platform/manifests
1
0
Fork 0
Code Issues 7 Pull Requests 6 Actions Packages Projects Releases Wiki Activity

niks3: Add nix binary cache

Browse Source
This commit is contained in:
Moritz Jörg
2026-06-09 13:27:27 +02:00
parent 5df05acd46
commit 2aed9ead11
17 changed files with 227 additions and 326 deletions
Download Patch File Download Diff File Expand all files Collapse all files
helmfile.d/niks3.yaml.gotmpl
+27
View File
@@ -0,0 +1,27 @@
bases:
- ../envs/environments.yaml.gotmpl
commonLabels:
tier: system
releases:
- name: manifests
namespace: niks3
chart: manifests
condition: niks3.enabled
missingFileHandler: Info
values:
- ../values/env.yaml
- ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- ../values/niks3/env.yaml.gotmpl
- ../values/niks3/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/niks3/manifests
- manifests
values/attic/env-oceanbox.yaml.gotmpl
-2
View File
@@ -1,2 +0,0 @@
attic:
enabled: false
values/attic/manifests/attic.yaml
-27
View File
@@ -1,27 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: attic
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: attic
server: "https://kubernetes.default.svc"
sources:
- repoURL: https://git.oceanbox.io/oceanbox/manifests.git
targetRevision: HEAD
path: values/attic/manifests
project: aux
syncPolicy:
managedNamespaceMetadata:
labels:
component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# - ServerSideApply=true
automated:
prune: true
# selfHeal: false
values/attic/manifests/cm.yaml
-167
View File
@@ -1,167 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/name: attic
name: attic-config
namespace: attic
data:
config.toml: |
# src: https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml
# Socket address to listen on
listen = "[::]:8080"
# Allowed `Host` headers
#
# This _must_ be configured for production use. If unconfigured or the
# list is empty, all `Host` headers are allowed.
allowed-hosts = []
# The canonical API endpoint of this server
#
# This is the endpoint exposed to clients in `cache-config` responses.
#
# This _must_ be configured for production use. If not configured, the
# API endpoint is synthesized from the client's `Host` header which may
# be insecure.
#
# The API endpoint _must_ end with a slash (e.g., `https://domain.tld/attic/`
# not `https://domain.tld/attic`).
api-endpoint = "https://attic.srv.oceanbox.io/"
# Whether to soft-delete caches
#
# If this is enabled, caches are soft-deleted instead of actually
# removed from the database. Note that soft-deleted caches cannot
# have their names reused as long as the original database records
# are there.
#soft-delete-caches = false
# Whether to require fully uploading a NAR if it exists in the global cache.
#
# If set to false, simply knowing the NAR hash is enough for
# an uploader to gain access to an existing NAR in the global
# cache.
#require-proof-of-possession = true
# Database connection
[database]
# Connection URL
#
# For production use it's recommended to use PostgreSQL.
url = "postgresql://app:mZP1BnmnpDU33B7UZvomYKOSS1laRJ4bvUR7jNDZ1AJqPdNxH2rLXykghczg7Bgy@attic-db-rw:5432/app"
# Whether to enable sending on periodic heartbeat queries
#
# If enabled, a heartbeat query will be sent every minute
#heartbeat = false
# File storage configuration
[storage]
# Storage type
#
# Can be "local" or "s3".
type = "local"
# ## Local storage
# The directory to store all files under
path = "/attic"
# ## S3 Storage (set type to "s3" and uncomment below)
# The AWS region
#region = "us-east-1"
# The name of the bucket
#bucket = "some-bucket"
# Custom S3 endpoint
#
# Set this if you are using an S3-compatible object storage (e.g., Minio).
#endpoint = "https://xxx.r2.cloudflarestorage.com"
# Credentials
#
# If unset, the credentials are read from the `AWS_ACCESS_KEY_ID` and
# `AWS_SECRET_ACCESS_KEY` environment variables.
#[storage.credentials]
