wip: unify sys and apps

2025-05-06 16:00:57 +02:00
parent 4590ddc30a
commit 7de100a4d4
204 changed files with 3 additions and 0 deletions
@@ -0,0 +1,47 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: cluster-admin
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-admin
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
namespace: kube-system
name: cluster-admin
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: 'system:masters'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system-default
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
namespace: kube-system
name: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubernetes
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kubernetes
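Review bot: The `system-default` ClusterRoleBinding grants cluster-admin to the `default` ServiceAccount in kube-system, so every pod in that namespace that does not set `serviceAccountName` inherits full cluster access; components that need API access should get their own ServiceAccount with a scoped role, as the label-and-taint Job later in this commit does. The `system:masters` subject in the `cluster-admin` binding is redundant, since the API server treats that group as superuser before RBAC is consulted, so the binding neither adds nor removes anything. If the `system-default` binding is a deliberate bootstrap shortcut, a comment naming the component that depends on it would stop the next reviewer from removing it, e.g. `# TODO(review): document which kube-system pod relies on the default SA being cluster-admin`.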
@@ -0,0 +1,372 @@
{{- if .Values.rabbitmq_operator.enabled }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: rabbitmq-overview-dashboard
namespace: prometheus
labels:
grafana_dashboard: "1"
data:
# https://grafana.com/grafana/dashboards/10991
rabbitmq-overview-dashboard.json.url: "https://github.com/rabbitmq/rabbitmq-server/raw/e57c579d1a71b283469defdd0d6d45313e6d6daf/deps/rabbitmq_prometheus/docker/grafana/dashboards/RabbitMQ-Overview.json"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: rabbitmq-queue-grafana-dashboard
namespace: prometheus
labels:
grafana_dashboard: "1"
data:
rabbitmq-queue-grafana-dashboard.json: |-
{
"__inputs":[
{
"name":"DS_PROMETHEUS",
"label":"prometheus",
"description":"",
"type":"datasource",
"pluginId":"prometheus",
"pluginName":"Prometheus"
}
],
"__elements":{
},
"__requires":[
{
"type":"grafana",
"id":"grafana",
"name":"Grafana",
"version":"8.3.4"
},
{
"type":"datasource",
"id":"prometheus",
"name":"Prometheus",
"version":"1.0.0"
},
{
"type":"panel",
"id":"timeseries",
"name":"Time series",
"version":""
}
],
"annotations":{
"list":[
{
"builtIn":1,
"datasource":{
"type":"datasource",
"uid":"grafana"
},
"enable":true,
"hide":true,
"iconColor":"rgba(0, 211, 255, 1)",
"name":"Annotations & Alerts",
"target":{
"limit":100,
"matchAny":false,
"tags":[
],
"type":"dashboard"
},
"type":"dashboard"
}
]
},
"editable":true,
"fiscalYearStartMonth":0,
"graphTooltip":0,
"id":null,
"links":[
],
"liveNow":false,
"panels":[
{
"datasource":{
"type":"prometheus",
"uid":"${DS_PROMETHEUS}"
},
"fieldConfig":{
"defaults":{
"color":{
"mode":"palette-classic"
},
"custom":{
"axisCenteredZero":false,
"axisColorMode":"text",
"axisLabel":"Messages",
"axisPlacement":"left",
"axisSoftMin":0,
"barAlignment":0,
"drawStyle":"line",
"fillOpacity":0,
"gradientMode":"none",
"hideFrom":{
"graph":false,
"legend":false,
"tooltip":false,
"viz":false
},
"lineInterpolation":"linear",
"lineWidth":1,
"pointSize":5,
"scaleDistribution":{
"type":"linear"
},
"showPoints":"auto",
"spanNulls":false,
"stacking":{
"group":"A",
"mode":"none"
},
"thresholdsStyle":{
"mode":"off"
}
},
"mappings":[
],
"thresholds":{
"mode":"absolute",
"steps":[
{
"color":"green",
"value":null
},
{
"color":"red",
"value":80
}
]
}
},
"overrides":[
{
"matcher":{
"id":"byName",
"options":"Consumers"
},
"properties":[
{
"id":"custom.axisPlacement",
"value":"right"
},
{
"id":"unit",
"value":"prefix:"
},
{
"id":"custom.axisLabel",
"value":"Consumers"
}
]
},
{
"matcher":{
"id":"byName",
"options":"Messages"
},
"properties":[
{
"id":"custom.drawStyle",
"value":"line"
},
{
"id":"custom.fillOpacity",
"value":0
}
]
}
]
},
"gridPos":{
"h":20,
"w":24,
"x":0,
"y":0
},
"id":2,
"options":{
"legend":{
"calcs":[
],
"displayMode":"list",
"placement":"bottom",
"showLegend":true
},
"tooltip":{
"mode":"single",
"sort":"none"
}
},
"targets":[
{
"datasource":{
"type":"prometheus",
"uid":"${DS_PROMETHEUS}"
},
"editorMode":"code",
"expr":"(rabbitmq_detailed_queue_messages{namespace=\"$namespace\", queue=\"$queue\"} * on (instance, job) rabbitmq_identity_info{namespace=\"$namespace\",rabbitmq_cluster=\"$rabbitmq_cluster\"})",
"legendFormat":"Messages ({{`{{job}}`}} | {{`{{instance}}`}})",
"range":true,
"refId":"A"
},
{
"datasource":{
"type":"prometheus",
"uid":"${DS_PROMETHEUS}"
},
"editorMode":"code",
"expr":"rabbitmq_detailed_queue_consumers{namespace=\"$namespace\", queue=\"$queue\"} * on (instance, job) rabbitmq_identity_info{namespace=\"$namespace\",rabbitmq_cluster=\"$rabbitmq_cluster\"}",
"legendFormat":"Consumers ({{`{{job}}`}} | {{`{{instance}}`}})",
"range":true,
"refId":"B"
}
],
"title":"Queue messages and consumers",
"type":"timeseries"
}
],
"refresh":"10s",
"revision":1,
"schemaVersion":38,
"style":"dark",
"tags":[
"rabbitmq-prometheus"
],
"templating":{
"list":[
{
"current":{
"selected":false,
"text":"default",
"value":"default"
},
"hide":2,
"includeAll":false,
"label":"datasource",
"multi":false,
"name":"DS_PROMETHEUS",
"options":[
],
"query":"prometheus",
"refresh":1,
"regex":"",
"skipUrlSync":false,
"type":"datasource",
"datasource":"${DS_PROMETHEUS}"
},
{
"current":{
},
"datasource":{
"type":"prometheus",
"uid":"${DS_PROMETHEUS}"
},
"definition":"label_values(rabbitmq_identity_info, namespace)",
"hide":0,
"includeAll":false,
"label":"Namespace",
"multi":false,
"name":"namespace",
"options":[
],
"query":{
"query":"label_values(rabbitmq_identity_info, namespace)",
"refId":"StandardVariableQuery"
},
"refresh":2,
"regex":"",
"skipUrlSync":false,
"sort":1,
"tagValuesQuery":"",
"tagsQuery":"",
"type":"query",
"useTags":false
},
{
"current":{
},
"datasource":{
"type":"prometheus",
"uid":"${DS_PROMETHEUS}"
},
"definition":"label_values(rabbitmq_identity_info{namespace=\"$namespace\"}, rabbitmq_cluster)",
"hide":0,
"includeAll":false,
"label":"RabbitMQ Cluster",
"multi":false,
"name":"rabbitmq_cluster",
"options":[
],
"query":{
"query":"label_values(rabbitmq_identity_info{namespace=\"$namespace\"}, rabbitmq_cluster)",
"refId":"StandardVariableQuery"
},
"refresh":2,
"regex":"",
"skipUrlSync":false,
"sort":1,
"tagValuesQuery":"",
"tagsQuery":"",
"type":"query",
"useTags":false
},
{
"current":{
},
"datasource":{
"type":"prometheus",
"uid":"${DS_PROMETHEUS}"
},
"definition":"query_result(rabbitmq_detailed_queue_messages{namespace=\"$namespace\"} * on (instance, job) group_left(rabbitmq_cluster) rabbitmq_identity_info{namespace=\"$namespace\"})",
"hide":0,
"includeAll":false,
"label":"Queue",
"multi":false,
"name":"queue",
"options":[
],
"query":{
"query":"query_result(rabbitmq_detailed_queue_messages{namespace=\"$namespace\"} * on (instance, job) group_left(rabbitmq_cluster) rabbitmq_identity_info{namespace=\"$namespace\", rabbitmq_cluster=\"$rabbitmq_cluster\"})",
"refId":"StandardVariableQuery"
},
"refresh":2,
"regex":"/.*queue=\"([^\"]+)\".*/",
"skipUrlSync":false,
"sort":0,
"tagValuesQuery":"",
"tagsQuery":"",
"type":"query",
"useTags":false
}
]
},
"time":{
"from":"now-15m",
"to":"now"
},
"timepicker":{
},
"timezone":"",
"title":"RabbitMQ-Queue",
"uid":"j9t8vwH7k",
"version":3,
"weekStart":""
}
{{- end }}
@@ -0,0 +1,209 @@
{{- if .Values.cluster_config.external_kubectl_access.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-access
rules:
- apiGroups:
- ""
resources:
- pods
- serviceaccounts
- namespaces
- events
- persistentvolumeclaims
- persistentvolumes
- bindings
- componentstatuses
- podtemplates
- replicationcontrollers
- resourcequotas
- services
- nodes
- limitranges
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- create
- delete
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- controllerrevisions
- statefulsets
- replicasets
- daemonsets
- deployments
verbs:
- get
- list
- watch
- apiGroups:
- events.k8s.io
resources:
- events
verbs:
- get
- list
- watch
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- get
- list
- watch
- apiGroups:
- batch
resources:
- jobs
- cronjobs
verbs:
- get
- list
- watch
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
- networkpolicies
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- clusterroles
- clusterrolebindings
- rolebindings
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- csinodes
- storageclasses
- csistoragecapacities
- volumeattachments
- csidrivers
verbs:
- get
- list
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- scheduling.k8s.io
resources:
- priorityclasses
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- apiGroups:
- node.k8s.io
resources:
- runtimeclasses
verbs:
- get
- list
- watch
- apiGroups:
- flowcontrol.apiserver.k8s.io
resources:
- flowschemas
- prioritylevelconfigurations
verbs:
- get
- list
- watch
- apiGroups:
- talos.dev
resources:
- serviceaccounts
verbs:
- get
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumexternalworkloads
- ciliumnetworkpolicies
- ciliumidentities
- ciliumnodes
- ciliumendpoints
- ciliumclusterwidenetworkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- metrics.k8s.io
resources:
- pods
- nodes
verbs:
- get
- list
- watch
{{- end }}
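Review bot: The second rule (`namespaces` with `create` and `delete`) makes an otherwise read-only `external-access` role destructive: deleting a namespace removes every object in it, and this ClusterRole is bound cluster-wide to the external admin group in the next hunk. If external users must manage namespaces, keep this role read-only and grant `create`/`delete` on namespaces through a separate, explicitly named ClusterRole so the read-only grant can be reused safely. The remaining rules avoid `secrets`, `pods/exec` and `serviceaccounts/token`, which is the right shape for an inspection role; a header comment stating that intent, e.g. `# Read-only cluster inspection for external kubectl users; no secrets, exec or token creation`, would help keep it that way.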
@@ -0,0 +1,14 @@
{{- if .Values.cluster_config.external_kubectl_access.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: external-access
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: external-access
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: {{ .Values.cluster_config.external_kubectl_access.admin_group }}
{{- end }}
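Review bot: The subject name on the last line is a bare template expansion, `name: {{ .Values.cluster_config.external_kubectl_access.admin_group }}`; a group name containing `: ` or ` #`, or one that looks like a number or boolean, is mis-parsed, and an unset value renders as `name:` (null), which yields an invalid binding rather than a clear error. Quote it: `name: {{ .Values.cluster_config.external_kubectl_access.admin_group | quote }}`. The same applies to the `cidr` entries in the CiliumLoadBalancerIPPool hunk and the `email` fields of the ClusterIssuers in this commit.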
@@ -0,0 +1,42 @@
# Create the clusterrole and clusterrolebinding:
# $ kubectl create -f kube-flannel-rbac.yml
# Create the pod using the same namespace used by the flannel serviceaccount:
# $ kubectl create --namespace kube-system -f kube-flannel-legacy.yml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: flannel-client
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes/status
verbs:
- patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: flannel-client
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: flannel-client
subjects:
- kind: User
name: flannel-client
apiGroup: rbac.authorization.k8s.io
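Review bot: The header comment describes a two-file legacy workflow (`kube-flannel-rbac.yml`, `kube-flannel-legacy.yml`, creating a pod in kube-system) that this file does not contain; it only defines the `flannel-client` ClusterRole and its binding to the `flannel-client` User, so the comment is stale. Replace the four comment lines with a description of what is here, e.g. `# RBAC for the flannel-client User: get pods, list/watch nodes, patch nodes/status.` That comment is also the place to say whether cluster-wide `get` on pods is intentional, since the visible rules give no hint of why the client needs it.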
@@ -0,0 +1,51 @@
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kube-proxy
subjects:
- kind: User
name: kube-proxy
apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
name: kube-proxy
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kube-proxy
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kube-proxy
rules:
- apiGroups:
- ""
resources:
- endpoints
- events
- services
- nodes
verbs: ["get", "watch", "list"]
- nonResourceURLs: ["*"]
verbs: ["get", "watch", "list"]
- apiGroups:
- ""
- "events.k8s.io"
resources:
- events
verbs: ["*"]
- nonResourceURLs: ["*"]
verbs: ["*"]
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
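Review bot: The first comment line, `# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.`, is lifted from the Kubernetes RBAC docs and describes neither the subjects nor the permission in this file; it should read something like `# Binds the kube-proxy User and ServiceAccount to the kube-proxy ClusterRole below.` The ClusterRole is also broader than kube-proxy needs: the rules `nonResourceURLs: ["*"]` with `verbs: ["*"]` and `events` with `verbs: ["*"]` grant every verb on every non-resource URL and on events, whereas upstream's node-proxier role is limited to get/list/watch on endpoints, services and nodes, create/patch/update on events, and list/watch on endpointslices; trim those two rules to the verbs kube-proxy actually uses. The hunk mixes block and flow lists for `verbs`, and the duplicated `nonResourceURLs` rule suggests a copy-paste; one style and one rule per URL set would make the grant easier to audit.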
@@ -0,0 +1,17 @@
{{- if .Values.kyverno.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:generate-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: kyverno
namespace: kyverno
- kind: ServiceAccount
name: kyverno-background-controller
namespace: kyverno
{{- end }}
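Review bot: Binding `cluster-admin` to the `kyverno` and `kyverno-background-controller` ServiceAccounts means every Kyverno generate or mutate policy executes with unrestricted cluster access, so whoever can author a ClusterPolicy effectively holds cluster-admin through the controller. The next hunk already shows the scoped alternative (a ClusterRole limited to `ciliumnetworkpolicies`), and Kyverno's aggregation labels such as `rbac.kyverno.io/aggregate-to-background-controller: "true"` attach such roles to the controller without a direct cluster-admin grant. If this binding is a WIP shortcut, a comment saying so and what it is waiting on, e.g. `# TODO(review): replace with aggregated, resource-scoped ClusterRoles`, would keep it from becoming permanent.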
@@ -0,0 +1,29 @@
{{- if and (.Values.kyverno.enabled) (.Values.cilium.enabled) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:generate-cilium-networkpolicies
rules:
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:generate-cilium-network-policies
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:generate-cilium-networkpolicies
subjects:
- kind: ServiceAccount
name: kyverno
namespace: kyverno
- kind: ServiceAccount
name: kyverno-background-controller
namespace: kyverno
{{- end }}
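Review bot: The ClusterRoleBinding is named `kyverno:generate-cilium-network-policies` while the ClusterRole it references is `kyverno:generate-cilium-networkpolicies`; the roleRef matches the role so it works, but two spellings of the same thing will trip up `kubectl get` and grep. Use one name for both, e.g. `name: kyverno:generate-cilium-networkpolicies` on the binding. This scoped role is subsumed by the cluster-admin binding given to the same ServiceAccounts in the preceding hunk, which deserves a comment if both are meant to coexist.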
@@ -0,0 +1,96 @@
{{ if .Values.cluster_config.nodes }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: label-and-taint-nodes
namespace: kube-system
spec:
backoffLimit: 1
template:
metadata:
annotations:
linkerd.io/inject: disable
spec:
restartPolicy: Never
serviceAccountName: label-and-taint-nodes
securityContext:
runAsUser: 12000
runAsGroup: 13000
fsGroup: 10000
affinity:
tolerations:
- key: unschedulable
value: "true"
effect: NoSchedule
containers:
- image: bitnami/kubectl:1.24
name: kubectl
resources: {}
securityContext:
allowPrivilegeEscalation: false
command:
- "/bin/sh"
- -c
- /tmp/scripts/script.sh
volumeMounts:
- name: scripts
mountPath: /tmp/scripts
volumes:
- name: scripts
configMap:
name: label-and-taint-scripts
defaultMode: 0755
---
apiVersion: v1
data:
script.sh: |
#! /bin/bash
{{- range $node := .Values.cluster_config.nodes }}
{{- range .labels }}
kubectl label nodes --overwrite=true {{ $node.name }} {{ . | quote }}
{{- end }}
{{- range .taints }}
kubectl taint nodes --overwrite=true {{ $node.name }} {{ . | quote }}
{{- end }}
{{- end }}
kind: ConfigMap
metadata:
name: label-and-taint-scripts
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: label-and-taint-nodes
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: label-and-taint-nodes
rules:
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- update
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: label-and-taint-nodes
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: label-and-taint-nodes
subjects:
- kind: ServiceAccount
name: label-and-taint-nodes
namespace: kube-system
{{ end }}
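Review bot: The pod annotation `linkerd.io/inject: disable` does not match the value `disabled` used on every other Job in this commit, and Linkerd documents only `enabled`, `disabled` and `ingress`, so this spelling most likely has no effect; change it to `linkerd.io/inject: disabled`. The generated script has no `set -e`, so a failed `kubectl label` or `kubectl taint` on one node is ignored and the Job still reports success; add `set -euo pipefail` after the shebang. The `affinity:` key carries no value (it parses as null) and `bitnami/kubectl:1.24` is a floating tag, so pinning by digest would make the Job reproducible. The container's `securityContext` drops privilege escalation but not capabilities; `capabilities: {drop: [ALL]}` and `readOnlyRootFilesystem: true` are cheap hardening for a kubectl-only container.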
@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: az-kubernetes-operators-cluster-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: dd2aa2d6-269d-48fe-90cc-04fd5c08bd29
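Review bot: The subject of this cluster-admin binding is the bare group id `dd2aa2d6-269d-48fe-90cc-04fd5c08bd29`, with nothing saying which directory group it is (presumably an Entra ID group, given the `az-` prefix), who owns it or why it needs cluster-admin, so the grant cannot be reviewed or audited from the manifest alone. Add a comment above the subject, e.g. `# <PLACEHOLDER: group display name / owning team> — directory group object id, granted cluster-admin for <PLACEHOLDER: reason>`, and consider moving the id into values so it is not hard-coded in the template. Quoting the id is also safer against YAML retyping, even though this particular string parses as a plain scalar.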
@@ -0,0 +1,225 @@
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
name: letsencrypt-production
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: {{ .Values.cluster_config.acme_email }}
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-production
solvers:
- http01:
ingress:
class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
name: letsencrypt-staging
spec:
acme:
# The ACME server URL
server: https://acme-staging-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: {{ .Values.cluster_config.acme_email }}
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
name: ca-issuer
spec:
ca:
secretName: cluster-ca
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
name: selfsigning-issuer
spec:
selfSigned: {}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: front-proxy-client
subjects:
- kind: User
name: front-proxy-client
apiGroup: rbac.authorization.k8s.io
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: front-proxy-client
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: front-proxy-client
rules:
- apiGroups:
- "webhook.cert-manager.io"
resources:
- mutations
- validations
verbs: [ "*" ]
- apiGroups:
- metrics.k8s.io
resources:
- pods
- nodes
verbs:
- get
- list
- watch
---
{{ if .Values.cluster_config.initca }}
# Pod to update certificates from master nodes
# only runs on control plane nodes (etcd)
# Mounts cert files rotatet by nixos service.mgr and uses it to update cert-manager secret
# Always create certs on initial creation,
# Otherwise, cert creation would not happen until cronJob runs
apiVersion: batch/v1
kind: Job
metadata:
name: cert-create
namespace: cert-manager
spec:
backoffLimit: 1
template:
metadata:
labels:
block-egress: "true"
annotations:
linkerd.io/inject: disabled
spec:
restartPolicy: Never
serviceAccountName: cert-secret-updater
securityContext:
runAsUser: 12000
runAsGroup: 13000
fsGroup: 10000
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io
operator: In
values:
- control-plane
tolerations:
- key: unschedulable
value: "true"
effect: NoSchedule
containers:
- image: bitnami/kubectl:1.24
name: kubectl
resources: {}
securityContext:
allowPrivilegeEscalation: false
command:
- "/bin/sh"
- -c
- /tmp/renew-certs/renew-certs.sh
volumeMounts:
- name: ca-pem
mountPath: /tmp/ca.pem
- name: ca-key-pem
mountPath: /tmp/ca-key.pem
- name: certs-script
mountPath: /tmp/renew-certs
volumes:
- name: ca-pem
hostPath:
path: {{.Values.cluster_config.initca}}/ca.pem
type: File
- name: ca-key-pem
hostPath:
path: {{.Values.cluster_config.initca}}/ca-key.pem
type: File
- name: certs-script
configMap:
name: renew-certs-script
defaultMode: 0755
---
apiVersion: v1
data:
renew-certs.sh: |
#! /bin/bash
kubectl create secret tls -n cert-manager cluster-ca --cert=/tmp/ca.pem --key=/tmp/ca-key.pem --dry-run=client -o yaml > /tmp/new-secret.yaml
kubectl apply -f /tmp/new-secret.yaml
kind: ConfigMap
metadata:
name: renew-certs-script
namespace: cert-manager
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-secret-updater
namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-secret-updater-role
namespace: cert-manager
rules:
- apiGroups:
- ""
resourceNames:
- cluster-ca
resources:
- secrets
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-secret-updater-rbinding
namespace: cert-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-secret-updater-role
subjects:
- kind: ServiceAccount
name: cert-secret-updater
namespace: cert-manager
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-egress
namespace: cert-manager
spec:
podSelector:
matchLabels:
block-egress: "true"
policyTypes:
- Egress
---
{{ end }}
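Review bot: The `cert-create` Job's nodeAffinity selects on key `node-role.kubernetes.io` with value `control-plane`, while the Cilium policy later in this commit uses the standard label key `node-role.kubernetes.io/control-plane`; if the nodes carry only the standard label, this term never matches and the Job stays Pending. The pod is also labelled `block-egress: "true"`, which the `default-deny-egress` NetworkPolicy at the end of the hunk turns into a deny of all egress, so unless the CNI exempts API-server traffic the `kubectl apply` in the script cannot reach the API; an explicit egress rule to the API server and DNS would make the intent visible. The hostPath mounts hand the cluster CA private key to a container running as uid 12000, which only works if `ca-key.pem` is readable by that uid on the node — worth confirming, and worth a comment either way. The same Job is duplicated in the GitLab hunk with the same issues, and `backoffLimit: 1` is set here but not there.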
@@ -0,0 +1,23 @@
{{if and (.Values.cilium.enabled) (.Values.cilium.loadbalancerPool.enabled )}}
apiVersion: "cilium.io/v2alpha1"
kind: CiliumLoadBalancerIPPool
metadata:
name: "loadbalancer"
spec:
blocks:
{{- range .Values.cilium.loadbalancerPool.cidr}}
- cidr: {{ . }}
{{- end }}
---
apiVersion: "cilium.io/v2alpha1"
kind: CiliumL2AnnouncementPolicy
metadata:
name: policy
spec:
nodeSelector:
matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: DoesNotExist
externalIPs: true
loadBalancerIPs: true
{{- end}}
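Review bot: `- cidr: {{ . }}` inserts the pool CIDR unquoted; a CIDR parses as a plain string today, but an empty or malformed value renders to null or a YAML error with no clear message, so `- cidr: {{ . | quote }}` is safer and matches the quoting used elsewhere in this file. The template actions are spaced inconsistently (`{{if and (...) (... )}}` and `{{- end}}` here versus `{{- if ... }}` / `{{- end }}` in the other templates); aligning them is a small readability win. A comment stating that L2 announcements are deliberately kept off control-plane nodes would record the reason for the `DoesNotExist` selector.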
@@ -0,0 +1,128 @@
{{- if and (.Values.gitlab_runner.enabled) (.Values.gitlab_runner.createCertSecret) }}
# Pod to update certificates from master nodes
# only runs on control plane nodes (etcd)
# Mounts cert files rotatet by nixos service.mgr and uses it to update gitlab secret
# Always create certs on initial creation,
# Otherwise, cert creation would not happen until cronJob runs
apiVersion: batch/v1
kind: Job
metadata:
name: cert-create
namespace: gitlab
spec:
template:
metadata:
labels:
block-egress: "true"
annotations:
linkerd.io/inject: disabled
spec:
restartPolicy: Never
serviceAccountName: cert-secret-updater
securityContext:
runAsUser: 12000
runAsGroup: 13000
fsGroup: 10000
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io
operator: In
values:
- control-plane
tolerations:
- key: unschedulable
value: "true"
effect: NoSchedule
containers:
- image: bitnami/kubectl:1.24
name: kubectl
resources: {}
securityContext:
allowPrivilegeEscalation: false
command:
- "/bin/sh"
- -c
- /tmp/renew-certs/renew-certs.sh
volumeMounts:
- name: ca-pem
mountPath: /tmp/ca.pem
- name: ca-key-pem
mountPath: /tmp/ca-key.pem
- name: certs-script
mountPath: /tmp/renew-certs
volumes:
- name: ca-pem
hostPath:
path: {{.Values.cluster_config.initca}}/ca.pem
type: File
- name: ca-key-pem
hostPath:
path: {{.Values.cluster_config.initca}}/ca-key.pem
type: File
- name: certs-script
configMap:
name: renew-certs-script
defaultMode: 0755
---
apiVersion: v1
data:
renew-certs.sh: |
#! /bin/bash
kubectl create secret tls -n gitlab itp-cluster-ca --cert=/tmp/ca.pem --key=/tmp/ca-key.pem --dry-run=client -o yaml > /tmp/new-secret.yaml
kubectl apply -f /tmp/new-secret.yaml
kind: ConfigMap
metadata:
name: renew-certs-script
namespace: gitlab
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-secret-updater
namespace: gitlab
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-secret-updater-role
namespace: gitlab
rules:
- apiGroups:
- ""
resourceNames:
- itp-cluster-ca
resources:
- secrets
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-secret-updater-rbinding
namespace: gitlab
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-secret-updater-role
subjects:
- kind: ServiceAccount
name: cert-secret-updater
namespace: gitlab
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-egress
namespace: gitlab
spec:
podSelector:
matchLabels:
block-egress: "true"
policyTypes:
- Egress
---
{{- end }}
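Review bot: The script writes the cluster CA private key into the `itp-cluster-ca` TLS Secret in the `gitlab` namespace (`kubectl create secret tls ... --key=/tmp/ca-key.pem`), so anyone who can read Secrets in that namespace holds the key that signs every certificate issued by `ca-issuer`. If GitLab only needs to trust the cluster CA, as the `createCertSecret` value name suggests, a generic Secret or ConfigMap containing just `ca.pem` is enough and the `ca-key-pem` hostPath mount can be dropped; if the key really is required, say why in the header comment. This Job also lacks the `backoffLimit: 1` that its cert-manager twin sets, and shares that hunk's nodeAffinity-key and egress-deny concerns.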
@@ -0,0 +1,206 @@
{{ if .Values.linkerd.enabled }}
---
apiVersion: v1
kind: Namespace
metadata:
labels:
linkerd.io/control-plane-ns: linkerd
linkerd.io/is-control-plane: 'true'
config.linkerd.io/admission-webhooks: disabled
annotations:
linkerd.io/inject: disabled
argocd.argoproj.io/sync-wave: "-1"
name: linkerd
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: linkerd-trust-anchor
namespace: linkerd
spec:
ca:
secretName: linkerd-trust-anchor
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-identity-issuer
namespace: linkerd
spec:
revisionHistoryLimit: 5
secretName: linkerd-identity-issuer
duration: 48h0m0s
renewBefore: 25h0m0s
issuerRef:
name: linkerd-trust-anchor
kind: Issuer
dnsNames:
- identity.linkerd.cluster.local
isCA: true
privateKey:
algorithm: ECDSA
usages:
- cert sign
- crl sign
- server auth
- client auth
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: webhook-issuer
namespace: linkerd
spec:
ca:
secretName: webhook-issuer-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-policy-validator
namespace: linkerd
spec:
revisionHistoryLimit: 5
secretName: linkerd-policy-validator-k8s-tls
duration: 24h0m0s
renewBefore: 1h0m0s
issuerRef:
name: webhook-issuer
kind: Issuer
commonName: linkerd-policy-validator.linkerd.svc
dnsNames:
- linkerd-policy-validator.linkerd.svc
privateKey:
algorithm: ECDSA
encoding: PKCS8
usages:
- server auth
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-proxy-injector
namespace: linkerd
spec:
revisionHistoryLimit: 5
secretName: linkerd-proxy-injector-k8s-tls
duration: 24h0m0s
renewBefore: 1h0m0s
issuerRef:
name: webhook-issuer
kind: Issuer
commonName: linkerd-proxy-injector.linkerd.svc
dnsNames:
- linkerd-proxy-injector.linkerd.svc
privateKey:
algorithm: ECDSA
usages:
- server auth
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-sp-validator
namespace: linkerd
spec:
revisionHistoryLimit: 5
secretName: linkerd-sp-validator-k8s-tls
duration: 24h0m0s
renewBefore: 1h0m0s
issuerRef:
name: webhook-issuer
kind: Issuer
commonName: linkerd-sp-validator.linkerd.svc
dnsNames:
- linkerd-sp-validator.linkerd.svc
privateKey:
algorithm: ECDSA
usages:
- server auth
---
{{ if .Values.linkerd.viz.enabled }}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: webhook-issuer
namespace: linkerd-viz
spec:
ca:
secretName: webhook-issuer-tls
# ignore if not using the viz extension
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: tap
namespace: linkerd-viz
spec:
revisionHistoryLimit: 5
secretName: tap-k8s-tls
duration: 24h0m0s
renewBefore: 1h0m0s
issuerRef:
name: webhook-issuer
kind: Issuer
commonName: tap.linkerd-viz.svc
dnsNames:
- tap.linkerd-viz.svc
isCA: false
privateKey:
algorithm: ECDSA
usages:
- server auth
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-tap-injector
namespace: linkerd-viz
spec:
revisionHistoryLimit: 5
secretName: tap-injector-k8s-tls
duration: 24h0m0s
renewBefore: 1h0m0s
issuerRef:
name: webhook-issuer
kind: Issuer
commonName: tap-injector.linkerd-viz.svc
dnsNames:
- tap-injector.linkerd-viz.svc
privateKey:
algorithm: ECDSA
usages:
- server auth
---
{{ end }}
{{ if .Values.linkerd.jaeger.enabled }}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: webhook-issuer
namespace: linkerd-jaeger
spec:
ca:
secretName: webhook-issuer-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: jaeger-injector
namespace: linkerd-jaeger
spec:
revisionHistoryLimit: 5
secretName: jaeger-injector-k8s-tls
duration: 24h0m0s
renewBefore: 1h0m0s
issuerRef:
name: webhook-issuer
kind: Issuer
commonName: jaeger-injector.linkerd-jaeger.svc
dnsNames:
- jaeger-injector.linkerd-jaeger.svc
privateKey:
algorithm: ECDSA
usages:
- server auth
{{ end }}
{{ end }}
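Review bot: The `webhook-issuer` Issuer in `linkerd-viz` (ending at `secretName: webhook-issuer-tls`) is not separated from the following `tap` Certificate by `---`; only a comment line sits between them, so both resources land in one YAML document with duplicate `apiVersion`, `kind`, `metadata` and `spec` keys, and depending on the parser either the Issuer is silently replaced by the Certificate or rendering fails. Insert a `---` line directly after `secretName: webhook-issuer-tls`. The `{{ if ... }}` / `{{ end }}` actions here are not whitespace-trimmed, so each disabled section leaves blank lines, which is harmless but inconsistent with the `{{- ... }}` form used in the other templates.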
@@ -0,0 +1,48 @@
{{- if .Values.x509_exporter.alerts }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
labels:
# Some labels for various prometheus matching
k8s-app: x509-exporter
prometheus: k8s
role: alert-rules
name: x509-exporter-x509-certificate-exporter
namespace: x509-exporter
spec:
groups:
- name: x509-certificate-exporter.rules
rules:
- alert: X509ExporterReadErrors
annotations:
description: Over the last 15 minutes, this x509-certificate-exporter instance has experienced errors reading certificate files or querying the Kubernetes API. This could be caused by a misconfiguration if triggered when the exporter starts.
summary: Increasing read errors for x509-certificate-exporter
expr: delta(x509_read_errors[15m]) > 0
for: 5m
labels:
severity: warning
- alert: CertificateError
annotations:
description: Certificate could not be decoded {{`{{`}}if $labels.secret_name {{`}}`}} in Kubernetes secret "{{`{{`}} $labels.secret_namespace {{`}}`}}/{{`{{`}} $labels.secret_name {{`}}`}}"{{`{{`}}else{{`}}`}}at location "{{`{{`}} $labels.filepath {{`}}`}}"{{`{{`}}end{{`}}`}}
summary: Certificate cannot be decoded
expr: x509_cert_error > 0
for: 15m
labels:
severity: warning
- alert: CertificateRenewal
annotations:
description: Certificate for "{{`{{`}} $labels.subject_CN {{`}}`}}" should be renewed {{`{{`}}if $labels.secret_name {{`}}`}}in Kubernetes secret "{{`{{`}} $labels.secret_namespace {{`}}`}}/{{`{{`}} $labels.secret_name {{`}}`}}"{{`{{`}}else{{`}}`}}at location "{{`{{`}} $labels.filepath {{`}}`}}"{{`{{`}}end{{`}}`}}
summary: Certificate should be renewed
expr: ((x509_cert_not_after{secret_name!="linkerd-identity-issuer", issuer_O="", issuer_CN!="webhook.linkerd.cluster.local"} - time()) / 86400) < 28
for: 15m
labels:
severity: warning
- alert: CertificateExpiration
annotations:
description: Certificate for "{{`{{`}} $labels.subject_CN {{`}}`}}" is about to expire {{`{{`}}if $labels.secret_name {{`}}`}}in Kubernetes secret "{{`{{`}} $labels.secret_namespace {{`}}`}}/{{`{{`}} $labels.secret_name {{`}}`}}"{{`{{`}}else{{`}}`}}at location "{{`{{`}} $labels.filepath {{`}}`}}"{{`{{`}}end{{`}}`}}
summary: Certificate is about to expire
expr: ((x509_cert_not_after{secret_name!="linkerd-identity-issuer", issuer_O="", issuer_CN!="webhook.linkerd.cluster.local"} - time()) / 86400) < 14
for: 15m
labels:
severity: critical
{{- end }}
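Review bot: The `CertificateRenewal` and `CertificateExpiration` expressions filter on `issuer_O=""`, which restricts alerting to certificates whose issuer has no organisation; certificates from public CAs such as the Let's Encrypt issuers defined in this commit carry an issuer O and would never alert, which may or may not be intended. Add a comment above each `expr` explaining the selector, e.g. `# Internal (no issuer O) certs only; linkerd identity/webhook certs are short-lived and rotated by cert-manager, so excluded`, or drop the `issuer_O` clause if public certificates should alert too. The `{{`{{`}}…{{`}}`}}` escaping in the descriptions is the correct way to pass Prometheus templates through Helm and deserves a one-line comment so the next editor does not "fix" it.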