Adding Reflector and KubeClarity

manifests/workloads/applicationset-helm.yaml

@@ -0,0 +1,36 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: helm-workloads
+spec:
+  generators:
+  - list:
+      elements:
+      - namespace: kube-system
+        helmRepo: emberstack.github.io/helm-charts
+        appName: reflector
+        helmTargetRev: 7.1.216
+        valueBranch: main
+  template:
+    metadata:
+      name: '{{appName}}'
+    spec:
+      project: default
+      sources:
+      - repoURL: https://github.com/danmanners/homelab-kube-cluster.git
+        targetRevision: '{{targetRev}}'
+        ref: values
+      - repoUrl: '{{ helmRepo }}'
+        chart: '{{ appName }}'
+        targetRevision: '{{ helmTargetRev }}'
+        helm:
+          valueFiles:
+          - '$values/manifests/workloads/{{ appName }}/values.yaml'
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: '{{namespace}}'
+      syncPolicy:
+        automated:
+          prune: true
+        syncOptions:
+        - CreateNamespace=true

manifests/workloads/kubeclarity/ingress-basicAuth.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: basic-auth
+type: Opaque
+stringData:
+  auth: dan:$apr1$QHLOMISK$KVnciXqcww8PDTflRKtTZ1

manifests/workloads/kubeclarity/kustomization.yaml

@@ -4,3 +4,5 @@ namespace: kubeclarity
 
 resources:
 - external-dns.yaml
+- postgresSecret.yaml
+- ingress-basicAuth.yaml

manifests/workloads/kubeclarity/postgresSecret.yaml

@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: kubeclarity-postgresql-external
+  namespace: kubeclarity
+spec:
+  encryptedData:
+    secretKey: AgBPP/TI3HUni5Cy5nFvEDPS/zvo8rZqx+vWRNNgajuq/nUEJFxoJ6CkcvZKBZTfiJnjYsqduwQ+bEbCN0RsKitMWhJGMCVBPdvPTF6qqfrXurck7+DIacShz53ZUQ81Q0ngns7PaDZnzHSqNyJe9+Nb8hMjfM6WzNTR8KBAbbpFg7Aj0oINhqCoqbMa+CTNJp0MdTGb5aOC5om6KHudWg4r195MsQ4MyA5NZgKMtBDSDK/NeJA055D47alcSFzVA5ukyFmeREJl4TepCXjKmJYNEzYoNPM1JR5wGLru2MvsRznYdwXpDuvEMzABKKxhAFyUkdZXiGge4uTt+G7bamy+wmRkQNqSAp2/sZnh988n7yOujey0vrVBBrf/pgU5iIPi1AvZJ715zwopfwRe3opMcMqsDic1FpBp7Qgg8xy22bROvBCip7NflxJthy73XY5adClesU4it6GWK/c8pQnW/K+1LgyX9nHVb53d1T3+u4kh3uFm+PH3YfVTFNhkbeUFgmAPCrKHPIWNZLxV3vu7Fne0R6vwTY5gxni9SFDxWeON3OlNNL4a5f58D7jODTSC2baeq5X/7w9BrqfL/tQ1A5S9TvA1Z1W4mDFGnyLDFvsk1FyIdQ/PDyj3U5e6I7EzRu1XVQe+C0vpjt14PI6iIoj6o/0dCB0W7K/F+QcPNEH2syYvcjhVCOeR2p1D1olN1fNoxdmW1RbKebeZSZP588d6bL0q4oP0v5tIGfoBJ9p1aDeF9kbl5qdZE1Un4gj1Xv1Who99HnugUSA=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: kubeclarity-postgresql-external
+      namespace: kubeclarity
+    type: Opaque

manifests/workloads/kubeclarity/values.yaml

@@ -35,31 +35,25 @@ kubeclarity:
   service:
     type: ClusterIP
     port: 8080
-    annotations: {}
 
   ingress:
-    # Be careful when using ingress. As there is no authentication on Kubeclarity yet, your instance may be accessible.
-    # Make sure the ingress remains internal if you decide to enable it.
     enabled: true
-    labels: {}
-    annotations: {}
-
-    # Optionally use ingressClassName instead of deprecated annotation.
-    # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation
     ingressClassName: "nginx"
+    labels: {}
+    annotations:
+      cert-manager.io/cluster-issuer: acme-prod
+      nginx.ingress.kubernetes.io/auth-type: basic
+      nginx.ingress.kubernetes.io/auth-secret: basic-auth
+      nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
 
     hosts:
-    # hostname you want to use
     - host: kubeclarity.homelab.danmanners.com
 
     tls:
     - secretName: kubeclarity-tls
       hosts:
       - kubeclarity.homelab.danmanners.com
 
-  ## In case of postgres refresh interval of refreshing materialized views in seconds
-  # dbViewRefreshInterval: 5
-
   resources:
     requests:
       memory: "200Mi"
@@ -77,14 +71,6 @@ kubeclarity:
         memory: "200Mi"
         cpu: "200m"
 
-  ## Overrides global.affinity
-  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-  # affinity: {}
-
-  ## Overrides global.nodeSelector
-  # nodeSelector:
-  #   key1: value1
-
 ## End of KubeClarity Values
 #######################################################################################
 
@@ -270,7 +256,10 @@ kubeclarity-trivy-server:
 
   ## By default disable requirement for persistent storage
   persistence:
-    enabled: false
+    enabled: true
+    storageClass: ceph-rbd
+    accessMode: ReadWriteOnce
+    size: 5Gi
 
   podSecurityContext:
     runAsUser: 1001
@@ -302,17 +291,10 @@ kubeclarity-trivy-server:
 ## KubeClarity SBOM DB Values
 
 kubeclarity-sbom-db:
-  ## Docker Image values.
-  docker:
-    ## Use to overwrite the global docker params
-    ##
-    imageName: ""
-
   ## Logging level (debug, info, warning, error, fatal, panic).
   logLevel: warning
 
   servicePort: 8080
-
   resources:
     requests:
       memory: "20Mi"
@@ -340,20 +322,16 @@ kubeclarity-postgresql:
 
 # Use kubeclarity-postgresql-external if you want to reach an already existing PostgreSQL instance
 kubeclarity-postgresql-external:
-  enabled: false
+  enabled: true
   auth:
     existingSecret: kubeclarity-postgresql-secret
     username: kubeclarity
-    host: pgsql.hostname # replace this to reach your PostgreSQL instance
+    host: primary-rw.postgres.svc.cluster.local # replace this to reach your PostgreSQL instance
     port: 5432
     database: kubeclarity
     sslMode: disable
 
 # PostgreSQL connection information
 kubeclarity-postgresql-secret:
-  # Set create to true if you want this helm chart to create a secret holding pgsql password
-  # based on global.databasePassword value
-  # If create is set to false, a secret should already exist which has PostgreSQL
-  # password under secretKey key
-  create: true
-  secretKey: "postgres-password"
+  create: false
+  secretKey: "secretKey"

manifests/workloads/kustomization.yaml

@@ -4,3 +4,4 @@ namespace: argocd
 
 resources:
 - applicationset.yaml
+- applicationset-helm.yaml