# access_key_id = ""
# secret_access_key = ""
# Data chunking
#
# Warning: If you change any of the values here, it will be
# difficult to reuse existing chunks for newly-uploaded NARs
# since the cutpoints will be different. As a result, the
# deduplication ratio will suffer for a while after the change.
[chunking]
# The minimum NAR size to trigger chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 65536 # chunk files that are 64 KiB or larger
# The preferred minimum size of a chunk, in bytes
min-size = 16384 # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 65536 # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 262144 # 256 KiB
# Compression
[compression]
# Compression type
#
# Can be "none", "brotli", "zstd", or "xz"
type = "zstd"
# Compression level
#level = 8
# Garbage collection
[garbage-collection]
# The frequency to run garbage collection at
#
# By default it's 12 hours. You can use natural language
# to specify the interval, like "1 day".
#
# If zero, automatic garbage collection is disabled, but
# it can still be run manually with `atticd --mode garbage-collector-once`.
interval = "1 week"
# Default retention period
#
# Zero (default) means time-based garbage-collection is
# disabled by default. You can enable it on a per-cache basis.
default-retention-period = "6 months"
[jwt]
# WARNING: Changing _anything_ in this section will break any existing
# tokens. If you need to regenerate them, ensure that you use the the
# correct secret and include the `iss` and `aud` claims.
# JWT `iss` claim
#
# Set this to the JWT issuer that you want to validate.
# If this is set, all received JWTs will validate that the `iss` claim
# matches this value.
#token-bound-issuer = "some-issuer"
# JWT `aud` claim
#
# Set this to the JWT audience(s) that you want to validate.
# If this is set, all received JWTs will validate that the `aud` claim
# contains at least one of these values.
#token-bound-audiences = ["some-audience1", "some-audience2"]
[jwt.signing]
# JWT RS256 secret key
#
# Set this to the base64-encoded private half of an RSA PEM PKCS1 key.
# You can also set it via the `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64`
# environment variable.
