespaces'] + - name: KUBEVIRT_VERSION + value: v1.0.0 + image: quay.io/kubevirt/virt-operator:v1.0.0 + imagePullPolicy: IfNotPresent + name: virt-operator + ports: + - containerPort: 8443 + name: metrics + protocol: TCP + - containerPort: 8444 + name: webhooks + protocol: TCP + readinessProbe: + httpGet: + path: /metrics + port: 8443 + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 10 + resources: + requests: + cpu: 10m + memory: 450Mi + securityContext: + 
allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ volumeMounts:
+ - mountPath: /etc/virt-operator/certificates
+ name: kubevirt-operator-certs
+ readOnly: true
+ - mountPath: /profile-data
+ name: profile-data
+ nodeSelector:
+ kubernetes.io/os: linux
+ priorityClassName: kubevirt-cluster-critical
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: kubevirt-operator
+ tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
+ volumes:
+ - name: kubevirt-operator-certs
+ secret:
+ optional: true
+ secretName: kubevirt-operator-certs
+ - emptyDir: {}
+ name: profile-data
diff --git a/kubevirt/update.sh b/kubevirt/update.sh
new file mode 100644
index 0000000..33c7bab
--- /dev/null
+++ b/kubevirt/update.sh
@@ -0,0 +1,4 @@
+RELEASE=v1.0.0
+
+wget https://github.com/kubevirt/kubevirt/releases/download/${RELEASE}/kubevirt-operator.yaml
+wget https://github.com/kubevirt/kubevirt/releases/download/${RELEASE}/kubevirt-cr.yaml
diff --git a/local-storage/kustomization.yaml b/local-storage/kustomization.yaml
new file mode 100644
index 0000000..f725530
--- /dev/null
+++ b/local-storage/kustomization.yaml
@@ -0,0 +1,14 @@
+resources:
+- local-storage.yaml
+
+
+patchesStrategicMerge:
+- |-
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: local-path
+ annotations:
+ $patch: delete
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
diff --git a/local-storage/local-storage.yaml b/local-storage/local-storage.yaml
new file mode 100644
index 0000000..4e2e1dd
--- /dev/null
+++ b/local-storage/local-storage.yaml
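Review bot: The two `wget` calls in kubevirt/update.sh fetch manifests carrying wide-ranging RBAC (the ClusterRole above grants `'*'` verbs on `'*'` resources in several kubevirt API groups) with no integrity check, and a second run of the script writes `kubevirt-operator.yaml.1` next to the old copy instead of replacing it because no output name is given. Name the target explicitly and fail fast on a bad download, e.g. `set -euo pipefail` at the top and `wget -O kubevirt-operator.yaml "https://github.com/kubevirt/kubevirt/releases/download/${RELEASE}/kubevirt-operator.yaml"`, then verify the result against a digest committed alongside it (`sha256sum -c kubevirt-operator.yaml.sha256`, with the expected value recorded when the release is first reviewed) so a later re-fetch cannot silently replace the RBAC that was reviewed. A `#!/bin/sh` line is also missing, so which interpreter runs the script depends on how it is invoked.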
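Review bot: `patchesStrategicMerge` in local-storage/kustomization.yaml is deprecated since kustomize v5 in favour of `patches`, so this file will warn now and stop building later; the same patch is expressed as `patches:` / `- patch: |-` with the body unchanged. The patch deletes the entire `annotations` map of the upstream `local-path` StorageClass, which from local-storage.yaml carries only `storageclass.kubernetes.io/is-default-class: "true"`; a comment on the patch such as `# strip the upstream is-default-class annotation so local-path is not the cluster default` would spare the next reader the lookup. Putting `apiVersion` and `kind` at the top of the file is the conventional layout.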
@@ -0,0 +1,159 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: local-path-provisioner-service-account + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: local-path-provisioner-role +rules: +- apiGroups: [""] + resources: ["nodes", "persistentvolumeclaims", "configmaps"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["endpoints", "persistentvolumes", "pods"] + verbs: ["*"] +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +- apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: local-path-provisioner-bind +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: local-path-provisioner-role +subjects: +- kind: ServiceAccount + name: local-path-provisioner-service-account + namespace: kube-system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: local-path-provisioner + namespace: kube-system +spec: + revisionHistoryLimit: 0 + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + selector: + matchLabels: + app: local-path-provisioner + template: + metadata: + labels: + app: local-path-provisioner + spec: + priorityClassName: "system-node-critical" + serviceAccountName: local-path-provisioner-service-account + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + containers: + - name: local-path-provisioner + image: rancher/local-path-provisioner:v0.0.24 + imagePullPolicy: IfNotPresent + command: + - local-path-provisioner + - start + - --config + - /etc/config/config.json + volumeMounts: + - name: config-volume + mountPath: /etc/config/ + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: 
+ fieldPath: metadata.namespace + volumes: + - name: config-volume + configMap: + name: local-path-config +--- +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: local-path + annotations: + storageclass.kubernetes.io/is-default-class: "true" +provisioner: rancher.io/local-path +volumeBindingMode: WaitForFirstConsumer +reclaimPolicy: Delete +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: local-path-config + namespace: kube-system +data: + config.json: |- + { + "nodePathMap":[ + { + "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES", + "paths":["/var/lib/rancher/k3s/storage"] + } + ] + } + setup: |- + #!/bin/sh + while getopts "m:s:p:" opt + do + case $opt in + p) + absolutePath=$OPTARG + ;; + s) + sizeInBytes=$OPTARG + ;; + m) + volMode=$OPTARG + ;; + esac + done + mkdir -m 0777 -p ${absolutePath} + chmod 700 ${absolutePath}/.. + teardown: |- + #!/bin/sh + while getopts "m:s:p:" opt + do + case $opt in + p) + absolutePath=$OPTARG + ;; + s) + sizeInBytes=$OPTARG + ;; + m) + volMode=$OPTARG + ;; + esac + done + rm -rf ${absolutePath} + helperPod.yaml: |- + apiVersion: v1 + kind: Pod + metadata: + name: helper-pod + spec: + containers: + - name: helper-pod + image: rancher/mirrored-library-busybox:1.34.1 + imagePullPolicy: IfNotPresent diff --git a/longhorn/deploy.sh b/longhorn/deploy.sh new file mode 100644 index 0000000..4da83e5 --- /dev/null +++ b/longhorn/deploy.sh @@ -0,0 +1,3 @@ +helm repo add longhorn https://charts.longhorn.io && helm repo update + +helm upgrade -i --create-namespace -n longhorn-system longhorn longhorn/longhorn -f values.yaml diff --git a/longhorn/diff.sh b/longhorn/diff.sh new file mode 100644 index 0000000..7d232e9 --- /dev/null +++ b/longhorn/diff.sh @@ -0,0 +1 @@ +helm diff upgrade -n longhorn-system longhorn longhorn/longhorn -f values.yaml diff --git a/longhorn/ingress.yaml b/longhorn/ingress.yaml new file mode 100644 index 0000000..7a49267 --- /dev/null +++ b/longhorn/ingress.yaml 
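Review bot: The `helm upgrade -i ... longhorn/longhorn -f values.yaml` line in longhorn/deploy.sh pins no chart version, so every run installs whatever the repo currently publishes and a storage-driver upgrade can happen as a side effect of pushing a values change. Add `--version <chart version placeholder>` (the release you actually validated) to the `helm upgrade` line, and the same flag to the `helm diff upgrade` line in longhorn/diff.sh so the diff is computed against the version that will be deployed. If re-runs of the unconditional `helm repo add` ever fail on your helm version because the repo already exists, `helm repo add --force-update longhorn https://charts.longhorn.io` is the idempotent form.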
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: longhorn
+ namespace: longhorn-system
+spec:
+ ingressClassName: haproxy
+ rules:
+ - host: longhorn.strudelline.net
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: oauth2-proxy
+ port:
+ name: http
diff --git a/longhorn/longhorn-backups-user-minio.yaml b/longhorn/longhorn-backups-user-minio.yaml
new file mode 100644
index 0000000..f4b1efa
--- /dev/null
+++ b/longhorn/longhorn-backups-user-minio.yaml
@@ -0,0 +1,25 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: "longhorn-backups-user-minio"
+ namespace: "longhorn-system"
+spec:
+ refreshInterval: "30s"
+ secretStoreRef:
+ name: bitwarden
+ kind: ClusterSecretStore
+ target:
+ name: "longhorn-backups-user-minio"
+ data:
+ - secretKey: AWS_ACCESS_KEY_ID
+ remoteRef:
+ key: "longhorn-backups on minio"
+ property: access-key
+ - secretKey: AWS_SECRET_ACCESS_KEY
+ remoteRef:
+ key: "longhorn-backups on minio"
+ property: secret-key
+ - secretKey: AWS_ENDPOINTS
+ remoteRef:
+ key: "longhorn-backups on minio"
+ property: endpoint
diff --git a/longhorn/longhorn-backups-user.yaml b/longhorn/longhorn-backups-user.yaml
new file mode 100644
index 0000000..4086cbd
--- /dev/null
+++ b/longhorn/longhorn-backups-user.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: longhorn-backups-user
+ namespace: longhorn-system
+spec:
+ refreshInterval: "60s"
+ secretStoreRef:
+ name: bitwarden
+ kind: ClusterSecretStore
+ target:
+ name: longhorn-backups-user
+ data:
+ - secretKey: CIFS_PASSWORD
+ remoteRef:
+ key: 'longhorn-backups user'
+ property: password
+ - secretKey: CIFS_USERNAME
+ remoteRef:
+ key: 'longhorn-backups user'
+ property: username
diff --git a/longhorn/oauth2-proxy-secret.yaml b/longhorn/oauth2-proxy-secret.yaml
new file mode 100644
index 0000000..72948b6
--- /dev/null
+++ b/longhorn/oauth2-proxy-secret.yaml
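Review bot: The Ingress in longhorn/ingress.yaml has no `tls:` stanza, so unless the haproxy ingress class terminates TLS somewhere outside this commit, `longhorn.strudelline.net` is served over plain HTTP, and the `--cookie-secure` flag on the oauth2-proxy container in longhorn/oauth2-proxy.yaml then very likely means the browser never stores the session cookie and each request bounces back to the OIDC login. If TLS is meant to terminate here, add `tls:` / `- hosts: [longhorn.strudelline.net]` / `secretName: <tls secret name placeholder>` under `spec` together with whatever certificate annotation the cluster uses; if it terminates upstream, a one-line comment saying so would save the next reader the same question. Routing only to the oauth2-proxy Service, with the unauthenticated `longhorn-frontend` Service left cluster-internal, is the right shape.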
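Review bot: The two ExternalSecrets poll Bitwarden at different rates for no stated reason — `refreshInterval: "30s"` in longhorn-backups-user-minio.yaml against `"60s"` in longhorn-backups-user.yaml — and 30 s is aggressive for static S3 credentials; unless those keys are rotated that often, something in the minutes-to-hours range (the oauth2-proxy secret in this commit uses `"30m"`) is plenty and keeps the secret-store quota quiet. Quoting also differs between the two files for the same fields (`name: "longhorn-backups-user-minio"` quoted but `name: longhorn-backups-user` bare, `key: "..."` versus `key: '...'`); one form per file makes a diff between them meaningful. If the minio endpoint uses a private CA, Longhorn also reads an `AWS_CERT` key from the backup-target secret; whether that applies is not visible from here.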
@@ -0,0 +1,34 @@
+---
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: Password
+metadata:
+ name: cookie-secret
+ namespace: longhorn-system
+spec:
+ length: 32
+ digits: 5
+ symbols: 3
+ symbolCharacters: "-_"
+ noUpper: false
+ allowRepeat: true
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: "oauth2-proxy"
+ namespace: longhorn-system
+spec:
+ refreshInterval: "30m"
+ target:
+ name: oauth2-proxy
+ dataFrom:
+ - sourceRef:
+ generatorRef:
+ apiVersion: generators.external-secrets.io/v1alpha1
+ kind: Password
+ name: "cookie-secret"
+ rewrite:
+ - regexp:
+ source: ".*"
+ target: "cookie_secret"
+
diff --git a/longhorn/oauth2-proxy.yaml b/longhorn/oauth2-proxy.yaml
new file mode 100644
index 0000000..4761d14
--- /dev/null
+++ b/longhorn/oauth2-proxy.yaml
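Review bot: With a generator as the only source, each reconcile of the `oauth2-proxy` ExternalSecret produces a new password, so `refreshInterval: "30m"` rotates the cookie secret twice an hour; the proxy reads `OAUTH2_PROXY_COOKIE_SECRET` from its environment at startup, so the Secret and the running process drift apart after the first refresh and every pod restart invalidates all sessions. If generate-once is the intent, set `refreshInterval: "0"` (as I read the ESO docs, zero means fetch or generate once and never refresh) with a comment such as `# generated once; refreshing would rotate the cookie key and log every user out`. A short comment on the generator would also record the constraint these numbers satisfy: oauth2-proxy wants a 16-, 24- or 32-byte key, and 32 characters drawn from letters, digits and `-_` form a valid URL-safe base64 string, so the value is accepted as a 24-byte key either way. The blank line added at the end of the hunk is stray whitespace.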
@@ -0,0 +1,90 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: oauth2-proxy
+ name: oauth2-proxy
+ namespace: longhorn-system
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: oauth2-proxy
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: oauth2-proxy
+ spec:
+ containers:
+ - name: oauth2-proxy-http
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: OAUTH2_PROXY_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: oidc-client
+ key: client_id
+ - name: OAUTH2_PROXY_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oidc-client
+ key: client_secret
+ - name: OAUTH2_PROXY_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy
+ key: cookie_secret
+ - name: OAUTH2_PROXY_UPSTREAMS
+ value: http://longhorn-frontend.longhorn-system.svc:80
+ args:
+ - --http-address=0.0.0.0:4180
+ - --whitelist-domain=strudelline.net:*
+ - --whitelist-domain=.strudelline.net:*
+ - --cookie-domain=strudelline.net
+ - --email-domain=werts.us
+ - --email-domain=strudelline.net
+ - --email-domain=andariese.net
+ - --cookie-secure
+ - --skip-provider-button
+ - --set-xauthrequest
+ - --provider=oidc
+ - --oidc-issuer-url=https://auth.werts.us/realms/werts
+ - --trusted-ip=172.16.0.0/16
+ - --cookie-csrf-per-request
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ping
+ port: http
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ ports:
+ - containerPort: 4180
+ name: http
+ protocol: TCP
+ terminationGracePeriodSeconds: 2
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: oauth2-proxy
+ name: oauth2-proxy
+ namespace: longhorn-system
+spec:
+ ports:
+ - name: http
+ port: 4180
+ protocol: TCP
+ targetPort: 4180
+ selector:
+ app: oauth2-proxy
diff --git a/longhorn/sc-nvme.yaml b/longhorn/sc-nvme.yaml
new file mode 100644
index 0000000..23ced1e
--- /dev/null
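Review bot: `--trusted-ip=172.16.0.0/16` exempts that whole range from authentication, and without `--reverse-proxy` oauth2-proxy evaluates it against the TCP peer address rather than a forwarded-client header, so the address it sees is the haproxy ingress pod and not the end user; if the pod or node network overlaps 172.16.0.0/16, every request through the ingress is trusted and the OIDC login is bypassed, and if it does not overlap the flag is dead weight that turns into a bypass the day the CIDR changes. I cannot tell from the commit which network 172.16.0.0/16 is, so either drop the flag, or add `--reverse-proxy` (so the `--real-client-ip-header` value is honoured, which is only safe if the ingress overwrites rather than appends that header) together with a comment naming the network, e.g. `# 172.16.0.0/16 = <network name placeholder>; requests from it skip login`. The container also has no `securityContext`; the `runAsNonRoot: true` / `allowPrivilegeEscalation: false` / `capabilities: {drop: [ALL]}` / `seccompProfile: {type: RuntimeDefault}` set on virt-operator earlier in this commit is the pattern to copy. The `oidc-client` Secret referenced by both `secretKeyRef`s is not part of this commit, so a comment saying where it comes from would help, and `creationTimestamp: null` under `template.metadata` is `kubectl get -o yaml` residue that can go.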
+++ b/longhorn/sc-nvme.yaml
@@ -0,0 +1,13 @@
+allowVolumeExpansion: true
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: nvme
+parameters:
+ dataLocality: disabled
+ fsType: ext4
+ diskSelector: nvme
+ numberOfReplicas: "1"
+provisioner: driver.longhorn.io
+reclaimPolicy: Delete
+volumeBindingMode: Immediate
diff --git a/longhorn/storageclass.yaml b/longhorn/storageclass.yaml
new file mode 100644
index 0000000..967aa13
--- /dev/null
+++ b/longhorn/storageclass.yaml
@@ -0,0 +1,26 @@
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+ name: ssd
+provisioner: driver.longhorn.io
+allowVolumeExpansion: true
+reclaimPolicy: Delete
+volumeBindingMode: Immediate
+parameters:
+ numberOfReplicas: "1"
+ staleReplicaTimeout: "2880" # 48 hours in minutes
+ fromBackup: ""
+ fsType: "ext4"
+ diskSelector: "ssd"
+ # nodeSelector: "storage,fast"
+ # recurringJobSelector: '[
+ # {
+ # "name":"snap",
+ # "isGroup":true,
+ # },
+ # {
+ # "name":"backup",
+ # "isGroup":false,
+ # }
+ # ]'
+
diff --git a/longhorn/values.yaml b/longhorn/values.yaml
new file mode 100644
index 0000000..888182e
--- /dev/null
+++ b/longhorn/values.yaml
@@ -0,0 +1,25 @@
+defaultSettings:
+ taintToleration: role=storage:NoExecute
+longhornDriver:
+ tolerations:
+ - effect: NoExecute
+ key: role
+ operator: Equal
+ value: storage
+longhornManager:
+ tolerations:
+ - effect: NoExecute
+ key: role
+ operator: Equal
+ value: storage
+longhornUI:
+ tolerations:
+ - effect: NoExecute
+ key: role
+ operator: Equal
+ value: storage
+persistence:
+ defaultClass: false
+ defaultClassReplicaCount: "1"
+ defaultNodeSelector:
+ selector: role:storage
diff --git a/mastodon/application.yaml b/mastodon/application.yaml
deleted file mode 100644
index ebaa549..0000000
--- a/mastodon/application.yaml
+++ /dev/null
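Review bot: Both new StorageClasses (`nvme` in sc-nvme.yaml and `ssd` in storageclass.yaml) set `numberOfReplicas: "1"` with `reclaimPolicy: Delete`, so a volume on either class has a single copy on a single disk and is gone when its PVC is deleted; that is a reasonable trade-off for fast local storage but belongs in a comment on the parameter, e.g. `# single replica: no protection against node or disk loss, rely on the backup target`. The two files also disagree on style for the same keys — `fsType: ext4` and `diskSelector: nvme` bare here, `fsType: "ext4"` and `diskSelector: "ssd"` quoted there, and `dataLocality` and `staleReplicaTimeout` each present in only one file — so aligning the parameter lists makes the intended difference (the disk tag) obvious. The commented-out `recurringJobSelector` value in storageclass.yaml has trailing commas inside its JSON objects, which is not valid JSON and would be rejected if it is ever uncommented as written.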
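Review bot: `persistence.defaultNodeSelector.selector: role:storage` in longhorn/values.yaml is set without `persistence.defaultNodeSelector.enable: true`, and as far as I recall the Longhorn chart only writes the selector into its default StorageClass when `enable` is true, so this line is probably a no-op; check the chart's values.yaml and either add `enable: true` or remove the block. Even when enabled it only affects the chart's own `longhorn` StorageClass — the `ssd` and `nvme` classes added in this commit carry no `nodeSelector` parameter, so their volumes are placed by `diskSelector` alone. The same four-line toleration is repeated for `longhornDriver`, `longhornManager` and `longhornUI`; it is consistent with `defaultSettings.taintToleration: role=storage:NoExecute`, and a one-line comment tying the four together would make that intent explicit.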
@@ -1,403 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: mastodon - namespace: argocd -spec: - destination: - name: in-cluster - namespace: mastodon - project: default - source: - path: . - repoURL: https://gitea.gitea.svc.cluster.local:3000/infra/mastodon-chart - targetRevision: main - helm: - values: | - image: - repository: ghcr.io/mastodon/mastodon - # https://github.com/mastodon/mastodon/pkgs/container/mastodon - # - # alternatively, use `latest` for the latest release or `edge` for the image - # built from the most recent commit - # - # tag: latest - tag: "latest" - # use `Always` when using `latest` tag - pullPolicy: IfNotPresent - - mastodon: - # -- create an initial administrator user; the password is autogenerated and will - # have to be reset - createAdmin: - # @ignored - enabled: false - # @ignored - username: not_gargron - # @ignored - email: not@example.com - cron: - # -- run `tootctl media remove` every week - removeMedia: - # @ignored - enabled: true - # @ignored - schedule: "0 0 * * 0" - # -- available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71 - locale: en - local_domain: werts.us - # -- Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation - # You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described - # Example: mastodon.example.com - web_domain: mastodon.werts.us - # -- If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled. 
- singleUserMode: false - # -- Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch - authorizedFetch: false - # -- Enables "Limited Federation Mode" for more detauls see: https://docs.joinmastodon.org/admin/config/#limited_federation_mode - limitedFederationMode: true - persistence: - assets: - # -- ReadWriteOnce is more widely supported than ReadWriteMany, but limits - # scalability, since it requires the Rails and Sidekiq pods to run on the - # same node. - accessMode: ReadWriteMany - resources: - requests: - storage: 10Gi - storageClassName: nfs - system: - accessMode: ReadWriteOnce - resources: - requests: - storage: 10Gi - storageClassName: local - s3: - enabled: false - access_key: "" - access_secret: "" - # -- you can also specify the name of an existing Secret - # with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY - existingSecret: "mastodon-secrets-s3" - bucket: "mastodon" - endpoint: "https://minio.strudelline.net" - hostname: "" - region: "" - permission: "" - # -- If you have a caching proxy, enter its base URL here. 
- alias_host: "" - # these must be set manually; autogenerated keys are rotated on each upgrade - secrets: - secret_key_base: "" - otp_secret: "" - vapid: - private_key: "" - public_key: "" - # -- you can also specify the name of an existing Secret - # with keys SECRET_KEY_BASE and OTP_SECRET and - # VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY - existingSecret: "mastodon-secrets-secrets" - sidekiq: - # -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext - podSecurityContext: {} - # -- (Sidekiq Container) Security Context for all Pods, overwrites .Values.securityContext - securityContext: {} - # -- Resources for all Sidekiq Deployments unless overwritten - resources: {} - # -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity - affinity: {} - # limits: - # cpu: "1" - # memory: 768Mi - # requests: - # cpu: 250m - # memory: 512Mi - workers: - - name: all-queues - # -- Number of threads / parallel sidekiq jobs that are executed per Pod - concurrency: 25 - # -- Number of Pod replicas deployed by the Deployment - replicas: 1 - # -- Resources for this specific deployment to allow optimised scaling, overwrites .Values.mastodon.sidekiq.resources - resources: {} - # -- Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity - affinity: {} - # -- Sidekiq queues for Mastodon that are handled by this worker. See https://docs.joinmastodon.org/admin/scaling/#concurrency - # See https://github.com/mperham/sidekiq/wiki/Advanced-Options#queues for how to weight queues as argument - queues: - - default,8 - - push,6 - - ingress,4 - - mailers,2 - - pull - - scheduler # Make sure the scheduler queue only exists once and with a worker that has 1 replica. 
- #- name: push-pull - # concurrency: 50 - # resources: {} - # replicas: 2 - # queues: - # - push - # - pull - #- name: mailers - # concurrency: 25 - # replicas: 2 - # queues: - # - mailers - #- name: default - # concurrency: 25 - # replicas: 2 - # queues: - # - default - smtp: - auth_method: plain - ca_file: /etc/ssl/certs/ca-certificates.crt - delivery_method: smtp - domain: - enable_starttls: 'auto' - from_address: notifications@example.com - return_path: - openssl_verify_mode: peer - port: 587 - reply_to: - server: smtp.mailgun.org - tls: false - login: - password: - # -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and - # password must be located in keys named `login` and `password` respectively. - existingSecret: mastdon-secrets-smtp - streaming: - port: 4000 - # -- this should be set manually since os.cpus() returns the number of CPUs on - # the node running the pod, which is unrelated to the resources allocated to - # the pod by k8s - workers: 1 - # -- The base url for streaming can be set if the streaming API is deployed to - # a different domain/subdomain. 
- base_url: null - # -- Number of Streaming Pods running - replicas: 1 - # -- Affinity for Streaming Pods, overwrites .Values.affinity - affinity: {} - # -- Pod Security Context for Streaming Pods, overwrites .Values.podSecurityContext - podSecurityContext: {} - # -- (Streaming Container) Security Context for Streaming Pods, overwrites .Values.securityContext - securityContext: {} - # -- (Streaming Container) Resources for Streaming Pods, overwrites .Values.resources - resources: {} - # limits: - # cpu: "500m" - # memory: 512Mi - # requests: - # cpu: 250m - # memory: 128Mi - web: - port: 3000 - # -- Number of Web Pods running - replicas: 1 - # -- Affinity for Web Pods, overwrites .Values.affinity - affinity: {} - # -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext - podSecurityContext: {} - # -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext - securityContext: {} - # -- (Web Container) Resources for Web Pods, overwrites .Values.resources - resources: {} - # limits: - # cpu: "1" - # memory: 1280Mi - # requests: - # cpu: 250m - # memory: 768Mi - # -- Puma-specific options. Below values are based on default behavior in - # config/puma.rb when no custom values are provided. 
- minThreads: "5" - maxThreads: "5" - workers: "2" - persistentTimeout: "20" - - metrics: - statsd: - # -- Enable statsd publishing via STATSD_ADDR environment variable - address: "" - - # Sets the PREPARED_STATEMENTS environment variable: https://docs.joinmastodon.org/admin/config/#prepared_statements - preparedStatements: true - - ingress: - enabled: true - annotations: - # For choosing an ingress ingressClassName is preferred over annotations - # kubernetes.io/ingress.class: nginx - # - # To automatically request TLS certificates use one of the following - # kubernetes.io/tls-acme: "true" - # cert-manager.io/cluster-issuer: "letsencrypt" - # - # ensure that NGINX's upload size matches Mastodon's - # for the K8s ingress controller: - # nginx.ingress.kubernetes.io/proxy-body-size: 40m - # for the NGINX ingress controller: - # nginx.org/client-max-body-size: 40m - # -- you can specify the ingressClassName if it differs from the default - ingressClassName: - hosts: - - host: mastodon.werts.us - paths: - - path: '/' - - # -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters - elasticsearch: - # `false` will disable full-text search - # - # if you enable ES after the initial install, you will need to manually run - # RAILS_ENV=production bundle exec rake chewy:sync - # (https://docs.joinmastodon.org/admin/optional/elasticsearch/) - # @ignored - enabled: true - # @ignored - image: - tag: 7 - - # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters - postgresql: - # -- disable if you want to use an existing db; in which case the values below - # must match those of that external postgres instance - enabled: true - # postgresqlHostname: preexisting-postgresql - # postgresqlPort: 5432 - auth: - database: mastodon_production - username: mastodon - # you must set a password; the password generated by the postgresql chart will - # be rotated on each upgrade: - # 
https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade - password: "" - # Set the password for the "postgres" admin user - # set this to the same value as above if you've previously installed - # this chart and you're having problems getting mastodon to connect to the DB - # postgresPassword: "" - # you can also specify the name of an existing Secret - # with a key of password set to the password you want - existingSecret: "mastodon-secrets-postgres" - - # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters - redis: - # disable if you want to use an existing redis instance; in which case the - # values below must match those of that external redis instance - enabled: true - hostname: "" - port: 6379 - auth: - # -- you must set a password; the password generated by the redis chart will be - # rotated on each upgrade: - password: "" - # you can also specify the name of an existing Secret - # with a key of redis-password set to the password you want - existingSecret: "mastodon-secrets-redis" - - # @ignored - service: - type: ClusterIP - port: 80 - - externalAuth: - oidc: - # -- OpenID Connect support is proposed in PR #16221 and awaiting merge. 
- enabled: true - display_name: "werts.us" - issuer: https://auth.werts.us/realms/werts - discovery: true - scope: "openid,profile" - uid_field: uid - client_id: mastodon - client_secret: eJ7ytP63vdMr8tK5KDyvYwr7ce6pSXhtc1x5GSx5yVOLzOl66Tb6OqwSWt776zhKkt18xFpPAGF2WdkUM7Y7HN - redirect_uri: https://mastodon.werts.us/auth/auth/openid_connect/callback - assume_email_is_verified: true - # client_auth_method: - # response_type: - # response_mode: - # display: - # prompt: - # send_nonce: - # send_scope_to_token_endpoint: - # idp_logout_redirect_uri: - # http_scheme: - # host: - # port: - # jwks_uri: - # auth_endpoint: - # token_endpoint: - # user_info_endpoint: - # end_session_endpoint: - - # -- https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75 - # - # if you manually change the UID/GID environment variables, ensure these values - # match: - podSecurityContext: - runAsUser: 991 - runAsGroup: 991 - fsGroup: 991 - - # @ignored - securityContext: {} - - serviceAccount: - # -- Specifies whether a service account should be created - create: true - # -- Annotations to add to the service account - annotations: {} - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - - # Custom annotations to apply to all created deployment objects. These can be - # used to help mastodon interact with other services in the cluster. - deploymentAnnotations: {} - - # -- Kubernetes manages pods for jobs and pods for deployments differently, so you might - # need to apply different annotations to the two different sets of pods. The annotations - # set with podAnnotations will be added to all deployment-managed pods. - podAnnotations: {} - - # If set to true, an annotation with the current chart release number will be added to all mastodon pods. This will - # cause all pods to be recreated every `helm upgrade` regardless of whether their config or spec changes. 
- revisionPodAnnotation: true - - # The annotations set with jobAnnotations will be added to all job pods. - jobAnnotations: {} - - # -- Default resources for all Deployments and jobs unless overwritten - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - - # @ignored - nodeSelector: {} - - # @ignored - tolerations: [] - - # -- Affinity for all pods unless overwritten - affinity: {} - syncPolicy: - automated: - prune: true - selfHeal: true - retry: - backoff: - duration: 5s - factor: 2 - maxDuration: 3m0s - limit: 10 - syncOptions: - - CreateNamespace=true diff --git a/matrix/db.yaml b/matrix/db.yaml index db26f8d..a5da2c9 100644 --- a/matrix/db.yaml +++ b/matrix/db.yaml 
@@ -1,20 +1,20 @@ apiVersion: postgres-operator.crunchydata.com/v1beta1 kind: PostgresCluster metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"postgres-operator.crunchydata.com/v1beta1","kind":"PostgresCluster","metadata":{"annotations":{},"labels":{"argocd.argoproj.io/instance":"argo1-cluster-resources"},"name":"synapse-werts-db","namespace":"synapse"},"spec":{"backups":{"pgbackrest":{"image":"registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.41-2","repos":[{"name":"repo1","volume":{"volumeClaimSpec":{"accessModes":["ReadWriteMany"],"resources":{"requests":{"storage":"100Gi"}},"storageClassName":"nfs"}}}]}},"image":"registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.6-2","instances":[{"dataVolumeClaimSpec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"50Gi"}},"storageClassName":"ssd"},"replicas":1}],"postgresVersion":14}} + creationTimestamp: "2023-04-15T00:57:21Z" + finalizers: + - postgres-operator.crunchydata.com/finalizer + generation: 7 + labels: + argocd.argoproj.io/instance: argo1-cluster-resources name: synapse-werts-db namespace: synapse + resourceVersion: "170903554" + uid: cb69574a-b5d3-43a2-956b-93e3fb052700 spec: - image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.6-2 - postgresVersion: 14 - instances: - - replicas: 1 - dataVolumeClaimSpec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: 50Gi - storageClassName: ssd backups: pgbackrest: image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.41-2 
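Review bot: The fields added under `metadata` — `kubectl.kubernetes.io/last-applied-configuration`, `creationTimestamp`, `finalizers`, `generation`, `resourceVersion` and `uid` — are server-populated values copied from a live object, not declarative configuration, and a later `kubectl apply` of this file may be rejected on the stale `resourceVersion` or overwrite the annotation the tool manages itself. The same applies to the entire `status:` block and the operator-defaulted `name: ""`, `paused: false` and `shutdown: false` fields added in the next hunk of this file. Keep only the `labels` entry (`argocd.argoproj.io/instance`) under `metadata` and the spec fields that intentionally differ from the operator defaults, so the checked-in manifest stays the source of truth rather than a snapshot.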
@@ -23,8 +23,78 @@ spec: volume: volumeClaimSpec: accessModes: - - "ReadWriteMany" + - ReadWriteMany resources: requests: storage: 100Gi storageClassName: nfs + image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.6-2 + instances: + - dataVolumeClaimSpec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 50Gi + storageClassName: ssd + name: "" + replicas: 1 + userInterface: + pgAdmin: + image: registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-17 + dataVolumeClaimSpec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: 1Gi + paused: false + port: 5432 + postgresVersion: 14 + shutdown: false +status: + conditions: + - lastTransitionTime: "2023-09-10T21:54:16Z" + message: pgBackRest dedicated repository host is ready + observedGeneration: 7 + reason: RepoHostReady + status: "True" + type: PGBackRestRepoHostReady + - lastTransitionTime: "2023-04-15T00:57:47Z" + message: pgBackRest replica create repo is ready for backups + observedGeneration: 7 + reason: StanzaCreated + status: "True" + type: PGBackRestReplicaRepoReady + - lastTransitionTime: "2023-04-15T00:58:59Z" + message: pgBackRest replica creation is now possible + observedGeneration: 7 + reason: RepoBackupComplete + status: "True" + type: PGBackRestReplicaCreate + databaseRevision: 7c4db5dbb6 + instances: + - name: "00" + readyReplicas: 1 + replicas: 1 + updatedReplicas: 1 + monitoring: + exporterConfiguration: 559c4c97d6 + observedGeneration: 7 + patroni: + systemIdentifier: "7222074515295850583" + pgbackrest: + repoHost: + apiVersion: apps/v1 + kind: StatefulSet + ready: true + repos: + - bound: true + name: repo1 + replicaCreateBackupComplete: true + stanzaCreated: true + volume: pvc-fa674c9a-8f36-447e-aa02-ea8d257c0b78 + proxy: + pgBouncer: + postgresRevision: 5c9966f6bc + usersRevision: 8454d6665f diff --git a/matrix/deployment.yaml b/matrix/deployment.yaml index 184f243..05fec8c 100644 --- a/matrix/deployment.yaml 
+++ b/matrix/deployment.yaml @@ -24,7 +24,7 @@ spec: - env: - name: SYNAPSE_CONFIG_PATH value: /config/homeserver.yaml - image: matrixdotorg/synapse:v1.71.0 + image: matrixdotorg/synapse:v1.92.3 imagePullPolicy: IfNotPresent name: synapse ports: @@ -59,4 +59,3 @@ spec: - name: config secret: secretName: synapse-werts-config - diff --git a/matrix/ingress.yaml b/matrix/ingress.yaml index b1cf7b3..ae99999 100644 --- a/matrix/ingress.yaml +++ b/matrix/ingress.yaml @@ -1,23 +1,10 @@ -apiVersion: v1 -kind: Service -metadata: - name: maubot - namespace: synapse -spec: - externalName: noctowl.cascade.strudelline.net - type: ExternalName - ports: - - name: http - port: 29316 - targetPort: 29316 ---- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: synapse-werts namespace: synapse spec: - ingressClassName: istio + ingressClassName: haproxy rules: - host: chat.werts.us http: @@ -28,15 +15,11 @@ spec: service: name: maubot port: - number: 29316 + number: 8080 - path: / pathType: Prefix backend: service: - name: synapse-werts + name: synapse-werts-untls-shim port: - number: 8008 - tls: - - hosts: - - chat.werts.us - secretName: wildcard-tls + number: 80 diff --git a/matrix/maubot-pvc.yaml b/matrix/maubot-pvc.yaml new file mode 100644 index 0000000..56c40a3 --- /dev/null +++ b/matrix/maubot-pvc.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: maubot-data + namespace: synapse +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: longhorn + volumeMode: Filesystem diff --git a/matrix/maubot-svc.yaml b/matrix/maubot-svc.yaml new file mode 100644 index 0000000..36f9213 --- /dev/null +++ b/matrix/maubot-svc.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: maubot + name: maubot + namespace: synapse +spec: + ports: + - port: 8080 + name: http + protocol: TCP + targetPort: 8080 + selector: + app: maubot + type: ClusterIP 
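Review bot: The `tls:` block for `chat.werts.us` (`secretName: wildcard-tls`) is removed from the Ingress in the second matrix/ingress.yaml hunk at the same time the backend moves to `synapse-werts-untls-shim` on port 80, so this Ingress no longer declares TLS for the host; unless the `haproxy` ingress class terminates TLS with a default certificate elsewhere, the Synapse client API and the maubot path become reachable over plaintext while the shim tells Synapse every request was `https`. If the controller does terminate TLS, say so next to `ingressClassName: haproxy` (e.g. `# TLS for *.werts.us is terminated by the haproxy ingress controller's default certificate`) so the missing `tls:` block is not read as an oversight. The same removal happens in profanity/ingress.yaml in this commit, and peertube/values.yaml leaves its `ingress.tls` block commented out.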
diff --git a/matrix/maubot.yaml b/matrix/maubot.yaml
new file mode 100644
index 0000000..64ab4dd
--- /dev/null
+++ b/matrix/maubot.yaml
@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: maubot
+ namespace: synapse
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: maubot
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: maubot
+ spec:
+ containers:
+ - name: maubot
+ #image: debian:11
+ #command: ["bash", "-c", "sleep 1000000"]
+ image: dock.mau.dev/maubot/maubot:latest
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /old-data
+ name: old-data-pv
+ - mountPath: /data
+ name: data-pv
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext: {}
+ terminationGracePeriodSeconds: 0
+ volumes:
+ - name: old-data-pv
+ nfs:
+ path: /volume1/docker-compose-mounts/maubot
+ server: 172.16.18.1
+ - name: data-pv
+ persistentVolumeClaim:
+ claimName: maubot-data
diff --git a/matrix/untls-shim.yaml b/matrix/untls-shim.yaml
new file mode 100644
index 0000000..63e7a2d
--- /dev/null
+++ b/matrix/untls-shim.yaml
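Review bot: `image: dock.mau.dev/maubot/maubot:latest` together with `imagePullPolicy: IfNotPresent` means each node runs whichever `latest` it last pulled, so the bot version is neither reproducible nor auditable; pin a version tag or digest. The pod also runs with `securityContext: {}` and a hard-coded NFS mount of `172.16.18.1:/volume1/docker-compose-mounts/maubot` at `/old-data`, which reads like a one-off migration source — once the data is on the `maubot-data` PVC, drop the NFS volume, and add `runAsNonRoot: true` and `allowPrivilegeEscalation: false` on the container if the image supports running unprivileged.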
@@ -0,0 +1,107 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "synapse-werts-untls-shim"
+ namespace: synapse
+data:
+ haproxy.cfg: |
+ global
+ log stdout format raw local0
+ stats timeout 30s
+ user haproxy
+ group haproxy
+
+ defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ balance source
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ http-reuse never
+ option disable-h2-upgrade
+
+ frontend http80
+ bind *:80
+ http-request capture req.hdr(Host) len 255
+ default_backend httpnodes
+
+ backend httpnodes
+ option forwardfor
+ http-request add-header x-forwarded-proto https
+ server s1 synapse-werts.synapse.svc.cluster.local:8008 check
+
+ frontend stats
+ mode http
+ option httplog
+ bind *:8404
+ http-request capture req.hdr(X-Forwarded-For) len 64
+ http-request capture req.hdr(Host) len 255
+ stats enable
+ stats uri /
+ stats refresh 10s
+ stats admin if LOCALHOST
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: "synapse-werts-untls-shim"
+ namespace: "synapse"
+ annotations:
+ "reloader.stakater.com/auto": "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: "synapse-werts-untls-shim"
+ strategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: "synapse-werts-untls-shim"
+ spec:
+ containers:
+ - image: haproxy:latest
+ name: haproxy
+ volumeMounts:
+ - mountPath: /usr/local/etc/haproxy/haproxy.cfg
+ name: config
+ subPath: haproxy.cfg
+ ports:
+ - containerPort: 80
+ name: http
+ protocol: TCP
+ - containerPort: 8404
+ name: stats
+ protocol: TCP
+ restartPolicy: Always
+ volumes:
+ - name: config
+ configMap:
+ name: "synapse-werts-untls-shim"
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: "synapse-werts-untls-shim"
+ namespace: "synapse"
+spec:
+ ipFamilies:
+ - IPv4
+ ipFamilyPolicy: SingleStack
+ ports:
+ - name: http-80
+ port: 80
+ protocol: TCP
+ targetPort: http
+ - name: https-8404
+ port: 8404
+ protocol: TCP
+ targetPort: stats
+ selector:
+ app: "synapse-werts-untls-shim"
+ type: ClusterIP
diff --git a/metallb/NEEDS_HELM b/metallb/NEEDS_HELM
new file mode 100644
index 0000000..d8a63ca
--- /dev/null
+++ b/metallb/NEEDS_HELM
@@ -0,0 +1 @@
+needs its helm chart from argo1 placed here and its resources adopted
diff --git a/multus/TODO b/multus/TODO
new file mode 100644
index 0000000..57ceee2
--- /dev/null
+++ b/multus/TODO
@@ -0,0 +1,3 @@
+cluster-network-addons is installed somehow
+helm install multus
+install the network addons config manifest
diff --git a/multus/network-addons-config.yaml b/multus/network-addons-config.yaml
new file mode 100644
index 0000000..8e84607
--- /dev/null
+++ b/multus/network-addons-config.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: networkaddonsoperator.network.kubevirt.io/v1
+kind: NetworkAddonsConfig
+metadata:
+ name: cluster
+spec:
+ imagePullPolicy: IfNotPresent
+ kubeMacPool: {}
+ linuxBridge: {}
+
diff --git a/node-sysctls/set-sysctls-ds.yaml b/node-init/node-init.yaml
similarity index 59%
rename from node-sysctls/set-sysctls-ds.yaml
rename to node-init/node-init.yaml
index 15e5ee0..f8b7425 100644
--- a/node-sysctls/set-sysctls-ds.yaml
+++ b/node-init/node-init.yaml
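Review bot: `http-request add-header x-forwarded-proto https` in backend `httpnodes` stamps every request as HTTPS regardless of how it reached the shim, and `add-header` keeps any `X-Forwarded-Proto` value a client already supplied rather than replacing it, so Synapse trusts a scheme assertion for plain-HTTP traffic that hits the shim's port 80 from anywhere inside the cluster; use `http-request set-header X-Forwarded-Proto https` and restrict the Service to the ingress controller (for example with a NetworkPolicy) if the assertion is meant to hold. The `stats` frontend on 8404 has no `stats auth` and is published cluster-wide through the Service port named `https-8404`, which is plain HTTP — either add `stats auth` or drop that port from the Service, and rename it to match what it carries. `image: haproxy:latest` should also be pinned to a specific release.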
@@ -25,20 +25,48 @@ spec: # this is implemented dorkily like this to cause it to be recreated # whenever there's a change. this is intended to eventually be moved # into a helm chart to use in argocd where this will make more sense - - name: init-node + - name: set-sysctls image: alpine:3.7 command: ["sh", "-c"] args: - |- + set -x while [ $# -gt 0 ];do nsenter --mount=/proc/1/ns/mnt -- sysctl "$1" shift done + - unused + - net.core.rmem_max=67108864 + - net.core.wmem_max=67108864 + - net.ipv4.tcp_rmem=4096 87380 33554432 + - net.ipv4.tcp_wmem=4096 65536 33554432 + - net.ipv4.tcp_mtu_probing=1 - fs.inotify.max_user_instances=511 - fs.inotify.max_user_watches=524288 - vm.max_map_count=262144 securityContext: privileged: true + - name: install-packages + image: alpine:3.7 + command: ["sh", "-c"] + args: + - |- + nsenter --mount=/proc/1/ns/mnt -- dpkg --configure -a + for f in open-iscsi uuid htop curl nfs-common iptables qemu-kvm virtinst neovim htop ethtool iproute2 moreutils;do + echo "installing $f" + nsenter --mount=/proc/1/ns/mnt -- apt-get install -y "$f" + shift + done + securityContext: + privileged: true + - name: iptables + image: alpine:3.7 + command: ["nsenter", "--mount=/proc/1/ns/mnt", "--", "sh", "-c"] + args: + - |- + iptables -A FORWARD -i br0 -j ACCEPT + securityContext: + privileged: true containers: - name: finished-sleep-forever image: k8s.gcr.io/pause:3.1 diff --git a/nordproxy/.gitignore b/nordproxy/.gitignore new file mode 100644 index 0000000..0d3a016 --- /dev/null +++ b/nordproxy/.gitignore @@ -0,0 +1 @@ +*.ovpn diff --git a/nordproxy/deployment.yaml b/nordproxy/deployment.yaml index 16b4e0c..0b4df3d 100644 --- a/nordproxy/deployment.yaml +++ b/nordproxy/deployment.yaml @@ -112,6 +112,3 @@ spec: app: nordproxy sessionAffinity: None type: LoadBalancer - - - diff --git a/nordproxy/import-vpnconfig.sh b/nordproxy/import-vpnconfig.sh new file mode 100644 index 0000000..1090b4d --- /dev/null +++ b/nordproxy/import-vpnconfig.sh 
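Review bot: The new `iptables` init container runs `iptables -A FORWARD -i br0 -j ACCEPT` unconditionally, so every pod restart appends another copy of the rule and the rule accepts all forwarded traffic entering on br0 with no further match; make it idempotent with `iptables -C FORWARD -i br0 -j ACCEPT || iptables -A FORWARD -i br0 -j ACCEPT` and add a comment stating why no source/destination restriction is needed. In `install-packages`, `shift` inside the `for f in …` loop is a leftover from the sysctl loop (it acts on the positional parameters, which are empty here, not on `$f`), `htop` is listed twice, and the container installs unpinned packages on the host from a 2018-era `alpine:3.7` image on every node start. The `- unused` placeholder in `set-sysctls` deserves a comment such as `# sh -c takes the first extra arg as $0, so this placeholder keeps the full sysctl list in $@`. The DaemonSet spec that encloses these init containers starts and ends outside the hunk.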
@@ -0,0 +1,4 @@ +#!/bin/sh + +kubectl -n nordproxy delete configmap openvpn-config || echo "didn't find a configmap to delete... continuing" +kubectl -n nordproxy create configmap openvpn-config "--from-file=vpn.conf=$1" diff --git a/nvidia/README.md b/nvidia/README.md index b224a0b..c5bbad7 100644 --- a/nvidia/README.md +++ b/nvidia/README.md @@ -15,7 +15,7 @@ It installs the RuntimeClass needed to target the nvidia runtime and installs the device plugin with GFD (node finder for GPUs) via helm. -# Wrap up +# Testing With these two pieces installed, you should be able to find a GPU-bearing node. diff --git a/nvidia/deploy.sh b/nvidia/deploy.sh new file mode 100644 index 0000000..f299c13 --- /dev/null +++ b/nvidia/deploy.sh @@ -0,0 +1,13 @@ +helm repo add nvidia-k8s-device-plugin https://nvidia.github.io/k8s-device-plugin +helm upgrade -i -n kube-system --create-namespace \ + --set runtimeClassName=nvidia \ + --set gfd.enabled=true \ + nvidia-device-plugin nvidia-k8s-device-plugin/nvidia-device-plugin + +kubectl apply -f - << EOF +apiVersion: node.k8s.io/v1 +kind: RuntimeClass +metadata: + name: nvidia +handler: nvidia +EOF diff --git a/nvidia/gpu-test.yaml b/nvidia/gpu-test.yaml new file mode 100644 index 0000000..57d8a57 --- /dev/null +++ b/nvidia/gpu-test.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: default + name: gpu-test +spec: + replicas: 0 + selector: + matchLabels: + app: gpu-test + strategy: + type: Recreate + template: + metadata: + labels: + app: gpu-test + spec: + containers: + - name: gpu-test + image: xychelsea/ffmpeg-nvidia:latest-jupyter + restartPolicy: Always diff --git a/nvidia/nvidia-runtime-class.yaml b/nvidia/nvidia-runtime-class.yaml new file mode 100644 index 0000000..99dbc4b --- /dev/null +++ b/nvidia/nvidia-runtime-class.yaml @@ -0,0 +1,6 @@ +apiVersion: node.k8s.io/v1 +kind: RuntimeClass +metadata: + name: nvidia +handler: nvidia + 
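Review bot: The VPN profile passed as `$1` is stored as a ConfigMap (`kubectl -n nordproxy create configmap openvpn-config …`), but an OpenVPN profile normally embeds the CA, client certificate/key or `auth-user-pass` credentials — and the `*.ovpn` entry added to nordproxy/.gitignore in this commit treats the file as sensitive — so it belongs in a Secret, `kubectl -n nordproxy create secret generic openvpn-config "--from-file=vpn.conf=$1"`, where the cluster's RBAC and encryption-at-rest rules for secrets apply. The script has no `set -eu` and no check that `$1` is set and readable, so a missing argument deletes the existing ConfigMap and then fails to recreate it, leaving the proxy without a profile. The matching volume in nordproxy/deployment.yaml (not visible in this hunk) would need to change from `configMap` to `secret` accordingly.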
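Review bot: The `RuntimeClass` applied inline through the heredoc duplicates nvidia/nvidia-runtime-class.yaml added in the same commit, so the two definitions can drift; keep one source, e.g. `kubectl apply -f nvidia-runtime-class.yaml`. The `helm upgrade` line pins no `--version`, so each run installs whatever chart version the repository currently serves.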
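Review bot: `gpu-test` requests no GPU — there is no `resources.limits` entry for `nvidia.com/gpu` and no `runtimeClassName: nvidia` — so once scaled above `replicas: 0` the pod is scheduled without any device from the plugin installed in nvidia/deploy.sh (extended resources are only assigned to pods that request them) and, unless nvidia is the node's default runtime, without the nvidia runtime hooks either, which defeats the "Testing" purpose the README rename gives it. It also runs the third-party image `xychelsea/ffmpeg-nvidia:latest-jupyter` unpinned and without limits in the `default` namespace; pin a tag or digest and add `runtimeClassName: nvidia` plus `resources: {limits: {nvidia.com/gpu: 1}}` so the test exercises the GPU path.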
diff --git a/opsdroid/deploy.yaml b/opsdroid/deploy.yaml deleted file mode 100644 index 1f7244d..0000000 --- a/opsdroid/deploy.yaml +++ /dev/null @@ -1,75 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: opsdroid - annotations: - wildcard-tls.kn8v.com/copy: "true" ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: "opsdroid" - namespace: "opsdroid" -data: - configuration.yaml: | - connectors: - websocket: {} - - skills: - hello: {} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "opsdroid" - namespace: "opsdroid" - annotations: - "reloader.stakater.com/auto": "true" -spec: - replicas: 1 - selector: - matchLabels: - app: "opsdroid" - strategy: - type: RollingUpdate - template: - metadata: - labels: - app: "opsdroid" - spec: - containers: - - image: ghcr.io/opsdroid/opsdroid:latest - name: opsdroid - volumeMounts: - - mountPath: /home/opsdroid/.config/opsdroid/configuration.yaml - name: config - subPath: configuration.yaml - restartPolicy: Always - volumes: - - name: config - configMap: - name: "opsdroid" ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: opsdroid - name: opsdroid-http - namespace: opsdroid - annotations: - metallb.universe.tf/allow-shared-ip: 172.16.17.23 - metallb.universe.tf/loadBalancerIPs: 172.16.17.23 -spec: - ipFamilies: - - IPv4 - ipFamilyPolicy: SingleStack - ports: - - port: 80 - name: ssh - protocol: TCP - targetPort: 8080 - selector: - app: opsdroid - type: LoadBalancer - diff --git a/peertube/application.yaml b/peertube/application.yaml deleted file mode 100644 index bf75bbc..0000000 --- a/peertube/application.yaml +++ /dev/null 
@@ -1,253 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: peertube-werts - namespace: argocd -spec: - destination: - name: in-cluster - namespace: peertube-werts - project: default - source: - chart: peertube - repoURL: https://ananace.gitlab.io/charts - targetRevision: 0.3.4 - helm: - values: | - image: - repository: chocobozzz/peertube - pullPolicy: IfNotPresent - ## Overrides the image tag whose default is the chart appVersion. - # tag: production-bullseye - config: - serverName: tube.werts.us - ## Generate with somethingl like `openssl rand -hex 32` - will auto-generate if left blank - secret: 1165b3438b487d6dc52fc9d63ff78ef46a7e568a8daebdafd6f416d899aefbc6 - - admin: - email: peertube@strudelline.net - - ## Mail transfer setup, need to provide a hostname for SMTP - mail: - transport: smtp - # sendmail: - hostname: smtp.mailgun.org - port: 465 - username: peertube@strudelline.net - fromAddress: peertube@strudelline.net - - ## Password can be set either directly or with an existing secret. - # password: - - existingSecret: peertube-smtp - existingSecretKey: smtp-password - - ## Data storage on S3 - will still require persistence even if enabled. - objectStorage: - enabled: false - - endpoint: https://minio.strudelline.net - region: syno-cascade-1 - # uploadACL: public-read - maxUploadPart: 128MB - - accessKey: 3MvLDZE2XiK5XlbE - secretKey: xmA9bJGlcFArtwHStJnqQTyZQjiyR1jv - - streaming: - bucket_name: peertube-streaming - # prefix: - base_url: https://minio.strudelline.net/peertube-streaming - - videos: - bucket_name: peertube-videos - # prefix: - base_url: https://minio.strudelline.net/peertube-videos - - ## Main persistent storage, will be used for uploads, processing, plugins, etc - persistence: - enabled: true - - size: 1000Gi - storageClass: nfs - - ## Additional configuration to set on the main production.yaml configuration. 
- ## See https://github.com/Chocobozzz/PeerTube/blob/develop/config/production.yaml.example - ## - extraConfig: - ## It's recommended to limit this to only your internal cluster network - trust_proxy: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/24 - - fc00::/7 - # - loopback - - instance: - description: "WerTube" - - ## Extra environment variables to set on Peertube - ## - extraEnv: - - name: http_proxy - value: http://172.16.17.180:4080 - - name: https_proxy - value: http://172.16.17.180:4080 - - name: HTTP_PROXY - value: http://172.16.17.180:4080 - - name: HTTPS_PROXY - value: http://172.16.17.180:4080 - # - name: TZ - # value: Europe/Stockholm - extraSecret: {} - # PEERTUBE_INSTANCE_TERMS: "These are some very secret terms-of-service" - - ## Extra values to set on the pod spec. - ## Can be used for setting things like host aliases, overhead, custom schedulers, etc - ## - extraPodSpec: {} - - ## Self-deployed PostgreSQL database - ## See: https://github.com/bitnami/charts/tree/master/bitnami/postgresql - ## - postgresql: - enabled: false - - auth: - database: peertube - username: peertube - - # existingSecret: - # secretKeys: - # userPasswordKey: password - - persistence: - enabled: true - - ## Externally managed PostgreSQL, required if postgresql.enabled=false - ## - externalPostgresql: - host: peertube-db-primary.peertube-werts.svc - port: 5432 - - database: peertube-db - username: peertube-db - # password: - # ssl: true - - existingSecret: peertube-db-pguser-peertube-db - existingSecretKey: password - - ## Self-deployed Redis database - ## See: https://github.com/bitnami/charts/tree/master/bitnami/redis - ## - redis: - enabled: true - architecture: standalone - - auth: - enabled: true - password: peertube-98fuhaewulfh - - # existingSecret: redis-secret - # existingSecretPasswordKey: redis-password - - master: - kind: Deployment - persistence: - enabled: true - - ## Externally managed Redis, required if redis.enabled=false - ## - externalRedis: - host: - # 
port: 6379 - # db: 0 - - # password: - - # existingSecret: - # existingSecretKey: redis-password - - ## Default probes, using ping API to avoid excessive echo - ## - livenessProbe: - httpGet: - path: /api/v1/ping - port: http - readinessProbe: - httpGet: - path: /api/v1/ping - port: http - - serviceAccount: - ## Specifies whether a service account should be created - create: true - ## Annotations to add to the service account - annotations: {} - ## The name of the service account to use. - ## If not set and create is true, a name is generated using the fullname template - # name: - - podAnnotations: {} - - podSecurityContext: - fsGroup: 999 - - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 999 - # capabilities: - # drop: - # - ALL - - service: - type: ClusterIP - port: 80 - rtmpPort: 1935 - - ingress: - enabled: true - className: istio - paths: - - path: / - pathType: Prefix - #tls: - #- hosts: - # - tube.werts.us - # secretName: wildcard-tls - - resources: {} - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - - autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 3 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - - nodeSelector: {} - - tolerations: [] - - affinity: {} - - syncPolicy: - automated: - prune: true - selfHeal: true - retry: - backoff: - duration: 5s - factor: 2 - maxDuration: 3m0s - limit: 10 - syncOptions: - - CreateNamespace=true diff --git a/peertube/db.yaml b/peertube/db.yaml new file mode 100644 index 0000000..eed68fb --- /dev/null +++ b/peertube/db.yaml 
@@ -0,0 +1,30 @@
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+ name: peertube-db
+ namespace: peertube-werts
+spec:
+ image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.6-2
+ postgresVersion: 14
+ instances:
+ - replicas: 1
+ dataVolumeClaimSpec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: local-path
+ backups:
+ pgbackrest:
+ image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.41-2
+ repos:
+ - name: repo1
+ volume:
+ volumeClaimSpec:
+ accessModes:
+ - "ReadWriteMany"
+ resources:
+ requests:
+ storage: 5Gi
+ storageClassName: nfs
diff --git a/peertube/deploy.sh b/peertube/deploy.sh
new file mode 100644
index 0000000..65bf098
--- /dev/null
+++ b/peertube/deploy.sh
@@ -0,0 +1 @@
+helm upgrade -i --create-namespace -n peertube-werts peertube-werts ananace-charts/peertube -f values.yaml
diff --git a/peertube/diff.sh b/peertube/diff.sh
new file mode 100644
index 0000000..a95a614
--- /dev/null
+++ b/peertube/diff.sh
@@ -0,0 +1 @@
+helm diff upgrade -n peertube-werts peertube-werts ananace-charts/peertube -f values.yaml
diff --git a/peertube/ns.yaml b/peertube/ns.yaml
new file mode 100644
index 0000000..2bd0013
--- /dev/null
+++ b/peertube/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: peertube-werts
diff --git a/peertube/values.yaml b/peertube/values.yaml
new file mode 100644
index 0000000..3cb7bb2
--- /dev/null
+++ b/peertube/values.yaml
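Review bot: `storageClassName: local-path` on the single-replica instance (`replicas: 1`) ties the Postgres data directory to one node's local disk, so losing that node means a restore from the `nfs` pgbackrest repo rather than a failover; if that trade-off is intended, record it in a comment next to the storage class (`# local-path: data lives on one node; recovery is via pgbackrest repo1`), otherwise use a replicated class or a second replica. The backup repo has no schedule configured in this manifest, so only the operator's initial backup will exist unless `backups.pgbackrest.repos[0].schedules` is set.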
@@ -0,0 +1,225 @@
+image:
+ repository: chocobozzz/peertube
+ pullPolicy: IfNotPresent
+ ## Overrides the image tag whose default is the chart appVersion.
+ # tag: production-bullseye
+config:
+ serverName: tube.werts.us
+ ## Generate with somethingl like `openssl rand -hex 32` - will auto-generate if left blank
+ secret: 1165b3438b487d6dc52fc9d63ff78ef46a7e568a8daebdafd6f416d899aefbc6
+
+ admin:
+ email: peertube@strudelline.net
+
+ ## Mail transfer setup, need to provide a hostname for SMTP
+ mail:
+ transport: smtp
+ # sendmail:
+ hostname: smtp.mailgun.org
+ port: 465
+ username: peertube@strudelline.net
+ fromAddress: peertube@strudelline.net
+
+ ## Password can be set either directly or with an existing secret.
+ # password:
+
+ existingSecret: peertube-smtp
+ existingSecretKey: smtp-password
+
+ ## Data storage on S3 - will still require persistence even if enabled.
+ objectStorage:
+ enabled: false
+
+ endpoint: https://minio.strudelline.net
+ region: syno-cascade-1
+ # uploadACL: public-read
+ maxUploadPart: 128MB
+
+ accessKey: 3MvLDZE2XiK5XlbE
+ secretKey: xmA9bJGlcFArtwHStJnqQTyZQjiyR1jv
+
+ streaming:
+ bucket_name: peertube-streaming
+ # prefix:
+ base_url: https://minio.strudelline.net/peertube-streaming
+
+ videos:
+ bucket_name: peertube-videos
+ # prefix:
+ base_url: https://minio.strudelline.net/peertube-videos
+
+ ## Main persistent storage, will be used for uploads, processing, plugins, etc
+ persistence:
+ enabled: true
+
+ size: 1000Gi
+ storageClass: nfs
+
+## Additional configuration to set on the main production.yaml configuration.
+## See https://github.com/Chocobozzz/PeerTube/blob/develop/config/production.yaml.example
+##
+extraConfig:
+ ## It's recommended to limit this to only your internal cluster network
+ trust_proxy:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - 192.168.0.0/24
+ - fc00::/7
+ # - loopback
+
+ instance:
+ description: "WerTube"
+
+## Extra environment variables to set on Peertube
+##
+extraEnv:
+- name: http_proxy
+ value: http://172.16.17.180:4080
+- name: https_proxy
+ value: http://172.16.17.180:4080
+- name: HTTP_PROXY
+ value: http://172.16.17.180:4080
+- name: HTTPS_PROXY
+ value: http://172.16.17.180:4080
+ # - name: TZ
+ # value: Europe/Stockholm
+extraSecret: {}
+ # PEERTUBE_INSTANCE_TERMS: "These are some very secret terms-of-service"
+
+## Extra values to set on the pod spec.
+## Can be used for setting things like host aliases, overhead, custom schedulers, etc
+##
+extraPodSpec: {}
+
+## Self-deployed PostgreSQL database
+## See: https://github.com/bitnami/charts/tree/master/bitnami/postgresql
+##
+postgresql:
+ enabled: false
+
+ auth:
+ database: peertube
+ username: peertube
+
+ # existingSecret:
+ # secretKeys:
+ # userPasswordKey: password
+
+ persistence:
+ enabled: true
+
+## Externally managed PostgreSQL, required if postgresql.enabled=false
+##
+externalPostgresql:
+ host: peertube-db-primary.peertube-werts.svc
+ port: 5432
+
+ database: peertube-db
+ username: peertube-db
+ # password:
+ # ssl: true
+
+ existingSecret: peertube-db-pguser-peertube-db
+ existingSecretKey: password
+
+## Self-deployed Redis database
+## See: https://github.com/bitnami/charts/tree/master/bitnami/redis
+##
+redis:
+ enabled: true
+ architecture: standalone
+
+ auth:
+ enabled: true
+ password: peertube-98fuhaewulfh
+
+ # existingSecret: redis-secret
+ # existingSecretPasswordKey: redis-password
+
+ master:
+ kind: Deployment
+ persistence:
+ enabled: true
+ storageClass: longhorn
+
+## Externally managed Redis, required if redis.enabled=false
+##
+externalRedis:
+ host:
+ # port: 6379
+ # db: 0
+
+ # password:
+
+ # existingSecret:
+ # existingSecretKey: redis-password
+
+## Default probes, using ping API to avoid excessive echo
+##
+livenessProbe:
+ httpGet:
+ path: /api/v1/ping
+ port: http
+readinessProbe:
+ httpGet:
+ path: /api/v1/ping
+ port: http
+
+serviceAccount:
+ ## Specifies whether a service account should be created
+ create: true
+ ## Annotations to add to the service account
+ annotations: {}
+ ## The name of the service account to use.
+ ## If not set and create is true, a name is generated using the fullname template
+ # name:
+
+podAnnotations: {}
+
+podSecurityContext:
+ fsGroup: 999
+
+securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 999
+ # capabilities:
+ # drop:
+ # - ALL
+
+service:
+ type: ClusterIP
+ port: 80
+ rtmpPort: 1935
+
+ingress:
+ enabled: true
+ className: haproxy
+ paths:
+ - path: /
+ pathType: Prefix
+ #tls:
+ #- hosts:
+ # - tube.werts.us
+ # secretName: wildcard-tls
+
+resources: {}
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 3
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/pihole/cm.yaml b/pihole/cm.yaml
new file mode 100644
index 0000000..25d4d7e
--- /dev/null
+++ b/pihole/cm.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pihole-dnsmasq
+ namespace: pihole
+data:
+ 05-custom-config.conf: |
+ rebind-domain-ok=/.werts.us/
+ rebind-domain-ok=/.plex.direct/
diff --git a/pihole/deployment.yaml b/pihole/deployment.yaml
new file mode 100644
index 0000000..1292ce1
--- /dev/null
+++ b/pihole/deployment.yaml
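Review bot: `config.secret`, `objectStorage.accessKey`/`secretKey` and `redis.auth.password` are committed as plaintext in this values file — the object-storage keys even though `objectStorage.enabled: false` — and the file is what peertube/deploy.sh passes to `helm upgrade -f values.yaml`, so anyone with read access to the repository holds the application secret, the MinIO credentials and the Redis password. Move them into Kubernetes Secrets where the chart offers a hook (the commented `existingSecret: redis-secret` / `existingSecretPasswordKey: redis-password` keys under `redis.auth`, the same `existingSecret` pattern already used for SMTP and PostgreSQL), keep the rest in a git-ignored override passed as a second `-f`, and rotate the values that are now in history. The unused object-storage credentials should simply be removed until that feature is enabled.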
@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: pihole
+ name: pihole
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: pihole
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: pihole
+ annotations:
+ k8s.v1.cni.cncf.io/networks: '[{
+ "namespace": "cascade",
+ "name": "br0-static",
+ "ips": ["172.16.1.8/12"]
+ }]'
+ spec:
+ hostname: pihole
+ dnsConfig:
+ nameservers:
+ - 127.0.0.1
+ searches:
+ - cascade.strudelline.net
+ dnsPolicy: "ClusterFirstWithHostNet"
+ containers:
+ - image: pihole/pihole:latest
+ name: pihole
+ env:
+ - name: TZ
+ value: America/Chicago
+ - name: PIHOLE_BASE
+ value: /data
+ - name: VIRTUAL_HOST
+ value: pihole.strudelline.net
+ - name: PIHOLE_DOMAIN
+ value: cascade.strudelline.net
+ volumeMounts:
+ - name: pihole-etc
+ mountPath: /etc/pihole
+ - name: pihole-dnsmasq
+ mountPath: /etc/dnsmasq.d/05-custom-config.conf
+ subPath: 05-custom-config.conf
+ - name: pihole-data
+ mountPath: /data
+ restartPolicy: Always
+ volumes:
+ - name: pihole-etc
+ persistentVolumeClaim:
+ claimName: pihole-etc
+ - name: pihole-dnsmasq
+ configMap:
+ name: pihole-dnsmasq
+ - name: pihole-data
+ persistentVolumeClaim:
+ claimName: pihole-data
diff --git a/pihole/ingress.yaml b/pihole/ingress.yaml new file mode 100644
index 0000000..4baf957
--- /dev/null
+++ b/pihole/ingress.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: pihole
+ namespace: pihole
+spec:
+ ingressClassName: haproxy
+ rules:
+ - host: pihole.strudelline.net
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: pihole-frontend
+ port:
+ number: 80
diff --git a/pihole/ns.yaml b/pihole/ns.yaml new file mode 100644
index 0000000..9693809
--- /dev/null
+++ b/pihole/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pihole
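Review bot: `image: pihole/pihole:latest` leaves the network's DNS resolver unpinned, so any Recreate rollout (or a restart triggered by the `reloader.stakater.com/auto` annotation) pulls whatever the registry currently serves; pin a tag and digest, e.g. `image: pihole/pihole:<TAG>@sha256:<DIGEST>` (placeholder). The container also declares no `securityContext` and no `resources`, and no env entry in this hunk sets a web-UI admin password, so whatever the image does by default applies. Note that the `pihole-dnsmasq` volume here is a ConfigMap, while `pihole/pvc.yaml` in the same commit also creates a PersistentVolumeClaim named `pihole-dnsmasq` that nothing mounts; a comment such as `# dnsmasq snippet comes from the ConfigMap, not the PVC of the same name` would prevent confusion.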
diff --git a/pihole/pvc.yaml b/pihole/pvc.yaml new file mode 100644
index 0000000..6f9ae7c
--- /dev/null
+++ b/pihole/pvc.yaml
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: pihole-data
+ namespace: pihole
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ storageClassName: longhorn
+ volumeMode: Filesystem
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: pihole-dnsmasq
+ namespace: pihole
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 50Mi
+ storageClassName: longhorn
+ volumeMode: Filesystem
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: pihole-etc
+ namespace: pihole
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5368709120
+ storageClassName: longhorn
+ volumeMode: Filesystem
diff --git a/pihole/svc.yaml b/pihole/svc.yaml new file mode 100644
index 0000000..82f67f6
--- /dev/null
+++ b/pihole/svc.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: pihole
+ name: pihole-frontend
+ namespace: pihole
+spec:
+ selector:
+ app: pihole
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ clusterIP: None
+ type: ClusterIP
diff --git a/profanity/ingress.yaml b/profanity/ingress.yaml
index 9ae96dc..21394e1 100644
--- a/profanity/ingress.yaml
+++ b/profanity/ingress.yaml
@@ -4,7 +4,7 @@ metadata:
 name: profanity
 namespace: profanity
 spec:
- ingressClassName: istio
+ ingressClassName: haproxy
 rules:
 - host: profanity.strudelline.net
 http:
@@ -16,7 +16,3 @@ spec:
 name: profanity
 port:
 number: 5000
- tls:
- - hosts:
- - profanity.strudelline.net
- secretName: wildcard-tls
diff --git a/readarr/deployment.yaml b/readarr/deployment.yaml new file mode 100644
index 0000000..a9d11f8
--- /dev/null
+++ b/readarr/deployment.yaml 
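Review bot: `storage: 5368709120` on the `pihole-etc` claim is a bare byte count while the two sibling claims use `5Gi` and `50Mi`; it is exactly 5 GiB, so `storage: 5Gi` says the same thing in the same units as the rest of the file. The `pihole-dnsmasq` claim has no consumer in this commit — `pihole/deployment.yaml` mounts a ConfigMap of that name instead — so either drop it or add a comment stating what is expected to use it, otherwise it sits allocated on longhorn for nothing.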
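Review bot: With the `tls:` block removed and the class switched to `haproxy`, this Ingress no longer declares any certificate for `profanity.strudelline.net`; unless the haproxy ingress controller carries a default certificate (not visible in this commit), the host is now served plain HTTP. The same `istio` → `haproxy` switch is made in `sonarr/deployment.yaml` in this commit, and the new Ingress objects for pihole, readarr, toots and tubearchivist likewise carry no `tls:`. If termination is intentionally delegated to the controller, a one-line comment above `ingressClassName`, `# TLS terminated by the haproxy ingress default (wildcard) certificate`, would make that explicit.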
@@ -0,0 +1,156 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: readarr
+ namespace: readarr
+spec:
+ ingressClassName: haproxy
+ rules:
+ - host: readarr.strudelline.net
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: readarr
+ port:
+ number: 8787
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: readarr
+ name: readarr
+spec:
+ replicas: 0
+ selector:
+ matchLabels:
+ app: readarr
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: readarr
+ spec:
+ terminationGracePeriodSeconds: 0
+ restartPolicy: Always
+ initContainers:
+ - name: killswitch
+ image: xjasonlyu/tun2socks:latest
+ command: ["sh","-c"]
+ args:
+ - |
+ iptables -t mangle -A POSTROUTING -o eth0 -d 172.16.0.0/12 -j ACCEPT
+ iptables -t mangle -A POSTROUTING -o eth0 -d 10.0.0.0/8 -j ACCEPT
+ iptables -t mangle -A POSTROUTING -o eth0 -d 192.168.0.0/16 -j ACCEPT
+ iptables -t mangle -A POSTROUTING -o eth0 -j DROP
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN","SYS_TIME"]
+ volumes:
+ - name: config
+ nfs:
+ server: 172.16.18.1
+ path: /volume1/k8s-volumes/readarr-config
+ - name: dropbox
+ nfs:
+ server: 172.16.18.1
+ path: /volume1/dropbox
+ - name: audiobooks
+ nfs:
+ server: 172.16.18.1
+ path: /volume1/audiobooks
+ containers:
+ - name: readarr
+ image: lscr.io/linuxserver/readarr:develop
+ env:
+ - name: TZ
+ value: America/Chicago
+ - name: PUID
+ value: "1029"
+ - name: PGID
+ value: "101"
+ volumeMounts:
+ - mountPath: /volume1/audiobooks
+ name: audiobooks
+ - mountPath: /volume1/dropbox
+ name: dropbox
+ - mountPath: /config
+ name: config
+ - name: vpn
+ image: xjasonlyu/tun2socks:latest
+ command: ["sh","-c"]
+ args:
+ - |
+ mkdir -p /dev/net
+ mknod /dev/net/tun c 10 200
+ exec /entrypoint.sh
+ env:
+ - name: TUN
+ value: tun0
+ - name: PROXY
+ value: socks5://172.16.17.180:1080
+ - name: TUN_EXCLUDED_ROUTES
+ value: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+ securityContext:
+ capabilities: 
+ add: ["NET_ADMIN","SYS_TIME"]
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: readarr
+ name: readarr
+ namespace: readarr
+spec:
+ ipFamilies:
+ - IPv4
+ ipFamilyPolicy: SingleStack
+ ports:
+ - name: readarr
+ port: 8787
+ protocol: TCP
+ targetPort: 8787
+ selector:
+ app: readarr
+ sessionAffinity: None
+ type: ClusterIP
+#apiVersion: v1
+#kind: Service
+#metadata:
+# annotations:
+# metallb.universe.tf/allow-shared-ip: 172.16.17.180
+# metallb.universe.tf/loadBalancerIPs: 172.16.17.180
+# labels:
+# app: nordproxy
+# name: nordproxy
+# namespace: nordproxy
+#spec:
+# ipFamilies:
+# - IPv4
+# ipFamilyPolicy: SingleStack
+# ports:
+# - name: dns
+# port: 53
+# protocol: UDP
+# targetPort: 5353
+# - name: socks
+# port: 1080
+# protocol: TCP
+# targetPort: 1080
+# - name: gost-auto
+# port: 4080
+# protocol: TCP
+# targetPort: 4080
+# - name: http
+# port: 8080
+# protocol: TCP
+# targetPort: 8080
+# selector:
+# app: nordproxy
+# sessionAffinity: None
+# type: LoadBalancer
diff --git a/readarr/ns.yaml b/readarr/ns.yaml new file mode 100644
index 0000000..3e7830a
--- /dev/null
+++ b/readarr/ns.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: readarr
+
diff --git a/sonarr/deployment.yaml b/sonarr/deployment.yaml
index f5a73e9..f8bc190 100644
--- a/sonarr/deployment.yaml
+++ b/sonarr/deployment.yaml
@@ -10,7 +10,7 @@ metadata:
 name: sonarr
 namespace: sonarr
 spec:
- ingressClassName: istio
+ ingressClassName: haproxy
 rules:
 - host: sonarr.strudelline.net
 http:
@@ -57,9 +57,8 @@ spec:
 add: ["NET_ADMIN","SYS_TIME"]
 volumes:
 - name: config
- nfs:
- server: 172.16.18.1
- path: /volume1/k8s-volumes/sonarr-config
+ persistentVolumeClaim:
+ claimName: sonarr-config
 - name: dropbox
 nfs:
 server: 172.16.18.1
diff --git a/sonarr/pvc.yaml b/sonarr/pvc.yaml new file mode 100644
index 0000000..5b6d635
--- /dev/null
+++ b/sonarr/pvc.yaml 
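Review bot: `replicas: 0` on the readarr Deployment means this commit ships a workload that never runs, and nothing says whether that is a deliberate hold; if it is, write `replicas: 0  # intentionally scaled to zero until <reason>` so the next reader does not scale it up by accident. Both `xjasonlyu/tun2socks:latest` references — the `killswitch` init container and the `vpn` sidecar — run with `NET_ADMIN` and `SYS_TIME` added, so an unpinned tag means an unreviewed image update lands in the pod with those capabilities; pin a version and digest (placeholder: `xjasonlyu/tun2socks:<TAG>@sha256:<DIGEST>`). The killswitch rules only match `-o eth0`, so the "drop everything non-RFC1918 that is not going through the tunnel" guarantee silently lapses if the pod's primary interface is ever named differently; a comment stating that assumption above the `iptables` lines is worth adding. The same `:latest` tun2socks pair appears in `tubearchivist/tubearchivist.yaml` later in this commit.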
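Review bot: The `config` volume moves from the NFS export `/volume1/k8s-volumes/sonarr-config` to the new `sonarr-config` PersistentVolumeClaim, which `sonarr/pvc.yaml` creates empty, yet nothing in the commit copies the existing configuration across, so the first rollout after this change starts sonarr with a blank config unless the data was migrated out of band. A one-line note next to the claim, `# config migrated from nfs:/volume1/k8s-volumes/sonarr-config on <date>` (placeholder), would record that the copy happened. The enclosing Deployment spec starts and ends outside this hunk.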
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: sonarr-config
+ namespace: sonarr
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: longhorn
+ volumeMode: Filesystem
diff --git a/toots-werts/db.yaml b/toots-werts/db.yaml new file mode 100644
index 0000000..4cde2be
--- /dev/null
+++ b/toots-werts/db.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: toots-werts
+ name: pleroma-db-init
+data:
+ init.sql: |
+ ALTER DATABASE "pleroma-db" OWNER TO "pleroma-db";
+---
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+ name: pleroma-db
+ namespace: toots-werts
+spec:
+ image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.6-2
+ postgresVersion: 14
+ databaseInitSQL:
+ key: init.sql
+ name: pleroma-db-init
+ instances:
+ - replicas: 1
+ dataVolumeClaimSpec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: local-path
+ backups:
+ pgbackrest:
+ image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.41-2
+ repos:
+ - name: repo1
+ volume:
+ volumeClaimSpec:
+ accessModes:
+ - "ReadWriteMany"
+ resources:
+ requests:
+ storage: 5Gi
+ storageClassName: nfs
diff --git a/toots-werts/deployment.yaml b/toots-werts/deployment.yaml new file mode 100644
index 0000000..f746136
--- /dev/null
+++ b/toots-werts/deployment.yaml 
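Review bot: `repo1` under `backups.pgbackrest.repos` gets a volume but no `schedules`, so as far as this manifest goes nothing ever takes a backup unless one is triggered by hand; if periodic backups are intended, add a `schedules:` block to the repo (constructed example: `schedules: { full: "0 3 * * 0", incremental: "0 3 * * 1-6" }`), otherwise a comment saying backups are manual. The cluster also declares no `users:`, so the `pleroma-db-pguser-pleroma-db` secret that `toots-werts/deployment.yaml` reads presumably comes from the operator's default user named after the cluster — worth stating in a comment next to `metadata.name`, since renaming the cluster would silently rename that secret. The data volume sits on `local-path` with `replicas: 1`, which pins the instance to one node with no replication; fine for a single-node cluster, but it deserves a note.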
@@ -0,0 +1,179 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: pleroma-uploads
+ namespace: toots-werts
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 100Gi
+ storageClassName: nfs
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: toots-werts
+ name: pleroma-config
+data:
+ config.exs: |
+ import Config
+
+ config :pleroma, :instance,
+ healthcheck: true
+
+ config :pleroma, Pleroma.Repo,
+ adapter: Ecto.Adapters.Postgres,
+ ssl: true,
+ ssl_opts: [
+ verify: :verify_none
+ ]
+
+ config :pleroma, Pleroma.Web.Endpoint,
+ url: [host: "toots.werts.us", scheme: "https"]
+
+ config :pleroma, Pleroma.Emails.Mailer,
+ adapter: Swoosh.Adapters.SMTP,
+ enabled: true,
+ relay: "smtp.mailgun.org",
+ username: "pleroma-admin@strudelline.net",
+ password: "245eaf795de6ea505d190a4aa2b2a046-28e9457d-e1805793",
+ port: 465,
+ ssl: true,
+ tls: :always,
+ auth: :always
+
+ config :ueberauth, Ueberauth.Strategy.Keycloak.OAuth,
+ client_id: System.get_env("KEYCLOAK_CLIENT_ID"),
+ client_secret: System.get_env("KEYCLOAK_CLIENT_SECRET"),
+ site: "https://auth.werts.us/",
+ authorize_url: "https://auth.werts.us/realms/werts/protocol/openid-connect/auth",
+ token_url: "https://auth.werts.us/realms/werts/protocol/openid-connect/token",
+ userinfo_url: "https://auth.werts.us/realms/werts/protocol/openid-connect/userinfo",
+ token_method: :post
+
+ config :ueberauth, Ueberauth,
+ providers: [
+ keycloak: {Ueberauth.Strategy.Keycloak, [uid_field: :email, default_scope: "profile"]}
+ ]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: toots-werts
+ name: pleroma
+ annotations:
+ "reloader.stakater.com/auto": "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: pleroma
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: pleroma
+ spec:
+ containers:
+ - name: pleroma
+ image: jamesandariese/pleroma:latest-keycloak
+ imagePullPolicy: Always
+ env:
+ - name: DB_USER
+ valueFrom:
+ 
secretKeyRef:
+ key: user
+ name: pleroma-db-pguser-pleroma-db
+ - name: DB_PASS
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: pleroma-db-pguser-pleroma-db
+ - name: DB_HOST
+ valueFrom:
+ secretKeyRef:
+ key: host
+ name: pleroma-db-pguser-pleroma-db
+ - name: DB_NAME
+ valueFrom:
+ secretKeyRef:
+ key: dbname
+ name: pleroma-db-pguser-pleroma-db
+ - name: KEYCLOAK_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ key: client_id
+ name: toots-oidc
+ - name: KEYCLOAK_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: client_secret
+ name: toots-oidc
+ - name: OAUTH_CONSUMER_STRATEGIES
+ value: keycloak:ueberauth_keycloak_strategy
+ - name: INSTANCE_NAME
+ value: WerToots
+ - name: ADMIN_EMAIL
+ value: pleroma-admin@strudelline.net
+ - name: NOTIFY_EMAIL
+ value: pleroma-admin@strudelline.net
+ - name: DOMAIN
+ value: toots.werts.us
+ - name: PORT
+ value: "4000"
+ volumeMounts:
+ - mountPath: /var/lib/pleroma/uploads
+ name: pleroma-uploads
+ - mountPath: /var/lib/pleroma/config.exs
+ name: pleroma-config
+ subPath: config.exs
+ volumes:
+ - name: pleroma-uploads
+ persistentVolumeClaim:
+ claimName: pleroma-uploads
+ - name: pleroma-config
+ configMap:
+ name: pleroma-config
+ defaultMode: 0444
+ restartPolicy: Always
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: toots
+ namespace: toots-werts
+spec:
+ ingressClassName: haproxy
+ rules:
+ - host: toots.werts.us
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: pleroma
+ port:
+ number: 4000
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: pleroma
+ name: pleroma
+ namespace: toots-werts
+spec:
+ selector:
+ app: pleroma
+ ports:
+ - name: http
+ port: 4000
+ protocol: TCP
+ targetPort: 4000
+ clusterIP: None
+ type: ClusterIP
diff --git a/toots-werts/ns.yaml b/toots-werts/ns.yaml new file mode 100644
index 0000000..a33cb78
--- /dev/null
+++ b/toots-werts/ns.yaml
@@ -0,0 +1,6 @@
+
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: toots-werts
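Review bot: The SMTP password on the `password:` line under `Pleroma.Emails.Mailer` is committed in clear text inside the `pleroma-config` ConfigMap, readable by anyone with ConfigMap access in the namespace and now permanently in git history; treat it as exposed, rotate it at the mail provider, and load it the way the Keycloak secret already is — `password: System.get_env("SMTP_PASSWORD"),` in config.exs plus a `secretKeyRef` env entry on the container mirroring the `KEYCLOAK_CLIENT_SECRET` one. Separately, `ssl_opts: [verify: :verify_none]` disables certificate verification for the Postgres connection, so `ssl: true` encrypts but does not authenticate the server; if the operator-issued CA is mountable from its secret, `verify: :verify_peer` with a `cacertfile:` pointing at it closes that gap, otherwise a comment should say why verification is off. `image: jamesandariese/pleroma:latest-keycloak` with `imagePullPolicy: Always` also means every pod restart may pull a different build; pin a digest. This Deployment's `env:` list begins on the previous hunk line, so the opening of the container spec is not visible here.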
diff --git a/tubearchivist/diff.sh b/tubearchivist/diff.sh new file mode 100644
index 0000000..d9945d4
--- /dev/null
+++ b/tubearchivist/diff.sh
@@ -0,0 +1,2 @@
+helm diff upgrade -n tubearchivist tubearchivist tubearchivist/tubearchivist -f values.yaml
+
diff --git a/tubearchivist/ingress.yaml b/tubearchivist/ingress.yaml new file mode 100644
index 0000000..35c4cb0
--- /dev/null
+++ b/tubearchivist/ingress.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: tubearchivist
+ namespace: tubearchivist
+spec:
+ ingressClassName: haproxy
+ rules:
+ - host: tubearchivist.strudelline.net
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: tubearchivist
+ port:
+ name: http
diff --git a/tubearchivist/oauth2-proxy-secret.yaml b/tubearchivist/oauth2-proxy-secret.yaml new file mode 100644
index 0000000..4350e0e
--- /dev/null
+++ b/tubearchivist/oauth2-proxy-secret.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: Password
+metadata:
+ name: cookie-secret
+ namespace: tubearchivist
+spec:
+ length: 32
+ digits: 5
+ symbols: 3
+ symbolCharacters: "-_"
+ noUpper: false
+ allowRepeat: true
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: "oauth2-proxy"
+ namespace: tubearchivist
+spec:
+ refreshInterval: "30m"
+ target:
+ name: oauth2-proxy
+ dataFrom:
+ - sourceRef:
+ generatorRef:
+ apiVersion: generators.external-secrets.io/v1alpha1
+ kind: Password
+ name: "cookie-secret"
+ rewrite:
+ - regexp:
+ source: ".*"
+ target: "cookie_secret"
+
diff --git a/tubearchivist/template.sh b/tubearchivist/template.sh new file mode 100644
index 0000000..5180e1e
--- /dev/null
+++ b/tubearchivist/template.sh 
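Review bot: `refreshInterval: "30m"` on an ExternalSecret whose only source is a `Password` generator re-draws the cookie secret every 30 minutes — a generator produces a fresh random value on each refresh, so the `oauth2-proxy` Secret keeps changing and every existing session is invalidated the next time the proxy pod restarts and reads it; set `refreshInterval: "0"` so it is generated once, or a deliberately long interval if periodic rotation is the goal, and say which in a comment. The 32-character output is one of the lengths oauth2-proxy accepts for a raw cookie secret, but nothing here records that constraint; a line such as `length: 32  # oauth2-proxy requires 16, 24 or 32 bytes` would stop a later edit from picking an unusable size.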
@@ -0,0 +1,6 @@
+# helm repo add tubearchivist https://insuusvenerati.github.io/helm-charts/
+
+1>&2 echo "THIS IS NOT SAFE TO USE TO SIMPLY OVERWRITE TUBEARCHIVIST.YAML"
+sleep 5
+helm template -n tubearchivist tubearchivist tubearchivist/tubearchivist -f values.yaml
+
diff --git a/tubearchivist/tubearchivist.yaml b/tubearchivist/tubearchivist.yaml new file mode 100644
index 0000000..cafde94
--- /dev/null
+++ b/tubearchivist/tubearchivist.yaml 
@@ -0,0 +1,1070 @@ +--- +# Source: tubearchivist/charts/redis/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: true +metadata: + name: tubearchivist-redis + namespace: "tubearchivist" + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-17.7.3 + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/managed-by: Helm +--- +# Source: tubearchivist/charts/elasticsearch/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: tubearchivist-elasticsearch + namespace: "tubearchivist" + labels: + app.kubernetes.io/name: elasticsearch + helm.sh/chart: elasticsearch-19.5.12 + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/managed-by: Helm +data: + my_elasticsearch.yml: |- + path: + repo: /usr/share/elasticsearch/data/snapshot +--- +# Source: tubearchivist/charts/redis/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: tubearchivist-redis-configuration + namespace: "tubearchivist" + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-17.7.3 + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/managed-by: Helm +data: + redis.conf: |- + # User-supplied common configuration: + # Enable AOF https://redis.io/topics/persistence#append-only-file + appendonly yes + # Disable RDB persistence, AOF persistence already enabled. 
+ save "" + # Enable Redis Json module + loadmodule /opt/redis-stack/lib/rejson.so + # End of common configuration + master.conf: |- + dir /data + # User-supplied master configuration: + rename-command FLUSHDB "" + rename-command FLUSHALL "" + # End of master configuration + replica.conf: |- + dir /data + # User-supplied replica configuration: + rename-command FLUSHDB "" + rename-command FLUSHALL "" + # End of replica configuration +--- +# Source: tubearchivist/charts/redis/templates/health-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: tubearchivist-redis-health + namespace: "tubearchivist" + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-17.7.3 + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/managed-by: Helm +data: + ping_readiness_local.sh: |- + #!/bin/bash + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h localhost \ + -p $REDIS_PORT \ + ping + ) + if [ "$?" -eq "124" ]; then + echo "Timed out" + exit 1 + fi + if [ "$response" != "PONG" ]; then + echo "$response" + exit 1 + fi + ping_liveness_local.sh: |- + #!/bin/bash + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h localhost \ + -p $REDIS_PORT \ + ping + ) + if [ "$?" 
-eq "124" ]; then + echo "Timed out" + exit 1 + fi + responseFirstWord=$(echo $response | head -n1 | awk '{print $1;}') + if [ "$response" != "PONG" ] && [ "$responseFirstWord" != "LOADING" ] && [ "$responseFirstWord" != "MASTERDOWN" ]; then + echo "$response" + exit 1 + fi + ping_readiness_master.sh: |- + #!/bin/bash + + [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" + [[ -n "$REDIS_MASTER_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h $REDIS_MASTER_HOST \ + -p $REDIS_MASTER_PORT_NUMBER \ + ping + ) + if [ "$?" -eq "124" ]; then + echo "Timed out" + exit 1 + fi + if [ "$response" != "PONG" ]; then + echo "$response" + exit 1 + fi + ping_liveness_master.sh: |- + #!/bin/bash + + [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" + [[ -n "$REDIS_MASTER_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h $REDIS_MASTER_HOST \ + -p $REDIS_MASTER_PORT_NUMBER \ + ping + ) + if [ "$?" -eq "124" ]; then + echo "Timed out" + exit 1 + fi + responseFirstWord=$(echo $response | head -n1 | awk '{print $1;}') + if [ "$response" != "PONG" ] && [ "$responseFirstWord" != "LOADING" ]; then + echo "$response" + exit 1 + fi + ping_readiness_local_and_master.sh: |- + script_dir="$(dirname "$0")" + exit_status=0 + "$script_dir/ping_readiness_local.sh" $1 || exit_status=$? + "$script_dir/ping_readiness_master.sh" $1 || exit_status=$? + exit $exit_status + ping_liveness_local_and_master.sh: |- + script_dir="$(dirname "$0")" + exit_status=0 + "$script_dir/ping_liveness_local.sh" $1 || exit_status=$? + "$script_dir/ping_liveness_master.sh" $1 || exit_status=$? 
+ exit $exit_status +--- +# Source: tubearchivist/charts/redis/templates/scripts-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: tubearchivist-redis-scripts + namespace: "tubearchivist" + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-17.7.3 + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/managed-by: Helm +data: + start-master.sh: | + #!/bin/bash + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + if [[ -f /opt/bitnami/redis/mounted-etc/master.conf ]];then + cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf + fi + if [[ -f /opt/bitnami/redis/mounted-etc/redis.conf ]];then + cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf + fi + ARGS=("--port" "${REDIS_PORT}") + ARGS+=("--protected-mode" "no") + ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") + ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf") + exec redis-server "${ARGS[@]}" + start-replica.sh: | + #!/bin/bash + + get_port() { + hostname="$1" + type="$2" + + port_var=$(echo "${hostname^^}_SERVICE_PORT_$type" | sed "s/-/_/g") + port=${!port_var} + + if [ -z "$port" ]; then + case $type in + "SENTINEL") + echo 26379 + ;; + "REDIS") + echo 6379 + ;; + esac + else + echo $port + fi + } + + get_full_hostname() { + hostname="$1" + full_hostname="${hostname}.${HEADLESS_SERVICE}" + echo "${full_hostname}" + } + + REDISPORT=$(get_port "$HOSTNAME" "REDIS") + + [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" + [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" + if [[ -f /opt/bitnami/redis/mounted-etc/replica.conf ]];then + cp /opt/bitnami/redis/mounted-etc/replica.conf /opt/bitnami/redis/etc/replica.conf + fi + if [[ -f /opt/bitnami/redis/mounted-etc/redis.conf ]];then + cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf + fi + + echo "" 
>> /opt/bitnami/redis/etc/replica.conf + echo "replica-announce-port $REDISPORT" >> /opt/bitnami/redis/etc/replica.conf + echo "replica-announce-ip $(get_full_hostname "$HOSTNAME")" >> /opt/bitnami/redis/etc/replica.conf + ARGS=("--port" "${REDIS_PORT}") + ARGS+=("--replicaof" "${REDIS_MASTER_HOST}" "${REDIS_MASTER_PORT_NUMBER}") + ARGS+=("--protected-mode" "no") + ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") + ARGS+=("--include" "/opt/bitnami/redis/etc/replica.conf") + exec redis-server "${ARGS[@]}" +--- +# Source: tubearchivist/charts/elasticsearch/templates/master/svc-headless.yaml +apiVersion: v1 +kind: Service +metadata: + name: tubearchivist-elasticsearch-master-hl + namespace: "tubearchivist" + labels: + app.kubernetes.io/name: elasticsearch + helm.sh/chart: elasticsearch-19.5.12 + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: master +spec: + type: ClusterIP + publishNotReadyAddresses: true + ports: + - name: tcp-rest-api + port: 9200 + targetPort: rest-api + - name: tcp-transport + port: 9300 + targetPort: transport + selector: + app.kubernetes.io/name: elasticsearch + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/component: master +--- +# Source: tubearchivist/charts/elasticsearch/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: tubearchivist-elasticsearch + namespace: "tubearchivist" + labels: + app.kubernetes.io/name: elasticsearch + helm.sh/chart: elasticsearch-19.5.12 + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: master + annotations: +spec: + type: ClusterIP + sessionAffinity: None + ports: + - name: tcp-rest-api + port: 9200 + targetPort: rest-api + nodePort: null + - name: tcp-transport + port: 9300 + nodePort: null + selector: + app.kubernetes.io/name: elasticsearch + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/component: master +--- +# Source: 
tubearchivist/charts/redis/templates/headless-svc.yaml +apiVersion: v1 +kind: Service +metadata: + name: tubearchivist-redis-headless + namespace: "tubearchivist" + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-17.7.3 + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/managed-by: Helm + annotations: + +spec: + type: ClusterIP + clusterIP: None + ports: + - name: tcp-redis + port: 6379 + targetPort: redis + selector: + app.kubernetes.io/name: redis + app.kubernetes.io/instance: tubearchivist +--- +# Source: tubearchivist/charts/redis/templates/master/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: tubearchivist-redis-master + namespace: "tubearchivist" + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-17.7.3 + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: master +spec: + type: ClusterIP + internalTrafficPolicy: Cluster + sessionAffinity: None + ports: + - name: tcp-redis + port: 6379 + targetPort: redis + nodePort: null + selector: + app.kubernetes.io/name: redis + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/component: master +--- +# Source: tubearchivist/charts/redis/templates/replicas/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: tubearchivist-redis-replicas + namespace: "tubearchivist" + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-17.7.3 + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: replica +spec: + type: ClusterIP + internalTrafficPolicy: Cluster + sessionAffinity: None + ports: + - name: tcp-redis + port: 6379 + targetPort: redis + nodePort: null + selector: + app.kubernetes.io/name: redis + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/component: replica +--- +# Source: tubearchivist/templates/common.yaml +apiVersion: v1 +kind: Service +metadata: + name: tubearchivist + labels: + 
app.kubernetes.io/service: tubearchivist + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tubearchivist + app.kubernetes.io/version: v0.3.4 + helm.sh/chart: tubearchivist-0.8.6 + annotations: +spec: + type: ClusterIP + ports: + - port: 4180 + targetPort: 4180 + protocol: TCP + name: http + selector: + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/name: tubearchivist +--- +# Source: tubearchivist/templates/common.yaml +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tubearchivist + labels: + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tubearchivist + app.kubernetes.io/version: v0.3.4 + helm.sh/chart: tubearchivist-0.8.6 +spec: + revisionHistoryLimit: 3 + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/name: tubearchivist + app.kubernetes.io/instance: tubearchivist + template: + metadata: + labels: + app.kubernetes.io/name: tubearchivist + app.kubernetes.io/instance: tubearchivist + spec: + + serviceAccountName: default + automountServiceAccountToken: true + dnsPolicy: ClusterFirst + enableServiceLinks: true + securityContext: + sysctls: + - name: net.ipv4.tcp_rmem + value: "4096 87380 33554432" + - name: net.ipv4.tcp_wmem + value: "4096 65536 33554432" + initContainers: + - name: killswitch + image: xjasonlyu/tun2socks:latest + command: ["sh","-c"] + args: + - | + iptables -t mangle -A POSTROUTING -o eth0 -d 172.16.0.0/12 -j ACCEPT + iptables -t mangle -A POSTROUTING -o eth0 -d 10.0.0.0/8 -j ACCEPT + iptables -t mangle -A POSTROUTING -o eth0 -d 192.168.0.0/16 -j ACCEPT + iptables -t mangle -A POSTROUTING -o eth0 -j DROP + securityContext: + capabilities: + add: ["NET_ADMIN","SYS_TIME"] + containers: + - name: tubearchivist + image: "bbilly1/tubearchivist:v0.4.4" + imagePullPolicy: IfNotPresent + env: + - name: ELASTIC_PASSWORD + value: changeme + - name: ES_URL + value: 
http://tubearchivist-elasticsearch:9200 + - name: HOST_GID + value: "100" + - name: HOST_UID + value: "1029" + - name: REDIS_HOST + value: tubearchivist-redis-master + - name: TA_AUTH_PROXY_LOGOUT_URL + value: https://tubearchivist.strudelline.net/oauth2/sign_out + - name: TA_AUTH_PROXY_USERNAME_HEADER + value: HTTP_X_FORWARDED_PREFERRED_USERNAME + - name: TA_ENABLE_AUTH_PROXY + value: "true" + - name: TA_HOST + value: tubearchivist.strudelline.net + - name: TA_PASSWORD + value: changeme + - name: TA_USERNAME + value: james + - name: TA_MEDIA_DIR + value: /youtube + ports: + - name: http-insecure + containerPort: 8000 + protocol: TCP + volumeMounts: + - name: cache + mountPath: /cache + - name: youtube + mountPath: /youtube + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + tcpSocket: + port: 8000 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + tcpSocket: + port: 8000 + timeoutSeconds: 1 + startupProbe: + failureThreshold: 30 + initialDelaySeconds: 0 + periodSeconds: 5 + tcpSocket: + port: 8000 + timeoutSeconds: 1 + - name: vpn + image: xjasonlyu/tun2socks:latest + command: ["sh","-c"] + args: + - | + mkdir -p /dev/net + mknod /dev/net/tun c 10 200 + exec /entrypoint.sh + env: + - name: TUN + value: tun0 + - name: PROXY + value: socks5://172.16.17.180:1080 + - name: TUN_EXCLUDED_ROUTES + value: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + securityContext: + capabilities: + add: ["NET_ADMIN","SYS_TIME"] + - name: oauth2-proxy + image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0 + imagePullPolicy: IfNotPresent + env: + - name: OAUTH2_PROXY_CLIENT_ID + valueFrom: + secretKeyRef: + name: oidc-client + key: client_id + - name: OAUTH2_PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: oidc-client + key: client_secret + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: oauth2-proxy + key: cookie_secret + - name: OAUTH2_PROXY_UPSTREAMS + value: 
http://localhost:8000 + args: + - --http-address=0.0.0.0:4180 + - --whitelist-domain=strudelline.net:* + - --whitelist-domain=.strudelline.net:* + - --cookie-domain=strudelline.net + - --email-domain=werts.us + - --email-domain=strudelline.net + - --email-domain=andariese.net + - --skip-auth-route=GET=^/api/ + - --skip-auth-route=OPTIONS=^/api/ + - --cookie-secure + - --skip-provider-button + - --set-xauthrequest + - --pass-user-headers + - --provider=oidc + - --oidc-issuer-url=https://auth.werts.us/realms/werts + - --cookie-csrf-per-request + livenessProbe: + failureThreshold: 3 + httpGet: + path: /ping + port: http + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + ports: + - containerPort: 4180 + name: http + protocol: TCP + volumes: + - name: cache + nfs: + server: 172.16.18.1 + path: /volume1/youtube/tubearchivist-cache + - name: youtube + nfs: + server: 172.16.18.1 + path: /volume1/youtube +--- +# Source: tubearchivist/charts/elasticsearch/templates/master/statefulset.yaml +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: tubearchivist-elasticsearch-master + namespace: "tubearchivist" + labels: + app.kubernetes.io/name: elasticsearch + helm.sh/chart: elasticsearch-19.5.12 + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: master + ## Istio Labels: https://istio.io/docs/ops/deployment/requirements/ + app: master +spec: + replicas: 1 + podManagementPolicy: Parallel + selector: + matchLabels: + app.kubernetes.io/name: elasticsearch + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/component: master + serviceName: tubearchivist-elasticsearch-master-hl + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + app.kubernetes.io/name: elasticsearch + helm.sh/chart: elasticsearch-19.5.12 + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: master + ## Istio Labels: 
https://istio.io/docs/ops/deployment/requirements/ + app: master + annotations: + spec: + serviceAccountName: default + + affinity: + podAffinity: + + podAntiAffinity: + + nodeAffinity: + + securityContext: + fsGroup: 1001 + initContainers: + ## Image that performs the sysctl operation to modify Kernel settings (needed sometimes to avoid boot errors) + - name: sysctl + image: docker.io/bitnami/bitnami-shell:11-debian-11-r87 + imagePullPolicy: "IfNotPresent" + command: + - /bin/bash + - -ec + - | + CURRENT=`sysctl -n vm.max_map_count`; + DESIRED="262144"; + if [ "$DESIRED" -gt "$CURRENT" ]; then + sysctl -w vm.max_map_count=262144; + fi; + CURRENT=`sysctl -n fs.file-max`; + DESIRED="65536"; + if [ "$DESIRED" -gt "$CURRENT" ]; then + sysctl -w fs.file-max=65536; + fi; + securityContext: + privileged: true + runAsUser: 0 + resources: + limits: {} + requests: {} + containers: + - name: elasticsearch + image: docker.io/bitnami/elasticsearch:8.6.0 + imagePullPolicy: "IfNotPresent" + securityContext: + runAsNonRoot: true + runAsUser: 1001 + env: + - name: BITNAMI_DEBUG + value: "false" + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ELASTICSEARCH_IS_DEDICATED_NODE + value: "no" + - name: ELASTICSEARCH_NODE_ROLES + value: "master" + - name: ELASTICSEARCH_TRANSPORT_PORT_NUMBER + value: "9300" + - name: ELASTICSEARCH_HTTP_PORT_NUMBER + value: "9200" + - name: ELASTICSEARCH_CLUSTER_NAME + value: "elastic" + - name: ELASTICSEARCH_CLUSTER_HOSTS + value: "tubearchivist-elasticsearch-master-hl.tubearchivist.svc.cluster.local," + - name: ELASTICSEARCH_TOTAL_NODES + value: "1" + - name: ELASTICSEARCH_CLUSTER_MASTER_HOSTS + value: tubearchivist-elasticsearch-master-0 + - name: ELASTICSEARCH_MINIMUM_MASTER_NODES + value: "1" + - name: ELASTICSEARCH_ADVERTISED_HOSTNAME + value: "$(MY_POD_NAME).tubearchivist-elasticsearch-master-hl.tubearchivist.svc.cluster.local" + - name: ELASTICSEARCH_HEAP_SIZE + value: "128m" + - name: discovery.type + value: 
single-node + - name: xpack.security.enabled + value: "true" + - name: ELASTIC_PASSWORD + value: changeme + ports: + - name: rest-api + containerPort: 9200 + - name: transport + containerPort: 9300 + livenessProbe: + failureThreshold: 5 + initialDelaySeconds: 90 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + exec: + command: + - /opt/bitnami/scripts/elasticsearch/healthcheck.sh + readinessProbe: + failureThreshold: 5 + initialDelaySeconds: 90 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + exec: + command: + - /opt/bitnami/scripts/elasticsearch/healthcheck.sh + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 1000m + memory: 1Gi + volumeMounts: + - name: data + mountPath: /bitnami/elasticsearch/data + - mountPath: /opt/bitnami/elasticsearch/config/my_elasticsearch.yml + name: config + subPath: my_elasticsearch.yml + - mountPath: /usr/share/elasticsearch/data/snapshot + name: snapshot + volumes: + - name: config + configMap: + name: tubearchivist-elasticsearch + - emptyDir: {} + name: snapshot + volumeClaimTemplates: + - metadata: + name: "data" + annotations: + spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "1Gi" +--- +# Source: tubearchivist/charts/redis/templates/master/application.yaml +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: tubearchivist-redis-master + namespace: "tubearchivist" + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-17.7.3 + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: master +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: redis + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/component: master + serviceName: tubearchivist-redis-headless + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-17.7.3 + app.kubernetes.io/instance: tubearchivist + 
app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: master + annotations: + checksum/configmap: 6a77e4814a2ada8d778312f1dbb23d2bc70b3c58426f248621921d7e1d399cc5 + checksum/health: dcc4f80ad839504f4e0a945663bae8a4d4cbcb10b20f7dc02a2018d3f89cb4df + checksum/scripts: 88b6fade24db5b2cf1750b4ef7faee863ae3eb70c54c2caaa39770511845c95d + checksum/secret: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + spec: + + securityContext: + fsGroup: 1001 + serviceAccountName: tubearchivist-redis + affinity: + podAffinity: + + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: redis + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/component: master + topologyKey: kubernetes.io/hostname + weight: 1 + nodeAffinity: + + terminationGracePeriodSeconds: 30 + containers: + - name: redis + image: docker.io/redis/redis-stack-server:6.2.6-v3 + imagePullPolicy: "IfNotPresent" + securityContext: + runAsUser: 1001 + command: + - /bin/bash + args: + - -c + - /opt/bitnami/scripts/start-scripts/start-master.sh + env: + - name: BITNAMI_DEBUG + value: "false" + - name: REDIS_REPLICATION_MODE + value: master + - name: ALLOW_EMPTY_PASSWORD + value: "yes" + - name: REDIS_TLS_ENABLED + value: "no" + - name: REDIS_PORT + value: "6379" + ports: + - name: redis + containerPort: 6379 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 5 + # One second longer than command timeout should prevent generation of zombie processes. 
+ timeoutSeconds: 6 + successThreshold: 1 + failureThreshold: 5 + exec: + command: + - sh + - -c + - /health/ping_liveness_local.sh 5 + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 2 + successThreshold: 1 + failureThreshold: 5 + exec: + command: + - sh + - -c + - /health/ping_readiness_local.sh 1 + resources: + limits: {} + requests: {} + volumeMounts: + - name: start-scripts + mountPath: /opt/bitnami/scripts/start-scripts + - name: health + mountPath: /health + - name: redis-data + mountPath: /data + - name: config + mountPath: /opt/bitnami/redis/mounted-etc + - name: redis-tmp-conf + mountPath: /opt/bitnami/redis/etc/ + - name: tmp + mountPath: /tmp + volumes: + - name: start-scripts + configMap: + name: tubearchivist-redis-scripts + defaultMode: 0755 + - name: health + configMap: + name: tubearchivist-redis-health + defaultMode: 0755 + - name: config + configMap: + name: tubearchivist-redis-configuration + - name: redis-tmp-conf + emptyDir: {} + - name: tmp + emptyDir: {} + volumeClaimTemplates: + - metadata: + name: redis-data + labels: + app.kubernetes.io/name: redis + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/component: master + spec: + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: "1Gi" +--- +# Source: tubearchivist/charts/redis/templates/replicas/statefulset.yaml +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: tubearchivist-redis-replicas + namespace: "tubearchivist" + labels: + app.kubernetes.io/name: redis + helm.sh/chart: redis-17.7.3 + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: replica +spec: + replicas: 0 + selector: + matchLabels: + app.kubernetes.io/name: redis + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/component: replica + serviceName: tubearchivist-redis-headless + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + app.kubernetes.io/name: redis + 
helm.sh/chart: redis-17.7.3 + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: replica + annotations: + checksum/configmap: 6a77e4814a2ada8d778312f1dbb23d2bc70b3c58426f248621921d7e1d399cc5 + checksum/health: dcc4f80ad839504f4e0a945663bae8a4d4cbcb10b20f7dc02a2018d3f89cb4df + checksum/scripts: 88b6fade24db5b2cf1750b4ef7faee863ae3eb70c54c2caaa39770511845c95d + checksum/secret: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + spec: + + securityContext: + fsGroup: 1001 + serviceAccountName: tubearchivist-redis + affinity: + podAffinity: + + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: redis + app.kubernetes.io/instance: tubearchivist + app.kubernetes.io/component: replica + topologyKey: kubernetes.io/hostname + weight: 1 + nodeAffinity: + + terminationGracePeriodSeconds: 30 + containers: + - name: redis + image: docker.io/redis/redis-stack-server:6.2.6-v3 + imagePullPolicy: "IfNotPresent" + securityContext: + runAsUser: 1001 + command: + - /bin/bash + args: + - -c + - /opt/bitnami/scripts/start-scripts/start-replica.sh + env: + - name: BITNAMI_DEBUG + value: "false" + - name: REDIS_REPLICATION_MODE + value: replica + - name: REDIS_MASTER_HOST + value: tubearchivist-redis-master-0.tubearchivist-redis-headless.tubearchivist.svc.cluster.local + - name: REDIS_MASTER_PORT_NUMBER + value: "6379" + - name: ALLOW_EMPTY_PASSWORD + value: "yes" + - name: REDIS_TLS_ENABLED + value: "no" + - name: REDIS_PORT + value: "6379" + ports: + - name: redis + containerPort: 6379 + startupProbe: + failureThreshold: 22 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + tcpSocket: + port: redis + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 6 + successThreshold: 1 + failureThreshold: 5 + exec: + command: + - sh + - -c + - 
/health/ping_liveness_local_and_master.sh 5
+ readinessProbe:
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 2
+ successThreshold: 1
+ failureThreshold: 5
+ exec:
+ command:
+ - sh
+ - -c
+ - /health/ping_readiness_local_and_master.sh 1
+ resources:
+ limits: {}
+ requests: {}
+ volumeMounts:
+ - name: start-scripts
+ mountPath: /opt/bitnami/scripts/start-scripts
+ - name: health
+ mountPath: /health
+ - name: redis-data
+ mountPath: /data
+ - name: config
+ mountPath: /opt/bitnami/redis/mounted-etc
+ - name: redis-tmp-conf
+ mountPath: /opt/bitnami/redis/etc
+ volumes:
+ - name: start-scripts
+ configMap:
+ name: tubearchivist-redis-scripts
+ defaultMode: 0755
+ - name: health
+ configMap:
+ name: tubearchivist-redis-health
+ defaultMode: 0755
+ - name: config
+ configMap:
+ name: tubearchivist-redis-configuration
+ - name: redis-tmp-conf
+ emptyDir: {}
+ volumeClaimTemplates:
+ - metadata:
+ name: redis-data
+ labels:
+ app.kubernetes.io/name: redis
+ app.kubernetes.io/instance: tubearchivist
+ app.kubernetes.io/component: replica
+ spec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: "8Gi"
diff --git a/tubearchivist/values.yaml b/tubearchivist/values.yaml
new file mode 100644
index 0000000..9b076bc
--- /dev/null
+++ b/tubearchivist/values.yaml
@@ -0,0 +1,22 @@
+---
+image:
+ tag: "v0.4.4"
+
+persistence:
+ youtube:
+ enabled: true
+ type: nfs
+ server: 172.16.18.1
+ path: /volume1/youtube
+ cache:
+ enabled: true
+ type: emptyDir
+ sizeLimit: 5Gi
+
+env:
+ TA_HOST: "tubearchive.strudelline.net"
+ HOST_UID: 1029
+ HOST_GID: 100
+ TA_AUTH_PROXY_LOGOUT_URL: "https://tubearchive.strudelline.net/oauth2/sign_out"
+ TA_AUTH_USERNAME_HEADER: X-Auth-Username
+ TA_ENABLE_AUTH_PROXY: True
diff --git a/tubesync/deployment.yaml b/tubesync/deployment.yaml
new file mode 100644
index 0000000..532d476
--- /dev/null
+++ b/tubesync/deployment.yaml
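Review bot: In the `env:` map of tubearchivist/values.yaml, `HOST_UID: 1029`, `HOST_GID: 100` and `TA_ENABLE_AUTH_PROXY: True` are unquoted, so YAML types them as integers and a boolean; if the chart copies this map into container `env[].value`, the API server rejects non-string values, and a template that stringifies `True` may emit `true` rather than the literal the app is configured to expect. Quote them: `HOST_UID: "1029"`, `HOST_GID: "100"`, `TA_ENABLE_AUTH_PROXY: "True"`. Separately, `TA_ENABLE_AUTH_PROXY` together with `TA_AUTH_USERNAME_HEADER: X-Auth-Username` makes the app accept that header as the caller's identity, so the protection rests entirely on the app being reachable only through oauth2-proxy; confirm the tubearchivist Service is not reachable from other namespaces (for example a NetworkPolicy admitting only the proxy pods), since anything that can connect to it directly can set the header. How the chart renders `env` is not visible in this diff.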
@@ -0,0 +1,122 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: tubesync
+ namespace: tubesync
+spec:
+ ingressClassName: haproxy
+ rules:
+ - host: tubesync.strudelline.net
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: oauth2-proxy
+ port:
+ number: 4180
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: tubesync
+ name: tubesync
+ annotations:
+ "reloader.stakater.com/auto": "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: tubesync
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: tubesync
+ spec:
+ terminationGracePeriodSeconds: 0
+ restartPolicy: Always
+ securityContext:
+ sysctls:
+ - name: net.ipv4.tcp_rmem
+ value: "4096 87380 33554432"
+ - name: net.ipv4.tcp_wmem
+ value: "4096 65536 33554432"
+ initContainers:
+ - name: killswitch
+ image: xjasonlyu/tun2socks:latest
+ command: ["sh","-c"]
+ args:
+ - |
+ iptables -t mangle -A POSTROUTING -o eth0 -d 172.16.0.0/12 -j ACCEPT
+ iptables -t mangle -A POSTROUTING -o eth0 -d 10.0.0.0/8 -j ACCEPT
+ iptables -t mangle -A POSTROUTING -o eth0 -d 192.168.0.0/16 -j ACCEPT
+ iptables -t mangle -A POSTROUTING -o eth0 -j DROP
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN","SYS_TIME"]
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: tubesync-data
+ - name: video
+ nfs:
+ server: 172.16.18.1
+ path: /volume1/video
+ containers:
+ - name: tubesync
+ image: ghcr.io/meeb/tubesync:latest
+ env:
+ - name: TZ
+ value: America/Chicago
+ - name: PUID
+ value: "1029"
+ - name: PGID
+ value: "101"
+ volumeMounts:
+ - mountPath: /downloads
+ name: video
+ - mountPath: /config
+ name: data
+ - name: vpn
+ image: xjasonlyu/tun2socks:latest
+ command: ["sh","-c"]
+ args:
+ - |
+ mkdir -p /dev/net
+ mknod /dev/net/tun c 10 200
+ exec /entrypoint.sh
+ env:
+ - name: TUN
+ value: tun0
+ - name: PROXY
+ value: socks5://172.16.17.180:1080
+ - name: TUN_EXCLUDED_ROUTES
+ value: 
10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN","SYS_TIME"]
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: tubesync
+ name: tubesync
+ namespace: tubesync
+spec:
+ ipFamilies:
+ - IPv4
+ ipFamilyPolicy: SingleStack
+ ports:
+ - name: tubesync
+ port: 4848
+ protocol: TCP
+ targetPort: 4848
+ selector:
+ app: tubesync
+ sessionAffinity: None
+ type: ClusterIP
diff --git a/tubesync/ingress.yaml b/tubesync/ingress.yaml
new file mode 100644
index 0000000..d23cb97
--- /dev/null
+++ b/tubesync/ingress.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: frigate
+ namespace: frigate
+spec:
+ ingressClassName: haproxy
+ rules:
+ - host: frigate.strudelline.net
+ http:
+ paths:
+ #- path: /oauth2
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: oauth2-proxy
+ port:
+ name: http
+ #- path: /
+ # pathType: Prefix
+ # backend:
+ # service:
+ # name: frigate
+ # port:
+ # number: 5000
diff --git a/tubesync/oauth2-proxy-cookie-secret-sealed.yaml b/tubesync/oauth2-proxy-cookie-secret-sealed.yaml
new file mode 100644
index 0000000..1a50e64
--- /dev/null
+++ b/tubesync/oauth2-proxy-cookie-secret-sealed.yaml
@@ -0,0 +1,22 @@
+{
+ "kind": "SealedSecret",
+ "apiVersion": "bitnami.com/v1alpha1",
+ "metadata": {
+ "name": "oauth2-proxy",
+ "namespace": "tubesync",
+ "creationTimestamp": null
+ },
+ "spec": {
+ "template": {
+ "metadata": {
+ "name": "oauth2-proxy",
+ "namespace": "tubesync",
+ "creationTimestamp": null
+ },
+ "type": "Opaque"
+ },
+ "encryptedData": {
+ "cookie_secret": "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"
+ }
+ }
+}
diff --git a/tubesync/oauth2-proxy.yaml b/tubesync/oauth2-proxy.yaml
new file mode 100644
index 0000000..519a7ad
--- /dev/null
+++ b/tubesync/oauth2-proxy.yaml
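Review bot: Both containers that receive `NET_ADMIN` in tubesync/deployment.yaml (the `killswitch` init container and `vpn`) run `xjasonlyu/tun2socks:latest`, and the app runs `ghcr.io/meeb/tubesync:latest`, so whatever the registries serve next is what gets network-admin rights in this pod and write access to the NFS share; pin each to a version tag plus digest, e.g. `image: xjasonlyu/tun2socks:<version>@sha256:<digest>` (placeholders). `SYS_TIME` is granted to both as well, yet nothing in the visible commands touches the clock, so drop it unless tun2socks is known to need it. The Ingress at the top of the hunk sends traffic to a Service named `oauth2-proxy` on 4180, and no such Service appears among the tubesync files in this part of the diff; if it is created elsewhere that is fine, otherwise the Ingress has no backend.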
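Review bot: tubesync/ingress.yaml defines an Ingress named `frigate` in namespace `frigate` for host `frigate.strudelline.net`, which looks like an unedited copy of the frigate ingress rather than anything for tubesync. Applying the tubesync directory would then manage, and on reapply overwrite, the frigate ingress, while tubesync's own Ingress already lives in tubesync/deployment.yaml. Either delete this file, or make it the single source for tubesync (`name: tubesync`, `namespace: tubesync`, `host: tubesync.strudelline.net`) and drop the duplicate Ingress from deployment.yaml.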
@@ -0,0 +1,100 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: oauth2-proxy
+ name: oauth2-proxy
+ namespace: tubesync
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: oauth2-proxy
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: oauth2-proxy
+ spec:
+ initContainers:
+ - name: password-creator
+ image: httpd:alpine3.19
+ command:
+ - /usr/local/apache2/bin/htpasswd
+ - -Bbc
+ - /xfr/htpasswd
+ - "$(OIDC_BYPASS_USERNAME)"
+ - "$(OIDC_BYPASS_PASSWORD)"
+ envFrom:
+ - secretRef:
+ name: oidc-bypass-user
+ volumeMounts:
+ - name: htpasswd-xfr
+ mountPath: /xfr
+ containers:
+ - name: oauth2-proxy-http
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: OAUTH2_PROXY_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: oidc-client
+ key: client_id
+ - name: OAUTH2_PROXY_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oidc-client
+ key: client_secret
+ - name: OAUTH2_PROXY_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy
+ key: cookie_secret
+ - name: OAUTH2_PROXY_UPSTREAMS
+ value: http://tubesync:4848
+ args:
+ - --http-address=0.0.0.0:4180
+ - --whitelist-domain=strudelline.net:*
+ - --whitelist-domain=.strudelline.net:*
+ - --cookie-domain=strudelline.net
+ - --email-domain=werts.us
+ - --email-domain=strudelline.net
+ - --email-domain=andariese.net
+ - --cookie-secure
+ - --skip-provider-button
+ - --htpasswd-file=/xfr/htpasswd
+ - --set-xauthrequest
+ - --provider=oidc
+ - --oidc-issuer-url=https://auth.werts.us/realms/werts
+ - --cookie-csrf-per-request
+ volumeMounts:
+ - name: htpasswd-xfr
+ mountPath: /xfr
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ping
+ port: http
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ ports:
+ - containerPort: 4180
+ name: http
+ protocol: TCP
+ volumes:
+ - name: htpasswd-xfr
+ emptyDir:
+ 
medium: Memory + sizeLimit: 1Mi + - name: certs + secret: + secretName: wildcard-tls + terminationGracePeriodSeconds: 2 diff --git a/tubesync/oidc-bypass-user-sealed.yaml b/tubesync/oidc-bypass-user-sealed.yaml new file mode 100644 index 0000000..03c9cab --- /dev/null +++ b/tubesync/oidc-bypass-user-sealed.yaml @@ -0,0 +1,23 @@ +{ + "kind": "SealedSecret", + "apiVersion": "bitnami.com/v1alpha1", + "metadata": { + "name": "oidc-bypass-user", + "namespace": "tubesync", + "creationTimestamp": null + }, + "spec": { + "template": { + "metadata": { + "name": "oidc-bypass-user", + "namespace": "tubesync", + "creationTimestamp": null + }, + "type": "Opaque" + }, + "encryptedData": { + "OIDC_BYPASS_PASSWORD": "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", + "OIDC_BYPASS_USERNAME": "AgCci+eppW4CA5KvXJORQAURlSWmjssz6U3rp27uHsA1JvtsJDZA5JBsfA7wC/lDlKY2flVuECWQb3MUDbrovielIuEniscHfxDe0pW5ZtSwlsKMwkfQhxlEwFEHRh+h0NcmNV03Ho2lPl/n6IRVkOuG+SkvWsL8CfvPMQWnntdOPeFtVJYBZI/ejwvBc7u9ARgra/u7Ze3/6gfLpe6a1xM+jBjl689vaw99t+xMHtem0fY8b7YumAFCrVyiqmwQ/SpYZ+qO/YgeCEp6Vnixk8UH2AYOKCQ9hYu1OOh4FbA7C4PZZdO8pBg3uZuAdJA1l9X+2G/NzATbUd8FizEQ9ehyKe4QKxg18wT10VVJMZXnpfFqNWQuD81U+6Z4+BFT6sWEabQTOcHo7JKqzGcX8YCbvCISAoq3vIRmQiWiKNjQbVcqAUsxQqkYy4HeJu+4zBDs+bdY/hZvU435Io/I06Ul28kOMm6v2UjuOTwmhh332kxuyp2ijYxdmOocIwsP69B/WNOdSTXhx4wwENP030iZ2O6a5Un/qtOG65MyowvCJ0dm8E23DPMMHPNGAg3JNP5VYfKnubi82iEn4Vm2O9k8JkpIhNzgbpk78RKc/QkFlAq5gMy1AR2RAaOZI1bYjwsyTL1WtBZM+Gyr3KNaF/yjbBzmpBWnfNsyO1PhvtegsMOxLKqZctzYWxZex7LYOgugEStzOPE=" + } + } +} diff --git a/tubesync/pvc.yaml b/tubesync/pvc.yaml new file mode 100644 index 0000000..ac17123 --- /dev/null +++ b/tubesync/pvc.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: tubesync-data + namespace: tubesync +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + storageClassName: longhorn + volumeMode: Filesystem + 
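Review bot: The `password-creator` init container in tubesync/oauth2-proxy.yaml hands the bypass password to htpasswd as a command-line argument (`-Bbc ... "$(OIDC_BYPASS_PASSWORD)"`), so once kubelet expands it the plaintext sits in that process's argv on the node, where any runtime or audit tooling that records container commands will pick it up; `-b` is the form the htpasswd docs describe as unsuitable for exactly this reason. Read it from stdin instead, keeping the same `envFrom`: `command: ["sh", "-c", "printf '%s' \"$OIDC_BYPASS_PASSWORD\" | /usr/local/apache2/bin/htpasswd -Bic /xfr/htpasswd \"$OIDC_BYPASS_USERNAME\""]`. The `certs` volume backed by `wildcard-tls` is declared but mounted by no container, so it only forces that TLS secret to be projected onto the node for nothing; drop it or mount it. Since `--htpasswd-file` lets this one account skip OIDC entirely, treat it as a break-glass credential and note that in a comment on the init container, e.g. `# break-glass local login; bypasses OIDC for this single account`.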
diff --git a/uptime-kuma/deployment.yaml b/uptime-kuma/deployment.yaml
new file mode 100644
index 0000000..490e9ee
--- /dev/null
+++ b/uptime-kuma/deployment.yaml
@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: uptime-kuma
+ name: uptime-kuma
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: uptime-kuma
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: uptime-kuma
+ spec:
+ containers:
+ - image: louislam/uptime-kuma:1.23.1-alpine
+ name: uptime-kuma
+ resources: {}
+ volumeMounts:
+ - mountPath: /app/data
+ name: uptime-kuma-data
+ restartPolicy: Always
+ volumes:
+ - name: uptime-kuma-data
+ persistentVolumeClaim:
+ claimName: uptime-kuma-data
diff --git a/uptime-kuma/ingress.yaml b/uptime-kuma/ingress.yaml
new file mode 100644
index 0000000..6575751
--- /dev/null
+++ b/uptime-kuma/ingress.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: uptime-kuma
+ namespace: uptime-kuma
+spec:
+ ingressClassName: haproxy
+ rules:
+ - host: uptime.strudelline.net
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: uptime-kuma
+ port:
+ number: 3001
diff --git a/uptime-kuma/ns.yaml b/uptime-kuma/ns.yaml
new file mode 100644
index 0000000..92c7bb2
--- /dev/null
+++ b/uptime-kuma/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: uptime-kuma
diff --git a/uptime-kuma/pvc.yaml b/uptime-kuma/pvc.yaml
new file mode 100644
index 0000000..892725c
--- /dev/null
+++ b/uptime-kuma/pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: uptime-kuma-data
+ namespace: uptime-kuma
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 8Gi
+ storageClassName: longhorn
diff --git a/uptime-kuma/svc.yaml b/uptime-kuma/svc.yaml
new file mode 100644
index 0000000..7c683fb
--- /dev/null
+++ b/uptime-kuma/svc.yaml
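Review bot: The uptime-kuma container in uptime-kuma/deployment.yaml has `resources: {}` and no pod or container `securityContext`, so it runs unbounded and with whatever user the image defaults to, and the pod also has no readiness or liveness probe even though an Ingress fronts it. The image tag is pinned, which is good; add requests/limits and, if the image tolerates it, `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false}` on the container, plus an `httpGet` readiness probe on port 3001 so the haproxy backend only receives traffic once the app is up.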
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: uptime-kuma + name: uptime-kuma + namespace: uptime-kuma +spec: + selector: + app: uptime-kuma + ports: + - name: http + port: 3001 + protocol: TCP + targetPort: 3001 + clusterIP: None + type: ClusterIP diff --git a/vaultwarden/ingress.yaml b/vaultwarden/ingress.yaml index f2bf420..7aed471 100644 --- a/vaultwarden/ingress.yaml +++ b/vaultwarden/ingress.yaml @@ -4,7 +4,7 @@ metadata: name: vaultwarden namespace: vaultwarden spec: - ingressClassName: istio + ingressClassName: haproxy rules: - host: warden.strudelline.net http: @@ -16,7 +16,3 @@ spec: name: vaultwarden port: number: 80 - tls: - - hosts: - - warden.strudelline.net - secretName: wildcard-tls diff --git a/well-known-werts/cm.yaml b/well-known-werts/cm.yaml index 45a2b48..888a98b 100644 --- a/well-known-werts/cm.yaml +++ b/well-known-werts/cm.yaml @@ -1,10 +1,10 @@ +kind: ConfigMap +metadata: + name: well-known-werts-matrix + namespace: well-known-werts apiVersion: v1 data: client: | {"m.homeserver":{"base_url":"https://chat.werts.us/"}} server: | { "m.server": "chat.werts.us:443" } -kind: ConfigMap -metadata: - name: well-known-werts-matrix - namespace: well-known-werts diff --git a/wildcard-tls/wildcard-tls.yaml b/wildcard-tls/wildcard-tls.yaml index dcad63d..876b00a 100644 --- a/wildcard-tls/wildcard-tls.yaml +++ b/wildcard-tls/wildcard-tls.yaml @@ -11,11 +11,8 @@ spec: dnsNames: - strudelline.net - '*.strudelline.net' - - '*.notes.strudelline.net' - '*.notes.werts.us' - '*.minio.strudelline.net' - - notes.werts.us - - notes.strudelline.net - werts.us - '*.werts.us' - kn8v.com
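Review bot: The second vaultwarden/ingress.yaml hunk removes the `tls:` block, leaving this Ingress with no TLS declaration for warden.strudelline.net after the class switch to `haproxy`; unless the haproxy controller is configured with a default certificate (the `wildcard-tls` secret this stanza used to reference) and an HTTP-to-HTTPS redirect, the vault becomes reachable over plain HTTP, and the web vault relies on WebCrypto, which browsers only expose in a secure context. If termination is intentionally delegated to the controller, say so next to the `ingressClassName` line, e.g. `# TLS terminated by the haproxy controller default cert; no per-ingress tls block`; otherwise keep the `tls:` stanza alongside the new class. The same pattern appears in the new tubesync, uptime-kuma and frigate-named Ingresses in this diff, none of which carry a `tls:` block either.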