fluxcd: add repo example with some apps

This commit is contained in:
kirby 2025-05-28 16:00:46 +02:00
parent 00a5e56c27
commit e5738c5c3f
111 changed files with 18051 additions and 0 deletions


@ -0,0 +1,122 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: http-broadcaster
spec:
chart:
spec:
chart: myChart
reconcileStrategy: ChartVersion
version: "2.x.x"
sourceRef:
kind: HelmRepository
name: myChart
namespace: infrastructure
interval: 10m0s
values:
environment:
fullnameOverride: "http-broadcaster"
app:
name: "app"
image:
repository: gitlabregistry.example.com/infrastructure/http-broadcaster
pullPolicy: IfNotPresent
tag:
labels:
technology: "go"
role: "api"
resources:
requests:
memory: 64Mi
cpu: 200m
limits:
memory: 64Mi
cpu: 400m
containerPort:
broadcaster: 6081
readinessProbe:
exec:
command:
- curl
- -f
- -L
- -m
- "5"
- "127.0.0.1:6081/healthcheck"
livenessProbe:
exec:
command:
- curl
- -f
- -L
- -m
- "5"
- "127.0.0.1:6081/healthcheck"
command:
- "/bin/sh"
- "-c"
- "[ -f /vault/secrets/.env ] && http-broadcaster --metrics"
lifecycle: {}
securityContext:
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
# Generic sidecars
nginx:
enabled: false
fpmExporter:
enabled: false
elasticAgent:
enabled: false
logrotate:
enabled: false
imagePullSecrets:
- name: registry-credentials
vault:
enabled: true
serviceAccount:
create: true
service:
extraPorts:
- name: web
port: 6081
targetPort: 6081
ingress:
enabled: true
autoIngress:
enabled: true
path: "/"
port: 6081
replicaCount: 2
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 1
targetCPUUtilizationPercentage: 40
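Review bot: `tag:` under `image:` is a bare key, which YAML reads as null rather than an empty string; since the environment overlays patch this value, write `tag: ""` so a missing patch renders an explicit empty tag instead of `null`. The readiness and liveness probes are byte-identical exec curl calls against `127.0.0.1:6081/healthcheck`, so any condition that makes the pod not-ready also restarts it; if the two are meant to differ, give the liveness probe a looser threshold or a different endpoint. The container securityContext already drops all capabilities and runs as non-root; `readOnlyRootFilesystem: true` is the usual companion setting and could be added if the binary does not write to its root filesystem — confirm against the image.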


@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- hr-http-broadcaster.yaml


@ -0,0 +1,59 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: k6-operator
spec:
chart:
spec:
# https://github.com/grafana/k6-operator/blob/main/charts/k6-operator/values.yaml
chart: k6-operator
reconcileStrategy: ChartVersion
version: "3.x.x"
sourceRef:
kind: HelmRepository
name: grafana
namespace: infrastructure
interval: 10m0s
values:
fullnameOverride: "k6-operator"
customLabels:
team: "infrastructure"
manager:
replicas: 1
serviceAccount:
name: "k6-operator-controller"
create: true
image:
registry: ghcr.io
repository: grafana/k6-operator
tag: controller-v0.0.19
pullPolicy: IfNotPresent
livenessProbe: {}
readinessProbe: {}
resources:
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 100m
memory: 100Mi
env:
# Indique que seul le namespace infrastructure est surveille.
- name: WATCH_NAMESPACE
value: 'infrastructure'
authProxy:
# Disable/Enable authentication on metric endpoint
enabled: false
installCRDs: true
namespace:
create: false
prometheus:
enabled: false
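Review bot: The comment above `WATCH_NAMESPACE` is in French; for consistency with the rest of the file, replace it with `# Only the infrastructure namespace is watched.`. `authProxy.enabled: false` turns off authentication on the operator's metrics endpoint according to the comment beside it, so the endpoint is only as protected as the network path to it; a short comment stating why that is acceptable here (or which NetworkPolicy covers it) would help the next reader.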


@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- hr-k6-operator.yaml


@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- remote
- system


@ -0,0 +1,31 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: http-broadcaster
spec:
chart:
spec:
chart: myChart
reconcileStrategy: ChartVersion
version: "2.x.x"
sourceRef:
kind: HelmRepository
name: myChart
namespace: infrastructure
interval: 10m0s
values:
environment: "prd"
app:
image:
tag: 2.1.5 # {"$imagepolicy": "system:http-broadcaster:tag"}
autoscaling:
enabled: false
vault:
path: "app/data/http-broadcaster/prd/envVars"
ingress:
autoIngress:
host: "purgatory.example.com"
metrics:
enabled: true
serviceMonitor:
enabled: true
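Review bot: `tag: 2.1.5` is a string only because it has two dots; the ImagePolicy currently admits only `X.Y.Z` tags, but quoting removes the dependence on that, so write `tag: "2.1.5" # {"$imagepolicy": "system:http-broadcaster:tag"}`. The same applies to the staging overlay's `tag: 2.2.0-rc.1` line later in this commit. This file also omits the `---` document start that the base HelmRelease and most other manifests here use; adding it keeps the files consistent.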


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../../base/http-broadcaster/app
patches:
- path: hr-http-broadcaster.yaml


@ -0,0 +1,28 @@
---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
metadata:
name: http-broadcaster
labels:
team: system
spec:
git:
checkout:
ref:
branch: main
commit:
author:
email: fluxcdbot@example.com
name: fluxcdbot
messageTemplate: 'deps(apps/production): {{ .AutomationObject }} ImageUpdateAutomation'
push:
branch: main
interval: 3m0s
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
update:
path: ./apps/production/system/http-broadcaster
strategy: Setters
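Review bot: `push.branch: main` is the same branch as `checkout.ref` and the one the cluster's GitRepository syncs, so every image bump is committed straight to the branch Flux deploys from with no review step in between. If the team wants a human gate on production image changes, point `push.branch` at a dedicated automation branch (name it to suit the repository) and merge it through a pull request; the staging automation further down in this commit has the same layout. `update.path` is scoped to the app directory, which correctly limits what the bot can modify.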


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- iua-http-broadcaster.yaml
- policy-http-broadcaster.yaml
- registry-http-broadcaster.yaml


@ -0,0 +1,15 @@
apiVersion: image.toolkit.fluxcd.io/v1beta1
kind: ImagePolicy
metadata:
name: http-broadcaster
labels:
team: system
spec:
imageRepositoryRef:
name: http-broadcaster
filterTags:
pattern: '^v?(?P<rv>[0-9]+\.[0-9]+\.[0-9]+)$'
extract: '$rv'
policy:
semver:
range: '^2.x.x-0'
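Review bot: `apiVersion: image.toolkit.fluxcd.io/v1beta1` is used for the ImagePolicy and ImageRepository here while the ImageUpdateAutomation beside them uses `v1beta2`; as far as I know all three image kinds have had a `v1beta2` version since Flux 2.0, so the older version should be bumped before the controller drops it — the staging copies of these files show the same split. The semver range `'^2.x.x-0'` admits pre-release versions, which is harmless here only because the tag filter pattern accepts exactly `X.Y.Z`; a comment such as `# -0 kept for parity with staging; the pattern above excludes pre-releases` would stop someone from relaxing the pattern without noticing.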


@ -0,0 +1,13 @@
apiVersion: image.toolkit.fluxcd.io/v1beta1
kind: ImageRepository
metadata:
name: http-broadcaster
labels:
team: system
spec:
secretRef:
name: registry-credentials
image: gitlabregistry.example.com/infrastructure/http-broadcaster
interval: 5m0s
exclusionList:
- "_dev$"


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: system
resources:
- app
- automations


@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- http-broadcaster


@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../k6-operator


@ -0,0 +1,7 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- remote
- system
- infrastructure


@ -0,0 +1,37 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: http-broadcaster
spec:
chart:
spec:
chart: myChart
reconcileStrategy: ChartVersion
version: "2.x.x"
sourceRef:
kind: HelmRepository
name: myChart
namespace: infrastructure
interval: 10m0s
values:
environment: "stg"
app:
image:
tag: 2.2.0-rc.1 # {"$imagepolicy": "system:http-broadcaster:tag"}
autoscaling:
enabled: false
vault:
path: "app/data/http-broadcaster/stg/envVars"
# Test to verify that Traefik is not rejecting requests for being
# outside limit size.
ingress:
middlewares:
buffering:
enabled: false
autoIngress:
host: "purgatory.stg.example.com"
# Telling the chart that we want the service to be scrape.
metrics:
enabled: true
serviceMonitor:
enabled: true
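Review bot: The comment `# Telling the chart that we want the service to be scrape.` should read `scraped`. The `buffering.enabled: false` override is described as a test; if it is meant to stay, rewrite the comment to state the reason (Traefik rejecting oversized requests) as a permanent decision, otherwise remove the override once the test is done. Like the production overlay, the file lacks the `---` document start used by the base manifest.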


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../../base/http-broadcaster/app
patches:
- path: hr-http-broadcaster.yaml


@ -0,0 +1,28 @@
---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
metadata:
name: http-broadcaster
labels:
team: system
spec:
git:
checkout:
ref:
branch: main
commit:
author:
email: fluxcdbot@example.com
name: fluxcdbot
messageTemplate: 'deps(apps/staging): {{ .AutomationObject }} ImageUpdateAutomation'
push:
branch: main
interval: 3m0s
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
update:
path: ./apps/staging/system/http-broadcaster
strategy: Setters


@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- iua-http-broadcaster.yaml
- policy-http-broadcaster.yaml
- registry-http-broadcaster.yaml
- receiver-http-broadcaster.yaml


@ -0,0 +1,15 @@
apiVersion: image.toolkit.fluxcd.io/v1beta1
kind: ImagePolicy
metadata:
name: http-broadcaster
labels:
team: system
spec:
imageRepositoryRef:
name: http-broadcaster
filterTags:
pattern: '^v?(?P<rv>[0-9]+\.[0-9]+\.[0-9]+-(?:alpha|beta|rc)\.[0-9]+)$'
extract: '$rv'
policy:
semver:
range: '^2.x.x-0'


@ -0,0 +1,15 @@
apiVersion: notification.toolkit.fluxcd.io/v1
kind: Receiver
metadata:
name: http-broadcaster-app
spec:
type: generic
secretRef:
name: webhook-receiver-token
resources:
- apiVersion: image.toolkit.fluxcd.io/v1beta1
kind: ImageRepository
name: http-broadcaster-app
- apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
name: http-broadcaster
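Review bot: The Receiver lists an ImageRepository named `http-broadcaster-app`, but the ImageRepository defined in this automation directory is named `http-broadcaster` (its `metadata.name` appears a few lines further down in this commit), so the webhook would not find the repository to reconcile; change it to `name: http-broadcaster`. The Receiver's own `metadata.name` `http-broadcaster-app` also departs from the naming every sibling resource uses and could be aligned. The ImageRepository entry uses `v1beta1` while the ImageUpdateAutomation entry uses `v1beta2`; each should match the apiVersion of the object it refers to.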


@ -0,0 +1,13 @@
apiVersion: image.toolkit.fluxcd.io/v1beta1
kind: ImageRepository
metadata:
name: http-broadcaster
labels:
team: system
spec:
secretRef:
name: registry-credentials
image: gitlabregistry.example.com/infrastructure/http-broadcaster
interval: 5m0s
exclusionList:
- "_dev$"


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: system
resources:
- app
- automations


@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- http-broadcaster


@ -0,0 +1,44 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: namespaces
namespace: flux-system
spec:
interval: 1m0s
path: ./infrastructure/base/namespaces
prune: false # Prevent resources from being deleted when it is removed from the yaml file
sourceRef:
kind: GitRepository
name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: infrastructure
namespace: flux-system
spec:
interval: 1m0s
path: ./infrastructure/production
prune: true
wait: true
timeout: 3m0s
sourceRef:
kind: GitRepository
name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: apps
namespace: flux-system
spec:
interval: 5m0s
dependsOn:
- name: infrastructure
sourceRef:
kind: GitRepository
name: flux-system
path: ./apps/production
prune: true
wait: true
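Review bot: `infrastructure` has no `dependsOn` entry for the `namespaces` Kustomization, so on a fresh cluster its first reconciliation can run before the namespaces exist and fail until the next retry; adding `dependsOn: - name: namespaces` to the `infrastructure` spec makes the ordering explicit (`apps` already depends on `infrastructure`). `prune: false` on `namespaces` is a sensible guard against deleting a namespace and everything in it, and the trailing comment already explains it. `apps` sets `wait: true` without a `timeout`, which if I recall correctly falls back to the interval; an explicit `timeout` like the one on `infrastructure` would make that visible.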



@ -0,0 +1,27 @@
# This manifest was generated by flux. DO NOT EDIT.
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: flux-system
namespace: flux-system
spec:
interval: 1m0s
ref:
branch: main
secretRef:
name: flux-system
url:
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: flux-system
namespace: flux-system
spec:
interval: 10m0s
path: ./clusters/cluster1-prd
prune: true
sourceRef:
kind: GitRepository
name: flux-system


@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml


@ -0,0 +1,117 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: external-secrets
spec:
chart:
spec:
chart: external-secrets
reconcileStrategy: ChartVersion
version: "0.14.x"
sourceRef:
kind: HelmRepository
name: external-secrets-operator
namespace: infrastructure
interval: 10m0s
values:
replicaCount: 3
affinity: {}
installCRDs: true
crds:
createClusterExternalSecret: true
createClusterSecretStore: true
createPushSecret: true
leaderElect: true
concurrent: 3
serviceAccount:
create: true
automount: true
rbac:
create: true
resources:
requests:
cpu: 10m
memory: 32Mi
serviceMonitor:
enabled: false
interval: 30s
scrapeTimeout: 25s
metrics:
service:
enabled: false
podDisruptionBudget:
enabled: true
minAvailable: 1
# maxUnavailable: 1
webhook:
create: true
replicaCount: 1
rbac:
create: true
serviceAccount:
create: true
automount: true
podDisruptionBudget:
enabled: true
minAvailable: 1
# maxUnavailable: 1
serviceMonitor:
enabled: false
interval: 30s
scrapeTimeout: 25s
metrics:
service:
enabled: false
resources:
requests:
cpu: 10m
memory: 32Mi
affinity: {}
certController:
create: true
requeueInterval: "5m"
replicaCount: 1
rbac:
create: true
serviceAccount:
create: true
automount: true
podDisruptionBudget:
enabled: true
minAvailable: 1
# maxUnavailable: 1
serviceMonitor:
enabled: false
interval: 30s
scrapeTimeout: 25s
metrics:
service:
enabled: false
resources:
requests:
cpu: 10m
memory: 32Mi
affinity: {}
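Review bot: `serviceMonitor.enabled: false` and `metrics.service.enabled: false` are set for the controller, the webhook and the cert-controller, while the other releases in this commit (keda, longhorn, http-broadcaster) enable a ServiceMonitor; if external-secrets is intentionally left out of scraping, a comment on the first `serviceMonitor:` key saying why would help, otherwise enable it for parity. The three commented `# maxUnavailable: 1` lines under `podDisruptionBudget` are dead configuration; drop them or turn them into a note that `maxUnavailable` is the alternative knob.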


@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: infrastructure
resources:
- hr-external-secrets.yaml


@ -0,0 +1,29 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: inf-external-secrets-core
namespace: flux-system
spec:
interval: 5m
path: ./infrastructure/base/external-secrets/core
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: inf-external-secrets-resources
namespace: flux-system
spec:
dependsOn:
- name: inf-external-secrets-core
interval: 5m
path: ./infrastructure/base/external-secrets/resources
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
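Review bot: `inf-external-secrets-resources` depends on `inf-external-secrets-core`, but `core` sets neither `wait: true` nor `healthChecks`, and a Kustomization without those reports Ready once its objects are applied rather than once the HelmRelease inside it has installed; the ClusterSecretStore and ClusterExternalSecret objects in `resources` need the external-secrets CRDs, so on a fresh cluster the dependency may not actually gate them. Add `wait: true` (and a `timeout`) to the `core` spec so `dependsOn` waits for the chart. The gatekeeper core/resources pair later in this commit has the same structure.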


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- dependencies.yaml


@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: infrastructure
resources:
- vault-secret-store.yaml
- vault-secret-store-app.yaml
- registry-credentials.yaml
- longhorn-s3-backup-secret.yaml


@ -0,0 +1,24 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterExternalSecret
metadata:
name: longhorn-s3-backup-secret
spec:
externalSecretName: "longhorn-s3-backup-secret"
refreshTime: "1h"
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: In
values:
- infrastructure
externalSecretSpec:
secretStoreRef:
name: vault-secret-store
kind: ClusterSecretStore
refreshInterval: "72h"
target:
name: longhorn-s3-backup-secret
deletionPolicy: Retain
dataFrom:
- extract:
key: kubernetes-secrets/longhorn/s3-backup-secret


@ -0,0 +1,31 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterExternalSecret
metadata:
name: registry-credentials
spec:
externalSecretName: "registry-credentials"
refreshTime: "1h"
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: In
values:
- system
- flux-system
- namespace1
externalSecretSpec:
secretStoreRef:
name: vault-secret-store
kind: ClusterSecretStore
refreshInterval: "1h"
target:
name: registry-credentials
deletionPolicy: Retain
template:
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: "{{ .auths }}"
data:
- secretKey: auths
remoteRef:
key: kubernetes-secrets/registry-credentials
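Review bot: The template writes `.dockerconfigjson: "{{ .auths }}"`, which only yields a valid pull secret if the Vault value under key `auths` at `kubernetes-secrets/registry-credentials` is already the complete `{"auths": {...}}` document; add a comment above `template:` such as `# Vault key 'auths' must hold the full dockerconfigjson document — TODO confirm` so nobody stores only the inner map there. The secret is fanned out to `system`, `flux-system` and `namespace1`; restricting the selector to namespaces that actually pull from the registry keeps the credential's blast radius small, so confirm `namespace1` needs it.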


@ -0,0 +1,18 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault-secret-store-app
spec:
provider:
vault:
server: "https://vault.example.com"
path: "app"
version: "v2"
auth:
appRole:
path: "approle"
roleId: "" # k8s-external-secrets
secretRef:
name: "vault-k8s-external-secrets"
namespace: infrastructure
key: "secret-id"
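Review bot: `roleId: ""` leaves the AppRole role ID empty, with the real name only in a trailing comment; an empty role ID cannot authenticate, so either this is a scrubbed example value (then use an obvious placeholder such as `"<ROLE_ID>"`) or it must be filled in. If the external-secrets version in use supports `roleRef`, the role ID can be read from the same `vault-k8s-external-secrets` Secret as the secret ID instead of living in Git; the sibling `vault-secret-store` further down has the same empty `roleId`. No `caBundle`/`caProvider` is set for `https://vault.example.com`, so TLS validation relies on the controller's system trust store — fine if that CA is public, worth a comment if it is internal.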


@ -0,0 +1,18 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault-secret-store
spec:
provider:
vault:
server: "https://vault.example.com"
path: "kubernetes-secrets"
version: "v2"
auth:
appRole:
path: "approle"
roleId: ""
secretRef:
name: "vault-k8s-external-secrets"
namespace: infrastructure
key: "secret-id"


@ -0,0 +1,27 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: gatekeeper
namespace: gatekeeper
spec:
chart:
spec:
chart: gatekeeper
reconcileStrategy: ChartVersion
version: "3.13.x"
sourceRef:
kind: HelmRepository
name: gatekeeper
namespace: infrastructure
interval: 10m0s
values:
replicas: 1
enableTLSHealthcheck: true
logDenies: true
logMutations: true
controllerManager:
exemptNamespaces: ["infrastructure"]
postInstall:
labelNamespace:
enabled: false
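Review bot: `postInstall.labelNamespace.enabled: false` skips the job that labels the gatekeeper namespace with `admission.gatekeeper.sh/ignore`, which is what keeps the admission webhook from evaluating its own pods; unless the namespace is labelled by other means, say so in a comment, because a failing webhook can otherwise block its own restart. `replicas: 1` makes the controller manager a single point of failure for an admission webhook; the webhook failure policy is not set here, and if it is the chart default an outage fails open rather than closed, which is worth stating next to the value. `exemptNamespaces: ["infrastructure"]` is fine in flow style, but the rest of the file uses block sequences.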


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- hr-gatekeeper.yaml


@ -0,0 +1,29 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: inf-gatekeeper-core
namespace: gatekeeper
spec:
interval: 5m
path: ./infrastructure/base/gatekeeper/core
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: inf-gatekeeper-resources
namespace: gatekeeper
spec:
dependsOn:
- name: inf-gatekeeper-core
interval: 5m
path: ./infrastructure/base/gatekeeper/resources
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system


@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: gatekeeper
resources:
- dependencies.yaml


@ -0,0 +1,47 @@
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
name: affinity-datascience
spec:
applyTo:
- groups:
- ""
kinds:
- Pod
versions:
- v1
location: spec.affinity
match:
kinds:
- apiGroups:
- '*'
kinds:
- Pod
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- disigas
- dilre
- difunds
- dicaplink
- dimatchdom
- dimatchname
- discoring
- dijal
- procol
namespaces:
- privateapi
scope: Namespaced
parameters:
assign:
value:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: InstanceUsage
operator: In
values:
- datascience
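Review bot: `location: spec.affinity` makes Gatekeeper replace the whole `affinity` block of any matched pod, so a workload in `privateapi` that declares its own affinity silently loses it; if existing values should win, add `pathTests: - subPath: spec.affinity condition: MustNotExist` under `parameters`. The same replace-whole-value behaviour applies to the `spec.tolerations` and `spec.dnsConfig` Assign mutations later in this commit. `apiGroups: - '*'` under `match` is broader than the `applyTo` entry, which names only the core group; narrowing it to `""` keeps the two in step.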


@ -0,0 +1,23 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedTags
metadata:
name: block-latest-tags
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
namespaces:
- data-entry-management
- diffusion
- digital-marketing
- privateapi
- produits
- smartexchange
- vidocq
- flux-system
- infrastructure
scope: Namespaced
parameters:
tags: ["latest"]
exemptImages: []
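Review bot: The `namespaces` list does not include `system`, the namespace this commit creates for the http-broadcaster workload (nor `gatekeeper` or `namespace1`), so `:latest` images remain allowed exactly where the in-house app runs; unless that is deliberate, add `- system` to the list. `exemptImages: []` is explicit, which is good. The file has no `---` document start while neighbouring manifests vary on this; pick one convention.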


@ -0,0 +1,80 @@
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: disallowedtags
spec:
crd:
spec:
names:
kind: DisallowedTags
validation:
openAPIV3Schema:
type: object
properties:
exemptImages:
description: >-
Any container that uses an image that matches an entry in this list will be excluded
from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`.
It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name)
in order to avoid unexpectedly exempting images from an untrusted repository.
type: array
items:
type: string
tags:
type: array
description: Disallowed container image tags.
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sdisallowedtags
import data.lib.exempt_container.is_exempt
violation[{"msg": msg}] {
container := input_containers[_]
not is_exempt(container)
tags := [forbid | tag = input.parameters.tags[_] ; forbid = endswith(container.image, concat(":", ["", tag]))]
any(tags)
msg := sprintf("container <%v> uses a disallowed tag <%v>; disallowed tags are %v", [container.name, container.image, input.parameters.tags])
}
violation[{"msg": msg}] {
container := input_containers[_]
not is_exempt(container)
tag := [contains(container.image, ":")]
not all(tag)
msg := sprintf("container <%v> didn't specify an image tag <%v>", [container.name, container.image])
}
input_containers[c] {
c := input.review.object.spec.containers[_]
}
input_containers[c] {
c := input.review.object.spec.initContainers[_]
}
input_containers[c] {
c := input.review.object.spec.ephemeralContainers[_]
}
libs:
- |
package lib.exempt_container
is_exempt(container) {
exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", [])
img := container.image
exemption := exempt_images[_]
_matches_exemption(img, exemption)
}
_matches_exemption(img, exemption) {
not endswith(exemption, "*")
exemption == img
}
_matches_exemption(img, exemption) {
endswith(exemption, "*")
prefix := trim_suffix(exemption, "*")
startswith(img, prefix)
}


@ -0,0 +1,16 @@
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: gatekeeper
spec:
namespaceSelector:
matchNames:
- gatekeeper
selector:
matchExpressions:
- key: app
operator: In
values:
- gatekeeper
podMetricsEndpoints:
- port: metrics


@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: infrastructure
resources:
- affinity-datascience.yaml
- block-latest-tags.yaml
- disallowed-tags.yaml
- ndots-dns.yaml
- toleration-datasience.yaml
- gatekeeper-podmonitor.yaml
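Review bot: `toleration-datasience.yaml` looks like a misspelling of `datascience` (the Assign it presumably refers to is named `toleration-datascience`); the real filename is not visible on this page, so if the file does carry the typo, renaming both keeps the resource greppable. `namespace: infrastructure` here only affects the namespaced PodMonitor, since the Assign and constraint objects are cluster-scoped; a one-line comment saying so would avoid confusion.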


@ -0,0 +1,38 @@
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
name: ndots-dns
spec:
applyTo:
- groups:
- ""
kinds:
- Pod
versions:
- v1
location: spec.dnsConfig
match:
kinds:
- apiGroups:
- '*'
kinds:
- Pod
namespaces:
- data-entry-management
- diffusion
- digital-marketing
- privateapi
- produits
- vidocq
- smartexchange
- identite-solvabilite
- alertes
- flux-system
scope: Namespaced
parameters:
assign:
value:
options:
- name: ndots
value: "1"
- name: no-aaaa


@ -0,0 +1,44 @@
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
name: toleration-datascience
spec:
applyTo:
- groups:
- ""
kinds:
- Pod
versions:
- v1
location: spec.tolerations
match:
kinds:
- apiGroups:
- '*'
kinds:
- Pod
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- disigas
- dilre
- difunds
- dicaplink
- dimatchdom
- dimatchname
- discoring
- dijal
- procol
namespaces:
- privateapi
scope: Namespaced
parameters:
assign:
value:
- effect: NoSchedule
key: InstanceUsage
operator: Equal
value: datascience


@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: myOrg
spec:
secretRef:
name: helm-registry-gitlab
interval: 10m0s
url: https://gitlab.example.com/api/v4/projects/<projectID>/packages/helm/stable
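Review bot: This HelmRepository is named `myOrg`, but the http-broadcaster HelmReleases earlier in this commit reference `sourceRef.name: myChart` in namespace `infrastructure`, and no HelmRepository named `myChart` appears on this page; either the name here or those references should change. `<projectID>` in the URL is a placeholder that has to be substituted before this is applied, and since angle brackets are not valid in a URL the source-controller will fail to fetch until it is; fine for an example, but flag it with a comment such as `# replace <projectID> with the GitLab project id before applying`.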


@ -0,0 +1,15 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: helm-registry-gitlab
spec:
secretStoreRef:
name: vault-secret-store
kind: ClusterSecretStore
refreshInterval: "1h"
target:
name: helm-registry-gitlab
deletionPolicy: Retain
dataFrom:
- extract:
key: kubernetes-secrets/helm-registry-gitlab


@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-private-repositories.yaml
- helm-registry-gitlab.yaml


@ -0,0 +1,147 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: bitnami
spec:
interval: 360m0s
url: https://charts.bitnami.com/bitnami
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: bitnami-oci
spec:
type: "oci"
interval: 360m0s
url: oci://registry-1.docker.io/bitnamicharts
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: bitnami-labs
spec:
interval: 360m0s
url: https://bitnami-labs.github.io/sealed-secrets
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: elastic
spec:
interval: 360m0s
url: https://helm.elastic.co
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: external-secrets-operator
spec:
interval: 360m0s
url: https://charts.external-secrets.io
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: fairwinds-stable
spec:
interval: 360m0s
url: https://charts.fairwinds.com/stable
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: gatekeeper
spec:
interval: 360m0s
url: https://open-policy-agent.github.io/gatekeeper/charts
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: gitlab
spec:
interval: 360m0s
url: https://charts.gitlab.io
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: grafana
spec:
interval: 360m0s
url: https://grafana.github.io/helm-charts
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: kedacore
spec:
interval: 360m0s
url: https://kedacore.github.io/charts
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: ingress-nginx
spec:
interval: 360m0s
url: https://kubernetes.github.io/ingress-nginx
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: prometheus-community
spec:
interval: 360m0s
url: https://prometheus-community.github.io/helm-charts
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: prometheus-msteams
spec:
interval: 360m0s
url: https://prometheus-msteams.github.io/prometheus-msteams/
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: traefik
spec:
interval: 360m0s
url: https://traefik.github.io/charts
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
name: velero-repo
namespace: flux-system
spec:
interval: 1h
url: https://vmware-tanzu.github.io/helm-charts
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
name: mercure
namespace: flux-system
spec:
interval: 1h
url: https://charts.mercure.rocks
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
name: longhorn-repo
namespace: flux-system
spec:
interval: 1h
url: https://charts.longhorn.io
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: aqua
spec:
interval: 360m0s
url: https://aquasecurity.github.io/helm-charts/
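Review bot: `velero-repo`, `mercure` and `longhorn-repo` use `source.toolkit.fluxcd.io/v1beta1` and pin `namespace: flux-system`, while every other entry uses `v1` and leaves the namespace to the Kustomization; `v1beta1` is the older version and should be bumped to match. The namespace pin matters: the longhorn HelmRelease in this commit looks up `longhorn-repo` in `infrastructure`, which does not match `flux-system` unless a kustomization overrides the namespace — confirm against the kustomization chain. `prometheus-msteams` and `aqua` carry a trailing slash in the URL and the others do not; harmless, but easy to normalise.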


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-repository-public.yaml


@ -0,0 +1,130 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: keda
spec:
chart:
spec:
chart: keda
sourceRef:
kind: HelmRepository
name: kedacore
namespace: infrastructure
version: "2.16.x"
install:
crds: Create
upgrade:
crds: CreateReplace
interval: 30m
values:
image:
keda:
repository: ghcr.io/kedacore/keda
metricsApiServer:
repository: ghcr.io/kedacore/keda-metrics-apiserver
webhooks:
repository: ghcr.io/kedacore/keda-admission-webhooks
pullPolicy: IfNotPresent
# -- Defines Kubernetes namespaces to watch to scale their workloads. Default watches all namespaces
watchNamespace: ""
operator:
# -- Capability to configure the number of replicas for KEDA operator.
# While you can run more replicas of our operator, only one operator instance will be the leader and serving traffic.
# You can run multiple replicas, but they will not improve the performance of KEDA, it could only reduce downtime during a failover.
# Learn more in [our documentation](https://keda.sh/docs/latest/operate/cluster/#high-availability).
replicaCount: 2
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- keda-operator
topologyKey: "kubernetes.io/hostname"
metricsServer:
replicaCount: 2
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- keda-operator-metrics-apiserver
topologyKey: "kubernetes.io/hostname"
webhooks:
enabled: true
replicaCount: 2
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- keda-operator
topologyKey: "kubernetes.io/hostname"
# -- [Failure policy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy) to use with KEDA admission webhooks
failurePolicy: Ignore
# We provides the default values that we describe in our docs:
# https://keda.sh/docs/latest/operate/cluster/
# If you want to specify the resources (or totally remove the defaults), change or comment the following
# lines, adjust them as necessary, or simply add the curly braces after 'operator' and/or 'metricServer'
# and remove/comment the default values
resources:
# -- Manage [resource request & limits] of KEDA operator pod
operator:
limits:
cpu: 1
memory: 1000Mi
requests:
cpu: 100m
memory: 1000Mi
# -- Manage [resource request & limits] of KEDA metrics apiserver pod
metricServer:
limits:
cpu: 1
memory: 1000Mi
requests:
cpu: 100m
memory: 1000Mi
# -- Manage [resource request & limits] of KEDA admission webhooks pod
webhooks:
limits:
cpu: 50m
memory: 1000Mi
requests:
cpu: 10m
memory: 1000Mi
tolerations: []
priorityClassName: ""
prometheus:
metricServer:
enabled: true
port: 8080
portName: metrics
serviceMonitor:
enabled: true
operator:
enabled: true
port: 8080
serviceMonitor:
enabled: true
webhooks:
enabled: true
port: 8080
serviceMonitor:
enabled: true
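Review bot: `failurePolicy: Ignore` on the admission webhooks means that while the webhook pods are unavailable, validation of KEDA objects is skipped and they are admitted unchecked; that is the availability-first choice, so add a comment stating the rationale, or set `Fail` if the validation is relied upon. `watchNamespace: ""` gives the operator cluster-wide reach, which the comment above it already documents. The comment block under `resources:` is copied verbatim from the upstream values file and partly addresses chart users ("change or comment the following lines"); trim it to what applies to this release.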


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- hr-keda.yaml


@ -0,0 +1,32 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: longhorn
spec:
chart:
spec:
chart: longhorn
reconcileStrategy: ChartVersion
version: "1.8.x"
sourceRef:
kind: HelmRepository
name: longhorn-repo
namespace: infrastructure
interval: 10m0s
# https://github.com/longhorn/charts/blob/v1.8.x/charts/longhorn/values.yaml
values:
defaultBackupStore:
backupTarget: "s3://ilg-longhorn-backup-inf@fr-par/"
backupTargetCredentialSecret: "longhorn-s3-backup-secret"
ingress:
enabled: true
ingressClassName: "traefik"
annotations:
"traefik.ingress.kubernetes.io/router.middlewares": infrastructure-longhorn-dashboard-basic-auth@kubernetescrd
metrics:
serviceMonitor:
enabled: true
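Review bot: `ingress.enabled: true` exposes the Longhorn UI, which has no authentication of its own, so the only protection is the `infrastructure-longhorn-dashboard-basic-auth@kubernetescrd` middleware annotation; a comment above `ingress:` stating that the middleware is mandatory and where it is defined (it is not in this commit) would keep someone from dropping it. `sourceRef.namespace: infrastructure` does not match the `longhorn-repo` HelmRepository later in this commit, which sets `namespace: flux-system`; one of the two should change unless a kustomization override is in play. `backupTargetCredentialSecret` also depends on the `longhorn-s3-backup-secret` ClusterExternalSecret being delivered to the namespace this release runs in, which is worth noting beside the value.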


@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- hr-longhorn.yaml


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespaces.yaml


@ -0,0 +1,10 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: namespace1
---
apiVersion: v1
kind: Namespace
metadata:
name: system
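Review bot: Both Namespace objects are created without Pod Security Admission labels; since this commit already hardens the http-broadcaster pod (non-root, no capabilities, RuntimeDefault seccomp), labelling `system` with `pod-security.kubernetes.io/enforce: restricted` (or `baseline` as a first step) makes that posture enforced rather than optional. `namespace1` reads like a placeholder; if it is, say so in a comment.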


@ -0,0 +1,18 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
labels:
release: prometheus
name: alerts-flux.rules
namespace: monitoring
spec:
groups:
- name: Flux
rules:
- alert: ReconciliationFailure
expr: max(gotk_reconcile_condition{status="False",type="Ready"}) by (exported_namespace, name, kind) + on(exported_namespace, name, kind) (max(gotk_reconcile_condition{status="Deleted"}) by (exported_namespace, name, kind)) * 2 == 1
for: 10m
labels:
severity: warning
annotations:
summary: '{{ $labels.kind }} {{ $labels.exported_namespace }}/{{ $labels.name }} reconciliation has been failing for more than ten minutes.'
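Review bot: `expr` is a single line of roughly 230 characters; a folded block scalar (`expr: >-` with one clause per line) keeps the rule readable and diffable without changing the query. The rule carries `release: prometheus` and `namespace: monitoring`, while the kube-prometheus-stack HelmRelease in this commit uses `fullnameOverride: "prometheus"` and no visible namespace; confirm that the operator's rule selector picks up this label and namespace, otherwise the alert is silently never loaded.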


@ -0,0 +1,397 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: prometheus
spec:
upgrade:
remediation:
retries: -1
chart:
spec:
chart: kube-prometheus-stack
version: "54.x.x"
sourceRef:
kind: HelmRepository
name: prometheus-community
namespace: infrastructure
interval: 30m0s
values:
fullnameOverride: "prometheus"
## Create default rules for monitoring the cluster
##
defaultRules:
create: true
rules:
etcd: false
kubernetesSystem: false
kubeScheduler: false
kubeProxy: false
configReloaders: true
general: true
k8s: true
kubeApiserverAvailability: true
kubeApiserverBurnrate: true
kubeApiserverHistogram: true
kubeApiserverSlos: true
kubeControllerManager: true
kubelet: true
kubePrometheusGeneral: true
kubePrometheusNodeRecording: true
kubernetesApps: true
kubernetesResources: true
kubernetesStorage: true
kubeSchedulerAlerting: true
kubeSchedulerRecording: true
kubeStateMetrics: true
network: true
node: true
nodeExporterAlerting: true
nodeExporterRecording: true
prometheus: true
prometheusOperator: true
global:
rbac:
create: true
alertmanager:
enabled: true
config:
global:
resolve_timeout: 5m
route:
group_by:
- job
- alertname
receiver: 'null'
routes:
- receiver: 'null'
matchers:
- alertname =~ "InfoInhibitor|Watchdog"
receivers:
- name: 'null'
templates:
- '/etc/alertmanager/config/*.tmpl'
serviceMonitor:
interval: ""
selfMonitor: true
alertmanagerSpec:
replicas: 1
retention: 120h
storage: {}
# volumeClaimTemplate:
# spec:
# storageClassName: gluster
# accessModes: ["ReadWriteOnce"]
# resources:
# requests:
# storage: 50Gi
# selector: {}
resources:
requests:
cpu: 10m
memory: 64Mi
limits:
cpu: 501m
memory: 64Mi
podAntiAffinity: "soft"
podAntiAffinityTopologyKey: kubernetes.io/hostname
grafana:
enabled: false
kubeApiServer:
enabled: true
tlsConfig:
# serverName: kubernetes
insecureSkipVerify: true
serviceMonitor:
interval: ""
proxyUrl: ""
kubelet:
enabled: true
namespace: kube-system
serviceMonitor:
additionalLabels: {}
cAdvisor: true
cAdvisorMetricRelabelings:
- action: drop
regex: >-
container_cpu_(load_average_10s|system_seconds_total|user_seconds_total)
sourceLabels:
- __name__
- action: drop
regex: >-
container_fs_(io_current|io_time_seconds_total|io_time_weighted_seconds_total|reads_merged_total|sector_reads_total|sector_writes_total|writes_merged_total)
sourceLabels:
- __name__
- action: drop
regex: container_memory_(mapped_file|swap)
sourceLabels:
- __name__
- action: drop
regex: container_(file_descriptors|tasks_state|threads_max)
sourceLabels:
- __name__
- action: drop
regex: container_spec.*
sourceLabels:
- __name__
- action: drop
regex: .+;
sourceLabels:
- id
- pod
cAdvisorRelabelings:
- sourceLabels:
- __metrics_path__
targetLabel: metrics_path
https: true
interval: ''
metricRelabelings: []
probes: true
probesMetricRelabelings: []
probesRelabelings:
- sourceLabels:
- __metrics_path__
targetLabel: metrics_path
proxyUrl: ''
relabelings:
- sourceLabels:
- __metrics_path__
targetLabel: metrics_path
resource: false
kubeControllerManager:
enabled: false
serviceMonitor:
enabled: false
interval: ""
proxyUrl: ""
https: null
insecureSkipVerify: null
serverName: null
coreDns:
enabled: true
service:
port: 9153
targetPort: 9153
# selector:
# k8s-app: kube-dns
serviceMonitor:
interval: ""
kubeDns:
enabled: false
kubeEtcd:
enabled: false
serviceMonitor:
enabled: false
interval: ""
proxyUrl: ""
scheme: http
insecureSkipVerify: false
kubeScheduler:
enabled: false
serviceMonitor:
enabled: false
interval: ""
https: null
insecureSkipVerify: null
kubeProxy:
enabled: false
serviceMonitor:
enabled: false
interval: ""
https: false
kubeStateMetrics:
enabled: true
kube-state-metrics:
prometheus:
monitor:
enabled: true
interval: ""
selfMonitor:
enabled: true
nodeExporter:
enabled: true
prometheus-node-exporter:
extraArgs:
- --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)
- --collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$
prometheus:
monitor:
enabled: true
interval: ""
prometheusOperator:
enabled: true
serviceMonitor:
interval: ""
scrapeTimeout: ""
selfMonitor: true
resources:
requests:
cpu: 125m
memory: 128Mi
limits:
cpu: 500m
memory: 128Mi
# Required for use in managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico),
# because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working
##
hostNetwork: false
dnsConfig: {}
# nameservers:
# - 1.2.3.4
# searches:
# - ns1.svc.cluster-domain.example
# - my.dns.search.suffix
# options:
# - name: ndots
# value: "2"
# - name: edns0
# Enable vertical pod autoscaler support for prometheus-operator
verticalPodAutoscaler:
enabled: false
# List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
controlledResources: []
# Define the max allowed resources for the pod
maxAllowed: {}
# cpu: 200m
# memory: 100Mi
# Define the min allowed resources for the pod
minAllowed: {}
# cpu: 200m
# memory: 100Mi
updatePolicy:
# Specifies whether recommended updates are applied when a Pod is started and whether recommended updates
# are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto".
updateMode: Auto
prometheusConfigReloader:
resources:
requests:
cpu: 10m
memory: 35Mi
limits:
cpu: 500m
memory: 1024Mi
prometheus:
enabled: true
thanosService:
enabled: false
thanosServiceMonitor:
enabled: false
interval: ""
thanosServiceExternal:
enabled: false
podDisruptionBudget:
enabled: true
minAvailable: 1
maxUnavailable: ""
ingress:
enabled: false
ingressClassName: nginx
# hosts:
# - prometheus.domain.com
hosts: []
## Paths to use for ingress rules - one path should match the prometheusSpec.routePrefix
##
paths: []
# - /
pathType: Prefix
serviceMonitor:
interval: ""
selfMonitor: true
prometheusSpec:
## If true, pass --storage.tsdb.max-block-duration=2h to prometheus. This is already done if using Thanos
##
disableCompaction: false
scrapeInterval: "15s"
scrapeTimeout: "10s"
evaluationInterval: "1m"
enableAdminAPI: false
priorityClassName: "system-cluster-critical"
remoteWrite:
- url: https://mimir.example.com/api/v1/push
ruleNamespaceSelector: {}
ruleSelectorNilUsesHelmValues: false
ruleSelector: {}
serviceMonitorSelectorNilUsesHelmValues: false
serviceMonitorSelector: {}
serviceMonitorNamespaceSelector: {}
podMonitorSelectorNilUsesHelmValues: false
podMonitorSelector: {}
podMonitorNamespaceSelector: {}
probeSelectorNilUsesHelmValues: true
probeSelector: {}
probeNamespaceSelector: {}
retention: 1d
retentionSize: "25GiB"
## Enable compression of the write-ahead log using Snappy.
##
walCompression: false
replicas: 1
podAntiAffinity: "soft"
podAntiAffinityTopologyKey: kubernetes.io/hostname
resources:
limits:
cpu: 2000m
memory: 6000Mi
requests:
cpu: 900m
memory: 6000Mi
thanos: {}
# objectStorageConfig:
# key: objstore.yml
# name: thanos-objstore-config
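Review bot: `kubeApiServer.tlsConfig.insecureSkipVerify: true` (with `serverName` commented out) disables certificate verification for the scrape of the API server, the one target where Prometheus presents its service-account bearer token, so a MITM on that path gets a cluster credential; the chart's default ServiceMonitor already uses the service-account CA, so `serverName: kubernetes` and `insecureSkipVerify: false` should work, and if it does not the name mismatch is worth finding rather than silencing. The `remoteWrite` entry to `https://mimir.example.com/api/v1/push` has no `basicAuth`/`authorization`/`oauth2` block; unless Mimir is fronted by something that authenticates this cluster (mTLS, network-restricted ingress — can't tell from here), anyone who can reach that URL can write into the tenant, so a comment stating how the push is authenticated belongs next to `url:`. Note too that `serviceMonitorNamespaceSelector: {}` together with `*SelectorNilUsesHelmValues: false` lets any namespace's ServiceMonitor/PodMonitor steer this Prometheus's scrape targets, which is fine on a single-team cluster but is a tenant-isolation boundary worth stating explicitly.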


@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: infrastructure
resources:
- hr-kube-prometheus-stack.yaml


@ -0,0 +1,34 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: inf-prometheus-core
namespace: infrastructure
spec:
interval: 5m
path: ./infrastructure/base/prometheus/core
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
healthChecks:
- apiVersion: apps/v1
kind: Deployment
name: prometheus-operator
namespace: infrastructure
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: inf-prometheus-resources
namespace: infrastructure
spec:
dependsOn:
- name: inf-prometheus-core
interval: 5m
path: ./infrastructure/base/prometheus/resources
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system


@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: infrastructure
resources:
- dependencies.yaml


@ -0,0 +1,24 @@
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: flux-system
labels:
app.kubernetes.io/part-of: flux
release: prometheus
spec:
namespaceSelector:
matchNames:
- flux-system
selector:
matchExpressions:
- key: app
operator: In
values:
- helm-controller
- source-controller
- kustomize-controller
- notification-controller
- image-automation-controller
- image-reflector-controller
podMetricsEndpoints:
- port: http-prom


@ -0,0 +1,15 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: http-broadcaster
spec:
endpoints:
- interval: 30s
port: web
scheme: http
scrapeTimeout: 29s
namespaceSelector:
any: true
selector:
matchLabels:
app.kubernetes.io/name: "http-broadcaster"
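Review bot: This monitor scrapes port `web`, i.e. the application's serving port, at the default `/metrics` path over plain HTTP, so the metrics endpoint shares a listener with the application itself; if that Service is also routed by an ingress on the same port (can't tell from this file), `/metrics` is reachable from outside without authentication. Prefer a dedicated metrics port, or at least a `path:` on a listener the ingress does not route. With `namespaceSelector.any: true` and a selector on `app.kubernetes.io/name` only, any Service in any namespace carrying that label will be scraped — acceptable on a single-tenant cluster, but add `matchNames:` or a second, platform-owned label if namespaces are handed to other teams.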


@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: infrastructure
resources:
- flux-podmonitor.yaml
- php-fpm-exporters-servicemonitor.yaml
- rabbitmq-servicemonitor.yaml
- python-metrics-servicemonitor.yaml
- php-metrics-servicemonitor.yaml
- http-broadcaster-servicemonitor.yaml


@ -0,0 +1,15 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: php-fpm-exporters
spec:
endpoints:
- interval: 15s
port: php-fpm-exporter
scheme: http
scrapeTimeout: 14s
namespaceSelector:
any: true
selector:
matchLabels:
k8s.example.com/php-fpm-exporter-scrape: 'true'
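Review bot: The opt-in label `k8s.example.com/php-fpm-exporter-scrape: 'true'` combined with `namespaceSelector.any: true` means anyone who can create or label a Service in any namespace can have this Prometheus scrape an arbitrary in-cluster (or ExternalName) target on a port named `php-fpm-exporter` — a scrape-as-SSRF and cardinality-flooding surface on a multi-tenant cluster. If not every namespace is owned by the platform team, replace `any: true` with `matchNames:` or gate that label through admission policy; the same applies to the python-metrics and php-metrics monitors in this commit. A comment above `namespaceSelector:` stating the trust assumption would help either way.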


@ -0,0 +1,16 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: php-metrics
spec:
endpoints:
- interval: 15s
port: php-metrics
path: /metrics
scheme: http
scrapeTimeout: 14s
namespaceSelector:
any: true
selector:
matchLabels:
k8s.example.com/php-metrics-scrape: 'true'


@ -0,0 +1,16 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: python-metrics
spec:
endpoints:
- interval: 15s
port: metrics
path: /metrics
scheme: http
scrapeTimeout: 14s
namespaceSelector:
any: true
selector:
matchLabels:
k8s.example.com/python-metrics-scrape: 'true'


@ -0,0 +1,42 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: rabbitmq
namespace: rabbitmq-operator
spec:
endpoints:
- port: prometheus
scheme: http
interval: 15s
scrapeTimeout: 14s
- port: prometheus-tls
scheme: https
interval: 15s
scrapeTimeout: 14s
tlsConfig:
insecureSkipVerify: true
- port: prometheus
scheme: http
path: /metrics/detailed
params:
family:
- queue_coarse_metrics
- queue_metrics
interval: 15s
scrapeTimeout: 14s
- port: prometheus-tls
scheme: https
path: /metrics/detailed
params:
family:
- queue_coarse_metrics
- queue_metrics
interval: 15s
scrapeTimeout: 14s
tlsConfig:
insecureSkipVerify: true
selector:
matchLabels:
app.kubernetes.io/component: rabbitmq
namespaceSelector:
any: true
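Review bot: Both `prometheus-tls` endpoints set `tlsConfig.insecureSkipVerify: true`, and the same metrics are also scraped in clear over the `prometheus` port, so the TLS endpoints add no authenticity and every series is collected twice per pod (identical `__name__`, differing only by port label), doubling cardinality for the detailed `/metrics/detailed` families too. Pick one: if the operator issues certificates for the cluster, keep only the TLS endpoints and verify them with a `ca.secret` reference plus `serverName`, otherwise drop them and keep the plaintext pair. Also note that `metadata.namespace: rabbitmq-operator` will be overwritten to `infrastructure` by the `namespace:` transformer of the kustomization that includes this file, so the explicit value is misleading — remove it, or keep the monitor out of that kustomization.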


@ -0,0 +1,250 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: traefik
spec:
chart:
spec:
chart: traefik
reconcileStrategy: ChartVersion
version: "35.x.x"
sourceRef:
kind: HelmRepository
name: traefik
namespace: infrastructure
interval: 10m0s
values:
image:
registry: docker.io
repository: traefik
tag: ""
pullPolicy: IfNotPresent
commonLabels: {}
deployment:
enabled: true
# -- Deployment or DaemonSet
kind: DaemonSet
# -- Number of pods of the deployment (only applies when kind == Deployment)
replicas: 1
terminationGracePeriodSeconds: 60
minReadySeconds: 0
dnsConfig:
options:
- name: ndots
value: '1'
ingressClass:
enabled: true
isDefaultClass: true
name: "traefik"
ingressRoute:
dashboard:
enabled: true
annotations: {}
labels: {}
matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
# By default, it's using traefik entrypoint, which is not exposed.
# /!\ Do not expose your dashboard without any protection over the internet /!\
entryPoints: ["traefik"]
middlewares: []
healthcheck:
enabled: true
annotations: {}
labels: {}
matchRule: PathPrefix(`/ping`)
entryPoints: ["traefik", "web", "websecure"]
middlewares: []
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
maxSurge: null
providers:
kubernetesCRD:
enabled: true
# -- Allows IngressRoute to reference resources in namespace other than theirs
allowCrossNamespace: false
# -- Allows to reference ExternalName services in IngressRoute
allowExternalNameServices: false
# -- Allows to return 503 when there is no endpoints available
allowEmptyServices: false
# -- Array of namespaces to watch. If left empty, Traefik watches all namespaces.
namespaces: []
# - "default"
kubernetesIngress:
enabled: true
# -- Allows to reference ExternalName services in Ingress
allowExternalNameServices: false
# -- Allows to return 503 when there is no endpoints available
allowEmptyServices: false
# -- Array of namespaces to watch. If left empty, Traefik watches all namespaces.
namespaces: []
# - "default"
# IP used for Kubernetes Ingress endpoints
publishedService:
enabled: false
# Published Kubernetes Service to copy status from. Format: namespace/servicename
# By default this Traefik service
# pathOverride: ""
logs:
general:
# -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
level: ERROR
access:
enabled: true
# format: json
# bufferingSize: 100
## Filtering
# -- https://docs.traefik.io/observability/access-logs/#filtering
filters: {}
# statuscodes: "200,300-302"
# retryattempts: true
# minduration: 10ms
fields:
general:
# -- Available modes: keep, drop, redact.
defaultmode: keep
# -- Names of the fields to limit.
names: {}
## Examples:
# ClientUsername: drop
headers:
# -- Available modes: keep, drop, redact.
defaultmode: drop
# -- Names of the headers to limit.
names: {}
## Examples:
# User-Agent: redact
# Authorization: drop
# Content-Type: keep
metrics:
prometheus:
entryPoint: metrics
service:
enabled: true
serviceMonitor:
metricRelabelings: []
relabelings: []
jobLabel: traefik
interval: 30s
honorLabels: true
globalArguments:
- "--global.checknewversion"
additionalArguments:
- "--entryPoints.web.forwardedHeaders.trustedIPs=10.0.0.0/8"
- "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8"
ports:
traefik:
port: 9000
# -- You SHOULD NOT expose the traefik port on production deployments.
# If you want to access it from outside your cluster,
# use `kubectl port-forward` or create a secure ingress
expose: false
exposedPort: 9000
protocol: TCP
exposeInternal: false
web:
port: 8000
hostPort: 80
# containerPort: 8000
expose: true
exposedPort: 80
protocol: TCP
exposeInternal: false
websecure:
port: 8443
hostPort: 443
expose: true
exposedPort: 443
protocol: TCP
exposeInternal: false
http3:
enabled: false
middlewares: []
metrics:
port: 9100
expose: false
exposedPort: 9100
protocol: TCP
exposeInternal: false
service:
enabled: true
single: true
type: ClusterIP
annotations: {}
annotationsTCP: {}
annotationsUDP: {}
labels: {}
autoscaling:
enabled: false
# -- If hostNetwork is true, runs traefik in the host network namespace
# To prevent unschedulabel pods due to port collisions, if hostNetwork=true
# and replicas>1, a pod anti-affinity is recommended and will be set if the
# affinity is left as default.
hostNetwork: false
# -- Whether Role Based Access Control objects like roles and rolebindings should be created
rbac:
enabled: true
# If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces.
# If set to true, installs Role and RoleBinding. Providers will only watch target namespace.
namespaced: false
# Enable user-facing roles
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
# aggregateTo: [ "admin" ]
# -- Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding
podSecurityPolicy:
enabled: false
resources:
requests:
cpu: "100m"
memory: "150Mi"
limits:
memory: "150Mi"
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: '{{ template "traefik.name" . }}'
app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}'
topologyKey: kubernetes.io/hostname
priorityClassName: "system-cluster-critical"
securityContext:
capabilities:
drop: [ALL]
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
podSecurityContext:
fsGroupChangePolicy: "OnRootMismatch"
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
tolerations:
- effect: NoSchedule
key: InstanceUsage
operator: Equal
value: datascience
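Review bot: The `ports.*.expose: true`/`false` booleans and `exposeInternal:` keys are the pre-v28 form of the Traefik chart's port schema, whereas `version: "35.x.x"` expects the map form the staging copy in this commit uses (`expose: {default: true, internal: false}`); this base release will most likely fail to render, so align it with the staging file. `metrics.prometheus.serviceMonitor` here also lacks `enabled: true` (the staging copy has it), so no ServiceMonitor is created for the production Traefik. On the security side, `--entryPoints.web.forwardedHeaders.trustedIPs=10.0.0.0/8` makes Traefik honor client-supplied `X-Forwarded-*` from the whole 10/8; since the pods bind `hostPort` 80/443 on every node, if the node or pod CIDRs fall inside that range any in-cluster workload can forge the client IP seen by backends and access logs — narrow it to the upstream load-balancer addresses.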


@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: infrastructure
resources:
- hr-traefik.yaml


@ -0,0 +1,29 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: inf-traefik-core
namespace: flux-system
spec:
interval: 5m
path: ./infrastructure/base/traefik/core
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: inf-traefik-resources
namespace: flux-system
spec:
dependsOn:
- name: inf-traefik-core
interval: 5m
path: ./infrastructure/base/traefik/resources
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
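Review bot: These Flux Kustomizations are created in `flux-system` while the prometheus pair in the same commit (`inf-prometheus-core`/`-resources`) is created in `infrastructure`; both work, but `dependsOn` resolves names in the Kustomization's own namespace, so mixing conventions makes it easy to write a dependency that never resolves. Neither file sets `serviceAccountName`, so the manifests are applied with kustomize-controller's own identity (cluster-admin in a default bootstrap) — reasonable for platform infrastructure, but worth a one-line comment so the pattern is not copied into tenant Kustomizations. Consider `wait: true` (or a `healthChecks` entry for the `traefik` HelmRelease) on `inf-traefik-core`, otherwise `inf-traefik-resources` only waits for the HelmRelease object to be applied, not for the CRDs and controller it installs to be ready.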


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- dependencies.yaml


@ -0,0 +1,18 @@
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-public-dashboard-prd
spec:
entryPoints:
- websecure
- web
routes:
- match: (Host(`traefik-dashboard.example.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)))
kind: Rule
middlewares:
- name: traefik-dashboard-basic-auth
namespace: infrastructure
services:
- name: api@internal
kind: TraefikService
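Review bot: `apiVersion: traefik.containo.us/v1alpha1` is the legacy API group; Traefik v3, which the `35.x.x` chart in this commit deploys, no longer reconciles it, so this production route is likely ignored while the staging copy using `traefik.io/v1alpha1` works — change it to `apiVersion: traefik.io/v1alpha1`. The route is also bound to `web`, so the basicAuth credentials guarding `api@internal` (which exposes the complete routing configuration) can be sent in clear on port 80; keep `entryPoints: [websecure]` only, or add a `redirectScheme` middleware ahead of the auth one so the cleartext entrypoint only ever redirects.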


@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: infrastructure
resources:
- middleware-traefik-dashboard-basic-auth.yaml
- secret-traefik-dashboard-basic-auth.yaml
- ingress-route-public-dashboard-prd.yaml


@ -0,0 +1,7 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: traefik-dashboard-basic-auth
spec:
basicAuth:
secret: traefik-dashboard-basic-auth


@ -0,0 +1,15 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: traefik-dashboard-basic-auth
spec:
secretStoreRef:
name: vault-secret-store
kind: ClusterSecretStore
refreshInterval: "6h"
target:
name: traefik-dashboard-basic-auth
deletionPolicy: Retain
dataFrom:
- extract:
key: kubernetes-secrets/traefik/traefik-dashboard-basic-auth
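Review bot: The target Secret is consumed by a Traefik `basicAuth` middleware, which reads a `users` key holding htpasswd-format entries, but `dataFrom.extract` copies every key in the Vault path verbatim with no `template`, so that contract is invisible here; a comment above `dataFrom:` such as `# Vault path must hold a 'users' key in htpasswd format (bcrypt); Traefik basicAuth reads it` would save the next person a failed login. `refreshInterval: "6h"` also means a rotated or revoked dashboard password stays valid for up to six hours; shorten it if credential rotation is part of an incident playbook.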


@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- longhorn


@ -0,0 +1,19 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: longhorn
spec:
chart:
spec:
chart: longhorn
reconcileStrategy: ChartVersion
version: "1.8.x"
sourceRef:
kind: HelmRepository
name: longhorn-repo
namespace: infrastructure
interval: 10m0s
values:
ingress:
host: "longhorn.stg.example.com"
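Review bot: `ingress.host` is set without `ingress.enabled: true`, so with the chart default this value does nothing and the UI is actually published by the `longhorn-public-dashboard-stg` IngressRoute elsewhere in this commit; either drop the value or add `# ingress intentionally disabled; UI exposed via IngressRoute with basicAuth` above it, otherwise someone enabling it later creates a second, unauthenticated route to the same UI. Longhorn's UI/API has no authentication of its own and can delete volumes and backups, so whatever fronts it is the only access control — that deserves to be stated next to the host.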


@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/longhorn/
- recurringjob-backup-longhorn.yaml
- recurringjob-snapshot-longhorn.yaml
patches:
- path: hr-longhorn.yaml


@ -0,0 +1,13 @@
---
apiVersion: longhorn.io/v1beta1
kind: RecurringJob
metadata:
name: backup-daily
namespace: infrastructure
spec:
cron: "0 19 * * *"
task: "backup"
groups:
- default
retain: 7
concurrency: 3
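Review bot: A `task: backup` job needs a backup target (S3/NFS) configured in Longhorn's settings, and nothing visible in this commit's Longhorn values sets one, so unless it is configured out of band this job fails every night at 19:00 (manager timezone, normally UTC) with no alert wired to it; a comment `# requires a backupTarget in Longhorn settings` above `task:` would make the dependency explicit. `retain: 7` keeps a week of backups only for volumes in the `default` group — volumes labelled into another group are silently excluded, which is worth stating since this is the disaster-recovery boundary.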


@ -0,0 +1,13 @@
---
apiVersion: longhorn.io/v1beta1
kind: RecurringJob
metadata:
name: snapshot-hourly
namespace: infrastructure
spec:
cron: "0 * * * *"
task: "snapshot"
groups:
- default
retain: 3
concurrency: 3


@ -0,0 +1,7 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- traefik
- ../../base/prometheus/resources
- prometheus


@ -0,0 +1,35 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: prometheus
spec:
install:
crds: CreateReplace
upgrade:
crds: CreateReplace
remediation:
retries: -1
chart:
spec:
chart: kube-prometheus-stack
version: "70.x.x"
sourceRef:
kind: HelmRepository
name: prometheus-community
namespace: infrastructure
interval: 30m0s
values:
prometheus:
prometheusSpec:
externalLabels:
source: prometheus-k8s-stg
ingress:
enabled: true
ingressClassName: traefik
hosts:
- kube-prometheus.stg.example.com
paths:
- /
pathType: Prefix
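Review bot: This publishes the Prometheus UI on `kube-prometheus.stg.example.com` with no authentication — no Traefik middleware annotation, no entrypoint restriction — and Prometheus has none of its own, so anyone who can reach the host can run arbitrary PromQL and read the scrape configuration and target list (an inventory of internal services). Front it with the same basicAuth pattern used for the dashboards and pin it to TLS, e.g. `annotations: {traefik.ingress.kubernetes.io/router.entrypoints: websecure, traefik.ingress.kubernetes.io/router.middlewares: infrastructure-<basicauth-middleware>@kubernetescrd}`, or keep the UI internal and use port-forward. Separately, this patch jumps the chart from the base's `54.x.x` to `70.x.x`; the base values were written against 54, so re-check them against the 70 schema (`crds: CreateReplace` handles the CRDs, not renamed value keys).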


@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: infrastructure
resources:
- ../../../../base/prometheus/core
patches:
- path: hr-kube-prometheus-stack.yaml


@ -0,0 +1,34 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: inf-prometheus-core
namespace: infrastructure
spec:
interval: 5m
path: ./infrastructure/staging/fundamental-apps/prometheus/core
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
healthChecks:
- apiVersion: apps/v1
kind: Deployment
name: prometheus-operator
namespace: infrastructure
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: inf-prometheus-resources
namespace: infrastructure
spec:
dependsOn:
- name: inf-prometheus-core
interval: 5m
path: ./infrastructure/base/prometheus/resources
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system


@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: infrastructure
resources:
- dependencies.yaml


@ -0,0 +1,255 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: traefik
spec:
chart:
spec:
chart: traefik
reconcileStrategy: ChartVersion
version: "35.x.x"
sourceRef:
kind: HelmRepository
name: traefik
namespace: infrastructure
interval: 10m0s
values:
image:
registry: docker.io
repository: traefik
tag: ""
pullPolicy: IfNotPresent
commonLabels: {}
deployment:
enabled: true
# -- Deployment or DaemonSet
kind: DaemonSet
# -- Number of pods of the deployment (only applies when kind == Deployment)
replicas: 1
terminationGracePeriodSeconds: 60
minReadySeconds: 0
dnsConfig:
options:
- name: ndots
value: '1'
ingressClass:
enabled: true
isDefaultClass: true
name: "traefik"
ingressRoute:
dashboard:
enabled: true
annotations: {}
labels: {}
matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
# By default, it's using traefik entrypoint, which is not exposed.
# /!\ Do not expose your dashboard without any protection over the internet /!\
entryPoints: ["traefik"]
middlewares: []
healthcheck:
enabled: true
annotations: {}
labels: {}
matchRule: PathPrefix(`/ping`)
entryPoints: ["traefik", "web", "websecure"]
middlewares: []
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
maxSurge: null
providers:
kubernetesCRD:
enabled: true
# -- Allows IngressRoute to reference resources in namespace other than theirs
allowCrossNamespace: false
# -- Allows to reference ExternalName services in IngressRoute
allowExternalNameServices: false
# -- Allows to return 503 when there is no endpoints available
allowEmptyServices: false
# -- Array of namespaces to watch. If left empty, Traefik watches all namespaces.
namespaces: []
# - "default"
kubernetesIngress:
enabled: true
# -- Allows to reference ExternalName services in Ingress
allowExternalNameServices: false
# -- Allows to return 503 when there is no endpoints available
allowEmptyServices: false
# -- Array of namespaces to watch. If left empty, Traefik watches all namespaces.
namespaces: []
# - "default"
# IP used for Kubernetes Ingress endpoints
publishedService:
enabled: false
# Published Kubernetes Service to copy status from. Format: namespace/servicename
# By default this Traefik service
# pathOverride: ""
logs:
general:
# -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
level: ERROR
access:
enabled: true
# format: json
# bufferingSize: 100
## Filtering
# -- https://docs.traefik.io/observability/access-logs/#filtering
filters: {}
# statuscodes: "200,300-302"
# retryattempts: true
# minduration: 10ms
fields:
general:
# -- Available modes: keep, drop, redact.
defaultmode: keep
# -- Names of the fields to limit.
names: {}
## Examples:
# ClientUsername: drop
headers:
# -- Available modes: keep, drop, redact.
defaultmode: drop
# -- Names of the headers to limit.
names: {}
## Examples:
# User-Agent: redact
# Authorization: drop
# Content-Type: keep
metrics:
prometheus:
entryPoint: metrics
service:
enabled: true
serviceMonitor:
enabled: true
metricRelabelings: []
relabelings: []
jobLabel: traefik
interval: 30s
honorLabels: true
globalArguments:
- "--global.checknewversion"
additionalArguments:
- "--entryPoints.web.forwardedHeaders.trustedIPs=10.0.0.0/8"
- "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8"
ports:
traefik:
port: 9000
# -- You SHOULD NOT expose the traefik port on production deployments.
# If you want to access it from outside your cluster,
# use `kubectl port-forward` or create a secure ingress
expose:
default: false
internal: false
exposedPort: 9000
protocol: TCP
web:
port: 8000
hostPort: 80
# containerPort: 8000
expose:
default: true
internal: false
exposedPort: 80
protocol: TCP
websecure:
port: 8443
hostPort: 443
expose:
default: true
internal: false
exposedPort: 443
protocol: TCP
http3:
enabled: false
middlewares: []
metrics:
port: 9100
expose:
default: false
internal: false
exposedPort: 9100
protocol: TCP
service:
enabled: true
single: true
type: ClusterIP
annotations: {}
annotationsTCP: {}
annotationsUDP: {}
labels: {}
autoscaling:
enabled: false
# -- If hostNetwork is true, runs traefik in the host network namespace
# To prevent unschedulabel pods due to port collisions, if hostNetwork=true
# and replicas>1, a pod anti-affinity is recommended and will be set if the
# affinity is left as default.
hostNetwork: false
# -- Whether Role Based Access Control objects like roles and rolebindings should be created
rbac:
enabled: true
# If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces.
# If set to true, installs Role and RoleBinding. Providers will only watch target namespace.
namespaced: false
# Enable user-facing roles
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
# aggregateTo: [ "admin" ]
# -- Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding
podSecurityPolicy:
enabled: false
resources:
requests:
cpu: "100m"
memory: "150Mi"
limits:
memory: "150Mi"
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: '{{ template "traefik.name" . }}'
app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}'
topologyKey: kubernetes.io/hostname
priorityClassName: "system-cluster-critical"
securityContext:
capabilities:
drop: [ALL]
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
podSecurityContext:
fsGroupChangePolicy: "OnRootMismatch"
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
tolerations:
- effect: NoSchedule
key: InstanceUsage
operator: Equal
value: datascience
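Review bot: With basicAuth middlewares now in front of the dashboards, `logs.access.fields.general.defaultmode: keep` will record `ClientUsername` on every authenticated request; if access logs are shipped to a shared log store, add `names: {ClientUsername: drop}` (the chart's own example) so dashboard usernames do not leak there — the headers block already drops `Authorization`, which is good. `globalArguments: ["--global.checknewversion"]` makes every node's Traefik call out to the vendor's version endpoint; drop it if egress from the ingress tier is meant to be restricted. Style-wise this file is a near-verbatim copy of the base release differing only in the `expose:` schema; the prometheus overlay in this commit uses a base plus `patches:`, and doing the same here keeps the two from drifting.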


@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: infrastructure
resources:
- hr-traefik.yaml


@ -0,0 +1,29 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: inf-traefik-core
namespace: infrastructure
spec:
interval: 5m
path: ./infrastructure/staging/fundamental-apps/traefik/core
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: inf-traefik-resources
namespace: infrastructure
spec:
dependsOn:
- name: inf-traefik-core
interval: 5m
path: ./infrastructure/staging/fundamental-apps/traefik/resources
prune: true
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- dependencies.yaml


@ -0,0 +1,15 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: prometheus-pushgateway
namespace: infrastructure
spec:
entryPoints:
- websecure
- web
routes:
- match: Host(`promgw.stg.example.com`)
kind: Rule
services:
- name: prometheus-pushgateway
port: 9091
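Review bot: This publishes the Pushgateway on `promgw.stg.example.com` over both `web` and `websecure` with no middleware, and Pushgateway has no authentication, so anyone who can reach the host can push, overwrite or `DELETE` metric groups that Prometheus then ingests — straightforward metric poisoning against anything alerting on pushed jobs. Give it its own basicAuth middleware using the ExternalSecret-plus-Middleware pattern the dashboards use (or an IP allow-list), and drop `web` so credentials are never sent in clear. The `prometheus-pushgateway` Service is not among the files shown, so I can't confirm port 9091; a comment naming the release that provides it would help.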


@ -0,0 +1,18 @@
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: traefik-public-dashboard-stg
spec:
entryPoints:
- websecure
- web
routes:
- match: (Host(`traefik-dashboard.stg.example.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)))
kind: Rule
middlewares:
- name: traefik-dashboard-basic-auth
namespace: infrastructure
services:
- name: api@internal
kind: TraefikService
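Review bot: The route is bound to `web` as well as `websecure`, so the basicAuth credentials guarding `api@internal` can travel in clear on port 80 and a browser that omits https gets a 401 challenge over HTTP; keep `entryPoints: [websecure]` only, or put a `redirectScheme` middleware on a separate `web` route so the cleartext entrypoint never reaches the auth challenge. `api@internal` exposes the complete routing table, middleware chain and TLS options, so the dashboard password should be treated as an admin credential; the 6h ExternalSecret refresh interval in this commit bounds how long a revoked one keeps working.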


@ -0,0 +1,18 @@
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: longhorn-public-dashboard-stg
spec:
entryPoints:
- websecure
- web
routes:
- match: Host(`longhorn.stg.example.com`)
kind: Rule
middlewares:
- name: longhorn-dashboard-basic-auth
namespace: infrastructure
services:
- name: infrastructure-longhorn-frontend-80@kubernetes
kind: TraefikService
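Review bot: `web` is listed as an entrypoint, so the basicAuth password for a UI that can delete volumes and backups may be sent over plain HTTP; restrict this route to `websecure`. The target `infrastructure-longhorn-frontend-80@kubernetes` is a provider-generated name that silently 404s if the chart ever renames the Service or its port; since this IngressRoute lands in `infrastructure` via the kustomization, a plain `services: [{name: longhorn-frontend, port: 80}]` reference is validated by Traefik instead. Basic auth is the only access control Longhorn's UI has, so a comment next to `middlewares:` saying so will stop someone "simplifying" it away.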


@ -0,0 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: infrastructure
resources:
- middleware-traefik-dashboard-basic-auth.yaml
- middleware-longhorn-dashboard-basic-auth.yaml
- secret-traefik-dashboard-basic-auth.yaml
- secret-longhorn-dashboard-basic-auth.yaml
- ingress-route-public-dashboard-stg.yaml
- ingress-route-public-webservice.yaml
- ingress-route-prometheus-pushgateway.yaml


@ -0,0 +1,7 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: longhorn-dashboard-basic-auth
spec:
basicAuth:
secret: longhorn-dashboard-basic-auth


@ -0,0 +1,7 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: traefik-dashboard-basic-auth
spec:
basicAuth:
secret: traefik-dashboard-basic-auth


@ -0,0 +1,15 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: longhorn-dashboard-basic-auth
spec:
secretStoreRef:
name: vault-secret-store
kind: ClusterSecretStore
refreshInterval: "6h"
target:
name: longhorn-dashboard-basic-auth
deletionPolicy: Retain
dataFrom:
- extract:
key: kubernetes-secrets/longhorn/stg/dashboard-secret