token-rs256-secret-base64 = "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS2dJQkFBS0NBZ0VBdlZrMHQyZUtvdjhpV3prVFFtQzJtRklvd0gxc2liNlVpUFhUaGVwcURiWHMyaERFCnFYa1pKUXRjTnY0T2RtcldmZ2tsbjVyblJNQk5yL1B5dE05OFFMVVJnbzFSU2VTeUVjcmxSU1N4MElVRlhkM3YKV0U0aTJJTktsSzgxblJoY0o4czRUM09iYUpvSUQweEpqS2IzMkhxZmpOSU1vcVdBRk1ES2YyMUM5OWxQeTRXSgpVUUVnYTRzbHo5RzZHVi8wZW5qbFNMa2RRNjEvdEwyRE1ISHgvV2VRUEtpWkF4c2Fwczd3ZVJiNVBrS3J0MVlGClRxa1lJSjY3eDFiNDR1N0NmdWdVbHhMM2JCQ1lqVXVXNnoxdGU3T2ZQUUhoM1FPU2lFZTczQ3I4dU1lSkplV0wKN2VKc1hWSG9uVzBMZWl0aDk5WmJTUTF3YlhieDVPZzNTQ3ZWYnkyZE90Y3Rud2Y2aDN5YlJ3SUNoc24xbk4zMwowRkMyOXlFY0ExQ2VFVzRsMVVHNmxoMGw5cEpiWEhRNlFJS1paempaTlgxZTRGRW5TdytGNGhXd3R1Z2JtKzZnCnVPdEE5QVJxYndJOTFLeEtoT204Q0RJQlRwWThSZG1SaElicWUrc3czT3p3dGk0eTVkU3FMREsrT3Y5b05ucngKQW9TN21TaXNQeDVJS3JwaFhMT3JvVmI2L1puSmNOK3ljaExuenptMDY2Zk5RaTBLNHhzaitvWkphaXVjZnBacAphSElHZGpaY1U3aE5FUzdJNVliVEFqUDdkaDRzdXJnMk1xTUtxbUxsa2ZPcGFoRTlMQTZVVFZRZHZLVFVGNWZwCkdYSnhaT1RKWlpiOGNQTFYxZFdXbnBMaEZNV2h2OUZQTCtDVGZQVUFvQmtmOTE3TzFLdkE3bGsvcTJzQ0F3RUEKQVFLQ0FnQU9WZ3k1dmlzdkFDWTN4ZkNCWEJVM0h6RmFzYVJnSVgvWmh0TkhGbUtGT3pyOW43dGtJWGtYNXU1SwpjNTNndFdJY0ZORTJibUlJUUk4aFBWVW8vM1NtNlk2ejFjTkwxdmJzaGZJcDlBZEtoR2ZOblpvYmszN3I2YlRoCjRRb3NKTVlGZFV1RUtIcWh4dGZKWUx0STNQTnkvb1hLQWJWWE16U3BYWmQzWW14cG01aUJEbEZCUXRhVGpldUUKK3BvZWhiZGE5b0JWcXo1ZCsycnA0bGRtZVpvYTE1YUNJVG5FbEc3R0puRHFtaVN3NUJkZ1FERVNyWmJZRVd5aQpRU0dDL1JUWXl2V1VJcWw5RXh5WnhobGRJaitCMkMyOFRzSXRHN0lpZzF2ajVaVlE0RHF3RmRzc1hiSmF0bkxvClNITlFBcXplT09xY2Mxb0p6N0dzNVRBYVZNZEtEQXZCZm1JMFBMcDNqNmVFOFFIYlduMHk2NzVYbnlqWllLUUcKaWx5R0pUNVRzMWZHWHlPSXBrNG4yQjM1V3dHcjIyTkxnYUd5cnZjRkgxN3JoZGVnaGlrZFJRd1FOcXRsZjBIZApMWDVRQWVwcUt3SE9uR1BGVy9XU2xGU0lEdkt1VFZSVGtvQmFSMTA3OFpiS2JXckZBbEdqYTFvbnNXQUh1YW5UClh5dFE4dWoxUEFFeWFMZUJEaUJxRVJ2am1VVFQ1ZktCOTdaVnRJenVBZ0lyWWZ6YjIyVEk2VFJ6OVZiQ2VyWG8KdTc0cnoxMjM2TXMrbmg5Y2xYd3VtQlBOU1d1eE9OdldOWEZ6VWdIOURzdlFRMWRsMFRJWEFQMGhFYkRHRkNBQwowUlg2M0lpcXFzUG1ZZUZNTGR5K2tVWjViNzI1TlhXWFRHbDRnQ1Y3NFVRU01ya0xrUUtDQVFFQStobXIwYjdnClVYcWRKaGtLRXVsa29IVzVuYzZ4QmhobCtuTkFucVFSTm5tQWpiaDlCeDVpLzQ2WUwxcHFYQUY5cTNIRlowSDIKZEJRZXN2Q0pxbmtSTHVwTi95VE1KSlo0ZE5kMHZqRzZ0UGhMUjZuRmRabHU0TFBRMXRKcU5XZkhZeCtwQ3N2SQo4Wkx3VG8rRGFxSjArZDk3WWF0b0dWNUZHOWtUSjhBYWFXb0Q1R1AyOGtOd0djKzI0b2VNYnJtU0ppQ2I2UlJoCjA5WWJaMGpXdkFHaXJyMzFOTW5nR0dtVmRPMThoOXVMUStLNzFUQWt1eFEzZEhpUzh6UVd6YythRnM1THgyUnIKeXppcEJhR3VySmFJQ05XNklFQm5ndFcvZEZaYXpMbjhQcDVrQlJzQ1NyN1JpQkNFSFZmeHBYVFNoS3cwVWp4NQo2a0gwc01YZnFoOFpMUUtDQVFFQXdkQ3BPUXBRa1RhK0t6Z0VrWGdMVnk2QmZJKzRWdC9BYjRtK2pFSm85aUIzCnN4dEtKNU5tNXltNldXcmFWS25zekxNZy85Mi9vSVZreUlNSklrOWNYdEpuaEU5ak1aVzc2ZjhYbW5CUnJIMnAKVHVmNWtYWWdVUHZLQ2g1U1g5Q2w0UHJENHNSb3cwNHJjbHVxSE1MT2g1MncxUmJPalRrb05tNXBHWlFoVkhxeApaUzh3aVk3bzhLNFZJQXZOVlZOdGlIZFNOY2Y0cDMxL0F6SU5aQjJWdlczeWJHTWNIdDByekQ5TkpZLzhTekc3CktEME5mRTgzeng2OWxHTlhUcURGSnBTV2ZNVlFwSGVCM0FTRTV1YVhVM1c5S3EwN2NDOEJWSHRaK3B5a1B0RTYKOHgrZE9NYWh6UElaMjRqbkIzZkVsaWc0Rk5zd01LZm9aeDdKYUJLRjl3S0NBUUVBdWJUTUgwOWpVenovYVdXWQpWRmlYVG9wN3pGRElvNlVFUEFiT1NiMjd4ajVNRlcrUzd2RkNRMDZIZEVubnhlK1pkKzlmeS85djE5dUV2QXZkCnZRWnVtdTZDQWQwNTlFVUNwb2ZCZU9TR0paQmtuWTdUUHpJeDRZbkRuVy9hUzFPRyt2UnNXY2JkcTNzWEVzNS8KbjNPSDltNWFPRGpGY0dqT1doSkNwZlovNWh4QlRacG9xSlVvclJIT1U4Q2dweXNGK1dlblBWZlVHQzdZWkVYeQpwT0YyQWRpdE5ZaGM3T09oaFpRK0xzYjNUdTRSMlFnSmpoeEIzU3NXdXAzSC9RU1UvekFwbHFIYlpLZnE0WEtmCnVDbUNVMFVZRXBDZ0M4ZFpoVElGOUJSNTE2bFd6Vyt6c1BxbHJTbk9YOWVJWi9vcHd6ZjNGY1V3SmFEWjUxVFcKY29UcTlRS0NBUUVBckhtVTdpYkl0Y0Zpa0RGa2wxT2R1L0t0MW54TFRqd0dFdndnYnM3MmV2ay9yRXEvdmVKRgpzN2NGbDJjb2JpbGRpbmhxQ0doOGpFdkkrVXJxeVBhWXUrVS9xNVcrTHpVUnFkV1JXcVZUZVUzR2FtcXpSQWc4CkQvVlJ3WmxrTXRJSm0rRnNpcFBBcXZVWVlzZEI1aUJTREl0Ky90SXg4NmtHcVJHdVE4MzNyeWNVVUhnakdIYnQKd3FrWU1aRnZJOXgvWCs3WFlQYll4Nnc5YUVtVmN4K0V6ck5XQmJCWktQb25iTFowWDlYM2JhOE8zMnNkWWg5WgpDZDlRVkFubmV4aEUrZVZHMmpmNVlMTGRCRCtkU2FHd3p0dTdBSXh5bFkydkFGQlpMVlZTTUhpZm5oWG5Jc3hZCjFub29HcDZGQWJkS1lWbmZObWdzUlZCVzE5V2s1QkYvMXdLQ0FRRUFqVnR1RXdYZzU5NERIaVN4UjlWbGRBaHYKcXF5dlpieVhPT2pnNHNKZjFLUlpxZkkzV28yL05IQWN0MlZlREE1bnlEM001YndHWEwrdVZGaUlMVk1ZMUp0WQp6MmlHWHgwZVdlbFJya2tRZHFncTI1TE9BQ2dxYTFMNW9tQS9tMGcwQWljWVdYa1FYSXpXRkhwb0ZqcU9KZHpTCnZ0MHhLV2lpWHUxVk5YeDJibFR1dXBCa1JUZUlQNTVxdWdyOUh0ZmY1MHc5MHhwTllaMFR3d0lDMG1neVVMMWEKRkdVdHlPUTlqVFBUUUdGM3h6REJCQ2U2MW5uZUV0TThRMEJ1MXh3Rm90aWFYSE9NaGhiMFBndVkzNHhiekNHYgpHcTlsWjVaN2lRVXByUWNNYjhrUzZ1WFk3VHBDTmUzaDBiTTM5dVlKeHNYNXUzcmVNRWsyZlBNT3dnTlFjdz09Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg=="
values/attic/manifests/deployment.yaml
-63
View File
@@ -1,63 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: attic
spec:
selector:
matchLabels:
app: attic
strategy:
type: Recreate
template:
metadata:
labels:
app: attic
spec:
containers:
- name: attic
image: ghcr.io/zhaofengli/attic:latest
args:
- -f
- /config.toml
ports:
- name: http
containerPort: 8080
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
env:
- name: ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64
value: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS2dJQkFBS0NBZ0VBdlZrMHQyZUtvdjhpV3prVFFtQzJtRklvd0gxc2liNlVpUFhUaGVwcURiWHMyaERFCnFYa1pKUXRjTnY0T2RtcldmZ2tsbjVyblJNQk5yL1B5dE05OFFMVVJnbzFSU2VTeUVjcmxSU1N4MElVRlhkM3YKV0U0aTJJTktsSzgxblJoY0o4czRUM09iYUpvSUQweEpqS2IzMkhxZmpOSU1vcVdBRk1ES2YyMUM5OWxQeTRXSgpVUUVnYTRzbHo5RzZHVi8wZW5qbFNMa2RRNjEvdEwyRE1ISHgvV2VRUEtpWkF4c2Fwczd3ZVJiNVBrS3J0MVlGClRxa1lJSjY3eDFiNDR1N0NmdWdVbHhMM2JCQ1lqVXVXNnoxdGU3T2ZQUUhoM1FPU2lFZTczQ3I4dU1lSkplV0wKN2VKc1hWSG9uVzBMZWl0aDk5WmJTUTF3YlhieDVPZzNTQ3ZWYnkyZE90Y3Rud2Y2aDN5YlJ3SUNoc24xbk4zMwowRkMyOXlFY0ExQ2VFVzRsMVVHNmxoMGw5cEpiWEhRNlFJS1paempaTlgxZTRGRW5TdytGNGhXd3R1Z2JtKzZnCnVPdEE5QVJxYndJOTFLeEtoT204Q0RJQlRwWThSZG1SaElicWUrc3czT3p3dGk0eTVkU3FMREsrT3Y5b05ucngKQW9TN21TaXNQeDVJS3JwaFhMT3JvVmI2L1puSmNOK3ljaExuenptMDY2Zk5RaTBLNHhzaitvWkphaXVjZnBacAphSElHZGpaY1U3aE5FUzdJNVliVEFqUDdkaDRzdXJnMk1xTUtxbUxsa2ZPcGFoRTlMQTZVVFZRZHZLVFVGNWZwCkdYSnhaT1RKWlpiOGNQTFYxZFdXbnBMaEZNV2h2OUZQTCtDVGZQVUFvQmtmOTE3TzFLdkE3bGsvcTJzQ0F3RUEKQVFLQ0FnQU9WZ3k1dmlzdkFDWTN4ZkNCWEJVM0h6RmFzYVJnSVgvWmh0TkhGbUtGT3pyOW43dGtJWGtYNXU1SwpjNTNndFdJY0ZORTJibUlJUUk4aFBWVW8vM1NtNlk2ejFjTkwxdmJzaGZJcDlBZEtoR2ZOblpvYmszN3I2YlRoCjRRb3NKTVlGZFV1RUtIcWh4dGZKWUx0STNQTnkvb1hLQWJWWE16U3BYWmQzWW14cG01aUJEbEZCUXRhVGpldUUKK3BvZWhiZGE5b0JWcXo1ZCsycnA0bGRtZVpvYTE1YUNJVG5FbEc3R0puRHFtaVN3NUJkZ1FERVNyWmJZRVd5aQpRU0dDL1JUWXl2V1VJcWw5RXh5WnhobGRJaitCMkMyOFRzSXRHN0lpZzF2ajVaVlE0RHF3RmRzc1hiSmF0bkxvClNITlFBcXplT09xY2Mxb0p6N0dzNVRBYVZNZEtEQXZCZm1JMFBMcDNqNmVFOFFIYlduMHk2NzVYbnlqWllLUUcKaWx5R0pUNVRzMWZHWHlPSXBrNG4yQjM1V3dHcjIyTkxnYUd5cnZjRkgxN3JoZGVnaGlrZFJRd1FOcXRsZjBIZApMWDVRQWVwcUt3SE9uR1BGVy9XU2xGU0lEdkt1VFZSVGtvQmFSMTA3OFpiS2JXckZBbEdqYTFvbnNXQUh1YW5UClh5dFE4dWoxUEFFeWFMZUJEaUJxRVJ2am1VVFQ1ZktCOTdaVnRJenVBZ0lyWWZ6YjIyVEk2VFJ6OVZiQ2VyWG8KdTc0cnoxMjM2TXMrbmg5Y2xYd3VtQlBOU1d1eE9OdldOWEZ6VWdIOURzdlFRMWRsMFRJWEFQMGhFYkRHRkNBQwowUlg2M0lpcXFzUG1ZZUZNTGR5K2tVWjViNzI1TlhXWFRHbDRnQ1Y3NFVRU01ya0xrUUtDQVFFQStobXIwYjdnClVYcWRKaGtLRXVsa29IVzVuYzZ4QmhobCtuTkFucVFSTm5tQWpiaDlCeDVpLzQ2WUwxcHFYQUY5cTNIRlowSDIKZEJRZXN2Q0pxbmtSTHVwTi95VE1KSlo0ZE5kMHZqRzZ0UGhMUjZuRmRabHU0TFBRMXRKcU5XZkhZeCtwQ3N2SQo4Wkx3VG8rRGFxSjArZDk3WWF0b0dWNUZHOWtUSjhBYWFXb0Q1R1AyOGtOd0djKzI0b2VNYnJtU0ppQ2I2UlJoCjA5WWJaMGpXdkFHaXJyMzFOTW5nR0dtVmRPMThoOXVMUStLNzFUQWt1eFEzZEhpUzh6UVd6YythRnM1THgyUnIKeXppcEJhR3VySmFJQ05XNklFQm5ndFcvZEZaYXpMbjhQcDVrQlJzQ1NyN1JpQkNFSFZmeHBYVFNoS3cwVWp4NQo2a0gwc01YZnFoOFpMUUtDQVFFQXdkQ3BPUXBRa1RhK0t6Z0VrWGdMVnk2QmZJKzRWdC9BYjRtK2pFSm85aUIzCnN4dEtKNU5tNXltNldXcmFWS25zekxNZy85Mi9vSVZreUlNSklrOWNYdEpuaEU5ak1aVzc2ZjhYbW5CUnJIMnAKVHVmNWtYWWdVUHZLQ2g1U1g5Q2w0UHJENHNSb3cwNHJjbHVxSE1MT2g1MncxUmJPalRrb05tNXBHWlFoVkhxeApaUzh3aVk3bzhLNFZJQXZOVlZOdGlIZFNOY2Y0cDMxL0F6SU5aQjJWdlczeWJHTWNIdDByekQ5TkpZLzhTekc3CktEME5mRTgzeng2OWxHTlhUcURGSnBTV2ZNVlFwSGVCM0FTRTV1YVhVM1c5S3EwN2NDOEJWSHRaK3B5a1B0RTYKOHgrZE9NYWh6UElaMjRqbkIzZkVsaWc0Rk5zd01LZm9aeDdKYUJLRjl3S0NBUUVBdWJUTUgwOWpVenovYVdXWQpWRmlYVG9wN3pGRElvNlVFUEFiT1NiMjd4ajVNRlcrUzd2RkNRMDZIZEVubnhlK1pkKzlmeS85djE5dUV2QXZkCnZRWnVtdTZDQWQwNTlFVUNwb2ZCZU9TR0paQmtuWTdUUHpJeDRZbkRuVy9hUzFPRyt2UnNXY2JkcTNzWEVzNS8KbjNPSDltNWFPRGpGY0dqT1doSkNwZlovNWh4QlRacG9xSlVvclJIT1U4Q2dweXNGK1dlblBWZlVHQzdZWkVYeQpwT0YyQWRpdE5ZaGM3T09oaFpRK0xzYjNUdTRSMlFnSmpoeEIzU3NXdXAzSC9RU1UvekFwbHFIYlpLZnE0WEtmCnVDbUNVMFVZRXBDZ0M4ZFpoVElGOUJSNTE2bFd6Vyt6c1BxbHJTbk9YOWVJWi9vcHd6ZjNGY1V3SmFEWjUxVFcKY29UcTlRS0NBUUVBckhtVTdpYkl0Y0Zpa0RGa2wxT2R1L0t0MW54TFRqd0dFdndnYnM3MmV2ay9yRXEvdmVKRgpzN2NGbDJjb2JpbGRpbmhxQ0doOGpFdkkrVXJxeVBhWXUrVS9xNVcrTHpVUnFkV1JXcVZUZVUzR2FtcXpSQWc4CkQvVlJ3WmxrTXRJSm0rRnNpcFBBcXZVWVlzZEI1aUJTREl0Ky90SXg4NmtHcVJHdVE4MzNyeWNVVUhnakdIYnQKd3FrWU1aRnZJOXgvWCs3WFlQYll4Nnc5YUVtVmN4K0V6ck5XQmJCWktQb25iTFowWDlYM2JhOE8zMnNkWWg5WgpDZDlRVkFubmV4aEUrZVZHMmpmNVlMTGRCRCtkU2FHd3p0dTdBSXh5bFkydkFGQlpMVlZTTUhpZm5oWG5Jc3hZCjFub29HcDZGQWJkS1lWbmZObWdzUlZCVzE5V2s1QkYvMXdLQ0FRRUFqVnR1RXdYZzU5NERIaVN4UjlWbGRBaHYKcXF5dlpieVhPT2pnNHNKZjFLUlpxZkkzV28yL05IQWN0MlZlREE1bnlEM001YndHWEwrdVZGaUlMVk1ZMUp0WQp6MmlHWHgwZVdlbFJya2tRZHFncTI1TE9BQ2dxYTFMNW9tQS9tMGcwQWljWVdYa1FYSXpXRkhwb0ZqcU9KZHpTCnZ0MHhLV2lpWHUxVk5YeDJibFR1dXBCa1JUZUlQNTVxdWdyOUh0ZmY1MHc5MHhwTllaMFR3d0lDMG1neVVMMWEKRkdVdHlPUTlqVFBUUUdGM3h6REJCQ2U2MW5uZUV0TThRMEJ1MXh3Rm90aWFYSE9NaGhiMFBndVkzNHhiekNHYgpHcTlsWjVaN2lRVXByUWNNYjhrUzZ1WFk3VHBDTmUzaDBiTTM5dVlKeHNYNXUzcmVNRWsyZlBNT3dnTlFjdz09Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg=="
# valueFrom:
# secretKeyRef:
# name: server
# key: token
- name: ATTIC_SERVER_DATABASE_URL
value: "postgresql://app:mZP1BnmnpDU33B7UZvomYKOSS1laRJ4bvUR7jNDZ1AJqPdNxH2rLXykghczg7Bgy@attic-db-rw:5432/app"
# valueFrom:
# secretKeyRef:
# name: database
# key: url
volumeMounts:
- name: data
mountPath: /attic
- name: attic-config
mountPath: /config.toml
subPath: config.toml
volumes:
- name: server
secret:
secretName: server
- name: attic-config
configMap:
defaultMode: 420
name: attic-config
- name: data
persistentVolumeClaim:
claimName: attic
values/attic/manifests/ingress.yaml
-28
View File
@@ -1,28 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
haproxy.org/backend-protocol: h1
haproxy.org/timeout-server: 600s
labels:
app.kubernetes.io/component: attic
name: attic
namespace: attic
spec:
ingressClassName: haproxy
rules:
- host: attic.srv.oceanbox.io
http:
paths:
- backend:
service:
name: attic
port:
name: http
path: /
pathType: Prefix
tls:
- hosts:
- attic.srv.oceanbox.io
secretName: attic.srv.oceanbox.io-tls
values/attic/manifests/policies/allow-cache-nixos.yaml
-13
View File
@@ -1,13 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-cache-nixos
namespace: ncps
spec:
egress:
- toFQDNs:
- matchPattern: 'cache.nixos.org'
- matchPattern: 'nix-community.cachix.org'
endpointSelector:
matchLabels:
app: nix-cache
values/attic/manifests/pvc.yaml
-12
View File
@@ -1,12 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: attic
labels:
app: attic
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
values/attic/manifests/secret.yaml
-6
View File
@@ -1,6 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: server
stringData:
token: "ref+sops://secrets.yml#attic/jwtToken"
values/niks3/env-ekman.yaml.gotmpl
+2
View File
@@ -0,0 +1,2 @@
niks3:
enabled: true
values/attic/env.yaml.gotmpl → values/niks3/env.yaml.gotmpl
+1 -1
View File
@@ -1,3 +1,3 @@
attic:
niks3:
enabled: false
autosync: false
values/attic/manifests/cluster.yaml → values/niks3/manifests/cluster.yaml
+3 -3
View File
@@ -1,10 +1,10 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: attic-db
namespace: attic
name: niks3-db
namespace: niks3
labels:
app: attic-db
app: niks3-db
spec:
instances: 1
primaryUpdateStrategy: unsupervised
values/niks3/manifests/deployment.yaml
+73
View File
@@ -0,0 +1,73 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: niks3
spec:
selector:
matchLabels:
app: niks3
strategy:
type: Recreate
template:
metadata:
labels:
app: niks3
spec:
containers:
- name: niks3
image: ghcr.io/mic92/niks3:v1.6.1
ports:
- name: http
containerPort: 5751
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
env:
- name: NIKS3_DB
valueFrom:
secretKeyRef:
name: niks3-db-app
key: uri
- name: NIKS3_API_TOKEN
valueFrom:
secretKeyRef:
name: server
key: api-token
- name: NIKS3_S3_ENDPOINT
value: "10.255.241.30:30080"
- name: NIKS3_S3_BUCKET
value: "niks3"
- name: NIKS3_S3_REGION
value: "default"
- name: NIKS3_S3_USE_SSL
value: "false"
- name: NIKS3_S3_ACCESS_KEY
valueFrom:
secretKeyRef:
name: server
key: s3-access-key
- name: NIKS3_S3_SECRET_KEY
valueFrom:
secretKeyRef:
name: server
key: s3-secret-key
- name: NIKS3_ENABLE_READ_PROXY
value: "true"
- name: NIKS3_CACHE_URL
value: "https://cache.ekman.oceanbox.io"
- name: NIKS3_SIGN_KEY_PATHS
value: "/secrets/sign-key"
volumeMounts:
- name: server
mountPath: /secrets
readOnly: true
volumes:
- name: server
secret:
secretName: server
values/niks3/manifests/ingress.yaml
+28
View File
@@ -0,0 +1,28 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
oceanbox.io/expose: internal
labels:
app.kubernetes.io/component: niks3
name: niks3
namespace: niks3
spec:
ingressClassName: nginx
rules:
- host: cache.ekman.oceanbox.io
http:
paths:
- backend:
service:
name: niks3
port:
name: http
path: /
pathType: Prefix
tls:
- hosts:
- cache.ekman.oceanbox.io
secretName: cache.ekman.oceanbox.io-tls
values/niks3/manifests/niks3.yaml
+42
View File
@@ -0,0 +1,42 @@
{{- if .Values.clusterConfig.argo.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: niks3
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: niks3
server: https://kubernetes.default.svc
project: aux
sources:
- repoURL: {{ .Values.clusterConfig.manifests }}
targetRevision: HEAD
path: helmfile.d
plugin:
name: helmfile-cmp
env:
- name: CLUSTER_NAME
value: {{ .Values.clusterConfig.cluster }}
- name: HELMFILE_ENVIRONMENT
value: default
- name: HELMFILE_FILE_PATH
value: niks3.yaml.gotmpl
syncPolicy:
managedNamespaceMetadata:
labels:
component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# - ServerSideApply=true
{{- if .Values.niks3.autosync }}
automated:
prune: true
# selfHeal: false
{{- end }}
{{- end }}
values/niks3/manifests/policies/allow-egress.yaml
+47
View File
@@ -0,0 +1,47 @@
{{- if .Values.clusterConfig.cilium.enabled }}
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-egress
namespace: niks3
spec:
# ekman has no cluster-wide allow-namespace-traffic baseline (unlike hel1/oceanbox),
# so once niks3 is selected by an egress rule it is default-deny for egress and every
# destination must be listed explicitly: RGW (S3), in-namespace PostgreSQL, and DNS.
description: niks3 egress to Ceph RGW (S3), in-namespace PostgreSQL, and kube-dns
endpointSelector:
matchLabels:
app: niks3
egress:
# Ceph RadosGW (S3 object storage backend) via NodePort
- toCIDR:
- 10.255.241.30/32
- 10.255.241.31/32
- 10.255.241.32/32
toPorts:
- ports:
- port: "30080"
protocol: TCP
# PostgreSQL (CNPG niks3-db cluster, same namespace)
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: niks3
toPorts:
- ports:
- port: "5432"
protocol: TCP
# DNS resolution
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: kube-system
k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: UDP
- port: "53"
protocol: TCP
rules:
dns:
- matchPattern: "*"
{{- end }}
values/attic/manifests/svc.yaml → values/niks3/manifests/svc.yaml
+4 -4
View File
@@ -1,14 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: attic
name: niks3
labels:
app: attic
app: niks3
spec:
type: ClusterIP
selector:
app: attic
app: niks3
ports:
- name: http
port: 8080
port: 5751
targetPort: http