From e811f24237ce3e35dfec3f36a89fcf9861ca7958 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 29 Jan 2022 21:46:14 +0100 Subject: [PATCH 001/334] feat: added environment changes --- .tekton/pipelines/pipeline.yaml | 2 +- Vagrantfile | 70 ++++++++++++++++++++++++ apps/blog/deployment.yaml | 2 +- apps/blog/ingress.yaml | 4 +- apps/dendrite/values.yaml | 4 +- apps/element/values.yaml | 8 +-- apps/hajimari/values.yaml | 2 +- apps/jellyfin/values.yaml | 2 +- apps/paperless/values.yaml | 2 +- apps/seafile/values.yaml | 2 +- bootstrap/argocd/values.yaml | 2 +- bootstrap/root/apply.sh | 2 +- bootstrap/root/values-seed.yaml | 2 +- metal/inventories/prod.yml | 5 +- metal/roles/pxe_server/defaults/main.yml | 2 +- platform/authentik/values.yaml | 2 +- platform/gitea/files/init_gitops_repo.py | 2 +- platform/gitea/values.yaml | 2 +- platform/tekton-pipelines/ingress.yaml | 2 +- platform/trow/templates/ingress.yaml | 2 +- platform/trow/values.yaml | 4 +- platform/vault/values.yaml | 2 +- system/cert-manager/values.yaml | 2 +- system/cloudflared/values.yaml | 4 +- system/monitoring-system/values.yaml | 2 +- 25 files changed, 101 insertions(+), 34 deletions(-) create mode 100644 Vagrantfile diff --git a/.tekton/pipelines/pipeline.yaml b/.tekton/pipelines/pipeline.yaml index 7796fa1b38..2030d0e951 100644 --- a/.tekton/pipelines/pipeline.yaml +++ b/.tekton/pipelines/pipeline.yaml @@ -39,7 +39,7 @@ spec: - name: CONTEXT value: ./tools - name: IMAGE - value: registry.khuedoan.com/tools:latest + value: registry.jupiter.mein.nl/tools:latest - name: EXTRA_ARGS value: - --cache=true diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 0000000000..f3c4fa50c0 --- /dev/null +++ b/Vagrantfile 
@@ -0,0 +1,70 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +# All Vagrant configuration is done below. The "2" in Vagrant.configure +# configures the configuration version (we support older styles for +# backwards compatibility). Please don't change it unless you know what +# you're doing. +Vagrant.configure("2") do |config| + # The most common configuration options are documented and commented below. + # For a complete reference, please see the online documentation at + # https://docs.vagrantup.com. + + # Every Vagrant development environment requires a box. You can search for + # boxes at https://vagrantcloud.com/search. + config.vm.box = "ubuntu/focal64" + + # Disable automatic box update checking. If you disable this, then + # boxes will only be checked for updates when the user runs + # `vagrant box outdated`. This is not recommended. + # config.vm.box_check_update = false + + # Create a forwarded port mapping which allows access to a specific port + # within the machine from a port on the host machine. In the example below, + # accessing "localhost:8080" will access port 80 on the guest machine. + # NOTE: This will enable public access to the opened port + # config.vm.network "forwarded_port", guest: 80, host: 8080 + + # Create a forwarded port mapping which allows access to a specific port + # within the machine from a port on the host machine and only allow access + # via 127.0.0.1 to disable public access + # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1" + + # Create a private network, which allows host-only access to the machine + # using a specific IP. + # config.vm.network "private_network", ip: "192.168.33.10" + + # Create a public network, which generally matched to bridged network. + # Bridged networks make the machine appear as another physical device on + # your network. + # config.vm.network "public_network" + + # Share an additional folder to the guest VM. 
The first argument is + # the path on the host to the actual folder. The second argument is + # the path on the guest to mount the folder. And the optional third + # argument is a set of non-required options. + # config.vm.synced_folder "../data", "/vagrant_data" + + # Provider-specific configuration so you can fine-tune various + # backing providers for Vagrant. These expose provider-specific options. + # Example for VirtualBox: + # + # config.vm.provider "virtualbox" do |vb| + # # Display the VirtualBox GUI when booting the machine + # vb.gui = true + # + # # Customize the amount of memory on the VM: + # vb.memory = "1024" + # end + # + # View the documentation for the provider you are using for more + # information on available options. + + # Enable provisioning with a shell script. Additional provisioners such as + # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the + # documentation for more information about their specific syntax and use. + # config.vm.provision "shell", inline: <<-SHELL + # apt-get update + # apt-get install -y apache2 + # SHELL +end diff --git a/apps/blog/deployment.yaml b/apps/blog/deployment.yaml index 9ef6626c15..22f2adb7b1 100644 --- a/apps/blog/deployment.yaml +++ b/apps/blog/deployment.yaml @@ -17,5 +17,5 @@ spec: spec: containers: - name: blog - image: registry.khuedoan.com/blog:latest + image: registry.jupiter.mein.nl/blog:latest imagePullPolicy: Always diff --git a/apps/blog/ingress.yaml b/apps/blog/ingress.yaml index 5d99b96295..8b579e5ca0 100644 --- a/apps/blog/ingress.yaml +++ b/apps/blog/ingress.yaml 
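Review bot: The new `image:` line in apps/blog/deployment.yaml keeps a mutable `:latest` tag next to `imagePullPolicy: Always`, so every pod start pulls whatever the registry currently holds under that tag and the running code can change without any change in Git. Pinning by digest (`image: registry.jupiter.mein.nl/blog@sha256:<digest-of-built-image>`) or by an immutable tag written by the build pipeline makes rollouts reproducible and reviewable. The same line recurs in the duplicated commit 002/334 (line 12).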
@@ -4,12 +4,12 @@ metadata: name: blog annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: homelab-tunnel.khuedoan.com + external-dns.alpha.kubernetes.io/target: homelab-tunnel.jupiter.mein.nl external-dns.alpha.kubernetes.io/cloudflare-proxied: 'true' spec: ingressClassName: nginx rules: - - host: &host blog.khuedoan.com + - host: &host blog.jupiter.mein.nl http: paths: - pathType: ImplementationSpecific diff --git a/apps/dendrite/values.yaml b/apps/dendrite/values.yaml index 77bf807f17..c18942894b 100644 --- a/apps/dendrite/values.yaml +++ b/apps/dendrite/values.yaml @@ -5,7 +5,7 @@ dendrite: pullPolicy: IfNotPresent configuration: version: 2 - servername: &host matrix.khuedoan.com + servername: &host matrix.jupiter.mein.nl database: host: "dendrite-postgresql:5432" user: "dendrite" @@ -48,7 +48,7 @@ dendrite: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: "homelab-tunnel.khuedoan.com" + external-dns.alpha.kubernetes.io/target: "homelab-tunnel.jupiter.mein.nl" external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" nginx.ingress.kubernetes.io/proxy-body-size: 32m hosts: diff --git a/apps/element/values.yaml b/apps/element/values.yaml index fcc8b0acd7..4ee2f16c98 100644 --- a/apps/element/values.yaml +++ b/apps/element/values.yaml @@ -4,10 +4,10 @@ elementweb: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: "homelab-tunnel.khuedoan.com" + external-dns.alpha.kubernetes.io/target: "homelab-tunnel.jupiter.mein.nl" external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" hosts: - - host: &host chat.khuedoan.com + - host: &host chat.jupiter.mein.nl paths: - path: / pathType: Prefix 
@@ -17,5 +17,5 @@ elementweb: - *host config: default: - base_url: https://matrix.khuedoan.com - server_name: khuedoan.com + base_url: https://matrix.jupiter.mein.nl + server_name: jupiter.mein.nl diff --git a/apps/hajimari/values.yaml b/apps/hajimari/values.yaml index cad60beeb9..84baa57119 100644 --- a/apps/hajimari/values.yaml +++ b/apps/hajimari/values.yaml @@ -14,7 +14,7 @@ hajimari: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host home.khuedoan.com + - host: &host home.jupiter.mein.nl paths: - path: / pathType: Prefix diff --git a/apps/jellyfin/values.yaml b/apps/jellyfin/values.yaml index e85c390fcb..df13a5915c 100644 --- a/apps/jellyfin/values.yaml +++ b/apps/jellyfin/values.yaml @@ -6,7 +6,7 @@ jellyfin: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host jellyfin.khuedoan.com + - host: &host jellyfin.jupiter.mein.nl paths: - path: / pathType: Prefix diff --git a/apps/paperless/values.yaml b/apps/paperless/values.yaml index 340fe49147..005eca1e99 100644 --- a/apps/paperless/values.yaml +++ b/apps/paperless/values.yaml @@ -6,7 +6,7 @@ paperless: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host paperless.khuedoan.com + - host: &host paperless.jupiter.mein.nl paths: - path: / pathType: Prefix diff --git a/apps/seafile/values.yaml b/apps/seafile/values.yaml index a943746d56..38c6c1adb5 100644 --- a/apps/seafile/values.yaml +++ b/apps/seafile/values.yaml @@ -6,7 +6,7 @@ seafile: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host seafile.khuedoan.com + - host: &host seafile.jupiter.mein.nl paths: - path: / pathType: Prefix diff --git a/bootstrap/argocd/values.yaml b/bootstrap/argocd/values.yaml index e1dbcfb5c1..967535b280 100644 --- a/bootstrap/argocd/values.yaml +++ b/bootstrap/argocd/values.yaml 
@@ -45,7 +45,7 @@ argo-cd: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - &host argocd.khuedoan.com + - &host argocd.jupiter.mein.nl tls: - secretName: argocd-tls-certificate hosts: diff --git a/bootstrap/root/apply.sh b/bootstrap/root/apply.sh index 2cabf0d3e3..f058ba574a 100755 --- a/bootstrap/root/apply.sh +++ b/bootstrap/root/apply.sh @@ -1,6 +1,6 @@ #!/bin/sh -curl -fks --connect-timeout 5 https://git.khuedoan.com \ +curl -fks --connect-timeout 5 https://git.jupiter.mein.nl \ || extra_args="--values values-seed.yaml" helm template \ diff --git a/bootstrap/root/values-seed.yaml b/bootstrap/root/values-seed.yaml index ae729830c4..60766a7846 100644 --- a/bootstrap/root/values-seed.yaml +++ b/bootstrap/root/values-seed.yaml @@ -1,2 +1,2 @@ gitops: - repo: https://github.com/khuedoan/homelab + repo: https://github.com/petermein/homelab diff --git a/metal/inventories/prod.yml b/metal/inventories/prod.yml index 7f6474ab77..68c8f87a42 100644 --- a/metal/inventories/prod.yml +++ b/metal/inventories/prod.yml @@ -2,9 +2,6 @@ metal: children: masters: hosts: - metal0: {ansible_host: 192.168.1.110, mac: '00:23:24:d1:f3:f0', disk: sda, network_interface: eno1} - metal1: {ansible_host: 192.168.1.111, mac: '00:23:24:d1:f4:d6', disk: sda, network_interface: eno1} - metal2: {ansible_host: 192.168.1.112, mac: '00:23:24:e7:04:60', disk: sda, network_interface: eno1} + metal0: {ansible_host: 192.168.1.8, mac: '1c:69:7a:ac:21:f2', disk: sda, network_interface: enp89s0} workers: hosts: - metal3: {ansible_host: 192.168.1.113, mac: '00:23:24:d1:f5:69', disk: sda, network_interface: eno1} diff --git a/metal/roles/pxe_server/defaults/main.yml b/metal/roles/pxe_server/defaults/main.yml index 37869774b1..337ffd8c31 100644 --- a/metal/roles/pxe_server/defaults/main.yml +++ b/metal/roles/pxe_server/defaults/main.yml 
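Review bot: The probe on the new line of bootstrap/root/apply.sh still passes `-k`, so the certificate of `git.jupiter.mein.nl` is never verified, yet the probe's result decides whether the root chart is templated against the in-cluster Gitea or against the GitHub seed in values-seed.yaml — any host that answers 2xx on that name flips the bootstrap source. The Gitea ingress on this page carries `cert-manager.io/cluster-issuer: letsencrypt-prod`, so once that certificate is issued the flag can be dropped: `curl -fs --connect-timeout 5 https://git.jupiter.mein.nl \`. If `-k` is needed only for the first boot before the issuer has run, a comment saying so on the line above stops the next reader from treating it as permanent. The same line is repeated in commit 002/334 (line 15).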
@@ -1,3 +1,3 @@ iso_url: "https://download.rockylinux.org/pub/rocky/8/isos/x86_64/Rocky-8.5-x86_64-minimal.iso" iso_checksum: "sha256:4eb2ae6b06876205f2209e4504110fe4115b37540c21ecfbbc0ebc11084cb779" -timezone: Asia/Ho_Chi_Minh +timezone: Europa/Amesterdam diff --git a/platform/authentik/values.yaml b/platform/authentik/values.yaml index 77a07a6d33..7712f98920 100644 --- a/platform/authentik/values.yaml +++ b/platform/authentik/values.yaml @@ -10,7 +10,7 @@ authentik: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host authentik.khuedoan.com + - host: &host authentik.jupiter.mein.nl paths: - path: / pathType: Prefix diff --git a/platform/gitea/files/init_gitops_repo.py b/platform/gitea/files/init_gitops_repo.py index 20e13b72f6..a5a66265a2 100755 --- a/platform/gitea/files/init_gitops_repo.py +++ b/platform/gitea/files/init_gitops_repo.py @@ -12,7 +12,7 @@ gitea_host = os.getenv('GITEA_HOST', "gitea-http:3000") gitea_user = os.environ['GITEA_USER'] gitea_pass = os.environ['GITEA_PASSWORD'] -seed_repo = "https://github.com/khuedoan/homelab" +seed_repo = "https://github.com/petermein/homelab" org = "ops" repo = "homelab" gitea_url = f"http://{gitea_user}:{gitea_pass}@{gitea_host}" diff --git a/platform/gitea/values.yaml b/platform/gitea/values.yaml index 689fcb62c4..19a3f950eb 100644 --- a/platform/gitea/values.yaml +++ b/platform/gitea/values.yaml @@ -5,7 +5,7 @@ gitea: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host git.khuedoan.com + - host: &host git.jupiter.mein.nl paths: - path: / pathType: Prefix diff --git a/platform/tekton-pipelines/ingress.yaml b/platform/tekton-pipelines/ingress.yaml index 87a01b3325..43f2ec5d22 100644 --- a/platform/tekton-pipelines/ingress.yaml +++ b/platform/tekton-pipelines/ingress.yaml 
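Review bot: The new `timezone` value in metal/roles/pxe_server/defaults/main.yml is not a valid IANA zone name — both the region and the city are misspelled — so the installer will likely reject or silently ignore it; it should read `timezone: Europe/Amsterdam`. The identical line is added again in the duplicated commit 002/334 (line 16) and needs the same fix.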
@@ -8,7 +8,7 @@ metadata: spec: ingressClassName: nginx rules: - - host: &host tekton.khuedoan.com + - host: &host tekton.jupiter.mein.nl http: paths: - pathType: ImplementationSpecific diff --git a/platform/trow/templates/ingress.yaml b/platform/trow/templates/ingress.yaml index 69c18316ca..7e9365e76d 100644 --- a/platform/trow/templates/ingress.yaml +++ b/platform/trow/templates/ingress.yaml @@ -8,7 +8,7 @@ metadata: spec: ingressClassName: nginx rules: - - host: &host registry.khuedoan.com + - host: &host registry.jupiter.mein.nl http: paths: - pathType: ImplementationSpecific diff --git a/platform/trow/values.yaml b/platform/trow/values.yaml index f9d3197b7c..399fa26474 100644 --- a/platform/trow/values.yaml +++ b/platform/trow/values.yaml @@ -1,6 +1,6 @@ trow: trow: - domain: registry.khuedoan.com + domain: registry.jupiter.mein.nl # user: user # password: password validation: @@ -19,7 +19,7 @@ trow: cert-manager.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/proxy-body-size: '0' hosts: - - host: &host registry.khuedoan.com + - host: &host registry.jupiter.mein.nl paths: - / tls: diff --git a/platform/vault/values.yaml b/platform/vault/values.yaml index dc2126e41e..cd28171dc6 100644 --- a/platform/vault/values.yaml +++ b/platform/vault/values.yaml @@ -10,7 +10,7 @@ vault: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host vault.khuedoan.com + - host: &host vault.jupiter.mein.nl tls: - secretName: vault-tls-certificate hosts: diff --git a/system/cert-manager/values.yaml b/system/cert-manager/values.yaml index 4592a271a1..a4119703d4 100644 --- a/system/cert-manager/values.yaml +++ b/system/cert-manager/values.yaml @@ -6,4 +6,4 @@ cert-manager: enabled: true issuer: - email: mail@khuedoan.com + email: mail@jupiter.mein.nl diff --git a/system/cloudflared/values.yaml b/system/cloudflared/values.yaml index 0a786546ea..f5f469968d 100644 --- a/system/cloudflared/values.yaml +++ b/system/cloudflared/values.yaml 
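Review bot: In the first platform/trow/values.yaml hunk the registry's `domain` moves to `registry.jupiter.mein.nl` while the `# user: user` and `# password: password` lines beneath it stay commented out, so whether pushes to this registry require credentials is not visible from the chart values. The wildcard tunnel entry `- hostname: '*.jupiter.mein.nl'` in system/cloudflared/values.yaml (line 9) publishes this hostname, and the deployments on this page pull mutable `:latest` tags from it, so an unauthenticated push would reach the cluster on the next pod restart. Confirm that the registry rejects anonymous writes, or place an access policy in front of the `registry.` hostname, and record the decision next to the commented credentials: `# pushes are gated by <mechanism — fill in>; anonymous push must stay disabled`. The same hunk recurs in commit 002/334 (line 17).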
@@ -5,8 +5,8 @@ cloudflared: tunnel: homelab ingress: # It is safe to put a wildcard here - # Please see https://homelab.khuedoan.com/reference/faq.html#is-it-safe-to-use-wildcard-in-cloudflare-tunnel-ingress-config - - hostname: '*.khuedoan.com' + # Please see https://homelab.jupiter.mein.nl/reference/faq.html#is-it-safe-to-use-wildcard-in-cloudflare-tunnel-ingress-config + - hostname: '*.jupiter.mein.nl' service: https://ingress-nginx-controller.ingress-nginx originRequest: noTLSVerify: true diff --git a/system/monitoring-system/values.yaml b/system/monitoring-system/values.yaml index 94e2c5853d..71b5849f39 100644 --- a/system/monitoring-system/values.yaml +++ b/system/monitoring-system/values.yaml @@ -6,7 +6,7 @@ kube-prometheus-stack: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - &host grafana.khuedoan.com + - &host grafana.jupiter.mein.nl tls: - secretName: grafana-general-tls hosts: From 9615e25cd426588f5276173d6ab9359e91e3b16d Mon Sep 17 00:00:00 2001 
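Review bot: The rewritten comment in system/cloudflared/values.yaml now points at `https://homelab.jupiter.mein.nl/reference/faq.html#...`, which looks like a mechanical domain replacement of the upstream project's documentation link rather than a page this fork serves — nothing on this page deploys a `homelab.` site. Keep the upstream URL, or replace the link with one sentence giving the reasoning, so the justification for the wildcard survives without an external page. The same comment is rewritten in commit 002/334 (line 18).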
From: Peter Mein Date: Sun, 30 Jan 2022 09:34:07 +0100 Subject: [PATCH 002/334] feat: added environment changes --- Vagrantfile | 70 ++++++++++++++++++++++++ apps/blog/deployment.yaml | 2 +- apps/blog/ingress.yaml | 4 +- apps/dendrite/values.yaml | 4 +- apps/element/values.yaml | 8 +-- apps/hajimari/values.yaml | 2 +- apps/jellyfin/values.yaml | 2 +- apps/paperless/values.yaml | 2 +- apps/seafile/values.yaml | 2 +- bootstrap/argocd/values.yaml | 2 +- bootstrap/root/apply.sh | 2 +- bootstrap/root/values-seed.yaml | 2 +- metal/inventories/prod.yml | 5 +- metal/roles/pxe_server/defaults/main.yml | 2 +- platform/authentik/values.yaml | 2 +- platform/gitea/files/init_gitops_repo.py | 2 +- platform/gitea/values.yaml | 2 +- platform/tekton-pipelines/ingress.yaml | 2 +- platform/trow/templates/ingress.yaml | 2 +- platform/trow/values.yaml | 4 +- platform/vault/values.yaml | 2 +- system/cert-manager/values.yaml | 2 +- system/cloudflared/values.yaml | 4 +- system/monitoring-system/values.yaml | 2 +- 24 files changed, 100 insertions(+), 33 deletions(-) create mode 100644 Vagrantfile diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 0000000000..f3c4fa50c0 --- /dev/null +++ b/Vagrantfile 
@@ -0,0 +1,70 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +# All Vagrant configuration is done below. The "2" in Vagrant.configure +# configures the configuration version (we support older styles for +# backwards compatibility). Please don't change it unless you know what +# you're doing. +Vagrant.configure("2") do |config| + # The most common configuration options are documented and commented below. + # For a complete reference, please see the online documentation at + # https://docs.vagrantup.com. + + # Every Vagrant development environment requires a box. You can search for + # boxes at https://vagrantcloud.com/search. + config.vm.box = "ubuntu/focal64" + + # Disable automatic box update checking. If you disable this, then + # boxes will only be checked for updates when the user runs + # `vagrant box outdated`. This is not recommended. + # config.vm.box_check_update = false + + # Create a forwarded port mapping which allows access to a specific port + # within the machine from a port on the host machine. In the example below, + # accessing "localhost:8080" will access port 80 on the guest machine. + # NOTE: This will enable public access to the opened port + # config.vm.network "forwarded_port", guest: 80, host: 8080 + + # Create a forwarded port mapping which allows access to a specific port + # within the machine from a port on the host machine and only allow access + # via 127.0.0.1 to disable public access + # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1" + + # Create a private network, which allows host-only access to the machine + # using a specific IP. + # config.vm.network "private_network", ip: "192.168.33.10" + + # Create a public network, which generally matched to bridged network. + # Bridged networks make the machine appear as another physical device on + # your network. + # config.vm.network "public_network" + + # Share an additional folder to the guest VM. 
The first argument is + # the path on the host to the actual folder. The second argument is + # the path on the guest to mount the folder. And the optional third + # argument is a set of non-required options. + # config.vm.synced_folder "../data", "/vagrant_data" + + # Provider-specific configuration so you can fine-tune various + # backing providers for Vagrant. These expose provider-specific options. + # Example for VirtualBox: + # + # config.vm.provider "virtualbox" do |vb| + # # Display the VirtualBox GUI when booting the machine + # vb.gui = true + # + # # Customize the amount of memory on the VM: + # vb.memory = "1024" + # end + # + # View the documentation for the provider you are using for more + # information on available options. + + # Enable provisioning with a shell script. Additional provisioners such as + # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the + # documentation for more information about their specific syntax and use. + # config.vm.provision "shell", inline: <<-SHELL + # apt-get update + # apt-get install -y apache2 + # SHELL +end diff --git a/apps/blog/deployment.yaml b/apps/blog/deployment.yaml index 9ef6626c15..22f2adb7b1 100644 --- a/apps/blog/deployment.yaml +++ b/apps/blog/deployment.yaml @@ -17,5 +17,5 @@ spec: spec: containers: - name: blog - image: registry.khuedoan.com/blog:latest + image: registry.jupiter.mein.nl/blog:latest imagePullPolicy: Always diff --git a/apps/blog/ingress.yaml b/apps/blog/ingress.yaml index 5d99b96295..8b579e5ca0 100644 --- a/apps/blog/ingress.yaml +++ b/apps/blog/ingress.yaml 
@@ -4,12 +4,12 @@ metadata: name: blog annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: homelab-tunnel.khuedoan.com + external-dns.alpha.kubernetes.io/target: homelab-tunnel.jupiter.mein.nl external-dns.alpha.kubernetes.io/cloudflare-proxied: 'true' spec: ingressClassName: nginx rules: - - host: &host blog.khuedoan.com + - host: &host blog.jupiter.mein.nl http: paths: - pathType: ImplementationSpecific diff --git a/apps/dendrite/values.yaml b/apps/dendrite/values.yaml index 77bf807f17..c18942894b 100644 --- a/apps/dendrite/values.yaml +++ b/apps/dendrite/values.yaml @@ -5,7 +5,7 @@ dendrite: pullPolicy: IfNotPresent configuration: version: 2 - servername: &host matrix.khuedoan.com + servername: &host matrix.jupiter.mein.nl database: host: "dendrite-postgresql:5432" user: "dendrite" @@ -48,7 +48,7 @@ dendrite: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: "homelab-tunnel.khuedoan.com" + external-dns.alpha.kubernetes.io/target: "homelab-tunnel.jupiter.mein.nl" external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" nginx.ingress.kubernetes.io/proxy-body-size: 32m hosts: diff --git a/apps/element/values.yaml b/apps/element/values.yaml index fcc8b0acd7..4ee2f16c98 100644 --- a/apps/element/values.yaml +++ b/apps/element/values.yaml @@ -4,10 +4,10 @@ elementweb: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: "homelab-tunnel.khuedoan.com" + external-dns.alpha.kubernetes.io/target: "homelab-tunnel.jupiter.mein.nl" external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" hosts: - - host: &host chat.khuedoan.com + - host: &host chat.jupiter.mein.nl paths: - path: / pathType: Prefix 
@@ -17,5 +17,5 @@ elementweb: - *host config: default: - base_url: https://matrix.khuedoan.com - server_name: khuedoan.com + base_url: https://matrix.jupiter.mein.nl + server_name: jupiter.mein.nl diff --git a/apps/hajimari/values.yaml b/apps/hajimari/values.yaml index cad60beeb9..84baa57119 100644 --- a/apps/hajimari/values.yaml +++ b/apps/hajimari/values.yaml @@ -14,7 +14,7 @@ hajimari: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host home.khuedoan.com + - host: &host home.jupiter.mein.nl paths: - path: / pathType: Prefix diff --git a/apps/jellyfin/values.yaml b/apps/jellyfin/values.yaml index e85c390fcb..df13a5915c 100644 --- a/apps/jellyfin/values.yaml +++ b/apps/jellyfin/values.yaml @@ -6,7 +6,7 @@ jellyfin: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host jellyfin.khuedoan.com + - host: &host jellyfin.jupiter.mein.nl paths: - path: / pathType: Prefix diff --git a/apps/paperless/values.yaml b/apps/paperless/values.yaml index 340fe49147..005eca1e99 100644 --- a/apps/paperless/values.yaml +++ b/apps/paperless/values.yaml @@ -6,7 +6,7 @@ paperless: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host paperless.khuedoan.com + - host: &host paperless.jupiter.mein.nl paths: - path: / pathType: Prefix diff --git a/apps/seafile/values.yaml b/apps/seafile/values.yaml index a943746d56..38c6c1adb5 100644 --- a/apps/seafile/values.yaml +++ b/apps/seafile/values.yaml @@ -6,7 +6,7 @@ seafile: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host seafile.khuedoan.com + - host: &host seafile.jupiter.mein.nl paths: - path: / pathType: Prefix diff --git a/bootstrap/argocd/values.yaml b/bootstrap/argocd/values.yaml index e1dbcfb5c1..967535b280 100644 --- a/bootstrap/argocd/values.yaml +++ b/bootstrap/argocd/values.yaml 
@@ -45,7 +45,7 @@ argo-cd: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - &host argocd.khuedoan.com + - &host argocd.jupiter.mein.nl tls: - secretName: argocd-tls-certificate hosts: diff --git a/bootstrap/root/apply.sh b/bootstrap/root/apply.sh index 2cabf0d3e3..f058ba574a 100755 --- a/bootstrap/root/apply.sh +++ b/bootstrap/root/apply.sh @@ -1,6 +1,6 @@ #!/bin/sh -curl -fks --connect-timeout 5 https://git.khuedoan.com \ +curl -fks --connect-timeout 5 https://git.jupiter.mein.nl \ || extra_args="--values values-seed.yaml" helm template \ diff --git a/bootstrap/root/values-seed.yaml b/bootstrap/root/values-seed.yaml index ae729830c4..60766a7846 100644 --- a/bootstrap/root/values-seed.yaml +++ b/bootstrap/root/values-seed.yaml @@ -1,2 +1,2 @@ gitops: - repo: https://github.com/khuedoan/homelab + repo: https://github.com/petermein/homelab diff --git a/metal/inventories/prod.yml b/metal/inventories/prod.yml index 7f6474ab77..68c8f87a42 100644 --- a/metal/inventories/prod.yml +++ b/metal/inventories/prod.yml @@ -2,9 +2,6 @@ metal: children: masters: hosts: - metal0: {ansible_host: 192.168.1.110, mac: '00:23:24:d1:f3:f0', disk: sda, network_interface: eno1} - metal1: {ansible_host: 192.168.1.111, mac: '00:23:24:d1:f4:d6', disk: sda, network_interface: eno1} - metal2: {ansible_host: 192.168.1.112, mac: '00:23:24:e7:04:60', disk: sda, network_interface: eno1} + metal0: {ansible_host: 192.168.1.8, mac: '1c:69:7a:ac:21:f2', disk: sda, network_interface: enp89s0} workers: hosts: - metal3: {ansible_host: 192.168.1.113, mac: '00:23:24:d1:f5:69', disk: sda, network_interface: eno1} diff --git a/metal/roles/pxe_server/defaults/main.yml b/metal/roles/pxe_server/defaults/main.yml index 37869774b1..337ffd8c31 100644 --- a/metal/roles/pxe_server/defaults/main.yml +++ b/metal/roles/pxe_server/defaults/main.yml 
@@ -1,3 +1,3 @@ iso_url: "https://download.rockylinux.org/pub/rocky/8/isos/x86_64/Rocky-8.5-x86_64-minimal.iso" iso_checksum: "sha256:4eb2ae6b06876205f2209e4504110fe4115b37540c21ecfbbc0ebc11084cb779" -timezone: Asia/Ho_Chi_Minh +timezone: Europa/Amesterdam diff --git a/platform/authentik/values.yaml b/platform/authentik/values.yaml index 77a07a6d33..7712f98920 100644 --- a/platform/authentik/values.yaml +++ b/platform/authentik/values.yaml @@ -10,7 +10,7 @@ authentik: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host authentik.khuedoan.com + - host: &host authentik.jupiter.mein.nl paths: - path: / pathType: Prefix diff --git a/platform/gitea/files/init_gitops_repo.py b/platform/gitea/files/init_gitops_repo.py index 20e13b72f6..a5a66265a2 100755 --- a/platform/gitea/files/init_gitops_repo.py +++ b/platform/gitea/files/init_gitops_repo.py @@ -12,7 +12,7 @@ gitea_host = os.getenv('GITEA_HOST', "gitea-http:3000") gitea_user = os.environ['GITEA_USER'] gitea_pass = os.environ['GITEA_PASSWORD'] -seed_repo = "https://github.com/khuedoan/homelab" +seed_repo = "https://github.com/petermein/homelab" org = "ops" repo = "homelab" gitea_url = f"http://{gitea_user}:{gitea_pass}@{gitea_host}" diff --git a/platform/gitea/values.yaml b/platform/gitea/values.yaml index 689fcb62c4..19a3f950eb 100644 --- a/platform/gitea/values.yaml +++ b/platform/gitea/values.yaml @@ -5,7 +5,7 @@ gitea: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host git.khuedoan.com + - host: &host git.jupiter.mein.nl paths: - path: / pathType: Prefix diff --git a/platform/tekton-pipelines/ingress.yaml b/platform/tekton-pipelines/ingress.yaml index 87a01b3325..43f2ec5d22 100644 --- a/platform/tekton-pipelines/ingress.yaml +++ b/platform/tekton-pipelines/ingress.yaml 
@@ -8,7 +8,7 @@ metadata: spec: ingressClassName: nginx rules: - - host: &host tekton.khuedoan.com + - host: &host tekton.jupiter.mein.nl http: paths: - pathType: ImplementationSpecific diff --git a/platform/trow/templates/ingress.yaml b/platform/trow/templates/ingress.yaml index 69c18316ca..7e9365e76d 100644 --- a/platform/trow/templates/ingress.yaml +++ b/platform/trow/templates/ingress.yaml @@ -8,7 +8,7 @@ metadata: spec: ingressClassName: nginx rules: - - host: &host registry.khuedoan.com + - host: &host registry.jupiter.mein.nl http: paths: - pathType: ImplementationSpecific diff --git a/platform/trow/values.yaml b/platform/trow/values.yaml index f9d3197b7c..399fa26474 100644 --- a/platform/trow/values.yaml +++ b/platform/trow/values.yaml @@ -1,6 +1,6 @@ trow: trow: - domain: registry.khuedoan.com + domain: registry.jupiter.mein.nl # user: user # password: password validation: @@ -19,7 +19,7 @@ trow: cert-manager.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/proxy-body-size: '0' hosts: - - host: &host registry.khuedoan.com + - host: &host registry.jupiter.mein.nl paths: - / tls: diff --git a/platform/vault/values.yaml b/platform/vault/values.yaml index dc2126e41e..cd28171dc6 100644 --- a/platform/vault/values.yaml +++ b/platform/vault/values.yaml @@ -10,7 +10,7 @@ vault: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host vault.khuedoan.com + - host: &host vault.jupiter.mein.nl tls: - secretName: vault-tls-certificate hosts: diff --git a/system/cert-manager/values.yaml b/system/cert-manager/values.yaml index 4592a271a1..a4119703d4 100644 --- a/system/cert-manager/values.yaml +++ b/system/cert-manager/values.yaml @@ -6,4 +6,4 @@ cert-manager: enabled: true issuer: - email: mail@khuedoan.com + email: mail@jupiter.mein.nl diff --git a/system/cloudflared/values.yaml b/system/cloudflared/values.yaml index 0a786546ea..f5f469968d 100644 --- a/system/cloudflared/values.yaml +++ b/system/cloudflared/values.yaml 
@@ -5,8 +5,8 @@ cloudflared: tunnel: homelab ingress: # It is safe to put a wildcard here - # Please see https://homelab.khuedoan.com/reference/faq.html#is-it-safe-to-use-wildcard-in-cloudflare-tunnel-ingress-config - - hostname: '*.khuedoan.com' + # Please see https://homelab.jupiter.mein.nl/reference/faq.html#is-it-safe-to-use-wildcard-in-cloudflare-tunnel-ingress-config + - hostname: '*.jupiter.mein.nl' service: https://ingress-nginx-controller.ingress-nginx originRequest: noTLSVerify: true diff --git a/system/monitoring-system/values.yaml b/system/monitoring-system/values.yaml index 94e2c5853d..71b5849f39 100644 --- a/system/monitoring-system/values.yaml +++ b/system/monitoring-system/values.yaml @@ -6,7 +6,7 @@ kube-prometheus-stack: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - &host grafana.khuedoan.com + - &host grafana.jupiter.mein.nl tls: - secretName: grafana-general-tls hosts: From 5b1d6b3856e036a14d6179bec8307b6423dddc5f Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 31 Jan 2022 20:16:09 +0100 Subject: [PATCH 003/334] feat: test non internal redirect --- platform/gitea/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/platform/gitea/values.yaml b/platform/gitea/values.yaml index 016cda7cfc..22e2c60747 100644 --- a/platform/gitea/values.yaml +++ b/platform/gitea/values.yaml @@ -3,6 +3,7 @@ gitea: enabled: true className: nginx annotations: + external-dns.alpha.kubernetes.io/exclude: true cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - host: &host git.jupiter.mein.nl @@ -20,7 +21,7 @@ gitea: config: server: LANDING_PAGE: explore - ROOT_URL: https://git.khuedoan.com + ROOT_URL: https://git.jupiter.mein.nl persistence: storageClass: longhorn postgresql: From 5ef998b4e47850833bcaa3bd1a8f0b1d0c90d181 Mon Sep 17 00:00:00 2001 
From: Peter Mein Date: Mon, 31 Jan 2022 20:27:53 +0100 Subject: [PATCH 004/334] fix: test quoting annotations --- platform/gitea/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/gitea/values.yaml b/platform/gitea/values.yaml index 22e2c60747..e5f26803e7 100644 --- a/platform/gitea/values.yaml +++ b/platform/gitea/values.yaml @@ -3,7 +3,7 @@ gitea: enabled: true className: nginx annotations: - external-dns.alpha.kubernetes.io/exclude: true + external-dns.alpha.kubernetes.io/exclude: 'true' cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - host: &host git.jupiter.mein.nl From db252b0594b3cfca1caaa19152986e994bb9815e Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 31 Jan 2022 20:45:20 +0100 Subject: [PATCH 005/334] feat: added home to exclude from dns --- apps/hajimari/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/apps/hajimari/values.yaml b/apps/hajimari/values.yaml index 84baa57119..db0cd97ce1 100644 --- a/apps/hajimari/values.yaml +++ b/apps/hajimari/values.yaml @@ -12,6 +12,7 @@ hajimari: enabled: true ingressClassName: nginx annotations: + external-dns.alpha.kubernetes.io/exclude: 'true' cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - host: &host home.jupiter.mein.nl From d46e3a15d8ef3dd5fae215efa68156d95aacedbe Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 31 Jan 2022 21:29:04 +0100 Subject: [PATCH 006/334] feat: small updates --- .gitignore | 2 + Vagrantfile | 70 ---- external/backblaze.tf | 2 +- external/cloudflare.tf | 4 +- ...cloudflared.tf => cloudflared.tf.disabled} | 2 +- external/terraform.tfstate.backup | 359 ++++++++++++++++++ external/versions.tf | 7 +- metal/Makefile | 4 +- metal/ansible.cfg | 13 +- metal/group_vars/all.yml | 1 + 10 files changed, 379 insertions(+), 85 deletions(-) delete mode 100644 Vagrantfile rename external/{cloudflared.tf => cloudflared.tf.disabled} (95%) create mode 100644 external/terraform.tfstate.backup 
diff --git a/.gitignore b/.gitignore index 7c8492b492..e05bd3eb3e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ .vagrant/ .venv/ +.ssh/ book/ *.iso @@ -8,3 +9,4 @@ book/ *.tgz *kubeconfig.yaml Chart.lock +.DS_Store \ No newline at end of file diff --git a/Vagrantfile b/Vagrantfile deleted file mode 100644 index f3c4fa50c0..0000000000 --- a/Vagrantfile +++ /dev/null 
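Review bot: The .gitignore hunk adds `.ssh/` and `.DS_Store` but no pattern for Terraform state, while this same commit's diffstat (line 19) records `create mode 100644 external/terraform.tfstate.backup`. Terraform state and its backups hold provider credentials and resource attributes in plaintext, so that file should not be committed: add `*.tfstate` and `*.tfstate.*` to the ignore list, drop the file from the commit (and from history if it has been pushed), and treat any tokens it contains as exposed. The `+.DS_Store` line is also appended without a trailing newline (`\ No newline at end of file`), which the next edit to this file will have to repair.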
@@ -1,70 +0,0 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : - -# All Vagrant configuration is done below. The "2" in Vagrant.configure -# configures the configuration version (we support older styles for -# backwards compatibility). Please don't change it unless you know what -# you're doing. -Vagrant.configure("2") do |config| - # The most common configuration options are documented and commented below. - # For a complete reference, please see the online documentation at - # https://docs.vagrantup.com. - - # Every Vagrant development environment requires a box. You can search for - # boxes at https://vagrantcloud.com/search. - config.vm.box = "ubuntu/focal64" - - # Disable automatic box update checking. If you disable this, then - # boxes will only be checked for updates when the user runs - # `vagrant box outdated`. This is not recommended. - # config.vm.box_check_update = false - - # Create a forwarded port mapping which allows access to a specific port - # within the machine from a port on the host machine. In the example below, - # accessing "localhost:8080" will access port 80 on the guest machine. - # NOTE: This will enable public access to the opened port - # config.vm.network "forwarded_port", guest: 80, host: 8080 - - # Create a forwarded port mapping which allows access to a specific port - # within the machine from a port on the host machine and only allow access - # via 127.0.0.1 to disable public access - # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1" - - # Create a private network, which allows host-only access to the machine - # using a specific IP. - # config.vm.network "private_network", ip: "192.168.33.10" - - # Create a public network, which generally matched to bridged network. - # Bridged networks make the machine appear as another physical device on - # your network. - # config.vm.network "public_network" - - # Share an additional folder to the guest VM. 
The first argument is - # the path on the host to the actual folder. The second argument is - # the path on the guest to mount the folder. And the optional third - # argument is a set of non-required options. - # config.vm.synced_folder "../data", "/vagrant_data" - - # Provider-specific configuration so you can fine-tune various - # backing providers for Vagrant. These expose provider-specific options. - # Example for VirtualBox: - # - # config.vm.provider "virtualbox" do |vb| - # # Display the VirtualBox GUI when booting the machine - # vb.gui = true - # - # # Customize the amount of memory on the VM: - # vb.memory = "1024" - # end - # - # View the documentation for the provider you are using for more - # information on available options. - - # Enable provisioning with a shell script. Additional provisioners such as - # Ansible, Chef, Docker, Puppet and Salt are also available. Please see the - # documentation for more information about their specific syntax and use. - # config.vm.provision "shell", inline: <<-SHELL - # apt-get update - # apt-get install -y apache2 - # SHELL -end diff --git a/external/backblaze.tf b/external/backblaze.tf index 249021a7ab..06cb53cbc4 100644 --- a/external/backblaze.tf +++ b/external/backblaze.tf @@ -1,5 +1,5 @@ resource "b2_bucket" "backup" { - bucket_name = "khuedoan-homelab-backup" + bucket_name = "infratron-homelab" bucket_type = "allPrivate" } diff --git a/external/cloudflare.tf b/external/cloudflare.tf index 56048ce15f..fcbc95f6ad 100644 --- a/external/cloudflare.tf +++ b/external/cloudflare.tf @@ -1,5 +1,5 @@ -data "cloudflare_zone" "khuedoan_com" { - name = "khuedoan.com" +data "cloudflare_zone" "mein_nl" { + zone_id = "f2dbeb2dca3e055df71df866b8188ce7" } data "cloudflare_api_token_permission_groups" "all" {} diff --git a/external/cloudflared.tf b/external/cloudflared.tf.disabled similarity index 95% rename from external/cloudflared.tf rename to external/cloudflared.tf.disabled index 33f633f18e..60eb51ce5b 100644 
--- a/external/cloudflared.tf +++ b/external/cloudflared.tf.disabled @@ -11,7 +11,7 @@ resource "cloudflare_argo_tunnel" "homelab" { # Not proxied, not accessible. Just a record for auto-created CNAMEs by external-dns. resource "cloudflare_record" "tunnel" { - zone_id = data.cloudflare_zone.khuedoan_com.id + zone_id = data.cloudflare_zone.mein_nl.id type = "CNAME" name = "homelab-tunnel" value = "${cloudflare_argo_tunnel.homelab.id}.cfargotunnel.com" diff --git a/external/terraform.tfstate.backup b/external/terraform.tfstate.backup new file mode 100644 index 0000000000..ca82ca7757 --- /dev/null +++ b/external/terraform.tfstate.backup 
@@ -0,0 +1,359 @@ +{ + "version": 4, + "terraform_version": "1.1.4", + "serial": 9, + "lineage": "247a1195-7fec-d552-ad03-59b12b32cd72", + "outputs": {}, + "resources": [ + { + "mode": "data", + "type": "cloudflare_api_token_permission_groups", + "name": "all", + "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "780b36afee7102151ac52c2f3f9a616e", + "permissions": { + "API Tokens Read": "0cc3a61731504c89b99ec1be78b77aa0", + "API Tokens Write": "686d18d5ac6c441c867cbf6771e58a0a", + "Access: Apps and Policies Read": "eb258a38ea634c86a0c89da6b27cb6b6", + "Access: Apps and Policies Revoke": "6c9d1cfcfc6840a987d1b5bfb880a841", + "Access: Apps and Policies Write": "959972745952452f8be2452be8cbb9f2", + "Access: Audit Logs Read": "b05b28e839c54467a7d6cba5d3abb5a3", + "Access: Certificates Read": "4f3196a5c95747b6ad82e34e1d0a694f", + "Access: Certificates Write": "29d3afbfd4054af9accdd1118815ed05", + "Access: Device Posture Read": "0f4841f80adb4bada5a09493300e7f8d", + "Access: Device Posture Write": "2fc1072ee6b743828db668fcb3f9dee7", + "Access: Organizations, Identity Providers, and Groups Read": "26bc23f853634eb4bff59983b9064fde", + "Access: Organizations, Identity Providers, and Groups Revoke": "7121a0c7e9ed46e3829f9cca2bb572aa", + "Access: Organizations, Identity Providers, and Groups Write": "bfe0d8686a584fa680f4c53b5eb0de6d", + "Access: Service Tokens Read": "91f7ce32fa614d73b7e1fc8f0e78582b", + "Access: Service Tokens Write": "a1c0fec57cf94af79479a6d827fa518c", + "Account Analytics Read": "b89a480218d04ceb98b4fe57ca29dc1f", + "Account Firewall Access Rules Read": "de7a688cc47d43bd9ea700b467a09c96", + "Account Firewall Access Rules Write": "a416acf9ef5a4af19fb11ed3b96b1fe6", + "Account Rule Lists Read": "4f1071168de8466e9808de86febfc516", + "Account Rule Lists Write": "2edbf20661fd4661b0fe10e9e12f485c", + "Account Rulesets Read": "fb39996ee9044d2a8725921e02744b39", + "Account 
Rulesets Write": "56907406c3d548ed902070ec4df0e328", + "Account Settings Read": "c1fde68c7bcc44588cbb6ddbc16d6480", + "Account Settings Write": "1af1fa2adc104452b74a9a3364202f20", + "Account WAF Read": "56b2af4817c84ad99187911dc3986c23", + "Account WAF Write": "cde8c82463b6414ca06e46b9633f52a6", + "Analytics Read": "9c88f9c5bce24ce7af9a958ba9c504db", + "Apps Write": "094547ab6e77498c8c4dfa87fadd5c51", + "Argo Tunnel Read": "efea2ab8357b47888938f101ae5e053f", + "Argo Tunnel Write": "c07321b023e944ff818fec44d8203567", + "Billing Read": "7cf72faf220841aabcfdfab81c43c4f6", + "Billing Write": "6c80e02421494afc9ae14414ed442632", + "Bot Management Read": "07bea2220b2343fa9fae15656c0d8e88", + "Bot Management Write": "3b94c49258ec4573b06d51d99b6416c0", + "Cache Purge": "e17beae8b8cb423a99b1730f21238bed", + "DDoS Protection Read": "af1c363c35ba45b9a8c682ae50eb3f99", + "DDoS Protection Write": "d44ed14bcc4340b194d3824d60edad3f", + "DNS Firewall Read": "5f48a472240a4b489a21d43bd19a06e1", + "DNS Firewall Write": "da6d2d6f2ec8442eaadda60d13f42bca", + "DNS Read": "82e64a83756745bbbb1c9c2701bf816b", + "DNS Write": "4755a26eedb94da69e1066d98aa820be", + "Firewall Services Read": "4ec32dfcb35641c5bb32d5ef1ab963b4", + "Firewall Services Write": "43137f8d07884d3198dc0ee77ca6e79b", + "HTTP DDoS Managed Ruleset Read": "c49f8d15f9f44885a544d945ef5aa6ae", + "HTTP DDoS Managed Ruleset Write": "b88a3aa889474524bccea5cf18f122bf", + "Health Checks Read": "fac65912d42144aa86b7dd33281bf79e", + "Health Checks Write": "e0dc25a0fbdf4286b1ea100e3256b0e3", + "IP Prefixes: BGP On Demand Read": "e763fae6ee95443b8f56f19213c5f2a5", + "IP Prefixes: BGP On Demand Write": "2ae23e4939d54074b7d252d27ce75a77", + "IP Prefixes: Read": "27beb7f8333b41e2b946f0e23cd8091e", + "IP Prefixes: Write": "92b8234e99f64e05bbbc59e1dc0f76b6", + "Images Read": "0cf6473ad41449e7b7b743d14fc20c60", + "Images Write": "618ec6c64a3a42f8b08bdcb147ded4e4", + "L4 DDoS Managed Ruleset Read": "4657621393f94f83b8ef94adba382e48", + "L4 
DDoS Managed Ruleset Write": "7a4c3574054a4d0ba7c692893ba8bdd4", + "Load Balancers Read": "e9a975f628014f1d85b723993116f7d5", + "Load Balancers Write": "6d7f2f5f5b1d4a0e9081fdc98d432fd1", + "Load Balancing: Monitors and Pools Read": "9d24387c6e8544e2bc4024a03991339f", + "Load Balancing: Monitors and Pools Write": "d2a1802cc9a34e30852f8b33869b2f3c", + "Logs Read": "6a315a56f18441e59ed03352369ae956", + "Logs Write": "96163bd1b0784f62b3e44ed8c2ab1eb6", + "Magic Firewall Packet Captures - Read PCAPs API": "3a46c728a0a040d5a65cd8e2f3bc6935", + "Magic Firewall Packet Captures - Write PCAPs API": "4ea7d6421801452dbf07cef853a5ef39", + "Magic Firewall Read": "02b71f12bb0748e9af8126494e181342", + "Magic Firewall Write": "8bd1dac84d3d43e7bfb43145f010a15c", + "Magic Transit Prefix Read": "967ecf860a244dd1911a0331a0af582a", + "Magic Transit Prefix Write": "0bc09a3cd4b54605990df4e307f138e1", + "Mass URL Redirects Read": "429a068902904c5a9ed9fc267c67da9a", + "Mass URL Redirects Write": "abe78e2276664f4db588c1f675a77486", + "Memberships Read": "3518d0f75557482e952c6762d3e64903", + "Memberships Write": "9201bc6f42d440968aaab0c6f17ebb1d", + "Page Rules Read": "b415b70a4fd1412886f164451f20405c", + "Page Rules Write": "ed07f6c337da4195b4e72a1fb2c6bcae", + "Rule Policies Read": "58abbad6d2ce40abb2594fbe932a2e0e", + "Rule Policies Write": "61ddc58f1da14f95b33b41213360cbeb", + "SSL and Certificates Read": "7b7216b327b04b8fbc8f524e1f9b7531", + "SSL and Certificates Write": "c03055bc037c4ea9afb9a9f104b7b721", + "Sanitize Read": "853643ed57244ed1a05a7c024af9ab5a", + "Sanitize Write": "89bb8c37d46042e98b84560eaaa6379f", + "Select Configuration Read": "595409c54a24444b80a495620b2d614c", + "Select Configuration Write": "235eac9bb64942b49cb805cc851cb000", + "Stream Read": "de21485a24744b76a004aa153898f7fe", + "Stream Write": "714f9c13a5684c2885a793f5edb36f59", + "Teams Read": "3f376c8e6f764a938b848bd01c8995c4", + "Teams Report": "efb81b5cd37d49f3be1da9363a6d7a19", + "Teams Write": 
"b33f02c6f7284e05a6f20741c0bb0567", + "Transform Rules Read": "a9a99455bf3245f6a5a244f909d74830", + "Transform Rules Write": "ae16e88bc7814753a1894c7ce187ab72", + "User Details Read": "8acbe5bb0d54464ab867149d7f7cf8ac", + "User Details Write": "55a5e17cc99e4a3fa1f3432d262f2e55", + "Waiting Rooms Read": "cab5202d07ef47beae788e6bc95cb6fe", + "Waiting Rooms Write": "24fc124dc8254e0db468e60bf410c800", + "Web3 Hostnames Read": "8e31f574901c42e8ad89140b28d42112", + "Web3 Hostnames Write": "5ea6da42edb34811a78d1b007557c0ca", + "Workers KV Storage Read": "8b47d2786a534c08a1f94ee8f9f599ef", + "Workers KV Storage Write": "f7f0eda5697f475c90846e879bab8666", + "Workers R2 Storage Read": "b4992e1108244f5d8bfbd5744320c2e1", + "Workers R2 Storage Write": "bf7481a1826f439697cb59a20b22293e", + "Workers Routes Read": "2072033d694d415a936eaeb94e6405b8", + "Workers Routes Write": "28f4b596e7d643029c524985477ae49a", + "Workers Scripts Read": "1a71c399035b4950a1bd1466bbe4f420", + "Workers Scripts Write": "e086da7e2179491d91ee5f35b3ca210a", + "Workers Tail Read": "05880cd1bdc24d8bae0be2136972816b", + "Zone Read": "c8fed203ed3043cba015a93ad1616f1f", + "Zone Settings Read": "517b21aee92c4d89936c976ba6e4be55", + "Zone Settings Write": "3030687196b94b638145a3953da2b699", + "Zone Transform Rules Read": "211a4c0feb3e43b3a2d41f1443a433e7", + "Zone Transform Rules Write": "0ac90a90249747bca6b047d97f0803e9", + "Zone WAF Read": "dbc512b354774852af2b5a5f4ba3d470", + "Zone WAF Write": "fb6778dc191143babbfaa57993f1d275", + "Zone Write": "e6d2666161e84845a636613608cee8d5" + } + }, + "sensitive_attributes": [] + } + ] + }, + { + "mode": "data", + "type": "cloudflare_zone", + "name": "mein_nl", + "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "account_id": "bade361765d704ba91e29296a025e4e3", + "id": "f2dbeb2dca3e055df71df866b8188ce7", + "name": "mein.nl", + "name_servers": [ + "jacqueline.ns.cloudflare.com", + 
"keanu.ns.cloudflare.com" + ], + "paused": false, + "plan": "Free Website", + "status": "active", + "vanity_name_servers": [], + "zone_id": "f2dbeb2dca3e055df71df866b8188ce7" + }, + "sensitive_attributes": [] + } + ] + }, + { + "mode": "data", + "type": "http", + "name": "public_ipv4", + "provider": "provider[\"registry.terraform.io/hashicorp/http\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "body": "213.34.1.38\n", + "id": "https://ipv4.icanhazip.com", + "request_headers": null, + "response_headers": { + "Access-Control-Allow-Methods": "GET", + "Access-Control-Allow-Origin": "*", + "Alt-Svc": "h3=\":443\"; ma=86400, h3-29=\":443\"; ma=86400", + "Cf-Ray": "6d62f519dcaf0b53-AMS", + "Content-Length": "12", + "Content-Type": "text/plain", + "Date": "Mon, 31 Jan 2022 12:31:30 GMT", + "Expect-Ct": "max-age=604800, report-uri=\"https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct\"", + "Server": "cloudflare", + "Set-Cookie": "__cf_bm=eSPCketSwmEdhrJ9DS.bASDM_Wr4Yh5uLjuYyWJGhhg-1643632290-0-AVvMyngW1S0sTTVxMnNaQhmFORFQISMOc2SFfNv6P4QfnNH94IJo3w4M2KUtUd5uMFkTveKsacmUMM87cEfA4LE=; path=/; expires=Mon, 31-Jan-22 13:01:30 GMT; domain=.icanhazip.com; HttpOnly; Secure; SameSite=None", + "Vary": "Accept-Encoding" + }, + "url": "https://ipv4.icanhazip.com" + }, + "sensitive_attributes": [] + } + ] + }, + { + "mode": "managed", + "type": "b2_bucket", + "name": "backup", + "provider": "provider[\"registry.terraform.io/backblaze/b2\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "account_id": "42ed5f32e413", + "bucket_id": "a462aefd15efb3027ee40113", + "bucket_info": null, + "bucket_name": "infratron-homelab", + "bucket_type": "allPrivate", + "cors_rules": [], + "default_server_side_encryption": [ + { + "algorithm": "", + "mode": "none" + } + ], + "file_lock_configuration": [ + { + "default_retention": [], + "is_file_lock_enabled": false + } + ], + "id": "a462aefd15efb3027ee40113", + "lifecycle_rules": [], + "options": [ + "s3" + ], 
+ "revision": 2 + }, + "sensitive_attributes": [], + "private": "bnVsbA==" + } + ] + }, + { + "mode": "managed", + "type": "cloudflare_api_token", + "name": "cert_manager", + "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "condition": [ + { + "request_ip": [ + { + "in": [ + "213.34.1.38/32" + ], + "not_in": null + } + ] + } + ], + "id": "774665d78721200897b10501ea37272d", + "issued_on": "2022-01-31T12:31:46Z", + "modified_on": "2022-01-31T12:31:46Z", + "name": "homelab_cert_manager", + "policy": [ + { + "effect": "allow", + "permission_groups": [ + "c8fed203ed3043cba015a93ad1616f1f", + "4755a26eedb94da69e1066d98aa820be" + ], + "resources": { + "com.cloudflare.api.account.zone.*": "*" + } + } + ], + "status": "active", + "value": "hKSWqAXuQitglD4rpxyoUGh-A-ojZzFJdBLv2C76" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "data.cloudflare_api_token_permission_groups.all", + "data.http.public_ipv4" + ] + } + ] + }, + { + "mode": "managed", + "type": "cloudflare_api_token", + "name": "external_dns", + "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "condition": [ + { + "request_ip": [ + { + "in": [ + "213.34.1.38/32" + ], + "not_in": null + } + ] + } + ], + "id": "0f8e9cd48e207b7b607ad2151041412c", + "issued_on": "2022-01-31T12:31:46Z", + "modified_on": "2022-01-31T12:31:46Z", + "name": "homelab_external_dns", + "policy": [ + { + "effect": "allow", + "permission_groups": [ + "c8fed203ed3043cba015a93ad1616f1f", + "4755a26eedb94da69e1066d98aa820be" + ], + "resources": { + "com.cloudflare.api.account.zone.*": "*" + } + } + ], + "status": "active", + "value": "n7pog40deazFcF4ymKZ53z1M4fAICHuVoqZF2cgX" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "data.cloudflare_api_token_permission_groups.all", + "data.http.public_ipv4" + ] + } 
+ ] + }, + { + "mode": "managed", + "type": "random_password", + "name": "backup_repo_password", + "provider": "provider[\"registry.terraform.io/hashicorp/random\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "none", + "keepers": null, + "length": 64, + "lower": true, + "min_lower": 0, + "min_numeric": 0, + "min_special": 0, + "min_upper": 0, + "number": true, + "override_special": null, + "result": "rATN4QEZjlNeXoj65ywc9aI1MxO9zqg7ZYaM5Tr9fWiB3y8KpnMpae9guS5zZtOZ", + "special": false, + "upper": true + }, + "sensitive_attributes": [], + "private": "bnVsbA==" + } + ] + } + ] +} diff --git a/external/versions.tf b/external/versions.tf index a11b1d48d2..b2ea9eff28 100644 --- a/external/versions.tf +++ b/external/versions.tf @@ -1,13 +1,8 @@ terraform { required_version = "~> 1.1.0" - backend "remote" { - hostname = "app.terraform.io" - organization = "khuedoan" + backend "local" { - workspaces { - name = "homelab-external" - } } required_providers { diff --git a/metal/Makefile b/metal/Makefile index 0f96cb6842..378486c689 100644 --- a/metal/Makefile +++ b/metal/Makefile @@ -4,8 +4,8 @@ env ?= "prod" default: boot cluster -~/.ssh/id_ed25519: - ssh-keygen -t ed25519 -f "$@" +# ~/.ssh/id_ed25519: +# ssh-keygen -t ed25519 -f "$@" boot: ~/.ssh/id_ed25519 ansible-playbook \ diff --git a/metal/ansible.cfg b/metal/ansible.cfg index f81604ed91..e376da1ded 100644 --- a/metal/ansible.cfg +++ b/metal/ansible.cfg @@ -1,4 +1,11 @@ [defaults] -host_key_checking=false -stdout_callback=debug -stderr_callback=debug +host_key_checking = False +stdout_callback = debug +stderr_callback = debug + +[persistent_connection] +command_timeout=600 + +[paramiko_connection] +host_key_auto_add = True +look_for_keys = False \ No newline at end of file diff --git a/metal/group_vars/all.yml b/metal/group_vars/all.yml index 8828020be5..48b1999bc4 100644 --- a/metal/group_vars/all.yml +++ b/metal/group_vars/all.yml 
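Review bot: This committed state backup contains live credentials in plaintext: the `value` attribute of both `cloudflare_api_token` resources (`cert_manager` and `external_dns`), the `result` of `random_password.backup_repo_password`, the Cloudflare `account_id`, and the public IP and `Set-Cookie` header captured by `data.http.public_ipv4`. Once pushed these are part of git history and should be treated as compromised: revoke and reissue both API tokens, rotate the backup repository password, and remove the file (ideally by rewriting history, at minimum `git rm` plus an ignore rule). Terraform state is a generated artefact that belongs in a protected remote backend, not in the repository. The empty `sensitive_attributes` arrays show that nothing in the provider marked the token `value` as sensitive, so no redaction would have happened on its own.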
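Review bot: Replacing the remote backend with an empty `backend "local" {}` block puts `terraform.tfstate`, with every token and password this configuration generates, on the local disk in plaintext, and this commit already shows the consequence in the committed `external/terraform.tfstate.backup`. If a remote workspace is not wanted, at least point the local backend outside the tree with its `path` argument and ignore `*.tfstate*`, or use a backend that encrypts state at rest. The blank line left inside the block after the removed `workspaces` section is harmless but can go.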
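Review bot: Commenting out the `~/.ssh/id_ed25519:` rule leaves the unchanged `boot: ~/.ssh/id_ed25519` prerequisite pointing at a target make no longer knows how to build, so on a host without that key `make boot` fails with "No rule to make target" instead of generating one. Either drop the prerequisite (`boot:`) or keep the rule active. If the intent is that an existing key must be supplied, say so next to the disabled rule, e.g. `# key generation disabled: a pre-existing ~/.ssh/id_ed25519 is required`.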
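Review bot: The new `[paramiko_connection] host_key_auto_add = True` has no effect while `host_key_checking = False` stays in `[defaults]`, because in that mode host keys are never verified; combined with the password login added in `metal/group_vars/all.yml` in this same commit, a first connection can be intercepted with no warning at all. If the goal is trust-on-first-use with detection of later key changes, set `host_key_checking = True` and keep `host_key_auto_add = True`; otherwise the paramiko section is dead configuration. `look_for_keys = False` also turns off the default `~/.ssh/id_*` discovery, so only `ansible_ssh_private_key_file` or a password will be tried, which is worth confirming against how the key in the Makefile is meant to be used. The file is also left without a trailing newline.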
@@ -1,4 +1,5 @@ ansible_user: root ansible_ssh_private_key_file: ~/.ssh/id_ed25519 +ansible_ssh_pass: "sT56NaFH" ssh_public_key: "{{lookup('file', '~/.ssh/id_ed25519.pub') }}" dns_server: "8.8.8.8" From 1529f8e7987bd7707b7c84927f85869cfc8aae0f Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 1 Feb 2022 08:08:29 +0100 Subject: [PATCH 007/334] fix: moved to different tunnel name --- apps/blog/ingress.yaml | 2 +- apps/dendrite/values.yaml | 2 +- apps/element/values.yaml | 2 +- external/cloudflared.tf | 36 ++++++++++++++++++++++++++++++++++++ 4 files changed, 39 insertions(+), 3 deletions(-) create mode 100644 external/cloudflared.tf diff --git a/apps/blog/ingress.yaml b/apps/blog/ingress.yaml index 8b579e5ca0..cc996d6da4 100644 --- a/apps/blog/ingress.yaml +++ b/apps/blog/ingress.yaml @@ -4,7 +4,7 @@ metadata: name: blog annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: homelab-tunnel.jupiter.mein.nl + external-dns.alpha.kubernetes.io/target: jupiter-tunnel.jupiter.mein.nl external-dns.alpha.kubernetes.io/cloudflare-proxied: 'true' spec: ingressClassName: nginx diff --git a/apps/dendrite/values.yaml b/apps/dendrite/values.yaml index c18942894b..fce9ab2590 100644 --- a/apps/dendrite/values.yaml +++ b/apps/dendrite/values.yaml @@ -48,7 +48,7 @@ dendrite: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: "homelab-tunnel.jupiter.mein.nl" + external-dns.alpha.kubernetes.io/target: "jupiter-tunnel.jupiter.mein.nl" external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" nginx.ingress.kubernetes.io/proxy-body-size: 32m hosts: diff --git a/apps/element/values.yaml b/apps/element/values.yaml index 4ee2f16c98..2056bc223e 100644 --- a/apps/element/values.yaml +++ b/apps/element/values.yaml 
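Review bot: `ansible_ssh_pass: "sT56NaFH"` commits the root SSH password in plaintext, next to `ansible_user: root`. Move the value into an ansible-vault encrypted variable (`ansible-vault encrypt_string`) or prompt for it with `--ask-pass`, and rotate the password on every host it was used for, since it is now in git history. Password login for root is also what the `ssh_public_key` line below is meant to replace, so once the key is deployed this variable can be removed entirely.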
@@ -4,7 +4,7 @@ elementweb: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: "homelab-tunnel.jupiter.mein.nl" + external-dns.alpha.kubernetes.io/target: "jupiter-tunnel.jupiter.mein.nl" external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" hosts: - host: &host chat.jupiter.mein.nl diff --git a/external/cloudflared.tf b/external/cloudflared.tf new file mode 100644 index 0000000000..674f308535 --- /dev/null +++ b/external/cloudflared.tf @@ -0,0 +1,36 @@ +resource "random_password" "tunnel_secret" { + length = 64 + special = false +} + +resource "cloudflare_argo_tunnel" "jupiter" { + account_id = var.cloudflare_account_id + name = "jk" + secret = base64encode(random_password.tunnel_secret.result) +} + +# Not proxied, not accessible. Just a record for auto-created CNAMEs by external-dns. +resource "cloudflare_record" "tunnel" { + zone_id = data.cloudflare_zone.mein_nl.id + type = "CNAME" + name = "jupiter-tunnel" + value = "${cloudflare_argo_tunnel.jupiter.id}.cfargotunnel.com" + proxied = false + ttl = 1 # Auto +} + +resource "kubernetes_secret" "cloudflared_credentials" { + metadata { + name = "cloudflared-credentials" + namespace = "cloudflared" + } + + data = { + "credentials.json" = jsonencode({ + AccountTag = var.cloudflare_account_id + TunnelName = cloudflare_argo_tunnel.jupiter.name + TunnelID = cloudflare_argo_tunnel.jupiter.id + TunnelSecret = base64encode(random_password.tunnel_secret.result) + }) + } +} From cb4b5c3ec43e5b0dd9d9281caf94d98795880558 Mon Sep 17 00:00:00 2001 
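Review bot: `random_password.tunnel_secret.result` and the `credentials.json` built from it in `kubernetes_secret.cloudflared_credentials` are both persisted in Terraform state, which the earlier `backend "local"` change keeps on disk and which this series has already committed once as `external/terraform.tfstate.backup`; the tunnel credential therefore has the same exposure path as the API tokens. Move state to a protected remote backend before applying this, and treat the existing backup file as a reason to rotate whatever it contains. The tunnel is named `"jk"` while the DNS record and the ingress annotations use `jupiter-tunnel`; using one name, or a comment such as `# tunnel name differs from the CNAME label on purpose`, would avoid confusion when the tunnel appears in the Cloudflare dashboard.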
From: Peter Mein Date: Tue, 1 Feb 2022 08:16:36 +0100 Subject: [PATCH 008/334] delete: moved blog, dendrite and upgrade to bin --- {apps => bin}/blog/deployment.yaml | 0 {apps => bin}/blog/ingress.yaml | 0 {apps => bin}/blog/kustomization.yaml | 0 {apps => bin}/blog/service.yaml | 0 {apps => bin}/dendrite/Chart.yaml | 0 {apps => bin}/dendrite/values.yaml | 0 {system => bin}/system-upgrade/k3s/agent.yaml | 0 {system => bin}/system-upgrade/k3s/kustomization.yaml | 0 {system => bin}/system-upgrade/k3s/server.yaml | 0 {system => bin}/system-upgrade/kustomization.yaml | 0 {system => bin}/system-upgrade/rocky-linux/kustomization.yaml | 0 {system => bin}/system-upgrade/rocky-linux/upgrade.yaml | 0 12 files changed, 0 insertions(+), 0 deletions(-) rename {apps => bin}/blog/deployment.yaml (100%) rename {apps => bin}/blog/ingress.yaml (100%) rename {apps => bin}/blog/kustomization.yaml (100%) rename {apps => bin}/blog/service.yaml (100%) rename {apps => bin}/dendrite/Chart.yaml (100%) rename {apps => bin}/dendrite/values.yaml (100%) rename {system => bin}/system-upgrade/k3s/agent.yaml (100%) rename {system => bin}/system-upgrade/k3s/kustomization.yaml (100%) rename {system => bin}/system-upgrade/k3s/server.yaml (100%) rename {system => bin}/system-upgrade/kustomization.yaml (100%) rename {system => bin}/system-upgrade/rocky-linux/kustomization.yaml (100%) rename {system => bin}/system-upgrade/rocky-linux/upgrade.yaml (100%) diff --git a/apps/blog/deployment.yaml b/bin/blog/deployment.yaml similarity index 100% rename from apps/blog/deployment.yaml rename to bin/blog/deployment.yaml diff --git a/apps/blog/ingress.yaml b/bin/blog/ingress.yaml similarity index 100% rename from apps/blog/ingress.yaml rename to bin/blog/ingress.yaml diff --git a/apps/blog/kustomization.yaml b/bin/blog/kustomization.yaml similarity index 100% rename from apps/blog/kustomization.yaml rename to bin/blog/kustomization.yaml 
diff --git a/apps/blog/service.yaml b/bin/blog/service.yaml similarity index 100% rename from apps/blog/service.yaml rename to bin/blog/service.yaml diff --git a/apps/dendrite/Chart.yaml b/bin/dendrite/Chart.yaml similarity index 100% rename from apps/dendrite/Chart.yaml rename to bin/dendrite/Chart.yaml diff --git a/apps/dendrite/values.yaml b/bin/dendrite/values.yaml similarity index 100% rename from apps/dendrite/values.yaml rename to bin/dendrite/values.yaml diff --git a/system/system-upgrade/k3s/agent.yaml b/bin/system-upgrade/k3s/agent.yaml similarity index 100% rename from system/system-upgrade/k3s/agent.yaml rename to bin/system-upgrade/k3s/agent.yaml diff --git a/system/system-upgrade/k3s/kustomization.yaml b/bin/system-upgrade/k3s/kustomization.yaml similarity index 100% rename from system/system-upgrade/k3s/kustomization.yaml rename to bin/system-upgrade/k3s/kustomization.yaml diff --git a/system/system-upgrade/k3s/server.yaml b/bin/system-upgrade/k3s/server.yaml similarity index 100% rename from system/system-upgrade/k3s/server.yaml rename to bin/system-upgrade/k3s/server.yaml diff --git a/system/system-upgrade/kustomization.yaml b/bin/system-upgrade/kustomization.yaml similarity index 100% rename from system/system-upgrade/kustomization.yaml rename to bin/system-upgrade/kustomization.yaml diff --git a/system/system-upgrade/rocky-linux/kustomization.yaml b/bin/system-upgrade/rocky-linux/kustomization.yaml similarity index 100% rename from system/system-upgrade/rocky-linux/kustomization.yaml rename to bin/system-upgrade/rocky-linux/kustomization.yaml diff --git a/system/system-upgrade/rocky-linux/upgrade.yaml b/bin/system-upgrade/rocky-linux/upgrade.yaml similarity index 100% rename from system/system-upgrade/rocky-linux/upgrade.yaml rename to bin/system-upgrade/rocky-linux/upgrade.yaml From b4639f4cb9bee14f535a8e10701c08130361e1e8 Mon Sep 17 00:00:00 2001 
From: Peter Mein Date: Tue, 1 Feb 2022 08:39:01 +0100 Subject: [PATCH 009/334] delete: moved cloudflared external-dns to bin --- {system => bin}/cloudflared/Chart.yaml | 0 {system => bin}/cloudflared/values.yaml | 0 {system => bin}/external-dns/Chart.yaml | 0 {system => bin}/external-dns/values.yaml | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename {system => bin}/cloudflared/Chart.yaml (100%) rename {system => bin}/cloudflared/values.yaml (100%) rename {system => bin}/external-dns/Chart.yaml (100%) rename {system => bin}/external-dns/values.yaml (100%) diff --git a/system/cloudflared/Chart.yaml b/bin/cloudflared/Chart.yaml similarity index 100% rename from system/cloudflared/Chart.yaml rename to bin/cloudflared/Chart.yaml diff --git a/system/cloudflared/values.yaml b/bin/cloudflared/values.yaml similarity index 100% rename from system/cloudflared/values.yaml rename to bin/cloudflared/values.yaml diff --git a/system/external-dns/Chart.yaml b/bin/external-dns/Chart.yaml similarity index 100% rename from system/external-dns/Chart.yaml rename to bin/external-dns/Chart.yaml diff --git a/system/external-dns/values.yaml b/bin/external-dns/values.yaml similarity index 100% rename from system/external-dns/values.yaml rename to bin/external-dns/values.yaml From df06de4cc1605d68eab9debd6d50061bea305d8f Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 1 Feb 2022 12:59:23 +0100 Subject: [PATCH 010/334] feat: updating longhorn values --- system/longhorn-system/values.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/system/longhorn-system/values.yaml b/system/longhorn-system/values.yaml index 3995ebffa3..610ad10559 100644 --- a/system/longhorn-system/values.yaml +++ b/system/longhorn-system/values.yaml 
@@ -4,3 +4,18 @@ longhorn: persistence: # If you have three or more nodes for storage, use 3; otherwise use 2 defaultClassReplicaCount: 1 # TODO run DR test to see if we actually need 3 + guaranteedEngineManagerCPU: 15 + guaranteedReplicaManagerCPU: 15 + replicaSoftAntiAffinity: true + +ingress: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - &host longhorn.jupiter.mein.nl + tls: + - secretName: longhorn-general-tls + hosts: + - *host \ No newline at end of file From 1dfa75516244673f1631f8c1300d24f64c485ef8 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 1 Feb 2022 23:54:47 +0100 Subject: [PATCH 011/334] fix: external-dns back again --- {bin => system}/external-dns/Chart.yaml | 0 {bin => system}/external-dns/values.yaml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename {bin => system}/external-dns/Chart.yaml (100%) rename {bin => system}/external-dns/values.yaml (100%) diff --git a/bin/external-dns/Chart.yaml b/system/external-dns/Chart.yaml similarity index 100% rename from bin/external-dns/Chart.yaml rename to system/external-dns/Chart.yaml diff --git a/bin/external-dns/values.yaml b/system/external-dns/values.yaml similarity index 100% rename from bin/external-dns/values.yaml rename to system/external-dns/values.yaml From f787b268af9b8dd4ed014568ac4bf05ba26d72cf Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 00:03:27 +0100 Subject: [PATCH 012/334] feat: new app privatebin --- apps/privatebin/Chart.yaml | 7 +++++++ apps/privatebin/values.yaml | 16 ++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 apps/privatebin/Chart.yaml create mode 100644 apps/privatebin/values.yaml diff --git a/apps/privatebin/Chart.yaml b/apps/privatebin/Chart.yaml new file mode 100644 index 0000000000..81b600777b --- /dev/null +++ b/apps/privatebin/Chart.yaml 
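Review bot: The new `ingress` block publishes the Longhorn UI at `longhorn.jupiter.mein.nl` with only a cert-manager annotation and no authentication; the Longhorn UI does not authenticate on its own and can create, delete and snapshot volumes, so anyone who can reach the hostname gets storage administration. Put an auth layer in front of it, e.g. `nginx.ingress.kubernetes.io/auth-type: basic` with `nginx.ingress.kubernetes.io/auth-secret: <basic-auth-secret>`, or forward-auth through the authentik deployment under `platform/authentik` if that is how other services here are protected. As the gitea and hajimari changes in this series do, add `external-dns.alpha.kubernetes.io/exclude: 'true'` if the record is not meant to be published. The file is also left without a trailing newline.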
@@ -0,0 +1,7 @@ +apiVersion: v2 +name: privatebin +version: 0.0.0 +dependencies: + - name: privatebin + version: 0.10.1 + repository: https://privatebin.github.io/helm-chart diff --git a/apps/privatebin/values.yaml b/apps/privatebin/values.yaml new file mode 100644 index 0000000000..f9a6ce7966 --- /dev/null +++ b/apps/privatebin/values.yaml @@ -0,0 +1,16 @@ +privatebin: + ingress: + main: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: &host privatebin.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: privatebin-tls-certificate + hosts: + - *host \ No newline at end of file From 20f7047da03cf4a1f7b05ca9d35eeb895a6d182e Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 00:09:28 +0100 Subject: [PATCH 013/334] fix: moved ingress up --- apps/privatebin/values.yaml | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/apps/privatebin/values.yaml b/apps/privatebin/values.yaml index f9a6ce7966..e0640c00ce 100644 --- a/apps/privatebin/values.yaml +++ b/apps/privatebin/values.yaml @@ -1,16 +1,15 @@ privatebin: ingress: - main: - enabled: true - ingressClassName: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - hosts: - - host: &host privatebin.jupiter.mein.nl - paths: - - path: / - pathType: Prefix - tls: - - secretName: privatebin-tls-certificate - hosts: - - *host \ No newline at end of file + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: &host privatebin.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: privatebin-tls-certificate + hosts: + - *host \ No newline at end of file From 2caa2376dadc3c6b92b1eaeca0fd8246f93ac5ca Mon Sep 17 00:00:00 2001 
From: Peter Mein Date: Wed, 2 Feb 2022 00:15:35 +0100 Subject: [PATCH 014/334] fix: test path --- apps/privatebin/values.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/apps/privatebin/values.yaml b/apps/privatebin/values.yaml index e0640c00ce..0722ed2c30 100644 --- a/apps/privatebin/values.yaml +++ b/apps/privatebin/values.yaml @@ -1,14 +1,11 @@ privatebin: ingress: enabled: true - ingressClassName: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - host: &host privatebin.jupiter.mein.nl - paths: - - path: / - pathType: Prefix + path: "/" tls: - secretName: privatebin-tls-certificate hosts: From 64032af12760580065cb21f96a71a3e3438a5946 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 00:19:54 +0100 Subject: [PATCH 015/334] fix: absolute path --- apps/privatebin/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/privatebin/values.yaml b/apps/privatebin/values.yaml index 0722ed2c30..d05ff0bfd1 100644 --- a/apps/privatebin/values.yaml +++ b/apps/privatebin/values.yaml @@ -5,7 +5,8 @@ privatebin: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - host: &host privatebin.jupiter.mein.nl - path: "/" + paths: + - / tls: - secretName: privatebin-tls-certificate hosts: From f71beb74c95bb79781eed4b825c3dc38606b84e2 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 00:22:36 +0100 Subject: [PATCH 016/334] fix: add ingress class nginx --- apps/privatebin/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/privatebin/values.yaml b/apps/privatebin/values.yaml index d05ff0bfd1..a4d01226e9 100644 --- a/apps/privatebin/values.yaml +++ b/apps/privatebin/values.yaml @@ -1,12 +1,13 @@ privatebin: ingress: enabled: true + ingressClassName: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - host: &host privatebin.jupiter.mein.nl paths: - - / + -gti ad / tls: - secretName: privatebin-tls-certificate hosts: 
From bbfcaafc079fa44e06ebe77f5d3233567ee780e2 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 00:24:32 +0100 Subject: [PATCH 017/334] fiix: type values --- apps/privatebin/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/privatebin/values.yaml b/apps/privatebin/values.yaml index a4d01226e9..5de5f05b37 100644 --- a/apps/privatebin/values.yaml +++ b/apps/privatebin/values.yaml @@ -7,7 +7,7 @@ privatebin: hosts: - host: &host privatebin.jupiter.mein.nl paths: - -gti ad / + - / tls: - secretName: privatebin-tls-certificate hosts: From 6d1eb5b45a39be032c00b2c63e3c65e5bb0269c3 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 00:29:36 +0100 Subject: [PATCH 018/334] feat: added className --- apps/privatebin/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/privatebin/values.yaml b/apps/privatebin/values.yaml index 5de5f05b37..eb1dc3fa2b 100644 --- a/apps/privatebin/values.yaml +++ b/apps/privatebin/values.yaml @@ -1,7 +1,7 @@ privatebin: ingress: enabled: true - ingressClassName: nginx + className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: From a9d150c0b66a006aa169c8a59487c61d04e92433 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 19:15:45 +0100 Subject: [PATCH 019/334] feat: added dex --- platform/dex/Chart.yaml | 8 ++ platform/dex/values.yaml | 232 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 240 insertions(+) create mode 100644 platform/dex/Chart.yaml create mode 100644 platform/dex/values.yaml diff --git a/platform/dex/Chart.yaml b/platform/dex/Chart.yaml new file mode 100644 index 0000000000..2cf89d3f15 --- /dev/null +++ b/platform/dex/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +name: dex +version: 0.6.5 +dependencies: + - name: gitea + version: 0.6.5 + repository: https://charts.dexidp.io + diff --git a/platform/dex/values.yaml b/platform/dex/values.yaml new file mode 100644 index 0000000000..ebefed79e4 
--- /dev/null +++ b/platform/dex/values.yaml 
@@ -0,0 +1,232 @@ +# Default values for dex. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Number of replicas (pods) to launch. +replicaCount: 1 + +image: + # -- Name of the image repository to pull the container image from. + repository: ghcr.io/dexidp/dex + + # -- [Image pull policy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) for updating already existing images on a node. + pullPolicy: IfNotPresent + + # -- Image tag override for the default value (chart appVersion). + tag: "" + +# -- Reference to one or more secrets to be used when [pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) (from private registries). +imagePullSecrets: [] + +# -- A name in place of the chart name for `app:` labels. +nameOverride: "" + +# -- A name to substitute for the full names of resources. +fullnameOverride: "" + +# -- A list of hosts and IPs that will be injected into the pod's hosts file if specified. +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hostname-and-name-resolution) +hostAliases: [] + +https: + # -- Enable the HTTPS endpoint. + enabled: false + +grpc: + # -- Enable the gRPC endpoint. + # Read more in the [documentation](https://dexidp.io/docs/api/). + enabled: false + +configSecret: + # -- Enable creating a secret from the values passed to `config`. + # If set to false, name must point to an existing secret. + create: true + + # -- The name of the secret to mount as configuration in the pod. + # If not set and create is true, a name is generated using the fullname template. + # Must point to secret that contains at least a `config.yaml` key. + name: "" + +# -- Application configuration. +# See the [official documentation](https://dexidp.io/docs/). 
+config: {} + +# -- Additional storage [volumes](https://kubernetes.io/docs/concepts/storage/volumes/). +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details. +volumes: [] + +# -- Additional [volume mounts](https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/). +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details. +volumeMounts: [] + +# -- Additional environment variables mounted from [secrets](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) or [config maps](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables). +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. +envFrom: [] + +# -- Additional environment variables passed directly to containers. +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. +env: {} + +# -- Similar to env but with support for all possible configurations. +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. +envVars: [] +# - name: SOME_ENV_VAR +# value: value +# - name: SOME_ENV_VAR2 +# valueFrom: +# secretKeyRef: +# name: secret-name +# key: secret-key +# - name: SOME_ENV_VAR3 +# valueFrom: +# configMapKeyRef: +# name: config-map-name +# key: config-map-key + +serviceAccount: + # -- Enable service account creation. + create: true + + # -- Annotations to be added to the service account. + annotations: {} + + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template. 
+ name: "" + +rbac: + # -- Specifies whether RBAC resources should be created. + # If disabled, the operator is responsible for creating the necessary resources based on the templates. + create: true + +# -- Annotations to be added to pods. +podAnnotations: {} + +podDisruptionBudget: + # -- Enable a [pod distruption budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) to help dealing with [disruptions](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/). + # It is **highly recommended** for webhooks as disruptions can prevent launching new pods. + enabled: false + + # -- (int/percentage) Number or percentage of pods that must remain available. + minAvailable: + + # -- (int/percentage) Number or percentage of pods that can be unavailable. + maxUnavailable: + +# -- Specify a priority class name to set [pod priority](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority). +priorityClassName: "" + +# -- Pod [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod). +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) for details. +podSecurityContext: {} + # fsGroup: 2000 + +# -- Container [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container). +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) for details. +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + # -- Annotations to be added to the service. + annotations: {} + + # -- Kubernetes [service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). 
+ type: ClusterIP + + # -- Internal cluster service IP (when applicable) + clusterIP: "" + + ports: + http: + # -- HTTP service port + port: 5556 + + # -- (int) HTTP node port (when applicable) + nodePort: + + https: + # -- HTTPS service port + port: 5554 + + # -- (int) HTTPS node port (when applicable) + nodePort: + + grpc: + # -- gRPC service port + port: 5557 + + # -- (int) gRPC node port (when applicable) + nodePort: + +ingress: + # -- Enable [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). + enabled: false + + # -- Ingress [class name](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class). + className: "nginx" + + # -- Annotations to be added to the ingress. + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + + # -- Ingress host configuration. + # @default -- See [values.yaml](values.yaml). + hosts: + - host: &host dex.jupiter.mein.nl + paths: + - path: / + pathType: ImplementationSpecific + + # -- Ingress TLS configuration. + # @default -- See [values.yaml](values.yaml). + tls: + - secretName: dex-tls-certificate + hosts: + - *host + +# -- Container resource [requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) for details. +# @default -- No requests or limits. +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +# -- Autoscaling configuration (see [values.yaml](values.yaml) for details). 
+# @default -- Disabled by default. +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# -- [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) configuration. +nodeSelector: {} + +# -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for node taints. +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details. +tolerations: [] + +# -- [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) configuration. +# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details. +affinity: {} + +# -- Deployment [strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) configuration. +strategy: {} + # rollingUpdate: + # maxUnavailable: 1 + # type: RollingUpdate \ No newline at end of file From 94d3ede17601935e6b50332bb61d88d2fd3ea9c5 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 19:25:06 +0100 Subject: [PATCH 020/334] fix: typo in dex --- platform/dex/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/dex/Chart.yaml b/platform/dex/Chart.yaml index 2cf89d3f15..1115030bbf 100644 --- a/platform/dex/Chart.yaml +++ b/platform/dex/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: dex version: 0.6.5 dependencies: - - name: gitea + - name: dex version: 0.6.5 repository: https://charts.dexidp.io From a885f409b421dea1d78c1b61268b48c46d15dfae Mon Sep 17 00:00:00 2001 
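Review bot: Every key in this new values file is at column 0 (`+replicaCount: 1`, `+ingress:`, `+securityContext: {}`, …), but platform/dex/Chart.yaml in this same patch declares the upstream dex chart as a dependency, and Helm only passes values to a dependency when they are nested under its name; as written the subchart keeps its own defaults and the ingress/TLS settings for `dex.jupiter.mein.nl` are never applied. Nest the whole file under a `dex:` root key, as apps/privatebin/values.yaml does with `privatebin:`. Also `ingress.enabled: false` is left in place even though hosts and tls are filled in, so even once nested no Ingress renders until that line reads `enabled: true`. The container hardening under `securityContext: {}` (`readOnlyRootFilesystem: true`, `runAsNonRoot: true`, capabilities drop `ALL`) is left commented out; since this pod holds the OIDC signing keys, consider enabling those three settings rather than keeping the empty default.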
From: Peter Mein Date: Wed, 2 Feb 2022 19:58:00 +0100 Subject: [PATCH 021/334] chore: start on integrating dex and authentik --- platform/dex/.gitignore | 1 + platform/dex/values.yaml | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 platform/dex/.gitignore diff --git a/platform/dex/.gitignore b/platform/dex/.gitignore new file mode 100644 index 0000000000..a539470003 --- /dev/null +++ b/platform/dex/.gitignore @@ -0,0 +1 @@ +config.yaml \ No newline at end of file diff --git a/platform/dex/values.yaml b/platform/dex/values.yaml index ebefed79e4..0fcc424cd5 100644 --- a/platform/dex/values.yaml +++ b/platform/dex/values.yaml @@ -40,12 +40,12 @@ grpc: configSecret: # -- Enable creating a secret from the values passed to `config`. # If set to false, name must point to an existing secret. - create: true + create: false # -- The name of the secret to mount as configuration in the pod. # If not set and create is true, a name is generated using the fullname template. # Must point to secret that contains at least a `config.yaml` key. - name: "" + name: "dex" # -- Application configuration. # See the [official documentation](https://dexidp.io/docs/). @@ -229,4 +229,4 @@ affinity: {} strategy: {} # rollingUpdate: # maxUnavailable: 1 - # type: RollingUpdate \ No newline at end of file + # type: RollingUpdate From db2c5bd82625ce08364ba7b6445cc22264a9b6d2 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 20:02:14 +0100 Subject: [PATCH 022/334] chore: renamed secret --- platform/dex/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/dex/values.yaml b/platform/dex/values.yaml index 0fcc424cd5..c52d9c1352 100644 --- a/platform/dex/values.yaml +++ b/platform/dex/values.yaml 
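Review bot: Setting `configSecret.create: false` together with `name: "dex"` makes the pod depend on a pre-existing Secret named `dex` that carries a `config.yaml` key, and nothing in this patch creates it; if it is missing the pod will sit in ContainerCreating on the unresolvable secret volume. The new `.gitignore` entry for `config.yaml` suggests the file is meant to be generated out of band, so document that next to the value, e.g. `name: "dex"  # Secret provisioned outside this chart (TODO: name the source); must contain config.yaml`. Both hunks of this commit are otherwise context-only changes to comments and the trailing newline.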
@@ -45,7 +45,7 @@ configSecret: # -- The name of the secret to mount as configuration in the pod. # If not set and create is true, a name is generated using the fullname template. # Must point to secret that contains at least a `config.yaml` key. - name: "dex" + name: "config" # -- Application configuration. # See the [official documentation](https://dexidp.io/docs/). From dbdac21500313c6ef7b27caee805143815528384 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 20:26:09 +0100 Subject: [PATCH 023/334] fix: wrong fields? --- platform/dex/values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/platform/dex/values.yaml b/platform/dex/values.yaml index c52d9c1352..5f5d48dd14 100644 --- a/platform/dex/values.yaml +++ b/platform/dex/values.yaml @@ -37,6 +37,8 @@ grpc: # Read more in the [documentation](https://dexidp.io/docs/api/). enabled: false +configSecretName: "config" + configSecret: # -- Enable creating a secret from the values passed to `config`. # If set to false, name must point to an existing secret. From 3fa3bbded9b1e4f87f1015c23ed306bd2f5edd28 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 20:31:03 +0100 Subject: [PATCH 024/334] chore: try next --- platform/dex/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/platform/dex/values.yaml b/platform/dex/values.yaml index 5f5d48dd14..ba9262143c 100644 --- a/platform/dex/values.yaml +++ b/platform/dex/values.yaml @@ -37,7 +37,8 @@ grpc: # Read more in the [documentation](https://dexidp.io/docs/api/). enabled: false -configSecretName: "config" +dex: + configSecretName: "config" configSecret: # -- Enable creating a secret from the values passed to `config`. From ed683a5bc96f1c344d47611f7581e52b89cf090a Mon Sep 17 00:00:00 2001 
From: Peter Mein Date: Wed, 2 Feb 2022 20:44:11 +0100 Subject: [PATCH 025/334] chore: added config to values --- platform/dex/values.yaml | 226 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 222 insertions(+), 4 deletions(-) diff --git a/platform/dex/values.yaml b/platform/dex/values.yaml index ba9262143c..4daca0f3b6 100644 --- a/platform/dex/values.yaml +++ b/platform/dex/values.yaml @@ -37,9 +37,6 @@ grpc: # Read more in the [documentation](https://dexidp.io/docs/api/). enabled: false -dex: - configSecretName: "config" - configSecret: # -- Enable creating a secret from the values passed to `config`. # If set to false, name must point to an existing secret. 
@@ -52,7 +49,228 @@ configSecret: # -- Application configuration. # See the [official documentation](https://dexidp.io/docs/). -config: {} +config: + # The base path of Dex and the external name of the OpenID Connect service. + # This is the canonical URL that all clients MUST use to refer to Dex. If a + # path is provided, Dex's HTTP service will listen at a non-root URL. + issuer: https://dex.jupiter.mein.nl + + # The storage configuration determines where Dex stores its state. + # Supported options include: + # - SQL flavors + # - key-value stores (eg. etcd) + # - Kubernetes Custom Resources + # + # See the documentation (https://dexidp.io/docs/storage/) for further information. + storage: + type: memory + + # type: sqlite3 + # config: + # file: /var/dex/dex.db + + # type: mysql + # config: + # host: 127.0.0.1 + # port: 3306 + # database: dex + # user: mysql + # password: mysql + # ssl: + # mode: "false" + + # type: postgres + # config: + # host: 127.0.0.1 + # port: 5432 + # database: dex + # user: postgres + # password: postgres + # ssl: + # mode: disable + + # type: etcd + # config: + # endpoints: + # - http://127.0.0.1:2379 + # namespace: dex/ + + # type: kubernetes + # config: + # kubeConfigFile: $HOME/.kube/config + + # HTTP service configuration + web: + http: 127.0.0.1:5556 + + # Uncomment to enable HTTPS endpoint. + # https: 127.0.0.1:5554 + # tlsCert: /etc/dex/tls.crt + # tlsKey: /etc/dex/tls.key + + # Dex UI configuration + # frontend: + # issuer: dex + # logoURL: theme/logo.png + # dir: "" + # theme: light + + # Telemetry configuration + # telemetry: + # http: 127.0.0.1:5558 + + # logger: + # level: "debug" + # format: "text" # can also be "json" + + # gRPC API configuration + # Uncomment this block to enable the gRPC API. + # See the documentation (https://dexidp.io/docs/api/) for further information. 
+ # grpc: + # addr: 127.0.0.1:5557 + # tlsCert: examples/grpc-client/server.crt + # tlsKey: examples/grpc-client/server.key + # tlsClientCA: examples/grpc-client/ca.crt + + # Expiration configuration for tokens, signing keys, etc. + # expiry: + # deviceRequests: "5m" + # signingKeys: "6h" + # idTokens: "24h" + + # OAuth2 configuration + # oauth2: + # # use ["code", "token", "id_token"] to enable implicit flow for web-only clients + # responseTypes: [ "code" ] # also allowed are "token" and "id_token" + # + # # By default, Dex will ask for approval to share data with application + # # (approval for sharing data from connected IdP to Dex is separate process on IdP) + # skipApprovalScreen: false + # + # # If only one authentication method is enabled, the default behavior is to + # # go directly to it. For connected IdPs, this redirects the browser away + # # from application to upstream provider such as the Google login page + # alwaysShowLoginScreen: false + # + # # Uncomment to use a specific connector for password grants + # passwordConnector: local + + # Static clients registered in Dex by default. + # + # Alternatively, clients may be added through the gRPC API. + # staticClients: + # - id: example-app + # redirectURIs: + # - 'http://127.0.0.1:5555/callback' + # name: 'Example App' + # secret: ZXhhbXBsZS1hcHAtc2VjcmV0 + + # Connectors are used to authenticate users agains upstream identity providers. + # + # See the documentation (https://dexidp.io/docs/connectors/) for further information. + # connectors: [] + + # Enable the password database. + # + # It's a "virtual" connector (identity provider) that stores + # login credentials in Dex's store. + enablePasswordDB: true + + # If this option isn't chosen users may be added through the gRPC API. + # A static list of passwords for the password connector. + # + # Alternatively, passwords my be added/updated through the gRPC API. 
+ # staticPasswords: [] + + connectors: + - type: oidc + id: authentik + name: Jupiter + config: + # Canonical URL of the provider, also used for configuration discovery. + # This value MUST match the value returned in the provider config discovery. + # + # See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig + issuer: https://authentik.jupiter.mein.nl + + # Connector config values starting with a "$" will read from the environment. + clientID: d27f287e32bb0126c2a18871d0fa1705c31b0bee + clientSecret: 1c2fd1b956809eb285530483869baf4a470076ce4915dfa05e731a8f9f49bbae8471b6fe219abdf863d3adfb7c804096124918c6300c22d048b199556813f94d + + # Dex's issuer URL + "/callback" + redirectURI: http://dex.jupiter.mein.nl/callback + + + # Some providers require passing client_secret via POST parameters instead + # of basic auth, despite the OAuth2 RFC discouraging it. Many of these + # cases are caught internally, but some may need to uncomment the + # following field. + # + # basicAuthUnsupported: true + + # Google supports whitelisting allowed domains when using G Suite + # (Google Apps). The following field can be set to a list of domains + # that can log in: + # + # hostedDomains: + # - example.com + + # List of additional scopes to request in token response + # Default is profile and email + # Full list at https://dexidp.io/docs/custom-scopes-claims-clients/ + # scopes: + # - profile + # - email + # - groups + + # Some providers return claims without "email_verified", when they had no usage of emails verification in enrollment process + # or if they are acting as a proxy for another IDP etc AWS Cognito with an upstream SAML IDP + # This can be overridden with the below option + # insecureSkipEmailVerified: true + + # Groups claims (like the rest of oidc claims through dex) only refresh when the id token is refreshed + # meaning the regular refresh flow doesn't update the groups claim. 
As such by default the oidc connector + # doesn't allow groups claims. If you are okay with having potentially stale group claims you can use + # this option to enable groups claims through the oidc connector on a per-connector basis. + # This can be overridden with the below option + # insecureEnableGroups: true + + # When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims + # take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain + # all the claims requested. + # https://openid.net/specs/openid-connect-core-1_0.html#UserInfo + # getUserInfo: true + + # The set claim is used as user id. + # Claims list at https://openid.net/specs/openid-connect-core-1_0.html#Claims + # Default: sub + # userIDKey: nickname + + # The set claim is used as user name. + # Default: name + # userNameKey: nickname + + # For offline_access, the prompt parameter is set by default to "prompt=consent". + # However this is not supported by all OIDC providers, some of them support different + # value for prompt, like "prompt=login" or "prompt=none" + # promptType: consent + + # Some providers return non-standard claims (eg. mail). + # Use claimMapping to map those claims to standard claims: + # https://openid.net/specs/openid-connect-core-1_0.html#Claims + # claimMapping can only map a non-standard claim to a standard one if it's not returned in the id_token. + claimMapping: + # The set claim is used as preferred username. + # Default: preferred_username + # preferred_username: other_user_name + + # The set claim is used as email. + # Default: email + # email: mail + + # The set claim is used as groups. + # Default: groups + # groups: "cognito:groups" # -- Additional storage [volumes](https://kubernetes.io/docs/concepts/storage/volumes/). # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details. 
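Review bot: The authentik OIDC `clientSecret` (and `clientID`) under `connectors[0].config` are committed in plaintext in this hunk, in a values file tracked in git, even though the `.gitignore` for `config.yaml` added in PATCH 021 and `configSecret.create: false` show the intent was to keep the Dex config out of the repo. Treat the committed secret as exposed and rotate it in authentik, then keep the new value out of the file using the mechanism the hunk's own comment describes: `clientSecret: $AUTHENTIK_CLIENT_SECRET` (placeholder variable name) with the variable injected via `envFrom` from a Secret, or leave it solely in the externally provisioned config Secret. `redirectURI: http://dex.jupiter.mein.nl/callback` uses plain HTTP while `issuer` is `https://dex.jupiter.mein.nl`; the callback must be `https://dex.jupiter.mein.nl/callback` to match the TLS ingress, otherwise the authorization code is returned over cleartext and the URI will not match what authentik has registered. `web.http: 127.0.0.1:5556` binds the listener to the pod's loopback only, so the Service on port 5556 and the probes cannot reach it; bind a non-loopback address such as `0.0.0.0:5556`. Finally, unless `configSecret.create` was flipped back to `true` outside this hunk, the chart still mounts the existing Secret named `config` and this entire inline `config:` block (including the leaked secret) is never used, so the exposure buys nothing; enclosing file and `config:` mapping continue past the hunk.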
From 8863cce61e717d200f3f33665b024e314f1376e2 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 20:49:16 +0100 Subject: [PATCH 026/334] chore: again --- platform/dex/values.yaml | 907 ++++++++++++++++++++------------------- 1 file changed, 454 insertions(+), 453 deletions(-) diff --git a/platform/dex/values.yaml b/platform/dex/values.yaml index 4daca0f3b6..f92634d08c 100644 --- a/platform/dex/values.yaml +++ b/platform/dex/values.yaml 
@@ -1,453 +1,454 @@ -# Default values for dex. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# -- Number of replicas (pods) to launch. -replicaCount: 1 - -image: - # -- Name of the image repository to pull the container image from. - repository: ghcr.io/dexidp/dex - - # -- [Image pull policy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) for updating already existing images on a node. - pullPolicy: IfNotPresent - - # -- Image tag override for the default value (chart appVersion). - tag: "" - -# -- Reference to one or more secrets to be used when [pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) (from private registries). -imagePullSecrets: [] - -# -- A name in place of the chart name for `app:` labels. -nameOverride: "" - -# -- A name to substitute for the full names of resources. -fullnameOverride: "" - -# -- A list of hosts and IPs that will be injected into the pod's hosts file if specified. -# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hostname-and-name-resolution) -hostAliases: [] - -https: - # -- Enable the HTTPS endpoint. - enabled: false - -grpc: - # -- Enable the gRPC endpoint. - # Read more in the [documentation](https://dexidp.io/docs/api/). - enabled: false - -configSecret: - # -- Enable creating a secret from the values passed to `config`. - # If set to false, name must point to an existing secret. - create: false - - # -- The name of the secret to mount as configuration in the pod. - # If not set and create is true, a name is generated using the fullname template. - # Must point to secret that contains at least a `config.yaml` key. - name: "config" - -# -- Application configuration. -# See the [official documentation](https://dexidp.io/docs/). -config: - # The base path of Dex and the external name of the OpenID Connect service. 
- # This is the canonical URL that all clients MUST use to refer to Dex. If a - # path is provided, Dex's HTTP service will listen at a non-root URL. - issuer: https://dex.jupiter.mein.nl - - # The storage configuration determines where Dex stores its state. - # Supported options include: - # - SQL flavors - # - key-value stores (eg. etcd) - # - Kubernetes Custom Resources - # - # See the documentation (https://dexidp.io/docs/storage/) for further information. - storage: - type: memory - - # type: sqlite3 - # config: - # file: /var/dex/dex.db - - # type: mysql - # config: - # host: 127.0.0.1 - # port: 3306 - # database: dex - # user: mysql - # password: mysql - # ssl: - # mode: "false" - - # type: postgres - # config: - # host: 127.0.0.1 - # port: 5432 - # database: dex - # user: postgres - # password: postgres - # ssl: - # mode: disable - - # type: etcd - # config: - # endpoints: - # - http://127.0.0.1:2379 - # namespace: dex/ - - # type: kubernetes - # config: - # kubeConfigFile: $HOME/.kube/config - - # HTTP service configuration - web: - http: 127.0.0.1:5556 - - # Uncomment to enable HTTPS endpoint. - # https: 127.0.0.1:5554 - # tlsCert: /etc/dex/tls.crt - # tlsKey: /etc/dex/tls.key - - # Dex UI configuration - # frontend: - # issuer: dex - # logoURL: theme/logo.png - # dir: "" - # theme: light - - # Telemetry configuration - # telemetry: - # http: 127.0.0.1:5558 - - # logger: - # level: "debug" - # format: "text" # can also be "json" - - # gRPC API configuration - # Uncomment this block to enable the gRPC API. - # See the documentation (https://dexidp.io/docs/api/) for further information. - # grpc: - # addr: 127.0.0.1:5557 - # tlsCert: examples/grpc-client/server.crt - # tlsKey: examples/grpc-client/server.key - # tlsClientCA: examples/grpc-client/ca.crt - - # Expiration configuration for tokens, signing keys, etc. 
- # expiry: - # deviceRequests: "5m" - # signingKeys: "6h" - # idTokens: "24h" - - # OAuth2 configuration - # oauth2: - # # use ["code", "token", "id_token"] to enable implicit flow for web-only clients - # responseTypes: [ "code" ] # also allowed are "token" and "id_token" - # - # # By default, Dex will ask for approval to share data with application - # # (approval for sharing data from connected IdP to Dex is separate process on IdP) - # skipApprovalScreen: false - # - # # If only one authentication method is enabled, the default behavior is to - # # go directly to it. For connected IdPs, this redirects the browser away - # # from application to upstream provider such as the Google login page - # alwaysShowLoginScreen: false - # - # # Uncomment to use a specific connector for password grants - # passwordConnector: local - - # Static clients registered in Dex by default. - # - # Alternatively, clients may be added through the gRPC API. - # staticClients: - # - id: example-app - # redirectURIs: - # - 'http://127.0.0.1:5555/callback' - # name: 'Example App' - # secret: ZXhhbXBsZS1hcHAtc2VjcmV0 - - # Connectors are used to authenticate users agains upstream identity providers. - # - # See the documentation (https://dexidp.io/docs/connectors/) for further information. - # connectors: [] - - # Enable the password database. - # - # It's a "virtual" connector (identity provider) that stores - # login credentials in Dex's store. - enablePasswordDB: true - - # If this option isn't chosen users may be added through the gRPC API. - # A static list of passwords for the password connector. - # - # Alternatively, passwords my be added/updated through the gRPC API. - # staticPasswords: [] - - connectors: - - type: oidc - id: authentik - name: Jupiter - config: - # Canonical URL of the provider, also used for configuration discovery. - # This value MUST match the value returned in the provider config discovery. 
- # - # See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig - issuer: https://authentik.jupiter.mein.nl - - # Connector config values starting with a "$" will read from the environment. - clientID: d27f287e32bb0126c2a18871d0fa1705c31b0bee - clientSecret: 1c2fd1b956809eb285530483869baf4a470076ce4915dfa05e731a8f9f49bbae8471b6fe219abdf863d3adfb7c804096124918c6300c22d048b199556813f94d - - # Dex's issuer URL + "/callback" - redirectURI: http://dex.jupiter.mein.nl/callback - - - # Some providers require passing client_secret via POST parameters instead - # of basic auth, despite the OAuth2 RFC discouraging it. Many of these - # cases are caught internally, but some may need to uncomment the - # following field. - # - # basicAuthUnsupported: true - - # Google supports whitelisting allowed domains when using G Suite - # (Google Apps). The following field can be set to a list of domains - # that can log in: - # - # hostedDomains: - # - example.com - - # List of additional scopes to request in token response - # Default is profile and email - # Full list at https://dexidp.io/docs/custom-scopes-claims-clients/ - # scopes: - # - profile - # - email - # - groups - - # Some providers return claims without "email_verified", when they had no usage of emails verification in enrollment process - # or if they are acting as a proxy for another IDP etc AWS Cognito with an upstream SAML IDP - # This can be overridden with the below option - # insecureSkipEmailVerified: true - - # Groups claims (like the rest of oidc claims through dex) only refresh when the id token is refreshed - # meaning the regular refresh flow doesn't update the groups claim. As such by default the oidc connector - # doesn't allow groups claims. If you are okay with having potentially stale group claims you can use - # this option to enable groups claims through the oidc connector on a per-connector basis. 
- # This can be overridden with the below option - # insecureEnableGroups: true - - # When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims - # take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain - # all the claims requested. - # https://openid.net/specs/openid-connect-core-1_0.html#UserInfo - # getUserInfo: true - - # The set claim is used as user id. - # Claims list at https://openid.net/specs/openid-connect-core-1_0.html#Claims - # Default: sub - # userIDKey: nickname - - # The set claim is used as user name. - # Default: name - # userNameKey: nickname - - # For offline_access, the prompt parameter is set by default to "prompt=consent". - # However this is not supported by all OIDC providers, some of them support different - # value for prompt, like "prompt=login" or "prompt=none" - # promptType: consent - - # Some providers return non-standard claims (eg. mail). - # Use claimMapping to map those claims to standard claims: - # https://openid.net/specs/openid-connect-core-1_0.html#Claims - # claimMapping can only map a non-standard claim to a standard one if it's not returned in the id_token. - claimMapping: - # The set claim is used as preferred username. - # Default: preferred_username - # preferred_username: other_user_name - - # The set claim is used as email. - # Default: email - # email: mail - - # The set claim is used as groups. - # Default: groups - # groups: "cognito:groups" - -# -- Additional storage [volumes](https://kubernetes.io/docs/concepts/storage/volumes/). -# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details. -volumes: [] - -# -- Additional [volume mounts](https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/). 
-# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details. -volumeMounts: [] - -# -- Additional environment variables mounted from [secrets](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) or [config maps](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables). -# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. -envFrom: [] - -# -- Additional environment variables passed directly to containers. -# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. -env: {} - -# -- Similar to env but with support for all possible configurations. -# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. -envVars: [] -# - name: SOME_ENV_VAR -# value: value -# - name: SOME_ENV_VAR2 -# valueFrom: -# secretKeyRef: -# name: secret-name -# key: secret-key -# - name: SOME_ENV_VAR3 -# valueFrom: -# configMapKeyRef: -# name: config-map-name -# key: config-map-key - -serviceAccount: - # -- Enable service account creation. - create: true - - # -- Annotations to be added to the service account. - annotations: {} - - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template. - name: "" - -rbac: - # -- Specifies whether RBAC resources should be created. - # If disabled, the operator is responsible for creating the necessary resources based on the templates. - create: true - -# -- Annotations to be added to pods. 
-podAnnotations: {} - -podDisruptionBudget: - # -- Enable a [pod distruption budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) to help dealing with [disruptions](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/). - # It is **highly recommended** for webhooks as disruptions can prevent launching new pods. - enabled: false - - # -- (int/percentage) Number or percentage of pods that must remain available. - minAvailable: - - # -- (int/percentage) Number or percentage of pods that can be unavailable. - maxUnavailable: - -# -- Specify a priority class name to set [pod priority](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority). -priorityClassName: "" - -# -- Pod [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod). -# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) for details. -podSecurityContext: {} - # fsGroup: 2000 - -# -- Container [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container). -# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) for details. -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -service: - # -- Annotations to be added to the service. - annotations: {} - - # -- Kubernetes [service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). 
- type: ClusterIP - - # -- Internal cluster service IP (when applicable) - clusterIP: "" - - ports: - http: - # -- HTTP service port - port: 5556 - - # -- (int) HTTP node port (when applicable) - nodePort: - - https: - # -- HTTPS service port - port: 5554 - - # -- (int) HTTPS node port (when applicable) - nodePort: - - grpc: - # -- gRPC service port - port: 5557 - - # -- (int) gRPC node port (when applicable) - nodePort: - -ingress: - # -- Enable [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). - enabled: false - - # -- Ingress [class name](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class). - className: "nginx" - - # -- Annotations to be added to the ingress. - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - - # -- Ingress host configuration. - # @default -- See [values.yaml](values.yaml). - hosts: - - host: &host dex.jupiter.mein.nl - paths: - - path: / - pathType: ImplementationSpecific - - # -- Ingress TLS configuration. - # @default -- See [values.yaml](values.yaml). - tls: - - secretName: dex-tls-certificate - hosts: - - *host - -# -- Container resource [requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). -# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) for details. -# @default -- No requests or limits. -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -# -- Autoscaling configuration (see [values.yaml](values.yaml) for details). 
-# @default -- Disabled by default. -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -# -- [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) configuration. -nodeSelector: {} - -# -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for node taints. -# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details. -tolerations: [] - -# -- [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) configuration. -# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details. -affinity: {} - -# -- Deployment [strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) configuration. -strategy: {} - # rollingUpdate: - # maxUnavailable: 1 - # type: RollingUpdate +dex: + # Default values for dex. + # This is a YAML-formatted file. + # Declare variables to be passed into your templates. + + # -- Number of replicas (pods) to launch. + replicaCount: 1 + + image: + # -- Name of the image repository to pull the container image from. + repository: ghcr.io/dexidp/dex + + # -- [Image pull policy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) for updating already existing images on a node. + pullPolicy: IfNotPresent + + # -- Image tag override for the default value (chart appVersion). + tag: "" + + # -- Reference to one or more secrets to be used when [pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) (from private registries). + imagePullSecrets: [] + + # -- A name in place of the chart name for `app:` labels. 
+ nameOverride: "" + + # -- A name to substitute for the full names of resources. + fullnameOverride: "" + + # -- A list of hosts and IPs that will be injected into the pod's hosts file if specified. + # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hostname-and-name-resolution) + hostAliases: [] + + https: + # -- Enable the HTTPS endpoint. + enabled: false + + grpc: + # -- Enable the gRPC endpoint. + # Read more in the [documentation](https://dexidp.io/docs/api/). + enabled: false + + configSecret: + # -- Enable creating a secret from the values passed to `config`. + # If set to false, name must point to an existing secret. + create: false + + # -- The name of the secret to mount as configuration in the pod. + # If not set and create is true, a name is generated using the fullname template. + # Must point to secret that contains at least a `config.yaml` key. + name: "config" + + # -- Application configuration. + # See the [official documentation](https://dexidp.io/docs/). + config: + # The base path of Dex and the external name of the OpenID Connect service. + # This is the canonical URL that all clients MUST use to refer to Dex. If a + # path is provided, Dex's HTTP service will listen at a non-root URL. + issuer: https://dex.jupiter.mein.nl + + # The storage configuration determines where Dex stores its state. + # Supported options include: + # - SQL flavors + # - key-value stores (eg. etcd) + # - Kubernetes Custom Resources + # + # See the documentation (https://dexidp.io/docs/storage/) for further information. 
+ storage: + type: memory + + # type: sqlite3 + # config: + # file: /var/dex/dex.db + + # type: mysql + # config: + # host: 127.0.0.1 + # port: 3306 + # database: dex + # user: mysql + # password: mysql + # ssl: + # mode: "false" + + # type: postgres + # config: + # host: 127.0.0.1 + # port: 5432 + # database: dex + # user: postgres + # password: postgres + # ssl: + # mode: disable + + # type: etcd + # config: + # endpoints: + # - http://127.0.0.1:2379 + # namespace: dex/ + + # type: kubernetes + # config: + # kubeConfigFile: $HOME/.kube/config + + # HTTP service configuration + web: + http: 127.0.0.1:5556 + + # Uncomment to enable HTTPS endpoint. + # https: 127.0.0.1:5554 + # tlsCert: /etc/dex/tls.crt + # tlsKey: /etc/dex/tls.key + + # Dex UI configuration + # frontend: + # issuer: dex + # logoURL: theme/logo.png + # dir: "" + # theme: light + + # Telemetry configuration + # telemetry: + # http: 127.0.0.1:5558 + + # logger: + # level: "debug" + # format: "text" # can also be "json" + + # gRPC API configuration + # Uncomment this block to enable the gRPC API. + # See the documentation (https://dexidp.io/docs/api/) for further information. + # grpc: + # addr: 127.0.0.1:5557 + # tlsCert: examples/grpc-client/server.crt + # tlsKey: examples/grpc-client/server.key + # tlsClientCA: examples/grpc-client/ca.crt + + # Expiration configuration for tokens, signing keys, etc. + # expiry: + # deviceRequests: "5m" + # signingKeys: "6h" + # idTokens: "24h" + + # OAuth2 configuration + # oauth2: + # # use ["code", "token", "id_token"] to enable implicit flow for web-only clients + # responseTypes: [ "code" ] # also allowed are "token" and "id_token" + # + # # By default, Dex will ask for approval to share data with application + # # (approval for sharing data from connected IdP to Dex is separate process on IdP) + # skipApprovalScreen: false + # + # # If only one authentication method is enabled, the default behavior is to + # # go directly to it. 
For connected IdPs, this redirects the browser away + # # from application to upstream provider such as the Google login page + # alwaysShowLoginScreen: false + # + # # Uncomment to use a specific connector for password grants + # passwordConnector: local + + # Static clients registered in Dex by default. + # + # Alternatively, clients may be added through the gRPC API. + # staticClients: + # - id: example-app + # redirectURIs: + # - 'http://127.0.0.1:5555/callback' + # name: 'Example App' + # secret: ZXhhbXBsZS1hcHAtc2VjcmV0 + + # Connectors are used to authenticate users agains upstream identity providers. + # + # See the documentation (https://dexidp.io/docs/connectors/) for further information. + # connectors: [] + + # Enable the password database. + # + # It's a "virtual" connector (identity provider) that stores + # login credentials in Dex's store. + enablePasswordDB: true + + # If this option isn't chosen users may be added through the gRPC API. + # A static list of passwords for the password connector. + # + # Alternatively, passwords my be added/updated through the gRPC API. + # staticPasswords: [] + + connectors: + - type: oidc + id: authentik + name: Jupiter + config: + # Canonical URL of the provider, also used for configuration discovery. + # This value MUST match the value returned in the provider config discovery. + # + # See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig + issuer: https://authentik.jupiter.mein.nl + + # Connector config values starting with a "$" will read from the environment. + clientID: d27f287e32bb0126c2a18871d0fa1705c31b0bee + clientSecret: 1c2fd1b956809eb285530483869baf4a470076ce4915dfa05e731a8f9f49bbae8471b6fe219abdf863d3adfb7c804096124918c6300c22d048b199556813f94d + + # Dex's issuer URL + "/callback" + redirectURI: http://dex.jupiter.mein.nl/callback + + + # Some providers require passing client_secret via POST parameters instead + # of basic auth, despite the OAuth2 RFC discouraging it. 
Many of these + # cases are caught internally, but some may need to uncomment the + # following field. + # + # basicAuthUnsupported: true + + # Google supports whitelisting allowed domains when using G Suite + # (Google Apps). The following field can be set to a list of domains + # that can log in: + # + # hostedDomains: + # - example.com + + # List of additional scopes to request in token response + # Default is profile and email + # Full list at https://dexidp.io/docs/custom-scopes-claims-clients/ + # scopes: + # - profile + # - email + # - groups + + # Some providers return claims without "email_verified", when they had no usage of emails verification in enrollment process + # or if they are acting as a proxy for another IDP etc AWS Cognito with an upstream SAML IDP + # This can be overridden with the below option + # insecureSkipEmailVerified: true + + # Groups claims (like the rest of oidc claims through dex) only refresh when the id token is refreshed + # meaning the regular refresh flow doesn't update the groups claim. As such by default the oidc connector + # doesn't allow groups claims. If you are okay with having potentially stale group claims you can use + # this option to enable groups claims through the oidc connector on a per-connector basis. + # This can be overridden with the below option + # insecureEnableGroups: true + + # When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims + # take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain + # all the claims requested. + # https://openid.net/specs/openid-connect-core-1_0.html#UserInfo + # getUserInfo: true + + # The set claim is used as user id. + # Claims list at https://openid.net/specs/openid-connect-core-1_0.html#Claims + # Default: sub + # userIDKey: nickname + + # The set claim is used as user name. 
+ # Default: name + # userNameKey: nickname + + # For offline_access, the prompt parameter is set by default to "prompt=consent". + # However this is not supported by all OIDC providers, some of them support different + # value for prompt, like "prompt=login" or "prompt=none" + # promptType: consent + + # Some providers return non-standard claims (eg. mail). + # Use claimMapping to map those claims to standard claims: + # https://openid.net/specs/openid-connect-core-1_0.html#Claims + # claimMapping can only map a non-standard claim to a standard one if it's not returned in the id_token. + claimMapping: + # The set claim is used as preferred username. + # Default: preferred_username + # preferred_username: other_user_name + + # The set claim is used as email. + # Default: email + # email: mail + + # The set claim is used as groups. + # Default: groups + # groups: "cognito:groups" + + # -- Additional storage [volumes](https://kubernetes.io/docs/concepts/storage/volumes/). + # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details. + volumes: [] + + # -- Additional [volume mounts](https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/). + # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details. + volumeMounts: [] + + # -- Additional environment variables mounted from [secrets](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) or [config maps](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables). + # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. + envFrom: [] + + # -- Additional environment variables passed directly to containers. 
+ # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. + env: {} + + # -- Similar to env but with support for all possible configurations. + # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. + envVars: [] + # - name: SOME_ENV_VAR + # value: value + # - name: SOME_ENV_VAR2 + # valueFrom: + # secretKeyRef: + # name: secret-name + # key: secret-key + # - name: SOME_ENV_VAR3 + # valueFrom: + # configMapKeyRef: + # name: config-map-name + # key: config-map-key + + serviceAccount: + # -- Enable service account creation. + create: true + + # -- Annotations to be added to the service account. + annotations: {} + + # -- The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" + + rbac: + # -- Specifies whether RBAC resources should be created. + # If disabled, the operator is responsible for creating the necessary resources based on the templates. + create: true + + # -- Annotations to be added to pods. + podAnnotations: {} + + podDisruptionBudget: + # -- Enable a [pod distruption budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) to help dealing with [disruptions](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/). + # It is **highly recommended** for webhooks as disruptions can prevent launching new pods. + enabled: false + + # -- (int/percentage) Number or percentage of pods that must remain available. + minAvailable: + + # -- (int/percentage) Number or percentage of pods that can be unavailable. + maxUnavailable: + + # -- Specify a priority class name to set [pod priority](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority). 
+ priorityClassName: "" + + # -- Pod [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod). + # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) for details. + podSecurityContext: {} + # fsGroup: 2000 + + # -- Container [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container). + # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) for details. + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + service: + # -- Annotations to be added to the service. + annotations: {} + + # -- Kubernetes [service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). + type: ClusterIP + + # -- Internal cluster service IP (when applicable) + clusterIP: "" + + ports: + http: + # -- HTTP service port + port: 5556 + + # -- (int) HTTP node port (when applicable) + nodePort: + + https: + # -- HTTPS service port + port: 5554 + + # -- (int) HTTPS node port (when applicable) + nodePort: + + grpc: + # -- gRPC service port + port: 5557 + + # -- (int) gRPC node port (when applicable) + nodePort: + + ingress: + # -- Enable [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). + enabled: false + + # -- Ingress [class name](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class). + className: "nginx" + + # -- Annotations to be added to the ingress. + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + + # -- Ingress host configuration. + # @default -- See [values.yaml](values.yaml). 
+ hosts: + - host: &host dex.jupiter.mein.nl + paths: + - path: / + pathType: ImplementationSpecific + + # -- Ingress TLS configuration. + # @default -- See [values.yaml](values.yaml). + tls: + - secretName: dex-tls-certificate + hosts: + - *host + + # -- Container resource [requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) for details. + # @default -- No requests or limits. + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + # -- Autoscaling configuration (see [values.yaml](values.yaml) for details). + # @default -- Disabled by default. + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + # -- [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) configuration. + nodeSelector: {} + + # -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for node taints. + # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details. + tolerations: [] + + # -- [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) configuration. + # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details. 
+ affinity: {} + + # -- Deployment [strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) configuration. + strategy: {} + # rollingUpdate: + # maxUnavailable: 1 + # type: RollingUpdate From f096bac313ef725900506721af21ccaee39ca548 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 20:52:46 +0100 Subject: [PATCH 027/334] chore: new url --- platform/dex/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/dex/values.yaml b/platform/dex/values.yaml index f92634d08c..6b1f3d0127 100644 --- a/platform/dex/values.yaml +++ b/platform/dex/values.yaml @@ -192,7 +192,7 @@ dex: # This value MUST match the value returned in the provider config discovery. # # See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig - issuer: https://authentik.jupiter.mein.nl + issuer: https://authentik.jupiter.mein.nl/application/o/dex/ # Connector config values starting with a "$" will read from the environment. clientID: d27f287e32bb0126c2a18871d0fa1705c31b0bee From 76b5b16b92f78dc1629fff479d0c1f3361c7df62 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 20:54:23 +0100 Subject: [PATCH 028/334] chore: removed config --- platform/dex/values.yaml | 223 +-------------------------------------- 1 file changed, 1 insertion(+), 222 deletions(-) diff --git a/platform/dex/values.yaml b/platform/dex/values.yaml index 6b1f3d0127..905617ca16 100644 --- a/platform/dex/values.yaml +++ b/platform/dex/values.yaml 
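Review bot: The authentik connector's client secret is committed in plaintext on the new side of this hunk (`clientSecret: 1c2fd1b9…` under `connectors[0].config`, next to the real `clientID`); a git-tracked values file is not a secret store, and the comment directly above it already says that values starting with `$` are read from the environment. Change it to `clientSecret: $AUTHENTIK_CLIENT_SECRET`, supply the variable from a Kubernetes Secret through the chart's `envFrom`/`envVars` (or put the whole `config` into the secret that `configSecret.name: config` already references), and rotate the secret in authentik since it is now in history. Separately, `redirectURI: http://dex.jupiter.mein.nl/callback` is plain HTTP while `issuer` is `https://dex.jupiter.mein.nl`; the comment says it must be the issuer URL plus `/callback`, so it should be `redirectURI: https://dex.jupiter.mein.nl/callback`. Note too that `storage.type: memory` means whatever state Dex keeps (presumably signing keys and sessions) is lost on every pod restart, which may be acceptable for a lab but deserves a comment saying so.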
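Review bot: The new `issuer` value ends with a trailing slash (`https://authentik.jupiter.mein.nl/application/o/dex/`); the comment two lines above says it MUST match the issuer returned by provider discovery, and that match is presumably exact, so a slash mismatch would break discovery and token validation outright rather than degrade gracefully. Verify it against the `issuer` field of `https://authentik.jupiter.mein.nl/application/o/dex/.well-known/openid-configuration` and pin the result with a comment such as `# Must equal the "issuer" field of authentik's discovery document verbatim, including the trailing slash`. The `clientID` context line also shows the connector's credentials are still literals in this file; the connector block continues outside the hunk.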
@@ -50,228 +50,7 @@ dex: # -- Application configuration. # See the [official documentation](https://dexidp.io/docs/). - config: - # The base path of Dex and the external name of the OpenID Connect service. - # This is the canonical URL that all clients MUST use to refer to Dex. If a - # path is provided, Dex's HTTP service will listen at a non-root URL. - issuer: https://dex.jupiter.mein.nl - - # The storage configuration determines where Dex stores its state. - # Supported options include: - # - SQL flavors - # - key-value stores (eg. etcd) - # - Kubernetes Custom Resources - # - # See the documentation (https://dexidp.io/docs/storage/) for further information. - storage: - type: memory - - # type: sqlite3 - # config: - # file: /var/dex/dex.db - - # type: mysql - # config: - # host: 127.0.0.1 - # port: 3306 - # database: dex - # user: mysql - # password: mysql - # ssl: - # mode: "false" - - # type: postgres - # config: - # host: 127.0.0.1 - # port: 5432 - # database: dex - # user: postgres - # password: postgres - # ssl: - # mode: disable - - # type: etcd - # config: - # endpoints: - # - http://127.0.0.1:2379 - # namespace: dex/ - - # type: kubernetes - # config: - # kubeConfigFile: $HOME/.kube/config - - # HTTP service configuration - web: - http: 127.0.0.1:5556 - - # Uncomment to enable HTTPS endpoint. - # https: 127.0.0.1:5554 - # tlsCert: /etc/dex/tls.crt - # tlsKey: /etc/dex/tls.key - - # Dex UI configuration - # frontend: - # issuer: dex - # logoURL: theme/logo.png - # dir: "" - # theme: light - - # Telemetry configuration - # telemetry: - # http: 127.0.0.1:5558 - - # logger: - # level: "debug" - # format: "text" # can also be "json" - - # gRPC API configuration - # Uncomment this block to enable the gRPC API. - # See the documentation (https://dexidp.io/docs/api/) for further information. 
- # grpc: - # addr: 127.0.0.1:5557 - # tlsCert: examples/grpc-client/server.crt - # tlsKey: examples/grpc-client/server.key - # tlsClientCA: examples/grpc-client/ca.crt - - # Expiration configuration for tokens, signing keys, etc. - # expiry: - # deviceRequests: "5m" - # signingKeys: "6h" - # idTokens: "24h" - - # OAuth2 configuration - # oauth2: - # # use ["code", "token", "id_token"] to enable implicit flow for web-only clients - # responseTypes: [ "code" ] # also allowed are "token" and "id_token" - # - # # By default, Dex will ask for approval to share data with application - # # (approval for sharing data from connected IdP to Dex is separate process on IdP) - # skipApprovalScreen: false - # - # # If only one authentication method is enabled, the default behavior is to - # # go directly to it. For connected IdPs, this redirects the browser away - # # from application to upstream provider such as the Google login page - # alwaysShowLoginScreen: false - # - # # Uncomment to use a specific connector for password grants - # passwordConnector: local - - # Static clients registered in Dex by default. - # - # Alternatively, clients may be added through the gRPC API. - # staticClients: - # - id: example-app - # redirectURIs: - # - 'http://127.0.0.1:5555/callback' - # name: 'Example App' - # secret: ZXhhbXBsZS1hcHAtc2VjcmV0 - - # Connectors are used to authenticate users agains upstream identity providers. - # - # See the documentation (https://dexidp.io/docs/connectors/) for further information. - # connectors: [] - - # Enable the password database. - # - # It's a "virtual" connector (identity provider) that stores - # login credentials in Dex's store. - enablePasswordDB: true - - # If this option isn't chosen users may be added through the gRPC API. - # A static list of passwords for the password connector. - # - # Alternatively, passwords my be added/updated through the gRPC API. 
- # staticPasswords: [] - - connectors: - - type: oidc - id: authentik - name: Jupiter - config: - # Canonical URL of the provider, also used for configuration discovery. - # This value MUST match the value returned in the provider config discovery. - # - # See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig - issuer: https://authentik.jupiter.mein.nl/application/o/dex/ - - # Connector config values starting with a "$" will read from the environment. - clientID: d27f287e32bb0126c2a18871d0fa1705c31b0bee - clientSecret: 1c2fd1b956809eb285530483869baf4a470076ce4915dfa05e731a8f9f49bbae8471b6fe219abdf863d3adfb7c804096124918c6300c22d048b199556813f94d - - # Dex's issuer URL + "/callback" - redirectURI: http://dex.jupiter.mein.nl/callback - - - # Some providers require passing client_secret via POST parameters instead - # of basic auth, despite the OAuth2 RFC discouraging it. Many of these - # cases are caught internally, but some may need to uncomment the - # following field. - # - # basicAuthUnsupported: true - - # Google supports whitelisting allowed domains when using G Suite - # (Google Apps). The following field can be set to a list of domains - # that can log in: - # - # hostedDomains: - # - example.com - - # List of additional scopes to request in token response - # Default is profile and email - # Full list at https://dexidp.io/docs/custom-scopes-claims-clients/ - # scopes: - # - profile - # - email - # - groups - - # Some providers return claims without "email_verified", when they had no usage of emails verification in enrollment process - # or if they are acting as a proxy for another IDP etc AWS Cognito with an upstream SAML IDP - # This can be overridden with the below option - # insecureSkipEmailVerified: true - - # Groups claims (like the rest of oidc claims through dex) only refresh when the id token is refreshed - # meaning the regular refresh flow doesn't update the groups claim. 
As such by default the oidc connector - # doesn't allow groups claims. If you are okay with having potentially stale group claims you can use - # this option to enable groups claims through the oidc connector on a per-connector basis. - # This can be overridden with the below option - # insecureEnableGroups: true - - # When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims - # take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain - # all the claims requested. - # https://openid.net/specs/openid-connect-core-1_0.html#UserInfo - # getUserInfo: true - - # The set claim is used as user id. - # Claims list at https://openid.net/specs/openid-connect-core-1_0.html#Claims - # Default: sub - # userIDKey: nickname - - # The set claim is used as user name. - # Default: name - # userNameKey: nickname - - # For offline_access, the prompt parameter is set by default to "prompt=consent". - # However this is not supported by all OIDC providers, some of them support different - # value for prompt, like "prompt=login" or "prompt=none" - # promptType: consent - - # Some providers return non-standard claims (eg. mail). - # Use claimMapping to map those claims to standard claims: - # https://openid.net/specs/openid-connect-core-1_0.html#Claims - # claimMapping can only map a non-standard claim to a standard one if it's not returned in the id_token. - claimMapping: - # The set claim is used as preferred username. - # Default: preferred_username - # preferred_username: other_user_name - - # The set claim is used as email. - # Default: email - # email: mail - - # The set claim is used as groups. - # Default: groups - # groups: "cognito:groups" + config: {} # -- Additional storage [volumes](https://kubernetes.io/docs/concepts/storage/volumes/). # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details. 
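Review bot: Collapsing the connector block to `config: {}` removes the authentik `clientSecret` from the file, but the value the deleted lines carried remains in the repository history, and deleting it from the tree does not revoke it; the client secret should be rotated at the identity provider and the replacement kept out of git. With `config` now empty the chart can only work if a Secret carrying `config.yaml` already exists in the namespace (the chart's `configSecret` keys are outside this hunk, visible in the later diff of this file), which is worth stating next to the key, e.g. `config: {}  # connector config comes from the pre-created Secret named in configSecret.name`.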
From 54e9336b064c113e91eef4de3170b03c682c782d Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 20:56:38 +0100 Subject: [PATCH 029/334] chore: dex enable ingress --- platform/dex/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/dex/values.yaml b/platform/dex/values.yaml index 905617ca16..14991d319e 100644 --- a/platform/dex/values.yaml +++ b/platform/dex/values.yaml @@ -166,7 +166,7 @@ dex: ingress: # -- Enable [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). - enabled: false + enabled: true # -- Ingress [class name](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class). className: "nginx" From 123b9c7a241116f411771ee89ab0dc79b6ddc754 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 20:58:50 +0100 Subject: [PATCH 030/334] chore: tls --- platform/dex/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/platform/dex/values.yaml b/platform/dex/values.yaml index 14991d319e..41a9bd624c 100644 --- a/platform/dex/values.yaml +++ b/platform/dex/values.yaml @@ -172,8 +172,8 @@ dex: className: "nginx" # -- Annotations to be added to the ingress. - annotations: {} - # kubernetes.io/ingress.class: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod # kubernetes.io/tls-acme: "true" # -- Ingress host configuration. From 01a7abac7e46614a808fa5f8feacc0a71c224428 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 21:54:30 +0100 Subject: [PATCH 031/334] feat: new dex style --- platform/dex/Chart.yaml | 9 +- platform/dex/secret.yaml | 11 + .../dex/templates/dex-k8s-authenticator.yaml | 33 ++ platform/dex/templates/dex.yaml | 33 ++ platform/dex/values.yaml | 306 +++++------------- 5 files changed, 156 insertions(+), 236 deletions(-) create mode 100644 platform/dex/secret.yaml create mode 100644 platform/dex/templates/dex-k8s-authenticator.yaml create mode 100644 platform/dex/templates/dex.yaml 
diff --git a/platform/dex/Chart.yaml b/platform/dex/Chart.yaml
index 1115030bbf..08ebc122e9 100644
--- a/platform/dex/Chart.yaml
+++ b/platform/dex/Chart.yaml
@@ -1,8 +1,7 @@
 apiVersion: v2
 name: dex
-version: 0.6.5
+version: 1.2.0
 dependencies:
- - name: dex
- version: 0.6.5
- repository: https://charts.dexidp.io
-
+ - name: adfinis
+ version: security-apps-0.39.1
+ repository: https://charts.adfinis.com
diff --git a/platform/dex/secret.yaml b/platform/dex/secret.yaml
new file mode 100644
index 0000000000..ac08d7dad6
--- /dev/null
+++ b/platform/dex/secret.yaml
@@ -0,0 +1,11 @@ +apiVersion: v1 +data: + config.yaml: Y29ubmVjdG9yczoKLSB0eXBlOiBvaWRjCiAgaWQ6IGF1dGhlbnRpawogIG5hbWU6IEp1cGl0ZXIKICBjb25maWc6CiAgICAjIENhbm9uaWNhbCBVUkwgb2YgdGhlIHByb3ZpZGVyLCBhbHNvIHVzZWQgZm9yIGNvbmZpZ3VyYXRpb24gZGlzY292ZXJ5LgogICAgIyBUaGlzIHZhbHVlIE1VU1QgbWF0Y2ggdGhlIHZhbHVlIHJldHVybmVkIGluIHRoZSBwcm92aWRlciBjb25maWcgZGlzY292ZXJ5LgogICAgIwogICAgIyBTZWU6IGh0dHBzOi8vb3BlbmlkLm5ldC9zcGVjcy9vcGVuaWQtY29ubmVjdC1kaXNjb3ZlcnktMV8wLmh0bWwjUHJvdmlkZXJDb25maWcKICAgIGlzc3VlcjogaHR0cHM6Ly9hdXRoZW50aWsuanVwaXRlci5tZWluLm5sCgogICAgIyBDb25uZWN0b3IgY29uZmlnIHZhbHVlcyBzdGFydGluZyB3aXRoIGEgIiQiIHdpbGwgcmVhZCBmcm9tIHRoZSBlbnZpcm9ubWVudC4KICAgIGNsaWVudElEOiBkMjdmMjg3ZTMyYmIwMTI2YzJhMTg4NzFkMGZhMTcwNWMzMWIwYmVlCiAgICBjbGllbnRTZWNyZXQ6IDFjMmZkMWI5NTY4MDllYjI4NTUzMDQ4Mzg2OWJhZjRhNDcwMDc2Y2U0OTE1ZGZhMDVlNzMxYThmOWY0OWJiYWU4NDcxYjZmZTIxOWFiZGY4NjNkM2FkZmI3YzgwNDA5NjEyNDkxOGM2MzAwYzIyZDA0OGIxOTk1NTY4MTNmOTRkCgogICAgIyBEZXgncyBpc3N1ZXIgVVJMICsgIi9jYWxsYmFjayIKICAgIHJlZGlyZWN0VVJJOiBodHRwOi8vZGV4Lmp1cGl0ZXIubWVpbi5ubC9jYWxsYmFjawoKCiAgICAjIFNvbWUgcHJvdmlkZXJzIHJlcXVpcmUgcGFzc2luZyBjbGllbnRfc2VjcmV0IHZpYSBQT1NUIHBhcmFtZXRlcnMgaW5zdGVhZAogICAgIyBvZiBiYXNpYyBhdXRoLCBkZXNwaXRlIHRoZSBPQXV0aDIgUkZDIGRpc2NvdXJhZ2luZyBpdC4gTWFueSBvZiB0aGVzZQogICAgIyBjYXNlcyBhcmUgY2F1Z2h0IGludGVybmFsbHksIGJ1dCBzb21lIG1heSBuZWVkIHRvIHVuY29tbWVudCB0aGUKICAgICMgZm9sbG93aW5nIGZpZWxkLgogICAgIwogICAgIyBiYXNpY0F1dGhVbnN1cHBvcnRlZDogdHJ1ZQogICAgCiAgICAjIEdvb2dsZSBzdXBwb3J0cyB3aGl0ZWxpc3RpbmcgYWxsb3dlZCBkb21haW5zIHdoZW4gdXNpbmcgRyBTdWl0ZQogICAgIyAoR29vZ2xlIEFwcHMpLiBUaGUgZm9sbG93aW5nIGZpZWxkIGNhbiBiZSBzZXQgdG8gYSBsaXN0IG9mIGRvbWFpbnMKICAgICMgdGhhdCBjYW4gbG9nIGluOgogICAgIwogICAgIyBob3N0ZWREb21haW5zOgogICAgIyAgLSBleGFtcGxlLmNvbQoKICAgICMgTGlzdCBvZiBhZGRpdGlvbmFsIHNjb3BlcyB0byByZXF1ZXN0IGluIHRva2VuIHJlc3BvbnNlCiAgICAjIERlZmF1bHQgaXMgcHJvZmlsZSBhbmQgZW1haWwKICAgICMgRnVsbCBsaXN0IGF0IGh0dHBzOi8vZGV4aWRwLmlvL2RvY3MvY3VzdG9tLXNjb3Blcy1jbGFpbXMtY2xpZW50cy8KICAgICMgc2NvcGVzOgogICAgIyAgLSBwcm9maWxlCiAgICAjICAtIGVtYWlsC
iAgICAjICAtIGdyb3VwcwoKICAgICMgU29tZSBwcm92aWRlcnMgcmV0dXJuIGNsYWltcyB3aXRob3V0ICJlbWFpbF92ZXJpZmllZCIsIHdoZW4gdGhleSBoYWQgbm8gdXNhZ2Ugb2YgZW1haWxzIHZlcmlmaWNhdGlvbiBpbiBlbnJvbGxtZW50IHByb2Nlc3MKICAgICMgb3IgaWYgdGhleSBhcmUgYWN0aW5nIGFzIGEgcHJveHkgZm9yIGFub3RoZXIgSURQIGV0YyBBV1MgQ29nbml0byB3aXRoIGFuIHVwc3RyZWFtIFNBTUwgSURQCiAgICAjIFRoaXMgY2FuIGJlIG92ZXJyaWRkZW4gd2l0aCB0aGUgYmVsb3cgb3B0aW9uCiAgICAjIGluc2VjdXJlU2tpcEVtYWlsVmVyaWZpZWQ6IHRydWUgCgogICAgIyBHcm91cHMgY2xhaW1zIChsaWtlIHRoZSByZXN0IG9mIG9pZGMgY2xhaW1zIHRocm91Z2ggZGV4KSBvbmx5IHJlZnJlc2ggd2hlbiB0aGUgaWQgdG9rZW4gaXMgcmVmcmVzaGVkCiAgICAjIG1lYW5pbmcgdGhlIHJlZ3VsYXIgcmVmcmVzaCBmbG93IGRvZXNuJ3QgdXBkYXRlIHRoZSBncm91cHMgY2xhaW0uIEFzIHN1Y2ggYnkgZGVmYXVsdCB0aGUgb2lkYyBjb25uZWN0b3IKICAgICMgZG9lc24ndCBhbGxvdyBncm91cHMgY2xhaW1zLiBJZiB5b3UgYXJlIG9rYXkgd2l0aCBoYXZpbmcgcG90ZW50aWFsbHkgc3RhbGUgZ3JvdXAgY2xhaW1zIHlvdSBjYW4gdXNlCiAgICAjIHRoaXMgb3B0aW9uIHRvIGVuYWJsZSBncm91cHMgY2xhaW1zIHRocm91Z2ggdGhlIG9pZGMgY29ubmVjdG9yIG9uIGEgcGVyLWNvbm5lY3RvciBiYXNpcy4KICAgICMgVGhpcyBjYW4gYmUgb3ZlcnJpZGRlbiB3aXRoIHRoZSBiZWxvdyBvcHRpb24KICAgICMgaW5zZWN1cmVFbmFibGVHcm91cHM6IHRydWUKCiAgICAjIFdoZW4gZW5hYmxlZCwgdGhlIE9wZW5JRCBDb25uZWN0b3Igd2lsbCBxdWVyeSB0aGUgVXNlckluZm8gZW5kcG9pbnQgZm9yIGFkZGl0aW9uYWwgY2xhaW1zLiBVc2VySW5mbyBjbGFpbXMKICAgICMgdGFrZSBwcmlvcml0eSBvdmVyIGNsYWltcyByZXR1cm5lZCBieSB0aGUgSURUb2tlbi4gVGhpcyBvcHRpb24gc2hvdWxkIGJlIHVzZWQgd2hlbiB0aGUgSURUb2tlbiBkb2Vzbid0IGNvbnRhaW4KICAgICMgYWxsIHRoZSBjbGFpbXMgcmVxdWVzdGVkLgogICAgIyBodHRwczovL29wZW5pZC5uZXQvc3BlY3Mvb3BlbmlkLWNvbm5lY3QtY29yZS0xXzAuaHRtbCNVc2VySW5mbwogICAgIyBnZXRVc2VySW5mbzogdHJ1ZQoKICAgICMgVGhlIHNldCBjbGFpbSBpcyB1c2VkIGFzIHVzZXIgaWQuCiAgICAjIENsYWltcyBsaXN0IGF0IGh0dHBzOi8vb3BlbmlkLm5ldC9zcGVjcy9vcGVuaWQtY29ubmVjdC1jb3JlLTFfMC5odG1sI0NsYWltcwogICAgIyBEZWZhdWx0OiBzdWIKICAgICMgdXNlcklES2V5OiBuaWNrbmFtZQoKICAgICMgVGhlIHNldCBjbGFpbSBpcyB1c2VkIGFzIHVzZXIgbmFtZS4KICAgICMgRGVmYXVsdDogbmFtZQogICAgIyB1c2VyTmFtZUtleTogbmlja25hbWUKCiAgICAjIEZvciBvZmZsaW5lX2FjY2VzcywgdGhlIHByb21wdCBwYXJhbWV0ZXIga
XMgc2V0IGJ5IGRlZmF1bHQgdG8gInByb21wdD1jb25zZW50Ii4gCiAgICAjIEhvd2V2ZXIgdGhpcyBpcyBub3Qgc3VwcG9ydGVkIGJ5IGFsbCBPSURDIHByb3ZpZGVycywgc29tZSBvZiB0aGVtIHN1cHBvcnQgZGlmZmVyZW50CiAgICAjIHZhbHVlIGZvciBwcm9tcHQsIGxpa2UgInByb21wdD1sb2dpbiIgb3IgInByb21wdD1ub25lIgogICAgIyBwcm9tcHRUeXBlOiBjb25zZW50CgogICAgIyBTb21lIHByb3ZpZGVycyByZXR1cm4gbm9uLXN0YW5kYXJkIGNsYWltcyAoZWcuIG1haWwpLgogICAgIyBVc2UgY2xhaW1NYXBwaW5nIHRvIG1hcCB0aG9zZSBjbGFpbXMgdG8gc3RhbmRhcmQgY2xhaW1zOgogICAgIyBodHRwczovL29wZW5pZC5uZXQvc3BlY3Mvb3BlbmlkLWNvbm5lY3QtY29yZS0xXzAuaHRtbCNDbGFpbXMKICAgICMgY2xhaW1NYXBwaW5nIGNhbiBvbmx5IG1hcCBhIG5vbi1zdGFuZGFyZCBjbGFpbSB0byBhIHN0YW5kYXJkIG9uZSBpZiBpdCdzIG5vdCByZXR1cm5lZCBpbiB0aGUgaWRfdG9rZW4uCiAgICBjbGFpbU1hcHBpbmc6CiAgICAgICMgVGhlIHNldCBjbGFpbSBpcyB1c2VkIGFzIHByZWZlcnJlZCB1c2VybmFtZS4KICAgICAgIyBEZWZhdWx0OiBwcmVmZXJyZWRfdXNlcm5hbWUKICAgICAgIyBwcmVmZXJyZWRfdXNlcm5hbWU6IG90aGVyX3VzZXJfbmFtZQoKICAgICAgIyBUaGUgc2V0IGNsYWltIGlzIHVzZWQgYXMgZW1haWwuCiAgICAgICMgRGVmYXVsdDogZW1haWwKICAgICAgIyBlbWFpbDogbWFpbAoKICAgICAgIyBUaGUgc2V0IGNsYWltIGlzIHVzZWQgYXMgZ3JvdXBzLgogICAgICAjIERlZmF1bHQ6IGdyb3VwcwogICAgICAjIGdyb3VwczogImNvZ25pdG86Z3JvdXBzIg== +kind: Secret +metadata: + creationTimestamp: "2022-02-02T19:01:15Z" + name: config + namespace: dex + resourceVersion: "830248" + uid: cf1f4bad-6f8c-4dde-a57d-07b0eb4113d6 +type: Opaque diff --git a/platform/dex/templates/dex-k8s-authenticator.yaml b/platform/dex/templates/dex-k8s-authenticator.yaml new file mode 100644 index 0000000000..2a9d93a333 --- /dev/null +++ b/platform/dex/templates/dex-k8s-authenticator.yaml 
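Review bot: The `config.yaml` data in this Secret is base64-encoded, not encrypted, and its leading bytes decode to the `connectors:` / `type: oidc` block removed from values.yaml in the previous patch, so the authentik `clientSecret` is still committed to git in a trivially reversible form. A plaintext Secret manifest belongs outside the repository (encrypted at rest or generated in-cluster), and the client secret that has now been exposed should be rotated. Separately, `creationTimestamp`, `resourceVersion` and `uid` are server-assigned fields copied from a live object and should be dropped from a manifest that is applied declaratively, leaving `metadata:` with only `name: config` and `namespace: dex`.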
@@ -0,0 +1,33 @@
+{{ if .Values.dexK8sAuthenticator.enabled }}
+{{ template "argoconfig.application" (list . "security-apps.dexK8sAuthenticator") }}
+{{ end }}
+
+{{- define "security-apps.dexK8sAuthenticator" -}}{{- $app := unset .Values.dexK8sAuthenticator "enabled" -}}{{- $name := default $app.destination.namespace $app.name -}}
+metadata:
+ name: {{ template "common.fullname" . }}-{{ $name }}
+spec:
+ {{- if $app.project }}
+ project: {{ $app.project | quote }}
+ {{- end }}
+ source:
+ repoURL: {{ $app.repoURL | quote }}
+ path: {{ $app.repoPath | quote }}
+ targetRevision: {{ $app.targetRevision | quote }}
+ helm:
+ releaseName: {{ $name | quote }}
+ values: |-
+ nameOverride: {{ $name | quote }}
+ {{- $app.values | toYaml | nindent 8 }}
+ {{- if $app.destination }}
+ destination:
+ {{ $app.destination | toYaml | nindent 4 }}
+ {{- end }}
+ {{- if $app.syncPolicy }}
+ syncPolicy:
+ {{ $app.syncPolicy | toYaml | nindent 4 }}
+ {{- end }}
+ {{- if $app.ignoreDifferences }}
+ ignoreDifferences:
+ {{ $app.ignoreDifferences | toYaml | nindent 4 }}
+ {{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/platform/dex/templates/dex.yaml b/platform/dex/templates/dex.yaml
new file mode 100644
index 0000000000..0d8321ce7d
--- /dev/null
+++ b/platform/dex/templates/dex.yaml
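Review bot: `unset .Values.dexK8sAuthenticator "enabled"` on the `define` line deletes the key from the values map in place rather than returning a copy, so any template rendered after this one no longer sees `.Values.dexK8sAuthenticator.enabled`; `omit` returns a new map and avoids that: `{{- $app := omit .Values.dexK8sAuthenticator "enabled" -}}`. The same line uses `$app.destination.namespace` as the default name, which fails with a nil-pointer error when `destination` is unset, and the values.yaml added in this commit defines neither `destination` nor `repoURL`/`repoPath`/`targetRevision` for this application, so the rendered Application would have empty source fields unless the parent chart supplies them — worth confirming. The same two issues are in platform/dex/templates/dex.yaml in the next hunk.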
@@ -0,0 +1,33 @@
+{{ if .Values.dex.enabled }}
+{{ template "argoconfig.application" (list . "security-apps.dex") }}
+{{ end }}
+
+{{- define "security-apps.dex" -}}{{- $app := unset .Values.dex "enabled" -}}{{- $name := default $app.destination.namespace $app.name -}}
+metadata:
+ name: {{ template "common.fullname" . }}-{{ $name }}
+spec:
+ {{- if $app.project }}
+ project: {{ $app.project | quote }}
+ {{- end }}
+ source:
+ repoURL: {{ $app.repoURL | quote }}
+ chart: {{ $app.chart | quote }}
+ targetRevision: {{ $app.targetRevision | quote }}
+ helm:
+ releaseName: {{ $name | quote }}
+ values: |-
+ nameOverride: {{ $name | quote }}
+ {{- $app.values | toYaml | nindent 8 }}
+ {{- if $app.destination }}
+ destination:
+ {{ $app.destination | toYaml | nindent 4 }}
+ {{- end }}
+ {{- if $app.syncPolicy }}
+ syncPolicy:
+ {{ $app.syncPolicy | toYaml | nindent 4 }}
+ {{- end }}
+ {{- if $app.ignoreDifferences }}
+ ignoreDifferences:
+ {{ $app.ignoreDifferences | toYaml | nindent 4 }}
+ {{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/platform/dex/values.yaml b/platform/dex/values.yaml
index 41a9bd624c..61eb4bd636 100644
--- a/platform/dex/values.yaml
+++ b/platform/dex/values.yaml
@@ -1,233 +1,77 @@ +dexK8sAuthenticator: + enabled: true + project: infra-dex-k8s-authenticator + values: + global: + deployEnv: prod + dexK8sAuthenticator: + debug: false + web_path_prefix: / + #logoUrl: http:// + #tlsCert: /path/to/dex-client.crt + #tlsKey: /path/to/dex-client.key + clusters: + - name: jupiter-cluster + short_description: "Jupiter Cluster" + description: "Jupiter Mein Cluster" + client_secret: "client_Secret" + issuer: https://dex.jupiter.mein.nl + k8s_master_uri: https://k8s.jupiter.mein.nl + client_id: my-cluster + redirect_uri: https://login.jupiter.mein.nl/callback/my-cluster + k8s_ca_uri: https://url-to-your-ca.crt + ingress: + enabled: true + annotations: {} + cert-manager.io/cluster-issuer: letsencrypt-prod + kubernetes.io/ingress.class: nginx + hosts: &host login.jupiter.mein.nl + # ingress.tls -- Ingress TLS options + tls: + - secretName: customer-center-tls + hosts: + - *host dex: - # Default values for dex. - # This is a YAML-formatted file. - # Declare variables to be passed into your templates. - - # -- Number of replicas (pods) to launch. - replicaCount: 1 - - image: - # -- Name of the image repository to pull the container image from. - repository: ghcr.io/dexidp/dex - - # -- [Image pull policy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) for updating already existing images on a node. - pullPolicy: IfNotPresent - - # -- Image tag override for the default value (chart appVersion). - tag: "" - - # -- Reference to one or more secrets to be used when [pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) (from private registries). - imagePullSecrets: [] - - # -- A name in place of the chart name for `app:` labels. - nameOverride: "" - - # -- A name to substitute for the full names of resources. - fullnameOverride: "" - - # -- A list of hosts and IPs that will be injected into the pod's hosts file if specified. 
- # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hostname-and-name-resolution) - hostAliases: [] - - https: - # -- Enable the HTTPS endpoint. - enabled: false - - grpc: - # -- Enable the gRPC endpoint. - # Read more in the [documentation](https://dexidp.io/docs/api/). - enabled: false - - configSecret: - # -- Enable creating a secret from the values passed to `config`. - # If set to false, name must point to an existing secret. - create: false - - # -- The name of the secret to mount as configuration in the pod. - # If not set and create is true, a name is generated using the fullname template. - # Must point to secret that contains at least a `config.yaml` key. - name: "config" - - # -- Application configuration. - # See the [official documentation](https://dexidp.io/docs/). - config: {} - - # -- Additional storage [volumes](https://kubernetes.io/docs/concepts/storage/volumes/). - # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details. - volumes: [] - - # -- Additional [volume mounts](https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/). - # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details. - volumeMounts: [] - - # -- Additional environment variables mounted from [secrets](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) or [config maps](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables). - # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. - envFrom: [] - - # -- Additional environment variables passed directly to containers. 
- # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. - env: {} - - # -- Similar to env but with support for all possible configurations. - # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. - envVars: [] - # - name: SOME_ENV_VAR - # value: value - # - name: SOME_ENV_VAR2 - # valueFrom: - # secretKeyRef: - # name: secret-name - # key: secret-key - # - name: SOME_ENV_VAR3 - # valueFrom: - # configMapKeyRef: - # name: config-map-name - # key: config-map-key - - serviceAccount: - # -- Enable service account creation. - create: true - - # -- Annotations to be added to the service account. - annotations: {} - - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template. - name: "" - - rbac: - # -- Specifies whether RBAC resources should be created. - # If disabled, the operator is responsible for creating the necessary resources based on the templates. - create: true - - # -- Annotations to be added to pods. - podAnnotations: {} - - podDisruptionBudget: - # -- Enable a [pod distruption budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) to help dealing with [disruptions](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/). - # It is **highly recommended** for webhooks as disruptions can prevent launching new pods. - enabled: false - - # -- (int/percentage) Number or percentage of pods that must remain available. - minAvailable: - - # -- (int/percentage) Number or percentage of pods that can be unavailable. - maxUnavailable: - - # -- Specify a priority class name to set [pod priority](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority). 
- priorityClassName: "" - - # -- Pod [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod). - # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) for details. - podSecurityContext: {} - # fsGroup: 2000 - - # -- Container [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container). - # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) for details. - securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - - service: - # -- Annotations to be added to the service. - annotations: {} - - # -- Kubernetes [service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). - type: ClusterIP - - # -- Internal cluster service IP (when applicable) - clusterIP: "" - - ports: - http: - # -- HTTP service port - port: 5556 - - # -- (int) HTTP node port (when applicable) - nodePort: - - https: - # -- HTTPS service port - port: 5554 - - # -- (int) HTTPS node port (when applicable) - nodePort: - - grpc: - # -- gRPC service port - port: 5557 - - # -- (int) gRPC node port (when applicable) - nodePort: - - ingress: - # -- Enable [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). - enabled: true - - # -- Ingress [class name](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class). - className: "nginx" - - # -- Annotations to be added to the ingress. - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - # kubernetes.io/tls-acme: "true" - - # -- Ingress host configuration. - # @default -- See [values.yaml](values.yaml). 
- hosts: - - host: &host dex.jupiter.mein.nl - paths: - - path: / - pathType: ImplementationSpecific - - # -- Ingress TLS configuration. - # @default -- See [values.yaml](values.yaml). - tls: - - secretName: dex-tls-certificate + enabled: true + project: infra-dex + values: + ingress: + enabled: true hosts: - - *host - - # -- Container resource [requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). - # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) for details. - # @default -- No requests or limits. - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - - # -- Autoscaling configuration (see [values.yaml](values.yaml) for details). - # @default -- Disabled by default. - autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - - # -- [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) configuration. - nodeSelector: {} - - # -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for node taints. - # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details. - tolerations: [] - - # -- [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) configuration. 
- # See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details. - affinity: {} - - # -- Deployment [strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) configuration. - strategy: {} - # rollingUpdate: - # maxUnavailable: 1 - # type: RollingUpdate + - &dex dex.jupiter.mein.nl + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + kubernetes.io/ingress.class: nginx + tls: + - secretName: customer-center-tls + hosts: + - *dex + grpc: false + config: + connectors: + - type: oidc + id: authentik + name: Jupiter + config: + # Canonical URL of the provider, also used for configuration discovery. + # This value MUST match the value returned in the provider config discovery. + # + # See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig + issuer: https://authentik.jupiter.mein.nl/application/o/dex/ + + # Connector config values starting with a "$" will read from the environment. + clientID: d27f287e32bb0126c2a18871d0fa1705c31b0bee + clientSecret: 1c2fd1b956809eb285530483869baf4a470076ce4915dfa05e731a8f9f49bbae8471b6fe219abdf863d3adfb7c804096124918c6300c22d048b199556813f94d + + # Dex's issuer URL + "/callback" + redirectURI: http://dex.jupiter.mein.nl/callback + issuer: 'https://dex.jupiter.mein.nl' + staticClients: + - id: "oidc-auth-client" + redirectURIs: + - 'https://login.jupiter.mein.nl/callback' + name: 'oidc-auth-client' + secret: 'Secret' + enablePasswordDB: false + oauth2: + alwaysShowLoginScreen: false \ No newline at end of file From 2eebc552241c8aa77f925b2e270056f5a5fe62d8 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 2 Feb 2022 21:57:54 +0100 Subject: [PATCH 032/334] fix: yaml format --- platform/dex/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/dex/values.yaml b/platform/dex/values.yaml index 61eb4bd636..d49584c6cf 100644 --- a/platform/dex/values.yaml 
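Review bot: The OIDC client wiring between the two applications on the new side does not line up: dex-k8s-authenticator is given `client_id: my-cluster`, `client_secret: "client_Secret"` and `redirect_uri: https://login.jupiter.mein.nl/callback/my-cluster`, while Dex's `staticClients` registers `id: "oidc-auth-client"`, `secret: 'Secret'` and `redirectURIs: ['https://login.jupiter.mein.nl/callback']`, so a login through the authenticator cannot complete against this config. Both secret values are placeholders committed in plaintext next to the authentik `clientSecret`, and `k8s_ca_uri: https://url-to-your-ca.crt` is a placeholder too; the real values belong in a Secret kept out of git, with these keys left as references to it. The connector's `redirectURI: http://dex.jupiter.mein.nl/callback` also uses plain http while the issuer is `https://dex.jupiter.mein.nl`; it should be `redirectURI: https://dex.jupiter.mein.nl/callback` so the authorization code is not returned over cleartext.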
+++ b/platform/dex/values.yaml
@@ -22,7 +22,7 @@ dexK8sAuthenticator:
 k8s_ca_uri: https://url-to-your-ca.crt
 ingress:
 enabled: true
- annotations: {}
+ annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
 kubernetes.io/ingress.class: nginx
 hosts: &host login.jupiter.mein.nl
From 646747640f275341e4b1a35f50dbdec80831c92b Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Wed, 2 Feb 2022 22:00:20 +0100
Subject: [PATCH 033/334] fix: version

---
 platform/dex/Chart.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/platform/dex/Chart.yaml b/platform/dex/Chart.yaml
index 08ebc122e9..7e239f988b 100644
--- a/platform/dex/Chart.yaml
+++ b/platform/dex/Chart.yaml
@@ -2,6 +2,6 @@ apiVersion: v2
 name: dex
 version: 1.2.0
 dependencies:
- - name: adfinis
- version: security-apps-0.39.1
+ - name: security-apps
+ version: 0.39.1
 repository: https://charts.adfinis.com
From 23a6487eab4cd2c102ea68a0847f1dabba3441d7 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Wed, 2 Feb 2022 22:04:10 +0100
Subject: [PATCH 034/334] fix:

---
 platform/dex/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/platform/dex/Chart.yaml b/platform/dex/Chart.yaml
index 7e239f988b..737134f46f 100644
--- a/platform/dex/Chart.yaml
+++ b/platform/dex/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: dex
-version: 1.2.0
+version: 0.39.1
 dependencies:
 - name: security-apps
 version: 0.39.1
From db8c6c8d2f0356425271f648e6db0d84151eb2b3 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Wed, 2 Feb 2022 22:07:35 +0100
Subject: [PATCH 035/334] fix:

---
 .../dex/templates/dex-k8s-authenticator.yaml | 33 -------------------
 platform/dex/templates/dex.yaml | 33 -------------------
 2 files changed, 66 deletions(-)
 delete mode 100644 platform/dex/templates/dex-k8s-authenticator.yaml
 delete mode 100644 platform/dex/templates/dex.yaml
diff --git a/platform/dex/templates/dex-k8s-authenticator.yaml b/platform/dex/templates/dex-k8s-authenticator.yaml
deleted file mode 100644
index 2a9d93a333..0000000000
--- a/platform/dex/templates/dex-k8s-authenticator.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-{{ if .Values.dexK8sAuthenticator.enabled }}
-{{ template "argoconfig.application" (list . "security-apps.dexK8sAuthenticator") }}
-{{ end }}
-
-{{- define "security-apps.dexK8sAuthenticator" -}}{{- $app := unset .Values.dexK8sAuthenticator "enabled" -}}{{- $name := default $app.destination.namespace $app.name -}}
-metadata:
- name: {{ template "common.fullname" . }}-{{ $name }}
-spec:
- {{- if $app.project }}
- project: {{ $app.project | quote }}
- {{- end }}
- source:
- repoURL: {{ $app.repoURL | quote }}
- path: {{ $app.repoPath | quote }}
- targetRevision: {{ $app.targetRevision | quote }}
- helm:
- releaseName: {{ $name | quote }}
- values: |-
- nameOverride: {{ $name | quote }}
- {{- $app.values | toYaml | nindent 8 }}
- {{- if $app.destination }}
- destination:
- {{ $app.destination | toYaml | nindent 4 }}
- {{- end }}
- {{- if $app.syncPolicy }}
- syncPolicy:
- {{ $app.syncPolicy | toYaml | nindent 4 }}
- {{- end }}
- {{- if $app.ignoreDifferences }}
- ignoreDifferences:
- {{ $app.ignoreDifferences | toYaml | nindent 4 }}
- {{- end }}
-{{- end -}}
\ No newline at end of file
diff --git a/platform/dex/templates/dex.yaml b/platform/dex/templates/dex.yaml
deleted file mode 100644
index 0d8321ce7d..0000000000
--- a/platform/dex/templates/dex.yaml
+++ /dev/null
@@ -1,33 +0,0 @@ -{{ if .Values.dex.enabled }} -{{ template "argoconfig.application" (list . "security-apps.dex") }} -{{ end }} - -{{- define "security-apps.dex" -}}{{- $app := unset .Values.dex "enabled" -}}{{- $name := default $app.destination.namespace $app.name -}} -metadata: - name: {{ template "common.fullname" . }}-{{ $name }} -spec: - {{- if $app.project }} - project: {{ $app.project | quote }} - {{- end }} - source: - repoURL: {{ $app.repoURL | quote }} - chart: {{ $app.chart | quote }} - targetRevision: {{ $app.targetRevision | quote }} - helm: - releaseName: {{ $name | quote }} - values: |- - nameOverride: {{ $name | quote }} - {{- $app.values | toYaml | nindent 8 }} - {{- if $app.destination }} - destination: - {{ $app.destination | toYaml | nindent 4 }} - {{- end }} - {{- if $app.syncPolicy }} - syncPolicy: - {{ $app.syncPolicy | toYaml | nindent 4 }} - {{- end }} - {{- if $app.ignoreDifferences }} - ignoreDifferences: - {{ $app.ignoreDifferences | toYaml | nindent 4 }} - {{- end }} -{{- end -}} \ No newline at end of file From a8ae1ef98978069adf44420131838567182bd95d Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Thu, 3 Feb 2022 08:36:24 +0100 Subject: [PATCH 036/334] config: add whitelist to ingress --- system/ingress-nginx/values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/system/ingress-nginx/values.yaml b/system/ingress-nginx/values.yaml index 75be6ef188..8f4efd0851 100644 --- a/system/ingress-nginx/values.yaml +++ b/system/ingress-nginx/values.yaml @@ -1,5 +1,8 @@ ingress-nginx: controller: + config: + entries: + whitelist-source-range: 213.34.1.38/32, 37.97.253.87/32 admissionWebhooks: timeoutSeconds: 30 metrics: From bfcc5417100273032e9dbfb0fd37ad6fd69911a0 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Thu, 3 Feb 2022 08:52:07 +0100 Subject: [PATCH 037/334] config: add whitelist --- system/ingress-nginx/values.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
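Review bot: The allowlist is nested one level too deep — the ingress-nginx chart copies `controller.config` straight into the controller ConfigMap as key/value pairs, so `entries` becomes an unknown ConfigMap key and, as far as I can tell, `whitelist-source-range` is never applied. It should sit directly under `config:`. Note also that a ConfigMap-level `whitelist-source-range` applies to every ingress served by the controller, including any that is meant to be public; a per-ingress `nginx.ingress.kubernetes.io/whitelist-source-range` annotation keeps the restriction scoped to the hosts that need it.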
diff --git a/system/ingress-nginx/values.yaml b/system/ingress-nginx/values.yaml index 8f4efd0851..99d6f47a3c 100644 --- a/system/ingress-nginx/values.yaml +++ b/system/ingress-nginx/values.yaml @@ -1,8 +1,7 @@ ingress-nginx: controller: config: - entries: - whitelist-source-range: 213.34.1.38/32, 37.97.253.87/32 + whitelist-source-range: 213.34.1.38/32, 37.97.253.87/32 admissionWebhooks: timeoutSeconds: 30 metrics: From b1baa72560f1d49daaead2b42ff526b91a66c24e Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Thu, 3 Feb 2022 08:56:26 +0100 Subject: [PATCH 038/334] config: add local to whitelist --- system/ingress-nginx/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/ingress-nginx/values.yaml b/system/ingress-nginx/values.yaml index 99d6f47a3c..e26f1fdb3f 100644 --- a/system/ingress-nginx/values.yaml +++ b/system/ingress-nginx/values.yaml @@ -1,7 +1,7 @@ ingress-nginx: controller: config: - whitelist-source-range: 213.34.1.38/32, 37.97.253.87/32 + whitelist-source-range: 213.34.1.38/32, 37.97.253.87/32, 192.168.1.0/24 admissionWebhooks: timeoutSeconds: 30 metrics: From 1b8874dcf0e54c7d5266640196e1fd7217953fa5 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Thu, 3 Feb 2022 09:28:50 +0100 Subject: [PATCH 039/334] config: temp add cni --- system/ingress-nginx/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/ingress-nginx/values.yaml b/system/ingress-nginx/values.yaml index e26f1fdb3f..e5d9c9679b 100644 --- a/system/ingress-nginx/values.yaml +++ b/system/ingress-nginx/values.yaml @@ -1,7 +1,7 @@ ingress-nginx: controller: config: - whitelist-source-range: 213.34.1.38/32, 37.97.253.87/32, 192.168.1.0/24 + whitelist-source-range: 213.34.1.38/32, 37.97.253.87/32, 192.168.1.0/24, 10.42.0./32 admissionWebhooks: timeoutSeconds: 30 metrics: From 4e59d5ec27fb990f3dcf739ebe692f1d2a6eb5e2 Mon Sep 17 00:00:00 2001 
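Review bot: `10.42.0./32` in the new `whitelist-source-range` value is not a valid CIDR (three octets, a trailing dot and no fourth octet). ingress-nginx parses each comma-separated entry and, as far as I recall, drops an unparsable one with a warning rather than failing the reload, so the pod range silently stays blocked while the rest of the list keeps working; the controller log should show the warning. The commit message calls this temporary — a `# TODO` beside the entry stating why the pod CIDR is needed and when it is to be removed would keep it from becoming permanent.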
From: Peter Mein Date: Fri, 4 Feb 2022 16:16:40 +0100 Subject: [PATCH 040/334] fix: cni added to whitelist --- system/ingress-nginx/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/ingress-nginx/values.yaml b/system/ingress-nginx/values.yaml index e5d9c9679b..231224835f 100644 --- a/system/ingress-nginx/values.yaml +++ b/system/ingress-nginx/values.yaml @@ -1,7 +1,7 @@ ingress-nginx: controller: config: - whitelist-source-range: 213.34.1.38/32, 37.97.253.87/32, 192.168.1.0/24, 10.42.0./32 + whitelist-source-range: 213.34.1.38/32, 37.97.253.87/32, 192.168.1.0/24, 10.42.0.0/32 admissionWebhooks: timeoutSeconds: 30 metrics: From ef000d3e15a890da03642272be48cb1e0a835c55 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 16:20:01 +0100 Subject: [PATCH 041/334] fix: moved to cidr 24 block --- system/ingress-nginx/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/ingress-nginx/values.yaml b/system/ingress-nginx/values.yaml index 231224835f..7617788baf 100644 --- a/system/ingress-nginx/values.yaml +++ b/system/ingress-nginx/values.yaml @@ -1,7 +1,7 @@ ingress-nginx: controller: config: - whitelist-source-range: 213.34.1.38/32, 37.97.253.87/32, 192.168.1.0/24, 10.42.0.0/32 + whitelist-source-range: 213.34.1.38/32, 37.97.253.87/32, 192.168.1.0/24, 10.42.0.0/24 admissionWebhooks: timeoutSeconds: 30 metrics: From 640f76cf1760d72ed5200c8b6e37f9dd09763652 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 16:41:39 +0100 Subject: [PATCH 042/334] feat: started on homeassistant --- home/homeassistant/Chart.yaml | 7 ++ home/homeassistant/values.yaml | 139 +++++++++++++++++++++++++++++++++ 2 files changed, 146 insertions(+) create mode 100644 home/homeassistant/Chart.yaml create mode 100644 home/homeassistant/values.yaml diff --git a/home/homeassistant/Chart.yaml b/home/homeassistant/Chart.yaml new file mode 100644 index 0000000000..55a6476ab0 --- /dev/null 
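Review bot: Adding the pod CIDR `10.42.0.0/24` to the controller-wide `whitelist-source-range` effectively exempts every request that enters the cluster through an in-cluster proxy or tunnel, because nginx evaluates the proxying pod's address rather than the end client's — whatever is being allowed here is thereby allowed for every client behind that component, on every ingress. If the intent is to let such a component forward traffic, set `proxy-real-ip-cidr` to that pod range together with `use-forwarded-headers: "true"` so the real client address is what the allowlist checks. If this is a k3s-style pod network (`10.42.0.0/16` cluster-wide), `/24` only covers one node's pod subnet and pods on other nodes would still be refused — confirm which range is intended. As with the earlier commits, a per-ingress `nginx.ingress.kubernetes.io/whitelist-source-range` annotation would keep this exemption from applying globally.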
+++ b/home/homeassistant/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: homeassistant +version: 0.0.0 +dependencies: + - name: home-assistant + version: 12.0.1 + repository: https://k8s-at-home.com/charts/ diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml new file mode 100644 index 0000000000..b5c079a20b --- /dev/null +++ b/home/homeassistant/values.yaml 
@@ -0,0 +1,139 @@ +homeassistant: + image: + # -- image repository + repository: homeassistant/home-assistant + # -- image tag + tag: 2021.12.7 + # -- image pull policy + pullPolicy: IfNotPresent + + # -- environment variables. + # @default -- See below + env: + # -- Set the container timezone + TZ: Europa/Amsterdam + + # -- Configures service settings for the chart. Normally this does not need to be modified. + # @default -- See values.yaml + service: + main: + ports: + http: + port: 8123 + + ingress: + # -- Enable and configure ingress settings for the chart under this key. + # @default -- See values.yaml + main: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: &host paperless.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: paperless-tls-certificate + hosts: + - *host + + # -- Enable devices to be discoverable + # hostNetwork: true + + # -- When hostNetwork is true set dnsPolicy to ClusterFirstWithHostNet + # dnsPolicy: ClusterFirstWithHostNet + + securityContext: + # -- (bool) Privileged securityContext may be required if USB devics are accessed directly through the host machine + privileged: # true + + # -- Configure persistence settings for the chart under this key. + # @default -- See values.yaml + persistence: + config: + enabled: false + # -- Configure a hostPathMount to mount a USB device in the container. + # @default -- See values.yaml + usb: + enabled: false + type: hostPath + hostPath: /path/to/device + + # -- Enable and configure mariadb database subchart under this key. 
+ # For more options see [mariadb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) + # @default -- See values.yaml + mariadb: + enabled: false + architecture: standalone + auth: + database: home-assistant + username: home-assistant + password: home-assistant-pass + rootPassword: home-assistantrootpass + primary: + persistence: + enabled: false + # storageClass: "" + + # -- Enable and configure postgresql database subchart under this key. + # For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) + # @default -- See values.yaml + postgresql: + enabled: false + image: + repository: bitnami/postgresql + tag: 14.1.0 + postgresqlUsername: home-assistant + postgresqlPassword: home-assistant-pass + postgresqlDatabase: home-assistant + persistence: + enabled: false + # storageClass: "" + + # -- Enable and configure influxdb database subchart under this key. + # For more options see [influxdb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/influxdb) + # @default -- See values.yaml + influxdb: + enabled: false + architecture: standalone + database: home_assistant + authEnabled: false + persistence: + enabled: false + # storageClass: "" + # size: 8Gi + + metrics: + # -- Enable and configure a Prometheus serviceMonitor for the chart under this key. + # @default -- See values.yaml + enabled: false + serviceMonitor: + interval: 1m + scrapeTimeout: 30s + labels: {} + ## See https://www.home-assistant.io/docs/authentication/ for where to find + ## long lived access token creation under your account profile, which is + ## needed to monitor Home Assistant + # bearerTokenSecret: + # name: "" + # key: "" + + # -- Enable and configure Prometheus Rules for the chart under this key. + # @default -- See values.yaml + prometheusRule: + enabled: false + labels: {} + # -- Configure additionial rules for the chart under this key. 
+ # @default -- See prometheusrules.yaml + rules: [] + # - alert: HomeAssistantAbsent + # annotations: + # description: Home Assistant has disappeared from Prometheus service discovery. + # summary: Home Assistant is down. + # expr: | + # absent(up{job=~".*home-assistant.*"} == 1) + # for: 5m + # labels: + # severity: critical \ No newline at end of file From 61e8aba4b8e5b1401085188ff965a86673ca2e94 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 16:47:24 +0100 Subject: [PATCH 043/334] config: started on configuring homeassistant --- home/homeassistant/values.yaml | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index b5c079a20b..0d8fe403e0 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -30,12 +30,12 @@ homeassistant: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host paperless.jupiter.mein.nl + - host: &host homeassistant.europa.jupiter.mein.nl paths: - path: / pathType: Prefix tls: - - secretName: paperless-tls-certificate + - secretName: homeassistant-tls-certificate hosts: - *host @@ -75,13 +75,13 @@ homeassistant: primary: persistence: enabled: false - # storageClass: "" + storageClass: "" # -- Enable and configure postgresql database subchart under this key. # For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) # @default -- See values.yaml postgresql: - enabled: false + enabled: true image: repository: bitnami/postgresql tag: 14.1.0 
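Review bot: `TZ: Europa/Amsterdam` under `env` is not an IANA zone name (the zone is `Europe/Amsterdam`), so the container will presumably fall back to UTC and every automation that relies on local time will be off. In the same file `mariadb.auth.password`, `mariadb.auth.rootPassword` and `postgresql.postgresqlPassword` put database credentials in the repository in clear text; the subcharts are disabled here, but these become the live credentials the moment one is enabled, so they belong in a Secret referenced through the subcharts' existing-secret values rather than in values.yaml. The ingress still carries `paperless.jupiter.mein.nl` and `paperless-tls-certificate`, which looks like a copy-paste from another app's values.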
@@ -89,27 +89,29 @@ homeassistant: postgresqlPassword: home-assistant-pass postgresqlDatabase: home-assistant persistence: - enabled: false - # storageClass: "" + enabled: true + storageClass: longhorn + size: 4Gi # -- Enable and configure influxdb database subchart under this key. # For more options see [influxdb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/influxdb) # @default -- See values.yaml influxdb: - enabled: false + enabled: true architecture: standalone database: home_assistant authEnabled: false persistence: - enabled: false - # storageClass: "" - # size: 8Gi + enabled: true + storageClass: longhorn + size: 8Gi - metrics: + metrics: &metrics # -- Enable and configure a Prometheus serviceMonitor for the chart under this key. # @default -- See values.yaml - enabled: false + enabled: true serviceMonitor: + enabled: true interval: 1m scrapeTimeout: 30s labels: {} From 7f206d991bd92675d5bb32d9815d845032b11593 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 17:04:05 +0100 Subject: [PATCH 044/334] config: nested values --- home/homeassistant/values.yaml | 247 ++++++++++++++++----------------- 1 file changed, 123 insertions(+), 124 deletions(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 0d8fe403e0..30900be03a 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml 
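Review bot: `influxdb.enabled: true` is combined with `authEnabled: false` and a persistent `longhorn` volume, so the history database is now durable and readable/writable without credentials by anything that can open a connection to its service inside the cluster. Enable authentication with credentials held in a Secret, or at minimum add a NetworkPolicy that limits the InfluxDB service to the Home Assistant pod. The preceding hunk in this file turns on `postgresql` with the `postgresqlPassword: home-assistant-pass` value already committed in the values file, which has the same problem. The `&metrics` anchor added on the `metrics:` key has no `*metrics` alias anywhere this diff shows, so it is dead YAML.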
@@ -1,141 +1,140 @@ -homeassistant: - image: - # -- image repository - repository: homeassistant/home-assistant - # -- image tag - tag: 2021.12.7 - # -- image pull policy - pullPolicy: IfNotPresent +image: + # -- image repository + repository: homeassistant/home-assistant + # -- image tag + tag: 2021.12.7 + # -- image pull policy + pullPolicy: IfNotPresent + +# -- environment variables. +# @default -- See below +env: + # -- Set the container timezone + TZ: Europa/Amsterdam - # -- environment variables. - # @default -- See below - env: - # -- Set the container timezone - TZ: Europa/Amsterdam +# -- Configures service settings for the chart. Normally this does not need to be modified. +# @default -- See values.yaml +service: + main: + ports: + http: + port: 8123 - # -- Configures service settings for the chart. Normally this does not need to be modified. +ingress: + # -- Enable and configure ingress settings for the chart under this key. # @default -- See values.yaml - service: main: - ports: - http: - port: 8123 - - ingress: - # -- Enable and configure ingress settings for the chart under this key. 
- # @default -- See values.yaml - main: - enabled: true - ingressClassName: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - hosts: - - host: &host homeassistant.europa.jupiter.mein.nl - paths: - - path: / - pathType: Prefix - tls: - - secretName: homeassistant-tls-certificate - hosts: - - *host - - # -- Enable devices to be discoverable - # hostNetwork: true + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: &host homeassistant.europa.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: homeassistant-tls-certificate + hosts: + - *host - # -- When hostNetwork is true set dnsPolicy to ClusterFirstWithHostNet - # dnsPolicy: ClusterFirstWithHostNet +# -- Enable devices to be discoverable +# hostNetwork: true - securityContext: - # -- (bool) Privileged securityContext may be required if USB devics are accessed directly through the host machine - privileged: # true +# -- When hostNetwork is true set dnsPolicy to ClusterFirstWithHostNet +# dnsPolicy: ClusterFirstWithHostNet - # -- Configure persistence settings for the chart under this key. - # @default -- See values.yaml - persistence: - config: - enabled: false - # -- Configure a hostPathMount to mount a USB device in the container. - # @default -- See values.yaml - usb: - enabled: false - type: hostPath - hostPath: /path/to/device +securityContext: + # -- (bool) Privileged securityContext may be required if USB devics are accessed directly through the host machine + privileged: # true - # -- Enable and configure mariadb database subchart under this key. - # For more options see [mariadb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) +# -- Configure persistence settings for the chart under this key. +# @default -- See values.yaml +persistence: + config: + enabled: false + # -- Configure a hostPathMount to mount a USB device in the container. 
# @default -- See values.yaml - mariadb: + usb: enabled: false - architecture: standalone - auth: - database: home-assistant - username: home-assistant - password: home-assistant-pass - rootPassword: home-assistantrootpass - primary: - persistence: - enabled: false - storageClass: "" + type: hostPath + hostPath: /path/to/device - # -- Enable and configure postgresql database subchart under this key. - # For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) - # @default -- See values.yaml - postgresql: - enabled: true - image: - repository: bitnami/postgresql - tag: 14.1.0 - postgresqlUsername: home-assistant - postgresqlPassword: home-assistant-pass - postgresqlDatabase: home-assistant +# -- Enable and configure mariadb database subchart under this key. +# For more options see [mariadb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) +# @default -- See values.yaml +mariadb: + enabled: false + architecture: standalone + auth: + database: home-assistant + username: home-assistant + password: home-assistant-pass + rootPassword: home-assistantrootpass + primary: persistence: - enabled: true - storageClass: longhorn - size: 4Gi + enabled: false + storageClass: "" - # -- Enable and configure influxdb database subchart under this key. - # For more options see [influxdb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/influxdb) - # @default -- See values.yaml - influxdb: +# -- Enable and configure postgresql database subchart under this key. 
+# For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) +# @default -- See values.yaml +postgresql: + enabled: true + image: + repository: bitnami/postgresql + tag: 14.1.0 + postgresqlUsername: home-assistant + postgresqlPassword: home-assistant-pass + postgresqlDatabase: home-assistant + persistence: enabled: true - architecture: standalone - database: home_assistant - authEnabled: false - persistence: - enabled: true - storageClass: longhorn - size: 8Gi + storageClass: longhorn + size: 4Gi - metrics: &metrics - # -- Enable and configure a Prometheus serviceMonitor for the chart under this key. - # @default -- See values.yaml +# -- Enable and configure influxdb database subchart under this key. +# For more options see [influxdb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/influxdb) +# @default -- See values.yaml +influxdb: + enabled: true + architecture: standalone + database: home_assistant + authEnabled: false + persistence: enabled: true - serviceMonitor: - enabled: true - interval: 1m - scrapeTimeout: 30s - labels: {} - ## See https://www.home-assistant.io/docs/authentication/ for where to find - ## long lived access token creation under your account profile, which is - ## needed to monitor Home Assistant - # bearerTokenSecret: - # name: "" - # key: "" + storageClass: longhorn + size: 8Gi - # -- Enable and configure Prometheus Rules for the chart under this key. - # @default -- See values.yaml - prometheusRule: - enabled: false - labels: {} - # -- Configure additionial rules for the chart under this key. - # @default -- See prometheusrules.yaml - rules: [] - # - alert: HomeAssistantAbsent - # annotations: - # description: Home Assistant has disappeared from Prometheus service discovery. - # summary: Home Assistant is down. 
- # expr: | - # absent(up{job=~".*home-assistant.*"} == 1) - # for: 5m - # labels: - # severity: critical \ No newline at end of file +metrics: &metrics + # -- Enable and configure a Prometheus serviceMonitor for the chart under this key. + # @default -- See values.yaml + enabled: true + serviceMonitor: + enabled: true + interval: 1m + scrapeTimeout: 30s + labels: {} + ## See https://www.home-assistant.io/docs/authentication/ for where to find + ## long lived access token creation under your account profile, which is + ## needed to monitor Home Assistant + # bearerTokenSecret: + # name: "" + # key: "" + + # -- Enable and configure Prometheus Rules for the chart under this key. + # @default -- See values.yaml + prometheusRule: + enabled: false + labels: {} + # -- Configure additionial rules for the chart under this key. + # @default -- See prometheusrules.yaml + rules: [] + # - alert: HomeAssistantAbsent + # annotations: + # description: Home Assistant has disappeared from Prometheus service discovery. + # summary: Home Assistant is down. + # expr: | + # absent(up{job=~".*home-assistant.*"} == 1) + # for: 5m + # labels: + # severity: critical \ No newline at end of file From 2f22255a3fad47a145c9f26cdcb1d48b682a1f79 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 17:05:36 +0100 Subject: [PATCH 045/334] config: other nested value ha --- home/homeassistant/values.yaml | 247 +++++++++++++++++---------------- 1 file changed, 124 insertions(+), 123 deletions(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 30900be03a..7b76c839e8 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml 
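Review bot: Moving every key to the top level disconnects them from the subchart: Helm only passes values to a dependency under the key that matches the dependency's name in Chart.yaml (`home-assistant`, per the chart file added earlier in this series), so at top level `image`, `ingress`, `postgresql` and the rest configure nothing and the subchart falls back to its own defaults. Unless a `values` alias or import-values mapping I cannot see exists, the whole block should be nested under `home-assistant:`. The previous parent key `homeassistant` had the same mismatch, so this was not working before the commit either.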
@@ -1,140 +1,141 @@ -image: - # -- image repository - repository: homeassistant/home-assistant - # -- image tag - tag: 2021.12.7 - # -- image pull policy - pullPolicy: IfNotPresent - -# -- environment variables. -# @default -- See below -env: - # -- Set the container timezone - TZ: Europa/Amsterdam +home-assistant: + image: + # -- image repository + repository: homeassistant/home-assistant + # -- image tag + tag: 2021.12.7 + # -- image pull policy + pullPolicy: IfNotPresent -# -- Configures service settings for the chart. Normally this does not need to be modified. -# @default -- See values.yaml -service: - main: - ports: - http: - port: 8123 + # -- environment variables. + # @default -- See below + env: + # -- Set the container timezone + TZ: Europa/Amsterdam -ingress: - # -- Enable and configure ingress settings for the chart under this key. + # -- Configures service settings for the chart. Normally this does not need to be modified. # @default -- See values.yaml + service: main: - enabled: true - ingressClassName: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - hosts: - - host: &host homeassistant.europa.jupiter.mein.nl - paths: - - path: / - pathType: Prefix - tls: - - secretName: homeassistant-tls-certificate - hosts: - - *host + ports: + http: + port: 8123 -# -- Enable devices to be discoverable -# hostNetwork: true + ingress: + # -- Enable and configure ingress settings for the chart under this key. 
+ # @default -- See values.yaml + main: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: &host homeassistant.europa.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: homeassistant-tls-certificate + hosts: + - *host -# -- When hostNetwork is true set dnsPolicy to ClusterFirstWithHostNet -# dnsPolicy: ClusterFirstWithHostNet + # -- Enable devices to be discoverable + # hostNetwork: true -securityContext: - # -- (bool) Privileged securityContext may be required if USB devics are accessed directly through the host machine - privileged: # true + # -- When hostNetwork is true set dnsPolicy to ClusterFirstWithHostNet + # dnsPolicy: ClusterFirstWithHostNet -# -- Configure persistence settings for the chart under this key. -# @default -- See values.yaml -persistence: - config: - enabled: false - # -- Configure a hostPathMount to mount a USB device in the container. - # @default -- See values.yaml - usb: - enabled: false - type: hostPath - hostPath: /path/to/device + securityContext: + # -- (bool) Privileged securityContext may be required if USB devics are accessed directly through the host machine + privileged: # true -# -- Enable and configure mariadb database subchart under this key. -# For more options see [mariadb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) -# @default -- See values.yaml -mariadb: - enabled: false - architecture: standalone - auth: - database: home-assistant - username: home-assistant - password: home-assistant-pass - rootPassword: home-assistantrootpass - primary: - persistence: + # -- Configure persistence settings for the chart under this key. + # @default -- See values.yaml + persistence: + config: enabled: false - storageClass: "" + # -- Configure a hostPathMount to mount a USB device in the container. 
+ # @default -- See values.yaml + usb: + enabled: false + type: hostPath + hostPath: /path/to/device -# -- Enable and configure postgresql database subchart under this key. -# For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) -# @default -- See values.yaml -postgresql: - enabled: true - image: - repository: bitnami/postgresql - tag: 14.1.0 - postgresqlUsername: home-assistant - postgresqlPassword: home-assistant-pass - postgresqlDatabase: home-assistant - persistence: - enabled: true - storageClass: longhorn - size: 4Gi + # -- Enable and configure mariadb database subchart under this key. + # For more options see [mariadb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) + # @default -- See values.yaml + mariadb: + enabled: false + architecture: standalone + auth: + database: home-assistant + username: home-assistant + password: home-assistant-pass + rootPassword: home-assistantrootpass + primary: + persistence: + enabled: false + storageClass: "" -# -- Enable and configure influxdb database subchart under this key. -# For more options see [influxdb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/influxdb) -# @default -- See values.yaml -influxdb: - enabled: true - architecture: standalone - database: home_assistant - authEnabled: false - persistence: + # -- Enable and configure postgresql database subchart under this key. 
+ # For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) + # @default -- See values.yaml + postgresql: enabled: true - storageClass: longhorn - size: 8Gi + image: + repository: bitnami/postgresql + tag: 14.1.0 + postgresqlUsername: home-assistant + postgresqlPassword: home-assistant-pass + postgresqlDatabase: home-assistant + persistence: + enabled: true + storageClass: longhorn + size: 4Gi -metrics: &metrics - # -- Enable and configure a Prometheus serviceMonitor for the chart under this key. + # -- Enable and configure influxdb database subchart under this key. + # For more options see [influxdb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/influxdb) # @default -- See values.yaml - enabled: true - serviceMonitor: + influxdb: enabled: true - interval: 1m - scrapeTimeout: 30s - labels: {} - ## See https://www.home-assistant.io/docs/authentication/ for where to find - ## long lived access token creation under your account profile, which is - ## needed to monitor Home Assistant - # bearerTokenSecret: - # name: "" - # key: "" + architecture: standalone + database: home_assistant + authEnabled: false + persistence: + enabled: true + storageClass: longhorn + size: 8Gi - # -- Enable and configure Prometheus Rules for the chart under this key. - # @default -- See values.yaml - prometheusRule: - enabled: false - labels: {} - # -- Configure additionial rules for the chart under this key. - # @default -- See prometheusrules.yaml - rules: [] - # - alert: HomeAssistantAbsent - # annotations: - # description: Home Assistant has disappeared from Prometheus service discovery. - # summary: Home Assistant is down. - # expr: | - # absent(up{job=~".*home-assistant.*"} == 1) - # for: 5m - # labels: - # severity: critical \ No newline at end of file + metrics: &metrics + # -- Enable and configure a Prometheus serviceMonitor for the chart under this key. 
+ # @default -- See values.yaml + enabled: true + serviceMonitor: + enabled: true + interval: 1m + scrapeTimeout: 30s + labels: {} + ## See https://www.home-assistant.io/docs/authentication/ for where to find + ## long lived access token creation under your account profile, which is + ## needed to monitor Home Assistant + # bearerTokenSecret: + # name: "" + # key: "" + + # -- Enable and configure Prometheus Rules for the chart under this key. + # @default -- See values.yaml + prometheusRule: + enabled: false + labels: {} + # -- Configure additionial rules for the chart under this key. + # @default -- See prometheusrules.yaml + rules: [] + # - alert: HomeAssistantAbsent + # annotations: + # description: Home Assistant has disappeared from Prometheus service discovery. + # summary: Home Assistant is down. + # expr: | + # absent(up{job=~".*home-assistant.*"} == 1) + # for: 5m + # labels: + # severity: critical \ No newline at end of file From 125253a2b4f29abbb6fc1f0b1dc5f40e1f6b0e01 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 17:21:24 +0100 Subject: [PATCH 046/334] config: persitence true --- home/homeassistant/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 7b76c839e8..636ff039b6 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -53,7 +53,7 @@ home-assistant: # @default -- See values.yaml persistence: config: - enabled: false + enabled: true # -- Configure a hostPathMount to mount a USB device in the container. # @default -- See values.yaml usb: From 8f00032a37a3152d195fb3ad8394aa9f9c5c20e5 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 17:38:15 +0100 Subject: [PATCH 047/334] config: add persistence --- home/homeassistant/values.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 636ff039b6..41faa099d6 100644 
--- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -54,6 +54,11 @@ home-assistant: persistence: config: enabled: true + type: pvc + accessMode: ReadWriteOnce + size: 1Gi + storageClass: longhorn + # -- Configure a hostPathMount to mount a USB device in the container. # @default -- See values.yaml usb: From b649b78b7cd182361f0b49bff75b96cc57eafd10 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 19:57:00 +0100 Subject: [PATCH 048/334] config: move to host networking --- home/homeassistant/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 41faa099d6..e1e70fc325 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -40,7 +40,7 @@ home-assistant: - *host # -- Enable devices to be discoverable - # hostNetwork: true + hostNetwork: true # -- When hostNetwork is true set dnsPolicy to ClusterFirstWithHostNet # dnsPolicy: ClusterFirstWithHostNet From d5d853344416c68b7d1a5d54e5f160ee3501a7a4 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 20:02:51 +0100 Subject: [PATCH 049/334] config: added vscode addon --- home/homeassistant/values.yaml | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index e1e70fc325..f068e20d43 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml 
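Review bot: Enabling `hostNetwork: true` without also uncommenting the `dnsPolicy: ClusterFirstWithHostNet` line two lines below means the pod uses the node's resolver and, as far as I can tell, the cluster service names of the postgresql and influxdb subcharts will no longer resolve from Home Assistant. Host networking also binds port 8123 and any discovery ports directly on the node, outside the ingress and its `whitelist-source-range`, so the node firewall becomes the only control on that path; that is worth stating in the comment, e.g. `# hostNetwork exposes 8123 on the node itself; the ingress allowlist does not apply to it`.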
@@ -143,4 +143,34 @@ home-assistant: # absent(up{job=~".*home-assistant.*"} == 1) # for: 5m # labels: - # severity: critical \ No newline at end of file + # severity: critical + +addons: + codeserver: + enabled: true + image: + repository: codercom/code-server + tag: 3.9.0 + workingDir: "/config" + args: + - --auth + - "none" + - --user-data-dir + - "/config/.vscode" + - --extensions-dir + - "/config/.vscode" + ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: "nginx" + hosts: + - host: &config omeassistant-config.europa.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - *config + volumeMounts: + - name: config + mountPath: /config \ No newline at end of file From 2c928819c18656b1ad7d5d79ceb00648fefdcb21 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 20:05:41 +0100 Subject: [PATCH 050/334] config: nested addons --- home/homeassistant/values.yaml | 56 +++++++++++++++++----------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index f068e20d43..41e255e105 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml 
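Review bot: The `codeserver` addon is published through an ingress with `--auth` set to `"none"`, which gives anyone who can reach the addon's host a browser IDE with read and write access to `/config` — including `secrets.yaml` and the automation configuration — protected only by the controller-wide source allowlist, which by now includes the pod CIDR. Put an authentication layer in front (an `nginx.ingress.kubernetes.io/auth-url`/`auth-signin` pair to an SSO provider, or code-server's own password auth) and scope a `nginx.ingress.kubernetes.io/whitelist-source-range` annotation to this ingress. The `tls` entry has no `secretName`, so no certificate is issued or served for it, and `kubernetes.io/ingress.class` is the deprecated form of the `ingressClassName` used by the main ingress above.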
@@ -145,32 +145,32 @@ home-assistant: # labels: # severity: critical -addons: - codeserver: - enabled: true - image: - repository: codercom/code-server - tag: 3.9.0 - workingDir: "/config" - args: - - --auth - - "none" - - --user-data-dir - - "/config/.vscode" - - --extensions-dir - - "/config/.vscode" - ingress: + addons: + codeserver: enabled: true - annotations: - kubernetes.io/ingress.class: "nginx" - hosts: - - host: &config omeassistant-config.europa.jupiter.mein.nl - paths: - - path: / - pathType: Prefix - tls: - - hosts: - - *config - volumeMounts: - - name: config - mountPath: /config \ No newline at end of file + image: + repository: codercom/code-server + tag: 3.9.0 + workingDir: "/config" + args: + - --auth + - "none" + - --user-data-dir + - "/config/.vscode" + - --extensions-dir + - "/config/.vscode" + ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: "nginx" + hosts: + - host: &config omeassistant-config.europa.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - *config + volumeMounts: + - name: config + mountPath: /config \ No newline at end of file From 084de960a8da7aba9765aa6e772c24820690a832 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 20:09:05 +0100 Subject: [PATCH 051/334] config: typo in hostname ha code server --- home/homeassistant/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 41e255e105..b9e0aa1273 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -164,7 +164,7 @@ home-assistant: annotations: kubernetes.io/ingress.class: "nginx" hosts: - - host: &config omeassistant-config.europa.jupiter.mein.nl + - host: &config homeassistant-config.europa.jupiter.mein.nl paths: - path: / pathType: Prefix From e3b65c1347c4bfc26acfe0a6cb1998de870735f8 Mon Sep 17 00:00:00 2001 
From: Peter Mein Date: Fri, 4 Feb 2022 20:15:12 +0100 Subject: [PATCH 052/334] config: added tls to config addon --- home/homeassistant/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index b9e0aa1273..010a6dbd4f 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -161,8 +161,9 @@ home-assistant: - "/config/.vscode" ingress: enabled: true + ingressClassName: nginx annotations: - kubernetes.io/ingress.class: "nginx" + cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - host: &config homeassistant-config.europa.jupiter.mein.nl paths: From 78f49b6d860bced39798deeaf6608b187b6e2634 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 20:27:51 +0100 Subject: [PATCH 053/334] root: added home application set --- bootstrap/root/apply.sh | 3 ++- bootstrap/root/values.yaml | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/bootstrap/root/apply.sh b/bootstrap/root/apply.sh index f058ba574a..8d65f58fee 100755 --- a/bootstrap/root/apply.sh +++ b/bootstrap/root/apply.sh @@ -13,4 +13,5 @@ helm template \ kubectl --namespace argocd wait --timeout=300s --for condition=ResourcesUpToDate \ applicationset/system \ applicationset/platform \ - applicationset/apps + applicationset/apps \ + applicationset/home diff --git a/bootstrap/root/values.yaml b/bootstrap/root/values.yaml index 37e96eec1e..a6b5b7cf0f 100644 --- a/bootstrap/root/values.yaml +++ b/bootstrap/root/values.yaml @@ -7,3 +7,4 @@ stacks: - name: system - name: platform - name: apps + - name: home \ No newline at end of file From a6d56012037778e715ccf96555ec425ab7719422 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 21:03:22 +0100 Subject: [PATCH 054/334] config: renovate token --- platform/renovate/values.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
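Review bot: The `tls:` entry for this host, a few lines below the hunk in the same `ingress:` block, carries no `secretName`, and cert-manager's ingress-shim only creates a Certificate for tls entries that name a secret, so the `cert-manager.io/cluster-issuer: letsencrypt-prod` annotation added here will not produce a certificate and nginx will keep serving its default certificate for `homeassistant-config.europa.jupiter.mein.nl`. Change the entry to `- secretName: homeassistant-config-tls` followed by the existing `hosts:` / `- *config` lines. TLS on this ingress also does nothing about the `--auth none` code-server behind it, which still needs its own authentication. The surrounding `ingress:` mapping continues past the end of the hunk.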
diff --git a/platform/renovate/values.yaml b/platform/renovate/values.yaml index 2a1c9c9dd6..06041bf6f3 100644 --- a/platform/renovate/values.yaml +++ b/platform/renovate/values.yaml @@ -4,13 +4,12 @@ renovate: schedule: '*/5 * * * *' # TODO remove after testing suspend: false renovate: - # TODO generate token automatically, this is just for testing config: | { "platform": "gitea", - "endpoint": "https://git.khuedoan.com/api/v1", + "endpoint": "https://git.jupiter.mein.nl/api/v1", "gitAuthor": "Renovate Bot ", - "token": "31a914fe134384e4044a7d3f7f965bea7a5be5b0", + "token": "7e81319c795c27d16483211cedd81f27058b02c2", "autodiscover": false, "repositories": [ "ops/homelab" From 7204c162264efe1e9014f6f3ffb74b0fcea46d98 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 21:44:53 +0100 Subject: [PATCH 055/334] feat: added pihole --- home/pihole/Chart.yaml | 7 + home/pihole/values.yaml | 401 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 408 insertions(+) create mode 100644 home/pihole/Chart.yaml create mode 100644 home/pihole/values.yaml diff --git a/home/pihole/Chart.yaml b/home/pihole/Chart.yaml new file mode 100644 index 0000000000..c09591da6a --- /dev/null +++ b/home/pihole/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: pihole +version: 0.0.0 +dependencies: + - name: pihole + version: 2.5.3 + repository: https://mojo2600.github.io/pihole-kubernetes/ \ No newline at end of file diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml new file mode 100644 index 0000000000..bf6f6e18aa --- /dev/null +++ b/home/pihole/values.yaml 
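Review bot: The new `"token"` value is a live Gitea API token committed in cleartext inside `renovate.config`, and the same hunk removes the `# TODO generate token automatically, this is just for testing` note, turning a throwaway test credential into the permanent configuration of a repository that Renovate itself pushes to. Both the removed and the added token should be treated as leaked and revoked in Gitea, because both remain in history. Drop the `"token"` key from the JSON and provide it as the `RENOVATE_TOKEN` environment variable — Renovate reads any config option from a `RENOVATE_*` variable — sourced from a Kubernetes Secret through whatever env/secret hook the renovate chart exposes, with the Secret itself produced by the platform's secret management rather than this values file. A one-line comment in place of the removed TODO saying where the token now lives would keep the contract visible.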
@@ -0,0 +1,401 @@ +# Default values for pihole. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- The number of replicas +replicaCount: 1 + +# -- The `spec.strategyTpye` for updates +strategyType: RollingUpdate + +# -- The maximum number of Pods that can be created over the desired number of `ReplicaSet` during updating. +maxSurge: 1 + +# -- The maximum number of Pods that can be unavailable during updating +maxUnavailable: 1 + +image: + # -- the repostory to pull the image from + repository: "pihole/pihole" + # -- the docker tag, if left empty it will get it from the chart's appVersion + tag: "" + # -- the pull policy + pullPolicy: IfNotPresent + +dualStack: + # -- set this to true to enable creation of DualStack services or creation of separate IPv6 services if `serviceDns.type` is set to `"LoadBalancer"` + enabled: false + +dnsHostPort: + # -- set this to true to enable dnsHostPort + enabled: false + # -- default port for this pod + port: 53 + +# -- Configuration for the DNS service on port 53 +serviceDns: + + # -- deploys a mixed (TCP + UDP) Service instead of separate ones + mixedService: false + + # -- `spec.type` for the DNS Service + type: NodePort + + # -- The port of the DNS service + port: 53 + + # -- Optional node port for the DNS service + nodePort: "" + + # -- `spec.externalTrafficPolicy` for the DHCP Service + externalTrafficPolicy: Local + + # -- A fixed `spec.loadBalancerIP` for the DNS Service + loadBalancerIP: "" + # -- A fixed `spec.loadBalancerIP` for the IPv6 DNS Service + loadBalancerIPv6: "" + + # -- Annotations for the DNS service + annotations: {} + # metallb.universe.tf/address-pool: network-services + # metallb.universe.tf/allow-shared-ip: pihole-svc + +# -- Configuration for the DHCP service on port 67 +serviceDhcp: + + # -- Generate a Service resource for DHCP traffic + enabled: true + + # -- `spec.type` for the DHCP Service + type: NodePort + + # -- `spec.externalTrafficPolicy` for the 
DHCP Service + externalTrafficPolicy: Local + + # -- A fixed `spec.loadBalancerIP` for the DHCP Service + loadBalancerIP: "" + # -- A fixed `spec.loadBalancerIP` for the IPv6 DHCP Service + loadBalancerIPv6: "" + + # -- Annotations for the DHCP service + annotations: {} + # metallb.universe.tf/address-pool: network-services + # metallb.universe.tf/allow-shared-ip: pihole-svc + +# -- Configuration for the web interface service +serviceWeb: + # -- Configuration for the HTTP web interface listener + http: + + # -- Generate a service for HTTP traffic + enabled: true + + # -- The port of the web HTTP service + port: 80 + + # -- Configuration for the HTTPS web interface listener + https: + # -- Generate a service for HTTPS traffic + enabled: true + + # -- The port of the web HTTPS service + port: 443 + + # -- `spec.type` for the web interface Service + type: ClusterIP + + # -- `spec.externalTrafficPolicy` for the web interface Service + externalTrafficPolicy: Local + + # -- A fixed `spec.loadBalancerIP` for the web interface Service + loadBalancerIP: "" + # -- A fixed `spec.loadBalancerIP` for the IPv6 web interface Service + loadBalancerIPv6: "" + + # -- Annotations for the DHCP service + annotations: {} + # metallb.universe.tf/address-pool: network-services + # metallb.universe.tf/allow-shared-ip: pihole-svc + +virtualHost: pi.hole + +# -- Configuration for the Ingress +ingress: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: &host pihole.europa.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - *host + +# -- Probes configuration +probes: + # -- probes.liveness -- Configure the healthcheck for the ingress controller + liveness: + # -- Generate a liveness probe + enabled: true + initialDelaySeconds: 60 + failureThreshold: 10 + timeoutSeconds: 5 + readiness: + # -- Generate a readiness probe + enabled: true + initialDelaySeconds: 60 + failureThreshold: 3 + 
timeoutSeconds: 5 + +# -- We usually recommend not to specify default resources and to leave this as a conscious +# -- choice for the user. This also increases chances charts run on environments with little +# -- resources, such as Minikube. If you do want to specify resources, uncomment the following +# -- lines, adjust them as necessary, and remove the curly braces after 'resources:'. +resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +# -- `spec.PersitentVolumeClaim` configuration +persistentVolumeClaim: + # -- set to true to use pvc + enabled: false + + # -- specify an existing `PersistentVolumeClaim` to use + # existingClaim: "" + + # -- Annotations for the `PersitentVolumeClaim` + annotations: {} + + accessModes: + - ReadWriteOnce + + size: "500Mi" + + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## If subPath is set mount a sub folder of a volume instead of the root of the volume. + ## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs). + + ## subPath: "pihole" + +nodeSelector: {} + +tolerations: [] + +# -- Specify a priorityClassName +# priorityClassName: "" + +# Reference: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +topologySpreadConstraints: [] +# - maxSkew: +# topologyKey: +# whenUnsatisfiable: +# labelSelector: + +affinity: {} + +# -- Administrator password when not using an existing secret (see below) +# adminPassword: "admin" + +# -- Use an existing secret for the admin password. 
+admin: + # -- Specify an existing secret to use as admin password + existingSecret: "pihole-admin" + # -- Specify the key inside the secret to use + passwordKey: "password" + +# -- extraEnvironmentVars is a list of extra enviroment variables to set for pihole to use +extraEnvVars: + TZ: Europe/Amsterdam + +# -- extraEnvVarsSecret is a list of secrets to load in as environment variables. +extraEnvVarsSecret: {} + # env_var: + # name: secret-name + # key: secret-key + +# -- default upstream DNS 1 server to use +DNS1: "1.1.1.1" +# -- default upstream DNS 2 server to use +DNS2: "8.8.8.8" + +antiaff: + # -- set to true to enable antiaffinity (example: 2 pihole DNS in the same cluster) + enabled: false + # -- Here you can set the pihole release (you set in `helm install ...`) + # you want to avoid + avoidRelease: pihole1 + # -- Here you can choose between preferred or required + strict: true + +doh: + # -- set to true to enabled DNS over HTTPs via cloudflared + enabled: false + name: "cloudflared" + repository: "crazymax/cloudflared" + tag: latest + pullPolicy: IfNotPresent + # -- Here you can pass environment variables to the DoH container, for example: + envVars: {} + # TUNNEL_DNS_UPSTREAM: "https://1.1.1.2/dns-query,https://1.0.0.2/dns-query" + + # -- Probes configuration + probes: + # -- Configure the healthcheck for the doh container + liveness: + # -- set to true to enable liveness probe + enabled: true + # -- defines the initial delay for the liveness probe + initialDelaySeconds: 60 + # -- defines the failure threshold for the liveness probe + failureThreshold: 10 + # -- defines the timeout in secondes for the liveness probe + timeoutSeconds: 5 + +dnsmasq: + # -- Add upstream dns servers. All lines will be added to the pihole dnsmasq configuration + upstreamServers: [] + # - server=/foo.bar/192.168.178.10 + # - server=/bar.foo/192.168.178.11 + + # -- Add custom dns entries to override the dns resolution. 
All lines will be added to the pihole dnsmasq configuration. + customDnsEntries: [] + # - address=/foo.bar/192.168.178.10 + # - address=/bar.foo/192.168.178.11 + + # -- Dnsmasq reads the /etc/hosts file to resolve ips. You can add additional entries if you like + additionalHostsEntries: [] + # - 192.168.0.3 host4 + # - 192.168.0.4 host5 + + # -- Static DHCP config + staticDhcpEntries: [] + # staticDhcpEntries: + # - dhcp-host=MAC_ADDRESS,IP_ADDRESS,HOSTNAME + + # -- Other options + customSettings: + # otherSettings: + # - rebind-domain-ok=/plex.direct/ + + # -- Here we specify custom cname entries that should point to `A` records or + # elements in customDnsEntries array. + # The format should be: + # - cname=cname.foo.bar,foo.bar + # - cname=cname.bar.foo,bar.foo + # - cname=cname record,dns record + customCnameEntries: [] + # Here we specify custom cname entries that should point to `A` records or + # elements in customDnsEntries array. + # The format should be: + # - cname=cname.foo.bar,foo.bar + # - cname=cname.bar.foo,bar.foo + # - cname=cname record,dns record + +# -- list of adlists to import during initial start of the container +adlists: {} + # If you want to provide blocklists, add them here. + # - https://hosts-file.net/grm.txt + # - https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts + +# -- list of whitelisted domains to import during initial start of the container +whitelist: {} + # If you want to provide whitelisted domains, add them here. 
+ # - clients4.google.com + +# -- list of blacklisted domains to import during initial start of the container +blacklist: {} + # If you want to have special domains blacklisted, add them here + # - *.blackist.com + +# -- list of blacklisted regex expressions to import during initial start of the container +regex: {} + # Add regular expression blacklist items + # - (^|\.)facebook\.com$ + +# -- values that should be added to pihole-FTL.conf +ftl: {} + # Add values for pihole-FTL.conf + # MAXDBDAYS: 14 + +# -- port the container should use to expose HTTP traffic +webHttp: "80" + +# -- port the container should use to expose HTTPS traffic +webHttps: "443" + +# -- hostname of pod +hostname: "" + +# -- should the container use host network +hostNetwork: "false" + +# -- should container run in privileged mode +privileged: "false" + +customVolumes: + # -- set this to true to enable custom volumes + enabled: false + # -- any volume type can be used here + config: {} + # hostPath: + # path: "/mnt/data" + +# -- any extra volumes you might want +extraVolumes: {} + # external-conf: + # configMap: + # name: pi-hole-lighttpd-external-conf + +# -- any extra volume mounts you might want +extraVolumeMounts: {} + # external-conf: + # mountPath: /etc/lighttpd/external.conf + # subPath: external.conf + +# -- Additional annotations for pods +podAnnotations: {} + # Example below allows Prometheus to scape on metric port (requires pihole-exporter sidecar enabled) + # prometheus.io/port: '9617' + # prometheus.io/scrape: 'true' + +monitoring: + # -- Preferably adding prometheus scrape annotations rather than enabling podMonitor. 
+ podMonitor: + # -- set this to true to enable podMonitor + enabled: false + # -- Sidecar configuration + sidecar: + # -- set this to true to enable podMonitor as sidecar + enabled: false + port: 9617 + image: + repository: ekofr/pihole-exporter + tag: 0.0.10 + pullPolicy: IfNotPresent + resources: + limits: + memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +podDnsConfig: + enabled: true + policy: "None" + nameservers: + - 127.0.0.1 + - 8.8.8.8 \ No newline at end of file From 6bb8a1a057a6b9a4bf60d5db8b6c44cd9e79c969 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 21:50:04 +0100 Subject: [PATCH 056/334] config: update ingress pihole --- home/pihole/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index bf6f6e18aa..94d90cecec 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml @@ -131,7 +131,8 @@ ingress: - path: / pathType: Prefix tls: - - hosts: + - secretName: hajimari-tls-certificate + hosts: - *host # -- Probes configuration From aaf21e6d069910c7945677d0d83430860f59045d Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 21:51:38 +0100 Subject: [PATCH 057/334] config: nested pi hole --- home/pihole/values.yaml | 727 ++++++++++++++++++++-------------------- 1 file changed, 364 insertions(+), 363 deletions(-) diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index 94d90cecec..1c8cd3f3c4 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml 
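Review bot: `admin.existingSecret: "pihole-admin"` points at a Secret that nothing in this patch creates, so unless it is provisioned elsewhere the pod will presumably fail to start once the chart wires `passwordKey` into the web-password env; a comment on that line such as `# created out-of-band by the platform's secret management — never commit the value here` would record the contract. Keeping the password out of this file is the right call, since the commented `# adminPassword: "admin"` alternative would land in git history like any other plaintext credential. Two smaller caveats in the same hunk: the upstreams `DNS1: "1.1.1.1"` / `DNS2: "8.8.8.8"` are plain UDP/53 with `doh.enabled: false`, which is a legitimate choice but worth a one-line comment, and if DoH is ever enabled, `doh.tag: latest` should be pinned to a version first so the resolver sidecar is not an unpinned image.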
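Review bot: `secretName: hajimari-tls-certificate` names another application's TLS secret for the `pihole.europa.jupiter.mein.nl` host. With `cert-manager.io/cluster-issuer` set on this ingress, ingress-shim will create a Certificate for that secret name in pihole's namespace; if hajimari's Certificate lives in the same namespace the two compete for one Secret and one of the hosts ends up served with the other's certificate, and if not, the name is simply misleading to whoever debugs it later. Use a per-application name, `- secretName: pihole-tls-certificate`, and let the issuer populate it.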
@@ -1,402 +1,403 @@ -# Default values for pihole. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. +pihole: + # Default values for pihole. + # This is a YAML-formatted file. + # Declare variables to be passed into your templates. -# -- The number of replicas -replicaCount: 1 + # -- The number of replicas + replicaCount: 1 -# -- The `spec.strategyTpye` for updates -strategyType: RollingUpdate + # -- The `spec.strategyTpye` for updates + strategyType: RollingUpdate -# -- The maximum number of Pods that can be created over the desired number of `ReplicaSet` during updating. -maxSurge: 1 + # -- The maximum number of Pods that can be created over the desired number of `ReplicaSet` during updating. + maxSurge: 1 -# -- The maximum number of Pods that can be unavailable during updating -maxUnavailable: 1 + # -- The maximum number of Pods that can be unavailable during updating + maxUnavailable: 1 -image: - # -- the repostory to pull the image from - repository: "pihole/pihole" - # -- the docker tag, if left empty it will get it from the chart's appVersion - tag: "" - # -- the pull policy - pullPolicy: IfNotPresent + image: + # -- the repostory to pull the image from + repository: "pihole/pihole" + # -- the docker tag, if left empty it will get it from the chart's appVersion + tag: "" + # -- the pull policy + pullPolicy: IfNotPresent -dualStack: - # -- set this to true to enable creation of DualStack services or creation of separate IPv6 services if `serviceDns.type` is set to `"LoadBalancer"` - enabled: false + dualStack: + # -- set this to true to enable creation of DualStack services or creation of separate IPv6 services if `serviceDns.type` is set to `"LoadBalancer"` + enabled: false -dnsHostPort: - # -- set this to true to enable dnsHostPort - enabled: false - # -- default port for this pod - port: 53 + dnsHostPort: + # -- set this to true to enable dnsHostPort + enabled: false + # -- default port for this pod + port: 53 -# -- 
Configuration for the DNS service on port 53 -serviceDns: + # -- Configuration for the DNS service on port 53 + serviceDns: - # -- deploys a mixed (TCP + UDP) Service instead of separate ones - mixedService: false + # -- deploys a mixed (TCP + UDP) Service instead of separate ones + mixedService: false - # -- `spec.type` for the DNS Service - type: NodePort + # -- `spec.type` for the DNS Service + type: NodePort - # -- The port of the DNS service - port: 53 + # -- The port of the DNS service + port: 53 - # -- Optional node port for the DNS service - nodePort: "" + # -- Optional node port for the DNS service + nodePort: "" - # -- `spec.externalTrafficPolicy` for the DHCP Service - externalTrafficPolicy: Local + # -- `spec.externalTrafficPolicy` for the DHCP Service + externalTrafficPolicy: Local - # -- A fixed `spec.loadBalancerIP` for the DNS Service - loadBalancerIP: "" - # -- A fixed `spec.loadBalancerIP` for the IPv6 DNS Service - loadBalancerIPv6: "" + # -- A fixed `spec.loadBalancerIP` for the DNS Service + loadBalancerIP: "" + # -- A fixed `spec.loadBalancerIP` for the IPv6 DNS Service + loadBalancerIPv6: "" - # -- Annotations for the DNS service - annotations: {} - # metallb.universe.tf/address-pool: network-services - # metallb.universe.tf/allow-shared-ip: pihole-svc + # -- Annotations for the DNS service + annotations: {} + # metallb.universe.tf/address-pool: network-services + # metallb.universe.tf/allow-shared-ip: pihole-svc -# -- Configuration for the DHCP service on port 67 -serviceDhcp: + # -- Configuration for the DHCP service on port 67 + serviceDhcp: - # -- Generate a Service resource for DHCP traffic - enabled: true + # -- Generate a Service resource for DHCP traffic + enabled: true - # -- `spec.type` for the DHCP Service - type: NodePort + # -- `spec.type` for the DHCP Service + type: NodePort - # -- `spec.externalTrafficPolicy` for the DHCP Service - externalTrafficPolicy: Local + # -- `spec.externalTrafficPolicy` for the DHCP Service + 
externalTrafficPolicy: Local - # -- A fixed `spec.loadBalancerIP` for the DHCP Service - loadBalancerIP: "" - # -- A fixed `spec.loadBalancerIP` for the IPv6 DHCP Service - loadBalancerIPv6: "" + # -- A fixed `spec.loadBalancerIP` for the DHCP Service + loadBalancerIP: "" + # -- A fixed `spec.loadBalancerIP` for the IPv6 DHCP Service + loadBalancerIPv6: "" - # -- Annotations for the DHCP service - annotations: {} - # metallb.universe.tf/address-pool: network-services - # metallb.universe.tf/allow-shared-ip: pihole-svc + # -- Annotations for the DHCP service + annotations: {} + # metallb.universe.tf/address-pool: network-services + # metallb.universe.tf/allow-shared-ip: pihole-svc -# -- Configuration for the web interface service -serviceWeb: - # -- Configuration for the HTTP web interface listener - http: + # -- Configuration for the web interface service + serviceWeb: + # -- Configuration for the HTTP web interface listener + http: - # -- Generate a service for HTTP traffic - enabled: true + # -- Generate a service for HTTP traffic + enabled: true - # -- The port of the web HTTP service - port: 80 + # -- The port of the web HTTP service + port: 80 - # -- Configuration for the HTTPS web interface listener - https: - # -- Generate a service for HTTPS traffic - enabled: true + # -- Configuration for the HTTPS web interface listener + https: + # -- Generate a service for HTTPS traffic + enabled: true - # -- The port of the web HTTPS service - port: 443 - - # -- `spec.type` for the web interface Service - type: ClusterIP - - # -- `spec.externalTrafficPolicy` for the web interface Service - externalTrafficPolicy: Local - - # -- A fixed `spec.loadBalancerIP` for the web interface Service - loadBalancerIP: "" - # -- A fixed `spec.loadBalancerIP` for the IPv6 web interface Service - loadBalancerIPv6: "" - - # -- Annotations for the DHCP service - annotations: {} - # metallb.universe.tf/address-pool: network-services - # metallb.universe.tf/allow-shared-ip: pihole-svc - 
-virtualHost: pi.hole - -# -- Configuration for the Ingress -ingress: - enabled: true - ingressClassName: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - hosts: - - host: &host pihole.europa.jupiter.mein.nl - paths: - - path: / - pathType: Prefix - tls: - - secretName: hajimari-tls-certificate - hosts: - - *host + # -- The port of the web HTTPS service + port: 443 -# -- Probes configuration -probes: - # -- probes.liveness -- Configure the healthcheck for the ingress controller - liveness: - # -- Generate a liveness probe - enabled: true - initialDelaySeconds: 60 - failureThreshold: 10 - timeoutSeconds: 5 - readiness: - # -- Generate a readiness probe + # -- `spec.type` for the web interface Service + type: ClusterIP + + # -- `spec.externalTrafficPolicy` for the web interface Service + externalTrafficPolicy: Local + + # -- A fixed `spec.loadBalancerIP` for the web interface Service + loadBalancerIP: "" + # -- A fixed `spec.loadBalancerIP` for the IPv6 web interface Service + loadBalancerIPv6: "" + + # -- Annotations for the DHCP service + annotations: {} + # metallb.universe.tf/address-pool: network-services + # metallb.universe.tf/allow-shared-ip: pihole-svc + + virtualHost: pi.hole + + # -- Configuration for the Ingress + ingress: enabled: true - initialDelaySeconds: 60 - failureThreshold: 3 - timeoutSeconds: 5 - -# -- We usually recommend not to specify default resources and to leave this as a conscious -# -- choice for the user. This also increases chances charts run on environments with little -# -- resources, such as Minikube. If you do want to specify resources, uncomment the following -# -- lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
-resources: {} - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -# -- `spec.PersitentVolumeClaim` configuration -persistentVolumeClaim: - # -- set to true to use pvc - enabled: false - - # -- specify an existing `PersistentVolumeClaim` to use - # existingClaim: "" - - # -- Annotations for the `PersitentVolumeClaim` - annotations: {} - - accessModes: - - ReadWriteOnce - - size: "500Mi" - - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - - ## If subPath is set mount a sub folder of a volume instead of the root of the volume. - ## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs). - - ## subPath: "pihole" - -nodeSelector: {} - -tolerations: [] - -# -- Specify a priorityClassName -# priorityClassName: "" - -# Reference: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ -topologySpreadConstraints: [] -# - maxSkew: -# topologyKey: -# whenUnsatisfiable: -# labelSelector: - -affinity: {} - -# -- Administrator password when not using an existing secret (see below) -# adminPassword: "admin" - -# -- Use an existing secret for the admin password. -admin: - # -- Specify an existing secret to use as admin password - existingSecret: "pihole-admin" - # -- Specify the key inside the secret to use - passwordKey: "password" - -# -- extraEnvironmentVars is a list of extra enviroment variables to set for pihole to use -extraEnvVars: - TZ: Europe/Amsterdam - -# -- extraEnvVarsSecret is a list of secrets to load in as environment variables. 
-extraEnvVarsSecret: {} - # env_var: - # name: secret-name - # key: secret-key - -# -- default upstream DNS 1 server to use -DNS1: "1.1.1.1" -# -- default upstream DNS 2 server to use -DNS2: "8.8.8.8" - -antiaff: - # -- set to true to enable antiaffinity (example: 2 pihole DNS in the same cluster) - enabled: false - # -- Here you can set the pihole release (you set in `helm install ...`) - # you want to avoid - avoidRelease: pihole1 - # -- Here you can choose between preferred or required - strict: true - -doh: - # -- set to true to enabled DNS over HTTPs via cloudflared - enabled: false - name: "cloudflared" - repository: "crazymax/cloudflared" - tag: latest - pullPolicy: IfNotPresent - # -- Here you can pass environment variables to the DoH container, for example: - envVars: {} - # TUNNEL_DNS_UPSTREAM: "https://1.1.1.2/dns-query,https://1.0.0.2/dns-query" + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: &host pihole.europa.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: hajimari-tls-certificate + hosts: + - *host # -- Probes configuration probes: - # -- Configure the healthcheck for the doh container + # -- probes.liveness -- Configure the healthcheck for the ingress controller liveness: - # -- set to true to enable liveness probe + # -- Generate a liveness probe enabled: true - # -- defines the initial delay for the liveness probe initialDelaySeconds: 60 - # -- defines the failure threshold for the liveness probe failureThreshold: 10 - # -- defines the timeout in secondes for the liveness probe + timeoutSeconds: 5 + readiness: + # -- Generate a readiness probe + enabled: true + initialDelaySeconds: 60 + failureThreshold: 3 timeoutSeconds: 5 -dnsmasq: - # -- Add upstream dns servers. 
All lines will be added to the pihole dnsmasq configuration - upstreamServers: [] - # - server=/foo.bar/192.168.178.10 - # - server=/bar.foo/192.168.178.11 - - # -- Add custom dns entries to override the dns resolution. All lines will be added to the pihole dnsmasq configuration. - customDnsEntries: [] - # - address=/foo.bar/192.168.178.10 - # - address=/bar.foo/192.168.178.11 - - # -- Dnsmasq reads the /etc/hosts file to resolve ips. You can add additional entries if you like - additionalHostsEntries: [] - # - 192.168.0.3 host4 - # - 192.168.0.4 host5 - - # -- Static DHCP config - staticDhcpEntries: [] - # staticDhcpEntries: - # - dhcp-host=MAC_ADDRESS,IP_ADDRESS,HOSTNAME - - # -- Other options - customSettings: - # otherSettings: - # - rebind-domain-ok=/plex.direct/ - - # -- Here we specify custom cname entries that should point to `A` records or - # elements in customDnsEntries array. - # The format should be: - # - cname=cname.foo.bar,foo.bar - # - cname=cname.bar.foo,bar.foo - # - cname=cname record,dns record - customCnameEntries: [] - # Here we specify custom cname entries that should point to `A` records or - # elements in customDnsEntries array. - # The format should be: - # - cname=cname.foo.bar,foo.bar - # - cname=cname.bar.foo,bar.foo - # - cname=cname record,dns record - -# -- list of adlists to import during initial start of the container -adlists: {} - # If you want to provide blocklists, add them here. - # - https://hosts-file.net/grm.txt - # - https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts - -# -- list of whitelisted domains to import during initial start of the container -whitelist: {} - # If you want to provide whitelisted domains, add them here. 
- # - clients4.google.com - -# -- list of blacklisted domains to import during initial start of the container -blacklist: {} - # If you want to have special domains blacklisted, add them here - # - *.blackist.com - -# -- list of blacklisted regex expressions to import during initial start of the container -regex: {} - # Add regular expression blacklist items - # - (^|\.)facebook\.com$ - -# -- values that should be added to pihole-FTL.conf -ftl: {} - # Add values for pihole-FTL.conf - # MAXDBDAYS: 14 - -# -- port the container should use to expose HTTP traffic -webHttp: "80" - -# -- port the container should use to expose HTTPS traffic -webHttps: "443" - -# -- hostname of pod -hostname: "" - -# -- should the container use host network -hostNetwork: "false" - -# -- should container run in privileged mode -privileged: "false" - -customVolumes: - # -- set this to true to enable custom volumes - enabled: false - # -- any volume type can be used here - config: {} - # hostPath: - # path: "/mnt/data" - -# -- any extra volumes you might want -extraVolumes: {} - # external-conf: - # configMap: - # name: pi-hole-lighttpd-external-conf - -# -- any extra volume mounts you might want -extraVolumeMounts: {} - # external-conf: - # mountPath: /etc/lighttpd/external.conf - # subPath: external.conf - -# -- Additional annotations for pods -podAnnotations: {} - # Example below allows Prometheus to scape on metric port (requires pihole-exporter sidecar enabled) - # prometheus.io/port: '9617' - # prometheus.io/scrape: 'true' - -monitoring: - # -- Preferably adding prometheus scrape annotations rather than enabling podMonitor. - podMonitor: - # -- set this to true to enable podMonitor + # -- We usually recommend not to specify default resources and to leave this as a conscious + # -- choice for the user. This also increases chances charts run on environments with little + # -- resources, such as Minikube. 
If you do want to specify resources, uncomment the following + # -- lines, adjust them as necessary, and remove the curly braces after 'resources:'. + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + # -- `spec.PersitentVolumeClaim` configuration + persistentVolumeClaim: + # -- set to true to use pvc enabled: false - # -- Sidecar configuration - sidecar: - # -- set this to true to enable podMonitor as sidecar + + # -- specify an existing `PersistentVolumeClaim` to use + # existingClaim: "" + + # -- Annotations for the `PersitentVolumeClaim` + annotations: {} + + accessModes: + - ReadWriteOnce + + size: "500Mi" + + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## If subPath is set mount a sub folder of a volume instead of the root of the volume. + ## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs). + + ## subPath: "pihole" + + nodeSelector: {} + + tolerations: [] + + # -- Specify a priorityClassName + # priorityClassName: "" + + # Reference: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: + # topologyKey: + # whenUnsatisfiable: + # labelSelector: + + affinity: {} + + # -- Administrator password when not using an existing secret (see below) + # adminPassword: "admin" + + # -- Use an existing secret for the admin password. 
+ admin: + # -- Specify an existing secret to use as admin password + existingSecret: "pihole-admin" + # -- Specify the key inside the secret to use + passwordKey: "password" + + # -- extraEnvironmentVars is a list of extra enviroment variables to set for pihole to use + extraEnvVars: + TZ: Europe/Amsterdam + + # -- extraEnvVarsSecret is a list of secrets to load in as environment variables. + extraEnvVarsSecret: {} + # env_var: + # name: secret-name + # key: secret-key + + # -- default upstream DNS 1 server to use + DNS1: "1.1.1.1" + # -- default upstream DNS 2 server to use + DNS2: "8.8.8.8" + + antiaff: + # -- set to true to enable antiaffinity (example: 2 pihole DNS in the same cluster) + enabled: false + # -- Here you can set the pihole release (you set in `helm install ...`) + # you want to avoid + avoidRelease: pihole1 + # -- Here you can choose between preferred or required + strict: true + + doh: + # -- set to true to enabled DNS over HTTPs via cloudflared enabled: false - port: 9617 - image: - repository: ekofr/pihole-exporter - tag: 0.0.10 - pullPolicy: IfNotPresent - resources: - limits: - memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -podDnsConfig: - enabled: true - policy: "None" - nameservers: - - 127.0.0.1 - - 8.8.8.8 \ No newline at end of file + name: "cloudflared" + repository: "crazymax/cloudflared" + tag: latest + pullPolicy: IfNotPresent + # -- Here you can pass environment variables to the DoH container, for example: + envVars: {} + # TUNNEL_DNS_UPSTREAM: "https://1.1.1.2/dns-query,https://1.0.0.2/dns-query" + + # -- Probes configuration + probes: + # -- Configure the healthcheck for the doh container + liveness: + # -- set to true to enable liveness probe + enabled: true + # -- defines the initial delay for the liveness probe + initialDelaySeconds: 60 + # -- defines the failure threshold for the liveness probe + failureThreshold: 10 + # -- defines the timeout in secondes for the liveness probe + timeoutSeconds: 5 + + dnsmasq: 
+ # -- Add upstream dns servers. All lines will be added to the pihole dnsmasq configuration + upstreamServers: [] + # - server=/foo.bar/192.168.178.10 + # - server=/bar.foo/192.168.178.11 + + # -- Add custom dns entries to override the dns resolution. All lines will be added to the pihole dnsmasq configuration. + customDnsEntries: [] + # - address=/foo.bar/192.168.178.10 + # - address=/bar.foo/192.168.178.11 + + # -- Dnsmasq reads the /etc/hosts file to resolve ips. You can add additional entries if you like + additionalHostsEntries: [] + # - 192.168.0.3 host4 + # - 192.168.0.4 host5 + + # -- Static DHCP config + staticDhcpEntries: [] + # staticDhcpEntries: + # - dhcp-host=MAC_ADDRESS,IP_ADDRESS,HOSTNAME + + # -- Other options + customSettings: + # otherSettings: + # - rebind-domain-ok=/plex.direct/ + + # -- Here we specify custom cname entries that should point to `A` records or + # elements in customDnsEntries array. + # The format should be: + # - cname=cname.foo.bar,foo.bar + # - cname=cname.bar.foo,bar.foo + # - cname=cname record,dns record + customCnameEntries: [] + # Here we specify custom cname entries that should point to `A` records or + # elements in customDnsEntries array. + # The format should be: + # - cname=cname.foo.bar,foo.bar + # - cname=cname.bar.foo,bar.foo + # - cname=cname record,dns record + + # -- list of adlists to import during initial start of the container + adlists: {} + # If you want to provide blocklists, add them here. + # - https://hosts-file.net/grm.txt + # - https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts + + # -- list of whitelisted domains to import during initial start of the container + whitelist: {} + # If you want to provide whitelisted domains, add them here. 
+ # - clients4.google.com + + # -- list of blacklisted domains to import during initial start of the container + blacklist: {} + # If you want to have special domains blacklisted, add them here + # - *.blackist.com + + # -- list of blacklisted regex expressions to import during initial start of the container + regex: {} + # Add regular expression blacklist items + # - (^|\.)facebook\.com$ + + # -- values that should be added to pihole-FTL.conf + ftl: {} + # Add values for pihole-FTL.conf + # MAXDBDAYS: 14 + + # -- port the container should use to expose HTTP traffic + webHttp: "80" + + # -- port the container should use to expose HTTPS traffic + webHttps: "443" + + # -- hostname of pod + hostname: "" + + # -- should the container use host network + hostNetwork: "false" + + # -- should container run in privileged mode + privileged: "false" + + customVolumes: + # -- set this to true to enable custom volumes + enabled: false + # -- any volume type can be used here + config: {} + # hostPath: + # path: "/mnt/data" + + # -- any extra volumes you might want + extraVolumes: {} + # external-conf: + # configMap: + # name: pi-hole-lighttpd-external-conf + + # -- any extra volume mounts you might want + extraVolumeMounts: {} + # external-conf: + # mountPath: /etc/lighttpd/external.conf + # subPath: external.conf + + # -- Additional annotations for pods + podAnnotations: {} + # Example below allows Prometheus to scape on metric port (requires pihole-exporter sidecar enabled) + # prometheus.io/port: '9617' + # prometheus.io/scrape: 'true' + + monitoring: + # -- Preferably adding prometheus scrape annotations rather than enabling podMonitor. 
+ podMonitor: + # -- set this to true to enable podMonitor + enabled: false + # -- Sidecar configuration + sidecar: + # -- set this to true to enable podMonitor as sidecar + enabled: false + port: 9617 + image: + repository: ekofr/pihole-exporter + tag: 0.0.10 + pullPolicy: IfNotPresent + resources: + limits: + memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + podDnsConfig: + enabled: true + policy: "None" + nameservers: + - 127.0.0.1 + - 8.8.8.8 \ No newline at end of file From 7900cf1741911ea8afff0b0517bac08bbc10b6a5 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 21:53:48 +0100 Subject: [PATCH 058/334] config: typo in host config --- home/pihole/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index 1c8cd3f3c4..524052f870 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml @@ -132,9 +132,9 @@ pihole: - path: / pathType: Prefix tls: - - secretName: hajimari-tls-certificate + - secretName: pihole-tls-certificate hosts: - - *host + - *host # -- Probes configuration probes: From 38bcbef85598e18be02cb1300609d88654bdf3cb Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 22:14:04 +0100 Subject: [PATCH 059/334] config: wrong secret --- home/pihole/values.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index 524052f870..a55e4ce3cf 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml @@ -127,14 +127,14 @@ pihole: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host pihole.europa.jupiter.mein.nl - paths: - - path: / - pathType: Prefix + - host: &host pihole.europa.jupiter.mein.nl + paths: + - path: / + pathType: Prefix tls: - - secretName: pihole-tls-certificate - hosts: - - *host + - secretName: pihole-tls-certificate + hosts: + - *host # -- Probes configuration probes: 
@@ -215,7 +215,7 @@ pihole: # -- Use an existing secret for the admin password. admin: # -- Specify an existing secret to use as admin password - existingSecret: "pihole-admin" + existingSecret: "pihole-password" # -- Specify the key inside the secret to use passwordKey: "password" From 9de55473095edba4663a56e1245b33d29f41103d Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 22:15:51 +0100 Subject: [PATCH 060/334] config: small fixes --- home/pihole/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index a55e4ce3cf..ef078fe407 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml @@ -119,7 +119,7 @@ pihole: # metallb.universe.tf/allow-shared-ip: pihole-svc virtualHost: pi.hole - +g # -- Configuration for the Ingress ingress: enabled: true From 2f396185477fda8ea05162b38ccafadd77fd842b Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 22:16:57 +0100 Subject: [PATCH 061/334] config: typo --- home/pihole/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index ef078fe407..a55e4ce3cf 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml @@ -119,7 +119,7 @@ pihole: # metallb.universe.tf/allow-shared-ip: pihole-svc virtualHost: pi.hole -g + # -- Configuration for the Ingress ingress: enabled: true From b43a886e9d9b14edc0c932b03f3f928c549c07dc Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 22:19:13 +0100 Subject: [PATCH 062/334] config: path --- home/pihole/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index a55e4ce3cf..10c7727586 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml 
@@ -129,8 +129,8 @@ pihole: hosts: - host: &host pihole.europa.jupiter.mein.nl paths: - - path: / - pathType: Prefix + - path: / + pathType: Prefix tls: - secretName: pihole-tls-certificate hosts: From 1e907c1152b41e667b60b281e561e567a1f500a3 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 22:22:40 +0100 Subject: [PATCH 063/334] config: unusual ingress --- home/pihole/values.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index 10c7727586..175d7235b1 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml @@ -127,10 +127,8 @@ pihole: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host pihole.europa.jupiter.mein.nl - paths: - - path: / - pathType: Prefix + - &host pihole.europa.jupiter.mein.nl + path: / tls: - secretName: pihole-tls-certificate hosts: From 9920e876fad2e7d23967fa093ca6d3f72172508d Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 22:35:08 +0100 Subject: [PATCH 064/334] config: loadblancer test on dns --- home/pihole/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index 175d7235b1..3183c21c27 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml @@ -40,7 +40,7 @@ pihole: mixedService: false # -- `spec.type` for the DNS Service - type: NodePort + type: LoadBalancer # -- The port of the DNS service port: 53 From 00a8070990cfb3b2c3b1009e1cb468dcd1f00447 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 22:35:52 +0100 Subject: [PATCH 065/334] config: more load balancers --- home/pihole/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index 3183c21c27..0506263821 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml 
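Review bot: The rewritten `hosts:` entry in the "unusual ingress" hunk places `path: /` on an indented continuation line under the scalar list item `- &host pihole.europa.jupiter.mein.nl`, and a `key: value` pair cannot follow a plain scalar list item, so the values file will most likely fail to parse rather than render a different ingress. The shape the chart appears to expect is plain hostnames in `hosts:` with `path` as a sibling key, so move the line up one level: `path: /` directly under `ingress:`, next to `hosts:`. The `&host` anchor on the scalar is fine as long as `tls.hosts` keeps dereferencing `*host` as a string. The enclosing `ingress:` block starts before this hunk.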
@@ -68,7 +68,7 @@ pihole: enabled: true # -- `spec.type` for the DHCP Service - type: NodePort + type: LoadBalancer # -- `spec.externalTrafficPolicy` for the DHCP Service externalTrafficPolicy: Local From ac7588db3c4ac8370cf59d0dd318b5ea16c02efb Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Feb 2022 22:38:58 +0100 Subject: [PATCH 066/334] config: fixed lb ip --- home/pihole/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index 0506263821..7850b652ba 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml @@ -52,7 +52,7 @@ pihole: externalTrafficPolicy: Local # -- A fixed `spec.loadBalancerIP` for the DNS Service - loadBalancerIP: "" + loadBalancerIP: "192.168.1.225" # -- A fixed `spec.loadBalancerIP` for the IPv6 DNS Service loadBalancerIPv6: "" @@ -74,7 +74,7 @@ pihole: externalTrafficPolicy: Local # -- A fixed `spec.loadBalancerIP` for the DHCP Service - loadBalancerIP: "" + loadBalancerIP: "192.168.1.225" # -- A fixed `spec.loadBalancerIP` for the IPv6 DHCP Service loadBalancerIPv6: "" From 9bffcd79287f49b5eb5849a380135c03df2a3293 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 5 Feb 2022 09:41:07 +0100 Subject: [PATCH 067/334] config: back to nodeport --- home/pihole/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index 7850b652ba..175d7235b1 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml @@ -40,7 +40,7 @@ pihole: mixedService: false # -- `spec.type` for the DNS Service - type: LoadBalancer + type: NodePort # -- The port of the DNS service port: 53 @@ -52,7 +52,7 @@ pihole: externalTrafficPolicy: Local # -- A fixed `spec.loadBalancerIP` for the DNS Service - loadBalancerIP: "192.168.1.225" + loadBalancerIP: "" # -- A fixed `spec.loadBalancerIP` for the IPv6 DNS Service loadBalancerIPv6: "" 
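Review bot: Both hunks of the "fixed lb ip" commit pin the same address, `loadBalancerIP: "192.168.1.225"`, on the DNS Service and on the DHCP Service, but nothing in the commit allows two Services to share one IP. If MetalLB is the load balancer in use (the commented `metallb.universe.tf/allow-shared-ip: pihole-svc` annotation elsewhere in this file suggests so), the second Service is left without an address unless both carry that annotation with the same key; with another implementation check its equivalent, or give the DHCP Service its own address. A one-line comment next to each `loadBalancerIP` stating that the address is intentionally shared would make the dependency visible, e.g. `# shared with the DNS Service; requires allow-shared-ip on both`.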
@@ -68,13 +68,13 @@ pihole: enabled: true # -- `spec.type` for the DHCP Service - type: LoadBalancer + type: NodePort # -- `spec.externalTrafficPolicy` for the DHCP Service externalTrafficPolicy: Local # -- A fixed `spec.loadBalancerIP` for the DHCP Service - loadBalancerIP: "192.168.1.225" + loadBalancerIP: "" # -- A fixed `spec.loadBalancerIP` for the IPv6 DHCP Service loadBalancerIPv6: "" From 378bd9a891d8a2b55b229113e4f4d805de3848fc Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 5 Feb 2022 10:08:45 +0100 Subject: [PATCH 068/334] config: move vault to production mode --- platform/vault/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/vault/values.yaml b/platform/vault/values.yaml index cd28171dc6..e33023a57f 100644 --- a/platform/vault/values.yaml +++ b/platform/vault/values.yaml @@ -16,4 +16,4 @@ vault: hosts: - *host dev: - enabled: true # TODO disable vault dev mode + enabled: false From 0d180cea32a8f892ceca153a62ff58eec7b56a97 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 5 Feb 2022 10:12:31 +0100 Subject: [PATCH 069/334] config: or not need to reset vault --- platform/vault/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/vault/values.yaml b/platform/vault/values.yaml index e33023a57f..4ccb04acef 100644 --- a/platform/vault/values.yaml +++ b/platform/vault/values.yaml @@ -16,4 +16,4 @@ vault: hosts: - *host dev: - enabled: false + enabled: true From 2dfaedd521be81a64a23c1d7e3633e2c823d48ba Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 6 Feb 2022 11:52:43 +0100 Subject: [PATCH 070/334] update: ha to 2022.2.2 --- home/homeassistant/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 010a6dbd4f..c10784dde0 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml 
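Review bot: Re-enabling `dev.enabled: true` in the "or not need to reset vault" hunk brings dev mode back without the `# TODO disable vault dev mode` marker that the preceding commit deleted together with the flag, so the file no longer records that this is a temporary state. Vault's dev mode keeps its storage in memory and starts unsealed with a fixed root token, so everything stored in it is lost on pod restart and it should not be relied on as a secret backend by the rest of this repository. Keep the reminder on the line, e.g. `enabled: true # TODO: dev mode (in-memory, auto-unsealed); configure real storage/unseal before depending on it`. The `vault:` block starts before this hunk.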
@@ -3,7 +3,7 @@ home-assistant: # -- image repository repository: homeassistant/home-assistant # -- image tag - tag: 2021.12.7 + tag: 2022.2.2 # -- image pull policy pullPolicy: IfNotPresent From 0e783b6913dc1815ad0590ef9ff1090b3b6b9c32 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 6 Feb 2022 15:15:26 +0100 Subject: [PATCH 071/334] config: correct timezone --- home/homeassistant/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index c10784dde0..dee30c5455 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -11,7 +11,7 @@ home-assistant: # @default -- See below env: # -- Set the container timezone - TZ: Europa/Amsterdam + TZ: Europe/Amsterdam # -- Configures service settings for the chart. Normally this does not need to be modified. # @default -- See values.yaml From ca08854fb8bbf92034ee7aa62384780e7b5d9bae Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 6 Feb 2022 15:16:56 +0100 Subject: [PATCH 072/334] config: added tls secret name --- home/homeassistant/values.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index dee30c5455..8bee49e59d 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -170,8 +170,9 @@ home-assistant: - path: / pathType: Prefix tls: - - hosts: - - *config + - secretName: home-assistant-config-tls-certificate + hosts: + - *config volumeMounts: - name: config mountPath: /config \ No newline at end of file From c7d081392ad9dd0090cf3349bc9f8f180d9efefe Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 6 Feb 2022 15:43:32 +0100 Subject: [PATCH 073/334] config: added websocket annotations --- home/homeassistant/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 8bee49e59d..5eed7106c6 100644 
--- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -28,6 +28,7 @@ home-assistant: enabled: true ingressClassName: nginx annotations: + nginx.org/websocket-services: home-assistant cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - host: &host homeassistant.europa.jupiter.mein.nl From 7bf33fc08376019ae22b27fa5c3fef4fc3168b2c Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 7 Feb 2022 09:47:44 +0100 Subject: [PATCH 074/334] feat: added kaniko --- home/homeassistant/values.yaml | 14 +++++- platform/tekton-pipelines/kaniko.yaml | 62 +++++++++++++++++++++++++++ 2 files changed, 74 insertions(+), 2 deletions(-) create mode 100644 platform/tekton-pipelines/kaniko.yaml diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 5eed7106c6..fcc1ee01db 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -3,7 +3,7 @@ home-assistant: # -- image repository repository: homeassistant/home-assistant # -- image tag - tag: 2022.2.2 + tag: 2022.2.3 # -- image pull policy pullPolicy: IfNotPresent @@ -176,4 +176,14 @@ home-assistant: - *config volumeMounts: - name: config - mountPath: /config \ No newline at end of file + mountPath: /config + + # git: + # enabled: true + # user: + # name: homeassistant-bot + # email: homeassitant@jupiter.mein.nl + + + + \ No newline at end of file diff --git a/platform/tekton-pipelines/kaniko.yaml b/platform/tekton-pipelines/kaniko.yaml new file mode 100644 index 0000000000..896394ce75 --- /dev/null +++ b/platform/tekton-pipelines/kaniko.yaml 
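Review bot: The annotation added here, `nginx.org/websocket-services: home-assistant`, belongs to the NGINX Inc. ingress controller; the community kubernetes/ingress-nginx controller silently ignores `nginx.org/*` keys and already proxies WebSocket upgrades without any annotation. `ingressClassName: nginx` in the context does not say which controller is installed, so verify it: if it is ingress-nginx the line is a no-op and can be dropped, and if it is the NGINX Inc. controller the value must match the Service name the chart actually creates, which is not necessarily `home-assistant`. Either way a silently ignored annotation deserves a comment, e.g. `# NGINX Inc. controller only; ignored by kubernetes/ingress-nginx`.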
@@ -0,0 +1,62 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: kaniko + labels: + app.kubernetes.io/version: "0.5" + annotations: + tekton.dev/pipelines.minVersion: "0.17.0" + tekton.dev/categories: Image Build + tekton.dev/tags: image-build + tekton.dev/displayName: "Build and upload container image using Kaniko" + tekton.dev/platforms: "linux/amd64" +spec: + description: >- + This Task builds source into a container image using Google's kaniko tool. + + Kaniko doesn't depend on a Docker daemon and executes each + command within a Dockerfile completely in userspace. This enables + building container images in environments that can't easily or + securely run a Docker daemon, such as a standard Kubernetes cluster. + + params: + - name: IMAGE + description: Name (reference) of the image to build. + - name: DOCKERFILE + description: Path to the Dockerfile to build. + default: ./Dockerfile + - name: CONTEXT + description: The build context used by Kaniko. + default: ./ + - name: EXTRA_ARGS + type: array + default: [] + - name: BUILDER_IMAGE + description: The image on which builds will run (default is v1.5.1) + default: gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5 + workspaces: + - name: source + description: Holds the context and docker file + - name: dockerconfig + description: Includes a docker `config.json` + optional: true + mountPath: /kaniko/.docker + results: + - name: IMAGE-DIGEST + description: Digest of the image just built. + + steps: + - name: build-and-push + workingDir: $(workspaces.source.path) + image: $(params.BUILDER_IMAGE) + args: + - $(params.EXTRA_ARGS[*]) + - --dockerfile=$(params.DOCKERFILE) + - --context=$(workspaces.source.path)/$(params.CONTEXT) # The user does not need to care the workspace and the source. 
+ - --destination=$(params.IMAGE) + - --digest-file=/tekton/results/IMAGE-DIGEST + # kaniko assumes it is running as root, which means this example fails on platforms + # that default to run containers as random uid (like OpenShift). Adding this securityContext + # makes it explicit that it needs to run as root. + securityContext: + runAsUser: 0 From e311362ac16c8dffa0c41e90a3b9c9432dbef747 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 11 Feb 2022 15:34:20 +0100 Subject: [PATCH 075/334] feat: added new home/influxdb ] --- home/influxdb/Chart.yaml | 7 +++++++ home/influxdb/values.yaml | 10 ++++++++++ 2 files changed, 17 insertions(+) create mode 100644 home/influxdb/Chart.yaml create mode 100644 home/influxdb/values.yaml diff --git a/home/influxdb/Chart.yaml b/home/influxdb/Chart.yaml new file mode 100644 index 0000000000..cebd423a2e --- /dev/null +++ b/home/influxdb/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: influxdb +version: 0.0.0 +dependencies: + - name: influxdb + version: 2.5.3 + repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/influxdb/values.yaml b/home/influxdb/values.yaml new file mode 100644 index 0000000000..9a7c737f05 --- /dev/null +++ b/home/influxdb/values.yaml @@ -0,0 +1,10 @@ + influxdb: + image: + tag: 2.1.1-debian-10-r48 + architecture: standalone + auth: + existingSecret: influxdb-secret + persistence: + enabled: true + storageClass: longhorn + size: 8Gi \ No newline at end of file From 382a7476996a7b42ecefaa3ace62523c04d9f0dc Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 11 Feb 2022 15:35:00 +0100 Subject: [PATCH 076/334] feat: added postgres --- home/postgres/Chart.yaml | 0 home/postgres/values.yaml | 10 ++++++++++ 2 files changed, 10 insertions(+) create mode 100644 home/postgres/Chart.yaml create mode 100644 home/postgres/values.yaml diff --git a/home/postgres/Chart.yaml b/home/postgres/Chart.yaml new file mode 100644 index 0000000000..e69de29bb2 
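Review bot: `EXTRA_ARGS` is the only param in the new kaniko Task without a `description:`, even though its values are expanded first in `args`, ahead of the fixed `--dockerfile`/`--context`/`--destination` flags, which makes it the param a caller is most likely to misuse; add `description: Extra flags passed to the kaniko executor (e.g. --cache=true).` to match the other params. The `runAsUser: 0` requirement and the digest-pinned `BUILDER_IMAGE` are already explained in place, which is good. The optional `dockerconfig` workspace would benefit from a sentence on what happens without it, e.g. `description: Docker config.json with push credentials for the target registry; without it the push to IMAGE runs unauthenticated.`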
diff --git a/home/postgres/values.yaml b/home/postgres/values.yaml new file mode 100644 index 0000000000..155898e486 --- /dev/null +++ b/home/postgres/values.yaml @@ -0,0 +1,10 @@ + postgresql: + image: + repository: bitnami/postgresql + tag: 14.1.0 + auth: + existingSecret: postgresql-secret + persistence: + enabled: true + storageClass: longhorn + size: 4Gi \ No newline at end of file From f8ff7d2e51d8d87a9acff126fc55fcf830615004 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 11 Feb 2022 15:35:11 +0100 Subject: [PATCH 077/334] feat: added adminer --- home/adminer/Chart.yaml | 9 +++++ home/adminer/values.yaml | 85 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 94 insertions(+) create mode 100644 home/adminer/Chart.yaml create mode 100644 home/adminer/values.yaml diff --git a/home/adminer/Chart.yaml b/home/adminer/Chart.yaml new file mode 100644 index 0000000000..5d7776909d --- /dev/null +++ b/home/adminer/Chart.yaml @@ -0,0 +1,9 @@ + +apiVersion: v2 +name: adminer +version: 0.0.0 +dependencies: + - name: adminer + version: 0.1.6 + repository: https://cetic.github.io/helm-charts + diff --git a/home/adminer/values.yaml b/home/adminer/values.yaml new file mode 100644 index 0000000000..5087ec9e40 --- /dev/null +++ b/home/adminer/values.yaml 
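Review bot: This values file configures a `postgresql:` subchart, but the `home/postgres/Chart.yaml` created by the same commit is empty (0 lines, blob `e69de29bb2`), so there is no `dependencies:` entry that pulls the chart and nothing consumes these values. Mirror the influxdb chart from the previous commit: `apiVersion: v2`, `name: postgres`, `version: 0.0.0`, and a `dependencies:` entry naming `postgresql` with a pinned `version:` and the `repository:` it should come from. If the single space before `postgresql:` on the first line is really in the file, check that all top-level keys share that indentation, since a mismatch is a parse error.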
@@ -0,0 +1,85 @@ +# Default values for adminer. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: adminer + tag: 4.8.1-standalone + pullPolicy: IfNotPresent + pullSecrets: [] + +# See envs from https://hub.docker.com/_/adminer/ +config: + plugins: "" + design: "pepa-linha" + externalserver: "" + +nameOverride: "" +fullnameOverride: "" + +service: + type: NodePort + port: 80 + annotations: {} + ## Set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + # loadBalancerIP: + + ## Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + # loadBalancerSourceRanges: + # - 10.10.10.0/24 + +## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## +ingress: + enabled: false + annotations: {} + tls: [] + hosts: [] + path: / + +# kubectl create secret generic ca --from-file=ca.pem +# cat > login-ssl.php << EOF +# "/secrets/ca.pem")); +# EOF +# kubectl create configmap plugins-enabled --from-file=login-ssl.php +# volumeMounts: +# - name: ca +# mountPath: "/secrets/" +# readOnly: true +# - name: plugins-enabled +# mountPath: "/var/www/html/plugins-enabled/" +# readOnly: true + +# volumes: +# - name: ca +# secret: +# secretName: ca +# - name: plugins-enabled +# configMap: +# name: plugins-enabled + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} \ No newline at end of file From 7e3585070d28669426d977707e3b6797587bd5c2 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 11 Feb 2022 15:39:36 +0100 Subject: [PATCH 078/334] config: added ingress for adminer --- home/adminer/values.yaml | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/home/adminer/values.yaml b/home/adminer/values.yaml index 5087ec9e40..d7035f4f2b 100644 --- a/home/adminer/values.yaml +++ b/home/adminer/values.yaml @@ -37,11 +37,19 @@ service: ## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/ ## ingress: - enabled: false - annotations: {} - tls: [] - hosts: [] - path: / + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: &host adminer.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: adminer-tls-certificate + hosts: + - *host # kubectl create secret generic ca --from-file=ca.pem # cat > login-ssl.php << EOF From e9ed603f02ac61ac75fb10a04af0396d1e49a624 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 11 Feb 2022 15:49:52 +0100 Subject: [PATCH 079/334] config: ingress indenting --- home/adminer/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/home/adminer/values.yaml b/home/adminer/values.yaml index d7035f4f2b..7a2ace2477 100644 --- a/home/adminer/values.yaml +++ b/home/adminer/values.yaml 
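Review bot: `service.type: NodePort` together with `ingress.enabled: false` makes Adminer, a database admin UI whose only access control is the database credentials typed into it, reachable on every node's address outside the TLS/ingress path this repository uses for its other apps. If the ingress (enabled in the following commit) is the intended entry point, `type: ClusterIP` is the safer default and avoids a second, unencrypted exposure. The commented `login-ssl.php` block is also truncated (`# "/secrets/ca.pem"));` has lost its opening PHP lines), so it cannot be copied as-is; complete the snippet or replace it with a pointer to the plugin's documentation.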
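Review bot: The new `ingress:` block uses the `hosts: - host: … paths: …` shape of the other charts in this repository, but judging by the chart's ingress template (the copy added to `home/adminer/templates/ingress.yaml` later in this series ranges over `.Values.ingress.hosts` as plain strings, reads `.Values.ingress.path`, and checks `.Values.ingress.className`), each host mapping would render as `host: map[...]`, the removed `path: /` leaves the path empty, and `ingressClassName:` is never read. If that template reflects what the dependency renders, the block should keep the chart's flat shape, as sketched below.
```yaml
ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  path: /
  hosts:
    - &host adminer.jupiter.mein.nl
  tls:
    - secretName: adminer-tls-certificate
      hosts:
        - *host
```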
@@ -42,14 +42,14 @@ ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host adminer.jupiter.mein.nl + - host: &config homeassistant-config.europa.jupiter.mein.nl paths: - path: / pathType: Prefix tls: - - secretName: adminer-tls-certificate + - secretName: home-assistant-config-tls-certificate hosts: - - *host + - *config # kubectl create secret generic ca --from-file=ca.pem # cat > login-ssl.php << EOF From db2186c1b1f70e7aa4c958c4cca1cd2341666990 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 11 Feb 2022 16:40:44 +0100 Subject: [PATCH 080/334] config: try overwrite of ingress --- home/adminer/Chart.yaml | 6 ++-- home/adminer/templates/ingress.yaml | 43 +++++++++++++++++++++++++++++ home/adminer/values.yaml | 6 ++-- 3 files changed, 48 insertions(+), 7 deletions(-) create mode 100644 home/adminer/templates/ingress.yaml diff --git a/home/adminer/Chart.yaml b/home/adminer/Chart.yaml index 5d7776909d..a4526bcb4a 100644 --- a/home/adminer/Chart.yaml +++ b/home/adminer/Chart.yaml @@ -1,9 +1,7 @@ - apiVersion: v2 name: adminer version: 0.0.0 dependencies: - - name: adminer - version: 0.1.6 + - name: adminer-assistant + version: 0.1.7 repository: https://cetic.github.io/helm-charts - diff --git a/home/adminer/templates/ingress.yaml b/home/adminer/templates/ingress.yaml new file mode 100644 index 0000000000..da99006fd5 --- /dev/null +++ b/home/adminer/templates/ingress.yaml 
@@ -0,0 +1,43 @@ +--- +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "adminer.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: {{ template "adminer.fullname" . }}-ingress + namespace: {{ .Release.Namespace }} + labels: + app: {{ include "adminer.name" . | quote }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +{{- with .Values.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.className }} +ingressClassName: {{ .Values.ingress.className | quote }} +{{- end }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ . }} + http: + paths: + - path: {{ $ingressPath }} + backend: + serviceName: {{ $fullName }} + servicePort: http + {{- end }} +{{- end }} diff --git a/home/adminer/values.yaml b/home/adminer/values.yaml index 7a2ace2477..b7a0a50b36 100644 --- a/home/adminer/values.yaml +++ b/home/adminer/values.yaml @@ -42,14 +42,14 @@ ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &config homeassistant-config.europa.jupiter.mein.nl + - host: &host adminer.europa.jupiter.mein.nl paths: - path: / pathType: Prefix tls: - - secretName: home-assistant-config-tls-certificate + - secretName: adminer-tls-certificate hosts: - - *config + - *host # kubectl create secret generic ca --from-file=ca.pem # cat > login-ssl.php << EOF From 0b89d2812aeaa5d389586b6d4b882db41f905d1e Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 11 Feb 2022 16:41:25 +0100 Subject: [PATCH 081/334] fix: wrong name on chart --- home/adminer/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
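Review bot: The new template reads `.Values.ingress.className` and `.Values.ingress.path` and iterates `.Values.ingress.hosts` as plain strings, but the values.yaml hunk in this same commit sets `ingressClassName`, has no `path` key (it was removed in an earlier commit), and gives `hosts` as `host:`/`paths:` maps, so the rendered Ingress would carry no class, an empty path, and a host rendered from a Go map. It also uses `apiVersion: extensions/v1beta1` with the `serviceName`/`servicePort` backend form, which was removed in Kubernetes 1.22, so a cluster on a current release will reject the object; `ingressClassName` is additionally emitted at column 0 instead of under `spec:`. Aligning the rules block with the values shape and moving to `networking.k8s.io/v1` looks like the fix; the metadata and tls blocks can stay as they are. Whether the subchart's Service port is actually named `http` is not visible here and should be checked against its service.yaml.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
# … unchanged: metadata block (name, namespace, labels, annotations) …
spec:
{{- if .Values.ingress.ingressClassName }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
{{- end }}
# … unchanged: tls block …
  rules:
  {{- range .Values.ingress.hosts }}
  - host: {{ .host | quote }}
    http:
      paths:
      {{- range .paths }}
      - path: {{ .path }}
        pathType: {{ .pathType | default "Prefix" }}
        backend:
          service:
            name: {{ $fullName }}
            port:
              name: http
      {{- end }}
  {{- end }}
```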
diff --git a/home/adminer/Chart.yaml b/home/adminer/Chart.yaml index a4526bcb4a..38fdee4aeb 100644 --- a/home/adminer/Chart.yaml +++ b/home/adminer/Chart.yaml @@ -2,6 +2,6 @@ apiVersion: v2 name: adminer version: 0.0.0 dependencies: - - name: adminer-assistant + - name: adminer version: 0.1.7 repository: https://cetic.github.io/helm-charts From 709af92de44c18c1620dfe1a0e99476f1d436499 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 11 Feb 2022 16:46:04 +0100 Subject: [PATCH 082/334] config: indent --- home/adminer/templates/ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/adminer/templates/ingress.yaml b/home/adminer/templates/ingress.yaml index da99006fd5..f625a3b5de 100644 --- a/home/adminer/templates/ingress.yaml +++ b/home/adminer/templates/ingress.yaml @@ -18,7 +18,7 @@ metadata: {{- end }} spec: {{- if .Values.ingress.className }} -ingressClassName: {{ .Values.ingress.className | quote }} + ingressClassName: {{ .Values.ingress.className | quote }} {{- end }} {{- if .Values.ingress.tls }} tls: From c8d7b4abf9b59ba165ce9ef8698b686c6ddd1552 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 12 Feb 2022 08:21:11 +0100 Subject: [PATCH 083/334] config: fork adminer --- home/adminer/Chart.yaml | 2 +- home/adminer/helm-adminer | 1 + home/adminer/templates/ingress.yaml | 43 ----------------------------- 3 files changed, 2 insertions(+), 44 deletions(-) create mode 160000 home/adminer/helm-adminer delete mode 100644 home/adminer/templates/ingress.yaml diff --git a/home/adminer/Chart.yaml b/home/adminer/Chart.yaml index 38fdee4aeb..a6c2f3a5d0 100644 --- a/home/adminer/Chart.yaml +++ b/home/adminer/Chart.yaml @@ -4,4 +4,4 @@ version: 0.0.0 dependencies: - name: adminer version: 0.1.7 - repository: https://cetic.github.io/helm-charts + repository: 'file://../helm-adminer' diff --git a/home/adminer/helm-adminer b/home/adminer/helm-adminer new file mode 160000 index 0000000000..00aea7b531 --- /dev/null 
+++ b/home/adminer/helm-adminer @@ -0,0 +1 @@ +Subproject commit 00aea7b531921ddec47a1ee58bf7b79bd7466162 diff --git a/home/adminer/templates/ingress.yaml b/home/adminer/templates/ingress.yaml deleted file mode 100644 index f625a3b5de..0000000000 --- a/home/adminer/templates/ingress.yaml +++ /dev/null @@ -1,43 +0,0 @@ ---- -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "adminer.fullname" . -}} -{{- $ingressPath := .Values.ingress.path -}} -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: {{ template "adminer.fullname" . }}-ingress - namespace: {{ .Release.Namespace }} - labels: - app: {{ include "adminer.name" . | quote }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -{{- with .Values.ingress.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} -spec: -{{- if .Values.ingress.className }} - ingressClassName: {{ .Values.ingress.className | quote }} -{{- end }} -{{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} -{{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ . }} - http: - paths: - - path: {{ $ingressPath }} - backend: - serviceName: {{ $fullName }} - servicePort: http - {{- end }} -{{- end }} From 9857dcc10600a09d89eddd92fe3aeeb5efbd20d2 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 12 Feb 2022 08:22:41 +0100 Subject: [PATCH 084/334] config: change path of helm subchart --- home/adminer/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/adminer/Chart.yaml b/home/adminer/Chart.yaml index a6c2f3a5d0..2249b78e78 100644 --- a/home/adminer/Chart.yaml +++ b/home/adminer/Chart.yaml @@ -4,4 +4,4 @@ version: 0.0.0 dependencies: - name: adminer version: 0.1.7 - repository: 'file://../helm-adminer' + repository: 'file:///helm-adminer' 
From 9f34e330a82e65bbd4a0eb3d6ed155cf757225a3 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 12 Feb 2022 08:23:31 +0100 Subject: [PATCH 085/334] config: relative subpath --- home/adminer/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/adminer/Chart.yaml b/home/adminer/Chart.yaml index 2249b78e78..2f02f06e3c 100644 --- a/home/adminer/Chart.yaml +++ b/home/adminer/Chart.yaml @@ -4,4 +4,4 @@ version: 0.0.0 dependencies: - name: adminer version: 0.1.7 - repository: 'file:///helm-adminer' + repository: 'file://./helm-adminer' From 39973a6f47b9956cb3f00053b23212ce99c65b41 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 12 Feb 2022 08:25:22 +0100 Subject: [PATCH 086/334] config: chart lock --- home/adminer/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/adminer/Chart.yaml b/home/adminer/Chart.yaml index 2f02f06e3c..e2edf7b9c2 100644 --- a/home/adminer/Chart.yaml +++ b/home/adminer/Chart.yaml @@ -3,5 +3,5 @@ name: adminer version: 0.0.0 dependencies: - name: adminer - version: 0.1.7 + version: 0.2.0 repository: 'file://./helm-adminer' From 5df3ff2ec14371cca461221b47a9df6bad8bc2d0 Mon Sep 17 00:00:00 2001 
From: Peter Mein Date: Sat, 12 Feb 2022 08:31:06 +0100 Subject: [PATCH 087/334] config: moved subrepo --- home/adminer/Chart.yaml | 1 - .../charts/adminer/.circleci/config.yml | 14 ++ .../.github/ISSUE_TEMPLATE/bug_report.md | 34 +++ .../.github/ISSUE_TEMPLATE/feature_request.md | 28 +++ .../adminer/.github/PULL_REQUEST_TEMPLATE.md | 40 ++++ home/adminer/charts/adminer/.gitignore | 7 + home/adminer/charts/adminer/.helmignore | 26 +++ home/adminer/charts/adminer/Chart.yaml | 26 +++ home/adminer/charts/adminer/LICENSE | 201 ++++++++++++++++++ home/adminer/charts/adminer/README.md | 107 ++++++++++ .../charts/adminer/templates/NOTES.txt | 19 ++ .../charts/adminer/templates/_helpers.tpl | 32 +++ .../charts/adminer/templates/deployment.yaml | 74 +++++++ .../charts/adminer/templates/ingress.yaml | 82 +++++++ .../charts/adminer/templates/service.yaml | 32 +++ home/adminer/charts/adminer/values.yaml | 85 ++++++++ home/adminer/helm-adminer | 1 - 17 files changed, 807 insertions(+), 2 deletions(-) create mode 100644 home/adminer/charts/adminer/.circleci/config.yml create mode 100644 home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/bug_report.md create mode 100644 home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/feature_request.md create mode 100644 home/adminer/charts/adminer/.github/PULL_REQUEST_TEMPLATE.md create mode 100644 home/adminer/charts/adminer/.gitignore create mode 100644 home/adminer/charts/adminer/.helmignore create mode 100644 home/adminer/charts/adminer/Chart.yaml create mode 100644 home/adminer/charts/adminer/LICENSE create mode 100644 home/adminer/charts/adminer/README.md create mode 100644 home/adminer/charts/adminer/templates/NOTES.txt create mode 100644 home/adminer/charts/adminer/templates/_helpers.tpl create mode 100644 home/adminer/charts/adminer/templates/deployment.yaml create mode 100644 home/adminer/charts/adminer/templates/ingress.yaml create mode 100644 home/adminer/charts/adminer/templates/service.yaml create mode 100644 
home/adminer/charts/adminer/values.yaml delete mode 160000 home/adminer/helm-adminer diff --git a/home/adminer/Chart.yaml b/home/adminer/Chart.yaml index e2edf7b9c2..03b9d2c644 100644 --- a/home/adminer/Chart.yaml +++ b/home/adminer/Chart.yaml @@ -4,4 +4,3 @@ version: 0.0.0 dependencies: - name: adminer version: 0.2.0 - repository: 'file://./helm-adminer' diff --git a/home/adminer/charts/adminer/.circleci/config.yml b/home/adminer/charts/adminer/.circleci/config.yml new file mode 100644 index 0000000000..5309c82587 --- /dev/null +++ b/home/adminer/charts/adminer/.circleci/config.yml @@ -0,0 +1,14 @@ +version: 2 +jobs: + build: + docker: + - image: alpine + steps: + - checkout + - run: + name: helm-github-pages + environment: + - GITHUB_PAGES_REPO: cetic/helm-charts + - HELM_CHART: adminer + - HELM_VERSION: 3.2.4 + command: wget -O - https://raw.githubusercontent.com/cetic/helm-chart-publisher/master/publish.sh | sh \ No newline at end of file diff --git a/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/bug_report.md b/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000000..9af2bccefc --- /dev/null +++ b/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,34 @@ +--- +name: Bug report +about: Create a report to help us improve +title: '[cetic/adminer] issue title' +labels: '' +assignees: '' + +--- + + + +**Describe the bug** +A clear and concise description of what the bug is. + +**Version of Helm and Kubernetes**: + + +**What happened**: + + +**What you expected to happen**: + + +**How to reproduce it** (as minimally and precisely as possible): + + +**Anything else we need to know**: + + diff --git a/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/feature_request.md b/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000000..84c4aa6ff0 --- /dev/null +++ b/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/feature_request.md 
@@ -0,0 +1,28 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '[cetic/adminer] issue title' +labels: '' +assignees: '' + +--- + + + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. + diff --git a/home/adminer/charts/adminer/.github/PULL_REQUEST_TEMPLATE.md b/home/adminer/charts/adminer/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000000..b2e13b69d2 --- /dev/null +++ b/home/adminer/charts/adminer/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,40 @@ + + +#### What this PR does / why we need it: + +#### Which issue this PR fixes +*(optional, in `fixes #(, fixes #, ...)` format, will close that issue when PR gets merged)* + - fixes # + +#### Special notes for your reviewer: + +#### Checklist +[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.] +- [ ] [DCO](https://github.com/helm/charts/blob/master/CONTRIBUTING.md#sign-your-work) signed +- [ ] Chart Version bumped +- [ ] Variables are documented in the README.md diff --git a/home/adminer/charts/adminer/.gitignore b/home/adminer/charts/adminer/.gitignore new file mode 100644 index 0000000000..0a22b3bc79 --- /dev/null +++ b/home/adminer/charts/adminer/.gitignore @@ -0,0 +1,7 @@ +*.tgz + +# Helm Charts dependencies +/charts +*.lock + +.idea diff --git a/home/adminer/charts/adminer/.helmignore b/home/adminer/charts/adminer/.helmignore new file mode 100644 index 0000000000..fbdd321f57 --- /dev/null +++ b/home/adminer/charts/adminer/.helmignore 
@@ -0,0 +1,26 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store + +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ + +# Common backup files +*.swp +*.bak +*.tmp +*~ + +# Various IDEs +.project +.idea/ +*.tmproj + +.circleci/ diff --git a/home/adminer/charts/adminer/Chart.yaml b/home/adminer/charts/adminer/Chart.yaml new file mode 100644 index 0000000000..dc0798d9b7 --- /dev/null +++ b/home/adminer/charts/adminer/Chart.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: v2 +name: adminer +appVersion: 4.8.1 +version: 0.2.0 +description: Adminer is a full-featured database management tool written in PHP. Conversely to phpMyAdmin, it consist of a single file ready to deploy to the target server. Adminer is available for MySQL, MariaDB, PostgreSQL, SQLite, MS SQL, Oracle, Firebird, SimpleDB, Elasticsearch and MongoDB +home: https://www.adminer.org +icon: https://raw.githubusercontent.com/Kong/docker-official-docs/master/adminer/logo.png +keywords: + - adminer + - postgres + - mysql + - sqlite + - elasticsearch + - mongodb + - database + - sql +source: + - https://github.com/cetic/helm-adminer +maintainers: + - name: fzalila + email: faiez.zalila@cetic.be + url: https://github.com/fzalila + - name: alexnuttinck + email: alexandre.nuttinck@cetic.be + url: https://github.com/alexnuttinck diff --git a/home/adminer/charts/adminer/LICENSE b/home/adminer/charts/adminer/LICENSE new file mode 100644 index 0000000000..261eeb9e9f --- /dev/null +++ b/home/adminer/charts/adminer/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/home/adminer/charts/adminer/README.md b/home/adminer/charts/adminer/README.md new file mode 100644 index 0000000000..25eef8257a --- /dev/null +++ b/home/adminer/charts/adminer/README.md 
@@ -0,0 +1,107 @@ +# Helm Chart for Adminer + +[![CircleCI](https://circleci.com/gh/cetic/helm-adminer.svg?style=svg)](https://circleci.com/gh/cetic/helm-adminer/tree/master) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) ![version](https://img.shields.io/github/tag/cetic/helm-adminer.svg?label=release) + +## Introduction + +This [Helm](https://github.com/kubernetes/helm) chart installs [Adminer](https://www.adminer.org) in a Kubernetes cluster. + +## Prerequisites + +- Kubernetes cluster 1.10+ +- Helm 3.0.0+ +- PV provisioner support in the underlying infrastructure. + +## Installation + +### Add Helm repository + +```bash +helm repo add cetic https://cetic.github.io/helm-charts +helm repo update +``` + +### Configure the chart + +The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly (need to download the chart first). + +#### Configure the way how to expose Adminer service: + +- **Ingress**: The ingress controller must be installed in the Kubernetes cluster. +- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. +- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. +- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. + +### Install the chart + +Install the Adminer helm chart with a release name `my-release`: + +```bash +helm install --name my-release cetic/adminer +``` + +## Uninstallation + +To uninstall/delete the `my-release` deployment: + +```bash +helm delete --purge my-release +``` + +## Configuration + +The following table lists the configurable parameters of the Adminer chart and the default values. 
+ +| Parameter | Description | Default | +| --------------------------------- | ----------------------------------------------------------------------- | --------------------------- | +| **Image** | +| `image.repository` | Image | `adminer` | +| `image.tag` | Image tag | `4.7.7-standalone` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Image pull secrets for private registry | `[]` | +| **Config** | +| `config.plugins` | List of plugins to install. You can find the list of plugins on [GitHub](https://github.com/vrana/adminer/tree/master/plugins)| ``| +| `config.design` | A bundled design to use. You can find the list of designs on [GitHub](https://github.com/vrana/adminer/tree/master/designs)| ``| +| `config.externalserver` | The default host | `` | +| **Service** | +| `service.type` | Service type | `NodePort` | +| `service.port` | The service port | `80` | +| `service.annotations` | Custom annotations for service | `{}` | +| `service.labels` | Additional custom labels for the service | `{}` | +| `service.loadBalancerIP` | LoadBalancerIP if service type is `LoadBalancer` | `nil` | +| `service.loadBalancerSourceRanges`| Address that are allowed when svc is `LoadBalancer` | `[]` | +| **Ingress** | +| `ingress.enabled` | Enables Ingress | `false` | +| `ingress.annotations` | Ingress annotations | `{}` | +| `ingress.labels` | Custom labels | `{}` | +| `ingress.hosts` | Ingress accepted hostnames | `[]` | +| `ingress.tls` | Ingress TLS configuration | `[]` | +| **Resources** | +| `resources` | CPU/Memory resource requests/limits | `{}` | +| **Tolerations** | +| `tolerations` | Add tolerations | `[]` | +| **NodeSelector** | +| `nodeSelector` | node labels for pod assignment | `{}` | +| **Affinity** | +| `affinity` | node/pod affinities | `{}` | +| **LivenessProbe** | +| `livenessProbe` | Liveness probe settings | `nil` | +| **ReadnessProbe** | +| `readinessProbe` | Readiness probe settings | `nil` | +| `volumeMounts` | Add 
volumeMount to the adminer container | `nil` | +| `volumes` | Add volumes to the pod | `nil` | + +## Credits + +Initially inspired from https://github.com/mogaal/helm-charts/tree/master/adminer. + +## Contributing + +Feel free to contribute by making a [pull request](https://github.com/cetic/helm-adminer/pull/new/master). + +Please read the official [Contribution Guide](https://github.com/helm/charts/blob/master/CONTRIBUTING.md) from Helm for more information on how you can contribute to this Chart. + +## License + +[Apache License 2.0](/LICENSE.md) + diff --git a/home/adminer/charts/adminer/templates/NOTES.txt b/home/adminer/charts/adminer/templates/NOTES.txt new file mode 100644 index 0000000000..7d187a5890 --- /dev/null +++ b/home/adminer/charts/adminer/templates/NOTES.txt 
@@ -0,0 +1,19 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ if $.Values.ingress.host }}{{.Values.ingress.host}}{{else}}your-cluster-ip{{end}}{{ $.Values.ingress.path }} + {{if not $.Values.ingress.host}} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "adminer.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "adminer.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "adminer.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "adminer.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl port-forward $POD_NAME 8080:80 +{{- end }} diff --git a/home/adminer/charts/adminer/templates/_helpers.tpl b/home/adminer/charts/adminer/templates/_helpers.tpl new file mode 100644 index 0000000000..d223408a51 --- /dev/null +++ b/home/adminer/charts/adminer/templates/_helpers.tpl 
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "adminer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "adminer.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "adminer.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/home/adminer/charts/adminer/templates/deployment.yaml b/home/adminer/charts/adminer/templates/deployment.yaml new file mode 100644
index 0000000000..7b1db5fbd0
--- /dev/null
+++ b/home/adminer/charts/adminer/templates/deployment.yaml
@@ -0,0 +1,74 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "adminer.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "adminer.name" . }} + helm.sh/chart: {{ include "adminer.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "adminer.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "adminer.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + spec: + {{- if .Values.image.pullSecrets }} + imagePullSecrets: + {{- range .Values.image.pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 8080 + protocol: TCP + env: + - name: ADMINER_PLUGINS + value: {{ .Values.config.plugins }} + - name: ADMINER_DESIGN + value: {{ .Values.config.design }} + - name: ADMINER_DEFAULT_SERVER + value: {{ .Values.config.externalserver }} + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.livenessProbe }} + livenessProbe: + {{ toYaml . | indent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{ toYaml . | indent 12 }} + {{- end }} + {{- with .Values.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} 
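Review bot: Neither the pod nor the container sets a `securityContext`, so Adminer — a PHP console that receives database credentials — runs with the image's defaults and nothing in the hunk sets `runAsNonRoot`, `allowPrivilegeEscalation: false` or drops capabilities. The template already exposes `resources`, `volumes` and the probes through values, so a `podSecurityContext`/`securityContext` pair in the same `{{- with }}` style lets operators harden it without forking the chart. Separately, the three `env` values are rendered unquoted (`value: {{ .Values.config.plugins }}`): the default empty string becomes YAML null and a value such as `off` or `yes` becomes a boolean the API server rejects, so use `value: {{ .Values.config.plugins | quote }}` (and the same for `design` and `externalserver`). The probe blocks use `{{ toYaml . | indent 12 }}` where the rest of the file uses `nindent`; whether the leading whitespace double-indents the first key cannot be confirmed from the collapsed hunk, but `{{- toYaml . | nindent 12 }}` removes the doubt.
```yaml
    spec:
      {{- with .Values.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      # … unchanged: imagePullSecrets …
      containers:
        - name: {{ .Chart.Name }}
          {{- with .Values.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # … unchanged: image, imagePullPolicy, ports …
          env:
            - name: ADMINER_PLUGINS
              value: {{ .Values.config.plugins | quote }}
            - name: ADMINER_DESIGN
              value: {{ .Values.config.design | quote }}
            - name: ADMINER_DEFAULT_SERVER
              value: {{ .Values.config.externalserver | quote }}
          # … unchanged: resources, volumeMounts, probes …
```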
diff --git a/home/adminer/charts/adminer/templates/ingress.yaml b/home/adminer/charts/adminer/templates/ingress.yaml new file mode 100644 index 0000000000..8ea7d9c67c --- /dev/null +++ b/home/adminer/charts/adminer/templates/ingress.yaml 
@@ -0,0 +1,82 @@ +{{- if .Values.ingress.enabled -}} +{{- $architecture := .Values.architecture }} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.ingress.annotations .Values.commonAnnotations .Values.ingress.certManager }} + annotations: + {{- if .Values.ingress.certManager }} + kubernetes.io/tls-acme: "true" + {{- end }} + {{- if .Values.ingress.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.ingress.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.ingress.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.ingress.hostname }} + - host: {{ .Values.ingress.hostname }} + http: + paths: + {{- if .Values.ingress.extraPaths }} + {{- toYaml .Values.ingress.extraPaths | nindent 10 }} + {{- end }} + {{- if eq $architecture "high-availability" }} + - path: /write + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + {{- $relayServiceName := printf "%s-%s" (include "common.names.fullname" .) "relay" }} + backend: {{- include "common.ingress.backend" (dict "serviceName" $relayServiceName "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + - path: {{ default "/" .Values.ingress.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) 
}} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.ingress.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + {{- if $.Values.ingress.extraPaths }} + {{- toYaml $.Values.ingress.extraPaths | nindent 10 }} + {{- end }} + {{- if eq $architecture "high-availability" }} + - path: /write + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ $.Values.ingress.pathType }} + {{- end }} + {{- $relayServiceName := printf "%s-%s" (include "common.names.fullname" $) "relay" }} + backend: {{- include "common.ingress.backend" (dict "serviceName" $relayServiceName "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- if or (and .Values.ingress.tls (or .Values.ingress.certManager .Values.ingress.selfSigned)) .Values.ingress.extraTls }} + tls: + {{- if and .Values.ingress.tls (or .Values.ingress.certManager .Values.ingress.selfSigned) }} + - hosts: + - {{ .Values.ingress.hostname | quote }} + secretName: {{ printf "%s-tls" .Values.ingress.hostname }} + {{- end }} + {{- if .Values.ingress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/home/adminer/charts/adminer/templates/service.yaml b/home/adminer/charts/adminer/templates/service.yaml new file mode 100644 index 0000000000..1ab66d386f --- /dev/null 
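Review bot: The ingress template's keys do not match the values.yaml added in this same commit: the template reads `ingress.hostname`, `pathType`, `certManager`, `selfSigned`, `extraHosts` and `extraTls`, while the values define `ingress.hosts: []` and `ingress.tls: []`, so with the shipped defaults `hostname` is unset, the `rules:` list renders empty and the Ingress is rejected by the API server. The `$architecture`/`high-availability` branch with its `/write` relay backend is InfluxDB-specific and has no meaning for Adminer, and the `common.*` helpers the template includes are not declared as a dependency in Chart.yaml at this point in the series. Either drop the relay branch and rename the values to `hostname`/`tls`, or keep the cetic `hosts:` list and range over it — in both cases `helm template` with default values should yield a valid Ingress before `ingress.enabled` is documented. Minor: the tls `hosts` entry quotes the hostname but the `host:` rule above does not; use `| quote` in both.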
+++ b/home/adminer/charts/adminer/templates/service.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "adminer.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "adminer.name" . }} + helm.sh/chart: {{ include "adminer.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Values.service.annotations }} + annotations: +{{ toYaml .Values.service.annotations | indent 4 }} +{{- end }} +spec: + type: {{ .Values.service.type }} + {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{ with .Values.service.loadBalancerSourceRanges }} +{{ toYaml . | indent 4 }} +{{- end }} + {{- end }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: {{ include "adminer.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/home/adminer/charts/adminer/values.yaml b/home/adminer/charts/adminer/values.yaml new file mode 100644 index 0000000000..4928835d3b --- /dev/null +++ b/home/adminer/charts/adminer/values.yaml 
@@ -0,0 +1,85 @@ +# Default values for adminer. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: adminer + tag: 4.8.1-standalone + pullPolicy: IfNotPresent + pullSecrets: [] + +# See envs from https://hub.docker.com/_/adminer/ +config: + plugins: "" + design: "pepa-linha" + externalserver: "" + +nameOverride: "" +fullnameOverride: "" + +service: + type: NodePort + port: 80 + annotations: {} + ## Set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + # loadBalancerIP: + + ## Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + # loadBalancerSourceRanges: + # - 10.10.10.0/24 + +## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## +ingress: + enabled: false + annotations: {} + tls: [] + hosts: [] + path: / + +# kubectl create secret generic ca --from-file=ca.pem +# cat > login-ssl.php << EOF +# "/secrets/ca.pem")); +# EOF +# kubectl create configmap plugins-enabled --from-file=login-ssl.php +# volumeMounts: +# - name: ca +# mountPath: "/secrets/" +# readOnly: true +# - name: plugins-enabled +# mountPath: "/var/www/html/plugins-enabled/" +# readOnly: true + +# volumes: +# - name: ca +# secret: +# secretName: ca +# - name: plugins-enabled +# configMap: +# name: plugins-enabled + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/home/adminer/helm-adminer b/home/adminer/helm-adminer deleted file mode 160000 index 00aea7b531..0000000000 --- a/home/adminer/helm-adminer +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 00aea7b531921ddec47a1ee58bf7b79bd7466162 From 96791b9c64490efa1ad55731b3c7ffce76399b38 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 12 Feb 2022 08:32:46 +0100 Subject: [PATCH 088/334] config: moved to depend chart --- home/adminer/values.yaml | 161 ++++++++++++++++++++------------------- 1 file changed, 81 insertions(+), 80 deletions(-) diff --git a/home/adminer/values.yaml b/home/adminer/values.yaml index b7a0a50b36..af5a44c234 100644 --- a/home/adminer/values.yaml +++ b/home/adminer/values.yaml 
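Review bot: `service.type: NodePort` is an unsafe default for a database console: every node's address serves the Adminer login form over plain HTTP, and the `loadBalancerSourceRanges` knob offered right below it has no effect on a NodePort service, so there is no way to restrict sources without changing the type. Default to `type: ClusterIP` and reach the UI through the Ingress with TLS or `kubectl port-forward`, both of which the NOTES already describe. The `login-ssl.php` snippet in the comment looks truncated — `# "/secrets/ca.pem"));` has lost its opening `<?php return new AdminerLoginSsl(array("ca" =>` — presumably an extraction artefact, but worth checking in the committed file since users will copy it. The image is pinned only by tag `4.8.1-standalone`; an optional `image.digest` value would make pulls content-addressed.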
@@ -1,93 +1,94 @@ -# Default values for adminer. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. +adminer: + # Default values for adminer. + # This is a YAML-formatted file. + # Declare variables to be passed into your templates. -replicaCount: 1 + replicaCount: 1 -image: - repository: adminer - tag: 4.8.1-standalone - pullPolicy: IfNotPresent - pullSecrets: [] + image: + repository: adminer + tag: 4.8.1-standalone + pullPolicy: IfNotPresent + pullSecrets: [] -# See envs from https://hub.docker.com/_/adminer/ -config: - plugins: "" - design: "pepa-linha" - externalserver: "" + # See envs from https://hub.docker.com/_/adminer/ + config: + plugins: "" + design: "pepa-linha" + externalserver: "" -nameOverride: "" -fullnameOverride: "" + nameOverride: "" + fullnameOverride: "" -service: - type: NodePort - port: 80 - annotations: {} - ## Set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - # loadBalancerIP: + service: + type: NodePort + port: 80 + annotations: {} + ## Set the LoadBalancer service type to internal only. 
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + # loadBalancerIP: - ## Load Balancer sources - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - # loadBalancerSourceRanges: - # - 10.10.10.0/24 + ## Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + # loadBalancerSourceRanges: + # - 10.10.10.0/24 -## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/ -## -ingress: - enabled: true - ingressClassName: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - hosts: - - host: &host adminer.europa.jupiter.mein.nl - paths: - - path: / - pathType: Prefix - tls: - - secretName: adminer-tls-certificate - hosts: - - *host + ## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/ + ## + ingress: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: &host adminer.europa.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: adminer-tls-certificate + hosts: + - *host -# kubectl create secret generic ca --from-file=ca.pem -# cat > login-ssl.php << EOF -# "/secrets/ca.pem")); -# EOF -# kubectl create configmap plugins-enabled --from-file=login-ssl.php -# volumeMounts: -# - name: ca -# mountPath: "/secrets/" -# readOnly: true -# - name: plugins-enabled -# mountPath: "/var/www/html/plugins-enabled/" -# readOnly: true + # kubectl create secret generic ca --from-file=ca.pem + # cat > login-ssl.php << EOF + # "/secrets/ca.pem")); + # EOF + # kubectl create configmap plugins-enabled --from-file=login-ssl.php + # volumeMounts: + # - name: ca + # mountPath: "/secrets/" + # readOnly: 
true + # - name: plugins-enabled + # mountPath: "/var/www/html/plugins-enabled/" + # readOnly: true -# volumes: -# - name: ca -# secret: -# secretName: ca -# - name: plugins-enabled -# configMap: -# name: plugins-enabled + # volumes: + # - name: ca + # secret: + # secretName: ca + # - name: plugins-enabled + # configMap: + # name: plugins-enabled -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi -nodeSelector: {} + nodeSelector: {} -tolerations: [] + tolerations: [] -affinity: {} \ No newline at end of file + affinity: {} \ No newline at end of file From b94eccacf27975e1b6415a5b0aefb32af6999082 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 12 Feb 2022 08:38:48 +0100 Subject: [PATCH 089/334] config: new default values for ingress --- home/adminer/charts/adminer/values.yaml | 83 +++++++++++++++++++++++-- 1 file changed, 78 insertions(+), 5 deletions(-) diff --git a/home/adminer/charts/adminer/values.yaml b/home/adminer/charts/adminer/values.yaml index 4928835d3b..c7b6b3e0f8 100644 --- a/home/adminer/charts/adminer/values.yaml +++ b/home/adminer/charts/adminer/values.yaml 
@@ -34,14 +34,87 @@ service: # loadBalancerSourceRanges: # - 10.10.10.0/24 -## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/ -## ingress: + ## @param ingress.enabled Enable ingress controller resource + ## enabled: false - annotations: {} - tls: [] - hosts: [] + ## @param ingress.tls Create TLS Secret + ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }} + ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it + ## + tls: false + ## DEPRECATED: Use ingress.annotations instead of ingress.certManager + ## certManager: false + ## + + ## @param ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.hostname Default host for the ingress resource + ## + hostname: influxdb.local + ## @param ingress.path Ingress path*' in order to use this + ## with ALB ingress controllers. + ## path: / + ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record. 
+ ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array + ## extraHosts: + ## - name: influxdb.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths Additional arbitrary path/backend objects + ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. + ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## extraTls: + ## - hosts: + ## - influxdb.local + ## secretName: influxdb.local-tls + ## + extraTls: [] + ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## - name: influxdb.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" # kubectl create secret generic ca --from-file=ca.pem # cat > login-ssl.php << EOF From 8db75dcf2d163729b9ad27872f58539b0f6a0c7d Mon Sep 17 00:00:00 2001 
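Review bot: `ingress.secrets` invites users to paste a certificate and private key into values.yaml, but none of the templates visible in this series (deployment, service, ingress, NOTES, helpers) renders a Secret from it, so the key material would sit in values and in Git while being silently ignored, and the Ingress would still expect `<hostname>-tls` to exist. Either add the Bitnami `tls-secrets.yaml` template that consumes it, or remove the parameter and state next to `tls` that the Secret must come from cert-manager or be pre-created. Several InfluxDB leftovers remain: the default `hostname: influxdb.local`, the `influxdb.local-tls` examples, and the garbled `## @param ingress.path Ingress path*' in order to use this` line, which should read `## @param ingress.path Ingress path. Use "/*" with ALB ingress controllers`. `## path: /` is commented out, so the chart's own defaults leave `ingress.path` undefined; uncomment it as `path: /`.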
From: Peter Mein Date: Sat, 12 Feb 2022 08:41:32 +0100 Subject: [PATCH 090/334] config: added common section --- home/adminer/charts/adminer/values.yaml | 36 +++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/home/adminer/charts/adminer/values.yaml b/home/adminer/charts/adminer/values.yaml index c7b6b3e0f8..09918285ff 100644 --- a/home/adminer/charts/adminer/values.yaml +++ b/home/adminer/charts/adminer/values.yaml @@ -16,8 +16,44 @@ config: design: "pepa-linha" externalserver: "" +## @section Common parameters + +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param nameOverride String to partially override influxdb.fullname template with a string (will prepend the release name) +## nameOverride: "" +## @param fullnameOverride String to fully override influxdb.fullname template with a string +## fullnameOverride: "" +## @param clusterDomain Default Kubernetes cluster domain +## +clusterDomain: cluster.local +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param extraDeploy Array of extra objects to deploy with the release +## +extraDeploy: [] + +## Enable diagnostic mode in the deployment +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity service: type: NodePort From c7a27888b68585a5584a208e82b773b190e5801c Mon Sep 17 00:00:00 2001 
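Review bot: `diagnosticMode`, `extraDeploy`, `kubeVersion`, `clusterDomain`, `commonLabels` and `commonAnnotations` are added with Bitnami-style documentation, but the deployment template in this chart references none of them, so `diagnosticMode.enabled: true` neither disables the probes nor overrides the command as its comment promises, and `extraDeploy` objects are never rendered. Either wire them in — `{{- if .Values.diagnosticMode.enabled }} command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}` in the container spec plus an `extra-list.yaml` template — or trim the section to the keys the templates actually read so operators are not misled about what the chart honours. The `@param nameOverride`/`fullnameOverride` comments still mention `influxdb.fullname`; they should say `adminer.fullname`.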
From: Peter Mein Date: Sat, 12 Feb 2022 08:43:09 +0100 Subject: [PATCH 091/334] config: included common library chart --- home/adminer/charts/adminer/Chart.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/home/adminer/charts/adminer/Chart.yaml b/home/adminer/charts/adminer/Chart.yaml index dc0798d9b7..52afa99ba4 100644 --- a/home/adminer/charts/adminer/Chart.yaml +++ b/home/adminer/charts/adminer/Chart.yaml @@ -24,3 +24,7 @@ maintainers: - name: alexnuttinck email: alexandre.nuttinck@cetic.be url: https://github.com/alexnuttinck +dependencies: + - name: common + version: 1.11.1 + repository: https://charts.bitnami.com/bitnami \ No newline at end of file From 4cfc17ef684c16924b1ce0bd07eafa2e3126fdf1 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 12 Feb 2022 08:45:51 +0100 Subject: [PATCH 092/334] config: added common? --- home/adminer/charts/adminer/Chart.yaml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/home/adminer/charts/adminer/Chart.yaml b/home/adminer/charts/adminer/Chart.yaml index 52afa99ba4..e708cce7da 100644 --- a/home/adminer/charts/adminer/Chart.yaml +++ b/home/adminer/charts/adminer/Chart.yaml @@ -6,6 +6,13 @@ version: 0.2.0 description: Adminer is a full-featured database management tool written in PHP. Conversely to phpMyAdmin, it consist of a single file ready to deploy to the target server. Adminer is available for MySQL, MariaDB, PostgreSQL, SQLite, MS SQL, Oracle, Firebird, SimpleDB, Elasticsearch and MongoDB home: https://www.adminer.org icon: https://raw.githubusercontent.com/Kong/docker-official-docs/master/adminer/logo.png +dependencies: + - name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 1.x.x +engine: gotpl keywords: - adminer - postgres 
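Review bot: The `common` dependency is declared as `version: 1.x.x`, replacing the exact `1.11.1` from the preceding patch, while `/charts` and `*.lock` are still gitignored at this point, so every `helm dependency update` may resolve a different upstream release and the rendered manifests are not reproducible from the repository. Pin an exact version, `version: 1.11.1`, and commit `Chart.lock` so the resolved chart and its digest are reviewed like any other dependency. `engine: gotpl` is a Chart API v1 field; if this chart is `apiVersion: v2` (not visible in the hunk) it is ignored and can be dropped.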
@@ -24,7 +31,3 @@ maintainers: - name: alexnuttinck email: alexandre.nuttinck@cetic.be url: https://github.com/alexnuttinck -dependencies: - - name: common - version: 1.11.1 - repository: https://charts.bitnami.com/bitnami \ No newline at end of file From 51bba3541934ac11676ce0e0171f633e0eb600e8 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 12 Feb 2022 09:08:21 +0100 Subject: [PATCH 093/334] config: try wihtout ignore --- home/adminer/charts/adminer/.gitignore | 4 ++-- home/adminer/charts/adminer/Chart.yaml | 2 -- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/home/adminer/charts/adminer/.gitignore b/home/adminer/charts/adminer/.gitignore index 0a22b3bc79..3f18c1655b 100644 --- a/home/adminer/charts/adminer/.gitignore +++ b/home/adminer/charts/adminer/.gitignore @@ -1,7 +1,7 @@ *.tgz # Helm Charts dependencies -/charts -*.lock +#/charts +#*.lock .idea diff --git a/home/adminer/charts/adminer/Chart.yaml b/home/adminer/charts/adminer/Chart.yaml index e708cce7da..7f3c6e76df 100644 --- a/home/adminer/charts/adminer/Chart.yaml +++ b/home/adminer/charts/adminer/Chart.yaml @@ -22,8 +22,6 @@ keywords: - mongodb - database - sql -source: - - https://github.com/cetic/helm-adminer maintainers: - name: fzalila email: faiez.zalila@cetic.be From d6dd0a7154c1bee03f16d114ef939ea4ebcd9ae9 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 12 Feb 2022 09:13:01 +0100 Subject: [PATCH 094/334] config: test --- home/adminer/Chart.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/home/adminer/Chart.yaml b/home/adminer/Chart.yaml index 03b9d2c644..41159c6a04 100644 --- a/home/adminer/Chart.yaml +++ b/home/adminer/Chart.yaml @@ -4,3 +4,9 @@ version: 0.0.0 dependencies: - name: adminer version: 0.2.0 + - name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 1.x.x +engine: gotpl \ No newline at end of file From 2e5f834ccba3bdfbfebc064530fef56256f363ac Mon Sep 17 00:00:00 2001 
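Review bot: Un-ignoring `/charts` and `*.lock` in .gitignore does not vendor the dependency as intended, because the first line `*.tgz` still excludes `charts/common-*.tgz`; only `Chart.lock` would actually be committed. If the goal is a reproducible, reviewable dependency, either remove `*.tgz` from the ignore list (or add `!charts/*.tgz`) or rely on the committed `Chart.lock` plus `helm dependency build` in CI and keep the tarballs out of Git. Commenting the two lines out rather than deleting them also leaves dead entries; delete them once the decision sticks.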
From: Peter Mein Date: Sun, 13 Feb 2022 09:19:08 +0100 Subject: [PATCH 095/334] config: simpeler version of ingress --- .../charts/adminer/templates/ingress.yaml | 35 ++++--------------- 1 file changed, 7 insertions(+), 28 deletions(-) diff --git a/home/adminer/charts/adminer/templates/ingress.yaml b/home/adminer/charts/adminer/templates/ingress.yaml index 8ea7d9c67c..56cb3432a8 100644 --- a/home/adminer/charts/adminer/templates/ingress.yaml +++ b/home/adminer/charts/adminer/templates/ingress.yaml @@ -1,10 +1,8 @@ -{{- if .Values.ingress.enabled -}} -{{- $architecture := .Values.architecture }} +{{- if .Values.ingress.enabled }} apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} kind: Ingress metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} labels: {{- include "common.labels.standard" . | nindent 4 }} {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} @@ -15,7 +13,7 @@ metadata: kubernetes.io/tls-acme: "true" {{- end }} {{- if .Values.ingress.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.ingress.annotations "context" $) | nindent 4 }} + {{- include "common.tplvalues.render" ( dict "value" .Values.ingress.annotations "context" $ ) | nindent 4 }} {{- end }} {{- if .Values.commonAnnotations }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} 
@@ -33,15 +31,7 @@ spec: {{- if .Values.ingress.extraPaths }} {{- toYaml .Values.ingress.extraPaths | nindent 10 }} {{- end }} - {{- if eq $architecture "high-availability" }} - - path: /write - {{- if eq "true" (include "common.ingress.supportsPathType" .) }} - pathType: {{ .Values.ingress.pathType }} - {{- end }} - {{- $relayServiceName := printf "%s-%s" (include "common.names.fullname" .) "relay" }} - backend: {{- include "common.ingress.backend" (dict "serviceName" $relayServiceName "servicePort" "http" "context" $) | nindent 14 }} - {{- end }} - - path: {{ default "/" .Values.ingress.path }} + - path: {{ .Values.ingress.path }} {{- if eq "true" (include "common.ingress.supportsPathType" .) }} pathType: {{ .Values.ingress.pathType }} {{- end }} 
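Review bot: `- path: {{ .Values.ingress.path }}` drops the `default "/"` guard, and the chart's own values.yaml from the earlier patch in this series leaves `## path: /` commented out, so `helm template` with chart defaults now renders `path:` as null; that is tolerated for `pathType: ImplementationSpecific` but is a schema error for `Prefix` or `Exact`. Restore `- path: {{ default "/" .Values.ingress.path }}` or uncomment `path: /` in values.yaml. The `extraHosts` loop in the next hunk keeps `default "/" .path`, so the two branches are now also inconsistent.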
@@ -51,32 +41,21 @@ spec: - host: {{ .name | quote }} http: paths: - {{- if $.Values.ingress.extraPaths }} - {{- toYaml $.Values.ingress.extraPaths | nindent 10 }} - {{- end }} - {{- if eq $architecture "high-availability" }} - - path: /write - {{- if eq "true" (include "common.ingress.supportsPathType" $) }} - pathType: {{ $.Values.ingress.pathType }} - {{- end }} - {{- $relayServiceName := printf "%s-%s" (include "common.names.fullname" $) "relay" }} - backend: {{- include "common.ingress.backend" (dict "serviceName" $relayServiceName "servicePort" "http" "context" $) | nindent 14 }} - {{- end }} - path: {{ default "/" .path }} {{- if eq "true" (include "common.ingress.supportsPathType" $) }} pathType: {{ default "ImplementationSpecific" .pathType }} {{- end }} backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http" "context" $) | nindent 14 }} {{- end }} - {{- if or (and .Values.ingress.tls (or .Values.ingress.certManager .Values.ingress.selfSigned)) .Values.ingress.extraTls }} + {{- if or .Values.ingress.tls .Values.ingress.extraTls }} tls: - {{- if and .Values.ingress.tls (or .Values.ingress.certManager .Values.ingress.selfSigned) }} + {{- if .Values.ingress.tls }} - hosts: - - {{ .Values.ingress.hostname | quote }} + - {{ .Values.ingress.hostname }} secretName: {{ printf "%s-tls" .Values.ingress.hostname }} {{- end }} {{- if .Values.ingress.extraTls }} - {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }} + {{- include "common.tplvalues.render" ( dict "value" .Values.ingress.extraTls "context" $ ) | nindent 4 }} {{- end }} {{- end }} {{- end }} \ No newline at end of file From b422f74c29989ae98f12bcde866654b0eee24bc2 Mon Sep 17 00:00:00 2001 
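Review bot: With the `certManager`/`selfSigned` gate removed, the `tls:` block is emitted whenever `ingress.tls` is true and names `secretName: <hostname>-tls`, but nothing in the chart creates that Secret: `ingress.secrets` has no consuming template, and the `kubernetes.io/tls-acme` annotation in the first hunk is still gated on `.Values.ingress.certManager`, which the values file marks deprecated and no longer defines. TLS therefore works only when the operator supplies a cert-manager annotation themselves; say so in values.yaml next to `tls`, e.g. `## The Secret "<hostname>-tls" must be issued by cert-manager (set ingress.annotations) or pre-provisioned; ingress.secrets is not rendered by this chart`. Minor: `- {{ .Values.ingress.hostname }}` lost its `| quote`; a hostname is safe unquoted in practice, but quoting keeps it consistent with the `host:` line in the extraHosts loop.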
From: Peter Mein Date: Sun, 13 Feb 2022 09:27:02 +0100 Subject: [PATCH 096/334] config: new ingress template with new config --- home/adminer/Chart.yaml | 10 ++++---- home/adminer/charts/adminer/values.yaml | 2 +- home/adminer/values.yaml | 31 ++++++++++++++----------- 3 files changed, 23 insertions(+), 20 deletions(-) diff --git a/home/adminer/Chart.yaml b/home/adminer/Chart.yaml index 41159c6a04..9ec9cc2fdb 100644 --- a/home/adminer/Chart.yaml +++ b/home/adminer/Chart.yaml @@ -4,9 +4,9 @@ version: 0.0.0 dependencies: - name: adminer version: 0.2.0 - - name: common - repository: https://charts.bitnami.com/bitnami - tags: - - bitnami-common - version: 1.x.x + # - name: common + # repository: https://charts.bitnami.com/bitnami + # tags: + # - bitnami-common + # version: 1.x.x engine: gotpl \ No newline at end of file diff --git a/home/adminer/charts/adminer/values.yaml b/home/adminer/charts/adminer/values.yaml index 09918285ff..f557909cbc 100644 --- a/home/adminer/charts/adminer/values.yaml +++ b/home/adminer/charts/adminer/values.yaml @@ -91,7 +91,7 @@ ingress: apiVersion: "" ## @param ingress.hostname Default host for the ingress resource ## - hostname: influxdb.local + hostname: adminer.local ## @param ingress.path Ingress path*' in order to use this ## with ALB ingress controllers. ## diff --git a/home/adminer/values.yaml b/home/adminer/values.yaml index af5a44c234..18a9bc3b8e 100644 --- a/home/adminer/values.yaml +++ b/home/adminer/values.yaml 
@@ -37,20 +37,23 @@ adminer: ## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/ ## - ingress: - enabled: true - ingressClassName: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - hosts: - - host: &host adminer.europa.jupiter.mein.nl - paths: - - path: / - pathType: Prefix - tls: - - secretName: adminer-tls-certificate - hosts: - - *host +## Configure the ingress resource that allows you to access the +## ®abbitMQ installation. Set up the URL +## ref: https://kubernetes.io/docs/user-guide/ingress/ +## +ingress: + enabled: true + path: / + pathType: ImplementationSpecific + hostname: adminer.jupiter.mein.nl + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + tls: true + selfSigned: false + extraHosts: [] + extraTls: [] + secrets: [] + ingressClassName: "nginx" # kubectl create secret generic ca --from-file=ca.pem # cat > login-ssl.php << EOF From fb04414a22bfeb5e08a5e29f76f9dde06614dc55 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 13 Feb 2022 09:29:43 +0100 Subject: [PATCH 097/334] config: indent --- home/adminer/values.yaml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/home/adminer/values.yaml b/home/adminer/values.yaml index 18a9bc3b8e..770b685207 100644 --- a/home/adminer/values.yaml +++ b/home/adminer/values.yaml 
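Review bot: The Ingress publishes Adminer at `adminer.jupiter.mein.nl` with a Let's Encrypt certificate but no access control in front of it; Adminer has no login of its own beyond the database credentials a visitor types in, so its login form and PHP attack surface are reachable by anyone on the internet. Put an authentication layer in front of it — nginx forward-auth annotations such as `nginx.ingress.kubernetes.io/auth-url` and `nginx.ingress.kubernetes.io/auth-signin` pointing at an SSO proxy, or at minimum `nginx.ingress.kubernetes.io/whitelist-source-range` with your trusted networks — before the host is exposed. The comment `## ®abbitMQ installation. Set up the URL` is a mangled leftover from the Bitnami RabbitMQ chart; replace it with `## Ingress for the Adminer UI`. Note that this hunk also places `ingress:` at column 0, outside the `adminer:` key, so the subchart does not see these values as committed here.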
@@ -41,19 +41,19 @@ adminer: ## ®abbitMQ installation. Set up the URL ## ref: https://kubernetes.io/docs/user-guide/ingress/ ## -ingress: - enabled: true - path: / - pathType: ImplementationSpecific - hostname: adminer.jupiter.mein.nl - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - tls: true - selfSigned: false - extraHosts: [] - extraTls: [] - secrets: [] - ingressClassName: "nginx" + ingress: + enabled: true + path: / + pathType: ImplementationSpecific + hostname: adminer.jupiter.mein.nl + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + tls: true + selfSigned: false + extraHosts: [] + extraTls: [] + secrets: [] + ingressClassName: "nginx" # kubectl create secret generic ca --from-file=ca.pem # cat > login-ssl.php << EOF From 5719b819b834b5b2765900500e386d6f47034f9f Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 13 Feb 2022 09:31:08 +0100 Subject: [PATCH 098/334] config: add common again --- home/adminer/Chart.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/home/adminer/Chart.yaml b/home/adminer/Chart.yaml index 9ec9cc2fdb..41159c6a04 100644 --- a/home/adminer/Chart.yaml +++ b/home/adminer/Chart.yaml @@ -4,9 +4,9 @@ version: 0.0.0 dependencies: - name: adminer version: 0.2.0 - # - name: common - # repository: https://charts.bitnami.com/bitnami - # tags: - # - bitnami-common - # version: 1.x.x + - name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 1.x.x engine: gotpl \ No newline at end of file From bfd70b75440acf4665dc22badb6fc6b1b29c5074 Mon Sep 17 00:00:00 2001 
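Review bot: The restored `common` dependency in `home/adminer/Chart.yaml` is pinned only to the floating range `version: 1.x.x` against `https://charts.bitnami.com/bitnami`, so each `helm dependency update` can pull a different library chart into the release without any change in this repo, and no `Chart.lock` appears in the diffstat to freeze what was actually resolved. Pin an exact chart version and commit the generated `Chart.lock` so renders are reproducible and an unexpected upstream 1.x release (or a compromised one) cannot slip in silently. The unrelated `\ No newline at end of file` on `engine: gotpl` is carried over from the previous state and could be fixed while touching the file.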
From: Peter Mein Date: Sun, 13 Feb 2022 09:44:19 +0100 Subject: [PATCH 099/334] feat: postgresql --- home/postgres/Chart.yaml | 0 home/postgres/values.yaml | 10 - home/postgresql/Chart.yaml | 1323 ++++++++++++++++++++++++++++++++++ home/postgresql/values.yaml | 1331 +++++++++++++++++++++++++++++++++++ 4 files changed, 2654 insertions(+), 10 deletions(-) delete mode 100644 home/postgres/Chart.yaml delete mode 100644 home/postgres/values.yaml create mode 100644 home/postgresql/Chart.yaml create mode 100644 home/postgresql/values.yaml diff --git a/home/postgres/Chart.yaml b/home/postgres/Chart.yaml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/home/postgres/values.yaml b/home/postgres/values.yaml deleted file mode 100644 index 155898e486..0000000000 --- a/home/postgres/values.yaml +++ /dev/null @@ -1,10 +0,0 @@ - postgresql: - image: - repository: bitnami/postgresql - tag: 14.1.0 - auth: - existingSecret: postgresql-secret - persistence: - enabled: true - storageClass: longhorn - size: 4Gi \ No newline at end of file diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml new file mode 100644 index 0000000000..c1787eac61 --- /dev/null +++ b/home/postgresql/Chart.yaml 
@@ -0,0 +1,1323 @@ +## @section Global parameters +## Please, note that this will override the parameters, including dependencies, configured to use the global value +## +global: + ## @param global.imageRegistry Global Docker image registry + ## + imageRegistry: "" + ## @param global.imagePullSecrets Global Docker registry secret names as an array + ## e.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + ## @param global.storageClass Global StorageClass for Persistent Volume(s) + ## + storageClass: "" + postgresql: + ## @param global.postgresql.auth.postgresPassword Password for the "postgres" admin user (overrides `auth.postgresPassword`) + ## @param global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`) + ## @param global.postgresql.auth.password Password for the custom user to create (overrides `auth.password`) + ## @param global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`) + ## @param global.postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`) + ## + auth: + postgresPassword: "" + username: "" + password: "" + database: "" + existingSecret: "" + ## @param global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) + ## + service: + ports: + postgresql: "" + +## @section Common parameters +## + +## @param kubeVersion Override Kubernetes version +## +kubeVersion: "" +## @param nameOverride String to partially override common.names.fullname template (will maintain the release name) +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname template +## +fullnameOverride: "" +## @param clusterDomain Kubernetes Cluster Domain +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) +## +extraDeploy: [] +## @param 
commonLabels Add labels to all the deployed resources +## +commonLabels: {} +## @param commonAnnotations Add annotations to all the deployed resources +## +commonAnnotations: {} +## Enable diagnostic mode in the statefulset +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the statefulset + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the statefulset + ## + args: + - infinity + +## @section PostgreSQL common parameters +## + +## Bitnami PostgreSQL image version +## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ +## @param image.registry PostgreSQL image registry +## @param image.repository PostgreSQL image repository +## @param image.tag PostgreSQL image tag (immutable tags are recommended) +## @param image.pullPolicy PostgreSQL image pull policy +## @param image.pullSecrets Specify image pull secrets +## @param image.debug Specify if debug values should be set +## +image: + registry: docker.io + repository: bitnami/postgresql + tag: 14.1.0-debian-10-r80 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false +## Authentication parameters +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run +## +auth: + ## @param auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user + ## + enablePostgresUser: true + ## @param auth.postgresPassword Password for the "postgres" admin user + ## + postgresPassword: "" + ## @param auth.username Name for a custom user to create + ## + username: "" + ## @param auth.password Password for the custom user to create + ## + password: "" + ## @param auth.database Name for a custom database to create + ## + database: "" + ## @param auth.replicationUsername Name of the replication user + ## + replicationUsername: repl_user + ## @param auth.replicationPassword Password for the replication user + ## + replicationPassword: "" + ## @param auth.existingSecret Name of existing secret to use for PostgreSQL credentials + ## `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret + ## The secret must contain the keys `postgres-password` (which is the password for "postgres" admin user), + ## `password` (which is the password for the custom user to create when `auth.username` is set), + ## and `replication-password` (which is the password for replication user). + ## The secret might also contains the key `ldap-password` if LDAP is enabled. 
`ldap.bind_password` will be ignored and + ## picked from this secret in this case. + ## The value is evaluated as a template. + ## + existingSecret: "" + ## @param auth.usePasswordFiles Mount credentials as a files instead of using an environment variable + ## + usePasswordFiles: false +## @param architecture PostgreSQL architecture (`standalone` or `replication`) +## +architecture: standalone +## Replication configuration +## Ignored if `architecture` is `standalone` +## +replication: + ## @param replication.synchronousCommit Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` + ## @param replication.numSynchronousReplicas Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`. + ## ref: https://www.postgresql.org/docs/current/runtime-config-wal.html#GUC-SYNCHRONOUS-COMMIT + ## + synchronousCommit: "off" + numSynchronousReplicas: 0 + ## @param replication.applicationName Cluster application name. 
Useful for advanced replication settings + ## + applicationName: my_application +## @param containerPorts.postgresql PostgreSQL container port +## +containerPorts: + postgresql: 5432 +## Audit settings +## https://github.com/bitnami/bitnami-docker-postgresql#auditing +## @param audit.logHostname Log client hostnames +## @param audit.logConnections Add client log-in operations to the log file +## @param audit.logDisconnections Add client log-outs operations to the log file +## @param audit.pgAuditLog Add operations to log using the pgAudit extension +## @param audit.pgAuditLogCatalog Log catalog using pgAudit +## @param audit.clientMinMessages Message log level to share with the user +## @param audit.logLinePrefix Template for log line prefix (default if not set) +## @param audit.logTimezone Timezone for the log timestamps +## +audit: + logHostname: false + logConnections: false + logDisconnections: false + pgAuditLog: "" + pgAuditLogCatalog: "off" + clientMinMessages: error + logLinePrefix: "" + logTimezone: "" +## LDAP configuration +## @param ldap.enabled Enable LDAP support +## @param ldap.url LDAP URL beginning in the form `ldap[s]://host[:port]/basedn` +## @param ldap.server IP address or name of the LDAP server. 
+## @param ldap.port Port number on the LDAP server to connect to +## @param ldap.prefix String to prepend to the user name when forming the DN to bind +## @param ldap.suffix String to append to the user name when forming the DN to bind +## @param ldap.baseDN Root DN to begin the search for the user in +## @param ldap.bindDN DN of user to bind to LDAP +## @param ldap.bind_password Password for the user to bind to LDAP +## @param ldap.search_attr Attribute to match against the user name in the search +## @param ldap.search_filter The search filter to use when doing search+bind authentication +## @param ldap.scheme Set to `ldaps` to use LDAPS +## @param ldap.tls Set to `1` to use TLS encryption +## +ldap: + enabled: false + url: "" + server: "" + port: "" + prefix: "" + suffix: "" + baseDN: "" + bindDN: "" + bind_password: "" + search_attr: "" + search_filter: "" + scheme: "" + tls: "" +## @param postgresqlDataDir PostgreSQL data dir folder +## +postgresqlDataDir: /bitnami/postgresql/data +## @param postgresqlSharedPreloadLibraries Shared preload libraries (comma-separated list) +## +postgresqlSharedPreloadLibraries: "pgaudit" +## Start PostgreSQL pod(s) without limitations on shm memory. 
+## By default docker and containerd (and possibly other container runtimes) limit `/dev/shm` to `64M` +## ref: https://github.com/docker-library/postgres/issues/416 +## ref: https://github.com/containerd/containerd/issues/3654 +## +shmVolume: + ## @param shmVolume.enabled Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) + ## + enabled: true + ## @param shmVolume.sizeLimit Set this to enable a size limit on the shm tmpfs + ## Note: the size of the tmpfs counts against container's memory limit + ## e.g: + ## sizeLimit: 1Gi + ## + sizeLimit: "" +## TLS configuration +## +tls: + ## @param tls.enabled Enable TLS traffic support + ## + enabled: false + ## @param tls.autoGenerated Generate automatically self-signed TLS certificates + ## + autoGenerated: false + ## @param tls.preferServerCiphers Whether to use the server's TLS cipher preferences rather than the client's + ## + preferServerCiphers: true + ## @param tls.certificatesSecret Name of an existing secret that contains the certificates + ## + certificatesSecret: "" + ## @param tls.certFilename Certificate filename + ## + certFilename: "" + ## @param tls.certKeyFilename Certificate key filename + ## + certKeyFilename: "" + ## @param tls.certCAFilename CA Certificate filename + ## If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate + ## ref: https://www.postgresql.org/docs/9.6/auth-methods.html + ## + certCAFilename: "" + ## @param tls.crlFilename File containing a Certificate Revocation List + ## + crlFilename: "" + +## @section PostgreSQL Primary parameters +## +primary: + ## @param primary.configuration PostgreSQL Primary main configuration to be injected as ConfigMap + ## ref: https://www.postgresql.org/docs/current/static/runtime-config.html + ## + configuration: "" + ## @param primary.pgHbaConfiguration PostgreSQL Primary client authentication configuration + ## ref: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html + ## e.g:# + ## 
pgHbaConfiguration: |- + ## local all all trust + ## host all all localhost trust + ## host mydatabase mysuser 192.168.0.0/24 md5 + ## + pgHbaConfiguration: "" + ## @param primary.existingConfigmap Name of an existing ConfigMap with PostgreSQL Primary configuration + ## NOTE: `primary.configuration` and `primary.pgHbaConfiguration` will be ignored + ## + existingConfigmap: "" + ## @param primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration) + ## ref: https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf + ## + extendedConfiguration: "" + ## @param primary.existingExtendedConfigmap Name of an existing ConfigMap with PostgreSQL Primary extended configuration + ## NOTE: `primary.extendedConfiguration` will be ignored + ## + existingExtendedConfigmap: "" + ## Initdb configuration + ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#specifying-initdb-arguments + ## + initdb: + ## @param primary.initdb.args PostgreSQL initdb extra arguments + ## + args: "" + ## @param primary.initdb.postgresqlWalDir Specify a custom location for the PostgreSQL transaction log + ## + postgresqlWalDir: "" + ## @param primary.initdb.scripts Dictionary of initdb scripts + ## Specify dictionary of scripts to be run at first boot + ## e.g: + ## scripts: + ## my_init_script.sh: | + ## #!/bin/sh + ## echo "Do something." 
+ ## + scripts: {} + ## @param primary.initdb.scriptsConfigMap ConfigMap with scripts to be run at first boot + ## NOTE: This will override `primary.initdb.scripts` + ## + scriptsConfigMap: "" + ## @param primary.initdb.scriptsSecret Secret with scripts to be run at first boot (in case it contains sensitive information) + ## NOTE: This can work along `primary.initdb.scripts` or `primary.initdb.scriptsConfigMap` + ## + scriptsSecret: "" + ## @param primary.initdb.user Specify the PostgreSQL username to execute the initdb scripts + ## + user: "" + ## @param primary.initdb.password Specify the PostgreSQL password to execute the initdb scripts + ## + password: "" + ## Configure current cluster's primary server to be the standby server in other cluster. + ## This will allow cross cluster replication and provide cross cluster high availability. + ## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled. + ## @param primary.standby.enabled Whether to enable current cluster's primary as standby server of another cluster or not + ## @param primary.standby.primaryHost The Host of replication primary in the other cluster + ## @param primary.standby.primaryPort The Port of replication primary in the other cluster + ## + standby: + enabled: false + primaryHost: "" + primaryPort: "" + ## @param primary.extraEnvVars Array with extra environment variables to add to PostgreSQL Primary nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes + ## + extraEnvVarsCM: "" + ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL Primary nodes + ## + extraEnvVarsSecret: "" + ## @param primary.command Override default container command (useful when using custom images) + ## + command: [] + ## @param primary.args Override default 
container args (useful when using custom images) + ## + args: [] + ## Configure extra options for PostgreSQL Primary containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param primary.livenessProbe.enabled Enable livenessProbe on PostgreSQL Primary containers + ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param primary.readinessProbe.enabled Enable readinessProbe on PostgreSQL Primary containers + ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param primary.startupProbe.enabled Enable startupProbe on PostgreSQL Primary containers + ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe + ## @param primary.startupProbe.timeoutSeconds Timeout seconds for 
startupProbe + ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param primary.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param primary.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param primary.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param primary.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param primary.lifecycleHooks for the PostgreSQL Primary container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## PostgreSQL Primary resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param primary.resources.limits The resources limits for the PostgreSQL Primary containers + ## @param primary.resources.requests.memory The requested memory for the PostgreSQL Primary containers + ## @param primary.resources.requests.cpu The requested cpu for the PostgreSQL Primary containers + ## + resources: + limits: {} + requests: + memory: 256Mi + cpu: 250m + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param primary.podSecurityContext.enabled Enable security context + ## @param primary.podSecurityContext.fsGroup Group ID for the pod + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param primary.containerSecurityContext.enabled Enable container security context + ## @param primary.containerSecurityContext.runAsUser User ID for the container + ## + containerSecurityContext: + enabled: true + runAsUser: 
1001 + ## @param primary.hostAliases PostgreSQL primary pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param primary.labels Map of labels to add to the statefulset (postgresql primary) + ## + labels: {} + ## @param primary.annotations Annotations for PostgreSQL primary pods + ## + annotations: {} + ## @param primary.podLabels Map of labels to add to the pods (postgresql primary) + ## + podLabels: {} + ## @param primary.podAnnotations Map of annotations to add to the pods (postgresql primary) + ## + podAnnotations: {} + ## @param primary.podAffinityPreset PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param primary.podAntiAffinityPreset PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## PostgreSQL Primary node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param primary.nodeAffinityPreset.type PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param primary.nodeAffinityPreset.key PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param primary.nodeAffinityPreset.values PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param primary.affinity Affinity for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param primary.nodeSelector Node labels for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param primary.tolerations Tolerations for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param primary.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: {} + ## @param primary.priorityClassName Priority Class to use for each pod (postgresql primary) + ## + priorityClassName: "" + ## @param primary.schedulerName Use an alternate scheduler, e.g. "stork". 
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param primary.terminationGracePeriodSeconds Seconds PostgreSQL primary pod needs to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" + ## @param primary.updateStrategy.type PostgreSQL Primary statefulset strategy type + ## @param primary.updateStrategy.rollingUpdate PostgreSQL Primary statefulset rolling update configuration parameters + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + rollingUpdate: {} + ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) + ## + extraVolumeMounts: [] + ## @param primary.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) + ## + extraVolumes: [] + ## @param primary.sidecars Add additional sidecar containers to the PostgreSQL Primary pod(s) + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param primary.initContainers Add additional init containers to the PostgreSQL Primary pod(s) + ## Example + ## + ## initContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + initContainers: [] + ## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) + ## + extraPodSpec: {} + ## PostgreSQL Primary service configuration + ## + service: + ## @param primary.service.type Kubernetes Service type + ## + type: ClusterIP + ## @param primary.service.ports.postgresql PostgreSQL service port + ## + ports: + postgresql: 5432 + ## Node ports to expose + ## NOTE: choose port between 
<30000-32767> + ## @param primary.service.nodePorts.postgresql Node port for PostgreSQL + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + postgresql: "" + ## @param primary.service.clusterIP Static clusterIP or None for headless services + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param primary.service.annotations Annotations for PostgreSQL primary service + ## + annotations: {} + ## @param primary.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` + ## Set the LoadBalancer service type to internal only + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param primary.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param primary.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param primary.service.extraPorts Extra ports to expose in the PostgreSQL primary service + ## + extraPorts: [] + ## PostgreSQL Primary persistence configuration + ## + persistence: + ## @param primary.persistence.enabled Enable PostgreSQL Primary data persistence using PVC + ## + enabled: true + ## @param primary.persistence.existingClaim Name of an existing PVC to use + ## + existingClaim: "" + ## @param primary.persistence.mountPath The path the volume will be mounted at + ## Note: useful when using custom PostgreSQL images + ## + mountPath: /bitnami/postgresql + ## @param primary.persistence.subPath The subdirectory of the volume to mount to + ## Useful 
in dev environments and one PV for multiple services + ## + subPath: "" + ## @param primary.persistence.storageClass PVC Storage Class for PostgreSQL Primary data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param primary.persistence.accessModes PVC Access Mode for PostgreSQL volume + ## + accessModes: + - ReadWriteOnce + ## @param primary.persistence.size PVC Storage Request for PostgreSQL volume + ## + size: 8Gi + ## @param primary.persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param primary.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param primary.persistence.dataSource Custom PVC data source + ## + dataSource: {} + +## @section PostgreSQL read only replica parameters +## +readReplicas: + ## @param readReplicas.replicaCount Number of PostgreSQL read only replicas + ## + replicaCount: 1 + ## @param readReplicas.extraEnvVars Array with extra environment variables to add to PostgreSQL read only nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param readReplicas.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes + ## + extraEnvVarsCM: "" + ## @param readReplicas.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL read only nodes + ## + extraEnvVarsSecret: "" + ## @param readReplicas.command Override default container command (useful when using custom images) + ## + command: [] + ## @param readReplicas.args Override default container args (useful when using custom images) + ## + args: [] + ## 
Configure extra options for PostgreSQL read only containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param readReplicas.livenessProbe.enabled Enable livenessProbe on PostgreSQL read only containers + ## @param readReplicas.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param readReplicas.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param readReplicas.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param readReplicas.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param readReplicas.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param readReplicas.readinessProbe.enabled Enable readinessProbe on PostgreSQL read only containers + ## @param readReplicas.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param readReplicas.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param readReplicas.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param readReplicas.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param readReplicas.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param readReplicas.startupProbe.enabled Enable startupProbe on PostgreSQL read only containers + ## @param readReplicas.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param readReplicas.startupProbe.periodSeconds Period seconds for startupProbe + ## @param readReplicas.startupProbe.timeoutSeconds Timeout 
seconds for startupProbe + ## @param readReplicas.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param readReplicas.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param readReplicas.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param readReplicas.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param readReplicas.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param readReplicas.lifecycleHooks for the PostgreSQL read only container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## PostgreSQL read only resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param readReplicas.resources.limits The resources limits for the PostgreSQL read only containers + ## @param readReplicas.resources.requests.memory The requested memory for the PostgreSQL read only containers + ## @param readReplicas.resources.requests.cpu The requested cpu for the PostgreSQL read only containers + ## + resources: + limits: {} + requests: + memory: 256Mi + cpu: 250m + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param readReplicas.podSecurityContext.enabled Enable security context + ## @param readReplicas.podSecurityContext.fsGroup Group ID for the pod + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param readReplicas.containerSecurityContext.enabled Enable container security context + ## @param readReplicas.containerSecurityContext.runAsUser User 
ID for the container + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param readReplicas.hostAliases PostgreSQL read only pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param readReplicas.labels Map of labels to add to the statefulset (PostgreSQL read only) + ## + labels: {} + ## @param readReplicas.annotations Annotations for PostgreSQL read only pods + ## + annotations: {} + ## @param readReplicas.podLabels Map of labels to add to the pods (PostgreSQL read only) + ## + podLabels: {} + ## @param readReplicas.podAnnotations Map of annotations to add to the pods (PostgreSQL read only) + ## + podAnnotations: {} + ## @param readReplicas.podAffinityPreset PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param readReplicas.podAntiAffinityPreset PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## PostgreSQL read only node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param readReplicas.nodeAffinityPreset.type PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param readReplicas.nodeAffinityPreset.key PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. + ## E.g. 
+ ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param readReplicas.nodeAffinityPreset.values PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param readReplicas.affinity Affinity for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param readReplicas.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: {} + ## @param readReplicas.priorityClassName Priority Class to use for each pod (PostgreSQL read only) + ## + priorityClassName: "" + ## @param readReplicas.schedulerName Use an alternate scheduler, e.g. "stork". 
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param readReplicas.terminationGracePeriodSeconds Seconds PostgreSQL read only pod needs to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" + ## @param readReplicas.updateStrategy.type PostgreSQL read only statefulset strategy type + ## @param readReplicas.updateStrategy.rollingUpdate PostgreSQL read only statefulset rolling update configuration parameters + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + rollingUpdate: {} + ## @param readReplicas.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) + ## + extraVolumeMounts: [] + ## @param readReplicas.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) + ## + extraVolumes: [] + ## @param readReplicas.sidecars Add additional sidecar containers to the PostgreSQL read only pod(s) + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param readReplicas.initContainers Add additional init containers to the PostgreSQL read only pod(s) + ## Example + ## + ## initContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + initContainers: [] + ## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s) + ## + extraPodSpec: {} + ## PostgreSQL read only service configuration + ## + service: + ## @param readReplicas.service.type Kubernetes Service type + ## + type: ClusterIP + ## @param readReplicas.service.ports.postgresql PostgreSQL service port + ## + ports: + postgresql: 
5432 + ## Node ports to expose + ## NOTE: choose port between <30000-32767> + ## @param readReplicas.service.nodePorts.postgresql Node port for PostgreSQL + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + postgresql: "" + ## @param readReplicas.service.clusterIP Static clusterIP or None for headless services + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param readReplicas.service.annotations Annotations for PostgreSQL read only service + ## + annotations: {} + ## @param readReplicas.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` + ## Set the LoadBalancer service type to internal only + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param readReplicas.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param readReplicas.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param readReplicas.service.extraPorts Extra ports to expose in the PostgreSQL read only service + ## + extraPorts: [] + ## PostgreSQL read only persistence configuration + ## + persistence: + ## @param readReplicas.persistence.enabled Enable PostgreSQL read only data persistence using PVC + ## + enabled: true + ## @param readReplicas.persistence.mountPath The path the volume will be mounted at + ## Note: useful when using custom PostgreSQL images + ## + mountPath: /bitnami/postgresql + ## @param readReplicas.persistence.subPath The subdirectory of the volume to 
mount to + ## Useful in dev environments and one PV for multiple services + ## + subPath: "" + ## @param readReplicas.persistence.storageClass PVC Storage Class for PostgreSQL read only data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param readReplicas.persistence.accessModes PVC Access Mode for PostgreSQL volume + ## + accessModes: + - ReadWriteOnce + ## @param readReplicas.persistence.size PVC Storage Request for PostgreSQL volume + ## + size: 8Gi + ## @param readReplicas.persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param readReplicas.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param readReplicas.persistence.dataSource Custom PVC data source + ## + dataSource: {} + +## @section NetworkPolicy parameters + +## Add networkpolicies +## +networkPolicy: + ## @param networkPolicy.enabled Enable network policies + ## + enabled: false + ## @param networkPolicy.metrics.enabled Enable network policies for metrics (prometheus) + ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. + ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. 
+ ## + metrics: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: monitoring + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: monitoring + ## + podSelector: {} + ## Ingress Rules + ## + ingressRules: + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules [object] Custom network policy for the PostgreSQL primary node. + ## + primaryAccessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## customRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). 
+ ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules [object] Custom network policy for the PostgreSQL read-only nodes. + ## + readReplicasAccessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## CustomRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). + ## @param networkPolicy.egressRules.customRules [object] Custom network policy rule + ## + egressRules: + # Deny connections to external. This is not compatible with an external database. + denyConnectionsToExternal: false + ## Additional custom egress rules + ## e.g: + ## customRules: + ## - to: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + +## @section Volume Permissions parameters + +## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume + ## + enabled: false + ## @param volumePermissions.image.registry Init container volume-permissions image registry + ## @param volumePermissions.image.repository Init container volume-permissions image repository + ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 
10-debian-10-r327 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param volumePermissions.resources.limits Init container volume-permissions resource limits + ## @param volumePermissions.resources.requests Init container volume-permissions resource requests + ## + resources: + limits: {} + requests: {} + ## Init container' Security Context + ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser + ## and not the below volumePermissions.containerSecurityContext.runAsUser + ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container + ## + containerSecurityContext: + runAsUser: 0 + +## @section Other Parameters + +## Service account for PostgreSQL to use. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + ## @param serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod + ## + create: false + ## @param serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## Can be set to false if pods using this serviceAccount do not need to use K8s API + ## + automountServiceAccountToken: true + ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} +## Creates role for ServiceAccount +## @param rbac.create Create Role and RoleBinding (required for PSP to work) +## +rbac: + create: false + ## @param rbac.rules Custom RBAC rules to set + ## e.g: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] +## Pod Security Policy +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## @param psp.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later +## +psp: + create: false + +## @section Metrics Parameters + +metrics: + ## @param metrics.enabled Start a prometheus exporter + ## + enabled: false + ## @param metrics.image.registry PostgreSQL Prometheus Exporter image registry + ## @param metrics.image.repository PostgreSQL Prometheus Exporter image repository + ## @param metrics.image.tag PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) + ## @param metrics.image.pullPolicy PostgreSQL Prometheus Exporter image pull policy + ## @param metrics.image.pullSecrets Specify image pull secrets + ## + image: + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.10.1-debian-10-r14 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.customMetrics Define additional custom metrics + ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file + ## customMetrics: + ## pg_database: + ## query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" + ## metrics: + ## - name: + ## usage: "LABEL" + ## description: "Name of the database" + ## - size_bytes: + ## usage: "GAUGE" + ## description: "Size of the database in bytes" + ## + customMetrics: {} + ## @param metrics.extraEnvVars Extra environment variables to add to PostgreSQL Prometheus exporter + ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables + ## For example: + ## extraEnvVars: + ## - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS + ## value: "true" + ## + extraEnvVars: [] + ## PostgreSQL Prometheus exporter containers' Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param metrics.containerSecurityContext.enabled Enable PostgreSQL Prometheus exporter containers' Security Context + ## @param metrics.containerSecurityContext.runAsUser Set PostgreSQL Prometheus exporter containers' Security Context runAsUser + ## @param metrics.containerSecurityContext.runAsNonRoot Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## Configure extra options for PostgreSQL Prometheus exporter containers' liveness, readiness and startup probes + ## ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param metrics.livenessProbe.enabled Enable livenessProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param metrics.readinessProbe.enabled Enable readinessProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param metrics.startupProbe.enabled Enable startupProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe + ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param metrics.startupProbe.successThreshold 
Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param metrics.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param metrics.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param metrics.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param metrics.containerPorts.metrics PostgreSQL Prometheus exporter metrics container port + ## + containerPorts: + metrics: 9187 + ## PostgreSQL Prometheus exporter resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param metrics.resources.limits The resources limits for the PostgreSQL Prometheus exporter container + ## @param metrics.resources.requests The requested resources for the PostgreSQL Prometheus exporter container + ## + resources: + limits: {} + requests: {} + ## Service configuration + ## + service: + ## @param metrics.service.ports.metrics PostgreSQL Prometheus Exporter service port + ## + ports: + metrics: 9187 + ## @param metrics.service.clusterIP Static clusterIP or None for headless services + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## + clusterIP: "" + ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/user-guide/services/ + ## + sessionAffinity: None + ## @param metrics.service.annotations [object] Annotations for Prometheus to auto-discover the metrics endpoint + ## + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + ## 
@param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator
+ ##
+ enabled: false
+ ## @param metrics.serviceMonitor.namespace Namespace for the ServiceMonitor Resource (defaults to the Release Namespace)
+ ##
+ namespace: ""
+ ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ##
+ interval: ""
+ ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ##
+ scrapeTimeout: ""
+ ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
+ ##
+ labels: {}
+ ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
+ ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration
+ ##
+ selector: {}
+ ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
+ ##
+ relabelings: []
+ ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
+ ##
+ metricRelabelings: []
+ ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
+ ##
+ honorLabels: false
+ ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
+ ##
+ jobLabel: ""
+ ## Custom PrometheusRule to be defined
+ ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
+ ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
+ ##
+ prometheusRule:
+ ## @param metrics.prometheusRule.enabled Create a PrometheusRule for Prometheus Operator
+ ##
+ enabled: false
+ ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace)
+ ##
+ namespace: ""
+ ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
+ ##
+ labels: {}
+ ## @param metrics.prometheusRule.rules PrometheusRule definitions
+ ## Make sure to constraint the rules to the current postgresql service.
+ ## rules:
+ ## - alert: HugeReplicationLag
+ ## expr: pg_replication_lag{service="{{ printf "%s-metrics" (include "common.names.fullname" .) }}"} / 3600 > 1
+ ## for: 1m
+ ## labels:
+ ## severity: critical
+ ## annotations:
+ ## description: replication for {{ include "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s).
+ ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s).
+ ##
+ rules: []
\ No newline at end of file
diff --git a/home/postgresql/values.yaml b/home/postgresql/values.yaml
new file mode 100644
index 0000000000..7ed3908938
--- /dev/null
+++ b/home/postgresql/values.yaml
@@ -0,0 +1,1331 @@
+postgresql:
+ ## @section Global parameters
+ ## Please, note that this will override the parameters, including dependencies, configured to use the global value
+ ##
+ global:
+ ## @param global.imageRegistry Global Docker image registry
+ ##
+ imageRegistry: ""
+ ## @param global.imagePullSecrets Global Docker registry secret names as an array
+ ## e.g.
+ ## imagePullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ imagePullSecrets: []
+ ## @param global.storageClass Global StorageClass for Persistent Volume(s)
+ ##
+ storageClass: ""
+ postgresql:
+ ## @param global.postgresql.auth.postgresPassword Password for the "postgres" admin user (overrides `auth.postgresPassword`)
+ ## @param global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`)
+ ## @param global.postgresql.auth.password Password for the custom user to create (overrides `auth.password`)
+ ## @param global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`)
+ ## @param global.postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`)
+ ##
+ auth:
+ postgresPassword: ""
+ username: ""
+ password: ""
+ database: ""
+ existingSecret: ""
+ ## @param global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
+ ##
+ service:
+ ports:
+ postgresql: ""
+
+ ## @section Common parameters
+ ##
+
+ ## @param kubeVersion Override Kubernetes version
+ ##
+ kubeVersion: ""
+ ## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
+ ##
+ nameOverride: ""
+ ## @param fullnameOverride String to fully override common.names.fullname template
+ ##
+ fullnameOverride: ""
+ ## @param clusterDomain Kubernetes Cluster Domain
+ ##
+ clusterDomain: cluster.local
+ ## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template)
+ ##
+
extraDeploy: []
+ ## @param commonLabels Add labels to all the deployed resources
+ ##
+ commonLabels: {}
+ ## @param commonAnnotations Add annotations to all the deployed resources
+ ##
+ commonAnnotations: {}
+ ## Enable diagnostic mode in the statefulset
+ ##
+ diagnosticMode:
+ ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
+ ##
+ enabled: false
+ ## @param diagnosticMode.command Command to override all containers in the statefulset
+ ##
+ command:
+ - sleep
+ ## @param diagnosticMode.args Args to override all containers in the statefulset
+ ##
+ args:
+ - infinity
+
+ ## @section PostgreSQL common parameters
+ ##
+
+ ## Bitnami PostgreSQL image version
+ ## ref: https://hub.docker.com/r/bitnami/postgresql/tags/
+ ## @param image.registry PostgreSQL image registry
+ ## @param image.repository PostgreSQL image repository
+ ## @param image.tag PostgreSQL image tag (immutable tags are recommended)
+ ## @param image.pullPolicy PostgreSQL image pull policy
+ ## @param image.pullSecrets Specify image pull secrets
+ ## @param image.debug Specify if debug values should be set
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/postgresql
+ tag: 14.1.0-debian-10-r80
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## Example:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Set to true if you would like to see extra information on logs
+ ##
+ debug: false
+ ## Authentication parameters
+ ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run
+ ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run
+ ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run
+ ##
+ auth:
+ ## @param auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user
+ ##
+ enablePostgresUser: true
+ ## @param auth.postgresPassword Password for the "postgres" admin user
+ ##
+ postgresPassword: ""
+ ## @param auth.username Name for a custom user to create
+ ##
+ username: ""
+ ## @param auth.password Password for the custom user to create
+ ##
+ password: ""
+ ## @param auth.database Name for a custom database to create
+ ##
+ database: ""
+ ## @param auth.replicationUsername Name of the replication user
+ ##
+ replicationUsername: repl_user
+ ## @param auth.replicationPassword Password for the replication user
+ ##
+ replicationPassword: ""
+ ## @param auth.existingSecret Name of existing secret to use for PostgreSQL credentials
+ ## `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret
+ ## The secret must contain the keys `postgres-password` (which is the password for "postgres" admin user),
+ ## `password` (which is the password for the custom user to create when `auth.username` is set),
+ ## and `replication-password` (which is the password for replication user).
+ ## The secret might also contains the key `ldap-password` if LDAP is enabled.
`ldap.bind_password` will be ignored and
+ ## picked from this secret in this case.
+ ## The value is evaluated as a template.
+ ##
+ existingSecret: "postgres-secret"
+ ## @param auth.usePasswordFiles Mount credentials as a files instead of using an environment variable
+ ##
+ usePasswordFiles: false
+ ## @param architecture PostgreSQL architecture (`standalone` or `replication`)
+ ##
+ architecture: standalone
+ ## Replication configuration
+ ## Ignored if `architecture` is `standalone`
+ ##
+ replication:
+ ## @param replication.synchronousCommit Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off`
+ ## @param replication.numSynchronousReplicas Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`.
+ ## ref: https://www.postgresql.org/docs/current/runtime-config-wal.html#GUC-SYNCHRONOUS-COMMIT
+ ##
+ synchronousCommit: "off"
+ numSynchronousReplicas: 0
+ ## @param replication.applicationName Cluster application name.
Useful for advanced replication settings
+ ##
+ applicationName: my_application
+ ## @param containerPorts.postgresql PostgreSQL container port
+ ##
+ containerPorts:
+ postgresql: 5432
+ ## Audit settings
+ ## https://github.com/bitnami/bitnami-docker-postgresql#auditing
+ ## @param audit.logHostname Log client hostnames
+ ## @param audit.logConnections Add client log-in operations to the log file
+ ## @param audit.logDisconnections Add client log-outs operations to the log file
+ ## @param audit.pgAuditLog Add operations to log using the pgAudit extension
+ ## @param audit.pgAuditLogCatalog Log catalog using pgAudit
+ ## @param audit.clientMinMessages Message log level to share with the user
+ ## @param audit.logLinePrefix Template for log line prefix (default if not set)
+ ## @param audit.logTimezone Timezone for the log timestamps
+ ##
+ audit:
+ logHostname: false
+ logConnections: false
+ logDisconnections: false
+ pgAuditLog: ""
+ pgAuditLogCatalog: "off"
+ clientMinMessages: error
+ logLinePrefix: ""
+ logTimezone: ""
+ ## LDAP configuration
+ ## @param ldap.enabled Enable LDAP support
+ ## @param ldap.url LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`
+ ## @param ldap.server IP address or name of the LDAP server.
+ ## @param ldap.port Port number on the LDAP server to connect to
+ ## @param ldap.prefix String to prepend to the user name when forming the DN to bind
+ ## @param ldap.suffix String to append to the user name when forming the DN to bind
+ ## @param ldap.baseDN Root DN to begin the search for the user in
+ ## @param ldap.bindDN DN of user to bind to LDAP
+ ## @param ldap.bind_password Password for the user to bind to LDAP
+ ## @param ldap.search_attr Attribute to match against the user name in the search
+ ## @param ldap.search_filter The search filter to use when doing search+bind authentication
+ ## @param ldap.scheme Set to `ldaps` to use LDAPS
+ ## @param ldap.tls Set to `1` to use TLS encryption
+ ##
+ ldap:
+ enabled: false
+ url: ""
+ server: ""
+ port: ""
+ prefix: ""
+ suffix: ""
+ baseDN: ""
+ bindDN: ""
+ bind_password: ""
+ search_attr: ""
+ search_filter: ""
+ scheme: ""
+ tls: ""
+ ## @param postgresqlDataDir PostgreSQL data dir folder
+ ##
+ postgresqlDataDir: /bitnami/postgresql/data
+ ## @param postgresqlSharedPreloadLibraries Shared preload libraries (comma-separated list)
+ ##
+ postgresqlSharedPreloadLibraries: "pgaudit"
+ ## Start PostgreSQL pod(s) without limitations on shm memory.
+ ## By default docker and containerd (and possibly other container runtimes) limit `/dev/shm` to `64M`
+ ## ref: https://github.com/docker-library/postgres/issues/416
+ ## ref: https://github.com/containerd/containerd/issues/3654
+ ##
+ shmVolume:
+ ## @param shmVolume.enabled Enable emptyDir volume for /dev/shm for PostgreSQL pod(s)
+ ##
+ enabled: true
+ ## @param shmVolume.sizeLimit Set this to enable a size limit on the shm tmpfs
+ ## Note: the size of the tmpfs counts against container's memory limit
+ ## e.g:
+ ## sizeLimit: 1Gi
+ ##
+ sizeLimit: ""
+ ## TLS configuration
+ ##
+ tls:
+ ## @param tls.enabled Enable TLS traffic support
+ ##
+ enabled: false
+ ## @param tls.autoGenerated Generate automatically self-signed TLS certificates
+ ##
+ autoGenerated: false
+ ## @param tls.preferServerCiphers Whether to use the server's TLS cipher preferences rather than the client's
+ ##
+ preferServerCiphers: true
+ ## @param tls.certificatesSecret Name of an existing secret that contains the certificates
+ ##
+ certificatesSecret: ""
+ ## @param tls.certFilename Certificate filename
+ ##
+ certFilename: ""
+ ## @param tls.certKeyFilename Certificate key filename
+ ##
+ certKeyFilename: ""
+ ## @param tls.certCAFilename CA Certificate filename
+ ## If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate
+ ## ref: https://www.postgresql.org/docs/9.6/auth-methods.html
+ ##
+ certCAFilename: ""
+ ## @param tls.crlFilename File containing a Certificate Revocation List
+ ##
+ crlFilename: ""
+
+ ## @section PostgreSQL Primary parameters
+ ##
+ primary:
+ ## @param primary.configuration PostgreSQL Primary main configuration to be injected as ConfigMap
+ ## ref: https://www.postgresql.org/docs/current/static/runtime-config.html
+ ##
+ configuration: ""
+ ## @param primary.pgHbaConfiguration PostgreSQL Primary client authentication configuration
+ ## ref: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
+ ## e.g:#
+ ##
pgHbaConfiguration: |-
+ ## local all all trust
+ ## host all all localhost trust
+ ## host mydatabase mysuser 192.168.0.0/24 md5
+ ##
+ pgHbaConfiguration: ""
+ ## @param primary.existingConfigmap Name of an existing ConfigMap with PostgreSQL Primary configuration
+ ## NOTE: `primary.configuration` and `primary.pgHbaConfiguration` will be ignored
+ ##
+ existingConfigmap: ""
+ ## @param primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration)
+ ## ref: https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf
+ ##
+ extendedConfiguration: ""
+ ## @param primary.existingExtendedConfigmap Name of an existing ConfigMap with PostgreSQL Primary extended configuration
+ ## NOTE: `primary.extendedConfiguration` will be ignored
+ ##
+ existingExtendedConfigmap: ""
+ ## Initdb configuration
+ ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#specifying-initdb-arguments
+ ##
+ initdb:
+ ## @param primary.initdb.args PostgreSQL initdb extra arguments
+ ##
+ args: ""
+ ## @param primary.initdb.postgresqlWalDir Specify a custom location for the PostgreSQL transaction log
+ ##
+ postgresqlWalDir: ""
+ ## @param primary.initdb.scripts Dictionary of initdb scripts
+ ## Specify dictionary of scripts to be run at first boot
+ ## e.g:
+ ## scripts:
+ ## my_init_script.sh: |
+ ## #!/bin/sh
+ ## echo "Do something."
+ ##
+ scripts: {}
+ ## @param primary.initdb.scriptsConfigMap ConfigMap with scripts to be run at first boot
+ ## NOTE: This will override `primary.initdb.scripts`
+ ##
+ scriptsConfigMap: ""
+ ## @param primary.initdb.scriptsSecret Secret with scripts to be run at first boot (in case it contains sensitive information)
+ ## NOTE: This can work along `primary.initdb.scripts` or `primary.initdb.scriptsConfigMap`
+ ##
+ scriptsSecret: ""
+ ## @param primary.initdb.user Specify the PostgreSQL username to execute the initdb scripts
+ ##
+ user: ""
+ ## @param primary.initdb.password Specify the PostgreSQL password to execute the initdb scripts
+ ##
+ password: ""
+ ## Configure current cluster's primary server to be the standby server in other cluster.
+ ## This will allow cross cluster replication and provide cross cluster high availability.
+ ## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled.
+ ## @param primary.standby.enabled Whether to enable current cluster's primary as standby server of another cluster or not
+ ## @param primary.standby.primaryHost The Host of replication primary in the other cluster
+ ## @param primary.standby.primaryPort The Port of replication primary in the other cluster
+ ##
+ standby:
+ enabled: false
+ primaryHost: ""
+ primaryPort: ""
+ ## @param primary.extraEnvVars Array with extra environment variables to add to PostgreSQL Primary nodes
+ ## e.g:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: "bar"
+ ##
+ extraEnvVars: []
+ ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes
+ ##
+ extraEnvVarsCM: ""
+ ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL Primary nodes
+ ##
+ extraEnvVarsSecret: ""
+ ## @param primary.command Override default container command (useful when using custom images)
+ ##
+ command: []
+ ## @param primary.args Override default
container args (useful when using custom images)
+ ##
+ args: []
+ ## Configure extra options for PostgreSQL Primary containers' liveness, readiness and startup probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
+ ## @param primary.livenessProbe.enabled Enable livenessProbe on PostgreSQL Primary containers
+ ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param primary.readinessProbe.enabled Enable readinessProbe on PostgreSQL Primary containers
+ ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param primary.startupProbe.enabled Enable startupProbe on PostgreSQL Primary containers
+ ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+ ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe
+ ## @param primary.startupProbe.timeoutSeconds Timeout seconds for
startupProbe
+ ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe
+ ## @param primary.startupProbe.successThreshold Success threshold for startupProbe
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 15
+ successThreshold: 1
+ ## @param primary.customLivenessProbe Custom livenessProbe that overrides the default one
+ ##
+ customLivenessProbe: {}
+ ## @param primary.customReadinessProbe Custom readinessProbe that overrides the default one
+ ##
+ customReadinessProbe: {}
+ ## @param primary.customStartupProbe Custom startupProbe that overrides the default one
+ ##
+ customStartupProbe: {}
+ ## @param primary.lifecycleHooks for the PostgreSQL Primary container to automate configuration before or after startup
+ ##
+ lifecycleHooks: {}
+ ## PostgreSQL Primary resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## @param primary.resources.limits The resources limits for the PostgreSQL Primary containers
+ ## @param primary.resources.requests.memory The requested memory for the PostgreSQL Primary containers
+ ## @param primary.resources.requests.cpu The requested cpu for the PostgreSQL Primary containers
+ ##
+ resources:
+ limits: {}
+ requests:
+ memory: 256Mi
+ cpu: 250m
+ ## Pod Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ ## @param primary.podSecurityContext.enabled Enable security context
+ ## @param primary.podSecurityContext.fsGroup Group ID for the pod
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+ ## Container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ ## @param primary.containerSecurityContext.enabled Enable container security context
+ ## @param primary.containerSecurityContext.runAsUser User ID for the container
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser:
1001
+ ## @param primary.hostAliases PostgreSQL primary pods host aliases
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: []
+ ## @param primary.labels Map of labels to add to the statefulset (postgresql primary)
+ ##
+ labels: {}
+ ## @param primary.annotations Annotations for PostgreSQL primary pods
+ ##
+ annotations: {}
+ ## @param primary.podLabels Map of labels to add to the pods (postgresql primary)
+ ##
+ podLabels: {}
+ ## @param primary.podAnnotations Map of annotations to add to the pods (postgresql primary)
+ ##
+ podAnnotations: {}
+ ## @param primary.podAffinityPreset PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param primary.podAntiAffinityPreset PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## PostgreSQL Primary node affinity preset
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+ nodeAffinityPreset:
+ ## @param primary.nodeAffinityPreset.type PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param primary.nodeAffinityPreset.key PostgreSQL primary node label key to match Ignored if `primary.affinity` is set.
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## @param primary.nodeAffinityPreset.values PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set.
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+ ## @param primary.affinity Affinity for PostgreSQL primary pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set
+ ##
+ affinity: {}
+ ## @param primary.nodeSelector Node labels for PostgreSQL primary pods assignment
+ ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+ ## @param primary.tolerations Tolerations for PostgreSQL primary pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param primary.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
+ ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
+ ##
+ topologySpreadConstraints: {}
+ ## @param primary.priorityClassName Priority Class to use for each pod (postgresql primary)
+ ##
+ priorityClassName: ""
+ ## @param primary.schedulerName Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ schedulerName: ""
+ ## @param primary.terminationGracePeriodSeconds Seconds PostgreSQL primary pod needs to terminate gracefully
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
+ ##
+ terminationGracePeriodSeconds: ""
+ ## @param primary.updateStrategy.type PostgreSQL Primary statefulset strategy type
+ ## @param primary.updateStrategy.rollingUpdate PostgreSQL Primary statefulset rolling update configuration parameters
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+ ##
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate: {}
+ ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s)
+ ##
+ extraVolumeMounts: []
+ ## @param primary.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s)
+ ##
+ extraVolumes: []
+ ## @param primary.sidecars Add additional sidecar containers to the PostgreSQL Primary pod(s)
+ ## For example:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: []
+ ## @param primary.initContainers Add additional init containers to the PostgreSQL Primary pod(s)
+ ## Example
+ ##
+ ## initContainers:
+ ## - name: do-something
+ ## image: busybox
+ ## command: ['do', 'something']
+ ##
+ initContainers: []
+ ## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s)
+ ##
+ extraPodSpec: {}
+ ## PostgreSQL Primary service configuration
+ ##
+ service:
+ ## @param primary.service.type Kubernetes Service type
+ ##
+ type: ClusterIP
+ ## @param primary.service.ports.postgresql PostgreSQL service port
+ ##
+ ports:
+ postgresql: 5432
+ ## Node ports to expose
+ ## NOTE: choose port between
<30000-32767>
+ ## @param primary.service.nodePorts.postgresql Node port for PostgreSQL
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ nodePorts:
+ postgresql: ""
+ ## @param primary.service.clusterIP Static clusterIP or None for headless services
+ ## e.g:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param primary.service.annotations Annotations for PostgreSQL primary service
+ ##
+ annotations: {}
+ ## @param primary.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer`
+ ## Set the LoadBalancer service type to internal only
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ loadBalancerIP: ""
+ ## @param primary.service.externalTrafficPolicy Enable client source IP preservation
+ ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param primary.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer
+ ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ##
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param primary.service.extraPorts Extra ports to expose in the PostgreSQL primary service
+ ##
+ extraPorts: []
+ ## PostgreSQL Primary persistence configuration
+ ##
+ persistence:
+ ## @param primary.persistence.enabled Enable PostgreSQL Primary data persistence using PVC
+ ##
+ enabled: true
+ ## @param primary.persistence.existingClaim Name of an existing PVC to use
+ ##
+ existingClaim: ""
+ ## @param primary.persistence.mountPath The path the volume will be mounted at
+ ## Note: useful when using custom PostgreSQL images
+ ##
+ mountPath: /bitnami/postgresql
+ ## @param primary.persistence.subPath The subdirectory of the volume to mount to
+ ## Useful
in dev environments and one PV for multiple services
+ ##
+ subPath: ""
+ ## @param primary.persistence.storageClass PVC Storage Class for PostgreSQL Primary data volume
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ storageClass: "longhorn"
+ ## @param primary.persistence.accessModes PVC Access Mode for PostgreSQL volume
+ ##
+ accessModes:
+ - ReadWriteOnce
+ ## @param primary.persistence.size PVC Storage Request for PostgreSQL volume
+ ##
+ size: 8Gi
+ ## @param primary.persistence.annotations Annotations for the PVC
+ ##
+ annotations: {}
+ ## @param primary.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template)
+ ## selector:
+ ## matchLabels:
+ ## app: my-app
+ ##
+ selector: {}
+ ## @param primary.persistence.dataSource Custom PVC data source
+ ##
+ dataSource: {}
+
+ ## @section PostgreSQL read only replica parameters
+ ##
+ readReplicas:
+ ## @param readReplicas.replicaCount Number of PostgreSQL read only replicas
+ ##
+ replicaCount: 1
+ ## @param readReplicas.extraEnvVars Array with extra environment variables to add to PostgreSQL read only nodes
+ ## e.g:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: "bar"
+ ##
+ extraEnvVars: []
+ ## @param readReplicas.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes
+ ##
+ extraEnvVarsCM: ""
+ ## @param readReplicas.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL read only nodes
+ ##
+ extraEnvVarsSecret: ""
+ ## @param readReplicas.command Override default container command (useful when using custom images)
+ ##
+ command: []
+ ## @param readReplicas.args Override default container args (useful when using custom images)
+ ##
+ args: []
+ ## Configure extra options for PostgreSQL read only containers' liveness, readiness and startup probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
+ ## @param readReplicas.livenessProbe.enabled Enable livenessProbe on PostgreSQL read only containers
+ ## @param readReplicas.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param readReplicas.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param readReplicas.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param readReplicas.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param readReplicas.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param readReplicas.readinessProbe.enabled Enable readinessProbe on PostgreSQL read only containers
+ ## @param readReplicas.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param readReplicas.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param readReplicas.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param readReplicas.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param readReplicas.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param readReplicas.startupProbe.enabled Enable startupProbe on PostgreSQL read only containers
+ ## @param readReplicas.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+ ## @param readReplicas.startupProbe.periodSeconds Period seconds for startupProbe
+ ## @param readReplicas.startupProbe.timeoutSeconds
Timeout seconds for startupProbe
+ ## @param readReplicas.startupProbe.failureThreshold Failure threshold for startupProbe
+ ## @param readReplicas.startupProbe.successThreshold Success threshold for startupProbe
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 15
+ successThreshold: 1
+ ## @param readReplicas.customLivenessProbe Custom livenessProbe that overrides the default one
+ ##
+ customLivenessProbe: {}
+ ## @param readReplicas.customReadinessProbe Custom readinessProbe that overrides the default one
+ ##
+ customReadinessProbe: {}
+ ## @param readReplicas.customStartupProbe Custom startupProbe that overrides the default one
+ ##
+ customStartupProbe: {}
+ ## @param readReplicas.lifecycleHooks for the PostgreSQL read only container to automate configuration before or after startup
+ ##
+ lifecycleHooks: {}
+ ## PostgreSQL read only resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## @param readReplicas.resources.limits The resources limits for the PostgreSQL read only containers
+ ## @param readReplicas.resources.requests.memory The requested memory for the PostgreSQL read only containers
+ ## @param readReplicas.resources.requests.cpu The requested cpu for the PostgreSQL read only containers
+ ##
+ resources:
+ limits: {}
+ requests:
+ memory: 256Mi
+ cpu: 250m
+ ## Pod Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ ## @param readReplicas.podSecurityContext.enabled Enable security context
+ ## @param readReplicas.podSecurityContext.fsGroup Group ID for the pod
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+ ## Container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ ## @param readReplicas.containerSecurityContext.enabled Enable container security context
+ ## @param
readReplicas.containerSecurityContext.runAsUser User ID for the container
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ ## @param readReplicas.hostAliases PostgreSQL read only pods host aliases
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: []
+ ## @param readReplicas.labels Map of labels to add to the statefulset (PostgreSQL read only)
+ ##
+ labels: {}
+ ## @param readReplicas.annotations Annotations for PostgreSQL read only pods
+ ##
+ annotations: {}
+ ## @param readReplicas.podLabels Map of labels to add to the pods (PostgreSQL read only)
+ ##
+ podLabels: {}
+ ## @param readReplicas.podAnnotations Map of annotations to add to the pods (PostgreSQL read only)
+ ##
+ podAnnotations: {}
+ ## @param readReplicas.podAffinityPreset PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param readReplicas.podAntiAffinityPreset PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## PostgreSQL read only node affinity preset
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+ nodeAffinityPreset:
+ ## @param readReplicas.nodeAffinityPreset.type PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param readReplicas.nodeAffinityPreset.key PostgreSQL read only node label key to match Ignored if `primary.affinity` is set.
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## @param readReplicas.nodeAffinityPreset.values PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set.
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+ ## @param readReplicas.affinity Affinity for PostgreSQL read only pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set
+ ##
+ affinity: {}
+ ## @param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment
+ ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+ ## @param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param readReplicas.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
+ ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
+ ##
+ topologySpreadConstraints: {}
+ ## @param readReplicas.priorityClassName Priority Class to use for each pod (PostgreSQL read only)
+ ##
+ priorityClassName: ""
+ ## @param readReplicas.schedulerName Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ schedulerName: ""
+ ## @param readReplicas.terminationGracePeriodSeconds Seconds PostgreSQL read only pod needs to terminate gracefully
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
+ ##
+ terminationGracePeriodSeconds: ""
+ ## @param readReplicas.updateStrategy.type PostgreSQL read only statefulset strategy type
+ ## @param readReplicas.updateStrategy.rollingUpdate PostgreSQL read only statefulset rolling update configuration parameters
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+ ##
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate: {}
+ ## @param readReplicas.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s)
+ ##
+ extraVolumeMounts: []
+ ## @param readReplicas.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s)
+ ##
+ extraVolumes: []
+ ## @param readReplicas.sidecars Add additional sidecar containers to the PostgreSQL read only pod(s)
+ ## For example:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: []
+ ## @param readReplicas.initContainers Add additional init containers to the PostgreSQL read only pod(s)
+ ## Example
+ ##
+ ## initContainers:
+ ## - name: do-something
+ ## image: busybox
+ ## command: ['do', 'something']
+ ##
+ initContainers: []
+ ## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s)
+ ##
+ extraPodSpec: {}
+ ## PostgreSQL read only service configuration
+ ##
+ service:
+ ## @param readReplicas.service.type Kubernetes Service type
+ ##
+ type: ClusterIP
+ ## @param readReplicas.service.ports.postgresql PostgreSQL service port
+ ##
+ ports:
+ postgresql:
5432 + ## Node ports to expose + ## NOTE: choose port between <30000-32767> + ## @param readReplicas.service.nodePorts.postgresql Node port for PostgreSQL + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + postgresql: "" + ## @param readReplicas.service.clusterIP Static clusterIP or None for headless services + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param readReplicas.service.annotations Annotations for PostgreSQL read only service + ## + annotations: {} + ## @param readReplicas.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` + ## Set the LoadBalancer service type to internal only + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param readReplicas.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param readReplicas.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param readReplicas.service.extraPorts Extra ports to expose in the PostgreSQL read only service + ## + extraPorts: [] + ## PostgreSQL read only persistence configuration + ## + persistence: + ## @param readReplicas.persistence.enabled Enable PostgreSQL read only data persistence using PVC + ## + enabled: true + ## @param readReplicas.persistence.mountPath The path the volume will be mounted at + ## Note: useful when using custom PostgreSQL images + ## + mountPath: /bitnami/postgresql + ## @param readReplicas.persistence.subPath The subdirectory of the volume to 
mount to + ## Useful in dev environments and one PV for multiple services + ## + subPath: "" + ## @param readReplicas.persistence.storageClass PVC Storage Class for PostgreSQL read only data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param readReplicas.persistence.accessModes PVC Access Mode for PostgreSQL volume + ## + accessModes: + - ReadWriteOnce + ## @param readReplicas.persistence.size PVC Storage Request for PostgreSQL volume + ## + size: 8Gi + ## @param readReplicas.persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param readReplicas.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param readReplicas.persistence.dataSource Custom PVC data source + ## + dataSource: {} + + ## @section NetworkPolicy parameters + + ## Add networkpolicies + ## + networkPolicy: + ## @param networkPolicy.enabled Enable network policies + ## + enabled: false + ## @param networkPolicy.metrics.enabled Enable network policies for metrics (prometheus) + ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. + ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. 
+ ## + metrics: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: monitoring + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: monitoring + ## + podSelector: {} + ## Ingress Rules + ## + ingressRules: + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules [object] Custom network policy for the PostgreSQL primary node. + ## + primaryAccessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## customRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). 
+ ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules [object] Custom network policy for the PostgreSQL read-only nodes. + ## + readReplicasAccessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## CustomRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). + ## @param networkPolicy.egressRules.customRules [object] Custom network policy rule + ## + egressRules: + # Deny connections to external. This is not compatible with an external database. + denyConnectionsToExternal: false + ## Additional custom egress rules + ## e.g: + ## customRules: + ## - to: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + + ## @section Volume Permissions parameters + + ## Init containers parameters: + ## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node + ## + volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume + ## + enabled: false + ## @param volumePermissions.image.registry Init container volume-permissions image registry + ## @param volumePermissions.image.repository Init container volume-permissions image repository + ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + 
tag: 10-debian-10-r327 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param volumePermissions.resources.limits Init container volume-permissions resource limits + ## @param volumePermissions.resources.requests Init container volume-permissions resource requests + ## + resources: + limits: {} + requests: {} + ## Init container' Security Context + ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser + ## and not the below volumePermissions.containerSecurityContext.runAsUser + ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container + ## + containerSecurityContext: + runAsUser: 0 + + ## @section Other Parameters + + ## Service account for PostgreSQL to use. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + ## + serviceAccount: + ## @param serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod + ## + create: false + ## @param serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## Can be set to false if pods using this serviceAccount do not need to use K8s API + ## + automountServiceAccountToken: true + ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} + ## Creates role for ServiceAccount + ## @param rbac.create Create Role and RoleBinding (required for PSP to work) + ## + rbac: + create: false + ## @param rbac.rules Custom RBAC rules to set + ## e.g: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] + ## Pod Security Policy + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## @param psp.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later + ## + psp: + create: false + + ## @section Metrics Parameters + + metrics: + ## @param metrics.enabled Start a prometheus exporter + ## + enabled: false + ## @param metrics.image.registry PostgreSQL Prometheus Exporter image registry + ## @param metrics.image.repository PostgreSQL Prometheus Exporter image repository + ## @param metrics.image.tag PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) + ## @param metrics.image.pullPolicy PostgreSQL Prometheus Exporter image pull policy + ## @param metrics.image.pullSecrets Specify image pull secrets + ## + image: + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.10.1-debian-10-r14 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.customMetrics Define additional custom metrics + ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file + ## customMetrics: + ## pg_database: + ## query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" + ## metrics: + ## - name: + ## usage: "LABEL" + ## description: "Name of the database" + ## - size_bytes: + ## usage: "GAUGE" + ## description: "Size of the database in bytes" + ## + customMetrics: {} + ## @param metrics.extraEnvVars Extra environment variables to add to PostgreSQL Prometheus exporter + ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables + ## For example: + ## extraEnvVars: + ## - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS + ## value: "true" + ## + extraEnvVars: [] + ## PostgreSQL Prometheus exporter containers' Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param metrics.containerSecurityContext.enabled Enable PostgreSQL Prometheus exporter containers' Security Context + ## @param metrics.containerSecurityContext.runAsUser Set PostgreSQL Prometheus exporter containers' Security Context runAsUser + ## @param metrics.containerSecurityContext.runAsNonRoot Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## Configure extra options for PostgreSQL Prometheus exporter containers' liveness, readiness and startup probes + ## ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param metrics.livenessProbe.enabled Enable livenessProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param metrics.readinessProbe.enabled Enable readinessProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param metrics.startupProbe.enabled Enable startupProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe + ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param metrics.startupProbe.successThreshold 
Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param metrics.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param metrics.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param metrics.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param metrics.containerPorts.metrics PostgreSQL Prometheus exporter metrics container port + ## + containerPorts: + metrics: 9187 + ## PostgreSQL Prometheus exporter resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param metrics.resources.limits The resources limits for the PostgreSQL Prometheus exporter container + ## @param metrics.resources.requests The requested resources for the PostgreSQL Prometheus exporter container + ## + resources: + limits: {} + requests: {} + ## Service configuration + ## + service: + ## @param metrics.service.ports.metrics PostgreSQL Prometheus Exporter service port + ## + ports: + metrics: 9187 + ## @param metrics.service.clusterIP Static clusterIP or None for headless services + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## + clusterIP: "" + ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/user-guide/services/ + ## + sessionAffinity: None + ## @param metrics.service.annotations [object] Annotations for Prometheus to auto-discover the metrics endpoint + ## + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + ## 
@param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) + ## + namespace: "" + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + interval: "" + ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus + ## + labels: {} + ## @param metrics.serviceMonitor.selector Prometheus instance selector labels + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + selector: {} + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. 
+ ## + jobLabel: "" + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Create a PrometheusRule for Prometheus Operator + ## + enabled: false + ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace) + ## + namespace: "" + ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus + ## + labels: {} + ## @param metrics.prometheusRule.rules PrometheusRule definitions + ## Make sure to constraint the rules to the current postgresql service. + ## rules: + ## - alert: HugeReplicationLag + ## expr: pg_replication_lag{service="{{ printf "%s-metrics" (include "common.names.fullname" .) }}"} / 3600 > 1 + ## for: 1m + ## labels: + ## severity: critical + ## annotations: + ## description: replication for {{ include "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). + ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). + ## + rules: [] + + postgresql: + image: + repository: bitnami/postgresql + tag: 14.1.0 + auth: + existingSecret: \ No newline at end of file From fb4c539abe9b283aae2eee5dcec054c899097643 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 13 Feb 2022 09:50:52 +0100 Subject: [PATCH 100/334] config: values/chart mixup --- home/postgresql/Chart.yaml | 1330 +----------------------------------- 1 file changed, 7 insertions(+), 1323 deletions(-) diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml index c1787eac61..19f6ce564c 100644 --- a/home/postgresql/Chart.yaml +++ b/home/postgresql/Chart.yaml 
@@ -1,1323 +1,7 @@ -## @section Global parameters -## Please, note that this will override the parameters, including dependencies, configured to use the global value -## -global: - ## @param global.imageRegistry Global Docker image registry - ## - imageRegistry: "" - ## @param global.imagePullSecrets Global Docker registry secret names as an array - ## e.g. - ## imagePullSecrets: - ## - myRegistryKeySecretName - ## - imagePullSecrets: [] - ## @param global.storageClass Global StorageClass for Persistent Volume(s) - ## - storageClass: "" - postgresql: - ## @param global.postgresql.auth.postgresPassword Password for the "postgres" admin user (overrides `auth.postgresPassword`) - ## @param global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`) - ## @param global.postgresql.auth.password Password for the custom user to create (overrides `auth.password`) - ## @param global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`) - ## @param global.postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`) - ## - auth: - postgresPassword: "" - username: "" - password: "" - database: "" - existingSecret: "" - ## @param global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) - ## - service: - ports: - postgresql: "" - -## @section Common parameters -## - -## @param kubeVersion Override Kubernetes version -## -kubeVersion: "" -## @param nameOverride String to partially override common.names.fullname template (will maintain the release name) -## -nameOverride: "" -## @param fullnameOverride String to fully override common.names.fullname template -## -fullnameOverride: "" -## @param clusterDomain Kubernetes Cluster Domain -## -clusterDomain: cluster.local -## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) -## -extraDeploy: [] -## @param 
commonLabels Add labels to all the deployed resources -## -commonLabels: {} -## @param commonAnnotations Add annotations to all the deployed resources -## -commonAnnotations: {} -## Enable diagnostic mode in the statefulset -## -diagnosticMode: - ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) - ## - enabled: false - ## @param diagnosticMode.command Command to override all containers in the statefulset - ## - command: - - sleep - ## @param diagnosticMode.args Args to override all containers in the statefulset - ## - args: - - infinity - -## @section PostgreSQL common parameters -## - -## Bitnami PostgreSQL image version -## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ -## @param image.registry PostgreSQL image registry -## @param image.repository PostgreSQL image repository -## @param image.tag PostgreSQL image tag (immutable tags are recommended) -## @param image.pullPolicy PostgreSQL image pull policy -## @param image.pullSecrets Specify image pull secrets -## @param image.debug Specify if debug values should be set -## -image: - registry: docker.io - repository: bitnami/postgresql - tag: 14.1.0-debian-10-r80 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. 
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Set to true if you would like to see extra information on logs - ## - debug: false -## Authentication parameters -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run -## -auth: - ## @param auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user - ## - enablePostgresUser: true - ## @param auth.postgresPassword Password for the "postgres" admin user - ## - postgresPassword: "" - ## @param auth.username Name for a custom user to create - ## - username: "" - ## @param auth.password Password for the custom user to create - ## - password: "" - ## @param auth.database Name for a custom database to create - ## - database: "" - ## @param auth.replicationUsername Name of the replication user - ## - replicationUsername: repl_user - ## @param auth.replicationPassword Password for the replication user - ## - replicationPassword: "" - ## @param auth.existingSecret Name of existing secret to use for PostgreSQL credentials - ## `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret - ## The secret must contain the keys `postgres-password` (which is the password for "postgres" admin user), - ## `password` (which is the password for the custom user to create when `auth.username` is set), - ## and `replication-password` (which is the password for replication user). - ## The secret might also contains the key `ldap-password` if LDAP is enabled. 
`ldap.bind_password` will be ignored and - ## picked from this secret in this case. - ## The value is evaluated as a template. - ## - existingSecret: "" - ## @param auth.usePasswordFiles Mount credentials as a files instead of using an environment variable - ## - usePasswordFiles: false -## @param architecture PostgreSQL architecture (`standalone` or `replication`) -## -architecture: standalone -## Replication configuration -## Ignored if `architecture` is `standalone` -## -replication: - ## @param replication.synchronousCommit Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` - ## @param replication.numSynchronousReplicas Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`. - ## ref: https://www.postgresql.org/docs/current/runtime-config-wal.html#GUC-SYNCHRONOUS-COMMIT - ## - synchronousCommit: "off" - numSynchronousReplicas: 0 - ## @param replication.applicationName Cluster application name. 
Useful for advanced replication settings - ## - applicationName: my_application -## @param containerPorts.postgresql PostgreSQL container port -## -containerPorts: - postgresql: 5432 -## Audit settings -## https://github.com/bitnami/bitnami-docker-postgresql#auditing -## @param audit.logHostname Log client hostnames -## @param audit.logConnections Add client log-in operations to the log file -## @param audit.logDisconnections Add client log-outs operations to the log file -## @param audit.pgAuditLog Add operations to log using the pgAudit extension -## @param audit.pgAuditLogCatalog Log catalog using pgAudit -## @param audit.clientMinMessages Message log level to share with the user -## @param audit.logLinePrefix Template for log line prefix (default if not set) -## @param audit.logTimezone Timezone for the log timestamps -## -audit: - logHostname: false - logConnections: false - logDisconnections: false - pgAuditLog: "" - pgAuditLogCatalog: "off" - clientMinMessages: error - logLinePrefix: "" - logTimezone: "" -## LDAP configuration -## @param ldap.enabled Enable LDAP support -## @param ldap.url LDAP URL beginning in the form `ldap[s]://host[:port]/basedn` -## @param ldap.server IP address or name of the LDAP server. 
-## @param ldap.port Port number on the LDAP server to connect to -## @param ldap.prefix String to prepend to the user name when forming the DN to bind -## @param ldap.suffix String to append to the user name when forming the DN to bind -## @param ldap.baseDN Root DN to begin the search for the user in -## @param ldap.bindDN DN of user to bind to LDAP -## @param ldap.bind_password Password for the user to bind to LDAP -## @param ldap.search_attr Attribute to match against the user name in the search -## @param ldap.search_filter The search filter to use when doing search+bind authentication -## @param ldap.scheme Set to `ldaps` to use LDAPS -## @param ldap.tls Set to `1` to use TLS encryption -## -ldap: - enabled: false - url: "" - server: "" - port: "" - prefix: "" - suffix: "" - baseDN: "" - bindDN: "" - bind_password: "" - search_attr: "" - search_filter: "" - scheme: "" - tls: "" -## @param postgresqlDataDir PostgreSQL data dir folder -## -postgresqlDataDir: /bitnami/postgresql/data -## @param postgresqlSharedPreloadLibraries Shared preload libraries (comma-separated list) -## -postgresqlSharedPreloadLibraries: "pgaudit" -## Start PostgreSQL pod(s) without limitations on shm memory. 
-## By default docker and containerd (and possibly other container runtimes) limit `/dev/shm` to `64M` -## ref: https://github.com/docker-library/postgres/issues/416 -## ref: https://github.com/containerd/containerd/issues/3654 -## -shmVolume: - ## @param shmVolume.enabled Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) - ## - enabled: true - ## @param shmVolume.sizeLimit Set this to enable a size limit on the shm tmpfs - ## Note: the size of the tmpfs counts against container's memory limit - ## e.g: - ## sizeLimit: 1Gi - ## - sizeLimit: "" -## TLS configuration -## -tls: - ## @param tls.enabled Enable TLS traffic support - ## - enabled: false - ## @param tls.autoGenerated Generate automatically self-signed TLS certificates - ## - autoGenerated: false - ## @param tls.preferServerCiphers Whether to use the server's TLS cipher preferences rather than the client's - ## - preferServerCiphers: true - ## @param tls.certificatesSecret Name of an existing secret that contains the certificates - ## - certificatesSecret: "" - ## @param tls.certFilename Certificate filename - ## - certFilename: "" - ## @param tls.certKeyFilename Certificate key filename - ## - certKeyFilename: "" - ## @param tls.certCAFilename CA Certificate filename - ## If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate - ## ref: https://www.postgresql.org/docs/9.6/auth-methods.html - ## - certCAFilename: "" - ## @param tls.crlFilename File containing a Certificate Revocation List - ## - crlFilename: "" - -## @section PostgreSQL Primary parameters -## -primary: - ## @param primary.configuration PostgreSQL Primary main configuration to be injected as ConfigMap - ## ref: https://www.postgresql.org/docs/current/static/runtime-config.html - ## - configuration: "" - ## @param primary.pgHbaConfiguration PostgreSQL Primary client authentication configuration - ## ref: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html - ## e.g:# - ## 
pgHbaConfiguration: |- - ## local all all trust - ## host all all localhost trust - ## host mydatabase mysuser 192.168.0.0/24 md5 - ## - pgHbaConfiguration: "" - ## @param primary.existingConfigmap Name of an existing ConfigMap with PostgreSQL Primary configuration - ## NOTE: `primary.configuration` and `primary.pgHbaConfiguration` will be ignored - ## - existingConfigmap: "" - ## @param primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration) - ## ref: https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf - ## - extendedConfiguration: "" - ## @param primary.existingExtendedConfigmap Name of an existing ConfigMap with PostgreSQL Primary extended configuration - ## NOTE: `primary.extendedConfiguration` will be ignored - ## - existingExtendedConfigmap: "" - ## Initdb configuration - ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#specifying-initdb-arguments - ## - initdb: - ## @param primary.initdb.args PostgreSQL initdb extra arguments - ## - args: "" - ## @param primary.initdb.postgresqlWalDir Specify a custom location for the PostgreSQL transaction log - ## - postgresqlWalDir: "" - ## @param primary.initdb.scripts Dictionary of initdb scripts - ## Specify dictionary of scripts to be run at first boot - ## e.g: - ## scripts: - ## my_init_script.sh: | - ## #!/bin/sh - ## echo "Do something." 
- ## - scripts: {} - ## @param primary.initdb.scriptsConfigMap ConfigMap with scripts to be run at first boot - ## NOTE: This will override `primary.initdb.scripts` - ## - scriptsConfigMap: "" - ## @param primary.initdb.scriptsSecret Secret with scripts to be run at first boot (in case it contains sensitive information) - ## NOTE: This can work along `primary.initdb.scripts` or `primary.initdb.scriptsConfigMap` - ## - scriptsSecret: "" - ## @param primary.initdb.user Specify the PostgreSQL username to execute the initdb scripts - ## - user: "" - ## @param primary.initdb.password Specify the PostgreSQL password to execute the initdb scripts - ## - password: "" - ## Configure current cluster's primary server to be the standby server in other cluster. - ## This will allow cross cluster replication and provide cross cluster high availability. - ## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled. - ## @param primary.standby.enabled Whether to enable current cluster's primary as standby server of another cluster or not - ## @param primary.standby.primaryHost The Host of replication primary in the other cluster - ## @param primary.standby.primaryPort The Port of replication primary in the other cluster - ## - standby: - enabled: false - primaryHost: "" - primaryPort: "" - ## @param primary.extraEnvVars Array with extra environment variables to add to PostgreSQL Primary nodes - ## e.g: - ## extraEnvVars: - ## - name: FOO - ## value: "bar" - ## - extraEnvVars: [] - ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes - ## - extraEnvVarsCM: "" - ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL Primary nodes - ## - extraEnvVarsSecret: "" - ## @param primary.command Override default container command (useful when using custom images) - ## - command: [] - ## @param primary.args Override default 
container args (useful when using custom images) - ## - args: [] - ## Configure extra options for PostgreSQL Primary containers' liveness, readiness and startup probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes - ## @param primary.livenessProbe.enabled Enable livenessProbe on PostgreSQL Primary containers - ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param primary.readinessProbe.enabled Enable readinessProbe on PostgreSQL Primary containers - ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param primary.startupProbe.enabled Enable startupProbe on PostgreSQL Primary containers - ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe - ## @param primary.startupProbe.timeoutSeconds Timeout seconds for 
startupProbe - ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe - ## @param primary.startupProbe.successThreshold Success threshold for startupProbe - ## - startupProbe: - enabled: false - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 15 - successThreshold: 1 - ## @param primary.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param primary.customReadinessProbe Custom readinessProbe that overrides the default one - ## - customReadinessProbe: {} - ## @param primary.customStartupProbe Custom startupProbe that overrides the default one - ## - customStartupProbe: {} - ## @param primary.lifecycleHooks for the PostgreSQL Primary container to automate configuration before or after startup - ## - lifecycleHooks: {} - ## PostgreSQL Primary resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param primary.resources.limits The resources limits for the PostgreSQL Primary containers - ## @param primary.resources.requests.memory The requested memory for the PostgreSQL Primary containers - ## @param primary.resources.requests.cpu The requested cpu for the PostgreSQL Primary containers - ## - resources: - limits: {} - requests: - memory: 256Mi - cpu: 250m - ## Pod Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## @param primary.podSecurityContext.enabled Enable security context - ## @param primary.podSecurityContext.fsGroup Group ID for the pod - ## - podSecurityContext: - enabled: true - fsGroup: 1001 - ## Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## @param primary.containerSecurityContext.enabled Enable container security context - ## @param primary.containerSecurityContext.runAsUser User ID for the container - ## - containerSecurityContext: - enabled: true - runAsUser: 
1001 - ## @param primary.hostAliases PostgreSQL primary pods host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## @param primary.labels Map of labels to add to the statefulset (postgresql primary) - ## - labels: {} - ## @param primary.annotations Annotations for PostgreSQL primary pods - ## - annotations: {} - ## @param primary.podLabels Map of labels to add to the pods (postgresql primary) - ## - podLabels: {} - ## @param primary.podAnnotations Map of annotations to add to the pods (postgresql primary) - ## - podAnnotations: {} - ## @param primary.podAffinityPreset PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param primary.podAntiAffinityPreset PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAntiAffinityPreset: soft - ## PostgreSQL Primary node affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## - nodeAffinityPreset: - ## @param primary.nodeAffinityPreset.type PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## - type: "" - ## @param primary.nodeAffinityPreset.key PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## @param primary.nodeAffinityPreset.values PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. - ## E.g. 
- ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param primary.affinity Affinity for PostgreSQL primary pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set - ## - affinity: {} - ## @param primary.nodeSelector Node labels for PostgreSQL primary pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param primary.tolerations Tolerations for PostgreSQL primary pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## @param primary.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods - ## - topologySpreadConstraints: {} - ## @param primary.priorityClassName Priority Class to use for each pod (postgresql primary) - ## - priorityClassName: "" - ## @param primary.schedulerName Use an alternate scheduler, e.g. "stork". 
- ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - schedulerName: "" - ## @param primary.terminationGracePeriodSeconds Seconds PostgreSQL primary pod needs to terminate gracefully - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods - ## - terminationGracePeriodSeconds: "" - ## @param primary.updateStrategy.type PostgreSQL Primary statefulset strategy type - ## @param primary.updateStrategy.rollingUpdate PostgreSQL Primary statefulset rolling update configuration parameters - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - ## - updateStrategy: - type: RollingUpdate - rollingUpdate: {} - ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) - ## - extraVolumeMounts: [] - ## @param primary.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) - ## - extraVolumes: [] - ## @param primary.sidecars Add additional sidecar containers to the PostgreSQL Primary pod(s) - ## For example: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - ## @param primary.initContainers Add additional init containers to the PostgreSQL Primary pod(s) - ## Example - ## - ## initContainers: - ## - name: do-something - ## image: busybox - ## command: ['do', 'something'] - ## - initContainers: [] - ## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) - ## - extraPodSpec: {} - ## PostgreSQL Primary service configuration - ## - service: - ## @param primary.service.type Kubernetes Service type - ## - type: ClusterIP - ## @param primary.service.ports.postgresql PostgreSQL service port - ## - ports: - postgresql: 5432 - ## Node ports to expose - ## NOTE: choose port between 
<30000-32767> - ## @param primary.service.nodePorts.postgresql Node port for PostgreSQL - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - nodePorts: - postgresql: "" - ## @param primary.service.clusterIP Static clusterIP or None for headless services - ## e.g: - ## clusterIP: None - ## - clusterIP: "" - ## @param primary.service.annotations Annotations for PostgreSQL primary service - ## - annotations: {} - ## @param primary.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` - ## Set the LoadBalancer service type to internal only - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param primary.service.externalTrafficPolicy Enable client source IP preservation - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param primary.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param primary.service.extraPorts Extra ports to expose in the PostgreSQL primary service - ## - extraPorts: [] - ## PostgreSQL Primary persistence configuration - ## - persistence: - ## @param primary.persistence.enabled Enable PostgreSQL Primary data persistence using PVC - ## - enabled: true - ## @param primary.persistence.existingClaim Name of an existing PVC to use - ## - existingClaim: "" - ## @param primary.persistence.mountPath The path the volume will be mounted at - ## Note: useful when using custom PostgreSQL images - ## - mountPath: /bitnami/postgresql - ## @param primary.persistence.subPath The subdirectory of the volume to mount to - ## Useful 
in dev environments and one PV for multiple services - ## - subPath: "" - ## @param primary.persistence.storageClass PVC Storage Class for PostgreSQL Primary data volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - storageClass: "" - ## @param primary.persistence.accessModes PVC Access Mode for PostgreSQL volume - ## - accessModes: - - ReadWriteOnce - ## @param primary.persistence.size PVC Storage Request for PostgreSQL volume - ## - size: 8Gi - ## @param primary.persistence.annotations Annotations for the PVC - ## - annotations: {} - ## @param primary.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) - ## selector: - ## matchLabels: - ## app: my-app - ## - selector: {} - ## @param primary.persistence.dataSource Custom PVC data source - ## - dataSource: {} - -## @section PostgreSQL read only replica parameters -## -readReplicas: - ## @param readReplicas.replicaCount Number of PostgreSQL read only replicas - ## - replicaCount: 1 - ## @param readReplicas.extraEnvVars Array with extra environment variables to add to PostgreSQL read only nodes - ## e.g: - ## extraEnvVars: - ## - name: FOO - ## value: "bar" - ## - extraEnvVars: [] - ## @param readReplicas.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes - ## - extraEnvVarsCM: "" - ## @param readReplicas.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL read only nodes - ## - extraEnvVarsSecret: "" - ## @param readReplicas.command Override default container command (useful when using custom images) - ## - command: [] - ## @param readReplicas.args Override default container args (useful when using custom images) - ## - args: [] - ## 
Configure extra options for PostgreSQL read only containers' liveness, readiness and startup probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes - ## @param readReplicas.livenessProbe.enabled Enable livenessProbe on PostgreSQL read only containers - ## @param readReplicas.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param readReplicas.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param readReplicas.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param readReplicas.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param readReplicas.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param readReplicas.readinessProbe.enabled Enable readinessProbe on PostgreSQL read only containers - ## @param readReplicas.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param readReplicas.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param readReplicas.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param readReplicas.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param readReplicas.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param readReplicas.startupProbe.enabled Enable startupProbe on PostgreSQL read only containers - ## @param readReplicas.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param readReplicas.startupProbe.periodSeconds Period seconds for startupProbe - ## @param readReplicas.startupProbe.timeoutSeconds Timeout 
seconds for startupProbe - ## @param readReplicas.startupProbe.failureThreshold Failure threshold for startupProbe - ## @param readReplicas.startupProbe.successThreshold Success threshold for startupProbe - ## - startupProbe: - enabled: false - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 15 - successThreshold: 1 - ## @param readReplicas.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param readReplicas.customReadinessProbe Custom readinessProbe that overrides the default one - ## - customReadinessProbe: {} - ## @param readReplicas.customStartupProbe Custom startupProbe that overrides the default one - ## - customStartupProbe: {} - ## @param readReplicas.lifecycleHooks for the PostgreSQL read only container to automate configuration before or after startup - ## - lifecycleHooks: {} - ## PostgreSQL read only resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param readReplicas.resources.limits The resources limits for the PostgreSQL read only containers - ## @param readReplicas.resources.requests.memory The requested memory for the PostgreSQL read only containers - ## @param readReplicas.resources.requests.cpu The requested cpu for the PostgreSQL read only containers - ## - resources: - limits: {} - requests: - memory: 256Mi - cpu: 250m - ## Pod Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## @param readReplicas.podSecurityContext.enabled Enable security context - ## @param readReplicas.podSecurityContext.fsGroup Group ID for the pod - ## - podSecurityContext: - enabled: true - fsGroup: 1001 - ## Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## @param readReplicas.containerSecurityContext.enabled Enable container security context - ## @param readReplicas.containerSecurityContext.runAsUser User 
ID for the container - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - ## @param readReplicas.hostAliases PostgreSQL read only pods host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## @param readReplicas.labels Map of labels to add to the statefulset (PostgreSQL read only) - ## - labels: {} - ## @param readReplicas.annotations Annotations for PostgreSQL read only pods - ## - annotations: {} - ## @param readReplicas.podLabels Map of labels to add to the pods (PostgreSQL read only) - ## - podLabels: {} - ## @param readReplicas.podAnnotations Map of annotations to add to the pods (PostgreSQL read only) - ## - podAnnotations: {} - ## @param readReplicas.podAffinityPreset PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param readReplicas.podAntiAffinityPreset PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAntiAffinityPreset: soft - ## PostgreSQL read only node affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## - nodeAffinityPreset: - ## @param readReplicas.nodeAffinityPreset.type PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## - type: "" - ## @param readReplicas.nodeAffinityPreset.key PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. - ## E.g. 
- ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## @param readReplicas.nodeAffinityPreset.values PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param readReplicas.affinity Affinity for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set - ## - affinity: {} - ## @param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## @param readReplicas.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods - ## - topologySpreadConstraints: {} - ## @param readReplicas.priorityClassName Priority Class to use for each pod (PostgreSQL read only) - ## - priorityClassName: "" - ## @param readReplicas.schedulerName Use an alternate scheduler, e.g. "stork". 
- ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - schedulerName: "" - ## @param readReplicas.terminationGracePeriodSeconds Seconds PostgreSQL read only pod needs to terminate gracefully - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods - ## - terminationGracePeriodSeconds: "" - ## @param readReplicas.updateStrategy.type PostgreSQL read only statefulset strategy type - ## @param readReplicas.updateStrategy.rollingUpdate PostgreSQL read only statefulset rolling update configuration parameters - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - ## - updateStrategy: - type: RollingUpdate - rollingUpdate: {} - ## @param readReplicas.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) - ## - extraVolumeMounts: [] - ## @param readReplicas.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) - ## - extraVolumes: [] - ## @param readReplicas.sidecars Add additional sidecar containers to the PostgreSQL read only pod(s) - ## For example: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - ## @param readReplicas.initContainers Add additional init containers to the PostgreSQL read only pod(s) - ## Example - ## - ## initContainers: - ## - name: do-something - ## image: busybox - ## command: ['do', 'something'] - ## - initContainers: [] - ## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s) - ## - extraPodSpec: {} - ## PostgreSQL read only service configuration - ## - service: - ## @param readReplicas.service.type Kubernetes Service type - ## - type: ClusterIP - ## @param readReplicas.service.ports.postgresql PostgreSQL service port - ## - ports: - postgresql: 
5432 - ## Node ports to expose - ## NOTE: choose port between <30000-32767> - ## @param readReplicas.service.nodePorts.postgresql Node port for PostgreSQL - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - nodePorts: - postgresql: "" - ## @param readReplicas.service.clusterIP Static clusterIP or None for headless services - ## e.g: - ## clusterIP: None - ## - clusterIP: "" - ## @param readReplicas.service.annotations Annotations for PostgreSQL read only service - ## - annotations: {} - ## @param readReplicas.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` - ## Set the LoadBalancer service type to internal only - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param readReplicas.service.externalTrafficPolicy Enable client source IP preservation - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param readReplicas.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param readReplicas.service.extraPorts Extra ports to expose in the PostgreSQL read only service - ## - extraPorts: [] - ## PostgreSQL read only persistence configuration - ## - persistence: - ## @param readReplicas.persistence.enabled Enable PostgreSQL read only data persistence using PVC - ## - enabled: true - ## @param readReplicas.persistence.mountPath The path the volume will be mounted at - ## Note: useful when using custom PostgreSQL images - ## - mountPath: /bitnami/postgresql - ## @param readReplicas.persistence.subPath The subdirectory of the volume to 
mount to - ## Useful in dev environments and one PV for multiple services - ## - subPath: "" - ## @param readReplicas.persistence.storageClass PVC Storage Class for PostgreSQL read only data volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - storageClass: "" - ## @param readReplicas.persistence.accessModes PVC Access Mode for PostgreSQL volume - ## - accessModes: - - ReadWriteOnce - ## @param readReplicas.persistence.size PVC Storage Request for PostgreSQL volume - ## - size: 8Gi - ## @param readReplicas.persistence.annotations Annotations for the PVC - ## - annotations: {} - ## @param readReplicas.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) - ## selector: - ## matchLabels: - ## app: my-app - ## - selector: {} - ## @param readReplicas.persistence.dataSource Custom PVC data source - ## - dataSource: {} - -## @section NetworkPolicy parameters - -## Add networkpolicies -## -networkPolicy: - ## @param networkPolicy.enabled Enable network policies - ## - enabled: false - ## @param networkPolicy.metrics.enabled Enable network policies for metrics (prometheus) - ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. - ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. 
- ## - metrics: - enabled: false - ## e.g: - ## namespaceSelector: - ## label: monitoring - ## - namespaceSelector: {} - ## e.g: - ## podSelector: - ## label: monitoring - ## - podSelector: {} - ## Ingress Rules - ## - ingressRules: - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules [object] Custom network policy for the PostgreSQL primary node. - ## - primaryAccessOnlyFrom: - enabled: false - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## custom ingress rules - ## e.g: - ## customRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - customRules: {} - ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. - ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). 
- ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules [object] Custom network policy for the PostgreSQL read-only nodes. - ## - readReplicasAccessOnlyFrom: - enabled: false - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## custom ingress rules - ## e.g: - ## CustomRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - customRules: {} - ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). - ## @param networkPolicy.egressRules.customRules [object] Custom network policy rule - ## - egressRules: - # Deny connections to external. This is not compatible with an external database. - denyConnectionsToExternal: false - ## Additional custom egress rules - ## e.g: - ## customRules: - ## - to: - ## - namespaceSelector: - ## matchLabels: - ## label: example - customRules: {} - -## @section Volume Permissions parameters - -## Init containers parameters: -## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node -## -volumePermissions: - ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume - ## - enabled: false - ## @param volumePermissions.image.registry Init container volume-permissions image registry - ## @param volumePermissions.image.repository Init container volume-permissions image repository - ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) - ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy - ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets - ## - image: - registry: docker.io - repository: bitnami/bitnami-shell - tag: 
10-debian-10-r327 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Init container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param volumePermissions.resources.limits Init container volume-permissions resource limits - ## @param volumePermissions.resources.requests Init container volume-permissions resource requests - ## - resources: - limits: {} - requests: {} - ## Init container' Security Context - ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser - ## and not the below volumePermissions.containerSecurityContext.runAsUser - ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container - ## - containerSecurityContext: - runAsUser: 0 - -## @section Other Parameters - -## Service account for PostgreSQL to use. -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ -## -serviceAccount: - ## @param serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod - ## - create: false - ## @param serviceAccount.name The name of the ServiceAccount to use. 
- ## If not set and create is true, a name is generated using the common.names.fullname template - ## - name: "" - ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created - ## Can be set to false if pods using this serviceAccount do not need to use K8s API - ## - automountServiceAccountToken: true - ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount - ## - annotations: {} -## Creates role for ServiceAccount -## @param rbac.create Create Role and RoleBinding (required for PSP to work) -## -rbac: - create: false - ## @param rbac.rules Custom RBAC rules to set - ## e.g: - ## rules: - ## - apiGroups: - ## - "" - ## resources: - ## - pods - ## verbs: - ## - get - ## - list - ## - rules: [] -## Pod Security Policy -## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -## @param psp.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later -## -psp: - create: false - -## @section Metrics Parameters - -metrics: - ## @param metrics.enabled Start a prometheus exporter - ## - enabled: false - ## @param metrics.image.registry PostgreSQL Prometheus Exporter image registry - ## @param metrics.image.repository PostgreSQL Prometheus Exporter image repository - ## @param metrics.image.tag PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) - ## @param metrics.image.pullPolicy PostgreSQL Prometheus Exporter image pull policy - ## @param metrics.image.pullSecrets Specify image pull secrets - ## - image: - registry: docker.io - repository: bitnami/postgres-exporter - tag: 0.10.1-debian-10-r14 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. 
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## @param metrics.customMetrics Define additional custom metrics - ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file - ## customMetrics: - ## pg_database: - ## query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" - ## metrics: - ## - name: - ## usage: "LABEL" - ## description: "Name of the database" - ## - size_bytes: - ## usage: "GAUGE" - ## description: "Size of the database in bytes" - ## - customMetrics: {} - ## @param metrics.extraEnvVars Extra environment variables to add to PostgreSQL Prometheus exporter - ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables - ## For example: - ## extraEnvVars: - ## - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS - ## value: "true" - ## - extraEnvVars: [] - ## PostgreSQL Prometheus exporter containers' Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param metrics.containerSecurityContext.enabled Enable PostgreSQL Prometheus exporter containers' Security Context - ## @param metrics.containerSecurityContext.runAsUser Set PostgreSQL Prometheus exporter containers' Security Context runAsUser - ## @param metrics.containerSecurityContext.runAsNonRoot Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsNonRoot: true - ## Configure extra options for PostgreSQL Prometheus exporter containers' liveness, readiness and startup probes - ## ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes - ## @param metrics.livenessProbe.enabled Enable livenessProbe on PostgreSQL Prometheus exporter containers - ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param metrics.readinessProbe.enabled Enable readinessProbe on PostgreSQL Prometheus exporter containers - ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param metrics.startupProbe.enabled Enable startupProbe on PostgreSQL Prometheus exporter containers - ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe - ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe - ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe - ## @param metrics.startupProbe.successThreshold 
Success threshold for startupProbe - ## - startupProbe: - enabled: false - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 15 - successThreshold: 1 - ## @param metrics.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param metrics.customReadinessProbe Custom readinessProbe that overrides the default one - ## - customReadinessProbe: {} - ## @param metrics.customStartupProbe Custom startupProbe that overrides the default one - ## - customStartupProbe: {} - ## @param metrics.containerPorts.metrics PostgreSQL Prometheus exporter metrics container port - ## - containerPorts: - metrics: 9187 - ## PostgreSQL Prometheus exporter resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param metrics.resources.limits The resources limits for the PostgreSQL Prometheus exporter container - ## @param metrics.resources.requests The requested resources for the PostgreSQL Prometheus exporter container - ## - resources: - limits: {} - requests: {} - ## Service configuration - ## - service: - ## @param metrics.service.ports.metrics PostgreSQL Prometheus Exporter service port - ## - ports: - metrics: 9187 - ## @param metrics.service.clusterIP Static clusterIP or None for headless services - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address - ## - clusterIP: "" - ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin - ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ - ## - sessionAffinity: None - ## @param metrics.service.annotations [object] Annotations for Prometheus to auto-discover the metrics endpoint - ## - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" - ## Prometheus Operator ServiceMonitor configuration - ## - serviceMonitor: - ## 
@param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator - ## - enabled: false - ## @param metrics.serviceMonitor.namespace Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) - ## - namespace: "" - ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped. - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## - interval: "" - ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## - scrapeTimeout: "" - ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus - ## - labels: {} - ## @param metrics.serviceMonitor.selector Prometheus instance selector labels - ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration - ## - selector: {} - ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping - ## - relabelings: [] - ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion - ## - metricRelabelings: [] - ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint - ## - honorLabels: false - ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. 
- ##
- jobLabel: ""
- ## Custom PrometheusRule to be defined
- ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
- ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
- ##
- prometheusRule:
- ## @param metrics.prometheusRule.enabled Create a PrometheusRule for Prometheus Operator
- ##
- enabled: false
- ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace)
- ##
- namespace: ""
- ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
- ##
- labels: {}
- ## @param metrics.prometheusRule.rules PrometheusRule definitions
- ## Make sure to constraint the rules to the current postgresql service.
- ## rules:
- ## - alert: HugeReplicationLag
- ## expr: pg_replication_lag{service="{{ printf "%s-metrics" (include "common.names.fullname" .) }}"} / 3600 > 1
- ## for: 1m
- ## labels:
- ## severity: critical
- ## annotations:
- ## description: replication for {{ include "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s).
- ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s).
- ##
- rules: []
\ No newline at end of file
+apiVersion: v2
+name: postgresql
+version: 0.0.0
+dependencies:
+ - name: postgresql
+ version: 11.0.3
+ repository: https://charts.bitnami.com/bitnami
\ No newline at end of file
From d63f275bce633942d009c61d2f0456564e5f4194 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Sun, 13 Feb 2022 10:07:37 +0100
Subject: [PATCH 101/334] config: removed homeassistant
---
 home/homeassistant/values.yaml | 13 -------------
 1 file changed, 13 deletions(-)
diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml
index fcc1ee01db..46c07cd087 100644
--- a/home/homeassistant/values.yaml
+++ b/home/homeassistant/values.yaml
@@ -99,19 +99,6 @@ home-assistant:
 storageClass: longhorn
 size: 4Gi
- # -- Enable and configure influxdb database subchart under this key.
- # For more options see [influxdb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/influxdb)
- # @default -- See values.yaml
- influxdb:
- enabled: true
- architecture: standalone
- database: home_assistant
- authEnabled: false
- persistence:
- enabled: true
- storageClass: longhorn
- size: 8Gi
-
 metrics: &metrics
 # -- Enable and configure a Prometheus serviceMonitor for the chart under this key.
 # @default -- See values.yaml
From c87b39ab42a042a9f9c14e4dcc25e30029c6c4a0 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Sun, 13 Feb 2022 10:35:11 +0100
Subject: [PATCH 102/334] config: influxdb
---
 home/influxdb/values.yaml | 1358 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 1350 insertions(+), 8 deletions(-)
diff --git a/home/influxdb/values.yaml b/home/influxdb/values.yaml
index 9a7c737f05..c1b3bd0e22 100644
--- a/home/influxdb/values.yaml
+++ b/home/influxdb/values.yaml
@@ -1,10 +1,1352 @@ + +influxdb: + + ## @section Global parameters + ## Global Docker image parameters + ## Please, note that this will override the image parameters, including dependencies, configured to use the global value + ## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass + + ## @param global.imageRegistry Global Docker image registry + ## @param global.imagePullSecrets Global Docker registry secret names as an array + ## @param global.storageClass Global storage class for dynamic provisioning + ## + global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" + + ## @section Common parameters + + ## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) + ## + kubeVersion: "" + ## @param nameOverride String to partially override influxdb.fullname template with a string (will prepend the release name) + ## + nameOverride: "" + ## @param fullnameOverride String to fully override influxdb.fullname template with a string + ## + fullnameOverride: "" + ## @param clusterDomain Default Kubernetes cluster domain + ## + clusterDomain: cluster.local + ## @param commonAnnotations Annotations to add to all deployed objects + ## + commonAnnotations: {} + ## @param commonLabels Labels to add to all deployed objects + ## + commonLabels: {} + ## @param extraDeploy Array of extra objects to deploy with the release + ## + extraDeploy: [] + + ## Enable diagnostic mode in the deployment + ## + diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity + + ## @section InfluxDB™ parameters + + ## Bitnami 
InfluxDB™ image + ## ref: https://hub.docker.com/r/bitnami/influxdb/tags/ + ## @param image.registry InfluxDB™ image registry + ## @param image.repository InfluxDB™ image repository + ## @param image.tag InfluxDB™ image tag (immutable tags are recommended) + ## @param image.pullPolicy InfluxDB™ image pull policy + ## @param image.pullSecrets Specify docker-registry secret names as an array + ## @param image.debug Specify if debug logs should be enabled + ## + image: + registry: docker.io + repository: bitnami/influxdb + tag: 2.1.1-debian-10-r50 + ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false + ## @param architecture InfluxDB™ architecture (`standalone` or `high-availability`) + ## + architecture: standalone + ## Authentication parameters + ## + auth: + ## @param auth.enabled Enable/disable authentication (Variable to keep compatibility with InfluxDB™ v1, in v2 it will be ignored) + ## + enabled: true + ## @param auth.usePasswordFiles Whether to use files to provide secrets instead of env vars. + ## + usePasswordFiles: false + ## InfluxDB™ admin credentials + ## + admin: + ## @param auth.admin.username InfluxDB™ admin user name + ## + username: admin + ## @param auth.admin.password InfluxDB™ admin user's password + ## + password: "" + ## @param auth.admin.token InfluxDB™ admin user's token. Only valid with InfluxDB™ v2 + ## + token: "" + ## @param auth.admin.org InfluxDB™ admin user's org. 
Only valid with InfluxDB™ v2 + ## + org: primary + ## @param auth.admin.bucket InfluxDB™ admin user's bucket. Only valid with InfluxDB™ v2 + ## + bucket: primary + ## @param auth.createUserToken Whether to create tokens for the different users. Take into account these tokens are going to be created by CLI randomly and they will not be accessible from a secret. See more influxdb 2.0 [auth ref](https://docs.influxdata.com/influxdb/v2.0/security/tokens/) + ## You should take into account these tokens are going to be created by CLI + ## so it is not possible to get them by k8s secrets nor to provide them though + ## values + ## See more influxdb 2.0 auth ref: https://docs.influxdata.com/influxdb/v2.0/security/tokens/ + ## + createUserToken: false + ## InfluxDB™ credentials for user with 'admin' privileges on the db specified at 'database' parameter + ## + user: + ## @param auth.user.username Name for InfluxDB™ user with 'admin' privileges on the bucket specified at `auth.user.bucket` and `auth.user.org` or `auth.admin.org` + ## + username: "" + ## @param auth.user.password InfluxDB™ password for `user.name` user + ## + password: "" + ## @param auth.user.org Org to be created on first run + ## + org: "" + ## @param auth.user.bucket Bucket to be created on first run + ## already create. If it is not null a new bucket will be created. 
+ ## + bucket: "" + ## InfluxDB™ credentials for user with 'read' privileges on the db specified at 'database' parameter + ## @param auth.readUser.username Name for InfluxDB™ user with 'read' privileges on the bucket specified at `auth.user.bucket` + ## @param auth.readUser.password InfluxDB™ password for `auth.readUser.username` user + ## + readUser: + username: "" + password: "" + ## InfluxDB™ credentials for user with 'write' privileges on the db specified at 'database' parameter + ## @param auth.writeUser.username Name for InfluxDB™ user with 'read' privileges on the bucket specified at `auth.user.bucket` + ## @param auth.writeUser.password InfluxDB™ password for `auth.writeUser.username` user + ## + writeUser: + username: "" + password: "" + ## @param auth.existingSecret Name of existing Secret object with InfluxDB™ credentials (`auth.admin.password`, `auth.user.password`, `auth.readUser.password`, and `auth.writeUser.password` will be ignored and picked up from this secret) + ## + existingSecret: "influxdb-secret" + ## InfluxDB™ backend parameters + ## influxdb: + ## @param influxdb.configuration Specify content for influxdb.conf + ## Alternatively, you can put your influxdb.conf under the files/conf/ directory + ## + ## configuration: |- + ## reporting-disabled = false + ## bind-address = "127.0.0.1:8088" + ## [meta] + ## dir = "/bitnami/influxdb/meta" + ## ... + ## + configuration: "" + ## @param influxdb.existingConfiguration Name of existing ConfigMap object with the InfluxDB™ configuration (`influxdb.configuration` will be ignored). + ## + existingConfiguration: "" + ## @param influxdb.initdbScripts Dictionary of initdb scripts + ## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory + ## + ## initdbScripts: + ## my_init_script.sh: | + ## #!/bin/sh + ## echo "Do something." 
+ initdbScripts: {} + ## @param influxdb.initdbScriptsCM Name of existing ConfigMap object with the initdb scripts (`influxdb.initdbScripts` will be ignored). + ## + initdbScriptsCM: "" + ## @param influxdb.initdbScriptsSecret Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`) + ## + initdbScriptsSecret: "" + ## @param influxdb.replicaCount The number of InfluxDB™ replicas to deploy + ## + replicaCount: 1 + ## @param influxdb.podAffinityPreset InfluxDB™ Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param influxdb.podAntiAffinityPreset InfluxDB™ Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param influxdb.nodeAffinityPreset.type InfluxDB™ Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + type: "" + ## @param influxdb.nodeAffinityPreset.key InfluxDB™ Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param influxdb.nodeAffinityPreset.values InfluxDB™ Node label values to match. Ignored if `affinity` is set. + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param influxdb.affinity InfluxDB™ Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param influxdb.nodeSelector InfluxDB™ Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param influxdb.tolerations InfluxDB™ Tolerations for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param influxdb.podAnnotations Annotations for InfluxDB™ pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param influxdb.podLabels Extra labels for InfluxDB™ pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param influxdb.hostAliases InfluxDB™ pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param influxdb.updateStrategy.type InfluxDB™ statefulset/deployment strategy type + ## Statefulset ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## Deployment ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + ## @param influxdb.priorityClassName InfluxDB™ pods' priorityClassName + ## + priorityClassName: "" + ## @param influxdb.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param 
influxdb.topologySpreadConstraints Topology Spread Constraints for pod assignment + ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## The value is evaluated as a template + ## + topologySpreadConstraints: [] + ## @param influxdb.podManagementPolicy podManagementPolicy to manage scaling operation of InfluxDB™ pods + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies + ## + podManagementPolicy: OrderedReady + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param influxdb.podSecurityContext.enabled Enabled InfluxDB™ pods' Security Context + ## @param influxdb.podSecurityContext.fsGroup Set InfluxDB™ pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param influxdb.containerSecurityContext.enabled Enabled InfluxDB™ containers' Security Context + ## @param influxdb.containerSecurityContext.runAsUser Set InfluxDB™ containers' Security Context runAsUser + ## @param influxdb.containerSecurityContext.runAsNonRoot Set Controller container's Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## InfluxDB™ pods' resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ ## @param influxdb.resources.limits The resources limits for the container + ## @param influxdb.resources.requests The requested resources for the container + ## + resources: + ## Example: + ## limits: + ## cpu: 100m + ## memory: 128Mi + limits: {} + ## Examples: + ## requests: + ## cpu: 100m + ## memory: 128Mi + requests: {} + ## @param influxdb.command Override default container command (useful when using custom images) + ## + command: [] + ## @param influxdb.args Override default container args (useful when using custom images) + ## + args: [] + ## @param influxdb.lifecycleHooks for the InfluxDB™ container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param influxdb.extraEnvVars Array containing extra env vars to configure InfluxDB™ + ## For example: + ## extraEnvVars: + ## - name: INFLUXDB_DATA_QUERY_LOG_ENABLED + ## value: "true" + ## + extraEnvVars: [] + ## @param influxdb.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for InfluxDB™ nodes + ## + extraEnvVarsCM: "" + ## @param influxdb.extraEnvVarsSecret Name of existing Secret containing extra env vars for InfluxDB™ nodes + ## + extraEnvVarsSecret: "" + ## @param influxdb.extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts + ## + extraVolumes: [] + ## @param influxdb.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. 
+ ## + extraVolumeMounts: [] + ## @param influxdb.containerPorts.http InfluxDB™ container HTTP port + ## @param influxdb.containerPorts.rpc InfluxDB™ container RPC port + ## + containerPorts: + http: 8086 + rpc: 8088 + + ## Configure extra options for InfluxDB™ containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## @param influxdb.startupProbe.enabled Enable startupProbe + ## @param influxdb.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param influxdb.startupProbe.periodSeconds Period seconds for startupProbe + ## @param influxdb.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param influxdb.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param influxdb.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 180 + periodSeconds: 45 + timeoutSeconds: 30 + successThreshold: 1 + failureThreshold: 6 + ## @param influxdb.livenessProbe.enabled Enable livenessProbe + ## @param influxdb.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param influxdb.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param influxdb.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param influxdb.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param influxdb.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 180 + periodSeconds: 45 + timeoutSeconds: 30 + successThreshold: 1 + failureThreshold: 6 + ## @param influxdb.readinessProbe.enabled Enable readinessProbe + ## @param influxdb.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param influxdb.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param 
influxdb.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param influxdb.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param influxdb.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 60 + periodSeconds: 45 + timeoutSeconds: 30 + successThreshold: 1 + failureThreshold: 6 + ## @param influxdb.customStartupProbe Override default startup probe + ## + customStartupProbe: {} + ## @param influxdb.customLivenessProbe Override default liveness probe + ## + customLivenessProbe: {} + ## @param influxdb.customReadinessProbe Override default readiness probe + ## + customReadinessProbe: {} + ## @param influxdb.sidecars Add additional sidecar containers to the InfluxDB™ pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param influxdb.initContainers Add additional init containers to the InfluxDB™ pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + + ## Service parameters + ## + service: + ## @param influxdb.service.type Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) + ## + type: ClusterIP + ## @param influxdb.service.ports.http InfluxDB™ HTTP port + ## @param influxdb.service.ports.rpc InfluxDB™ RPC port + ## + ports: + http: 8086 + rpc: 8088 + ## @param influxdb.service.nodePorts [object] Specify the nodePort(s) value for the LoadBalancer and NodePort service types. 
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + http: "" + rpc: "" + ## @param influxdb.service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param influxdb.service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + loadBalancerSourceRanges: [] + ## @param influxdb.service.clusterIP Static clusterIP or None for headless services + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param influxdb.service.externalTrafficPolicy InfluxDB™ service external traffic policy + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param influxdb.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param influxdb.service.annotations Annotations for InfluxDB™ service + ## + annotations: {} + ## @param influxdb.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param influxdb.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + sessionAffinityConfig: {} + + ## @section InfluxDB Relay™ parameters + + relay: + ## Bitnami 
InfluxDB Relay™ image + ## ref: https://hub.docker.com/r/bitnami/influxdb-relay/tags/ + ## @param relay.image.registry InfluxDB Relay™ image registry + ## @param relay.image.repository InfluxDB Relay™ image repository + ## @param relay.image.tag InfluxDB Relay™ image tag (immutable tags are recommended) + ## @param relay.image.pullPolicy InfluxDB Relay™ image pull policy + ## @param relay.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/influxdb-relay + tag: 0.20200717.0-scratch-r14 + ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param relay.configuration [string] InfluxDB Relay™ Configuration. Specify content for relay.toml + ## Alternatively, you can put your relay.toml under the files/conf/ directory + ## + configuration: |- + [[http]] + # Name of the HTTP server, used for display purposes only. + name = "relay-server" + + # TCP address to bind to, for HTTP server. + bind-addr = "0.0.0.0:9096" + + # Array of InfluxDB™ instances to use as backends for Relay. + output = [ + {{- $influxdbReplicaCount := int .Values.influxdb.replicaCount }} + {{- $influxdbFullname := include "common.names.fullname" . }} + {{- $influxdbHeadlessServiceName := printf "%s-headless" (include "common.names.fullname" .) 
}} + {{- $releaseName := .Release.Namespace }} + {{- $clusterDomain:= .Values.clusterDomain }} + {{- range $e, $i := until $influxdbReplicaCount }} + { name="{{ $influxdbFullname }}-{{ $i }}", location="http://{{ $influxdbFullname }}-{{ $i }}.{{ $influxdbHeadlessServiceName }}.{{ $releaseName }}.svc.{{ $clusterDomain }}:8086/write", timeout="10s"}, + {{- end }} + ] + ## @param relay.existingConfiguration Name of existing ConfigMap object with the InfluxDB Relay™ configuration (`relay.configuration` will be ignored) + ## NOTE: This will override relay.configuration + ## + existingConfiguration: "" + ## @param relay.replicaCount The number of InfluxDB Relay™ replicas to deploy + ## + replicaCount: 1 + ## @param relay.updateStrategy.type InfluxDB Relay™ deployment strategy type. + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## e.g: + ## updateStrategy: + ## type: RollingUpdate + ## rollingUpdate: + ## maxSurge: 25% + ## maxUnavailable: 25% + ## + updateStrategy: + type: RollingUpdate + ## @param relay.podAnnotations Annotations for InfluxDB Relay™ pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param relay.podLabels Extra labels for InfluxDB Relay™ pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param relay.hostAliases InfluxDB Relay™ pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param relay.podAffinityPreset InfluxDB Relay™ Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param relay.podAntiAffinityPreset InfluxDB Relay™ Pod anti-affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param relay.nodeAffinityPreset.type InfluxDB Relay™ Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + type: "" + ## @param relay.nodeAffinityPreset.key InfluxDB Relay™ Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param relay.nodeAffinityPreset.values InfluxDB Relay™ Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param relay.affinity InfluxDB Relay™ Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param relay.nodeSelector InfluxDB Relay™ Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param relay.tolerations InfluxDB Relay™ Tolerations for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param relay.priorityClassName InfluxDB Relay™ pods' priorityClassName + ## + priorityClassName: "" + ## @param relay.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param relay.topologySpreadConstraints Topology Spread Constraints for pod assignment + ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## The 
value is evaluated as a template + ## + topologySpreadConstraints: [] + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param relay.podSecurityContext.enabled Enabled InfluxDB Relay™ pods' Security Context + ## @param relay.podSecurityContext.fsGroup Set InfluxDB Relay™ pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param relay.containerSecurityContext.enabled Enabled InfluxDB Relay™ containers' Security Context + ## @param relay.containerSecurityContext.runAsUser Set InfluxDB Relay™ containers' Security Context runAsUser + ## @param relay.containerSecurityContext.runAsNonRoot Set Controller container's Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## InfluxDB Relay™ pods' resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ ## @param relay.resources.limits The resources limits for the container + ## @param relay.resources.requests The requested resources for the container + ## + resources: + ## Example: + ## limits: + ## cpu: 100m + ## memory: 128Mi + limits: {} + ## Examples: + ## requests: + ## cpu: 100m + ## memory: 128Mi + requests: {} + ## @param relay.command Override default container command (useful when using custom images) + ## + command: [] + ## @param relay.args Override default container args (useful when using custom images) + ## + args: [] + ## @param relay.lifecycleHooks for the InfluxDB Relay™ container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param relay.extraEnvVars Array containing extra env vars to configure InfluxDB Relay™ + ## For example: + ## extraEnvVars: + ## - name: INFLUXDB_DATA_QUERY_LOG_ENABLED + ## value: "true" + ## + extraEnvVars: [] + ## @param relay.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for InfluxDB Relay™ nodes + ## + extraEnvVarsCM: "" + ## @param relay.extraEnvVarsSecret Name of existing Secret containing extra env vars for InfluxDB Relay™ nodes + ## + extraEnvVarsSecret: "" + ## @param relay.extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts + ## + extraVolumes: [] + ## @param relay.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. 
+ ## + extraVolumeMounts: [] + + ## Configure extra options for InfluxDB Relay™ containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## @param relay.startupProbe.enabled Enable startupProbe + ## @param relay.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param relay.startupProbe.periodSeconds Period seconds for startupProbe + ## @param relay.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param relay.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param relay.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + ## @param relay.livenessProbe.enabled Enable livenessProbe + ## @param relay.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param relay.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param relay.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param relay.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param relay.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + ## @param relay.readinessProbe.enabled Enable readinessProbe + ## @param relay.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param relay.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param relay.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param relay.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param relay.readinessProbe.successThreshold Success threshold for readinessProbe + 
## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + ## @param relay.customStartupProbe Override default startup probe + ## + customStartupProbe: {} + ## @param relay.customLivenessProbe Override default liveness probe + ## + customLivenessProbe: {} + ## @param relay.customReadinessProbe Override default readiness probe + ## + customReadinessProbe: {} + ## @param relay.containerPorts [object] Container ports + ## + containerPorts: + http: 9096 + ## @param relay.sidecars Add additional sidecar containers to the InfluxDB Relay™ pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param relay.initContainers Add additional init containers to the InfluxDB Relay™ pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + ## Service parameters + ## + service: + ## @param relay.service.type Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) + ## + type: ClusterIP + ## @param relay.service.ports.http InfluxDB Relay™ HTTP port + ## + ports: + http: 9096 + ## @param relay.service.nodePorts.http Kubernetes HTTP node port + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + http: "" + ## @param relay.service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param relay.service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer + ## 
https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + loadBalancerSourceRanges: [] + ## @param relay.service.clusterIP Static clusterIP or None for headless services + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param relay.service.annotations Annotations for InfluxDB Relay™ service + ## + annotations: {} + ## @param relay.service.externalTrafficPolicy InfluxDB Relay™ service external traffic policy + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param relay.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param relay.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same mongos Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param relay.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + + ## @section InfluxDB Collectd™ parameters + + collectd: + ## @param collectd.enabled InfluxDB Collectd™ service enable + ## + enabled: false + service: + ## @param collectd.service.type Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) + ## + type: ClusterIP + ## @param collectd.service.port InfluxDB Collectd™ UDP port (should match with corresponding port in influxdb.conf) + ## This requires corresponding configuration in influxdb.conf to enable + ## collectd block + ## + port: 25826 + ## 
@param collectd.service.nodePort Kubernetes HTTP node port + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePort: "" + ## @param collectd.service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param collectd.service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + loadBalancerSourceRanges: [] + ## @param collectd.service.clusterIP Static clusterIP or None for headless services + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param collectd.service.externalTrafficPolicy InfluxDB Collectd™ service external traffic policy + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param collectd.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param collectd.service.annotations Annotations for InfluxDB Collectd™ service + ## metallb.universe.tf/allow-shared-ip: "true" + ## + annotations: {} + ## @param collectd.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same mongos Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param collectd.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## 
timeoutSeconds: 300
+ ##
+ sessionAffinityConfig: {}
+
+ ## @section Exposing parameters
+
+ ## Configure the ingress resource that allows you to access the
+ ## influxdb installation. Set up the URL
+ ## ref: https://kubernetes.io/docs/user-guide/ingress/
+ ##
+ ingress:
+ ## @param ingress.enabled Enable ingress controller resource
+ ##
+ enabled: true
+ ## @param ingress.tls Create TLS Secret
+ ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
+ ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it
+ ##
+ tls: true
+ ## DEPRECATED: Use ingress.annotations instead of ingress.certManager
+ ## certManager: false
+ ##
+
+ ## @param ingress.pathType Ingress path type
+ ##
+ pathType: ImplementationSpecific
+ ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
+ ##
+ apiVersion: ""
+ ## @param ingress.hostname Default host for the ingress resource
+ ##
+ hostname: influxdb.jupiter.mein.nl
+ ## @param ingress.path Ingress path*' in order to use this
+ ## with ALB ingress controllers.
+ ##
+ path: /
+ ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
+ ## For a full list of possible ingress annotations, please see
+ ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
+ ## Use this parameter to set the required annotations for cert-manager, see
+ ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+ ##
+ ## e.g:
+ ## annotations:
+ ## kubernetes.io/ingress.class: nginx
+ ## cert-manager.io/cluster-issuer: cluster-issuer-name
+ ##
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+
+ ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
+ ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
+ ## extraHosts:
+ ## - name: influxdb.local
+ ## path: /
+ ##
+ extraHosts: []
+ ## @param ingress.extraPaths Additional arbitrary path/backend objects
+ ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
+ ## extraPaths:
+ ## - path: /*
+ ## backend:
+ ## serviceName: ssl-redirect
+ ## servicePort: use-annotation
+ ##
+ extraPaths: []
+ ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
+ ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+ ## extraTls:
+ ## - hosts:
+ ## - influxdb.local
+ ## secretName: influxdb.local-tls
+ ##
+ extraTls: []
+ ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
+ ## key and certificate should start with -----BEGIN CERTIFICATE----- or
+ ## -----BEGIN RSA PRIVATE KEY-----
+ ##
+ ## name should line up with a tlsSecret set further up
+ ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
+ ##
+ ## It is also possible to create and manage the certificates outside of this helm chart
+ ## Please see README.md for more information
+ ## - name: influxdb.local-tls
+ ## key:
+ ## certificate:
+ ##
+ secrets: []
+ ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
+ ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
+ ##
+ ingressClassName: "nginx"
+
+ ## @section Metrics parameters
+
+ ## Prometheus metrics
+ ## ref: https://docs.influxdata.com/influxdb/v1.7/administration/server_monitoring/#influxdb-metrics-http-endpoint
+ ##
+ metrics:
+ ## @param metrics.enabled Enable the export of Prometheus metrics
+ ##
+ enabled: false
+ service:
+ ## @param metrics.service.type Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`)
+ ##
+ type: ClusterIP
+ ## @param metrics.service.port InfluxDB™ Prometheus port
+ ##
+ port: 9122
+ ## @param metrics.service.nodePort Kubernetes HTTP node port
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ nodePort: ""
+ ## @param metrics.service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer`
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ loadBalancerIP: ""
+ ## @param metrics.service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer
+ ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ##
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ loadBalancerSourceRanges: []
+ ## @param metrics.service.clusterIP Static clusterIP or None for headless services
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
+ ## e.g:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param metrics.service.annotations [object] Annotations for the Prometheus metrics service
+ ##
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "{{ .Values.metrics.service.port }}"
+ prometheus.io/path: "/metrics"
+ ## @param metrics.service.externalTrafficPolicy Service external traffic policy
+ ## ref
http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param metrics.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+ ## @param metrics.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
+ ## If "ClientIP", consecutive client requests will be directed to the same mongos Pod
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+ ##
+ sessionAffinity: None
+ ## @param metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ ##
+ sessionAffinityConfig: {}
+
+ ## Prometheus Operator ServiceMonitor configuration
+ ##
+ serviceMonitor:
+ ## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
+ ##
+ enabled: false
+ ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
+ ## e.g:
+ ## namespace: monitoring
+ ##
+ namespace: ""
+ ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ## e.g:
+ ## interval: 10s
+ ##
+ interval: ""
+ ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ## e.g:
+ ## scrapeTimeout: 10s
+ ##
+ scrapeTimeout: ""
+ ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
+ ##
+ relabelings: []
+ ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
+ ##
+ metricRelabelings: []
+ ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
+ ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration
+ ## e.g:
+ ## selector:
+ ## prometheus: my-prometheus
+ ##
+ selector: {}
+ ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
+ ##
+ honorLabels: false
+ ## NetworkPolicy parameters
+ ##
+ networkPolicy:
+ ## @param networkPolicy.enabled Enable NetworkPolicy
+ ##
+ enabled: false
+ ## @param networkPolicy.allowExternal Don't require client label for connections
+ ## client labels will have network access to the ports InfluxDB™ is listening
+ ## on. When true, InfluxDB™ will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## Persistence parameters
+ ##
+ persistence:
+ ## @param persistence.enabled Enable data persistence
+ ##
+ enabled: true
+ ## @param persistence.existingClaim Use a existing PVC which must be created manually before bound
+ ## If defined, PVC must be created manually before volume will be bound
+ ## The value is evaluated as a template
+ ##
+ existingClaim: ""
+ ## @param persistence.storageClass Specify the `storageClass` used to provision the volume
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner.
+ ##
+ storageClass: "longhorn"
+ ## @param persistence.accessModes Access mode of data volume
+ ##
+ accessModes:
+ - ReadWriteOnce
+ ## @param persistence.size Size of data volume
+ ##
+ size: 8Gi
+ ## @param persistence.annotations Persistent Volume Claim annotations
+ ##
+ annotations: {}
+
+ ## Pod Service Account
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+ ##
+ serviceAccount:
+ ## @param serviceAccount.enabled Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set)
+ ##
+ enabled: false
+ ## @param serviceAccount.name Name of an already existing service account. Setting this value disables the automatic service account creation
+ ##
+ name: ""
+
+ ## Pod Security Policy
+ ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+ ## @param psp.create Whether to create a PodSecurityPolicy.
WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later + ## + psp: + create: false + + ## Role Based Access + ## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ + ## @param rbac.create Create Role and RoleBinding (required for PSP to work) + ## + rbac: + create: false + + ## @section Volume permissions parameters + + ## Init Container parameters + ## Change the owner and group of the persistent volume mountpoint to 'runAsUser:fsGroup' + ## values from the securityContext section. + ## + volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume mountpoint to `runAsUser:fsGroup` + ## + enabled: false + ## @param volumePermissions.image.registry Init container volume-permissions image registry + ## @param volumePermissions.image.repository Init container volume-permissions image name + ## @param volumePermissions.image.tag Init container volume-permissions image tag + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array + ## image: - tag: 2.1.1-debian-10-r48 - architecture: standalone - auth: - existingSecret: influxdb-secret - persistence: - enabled: true - storageClass: longhorn - size: 8Gi \ No newline at end of file + registry: docker.io + repository: bitnami/bitnami-shell + tag: 10-debian-10-r313 + ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container Security Context + ## Note: the chown of the data folder is done to securityContext.runAsUser + ## and not the below volumePermissions.securityContext.runAsUser + ## When runAsUser is set to special value "auto", init container will try to chwon the + ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed). + ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with + ## pod securityContext.enabled=false and shmVolume.chmod.enabled=false + ## @param volumePermissions.securityContext.runAsUser User ID for the init container (when facing issues in OpenShift or uid unknown, try value "auto") + ## + securityContext: + runAsUser: 0 + + ## @section InfluxDB™ backup parameters + + backup: + ## @param backup.enabled Enable InfluxDB™ backup + ## + enabled: false + ## @param backup.directory Directory where backups are stored + ## + directory: "/backups" + ## @param backup.retentionDays Retention time in days for backups (older backups are deleted) + ## + retentionDays: 10 + ## Cronjob configuration + ## This cronjob is used to create InfluxDB™ backups + ## + cronjob: + ## @param backup.cronjob.schedule Schedule in Cron format to save snapshots + ## See https://en.wikipedia.org/wiki/Cron + ## + schedule: "0 2 * * *" + ## @param backup.cronjob.historyLimit Number of successful finished jobs to retain + ## + historyLimit: 1 + ## @param backup.cronjob.podAnnotations Pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## K8s Security Context for Backup Cronjob pods + ## 
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param backup.cronjob.securityContext.enabled Enable security context for InfluxDB™ + ## @param backup.cronjob.securityContext.fsGroup Group ID for the InfluxDB™ filesystem + ## @param backup.cronjob.securityContext.runAsUser Group ID for the InfluxDB™ filesystem + ## + securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 + ## @param backup.podAffinityPreset Backup ™ Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param backup.podAntiAffinityPreset Backup™ Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param backup.nodeAffinityPreset.type Backup™ Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + type: "" + ## @param backup.nodeAffinityPreset.key Backup™ Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param backup.nodeAffinityPreset.values Backup™ Node label values to match. Ignored if `affinity` is set. + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param backup.affinity Backup™ Affinity for backup pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param backup.nodeSelector Backup™ Node labels for backup pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param backup.tolerations Backup™ Tolerations for backup pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## Storage providers where to upload backups + ## + uploadProviders: + ## Google Storage Bucket configuration + ## @param backup.uploadProviders.google.enabled enable upload to google storage bucket + ## @param backup.uploadProviders.google.secret json secret with serviceaccount data to access Google storage bucket + ## @param backup.uploadProviders.google.secretKey service account secret key name + ## @param backup.uploadProviders.google.existingSecret Name of existing secret object with Google serviceaccount json credentials + ## @param backup.uploadProviders.google.bucketName google storage bucket name name + ## + google: + enabled: false + secret: "" + secretKey: "key.json" + existingSecret: "" + bucketName: "gs://bucket/influxdb" + ## Bitnami Google Cloud SDK image + ## ref: https://hub.docker.com/r/bitnami/google-cloud-sdk/tags/ + ## @param backup.uploadProviders.google.image.registry Google Cloud SDK image registry + ## @param backup.uploadProviders.google.image.repository Google Cloud SDK image name + ## @param backup.uploadProviders.google.image.tag Google Cloud SDK image tag + ## @param backup.uploadProviders.google.image.pullPolicy Google Cloud SDK image pull policy + ## @param backup.uploadProviders.google.image.pullSecrets Specify docker-registry secret 
names as an array + ## + image: + registry: docker.io + repository: bitnami/google-cloud-sdk + tag: 0.369.0-debian-10-r0 + ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Azure Storage Container configuration + ## + azure: + ## @param backup.uploadProviders.azure.enabled Enable upload to azure storage container + ## @param backup.uploadProviders.azure.secret Secret with credentials to access Azure storage + ## @param backup.uploadProviders.azure.secretKey Service account secret key name + ## @param backup.uploadProviders.azure.existingSecret Name of existing secret object + ## @param backup.uploadProviders.azure.containerName Destination container + enabled: false + secret: "" + secretKey: "connection-string" + existingSecret: "" + containerName: "influxdb-container" + ## Bitnami Azure CLI image + ## ref: https://hub.docker.com/r/bitnami/azure-cli/tags/ + ## @param backup.uploadProviders.azure.image.registry Azure CLI image registry + ## @param backup.uploadProviders.azure.image.repository Azure CLI image repository + ## @param backup.uploadProviders.azure.image.tag Azure CLI image tag (immutable tags are recommended) + ## @param backup.uploadProviders.azure.image.pullPolicy Azure CLI image pull policy + ## @param backup.uploadProviders.azure.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/azure-cli + tag: 2.32.0-debian-10-r14 + ## Specify a imagePullPolicy. 
Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + aws: + ## @param backup.uploadProviders.aws.enabled Enable upload to aws s3 bucket + ## @param backup.uploadProviders.aws.accessKeyID Access Key ID to access aws s3 + ## @param backup.uploadProviders.aws.secretAccessKey Secret Access Key to access aws s3 + ## @param backup.uploadProviders.aws.region Region of aws s3 bucket + ## @param backup.uploadProviders.aws.existingSecret Name of existing secret object + ## @param backup.uploadProviders.aws.bucketName aws s3 bucket name + enabled: false + accessKeyID: "" + secretAccessKey: "" + region: "us-east-1" + existingSecret: "" + bucketName: "s3://bucket/influxdb" + ## Bitnami AWS CLI image + ## ref: https://hub.docker.com/r/bitnami/aws-cli/tags + ## @param backup.uploadProviders.aws.image.registry AWS CLI image registry + ## @param backup.uploadProviders.aws.image.repository AWS CLI image repository + ## @param backup.uploadProviders.aws.image.tag AWS CLI image tag (immutable tags are recommended) + ## @param backup.uploadProviders.aws.image.pullPolicy AWS CLI image pull policy + ## @param backup.uploadProviders.aws.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/aws-cli + tag: 2.4.7-debian-10-r4 + ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. 
+ ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] \ No newline at end of file From a41589d5865ff76c5f30fa606663e5d071cf4480 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 13 Feb 2022 10:36:12 +0100 Subject: [PATCH 103/334] config: upgrade influxdb chart --- home/influxdb/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/influxdb/Chart.yaml b/home/influxdb/Chart.yaml index cebd423a2e..9d0cf8ca0e 100644 --- a/home/influxdb/Chart.yaml +++ b/home/influxdb/Chart.yaml @@ -3,5 +3,5 @@ name: influxdb version: 0.0.0 dependencies: - name: influxdb - version: 2.5.3 + version: 3.0.2 repository: https://charts.bitnami.com/bitnami \ No newline at end of file From d595a26300ee05b653beb2adc1a594d0fcca3fb2 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 15 Feb 2022 09:31:32 +0100 Subject: [PATCH 104/334] feat: added seperate mariadb istance --- home/mariadb-galera/Chart.yaml | 7 + home/mariadb-galera/values.yaml | 912 ++++++++++++++++++++++++++++++++ 2 files changed, 919 insertions(+) create mode 100644 home/mariadb-galera/Chart.yaml create mode 100644 home/mariadb-galera/values.yaml diff --git a/home/mariadb-galera/Chart.yaml b/home/mariadb-galera/Chart.yaml new file mode 100644 index 0000000000..93449ce556 --- /dev/null +++ b/home/mariadb-galera/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: mariadb-galera +version: 0.0.0 +dependencies: + - name: mariadb-galera + version: 11.0.3 + repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/mariadb-galera/values.yaml b/home/mariadb-galera/values.yaml new file mode 100644 index 0000000000..b7bf2cc08b --- /dev/null +++ b/home/mariadb-galera/values.yaml 
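Review bot: The new `home/mariadb-galera/Chart.yaml` pins the `mariadb-galera` dependency to `11.0.3` from `https://charts.bitnami.com/bitnami`, but the commit's diffstat lists only `Chart.yaml` and `values.yaml`, so no `Chart.lock` is committed and the subchart's digest is never recorded or verified; every `helm dependency update` re-resolves against the remote index, which is the supply-chain gap here. Run `helm dependency update home/mariadb-galera` and commit the generated `Chart.lock` next to `Chart.yaml` so the resolved digest is reviewed with the version. The same pattern appears to apply to the `home/influxdb/Chart.yaml` bump (2.5.3 to 3.0.2) in the preceding commit, whose diffstat also shows only `Chart.yaml`, though that file's lock state is not visible here. Minor: the file ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the file is new.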
@@ -0,0 +1,912 @@ +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.storageClass Global StorageClass for Persistent Volume(s) +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" + +## @section Common parameters + +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param nameOverride String to partially override common.names.fullname template with a string (will prepend the release name) +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname template with a string +## +fullnameOverride: "" +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param schedulerName Name of the Kubernetes scheduler (other than default) +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param clusterDomain Kubernetes DNS Domain name to use +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) +## +extraDeploy: [] + +## Diagnostic mode in the deployment +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command [array] Command to override all containers in the deployment + ## + 
command: + - sleep + ## @param diagnosticMode.args [array] Args to override all containers in the deployment + ## + args: + - infinity + +## @section MariaDB Galera parameters + +## Bitnami MariaDB Galera image +## ref: https://hub.docker.com/r/bitnami/mariadb-galera/tags/ +## @param image.registry MariaDB Galera image registry +## @param image.repository MariaDB Galera image repository +## @param image.tag MariaDB Galera image tag (immutable tags are recommended) +## @param image.pullPolicy MariaDB Galera image pull policy +## @param image.pullSecrets Specify docker-registry secret names as an array +## @param image.debug Specify if debug logs should be enabled +## +image: + registry: docker.io + repository: bitnami/mariadb-galera + tag: 10.6.5-debian-10-r66 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false +## @param podManagementPolicy StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. 
There are two valid pod management policies: OrderedReady and Parallel +## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy +## +podManagementPolicy: OrderedReady +## @param hostAliases Add deployment host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] +## MariaDB Gallera K8s svc properties +## +service: + ## @param service.type Kubernetes service type + ## + type: ClusterIP + ## @param service.clusterIP Specific cluster IP when service type is cluster IP. Use `None` for headless service + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.ports.mysql MariaDB service port + ## + ports: + mysql: 3306 + ## @param service.nodePorts.mysql Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## e.g: + ## nodePort: + ## mysql: 30001 + ## + nodePorts: + mysql: "" + ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param service.externalIPs External IP list to use with ClusterIP service type + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips + ## + externalIPs: [] + ## @param service.loadBalancerIP `loadBalancerIP` if service type is `LoadBalancer` + ## Set the LoadBalancer service type to internal only + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param service.loadBalancerSourceRanges Addresses that are allowed when svc is `LoadBalancer` + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param service.annotations Additional 
annotations for MariaDB Galera service + ## This can be used toset the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + ## Headless service properties + ## + headless: + ## @param service.headless.annotations Annotations for the headless service. + ## Useful for setting `service.alpha.kubernetes.io/tolerate-unready-endpoints="true"` when using peer-finder. + ## + annotations: {} + ## @param service.headless.publishNotReadyAddresses Publish not Ready MariaDB Galera pods' IPs in the headless service. + ## Required for peer discovery during cluster bootstrap (1st chart installation), optional afterwards. + ## + publishNotReadyAddresses: true +## Pods Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## @param serviceAccount.create Specify whether a ServiceAccount should be created +## @param serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template. +## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account +## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. 
+## +serviceAccount: + create: false + name: "" + automountServiceAccountToken: false + annotations: {} +## @param command Override default container command (useful when using custom images) +## +command: [] +## @param args Override default container args (useful when using custom images) +## +args: [] +## @param extraEnvVars Array containing extra env vars to configure MariaDB Galera replicas +## For example: +## extraEnvVars: +## - name: TZ +## value: "Europe/Paris" +## +extraEnvVars: [] +## @param extraEnvVarsCM ConfigMap containing extra env vars to configure MariaDB Galera replicas +## +extraEnvVarsCM: "" +## @param extraEnvVarsSecret Secret containing extra env vars to configure MariaDB Galera replicas +## +extraEnvVarsSecret: "" +## Role Based Access +## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ +## +rbac: + ## @param rbac.create Specify whether RBAC resources should be created and used + ## + create: false +## Pod Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## @param podSecurityContext.enabled Enable security context +## @param podSecurityContext.fsGroup Group ID for the container filesystem +## @param podSecurityContext.runAsUser User ID for the container +## +podSecurityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 +## Configure Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param containerSecurityContext.enabled Enabled galera's container Security Context +## @param containerSecurityContext.runAsUser Set galera's container Security Context runAsUser +## @param containerSecurityContext.runAsNonRoot Set galera's container Security Context runAsNonRoot +containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true +## Database credentials for root (admin) user +## +rootUser: + ## @param rootUser.user Username for the admin user. 
+ ## + user: root + ## @param rootUser.password Password for the admin user. Ignored if existing secret is provided. + ## Password is ignored if existingSecret is specified. + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#setting-the-root-password-on-first-run + ## + password: "" + ## @param rootUser.forcePassword Option to force users to specify a password. That is required for 'helm upgrade' to work properly. + ## If it is not force, a random password will be generated. + ## + forcePassword: false +## @param existingSecret Use existing secret for password details (`rootUser.password`, `db.password`, `galera.mariabackup.password` will be ignored and picked up from this secret) +## The secret has to contain the keys mariadb-root-password, mariadb-galera-mariabackup-password and mariadb-password. +## +existingSecret: "mariadb-secret" +## @param usePasswordFiles Mount credentials as a files instead of using an environment variable. +## +usePasswordFiles: false +## @param customPasswordFiles Use custom password files when `usePasswordFiles` is set to `true`. Define path for keys `root`, `user`, and `mariabackup`. +## Example: +## customPasswordFiles: +## root: /vault/secrets/mariadb-root +## user: /vault/secrets/mariadb-user +## mariabackup: /vault/secrets/mariadb-galera-mariabackup +## +customPasswordFiles: {} +## Custom db configuration +## +db: + ## @param db.user Username of new user to create + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-user-on-first-run + ## + user: "" + ## @param db.password Password for the new user. Ignored if existing secret is provided. + ## + password: "" + ## @param db.name Name for new database to create + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-on-first-run + ## + name: my_database + ## @param db.forcePassword Option to force users to specify a password. That is required for 'helm upgrade' to work properly. 
+ ## If it is not force, a random password will be generated. + ## + forcePassword: false +## Galera configuration +## +galera: + ## @param galera.name Galera cluster name + ## + name: galera + ## Bootstraping options + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#bootstraping + ## + bootstrap: + ## @param galera.bootstrap.forceBootstrap Option to force the boostraping from the indicated node in `galera.bootstarp.bootstrapFromNode` + ## + forceBootstrap: false + ## @param galera.bootstrap.bootstrapFromNode Node to bootstrap from, you will need to change this parameter in case you want to bootstrap from other node + ## + bootstrapFromNode: 0 + ## @param galera.bootstrap.forceSafeToBootstrap Force `safe_to_bootstrap: 1` in `grastate.date` file + ## This will set safe_to_bootstrap=1 in the node indicated by bootstrapFromNode. + ## + forceSafeToBootstrap: false + ## Credentials to perform backups + ## + mariabackup: + ## @param galera.mariabackup.user MariaBackup username + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#setting-up-a-multi-master-cluster + ## + user: mariabackup + ## @param galera.mariabackup.password MariaBackup password. Password is ignored if existingSecret is specified. + ## + password: "" + ## @param galera.mariabackup.forcePassword Option to force users to specify a password. That is required for 'helm upgrade' to work properly. + ## If it is not force, a random password will be generated. 
+ ## + forcePassword: false +## LDAP configuration +## @param ldap.enabled Enable LDAP support +## @param ldap.uri LDAP URL beginning in the form `ldap` +## @param ldap.base LDAP base DN +## @param ldap.binddn LDAP bind DN +## @param ldap.bindpw LDAP bind password +## @param ldap.bslookup LDAP base lookup +## @param ldap.filter LDAP custom filter +## @param ldap.map LDAP custom map +## @param ldap.nss_initgroups_ignoreusers LDAP ignored users +## @param ldap.scope LDAP search scope +## @param ldap.tls_reqcert LDAP TLS check on server certificates +## +ldap: + enabled: false + uri: "" + base: "" + binddn: "" + bindpw: "" + bslookup: "" + filter: "" + map: "" + nss_initgroups_ignoreusers: root,nslcd + scope: "" + tls_reqcert: "" +## TLS configuration +## +tls: + ## @param tls.enabled Enable TLS support for replication traffic + ## + enabled: false + ## @param tls.autoGenerated Generate automatically self-signed TLS certificates + ## + autoGenerated: false + ## @param tls.certificatesSecret Name of the secret that contains the certificates + ## + certificatesSecret: "" + ## @param tls.certFilename Certificate filename + ## + certFilename: "" + ## @param tls.certKeyFilename Certificate key filename + ## + certKeyFilename: "" + ## @param tls.certCAFilename CA Certificate filename + ## + certCAFilename: "" +## @param mariadbConfiguration [string] Configuration for the MariaDB server +## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file +## Alternatively, you can put your my.cnf under the files/ directory +## +mariadbConfiguration: |- + [client] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + plugin_dir=/opt/bitnami/mariadb/plugin + + [mysqld] + default_storage_engine=InnoDB + basedir=/opt/bitnami/mariadb + datadir=/bitnami/mariadb/data + plugin_dir=/opt/bitnami/mariadb/plugin + tmpdir=/opt/bitnami/mariadb/tmp + socket=/opt/bitnami/mariadb/tmp/mysql.sock + pid_file=/opt/bitnami/mariadb/tmp/mysqld.pid + 
bind_address=0.0.0.0 + + ## Character set + ## + collation_server=utf8_unicode_ci + init_connect='SET NAMES utf8' + character_set_server=utf8 + + ## MyISAM + ## + key_buffer_size=32M + myisam_recover_options=FORCE,BACKUP + + ## Safety + ## + skip_host_cache + skip_name_resolve + max_allowed_packet=16M + max_connect_errors=1000000 + sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY + sysdate_is_now=1 + + ## Binary Logging + ## + log_bin=mysql-bin + expire_logs_days=14 + # Disabling for performance per http://severalnines.com/blog/9-tips-going-production-galera-cluster-mysql + sync_binlog=0 + # Required for Galera + binlog_format=row + + ## Caches and Limits + ## + tmp_table_size=32M + max_heap_table_size=32M + # Re-enabling as now works with Maria 10.1.2 + query_cache_type=1 + query_cache_limit=4M + query_cache_size=256M + max_connections=500 + thread_cache_size=50 + open_files_limit=65535 + table_definition_cache=4096 + table_open_cache=4096 + + ## InnoDB + ## + innodb=FORCE + innodb_strict_mode=1 + # Mandatory per https://github.com/codership/documentation/issues/25 + innodb_autoinc_lock_mode=2 + # Per https://www.percona.com/blog/2006/08/04/innodb-double-write/ + innodb_doublewrite=1 + innodb_flush_method=O_DIRECT + innodb_log_files_in_group=2 + innodb_log_file_size=128M + innodb_flush_log_at_trx_commit=1 + innodb_file_per_table=1 + # 80% Memory is default reco. 
+ # Need to re-evaluate when DB size grows + innodb_buffer_pool_size=2G + innodb_file_format=Barracuda + + ## Logging + ## + log_error=/opt/bitnami/mariadb/logs/mysqld.log + slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log + log_queries_not_using_indexes=1 + slow_query_log=1 + + ## SSL + ## Use extraVolumes and extraVolumeMounts to mount /certs filesystem + # ssl_ca=/certs/ca.pem + # ssl_cert=/certs/server-cert.pem + # ssl_key=/certs/server-key.pem + + [galera] + wsrep_on=ON + wsrep_provider=/opt/bitnami/mariadb/lib/libgalera_smm.so + wsrep_sst_method=mariabackup + wsrep_slave_threads=4 + wsrep_cluster_address=gcomm:// + wsrep_cluster_name=galera + wsrep_sst_auth="root:" + # Enabled for performance per https://mariadb.com/kb/en/innodb-system-variables/#innodb_flush_log_at_trx_commit + innodb_flush_log_at_trx_commit=2 + # MYISAM REPLICATION SUPPORT # + wsrep_replicate_myisam=ON + + [mariadb] + plugin_load_add=auth_pam + + ## Data-at-Rest Encryption + ## Use extraVolumes and extraVolumeMounts to mount /encryption filesystem + # plugin_load_add=file_key_management + # file_key_management_filename=/encryption/keyfile.enc + # file_key_management_filekey=FILE:/encryption/keyfile.key + # file_key_management_encryption_algorithm=AES_CTR + # encrypt_binlog=ON + # encrypt_tmp_files=ON + + ## InnoDB/XtraDB Encryption + # innodb_encrypt_tables=ON + # innodb_encrypt_temporary_tables=ON + # innodb_encrypt_log=ON + # innodb_encryption_threads=4 + # innodb_encryption_rotate_key_age=1 + + ## Aria Encryption + # aria_encrypt_tables=ON + # encrypt_tmp_disk_tables=ON +## @param configurationConfigMap ConfigMap with the MariaDB configuration files (Note: Overrides `mariadbConfiguration`). The value is evaluated as a template. 
+## +configurationConfigMap: "" +## initdb scripts +## @param initdbScripts Specify dictionary of scripts to be run at first boot +## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory +## e.g: +## initdbScripts: +## my_init_script.sh: | +## #!/bin/sh +## echo "Do something." +## +initdbScripts: {} +## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) +## +initdbScriptsConfigMap: "" +## @param extraFlags MariaDB additional command line flags +## Can be used to specify command line flags, for example: +## e.g: +## extraFlags: "--max-connect-errors=1000 --max_connections=155" +## +extraFlags: "" +## @param replicaCount Desired number of cluster nodes +## +replicaCount: 3 +## @param updateStrategy.type updateStrategy for MariaDB Master StatefulSet +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +## +updateStrategy: + type: RollingUpdate +## @param podLabels Extra labels for MariaDB Galera pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @param podAnnotations Annotations for MariaDB Galera pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAntiAffinityPreset: soft +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## +nodeAffinityPreset: + ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] +## @param affinity Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} +## @param nodeSelector Node labels for pod assignment +## ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} +## @param tolerations Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param topologySpreadConstraints Topology Spread Constraints for pods assignment +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## E.g. 
+## topologySpreadConstraints: +## - maxSkew: 1 +## topologyKey: topology.kubernetes.io/zone +## whenUnsatisfiable: DoNotSchedule +## +topologySpreadConstraints: {} +## @param lifecycleHooks for the galera container(s) to automate configuration before or after startup +## +lifecycleHooks: {} +## Enable persistence using Persistent Volume Claims +## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ +## +## Galera container port +## @param containerPorts.mysql mariadb database container port +## @param containerPorts.galera galera cluster container port +## @param containerPorts.ist galera IST container port +## @param containerPorts.sst galera SST container port +## +containerPorts: + mysql: 3306 + # Note: Container image is not aware of changes in the following container's ports + galera: 4567 + ist: 4568 + sst: 4444 + +persistence: + ## @param persistence.enabled Enable persistence using PVC + ## + enabled: true + ## @param persistence.existingClaim Provide an existing `PersistentVolumeClaim` + ## + existingClaim: "" + ## @param persistence.subPath Subdirectory of the volume to mount + ## + subPath: "" + ## @param persistence.mountPath Path to mount the volume at + ## + mountPath: /bitnami/mariadb + ## @param persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param persistence.storageClass Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
(gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "longhorn" + ## @param persistence.annotations Persistent Volume Claim annotations + ## + annotations: {} + ## @param persistence.accessModes Persistent Volume Access Modes + ## + accessModes: + - ReadWriteOnce + ## @param persistence.size Persistent Volume Size + ## + size: 8Gi +## @param priorityClassName Priority Class Name for Statefulset +## +priorityClassName: "" +## @param initContainers Additional init containers (this value is evaluated as a template) +## extraInitContainers: +## - name: do-something +## image: bitnami/minideb +## command: ['do', 'something'] +## +initContainers: [] +## @param extraContainers Additional containers (this value is evaluated as a template) +## +extraContainers: [] +## extraVolumes and extraVolumeMounts allows you to mount other volumes +## @param extraVolumes Extra volumes +## @param extraVolumeMounts Mount extra volume(s) +## Example Use Cases: +## mount certificates to enable data-in-transit encryption +## mount keys for data-at-rest encryption using file plugin +## e.g: +## extraVolumes: +## - name: mariadb-certs +## secret: +## defaultMode: 288 +## secretName: mariadb-certs +## - name: mariadb-encryption +## secret: +## defaultMode: 288 +## secretName: mariadb-encryption +## +extraVolumes: [] +## extraVolumeMounts: +## - name: mariadb-certs +## mountPath: /certs +## readOnly: true +## - name: mariadb-encryption +## mountPath: /encryption +## readOnly: true +## +extraVolumeMounts: [] +## MariaDB Galera containers' resource requests and limits +## We usually recommend not to specify default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+## @param resources.limits The resources limits for the container +## @param resources.requests The requested resources for the container +## +resources: + ## Example: + ## limits: + ## cpu: 0.5 + ## memory: 256Mi + limits: {} + ## Examples: + ## requests: + ## cpu: 0.5 + ## memory: 256Mi + requests: {} +## MariaDB Galera containers' liveness probe +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## @param livenessProbe.enabled Turn on and off liveness probe +## @param livenessProbe.initialDelaySeconds Delay before liveness probe is initiated +## @param livenessProbe.periodSeconds How often to perform the probe +## @param livenessProbe.timeoutSeconds When the probe times out +## @param livenessProbe.failureThreshold Minimum consecutive failures for the probe +## @param livenessProbe.successThreshold Minimum consecutive successes for the probe +## +livenessProbe: + enabled: true + ## Initializing the database could take some time + ## + initialDelaySeconds: 120 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 +## MariaDB Galera containers' readiness probe +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## @param readinessProbe.enabled Turn on and off readiness probe +## @param readinessProbe.initialDelaySeconds Delay before readiness probe is initiated +## @param readinessProbe.periodSeconds How often to perform the probe +## @param readinessProbe.timeoutSeconds When the probe times out +## @param readinessProbe.failureThreshold Minimum consecutive failures for the probe +## @param readinessProbe.successThreshold Minimum consecutive successes for the probe +## +readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 +## MariaDB Galera containers' startup probe +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## 
@param startupProbe.enabled Turn on and off startup probe +## @param startupProbe.initialDelaySeconds Delay before startup probe is initiated +## @param startupProbe.periodSeconds How often to perform the probe +## @param startupProbe.timeoutSeconds When the probe times out +## @param startupProbe.failureThreshold Minimum consecutive failures for the probe +## @param startupProbe.successThreshold Minimum consecutive successes for the probe +## +startupProbe: + enabled: false + ## Initializing the database could take some time + ## + initialDelaySeconds: 120 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + ## Let's wait 600 seconds by default, it should give enough time in any cluster for mysql to init + ## + failureThreshold: 48 +## @param customStartupProbe Custom liveness probe for the Web component +## +customStartupProbe: {} +## @param customLivenessProbe Custom liveness probe for the Web component +## +customLivenessProbe: {} +## @param customReadinessProbe Custom rediness probe for the Web component +## +customReadinessProbe: {} +## Pod disruption budget configuration +## +podDisruptionBudget: + ## @param podDisruptionBudget.create Specifies whether a Pod disruption budget should be created + ## + create: false + ## @param podDisruptionBudget.minAvailable Minimum number / percentage of pods that should remain scheduled + ## + minAvailable: 1 + ## @param podDisruptionBudget.maxUnavailable Maximum number / percentage of pods that may be made unavailable + ## + maxUnavailable: "" +## Prometheus exporter configuration +## +metrics: + ## @param metrics.enabled Start a side-car prometheus exporter + ## + enabled: false + ## Bitnami MySQL Prometheus exporter image + ## ref: https://hub.docker.com/r/bitnami/mysqld-exporter/tags/ + ## @param metrics.image.registry MariaDB Prometheus exporter image registry + ## @param metrics.image.repository MariaDB Prometheus exporter image repository + ## @param metrics.image.tag MariaDB Prometheus exporter image tag 
(immutable tags are recommended) + ## @param metrics.image.pullPolicy MariaDB Prometheus exporter image pull policy + ## @param metrics.image.pullSecrets MariaDB Prometheus exporter image pull secrets + ## + image: + registry: docker.io + repository: bitnami/mysqld-exporter + tag: 0.13.0-debian-10-r236 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.extraFlags MariaDB Prometheus exporter additional command line flags + ## Can be used to specify command line flags + ## E.g.: + ## extraFlags: + ## - --collect.binlog_size + ## + extraFlags: [] + ## MySQL Prometheus exporter containers' resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ ## @param metrics.resources.limits The resources limits for the container + ## @param metrics.resources.requests The requested resources for the container + ## + resources: + ## Example: + ## limits: + ## cpu: 0.5 + ## memory: 256Mi + limits: {} + ## Examples: + ## requests: + ## cpu: 0.5 + ## memory: 256Mi + requests: {} + ## MySQL Prometheus exporter service parameters + ## @param metrics.service.type Prometheus exporter service type + ## @param metrics.service.port Prometheus exporter service port + ## @param metrics.service.annotations [object] Prometheus exporter service annotations + ## + service: + type: ClusterIP + port: 9104 + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9104" + ## @param metrics.service.loadBalancerIP Load Balancer IP if the Prometheus metrics server type is `LoadBalancer` + ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param metrics.service.clusterIP Prometheus metrics service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param metrics.service.loadBalancerSourceRanges Prometheus metrics service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param metrics.service.externalTrafficPolicy Prometheus metrics service external traffic policy + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Optional namespace which 
Prometheus is running in + ## + namespace: "" + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## + jobLabel: "" + ## @param metrics.serviceMonitor.interval How frequently to scrape metrics (use by default, falling back to Prometheus' default) + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## e.g: + ## interval: 10s + ## + interval: "" + ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## e.g: + ## scrapeTimeout: 10s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.selector [object] ServiceMonitor selector labels + ## Default to kube-prometheus install (CoreOS recommended), but should be set according to Prometheus install + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + selector: + prometheus: kube-prometheus + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## e.g: + ## - sourceLabels: + ## - "__name__" + ## targetLabel: "__name__" + ## action: replace + ## regex: '(.*)' + ## replacement: 'example_prefix_$1' + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## @param metrics.serviceMonitor.labels ServiceMonitor extra labels + ## + labels: {} + 
+ ## Prometheus Operator PrometheusRule configuration
+ ##
+ prometheusRules:
+ ## @param metrics.prometheusRules.enabled if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true`, and makes little sense without ServiceMonitor)
+ ##
+ enabled: false
+ ## @param metrics.prometheusRules.selector [object] Additional labels to add to the PrometheusRule so it is picked up by the operator
+ ## If using the [Helm Chart](https://github.com/helm/charts/tree/master/stable/prometheus-operator) this is the name of the Helm release and 'app: prometheus-operator'
+ ##
+ selector:
+ app: prometheus-operator
+ release: prometheus
+ ## @param metrics.prometheusRules.rules PrometheusRule rules to configure
+ ## e.g:
+ ## - alert: MariaDB-Down
+ ## annotations:
+ ## message: 'MariaDB instance {{ $labels.instance }} is down'
+ ## summary: MariaDB instance is down
+ ## expr: absent(up{job="mariadb-galera"} == 1)
+ ## labels:
+ ## severity: warning
+ ## service: mariadb-galera
+ ## for: 5m
+ ##
+ rules: {}
\ No newline at end of file
From b1bf829993af0e4bb993b68f216b570980abeb1b Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Tue, 15 Feb 2022 09:35:39 +0100
Subject: [PATCH 105/334] feat: added redis
---
home/redis/Chart.yaml | 7 +
home/redis/values.yaml | 1485 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 1492 insertions(+)
create mode 100644 home/redis/Chart.yaml
create mode 100644 home/redis/values.yaml
diff --git a/home/redis/Chart.yaml b/home/redis/Chart.yaml
new file mode 100644
index 0000000000..d50c3da429
--- /dev/null
+++ b/home/redis/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: redis
+version: 0.0.0
+dependencies:
+ - name: redis
+ version: 16.4.0
+ repository: https://charts.bitnami.com/bitnami
\ No newline at end of file
diff --git a/home/redis/values.yaml b/home/redis/values.yaml
new file mode 100644
index 0000000000..e6cfff4fc5
--- /dev/null
+++ b/home/redis/values.yaml
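Review bot: The new Chart.yaml pins the `redis` dependency to `version: 16.4.0`, but the commit adds only Chart.yaml and values.yaml (see the diffstat), so no `Chart.lock` records the resolved dependency and its digest; consider committing the `Chart.lock` produced by `helm dependency update` so the pulled chart is reproducible and verifiable, unless this repository intentionally keeps lockfiles out of wrapper charts. The file also ends without a trailing newline (`\ No newline at end of file` after the `repository: https://charts.bitnami.com/bitnami` line); add one so the next edit to that line does not show up as a spurious change.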
@@ -0,0 +1,1485 @@
+## @section Global parameters
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
+##
+
+## @param global.imageRegistry Global Docker image registry
+## @param global.imagePullSecrets Global Docker registry secret names as an array
+## @param global.storageClass Global StorageClass for Persistent Volume(s)
+## @param global.redis.password Global Redis™ password (overrides `auth.password`)
+##
+global:
+ imageRegistry: ""
+ ## E.g.
+ ## imagePullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ imagePullSecrets: []
+ storageClass: ""
+ redis:
+ password: ""
+
+## @section Common parameters
+##
+
+## @param kubeVersion Override Kubernetes version
+##
+kubeVersion: ""
+## @param nameOverride String to partially override common.names.fullname
+##
+nameOverride: ""
+## @param fullnameOverride String to fully override common.names.fullname
+##
+fullnameOverride: ""
+## @param commonLabels Labels to add to all deployed objects
+##
+commonLabels: {}
+## @param commonAnnotations Annotations to add to all deployed objects
+##
+commonAnnotations: {}
+## @param clusterDomain Kubernetes cluster domain name
+##
+clusterDomain: cluster.local
+## @param extraDeploy Array of extra objects to deploy with the release
+##
+extraDeploy: []
+
+## Enable diagnostic mode in the deployment
+##
+diagnosticMode:
+ ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
+ ##
+ enabled: false
+ ## @param diagnosticMode.command Command to override all containers in the deployment
+ ##
+ command:
+ - sleep
+ ## @param diagnosticMode.args Args to override all containers in the deployment
+ ##
+ args:
+ - infinity
+
+## @section Redis™ Image parameters
+##
+
+## Bitnami Redis™ image
+## ref:
https://hub.docker.com/r/bitnami/redis/tags/ +## @param image.registry Redis™ image registry +## @param image.repository Redis™ image repository +## @param image.tag Redis™ image tag (immutable tags are recommended) +## @param image.pullPolicy Redis™ image pull policy +## @param image.pullSecrets Redis™ image pull secrets +## @param image.debug Enable image debug mode +## +image: + registry: docker.io + repository: bitnami/redis + tag: 6.2.6-debian-10-r120 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + +## @section Redis™ common configuration parameters +## https://github.com/bitnami/bitnami-docker-redis#configuration +## + +## @param architecture Redis™ architecture. 
Allowed values: `standalone` or `replication` +## +architecture: replication +## Redis™ Authentication parameters +## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run +## +auth: + ## @param auth.enabled Enable password authentication + ## + enabled: true + ## @param auth.sentinel Enable password authentication on sentinels too + ## + sentinel: true + ## @param auth.password Redis™ password + ## Defaults to a random 10-character alphanumeric string if not set + ## + password: "" + ## @param auth.existingSecret The name of an existing secret with Redis™ credentials + ## NOTE: When it's set, the previous `auth.password` parameter is ignored + ## + existingSecret: "redis-secret" + ## @param auth.existingSecretPasswordKey Password key to be retrieved from existing secret + ## NOTE: ignored unless `auth.existingSecret` parameter is set + ## + existingSecretPasswordKey: "" + ## @param auth.usePasswordFiles Mount credentials as files instead of using an environment variable + ## + usePasswordFiles: false +## @param commonConfiguration [string] Common configuration to be added into the ConfigMap +## ref: https://redis.io/topics/config +## +commonConfiguration: |- + # Enable AOF https://redis.io/topics/persistence#append-only-file + appendonly yes + # Disable RDB persistence, AOF persistence already enabled. + save "" +## @param existingConfigmap The name of an existing ConfigMap with your custom configuration for Redis™ nodes +## +existingConfigmap: "" + +## @section Redis™ master configuration parameters +## + +master: + ## @param master.configuration Configuration for Redis™ master nodes + ## ref: https://redis.io/topics/config + ## + configuration: "" + ## @param master.disableCommands Array with Redis™ commands to disable on master nodes + ## Commands will be completely disabled by renaming each to an empty string. 
+ ## ref: https://redis.io/topics/security#disabling-of-specific-commands + ## + disableCommands: + - FLUSHDB + - FLUSHALL + ## @param master.command Override default container command (useful when using custom images) + ## + command: [] + ## @param master.args Override default container args (useful when using custom images) + ## + args: [] + ## @param master.preExecCmds Additional commands to run prior to starting Redis™ master + ## + preExecCmds: [] + ## @param master.extraFlags Array with additional command line flags for Redis™ master + ## e.g: + ## extraFlags: + ## - "--maxmemory-policy volatile-ttl" + ## - "--repl-backlog-size 1024mb" + ## + extraFlags: [] + ## @param master.extraEnvVars Array with extra environment variables to add to Redis™ master nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param master.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis™ master nodes + ## + extraEnvVarsCM: "" + ## @param master.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis™ master nodes + ## + extraEnvVarsSecret: "" + ## @param master.containerPorts.redis Container port to open on Redis™ master nodes + ## + containerPorts: + redis: 6379 + ## Configure extra options for Redis™ containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param master.startupProbe.enabled Enable startupProbe on Redis™ master nodes + ## @param master.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param master.startupProbe.periodSeconds Period seconds for startupProbe + ## @param master.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param master.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param master.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: 
false + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## @param master.livenessProbe.enabled Enable livenessProbe on Redis™ master nodes + ## @param master.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param master.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param master.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param master.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param master.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## @param master.readinessProbe.enabled Enable readinessProbe on Redis™ master nodes + ## @param master.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param master.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param master.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param master.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param master.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + ## @param master.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param master.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param master.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## Redis™ master resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param master.resources.limits The resources limits for the Redis™ 
master containers + ## @param master.resources.requests The requested resources for the Redis™ master containers + ## + resources: + limits: {} + requests: {} + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param master.podSecurityContext.enabled Enabled Redis™ master pods' Security Context + ## @param master.podSecurityContext.fsGroup Set Redis™ master pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param master.containerSecurityContext.enabled Enabled Redis™ master containers' Security Context + ## @param master.containerSecurityContext.runAsUser Set Redis™ master containers' Security Context runAsUser + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param master.kind Use either Deployment or StatefulSet (default) + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/ + ## + kind: StatefulSet + ## @param master.schedulerName Alternate scheduler for Redis™ master pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param master.updateStrategy.type Redis™ master statefulset strategy type + ## @skip master.updateStrategy.rollingUpdate + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + rollingUpdate: {} + ## @param master.priorityClassName Redis™ master pods' priorityClassName + ## + priorityClassName: "" + ## @param master.hostAliases Redis™ master pods host aliases + ## 
https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param master.podLabels Extra labels for Redis™ master pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param master.podAnnotations Annotations for Redis™ master pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param master.shareProcessNamespace Share a single process namespace between all of the containers in Redis™ master pods + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ + ## + shareProcessNamespace: false + ## @param master.podAffinityPreset Pod affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param master.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node master.affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param master.nodeAffinityPreset.type Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param master.nodeAffinityPreset.key Node label key to match. Ignored if `master.affinity` is set + ## + key: "" + ## @param master.nodeAffinityPreset.values Node label values to match. Ignored if `master.affinity` is set + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param master.affinity Affinity for Redis™ master pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `master.podAffinityPreset`, `master.podAntiAffinityPreset`, and `master.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param master.nodeSelector Node labels for Redis™ master pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param master.tolerations Tolerations for Redis™ master pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param master.topologySpreadConstraints Spread Constraints for Redis™ master pod assignment + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## E.g. + ## topologySpreadConstraints: + ## - maxSkew: 1 + ## topologyKey: node + ## whenUnsatisfiable: DoNotSchedule + ## + topologySpreadConstraints: {} + ## @param master.lifecycleHooks for the Redis™ master container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param master.extraVolumes Optionally specify extra list of additional volumes for the Redis™ master pod(s) + ## + extraVolumes: [] + ## @param master.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ master container(s) + ## + extraVolumeMounts: [] + ## @param master.sidecars Add additional sidecar containers to the Redis™ master pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param master.initContainers Add additional init containers to the Redis™ master pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## 
initContainers:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## command: ['sh', '-c', 'echo "hello world"']
+ ##
+ initContainers: []
+ ## Persistence parameters
+ ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ persistence:
+ ## @param master.persistence.enabled Enable persistence on Redis™ master nodes using Persistent Volume Claims
+ ##
+ enabled: true
+ ## @param master.persistence.medium Provide a medium for `emptyDir` volumes.
+ ##
+ medium: ""
+ ## @param master.persistence.path The path the volume will be mounted at on Redis™ master containers
+ ## NOTE: Useful when using different Redis™ images
+ ##
+ path: /data
+ ## @param master.persistence.subPath The subdirectory of the volume to mount on Redis™ master containers
+ ## NOTE: Useful in dev environments
+ ##
+ subPath: ""
+ ## @param master.persistence.storageClass Persistent Volume storage class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner
+ ##
+ storageClass: "longhorn"
+ ## @param master.persistence.accessModes Persistent Volume access modes
+ ##
+ accessModes:
+ - ReadWriteOnce
+ ## @param master.persistence.size Persistent Volume size
+ ##
+ size: 8Gi
+ ## @param master.persistence.annotations Additional custom annotations for the PVC
+ ##
+ annotations: {}
+ ## @param master.persistence.selector Additional labels to match for the PVC
+ ## e.g:
+ ## selector:
+ ## matchLabels:
+ ## app: my-app
+ ##
+ selector: {}
+ ## @param master.persistence.dataSource Custom PVC data source
+ dataSource: {}
+ ## @param master.persistence.existingClaim Use a existing PVC which must be created manually before bound
+ ## NOTE: requires master.persistence.enabled: true
+ ##
+ existingClaim: ""
+ ## Redis™ master service parameters
+ ##
+ service:
+ ## @param master.service.type Redis™ master service type
+ ##
+ type: ClusterIP
+ ## @param master.service.ports.redis Redis™ master service port
+ ##
+ ports:
+ redis: 6379
+ ## @param master.service.nodePorts.redis Node port for Redis™ master
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ## NOTE: choose port between <30000-32767>
+ ##
+ nodePorts:
+ redis: ""
+ ## @param master.service.externalTrafficPolicy Redis™ master service external traffic policy
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param master.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+ ## @param master.service.clusterIP Redis™ master service Cluster IP
+ ##
+ clusterIP: ""
+ ## @param master.service.loadBalancerIP Redis™ master service Load Balancer IP
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ loadBalancerIP: ""
+ ## @param master.service.loadBalancerSourceRanges Redis™ master service Load Balancer sources
+ ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## e.g.
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param master.service.annotations Additional custom annotations for Redis™ master service
+ ##
+ annotations: {}
+ ## @param master.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-master pods
+ ##
+ terminationGracePeriodSeconds: 30
+
+## @section Redis™ replicas configuration parameters
+##
+
+replica:
+ ## @param replica.replicaCount Number of Redis™ replicas to deploy
+ ##
+ replicaCount: 3
+ ## @param replica.configuration Configuration for Redis™ replicas nodes
+ ## ref: https://redis.io/topics/config
+ ##
+ configuration: ""
+ ## @param replica.disableCommands Array with Redis™ commands to disable on replicas nodes
+ ## Commands will be completely disabled by renaming each to an empty string.
+ ## ref: https://redis.io/topics/security#disabling-of-specific-commands
+ ##
+ disableCommands:
+ - FLUSHDB
+ - FLUSHALL
+ ## @param replica.command Override default container command (useful when using custom images)
+ ##
+ command: []
+ ## @param replica.args Override default container args (useful when using custom images)
+ ##
+ args: []
+ ## @param replica.preExecCmds Additional commands to run prior to starting Redis™ replicas
+ ##
+ preExecCmds: []
+ ## @param replica.extraFlags Array with additional command line flags for Redis™ replicas
+ ## e.g:
+ ## extraFlags:
+ ## - "--maxmemory-policy volatile-ttl"
+ ## - "--repl-backlog-size 1024mb"
+ ##
+ extraFlags: []
+ ## @param replica.extraEnvVars Array with extra environment variables to add to Redis™ replicas nodes
+ ## e.g:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: "bar"
+ ##
+ extraEnvVars: []
+ ## @param replica.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis™ replicas nodes
+ ##
+ extraEnvVarsCM: ""
+ ## @param replica.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis™ replicas nodes
+ ##
+ extraEnvVarsSecret: ""
+ ## @param replica.externalMaster.enabled Use external master for bootstrapping
+ ## @param replica.externalMaster.host External master host to bootstrap from
+ ## @param replica.externalMaster.port Port for Redis service external master host
+ ##
+ externalMaster:
+ enabled: false
+ host: ""
+ port: 6379
+ ## @param replica.containerPorts.redis Container port to open on Redis™ replicas nodes
+ ##
+ containerPorts:
+ redis: 6379
+ ## Configure extra options for Redis™ containers' liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+ ## @param replica.startupProbe.enabled Enable startupProbe on Redis™ replicas nodes
+ ## @param replica.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+ ## @param replica.startupProbe.periodSeconds Period seconds for startupProbe
+ ## @param replica.startupProbe.timeoutSeconds Timeout seconds for startupProbe
+ ## @param replica.startupProbe.failureThreshold Failure threshold for startupProbe
+ ## @param replica.startupProbe.successThreshold Success threshold for startupProbe
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param replica.livenessProbe.enabled Enable livenessProbe on Redis™ replicas nodes
+ ## @param replica.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param replica.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param replica.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param replica.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param replica.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param replica.readinessProbe.enabled Enable readinessProbe on Redis™ replicas nodes
+ ## @param replica.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param replica.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param replica.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param replica.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param replica.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param replica.customStartupProbe Custom startupProbe that overrides the default one
+ ##
+ customStartupProbe: {}
+ ## @param replica.customLivenessProbe Custom livenessProbe that overrides the default one
+ ##
+ customLivenessProbe: {}
+ ## @param replica.customReadinessProbe Custom readinessProbe that overrides the default one
+ ##
+ customReadinessProbe: {}
+ ## Redis™ replicas resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## @param replica.resources.limits The resources limits for the Redis™ replicas containers
+ ## @param replica.resources.requests The requested resources for the Redis™ replicas containers
+ ##
+ resources:
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ limits: {}
+ # cpu: 250m
+ # memory: 256Mi
+ requests: {}
+ # cpu: 250m
+ # memory: 256Mi
+ ## Configure Pods Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param replica.podSecurityContext.enabled Enabled Redis™ replicas pods' Security Context
+ ## @param replica.podSecurityContext.fsGroup Set Redis™ replicas pod's Security Context fsGroup
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+ ## Configure Container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param replica.containerSecurityContext.enabled Enabled Redis™ replicas containers' Security Context
+ ## @param replica.containerSecurityContext.runAsUser Set Redis™ replicas containers' Security Context runAsUser
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ ## @param replica.schedulerName Alternate scheduler for Redis™ replicas pods
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ schedulerName: ""
+ ## @param replica.updateStrategy.type Redis™ replicas statefulset strategy type
+ ## @skip replica.updateStrategy.rollingUpdate
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+ ##
+ updateStrategy:
+ ## StrategyType
+ ## Can be set to RollingUpdate or OnDelete
+ ##
+ type: RollingUpdate
+ rollingUpdate: {}
+ ## @param replica.priorityClassName Redis™ replicas pods' priorityClassName
+ ##
+ priorityClassName: ""
+ ## @param replica.podManagementPolicy podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
+ ##
+ podManagementPolicy: ""
+ ## @param replica.hostAliases Redis™ replicas pods host aliases
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: []
+ ## @param replica.podLabels Extra labels for Redis™ replicas pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param replica.podAnnotations Annotations for Redis™ replicas pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param replica.shareProcessNamespace Share a single process namespace between all of the containers in Redis™ replicas pods
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/
+ ##
+ shareProcessNamespace: false
+ ## @param replica.podAffinityPreset Pod affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param replica.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## Node affinity preset
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+ nodeAffinityPreset:
+ ## @param replica.nodeAffinityPreset.type Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param replica.nodeAffinityPreset.key Node label key to match. Ignored if `replica.affinity` is set
+ ##
+ key: ""
+ ## @param replica.nodeAffinityPreset.values Node label values to match. Ignored if `replica.affinity` is set
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+ ## @param replica.affinity Affinity for Redis™ replicas pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ## NOTE: `replica.podAffinityPreset`, `replica.podAntiAffinityPreset`, and `replica.nodeAffinityPreset` will be ignored when it's set
+ ##
+ affinity: {}
+ ## @param replica.nodeSelector Node labels for Redis™ replicas pods assignment
+ ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+ ## @param replica.tolerations Tolerations for Redis™ replicas pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param replica.topologySpreadConstraints Spread Constraints for Redis™ replicas pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+ ## E.g.
+ ## topologySpreadConstraints:
+ ## - maxSkew: 1
+ ## topologyKey: node
+ ## whenUnsatisfiable: DoNotSchedule
+ ##
+ topologySpreadConstraints: {}
+ ## @param replica.lifecycleHooks for the Redis™ replica container(s) to automate configuration before or after startup
+ ##
+ lifecycleHooks: {}
+ ## @param replica.extraVolumes Optionally specify extra list of additional volumes for the Redis™ replicas pod(s)
+ ##
+ extraVolumes: []
+ ## @param replica.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ replicas container(s)
+ ##
+ extraVolumeMounts: []
+ ## @param replica.sidecars Add additional sidecar containers to the Redis™ replicas pod(s)
+ ## e.g:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: []
+ ## @param replica.initContainers Add additional init containers to the Redis™ replicas pod(s)
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+ ## e.g:
+ ## initContainers:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## command: ['sh', '-c', 'echo "hello world"']
+ ##
+ initContainers: []
+ ## Persistence Parameters
+ ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ persistence:
+ ## @param replica.persistence.enabled Enable persistence on Redis™ replicas nodes using Persistent Volume Claims
+ ##
+ enabled: true
+ ## @param replica.persistence.medium Provide a medium for `emptyDir` volumes.
+ ##
+ medium: ""
+ ## @param replica.persistence.path The path the volume will be mounted at on Redis™ replicas containers
+ ## NOTE: Useful when using different Redis™ images
+ ##
+ path: /data
+ ## @param replica.persistence.subPath The subdirectory of the volume to mount on Redis™ replicas containers
+ ## NOTE: Useful in dev environments
+ ##
+ subPath: ""
+ ## @param replica.persistence.storageClass Persistent Volume storage class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner
+ ##
+ storageClass: ""
+ ## @param replica.persistence.accessModes Persistent Volume access modes
+ ##
+ accessModes:
+ - ReadWriteOnce
+ ## @param replica.persistence.size Persistent Volume size
+ ##
+ size: 8Gi
+ ## @param replica.persistence.annotations Additional custom annotations for the PVC
+ ##
+ annotations: {}
+ ## @param replica.persistence.selector Additional labels to match for the PVC
+ ## e.g:
+ ## selector:
+ ## matchLabels:
+ ## app: my-app
+ ##
+ selector: {}
+ ## @param replica.persistence.dataSource Custom PVC data source
+ dataSource: {}
+ ## Redis™ replicas service parameters
+ ##
+ service:
+ ## @param replica.service.type Redis™ replicas service type
+ ##
+ type: ClusterIP
+ ## @param replica.service.ports.redis Redis™ replicas service port
+ ##
+ ports:
+ redis: 6379
+ ## @param replica.service.nodePorts.redis Node port for Redis™ replicas
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ## NOTE: choose port between <30000-32767>
+ ##
+ nodePorts:
+ redis: ""
+ ## @param replica.service.externalTrafficPolicy Redis™ replicas service external traffic policy
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param replica.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+ ## @param replica.service.clusterIP Redis™ replicas service Cluster IP
+ ##
+ clusterIP: ""
+ ## @param replica.service.loadBalancerIP Redis™ replicas service Load Balancer IP
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ loadBalancerIP: ""
+ ## @param replica.service.loadBalancerSourceRanges Redis™ replicas service Load Balancer sources
+ ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## e.g.
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param replica.service.annotations Additional custom annotations for Redis™ replicas service
+ ##
+ annotations: {}
+ ## @param replica.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-replicas pods
+ ##
+ terminationGracePeriodSeconds: 30
+ ## Autoscaling configuration
+ ##
+ autoscaling:
+ ## @param replica.autoscaling.enabled Enable replica autoscaling settings
+ ##
+ enabled: false
+ ## @param replica.autoscaling.minReplicas Minimum replicas for the pod autoscaling
+ ##
+ minReplicas: 1
+ ## @param replica.autoscaling.maxReplicas Maximum replicas for the pod autoscaling
+ ##
+ maxReplicas: 11
+ ## @param replica.autoscaling.targetCPU Percentage of CPU to consider when autoscaling
+ ##
+ targetCPU: ""
+ ## @param replica.autoscaling.targetMemory Percentage of Memory to consider when autoscaling
+ ##
+ targetMemory: ""
+
+## @section Redis™ Sentinel configuration parameters
+##
+
+sentinel:
+ ## @param sentinel.enabled Use Redis™ Sentinel on Redis™ pods.
+ ## IMPORTANT: this will disable the master and replicas services and
+ ## create a single Redis™ service exposing both the Redis and Sentinel ports
+ ##
+ enabled: false
+ ## Bitnami Redis™ Sentinel image version
+ ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/
+ ## @param sentinel.image.registry Redis™ Sentinel image registry
+ ## @param sentinel.image.repository Redis™ Sentinel image repository
+ ## @param sentinel.image.tag Redis™ Sentinel image tag (immutable tags are recommended)
+ ## @param sentinel.image.pullPolicy Redis™ Sentinel image pull policy
+ ## @param sentinel.image.pullSecrets Redis™ Sentinel image pull secrets
+ ## @param sentinel.image.debug Enable image debug mode
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/redis-sentinel
+ tag: 6.2.6-debian-10-r118
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Enable debug mode
+ ##
+ debug: false
+ ## @param sentinel.masterSet Master set name
+ ##
+ masterSet: mymaster
+ ## @param sentinel.quorum Sentinel Quorum
+ ##
+ quorum: 2
+ ## @param sentinel.automateClusterRecovery Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it.
+ ## This also prevents any new replica from starting until the last remaining replica is elected as master to guarantee that it is the one to be elected by Sentinel, and not a newly started replica with no data.
+ ## NOTE: This feature requires a "downAfterMilliseconds" value less or equal to 2000.
+ ##
+ automateClusterRecovery: false
+ ## Sentinel timing restrictions
+ ## @param sentinel.downAfterMilliseconds Timeout for detecting a Redis™ node is down
+ ## @param sentinel.failoverTimeout Timeout for performing a election failover
+ ##
+ downAfterMilliseconds: 60000
+ failoverTimeout: 18000
+ ## @param sentinel.parallelSyncs Number of replicas that can be reconfigured in parallel to use the new master after a failover
+ ##
+ parallelSyncs: 1
+ ## @param sentinel.configuration Configuration for Redis™ Sentinel nodes
+ ## ref: https://redis.io/topics/sentinel
+ ##
+ configuration: ""
+ ## @param sentinel.command Override default container command (useful when using custom images)
+ ##
+ command: []
+ ## @param sentinel.args Override default container args (useful when using custom images)
+ ##
+ args: []
+ ## @param sentinel.preExecCmds Additional commands to run prior to starting Redis™ Sentinel
+ ##
+ preExecCmds: []
+ ## @param sentinel.extraEnvVars Array with extra environment variables to add to Redis™ Sentinel nodes
+ ## e.g:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: "bar"
+ ##
+ extraEnvVars: []
+ ## @param sentinel.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis™ Sentinel nodes
+ ##
+ extraEnvVarsCM: ""
+ ## @param sentinel.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis™ Sentinel nodes
+ ##
+ extraEnvVarsSecret: ""
+ ## @param sentinel.externalMaster.enabled Use external master for bootstrapping
+ ## @param sentinel.externalMaster.host External master host to bootstrap from
+ ## @param sentinel.externalMaster.port Port for Redis service external master host
+ externalMaster:
+ enabled: false
+ host: ""
+ port: 6379
+ ## @param sentinel.containerPorts.sentinel Container port to open on Redis™ Sentinel nodes
+ ##
+ containerPorts:
+ sentinel: 26379
+ ## Configure extra options for Redis™ containers' liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+ ## @param sentinel.startupProbe.enabled Enable startupProbe on Redis™ Sentinel nodes
+ ## @param sentinel.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+ ## @param sentinel.startupProbe.periodSeconds Period seconds for startupProbe
+ ## @param sentinel.startupProbe.timeoutSeconds Timeout seconds for startupProbe
+ ## @param sentinel.startupProbe.failureThreshold Failure threshold for startupProbe
+ ## @param sentinel.startupProbe.successThreshold Success threshold for startupProbe
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param sentinel.livenessProbe.enabled Enable livenessProbe on Redis™ Sentinel nodes
+ ## @param sentinel.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param sentinel.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param sentinel.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param sentinel.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param sentinel.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param sentinel.readinessProbe.enabled Enable readinessProbe on Redis™ Sentinel nodes
+ ## @param sentinel.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param sentinel.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param sentinel.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param sentinel.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param sentinel.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param sentinel.customStartupProbe Custom startupProbe that overrides the default one
+ ##
+ customStartupProbe: {}
+ ## @param sentinel.customLivenessProbe Custom livenessProbe that overrides the default one
+ ##
+ customLivenessProbe: {}
+ ## @param sentinel.customReadinessProbe Custom readinessProbe that overrides the default one
+ ##
+ customReadinessProbe: {}
+ ## Redis™ Sentinel resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## @param sentinel.resources.limits The resources limits for the Redis™ Sentinel containers
+ ## @param sentinel.resources.requests The requested resources for the Redis™ Sentinel containers
+ ##
+ resources:
+ limits: {}
+ requests: {}
+ ## Configure Container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param sentinel.containerSecurityContext.enabled Enabled Redis™ Sentinel containers' Security Context
+ ## @param sentinel.containerSecurityContext.runAsUser Set Redis™ Sentinel containers' Security Context runAsUser
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ ## @param sentinel.lifecycleHooks for the Redis™ sentinel container(s) to automate configuration before or after startup
+ ##
+ lifecycleHooks: {}
+ ## @param sentinel.extraVolumes Optionally specify extra list of additional volumes for the Redis™ Sentinel
+ ##
+ extraVolumes: []
+ ## @param sentinel.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ Sentinel container(s)
+ ##
+ extraVolumeMounts: []
+ ## Redis™ Sentinel service parameters
+ ##
+ service:
+ ## @param sentinel.service.type Redis™ Sentinel service type
+ ##
+ type: ClusterIP
+ ## @param sentinel.service.ports.redis Redis™ service port for Redis™
+ ## @param sentinel.service.ports.sentinel Redis™ service port for Redis™ Sentinel
+ ports:
+ redis: 6379
+ sentinel: 26379
+ ## @param sentinel.service.nodePorts.redis Node port for Redis™
+ ## @param sentinel.service.nodePorts.sentinel Node port for Sentinel
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ## NOTE: choose port between <30000-32767>
+ ## NOTE: By leaving these values blank, they will be generated by ports-configmap
+ ## If setting manually, please leave at least replica.replicaCount + 1 in between sentinel.service.nodePorts.redis and sentinel.service.nodePorts.sentinel to take into account the ports that will be created while incrementing that base port
+ ##
+ nodePorts:
+ redis: ""
+ sentinel: ""
+ ## @param sentinel.service.externalTrafficPolicy Redis™ Sentinel service external traffic policy
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param sentinel.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+ ## @param sentinel.service.clusterIP Redis™ Sentinel service Cluster IP
+ ##
+ clusterIP: ""
+ ## @param sentinel.service.loadBalancerIP Redis™ Sentinel service Load Balancer IP
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ loadBalancerIP: ""
+ ## @param sentinel.service.loadBalancerSourceRanges Redis™ Sentinel service Load Balancer sources
+ ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## e.g.
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param sentinel.service.annotations Additional custom annotations for Redis™ Sentinel service
+ ##
+ annotations: {}
+ ## @param sentinel.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-node pods
+ ##
+ terminationGracePeriodSeconds: 30
+
+## @section Other Parameters
+##
+
+## Network Policy configuration
+## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+##
+networkPolicy:
+ ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources
+ ##
+ enabled: false
+ ## @param networkPolicy.allowExternal Don't require client label for connections
+ ## When set to false, only pods with the correct client label will have network access to the ports
+ ## Redis™ is listening on. When true, Redis™ will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param networkPolicy.extraIngress Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraIngress: []
+ ## @param networkPolicy.extraEgress Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param networkPolicy.ingressNSMatchLabels Labels to match to allow traffic from other namespaces
+ ## @param networkPolicy.ingressNSPodMatchLabels Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
+## PodSecurityPolicy configuration
+## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+##
+podSecurityPolicy:
+ ## @param podSecurityPolicy.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later
+ ##
+ create: false
+ ## @param podSecurityPolicy.enabled Enable PodSecurityPolicy's RBAC rules
+ ##
+ enabled: false
+## RBAC configuration
+##
+rbac:
+ ## @param rbac.create Specifies whether RBAC resources should be created
+ ##
+ create: false
+ ## @param rbac.rules Custom RBAC rules to set
+ ## e.g:
+ ## rules:
+ ## - apiGroups:
+ ## - ""
+ ## resources:
+ ## - pods
+ ## verbs:
+ ## - get
+ ## - list
+ ##
+ rules: []
+## ServiceAccount configuration
+##
+serviceAccount:
+ ## @param serviceAccount.create Specifies whether a ServiceAccount should be created
+ ##
+ create: true
+ ## @param serviceAccount.name The name of the ServiceAccount to use.
+ ## If not set and create is true, a name is generated using the common.names.fullname template
+ ##
+ name: ""
+ ## @param serviceAccount.automountServiceAccountToken Whether to auto mount the service account token
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
+ ##
+ automountServiceAccountToken: true
+ ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
+ ##
+ annotations: {}
+## Redis™ Pod Disruption Budget configuration
+## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+##
+pdb:
+ ## @param pdb.create Specifies whether a PodDisruptionBudget should be created
+ ##
+ create: false
+ ## @param pdb.minAvailable Min number of pods that must still be available after the eviction
+ ##
+ minAvailable: 1
+ ## @param pdb.maxUnavailable Max number of pods that can be unavailable after the eviction
+ ##
+ maxUnavailable: ""
+## TLS configuration
+##
+tls:
+ ## @param tls.enabled Enable TLS traffic
+ ##
+ enabled: false
+ ## @param tls.authClients Require clients to authenticate
+ ##
+ authClients: true
+ ## @param tls.autoGenerated Enable autogenerated certificates
+ ##
+ autoGenerated: false
+ ## @param tls.existingSecret The name of the existing secret that contains the TLS certificates
+ ##
+ existingSecret: ""
+ ## @param tls.certificatesSecret DEPRECATED. Use existingSecret instead.
+ ##
+ certificatesSecret: ""
+ ## @param tls.certFilename Certificate filename
+ ##
+ certFilename: ""
+ ## @param tls.certKeyFilename Certificate Key filename
+ ##
+ certKeyFilename: ""
+ ## @param tls.certCAFilename CA Certificate filename
+ ##
+ certCAFilename: ""
+ ## @param tls.dhParamsFilename File containing DH params (in order to support DH based ciphers)
+ ##
+ dhParamsFilename: ""
+
+## @section Metrics Parameters
+##
+
+metrics:
+ ## @param metrics.enabled Start a sidecar prometheus exporter to expose Redis™ metrics
+ ##
+ enabled: false
+ ## Bitnami Redis™ Exporter image
+ ## ref: https://hub.docker.com/r/bitnami/redis-exporter/tags/
+ ## @param metrics.image.registry Redis™ Exporter image registry
+ ## @param metrics.image.repository Redis™ Exporter image repository
+ ## @param metrics.image.tag Redis™ Redis™ Exporter image tag (immutable tags are recommended)
+ ## @param metrics.image.pullPolicy Redis™ Exporter image pull policy
+ ## @param metrics.image.pullSecrets Redis™ Exporter image pull secrets
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/redis-exporter
+ tag: 1.35.0-debian-10-r2
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## @param metrics.command Override default metrics container init command (useful when using custom images)
+ ##
+ command: []
+ ## @param metrics.redisTargetHost A way to specify an alternative Redis™ hostname
+ ## Useful for certificate CN/SAN matching
+ ##
+ redisTargetHost: "localhost"
+ ## @param metrics.extraArgs Extra arguments for Redis™ exporter, for example:
+ ## e.g.:
+ ## extraArgs:
+ ## check-keys: myKey,myOtherKey
+ ##
+ extraArgs: {}
+ ## Configure Container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param metrics.containerSecurityContext.enabled Enabled Redis™ exporter containers' Security Context
+ ## @param metrics.containerSecurityContext.runAsUser Set Redis™ exporter containers' Security Context runAsUser
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ ## @param metrics.extraVolumes Optionally specify extra list of additional volumes for the Redis™ metrics sidecar
+ ##
+ extraVolumes: []
+ ## @param metrics.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ metrics sidecar
+ ##
+ extraVolumeMounts: []
+ ## Redis™ exporter resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## @param metrics.resources.limits The resources limits for the Redis™ exporter container
+ ## @param metrics.resources.requests The requested resources for the Redis™ exporter container
+ ##
+ resources:
+ limits: {}
+ requests: {}
+ ## @param metrics.podLabels Extra labels for Redis™ exporter pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param metrics.podAnnotations [object] Annotations for Redis™ exporter pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9121"
+ ## Redis™ exporter service parameters
+ ##
+ service:
+ ## @param metrics.service.type Redis™ exporter service type
+ ##
+ type: ClusterIP
+ ## @param metrics.service.port Redis™ exporter service port
+ ##
+ port: 9121
+ ## @param metrics.service.externalTrafficPolicy Redis™ exporter service external traffic policy
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param metrics.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+ ## @param metrics.service.loadBalancerIP Redis™ exporter service Load Balancer IP
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ loadBalancerIP: ""
+ ## @param metrics.service.loadBalancerSourceRanges Redis™ exporter service Load Balancer sources
+ ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## e.g.
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param metrics.service.annotations Additional custom annotations for Redis™ exporter service
+ ##
+ annotations: {}
+ ## Prometheus Service Monitor
+ ## ref: https://github.com/coreos/prometheus-operator
+ ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ##
+ serviceMonitor:
+ ## @param metrics.serviceMonitor.enabled Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator
+ ##
+ enabled: false
+ ## @param metrics.serviceMonitor.namespace The namespace in which the ServiceMonitor will be created
+ ##
+ namespace: ""
+ ## @param metrics.serviceMonitor.interval The interval at which metrics should be scraped
+ ##
+ interval: 30s
+ ## @param metrics.serviceMonitor.scrapeTimeout The timeout after which the scrape is ended
+ ##
+ scrapeTimeout: ""
+ ## @param metrics.serviceMonitor.relabellings Metrics RelabelConfigs to apply to samples before scraping.
+ ##
+ relabellings: []
+ ## @param metrics.serviceMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion.
+ ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## @param metrics.serviceMonitor.additionalLabels Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus + ## + additionalLabels: {} + ## Custom PrometheusRule to be defined + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param metrics.prometheusRule.namespace The namespace in which the prometheusRule will be created + ## + namespace: "" + ## @param metrics.prometheusRule.additionalLabels Additional labels for the prometheusRule + ## + additionalLabels: {} + ## @param metrics.prometheusRule.rules Custom Prometheus rules + ## e.g: + ## rules: + ## - alert: RedisDown + ## expr: redis_up{service="{{ template "common.names.fullname" . }}-metrics"} == 0 + ## for: 2m + ## labels: + ## severity: error + ## annotations: + ## summary: Redis™ instance {{ "{{ $labels.instance }}" }} down + ## description: Redis™ instance {{ "{{ $labels.instance }}" }} is down + ## - alert: RedisMemoryHigh + ## expr: > + ## redis_memory_used_bytes{service="{{ template "common.names.fullname" . }}-metrics"} * 100 + ## / + ## redis_memory_max_bytes{service="{{ template "common.names.fullname" . }}-metrics"} + ## > 90 + ## for: 2m + ## labels: + ## severity: error + ## annotations: + ## summary: Redis™ instance {{ "{{ $labels.instance }}" }} is using too much memory + ## description: | + ## Redis™ instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory. + ## - alert: RedisKeyEviction + ## expr: | + ## increase(redis_evicted_keys_total{service="{{ template "common.names.fullname" . 
}}-metrics"}[5m]) > 0 + ## for: 1s + ## labels: + ## severity: error + ## annotations: + ## summary: Redis™ instance {{ "{{ $labels.instance }}" }} has evicted keys + ## description: | + ## Redis™ instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes. + ## + rules: [] + +## @section Init Container Parameters +## + +## 'volumePermissions' init container parameters +## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values +## based on the *podSecurityContext/*containerSecurityContext parameters +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` + ## + enabled: false + ## Bitnami Shell image + ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/ + ## @param volumePermissions.image.registry Bitnami Shell image registry + ## @param volumePermissions.image.repository Bitnami Shell image repository + ## @param volumePermissions.image.tag Bitnami Shell image tag (immutable tags are recommended) + ## @param volumePermissions.image.pullPolicy Bitnami Shell image pull policy + ## @param volumePermissions.image.pullSecrets Bitnami Shell image pull secrets + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 10-debian-10-r329 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container's resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param volumePermissions.resources.limits The resources limits for the init container + ## @param volumePermissions.resources.requests The requested resources for the init container + ## + resources: + limits: {} + requests: {} + ## Init container Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser + ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the + ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed) + ## + containerSecurityContext: + runAsUser: 0 + +## init-sysctl container parameters +## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings) +## +sysctl: + ## @param sysctl.enabled Enable init container to modify Kernel settings + ## + enabled: false + ## Bitnami Shell image + ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/ + ## @param sysctl.image.registry Bitnami Shell image registry + ## @param sysctl.image.repository Bitnami Shell image repository + ## @param sysctl.image.tag Bitnami Shell image tag (immutable tags are recommended) + ## @param sysctl.image.pullPolicy Bitnami Shell image pull policy + ## @param sysctl.image.pullSecrets Bitnami Shell image pull secrets + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 10-debian-10-r329 + pullPolicy: IfNotPresent + ## Optionally specify 
an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param sysctl.command Override default init-sysctl container command (useful when using custom images) + ## + command: [] + ## @param sysctl.mountHostSys Mount the host `/sys` folder to `/host-sys` + ## + mountHostSys: false + ## Init container's resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param sysctl.resources.limits The resources limits for the init container + ## @param sysctl.resources.requests The requested resources for the init container + ## + resources: + limits: {} + requests: {} + +## @section useExternalDNS Parameters +## +## @param useExternalDNS.enabled Enable various syntax that would enable external-dns to work. Note this requires a working installation of `external-dns` to be usable. +## @param useExternalDNS.additionalAnnotations Extra annotations to be utilized when `external-dns` is enabled. +## @param useExternalDNS.annotationKey The annotation key utilized when `external-dns` is enabled. +## @param useExternalDNS.suffix The DNS suffix utilized when `external-dns` is enabled. Note that we prepend the suffix with the full name of the release. +## +useExternalDNS: + enabled: false + suffix: "" + annotationKey: external-dns.alpha.kubernetes.io/ + additionalAnnotations: {} \ No newline at end of file From 22b1e45fa3dc6ebba4003dba5ee1a90fc97c0d7c Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 15 Feb 2022 09:38:06 +0100 Subject: [PATCH 106/334] config: other chart version galera --- home/mariadb-galera/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/mariadb-galera/Chart.yaml b/home/mariadb-galera/Chart.yaml index 93449ce556..dc73d36f2f 100644 --- a/home/mariadb-galera/Chart.yaml 
+++ b/home/mariadb-galera/Chart.yaml @@ -3,5 +3,5 @@ name: mariadb-galera version: 0.0.0 dependencies: - name: mariadb-galera - version: 11.0.3 + version: 7.0.1 repository: https://charts.bitnami.com/bitnami \ No newline at end of file From 3c2e74bd70af819750203969c9937d1013f628a5 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 15 Feb 2022 10:08:13 +0000 Subject: [PATCH 107/334] chore(deps): update all non-major dependencies helm releases --- .tekton/tasks/external.yaml | 2 +- .tekton/tasks/lint.yaml | 2 +- bin/dendrite/Chart.yaml | 2 +- bootstrap/argocd/Chart.yaml | 2 +- external/versions.tf | 4 ++-- home/homeassistant/values.yaml | 6 +++--- home/influxdb/values.yaml | 4 ++-- home/pihole/Chart.yaml | 2 +- home/pihole/values.yaml | 2 +- home/postgresql/Chart.yaml | 2 +- home/postgresql/values.yaml | 2 +- platform/renovate/Chart.yaml | 2 +- system/cert-manager/Chart.yaml | 2 +- system/descheduler/Chart.yaml | 2 +- system/ingress-nginx/Chart.yaml | 2 +- system/loki/Chart.yaml | 2 +- 16 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.tekton/tasks/external.yaml b/.tekton/tasks/external.yaml index 104eddd88b..165c887323 100644 --- a/.tekton/tasks/external.yaml +++ b/.tekton/tasks/external.yaml @@ -6,7 +6,7 @@ spec: workspaces: - name: source stepTemplate: - image: hashicorp/terraform:1.1.4 + image: hashicorp/terraform:1.1.5 workingDir: /workspace/source/external volumeMounts: - name: terraform-secrets diff --git a/.tekton/tasks/lint.yaml b/.tekton/tasks/lint.yaml index d9a5ff54df..1a67f2881b 100644 --- a/.tekton/tasks/lint.yaml +++ b/.tekton/tasks/lint.yaml @@ -20,7 +20,7 @@ spec: args: - . - name: terraform - image: hashicorp/terraform:1.1.4 + image: hashicorp/terraform:1.1.5 command: - terraform args: diff --git a/bin/dendrite/Chart.yaml b/bin/dendrite/Chart.yaml index 451549069e..2635e311ca 100644 --- a/bin/dendrite/Chart.yaml +++ b/bin/dendrite/Chart.yaml 
@@ -3,5 +3,5 @@ name: dendrite version: 0.0.0 dependencies: - name: dendrite - version: 0.0.2 + version: 0.0.3 repository: https://locmai.github.io/charts # TODO switch to official chart diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml index 0003ae7129..b22c1ea8a1 100644 --- a/bootstrap/argocd/Chart.yaml +++ b/bootstrap/argocd/Chart.yaml @@ -3,7 +3,7 @@ name: argocd version: 0.0.0 dependencies: - name: argo-cd - version: 3.32.1 + version: 3.33.5 repository: https://argoproj.github.io/argo-helm - name: argocd-applicationset version: 1.9.1 diff --git a/external/versions.tf b/external/versions.tf index 2ab65ed12c..104eb7a343 100644 --- a/external/versions.tf +++ b/external/versions.tf @@ -8,7 +8,7 @@ terraform { required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 3.8.0" + version = "~> 3.9.0" } b2 = { @@ -18,7 +18,7 @@ terraform { kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.7.0" + version = "~> 2.8.0" } http = { diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 46c07cd087..bb0752a864 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -3,7 +3,7 @@ home-assistant: # -- image repository repository: homeassistant/home-assistant # -- image tag - tag: 2022.2.3 + tag: 2022.2.6 # -- image pull policy pullPolicy: IfNotPresent @@ -90,7 +90,7 @@ home-assistant: enabled: true image: repository: bitnami/postgresql - tag: 14.1.0 + tag: 14.2.0 postgresqlUsername: home-assistant postgresqlPassword: home-assistant-pass postgresqlDatabase: home-assistant @@ -138,7 +138,7 @@ home-assistant: enabled: true image: repository: codercom/code-server - tag: 3.9.0 + tag: 3.12.0 workingDir: "/config" args: - --auth diff --git a/home/influxdb/values.yaml b/home/influxdb/values.yaml index c1b3bd0e22..d9c18bdaf9 100644 --- a/home/influxdb/values.yaml +++ b/home/influxdb/values.yaml 
@@ -1263,7 +1263,7 @@ influxdb: image: registry: docker.io repository: bitnami/google-cloud-sdk - tag: 0.369.0-debian-10-r0 + tag: 0.372.0-debian-10-r0 ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## @@ -1337,7 +1337,7 @@ influxdb: image: registry: docker.io repository: bitnami/aws-cli - tag: 2.4.7-debian-10-r4 + tag: 2.4.16-debian-10-r4 ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## diff --git a/home/pihole/Chart.yaml b/home/pihole/Chart.yaml index c09591da6a..10635a0e46 100644 --- a/home/pihole/Chart.yaml +++ b/home/pihole/Chart.yaml @@ -3,5 +3,5 @@ name: pihole version: 0.0.0 dependencies: - name: pihole - version: 2.5.3 + version: 2.5.6 repository: https://mojo2600.github.io/pihole-kubernetes/ \ No newline at end of file diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index 175d7235b1..16e1e51916 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml @@ -384,7 +384,7 @@ pihole: port: 9617 image: repository: ekofr/pihole-exporter - tag: 0.0.10 + tag: v0.2.0 pullPolicy: IfNotPresent resources: limits: diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml index 19f6ce564c..fb0d192863 100644 --- a/home/postgresql/Chart.yaml +++ b/home/postgresql/Chart.yaml @@ -3,5 +3,5 @@ name: postgresql version: 0.0.0 dependencies: - name: postgresql - version: 11.0.3 + version: 11.0.4 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/postgresql/values.yaml b/home/postgresql/values.yaml index 7ed3908938..c7cbe23694 100644 --- a/home/postgresql/values.yaml +++ b/home/postgresql/values.yaml 
@@ -1326,6 +1326,6 @@ postgresql: postgresql: image: repository: bitnami/postgresql - tag: 14.1.0 + tag: 14.2.0 auth: existingSecret: \ No newline at end of file diff --git a/platform/renovate/Chart.yaml b/platform/renovate/Chart.yaml index a45be2bdb9..da872b947f 100644 --- a/platform/renovate/Chart.yaml +++ b/platform/renovate/Chart.yaml @@ -3,5 +3,5 @@ name: renovate version: 0.0.0 dependencies: - name: renovate - version: 31.63.2 + version: 31.81.7 repository: https://docs.renovatebot.com/helm-charts diff --git a/system/cert-manager/Chart.yaml b/system/cert-manager/Chart.yaml index 45e4353e6b..373bf29d14 100644 --- a/system/cert-manager/Chart.yaml +++ b/system/cert-manager/Chart.yaml @@ -3,5 +3,5 @@ name: cert-manager version: 0.0.0 dependencies: - name: cert-manager - version: v1.7.0 + version: v1.7.1 repository: https://charts.jetstack.io diff --git a/system/descheduler/Chart.yaml b/system/descheduler/Chart.yaml index 0538e7ae95..141e287734 100644 --- a/system/descheduler/Chart.yaml +++ b/system/descheduler/Chart.yaml @@ -3,5 +3,5 @@ name: descheduler version: 0.0.0 dependencies: - name: descheduler - version: 0.22.1 + version: 0.23.1 repository: https://kubernetes-sigs.github.io/descheduler/ diff --git a/system/ingress-nginx/Chart.yaml b/system/ingress-nginx/Chart.yaml index 9c9553d8b9..4c25a755b6 100644 --- a/system/ingress-nginx/Chart.yaml +++ b/system/ingress-nginx/Chart.yaml @@ -3,5 +3,5 @@ name: ingress-nginx version: 0.0.0 dependencies: - name: ingress-nginx - version: 4.0.16 + version: 4.0.17 repository: https://kubernetes.github.io/ingress-nginx diff --git a/system/loki/Chart.yaml b/system/loki/Chart.yaml index 5ac17e3d54..e532189833 100644 --- a/system/loki/Chart.yaml +++ b/system/loki/Chart.yaml @@ -3,5 +3,5 @@ name: loki version: 0.0.0 dependencies: - name: loki-stack - version: 2.5.1 + version: 2.6.1 repository: https://grafana.github.io/helm-charts From e25c6ae4d80dc290b66fe2a1a18b5fce18fa29a9 Mon Sep 17 00:00:00 2001 
From: Renovate Bot Date: Tue, 15 Feb 2022 10:08:19 +0000 Subject: [PATCH 108/334] chore(deps): update dependency alpine to v20210804 --- metal/roles/pxe_server/files/dhcp/Dockerfile | 2 +- metal/roles/pxe_server/files/tftp/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/metal/roles/pxe_server/files/dhcp/Dockerfile b/metal/roles/pxe_server/files/dhcp/Dockerfile index 0870e4a642..ef7d1b4223 100644 --- a/metal/roles/pxe_server/files/dhcp/Dockerfile +++ b/metal/roles/pxe_server/files/dhcp/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3 +FROM alpine:20210804 RUN apk add dhcp diff --git a/metal/roles/pxe_server/files/tftp/Dockerfile b/metal/roles/pxe_server/files/tftp/Dockerfile index 5d632ac4cf..b218ce3882 100644 --- a/metal/roles/pxe_server/files/tftp/Dockerfile +++ b/metal/roles/pxe_server/files/tftp/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3 +FROM alpine:20210804 RUN apk add tftp-hpa From c1ccd2d3412526226dda5d550579dab4a1d1ef77 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 15 Feb 2022 11:28:11 +0100 Subject: [PATCH 109/334] docs: updated README.md --- README.md | 244 +----------------------------------------------------- 1 file changed, 1 insertion(+), 243 deletions(-) diff --git a/README.md b/README.md index b75546a590..9f0336b998 100644 --- a/README.md +++ b/README.md 
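Review bot: `FROM alpine:20210804` in the dhcp Dockerfile hunk (and identically in the tftp Dockerfile hunk that follows) replaces the maintained `alpine:3` release line with a date-stamped tag; on Docker Hub those `YYYYMMDD` tags are edge snapshots that are never rebuilt, so the PXE images stop receiving `apk` security updates for dhcp and tftp-hpa, and this snapshot is older than the 3.15 release that was current at the commit date. Renovate appears to have compared the date against `3` as a plain version number and "upgraded" to it. Revert to `FROM alpine:3` or pin a release such as `FROM alpine:3.15`, and add a Renovate `allowedVersions` rule for the `alpine` package so date-stamped tags are excluded from future bumps.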
@@ -1,243 +1 @@ -# Khue's Homelab - - - -[![chat](https://img.shields.io/matrix/homelab:matrix.khuedoan.com?style=flat-square&logo=matrix&logoColor=white&label=chat)](https://matrix.to/#/#homelab:matrix.khuedoan.com) -[![tag](https://img.shields.io/github/v/tag/khuedoan/homelab?style=flat-square&logo=semver&logoColor=white)](https://github.com/khuedoan/homelab/tags) -[![document](https://img.shields.io/website?label=document&logo=gitbook&logoColor=white&style=flat-square&url=https%3A%2F%2Fhomelab.khuedoan.com)](https://homelab.khuedoan.com) -[![license](https://img.shields.io/github/license/khuedoan/homelab?style=flat-square&logo=gnu&logoColor=white)](https://www.gnu.org/licenses/gpl-3.0.html) -[![stars](https://img.shields.io/github/stars/khuedoan/homelab?logo=github&logoColor=white&color=gold&style=flat-square)](https://github.com/khuedoan/homelab) - -Current status: **ALPHA** - -This project utilizes [Infrastructure as Code](https://en.wikipedia.org/wiki/Infrastructure_as_code) to automate provisioning, operating, and updating self-hosted services in my homelab. -It can be used as a highly customizable framework to build your own homelab. - - - - - - - - -## Overview - -This section provides a high level overview of the project. -For further information, please see the [documentation](https://homelab.khuedoan.com). - -### Hardware - -![Hardware](https://user-images.githubusercontent.com/27996771/98970963-25137200-2543-11eb-8f2d-f9a2d45756ef.JPG) - -- 4 × NEC SFF `PC-MK26ECZDR` (Japanese version of the ThinkCentre M700): - - CPU: `Intel Core i5-6600T @ 2.70GHz` - - RAM: `16GB` - - SSD: `128GB` -- TP-Link `TL-SG108` switch: - - Ports: `8` - - Speed: `1000Mbps` - -### Features - -Project status: **Alpha** (see [roadmap](#roadmap) below) - -- [x] Common applications: Gitea, Seafile, Jellyfin, Paperless... 
-- [x] Automated bare metal provisioning with PXE boot -- [x] Automated Kubernetes installation and management -- [x] Installing and managing applications using GitOps -- [x] Modular architecture, easy to add or remove features/components -- [x] Automated certificate management -- [x] Automatically update DNS records for exposed services -- [x] Expose services to the internet securely with [Cloudflare Tunnel](https://www.cloudflare.com/products/tunnel/) -- [x] CI/CD platform -- [x] Private container registry -- [x] Distributed storage -- [ ] Monitoring and alerting 🚧 -- [ ] Support multiple environments (dev, stag, prod) 🚧 -- [ ] Automated offsite backups 🚧 -- [ ] Single sign-on 🚧 - -Screenshots of some user-facing applications are shown here, I will update them before each release. -They can't capture all of the project's features, but they are sufficient to get a concept of it. - -| ![](https://user-images.githubusercontent.com/27996771/149445807-0f869eb7-d8f5-4fef-ab97-ac281df91a06.png) | -| :--: | -| Homepage with Ingress discovery powered by [Hajimari](https://github.com/toboshii/hajimari) | - -| ![](https://user-images.githubusercontent.com/27996771/149444871-38889c9d-862f-41ff-8c05-8ece21da3e9c.png) | -| :--: | -| Git server powered by [Gitea](https://gitea.io/en-us/) | - -| ![](https://user-images.githubusercontent.com/27996771/149445374-58fd0605-bb9a-46e4-81d6-5e584d2b94a9.png) | -| :--: | -| Continuous integration with [Tekton](https://tekton.dev/) | - -| ![](https://user-images.githubusercontent.com/27996771/149444716-fc0d7282-4cf7-4ddb-97a4-1a3fb47ff2b8.png) | -| :--: | -| Continuous deployment with [ArgoCD](https://argoproj.github.io/cd/) | - -| ![](https://user-images.githubusercontent.com/27996771/149446631-1c5d056b-1fdc-48e6-96ba-e1abe1762be0.png) | -| :--: | -| Monitoring dashboard powered by [Grafana](https://grafana.com/) | - -| ![](https://user-images.githubusercontent.com/27996771/149448510-7163310c-2049-4ccd-901d-f11f605bfc32.png) | -| :--: | 
-| [Matrix](https://matrix.org/) chat server powered by [Element](https://matrix.org/docs/projects/client/element) and [Dendrite](https://matrix.org/docs/projects/server/dendrite) | - -| ![](https://user-images.githubusercontent.com/27996771/149448896-9d79947d-468c-45c6-a81d-b43654e8ab6b.png) | -| :--: | -| Cluster management using [Lens](https://k8slens.dev/) (or you can just use `kubectl`) | - -| ![](https://user-images.githubusercontent.com/27996771/149452309-de4a893b-e94c-4ba8-9119-ea87449cf77e.png) | -| :--: | -| Secret management with [Vault](https://www.vaultproject.io/) | - -### Tech stack - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LogoNameDescription
AnsibleAutomate bare metal provisioning and configuration
ArgoCDGitOps tool built to deploy applications to Kubernetes
cert-managerCloud native certificate management
CloudflareDNS and Tunnel
DockerEphermeral PXE server and convenient tools container
GiteaSelf-hosted Git service
GrafanaOperational dashboards
HelmThe package manager for Kubernetes
K3sLightweight distribution of Kubernetes
KubernetesContainer-orchestration system, the backbone of this project
LokiLog aggregation system
LonghornCloud native distributed block storage for Kubernetes
MetalLBBare metal load-balancer for Kubernetes
NGINXKubernetes Ingress Controller
PrometheusSystems monitoring and alerting toolkit
Rocky LinuxBase OS for Kubernetes nodes
TektonCloud native solution for building CI/CD systems
TrowPrivate container registry
VaultSecrets and encryption management system
- -## Get Started - -- [Try it out on a VM](https://homelab.khuedoan.com/try_on_a_vm.html) without any hardware -- [Deploy on real hardware](https://homelab.khuedoan.com/deployment) for real workload - -## Roadmap - -See [roadmap](https://homelab.khuedoan.com/roadmap.html) and [open issues](https://github.com/khuedoan/homelab/issues) for a list of proposed features and known issues. - -## Contributing - -Any contributions you make, either big or small, are greatly appreciated. - -## License - -> Copyright (c) 2020, 2021, 2022 Khue Doan - -
- -Distributed under the GPLv3 License. - -This project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. - -This project is distributed in the hope that it will be useful, but **WITHOUT ANY WARRANTY**; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. -See the GNU General Public License for more details. - -You should have received a copy of the GNU General Public License along with this project (`LICENSE.md`). -If not, see . - -
- -## Acknowledgements - -- [ArgoCD usage in my coworker's homelab](https://github.com/locmai/humble) -- [README template](https://github.com/othneildrew/Best-README-Template) -- [Run the same Cloudflare Tunnel across many `cloudflared` processes](https://developers.cloudflare.com/cloudflare-one/tutorials/many-cfd-one-tunnel) -- [MAC address environment variable in GRUB config](https://askubuntu.com/questions/1272400/how-do-i-automate-network-installation-of-many-ubuntu-18-04-systems-with-efi-and) -- [Official k3s systemd service file](https://github.com/k3s-io/k3s/blob/master/k3s.service) -- [Official Cloudflare Tunnel examples](https://github.com/cloudflare/argo-tunnel-examples) -- [Initialize GitOps repository on Gitea and integrate with Tekton by RedHat](https://github.com/redhat-scholars/tekton-tutorial/tree/master/triggers) - -## Stargazers over time - -[![Stargazers over time](https://starchart.cc/khuedoan/homelab.svg)](https://starchart.cc/khuedoan/homelab) +# Jupiter Mein Homelab From db3be3e2173c59b5227167ad125680bcf697c34e Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 15 Feb 2022 12:58:37 +0100 Subject: [PATCH 110/334] feat: laravel sample app --- apps/sample-laravel/Chart.yaml | 0 apps/sample-laravel/base/ingress.yaml | 19 +++++++++++++++++++ apps/sample-laravel/base/kustomization.yaml | 4 ++++ apps/sample-laravel/base/svc.yaml | 11 +++++++++++ apps/sample-laravel/values.yaml | 0 5 files changed, 34 insertions(+) create mode 100644 apps/sample-laravel/Chart.yaml create mode 100644 apps/sample-laravel/base/ingress.yaml create mode 100644 apps/sample-laravel/base/kustomization.yaml create mode 100644 apps/sample-laravel/base/svc.yaml create mode 100644 apps/sample-laravel/values.yaml diff --git a/apps/sample-laravel/Chart.yaml b/apps/sample-laravel/Chart.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/apps/sample-laravel/base/ingress.yaml b/apps/sample-laravel/base/ingress.yaml new file mode 100644 index 0000000000..38df3fe0dd 
--- /dev/null
+++ b/apps/sample-laravel/base/ingress.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: laravel-sample
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /$2
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: sample.europa.jupiter.mein.nl
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: sample-laravel-svc
+ port:
+ number: 8080
\ No newline at end of file
diff --git a/apps/sample-laravel/base/kustomization.yaml b/apps/sample-laravel/base/kustomization.yaml
new file mode 100644
index 0000000000..726e0c7e87
--- /dev/null
+++ b/apps/sample-laravel/base/kustomization.yaml
@@ -0,0 +1,4 @@
+resources:
+ - deployment.yaml
+ - svc.yaml
+ - ingress.yaml
\ No newline at end of file
diff --git a/apps/sample-laravel/base/svc.yaml b/apps/sample-laravel/base/svc.yaml
new file mode 100644
index 0000000000..f339f94020
--- /dev/null
+++ b/apps/sample-laravel/base/svc.yaml
@@ -0,0 +1,11 @@
+
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: sample-laravel-svc
+spec:
+ selector:
+ app: sample-laravel-app
+ ports:
+ - port: 8080
\ No newline at end of file
diff --git a/apps/sample-laravel/values.yaml b/apps/sample-laravel/values.yaml
new file mode 100644
index 0000000000..e69de29bb2
From b8a44e5a51da89db7846da5a19b301b75b97e6b2 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Tue, 15 Feb 2022 13:05:30 +0100
Subject: [PATCH 111/334] config: added deployment
---
 apps/sample-laravel/Chart.yaml | 0
 apps/sample-laravel/base/deployment.yaml | 20 ++++++++++++++++++++
 apps/sample-laravel/values.yaml | 0
 3 files changed, 20 insertions(+)
delete mode 100644 apps/sample-laravel/Chart.yaml
create mode 100644 apps/sample-laravel/base/deployment.yaml
delete mode 100644 apps/sample-laravel/values.yaml
diff --git a/apps/sample-laravel/Chart.yaml b/apps/sample-laravel/Chart.yaml
deleted file mode 100644
index e69de29bb2..0000000000
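Review bot: The `nginx.ingress.kubernetes.io/rewrite-target: /$2` annotation in the ingress.yaml hunk refers to a second capture group that the path `/` never defines, so `$2` expands to nothing and every request reaches the backend as `/`; either drop the annotation, since the backend is mounted at the root anyway, or use the pattern the annotation is designed for, `path: /<prefix>(/|$)(.*)` together with `nginx.ingress.kubernetes.io/use-regex: "true"` (with `<prefix>` as a placeholder for the real sub-path). The ingress also has no `tls:` block and no `cert-manager.io/cluster-issuer` annotation, unlike the longhorn and samba ingresses later in this series, so `sample.europa.jupiter.mein.nl` is served over plain HTTP; adding the same issuer annotation and a `tls:` entry with a `secretName` would bring it in line.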
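Review bot: The kustomization.yaml hunk lists `deployment.yaml` as a resource, but this commit's diffstat creates only `Chart.yaml`, `base/ingress.yaml`, `base/kustomization.yaml`, `base/svc.yaml` and `values.yaml`, so a `kustomize build` of this tree fails at this commit and only works once the following commit adds the file. Either add the Deployment in the same commit or leave the entry out until it exists, so every commit on the branch stays deployable.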
diff --git a/apps/sample-laravel/base/deployment.yaml b/apps/sample-laravel/base/deployment.yaml
new file mode 100644
index 0000000000..3d7eb5e91a
--- /dev/null
+++ b/apps/sample-laravel/base/deployment.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: sample-laravel-app
+ name: sample-laravel-app
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: sample-laravel-app
+ template:
+ metadata:
+ labels:
+ app: sample-laravel-app
+ spec:
+ containers:
+ - name: sample-laravel-app
+ image: docker pull hashicorp/http-echo:latest
+ imagePullPolicy: Always
\ No newline at end of file
diff --git a/apps/sample-laravel/values.yaml b/apps/sample-laravel/values.yaml
deleted file mode 100644
index e69de29bb2..0000000000
From 2dcb50f55d76dd1d9c1cbbef92d969a3bf3d1ab5 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Tue, 15 Feb 2022 15:40:41 +0100
Subject: [PATCH 112/334] config: removed stages for now
---
 apps/sample-laravel/{base => }/deployment.yaml | 0
 apps/sample-laravel/{base => }/ingress.yaml | 0
 apps/sample-laravel/{base => }/kustomization.yaml | 0
 apps/sample-laravel/{base => }/svc.yaml | 0
 4 files changed, 0 insertions(+), 0 deletions(-)
rename apps/sample-laravel/{base => }/deployment.yaml (100%)
rename apps/sample-laravel/{base => }/ingress.yaml (100%)
rename apps/sample-laravel/{base => }/kustomization.yaml (100%)
rename apps/sample-laravel/{base => }/svc.yaml (100%)
diff --git a/apps/sample-laravel/base/deployment.yaml b/apps/sample-laravel/deployment.yaml
similarity index 100%
rename from apps/sample-laravel/base/deployment.yaml
rename to apps/sample-laravel/deployment.yaml
diff --git a/apps/sample-laravel/base/ingress.yaml b/apps/sample-laravel/ingress.yaml
similarity index 100%
rename from apps/sample-laravel/base/ingress.yaml
rename to apps/sample-laravel/ingress.yaml
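Review bot: `image: docker pull hashicorp/http-echo:latest` is not a valid image reference (the `docker pull` prefix is a shell command), so the pods cannot start; the two later one-line hunks in this series (PATCH 113 and 114) fix the reference but keep a mutable `latest` tag with `imagePullPolicy: Always`, which makes every restart pull whatever the registry currently serves and departs from the immutable-tag convention the rest of the repo follows. The container also declares no `ports:` entry, while svc.yaml targets port 8080 with no `targetPort`; http-echo listens on 5678 by default and echo-server appears not to use 8080 either, so the Service would have no working endpoint — confirm the image's listen port and set `containerPort` (and the Service's `targetPort`) to match. A `resources:` block and a `securityContext` are missing too for a workload that is published on a public hostname; the rewritten container entry below shows the shape, with sample values marked as constructed.
```yaml
      containers:
        - name: sample-laravel-app
          image: hashicorp/http-echo:<pinned-tag>   # placeholder: pin an immutable tag
          imagePullPolicy: IfNotPresent
          args: ["-text=hello"]                    # constructed sample; http-echo exits without -text
          ports:
            - containerPort: 5678                  # http-echo default; adjust if the image changes
          resources:
            limits: {cpu: 100m, memory: 64Mi}      # constructed sample values
          securityContext:
            allowPrivilegeEscalation: false
```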
diff --git a/apps/sample-laravel/base/kustomization.yaml b/apps/sample-laravel/kustomization.yaml similarity index 100% rename from apps/sample-laravel/base/kustomization.yaml rename to apps/sample-laravel/kustomization.yaml diff --git a/apps/sample-laravel/base/svc.yaml b/apps/sample-laravel/svc.yaml similarity index 100% rename from apps/sample-laravel/base/svc.yaml rename to apps/sample-laravel/svc.yaml From 81c748e205c521e546bffd5a696161ef2020e33c Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 15 Feb 2022 16:39:02 +0100 Subject: [PATCH 113/334] config: beter image --- apps/sample-laravel/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/sample-laravel/deployment.yaml b/apps/sample-laravel/deployment.yaml index 3d7eb5e91a..a31d872bef 100644 --- a/apps/sample-laravel/deployment.yaml +++ b/apps/sample-laravel/deployment.yaml @@ -16,5 +16,5 @@ spec: spec: containers: - name: sample-laravel-app - image: docker pull hashicorp/http-echo:latest + image: hashicorp/http-echo:latest imagePullPolicy: Always \ No newline at end of file From 82827488e402028e38faa2e10e838c8f8a568562 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 15 Feb 2022 19:26:46 +0100 Subject: [PATCH 114/334] config: no text miage --- apps/sample-laravel/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/sample-laravel/deployment.yaml b/apps/sample-laravel/deployment.yaml index a31d872bef..dafc82d139 100644 --- a/apps/sample-laravel/deployment.yaml +++ b/apps/sample-laravel/deployment.yaml @@ -16,5 +16,5 @@ spec: spec: containers: - name: sample-laravel-app - image: hashicorp/http-echo:latest + image: ealen/echo-server:latest imagePullPolicy: Always \ No newline at end of file From e57890884b47162629d06f47dd10b90501d21485 Mon Sep 17 00:00:00 2001 
From: Peter Mein
Date: Tue, 15 Feb 2022 20:23:53 +0100
Subject: [PATCH 115/334] config: fix longhorn
---
 system/longhorn-system/values.yaml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/system/longhorn-system/values.yaml b/system/longhorn-system/values.yaml
index 610ad10559..54978d1d46 100644
--- a/system/longhorn-system/values.yaml
+++ b/system/longhorn-system/values.yaml
@@ -13,9 +13,6 @@ ingress:
 ingressClassName: nginx
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
- hosts:
- - &host longhorn.jupiter.mein.nl
- tls:
- - secretName: longhorn-general-tls
- hosts:
- - *host
\ No newline at end of file
+ host: longhorn.jupiter.mein.nl
+ tls: true
+ tlsSecret: longhorn-tls-certificate
\ No newline at end of file
From 0788507502ce0a97e5f55fb75dbd2a56833ff387 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Tue, 15 Feb 2022 20:25:42 +0100
Subject: [PATCH 116/334] config: indent
---
 system/longhorn-system/values.yaml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/system/longhorn-system/values.yaml b/system/longhorn-system/values.yaml
index 54978d1d46..cb344891a7 100644
--- a/system/longhorn-system/values.yaml
+++ b/system/longhorn-system/values.yaml
@@ -8,11 +8,11 @@ longhorn:
 guaranteedReplicaManagerCPU: 15
 replicaSoftAntiAffinity: true
 
-ingress:
- enabled: true
- ingressClassName: nginx
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-prod
- host: longhorn.jupiter.mein.nl
- tls: true
- tlsSecret: longhorn-tls-certificate
\ No newline at end of file
+ ingress:
+ enabled: true
+ ingressClassName: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ host: longhorn.jupiter.mein.nl
+ tls: true
+ tlsSecret: longhorn-tls-certificate
\ No newline at end of file
From 49c86ddbe59445056b7a8ba3b54194a7f46ad24c Mon Sep 17 00:00:00 2001
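Review bot: The rewritten `ingress:` block in the PATCH 115 hunk publishes the Longhorn UI on `longhorn.jupiter.mein.nl` with TLS but nothing else; the Longhorn UI and its API have no authentication of their own, and anyone who can reach that host can delete volumes, snapshots and backups, so the ingress needs an auth layer in front of it — the Longhorn documentation's own ingress example uses `nginx.ingress.kubernetes.io/auth-type: basic` with matching `auth-secret` and `auth-realm` annotations, or the host can be gated behind the SSO or tunnel components elsewhere in this repo. If access is already restricted that way, a comment on the `host:` line saying where would save the next reader the check. The PATCH 116 hunk only re-indents the same block under `longhorn:`, so the point applies there unchanged.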
From: Peter Mein
Date: Tue, 15 Feb 2022 21:03:45 +0100
Subject: [PATCH 117/334] feat: samba
---
 system/samba/Chart.yaml | 7 +++
 system/samba/values.yaml | 98 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 105 insertions(+)
create mode 100644 system/samba/Chart.yaml
create mode 100644 system/samba/values.yaml
diff --git a/system/samba/Chart.yaml b/system/samba/Chart.yaml
new file mode 100644
index 0000000000..469b237e9a
--- /dev/null
+++ b/system/samba/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: paperless
+version: 0.0.0
+dependencies:
+ - name: paperless
+ version: 8.3.0
+ repository: https://k8s-at-home.com/charts/
diff --git a/system/samba/values.yaml b/system/samba/values.yaml
new file mode 100644
index 0000000000..512655d68f
--- /dev/null
+++ b/system/samba/values.yaml
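Review bot: The new Chart.yaml names the chart `paperless` and declares a `paperless` 8.3.0 dependency, while this commit's values.yaml configures the `ghcr.io/crazy-max/samba` image, so `helm dependency build` would fetch the wrong chart and render it with Samba values. The PATCH 118 hunk at the end of this page corrects the name and dependency, but its `version: 4.15.5` equals the Samba image tag rather than an obvious chart version — confirm that version exists in the k8s-at-home repository index before relying on it.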
@@ -0,0 +1,98 @@ +# +# IMPORTANT NOTE +# +# This chart inherits from our common library chart. You can check the default values/options here: +# https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml +# + +image: + # -- image repository + repository: ghcr.io/crazy-max/samba + # -- image tag + tag: 4.15.5 + # -- image pull policy + pullPolicy: Always + +# -- environment variables. See [image docs](https://github.com/crazy-max/docker-samba#environment-variables) for more details. +# @default -- See below +env: + # -- Set the container timezone + TZ: Europe/Amsterdam + # SAMBA_WORKGROUP: NT-Domain-Name or Workgroup-Name. (default WORKGROUP) + # SAMBA_SERVER_STRING: Server string is the equivalent of the NT Description field. (default Docker Samba Server) + # SAMBA_LOG_LEVEL: Log level. (default 0) + # SAMBA_FOLLOW_SYMLINKS: Allow to follow symlinks. (default yes) + # SAMBA_WIDE_LINKS: Controls whether or not links in the UNIX file system may be followed by the server. (default yes) + # SAMBA_HOSTS_ALLOW: Set of hosts which are permitted to access a service. (default 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) + # SAMBA_INTERFACES: Allows you to override the default network interfaces list. + +# -- Configures service settings for the chart. +# @default -- See values.yaml +service: + main: + ports: + tcp: + enabled: true + protocol: TCP + port: 445 + netbios: + enabled: true + protocol: TCP + port: 139 + +ingress: + # -- Enable and configure ingress settings for the chart under this key. + # @default -- See values.yaml + main: + main: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: &host samba.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: samba-tls-certificate + hosts: + - *host + +# -- Configure persistence settings for the chart under this key. 
+# @default -- See values.yaml +persistence: + hostpath: + enabled: true + type: hostPath + hostPath: /pool0/home/renee + +configmap: + config: + # -- Store samba configuration as a ConfigMap + enabled: true + # -- Samba configuration. See [image documentation](https://github.com/crazy-max/docker-samba#configuration) for more information. + # @default -- See values.yaml + data: + config.yml: | + auth: + - user: renee + group: renee + uid: 1004 + gid: 1004 + password: mette01 + + + global: + - "force user = renee" + - "force group = renee" + + share: + - name: renee + path: /pool0/home/renee + browsable: yes + readonly: no + guestok: no + validusers: renee + writelist: renee + veto: no \ No newline at end of file From a3c0bae773cb5ffc225874b61bb0005ecc9c33c8 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 15 Feb 2022 21:05:58 +0100 Subject: [PATCH 118/334] config: values --- system/samba/Chart.yaml | 6 +- system/samba/values.yaml | 175 ++++++++++++++++++++------------------- 2 files changed, 91 insertions(+), 90 deletions(-) diff --git a/system/samba/Chart.yaml b/system/samba/Chart.yaml index 469b237e9a..b88ea62fa3 100644 --- a/system/samba/Chart.yaml +++ b/system/samba/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 -name: paperless +name: samba version: 0.0.0 dependencies: - - name: paperless - version: 8.3.0 + - name: samba + version: 4.15.5 repository: https://k8s-at-home.com/charts/ diff --git a/system/samba/values.yaml b/system/samba/values.yaml index 512655d68f..fbadcd2ea1 100644 --- a/system/samba/values.yaml +++ b/system/samba/values.yaml 
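Review bot: `password: mette01` is a cleartext credential inside `config.yml`, and because `configmap.config.enabled: true` renders that file into a ConfigMap it ends up both in git history and in an object readable by anything with ConfigMap read access in the namespace. Treat that password as burned and rotate it, then move `config.yml` out of the values file into a Secret (sealed or pulled from an external store) and mount that instead; the common library chart this file inherits from (see the IMPORTANT NOTE header) supports secret-backed volumes under `persistence`, so the chart-side change should be small. The header comments also record `SAMBA_FOLLOW_SYMLINKS` and `SAMBA_WIDE_LINKS` defaulting to `yes`; with the share rooted at the `/pool0/home/renee` hostPath, a symlink created inside the share can resolve anywhere in the container filesystem, so I would set `SAMBA_WIDE_LINKS: "no"` explicitly unless that behaviour is intended. Adding `# credentials must not live here; see Secret <name>` above the `auth:` list would stop the pattern from being copied into the next share.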
@@ -1,98 +1,99 @@ -# -# IMPORTANT NOTE -# -# This chart inherits from our common library chart. You can check the default values/options here: -# https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml -# +samba: + # + # IMPORTANT NOTE + # + # This chart inherits from our common library chart. You can check the default values/options here: + # https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml + # -image: - # -- image repository - repository: ghcr.io/crazy-max/samba - # -- image tag - tag: 4.15.5 - # -- image pull policy - pullPolicy: Always + image: + # -- image repository + repository: ghcr.io/crazy-max/samba + # -- image tag + tag: 4.15.5 + # -- image pull policy + pullPolicy: Always -# -- environment variables. See [image docs](https://github.com/crazy-max/docker-samba#environment-variables) for more details. -# @default -- See below -env: - # -- Set the container timezone - TZ: Europe/Amsterdam - # SAMBA_WORKGROUP: NT-Domain-Name or Workgroup-Name. (default WORKGROUP) - # SAMBA_SERVER_STRING: Server string is the equivalent of the NT Description field. (default Docker Samba Server) - # SAMBA_LOG_LEVEL: Log level. (default 0) - # SAMBA_FOLLOW_SYMLINKS: Allow to follow symlinks. (default yes) - # SAMBA_WIDE_LINKS: Controls whether or not links in the UNIX file system may be followed by the server. (default yes) - # SAMBA_HOSTS_ALLOW: Set of hosts which are permitted to access a service. (default 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) - # SAMBA_INTERFACES: Allows you to override the default network interfaces list. + # -- environment variables. See [image docs](https://github.com/crazy-max/docker-samba#environment-variables) for more details. + # @default -- See below + env: + # -- Set the container timezone + TZ: Europe/Amsterdam + # SAMBA_WORKGROUP: NT-Domain-Name or Workgroup-Name. 
(default WORKGROUP) + # SAMBA_SERVER_STRING: Server string is the equivalent of the NT Description field. (default Docker Samba Server) + # SAMBA_LOG_LEVEL: Log level. (default 0) + # SAMBA_FOLLOW_SYMLINKS: Allow to follow symlinks. (default yes) + # SAMBA_WIDE_LINKS: Controls whether or not links in the UNIX file system may be followed by the server. (default yes) + # SAMBA_HOSTS_ALLOW: Set of hosts which are permitted to access a service. (default 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) + # SAMBA_INTERFACES: Allows you to override the default network interfaces list. -# -- Configures service settings for the chart. -# @default -- See values.yaml -service: - main: - ports: - tcp: - enabled: true - protocol: TCP - port: 445 - netbios: + # -- Configures service settings for the chart. + # @default -- See values.yaml + service: + main: + ports: + tcp: + enabled: true + protocol: TCP + port: 445 + netbios: + enabled: true + protocol: TCP + port: 139 + + ingress: + # -- Enable and configure ingress settings for the chart under this key. + # @default -- See values.yaml + main: + main: enabled: true - protocol: TCP - port: 139 + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: &host samba.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: samba-tls-certificate + hosts: + - *host -ingress: - # -- Enable and configure ingress settings for the chart under this key. + # -- Configure persistence settings for the chart under this key. # @default -- See values.yaml - main: - main: + persistence: + hostpath: enabled: true - ingressClassName: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - hosts: - - host: &host samba.jupiter.mein.nl - paths: - - path: / - pathType: Prefix - tls: - - secretName: samba-tls-certificate - hosts: - - *host - -# -- Configure persistence settings for the chart under this key. 
-# @default -- See values.yaml -persistence: - hostpath: - enabled: true - type: hostPath - hostPath: /pool0/home/renee + type: hostPath + hostPath: /pool0/home/renee -configmap: - config: - # -- Store samba configuration as a ConfigMap - enabled: true - # -- Samba configuration. See [image documentation](https://github.com/crazy-max/docker-samba#configuration) for more information. - # @default -- See values.yaml - data: - config.yml: | - auth: - - user: renee - group: renee - uid: 1004 - gid: 1004 - password: mette01 + configmap: + config: + # -- Store samba configuration as a ConfigMap + enabled: true + # -- Samba configuration. See [image documentation](https://github.com/crazy-max/docker-samba#configuration) for more information. + # @default -- See values.yaml + data: + config.yml: | + auth: + - user: renee + group: renee + uid: 1004 + gid: 1004 + password: mette01 - global: - - "force user = renee" - - "force group = renee" + global: + - "force user = renee" + - "force group = renee" - share: - - name: renee - path: /pool0/home/renee - browsable: yes - readonly: no - guestok: no - validusers: renee - writelist: renee - veto: no \ No newline at end of file + share: + - name: renee + path: /pool0/home/renee + browsable: yes + readonly: no + guestok: no + validusers: renee + writelist: renee + veto: no \ No newline at end of file From 260b0c6a0c2c3682bbb72e92f02c9494dbbae003 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 15 Feb 2022 21:08:45 +0100 Subject: [PATCH 119/334] config: chart version --- system/samba/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/samba/Chart.yaml b/system/samba/Chart.yaml index b88ea62fa3..4e6fed73c8 100644 --- a/system/samba/Chart.yaml +++ b/system/samba/Chart.yaml @@ -3,5 +3,5 @@ name: samba version: 0.0.0 dependencies: - name: samba - version: 4.15.5 + version: 6.0.0 repository: https://k8s-at-home.com/charts/ From a4f968b2c8103b1782890958d0ccbce36e25095d Mon Sep 17 00:00:00 2001 
From: Peter Mein Date: Tue, 15 Feb 2022 21:11:40 +0100 Subject: [PATCH 120/334] config: ingress samba --- system/samba/values.yaml | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/system/samba/values.yaml b/system/samba/values.yaml index fbadcd2ea1..9b5345d99b 100644 --- a/system/samba/values.yaml +++ b/system/samba/values.yaml @@ -45,20 +45,19 @@ samba: # -- Enable and configure ingress settings for the chart under this key. # @default -- See values.yaml main: - main: - enabled: true - ingressClassName: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - hosts: - - host: &host samba.jupiter.mein.nl - paths: - - path: / - pathType: Prefix - tls: - - secretName: samba-tls-certificate - hosts: - - *host + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: &host samba.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: samba-tls-certificate + hosts: + - *host # -- Configure persistence settings for the chart under this key. # @default -- See values.yaml From a7f16c71d79adcb93c604d9f6a549b2130c654db Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 15 Feb 2022 21:25:45 +0100 Subject: [PATCH 121/334] config: host list --- system/samba/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/samba/values.yaml b/system/samba/values.yaml index 9b5345d99b..4eb58b9c4d 100644 --- a/system/samba/values.yaml +++ b/system/samba/values.yaml 
@@ -24,7 +24,7 @@ samba: # SAMBA_LOG_LEVEL: Log level. (default 0) # SAMBA_FOLLOW_SYMLINKS: Allow to follow symlinks. (default yes) # SAMBA_WIDE_LINKS: Controls whether or not links in the UNIX file system may be followed by the server. (default yes) - # SAMBA_HOSTS_ALLOW: Set of hosts which are permitted to access a service. (default 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) + SAMBA_HOSTS_ALLOW: 213.34.1.38/32 37.97.253.87/32 192.168.1.0/24 10.42.0.0/16 # SAMBA_INTERFACES: Allows you to override the default network interfaces list. # -- Configures service settings for the chart. From 53313d966de018bf2439c767f29ed2633950e8b8 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 15 Feb 2022 21:32:12 +0100 Subject: [PATCH 122/334] config: localhost --- system/samba/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/samba/values.yaml b/system/samba/values.yaml index 4eb58b9c4d..096421bd9f 100644 --- a/system/samba/values.yaml +++ b/system/samba/values.yaml @@ -24,7 +24,7 @@ samba: # SAMBA_LOG_LEVEL: Log level. (default 0) # SAMBA_FOLLOW_SYMLINKS: Allow to follow symlinks. (default yes) # SAMBA_WIDE_LINKS: Controls whether or not links in the UNIX file system may be followed by the server. (default yes) - SAMBA_HOSTS_ALLOW: 213.34.1.38/32 37.97.253.87/32 192.168.1.0/24 10.42.0.0/16 + SAMBA_HOSTS_ALLOW: 213.34.1.38/32 37.97.253.87/32 192.168.1.0/24 10.42.0.0/16 127.0.0.0/8 # SAMBA_INTERFACES: Allows you to override the default network interfaces list. # -- Configures service settings for the chart. From 02ab311182b9489597e0ab7476524907f4057753 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 15 Feb 2022 21:38:48 +0100 Subject: [PATCH 123/334] config: test loadbalancer --- system/samba/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/system/samba/values.yaml b/system/samba/values.yaml index 096421bd9f..e30ede3946 100644 --- a/system/samba/values.yaml +++ b/system/samba/values.yaml 
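Review bot: The new `SAMBA_HOSTS_ALLOW` puts two public /32 addresses (`213.34.1.38`, `37.97.253.87`) alongside the LAN and pod ranges, which only matters if TCP/445 is reachable from the internet, and an IP allow-list is a thin control for that: residential addresses rotate, everyone behind the same NAT shares them, and publicly exposed SMB is a perennial target. Prefer reaching the share over a VPN or tunnel and keeping this list to private ranges, e.g. `SAMBA_HOSTS_ALLOW: 192.168.1.0/24 10.42.0.0/16 127.0.0.0/8`, which also keeps home IP addresses out of a git-tracked file. As far as I recall Samba treats an allow list with no deny list as fail-closed, so the directive itself is fine as a second layer behind the network boundary, but that is worth confirming against the smb.conf the image generates. The `samba.env` mapping this line sits in continues outside the hunk.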
@@ -31,6 +31,7 @@ samba: # @default -- See values.yaml service: main: + type: LoadBalancer ports: tcp: enabled: true From 6e99c9218dfd074709bdb817e1ac551964849517 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 15 Feb 2022 22:02:32 +0100 Subject: [PATCH 124/334] config: fix --- system/samba/values.yaml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/system/samba/values.yaml b/system/samba/values.yaml index e30ede3946..85c3e891bc 100644 --- a/system/samba/values.yaml +++ b/system/samba/values.yaml @@ -20,7 +20,7 @@ samba: # -- Set the container timezone TZ: Europe/Amsterdam # SAMBA_WORKGROUP: NT-Domain-Name or Workgroup-Name. (default WORKGROUP) - # SAMBA_SERVER_STRING: Server string is the equivalent of the NT Description field. (default Docker Samba Server) + SAMBA_SERVER_STRING: europa # SAMBA_LOG_LEVEL: Log level. (default 0) # SAMBA_FOLLOW_SYMLINKS: Allow to follow symlinks. (default yes) # SAMBA_WIDE_LINKS: Controls whether or not links in the UNIX file system may be followed by the server. (default yes) @@ -31,16 +31,12 @@ samba: # @default -- See values.yaml service: main: - type: LoadBalancer + # type: ClusterIP ports: tcp: enabled: true protocol: TCP port: 445 - netbios: - enabled: true - protocol: TCP - port: 139 ingress: # -- Enable and configure ingress settings for the chart under this key. From 82b3318a29383b272e64833986027a0a9622cfe5 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 15 Feb 2022 22:07:33 +0100 Subject: [PATCH 125/334] config: different port --- system/samba/values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/system/samba/values.yaml b/system/samba/values.yaml index 85c3e891bc..bae4d137bb 100644 --- a/system/samba/values.yaml +++ b/system/samba/values.yaml @@ -51,6 +51,8 @@ samba: paths: - path: / pathType: Prefix + port: + number: 445 tls: - secretName: samba-tls-certificate hosts: From 62aae4de30beb4fed83defd0d6da1e429db0f68d Mon Sep 17 00:00:00 2001 
From: Peter Mein Date: Tue, 15 Feb 2022 22:14:05 +0100 Subject: [PATCH 126/334] config: disable ingress for now --- system/samba/values.yaml | 39 +++++++++++++++++++-------------------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/system/samba/values.yaml b/system/samba/values.yaml index bae4d137bb..ba4263664e 100644 --- a/system/samba/values.yaml +++ b/system/samba/values.yaml @@ -31,32 +31,31 @@ samba: # @default -- See values.yaml service: main: - # type: ClusterIP + type: LoadBalancer ports: tcp: enabled: true protocol: TCP port: 445 - ingress: - # -- Enable and configure ingress settings for the chart under this key. - # @default -- See values.yaml - main: - enabled: true - ingressClassName: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - hosts: - - host: &host samba.jupiter.mein.nl - paths: - - path: / - pathType: Prefix - port: - number: 445 - tls: - - secretName: samba-tls-certificate - hosts: - - *host + + # ingress: + # # -- Enable and configure ingress settings for the chart under this key. + # # @default -- See values.yaml + # main: + # enabled: true + # ingressClassName: nginx + # annotations: + # cert-manager.io/cluster-issuer: letsencrypt-prod + # hosts: + # - host: &host samba.jupiter.mein.nl + # paths: + # - path: / + # pathType: Prefix + # tls: + # - secretName: samba-tls-certificate + # hosts: + # - *host # -- Configure persistence settings for the chart under this key. # @default -- See values.yaml From 69f380cb70e8266817303afb87e35cd775fcb9ef Mon Sep 17 00:00:00 2001 
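Review bot: Re-enabling `type: LoadBalancer` puts TCP/445 on an externally routable address with no source restriction in the Service itself; the `hosts allow` list in `env` is then the only gate, and it lives in the application rather than the network layer. Add `loadBalancerSourceRanges` under `service.main` (e.g. a single entry `- 192.168.1.0/24`) so kube-proxy drops non-LAN sources before they reach smbd regardless of whether the load-balancer implementation enforces it; if MetalLB hands out a LAN address here (it appears in the diffstat of a later patch), that still blocks anything arriving through a router port-forward. The commented-out `ingress:` block is dead configuration — an HTTP ingress cannot carry SMB in any case — and I would delete it rather than leave ~17 commented lines in the values file. The `samba:` mapping continues past this hunk on both sides.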
From: Renovate Bot Date: Sun, 27 Feb 2022 18:41:13 +0000 Subject: [PATCH 127/334] chore(deps): update all non-major dependencies helm releases --- .tekton/tasks/external.yaml | 2 +- .tekton/tasks/lint.yaml | 2 +- apps/privatebin/Chart.yaml | 2 +- apps/seafile/Chart.yaml | 2 +- bootstrap/argocd/Chart.yaml | 4 ++-- home/homeassistant/values.yaml | 2 +- home/influxdb/Chart.yaml | 2 +- home/influxdb/values.yaml | 4 ++-- home/mariadb-galera/Chart.yaml | 2 +- home/pihole/Chart.yaml | 2 +- home/pihole/values.yaml | 2 +- home/postgresql/Chart.yaml | 2 +- home/redis/Chart.yaml | 2 +- home/redis/values.yaml | 2 +- platform/dex/Chart.yaml | 2 +- platform/renovate/Chart.yaml | 2 +- system/metallb-system/Chart.yaml | 2 +- 17 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.tekton/tasks/external.yaml b/.tekton/tasks/external.yaml index 165c887323..3cd71aee69 100644 --- a/.tekton/tasks/external.yaml +++ b/.tekton/tasks/external.yaml @@ -6,7 +6,7 @@ spec: workspaces: - name: source stepTemplate: - image: hashicorp/terraform:1.1.5 + image: hashicorp/terraform:1.1.6 workingDir: /workspace/source/external volumeMounts: - name: terraform-secrets diff --git a/.tekton/tasks/lint.yaml b/.tekton/tasks/lint.yaml index 1a67f2881b..49f1ddaa38 100644 --- a/.tekton/tasks/lint.yaml +++ b/.tekton/tasks/lint.yaml @@ -20,7 +20,7 @@ spec: args: - . - name: terraform - image: hashicorp/terraform:1.1.5 + image: hashicorp/terraform:1.1.6 command: - terraform args: diff --git a/apps/privatebin/Chart.yaml b/apps/privatebin/Chart.yaml index 81b600777b..ef11d608d0 100644 --- a/apps/privatebin/Chart.yaml +++ b/apps/privatebin/Chart.yaml @@ -3,5 +3,5 @@ name: privatebin version: 0.0.0 dependencies: - name: privatebin - version: 0.10.1 + version: 0.11.0 repository: https://privatebin.github.io/helm-chart diff --git a/apps/seafile/Chart.yaml b/apps/seafile/Chart.yaml index 01f9bd33df..91e0881d64 100644 --- a/apps/seafile/Chart.yaml +++ b/apps/seafile/Chart.yaml 
@@ -3,5 +3,5 @@ name: seafile version: 0.0.0 dependencies: - name: seafile - version: 2.0.0 + version: 2.0.1 repository: https://k8s-at-home.com/charts diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml index b22c1ea8a1..1210a569f5 100644 --- a/bootstrap/argocd/Chart.yaml +++ b/bootstrap/argocd/Chart.yaml @@ -3,8 +3,8 @@ name: argocd version: 0.0.0 dependencies: - name: argo-cd - version: 3.33.5 + version: 3.33.8 repository: https://argoproj.github.io/argo-helm - name: argocd-applicationset - version: 1.9.1 + version: 1.11.0 repository: https://argoproj.github.io/argo-helm diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index bb0752a864..7584064fb8 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -3,7 +3,7 @@ home-assistant: # -- image repository repository: homeassistant/home-assistant # -- image tag - tag: 2022.2.6 + tag: 2022.2.9 # -- image pull policy pullPolicy: IfNotPresent diff --git a/home/influxdb/Chart.yaml b/home/influxdb/Chart.yaml index 9d0cf8ca0e..b72f348c41 100644 --- a/home/influxdb/Chart.yaml +++ b/home/influxdb/Chart.yaml @@ -3,5 +3,5 @@ name: influxdb version: 0.0.0 dependencies: - name: influxdb - version: 3.0.2 + version: 3.0.6 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/influxdb/values.yaml b/home/influxdb/values.yaml index d9c18bdaf9..d2fe6b3cb5 100644 --- a/home/influxdb/values.yaml +++ b/home/influxdb/values.yaml @@ -1263,7 +1263,7 @@ influxdb: image: registry: docker.io repository: bitnami/google-cloud-sdk - tag: 0.372.0-debian-10-r0 + tag: 0.374.0-debian-10-r0 ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## 
@@ -1337,7 +1337,7 @@ influxdb: image: registry: docker.io repository: bitnami/aws-cli - tag: 2.4.16-debian-10-r4 + tag: 2.4.19-debian-10-r4 ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## diff --git a/home/mariadb-galera/Chart.yaml b/home/mariadb-galera/Chart.yaml index dc73d36f2f..cc6eea514c 100644 --- a/home/mariadb-galera/Chart.yaml +++ b/home/mariadb-galera/Chart.yaml @@ -3,5 +3,5 @@ name: mariadb-galera version: 0.0.0 dependencies: - name: mariadb-galera - version: 7.0.1 + version: 7.0.6 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/pihole/Chart.yaml b/home/pihole/Chart.yaml index 10635a0e46..8554833d07 100644 --- a/home/pihole/Chart.yaml +++ b/home/pihole/Chart.yaml @@ -3,5 +3,5 @@ name: pihole version: 0.0.0 dependencies: - name: pihole - version: 2.5.6 + version: 2.5.7 repository: https://mojo2600.github.io/pihole-kubernetes/ \ No newline at end of file diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index 16e1e51916..a87e1c3170 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml @@ -384,7 +384,7 @@ pihole: port: 9617 image: repository: ekofr/pihole-exporter - tag: v0.2.0 + tag: v0.3.0 pullPolicy: IfNotPresent resources: limits: diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml index fb0d192863..dbcf5819bb 100644 --- a/home/postgresql/Chart.yaml +++ b/home/postgresql/Chart.yaml @@ -3,5 +3,5 @@ name: postgresql version: 0.0.0 dependencies: - name: postgresql - version: 11.0.4 + version: 11.1.3 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/redis/Chart.yaml b/home/redis/Chart.yaml index d50c3da429..4d5af5eb62 100644 --- a/home/redis/Chart.yaml +++ b/home/redis/Chart.yaml 
@@ -3,5 +3,5 @@ name: redis version: 0.0.0 dependencies: - name: redis - version: 16.4.0 + version: 16.4.4 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/redis/values.yaml b/home/redis/values.yaml index e6cfff4fc5..5fbc3e8d87 100644 --- a/home/redis/values.yaml +++ b/home/redis/values.yaml @@ -1214,7 +1214,7 @@ metrics: image: registry: docker.io repository: bitnami/redis-exporter - tag: 1.35.0-debian-10-r2 + tag: 1.35.1-debian-10-r2 pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. diff --git a/platform/dex/Chart.yaml b/platform/dex/Chart.yaml index 737134f46f..3a6db86a9e 100644 --- a/platform/dex/Chart.yaml +++ b/platform/dex/Chart.yaml @@ -3,5 +3,5 @@ name: dex version: 0.39.1 dependencies: - name: security-apps - version: 0.39.1 + version: 0.42.0 repository: https://charts.adfinis.com diff --git a/platform/renovate/Chart.yaml b/platform/renovate/Chart.yaml index da872b947f..403e792d4c 100644 --- a/platform/renovate/Chart.yaml +++ b/platform/renovate/Chart.yaml @@ -3,5 +3,5 @@ name: renovate version: 0.0.0 dependencies: - name: renovate - version: 31.81.7 + version: 31.94.0 repository: https://docs.renovatebot.com/helm-charts diff --git a/system/metallb-system/Chart.yaml b/system/metallb-system/Chart.yaml index 79692a118c..c3b22b2a96 100644 --- a/system/metallb-system/Chart.yaml +++ b/system/metallb-system/Chart.yaml @@ -3,5 +3,5 @@ name: metallb version: 0.0.0 dependencies: - name: metallb - version: 0.11.0 + version: 0.12.1 repository: https://metallb.github.io/metallb From 3f389718cac6597e5a679a7e8c74f84a45037731 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 28 Feb 2022 11:50:10 +0100 Subject: [PATCH 128/334] config: added safe boot to mariadb --- home/mariadb-galera/values.yaml | 1681 ++++++++++++++++--------------- 1 file changed, 841 insertions(+), 840 deletions(-) 
diff --git a/home/mariadb-galera/values.yaml b/home/mariadb-galera/values.yaml index b7bf2cc08b..96028b7aa7 100644 --- a/home/mariadb-galera/values.yaml +++ b/home/mariadb-galera/values.yaml 
@@ -1,792 +1,665 @@ -## @section Global parameters -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +mariadb: + ## @section Global parameters + ## Global Docker image parameters + ## Please, note that this will override the image parameters, including dependencies, configured to use the global value + ## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass -## @param global.imageRegistry Global Docker image registry -## @param global.imagePullSecrets Global Docker registry secret names as an array -## @param global.storageClass Global StorageClass for Persistent Volume(s) -## -global: - imageRegistry: "" - ## E.g. - ## imagePullSecrets: - ## - myRegistryKeySecretName - ## - imagePullSecrets: [] - storageClass: "" - -## @section Common parameters + ## @param global.imageRegistry Global Docker image registry + ## @param global.imagePullSecrets Global Docker registry secret names as an array + ## @param global.storageClass Global StorageClass for Persistent Volume(s) + ## + global: + imageRegistry: "" + ## E.g. 
+ ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" -## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) -## -kubeVersion: "" -## @param nameOverride String to partially override common.names.fullname template with a string (will prepend the release name) -## -nameOverride: "" -## @param fullnameOverride String to fully override common.names.fullname template with a string -## -fullnameOverride: "" -## @param commonAnnotations Annotations to add to all deployed objects -## -commonAnnotations: {} -## @param commonLabels Labels to add to all deployed objects -## -commonLabels: {} -## @param schedulerName Name of the Kubernetes scheduler (other than default) -## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -schedulerName: "" -## @param clusterDomain Kubernetes DNS Domain name to use -## -clusterDomain: cluster.local -## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) -## -extraDeploy: [] + ## @section Common parameters -## Diagnostic mode in the deployment -## -diagnosticMode: - ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) + ## + kubeVersion: "" + ## @param nameOverride String to partially override common.names.fullname template with a string (will prepend the release name) + ## + nameOverride: "" + ## @param fullnameOverride String to fully override common.names.fullname template with a string + ## + fullnameOverride: "" + ## @param commonAnnotations Annotations to add to all deployed objects + ## + commonAnnotations: {} + ## @param commonLabels Labels to add to all deployed objects + ## + commonLabels: {} + ## @param schedulerName Name of the Kubernetes scheduler (other than default) + ## ref: 
https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## - enabled: false - ## @param diagnosticMode.command [array] Command to override all containers in the deployment + schedulerName: "" + ## @param clusterDomain Kubernetes DNS Domain name to use ## - command: - - sleep - ## @param diagnosticMode.args [array] Args to override all containers in the deployment + clusterDomain: cluster.local + ## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) ## - args: - - infinity + extraDeploy: [] -## @section MariaDB Galera parameters + ## Diagnostic mode in the deployment + ## + diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command [array] Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args [array] Args to override all containers in the deployment + ## + args: + - infinity -## Bitnami MariaDB Galera image -## ref: https://hub.docker.com/r/bitnami/mariadb-galera/tags/ -## @param image.registry MariaDB Galera image registry -## @param image.repository MariaDB Galera image repository -## @param image.tag MariaDB Galera image tag (immutable tags are recommended) -## @param image.pullPolicy MariaDB Galera image pull policy -## @param image.pullSecrets Specify docker-registry secret names as an array -## @param image.debug Specify if debug logs should be enabled -## -image: - registry: docker.io - repository: bitnami/mariadb-galera - tag: 10.6.5-debian-10-r66 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) - ## ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Set to true if you would like to see extra information on logs - ## - debug: false -## @param podManagementPolicy StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel -## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy -## -podManagementPolicy: OrderedReady -## @param hostAliases Add deployment host aliases -## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ -## -hostAliases: [] -## MariaDB Gallera K8s svc properties -## -service: - ## @param service.type Kubernetes service type - ## - type: ClusterIP - ## @param service.clusterIP Specific cluster IP when service type is cluster IP. 
Use `None` for headless service - ## e.g: - ## clusterIP: None + ## @section MariaDB Galera parameters + + ## Bitnami MariaDB Galera image + ## ref: https://hub.docker.com/r/bitnami/mariadb-galera/tags/ + ## @param image.registry MariaDB Galera image registry + ## @param image.repository MariaDB Galera image repository + ## @param image.tag MariaDB Galera image tag (immutable tags are recommended) + ## @param image.pullPolicy MariaDB Galera image pull policy + ## @param image.pullSecrets Specify docker-registry secret names as an array + ## @param image.debug Specify if debug logs should be enabled ## - clusterIP: "" - ## @param service.ports.mysql MariaDB service port + image: + registry: docker.io + repository: bitnami/mariadb-galera + tag: 10.6.5-debian-10-r66 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false + ## @param podManagementPolicy StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel + ## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy ## - ports: - mysql: 3306 - ## @param service.nodePorts.mysql Specify the nodePort value for the LoadBalancer and NodePort service types. 
- ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## e.g: - ## nodePort: - ## mysql: 30001 + podManagementPolicy: OrderedReady + ## @param hostAliases Add deployment host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## - nodePorts: - mysql: "" - ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + hostAliases: [] + ## MariaDB Gallera K8s svc properties ## - extraPorts: [] - ## @param service.externalIPs External IP list to use with ClusterIP service type - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips + service: + ## @param service.type Kubernetes service type + ## + type: ClusterIP + ## @param service.clusterIP Specific cluster IP when service type is cluster IP. Use `None` for headless service + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.ports.mysql MariaDB service port + ## + ports: + mysql: 3306 + ## @param service.nodePorts.mysql Specify the nodePort value for the LoadBalancer and NodePort service types. 
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ## e.g:
+ ## nodePort:
+ ## mysql: 30001
+ ##
+ nodePorts:
+ mysql: ""
+ ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+ ## @param service.externalIPs External IP list to use with ClusterIP service type
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
+ ##
+ externalIPs: []
+ ## @param service.loadBalancerIP `loadBalancerIP` if service type is `LoadBalancer`
+ ## Set the LoadBalancer service type to internal only
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ loadBalancerIP: ""
+ ## @param service.loadBalancerSourceRanges Addresses that are allowed when svc is `LoadBalancer`
+ ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ##
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param service.annotations Additional annotations for MariaDB Galera service
+ ## This can be used toset the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ annotations: {}
+ ## Headless service properties
+ ##
+ headless:
+ ## @param service.headless.annotations Annotations for the headless service.
+ ## Useful for setting `service.alpha.kubernetes.io/tolerate-unready-endpoints="true"` when using peer-finder.
+ ##
+ annotations: {}
+ ## @param service.headless.publishNotReadyAddresses Publish not Ready MariaDB Galera pods' IPs in the headless service.
+ ## Required for peer discovery during cluster bootstrap (1st chart installation), optional afterwards.
+ ## + publishNotReadyAddresses: true + ## Pods Service Account + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + ## @param serviceAccount.create Specify whether a ServiceAccount should be created + ## @param serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template. + ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account + ## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. + ## + serviceAccount: + create: false + name: "" + automountServiceAccountToken: false + annotations: {} + ## @param command Override default container command (useful when using custom images) ## - externalIPs: [] - ## @param service.loadBalancerIP `loadBalancerIP` if service type is `LoadBalancer` - ## Set the LoadBalancer service type to internal only - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + command: [] + ## @param args Override default container args (useful when using custom images) ## - loadBalancerIP: "" - ## @param service.loadBalancerSourceRanges Addresses that are allowed when svc is `LoadBalancer` - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + args: [] + ## @param extraEnvVars Array containing extra env vars to configure MariaDB Galera replicas + ## For example: + ## extraEnvVars: + ## - name: TZ + ## value: "Europe/Paris" ## - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 + extraEnvVars: [] + ## @param extraEnvVarsCM ConfigMap containing extra env vars to configure MariaDB Galera replicas ## - loadBalancerSourceRanges: [] - ## @param service.annotations Additional annotations for MariaDB Galera service - ## This can be used toset the LoadBalancer service type to 
internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + extraEnvVarsCM: "" + ## @param extraEnvVarsSecret Secret containing extra env vars to configure MariaDB Galera replicas ## - annotations: {} - ## Headless service properties + extraEnvVarsSecret: "" + ## Role Based Access + ## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ ## - headless: - ## @param service.headless.annotations Annotations for the headless service. - ## Useful for setting `service.alpha.kubernetes.io/tolerate-unready-endpoints="true"` when using peer-finder. + rbac: + ## @param rbac.create Specify whether RBAC resources should be created and used ## - annotations: {} - ## @param service.headless.publishNotReadyAddresses Publish not Ready MariaDB Galera pods' IPs in the headless service. - ## Required for peer discovery during cluster bootstrap (1st chart installation), optional afterwards. - ## - publishNotReadyAddresses: true -## Pods Service Account -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ -## @param serviceAccount.create Specify whether a ServiceAccount should be created -## @param serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template. -## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account -## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. 
-## -serviceAccount: - create: false - name: "" - automountServiceAccountToken: false - annotations: {} -## @param command Override default container command (useful when using custom images) -## -command: [] -## @param args Override default container args (useful when using custom images) -## -args: [] -## @param extraEnvVars Array containing extra env vars to configure MariaDB Galera replicas -## For example: -## extraEnvVars: -## - name: TZ -## value: "Europe/Paris" -## -extraEnvVars: [] -## @param extraEnvVarsCM ConfigMap containing extra env vars to configure MariaDB Galera replicas -## -extraEnvVarsCM: "" -## @param extraEnvVarsSecret Secret containing extra env vars to configure MariaDB Galera replicas -## -extraEnvVarsSecret: "" -## Role Based Access -## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ -## -rbac: - ## @param rbac.create Specify whether RBAC resources should be created and used - ## - create: false -## Pod Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -## @param podSecurityContext.enabled Enable security context -## @param podSecurityContext.fsGroup Group ID for the container filesystem -## @param podSecurityContext.runAsUser User ID for the container -## -podSecurityContext: - enabled: true - fsGroup: 1001 - runAsUser: 1001 -## Configure Container Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod -## @param containerSecurityContext.enabled Enabled galera's container Security Context -## @param containerSecurityContext.runAsUser Set galera's container Security Context runAsUser -## @param containerSecurityContext.runAsNonRoot Set galera's container Security Context runAsNonRoot -containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsNonRoot: true -## Database credentials for root (admin) user -## -rootUser: - ## @param rootUser.user Username for the admin user. 
- ## - user: root - ## @param rootUser.password Password for the admin user. Ignored if existing secret is provided. - ## Password is ignored if existingSecret is specified. - ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#setting-the-root-password-on-first-run - ## - password: "" - ## @param rootUser.forcePassword Option to force users to specify a password. That is required for 'helm upgrade' to work properly. - ## If it is not force, a random password will be generated. - ## - forcePassword: false -## @param existingSecret Use existing secret for password details (`rootUser.password`, `db.password`, `galera.mariabackup.password` will be ignored and picked up from this secret) -## The secret has to contain the keys mariadb-root-password, mariadb-galera-mariabackup-password and mariadb-password. -## -existingSecret: "mariadb-secret" -## @param usePasswordFiles Mount credentials as a files instead of using an environment variable. -## -usePasswordFiles: false -## @param customPasswordFiles Use custom password files when `usePasswordFiles` is set to `true`. Define path for keys `root`, `user`, and `mariabackup`. -## Example: -## customPasswordFiles: -## root: /vault/secrets/mariadb-root -## user: /vault/secrets/mariadb-user -## mariabackup: /vault/secrets/mariadb-galera-mariabackup -## -customPasswordFiles: {} -## Custom db configuration -## -db: - ## @param db.user Username of new user to create - ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-user-on-first-run - ## - user: "" - ## @param db.password Password for the new user. Ignored if existing secret is provided. - ## - password: "" - ## @param db.name Name for new database to create - ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-on-first-run - ## - name: my_database - ## @param db.forcePassword Option to force users to specify a password. That is required for 'helm upgrade' to work properly. 
- ## If it is not force, a random password will be generated. - ## - forcePassword: false -## Galera configuration -## -galera: - ## @param galera.name Galera cluster name - ## - name: galera - ## Bootstraping options - ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#bootstraping - ## - bootstrap: - ## @param galera.bootstrap.forceBootstrap Option to force the boostraping from the indicated node in `galera.bootstarp.bootstrapFromNode` - ## - forceBootstrap: false - ## @param galera.bootstrap.bootstrapFromNode Node to bootstrap from, you will need to change this parameter in case you want to bootstrap from other node - ## - bootstrapFromNode: 0 - ## @param galera.bootstrap.forceSafeToBootstrap Force `safe_to_bootstrap: 1` in `grastate.date` file - ## This will set safe_to_bootstrap=1 in the node indicated by bootstrapFromNode. - ## - forceSafeToBootstrap: false - ## Credentials to perform backups - ## - mariabackup: - ## @param galera.mariabackup.user MariaBackup username - ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#setting-up-a-multi-master-cluster - ## - user: mariabackup - ## @param galera.mariabackup.password MariaBackup password. Password is ignored if existingSecret is specified. 
+ create: false + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param podSecurityContext.enabled Enable security context + ## @param podSecurityContext.fsGroup Group ID for the container filesystem + ## @param podSecurityContext.runAsUser User ID for the container + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param containerSecurityContext.enabled Enabled galera's container Security Context + ## @param containerSecurityContext.runAsUser Set galera's container Security Context runAsUser + ## @param containerSecurityContext.runAsNonRoot Set galera's container Security Context runAsNonRoot + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## Database credentials for root (admin) user + ## + rootUser: + ## @param rootUser.user Username for the admin user. + ## + user: root + ## @param rootUser.password Password for the admin user. Ignored if existing secret is provided. + ## Password is ignored if existingSecret is specified. + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#setting-the-root-password-on-first-run ## password: "" - ## @param galera.mariabackup.forcePassword Option to force users to specify a password. That is required for 'helm upgrade' to work properly. + ## @param rootUser.forcePassword Option to force users to specify a password. That is required for 'helm upgrade' to work properly. ## If it is not force, a random password will be generated. 
## forcePassword: false -## LDAP configuration -## @param ldap.enabled Enable LDAP support -## @param ldap.uri LDAP URL beginning in the form `ldap` -## @param ldap.base LDAP base DN -## @param ldap.binddn LDAP bind DN -## @param ldap.bindpw LDAP bind password -## @param ldap.bslookup LDAP base lookup -## @param ldap.filter LDAP custom filter -## @param ldap.map LDAP custom map -## @param ldap.nss_initgroups_ignoreusers LDAP ignored users -## @param ldap.scope LDAP search scope -## @param ldap.tls_reqcert LDAP TLS check on server certificates -## -ldap: - enabled: false - uri: "" - base: "" - binddn: "" - bindpw: "" - bslookup: "" - filter: "" - map: "" - nss_initgroups_ignoreusers: root,nslcd - scope: "" - tls_reqcert: "" -## TLS configuration -## -tls: - ## @param tls.enabled Enable TLS support for replication traffic - ## - enabled: false - ## @param tls.autoGenerated Generate automatically self-signed TLS certificates - ## - autoGenerated: false - ## @param tls.certificatesSecret Name of the secret that contains the certificates - ## - certificatesSecret: "" - ## @param tls.certFilename Certificate filename - ## - certFilename: "" - ## @param tls.certKeyFilename Certificate key filename - ## - certKeyFilename: "" - ## @param tls.certCAFilename CA Certificate filename - ## - certCAFilename: "" -## @param mariadbConfiguration [string] Configuration for the MariaDB server -## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file -## Alternatively, you can put your my.cnf under the files/ directory -## -mariadbConfiguration: |- - [client] - port=3306 - socket=/opt/bitnami/mariadb/tmp/mysql.sock - plugin_dir=/opt/bitnami/mariadb/plugin + ## @param existingSecret Use existing secret for password details (`rootUser.password`, `db.password`, `galera.mariabackup.password` will be ignored and picked up from this secret) + ## The secret has to contain the keys mariadb-root-password, mariadb-galera-mariabackup-password and 
mariadb-password. + ## + existingSecret: "mariadb-secret" + ## @param usePasswordFiles Mount credentials as a files instead of using an environment variable. + ## + usePasswordFiles: false + ## @param customPasswordFiles Use custom password files when `usePasswordFiles` is set to `true`. Define path for keys `root`, `user`, and `mariabackup`. + ## Example: + ## customPasswordFiles: + ## root: /vault/secrets/mariadb-root + ## user: /vault/secrets/mariadb-user + ## mariabackup: /vault/secrets/mariadb-galera-mariabackup + ## + customPasswordFiles: {} + ## Custom db configuration + ## + db: + ## @param db.user Username of new user to create + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-user-on-first-run + ## + user: "" + ## @param db.password Password for the new user. Ignored if existing secret is provided. + ## + password: "" + ## @param db.name Name for new database to create + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-on-first-run + ## + name: my_database + ## @param db.forcePassword Option to force users to specify a password. That is required for 'helm upgrade' to work properly. + ## If it is not force, a random password will be generated. 
+ ##
+ forcePassword: false
+ ## Galera configuration
+ ##
+ galera:
+ ## @param galera.name Galera cluster name
+ ##
+ name: galera
+ ## Bootstraping options
+ ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#bootstraping
+ ##
+ bootstrap:
+ ## @param galera.bootstrap.forceBootstrap Option to force the boostraping from the indicated node in `galera.bootstarp.bootstrapFromNode`
+ ##
+ forceBootstrap: false
+ ## @param galera.bootstrap.bootstrapFromNode Node to bootstrap from, you will need to change this parameter in case you want to bootstrap from other node
+ ##
+ bootstrapFromNode: 0
+ ## @param galera.bootstrap.forceSafeToBootstrap Force `safe_to_bootstrap: 1` in `grastate.date` file
+ ## This will set safe_to_bootstrap=1 in the node indicated by bootstrapFromNode.
+ ##
+ forceSafeToBootstrap: true
+ ## Credentials to perform backups
+ ##
+ mariabackup:
+ ## @param galera.mariabackup.user MariaBackup username
+ ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#setting-up-a-multi-master-cluster
+ ##
+ user: mariabackup
+ ## @param galera.mariabackup.password MariaBackup password. Password is ignored if existingSecret is specified.
+ ##
+ password: ""
+ ## @param galera.mariabackup.forcePassword Option to force users to specify a password. That is required for 'helm upgrade' to work properly.
+ ## If it is not force, a random password will be generated.
+ ## + forcePassword: false + ## LDAP configuration + ## @param ldap.enabled Enable LDAP support + ## @param ldap.uri LDAP URL beginning in the form `ldap` + ## @param ldap.base LDAP base DN + ## @param ldap.binddn LDAP bind DN + ## @param ldap.bindpw LDAP bind password + ## @param ldap.bslookup LDAP base lookup + ## @param ldap.filter LDAP custom filter + ## @param ldap.map LDAP custom map + ## @param ldap.nss_initgroups_ignoreusers LDAP ignored users + ## @param ldap.scope LDAP search scope + ## @param ldap.tls_reqcert LDAP TLS check on server certificates + ## + ldap: + enabled: false + uri: "" + base: "" + binddn: "" + bindpw: "" + bslookup: "" + filter: "" + map: "" + nss_initgroups_ignoreusers: root,nslcd + scope: "" + tls_reqcert: "" + ## TLS configuration + ## + tls: + ## @param tls.enabled Enable TLS support for replication traffic + ## + enabled: false + ## @param tls.autoGenerated Generate automatically self-signed TLS certificates + ## + autoGenerated: false + ## @param tls.certificatesSecret Name of the secret that contains the certificates + ## + certificatesSecret: "" + ## @param tls.certFilename Certificate filename + ## + certFilename: "" + ## @param tls.certKeyFilename Certificate key filename + ## + certKeyFilename: "" + ## @param tls.certCAFilename CA Certificate filename + ## + certCAFilename: "" + ## @param mariadbConfiguration [string] Configuration for the MariaDB server + ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file + ## Alternatively, you can put your my.cnf under the files/ directory + ## + mariadbConfiguration: |- + [client] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + plugin_dir=/opt/bitnami/mariadb/plugin - [mysqld] - default_storage_engine=InnoDB - basedir=/opt/bitnami/mariadb - datadir=/bitnami/mariadb/data - plugin_dir=/opt/bitnami/mariadb/plugin - tmpdir=/opt/bitnami/mariadb/tmp - socket=/opt/bitnami/mariadb/tmp/mysql.sock - 
pid_file=/opt/bitnami/mariadb/tmp/mysqld.pid - bind_address=0.0.0.0 + [mysqld] + default_storage_engine=InnoDB + basedir=/opt/bitnami/mariadb + datadir=/bitnami/mariadb/data + plugin_dir=/opt/bitnami/mariadb/plugin + tmpdir=/opt/bitnami/mariadb/tmp + socket=/opt/bitnami/mariadb/tmp/mysql.sock + pid_file=/opt/bitnami/mariadb/tmp/mysqld.pid + bind_address=0.0.0.0 - ## Character set - ## - collation_server=utf8_unicode_ci - init_connect='SET NAMES utf8' - character_set_server=utf8 + ## Character set + ## + collation_server=utf8_unicode_ci + init_connect='SET NAMES utf8' + character_set_server=utf8 - ## MyISAM - ## - key_buffer_size=32M - myisam_recover_options=FORCE,BACKUP + ## MyISAM + ## + key_buffer_size=32M + myisam_recover_options=FORCE,BACKUP - ## Safety - ## - skip_host_cache - skip_name_resolve - max_allowed_packet=16M - max_connect_errors=1000000 - sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY - sysdate_is_now=1 + ## Safety + ## + skip_host_cache + skip_name_resolve + max_allowed_packet=16M + max_connect_errors=1000000 + sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY + sysdate_is_now=1 - ## Binary Logging - ## - log_bin=mysql-bin - expire_logs_days=14 - # Disabling for performance per http://severalnines.com/blog/9-tips-going-production-galera-cluster-mysql - sync_binlog=0 - # Required for Galera - binlog_format=row + ## Binary Logging + ## + log_bin=mysql-bin + expire_logs_days=14 + # Disabling for performance per http://severalnines.com/blog/9-tips-going-production-galera-cluster-mysql + sync_binlog=0 + # Required for Galera + binlog_format=row - ## Caches and Limits - ## - tmp_table_size=32M - max_heap_table_size=32M - # Re-enabling as now works with Maria 10.1.2 - query_cache_type=1 - query_cache_limit=4M - 
query_cache_size=256M - max_connections=500 - thread_cache_size=50 - open_files_limit=65535 - table_definition_cache=4096 - table_open_cache=4096 + ## Caches and Limits + ## + tmp_table_size=32M + max_heap_table_size=32M + # Re-enabling as now works with Maria 10.1.2 + query_cache_type=1 + query_cache_limit=4M + query_cache_size=256M + max_connections=500 + thread_cache_size=50 + open_files_limit=65535 + table_definition_cache=4096 + table_open_cache=4096 - ## InnoDB - ## - innodb=FORCE - innodb_strict_mode=1 - # Mandatory per https://github.com/codership/documentation/issues/25 - innodb_autoinc_lock_mode=2 - # Per https://www.percona.com/blog/2006/08/04/innodb-double-write/ - innodb_doublewrite=1 - innodb_flush_method=O_DIRECT - innodb_log_files_in_group=2 - innodb_log_file_size=128M - innodb_flush_log_at_trx_commit=1 - innodb_file_per_table=1 - # 80% Memory is default reco. - # Need to re-evaluate when DB size grows - innodb_buffer_pool_size=2G - innodb_file_format=Barracuda + ## InnoDB + ## + innodb=FORCE + innodb_strict_mode=1 + # Mandatory per https://github.com/codership/documentation/issues/25 + innodb_autoinc_lock_mode=2 + # Per https://www.percona.com/blog/2006/08/04/innodb-double-write/ + innodb_doublewrite=1 + innodb_flush_method=O_DIRECT + innodb_log_files_in_group=2 + innodb_log_file_size=128M + innodb_flush_log_at_trx_commit=1 + innodb_file_per_table=1 + # 80% Memory is default reco. 
+ # Need to re-evaluate when DB size grows + innodb_buffer_pool_size=2G + innodb_file_format=Barracuda - ## Logging - ## - log_error=/opt/bitnami/mariadb/logs/mysqld.log - slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log - log_queries_not_using_indexes=1 - slow_query_log=1 + ## Logging + ## + log_error=/opt/bitnami/mariadb/logs/mysqld.log + slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log + log_queries_not_using_indexes=1 + slow_query_log=1 - ## SSL - ## Use extraVolumes and extraVolumeMounts to mount /certs filesystem - # ssl_ca=/certs/ca.pem - # ssl_cert=/certs/server-cert.pem - # ssl_key=/certs/server-key.pem + ## SSL + ## Use extraVolumes and extraVolumeMounts to mount /certs filesystem + # ssl_ca=/certs/ca.pem + # ssl_cert=/certs/server-cert.pem + # ssl_key=/certs/server-key.pem - [galera] - wsrep_on=ON - wsrep_provider=/opt/bitnami/mariadb/lib/libgalera_smm.so - wsrep_sst_method=mariabackup - wsrep_slave_threads=4 - wsrep_cluster_address=gcomm:// - wsrep_cluster_name=galera - wsrep_sst_auth="root:" - # Enabled for performance per https://mariadb.com/kb/en/innodb-system-variables/#innodb_flush_log_at_trx_commit - innodb_flush_log_at_trx_commit=2 - # MYISAM REPLICATION SUPPORT # - wsrep_replicate_myisam=ON + [galera] + wsrep_on=ON + wsrep_provider=/opt/bitnami/mariadb/lib/libgalera_smm.so + wsrep_sst_method=mariabackup + wsrep_slave_threads=4 + wsrep_cluster_address=gcomm:// + wsrep_cluster_name=galera + wsrep_sst_auth="root:" + # Enabled for performance per https://mariadb.com/kb/en/innodb-system-variables/#innodb_flush_log_at_trx_commit + innodb_flush_log_at_trx_commit=2 + # MYISAM REPLICATION SUPPORT # + wsrep_replicate_myisam=ON - [mariadb] - plugin_load_add=auth_pam + [mariadb] + plugin_load_add=auth_pam - ## Data-at-Rest Encryption - ## Use extraVolumes and extraVolumeMounts to mount /encryption filesystem - # plugin_load_add=file_key_management - # file_key_management_filename=/encryption/keyfile.enc - # 
file_key_management_filekey=FILE:/encryption/keyfile.key - # file_key_management_encryption_algorithm=AES_CTR - # encrypt_binlog=ON - # encrypt_tmp_files=ON + ## Data-at-Rest Encryption + ## Use extraVolumes and extraVolumeMounts to mount /encryption filesystem + # plugin_load_add=file_key_management + # file_key_management_filename=/encryption/keyfile.enc + # file_key_management_filekey=FILE:/encryption/keyfile.key + # file_key_management_encryption_algorithm=AES_CTR + # encrypt_binlog=ON + # encrypt_tmp_files=ON - ## InnoDB/XtraDB Encryption - # innodb_encrypt_tables=ON - # innodb_encrypt_temporary_tables=ON - # innodb_encrypt_log=ON - # innodb_encryption_threads=4 - # innodb_encryption_rotate_key_age=1 + ## InnoDB/XtraDB Encryption + # innodb_encrypt_tables=ON + # innodb_encrypt_temporary_tables=ON + # innodb_encrypt_log=ON + # innodb_encryption_threads=4 + # innodb_encryption_rotate_key_age=1 - ## Aria Encryption - # aria_encrypt_tables=ON - # encrypt_tmp_disk_tables=ON -## @param configurationConfigMap ConfigMap with the MariaDB configuration files (Note: Overrides `mariadbConfiguration`). The value is evaluated as a template. -## -configurationConfigMap: "" -## initdb scripts -## @param initdbScripts Specify dictionary of scripts to be run at first boot -## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory -## e.g: -## initdbScripts: -## my_init_script.sh: | -## #!/bin/sh -## echo "Do something." 
-## -initdbScripts: {} -## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) -## -initdbScriptsConfigMap: "" -## @param extraFlags MariaDB additional command line flags -## Can be used to specify command line flags, for example: -## e.g: -## extraFlags: "--max-connect-errors=1000 --max_connections=155" -## -extraFlags: "" -## @param replicaCount Desired number of cluster nodes -## -replicaCount: 3 -## @param updateStrategy.type updateStrategy for MariaDB Master StatefulSet -## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies -## -updateStrategy: - type: RollingUpdate -## @param podLabels Extra labels for MariaDB Galera pods -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ -## -podLabels: {} -## @param podAnnotations Annotations for MariaDB Galera pods -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ -## -podAnnotations: {} -## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## -podAffinityPreset: "" -## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## -podAntiAffinityPreset: soft -## Node affinity preset -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity -## -nodeAffinityPreset: - ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` - ## - type: "" - ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set. - ## E.g. 
- ## key: "kubernetes.io/e2e-az-name" + ## Aria Encryption + # aria_encrypt_tables=ON + # encrypt_tmp_disk_tables=ON + ## @param configurationConfigMap ConfigMap with the MariaDB configuration files (Note: Overrides `mariadbConfiguration`). The value is evaluated as a template. + ## + configurationConfigMap: "" + ## initdb scripts + ## @param initdbScripts Specify dictionary of scripts to be run at first boot + ## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory + ## e.g: + ## initdbScripts: + ## my_init_script.sh: | + ## #!/bin/sh + ## echo "Do something." + ## + initdbScripts: {} + ## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) + ## + initdbScriptsConfigMap: "" + ## @param extraFlags MariaDB additional command line flags + ## Can be used to specify command line flags, for example: + ## e.g: + ## extraFlags: "--max-connect-errors=1000 --max_connections=155" + ## + extraFlags: "" + ## @param replicaCount Desired number of cluster nodes + ## + replicaCount: 3 + ## @param updateStrategy.type updateStrategy for MariaDB Master StatefulSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + ## @param podLabels Extra labels for MariaDB Galera pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param podAnnotations Annotations for MariaDB Galera pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## - key: "" - ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. + podAnnotations: {} + ## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param affinity Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param nodeSelector Node labels for pod assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param tolerations Tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param topologySpreadConstraints Topology Spread Constraints for pods assignment + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ ## E.g. 
- ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] -## @param affinity Affinity for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set -## -affinity: {} -## @param nodeSelector Node labels for pod assignment -## ref: https://kubernetes.io/docs/user-guide/node-selection/ -## -nodeSelector: {} -## @param tolerations Tolerations for pod assignment -## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -## -tolerations: [] -## @param topologySpreadConstraints Topology Spread Constraints for pods assignment -## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ -## E.g. -## topologySpreadConstraints: -## - maxSkew: 1 -## topologyKey: topology.kubernetes.io/zone -## whenUnsatisfiable: DoNotSchedule -## -topologySpreadConstraints: {} -## @param lifecycleHooks for the galera container(s) to automate configuration before or after startup -## -lifecycleHooks: {} -## Enable persistence using Persistent Volume Claims -## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ -## -## Galera container port -## @param containerPorts.mysql mariadb database container port -## @param containerPorts.galera galera cluster container port -## @param containerPorts.ist galera IST container port -## @param containerPorts.sst galera SST container port -## -containerPorts: - mysql: 3306 - # Note: Container image is not aware of changes in the following container's ports - galera: 4567 - ist: 4568 - sst: 4444 - -persistence: - ## @param persistence.enabled Enable persistence using PVC - ## - enabled: true - ## @param persistence.existingClaim Provide an existing `PersistentVolumeClaim` - ## - existingClaim: "" - ## @param persistence.subPath Subdirectory of the volume to mount - ## - subPath: "" - ## @param persistence.mountPath Path to mount 
the volume at - ## - mountPath: /bitnami/mariadb - ## @param persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) - ## selector: - ## matchLabels: - ## app: my-app - ## - selector: {} - ## @param persistence.storageClass Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - storageClass: "longhorn" - ## @param persistence.annotations Persistent Volume Claim annotations - ## - annotations: {} - ## @param persistence.accessModes Persistent Volume Access Modes - ## - accessModes: - - ReadWriteOnce - ## @param persistence.size Persistent Volume Size - ## - size: 8Gi -## @param priorityClassName Priority Class Name for Statefulset -## -priorityClassName: "" -## @param initContainers Additional init containers (this value is evaluated as a template) -## extraInitContainers: -## - name: do-something -## image: bitnami/minideb -## command: ['do', 'something'] -## -initContainers: [] -## @param extraContainers Additional containers (this value is evaluated as a template) -## -extraContainers: [] -## extraVolumes and extraVolumeMounts allows you to mount other volumes -## @param extraVolumes Extra volumes -## @param extraVolumeMounts Mount extra volume(s) -## Example Use Cases: -## mount certificates to enable data-in-transit encryption -## mount keys for data-at-rest encryption using file plugin -## e.g: -## extraVolumes: -## - name: mariadb-certs -## secret: -## defaultMode: 288 -## secretName: mariadb-certs -## - name: mariadb-encryption -## secret: -## defaultMode: 288 -## secretName: mariadb-encryption -## -extraVolumes: [] -## extraVolumeMounts: -## - name: mariadb-certs -## mountPath: /certs -## readOnly: true -## - name: mariadb-encryption -## 
mountPath: /encryption -## readOnly: true -## -extraVolumeMounts: [] -## MariaDB Galera containers' resource requests and limits -## We usually recommend not to specify default resources and to leave this as a conscious -## choice for the user. This also increases chances charts run on environments with little -## resources, such as Minikube. If you do want to specify resources, uncomment the following -## lines, adjust them as necessary, and remove the curly braces after 'resources:'. -## @param resources.limits The resources limits for the container -## @param resources.requests The requested resources for the container -## -resources: - ## Example: - ## limits: - ## cpu: 0.5 - ## memory: 256Mi - limits: {} - ## Examples: - ## requests: - ## cpu: 0.5 - ## memory: 256Mi - requests: {} -## MariaDB Galera containers' liveness probe -## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes -## @param livenessProbe.enabled Turn on and off liveness probe -## @param livenessProbe.initialDelaySeconds Delay before liveness probe is initiated -## @param livenessProbe.periodSeconds How often to perform the probe -## @param livenessProbe.timeoutSeconds When the probe times out -## @param livenessProbe.failureThreshold Minimum consecutive failures for the probe -## @param livenessProbe.successThreshold Minimum consecutive successes for the probe -## -livenessProbe: - enabled: true - ## Initializing the database could take some time - ## - initialDelaySeconds: 120 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 -## MariaDB Galera containers' readiness probe -## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes -## @param readinessProbe.enabled Turn on and off readiness probe -## @param readinessProbe.initialDelaySeconds Delay before readiness probe is initiated -## @param readinessProbe.periodSeconds How often to perform the probe -## @param readinessProbe.timeoutSeconds 
When the probe times out -## @param readinessProbe.failureThreshold Minimum consecutive failures for the probe -## @param readinessProbe.successThreshold Minimum consecutive successes for the probe -## -readinessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 -## MariaDB Galera containers' startup probe -## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes -## @param startupProbe.enabled Turn on and off startup probe -## @param startupProbe.initialDelaySeconds Delay before startup probe is initiated -## @param startupProbe.periodSeconds How often to perform the probe -## @param startupProbe.timeoutSeconds When the probe times out -## @param startupProbe.failureThreshold Minimum consecutive failures for the probe -## @param startupProbe.successThreshold Minimum consecutive successes for the probe -## -startupProbe: - enabled: false - ## Initializing the database could take some time - ## - initialDelaySeconds: 120 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - ## Let's wait 600 seconds by default, it should give enough time in any cluster for mysql to init - ## - failureThreshold: 48 -## @param customStartupProbe Custom liveness probe for the Web component -## -customStartupProbe: {} -## @param customLivenessProbe Custom liveness probe for the Web component -## -customLivenessProbe: {} -## @param customReadinessProbe Custom rediness probe for the Web component -## -customReadinessProbe: {} -## Pod disruption budget configuration -## -podDisruptionBudget: - ## @param podDisruptionBudget.create Specifies whether a Pod disruption budget should be created - ## - create: false - ## @param podDisruptionBudget.minAvailable Minimum number / percentage of pods that should remain scheduled - ## - minAvailable: 1 - ## @param podDisruptionBudget.maxUnavailable Maximum number / percentage of pods that may be made unavailable - ## - 
maxUnavailable: "" -## Prometheus exporter configuration -## -metrics: - ## @param metrics.enabled Start a side-car prometheus exporter - ## - enabled: false - ## Bitnami MySQL Prometheus exporter image - ## ref: https://hub.docker.com/r/bitnami/mysqld-exporter/tags/ - ## @param metrics.image.registry MariaDB Prometheus exporter image registry - ## @param metrics.image.repository MariaDB Prometheus exporter image repository - ## @param metrics.image.tag MariaDB Prometheus exporter image tag (immutable tags are recommended) - ## @param metrics.image.pullPolicy MariaDB Prometheus exporter image pull policy - ## @param metrics.image.pullSecrets MariaDB Prometheus exporter image pull secrets + ## topologySpreadConstraints: + ## - maxSkew: 1 + ## topologyKey: topology.kubernetes.io/zone + ## whenUnsatisfiable: DoNotSchedule ## - image: - registry: docker.io - repository: bitnami/mysqld-exporter - tag: 0.13.0-debian-10-r236 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName + topologySpreadConstraints: {} + ## @param lifecycleHooks for the galera container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## Enable persistence using Persistent Volume Claims + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + ## Galera container port + ## @param containerPorts.mysql mariadb database container port + ## @param containerPorts.galera galera cluster container port + ## @param containerPorts.ist galera IST container port + ## @param containerPorts.sst galera SST container port + ## + containerPorts: + mysql: 3306 + # Note: Container image is not aware of changes in the following container's ports + galera: 4567 + ist: 4568 + sst: 4444 + + persistence: + ## @param persistence.enabled 
Enable persistence using PVC ## - pullSecrets: [] - ## @param metrics.extraFlags MariaDB Prometheus exporter additional command line flags - ## Can be used to specify command line flags - ## E.g.: - ## extraFlags: - ## - --collect.binlog_size - ## - extraFlags: [] - ## MySQL Prometheus exporter containers' resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + enabled: true + ## @param persistence.existingClaim Provide an existing `PersistentVolumeClaim` + ## + existingClaim: "" + ## @param persistence.subPath Subdirectory of the volume to mount + ## + subPath: "" + ## @param persistence.mountPath Path to mount the volume at + ## + mountPath: /bitnami/mariadb + ## @param persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param persistence.storageClass Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
(gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "longhorn" + ## @param persistence.annotations Persistent Volume Claim annotations + ## + annotations: {} + ## @param persistence.accessModes Persistent Volume Access Modes + ## + accessModes: + - ReadWriteOnce + ## @param persistence.size Persistent Volume Size + ## + size: 8Gi + ## @param priorityClassName Priority Class Name for Statefulset + ## + priorityClassName: "" + ## @param initContainers Additional init containers (this value is evaluated as a template) + ## extraInitContainers: + ## - name: do-something + ## image: bitnami/minideb + ## command: ['do', 'something'] + ## + initContainers: [] + ## @param extraContainers Additional containers (this value is evaluated as a template) + ## + extraContainers: [] + ## extraVolumes and extraVolumeMounts allows you to mount other volumes + ## @param extraVolumes Extra volumes + ## @param extraVolumeMounts Mount extra volume(s) + ## Example Use Cases: + ## mount certificates to enable data-in-transit encryption + ## mount keys for data-at-rest encryption using file plugin + ## e.g: + ## extraVolumes: + ## - name: mariadb-certs + ## secret: + ## defaultMode: 288 + ## secretName: mariadb-certs + ## - name: mariadb-encryption + ## secret: + ## defaultMode: 288 + ## secretName: mariadb-encryption + ## + extraVolumes: [] + ## extraVolumeMounts: + ## - name: mariadb-certs + ## mountPath: /certs + ## readOnly: true + ## - name: mariadb-encryption + ## mountPath: /encryption + ## readOnly: true + ## + extraVolumeMounts: [] + ## MariaDB Galera containers' resource requests and limits ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- ## @param metrics.resources.limits The resources limits for the container - ## @param metrics.resources.requests The requested resources for the container + ## @param resources.limits The resources limits for the container + ## @param resources.requests The requested resources for the container ## resources: ## Example: 
@@ -799,114 +672,242 @@ metrics: ## cpu: 0.5 ## memory: 256Mi requests: {} - ## MySQL Prometheus exporter service parameters - ## @param metrics.service.type Prometheus exporter service type - ## @param metrics.service.port Prometheus exporter service port - ## @param metrics.service.annotations [object] Prometheus exporter service annotations - ## - service: - type: ClusterIP - port: 9104 - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9104" - ## @param metrics.service.loadBalancerIP Load Balancer IP if the Prometheus metrics server type is `LoadBalancer` - ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer + ## MariaDB Galera containers' liveness probe + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param livenessProbe.enabled Turn on and off liveness probe + ## @param livenessProbe.initialDelaySeconds Delay before liveness probe is initiated + ## @param livenessProbe.periodSeconds How often to perform the probe + ## @param livenessProbe.timeoutSeconds When the probe times out + ## @param livenessProbe.failureThreshold Minimum consecutive failures for the probe + ## @param livenessProbe.successThreshold Minimum consecutive successes for the probe + ## + livenessProbe: + enabled: true + ## Initializing the database could take some time ## - loadBalancerIP: "" - ## @param metrics.service.clusterIP Prometheus metrics service Cluster IP - ## e.g.: - ## clusterIP: None - ## - clusterIP: "" - ## @param metrics.service.loadBalancerSourceRanges Prometheus metrics service Load Balancer sources - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## e.g: - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 + initialDelaySeconds: 120 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + ## MariaDB Galera containers' readiness probe + ## ref: 
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param readinessProbe.enabled Turn on and off readiness probe + ## @param readinessProbe.initialDelaySeconds Delay before readiness probe is initiated + ## @param readinessProbe.periodSeconds How often to perform the probe + ## @param readinessProbe.timeoutSeconds When the probe times out + ## @param readinessProbe.failureThreshold Minimum consecutive failures for the probe + ## @param readinessProbe.successThreshold Minimum consecutive successes for the probe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + ## MariaDB Galera containers' startup probe + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param startupProbe.enabled Turn on and off startup probe + ## @param startupProbe.initialDelaySeconds Delay before startup probe is initiated + ## @param startupProbe.periodSeconds How often to perform the probe + ## @param startupProbe.timeoutSeconds When the probe times out + ## @param startupProbe.failureThreshold Minimum consecutive failures for the probe + ## @param startupProbe.successThreshold Minimum consecutive successes for the probe + ## + startupProbe: + enabled: false + ## Initializing the database could take some time ## - loadBalancerSourceRanges: [] - ## @param metrics.service.externalTrafficPolicy Prometheus metrics service external traffic policy - ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + initialDelaySeconds: 120 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + ## Let's wait 600 seconds by default, it should give enough time in any cluster for mysql to init ## - externalTrafficPolicy: Cluster - - ## Prometheus Operator ServiceMonitor configuration + failureThreshold: 48 + ## @param customStartupProbe Custom 
liveness probe for the Web component ## - serviceMonitor: - ## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) + customStartupProbe: {} + ## @param customLivenessProbe Custom liveness probe for the Web component + ## + customLivenessProbe: {} + ## @param customReadinessProbe Custom rediness probe for the Web component + ## + customReadinessProbe: {} + ## Pod disruption budget configuration + ## + podDisruptionBudget: + ## @param podDisruptionBudget.create Specifies whether a Pod disruption budget should be created ## - enabled: false - ## @param metrics.serviceMonitor.namespace Optional namespace which Prometheus is running in + create: false + ## @param podDisruptionBudget.minAvailable Minimum number / percentage of pods that should remain scheduled ## - namespace: "" - ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + minAvailable: 1 + ## @param podDisruptionBudget.maxUnavailable Maximum number / percentage of pods that may be made unavailable ## - jobLabel: "" - ## @param metrics.serviceMonitor.interval How frequently to scrape metrics (use by default, falling back to Prometheus' default) - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## e.g: - ## interval: 10s + maxUnavailable: "" + ## Prometheus exporter configuration + ## + metrics: + ## @param metrics.enabled Start a side-car prometheus exporter ## - interval: "" - ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## e.g: - ## scrapeTimeout: 10s - ## - scrapeTimeout: "" - ## @param metrics.serviceMonitor.selector [object] ServiceMonitor selector labels - ## Default to kube-prometheus install (CoreOS recommended), but should be set according to Prometheus 
install - ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration - ## - selector: - prometheus: kube-prometheus - ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig - ## Value is evalued as a template - ## - relabelings: [] - ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig - ## Value is evalued as a template - ## e.g: - ## - sourceLabels: - ## - "__name__" - ## targetLabel: "__name__" - ## action: replace - ## regex: '(.*)' - ## replacement: 'example_prefix_$1' + enabled: false + ## Bitnami MySQL Prometheus exporter image + ## ref: https://hub.docker.com/r/bitnami/mysqld-exporter/tags/ + ## @param metrics.image.registry MariaDB Prometheus exporter image registry + ## @param metrics.image.repository MariaDB Prometheus exporter image repository + ## @param metrics.image.tag MariaDB Prometheus exporter image tag (immutable tags are recommended) + ## @param metrics.image.pullPolicy MariaDB Prometheus exporter image pull policy + ## @param metrics.image.pullSecrets MariaDB Prometheus exporter image pull secrets + ## + image: + registry: docker.io + repository: bitnami/mysqld-exporter + tag: 0.13.0-debian-10-r236 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.extraFlags MariaDB Prometheus exporter additional command line flags + ## Can be used to specify command line flags + ## E.g.: + ## extraFlags: + ## - --collect.binlog_size ## 
- metricRelabelings: [] - ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels + extraFlags: [] + ## MySQL Prometheus exporter containers' resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param metrics.resources.limits The resources limits for the container + ## @param metrics.resources.requests The requested resources for the container ## - honorLabels: false - ## @param metrics.serviceMonitor.labels ServiceMonitor extra labels + resources: + ## Example: + ## limits: + ## cpu: 0.5 + ## memory: 256Mi + limits: {} + ## Examples: + ## requests: + ## cpu: 0.5 + ## memory: 256Mi + requests: {} + ## MySQL Prometheus exporter service parameters + ## @param metrics.service.type Prometheus exporter service type + ## @param metrics.service.port Prometheus exporter service port + ## @param metrics.service.annotations [object] Prometheus exporter service annotations ## - labels: {} + service: + type: ClusterIP + port: 9104 + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9104" + ## @param metrics.service.loadBalancerIP Load Balancer IP if the Prometheus metrics server type is `LoadBalancer` + ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer + ## + loadBalancerIP: "" + ## @param metrics.service.clusterIP Prometheus metrics service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param metrics.service.loadBalancerSourceRanges Prometheus metrics service Load Balancer sources + ## ref: 
https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param metrics.service.externalTrafficPolicy Prometheus metrics service external traffic policy + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster - ## Prometheus Operator PrometheusRule configuration - ## - prometheusRules: - ## @param metrics.prometheusRules.enabled if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true`, and makes little sense without ServiceMonitor) + ## Prometheus Operator ServiceMonitor configuration ## - enabled: false - ## @param metrics.prometheusRules.selector [object] Additional labels to add to the PrometheusRule so it is picked up by the operator - ## If using the [Helm Chart](https://github.com/helm/charts/tree/master/stable/prometheus-operator) this is the name of the Helm release and 'app: prometheus-operator' + serviceMonitor: + ## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Optional namespace which Prometheus is running in + ## + namespace: "" + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. 
+ ## + jobLabel: "" + ## @param metrics.serviceMonitor.interval How frequently to scrape metrics (use by default, falling back to Prometheus' default) + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## e.g: + ## interval: 10s + ## + interval: "" + ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## e.g: + ## scrapeTimeout: 10s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.selector [object] ServiceMonitor selector labels + ## Default to kube-prometheus install (CoreOS recommended), but should be set according to Prometheus install + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + selector: + prometheus: kube-prometheus + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## e.g: + ## - sourceLabels: + ## - "__name__" + ## targetLabel: "__name__" + ## action: replace + ## regex: '(.*)' + ## replacement: 'example_prefix_$1' + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## @param metrics.serviceMonitor.labels ServiceMonitor extra labels + ## + labels: {} + + ## Prometheus Operator PrometheusRule configuration ## - selector: - app: prometheus-operator - release: prometheus - ## @param metrics.prometheusRules.rules 
PrometheusRule rules to configure - ## e.g: - ## - alert: MariaDB-Down - ## annotations: - ## message: 'MariaDB instance {{ $labels.instance }} is down' - ## summary: MariaDB instance is down - ## expr: absent(up{job="mariadb-galera"} == 1) - ## labels: - ## severity: warning - ## service: mariadb-galera - ## for: 5m - ## - rules: {} \ No newline at end of file + prometheusRules: + ## @param metrics.prometheusRules.enabled if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true`, and makes little sense without ServiceMonitor) + ## + enabled: false + ## @param metrics.prometheusRules.selector [object] Additional labels to add to the PrometheusRule so it is picked up by the operator + ## If using the [Helm Chart](https://github.com/helm/charts/tree/master/stable/prometheus-operator) this is the name of the Helm release and 'app: prometheus-operator' + ## + selector: + app: prometheus-operator + release: prometheus + ## @param metrics.prometheusRules.rules PrometheusRule rules to configure + ## e.g: + ## - alert: MariaDB-Down + ## annotations: + ## message: 'MariaDB instance {{ $labels.instance }} is down' + ## summary: MariaDB instance is down + ## expr: absent(up{job="mariadb-galera"} == 1) + ## labels: + ## severity: warning + ## service: mariadb-galera + ## for: 5m + ## + rules: {} \ No newline at end of file From 00168662594c79547a0ff7eb1b3ca618fc1bb768 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 28 Feb 2022 11:56:15 +0100 Subject: [PATCH 129/334] config: force boostrap --- home/mariadb-galera/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/mariadb-galera/values.yaml b/home/mariadb-galera/values.yaml index 96028b7aa7..8e6f20ae9b 100644 --- a/home/mariadb-galera/values.yaml +++ b/home/mariadb-galera/values.yaml 
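Review bot: The descriptions carried over for the re-nested `customStartupProbe`, `customLivenessProbe` and `customReadinessProbe` keys (middle of the hunk) still read `Custom liveness probe for the Web component`, which is wrong twice for this file: `customStartupProbe` is a startup probe, and there is no web component here, only the Galera container(s). This looks like a copy of the upstream chart's default values moved under a parent key, so the wording can be fixed in this copy without touching behaviour, e.g. `## @param customStartupProbe Custom startup probe for the Galera container(s)`, the same pattern for the other two, and `rediness` corrected to `readiness` on the third. Worth a comment as well: the hunk keeps the upstream `metrics.serviceMonitor.selector` (`prometheus: kube-prometheus`) and `metrics.prometheusRules.selector` (`app: prometheus-operator`, `release: prometheus`) defaults; with `metrics.enabled: false` nothing is rendered today, but if metrics are switched on later these labels must match the Prometheus Operator release actually installed in this cluster or the ServiceMonitor and PrometheusRule are created and silently never picked up.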
@@ -273,7 +273,7 @@ mariadb:
 bootstrap:
 ## @param galera.bootstrap.forceBootstrap Option to force the boostraping from the indicated node in `galera.bootstarp.bootstrapFromNode`
 ##
- forceBootstrap: false
+ forceBootstrap: true
 ## @param galera.bootstrap.bootstrapFromNode Node to bootstrap from, you will need to change this parameter in case you want to bootstrap from other node
 ##
 bootstrapFromNode: 0
From f63bade304697588adb182cb9c3b0a1047bdfdd3 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Mon, 28 Feb 2022 12:04:11 +0100
Subject: [PATCH 130/334] README.md
---
 README.md | 248 +-----------------------------------------------------
 1 file changed, 1 insertion(+), 247 deletions(-)
diff --git a/README.md b/README.md
index b5448dac0c..e51cdcc6d5 100644
--- a/README.md
+++ b/README.md
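Review bot: `forceBootstrap: true` is a one-off recovery switch, but committing it to a GitOps-managed values file keeps it in effect on every sync, so each later restart of node 0 is again told to start a new cluster from its own state regardless of whether the other members hold newer writes, which is the usual route to a split cluster or silent data loss in Galera (assuming this key behaves as the upstream chart's option does). The file gives no hint that this is temporary; at minimum add `## TODO: revert to false once the cluster is healthy; leaving this on re-bootstraps from node 0 on every restart` above the key, and confirm before merging that node 0 (`bootstrapFromNode: 0`) is the member with the most recent state rather than simply the first one. A follow-up commit that flips the value back to `false` once recovery is done would close the loop.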
@@ -1,247 +1 @@ -<<<<<<< HEAD -# Jupiter Mein Homelab -======= -# Khue's Homelab - - - -[![chat](https://img.shields.io/matrix/homelab:matrix.khuedoan.com?style=flat-square&logo=matrix&logoColor=white&label=chat)](https://matrix.to/#/#homelab:matrix.khuedoan.com) -[![tag](https://img.shields.io/github/v/tag/khuedoan/homelab?style=flat-square&logo=semver&logoColor=white)](https://github.com/khuedoan/homelab/tags) -[![document](https://img.shields.io/website?label=document&logo=gitbook&logoColor=white&style=flat-square&url=https%3A%2F%2Fhomelab.khuedoan.com)](https://homelab.khuedoan.com) -[![license](https://img.shields.io/github/license/khuedoan/homelab?style=flat-square&logo=gnu&logoColor=white)](https://www.gnu.org/licenses/gpl-3.0.html) -[![stars](https://img.shields.io/github/stars/khuedoan/homelab?logo=github&logoColor=white&color=gold&style=flat-square)](https://github.com/khuedoan/homelab) - -Current status: **ALPHA** - -This project utilizes [Infrastructure as Code](https://en.wikipedia.org/wiki/Infrastructure_as_code) and [GitOps](https://www.weave.works/technologies/gitops) to automate provisioning, operating, and updating self-hosted services in my homelab. -It can be used as a highly customizable framework to build your own homelab. - - - - - - - - -## Overview - -This section provides a high level overview of the project. -For further information, please see the [documentation](https://homelab.khuedoan.com). - -### Hardware - -![Hardware](https://user-images.githubusercontent.com/27996771/98970963-25137200-2543-11eb-8f2d-f9a2d45756ef.JPG) - -- 4 × NEC SFF `PC-MK26ECZDR` (Japanese version of the ThinkCentre M700): - - CPU: `Intel Core i5-6600T @ 2.70GHz` - - RAM: `16GB` - - SSD: `128GB` -- TP-Link `TL-SG108` switch: - - Ports: `8` - - Speed: `1000Mbps` - -### Features - -Project status: **Alpha** (see [roadmap](#roadmap) below) - -- [x] Common applications: Gitea, Seafile, Jellyfin, Paperless... 
-- [x] Automated bare metal provisioning with PXE boot -- [x] Automated Kubernetes installation and management -- [x] Installing and managing applications using GitOps -- [x] Modular architecture, easy to add or remove features/components -- [x] Automated certificate management -- [x] Automatically update DNS records for exposed services -- [x] Expose services to the internet securely with [Cloudflare Tunnel](https://www.cloudflare.com/products/tunnel/) -- [x] CI/CD platform -- [x] Private container registry -- [x] Distributed storage -- [x] Support multiple environments (dev, stag, prod) -- [ ] Monitoring and alerting 🚧 -- [ ] Automated offsite backups 🚧 -- [ ] Single sign-on 🚧 - -Screenshots of some user-facing applications are shown here, I will update them before each release. -They can't capture all of the project's features, but they are sufficient to get a concept of it. - -| ![](https://user-images.githubusercontent.com/27996771/149445807-0f869eb7-d8f5-4fef-ab97-ac281df91a06.png) | -| :--: | -| Homepage with Ingress discovery powered by [Hajimari](https://github.com/toboshii/hajimari) | - -| ![](https://user-images.githubusercontent.com/27996771/149444871-38889c9d-862f-41ff-8c05-8ece21da3e9c.png) | -| :--: | -| Git server powered by [Gitea](https://gitea.io/en-us/) | - -| ![](https://user-images.githubusercontent.com/27996771/149445374-58fd0605-bb9a-46e4-81d6-5e584d2b94a9.png) | -| :--: | -| Continuous integration with [Tekton](https://tekton.dev/) | - -| ![](https://user-images.githubusercontent.com/27996771/149444716-fc0d7282-4cf7-4ddb-97a4-1a3fb47ff2b8.png) | -| :--: | -| Continuous deployment with [ArgoCD](https://argoproj.github.io/cd/) | - -| ![](https://user-images.githubusercontent.com/27996771/149446631-1c5d056b-1fdc-48e6-96ba-e1abe1762be0.png) | -| :--: | -| Monitoring dashboard powered by [Grafana](https://grafana.com/) | - -| ![](https://user-images.githubusercontent.com/27996771/149448510-7163310c-2049-4ccd-901d-f11f605bfc32.png) | -| :--: | -| 
[Matrix](https://matrix.org/) chat server powered by [Element](https://matrix.org/docs/projects/client/element) and [Dendrite](https://matrix.org/docs/projects/server/dendrite) | - -| ![](https://user-images.githubusercontent.com/27996771/149448896-9d79947d-468c-45c6-a81d-b43654e8ab6b.png) | -| :--: | -| Cluster management using [Lens](https://k8slens.dev/) (or you can just use `kubectl`) | - -| ![](https://user-images.githubusercontent.com/27996771/149452309-de4a893b-e94c-4ba8-9119-ea87449cf77e.png) | -| :--: | -| Secret management with [Vault](https://www.vaultproject.io/) | - -### Tech stack - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LogoNameDescription
AnsibleAutomate bare metal provisioning and configuration
ArgoCDGitOps tool built to deploy applications to Kubernetes
cert-managerCloud native certificate management
CloudflareDNS and Tunnel
DockerEphermeral PXE server and convenient tools container
GiteaSelf-hosted Git service
GrafanaOperational dashboards
HelmThe package manager for Kubernetes
K3sLightweight distribution of Kubernetes
KubernetesContainer-orchestration system, the backbone of this project
LokiLog aggregation system
LonghornCloud native distributed block storage for Kubernetes
MetalLBBare metal load-balancer for Kubernetes
NGINXKubernetes Ingress Controller
PrometheusSystems monitoring and alerting toolkit
Rocky LinuxBase OS for Kubernetes nodes
TektonCloud native solution for building CI/CD systems
TrowPrivate container registry
VaultSecrets and encryption management system
- -## Get Started - -- [Try it out on a VM](https://homelab.khuedoan.com/try_on_a_vm.html) without any hardware -- [Deploy on real hardware](https://homelab.khuedoan.com/deployment) for real workload - -## Roadmap - -See [roadmap](https://homelab.khuedoan.com/roadmap.html) and [open issues](https://github.com/khuedoan/homelab/issues) for a list of proposed features and known issues. - -## Contributing - -Any contributions you make, either big or small, are greatly appreciated. - -## License - -> Copyright (c) 2020, 2021, 2022 Khue Doan - -
- -Distributed under the GPLv3 License. - -This project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. - -This project is distributed in the hope that it will be useful, but **WITHOUT ANY WARRANTY**; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. -See the GNU General Public License for more details. - -You should have received a copy of the GNU General Public License along with this project (`LICENSE.md`). -If not, see . - -
-
-## Acknowledgements
-
-- [ArgoCD usage in my coworker's homelab](https://github.com/locmai/humble)
-- [README template](https://github.com/othneildrew/Best-README-Template)
-- [Run the same Cloudflare Tunnel across many `cloudflared` processes](https://developers.cloudflare.com/cloudflare-one/tutorials/many-cfd-one-tunnel)
-- [MAC address environment variable in GRUB config](https://askubuntu.com/questions/1272400/how-do-i-automate-network-installation-of-many-ubuntu-18-04-systems-with-efi-and)
-- [Official k3s systemd service file](https://github.com/k3s-io/k3s/blob/master/k3s.service)
-- [Official Cloudflare Tunnel examples](https://github.com/cloudflare/argo-tunnel-examples)
-- [Initialize GitOps repository on Gitea and integrate with Tekton by RedHat](https://github.com/redhat-scholars/tekton-tutorial/tree/master/triggers)
-
-## Stargazers over time
-
-[![Stargazers over time](https://starchart.cc/khuedoan/homelab.svg)](https://starchart.cc/khuedoan/homelab)
->>>>>>> 0a171ab708efd43fd34026408d092215681a7328
+# Jupiter Mein Homelab
\ No newline at end of file
From ba3b6b7afd10ab66e26699c83b4b98703b20c834 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Mon, 28 Feb 2022 13:16:27 +0100
Subject: [PATCH 131/334] feat: moved away from galera
---
 home/mariadb/Chart.yaml | 7 +
 home/mariadb/values.yaml | 1248 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 1255 insertions(+)
 create mode 100644 home/mariadb/Chart.yaml
 create mode 100644 home/mariadb/values.yaml
diff --git a/home/mariadb/Chart.yaml b/home/mariadb/Chart.yaml
new file mode 100644
index 0000000000..d6c121b3bd
--- /dev/null
+++ b/home/mariadb/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: mariadb
+version: 0.0.0
+dependencies:
+ - name: mariadb
+ version: 1.11.1
+ repository: https://charts.bitnami.com/bitnami
\ No newline at end of file
diff --git a/home/mariadb/values.yaml b/home/mariadb/values.yaml
new file mode 100644
index 0000000000..593fb151a4
--- /dev/null
+++ b/home/mariadb/values.yaml
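Review bot: The dependency pin `version: 1.11.1` in Chart.yaml does not look consistent with the values.yaml added in the same commit, whose layout (`diagnosticMode`, `architecture`, separate `primary`/`secondary` sections, `primary.service.ports.mysql`, image tag `10.5.15-debian-10-r11`) matches considerably newer bitnami/mariadb chart releases; if the number is a typo, `helm dependency update` will either fail or fetch a chart that silently ignores most of these values. I would confirm the intended release with `helm search repo bitnami/mariadb --versions` and pin that one. The diffstat also shows only additions, so despite the subject "moved away from galera" the `home/mariadb-galera` chart touched in PATCH 129 is still present after this commit; if both directories are deployed by the same mechanism, the Galera cluster keeps running with its `forceBootstrap: true` setting alongside the new standalone instance.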
@@ -0,0 +1,1248 @@ +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass + +## @param global.imageRegistry Global Docker Image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.storageClass Global storage class for dynamic provisioning +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" + +## @section Common parameters + +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param nameOverride String to partially override mariadb.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override mariadb.fullname +## +fullnameOverride: "" +## @param clusterDomain Default Kubernetes cluster domain +## +clusterDomain: cluster.local +## @param commonAnnotations Common annotations to add to all MariaDB resources (sub-charts are not considered) +## +commonAnnotations: {} +## @param commonLabels Common labels to add to all MariaDB resources (sub-charts are not considered) +## +commonLabels: {} +## @param schedulerName Name of the scheduler (other than default) to dispatch pods +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) +## +extraDeploy: [] + +## Enable diagnostic mode in the deployment +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + 
command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity + +## @section MariaDB common parameters + +## Bitnami MariaDB image +## ref: https://hub.docker.com/r/bitnami/mariadb/tags/ +## @param image.registry MariaDB image registry +## @param image.repository MariaDB image repository +## @param image.tag MariaDB image tag (immutable tags are recommended) +## @param image.pullPolicy MariaDB image pull policy +## @param image.pullSecrets Specify docker-registry secret names as an array +## @param image.debug Specify if debug logs should be enabled +## +image: + registry: docker.io + repository: bitnami/mariadb + tag: 10.5.15-debian-10-r11 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## It turns BASH and/or NAMI debugging in the image + ## + debug: false +## @param architecture MariaDB architecture (`standalone` or `replication`) +## +architecture: standalone +## MariaDB Authentication parameters +## +auth: + ## @param auth.rootPassword Password for the `root` user. Ignored if existing secret is provided. 
+ ## ref: https://github.com/bitnami/bitnami-docker-mariadb#setting-the-root-password-on-first-run + ## + rootPassword: "" + ## @param auth.database Name for a custom database to create + ## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#creating-a-database-on-first-run + ## + database: my_database + ## @param auth.username Name for a custom user to create + ## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#creating-a-database-user-on-first-run + ## + username: "" + ## @param auth.password Password for the new user. Ignored if existing secret is provided + ## + password: "" + ## @param auth.replicationUser MariaDB replication user + ## ref: https://github.com/bitnami/bitnami-docker-mariadb#setting-up-a-replication-cluster + ## + replicationUser: replicator + ## @param auth.replicationPassword MariaDB replication user password. Ignored if existing secret is provided + ## ref: https://github.com/bitnami/bitnami-docker-mariadb#setting-up-a-replication-cluster + ## + replicationPassword: "" + ## @param auth.existingSecret Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` + ## + existingSecret: "" + ## @param auth.forcePassword Force users to specify required passwords + ## + forcePassword: false + ## @param auth.usePasswordFiles Mount credentials as a files instead of using an environment variable + ## + usePasswordFiles: false + ## @param auth.customPasswordFiles Use custom password files when `auth.usePasswordFiles` is set to `true`. 
Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication` + ## Example: + ## customPasswordFiles: + ## root: /vault/secrets/mariadb-root + ## user: /vault/secrets/mariadb-user + ## replicator: /vault/secrets/mariadb-replicator + ## + customPasswordFiles: {} +## @param initdbScripts Dictionary of initdb scripts +## Specify dictionary of scripts to be run at first boot +## Example: +## initdbScripts: +## my_init_script.sh: | +## #!/bin/bash +## echo "Do something." +## +initdbScripts: {} +## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) +## +initdbScriptsConfigMap: "" + +## @section MariaDB Primary parameters + +## Mariadb Primary parameters +## +primary: + ## @param primary.command Override default container command on MariaDB Primary container(s) (useful when using custom images) + ## + command: [] + ## @param primary.args Override default container args on MariaDB Primary container(s) (useful when using custom images) + ## + args: [] + ## @param primary.lifecycleHooks for the MariaDB Primary container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param primary.hostAliases Add deployment host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param primary.configuration [string] MariaDB Primary configuration to be injected as ConfigMap + ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file + ## + configuration: |- + [mysqld] + skip-name-resolve + explicit_defaults_for_timestamp + basedir=/opt/bitnami/mariadb + plugin_dir=/opt/bitnami/mariadb/plugin + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + tmpdir=/opt/bitnami/mariadb/tmp + max_allowed_packet=16M + bind-address=:: + pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid + log-error=/opt/bitnami/mariadb/logs/mysqld.log + 
character-set-server=UTF8 + collation-server=utf8_general_ci + + [client] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + default-character-set=UTF8 + plugin_dir=/opt/bitnami/mariadb/plugin + + [manager] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid + ## @param primary.existingConfigmap Name of existing ConfigMap with MariaDB Primary configuration. + ## NOTE: When it's set the 'configuration' parameter is ignored + ## + existingConfigmap: "" + ## @param primary.updateStrategy.type MariaDB primary statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + ## @param primary.rollingUpdatePartition Partition update strategy for Mariadb Primary statefulset + ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions + ## + rollingUpdatePartition: "" + ## @param primary.podAnnotations Additional pod annotations for MariaDB primary pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param primary.podLabels Extra labels for MariaDB primary pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param primary.podAffinityPreset MariaDB primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param primary.podAntiAffinityPreset MariaDB primary pod anti-affinity preset. Ignored if `primary.affinity` is set. 
Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Mariadb Primary node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param primary.nodeAffinityPreset.type MariaDB primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param primary.nodeAffinityPreset.key MariaDB primary node label key to match Ignored if `primary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param primary.nodeAffinityPreset.values MariaDB primary node label values to match. Ignored if `primary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param primary.affinity Affinity for MariaDB primary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param primary.nodeSelector Node labels for MariaDB primary pods assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param primary.tolerations Tolerations for MariaDB primary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param primary.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param primary.podManagementPolicy podManagementPolicy to manage scaling operation of MariaDB primary pods + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies + ## + 
podManagementPolicy: "" + ## @param primary.topologySpreadConstraints Topology Spread Constraints for MariaDB primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## E.g. + ## topologySpreadConstraints: + ## - maxSkew: 1 + ## topologyKey: topology.kubernetes.io/zone + ## whenUnsatisfiable: DoNotSchedule + ## + topologySpreadConstraints: {} + ## @param primary.priorityClassName Priority class for MariaDB primary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + ## MariaDB primary Pod security context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param primary.podSecurityContext.enabled Enable security context for MariaDB primary pods + ## @param primary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## MariaDB primary container security context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param primary.containerSecurityContext.enabled MariaDB primary container securityContext + ## @param primary.containerSecurityContext.runAsUser User ID for the MariaDB primary container + ## @param primary.containerSecurityContext.runAsNonRoot Set Controller container's Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## MariaDB primary container's resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. 
If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param primary.resources.limits The resources limits for MariaDB primary containers + ## @param primary.resources.requests The requested resources for MariaDB primary containers + ## + resources: + ## Example: + ## limits: + ## cpu: 100m + ## memory: 256Mi + limits: {} + ## Examples: + ## requests: + ## cpu: 100m + ## memory: 256Mi + requests: {} + ## Configure extra options for MariaDB primary containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## @param primary.startupProbe.enabled Enable startupProbe + ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe + ## @param primary.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param primary.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 120 + periodSeconds: 15 + timeoutSeconds: 5 + failureThreshold: 10 + successThreshold: 1 + ## Configure extra options for liveness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param primary.livenessProbe.enabled Enable livenessProbe + ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param primary.livenessProbe.successThreshold Success 
threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 120 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param primary.readinessProbe.enabled Enable readinessProbe + ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param primary.customStartupProbe Override default startup probe for MariaDB primary containers + ## + customStartupProbe: {} + ## @param primary.customLivenessProbe Override default liveness probe for MariaDB primary containers + ## + customLivenessProbe: {} + ## @param primary.customReadinessProbe Override default readiness probe for MariaDB primary containers + ## + customReadinessProbe: {} + ## @param primary.startupWaitOptions Override default builtin startup wait check options for MariaDB primary containers + ## `bitnami/mariadb` Docker image has built-in startup check mechanism, + ## which periodically checks if MariaDB service has started up and stops it + ## if all checks have failed after X tries. Use these to control these checks. + ## ref: https://github.com/bitnami/bitnami-docker-mariadb/pull/240 + ## Example (with default options): + ## startupWaitOptions: + ## retries: 300 + ## waitTime: 2 + ## + startupWaitOptions: {} + ## @param primary.extraFlags MariaDB primary additional command line flags + ## Can be used to specify command line flags, for example: + ## E.g. 
+ ## extraFlags: "--max-connect-errors=1000 --max_connections=155" + ## + extraFlags: "" + ## @param primary.extraEnvVars Extra environment variables to be set on MariaDB primary containers + ## E.g. + ## extraEnvVars: + ## - name: TZ + ## value: "Europe/Paris" + ## + extraEnvVars: [] + ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for MariaDB primary containers + ## + extraEnvVarsCM: "" + ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for MariaDB primary containers + ## + extraEnvVarsSecret: "" + ## Enable persistence using Persistent Volume Claims + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param primary.persistence.enabled Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir + ## + enabled: true + ## @param primary.persistence.existingClaim Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas + ## NOTE: When it's set the rest of persistence parameters are ignored + ## + existingClaim: "" + ## @param primary.persistence.subPath Subdirectory of the volume to mount at + ## + subPath: "" + ## @param primary.persistence.storageClass MariaDB primary persistent volume storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
(gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param primary.persistence.annotations MariaDB primary persistent volume claim annotations + ## + annotations: {} + ## @param primary.persistence.accessModes MariaDB primary persistent volume access Modes + ## + accessModes: + - ReadWriteOnce + ## @param primary.persistence.size MariaDB primary persistent volume size + ## + size: 8Gi + ## @param primary.persistence.selector Selector to match an existing Persistent Volume + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param primary.extraVolumes Optionally specify extra list of additional volumes to the MariaDB Primary pod(s) + ## + extraVolumes: [] + ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MariaDB Primary container(s) + ## + extraVolumeMounts: [] + ## @param primary.initContainers Add additional init containers for the MariaDB Primary pod(s) + ## + initContainers: [] + ## @param primary.sidecars Add additional sidecar containers for the MariaDB Primary pod(s) + ## + sidecars: [] + ## MariaDB Primary Service parameters + ## + service: + ## @param primary.service.type MariaDB Primary Kubernetes service type + ## + type: ClusterIP + ## @param primary.service.ports.mysql MariaDB Primary Kubernetes service port + ## + ports: + mysql: 3306 + ## @param primary.service.nodePorts.mysql MariaDB Primary Kubernetes service node port + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + mysql: "" + ## @param primary.service.clusterIP MariaDB Primary Kubernetes service clusterIP IP + ## + clusterIP: "" + ## @param primary.service.loadBalancerIP MariaDB Primary loadBalancerIP if service type is `LoadBalancer` + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param primary.service.externalTrafficPolicy Enable client source IP 
preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param primary.service.loadBalancerSourceRanges Address that are allowed when MariaDB Primary service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## E.g. + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param primary.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param primary.service.annotations Provide any additional annotations which may be required + ## + annotations: {} + ## @param primary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param primary.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + sessionAffinityConfig: {} + ## MariaDB primary Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + ## + pdb: + ## @param primary.pdb.create Enable/disable a Pod Disruption Budget creation for MariaDB primary pods + ## + create: false + ## @param primary.pdb.minAvailable Minimum number/percentage of MariaDB primary pods that must still be available after the eviction + ## + minAvailable: 1 + ## @param primary.pdb.maxUnavailable Maximum number/percentage of MariaDB primary pods that can be unavailable after the eviction + ## + maxUnavailable: "" + ## @param primary.revisionHistoryLimit Maximum number of revisions that will be maintained in the 
StatefulSet + ## + revisionHistoryLimit: 10 + +## @section MariaDB Secondary parameters + +## Mariadb Secondary parameters +## +secondary: + ## @param secondary.replicaCount Number of MariaDB secondary replicas + ## + replicaCount: 1 + ## @param secondary.command Override default container command on MariaDB Secondary container(s) (useful when using custom images) + ## + command: [] + ## @param secondary.args Override default container args on MariaDB Secondary container(s) (useful when using custom images) + ## + args: [] + ## @param secondary.lifecycleHooks for the MariaDB Secondary container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param secondary.hostAliases Add deployment host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param secondary.configuration [string] MariaDB Secondary configuration to be injected as ConfigMap + ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file + ## + configuration: |- + [mysqld] + skip-name-resolve + explicit_defaults_for_timestamp + basedir=/opt/bitnami/mariadb + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + tmpdir=/opt/bitnami/mariadb/tmp + max_allowed_packet=16M + bind-address=0.0.0.0 + pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid + log-error=/opt/bitnami/mariadb/logs/mysqld.log + character-set-server=UTF8 + collation-server=utf8_general_ci + + [client] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + default-character-set=UTF8 + + [manager] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid + ## @param secondary.existingConfigmap Name of existing ConfigMap with MariaDB Secondary configuration. 
+ ## NOTE: When it's set the 'configuration' parameter is ignored + ## + existingConfigmap: "" + ## @param secondary.updateStrategy.type MariaDB secondary statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + ## @param secondary.rollingUpdatePartition Partition update strategy for Mariadb Secondary statefulset + ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions + ## + rollingUpdatePartition: "" + ## @param secondary.podAnnotations Additional pod annotations for MariaDB secondary pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param secondary.podLabels Extra labels for MariaDB secondary pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param secondary.podAffinityPreset MariaDB secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param secondary.podAntiAffinityPreset MariaDB secondary pod anti-affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Mariadb Secondary node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param secondary.nodeAffinityPreset.type MariaDB secondary node affinity preset type. Ignored if `secondary.affinity` is set. 
Allowed values: `soft` or `hard` + ## + type: "" + ## @param secondary.nodeAffinityPreset.key MariaDB secondary node label key to match Ignored if `secondary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param secondary.nodeAffinityPreset.values MariaDB secondary node label values to match. Ignored if `secondary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param secondary.affinity Affinity for MariaDB secondary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param secondary.nodeSelector Node labels for MariaDB secondary pods assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param secondary.tolerations Tolerations for MariaDB secondary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param secondary.topologySpreadConstraints Topology Spread Constraints for MariaDB secondary pods assignment + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## E.g. 
+ ## topologySpreadConstraints: + ## - maxSkew: 1 + ## topologyKey: topology.kubernetes.io/zone + ## whenUnsatisfiable: DoNotSchedule + ## + topologySpreadConstraints: {} + ## @param secondary.priorityClassName Priority class for MariaDB secondary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + ## @param secondary.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param secondary.podManagementPolicy podManagementPolicy to manage scaling operation of MariaDB secondary pods + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies + ## + podManagementPolicy: "" + ## MariaDB secondary Pod security context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param secondary.podSecurityContext.enabled Enable security context for MariaDB secondary pods + ## @param secondary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## MariaDB secondary container security context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param secondary.containerSecurityContext.enabled MariaDB secondary container securityContext + ## @param secondary.containerSecurityContext.runAsUser User ID for the MariaDB secondary container + ## @param secondary.containerSecurityContext.runAsNonRoot Set Controller container's Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## MariaDB secondary container's resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to 
specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param secondary.resources.limits The resources limits for MariaDB secondary containers + ## @param secondary.resources.requests The requested resources for MariaDB secondary containers + ## + resources: + ## Example: + ## limits: + ## cpu: 100m + ## memory: 256Mi + limits: {} + ## Examples: + ## requests: + ## cpu: 100m + ## memory: 256Mi + requests: {} + ## Configure extra options for MariaDB Secondary containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## @param secondary.startupProbe.enabled Enable startupProbe + ## @param secondary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param secondary.startupProbe.periodSeconds Period seconds for startupProbe + ## @param secondary.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param secondary.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param secondary.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 120 + periodSeconds: 15 + timeoutSeconds: 5 + failureThreshold: 10 + successThreshold: 1 + ## Configure extra options for liveness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param secondary.livenessProbe.enabled Enable livenessProbe + ## @param secondary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param secondary.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param 
secondary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param secondary.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param secondary.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 120 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param secondary.readinessProbe.enabled Enable readinessProbe + ## @param secondary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param secondary.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param secondary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param secondary.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param secondary.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param secondary.customStartupProbe Override default startup probe for MariaDB secondary containers + ## + customStartupProbe: {} + ## @param secondary.customLivenessProbe Override default liveness probe for MariaDB secondary containers + ## + customLivenessProbe: {} + ## @param secondary.customReadinessProbe Override default readiness probe for MariaDB secondary containers + ## + customReadinessProbe: {} + ## @param secondary.startupWaitOptions Override default builtin startup wait check options for MariaDB secondary containers + ## `bitnami/mariadb` Docker image has built-in startup check mechanism, + ## which periodically checks if MariaDB service has started up and stops it + ## if all checks have failed after X tries. Use these to control these checks. 
+ ## ref: https://github.com/bitnami/bitnami-docker-mariadb/pull/240 + ## Example (with default options): + ## startupWaitOptions: + ## retries: 300 + ## waitTime: 2 + ## + startupWaitOptions: {} + ## @param secondary.extraFlags MariaDB secondary additional command line flags + ## Can be used to specify command line flags, for example: + ## E.g. + ## extraFlags: "--max-connect-errors=1000 --max_connections=155" + ## + extraFlags: "" + ## @param secondary.extraEnvVars Extra environment variables to be set on MariaDB secondary containers + ## E.g. + ## extraEnvVars: + ## - name: TZ + ## value: "Europe/Paris" + ## + extraEnvVars: [] + ## @param secondary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for MariaDB secondary containers + ## + extraEnvVarsCM: "" + ## @param secondary.extraEnvVarsSecret Name of existing Secret containing extra env vars for MariaDB secondary containers + ## + extraEnvVarsSecret: "" + ## Enable persistence using Persistent Volume Claims + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param secondary.persistence.enabled Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim` + ## + enabled: true + ## @param secondary.persistence.subPath Subdirectory of the volume to mount at + ## + subPath: "" + ## @param secondary.persistence.storageClass MariaDB secondary persistent volume storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
(gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param secondary.persistence.annotations MariaDB secondary persistent volume claim annotations + ## + annotations: {} + ## @param secondary.persistence.accessModes MariaDB secondary persistent volume access Modes + ## + accessModes: + - ReadWriteOnce + ## @param secondary.persistence.size MariaDB secondary persistent volume size + ## + size: 8Gi + ## @param secondary.persistence.selector Selector to match an existing Persistent Volume + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param secondary.extraVolumes Optionally specify extra list of additional volumes to the MariaDB secondary pod(s) + ## + extraVolumes: [] + ## @param secondary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MariaDB secondary container(s) + ## + extraVolumeMounts: [] + ## @param secondary.initContainers Add additional init containers for the MariaDB secondary pod(s) + ## + initContainers: [] + ## @param secondary.sidecars Add additional sidecar containers for the MariaDB secondary pod(s) + ## + sidecars: [] + ## MariaDB Secondary Service parameters + ## + service: + ## @param secondary.service.type MariaDB secondary Kubernetes service type + ## + type: ClusterIP + ## @param secondary.service.ports.mysql MariaDB secondary Kubernetes service port + ## + ports: + mysql: 3306 + ## @param secondary.service.nodePorts.mysql MariaDB secondary Kubernetes service node port + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + mysql: "" + ## @param secondary.service.clusterIP MariaDB secondary Kubernetes service clusterIP IP + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param secondary.service.loadBalancerIP MariaDB secondary loadBalancerIP if service type is `LoadBalancer` + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: 
"" + ## @param secondary.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param secondary.service.loadBalancerSourceRanges Address that are allowed when MariaDB secondary service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## E.g. + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param secondary.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param secondary.service.annotations Provide any additional annotations which may be required + ## + annotations: {} + ## @param secondary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param secondary.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + sessionAffinityConfig: {} + ## MariaDB secondary Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + ## + pdb: + ## @param secondary.pdb.create Enable/disable a Pod Disruption Budget creation for MariaDB secondary pods + ## + create: false + ## @param secondary.pdb.minAvailable Minimum number/percentage of MariaDB secondary pods that should remain scheduled + ## + minAvailable: 1 + ## @param secondary.pdb.maxUnavailable Maximum number/percentage of MariaDB secondary pods that may be made unavailable + ## + maxUnavailable: "" + ## @param 
secondary.revisionHistoryLimit Maximum number of revisions that will be maintained in the StatefulSet + ## + revisionHistoryLimit: 10 + +## @section RBAC parameters + +## MariaDB pods ServiceAccount +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + ## @param serviceAccount.create Enable the creation of a ServiceAccount for MariaDB pods + ## + create: true + ## @param serviceAccount.name Name of the created ServiceAccount + ## If not set and create is true, a name is generated using the mariadb.fullname template + ## + name: "" + ## @param serviceAccount.annotations Annotations for MariaDB Service Account + ## + annotations: {} + ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account + ## + automountServiceAccountToken: false +## Role Based Access +## ref: https://kubernetes.io/docs/admin/authorization/rbac/ +## +rbac: + ## @param rbac.create Whether to create and use RBAC resources or not + ## + create: false + +## @section Volume Permissions parameters + +## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. 
+## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` + ## + enabled: false + ## @param volumePermissions.image.registry Init container volume-permissions image registry + ## @param volumePermissions.image.repository Init container volume-permissions image repository + ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 10-debian-10-r349 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param volumePermissions.resources.limits Init container volume-permissions resource limits + ## @param volumePermissions.resources.requests Init container volume-permissions resource requests + ## + resources: + limits: {} + requests: {} + +## @section Metrics parameters + +## Mysqld Prometheus exporter parameters +## +metrics: + ## @param metrics.enabled Start a side-car prometheus exporter + ## + enabled: false + ## @param metrics.image.registry Exporter image registry + ## @param metrics.image.repository Exporter image repository + ## @param metrics.image.tag Exporter image tag (immutable tags are recommended) + ## @param metrics.image.pullPolicy Exporter image pull policy + ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/mysqld-exporter + tag: 0.13.0-debian-10-r256 + 
pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.annotations [object] Annotations for the Exporter pod + ## + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9104" + ## @param metrics.extraArgs [object] Extra args to be passed to mysqld_exporter + ## ref: https://github.com/prometheus/mysqld_exporter/ + ## E.g. + ## - --collect.auto_increment.columns + ## - --collect.binlog_size + ## - --collect.engine_innodb_status + ## - --collect.engine_tokudb_status + ## - --collect.global_status + ## - --collect.global_variables + ## - --collect.info_schema.clientstats + ## - --collect.info_schema.innodb_metrics + ## - --collect.info_schema.innodb_tablespaces + ## - --collect.info_schema.innodb_cmp + ## - --collect.info_schema.innodb_cmpmem + ## - --collect.info_schema.processlist + ## - --collect.info_schema.processlist.min_time + ## - --collect.info_schema.query_response_time + ## - --collect.info_schema.tables + ## - --collect.info_schema.tables.databases + ## - --collect.info_schema.tablestats + ## - --collect.info_schema.userstats + ## - --collect.perf_schema.eventsstatements + ## - --collect.perf_schema.eventsstatements.digest_text_limit + ## - --collect.perf_schema.eventsstatements.limit + ## - --collect.perf_schema.eventsstatements.timelimit + ## - --collect.perf_schema.eventswaits + ## - --collect.perf_schema.file_events + ## - --collect.perf_schema.file_instances + ## - --collect.perf_schema.indexiowaits + ## - --collect.perf_schema.tableiowaits + ## - --collect.perf_schema.tablelocks + ## - --collect.perf_schema.replication_group_member_stats + ## - --collect.slave_status + ## - --collect.slave_hosts + ## - --collect.heartbeat + ## - --collect.heartbeat.database + ## - 
--collect.heartbeat.table + ## + extraArgs: + primary: [] + secondary: [] + ## MariaDB metrics container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param metrics.containerSecurityContext.enabled Enable security context for MariaDB metrics container + ## Example: + ## containerSecurityContext: + ## enabled: true + ## capabilities: + ## drop: ["NET_RAW"] + ## readOnlyRootFilesystem: true + ## + containerSecurityContext: + enabled: false + ## Mysqld Prometheus exporter resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ ## @param metrics.resources.limits The resources limits for MariaDB prometheus exporter containers + ## @param metrics.resources.requests The requested resources for MariaDB prometheus exporter containers + ## + resources: + ## Example: + ## limits: + ## cpu: 100m + ## memory: 256Mi + limits: {} + ## Examples: + ## requests: + ## cpu: 100m + ## memory: 256Mi + requests: {} + ## Configure extra options for liveness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param metrics.livenessProbe.enabled Enable livenessProbe + ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 120 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + ## Configure extra options for readiness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param metrics.readinessProbe.enabled Enable readinessProbe + ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + 
failureThreshold: 3 + ## Prometheus Service Monitor + ## ref: https://github.com/coreos/prometheus-operator + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in + ## + namespace: "" + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## + jobLabel: "" + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped + ## + interval: 30s + ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended + ## e.g: + ## scrapeTimeout: 30s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## @param metrics.serviceMonitor.selector ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + ## selector: + ## prometheus: my-prometheus + ## + selector: {} + ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor + ## + labels: {} + ## Prometheus Operator PrometheusRule configuration + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and 
`metrics.prometheusRule.rules`) + ## + enabled: false + ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace) + ## + namespace: "" + ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so PrometheusRule will be discovered by Prometheus + ## + additionalLabels: {} + ## @param metrics.prometheusRule.rules Prometheus Rule definitions + ## - alert: MariaDB-Down + ## expr: absent(up{job="mariadb"} == 1) + ## for: 5m + ## labels: + ## severity: warning + ## service: mariadb + ## annotations: + ## message: 'MariaDB instance {{ $labels.instance }} is down' + ## summary: MariaDB instance is down + ## + rules: [] + +## @section NetworkPolicy parameters + +## Add networkpolicies +## +networkPolicy: + ## @param networkPolicy.enabled Enable network policies + ## + enabled: false + ## @param networkPolicy.metrics.enabled Enable network policy for metrics (prometheus) + ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. + ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. + ## + metrics: + enabled: false + ## e.g: + ## podSelector: + ## label: monitoring + ## + podSelector: {} + ## e.g: + ## namespaceSelector: + ## label: monitoring + ## + namespaceSelector: {} + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the primary node. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the primary node. 
This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules [object] Custom network policy for the primary node. + ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. + ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to acces the secondary nodes. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the secondary nodes. This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules [object] Custom network policy for the secondary nodes. + ## + ingressRules: + ## Allow access to the primary node only from the indicated: + primaryAccessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## customRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + + ## Allow access to the secondary node only from the indicated: + secondaryAccessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## CustomRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + + ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). 
+ ## @param networkPolicy.egressRules.customRules [object] Custom network policy rule
+ ##
+ egressRules:
+ # Deny connections to external. This is not compatible with an external database.
+ denyConnectionsToExternal: false
+ ## Additional custom egress rules
+ ## e.g:
+ ## customRules:
+ ## - to:
+ ## - namespaceSelector:
+ ## matchLabels:
+ ## label: example
+ customRules: {}
\ No newline at end of file
From d3b240a13ec9f7c18693cf464db80ba17589a2b9 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Mon, 28 Feb 2022 13:17:03 +0100
Subject: [PATCH 132/334] config: added storage class
---
 home/mariadb/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/home/mariadb/values.yaml b/home/mariadb/values.yaml
index 593fb151a4..9439aca692 100644
--- a/home/mariadb/values.yaml
+++ b/home/mariadb/values.yaml
@@ -425,7 +425,7 @@ primary:
 ## set, choosing the default provisioner. (gp2 on AWS, standard on
 ## GKE, AWS & OpenStack)
 ##
- storageClass: ""
+ storageClass: "longhorn"
 ## @param primary.persistence.annotations MariaDB primary persistent volume claim annotations
 ##
 annotations: {}
From d8a294528830222c72ec93378f16b2f69a0e84bc Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Mon, 28 Feb 2022 13:19:24 +0100
Subject: [PATCH 133/334] config: add existsing secret
---
 home/mariadb/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/home/mariadb/values.yaml b/home/mariadb/values.yaml
index 9439aca692..8bc76b2df6 100644
--- a/home/mariadb/values.yaml
+++ b/home/mariadb/values.yaml
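Review bot: Only `primary.persistence.storageClass` is pinned to `"longhorn"` here; the diffstat shows a single changed line, so `secondary.persistence.storageClass` presumably still carries the chart default of `""` (cluster default provisioner). If the release ever runs with the replication architecture, primary and secondary volumes would land on different storage backends with different durability guarantees, which is easy to miss later. Either pin the secondary the same way or record the choice next to the value, e.g. `## primary only: secondary keeps the cluster-default StorageClass (standalone architecture)`. The enclosing `primary.persistence` block starts outside the hunk.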
@@ -121,7 +121,7 @@ auth: replicationPassword: "" ## @param auth.existingSecret Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` ## - existingSecret: "" + existingSecret: "mariadb-secret" ## @param auth.forcePassword Force users to specify required passwords ## forcePassword: false From 24f2e7e637682be0cd05beceef9209b1f4f0c40f Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 28 Feb 2022 13:27:47 +0100 Subject: [PATCH 134/334] config: upgrade chart version --- home/mariadb/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/mariadb/Chart.yaml b/home/mariadb/Chart.yaml index d6c121b3bd..1b64ff6dac 100644 --- a/home/mariadb/Chart.yaml +++ b/home/mariadb/Chart.yaml @@ -3,5 +3,5 @@ name: mariadb version: 0.0.0 dependencies: - name: mariadb - version: 1.11.1 + version: 10.6.7 repository: https://charts.bitnami.com/bitnami \ No newline at end of file From 30a2153d8e4c76df19bf95c48959ce69a50242a2 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 28 Feb 2022 14:25:15 +0100 Subject: [PATCH 135/334] config: indent --- home/mariadb-galera/Chart.yaml | 7 - home/mariadb-galera/values.yaml | 913 ------------ home/mariadb/values.yaml | 2301 ++++++++++++++++--------------- 3 files changed, 1151 insertions(+), 2070 deletions(-) delete mode 100644 home/mariadb-galera/Chart.yaml delete mode 100644 home/mariadb-galera/values.yaml diff --git a/home/mariadb-galera/Chart.yaml b/home/mariadb-galera/Chart.yaml deleted file mode 100644 index cc6eea514c..0000000000 --- a/home/mariadb-galera/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -name: mariadb-galera -version: 0.0.0 -dependencies: - - name: mariadb-galera - version: 7.0.6 - repository: https://charts.bitnami.com/bitnami \ No newline at end of file 
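Review bot: The new `existingSecret: "mariadb-secret"` makes the release depend on a Secret that nothing in this commit creates, so a reader of values.yaml cannot tell where `mariadb-secret` comes from, who owns it, or how it is rotated. The `@param` comment in this hunk states the Secret must carry `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password`; if it is missing or lacks one of those keys the pods will presumably fail to start rather than fall back to the empty `auth.*Password` values, which should be stated rather than discovered at deploy time. I would record the provenance next to the value, e.g. `## mariadb-secret is provisioned outside this chart (name the source here); it must contain all three keys listed above`, so the out-of-band dependency is explicit in the GitOps repo. Since credentials are now sourced from the Secret, it is also worth confirming that `forcePassword: false` two lines below still reflects intent.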
diff --git a/home/mariadb-galera/values.yaml b/home/mariadb-galera/values.yaml deleted file mode 100644 index 8e6f20ae9b..0000000000 --- a/home/mariadb-galera/values.yaml +++ /dev/null 
@@ -1,913 +0,0 @@ -mariadb: - ## @section Global parameters - ## Global Docker image parameters - ## Please, note that this will override the image parameters, including dependencies, configured to use the global value - ## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass - - ## @param global.imageRegistry Global Docker image registry - ## @param global.imagePullSecrets Global Docker registry secret names as an array - ## @param global.storageClass Global StorageClass for Persistent Volume(s) - ## - global: - imageRegistry: "" - ## E.g. - ## imagePullSecrets: - ## - myRegistryKeySecretName - ## - imagePullSecrets: [] - storageClass: "" - - ## @section Common parameters - - ## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) - ## - kubeVersion: "" - ## @param nameOverride String to partially override common.names.fullname template with a string (will prepend the release name) - ## - nameOverride: "" - ## @param fullnameOverride String to fully override common.names.fullname template with a string - ## - fullnameOverride: "" - ## @param commonAnnotations Annotations to add to all deployed objects - ## - commonAnnotations: {} - ## @param commonLabels Labels to add to all deployed objects - ## - commonLabels: {} - ## @param schedulerName Name of the Kubernetes scheduler (other than default) - ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - schedulerName: "" - ## @param clusterDomain Kubernetes DNS Domain name to use - ## - clusterDomain: cluster.local - ## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) - ## - extraDeploy: [] - - ## Diagnostic mode in the deployment - ## - diagnosticMode: - ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) - ## - enabled: false - ## @param diagnosticMode.command [array] Command to 
override all containers in the deployment - ## - command: - - sleep - ## @param diagnosticMode.args [array] Args to override all containers in the deployment - ## - args: - - infinity - - ## @section MariaDB Galera parameters - - ## Bitnami MariaDB Galera image - ## ref: https://hub.docker.com/r/bitnami/mariadb-galera/tags/ - ## @param image.registry MariaDB Galera image registry - ## @param image.repository MariaDB Galera image repository - ## @param image.tag MariaDB Galera image tag (immutable tags are recommended) - ## @param image.pullPolicy MariaDB Galera image pull policy - ## @param image.pullSecrets Specify docker-registry secret names as an array - ## @param image.debug Specify if debug logs should be enabled - ## - image: - registry: docker.io - repository: bitnami/mariadb-galera - tag: 10.6.5-debian-10-r66 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Set to true if you would like to see extra information on logs - ## - debug: false - ## @param podManagementPolicy StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. 
There are two valid pod management policies: OrderedReady and Parallel - ## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy - ## - podManagementPolicy: OrderedReady - ## @param hostAliases Add deployment host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## MariaDB Gallera K8s svc properties - ## - service: - ## @param service.type Kubernetes service type - ## - type: ClusterIP - ## @param service.clusterIP Specific cluster IP when service type is cluster IP. Use `None` for headless service - ## e.g: - ## clusterIP: None - ## - clusterIP: "" - ## @param service.ports.mysql MariaDB service port - ## - ports: - mysql: 3306 - ## @param service.nodePorts.mysql Specify the nodePort value for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## e.g: - ## nodePort: - ## mysql: 30001 - ## - nodePorts: - mysql: "" - ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value) - ## - extraPorts: [] - ## @param service.externalIPs External IP list to use with ClusterIP service type - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips - ## - externalIPs: [] - ## @param service.loadBalancerIP `loadBalancerIP` if service type is `LoadBalancer` - ## Set the LoadBalancer service type to internal only - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param service.loadBalancerSourceRanges Addresses that are allowed when svc is `LoadBalancer` - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param service.annotations 
Additional annotations for MariaDB Galera service - ## This can be used toset the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - annotations: {} - ## Headless service properties - ## - headless: - ## @param service.headless.annotations Annotations for the headless service. - ## Useful for setting `service.alpha.kubernetes.io/tolerate-unready-endpoints="true"` when using peer-finder. - ## - annotations: {} - ## @param service.headless.publishNotReadyAddresses Publish not Ready MariaDB Galera pods' IPs in the headless service. - ## Required for peer discovery during cluster bootstrap (1st chart installation), optional afterwards. - ## - publishNotReadyAddresses: true - ## Pods Service Account - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ - ## @param serviceAccount.create Specify whether a ServiceAccount should be created - ## @param serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template. - ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account - ## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. 
- ## - serviceAccount: - create: false - name: "" - automountServiceAccountToken: false - annotations: {} - ## @param command Override default container command (useful when using custom images) - ## - command: [] - ## @param args Override default container args (useful when using custom images) - ## - args: [] - ## @param extraEnvVars Array containing extra env vars to configure MariaDB Galera replicas - ## For example: - ## extraEnvVars: - ## - name: TZ - ## value: "Europe/Paris" - ## - extraEnvVars: [] - ## @param extraEnvVarsCM ConfigMap containing extra env vars to configure MariaDB Galera replicas - ## - extraEnvVarsCM: "" - ## @param extraEnvVarsSecret Secret containing extra env vars to configure MariaDB Galera replicas - ## - extraEnvVarsSecret: "" - ## Role Based Access - ## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ - ## - rbac: - ## @param rbac.create Specify whether RBAC resources should be created and used - ## - create: false - ## Pod Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## @param podSecurityContext.enabled Enable security context - ## @param podSecurityContext.fsGroup Group ID for the container filesystem - ## @param podSecurityContext.runAsUser User ID for the container - ## - podSecurityContext: - enabled: true - fsGroup: 1001 - runAsUser: 1001 - ## Configure Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param containerSecurityContext.enabled Enabled galera's container Security Context - ## @param containerSecurityContext.runAsUser Set galera's container Security Context runAsUser - ## @param containerSecurityContext.runAsNonRoot Set galera's container Security Context runAsNonRoot - containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsNonRoot: true - ## Database credentials for root (admin) user - ## - rootUser: - ## @param rootUser.user Username 
for the admin user. - ## - user: root - ## @param rootUser.password Password for the admin user. Ignored if existing secret is provided. - ## Password is ignored if existingSecret is specified. - ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#setting-the-root-password-on-first-run - ## - password: "" - ## @param rootUser.forcePassword Option to force users to specify a password. That is required for 'helm upgrade' to work properly. - ## If it is not force, a random password will be generated. - ## - forcePassword: false - ## @param existingSecret Use existing secret for password details (`rootUser.password`, `db.password`, `galera.mariabackup.password` will be ignored and picked up from this secret) - ## The secret has to contain the keys mariadb-root-password, mariadb-galera-mariabackup-password and mariadb-password. - ## - existingSecret: "mariadb-secret" - ## @param usePasswordFiles Mount credentials as a files instead of using an environment variable. - ## - usePasswordFiles: false - ## @param customPasswordFiles Use custom password files when `usePasswordFiles` is set to `true`. Define path for keys `root`, `user`, and `mariabackup`. - ## Example: - ## customPasswordFiles: - ## root: /vault/secrets/mariadb-root - ## user: /vault/secrets/mariadb-user - ## mariabackup: /vault/secrets/mariadb-galera-mariabackup - ## - customPasswordFiles: {} - ## Custom db configuration - ## - db: - ## @param db.user Username of new user to create - ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-user-on-first-run - ## - user: "" - ## @param db.password Password for the new user. Ignored if existing secret is provided. - ## - password: "" - ## @param db.name Name for new database to create - ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-on-first-run - ## - name: my_database - ## @param db.forcePassword Option to force users to specify a password. 
That is required for 'helm upgrade' to work properly. - ## If it is not force, a random password will be generated. - ## - forcePassword: false - ## Galera configuration - ## - galera: - ## @param galera.name Galera cluster name - ## - name: galera - ## Bootstraping options - ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#bootstraping - ## - bootstrap: - ## @param galera.bootstrap.forceBootstrap Option to force the boostraping from the indicated node in `galera.bootstarp.bootstrapFromNode` - ## - forceBootstrap: true - ## @param galera.bootstrap.bootstrapFromNode Node to bootstrap from, you will need to change this parameter in case you want to bootstrap from other node - ## - bootstrapFromNode: 0 - ## @param galera.bootstrap.forceSafeToBootstrap Force `safe_to_bootstrap: 1` in `grastate.date` file - ## This will set safe_to_bootstrap=1 in the node indicated by bootstrapFromNode. - ## - forceSafeToBootstrap: true - ## Credentials to perform backups - ## - mariabackup: - ## @param galera.mariabackup.user MariaBackup username - ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#setting-up-a-multi-master-cluster - ## - user: mariabackup - ## @param galera.mariabackup.password MariaBackup password. Password is ignored if existingSecret is specified. - ## - password: "" - ## @param galera.mariabackup.forcePassword Option to force users to specify a password. That is required for 'helm upgrade' to work properly. - ## If it is not force, a random password will be generated. 
- ## - forcePassword: false - ## LDAP configuration - ## @param ldap.enabled Enable LDAP support - ## @param ldap.uri LDAP URL beginning in the form `ldap` - ## @param ldap.base LDAP base DN - ## @param ldap.binddn LDAP bind DN - ## @param ldap.bindpw LDAP bind password - ## @param ldap.bslookup LDAP base lookup - ## @param ldap.filter LDAP custom filter - ## @param ldap.map LDAP custom map - ## @param ldap.nss_initgroups_ignoreusers LDAP ignored users - ## @param ldap.scope LDAP search scope - ## @param ldap.tls_reqcert LDAP TLS check on server certificates - ## - ldap: - enabled: false - uri: "" - base: "" - binddn: "" - bindpw: "" - bslookup: "" - filter: "" - map: "" - nss_initgroups_ignoreusers: root,nslcd - scope: "" - tls_reqcert: "" - ## TLS configuration - ## - tls: - ## @param tls.enabled Enable TLS support for replication traffic - ## - enabled: false - ## @param tls.autoGenerated Generate automatically self-signed TLS certificates - ## - autoGenerated: false - ## @param tls.certificatesSecret Name of the secret that contains the certificates - ## - certificatesSecret: "" - ## @param tls.certFilename Certificate filename - ## - certFilename: "" - ## @param tls.certKeyFilename Certificate key filename - ## - certKeyFilename: "" - ## @param tls.certCAFilename CA Certificate filename - ## - certCAFilename: "" - ## @param mariadbConfiguration [string] Configuration for the MariaDB server - ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file - ## Alternatively, you can put your my.cnf under the files/ directory - ## - mariadbConfiguration: |- - [client] - port=3306 - socket=/opt/bitnami/mariadb/tmp/mysql.sock - plugin_dir=/opt/bitnami/mariadb/plugin - - [mysqld] - default_storage_engine=InnoDB - basedir=/opt/bitnami/mariadb - datadir=/bitnami/mariadb/data - plugin_dir=/opt/bitnami/mariadb/plugin - tmpdir=/opt/bitnami/mariadb/tmp - socket=/opt/bitnami/mariadb/tmp/mysql.sock - 
pid_file=/opt/bitnami/mariadb/tmp/mysqld.pid - bind_address=0.0.0.0 - - ## Character set - ## - collation_server=utf8_unicode_ci - init_connect='SET NAMES utf8' - character_set_server=utf8 - - ## MyISAM - ## - key_buffer_size=32M - myisam_recover_options=FORCE,BACKUP - - ## Safety - ## - skip_host_cache - skip_name_resolve - max_allowed_packet=16M - max_connect_errors=1000000 - sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY - sysdate_is_now=1 - - ## Binary Logging - ## - log_bin=mysql-bin - expire_logs_days=14 - # Disabling for performance per http://severalnines.com/blog/9-tips-going-production-galera-cluster-mysql - sync_binlog=0 - # Required for Galera - binlog_format=row - - ## Caches and Limits - ## - tmp_table_size=32M - max_heap_table_size=32M - # Re-enabling as now works with Maria 10.1.2 - query_cache_type=1 - query_cache_limit=4M - query_cache_size=256M - max_connections=500 - thread_cache_size=50 - open_files_limit=65535 - table_definition_cache=4096 - table_open_cache=4096 - - ## InnoDB - ## - innodb=FORCE - innodb_strict_mode=1 - # Mandatory per https://github.com/codership/documentation/issues/25 - innodb_autoinc_lock_mode=2 - # Per https://www.percona.com/blog/2006/08/04/innodb-double-write/ - innodb_doublewrite=1 - innodb_flush_method=O_DIRECT - innodb_log_files_in_group=2 - innodb_log_file_size=128M - innodb_flush_log_at_trx_commit=1 - innodb_file_per_table=1 - # 80% Memory is default reco. 
- # Need to re-evaluate when DB size grows - innodb_buffer_pool_size=2G - innodb_file_format=Barracuda - - ## Logging - ## - log_error=/opt/bitnami/mariadb/logs/mysqld.log - slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log - log_queries_not_using_indexes=1 - slow_query_log=1 - - ## SSL - ## Use extraVolumes and extraVolumeMounts to mount /certs filesystem - # ssl_ca=/certs/ca.pem - # ssl_cert=/certs/server-cert.pem - # ssl_key=/certs/server-key.pem - - [galera] - wsrep_on=ON - wsrep_provider=/opt/bitnami/mariadb/lib/libgalera_smm.so - wsrep_sst_method=mariabackup - wsrep_slave_threads=4 - wsrep_cluster_address=gcomm:// - wsrep_cluster_name=galera - wsrep_sst_auth="root:" - # Enabled for performance per https://mariadb.com/kb/en/innodb-system-variables/#innodb_flush_log_at_trx_commit - innodb_flush_log_at_trx_commit=2 - # MYISAM REPLICATION SUPPORT # - wsrep_replicate_myisam=ON - - [mariadb] - plugin_load_add=auth_pam - - ## Data-at-Rest Encryption - ## Use extraVolumes and extraVolumeMounts to mount /encryption filesystem - # plugin_load_add=file_key_management - # file_key_management_filename=/encryption/keyfile.enc - # file_key_management_filekey=FILE:/encryption/keyfile.key - # file_key_management_encryption_algorithm=AES_CTR - # encrypt_binlog=ON - # encrypt_tmp_files=ON - - ## InnoDB/XtraDB Encryption - # innodb_encrypt_tables=ON - # innodb_encrypt_temporary_tables=ON - # innodb_encrypt_log=ON - # innodb_encryption_threads=4 - # innodb_encryption_rotate_key_age=1 - - ## Aria Encryption - # aria_encrypt_tables=ON - # encrypt_tmp_disk_tables=ON - ## @param configurationConfigMap ConfigMap with the MariaDB configuration files (Note: Overrides `mariadbConfiguration`). The value is evaluated as a template. 
- ## - configurationConfigMap: "" - ## initdb scripts - ## @param initdbScripts Specify dictionary of scripts to be run at first boot - ## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory - ## e.g: - ## initdbScripts: - ## my_init_script.sh: | - ## #!/bin/sh - ## echo "Do something." - ## - initdbScripts: {} - ## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) - ## - initdbScriptsConfigMap: "" - ## @param extraFlags MariaDB additional command line flags - ## Can be used to specify command line flags, for example: - ## e.g: - ## extraFlags: "--max-connect-errors=1000 --max_connections=155" - ## - extraFlags: "" - ## @param replicaCount Desired number of cluster nodes - ## - replicaCount: 3 - ## @param updateStrategy.type updateStrategy for MariaDB Master StatefulSet - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - ## - updateStrategy: - type: RollingUpdate - ## @param podLabels Extra labels for MariaDB Galera pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - ## - podLabels: {} - ## @param podAnnotations Annotations for MariaDB Galera pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - podAnnotations: {} - ## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` - ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAntiAffinityPreset: soft - ## Node affinity preset - ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## - nodeAffinityPreset: - ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` - ## - type: "" - ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set. - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param affinity Affinity for pod assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set - ## - affinity: {} - ## @param nodeSelector Node labels for pod assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param tolerations Tolerations for pod assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## @param topologySpreadConstraints Topology Spread Constraints for pods assignment - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## E.g. 
- ## topologySpreadConstraints: - ## - maxSkew: 1 - ## topologyKey: topology.kubernetes.io/zone - ## whenUnsatisfiable: DoNotSchedule - ## - topologySpreadConstraints: {} - ## @param lifecycleHooks for the galera container(s) to automate configuration before or after startup - ## - lifecycleHooks: {} - ## Enable persistence using Persistent Volume Claims - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ - ## - ## Galera container port - ## @param containerPorts.mysql mariadb database container port - ## @param containerPorts.galera galera cluster container port - ## @param containerPorts.ist galera IST container port - ## @param containerPorts.sst galera SST container port - ## - containerPorts: - mysql: 3306 - # Note: Container image is not aware of changes in the following container's ports - galera: 4567 - ist: 4568 - sst: 4444 - - persistence: - ## @param persistence.enabled Enable persistence using PVC - ## - enabled: true - ## @param persistence.existingClaim Provide an existing `PersistentVolumeClaim` - ## - existingClaim: "" - ## @param persistence.subPath Subdirectory of the volume to mount - ## - subPath: "" - ## @param persistence.mountPath Path to mount the volume at - ## - mountPath: /bitnami/mariadb - ## @param persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) - ## selector: - ## matchLabels: - ## app: my-app - ## - selector: {} - ## @param persistence.storageClass Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. 
(gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - storageClass: "longhorn" - ## @param persistence.annotations Persistent Volume Claim annotations - ## - annotations: {} - ## @param persistence.accessModes Persistent Volume Access Modes - ## - accessModes: - - ReadWriteOnce - ## @param persistence.size Persistent Volume Size - ## - size: 8Gi - ## @param priorityClassName Priority Class Name for Statefulset - ## - priorityClassName: "" - ## @param initContainers Additional init containers (this value is evaluated as a template) - ## extraInitContainers: - ## - name: do-something - ## image: bitnami/minideb - ## command: ['do', 'something'] - ## - initContainers: [] - ## @param extraContainers Additional containers (this value is evaluated as a template) - ## - extraContainers: [] - ## extraVolumes and extraVolumeMounts allows you to mount other volumes - ## @param extraVolumes Extra volumes - ## @param extraVolumeMounts Mount extra volume(s) - ## Example Use Cases: - ## mount certificates to enable data-in-transit encryption - ## mount keys for data-at-rest encryption using file plugin - ## e.g: - ## extraVolumes: - ## - name: mariadb-certs - ## secret: - ## defaultMode: 288 - ## secretName: mariadb-certs - ## - name: mariadb-encryption - ## secret: - ## defaultMode: 288 - ## secretName: mariadb-encryption - ## - extraVolumes: [] - ## extraVolumeMounts: - ## - name: mariadb-certs - ## mountPath: /certs - ## readOnly: true - ## - name: mariadb-encryption - ## mountPath: /encryption - ## readOnly: true - ## - extraVolumeMounts: [] - ## MariaDB Galera containers' resource requests and limits - ## We usually recommend not to specify default resources and to leave this as a conscious - ## choice for the user. This also increases chances charts run on environments with little - ## resources, such as Minikube. If you do want to specify resources, uncomment the following - ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- ## @param resources.limits The resources limits for the container - ## @param resources.requests The requested resources for the container - ## - resources: - ## Example: - ## limits: - ## cpu: 0.5 - ## memory: 256Mi - limits: {} - ## Examples: - ## requests: - ## cpu: 0.5 - ## memory: 256Mi - requests: {} - ## MariaDB Galera containers' liveness probe - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes - ## @param livenessProbe.enabled Turn on and off liveness probe - ## @param livenessProbe.initialDelaySeconds Delay before liveness probe is initiated - ## @param livenessProbe.periodSeconds How often to perform the probe - ## @param livenessProbe.timeoutSeconds When the probe times out - ## @param livenessProbe.failureThreshold Minimum consecutive failures for the probe - ## @param livenessProbe.successThreshold Minimum consecutive successes for the probe - ## - livenessProbe: - enabled: true - ## Initializing the database could take some time - ## - initialDelaySeconds: 120 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - ## MariaDB Galera containers' readiness probe - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes - ## @param readinessProbe.enabled Turn on and off readiness probe - ## @param readinessProbe.initialDelaySeconds Delay before readiness probe is initiated - ## @param readinessProbe.periodSeconds How often to perform the probe - ## @param readinessProbe.timeoutSeconds When the probe times out - ## @param readinessProbe.failureThreshold Minimum consecutive failures for the probe - ## @param readinessProbe.successThreshold Minimum consecutive successes for the probe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - ## MariaDB Galera containers' startup probe - ## ref: 
https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes - ## @param startupProbe.enabled Turn on and off startup probe - ## @param startupProbe.initialDelaySeconds Delay before startup probe is initiated - ## @param startupProbe.periodSeconds How often to perform the probe - ## @param startupProbe.timeoutSeconds When the probe times out - ## @param startupProbe.failureThreshold Minimum consecutive failures for the probe - ## @param startupProbe.successThreshold Minimum consecutive successes for the probe - ## - startupProbe: - enabled: false - ## Initializing the database could take some time - ## - initialDelaySeconds: 120 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - ## Let's wait 600 seconds by default, it should give enough time in any cluster for mysql to init - ## - failureThreshold: 48 - ## @param customStartupProbe Custom liveness probe for the Web component - ## - customStartupProbe: {} - ## @param customLivenessProbe Custom liveness probe for the Web component - ## - customLivenessProbe: {} - ## @param customReadinessProbe Custom rediness probe for the Web component - ## - customReadinessProbe: {} - ## Pod disruption budget configuration - ## - podDisruptionBudget: - ## @param podDisruptionBudget.create Specifies whether a Pod disruption budget should be created - ## - create: false - ## @param podDisruptionBudget.minAvailable Minimum number / percentage of pods that should remain scheduled - ## - minAvailable: 1 - ## @param podDisruptionBudget.maxUnavailable Maximum number / percentage of pods that may be made unavailable - ## - maxUnavailable: "" - ## Prometheus exporter configuration - ## - metrics: - ## @param metrics.enabled Start a side-car prometheus exporter - ## - enabled: false - ## Bitnami MySQL Prometheus exporter image - ## ref: https://hub.docker.com/r/bitnami/mysqld-exporter/tags/ - ## @param metrics.image.registry MariaDB Prometheus exporter image registry - ## @param metrics.image.repository 
MariaDB Prometheus exporter image repository - ## @param metrics.image.tag MariaDB Prometheus exporter image tag (immutable tags are recommended) - ## @param metrics.image.pullPolicy MariaDB Prometheus exporter image pull policy - ## @param metrics.image.pullSecrets MariaDB Prometheus exporter image pull secrets - ## - image: - registry: docker.io - repository: bitnami/mysqld-exporter - tag: 0.13.0-debian-10-r236 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## @param metrics.extraFlags MariaDB Prometheus exporter additional command line flags - ## Can be used to specify command line flags - ## E.g.: - ## extraFlags: - ## - --collect.binlog_size - ## - extraFlags: [] - ## MySQL Prometheus exporter containers' resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## We usually recommend not to specify default resources and to leave this as a conscious - ## choice for the user. This also increases chances charts run on environments with little - ## resources, such as Minikube. If you do want to specify resources, uncomment the following - ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- ## @param metrics.resources.limits The resources limits for the container - ## @param metrics.resources.requests The requested resources for the container - ## - resources: - ## Example: - ## limits: - ## cpu: 0.5 - ## memory: 256Mi - limits: {} - ## Examples: - ## requests: - ## cpu: 0.5 - ## memory: 256Mi - requests: {} - ## MySQL Prometheus exporter service parameters - ## @param metrics.service.type Prometheus exporter service type - ## @param metrics.service.port Prometheus exporter service port - ## @param metrics.service.annotations [object] Prometheus exporter service annotations - ## - service: - type: ClusterIP - port: 9104 - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9104" - ## @param metrics.service.loadBalancerIP Load Balancer IP if the Prometheus metrics server type is `LoadBalancer` - ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer - ## - loadBalancerIP: "" - ## @param metrics.service.clusterIP Prometheus metrics service Cluster IP - ## e.g.: - ## clusterIP: None - ## - clusterIP: "" - ## @param metrics.service.loadBalancerSourceRanges Prometheus metrics service Load Balancer sources - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## e.g: - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param metrics.service.externalTrafficPolicy Prometheus metrics service external traffic policy - ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - - ## Prometheus Operator ServiceMonitor configuration - ## - serviceMonitor: - ## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) - ## - enabled: false - ## @param metrics.serviceMonitor.namespace Optional namespace which 
Prometheus is running in - ## - namespace: "" - ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. - ## - jobLabel: "" - ## @param metrics.serviceMonitor.interval How frequently to scrape metrics (use by default, falling back to Prometheus' default) - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## e.g: - ## interval: 10s - ## - interval: "" - ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## e.g: - ## scrapeTimeout: 10s - ## - scrapeTimeout: "" - ## @param metrics.serviceMonitor.selector [object] ServiceMonitor selector labels - ## Default to kube-prometheus install (CoreOS recommended), but should be set according to Prometheus install - ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration - ## - selector: - prometheus: kube-prometheus - ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig - ## Value is evalued as a template - ## - relabelings: [] - ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig - ## Value is evalued as a template - ## e.g: - ## - sourceLabels: - ## - "__name__" - ## targetLabel: "__name__" - ## action: replace - ## regex: '(.*)' - ## replacement: 'example_prefix_$1' - ## - metricRelabelings: [] - ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels - ## - honorLabels: false - ## @param metrics.serviceMonitor.labels ServiceMonitor extra labels - ## - labels: {} - 
- ## Prometheus Operator PrometheusRule configuration - ## - prometheusRules: - ## @param metrics.prometheusRules.enabled if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true`, and makes little sense without ServiceMonitor) - ## - enabled: false - ## @param metrics.prometheusRules.selector [object] Additional labels to add to the PrometheusRule so it is picked up by the operator - ## If using the [Helm Chart](https://github.com/helm/charts/tree/master/stable/prometheus-operator) this is the name of the Helm release and 'app: prometheus-operator' - ## - selector: - app: prometheus-operator - release: prometheus - ## @param metrics.prometheusRules.rules PrometheusRule rules to configure - ## e.g: - ## - alert: MariaDB-Down - ## annotations: - ## message: 'MariaDB instance {{ $labels.instance }} is down' - ## summary: MariaDB instance is down - ## expr: absent(up{job="mariadb-galera"} == 1) - ## labels: - ## severity: warning - ## service: mariadb-galera - ## for: 5m - ## - rules: {}
\ No newline at end of file
diff --git a/home/mariadb/values.yaml b/home/mariadb/values.yaml
index 8bc76b2df6..8f7ef10ced 100644
--- a/home/mariadb/values.yaml
+++ b/home/mariadb/values.yaml
@@ -1,1248 +1,1249 @@ -## @section Global parameters -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +mariadb: + ## @section Global parameters + ## Global Docker image parameters + ## Please, note that this will override the image parameters, including dependencies, configured to use the global value + ## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass -## @param global.imageRegistry Global Docker Image registry -## @param global.imagePullSecrets Global Docker registry secret names as an array -## @param global.storageClass Global storage class for dynamic provisioning -## -global: - imageRegistry: "" - ## E.g. - ## imagePullSecrets: - ## - myRegistryKeySecretName + ## @param global.imageRegistry Global Docker Image registry + ## @param global.imagePullSecrets Global Docker registry secret names as an array + ## @param global.storageClass Global storage class for dynamic provisioning ## - imagePullSecrets: [] - storageClass: "" - -## @section Common parameters - -## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) -## -kubeVersion: "" -## @param nameOverride String to partially override mariadb.fullname -## -nameOverride: "" -## @param fullnameOverride String to fully override mariadb.fullname -## -fullnameOverride: "" -## @param clusterDomain Default Kubernetes cluster domain -## -clusterDomain: cluster.local -## @param commonAnnotations Common annotations to add to all MariaDB resources (sub-charts are not considered) -## -commonAnnotations: {} -## @param commonLabels Common labels to add to all MariaDB resources (sub-charts are not considered) -## -commonLabels: {} -## @param schedulerName Name of the scheduler (other than default) to dispatch pods -## ref: 
https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -schedulerName: "" -## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) -## -extraDeploy: [] - -## Enable diagnostic mode in the deployment -## -diagnosticMode: - ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) - ## - enabled: false - ## @param diagnosticMode.command Command to override all containers in the deployment - ## - command: - - sleep - ## @param diagnosticMode.args Args to override all containers in the deployment - ## - args: - - infinity + global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" -## @section MariaDB common parameters + ## @section Common parameters -## Bitnami MariaDB image -## ref: https://hub.docker.com/r/bitnami/mariadb/tags/ -## @param image.registry MariaDB image registry -## @param image.repository MariaDB image repository -## @param image.tag MariaDB image tag (immutable tags are recommended) -## @param image.pullPolicy MariaDB image pull policy -## @param image.pullSecrets Specify docker-registry secret names as an array -## @param image.debug Specify if debug logs should be enabled -## -image: - registry: docker.io - repository: bitnami/mariadb - tag: 10.5.15-debian-10-r11 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - 
pullSecrets: [] - ## Set to true if you would like to see extra information on logs - ## It turns BASH and/or NAMI debugging in the image - ## - debug: false -## @param architecture MariaDB architecture (`standalone` or `replication`) -## -architecture: standalone -## MariaDB Authentication parameters -## -auth: - ## @param auth.rootPassword Password for the `root` user. Ignored if existing secret is provided. - ## ref: https://github.com/bitnami/bitnami-docker-mariadb#setting-the-root-password-on-first-run - ## - rootPassword: "" - ## @param auth.database Name for a custom database to create - ## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#creating-a-database-on-first-run - ## - database: my_database - ## @param auth.username Name for a custom user to create - ## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#creating-a-database-user-on-first-run + kubeVersion: "" + ## @param nameOverride String to partially override mariadb.fullname ## - username: "" - ## @param auth.password Password for the new user. Ignored if existing secret is provided + nameOverride: "" + ## @param fullnameOverride String to fully override mariadb.fullname ## - password: "" - ## @param auth.replicationUser MariaDB replication user - ## ref: https://github.com/bitnami/bitnami-docker-mariadb#setting-up-a-replication-cluster + fullnameOverride: "" + ## @param clusterDomain Default Kubernetes cluster domain ## - replicationUser: replicator - ## @param auth.replicationPassword MariaDB replication user password. 
Ignored if existing secret is provided - ## ref: https://github.com/bitnami/bitnami-docker-mariadb#setting-up-a-replication-cluster + clusterDomain: cluster.local + ## @param commonAnnotations Common annotations to add to all MariaDB resources (sub-charts are not considered) ## - replicationPassword: "" - ## @param auth.existingSecret Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` + commonAnnotations: {} + ## @param commonLabels Common labels to add to all MariaDB resources (sub-charts are not considered) ## - existingSecret: "mariadb-secret" - ## @param auth.forcePassword Force users to specify required passwords - ## - forcePassword: false - ## @param auth.usePasswordFiles Mount credentials as a files instead of using an environment variable + commonLabels: {} + ## @param schedulerName Name of the scheduler (other than default) to dispatch pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## - usePasswordFiles: false - ## @param auth.customPasswordFiles Use custom password files when `auth.usePasswordFiles` is set to `true`. Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication` - ## Example: - ## customPasswordFiles: - ## root: /vault/secrets/mariadb-root - ## user: /vault/secrets/mariadb-user - ## replicator: /vault/secrets/mariadb-replicator + schedulerName: "" + ## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) ## - customPasswordFiles: {} -## @param initdbScripts Dictionary of initdb scripts -## Specify dictionary of scripts to be run at first boot -## Example: -## initdbScripts: -## my_init_script.sh: | -## #!/bin/bash -## echo "Do something." 
-## -initdbScripts: {} -## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) -## -initdbScriptsConfigMap: "" - -## @section MariaDB Primary parameters + extraDeploy: [] -## Mariadb Primary parameters -## -primary: - ## @param primary.command Override default container command on MariaDB Primary container(s) (useful when using custom images) + ## Enable diagnostic mode in the deployment ## - command: [] - ## @param primary.args Override default container args on MariaDB Primary container(s) (useful when using custom images) - ## - args: [] - ## @param primary.lifecycleHooks for the MariaDB Primary container(s) to automate configuration before or after startup - ## - lifecycleHooks: {} - ## @param primary.hostAliases Add deployment host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## @param primary.configuration [string] MariaDB Primary configuration to be injected as ConfigMap - ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file - ## - configuration: |- - [mysqld] - skip-name-resolve - explicit_defaults_for_timestamp - basedir=/opt/bitnami/mariadb - plugin_dir=/opt/bitnami/mariadb/plugin - port=3306 - socket=/opt/bitnami/mariadb/tmp/mysql.sock - tmpdir=/opt/bitnami/mariadb/tmp - max_allowed_packet=16M - bind-address=:: - pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid - log-error=/opt/bitnami/mariadb/logs/mysqld.log - character-set-server=UTF8 - collation-server=utf8_general_ci + diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity - [client] - port=3306 - 
socket=/opt/bitnami/mariadb/tmp/mysql.sock - default-character-set=UTF8 - plugin_dir=/opt/bitnami/mariadb/plugin + ## @section MariaDB common parameters - [manager] - port=3306 - socket=/opt/bitnami/mariadb/tmp/mysql.sock - pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid - ## @param primary.existingConfigmap Name of existing ConfigMap with MariaDB Primary configuration. - ## NOTE: When it's set the 'configuration' parameter is ignored + ## Bitnami MariaDB image + ## ref: https://hub.docker.com/r/bitnami/mariadb/tags/ + ## @param image.registry MariaDB image registry + ## @param image.repository MariaDB image repository + ## @param image.tag MariaDB image tag (immutable tags are recommended) + ## @param image.pullPolicy MariaDB image pull policy + ## @param image.pullSecrets Specify docker-registry secret names as an array + ## @param image.debug Specify if debug logs should be enabled ## - existingConfigmap: "" - ## @param primary.updateStrategy.type MariaDB primary statefulset strategy type - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - ## - updateStrategy: - ## StrategyType - ## Can be set to RollingUpdate or OnDelete + image: + registry: docker.io + repository: bitnami/mariadb + tag: 10.5.15-debian-10-r11 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## - type: RollingUpdate - ## @param primary.rollingUpdatePartition Partition update strategy for Mariadb Primary statefulset - ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions - ## - rollingUpdatePartition: "" - ## @param primary.podAnnotations Additional pod annotations for MariaDB primary pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - podAnnotations: {} - ## @param primary.podLabels Extra labels for MariaDB primary pods - ## ref: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - ## - podLabels: {} - ## @param primary.podAffinityPreset MariaDB primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param primary.podAntiAffinityPreset MariaDB primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAntiAffinityPreset: soft - ## Mariadb Primary node affinity preset - ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## - nodeAffinityPreset: - ## @param primary.nodeAffinityPreset.type MariaDB primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName ## - type: "" - ## @param primary.nodeAffinityPreset.key MariaDB primary node label key to match Ignored if `primary.affinity` is set. - ## E.g. - ## key: "kubernetes.io/e2e-az-name" + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## It turns BASH and/or NAMI debugging in the image ## - key: "" - ## @param primary.nodeAffinityPreset.values MariaDB primary node label values to match. Ignored if `primary.affinity` is set. - ## E.g. 
- ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param primary.affinity Affinity for MariaDB primary pods assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set - ## - affinity: {} - ## @param primary.nodeSelector Node labels for MariaDB primary pods assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param primary.tolerations Tolerations for MariaDB primary pods assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## @param primary.schedulerName Name of the k8s scheduler (other than default) - ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - schedulerName: "" - ## @param primary.podManagementPolicy podManagementPolicy to manage scaling operation of MariaDB primary pods - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies - ## - podManagementPolicy: "" - ## @param primary.topologySpreadConstraints Topology Spread Constraints for MariaDB primary pods assignment - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## E.g. 
- ## topologySpreadConstraints: - ## - maxSkew: 1 - ## topologyKey: topology.kubernetes.io/zone - ## whenUnsatisfiable: DoNotSchedule - ## - topologySpreadConstraints: {} - ## @param primary.priorityClassName Priority class for MariaDB primary pods assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ - ## - priorityClassName: "" - ## MariaDB primary Pod security context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param primary.podSecurityContext.enabled Enable security context for MariaDB primary pods - ## @param primary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem - ## - podSecurityContext: - enabled: true - fsGroup: 1001 - ## MariaDB primary container security context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param primary.containerSecurityContext.enabled MariaDB primary container securityContext - ## @param primary.containerSecurityContext.runAsUser User ID for the MariaDB primary container - ## @param primary.containerSecurityContext.runAsNonRoot Set Controller container's Security Context runAsNonRoot - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsNonRoot: true - ## MariaDB primary container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## We usually recommend not to specify default resources and to leave this as a conscious - ## choice for the user. This also increases chances charts run on environments with little - ## resources, such as Minikube. If you do want to specify resources, uncomment the following - ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- ## @param primary.resources.limits The resources limits for MariaDB primary containers - ## @param primary.resources.requests The requested resources for MariaDB primary containers - ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 256Mi - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 256Mi - requests: {} - ## Configure extra options for MariaDB primary containers' liveness, readiness and startup probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) - ## @param primary.startupProbe.enabled Enable startupProbe - ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe - ## @param primary.startupProbe.timeoutSeconds Timeout seconds for startupProbe - ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe - ## @param primary.startupProbe.successThreshold Success threshold for startupProbe - ## - startupProbe: - enabled: false - initialDelaySeconds: 120 - periodSeconds: 15 - timeoutSeconds: 5 - failureThreshold: 10 - successThreshold: 1 - ## Configure extra options for liveness probe - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes - ## @param primary.livenessProbe.enabled Enable livenessProbe - ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 120 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 
- successThreshold: 1 - ## @param primary.readinessProbe.enabled Enable readinessProbe - ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - successThreshold: 1 - ## @param primary.customStartupProbe Override default startup probe for MariaDB primary containers - ## - customStartupProbe: {} - ## @param primary.customLivenessProbe Override default liveness probe for MariaDB primary containers - ## - customLivenessProbe: {} - ## @param primary.customReadinessProbe Override default readiness probe for MariaDB primary containers - ## - customReadinessProbe: {} - ## @param primary.startupWaitOptions Override default builtin startup wait check options for MariaDB primary containers - ## `bitnami/mariadb` Docker image has built-in startup check mechanism, - ## which periodically checks if MariaDB service has started up and stops it - ## if all checks have failed after X tries. Use these to control these checks. - ## ref: https://github.com/bitnami/bitnami-docker-mariadb/pull/240 - ## Example (with default options): - ## startupWaitOptions: - ## retries: 300 - ## waitTime: 2 - ## - startupWaitOptions: {} - ## @param primary.extraFlags MariaDB primary additional command line flags - ## Can be used to specify command line flags, for example: - ## E.g. - ## extraFlags: "--max-connect-errors=1000 --max_connections=155" - ## - extraFlags: "" - ## @param primary.extraEnvVars Extra environment variables to be set on MariaDB primary containers - ## E.g. 
- ## extraEnvVars: - ## - name: TZ - ## value: "Europe/Paris" + debug: false + ## @param architecture MariaDB architecture (`standalone` or `replication`) ## - extraEnvVars: [] - ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for MariaDB primary containers + architecture: standalone + ## MariaDB Authentication parameters ## - extraEnvVarsCM: "" - ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for MariaDB primary containers - ## - extraEnvVarsSecret: "" - ## Enable persistence using Persistent Volume Claims - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ - ## - persistence: - ## @param primary.persistence.enabled Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir + auth: + ## @param auth.rootPassword Password for the `root` user. Ignored if existing secret is provided. + ## ref: https://github.com/bitnami/bitnami-docker-mariadb#setting-the-root-password-on-first-run ## - enabled: true - ## @param primary.persistence.existingClaim Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas - ## NOTE: When it's set the rest of persistence parameters are ignored + rootPassword: "" + ## @param auth.database Name for a custom database to create + ## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#creating-a-database-on-first-run ## - existingClaim: "" - ## @param primary.persistence.subPath Subdirectory of the volume to mount at + database: my_database + ## @param auth.username Name for a custom user to create + ## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#creating-a-database-user-on-first-run ## - subPath: "" - ## @param primary.persistence.storageClass MariaDB primary persistent volume storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or 
set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) + username: "" + ## @param auth.password Password for the new user. Ignored if existing secret is provided ## - storageClass: "longhorn" - ## @param primary.persistence.annotations MariaDB primary persistent volume claim annotations + password: "" + ## @param auth.replicationUser MariaDB replication user + ## ref: https://github.com/bitnami/bitnami-docker-mariadb#setting-up-a-replication-cluster ## - annotations: {} - ## @param primary.persistence.accessModes MariaDB primary persistent volume access Modes + replicationUser: replicator + ## @param auth.replicationPassword MariaDB replication user password. Ignored if existing secret is provided + ## ref: https://github.com/bitnami/bitnami-docker-mariadb#setting-up-a-replication-cluster ## - accessModes: - - ReadWriteOnce - ## @param primary.persistence.size MariaDB primary persistent volume size + replicationPassword: "" + ## @param auth.existingSecret Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). 
The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` ## - size: 8Gi - ## @param primary.persistence.selector Selector to match an existing Persistent Volume - ## selector: - ## matchLabels: - ## app: my-app + existingSecret: "mariadb-secret" + ## @param auth.forcePassword Force users to specify required passwords ## - selector: {} - ## @param primary.extraVolumes Optionally specify extra list of additional volumes to the MariaDB Primary pod(s) - ## - extraVolumes: [] - ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MariaDB Primary container(s) - ## - extraVolumeMounts: [] - ## @param primary.initContainers Add additional init containers for the MariaDB Primary pod(s) - ## - initContainers: [] - ## @param primary.sidecars Add additional sidecar containers for the MariaDB Primary pod(s) + forcePassword: false + ## @param auth.usePasswordFiles Mount credentials as a files instead of using an environment variable + ## + usePasswordFiles: false + ## @param auth.customPasswordFiles Use custom password files when `auth.usePasswordFiles` is set to `true`. Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication` + ## Example: + ## customPasswordFiles: + ## root: /vault/secrets/mariadb-root + ## user: /vault/secrets/mariadb-user + ## replicator: /vault/secrets/mariadb-replicator + ## + customPasswordFiles: {} + ## @param initdbScripts Dictionary of initdb scripts + ## Specify dictionary of scripts to be run at first boot + ## Example: + ## initdbScripts: + ## my_init_script.sh: | + ## #!/bin/bash + ## echo "Do something." 
## - sidecars: [] - ## MariaDB Primary Service parameters + initdbScripts: {} + ## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) ## - service: - ## @param primary.service.type MariaDB Primary Kubernetes service type + initdbScriptsConfigMap: "" + + ## @section MariaDB Primary parameters + + ## Mariadb Primary parameters + ## + primary: + ## @param primary.command Override default container command on MariaDB Primary container(s) (useful when using custom images) + ## + command: [] + ## @param primary.args Override default container args on MariaDB Primary container(s) (useful when using custom images) + ## + args: [] + ## @param primary.lifecycleHooks for the MariaDB Primary container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param primary.hostAliases Add deployment host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param primary.configuration [string] MariaDB Primary configuration to be injected as ConfigMap + ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file + ## + configuration: |- + [mysqld] + skip-name-resolve + explicit_defaults_for_timestamp + basedir=/opt/bitnami/mariadb + plugin_dir=/opt/bitnami/mariadb/plugin + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + tmpdir=/opt/bitnami/mariadb/tmp + max_allowed_packet=16M + bind-address=:: + pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid + log-error=/opt/bitnami/mariadb/logs/mysqld.log + character-set-server=UTF8 + collation-server=utf8_general_ci + + [client] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + default-character-set=UTF8 + plugin_dir=/opt/bitnami/mariadb/plugin + + [manager] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid + ## @param primary.existingConfigmap Name of existing ConfigMap 
with MariaDB Primary configuration. + ## NOTE: When it's set the 'configuration' parameter is ignored + ## + existingConfigmap: "" + ## @param primary.updateStrategy.type MariaDB primary statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + ## @param primary.rollingUpdatePartition Partition update strategy for Mariadb Primary statefulset + ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions ## - type: ClusterIP - ## @param primary.service.ports.mysql MariaDB Primary Kubernetes service port + rollingUpdatePartition: "" + ## @param primary.podAnnotations Additional pod annotations for MariaDB primary pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## - ports: - mysql: 3306 - ## @param primary.service.nodePorts.mysql MariaDB Primary Kubernetes service node port - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + podAnnotations: {} + ## @param primary.podLabels Extra labels for MariaDB primary pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ ## - nodePorts: - mysql: "" - ## @param primary.service.clusterIP MariaDB Primary Kubernetes service clusterIP IP + podLabels: {} + ## @param primary.podAffinityPreset MariaDB primary pod affinity preset. Ignored if `primary.affinity` is set. 
Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## - clusterIP: "" - ## @param primary.service.loadBalancerIP MariaDB Primary loadBalancerIP if service type is `LoadBalancer` - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + podAffinityPreset: "" + ## @param primary.podAntiAffinityPreset MariaDB primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## - loadBalancerIP: "" - ## @param primary.service.externalTrafficPolicy Enable client source IP preservation - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + podAntiAffinityPreset: soft + ## Mariadb Primary node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity ## - externalTrafficPolicy: Cluster - ## @param primary.service.loadBalancerSourceRanges Address that are allowed when MariaDB Primary service is LoadBalancer - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + nodeAffinityPreset: + ## @param primary.nodeAffinityPreset.type MariaDB primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param primary.nodeAffinityPreset.key MariaDB primary node label key to match Ignored if `primary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param primary.nodeAffinityPreset.values MariaDB primary node label values to match. Ignored if `primary.affinity` is set. + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param primary.affinity Affinity for MariaDB primary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param primary.nodeSelector Node labels for MariaDB primary pods assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param primary.tolerations Tolerations for MariaDB primary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param primary.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param primary.podManagementPolicy podManagementPolicy to manage scaling operation of MariaDB primary pods + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies + ## + podManagementPolicy: "" + ## @param primary.topologySpreadConstraints Topology Spread Constraints for MariaDB primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## E.g. 
+ ## topologySpreadConstraints: + ## - maxSkew: 1 + ## topologyKey: topology.kubernetes.io/zone + ## whenUnsatisfiable: DoNotSchedule + ## + topologySpreadConstraints: {} + ## @param primary.priorityClassName Priority class for MariaDB primary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + ## MariaDB primary Pod security context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param primary.podSecurityContext.enabled Enable security context for MariaDB primary pods + ## @param primary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## MariaDB primary container security context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param primary.containerSecurityContext.enabled MariaDB primary container securityContext + ## @param primary.containerSecurityContext.runAsUser User ID for the MariaDB primary container + ## @param primary.containerSecurityContext.runAsNonRoot Set Controller container's Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## MariaDB primary container's resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ ## @param primary.resources.limits The resources limits for MariaDB primary containers + ## @param primary.resources.requests The requested resources for MariaDB primary containers + ## + resources: + ## Example: + ## limits: + ## cpu: 100m + ## memory: 256Mi + limits: {} + ## Examples: + ## requests: + ## cpu: 100m + ## memory: 256Mi + requests: {} + ## Configure extra options for MariaDB primary containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## @param primary.startupProbe.enabled Enable startupProbe + ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe + ## @param primary.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param primary.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 120 + periodSeconds: 15 + timeoutSeconds: 5 + failureThreshold: 10 + successThreshold: 1 + ## Configure extra options for liveness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param primary.livenessProbe.enabled Enable livenessProbe + ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 120 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 
+ successThreshold: 1 + ## @param primary.readinessProbe.enabled Enable readinessProbe + ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param primary.customStartupProbe Override default startup probe for MariaDB primary containers + ## + customStartupProbe: {} + ## @param primary.customLivenessProbe Override default liveness probe for MariaDB primary containers + ## + customLivenessProbe: {} + ## @param primary.customReadinessProbe Override default readiness probe for MariaDB primary containers + ## + customReadinessProbe: {} + ## @param primary.startupWaitOptions Override default builtin startup wait check options for MariaDB primary containers + ## `bitnami/mariadb` Docker image has built-in startup check mechanism, + ## which periodically checks if MariaDB service has started up and stops it + ## if all checks have failed after X tries. Use these to control these checks. + ## ref: https://github.com/bitnami/bitnami-docker-mariadb/pull/240 + ## Example (with default options): + ## startupWaitOptions: + ## retries: 300 + ## waitTime: 2 + ## + startupWaitOptions: {} + ## @param primary.extraFlags MariaDB primary additional command line flags + ## Can be used to specify command line flags, for example: ## E.g. 
- ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 + ## extraFlags: "--max-connect-errors=1000 --max_connections=155" ## - loadBalancerSourceRanges: [] - ## @param primary.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + extraFlags: "" + ## @param primary.extraEnvVars Extra environment variables to be set on MariaDB primary containers + ## E.g. + ## extraEnvVars: + ## - name: TZ + ## value: "Europe/Paris" ## - extraPorts: [] - ## @param primary.service.annotations Provide any additional annotations which may be required + extraEnvVars: [] + ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for MariaDB primary containers ## - annotations: {} - ## @param primary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" - ## If "ClientIP", consecutive client requests will be directed to the same Pod - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - ## - sessionAffinity: None - ## @param primary.service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## timeoutSeconds: 300 - sessionAffinityConfig: {} - ## MariaDB primary Pod Disruption Budget configuration - ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ - ## - pdb: - ## @param primary.pdb.create Enable/disable a Pod Disruption Budget creation for MariaDB primary pods + extraEnvVarsCM: "" + ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for MariaDB primary containers ## - create: false - ## @param primary.pdb.minAvailable Minimum number/percentage of MariaDB primary pods that must still be available after the eviction + extraEnvVarsSecret: "" + ## Enable persistence using Persistent Volume Claims + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param primary.persistence.enabled Enable 
persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir + ## + enabled: true + ## @param primary.persistence.existingClaim Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas + ## NOTE: When it's set the rest of persistence parameters are ignored + ## + existingClaim: "" + ## @param primary.persistence.subPath Subdirectory of the volume to mount at + ## + subPath: "" + ## @param primary.persistence.storageClass MariaDB primary persistent volume storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "longhorn" + ## @param primary.persistence.annotations MariaDB primary persistent volume claim annotations + ## + annotations: {} + ## @param primary.persistence.accessModes MariaDB primary persistent volume access Modes + ## + accessModes: + - ReadWriteOnce + ## @param primary.persistence.size MariaDB primary persistent volume size + ## + size: 8Gi + ## @param primary.persistence.selector Selector to match an existing Persistent Volume + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param primary.extraVolumes Optionally specify extra list of additional volumes to the MariaDB Primary pod(s) ## - minAvailable: 1 - ## @param primary.pdb.maxUnavailable Maximum number/percentage of MariaDB primary pods that can be unavailable after the eviction + extraVolumes: [] + ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MariaDB Primary container(s) ## - maxUnavailable: "" - ## @param primary.revisionHistoryLimit Maximum number of revisions that will be maintained in the StatefulSet - ## - revisionHistoryLimit: 10 + extraVolumeMounts: [] + ## @param primary.initContainers Add 
additional init containers for the MariaDB Primary pod(s) + ## + initContainers: [] + ## @param primary.sidecars Add additional sidecar containers for the MariaDB Primary pod(s) + ## + sidecars: [] + ## MariaDB Primary Service parameters + ## + service: + ## @param primary.service.type MariaDB Primary Kubernetes service type + ## + type: ClusterIP + ## @param primary.service.ports.mysql MariaDB Primary Kubernetes service port + ## + ports: + mysql: 3306 + ## @param primary.service.nodePorts.mysql MariaDB Primary Kubernetes service node port + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + mysql: "" + ## @param primary.service.clusterIP MariaDB Primary Kubernetes service clusterIP IP + ## + clusterIP: "" + ## @param primary.service.loadBalancerIP MariaDB Primary loadBalancerIP if service type is `LoadBalancer` + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param primary.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param primary.service.loadBalancerSourceRanges Address that are allowed when MariaDB Primary service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## E.g. 
+ ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param primary.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param primary.service.annotations Provide any additional annotations which may be required + ## + annotations: {} + ## @param primary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param primary.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + sessionAffinityConfig: {} + ## MariaDB primary Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + ## + pdb: + ## @param primary.pdb.create Enable/disable a Pod Disruption Budget creation for MariaDB primary pods + ## + create: false + ## @param primary.pdb.minAvailable Minimum number/percentage of MariaDB primary pods that must still be available after the eviction + ## + minAvailable: 1 + ## @param primary.pdb.maxUnavailable Maximum number/percentage of MariaDB primary pods that can be unavailable after the eviction + ## + maxUnavailable: "" + ## @param primary.revisionHistoryLimit Maximum number of revisions that will be maintained in the StatefulSet + ## + revisionHistoryLimit: 10 -## @section MariaDB Secondary parameters + ## @section MariaDB Secondary parameters -## Mariadb Secondary parameters -## -secondary: - ## @param secondary.replicaCount Number of MariaDB secondary replicas - ## - replicaCount: 1 - ## @param secondary.command Override default container command on MariaDB Secondary container(s) (useful when using custom images) - ## - command: [] - ## @param secondary.args Override 
default container args on MariaDB Secondary container(s) (useful when using custom images) - ## - args: [] - ## @param secondary.lifecycleHooks for the MariaDB Secondary container(s) to automate configuration before or after startup - ## - lifecycleHooks: {} - ## @param secondary.hostAliases Add deployment host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## @param secondary.configuration [string] MariaDB Secondary configuration to be injected as ConfigMap - ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file - ## - configuration: |- - [mysqld] - skip-name-resolve - explicit_defaults_for_timestamp - basedir=/opt/bitnami/mariadb - port=3306 - socket=/opt/bitnami/mariadb/tmp/mysql.sock - tmpdir=/opt/bitnami/mariadb/tmp - max_allowed_packet=16M - bind-address=0.0.0.0 - pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid - log-error=/opt/bitnami/mariadb/logs/mysqld.log - character-set-server=UTF8 - collation-server=utf8_general_ci + ## Mariadb Secondary parameters + ## + secondary: + ## @param secondary.replicaCount Number of MariaDB secondary replicas + ## + replicaCount: 1 + ## @param secondary.command Override default container command on MariaDB Secondary container(s) (useful when using custom images) + ## + command: [] + ## @param secondary.args Override default container args on MariaDB Secondary container(s) (useful when using custom images) + ## + args: [] + ## @param secondary.lifecycleHooks for the MariaDB Secondary container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param secondary.hostAliases Add deployment host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param secondary.configuration [string] MariaDB Secondary configuration to be injected as ConfigMap + ## ref: 
https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file + ## + configuration: |- + [mysqld] + skip-name-resolve + explicit_defaults_for_timestamp + basedir=/opt/bitnami/mariadb + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + tmpdir=/opt/bitnami/mariadb/tmp + max_allowed_packet=16M + bind-address=0.0.0.0 + pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid + log-error=/opt/bitnami/mariadb/logs/mysqld.log + character-set-server=UTF8 + collation-server=utf8_general_ci - [client] - port=3306 - socket=/opt/bitnami/mariadb/tmp/mysql.sock - default-character-set=UTF8 + [client] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + default-character-set=UTF8 - [manager] - port=3306 - socket=/opt/bitnami/mariadb/tmp/mysql.sock - pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid - ## @param secondary.existingConfigmap Name of existing ConfigMap with MariaDB Secondary configuration. - ## NOTE: When it's set the 'configuration' parameter is ignored - ## - existingConfigmap: "" - ## @param secondary.updateStrategy.type MariaDB secondary statefulset strategy type - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - ## - updateStrategy: - ## StrategyType - ## Can be set to RollingUpdate or OnDelete + [manager] + port=3306 + socket=/opt/bitnami/mariadb/tmp/mysql.sock + pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid + ## @param secondary.existingConfigmap Name of existing ConfigMap with MariaDB Secondary configuration. 
+ ## NOTE: When it's set the 'configuration' parameter is ignored + ## + existingConfigmap: "" + ## @param secondary.updateStrategy.type MariaDB secondary statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + ## @param secondary.rollingUpdatePartition Partition update strategy for Mariadb Secondary statefulset + ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions ## - type: RollingUpdate - ## @param secondary.rollingUpdatePartition Partition update strategy for Mariadb Secondary statefulset - ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions - ## - rollingUpdatePartition: "" - ## @param secondary.podAnnotations Additional pod annotations for MariaDB secondary pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - podAnnotations: {} - ## @param secondary.podLabels Extra labels for MariaDB secondary pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - ## - podLabels: {} - ## @param secondary.podAffinityPreset MariaDB secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param secondary.podAntiAffinityPreset MariaDB secondary pod anti-affinity preset. Ignored if `secondary.affinity` is set. 
Allowed values: `soft` or `hard` - ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAntiAffinityPreset: soft - ## Mariadb Secondary node affinity preset - ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## - nodeAffinityPreset: - ## @param secondary.nodeAffinityPreset.type MariaDB secondary node affinity preset type. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` + rollingUpdatePartition: "" + ## @param secondary.podAnnotations Additional pod annotations for MariaDB secondary pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## - type: "" - ## @param secondary.nodeAffinityPreset.key MariaDB secondary node label key to match Ignored if `secondary.affinity` is set. - ## E.g. - ## key: "kubernetes.io/e2e-az-name" + podAnnotations: {} + ## @param secondary.podLabels Extra labels for MariaDB secondary pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ ## - key: "" - ## @param secondary.nodeAffinityPreset.values MariaDB secondary node label values to match. Ignored if `secondary.affinity` is set. - ## E.g. 
- ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param secondary.affinity Affinity for MariaDB secondary pods assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set - ## - affinity: {} - ## @param secondary.nodeSelector Node labels for MariaDB secondary pods assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param secondary.tolerations Tolerations for MariaDB secondary pods assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## @param secondary.topologySpreadConstraints Topology Spread Constraints for MariaDB secondary pods assignment - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## E.g. - ## topologySpreadConstraints: - ## - maxSkew: 1 - ## topologyKey: topology.kubernetes.io/zone - ## whenUnsatisfiable: DoNotSchedule - ## - topologySpreadConstraints: {} - ## @param secondary.priorityClassName Priority class for MariaDB secondary pods assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ - ## - priorityClassName: "" - ## @param secondary.schedulerName Name of the k8s scheduler (other than default) - ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - schedulerName: "" - ## @param secondary.podManagementPolicy podManagementPolicy to manage scaling operation of MariaDB secondary pods - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies - ## - podManagementPolicy: "" - ## MariaDB secondary Pod security context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param secondary.podSecurityContext.enabled Enable 
security context for MariaDB secondary pods - ## @param secondary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem - ## - podSecurityContext: - enabled: true - fsGroup: 1001 - ## MariaDB secondary container security context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param secondary.containerSecurityContext.enabled MariaDB secondary container securityContext - ## @param secondary.containerSecurityContext.runAsUser User ID for the MariaDB secondary container - ## @param secondary.containerSecurityContext.runAsNonRoot Set Controller container's Security Context runAsNonRoot - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsNonRoot: true - ## MariaDB secondary container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## We usually recommend not to specify default resources and to leave this as a conscious - ## choice for the user. This also increases chances charts run on environments with little - ## resources, such as Minikube. If you do want to specify resources, uncomment the following - ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- ## @param secondary.resources.limits The resources limits for MariaDB secondary containers - ## @param secondary.resources.requests The requested resources for MariaDB secondary containers - ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 256Mi - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 256Mi - requests: {} - ## Configure extra options for MariaDB Secondary containers' liveness, readiness and startup probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) - ## @param secondary.startupProbe.enabled Enable startupProbe - ## @param secondary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param secondary.startupProbe.periodSeconds Period seconds for startupProbe - ## @param secondary.startupProbe.timeoutSeconds Timeout seconds for startupProbe - ## @param secondary.startupProbe.failureThreshold Failure threshold for startupProbe - ## @param secondary.startupProbe.successThreshold Success threshold for startupProbe - ## - startupProbe: - enabled: false - initialDelaySeconds: 120 - periodSeconds: 15 - timeoutSeconds: 5 - failureThreshold: 10 - successThreshold: 1 - ## Configure extra options for liveness probe - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes - ## @param secondary.livenessProbe.enabled Enable livenessProbe - ## @param secondary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param secondary.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param secondary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param secondary.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param secondary.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 120 - periodSeconds: 10 - 
timeoutSeconds: 1 - failureThreshold: 3 - successThreshold: 1 - ## @param secondary.readinessProbe.enabled Enable readinessProbe - ## @param secondary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param secondary.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param secondary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param secondary.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param secondary.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - successThreshold: 1 - ## @param secondary.customStartupProbe Override default startup probe for MariaDB secondary containers - ## - customStartupProbe: {} - ## @param secondary.customLivenessProbe Override default liveness probe for MariaDB secondary containers - ## - customLivenessProbe: {} - ## @param secondary.customReadinessProbe Override default readiness probe for MariaDB secondary containers - ## - customReadinessProbe: {} - ## @param secondary.startupWaitOptions Override default builtin startup wait check options for MariaDB secondary containers - ## `bitnami/mariadb` Docker image has built-in startup check mechanism, - ## which periodically checks if MariaDB service has started up and stops it - ## if all checks have failed after X tries. Use these to control these checks. - ## ref: https://github.com/bitnami/bitnami-docker-mariadb/pull/240 - ## Example (with default options): - ## startupWaitOptions: - ## retries: 300 - ## waitTime: 2 - ## - startupWaitOptions: {} - ## @param secondary.extraFlags MariaDB secondary additional command line flags - ## Can be used to specify command line flags, for example: - ## E.g. 
- ## extraFlags: "--max-connect-errors=1000 --max_connections=155" - ## - extraFlags: "" - ## @param secondary.extraEnvVars Extra environment variables to be set on MariaDB secondary containers - ## E.g. - ## extraEnvVars: - ## - name: TZ - ## value: "Europe/Paris" - ## - extraEnvVars: [] - ## @param secondary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for MariaDB secondary containers - ## - extraEnvVarsCM: "" - ## @param secondary.extraEnvVarsSecret Name of existing Secret containing extra env vars for MariaDB secondary containers - ## - extraEnvVarsSecret: "" - ## Enable persistence using Persistent Volume Claims - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ - ## - persistence: - ## @param secondary.persistence.enabled Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim` + podLabels: {} + ## @param secondary.podAffinityPreset MariaDB secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## - enabled: true - ## @param secondary.persistence.subPath Subdirectory of the volume to mount at + podAffinityPreset: "" + ## @param secondary.podAntiAffinityPreset MariaDB secondary pod anti-affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## - subPath: "" - ## @param secondary.persistence.storageClass MariaDB secondary persistent volume storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. 
(gp2 on AWS, standard on - ## GKE, AWS & OpenStack) + podAntiAffinityPreset: soft + ## Mariadb Secondary node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity ## - storageClass: "" - ## @param secondary.persistence.annotations MariaDB secondary persistent volume claim annotations + nodeAffinityPreset: + ## @param secondary.nodeAffinityPreset.type MariaDB secondary node affinity preset type. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param secondary.nodeAffinityPreset.key MariaDB secondary node label key to match Ignored if `secondary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param secondary.nodeAffinityPreset.values MariaDB secondary node label values to match. Ignored if `secondary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param secondary.affinity Affinity for MariaDB secondary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param secondary.nodeSelector Node labels for MariaDB secondary pods assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param secondary.tolerations Tolerations for MariaDB secondary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param secondary.topologySpreadConstraints Topology Spread Constraints for MariaDB secondary pods assignment + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## E.g. 
+ ## topologySpreadConstraints: + ## - maxSkew: 1 + ## topologyKey: topology.kubernetes.io/zone + ## whenUnsatisfiable: DoNotSchedule + ## + topologySpreadConstraints: {} + ## @param secondary.priorityClassName Priority class for MariaDB secondary pods assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + ## @param secondary.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param secondary.podManagementPolicy podManagementPolicy to manage scaling operation of MariaDB secondary pods + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies + ## + podManagementPolicy: "" + ## MariaDB secondary Pod security context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param secondary.podSecurityContext.enabled Enable security context for MariaDB secondary pods + ## @param secondary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## MariaDB secondary container security context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param secondary.containerSecurityContext.enabled MariaDB secondary container securityContext + ## @param secondary.containerSecurityContext.runAsUser User ID for the MariaDB secondary container + ## @param secondary.containerSecurityContext.runAsNonRoot Set Controller container's Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## MariaDB secondary container's resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to 
specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param secondary.resources.limits The resources limits for MariaDB secondary containers + ## @param secondary.resources.requests The requested resources for MariaDB secondary containers + ## + resources: + ## Example: + ## limits: + ## cpu: 100m + ## memory: 256Mi + limits: {} + ## Examples: + ## requests: + ## cpu: 100m + ## memory: 256Mi + requests: {} + ## Configure extra options for MariaDB Secondary containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## @param secondary.startupProbe.enabled Enable startupProbe + ## @param secondary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param secondary.startupProbe.periodSeconds Period seconds for startupProbe + ## @param secondary.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param secondary.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param secondary.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 120 + periodSeconds: 15 + timeoutSeconds: 5 + failureThreshold: 10 + successThreshold: 1 + ## Configure extra options for liveness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param secondary.livenessProbe.enabled Enable livenessProbe + ## @param secondary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param secondary.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param 
secondary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param secondary.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param secondary.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 120 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param secondary.readinessProbe.enabled Enable readinessProbe + ## @param secondary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param secondary.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param secondary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param secondary.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param secondary.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## @param secondary.customStartupProbe Override default startup probe for MariaDB secondary containers + ## + customStartupProbe: {} + ## @param secondary.customLivenessProbe Override default liveness probe for MariaDB secondary containers + ## + customLivenessProbe: {} + ## @param secondary.customReadinessProbe Override default readiness probe for MariaDB secondary containers + ## + customReadinessProbe: {} + ## @param secondary.startupWaitOptions Override default builtin startup wait check options for MariaDB secondary containers + ## `bitnami/mariadb` Docker image has built-in startup check mechanism, + ## which periodically checks if MariaDB service has started up and stops it + ## if all checks have failed after X tries. Use these to control these checks. 
+ ## ref: https://github.com/bitnami/bitnami-docker-mariadb/pull/240 + ## Example (with default options): + ## startupWaitOptions: + ## retries: 300 + ## waitTime: 2 + ## + startupWaitOptions: {} + ## @param secondary.extraFlags MariaDB secondary additional command line flags + ## Can be used to specify command line flags, for example: + ## E.g. + ## extraFlags: "--max-connect-errors=1000 --max_connections=155" ## - annotations: {} - ## @param secondary.persistence.accessModes MariaDB secondary persistent volume access Modes + extraFlags: "" + ## @param secondary.extraEnvVars Extra environment variables to be set on MariaDB secondary containers + ## E.g. + ## extraEnvVars: + ## - name: TZ + ## value: "Europe/Paris" ## - accessModes: - - ReadWriteOnce - ## @param secondary.persistence.size MariaDB secondary persistent volume size + extraEnvVars: [] + ## @param secondary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for MariaDB secondary containers ## - size: 8Gi - ## @param secondary.persistence.selector Selector to match an existing Persistent Volume - ## selector: - ## matchLabels: - ## app: my-app + extraEnvVarsCM: "" + ## @param secondary.extraEnvVarsSecret Name of existing Secret containing extra env vars for MariaDB secondary containers ## - selector: {} - ## @param secondary.extraVolumes Optionally specify extra list of additional volumes to the MariaDB secondary pod(s) - ## - extraVolumes: [] - ## @param secondary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MariaDB secondary container(s) - ## - extraVolumeMounts: [] - ## @param secondary.initContainers Add additional init containers for the MariaDB secondary pod(s) - ## - initContainers: [] - ## @param secondary.sidecars Add additional sidecar containers for the MariaDB secondary pod(s) - ## - sidecars: [] - ## MariaDB Secondary Service parameters - ## - service: - ## @param secondary.service.type MariaDB secondary Kubernetes service type - ## - 
type: ClusterIP - ## @param secondary.service.ports.mysql MariaDB secondary Kubernetes service port - ## - ports: - mysql: 3306 - ## @param secondary.service.nodePorts.mysql MariaDB secondary Kubernetes service node port - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - nodePorts: - mysql: "" - ## @param secondary.service.clusterIP MariaDB secondary Kubernetes service clusterIP IP - ## e.g: - ## clusterIP: None - ## - clusterIP: "" - ## @param secondary.service.loadBalancerIP MariaDB secondary loadBalancerIP if service type is `LoadBalancer` - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param secondary.service.externalTrafficPolicy Enable client source IP preservation - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param secondary.service.loadBalancerSourceRanges Address that are allowed when MariaDB secondary service is LoadBalancer - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## E.g. 
- ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 + extraEnvVarsSecret: "" + ## Enable persistence using Persistent Volume Claims + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ ## - loadBalancerSourceRanges: [] - ## @param secondary.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + persistence: + ## @param secondary.persistence.enabled Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim` + ## + enabled: true + ## @param secondary.persistence.subPath Subdirectory of the volume to mount at + ## + subPath: "" + ## @param secondary.persistence.storageClass MariaDB secondary persistent volume storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param secondary.persistence.annotations MariaDB secondary persistent volume claim annotations + ## + annotations: {} + ## @param secondary.persistence.accessModes MariaDB secondary persistent volume access Modes + ## + accessModes: + - ReadWriteOnce + ## @param secondary.persistence.size MariaDB secondary persistent volume size + ## + size: 8Gi + ## @param secondary.persistence.selector Selector to match an existing Persistent Volume + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param secondary.extraVolumes Optionally specify extra list of additional volumes to the MariaDB secondary pod(s) ## - extraPorts: [] - ## @param secondary.service.annotations Provide any additional annotations which may be required + extraVolumes: [] + ## @param secondary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MariaDB secondary container(s) ## - annotations: {} - ## @param secondary.service.sessionAffinity Session Affinity for 
Kubernetes service, can be "None" or "ClientIP" - ## If "ClientIP", consecutive client requests will be directed to the same Pod - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - ## - sessionAffinity: None - ## @param secondary.service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## timeoutSeconds: 300 - sessionAffinityConfig: {} - ## MariaDB secondary Pod Disruption Budget configuration - ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ - ## - pdb: - ## @param secondary.pdb.create Enable/disable a Pod Disruption Budget creation for MariaDB secondary pods + extraVolumeMounts: [] + ## @param secondary.initContainers Add additional init containers for the MariaDB secondary pod(s) ## - create: false - ## @param secondary.pdb.minAvailable Minimum number/percentage of MariaDB secondary pods that should remain scheduled + initContainers: [] + ## @param secondary.sidecars Add additional sidecar containers for the MariaDB secondary pod(s) ## - minAvailable: 1 - ## @param secondary.pdb.maxUnavailable Maximum number/percentage of MariaDB secondary pods that may be made unavailable + sidecars: [] + ## MariaDB Secondary Service parameters ## - maxUnavailable: "" - ## @param secondary.revisionHistoryLimit Maximum number of revisions that will be maintained in the StatefulSet - ## - revisionHistoryLimit: 10 + service: + ## @param secondary.service.type MariaDB secondary Kubernetes service type + ## + type: ClusterIP + ## @param secondary.service.ports.mysql MariaDB secondary Kubernetes service port + ## + ports: + mysql: 3306 + ## @param secondary.service.nodePorts.mysql MariaDB secondary Kubernetes service node port + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + mysql: "" + ## @param secondary.service.clusterIP MariaDB secondary Kubernetes service clusterIP IP + ## e.g: + 
## clusterIP: None + ## + clusterIP: "" + ## @param secondary.service.loadBalancerIP MariaDB secondary loadBalancerIP if service type is `LoadBalancer` + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param secondary.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param secondary.service.loadBalancerSourceRanges Address that are allowed when MariaDB secondary service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## E.g. + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param secondary.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param secondary.service.annotations Provide any additional annotations which may be required + ## + annotations: {} + ## @param secondary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param secondary.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + sessionAffinityConfig: {} + ## MariaDB secondary Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + ## + pdb: + ## @param secondary.pdb.create Enable/disable a Pod Disruption Budget creation for MariaDB secondary pods + ## + create: false + ## @param secondary.pdb.minAvailable Minimum 
number/percentage of MariaDB secondary pods that should remain scheduled + ## + minAvailable: 1 + ## @param secondary.pdb.maxUnavailable Maximum number/percentage of MariaDB secondary pods that may be made unavailable + ## + maxUnavailable: "" + ## @param secondary.revisionHistoryLimit Maximum number of revisions that will be maintained in the StatefulSet + ## + revisionHistoryLimit: 10 -## @section RBAC parameters + ## @section RBAC parameters -## MariaDB pods ServiceAccount -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ -## -serviceAccount: - ## @param serviceAccount.create Enable the creation of a ServiceAccount for MariaDB pods - ## - create: true - ## @param serviceAccount.name Name of the created ServiceAccount - ## If not set and create is true, a name is generated using the mariadb.fullname template - ## - name: "" - ## @param serviceAccount.annotations Annotations for MariaDB Service Account + ## MariaDB pods ServiceAccount + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ ## - annotations: {} - ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account - ## - automountServiceAccountToken: false -## Role Based Access -## ref: https://kubernetes.io/docs/admin/authorization/rbac/ -## -rbac: - ## @param rbac.create Whether to create and use RBAC resources or not + serviceAccount: + ## @param serviceAccount.create Enable the creation of a ServiceAccount for MariaDB pods + ## + create: true + ## @param serviceAccount.name Name of the created ServiceAccount + ## If not set and create is true, a name is generated using the mariadb.fullname template + ## + name: "" + ## @param serviceAccount.annotations Annotations for MariaDB Service Account + ## + annotations: {} + ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account + ## + automountServiceAccountToken: 
false + ## Role Based Access + ## ref: https://kubernetes.io/docs/admin/authorization/rbac/ ## - create: false + rbac: + ## @param rbac.create Whether to create and use RBAC resources or not + ## + create: false -## @section Volume Permissions parameters + ## @section Volume Permissions parameters -## Init containers parameters: -## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. -## -volumePermissions: - ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` - ## - enabled: false - ## @param volumePermissions.image.registry Init container volume-permissions image registry - ## @param volumePermissions.image.repository Init container volume-permissions image repository - ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) - ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy - ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array + ## Init containers parameters: + ## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. 
## - image: - registry: docker.io - repository: bitnami/bitnami-shell - tag: 10-debian-10-r349 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName + volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` ## - pullSecrets: [] - ## @param volumePermissions.resources.limits Init container volume-permissions resource limits - ## @param volumePermissions.resources.requests Init container volume-permissions resource requests - ## - resources: - limits: {} - requests: {} + enabled: false + ## @param volumePermissions.image.registry Init container volume-permissions image registry + ## @param volumePermissions.image.repository Init container volume-permissions image repository + ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 10-debian-10-r349 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param volumePermissions.resources.limits Init container volume-permissions resource limits + ## @param volumePermissions.resources.requests Init container volume-permissions resource requests + ## + resources: + limits: {} + 
requests: {} -## @section Metrics parameters + ## @section Metrics parameters -## Mysqld Prometheus exporter parameters -## -metrics: - ## @param metrics.enabled Start a side-car prometheus exporter - ## - enabled: false - ## @param metrics.image.registry Exporter image registry - ## @param metrics.image.repository Exporter image repository - ## @param metrics.image.tag Exporter image tag (immutable tags are recommended) - ## @param metrics.image.pullPolicy Exporter image pull policy - ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array + ## Mysqld Prometheus exporter parameters ## - image: - registry: docker.io - repository: bitnami/mysqld-exporter - tag: 0.13.0-debian-10-r256 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName + metrics: + ## @param metrics.enabled Start a side-car prometheus exporter ## - pullSecrets: [] - ## @param metrics.annotations [object] Annotations for the Exporter pod - ## - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9104" - ## @param metrics.extraArgs [object] Extra args to be passed to mysqld_exporter - ## ref: https://github.com/prometheus/mysqld_exporter/ - ## E.g. 
- ## - --collect.auto_increment.columns - ## - --collect.binlog_size - ## - --collect.engine_innodb_status - ## - --collect.engine_tokudb_status - ## - --collect.global_status - ## - --collect.global_variables - ## - --collect.info_schema.clientstats - ## - --collect.info_schema.innodb_metrics - ## - --collect.info_schema.innodb_tablespaces - ## - --collect.info_schema.innodb_cmp - ## - --collect.info_schema.innodb_cmpmem - ## - --collect.info_schema.processlist - ## - --collect.info_schema.processlist.min_time - ## - --collect.info_schema.query_response_time - ## - --collect.info_schema.tables - ## - --collect.info_schema.tables.databases - ## - --collect.info_schema.tablestats - ## - --collect.info_schema.userstats - ## - --collect.perf_schema.eventsstatements - ## - --collect.perf_schema.eventsstatements.digest_text_limit - ## - --collect.perf_schema.eventsstatements.limit - ## - --collect.perf_schema.eventsstatements.timelimit - ## - --collect.perf_schema.eventswaits - ## - --collect.perf_schema.file_events - ## - --collect.perf_schema.file_instances - ## - --collect.perf_schema.indexiowaits - ## - --collect.perf_schema.tableiowaits - ## - --collect.perf_schema.tablelocks - ## - --collect.perf_schema.replication_group_member_stats - ## - --collect.slave_status - ## - --collect.slave_hosts - ## - --collect.heartbeat - ## - --collect.heartbeat.database - ## - --collect.heartbeat.table - ## - extraArgs: - primary: [] - secondary: [] - ## MariaDB metrics container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param metrics.containerSecurityContext.enabled Enable security context for MariaDB metrics container - ## Example: - ## containerSecurityContext: - ## enabled: true - ## capabilities: - ## drop: ["NET_RAW"] - ## readOnlyRootFilesystem: true - ## - containerSecurityContext: enabled: false - ## Mysqld Prometheus exporter resource requests and limits - ## ref: 
https://kubernetes.io/docs/user-guide/compute-resources/ - ## We usually recommend not to specify default resources and to leave this as a conscious - ## choice for the user. This also increases chances charts run on environments with little - ## resources, such as Minikube. If you do want to specify resources, uncomment the following - ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param metrics.resources.limits The resources limits for MariaDB prometheus exporter containers - ## @param metrics.resources.requests The requested resources for MariaDB prometheus exporter containers - ## - resources: + ## @param metrics.image.registry Exporter image registry + ## @param metrics.image.repository Exporter image repository + ## @param metrics.image.tag Exporter image tag (immutable tags are recommended) + ## @param metrics.image.pullPolicy Exporter image pull policy + ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/mysqld-exporter + tag: 0.13.0-debian-10-r256 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.annotations [object] Annotations for the Exporter pod + ## + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9104" + ## @param metrics.extraArgs [object] Extra args to be passed to mysqld_exporter + ## ref: https://github.com/prometheus/mysqld_exporter/ + ## E.g. 
+ ## - --collect.auto_increment.columns + ## - --collect.binlog_size + ## - --collect.engine_innodb_status + ## - --collect.engine_tokudb_status + ## - --collect.global_status + ## - --collect.global_variables + ## - --collect.info_schema.clientstats + ## - --collect.info_schema.innodb_metrics + ## - --collect.info_schema.innodb_tablespaces + ## - --collect.info_schema.innodb_cmp + ## - --collect.info_schema.innodb_cmpmem + ## - --collect.info_schema.processlist + ## - --collect.info_schema.processlist.min_time + ## - --collect.info_schema.query_response_time + ## - --collect.info_schema.tables + ## - --collect.info_schema.tables.databases + ## - --collect.info_schema.tablestats + ## - --collect.info_schema.userstats + ## - --collect.perf_schema.eventsstatements + ## - --collect.perf_schema.eventsstatements.digest_text_limit + ## - --collect.perf_schema.eventsstatements.limit + ## - --collect.perf_schema.eventsstatements.timelimit + ## - --collect.perf_schema.eventswaits + ## - --collect.perf_schema.file_events + ## - --collect.perf_schema.file_instances + ## - --collect.perf_schema.indexiowaits + ## - --collect.perf_schema.tableiowaits + ## - --collect.perf_schema.tablelocks + ## - --collect.perf_schema.replication_group_member_stats + ## - --collect.slave_status + ## - --collect.slave_hosts + ## - --collect.heartbeat + ## - --collect.heartbeat.database + ## - --collect.heartbeat.table + ## + extraArgs: + primary: [] + secondary: [] + ## MariaDB metrics container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param metrics.containerSecurityContext.enabled Enable security context for MariaDB metrics container ## Example: - ## limits: - ## cpu: 100m - ## memory: 256Mi - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 256Mi - requests: {} - ## Configure extra options for liveness probe - ## ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes - ## @param metrics.livenessProbe.enabled Enable livenessProbe - ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 120 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - ## Configure extra options for readiness probe - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes - ## @param metrics.readinessProbe.enabled Enable readinessProbe - ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - ## Prometheus Service Monitor - ## ref: https://github.com/coreos/prometheus-operator - ## - serviceMonitor: - ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator - ## - enabled: false - ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in - ## - namespace: "" - ## @param metrics.serviceMonitor.jobLabel The name of 
the label on the target service to use as the job name in prometheus. - ## - jobLabel: "" - ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped - ## - interval: 30s - ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended - ## e.g: - ## scrapeTimeout: 30s - ## - scrapeTimeout: "" - ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig - ## - relabelings: [] - ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig - ## - metricRelabelings: [] - ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels - ## - honorLabels: false - ## @param metrics.serviceMonitor.selector ServiceMonitor selector labels - ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration - ## - ## selector: - ## prometheus: my-prometheus - ## - selector: {} - ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor + ## containerSecurityContext: + ## enabled: true + ## capabilities: + ## drop: ["NET_RAW"] + ## readOnlyRootFilesystem: true ## - labels: {} - ## Prometheus Operator PrometheusRule configuration - ## - prometheusRule: - ## @param metrics.prometheusRule.enabled if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) + containerSecurityContext: + enabled: false + ## Mysqld Prometheus exporter resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. 
This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param metrics.resources.limits The resources limits for MariaDB prometheus exporter containers + ## @param metrics.resources.requests The requested resources for MariaDB prometheus exporter containers + ## + resources: + ## Example: + ## limits: + ## cpu: 100m + ## memory: 256Mi + limits: {} + ## Examples: + ## requests: + ## cpu: 100m + ## memory: 256Mi + requests: {} + ## Configure extra options for liveness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param metrics.livenessProbe.enabled Enable livenessProbe + ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 120 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + ## Configure extra options for readiness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param metrics.readinessProbe.enabled Enable readinessProbe + ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param metrics.readinessProbe.failureThreshold Failure 
threshold for readinessProbe + ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + ## Prometheus Service Monitor + ## ref: https://github.com/coreos/prometheus-operator + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in + ## + namespace: "" + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## + jobLabel: "" + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped + ## + interval: 30s + ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended + ## e.g: + ## scrapeTimeout: 30s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## @param metrics.serviceMonitor.selector ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + ## selector: + ## prometheus: my-prometheus + ## + selector: {} + ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor + ## + 
labels: {} + ## Prometheus Operator PrometheusRule configuration ## - enabled: false - ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace) - ## - namespace: "" - ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so PrometheusRule will be discovered by Prometheus - ## - additionalLabels: {} - ## @param metrics.prometheusRule.rules Prometheus Rule definitions - ## - alert: MariaDB-Down - ## expr: absent(up{job="mariadb"} == 1) - ## for: 5m - ## labels: - ## severity: warning - ## service: mariadb - ## annotations: - ## message: 'MariaDB instance {{ $labels.instance }} is down' - ## summary: MariaDB instance is down - ## - rules: [] + prometheusRule: + ## @param metrics.prometheusRule.enabled if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) + ## + enabled: false + ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace) + ## + namespace: "" + ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so PrometheusRule will be discovered by Prometheus + ## + additionalLabels: {} + ## @param metrics.prometheusRule.rules Prometheus Rule definitions + ## - alert: MariaDB-Down + ## expr: absent(up{job="mariadb"} == 1) + ## for: 5m + ## labels: + ## severity: warning + ## service: mariadb + ## annotations: + ## message: 'MariaDB instance {{ $labels.instance }} is down' + ## summary: MariaDB instance is down + ## + rules: [] -## @section NetworkPolicy parameters + ## @section NetworkPolicy parameters -## Add networkpolicies -## -networkPolicy: - ## @param networkPolicy.enabled Enable network policies - ## - enabled: false - ## @param networkPolicy.metrics.enabled Enable network policy for metrics (prometheus) - ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace 
selector labels. These labels will be used to identify the prometheus' namespace. - ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. + ## Add networkpolicies ## - metrics: + networkPolicy: + ## @param networkPolicy.enabled Enable network policies + ## enabled: false - ## e.g: - ## podSelector: - ## label: monitoring - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: monitoring - ## - namespaceSelector: {} - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the primary node. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the primary node. This label will be used to identified the allowed pod(s). - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules [object] Custom network policy for the primary node. - ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. - ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to acces the secondary nodes. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the secondary nodes. This label will be used to identified the allowed pod(s). - ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules [object] Custom network policy for the secondary nodes. 
- ## - ingressRules: - ## Allow access to the primary node only from the indicated: - primaryAccessOnlyFrom: + ## @param networkPolicy.metrics.enabled Enable network policy for metrics (prometheus) + ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. + ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. + ## + metrics: enabled: false ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## e.g: ## podSelector: - ## label: access + ## label: monitoring ## podSelector: {} - ## custom ingress rules - ## e.g: - ## customRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - customRules: {} - - ## Allow access to the secondary node only from the indicated: - secondaryAccessOnlyFrom: - enabled: false ## e.g: ## namespaceSelector: - ## label: ingress + ## label: monitoring ## namespaceSelector: {} + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the primary node. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the primary node. This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules [object] Custom network policy for the primary node. + ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. 
+ ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to acces the secondary nodes. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the secondary nodes. This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules [object] Custom network policy for the secondary nodes. + ## + ingressRules: + ## Allow access to the primary node only from the indicated: + primaryAccessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## customRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + + ## Allow access to the secondary node only from the indicated: + secondaryAccessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## CustomRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + + ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). + ## @param networkPolicy.egressRules.customRules [object] Custom network policy rule + ## + egressRules: + # Deny connections to external. This is not compatible with an external database. 
+ denyConnectionsToExternal: false + ## Additional custom egress rules ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## custom ingress rules - ## e.g: - ## CustomRules: - ## - from: + ## customRules: + ## - to: ## - namespaceSelector: ## matchLabels: ## label: example - customRules: {} - - ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). - ## @param networkPolicy.egressRules.customRules [object] Custom network policy rule - ## - egressRules: - # Deny connections to external. This is not compatible with an external database. - denyConnectionsToExternal: false - ## Additional custom egress rules - ## e.g: - ## customRules: - ## - to: - ## - namespaceSelector: - ## matchLabels: - ## label: example - customRules: {} \ No newline at end of file + customRules: {} \ No newline at end of file From c5350a917f58f2c5fa1366b7856d73b37964a09c Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 28 Feb 2022 14:29:30 +0100 Subject: [PATCH 136/334] config: downgrade --- home/mariadb/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/mariadb/Chart.yaml b/home/mariadb/Chart.yaml index 1b64ff6dac..4d75625fe5 100644 --- a/home/mariadb/Chart.yaml +++ b/home/mariadb/Chart.yaml @@ -3,5 +3,5 @@ name: mariadb version: 0.0.0 dependencies: - name: mariadb - version: 10.6.7 + version: 10.3.7 repository: https://charts.bitnami.com/bitnami \ No newline at end of file From 20980fd9a26e3d8cfd0e08af1f71c427049ff672 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 28 Feb 2022 16:28:47 +0100 Subject: [PATCH 137/334] feat: nextcloud --- home/nextcloud/Chart.yaml | 7 + home/nextcloud/values.yaml | 473 +++++++++++++++++++++++++++++++++++++ 2 files changed, 480 insertions(+) create mode 100644 home/nextcloud/Chart.yaml create mode 100644 home/nextcloud/values.yaml 
diff --git a/home/nextcloud/Chart.yaml b/home/nextcloud/Chart.yaml
new file mode 100644
index 0000000000..2a7efd7c7b
--- /dev/null
+++ b/home/nextcloud/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: nextcloud
+version: 0.0.0
+dependencies:
+ - name: nextcloud
+ version: 2.12.1
+ repository: https://nextcloud.github.io/helm/
diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml
new file mode 100644
index 0000000000..b5fe551404
--- /dev/null
+++ b/home/nextcloud/values.yaml
@@ -0,0 +1,473 @@ +nextcloud: + + ## Official nextcloud image version + ## ref: https://hub.docker.com/r/library/nextcloud/tags/ + ## + image: + repository: nextcloud + tag: 22.2.3-fpm-alpine + pullPolicy: IfNotPresent + # pullSecrets: + # - myRegistrKeySecretName + + nameOverride: "" + fullnameOverride: "" + podAnnotations: {} + deploymentAnnotations: {} + + # Number of replicas to be deployed + replicaCount: 1 + + ## Allowing use of ingress controllers + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ + ## + ingress: + enabled: true + className: nginx + annotations: {} + nginx.ingress.kubernetes.io/proxy-body-size: 4G + # kubernetes.io/tls-acme: "true" + cert-manager.io/cluster-issuer: letsencrypt-prod + # nginx.ingress.kubernetes.io/server-snippet: |- + # server_tokens off; + # proxy_hide_header X-Powered-By; + + # rewrite ^/.well-known/webfinger /public.php?service=webfinger last; + # rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + # rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json; + # location = /.well-known/carddav { + # return 301 $scheme://$host/remote.php/dav; + # } + # location = /.well-known/caldav { + # return 301 $scheme://$host/remote.php/dav; + # } + # location = /robots.txt { + # allow all; + # log_not_found off; + # access_log off; + # } + # location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { + # deny all; + # } + # location ~ ^/(?:autotest|occ|issue|indie|db_|console) { + # deny all; + # } + tls: + - secretName: nextcloud-tls + hosts: + - nextcloud.jupiter.mein.nl + labels: {} + path: / + pathType: Prefix + + + # Allow configuration of lifecycle hooks + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + # postStartCommand: [] + # preStopCommand: [] + + nextcloud: + host: nextcloud.jupiter.mein.nl + + ## Use an existing secret + existingSecret: + enabled: true + secretName: nextcloud-secret + # 
usernameKey: username + # passwordKey: password + # tokenKey: serverinfo_token + # smtpUsernameKey: smtp_username + # smtpPasswordKey: smtp_password + update: 0 + # If web server is not binding default port, you can define it + # containerPort: 8080 + datadir: /var/www/html/data + persistence: + subPath: + mail: + enabled: true + fromAddress: jupiter + domain: mein.nl + smtp: + host: mein.nl + secure: ssl + port: 465 + authtype: LOGIN + # PHP Configuration files + # Will be injected in /usr/local/etc/php/conf.d for apache image and in /usr/local/etc/php-fpm.d when nginx.enabled: true + phpConfigs: {} + # Default config files + # IMPORTANT: Will be used only if you put extra configs, otherwise default will come from nextcloud itself + # Default confgurations can be found here: https://github.com/nextcloud/docker/tree/master/16.0/apache/config + defaultConfigs: + # To protect /var/www/html/config + .htaccess: true + # Redis default configuration + redis.config.php: false + # Apache configuration for rewrite urls + apache-pretty-urls.config.php: true + # Define APCu as local cache + apcu.config.php: true + # Apps directory configs + apps.config.php: true + # Used for auto configure database + autoconfig.php: true + # SMTP default configuration + smtp.config.php: true + # Extra config files created in /var/www/html/config/ + # ref: https://docs.nextcloud.com/server/15/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file + configs: + custom.config.php: |- + 'https', + 'overwrite.cli.url' => '__baseUrl__', + 'filelocking.enabled' => 'true', + 'loglevel' => '2', + 'enable_previews' => true, + 'trusted_domains' => array( + 0 => 'localhost', + 1 => '__baseUrl__' + ) + ); + + redis.config.php: |- + '\OC\Memcache\Redis', + 'memcache.locking' => '\OC\Memcache\Redis', + 'redis' => array( + 'host' => getenv('REDIS_HOST'), + 'port' => getenv('REDIS_HOST_PORT') ?: 6379, + 'password' => getenv('REDIS_HOST_PASSWORD') + ) + ); + + # For 
example, to use S3 as primary storage + # ref: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3 + # + # configs: + # s3.config.php: |- + # array( + # 'class' => '\\OC\\Files\\ObjectStore\\S3', + # 'arguments' => array( + # 'bucket' => 'my-bucket', + # 'autocreate' => true, + # 'key' => 'xxx', + # 'secret' => 'xxx', + # 'region' => 'us-east-1', + # 'use_ssl' => true + # ) + # ) + # ); + + ## Strategy used to replace old pods + ## IMPORTANT: use with care, it is suggested to leave as that for upgrade purposes + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + strategy: + type: Recreate + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 1 + # maxUnavailable: 0 + + ## + ## Extra environment variables + extraEnv: + - name: REDIS_HOST + value: redis-master.redis.svc.cluster.local + + # Extra mounts for the pods. Example shown is for connecting a legacy NFS volume + # to NextCloud pods in Kubernetes. This can then be configured in External Storage + extraVolumes: + # - name: nfs + # nfs: + # server: "10.0.0.1" + # path: "/nextcloud_data" + # readOnly: false + extraVolumeMounts: + # - name: nfs + # mountPath: "/legacy_data" + + # Extra secuurityContext parameters. For example you may need to define runAsNonRoot directive + # extraSecurityContext: + # runAsUser: "33" + # runAsGroup: "33" + # runAsNonRoot: true + # readOnlyRootFilesystem: true + + nginx: + ## You need to set an fpm version of the image for nextcloud if you want to use nginx! + enabled: false + image: + repository: nginx + tag: alpine + pullPolicy: IfNotPresent + + config: + # This generates the default nginx config as per the nextcloud documentation + default: true + # custom: |- + # worker_processes 1;.. 
+ + resources: {} + + internalDatabase: + enabled: false + name: nextcloud + + ## + ## External database configuration + ## + externalDatabase: + enabled: true + + ## Supported database engines: mysql or postgresql + type: mysql + + ## Database host + host: mariadb.mariadb.svc.cluster.local + + ## Database name + database: nextcloud + + ## Use a existing secret + existingSecret: + enabled: true + secretName: nextcloud-db + # usernameKey: username + # passwordKey: password + + ## + ## MariaDB chart configuration + ## + mariadb: + ## Whether to deploy a mariadb server to satisfy the applications database requirements. To use an external database set this to false and configure the externalDatabase parameters + enabled: false + + auth: + database: nextcloud + username: nextcloud + password: changeme + + architecture: standalone + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + primary: + persistence: + enabled: false + # storageClass: "" + accessMode: ReadWriteOnce + size: 8Gi + + ## + ## PostgreSQL chart configuration + ## for more options see https://github.com/bitnami/charts/tree/master/bitnami/postgresql + ## + postgresql: + enabled: false + postgresqlUsername: nextcloud + postgresqlPassword: changeme + postgresqlDatabase: nextcloud + persistence: + enabled: false + # storageClass: "" + + ## + ## Redis chart configuration + ## for more options see https://github.com/bitnami/charts/tree/master/bitnami/redis + ## + + redis: + enabled: false + auth: + enabled: true + password: 'changeme' + + ## Cronjob to execute Nextcloud background tasks + ## ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#webcron + ## + cronjob: + enabled: false + # Nexcloud image is used as default but only curl is needed + image: {} + # repository: nextcloud + # tag: 16.0.3-apache + # pullPolicy: IfNotPresent + # pullSecrets: + # - 
myRegistrKeySecretName + # Every 5 minutes + # Note: Setting this to any any other value than 5 minutes might + # cause issues with how nextcloud background jobs are executed + schedule: "* 0 * * *" + annotations: {} + # Set curl's insecure option if you use e.g. self-signed certificates + curlInsecure: false + failedJobsHistoryLimit: 5 + successfulJobsHistoryLimit: 2 + # If not set, nextcloud deployment one will be set + # resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + # If not set, nextcloud deployment one will be set + # nodeSelector: {} + + # If not set, nextcloud deployment one will be set + # tolerations: [] + + # If not set, nextcloud deployment one will be set + # affinity: {} + + service: + type: ClusterIP + port: 8080 + loadBalancerIP: nil + nodePort: nil + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + # Nextcloud Data (/var/www/html) + enabled: true + annotations: {} + ## nextcloud data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
(gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "longhorn" + + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + # existingClaim: + + accessMode: ReadWriteOnce + size: 8Gi + + ## Use an additional pvc for the data directory rather than a subpath of the default PVC + ## Useful to store data on a different storageClass (e.g. on slower disks) + nextcloudData: + enabled: true + subPath: + annotations: {} + storageClass: "longhorn" + # existingClaim: + accessMode: ReadWriteOnce + size: 100Gi + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + ## Liveness and readiness probe values + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + livenessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + successThreshold: 1 + readinessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + successThreshold: 1 + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 30 + successThreshold: 1 + + + ## Enable pod autoscaling using HorizontalPodAutoscaler + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + ## + hpa: + enabled: false + cputhreshold: 60 + minPods: 1 + maxPods: 10 + + nodeSelector: {} + + tolerations: [] + + affinity: {} + + + ## Prometheus Exporter / Metrics + ## + metrics: + enabled: false + + replicaCount: 1 + # The metrics exporter needs to know how you serve Nextcloud either http or https + https: false + # Use API token if set, otherwise fall back to password authentication + # https://github.com/xperimental/nextcloud-exporter#token-authentication + # Currently you still need to set the token manually in your nextcloud install + token: "" + timeout: 5s + + image: + repository: xperimental/nextcloud-exporter + tag: 0.5.0 + pullPolicy: IfNotPresent + + ## Metrics exporter resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + # resources: {} + + ## Metrics exporter pod Annotation and Labels + # podAnnotations: {} + + # podLabels: {} + + service: + type: ClusterIP + ## Use serviceLoadBalancerIP to request a specific static IP, + ## otherwise leave blank + # loadBalancerIP: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9205" + labels: {} + + rbac: + enabled: false + serviceaccount: + 
create: true + name: nextcloud-serviceaccount \ No newline at end of file From f7adecf0cbd3409ce525b2252578a5f18a8efa5b Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 28 Feb 2022 19:05:17 +0000 Subject: [PATCH 138/334] chore(deps): update helm values nextcloud to v23 --- home/nextcloud/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index b5fe551404..9f8da8dbc5 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml @@ -5,7 +5,7 @@ nextcloud: ## image: repository: nextcloud - tag: 22.2.3-fpm-alpine + tag: 23.0.2-fpm-alpine pullPolicy: IfNotPresent # pullSecrets: # - myRegistrKeySecretName From 806e5e26774fd9d1a9b71ae7b3526e672ab987cd Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 1 Mar 2022 08:40:29 +0100 Subject: [PATCH 139/334] temp:disable nextcloud replicas --- home/nextcloud/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index b5fe551404..dd12933c9e 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml @@ -16,7 +16,7 @@ nextcloud: deploymentAnnotations: {} # Number of replicas to be deployed - replicaCount: 1 + replicaCount: 0 ## Allowing use of ingress controllers ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ From 01f24da31d5e847837586464cde4533d3f164ea5 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 1 Mar 2022 08:44:32 +0100 Subject: [PATCH 140/334] temp: enable nextcloud replicas --- home/nextcloud/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index dd12933c9e..b5fe551404 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml 
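Review bot: The mariadb, postgresql and redis sub-chart sections in this new values file carry literal credentials — `password: changeme`, `postgresqlPassword: changeme` and `password: 'changeme'` — which are inert only as long as each block keeps `enabled: false`; flipping one on would ship the placeholder as the live password, and it is in git history either way. The file already uses the Secret pattern for the app and the external database (`existingSecret` with `nextcloud-secret` and `nextcloud-db`), so the same approach, or simply deleting the three literals so a later enablement fails loudly, would be consistent. Two smaller items in the same hunk: `schedule: "* 0 * * *"` runs every minute during hour 0, which contradicts the `# Every 5 minutes` comment and the note below it warning against other intervals, and `loadBalancerIP: nil` / `nodePort: nil` are the YAML strings "nil" rather than null — `~` or leaving the keys unset is safer if the template tests them for emptiness (I cannot see how the upstream template consumes them). The `extraSecurityContext` block with `runAsNonRoot` and `readOnlyRootFilesystem` is left commented out; a one-line comment stating whether that is deliberate for this image would help the next reader.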
@@ -16,7 +16,7 @@ nextcloud: deploymentAnnotations: {} # Number of replicas to be deployed - replicaCount: 0 + replicaCount: 1 ## Allowing use of ingress controllers ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ From 4c796ed2f14babe21d2cb80c8cea12f4368fe23e Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 1 Mar 2022 08:49:06 +0100 Subject: [PATCH 141/334] config: disable custom config for now --- home/nextcloud/values.yaml | 52 +++++++++++++++++++------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index b5fe551404..3e94dcedd1 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml 
@@ -118,31 +118,31 @@ nextcloud: # Extra config files created in /var/www/html/config/ # ref: https://docs.nextcloud.com/server/15/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file configs: - custom.config.php: |- - 'https', - 'overwrite.cli.url' => '__baseUrl__', - 'filelocking.enabled' => 'true', - 'loglevel' => '2', - 'enable_previews' => true, - 'trusted_domains' => array( - 0 => 'localhost', - 1 => '__baseUrl__' - ) - ); - - redis.config.php: |- - '\OC\Memcache\Redis', - 'memcache.locking' => '\OC\Memcache\Redis', - 'redis' => array( - 'host' => getenv('REDIS_HOST'), - 'port' => getenv('REDIS_HOST_PORT') ?: 6379, - 'password' => getenv('REDIS_HOST_PASSWORD') - ) - ); + # custom.config.php: |- + # 'https', + # 'overwrite.cli.url' => '__baseUrl__', + # 'filelocking.enabled' => 'true', + # 'loglevel' => '2', + # 'enable_previews' => true, + # 'trusted_domains' => array( + # 0 => 'localhost', + # 1 => '__baseUrl__' + # ) + # ); + + # redis.config.php: |- + # '\OC\Memcache\Redis', + # 'memcache.locking' => '\OC\Memcache\Redis', + # 'redis' => array( + # 'host' => getenv('REDIS_HOST'), + # 'port' => getenv('REDIS_HOST_PORT') ?: 6379, + # 'password' => getenv('REDIS_HOST_PASSWORD') + # ) + # ); # For example, to use S3 as primary storage # ref: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3 @@ -167,7 +167,7 @@ nextcloud: ## Strategy used to replace old pods ## IMPORTANT: use with care, it is suggested to leave as that for upgrade purposes ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - strategy: + strategy: type: Recreate # type: RollingUpdate # rollingUpdate: From 4d1316b6580fdc19bc24acad4df9efb6c2f9c96d Mon Sep 17 00:00:00 2001 
From: Peter Mein Date: Tue, 1 Mar 2022 08:52:25 +0100 Subject: [PATCH 142/334] config: enable nginx for php-fpm --- home/nextcloud/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index 3e94dcedd1..3433594678 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml @@ -201,7 +201,7 @@ nextcloud: nginx: ## You need to set an fpm version of the image for nextcloud if you want to use nginx! - enabled: false + enabled: true image: repository: nginx tag: alpine From 35109e248a3b212faa8c36ddf0e487b6b75523fa Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 1 Mar 2022 08:55:11 +0100 Subject: [PATCH 143/334] config: enable tls --- home/nextcloud/values.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index 3433594678..26c57f7510 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml @@ -24,10 +24,9 @@ nextcloud: ingress: enabled: true className: nginx - annotations: {} - nginx.ingress.kubernetes.io/proxy-body-size: 4G - # kubernetes.io/tls-acme: "true" - cert-manager.io/cluster-issuer: letsencrypt-prod + annotations: + nginx.ingress.kubernetes.io/proxy-body-size: 4G + cert-manager.io/cluster-issuer: letsencrypt-prod # nginx.ingress.kubernetes.io/server-snippet: |- # server_tokens off; # proxy_hide_header X-Powered-By; From 9ed2d4617c9e62624809b453254b7133abf0c32a Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 1 Mar 2022 09:00:38 +0100 Subject: [PATCH 144/334] config: enable custom config --- home/nextcloud/values.yaml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index 26c57f7510..e5149e4b98 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml 
@@ -103,7 +103,7 @@ nextcloud: # To protect /var/www/html/config .htaccess: true # Redis default configuration - redis.config.php: false + redis.config.php: true # Apache configuration for rewrite urls apache-pretty-urls.config.php: true # Define APCu as local cache @@ -117,19 +117,19 @@ nextcloud: # Extra config files created in /var/www/html/config/ # ref: https://docs.nextcloud.com/server/15/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file configs: - # custom.config.php: |- - # 'https', - # 'overwrite.cli.url' => '__baseUrl__', - # 'filelocking.enabled' => 'true', - # 'loglevel' => '2', - # 'enable_previews' => true, - # 'trusted_domains' => array( - # 0 => 'localhost', - # 1 => '__baseUrl__' - # ) - # ); + custom.config.php: |- + 'https', + 'overwrite.cli.url' => '__baseUrl__', + 'filelocking.enabled' => 'true', + 'loglevel' => '2', + 'enable_previews' => true, + 'trusted_domains' => array( + 0 => 'localhost', + 1 => '__baseUrl__' + ) + ); # redis.config.php: |- # Date: Tue, 1 Mar 2022 09:01:29 +0100 Subject: [PATCH 145/334] config: added nginx conf header --- home/nextcloud/values.yaml | 48 +++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index e5149e4b98..9fd508d86a 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml 
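Review bot: The re-enabled `custom.config.php` quotes some scalars and not others for the same kind of setting: `'filelocking.enabled' => 'true'` and `'loglevel' => '2'` are PHP strings while `'enable_previews' => true` is a boolean, and Nextcloud's config.sample.php lists the first two as a bool and an int. PHP coercion makes the string forms work, but they are reported back as strings by `occ config:system:get`; I'd write `'filelocking.enabled' => true,` and `'loglevel' => 2,`. The `__baseUrl__` placeholder in `overwrite.cli.url` and `trusted_domains` is only meaningful if something rewrites it before the file reaches the pod, which nothing in this hunk shows; a comment naming that step, or the literal ingress host, would make the intent clear.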
@@ -27,30 +27,30 @@ nextcloud: annotations: nginx.ingress.kubernetes.io/proxy-body-size: 4G cert-manager.io/cluster-issuer: letsencrypt-prod - # nginx.ingress.kubernetes.io/server-snippet: |- - # server_tokens off; - # proxy_hide_header X-Powered-By; - - # rewrite ^/.well-known/webfinger /public.php?service=webfinger last; - # rewrite ^/.well-known/host-meta /public.php?service=host-meta last; - # rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json; - # location = /.well-known/carddav { - # return 301 $scheme://$host/remote.php/dav; - # } - # location = /.well-known/caldav { - # return 301 $scheme://$host/remote.php/dav; - # } - # location = /robots.txt { - # allow all; - # log_not_found off; - # access_log off; - # } - # location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { - # deny all; - # } - # location ~ ^/(?:autotest|occ|issue|indie|db_|console) { - # deny all; - # } + nginx.ingress.kubernetes.io/server-snippet: |- + server_tokens off; + proxy_hide_header X-Powered-By; + + rewrite ^/.well-known/webfinger /public.php?service=webfinger last; + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json; + location = /.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + location = /.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { + deny all; + } + location ~ ^/(?:autotest|occ|issue|indie|db_|console) { + deny all; + } tls: - secretName: nextcloud-tls hosts: From b287b7a2203f3671ee7476f6391ad87a2988394f Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 1 Mar 2022 09:12:03 +0100 Subject: [PATCH 146/334] config: update sendgrid --- home/nextcloud/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
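Review bot: The `host-meta.json` rewrite is the only one of the three `.well-known` rewrites without the `last` flag; its siblings and Nextcloud's reference nginx config all end in `last`, so make it `rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;`. The deny rules in the same snippet omit the `\.` alternative that the reference config uses (`location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)`), so hidden files such as `.htaccess` and `.user.ini` are not covered at the ingress layer. Everything in this annotation is also conditional on the ingress-nginx controller allowing snippet annotations (`allow-snippet-annotations`); if that is ever disabled the whole block is dropped without error, which is worth a one-line comment above the annotation.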
diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index 9fd508d86a..512aa31a9a 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml @@ -89,9 +89,9 @@ nextcloud: fromAddress: jupiter domain: mein.nl smtp: - host: mein.nl - secure: ssl - port: 465 + host: smtp.sendgrid.net + secure: tls + port: 587 authtype: LOGIN # PHP Configuration files # Will be injected in /usr/local/etc/php/conf.d for apache image and in /usr/local/etc/php-fpm.d when nginx.enabled: true From c0ef7771242d93e6508d1f50504625a833df31c8 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 1 Mar 2022 09:19:11 +0100 Subject: [PATCH 147/334] fix: sender domain change --- home/nextcloud/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index 512aa31a9a..751329e3c8 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml @@ -86,8 +86,8 @@ nextcloud: subPath: mail: enabled: true - fromAddress: jupiter - domain: mein.nl + fromAddress: nextcloud + domain: jupiter.mein.nl smtp: host: smtp.sendgrid.net secure: tls From e71c8aede7af5f133d8abf424e9f17999ab8454d Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 1 Mar 2022 10:31:28 +0100 Subject: [PATCH 148/334] config: added external url --- home/nextcloud/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index 751329e3c8..a200150e30 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml @@ -25,6 +25,7 @@ nextcloud: enabled: true className: nginx annotations: + external-dns.alpha.kubernetes.io/exclude: 'true' nginx.ingress.kubernetes.io/proxy-body-size: 4G cert-manager.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/server-snippet: |- From 80fd82d9db34d1b66a78ee977cde817e18388315 Mon Sep 17 00:00:00 2001 
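Review bot: `external-dns.alpha.kubernetes.io/exclude: 'true'` in the third hunk is, as far as I know, not an annotation external-dns interprets on its own; it only keeps the host out of public DNS when the external-dns deployment runs with an annotation filter that matches it (e.g. `external-dns.alpha.kubernetes.io/exclude notin (true)`), and that configuration is not visible here. Since the annotation carries an exposure decision, add a comment above it naming the filter it depends on, e.g. `# honoured via external-dns --annotation-filter; without it the host is published`. The same annotation is added to the privatebin and paperless ingresses in later commits and the comment applies there too.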
From: Renovate Bot Date: Thu, 3 Mar 2022 23:54:03 +0000 Subject: [PATCH 149/334] chore(deps): update helm values codercom/code-server to v4 --- home/homeassistant/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 7584064fb8..e242efd66c 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -138,7 +138,7 @@ home-assistant: enabled: true image: repository: codercom/code-server - tag: 3.12.0 + tag: 4.1.0 workingDir: "/config" args: - --auth From 3840d24b2ad789d8d2cda4539f5b094a02a86f08 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Fri, 4 Mar 2022 04:51:57 +0000 Subject: [PATCH 150/334] chore(deps): update all non-major dependencies helm releases --- .tekton/tasks/external.yaml | 2 +- .tekton/tasks/lint.yaml | 2 +- bootstrap/argocd/Chart.yaml | 2 +- home/homeassistant/values.yaml | 2 +- home/influxdb/values.yaml | 4 ++-- home/mariadb/values.yaml | 2 +- home/nextcloud/values.yaml | 2 +- home/pihole/Chart.yaml | 2 +- home/redis/Chart.yaml | 2 +- platform/renovate/Chart.yaml | 2 +- system/descheduler/Chart.yaml | 2 +- 11 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.tekton/tasks/external.yaml b/.tekton/tasks/external.yaml index 3cd71aee69..ed86edcb1f 100644 --- a/.tekton/tasks/external.yaml +++ b/.tekton/tasks/external.yaml @@ -6,7 +6,7 @@ spec: workspaces: - name: source stepTemplate: - image: hashicorp/terraform:1.1.6 + image: hashicorp/terraform:1.1.7 workingDir: /workspace/source/external volumeMounts: - name: terraform-secrets diff --git a/.tekton/tasks/lint.yaml b/.tekton/tasks/lint.yaml index 49f1ddaa38..b003af6ac8 100644 --- a/.tekton/tasks/lint.yaml +++ b/.tekton/tasks/lint.yaml @@ -20,7 +20,7 @@ spec: args: - . - name: terraform - image: hashicorp/terraform:1.1.6 + image: hashicorp/terraform:1.1.7 command: - terraform args: 
diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml index 1210a569f5..04c4c33ef8 100644 --- a/bootstrap/argocd/Chart.yaml +++ b/bootstrap/argocd/Chart.yaml @@ -3,7 +3,7 @@ name: argocd version: 0.0.0 dependencies: - name: argo-cd - version: 3.33.8 + version: 3.35.0 repository: https://argoproj.github.io/argo-helm - name: argocd-applicationset version: 1.11.0 diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 7584064fb8..623896a402 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -3,7 +3,7 @@ home-assistant: # -- image repository repository: homeassistant/home-assistant # -- image tag - tag: 2022.2.9 + tag: 2022.3.1 # -- image pull policy pullPolicy: IfNotPresent diff --git a/home/influxdb/values.yaml b/home/influxdb/values.yaml index d2fe6b3cb5..48458f61e4 100644 --- a/home/influxdb/values.yaml +++ b/home/influxdb/values.yaml @@ -1263,7 +1263,7 @@ influxdb: image: registry: docker.io repository: bitnami/google-cloud-sdk - tag: 0.374.0-debian-10-r0 + tag: 0.375.0-debian-10-r0 ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## @@ -1337,7 +1337,7 @@ influxdb: image: registry: docker.io repository: bitnami/aws-cli - tag: 2.4.19-debian-10-r4 + tag: 2.4.21-debian-10-r4 ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## diff --git a/home/mariadb/values.yaml b/home/mariadb/values.yaml index 8f7ef10ced..3738510dc5 100644 --- a/home/mariadb/values.yaml +++ b/home/mariadb/values.yaml 
@@ -74,7 +74,7 @@ mariadb: image: registry: docker.io repository: bitnami/mariadb - tag: 10.5.15-debian-10-r11 + tag: 10.6.7-debian-10-r11 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index a200150e30..6c8900f6c4 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml @@ -5,7 +5,7 @@ nextcloud: ## image: repository: nextcloud - tag: 22.2.3-fpm-alpine + tag: 22.2.5-fpm-alpine pullPolicy: IfNotPresent # pullSecrets: # - myRegistrKeySecretName diff --git a/home/pihole/Chart.yaml b/home/pihole/Chart.yaml index 8554833d07..3a0aa5ab90 100644 --- a/home/pihole/Chart.yaml +++ b/home/pihole/Chart.yaml @@ -3,5 +3,5 @@ name: pihole version: 0.0.0 dependencies: - name: pihole - version: 2.5.7 + version: 2.5.8 repository: https://mojo2600.github.io/pihole-kubernetes/ \ No newline at end of file diff --git a/home/redis/Chart.yaml b/home/redis/Chart.yaml index 4d5af5eb62..b2d76a4537 100644 --- a/home/redis/Chart.yaml +++ b/home/redis/Chart.yaml @@ -3,5 +3,5 @@ name: redis version: 0.0.0 dependencies: - name: redis - version: 16.4.4 + version: 16.4.5 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/platform/renovate/Chart.yaml b/platform/renovate/Chart.yaml index 403e792d4c..fe110d10d6 100644 --- a/platform/renovate/Chart.yaml +++ b/platform/renovate/Chart.yaml @@ -3,5 +3,5 @@ name: renovate version: 0.0.0 dependencies: - name: renovate - version: 31.94.0 + version: 31.97.3 repository: https://docs.renovatebot.com/helm-charts diff --git a/system/descheduler/Chart.yaml b/system/descheduler/Chart.yaml index 141e287734..866417de25 100644 --- a/system/descheduler/Chart.yaml +++ b/system/descheduler/Chart.yaml 
@@ -3,5 +3,5 @@ name: descheduler version: 0.0.0 dependencies: - name: descheduler - version: 0.23.1 + version: 0.23.2 repository: https://kubernetes-sigs.github.io/descheduler/ From f91bc49338d52a6835b5368d5320fe38f3338386 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Mar 2022 15:51:42 +0100 Subject: [PATCH 151/334] config: bind ipv4 --- home/mariadb/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/mariadb/values.yaml b/home/mariadb/values.yaml index 8f7ef10ced..2ff551ea88 100644 --- a/home/mariadb/values.yaml +++ b/home/mariadb/values.yaml @@ -181,7 +181,7 @@ mariadb: socket=/opt/bitnami/mariadb/tmp/mysql.sock tmpdir=/opt/bitnami/mariadb/tmp max_allowed_packet=16M - bind-address=:: + bind-address=127.0.0.1 pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid log-error=/opt/bitnami/mariadb/logs/mysqld.log character-set-server=UTF8 From 3a392645dc59759403b25a8853b0cdf3c220fdf5 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Mar 2022 15:58:20 +0100 Subject: [PATCH 152/334] config: bind all mysql --- home/mariadb/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/mariadb/values.yaml b/home/mariadb/values.yaml index 82c8d20fd8..f9f5800972 100644 --- a/home/mariadb/values.yaml +++ b/home/mariadb/values.yaml @@ -181,7 +181,7 @@ mariadb: socket=/opt/bitnami/mariadb/tmp/mysql.sock tmpdir=/opt/bitnami/mariadb/tmp max_allowed_packet=16M - bind-address=127.0.0.1 + bind-address=0.0.0.0 pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid log-error=/opt/bitnami/mariadb/logs/mysqld.log character-set-server=UTF8 From b38204a31a11a3fbcbb384d5d97b6876cf17d5cf Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Fri, 4 Mar 2022 20:36:28 +0000 Subject: [PATCH 153/334] chore(deps): update all non-major dependencies helm releases --- apps/paperless/Chart.yaml | 2 +- apps/privatebin/Chart.yaml | 2 +- system/ingress-nginx/Chart.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
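Review bot: `bind-address=0.0.0.0` in the second hunk replaces the dual-stack `::` listener with an IPv4-only one; the commit title gives the what but the file does not record the why, so the next reader is likely to revert it to `::`. Add a line such as `# IPv4 only: <reason, e.g. no IPv6 pod network>` above it. Binding all interfaces is what the Service needs; who can reach the port from other namespaces is then decided by NetworkPolicy, which this file does not show.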
diff --git a/apps/paperless/Chart.yaml b/apps/paperless/Chart.yaml index 469b237e9a..98848a835b 100644 --- a/apps/paperless/Chart.yaml +++ b/apps/paperless/Chart.yaml @@ -3,5 +3,5 @@ name: paperless version: 0.0.0 dependencies: - name: paperless - version: 8.3.0 + version: 8.4.0 repository: https://k8s-at-home.com/charts/ diff --git a/apps/privatebin/Chart.yaml b/apps/privatebin/Chart.yaml index ef11d608d0..edcd0b49cc 100644 --- a/apps/privatebin/Chart.yaml +++ b/apps/privatebin/Chart.yaml @@ -3,5 +3,5 @@ name: privatebin version: 0.0.0 dependencies: - name: privatebin - version: 0.11.0 + version: 0.12.1 repository: https://privatebin.github.io/helm-chart diff --git a/system/ingress-nginx/Chart.yaml b/system/ingress-nginx/Chart.yaml index 4c25a755b6..6f4911d9e8 100644 --- a/system/ingress-nginx/Chart.yaml +++ b/system/ingress-nginx/Chart.yaml @@ -3,5 +3,5 @@ name: ingress-nginx version: 0.0.0 dependencies: - name: ingress-nginx - version: 4.0.17 + version: 4.0.18 repository: https://kubernetes.github.io/ingress-nginx From 881b42b9e8126a16654d8f7f75d94713d28323cf Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 4 Mar 2022 22:28:34 +0100 Subject: [PATCH 154/334] Update values.yaml --- home/nextcloud/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index 8b1f06be4a..928b8fb2fc 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml @@ -293,7 +293,7 @@ nextcloud: ## ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#webcron ## cronjob: - enabled: false + enabled: true # Nexcloud image is used as default but only curl is needed image: {} # repository: nextcloud 
@@ -304,10 +304,10 @@ nextcloud: # Every 5 minutes # Note: Setting this to any any other value than 5 minutes might # cause issues with how nextcloud background jobs are executed - schedule: "* 0 * * *" + schedule: "*/5 * * * *" annotations: {} # Set curl's insecure option if you use e.g. self-signed certificates - curlInsecure: false + curlInsecure: true failedJobsHistoryLimit: 5 successfulJobsHistoryLimit: 2 # If not set, nextcloud deployment one will be set @@ -470,4 +470,4 @@ nextcloud: enabled: false serviceaccount: create: true - name: nextcloud-serviceaccount \ No newline at end of file + name: nextcloud-serviceaccount From ae8d2015ff95c5735e03901ee922543273782c2d Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Fri, 4 Mar 2022 22:32:17 +0000 Subject: [PATCH 155/334] chore(deps): update helm release renovate to v32 --- platform/renovate/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/renovate/Chart.yaml b/platform/renovate/Chart.yaml index fe110d10d6..852d104dc1 100644 --- a/platform/renovate/Chart.yaml +++ b/platform/renovate/Chart.yaml @@ -3,5 +3,5 @@ name: renovate version: 0.0.0 dependencies: - name: renovate - version: 31.97.3 + version: 32.0.1 repository: https://docs.renovatebot.com/helm-charts From 5c1b7eb2e610281e139681652e173326f20f4f64 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 5 Mar 2022 00:04:31 +0100 Subject: [PATCH 156/334] feat: added firefly III --- home/firefly/Chart.yaml | 10 ++ home/firefly/values.yaml | 215 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 225 insertions(+) create mode 100644 home/firefly/Chart.yaml create mode 100644 home/firefly/values.yaml diff --git a/home/firefly/Chart.yaml b/home/firefly/Chart.yaml new file mode 100644 index 0000000000..86c6cc089a --- /dev/null +++ b/home/firefly/Chart.yaml 
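Review bot: `curlInsecure: true` in the first hunk disables certificate verification for the webcron request, while this release's ingress already obtains a Let's Encrypt certificate through `cert-manager.io/cluster-issuer: letsencrypt-prod`, so a request to the public host should verify without it. If the cron job targets an in-cluster URL that has no valid certificate, use plain `http://` to the Service or mount the issuing CA rather than turning verification off; either way a comment should say which URL the job hits, since the chart's own comment reserves this flag for self-signed certificates.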
@@ -0,0 +1,10 @@ +apiVersion: v2 +name: firefly-iii +version: 0.0.0 +dependencies: + - name: firefly-iii + version: 1.2.1 + repository: https://firefly-iii.github.io/kubernetes + - name: importer + version: 1.1.3 + repository: https://firefly-iii.github.io/kubernetes \ No newline at end of file diff --git a/home/firefly/values.yaml b/home/firefly/values.yaml new file mode 100644 index 0000000000..d583bc2db2 --- /dev/null +++ b/home/firefly/values.yaml 
@@ -0,0 +1,215 @@ +firefly-iii: + replicaCount: 1 + + image: + repository: "fireflyiii/core" + pullPolicy: IfNotPresent + tag: version-5.6.14 + + imagePullSecrets: [] + nameOverride: "" + fullnameOverride: "" + + persistence: + # -- If you set this to false, uploaded attachments are not stored persistently and will be lost with every restart of the pod + enabled: true + class: "longhorn" + accessModes: ReadWriteOnce + storage: 1Gi + # -- If you want to use an existing claim, set it here + existingClaim: "" + + # -- Environment variables for Firefly III. See docs at: https://github.com/firefly-iii/firefly-iii/blob/main/.env.example + config: + # -- Set this to the name of a secret to load environment variables from. If defined, values in the secret will override values in config.env + existingSecret: "firefly-iii-secret" + + # -- Directly defined environment variables. Use this for non-secret configuration values. + env: + DB_CONNECTION: mysql + DEFAULT_LANGUAGE: "nl_NL" + DEFAULT_LOCALE: "equal" + TZ: "Europe/Amsterdam" + TRUSTED_PROXIES: "**" + + # -- A cronjob for [recurring Firefly III tasks](https://docs.firefly-iii.org/firefly-iii/advanced-installation/cron/). + cronjob: + # -- Set to true to enable the CronJob. Note that you need to specify either cronjob.auth.existingSecret or cronjob.auth.token for it to actually be deployed. + enabled: true + + # -- Authorization for the CronJob. See https://docs.firefly-iii.org/firefly-iii/advanced-installation/cron/#request-a-page-over-the-web + auth: + # -- The name of a secret containing a data.token field with the cronjob token + existingSecret: "firefly-iii-cron-secret" + + # -- The token in plain text + token: "" + + # -- Annotations for the CronJob + annotations: {} + + # -- When to run the CronJob. Defaults to 03:00 as this is when Firefly III executes regular tasks. 
+ schedule: "0 3 * * *" + + # -- How many pods to keep around for successful jobs + successfulJobsHistoryLimit: 3 + + # -- How many pods to keep around for failed jobs + failedJobsHistoryLimit: 1 + + # -- How to treat failed jobs + restartPolicy: OnFailure + + image: + repository: curlimages/curl + pullPolicy: IfNotPresent + tag: 7.81.0 + + imagePullSecrets: [] + + podAnnotations: {} + + securityContext: {} + + podSecurityContext: {} + + resources: {} + + nodeSelector: {} + + tolerations: [] + + affinity: {} + + podAnnotations: {} + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + service: + type: ClusterIP + port: 80 + + ingress: + enabled: true + className: "nginx" + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + + hosts: + - firefly.jupiter.mein.nl + tls: + - secretName: firefly-tls-certificate + hosts: + - firefly.jupiter.mein.nl + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + nodeSelector: {} + + tolerations: [] + + affinity: {} + +importer: + + replicaCount: 1 + + # -- The proxies that are trusted by the importer + trustedProxies: "**" + + fireflyiii: + # -- The URL at which Firefly III is available. If you change this value, click the "Reauthenticate" button on the importer after opening it! 
+ url: "http://firefly-firefly-iii:80" + + # -- The URL at which you access Firefly III. Check https://docs.firefly-iii.org/data-importer/install/configure/#configure-fidi to find out if you should set this. + vanityUrl: "" + + auth: + # -- If you specify an existingSecret, it has to have the accessToken in a .spec.data.accessToken + existingSecret: "firefly-iii-importer-secret" + + # -- The access token in plain text + accessToken: "" + + image: + repository: fireflyiii/data-importer + pullPolicy: IfNotPresent + tag: "version-0.8.0" + + imagePullSecrets: [] + nameOverride: "" + fullnameOverride: "" + + podAnnotations: {} + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + service: + type: ClusterIP + port: 80 + + ingress: + enabled: false + className: "nginx" + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + + hosts: + - importer.firefly.mein.jupiter.nl + tls: + - secretName: firefly-importer-tls-certificate + hosts: + - importer.firefly.mein.jupiter.nl + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + nodeSelector: {} + + tolerations: [] + + affinity: {} \ No newline at end of file From 6bf7e6945ebc2280d88f1398081da6b0193d6bcf Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 6 Mar 2022 16:36:26 +0000 Subject: [PATCH 157/334] chore(deps): update helm release argo-cd to v3.35.2 --- bootstrap/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
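Review bot: The importer ingress lists `importer.firefly.mein.jupiter.nl` in both `hosts` and `tls.hosts`, which swaps the last two labels of the domain used everywhere else in this repository (`firefly.jupiter.mein.nl`); the ingress is disabled for now, but enabling it would request a certificate for a name outside the zone, so it should read `importer.firefly.jupiter.mein.nl`. `TRUSTED_PROXIES: "**"` and `trustedProxies: "**"` make both apps trust forwarded-for headers from any source, which is only safe if the pods are reachable exclusively through the ingress controller; otherwise narrow them to the controller's addresses. The hardening the chart suggests under both `securityContext` blocks (`runAsNonRoot`, `readOnlyRootFilesystem`, dropping capabilities) is left commented out; enable it or note why it cannot be.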
diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml index 04c4c33ef8..cf1034f7fb 100644 --- a/bootstrap/argocd/Chart.yaml +++ b/bootstrap/argocd/Chart.yaml @@ -3,7 +3,7 @@ name: argocd version: 0.0.0 dependencies: - name: argo-cd - version: 3.35.0 + version: 3.35.2 repository: https://argoproj.github.io/argo-helm - name: argocd-applicationset version: 1.11.0 From 7133923f70b5696bccc47e046b8cc02389b02f87 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 6 Mar 2022 21:35:13 +0100 Subject: [PATCH 158/334] config: renovate limts --- platform/renovate/values.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/platform/renovate/values.yaml b/platform/renovate/values.yaml index 06041bf6f3..ce4bb37801 100644 --- a/platform/renovate/values.yaml +++ b/platform/renovate/values.yaml @@ -3,6 +3,11 @@ renovate: # schedule: '0 9 1 * *' # At 09:00 every month schedule: '*/5 * * * *' # TODO remove after testing suspend: false + concurrencyPolicy: 'Forbid' + failedJobsHistoryLimit: 5 + successfulJobsHistoryLimit: 5 + jobRestartPolicy: Never + jobBackoffLimit: 5 renovate: config: | { @@ -12,6 +17,6 @@ renovate: "token": "7e81319c795c27d16483211cedd81f27058b02c2", "autodiscover": false, "repositories": [ - "ops/homelab" + "petermein/homelab" ] } From 3ea7087463301cff776f0474229e92e2b45598d6 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 7 Mar 2022 09:07:14 +0100 Subject: [PATCH 159/334] disable: renovate --- platform/renovate/{Chart.yaml => Chart.yaml.disabled} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename platform/renovate/{Chart.yaml => Chart.yaml.disabled} (100%) diff --git a/platform/renovate/Chart.yaml b/platform/renovate/Chart.yaml.disabled similarity index 100% rename from platform/renovate/Chart.yaml rename to platform/renovate/Chart.yaml.disabled From 2df2efb88d046b0899992d96cbea064571d5fa3a Mon Sep 17 00:00:00 2001 
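Review bot: The `token` field in `renovate.config` keeps a literal API token in the committed values file; it is a context line here, but the `repositories` change sits directly under it, so this is the commit to move it into a Kubernetes Secret that the chart reads instead of plain YAML, and a token that has been in git history should be treated as exposed and rotated. The new CronJob keys (`concurrencyPolicy: 'Forbid'`, the history limits, `jobRestartPolicy`, `jobBackoffLimit`) are reasonable, but `schedule: '*/5 * * * *' # TODO remove after testing` above them still stands, and with `Forbid` any run that overlaps a slow previous one is skipped silently, which deserves a note if intended.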
From: Peter Mein Date: Mon, 7 Mar 2022 10:31:05 +0100 Subject: [PATCH 160/334] disabled: firefly --- home/firefly/{Chart.yaml => Chart.yaml.disabled} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename home/firefly/{Chart.yaml => Chart.yaml.disabled} (100%) diff --git a/home/firefly/Chart.yaml b/home/firefly/Chart.yaml.disabled similarity index 100% rename from home/firefly/Chart.yaml rename to home/firefly/Chart.yaml.disabled From f7067629b4a70504ff64237ba5df39edec44051b Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 7 Mar 2022 10:45:08 +0100 Subject: [PATCH 161/334] disable: authentik db --- platform/authentik/values.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/platform/authentik/values.yaml b/platform/authentik/values.yaml index 7712f98920..ad33505c85 100644 --- a/platform/authentik/values.yaml +++ b/platform/authentik/values.yaml @@ -19,14 +19,15 @@ authentik: hosts: - *host +#TODO move to shared postgres postgresql: - enabled: true + enabled: false postgresqlPassword: *postgresql_password persistence: enabled: true storageClass: longhorn redis: - enabled: true + enabled: false master: persistence: enabled: true From 10658f2ac0f6c5c267f6e758145d08018bead871 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 7 Mar 2022 13:58:00 +0100 Subject: [PATCH 162/334] config: make privatebin external --- apps/privatebin/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/apps/privatebin/values.yaml b/apps/privatebin/values.yaml index eb1dc3fa2b..11c07c7ea3 100644 --- a/apps/privatebin/values.yaml +++ b/apps/privatebin/values.yaml @@ -4,6 +4,7 @@ privatebin: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod + external-dns.alpha.kubernetes.io/exclude: 'true' hosts: - host: &host privatebin.jupiter.mein.nl paths: From f85b819154ae63e94e0bcb89385d99d212c84551 Mon Sep 17 00:00:00 2001 
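Review bot: With `postgresql.enabled: false` and `redis.enabled: false`, authentik needs an external database and cache configured through the chart's `authentik.postgresql.host` and `authentik.redis.host` (plus credentials), and nothing in this hunk sets them; unless they are set elsewhere in the file, the server and worker pods will fail to start. The remaining `postgresqlPassword: *postgresql_password` and `persistence` keys under the disabled sub-charts are now dead configuration and can go. `#TODO move to shared postgres` should name the target, e.g. `# TODO: point authentik.postgresql.host at the shared postgresql release and drop the bundled sub-chart values`.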
From: Peter Mein Date: Mon, 7 Mar 2022 14:07:24 +0100 Subject: [PATCH 163/334] config: enlarge pvc --- home/homeassistant/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 623896a402..2ddb092a47 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -57,7 +57,7 @@ home-assistant: enabled: true type: pvc accessMode: ReadWriteOnce - size: 1Gi + size: 5Gi storageClass: longhorn # -- Configure a hostPathMount to mount a USB device in the container. From 85c7a7cca1c4a817d237c423bcd541fb0fc5fea7 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 8 Mar 2022 21:09:02 +0100 Subject: [PATCH 164/334] disable: postgres --- home/homeassistant/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 2ddb092a47..6ad91dde4a 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -87,7 +87,7 @@ home-assistant: # For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) # @default -- See values.yaml postgresql: - enabled: true + enabled: false image: repository: bitnami/postgresql tag: 14.2.0 From a89feb74a0a2eed3d292c8f02eab3ea979e8d10d Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 11 Mar 2022 15:26:46 +0100 Subject: [PATCH 165/334] test: increase backup for testing --- system/k8up-operator/schedule.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/system/k8up-operator/schedule.yaml b/system/k8up-operator/schedule.yaml index 244c32e1cc..042842d6a7 100644 --- a/system/k8up-operator/schedule.yaml +++ b/system/k8up-operator/schedule.yaml @@ -6,7 +6,7 @@ spec: backend: s3: endpoint: s3.us-west-002.backblazeb2.com - bucket: khuedoan-homelab-backup + bucket: infratron-homelab accessKeyIDSecretRef: name: backblaze-credentials key: application-key-id 
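Review bot: Raising `size` from `1Gi` to `5Gi` on an already-bound PVC in the first hunk only takes effect if the `longhorn` storage class has `allowVolumeExpansion: true`; otherwise the PVC spec is immutable and the sync reports an error instead of growing the volume. Confirm that on the class before relying on it, and note in a comment that this is an in-place expansion of an existing claim rather than a fresh one.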
@@ -17,7 +17,7 @@ spec: name: backblaze-credentials key: repo-password backup: - schedule: '0 8 * * *' + schedule: '*/5 * * * *' failedJobsHistoryLimit: 2 successfulJobsHistoryLimit: 2 # TODO From bdc83e57f4f09a4e8e2e22c9f71e97dcb2c3ac39 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 14 Mar 2022 08:33:46 +0100 Subject: [PATCH 166/334] config: made paperless external --- apps/paperless/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/apps/paperless/values.yaml b/apps/paperless/values.yaml index 005eca1e99..e4bff97b58 100644 --- a/apps/paperless/values.yaml +++ b/apps/paperless/values.yaml @@ -5,6 +5,7 @@ paperless: ingressClassName: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod + external-dns.alpha.kubernetes.io/exclude: 'true' hosts: - host: &host paperless.jupiter.mein.nl paths: From 550aaf8ec0e05c50b3f37bc72cd3bc8df2f702b5 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 14 Mar 2022 19:46:00 +0000 Subject: [PATCH 167/334] chore(deps): update helm release authentik to v2022 --- platform/authentik/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/authentik/Chart.yaml b/platform/authentik/Chart.yaml index b2cc6b2241..4691ac63bb 100644 --- a/platform/authentik/Chart.yaml +++ b/platform/authentik/Chart.yaml @@ -3,5 +3,5 @@ name: authentik version: 0.0.0 dependencies: - name: authentik - version: 4.0.3 + version: 2022.3.1 repository: https://charts.goauthentik.io From 6f0409971522d08407f9e25a9fc43d1faf3b4ff5 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 16 Mar 2022 09:36:44 +0100 Subject: [PATCH 168/334] config: setting up paperless for bilderdijklaan --- apps/paperless/values.yaml | 56 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 54 insertions(+), 2 deletions(-) diff --git a/apps/paperless/values.yaml b/apps/paperless/values.yaml index e4bff97b58..8e41f73dc4 100644 --- a/apps/paperless/values.yaml +++ b/apps/paperless/values.yaml 
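Review bot: The `*/5 * * * *` backup schedule is labelled as temporary only in the commit title; in a GitOps repository this is what runs until someone reverts it, and each run produces a restic snapshot, so unless a prune/retention section exists further down this Schedule the repository grows fast. Mark it in the file the way the renovate values already do, `schedule: '*/5 * * * *' # TODO revert to '0 8 * * *' after testing`. The bucket rename in the first hunk also switches which repository backups land in; a fresh repository has no history until the first run completes.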
@@ -1,4 +1,58 @@ paperless: + + env: + # -- Project name + COMPOSE_PROJECT_NAME: paperless + # -- Redis to use + PAPERLESS_REDIS: redis.redis + # -- OCR languages to install + PAPERLESS_OCR_LANGUAGE: nld + # USERMAP_UID: 1000 + # USERMAP_GID: 1000 + # PAPERLESS_TIME_ZONE: Europe/London + # -- Database host to use + PAPERLESS_DBHOST: postgresql.postgresql + # -- Port to use + PAPERLESS_PORT: 8000 + + envFrom: + - secretRef: + name: paperless-secret + + persistence: + # -- Configure persistence for data. + # @default -- See values.yaml + data: + enabled: true + mountPath: /usr/src/paperless/data + accessMode: ReadWriteOnce + storageClass: "longhorn" + + # -- Configure persistence for media. + # @default -- See values.yaml + media: + enabled: true + mountPath: /usr/src/paperless/media + accessMode: ReadWriteOnce + storageClass: "longhorn" + + # -- Configure volume to monitor for new documents. + # @default -- See values.yaml + consume: + enabled: true + mountPath: /usr/src/paperless/consume + accessMode: ReadWriteOnce + storageClass: "longhorn" + + # -- Configure export volume. + # @default -- See values.yaml + + export: + enabled: true + mountPath: /usr/src/paperless/export + accessMode: ReadWriteOnce + storageClass: "longhorn" + ingress: main: enabled: true @@ -15,5 +69,3 @@ paperless: - secretName: paperless-tls-certificate hosts: - *host - postgresql: - enabled: true From ca2398591cb76231658464ee6ccc0379d00830c6 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 16 Mar 2022 09:50:53 +0100 Subject: [PATCH 169/334] config: removed postgres from paperless --- apps/paperless/values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apps/paperless/values.yaml b/apps/paperless/values.yaml index 8e41f73dc4..46ed8cc521 100644 --- a/apps/paperless/values.yaml +++ b/apps/paperless/values.yaml @@ -69,3 +69,6 @@ paperless: - secretName: paperless-tls-certificate hosts: - *host + + postgresql: + enabled: false \ No newline at end of file 
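Review bot: All sensitive settings are delegated to `paperless-secret` through `envFrom`, but nothing in the hunk shows that secret carrying `PAPERLESS_SECRET_KEY`; if it is missing, the image falls back to its well-known default Django secret, which makes session cookies forgeable, so confirm both that key and the database password are present in the secret. `PAPERLESS_PORT: 8000` is a bare integer while Kubernetes env values must be strings; unless the chart quotes values for you the render fails, so `PAPERLESS_PORT: "8000"` is the safer form. The `consume` volume is `ReadWriteOnce`, which is fine for a single pod but rules out a scanner sidecar or second workload dropping files into it later, worth noting in its comment. The `ingress:` block at the end of the hunk continues below it.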
From b71662b5025ac1658f3519b5e34ffe1a6fb41af5 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 16 Mar 2022 09:54:18 +0100 Subject: [PATCH 170/334] config: persistence size --- apps/paperless/values.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apps/paperless/values.yaml b/apps/paperless/values.yaml index 46ed8cc521..b62adf2a1e 100644 --- a/apps/paperless/values.yaml +++ b/apps/paperless/values.yaml @@ -27,6 +27,7 @@ paperless: mountPath: /usr/src/paperless/data accessMode: ReadWriteOnce storageClass: "longhorn" + size: 1Gi # -- Configure persistence for media. # @default -- See values.yaml @@ -35,6 +36,7 @@ paperless: mountPath: /usr/src/paperless/media accessMode: ReadWriteOnce storageClass: "longhorn" + size: 1Gi # -- Configure volume to monitor for new documents. # @default -- See values.yaml @@ -43,6 +45,7 @@ paperless: mountPath: /usr/src/paperless/consume accessMode: ReadWriteOnce storageClass: "longhorn" + size: 1Gi # -- Configure export volume. # @default -- See values.yaml @@ -52,6 +55,7 @@ paperless: mountPath: /usr/src/paperless/export accessMode: ReadWriteOnce storageClass: "longhorn" + size: 1Gi ingress: main: From cc9de67dc89885c2545528b85e22d82cd87ee155 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 16 Mar 2022 10:02:05 +0100 Subject: [PATCH 171/334] config: added redis --- apps/paperless/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/paperless/values.yaml b/apps/paperless/values.yaml index b62adf2a1e..24f48c7302 100644 --- a/apps/paperless/values.yaml +++ b/apps/paperless/values.yaml @@ -4,7 +4,7 @@ paperless: # -- Project name COMPOSE_PROJECT_NAME: paperless # -- Redis to use - PAPERLESS_REDIS: redis.redis + PAPERLESS_REDIS: redis://redis.redis:6379 # -- OCR languages to install PAPERLESS_OCR_LANGUAGE: nld # USERMAP_UID: 1000 From 8da867c13b39eaa8f4a42e0a67f73853f1de437e Mon Sep 17 00:00:00 2001 
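Review bot: 1Gi for `media` is small for a volume that holds the original uploads plus the OCR'd archive copies, and growing it later depends on the `longhorn` StorageClass allowing volume expansion, otherwise the PVC spec change is rejected as immutable; sizing it generously up front, or adding `# NOTE: grow requires allowVolumeExpansion on longhorn` next to the value, avoids that surprise. The `data` volume holds the search index and the SQLite/lock files, so the same consideration applies there. Each `persistence.*` map continues past its hunk.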
From: Peter Mein Date: Wed, 16 Mar 2022 10:10:50 +0100 Subject: [PATCH 172/334] config: eng for now untill we can update the image --- apps/paperless/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/paperless/values.yaml b/apps/paperless/values.yaml index 24f48c7302..7adb98e29b 100644 --- a/apps/paperless/values.yaml +++ b/apps/paperless/values.yaml @@ -6,7 +6,8 @@ paperless: # -- Redis to use PAPERLESS_REDIS: redis://redis.redis:6379 # -- OCR languages to install - PAPERLESS_OCR_LANGUAGE: nld + PAPERLESS_OCR_LANGUAGE: eng + PAPERLESS_TIME_ZONE: "Europe/Amsterdam" # USERMAP_UID: 1000 # USERMAP_GID: 1000 # PAPERLESS_TIME_ZONE: Europe/London From aeee15961b8d0ca1e218fe45bfee7c43879be136 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 16 Mar 2022 10:18:52 +0100 Subject: [PATCH 173/334] config: indenting secret --- apps/paperless/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/paperless/values.yaml b/apps/paperless/values.yaml index 7adb98e29b..f5c9705643 100644 --- a/apps/paperless/values.yaml +++ b/apps/paperless/values.yaml @@ -17,8 +17,8 @@ paperless: PAPERLESS_PORT: 8000 envFrom: - - secretRef: - name: paperless-secret + - secretRef: + name: paperless-secret persistence: # -- Configure persistence for data. From 66a9ce9dc5603bac956cab7cabd578216335d8e6 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 16 Mar 2022 10:21:47 +0100 Subject: [PATCH 174/334] config: settigns --- apps/paperless/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apps/paperless/values.yaml b/apps/paperless/values.yaml index f5c9705643..dab48f3b47 100644 --- a/apps/paperless/values.yaml +++ b/apps/paperless/values.yaml @@ -16,9 +16,9 @@ paperless: # -- Port to use PAPERLESS_PORT: 8000 - envFrom: - - secretRef: - name: paperless-secret + envFrom: + - secretRef: + name: paperless-secret persistence: # -- Configure persistence for data. 
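Review bot: Paperless-ng/-ngx distinguishes `PAPERLESS_OCR_LANGUAGE`, the language used for OCR, from `PAPERLESS_OCR_LANGUAGES`, the extra tesseract packs installed at container start, so the workaround named in the subject may be unnecessary: `PAPERLESS_OCR_LANGUAGES: nld` together with `PAPERLESS_OCR_LANGUAGE: nld` should work on the stock image (confirm against the image version in use). The hunk also leaves the stale `# PAPERLESS_TIME_ZONE: Europe/London` directly under the live `PAPERLESS_TIME_ZONE` setting; drop it so the two cannot drift. The `# -- OCR languages to install` comment now describes the wrong variable; `# -- OCR language (tesseract code)` matches what the value does.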
From c03c0466f47b9f7711dd1c98254352dc4bd6929f Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 16 Mar 2022 10:24:00 +0100 Subject: [PATCH 175/334] config: redis url --- apps/paperless/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/paperless/values.yaml b/apps/paperless/values.yaml index dab48f3b47..39dcf59eb8 100644 --- a/apps/paperless/values.yaml +++ b/apps/paperless/values.yaml @@ -4,7 +4,7 @@ paperless: # -- Project name COMPOSE_PROJECT_NAME: paperless # -- Redis to use - PAPERLESS_REDIS: redis://redis.redis:6379 + PAPERLESS_REDIS: redis://redis-master.redis:6379 # -- OCR languages to install PAPERLESS_OCR_LANGUAGE: eng PAPERLESS_TIME_ZONE: "Europe/Amsterdam" From aefbd01b805113f8e93a34c1a4c9a7e17e95027b Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 16 Mar 2022 10:27:55 +0100 Subject: [PATCH 176/334] config: disable redis password --- home/redis/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/redis/values.yaml b/home/redis/values.yaml index 5fbc3e8d87..1b77126958 100644 --- a/home/redis/values.yaml +++ b/home/redis/values.yaml @@ -106,7 +106,7 @@ architecture: replication auth: ## @param auth.enabled Enable password authentication ## - enabled: true + enabled: false ## @param auth.sentinel Enable password authentication on sentinels too ## sentinel: true From a2c3e79f4e0a1ea0e316c51086d99d5b743e7a05 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 16 Mar 2022 10:34:56 +0100 Subject: [PATCH 177/334] config: remove secret ref --- home/redis/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/redis/values.yaml b/home/redis/values.yaml index 1b77126958..8f6ef8a1d3 100644 --- a/home/redis/values.yaml +++ b/home/redis/values.yaml 
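Review bot: Setting `auth.enabled: false` turns the Redis replication set into an unauthenticated service reachable from any pod that can route to `redis-master.redis:6379`; Paperless uses it as its task broker, so a neighbouring workload could read or enqueue jobs. The motivation appears to be that the Paperless URL in the previous commit carries no credentials, which is solvable without dropping auth: keep `enabled: true` and move the full URL into the existing secret, e.g. `PAPERLESS_REDIS: redis://:<password>@redis-master.redis:6379` as a key in `paperless-secret` (already loaded through `envFrom`), instead of the plain-text value in values.yaml. If auth must stay off, at least add a NetworkPolicy restricting ingress to the namespaces that need Redis, and say so in a comment above the line. The `auth:` block continues past the hunk.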
@@ -117,7 +117,7 @@ auth: ## @param auth.existingSecret The name of an existing secret with Redis™ credentials ## NOTE: When it's set, the previous `auth.password` parameter is ignored ## - existingSecret: "redis-secret" + existingSecret: "" ## @param auth.existingSecretPasswordKey Password key to be retrieved from existing secret ## NOTE: ignored unless `auth.existingSecret` parameter is set ## From 0449e95e0f4b1cdbe1562763aa90563b61f7d157 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 16 Mar 2022 10:43:17 +0100 Subject: [PATCH 178/334] config: indent redis --- home/redis/values.yaml | 2761 ++++++++++++++++++++-------------------- 1 file changed, 1381 insertions(+), 1380 deletions(-) diff --git a/home/redis/values.yaml b/home/redis/values.yaml index 8f6ef8a1d3..ecc09b2743 100644 --- a/home/redis/values.yaml +++ b/home/redis/values.yaml 
@@ -1,1485 +1,1486 @@ -## @section Global parameters -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass -## - -## @param global.imageRegistry Global Docker image registry -## @param global.imagePullSecrets Global Docker registry secret names as an array -## @param global.storageClass Global StorageClass for Persistent Volume(s) -## @param global.redis.password Global Redis™ password (overrides `auth.password`) -## -global: - imageRegistry: "" - ## E.g. - ## imagePullSecrets: - ## - myRegistryKeySecretName +redis: + ## @section Global parameters + ## Global Docker image parameters + ## Please, note that this will override the image parameters, including dependencies, configured to use the global value + ## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass ## - imagePullSecrets: [] - storageClass: "" - redis: - password: "" - -## @section Common parameters -## -## @param kubeVersion Override Kubernetes version -## -kubeVersion: "" -## @param nameOverride String to partially override common.names.fullname -## -nameOverride: "" -## @param fullnameOverride String to fully override common.names.fullname -## -fullnameOverride: "" -## @param commonLabels Labels to add to all deployed objects -## -commonLabels: {} -## @param commonAnnotations Annotations to add to all deployed objects -## -commonAnnotations: {} -## @param clusterDomain Kubernetes cluster domain name -## -clusterDomain: cluster.local -## @param extraDeploy Array of extra objects to deploy with the release -## -extraDeploy: [] - -## Enable diagnostic mode in the deployment -## -diagnosticMode: - ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) - ## - enabled: false - ## @param 
diagnosticMode.command Command to override all containers in the deployment + ## @param global.imageRegistry Global Docker image registry + ## @param global.imagePullSecrets Global Docker registry secret names as an array + ## @param global.storageClass Global StorageClass for Persistent Volume(s) + ## @param global.redis.password Global Redis™ password (overrides `auth.password`) ## - command: - - sleep - ## @param diagnosticMode.args Args to override all containers in the deployment - ## - args: - - infinity - -## @section Redis™ Image parameters -## + global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" + redis: + password: "" -## Bitnami Redis™ image -## ref: https://hub.docker.com/r/bitnami/redis/tags/ -## @param image.registry Redis™ image registry -## @param image.repository Redis™ image repository -## @param image.tag Redis™ image tag (immutable tags are recommended) -## @param image.pullPolicy Redis™ image pull policy -## @param image.pullSecrets Redis™ image pull secrets -## @param image.debug Enable image debug mode -## -image: - registry: docker.io - repository: bitnami/redis - tag: 6.2.6-debian-10-r120 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Enable debug mode + ## @section Common parameters ## - debug: false -## @section Redis™ common configuration parameters -## https://github.com/bitnami/bitnami-docker-redis#configuration -## - -## @param architecture Redis™ architecture. 
Allowed values: `standalone` or `replication` -## -architecture: replication -## Redis™ Authentication parameters -## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run -## -auth: - ## @param auth.enabled Enable password authentication - ## - enabled: false - ## @param auth.sentinel Enable password authentication on sentinels too + ## @param kubeVersion Override Kubernetes version ## - sentinel: true - ## @param auth.password Redis™ password - ## Defaults to a random 10-character alphanumeric string if not set + kubeVersion: "" + ## @param nameOverride String to partially override common.names.fullname ## - password: "" - ## @param auth.existingSecret The name of an existing secret with Redis™ credentials - ## NOTE: When it's set, the previous `auth.password` parameter is ignored + nameOverride: "" + ## @param fullnameOverride String to fully override common.names.fullname ## - existingSecret: "" - ## @param auth.existingSecretPasswordKey Password key to be retrieved from existing secret - ## NOTE: ignored unless `auth.existingSecret` parameter is set - ## - existingSecretPasswordKey: "" - ## @param auth.usePasswordFiles Mount credentials as files instead of using an environment variable - ## - usePasswordFiles: false -## @param commonConfiguration [string] Common configuration to be added into the ConfigMap -## ref: https://redis.io/topics/config -## -commonConfiguration: |- - # Enable AOF https://redis.io/topics/persistence#append-only-file - appendonly yes - # Disable RDB persistence, AOF persistence already enabled. 
- save "" -## @param existingConfigmap The name of an existing ConfigMap with your custom configuration for Redis™ nodes -## -existingConfigmap: "" - -## @section Redis™ master configuration parameters -## - -master: - ## @param master.configuration Configuration for Redis™ master nodes - ## ref: https://redis.io/topics/config + fullnameOverride: "" + ## @param commonLabels Labels to add to all deployed objects ## - configuration: "" - ## @param master.disableCommands Array with Redis™ commands to disable on master nodes - ## Commands will be completely disabled by renaming each to an empty string. - ## ref: https://redis.io/topics/security#disabling-of-specific-commands + commonLabels: {} + ## @param commonAnnotations Annotations to add to all deployed objects ## - disableCommands: - - FLUSHDB - - FLUSHALL - ## @param master.command Override default container command (useful when using custom images) + commonAnnotations: {} + ## @param clusterDomain Kubernetes cluster domain name ## - command: [] - ## @param master.args Override default container args (useful when using custom images) + clusterDomain: cluster.local + ## @param extraDeploy Array of extra objects to deploy with the release ## - args: [] - ## @param master.preExecCmds Additional commands to run prior to starting Redis™ master - ## - preExecCmds: [] - ## @param master.extraFlags Array with additional command line flags for Redis™ master - ## e.g: - ## extraFlags: - ## - "--maxmemory-policy volatile-ttl" - ## - "--repl-backlog-size 1024mb" - ## - extraFlags: [] - ## @param master.extraEnvVars Array with extra environment variables to add to Redis™ master nodes - ## e.g: - ## extraEnvVars: - ## - name: FOO - ## value: "bar" - ## - extraEnvVars: [] - ## @param master.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis™ master nodes - ## - extraEnvVarsCM: "" - ## @param master.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis™ master nodes - ## - 
extraEnvVarsSecret: "" - ## @param master.containerPorts.redis Container port to open on Redis™ master nodes - ## - containerPorts: - redis: 6379 - ## Configure extra options for Redis™ containers' liveness and readiness probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes - ## @param master.startupProbe.enabled Enable startupProbe on Redis™ master nodes - ## @param master.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param master.startupProbe.periodSeconds Period seconds for startupProbe - ## @param master.startupProbe.timeoutSeconds Timeout seconds for startupProbe - ## @param master.startupProbe.failureThreshold Failure threshold for startupProbe - ## @param master.startupProbe.successThreshold Success threshold for startupProbe + extraDeploy: [] + + ## Enable diagnostic mode in the deployment ## - startupProbe: + diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## enabled: false - initialDelaySeconds: 20 - periodSeconds: 5 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - ## @param master.livenessProbe.enabled Enable livenessProbe on Redis™ master nodes - ## @param master.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param master.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param master.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param master.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param master.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 20 - periodSeconds: 5 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - ## @param master.readinessProbe.enabled Enable readinessProbe on Redis™ master nodes - ## @param 
master.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param master.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param master.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param master.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param master.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 20 - periodSeconds: 5 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 5 - ## @param master.customStartupProbe Custom startupProbe that overrides the default one - ## - customStartupProbe: {} - ## @param master.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param master.customReadinessProbe Custom readinessProbe that overrides the default one - ## - customReadinessProbe: {} - ## Redis™ master resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param master.resources.limits The resources limits for the Redis™ master containers - ## @param master.resources.requests The requested resources for the Redis™ master containers - ## - resources: - limits: {} - requests: {} - ## Configure Pods Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param master.podSecurityContext.enabled Enabled Redis™ master pods' Security Context - ## @param master.podSecurityContext.fsGroup Set Redis™ master pod's Security Context fsGroup - ## - podSecurityContext: - enabled: true - fsGroup: 1001 - ## Configure Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param master.containerSecurityContext.enabled Enabled Redis™ master containers' Security Context - ## @param 
master.containerSecurityContext.runAsUser Set Redis™ master containers' Security Context runAsUser - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - ## @param master.kind Use either Deployment or StatefulSet (default) - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/ - ## - kind: StatefulSet - ## @param master.schedulerName Alternate scheduler for Redis™ master pods - ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - schedulerName: "" - ## @param master.updateStrategy.type Redis™ master statefulset strategy type - ## @skip master.updateStrategy.rollingUpdate - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - ## - updateStrategy: - ## StrategyType - ## Can be set to RollingUpdate or OnDelete + ## @param diagnosticMode.command Command to override all containers in the deployment ## - type: RollingUpdate - rollingUpdate: {} - ## @param master.priorityClassName Redis™ master pods' priorityClassName - ## - priorityClassName: "" - ## @param master.hostAliases Redis™ master pods host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## @param master.podLabels Extra labels for Redis™ master pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - ## - podLabels: {} - ## @param master.podAnnotations Annotations for Redis™ master pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - podAnnotations: {} - ## @param master.shareProcessNamespace Share a single process namespace between all of the containers in Redis™ master pods - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ - ## - shareProcessNamespace: false - ## @param master.podAffinityPreset Pod affinity preset. Ignored if `master.affinity` is set. 
Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param master.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity + + ## @section Redis™ Image parameters ## - podAntiAffinityPreset: soft - ## Node master.affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + + ## Bitnami Redis™ image + ## ref: https://hub.docker.com/r/bitnami/redis/tags/ + ## @param image.registry Redis™ image registry + ## @param image.repository Redis™ image repository + ## @param image.tag Redis™ image tag (immutable tags are recommended) + ## @param image.pullPolicy Redis™ image pull policy + ## @param image.pullSecrets Redis™ image pull secrets + ## @param image.debug Enable image debug mode ## - nodeAffinityPreset: - ## @param master.nodeAffinityPreset.type Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` + image: + registry: docker.io + repository: bitnami/redis + tag: 6.2.6-debian-10-r120 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName ## - type: "" - ## @param master.nodeAffinityPreset.key Node label key to match. Ignored if `master.affinity` is set + pullSecrets: [] + ## Enable debug mode ## - key: "" - ## @param master.nodeAffinityPreset.values Node label values to match. Ignored if `master.affinity` is set - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param master.affinity Affinity for Redis™ master pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## NOTE: `master.podAffinityPreset`, `master.podAntiAffinityPreset`, and `master.nodeAffinityPreset` will be ignored when it's set - ## - affinity: {} - ## @param master.nodeSelector Node labels for Redis™ master pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param master.tolerations Tolerations for Redis™ master pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## @param master.topologySpreadConstraints Spread Constraints for Redis™ master pod assignment - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## E.g. 
- ## topologySpreadConstraints: - ## - maxSkew: 1 - ## topologyKey: node - ## whenUnsatisfiable: DoNotSchedule - ## - topologySpreadConstraints: {} - ## @param master.lifecycleHooks for the Redis™ master container(s) to automate configuration before or after startup - ## - lifecycleHooks: {} - ## @param master.extraVolumes Optionally specify extra list of additional volumes for the Redis™ master pod(s) - ## - extraVolumes: [] - ## @param master.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ master container(s) - ## - extraVolumeMounts: [] - ## @param master.sidecars Add additional sidecar containers to the Redis™ master pod(s) - ## e.g: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 + debug: false + + ## @section Redis™ common configuration parameters + ## https://github.com/bitnami/bitnami-docker-redis#configuration ## - sidecars: [] - ## @param master.initContainers Add additional init containers to the Redis™ master pod(s) - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - ## e.g: - ## initContainers: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## command: ['sh', '-c', 'echo "hello world"'] + + ## @param architecture Redis™ architecture. 
Allowed values: `standalone` or `replication` ## - initContainers: [] - ## Persistence parameters - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + architecture: replication + ## Redis™ Authentication parameters + ## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run ## - persistence: - ## @param master.persistence.enabled Enable persistence on Redis™ master nodes using Persistent Volume Claims + auth: + ## @param auth.enabled Enable password authentication ## - enabled: true - ## @param master.persistence.medium Provide a medium for `emptyDir` volumes. + enabled: false + ## @param auth.sentinel Enable password authentication on sentinels too ## - medium: "" - ## @param master.persistence.path The path the volume will be mounted at on Redis™ master containers - ## NOTE: Useful when using different Redis™ images + sentinel: true + ## @param auth.password Redis™ password + ## Defaults to a random 10-character alphanumeric string if not set ## - path: /data - ## @param master.persistence.subPath The subdirectory of the volume to mount on Redis™ master containers - ## NOTE: Useful in dev environments + password: "" + ## @param auth.existingSecret The name of an existing secret with Redis™ credentials + ## NOTE: When it's set, the previous `auth.password` parameter is ignored ## - subPath: "" - ## @param master.persistence.storageClass Persistent Volume storage class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner + existingSecret: "" + ## @param auth.existingSecretPasswordKey Password key to be retrieved from existing secret + ## NOTE: ignored unless `auth.existingSecret` parameter is set ## - storageClass: "longhorn" - ## @param master.persistence.accessModes Persistent Volume access modes + existingSecretPasswordKey: "" + ## 
@param auth.usePasswordFiles Mount credentials as files instead of using an environment variable ## - accessModes: - - ReadWriteOnce - ## @param master.persistence.size Persistent Volume size + usePasswordFiles: false + ## @param commonConfiguration [string] Common configuration to be added into the ConfigMap + ## ref: https://redis.io/topics/config + ## + commonConfiguration: |- + # Enable AOF https://redis.io/topics/persistence#append-only-file + appendonly yes + # Disable RDB persistence, AOF persistence already enabled. + save "" + ## @param existingConfigmap The name of an existing ConfigMap with your custom configuration for Redis™ nodes + ## + existingConfigmap: "" + + ## @section Redis™ master configuration parameters + ## + + master: + ## @param master.configuration Configuration for Redis™ master nodes + ## ref: https://redis.io/topics/config ## - size: 8Gi - ## @param master.persistence.annotations Additional custom annotations for the PVC + configuration: "" + ## @param master.disableCommands Array with Redis™ commands to disable on master nodes + ## Commands will be completely disabled by renaming each to an empty string. 
+ ## ref: https://redis.io/topics/security#disabling-of-specific-commands ## - annotations: {} - ## @param master.persistence.selector Additional labels to match for the PVC - ## e.g: - ## selector: - ## matchLabels: - ## app: my-app - ## - selector: {} - ## @param master.persistence.dataSource Custom PVC data source - dataSource: {} - ## @param master.persistence.existingClaim Use a existing PVC which must be created manually before bound - ## NOTE: requires master.persistence.enabled: true - ## - existingClaim: "" - ## Redis™ master service parameters - ## - service: - ## @param master.service.type Redis™ master service type + disableCommands: + - FLUSHDB + - FLUSHALL + ## @param master.command Override default container command (useful when using custom images) ## - type: ClusterIP - ## @param master.service.ports.redis Redis™ master service port + command: [] + ## @param master.args Override default container args (useful when using custom images) ## - ports: - redis: 6379 - ## @param master.service.nodePorts.redis Node port for Redis™ master - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## NOTE: choose port between <30000-32767> + args: [] + ## @param master.preExecCmds Additional commands to run prior to starting Redis™ master ## - nodePorts: - redis: "" - ## @param master.service.externalTrafficPolicy Redis™ master service external traffic policy - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + preExecCmds: [] + ## @param master.extraFlags Array with additional command line flags for Redis™ master + ## e.g: + ## extraFlags: + ## - "--maxmemory-policy volatile-ttl" + ## - "--repl-backlog-size 1024mb" ## - externalTrafficPolicy: Cluster - ## @param master.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + extraFlags: [] + ## @param master.extraEnvVars Array with extra environment variables to add to 
Redis™ master nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" ## - extraPorts: [] - ## @param master.service.clusterIP Redis™ master service Cluster IP + extraEnvVars: [] + ## @param master.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis™ master nodes ## - clusterIP: "" - ## @param master.service.loadBalancerIP Redis™ master service Load Balancer IP - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + extraEnvVarsCM: "" + ## @param master.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis™ master nodes ## - loadBalancerIP: "" - ## @param master.service.loadBalancerSourceRanges Redis™ master service Load Balancer sources - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## e.g. - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 + extraEnvVarsSecret: "" + ## @param master.containerPorts.redis Container port to open on Redis™ master nodes ## - loadBalancerSourceRanges: [] - ## @param master.service.annotations Additional custom annotations for Redis™ master service + containerPorts: + redis: 6379 + ## Configure extra options for Redis™ containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param master.startupProbe.enabled Enable startupProbe on Redis™ master nodes + ## @param master.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param master.startupProbe.periodSeconds Period seconds for startupProbe + ## @param master.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param master.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param master.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 20 + 
periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param master.livenessProbe.enabled Enable livenessProbe on Redis™ master nodes
+ ## @param master.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param master.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param master.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param master.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param master.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param master.readinessProbe.enabled Enable readinessProbe on Redis™ master nodes
+ ## @param master.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param master.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param master.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param master.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param master.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param master.customStartupProbe Custom startupProbe that overrides the default one
+ ##
+ customStartupProbe: {}
+ ## @param master.customLivenessProbe Custom livenessProbe that overrides the default one
+ ##
+ customLivenessProbe: {}
+ ## @param master.customReadinessProbe Custom readinessProbe that overrides the default one
+ ##
+ customReadinessProbe: {}
+ ## Redis™ master resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## @param master.resources.limits The resources limits for the Redis™ master containers
+ ## @param 
master.resources.requests The requested resources for the Redis™ master containers
+ ##
+ resources:
+ limits: {}
+ requests: {}
+ ## Configure Pods Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param master.podSecurityContext.enabled Enabled Redis™ master pods' Security Context
+ ## @param master.podSecurityContext.fsGroup Set Redis™ master pod's Security Context fsGroup
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+ ## Configure Container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param master.containerSecurityContext.enabled Enabled Redis™ master containers' Security Context
+ ## @param master.containerSecurityContext.runAsUser Set Redis™ master containers' Security Context runAsUser
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ ## @param master.kind Use either Deployment or StatefulSet (default)
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
+ ##
+ kind: StatefulSet
+ ## @param master.schedulerName Alternate scheduler for Redis™ master pods
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ schedulerName: ""
+ ## @param master.updateStrategy.type Redis™ master statefulset strategy type
+ ## @skip master.updateStrategy.rollingUpdate
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+ ##
+ updateStrategy:
+ ## StrategyType
+ ## Can be set to RollingUpdate or OnDelete
+ ##
+ type: RollingUpdate
+ rollingUpdate: {}
+ ## @param master.priorityClassName Redis™ master pods' priorityClassName
+ ##
+ priorityClassName: ""
+ ## @param master.hostAliases Redis™ master pods host aliases
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: 
[]
+ ## @param master.podLabels Extra labels for Redis™ master pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param master.podAnnotations Annotations for Redis™ master pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param master.shareProcessNamespace Share a single process namespace between all of the containers in Redis™ master pods
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/
+ ##
+ shareProcessNamespace: false
+ ## @param master.podAffinityPreset Pod affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param master.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## Node master.affinity preset
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+ nodeAffinityPreset:
+ ## @param master.nodeAffinityPreset.type Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param master.nodeAffinityPreset.key Node label key to match. Ignored if `master.affinity` is set
+ ##
+ key: ""
+ ## @param master.nodeAffinityPreset.values Node label values to match. Ignored if `master.affinity` is set
+ ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param master.affinity Affinity for Redis™ master pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `master.podAffinityPreset`, `master.podAntiAffinityPreset`, and `master.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param master.nodeSelector Node labels for Redis™ master pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param master.tolerations Tolerations for Redis™ master pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param master.topologySpreadConstraints Spread Constraints for Redis™ master pod assignment + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## E.g. + ## topologySpreadConstraints: + ## - maxSkew: 1 + ## topologyKey: node + ## whenUnsatisfiable: DoNotSchedule ## - annotations: {} - ## @param master.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-master pods - ## - terminationGracePeriodSeconds: 30 - -## @section Redis™ replicas configuration parameters -## - -replica: - ## @param replica.replicaCount Number of Redis™ replicas to deploy - ## - replicaCount: 3 - ## @param replica.configuration Configuration for Redis™ replicas nodes - ## ref: https://redis.io/topics/config - ## - configuration: "" - ## @param replica.disableCommands Array with Redis™ commands to disable on replicas nodes - ## Commands will be completely disabled by renaming each to an empty string. 
- ## ref: https://redis.io/topics/security#disabling-of-specific-commands - ## - disableCommands: - - FLUSHDB - - FLUSHALL - ## @param replica.command Override default container command (useful when using custom images) - ## - command: [] - ## @param replica.args Override default container args (useful when using custom images) - ## - args: [] - ## @param replica.preExecCmds Additional commands to run prior to starting Redis™ replicas - ## - preExecCmds: [] - ## @param replica.extraFlags Array with additional command line flags for Redis™ replicas - ## e.g: - ## extraFlags: - ## - "--maxmemory-policy volatile-ttl" - ## - "--repl-backlog-size 1024mb" - ## - extraFlags: [] - ## @param replica.extraEnvVars Array with extra environment variables to add to Redis™ replicas nodes - ## e.g: - ## extraEnvVars: - ## - name: FOO - ## value: "bar" - ## - extraEnvVars: [] - ## @param replica.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis™ replicas nodes - ## - extraEnvVarsCM: "" - ## @param replica.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis™ replicas nodes - ## - extraEnvVarsSecret: "" - ## @param replica.externalMaster.enabled Use external master for bootstrapping - ## @param replica.externalMaster.host External master host to bootstrap from - ## @param replica.externalMaster.port Port for Redis service external master host - ## - externalMaster: - enabled: false - host: "" - port: 6379 - ## @param replica.containerPorts.redis Container port to open on Redis™ replicas nodes - ## - containerPorts: - redis: 6379 - ## Configure extra options for Redis™ containers' liveness and readiness probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes - ## @param replica.startupProbe.enabled Enable startupProbe on Redis™ replicas nodes - ## @param replica.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param 
replica.startupProbe.periodSeconds Period seconds for startupProbe
- ## @param replica.startupProbe.timeoutSeconds Timeout seconds for startupProbe
- ## @param replica.startupProbe.failureThreshold Failure threshold for startupProbe
- ## @param replica.startupProbe.successThreshold Success threshold for startupProbe
- ##
- startupProbe:
- enabled: false
- initialDelaySeconds: 20
- periodSeconds: 5
- timeoutSeconds: 5
- successThreshold: 1
- failureThreshold: 5
- ## @param replica.livenessProbe.enabled Enable livenessProbe on Redis™ replicas nodes
- ## @param replica.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
- ## @param replica.livenessProbe.periodSeconds Period seconds for livenessProbe
- ## @param replica.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
- ## @param replica.livenessProbe.failureThreshold Failure threshold for livenessProbe
- ## @param replica.livenessProbe.successThreshold Success threshold for livenessProbe
- ##
- livenessProbe:
- enabled: true
- initialDelaySeconds: 20
- periodSeconds: 5
- timeoutSeconds: 5
- successThreshold: 1
- failureThreshold: 5
- ## @param replica.readinessProbe.enabled Enable readinessProbe on Redis™ replicas nodes
- ## @param replica.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
- ## @param replica.readinessProbe.periodSeconds Period seconds for readinessProbe
- ## @param replica.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
- ## @param replica.readinessProbe.failureThreshold Failure threshold for readinessProbe
- ## @param replica.readinessProbe.successThreshold Success threshold for readinessProbe
- ##
- readinessProbe:
- enabled: true
- initialDelaySeconds: 20
- periodSeconds: 5
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 5
- ## @param replica.customStartupProbe Custom startupProbe that overrides the default one
- ##
- customStartupProbe: {}
- ## @param replica.customLivenessProbe Custom livenessProbe that 
overrides the default one
- ##
- customLivenessProbe: {}
- ## @param replica.customReadinessProbe Custom readinessProbe that overrides the default one
- ##
- customReadinessProbe: {}
- ## Redis™ replicas resource requests and limits
- ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
- ## @param replica.resources.limits The resources limits for the Redis™ replicas containers
- ## @param replica.resources.requests The requested resources for the Redis™ replicas containers
- ##
- resources:
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- limits: {}
- # cpu: 250m
- # memory: 256Mi
- requests: {}
- # cpu: 250m
- # memory: 256Mi
- ## Configure Pods Security Context
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
- ## @param replica.podSecurityContext.enabled Enabled Redis™ replicas pods' Security Context
- ## @param replica.podSecurityContext.fsGroup Set Redis™ replicas pod's Security Context fsGroup
- ##
- podSecurityContext:
- enabled: true
- fsGroup: 1001
- ## Configure Container Security Context
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
- ## @param replica.containerSecurityContext.enabled Enabled Redis™ replicas containers' Security Context
- ## @param replica.containerSecurityContext.runAsUser Set Redis™ replicas containers' Security Context runAsUser
- ##
- containerSecurityContext:
- enabled: true
- runAsUser: 1001
- ## @param replica.schedulerName Alternate scheduler for Redis™ replicas pods
- ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
- ##
- 
schedulerName: "" - ## @param replica.updateStrategy.type Redis™ replicas statefulset strategy type - ## @skip replica.updateStrategy.rollingUpdate - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - ## - updateStrategy: - ## StrategyType - ## Can be set to RollingUpdate or OnDelete + topologySpreadConstraints: {} + ## @param master.lifecycleHooks for the Redis™ master container(s) to automate configuration before or after startup ## - type: RollingUpdate - rollingUpdate: {} - ## @param replica.priorityClassName Redis™ replicas pods' priorityClassName - ## - priorityClassName: "" - ## @param replica.podManagementPolicy podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies - ## - podManagementPolicy: "" - ## @param replica.hostAliases Redis™ replicas pods host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## @param replica.podLabels Extra labels for Redis™ replicas pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - ## - podLabels: {} - ## @param replica.podAnnotations Annotations for Redis™ replicas pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - podAnnotations: {} - ## @param replica.shareProcessNamespace Share a single process namespace between all of the containers in Redis™ replicas pods - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ - ## - shareProcessNamespace: false - ## @param replica.podAffinityPreset Pod affinity preset. Ignored if `replica.affinity` is set. 
Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param replica.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAntiAffinityPreset: soft - ## Node affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## - nodeAffinityPreset: - ## @param replica.nodeAffinityPreset.type Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` + lifecycleHooks: {} + ## @param master.extraVolumes Optionally specify extra list of additional volumes for the Redis™ master pod(s) ## - type: "" - ## @param replica.nodeAffinityPreset.key Node label key to match. Ignored if `replica.affinity` is set + extraVolumes: [] + ## @param master.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ master container(s) ## - key: "" - ## @param replica.nodeAffinityPreset.values Node label values to match. Ignored if `replica.affinity` is set - ## E.g. 
- ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param replica.affinity Affinity for Redis™ replicas pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## NOTE: `replica.podAffinityPreset`, `replica.podAntiAffinityPreset`, and `replica.nodeAffinityPreset` will be ignored when it's set - ## - affinity: {} - ## @param replica.nodeSelector Node labels for Redis™ replicas pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param replica.tolerations Tolerations for Redis™ replicas pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## @param replica.topologySpreadConstraints Spread Constraints for Redis™ replicas pod assignment - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## E.g. - ## topologySpreadConstraints: - ## - maxSkew: 1 - ## topologyKey: node - ## whenUnsatisfiable: DoNotSchedule - ## - topologySpreadConstraints: {} - ## @param replica.lifecycleHooks for the Redis™ replica container(s) to automate configuration before or after startup - ## - lifecycleHooks: {} - ## @param replica.extraVolumes Optionally specify extra list of additional volumes for the Redis™ replicas pod(s) - ## - extraVolumes: [] - ## @param replica.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ replicas container(s) - ## - extraVolumeMounts: [] - ## @param replica.sidecars Add additional sidecar containers to the Redis™ replicas pod(s) - ## e.g: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - ## @param replica.initContainers Add additional init containers to the Redis™ replicas pod(s) - ## ref: 
https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - ## e.g: - ## initContainers: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## command: ['sh', '-c', 'echo "hello world"'] - ## - initContainers: [] - ## Persistence Parameters - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + extraVolumeMounts: [] + ## @param master.sidecars Add additional sidecar containers to the Redis™ master pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param master.initContainers Add additional init containers to the Redis™ master pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + ## Persistence parameters + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param master.persistence.enabled Enable persistence on Redis™ master nodes using Persistent Volume Claims + ## + enabled: true + ## @param master.persistence.medium Provide a medium for `emptyDir` volumes. 
+ ## + medium: "" + ## @param master.persistence.path The path the volume will be mounted at on Redis™ master containers + ## NOTE: Useful when using different Redis™ images + ## + path: /data + ## @param master.persistence.subPath The subdirectory of the volume to mount on Redis™ master containers + ## NOTE: Useful in dev environments + ## + subPath: "" + ## @param master.persistence.storageClass Persistent Volume storage class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner + ## + storageClass: "longhorn" + ## @param master.persistence.accessModes Persistent Volume access modes + ## + accessModes: + - ReadWriteOnce + ## @param master.persistence.size Persistent Volume size + ## + size: 8Gi + ## @param master.persistence.annotations Additional custom annotations for the PVC + ## + annotations: {} + ## @param master.persistence.selector Additional labels to match for the PVC + ## e.g: + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param master.persistence.dataSource Custom PVC data source + dataSource: {} + ## @param master.persistence.existingClaim Use a existing PVC which must be created manually before bound + ## NOTE: requires master.persistence.enabled: true + ## + existingClaim: "" + ## Redis™ master service parameters + ## + service: + ## @param master.service.type Redis™ master service type + ## + type: ClusterIP + ## @param master.service.ports.redis Redis™ master service port + ## + ports: + redis: 6379 + ## @param master.service.nodePorts.redis Node port for Redis™ master + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + redis: "" + ## @param master.service.externalTrafficPolicy Redis™ master service external traffic policy + ## ref: 
https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param master.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param master.service.clusterIP Redis™ master service Cluster IP + ## + clusterIP: "" + ## @param master.service.loadBalancerIP Redis™ master service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param master.service.loadBalancerSourceRanges Redis™ master service Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g. + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param master.service.annotations Additional custom annotations for Redis™ master service + ## + annotations: {} + ## @param master.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-master pods + ## + terminationGracePeriodSeconds: 30 + + ## @section Redis™ replicas configuration parameters ## - persistence: - ## @param replica.persistence.enabled Enable persistence on Redis™ replicas nodes using Persistent Volume Claims - ## - enabled: true - ## @param replica.persistence.medium Provide a medium for `emptyDir` volumes. 
+ + replica: + ## @param replica.replicaCount Number of Redis™ replicas to deploy ## - medium: "" - ## @param replica.persistence.path The path the volume will be mounted at on Redis™ replicas containers - ## NOTE: Useful when using different Redis™ images + replicaCount: 3 + ## @param replica.configuration Configuration for Redis™ replicas nodes + ## ref: https://redis.io/topics/config ## - path: /data - ## @param replica.persistence.subPath The subdirectory of the volume to mount on Redis™ replicas containers - ## NOTE: Useful in dev environments + configuration: "" + ## @param replica.disableCommands Array with Redis™ commands to disable on replicas nodes + ## Commands will be completely disabled by renaming each to an empty string. + ## ref: https://redis.io/topics/security#disabling-of-specific-commands ## - subPath: "" - ## @param replica.persistence.storageClass Persistent Volume storage class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner + disableCommands: + - FLUSHDB + - FLUSHALL + ## @param replica.command Override default container command (useful when using custom images) ## - storageClass: "" - ## @param replica.persistence.accessModes Persistent Volume access modes + command: [] + ## @param replica.args Override default container args (useful when using custom images) ## - accessModes: - - ReadWriteOnce - ## @param replica.persistence.size Persistent Volume size + args: [] + ## @param replica.preExecCmds Additional commands to run prior to starting Redis™ replicas ## - size: 8Gi - ## @param replica.persistence.annotations Additional custom annotations for the PVC + preExecCmds: [] + ## @param replica.extraFlags Array with additional command line flags for Redis™ replicas + ## e.g: + ## extraFlags: + ## - "--maxmemory-policy volatile-ttl" + ## - "--repl-backlog-size 1024mb" 
## - annotations: {} - ## @param replica.persistence.selector Additional labels to match for the PVC + extraFlags: [] + ## @param replica.extraEnvVars Array with extra environment variables to add to Redis™ replicas nodes ## e.g: - ## selector: - ## matchLabels: - ## app: my-app - ## - selector: {} - ## @param replica.persistence.dataSource Custom PVC data source - dataSource: {} - ## Redis™ replicas service parameters - ## - service: - ## @param replica.service.type Redis™ replicas service type + ## extraEnvVars: + ## - name: FOO + ## value: "bar" ## - type: ClusterIP - ## @param replica.service.ports.redis Redis™ replicas service port + extraEnvVars: [] + ## @param replica.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis™ replicas nodes ## - ports: - redis: 6379 - ## @param replica.service.nodePorts.redis Node port for Redis™ replicas - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## NOTE: choose port between <30000-32767> + extraEnvVarsCM: "" + ## @param replica.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis™ replicas nodes ## - nodePorts: - redis: "" - ## @param replica.service.externalTrafficPolicy Redis™ replicas service external traffic policy - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + extraEnvVarsSecret: "" + ## @param replica.externalMaster.enabled Use external master for bootstrapping + ## @param replica.externalMaster.host External master host to bootstrap from + ## @param replica.externalMaster.port Port for Redis service external master host ## - externalTrafficPolicy: Cluster - ## @param replica.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + externalMaster: + enabled: false + host: "" + port: 6379 + ## @param replica.containerPorts.redis Container port to open on Redis™ replicas nodes ## - extraPorts: [] - ## @param 
replica.service.clusterIP Redis™ replicas service Cluster IP
+ containerPorts:
+ redis: 6379
+ ## Configure extra options for Redis™ containers' liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+ ## @param replica.startupProbe.enabled Enable startupProbe on Redis™ replicas nodes
+ ## @param replica.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+ ## @param replica.startupProbe.periodSeconds Period seconds for startupProbe
+ ## @param replica.startupProbe.timeoutSeconds Timeout seconds for startupProbe
+ ## @param replica.startupProbe.failureThreshold Failure threshold for startupProbe
+ ## @param replica.startupProbe.successThreshold Success threshold for startupProbe
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param replica.livenessProbe.enabled Enable livenessProbe on Redis™ replicas nodes
+ ## @param replica.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param replica.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param replica.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param replica.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param replica.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param replica.readinessProbe.enabled Enable readinessProbe on Redis™ replicas nodes
+ ## @param replica.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param replica.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param replica.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param replica.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param replica.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param replica.customStartupProbe Custom startupProbe that overrides the default one
+ ##
+ customStartupProbe: {}
+ ## @param replica.customLivenessProbe Custom livenessProbe that overrides the default one
+ ##
+ customLivenessProbe: {}
+ ## @param replica.customReadinessProbe Custom readinessProbe that overrides the default one
+ ##
+ customReadinessProbe: {}
+ ## Redis™ replicas resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## @param replica.resources.limits The resources limits for the Redis™ replicas containers
+ ## @param replica.resources.requests The requested resources for the Redis™ replicas containers
+ ##
+ resources:
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ limits: {}
+ # cpu: 250m
+ # memory: 256Mi
+ requests: {}
+ # cpu: 250m
+ # memory: 256Mi
+ ## Configure Pods Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param replica.podSecurityContext.enabled Enabled Redis™ replicas pods' Security Context
+ ## @param replica.podSecurityContext.fsGroup Set Redis™ replicas pod's Security Context fsGroup
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+ ## Configure Container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param replica.containerSecurityContext.enabled Enabled Redis™ replicas containers' Security Context
+ ## @param replica.containerSecurityContext.runAsUser Set Redis™ replicas containers' Security Context runAsUser
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ ## @param replica.schedulerName Alternate scheduler for Redis™ replicas pods
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ schedulerName: ""
+ ## @param replica.updateStrategy.type Redis™ replicas statefulset strategy type
+ ## @skip replica.updateStrategy.rollingUpdate
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+ ##
+ updateStrategy:
+ ## StrategyType
+ ## Can be set to RollingUpdate or OnDelete
+ ##
+ type: RollingUpdate
+ rollingUpdate: {}
+ ## @param replica.priorityClassName Redis™ replicas pods' priorityClassName
+ ##
+ priorityClassName: ""
+ ## @param replica.podManagementPolicy podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
+ ##
+ podManagementPolicy: ""
+ ## @param replica.hostAliases Redis™ replicas pods host aliases
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: []
+ ## @param replica.podLabels Extra labels for Redis™ replicas pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param replica.podAnnotations Annotations for Redis™ replicas pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param replica.shareProcessNamespace Share a single process namespace between all of the containers in Redis™ replicas pods
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/
+ ##
+ shareProcessNamespace: false
+ ## @param replica.podAffinityPreset Pod affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param replica.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## Node affinity preset
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+ nodeAffinityPreset:
+ ## @param replica.nodeAffinityPreset.type Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param replica.nodeAffinityPreset.key Node label key to match. Ignored if `replica.affinity` is set
+ ##
+ key: ""
+ ## @param replica.nodeAffinityPreset.values Node label values to match. Ignored if `replica.affinity` is set
+ ## E.g.
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param replica.affinity Affinity for Redis™ replicas pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `replica.podAffinityPreset`, `replica.podAntiAffinityPreset`, and `replica.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param replica.nodeSelector Node labels for Redis™ replicas pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param replica.tolerations Tolerations for Redis™ replicas pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param replica.topologySpreadConstraints Spread Constraints for Redis™ replicas pod assignment + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## E.g. + ## topologySpreadConstraints: + ## - maxSkew: 1 + ## topologyKey: node + ## whenUnsatisfiable: DoNotSchedule ## - clusterIP: "" - ## @param replica.service.loadBalancerIP Redis™ replicas service Load Balancer IP - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + topologySpreadConstraints: {} + ## @param replica.lifecycleHooks for the Redis™ replica container(s) to automate configuration before or after startup ## - loadBalancerIP: "" - ## @param replica.service.loadBalancerSourceRanges Redis™ replicas service Load Balancer sources - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## e.g. 
- ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 + lifecycleHooks: {} + ## @param replica.extraVolumes Optionally specify extra list of additional volumes for the Redis™ replicas pod(s) ## - loadBalancerSourceRanges: [] - ## @param replica.service.annotations Additional custom annotations for Redis™ replicas service + extraVolumes: [] + ## @param replica.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ replicas container(s) ## - annotations: {} - ## @param replica.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-replicas pods - ## - terminationGracePeriodSeconds: 30 - ## Autoscaling configuration + extraVolumeMounts: [] + ## @param replica.sidecars Add additional sidecar containers to the Redis™ replicas pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param replica.initContainers Add additional init containers to the Redis™ replicas pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + ## Persistence Parameters + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param replica.persistence.enabled Enable persistence on Redis™ replicas nodes using Persistent Volume Claims + ## + enabled: true + ## @param replica.persistence.medium Provide a medium for `emptyDir` volumes. 
+ ## + medium: "" + ## @param replica.persistence.path The path the volume will be mounted at on Redis™ replicas containers + ## NOTE: Useful when using different Redis™ images + ## + path: /data + ## @param replica.persistence.subPath The subdirectory of the volume to mount on Redis™ replicas containers + ## NOTE: Useful in dev environments + ## + subPath: "" + ## @param replica.persistence.storageClass Persistent Volume storage class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner + ## + storageClass: "" + ## @param replica.persistence.accessModes Persistent Volume access modes + ## + accessModes: + - ReadWriteOnce + ## @param replica.persistence.size Persistent Volume size + ## + size: 8Gi + ## @param replica.persistence.annotations Additional custom annotations for the PVC + ## + annotations: {} + ## @param replica.persistence.selector Additional labels to match for the PVC + ## e.g: + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param replica.persistence.dataSource Custom PVC data source + dataSource: {} + ## Redis™ replicas service parameters + ## + service: + ## @param replica.service.type Redis™ replicas service type + ## + type: ClusterIP + ## @param replica.service.ports.redis Redis™ replicas service port + ## + ports: + redis: 6379 + ## @param replica.service.nodePorts.redis Node port for Redis™ replicas + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + redis: "" + ## @param replica.service.externalTrafficPolicy Redis™ replicas service external traffic policy + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param 
replica.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param replica.service.clusterIP Redis™ replicas service Cluster IP + ## + clusterIP: "" + ## @param replica.service.loadBalancerIP Redis™ replicas service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param replica.service.loadBalancerSourceRanges Redis™ replicas service Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g. + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param replica.service.annotations Additional custom annotations for Redis™ replicas service + ## + annotations: {} + ## @param replica.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-replicas pods + ## + terminationGracePeriodSeconds: 30 + ## Autoscaling configuration + ## + autoscaling: + ## @param replica.autoscaling.enabled Enable replica autoscaling settings + ## + enabled: false + ## @param replica.autoscaling.minReplicas Minimum replicas for the pod autoscaling + ## + minReplicas: 1 + ## @param replica.autoscaling.maxReplicas Maximum replicas for the pod autoscaling + ## + maxReplicas: 11 + ## @param replica.autoscaling.targetCPU Percentage of CPU to consider when autoscaling + ## + targetCPU: "" + ## @param replica.autoscaling.targetMemory Percentage of Memory to consider when autoscaling + ## + targetMemory: "" + + ## @section Redis™ Sentinel configuration parameters ## - autoscaling: - ## @param replica.autoscaling.enabled Enable replica autoscaling settings + + sentinel: + ## @param sentinel.enabled Use Redis™ Sentinel on Redis™ pods. 
+ ## IMPORTANT: this will disable the master and replicas services and + ## create a single Redis™ service exposing both the Redis and Sentinel ports ## enabled: false - ## @param replica.autoscaling.minReplicas Minimum replicas for the pod autoscaling - ## - minReplicas: 1 - ## @param replica.autoscaling.maxReplicas Maximum replicas for the pod autoscaling - ## - maxReplicas: 11 - ## @param replica.autoscaling.targetCPU Percentage of CPU to consider when autoscaling - ## - targetCPU: "" - ## @param replica.autoscaling.targetMemory Percentage of Memory to consider when autoscaling - ## - targetMemory: "" - -## @section Redis™ Sentinel configuration parameters -## + ## Bitnami Redis™ Sentinel image version + ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/ + ## @param sentinel.image.registry Redis™ Sentinel image registry + ## @param sentinel.image.repository Redis™ Sentinel image repository + ## @param sentinel.image.tag Redis™ Sentinel image tag (immutable tags are recommended) + ## @param sentinel.image.pullPolicy Redis™ Sentinel image pull policy + ## @param sentinel.image.pullSecrets Redis™ Sentinel image pull secrets + ## @param sentinel.image.debug Enable image debug mode + ## + image: + registry: docker.io + repository: bitnami/redis-sentinel + tag: 6.2.6-debian-10-r118 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + ## @param sentinel.masterSet Master set name + ## + masterSet: mymaster + ## @param sentinel.quorum Sentinel Quorum + ## + quorum: 2 + ## @param sentinel.automateClusterRecovery Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. + ## This also prevents any new replica from starting until the last remaining replica is elected as master to guarantee that it is the one to be elected by Sentinel, and not a newly started replica with no data. + ## NOTE: This feature requires a "downAfterMilliseconds" value less or equal to 2000. + ## + automateClusterRecovery: false + ## Sentinel timing restrictions + ## @param sentinel.downAfterMilliseconds Timeout for detecting a Redis™ node is down + ## @param sentinel.failoverTimeout Timeout for performing a election failover + ## + downAfterMilliseconds: 60000 + failoverTimeout: 18000 + ## @param sentinel.parallelSyncs Number of replicas that can be reconfigured in parallel to use the new master after a failover + ## + parallelSyncs: 1 + ## @param sentinel.configuration Configuration for Redis™ Sentinel nodes + ## ref: https://redis.io/topics/sentinel + ## + configuration: "" + ## @param sentinel.command Override default container command (useful when using custom images) + ## + command: [] + ## @param sentinel.args Override default container args (useful when using custom images) + ## + args: [] + ## @param sentinel.preExecCmds Additional commands to run prior to starting Redis™ Sentinel + ## + preExecCmds: [] + ## @param sentinel.extraEnvVars Array with extra environment variables to add to Redis™ Sentinel nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param 
sentinel.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis™ Sentinel nodes
+ ##
+ extraEnvVarsCM: ""
+ ## @param sentinel.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis™ Sentinel nodes
+ ##
+ extraEnvVarsSecret: ""
+ ## @param sentinel.externalMaster.enabled Use external master for bootstrapping
+ ## @param sentinel.externalMaster.host External master host to bootstrap from
+ ## @param sentinel.externalMaster.port Port for Redis service external master host
+ externalMaster:
+ enabled: false
+ host: ""
+ port: 6379
+ ## @param sentinel.containerPorts.sentinel Container port to open on Redis™ Sentinel nodes
+ ##
+ containerPorts:
+ sentinel: 26379
+ ## Configure extra options for Redis™ containers' liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+ ## @param sentinel.startupProbe.enabled Enable startupProbe on Redis™ Sentinel nodes
+ ## @param sentinel.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+ ## @param sentinel.startupProbe.periodSeconds Period seconds for startupProbe
+ ## @param sentinel.startupProbe.timeoutSeconds Timeout seconds for startupProbe
+ ## @param sentinel.startupProbe.failureThreshold Failure threshold for startupProbe
+ ## @param sentinel.startupProbe.successThreshold Success threshold for startupProbe
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param sentinel.livenessProbe.enabled Enable livenessProbe on Redis™ Sentinel nodes
+ ## @param sentinel.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param sentinel.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param sentinel.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param sentinel.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param sentinel.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param sentinel.readinessProbe.enabled Enable readinessProbe on Redis™ Sentinel nodes
+ ## @param sentinel.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param sentinel.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param sentinel.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param sentinel.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param sentinel.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param sentinel.customStartupProbe Custom startupProbe that overrides the default one
+ ##
+ customStartupProbe: {}
+ ## @param sentinel.customLivenessProbe Custom livenessProbe that overrides the default one
+ ##
+ customLivenessProbe: {}
+ ## @param sentinel.customReadinessProbe Custom readinessProbe that overrides the default one
+ ##
+ customReadinessProbe: {}
+ ## Redis™ Sentinel resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## @param sentinel.resources.limits The resources limits for the Redis™ Sentinel containers
+ ## @param sentinel.resources.requests The requested resources for the Redis™ Sentinel containers
+ ##
+ resources:
+ limits: {}
+ requests: {}
+ ## Configure Container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param sentinel.containerSecurityContext.enabled Enabled Redis™ Sentinel containers' Security Context
+ ## @param sentinel.containerSecurityContext.runAsUser Set Redis™ Sentinel containers' Security Context runAsUser
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ ## @param sentinel.lifecycleHooks for the Redis™ sentinel container(s) to automate configuration before or after startup
+ ##
+ lifecycleHooks: {}
+ ## @param sentinel.extraVolumes Optionally specify extra list of additional volumes for the Redis™ Sentinel
+ ##
+ extraVolumes: []
+ ## @param sentinel.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ Sentinel container(s)
+ ##
+ extraVolumeMounts: []
+ ## Redis™ Sentinel service parameters
+ ##
+ service:
+ ## @param sentinel.service.type Redis™ Sentinel service type
+ ##
+ type: ClusterIP
+ ## @param sentinel.service.ports.redis Redis™ service port for Redis™
+ ## @param sentinel.service.ports.sentinel Redis™ service port for Redis™ Sentinel
+ ports:
+ redis: 6379
+ sentinel: 26379
+ ## @param sentinel.service.nodePorts.redis Node port for Redis™
+ ## @param sentinel.service.nodePorts.sentinel Node port for Sentinel
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ## NOTE: choose port between <30000-32767>
+ ## NOTE: By leaving these values blank, they will be generated by ports-configmap
+ ## If setting manually, please leave at least replica.replicaCount + 1 in between sentinel.service.nodePorts.redis and sentinel.service.nodePorts.sentinel to take into account the ports that will be created while incrementing that base port
+ ##
+ nodePorts:
+ redis: ""
+ sentinel: ""
+ ## @param sentinel.service.externalTrafficPolicy Redis™ Sentinel service external traffic policy
+ ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param sentinel.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+ ## @param sentinel.service.clusterIP Redis™ Sentinel
service Cluster IP + ## + clusterIP: "" + ## @param sentinel.service.loadBalancerIP Redis™ Sentinel service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param sentinel.service.loadBalancerSourceRanges Redis™ Sentinel service Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g. + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param sentinel.service.annotations Additional custom annotations for Redis™ Sentinel service + ## + annotations: {} + ## @param sentinel.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-node pods + ## + terminationGracePeriodSeconds: 30 -sentinel: - ## @param sentinel.enabled Use Redis™ Sentinel on Redis™ pods. - ## IMPORTANT: this will disable the master and replicas services and - ## create a single Redis™ service exposing both the Redis and Sentinel ports + ## @section Other Parameters ## - enabled: false - ## Bitnami Redis™ Sentinel image version - ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/ - ## @param sentinel.image.registry Redis™ Sentinel image registry - ## @param sentinel.image.repository Redis™ Sentinel image repository - ## @param sentinel.image.tag Redis™ Sentinel image tag (immutable tags are recommended) - ## @param sentinel.image.pullPolicy Redis™ Sentinel image pull policy - ## @param sentinel.image.pullSecrets Redis™ Sentinel image pull secrets - ## @param sentinel.image.debug Enable image debug mode + + ## Network Policy configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ ## - image: - registry: docker.io - repository: bitnami/redis-sentinel - tag: 6.2.6-debian-10-r118 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 
'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + networkPolicy: + ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName + enabled: false + ## @param networkPolicy.allowExternal Don't require client label for connections + ## When set to false, only pods with the correct client label will have network access to the ports + ## Redis™ is listening on. When true, Redis™ will accept connections from any source + ## (with the correct destination port). ## - pullSecrets: [] - ## Enable debug mode + allowExternal: true + ## @param networkPolicy.extraIngress Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraIngress: [] + ## @param networkPolicy.extraEgress Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## PodSecurityPolicy configuration + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + ## @param 
podSecurityPolicy.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later + ## + create: false + ## @param podSecurityPolicy.enabled Enable PodSecurityPolicy's RBAC rules ## - debug: false - ## @param sentinel.masterSet Master set name - ## - masterSet: mymaster - ## @param sentinel.quorum Sentinel Quorum - ## - quorum: 2 - ## @param sentinel.automateClusterRecovery Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. - ## This also prevents any new replica from starting until the last remaining replica is elected as master to guarantee that it is the one to be elected by Sentinel, and not a newly started replica with no data. - ## NOTE: This feature requires a "downAfterMilliseconds" value less or equal to 2000. - ## - automateClusterRecovery: false - ## Sentinel timing restrictions - ## @param sentinel.downAfterMilliseconds Timeout for detecting a Redis™ node is down - ## @param sentinel.failoverTimeout Timeout for performing a election failover - ## - downAfterMilliseconds: 60000 - failoverTimeout: 18000 - ## @param sentinel.parallelSyncs Number of replicas that can be reconfigured in parallel to use the new master after a failover - ## - parallelSyncs: 1 - ## @param sentinel.configuration Configuration for Redis™ Sentinel nodes - ## ref: https://redis.io/topics/sentinel - ## - configuration: "" - ## @param sentinel.command Override default container command (useful when using custom images) - ## - command: [] - ## @param sentinel.args Override default container args (useful when using custom images) - ## - args: [] - ## @param sentinel.preExecCmds Additional commands to run prior to starting Redis™ Sentinel - ## - preExecCmds: [] - ## @param sentinel.extraEnvVars Array with extra environment variables to add to Redis™ Sentinel nodes - ## e.g: - ## extraEnvVars: - ## - name: FOO - ## 
value: "bar" - ## - extraEnvVars: [] - ## @param sentinel.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis™ Sentinel nodes - ## - extraEnvVarsCM: "" - ## @param sentinel.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis™ Sentinel nodes - ## - extraEnvVarsSecret: "" - ## @param sentinel.externalMaster.enabled Use external master for bootstrapping - ## @param sentinel.externalMaster.host External master host to bootstrap from - ## @param sentinel.externalMaster.port Port for Redis service external master host - externalMaster: - enabled: false - host: "" - port: 6379 - ## @param sentinel.containerPorts.sentinel Container port to open on Redis™ Sentinel nodes - ## - containerPorts: - sentinel: 26379 - ## Configure extra options for Redis™ containers' liveness and readiness probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes - ## @param sentinel.startupProbe.enabled Enable startupProbe on Redis™ Sentinel nodes - ## @param sentinel.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param sentinel.startupProbe.periodSeconds Period seconds for startupProbe - ## @param sentinel.startupProbe.timeoutSeconds Timeout seconds for startupProbe - ## @param sentinel.startupProbe.failureThreshold Failure threshold for startupProbe - ## @param sentinel.startupProbe.successThreshold Success threshold for startupProbe - ## - startupProbe: enabled: false - initialDelaySeconds: 20 - periodSeconds: 5 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - ## @param sentinel.livenessProbe.enabled Enable livenessProbe on Redis™ Sentinel nodes - ## @param sentinel.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param sentinel.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param sentinel.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param 
sentinel.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param sentinel.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 20 - periodSeconds: 5 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - ## @param sentinel.readinessProbe.enabled Enable readinessProbe on Redis™ Sentinel nodes - ## @param sentinel.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param sentinel.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param sentinel.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param sentinel.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param sentinel.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 20 - periodSeconds: 5 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 5 - ## @param sentinel.customStartupProbe Custom startupProbe that overrides the default one - ## - customStartupProbe: {} - ## @param sentinel.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param sentinel.customReadinessProbe Custom readinessProbe that overrides the default one - ## - customReadinessProbe: {} - ## Redis™ Sentinel resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param sentinel.resources.limits The resources limits for the Redis™ Sentinel containers - ## @param sentinel.resources.requests The requested resources for the Redis™ Sentinel containers + ## RBAC configuration ## - resources: - limits: {} - requests: {} - ## Configure Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param sentinel.containerSecurityContext.enabled Enabled Redis™ Sentinel containers' 
Security Context - ## @param sentinel.containerSecurityContext.runAsUser Set Redis™ Sentinel containers' Security Context runAsUser - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - ## @param sentinel.lifecycleHooks for the Redis™ sentinel container(s) to automate configuration before or after startup - ## - lifecycleHooks: {} - ## @param sentinel.extraVolumes Optionally specify extra list of additional volumes for the Redis™ Sentinel - ## - extraVolumes: [] - ## @param sentinel.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ Sentinel container(s) - ## - extraVolumeMounts: [] - ## Redis™ Sentinel service parameters - ## - service: - ## @param sentinel.service.type Redis™ Sentinel service type + rbac: + ## @param rbac.create Specifies whether RBAC resources should be created ## - type: ClusterIP - ## @param sentinel.service.ports.redis Redis™ service port for Redis™ - ## @param sentinel.service.ports.sentinel Redis™ service port for Redis™ Sentinel - ports: - redis: 6379 - sentinel: 26379 - ## @param sentinel.service.nodePorts.redis Node port for Redis™ - ## @param sentinel.service.nodePorts.sentinel Node port for Sentinel - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## NOTE: choose port between <30000-32767> - ## NOTE: By leaving these values blank, they will be generated by ports-configmap - ## If setting manually, please leave at least replica.replicaCount + 1 in between sentinel.service.nodePorts.redis and sentinel.service.nodePorts.sentinel to take into account the ports that will be created while incrementing that base port - ## - nodePorts: - redis: "" - sentinel: "" - ## @param sentinel.service.externalTrafficPolicy Redis™ Sentinel service external traffic policy - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param 
sentinel.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) - ## - extraPorts: [] - ## @param sentinel.service.clusterIP Redis™ Sentinel service Cluster IP - ## - clusterIP: "" - ## @param sentinel.service.loadBalancerIP Redis™ Sentinel service Load Balancer IP - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param sentinel.service.loadBalancerSourceRanges Redis™ Sentinel service Load Balancer sources - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## e.g. - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param sentinel.service.annotations Additional custom annotations for Redis™ Sentinel service - ## - annotations: {} - ## @param sentinel.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-node pods - ## - terminationGracePeriodSeconds: 30 - -## @section Other Parameters -## - -## Network Policy configuration -## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ -## -networkPolicy: - ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources - ## - enabled: false - ## @param networkPolicy.allowExternal Don't require client label for connections - ## When set to false, only pods with the correct client label will have network access to the ports - ## Redis™ is listening on. When true, Redis™ will accept connections from any source - ## (with the correct destination port). 
- ## - allowExternal: true - ## @param networkPolicy.extraIngress Add extra ingress rules to the NetworkPolicy - ## e.g: - ## extraIngress: - ## - ports: - ## - port: 1234 - ## from: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - ## - extraIngress: [] - ## @param networkPolicy.extraEgress Add extra ingress rules to the NetworkPolicy - ## e.g: - ## extraEgress: - ## - ports: - ## - port: 1234 - ## to: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - ## - extraEgress: [] - ## @param networkPolicy.ingressNSMatchLabels Labels to match to allow traffic from other namespaces - ## @param networkPolicy.ingressNSPodMatchLabels Pod labels to match to allow traffic from other namespaces - ## - ingressNSMatchLabels: {} - ingressNSPodMatchLabels: {} -## PodSecurityPolicy configuration -## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -## -podSecurityPolicy: - ## @param podSecurityPolicy.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later - ## - create: false - ## @param podSecurityPolicy.enabled Enable PodSecurityPolicy's RBAC rules - ## - enabled: false -## RBAC configuration -## -rbac: - ## @param rbac.create Specifies whether RBAC resources should be created - ## - create: false - ## @param rbac.rules Custom RBAC rules to set - ## e.g: - ## rules: - ## - apiGroups: - ## - "" - ## resources: - ## - pods - ## verbs: - ## - get - ## - list - ## - rules: [] -## ServiceAccount configuration -## -serviceAccount: - ## @param serviceAccount.create Specifies whether a ServiceAccount should be created - ## - create: true - ## @param serviceAccount.name The name of the ServiceAccount to use. 
- ## If not set and create is true, a name is generated using the common.names.fullname template - ## - name: "" - ## @param serviceAccount.automountServiceAccountToken Whether to auto mount the service account token - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server - ## - automountServiceAccountToken: true - ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount - ## - annotations: {} -## Redis™ Pod Disruption Budget configuration -## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ -## -pdb: - ## @param pdb.create Specifies whether a PodDisruptionBudget should be created - ## - create: false - ## @param pdb.minAvailable Min number of pods that must still be available after the eviction - ## - minAvailable: 1 - ## @param pdb.maxUnavailable Max number of pods that can be unavailable after the eviction - ## - maxUnavailable: "" -## TLS configuration -## -tls: - ## @param tls.enabled Enable TLS traffic - ## - enabled: false - ## @param tls.authClients Require clients to authenticate - ## - authClients: true - ## @param tls.autoGenerated Enable autogenerated certificates - ## - autoGenerated: false - ## @param tls.existingSecret The name of the existing secret that contains the TLS certificates - ## - existingSecret: "" - ## @param tls.certificatesSecret DEPRECATED. Use existingSecret instead. 
- ## - certificatesSecret: "" - ## @param tls.certFilename Certificate filename - ## - certFilename: "" - ## @param tls.certKeyFilename Certificate Key filename - ## - certKeyFilename: "" - ## @param tls.certCAFilename CA Certificate filename - ## - certCAFilename: "" - ## @param tls.dhParamsFilename File containing DH params (in order to support DH based ciphers) - ## - dhParamsFilename: "" - -## @section Metrics Parameters -## - -metrics: - ## @param metrics.enabled Start a sidecar prometheus exporter to expose Redis™ metrics - ## - enabled: false - ## Bitnami Redis™ Exporter image - ## ref: https://hub.docker.com/r/bitnami/redis-exporter/tags/ - ## @param metrics.image.registry Redis™ Exporter image registry - ## @param metrics.image.repository Redis™ Exporter image repository - ## @param metrics.image.tag Redis™ Redis™ Exporter image tag (immutable tags are recommended) - ## @param metrics.image.pullPolicy Redis™ Exporter image pull policy - ## @param metrics.image.pullSecrets Redis™ Exporter image pull secrets - ## - image: - registry: docker.io - repository: bitnami/redis-exporter - tag: 1.35.1-debian-10-r2 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. 
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + create: false + ## @param rbac.rules Custom RBAC rules to set ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list ## - pullSecrets: [] - ## @param metrics.command Override default metrics container init command (useful when using custom images) - ## - command: [] - ## @param metrics.redisTargetHost A way to specify an alternative Redis™ hostname - ## Useful for certificate CN/SAN matching - ## - redisTargetHost: "localhost" - ## @param metrics.extraArgs Extra arguments for Redis™ exporter, for example: - ## e.g.: - ## extraArgs: - ## check-keys: myKey,myOtherKey - ## - extraArgs: {} - ## Configure Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param metrics.containerSecurityContext.enabled Enabled Redis™ exporter containers' Security Context - ## @param metrics.containerSecurityContext.runAsUser Set Redis™ exporter containers' Security Context runAsUser - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - ## @param metrics.extraVolumes Optionally specify extra list of additional volumes for the Redis™ metrics sidecar - ## - extraVolumes: [] - ## @param metrics.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ metrics sidecar - ## - extraVolumeMounts: [] - ## Redis™ exporter resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param metrics.resources.limits The resources limits for the Redis™ exporter container - ## @param metrics.resources.requests The requested resources for the Redis™ exporter container - ## - resources: - limits: {} - requests: {} - ## @param metrics.podLabels Extra labels for Redis™ exporter pods - ## ref: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - ## - podLabels: {} - ## @param metrics.podAnnotations [object] Annotations for Redis™ exporter pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - podAnnotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9121" - ## Redis™ exporter service parameters + rules: [] + ## ServiceAccount configuration ## - service: - ## @param metrics.service.type Redis™ exporter service type + serviceAccount: + ## @param serviceAccount.create Specifies whether a ServiceAccount should be created ## - type: ClusterIP - ## @param metrics.service.port Redis™ exporter service port + create: true + ## @param serviceAccount.name The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the common.names.fullname template ## - port: 9121 - ## @param metrics.service.externalTrafficPolicy Redis™ exporter service external traffic policy - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + name: "" + ## @param serviceAccount.automountServiceAccountToken Whether to auto mount the service account token + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server ## - externalTrafficPolicy: Cluster - ## @param metrics.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + automountServiceAccountToken: true + ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount ## - extraPorts: [] - ## @param metrics.service.loadBalancerIP Redis™ exporter service Load Balancer IP - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + annotations: {} + ## Redis™ Pod Disruption Budget configuration + ## ref: 
https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + ## + pdb: + ## @param pdb.create Specifies whether a PodDisruptionBudget should be created ## - loadBalancerIP: "" - ## @param metrics.service.loadBalancerSourceRanges Redis™ exporter service Load Balancer sources - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## e.g. - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 + create: false + ## @param pdb.minAvailable Min number of pods that must still be available after the eviction ## - loadBalancerSourceRanges: [] - ## @param metrics.service.annotations Additional custom annotations for Redis™ exporter service + minAvailable: 1 + ## @param pdb.maxUnavailable Max number of pods that can be unavailable after the eviction ## - annotations: {} - ## Prometheus Service Monitor - ## ref: https://github.com/coreos/prometheus-operator - ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + maxUnavailable: "" + ## TLS configuration ## - serviceMonitor: - ## @param metrics.serviceMonitor.enabled Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator + tls: + ## @param tls.enabled Enable TLS traffic ## enabled: false - ## @param metrics.serviceMonitor.namespace The namespace in which the ServiceMonitor will be created + ## @param tls.authClients Require clients to authenticate ## - namespace: "" - ## @param metrics.serviceMonitor.interval The interval at which metrics should be scraped + authClients: true + ## @param tls.autoGenerated Enable autogenerated certificates ## - interval: 30s - ## @param metrics.serviceMonitor.scrapeTimeout The timeout after which the scrape is ended + autoGenerated: false + ## @param tls.existingSecret The name of the existing secret that contains the TLS certificates ## - scrapeTimeout: "" - ## @param metrics.serviceMonitor.relabellings Metrics RelabelConfigs to apply to 
samples before scraping. + existingSecret: "" + ## @param tls.certificatesSecret DEPRECATED. Use existingSecret instead. ## - relabellings: [] - ## @param metrics.serviceMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion. + certificatesSecret: "" + ## @param tls.certFilename Certificate filename ## - metricRelabelings: [] - ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint + certFilename: "" + ## @param tls.certKeyFilename Certificate Key filename ## - honorLabels: false - ## @param metrics.serviceMonitor.additionalLabels Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus + certKeyFilename: "" + ## @param tls.certCAFilename CA Certificate filename ## - additionalLabels: {} - ## Custom PrometheusRule to be defined - ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + certCAFilename: "" + ## @param tls.dhParamsFilename File containing DH params (in order to support DH based ciphers) + ## + dhParamsFilename: "" + + ## @section Metrics Parameters ## - prometheusRule: - ## @param metrics.prometheusRule.enabled Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator + + metrics: + ## @param metrics.enabled Start a sidecar prometheus exporter to expose Redis™ metrics ## enabled: false - ## @param metrics.prometheusRule.namespace The namespace in which the prometheusRule will be created - ## - namespace: "" - ## @param metrics.prometheusRule.additionalLabels Additional labels for the prometheusRule - ## - additionalLabels: {} - ## @param metrics.prometheusRule.rules Custom Prometheus rules - ## e.g: - ## rules: - ## - alert: RedisDown - ## expr: redis_up{service="{{ template "common.names.fullname" . 
}}-metrics"} == 0 - ## for: 2m - ## labels: - ## severity: error - ## annotations: - ## summary: Redis™ instance {{ "{{ $labels.instance }}" }} down - ## description: Redis™ instance {{ "{{ $labels.instance }}" }} is down - ## - alert: RedisMemoryHigh - ## expr: > - ## redis_memory_used_bytes{service="{{ template "common.names.fullname" . }}-metrics"} * 100 - ## / - ## redis_memory_max_bytes{service="{{ template "common.names.fullname" . }}-metrics"} - ## > 90 - ## for: 2m - ## labels: - ## severity: error - ## annotations: - ## summary: Redis™ instance {{ "{{ $labels.instance }}" }} is using too much memory - ## description: | - ## Redis™ instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory. - ## - alert: RedisKeyEviction - ## expr: | - ## increase(redis_evicted_keys_total{service="{{ template "common.names.fullname" . }}-metrics"}[5m]) > 0 - ## for: 1s - ## labels: - ## severity: error - ## annotations: - ## summary: Redis™ instance {{ "{{ $labels.instance }}" }} has evicted keys - ## description: | - ## Redis™ instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes. - ## - rules: [] - -## @section Init Container Parameters -## + ## Bitnami Redis™ Exporter image + ## ref: https://hub.docker.com/r/bitnami/redis-exporter/tags/ + ## @param metrics.image.registry Redis™ Exporter image registry + ## @param metrics.image.repository Redis™ Exporter image repository + ## @param metrics.image.tag Redis™ Redis™ Exporter image tag (immutable tags are recommended) + ## @param metrics.image.pullPolicy Redis™ Exporter image pull policy + ## @param metrics.image.pullSecrets Redis™ Exporter image pull secrets + ## + image: + registry: docker.io + repository: bitnami/redis-exporter + tag: 1.35.1-debian-10-r2 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.command Override default metrics container init command (useful when using custom images) + ## + command: [] + ## @param metrics.redisTargetHost A way to specify an alternative Redis™ hostname + ## Useful for certificate CN/SAN matching + ## + redisTargetHost: "localhost" + ## @param metrics.extraArgs Extra arguments for Redis™ exporter, for example: + ## e.g.: + ## extraArgs: + ## check-keys: myKey,myOtherKey + ## + extraArgs: {} + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param metrics.containerSecurityContext.enabled Enabled Redis™ exporter containers' Security Context + ## @param metrics.containerSecurityContext.runAsUser Set Redis™ exporter containers' Security Context runAsUser + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param metrics.extraVolumes Optionally specify extra list of additional volumes for the Redis™ metrics sidecar + ## + extraVolumes: [] + ## @param metrics.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ metrics sidecar + ## + extraVolumeMounts: [] + ## Redis™ exporter resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param metrics.resources.limits The resources limits for the Redis™ exporter container + ## @param metrics.resources.requests The requested resources for the Redis™ exporter container + ## + resources: + limits: {} + requests: {} + ## @param metrics.podLabels Extra labels for Redis™ exporter pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param metrics.podAnnotations [object] Annotations for Redis™ exporter pods + ## ref: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9121" + ## Redis™ exporter service parameters + ## + service: + ## @param metrics.service.type Redis™ exporter service type + ## + type: ClusterIP + ## @param metrics.service.port Redis™ exporter service port + ## + port: 9121 + ## @param metrics.service.externalTrafficPolicy Redis™ exporter service external traffic policy + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param metrics.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param metrics.service.loadBalancerIP Redis™ exporter service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param metrics.service.loadBalancerSourceRanges Redis™ exporter service Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g. 
+ ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param metrics.service.annotations Additional custom annotations for Redis™ exporter service + ## + annotations: {} + ## Prometheus Service Monitor + ## ref: https://github.com/coreos/prometheus-operator + ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace The namespace in which the ServiceMonitor will be created + ## + namespace: "" + ## @param metrics.serviceMonitor.interval The interval at which metrics should be scraped + ## + interval: 30s + ## @param metrics.serviceMonitor.scrapeTimeout The timeout after which the scrape is ended + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.relabellings Metrics RelabelConfigs to apply to samples before scraping. + ## + relabellings: [] + ## @param metrics.serviceMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion. 
+ ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## @param metrics.serviceMonitor.additionalLabels Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus + ## + additionalLabels: {} + ## Custom PrometheusRule to be defined + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param metrics.prometheusRule.namespace The namespace in which the prometheusRule will be created + ## + namespace: "" + ## @param metrics.prometheusRule.additionalLabels Additional labels for the prometheusRule + ## + additionalLabels: {} + ## @param metrics.prometheusRule.rules Custom Prometheus rules + ## e.g: + ## rules: + ## - alert: RedisDown + ## expr: redis_up{service="{{ template "common.names.fullname" . }}-metrics"} == 0 + ## for: 2m + ## labels: + ## severity: error + ## annotations: + ## summary: Redis™ instance {{ "{{ $labels.instance }}" }} down + ## description: Redis™ instance {{ "{{ $labels.instance }}" }} is down + ## - alert: RedisMemoryHigh + ## expr: > + ## redis_memory_used_bytes{service="{{ template "common.names.fullname" . }}-metrics"} * 100 + ## / + ## redis_memory_max_bytes{service="{{ template "common.names.fullname" . }}-metrics"} + ## > 90 + ## for: 2m + ## labels: + ## severity: error + ## annotations: + ## summary: Redis™ instance {{ "{{ $labels.instance }}" }} is using too much memory + ## description: | + ## Redis™ instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory. + ## - alert: RedisKeyEviction + ## expr: | + ## increase(redis_evicted_keys_total{service="{{ template "common.names.fullname" . 
}}-metrics"}[5m]) > 0 + ## for: 1s + ## labels: + ## severity: error + ## annotations: + ## summary: Redis™ instance {{ "{{ $labels.instance }}" }} has evicted keys + ## description: | + ## Redis™ instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes. + ## + rules: [] -## 'volumePermissions' init container parameters -## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values -## based on the *podSecurityContext/*containerSecurityContext parameters -## -volumePermissions: - ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` + ## @section Init Container Parameters ## - enabled: false - ## Bitnami Shell image - ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/ - ## @param volumePermissions.image.registry Bitnami Shell image registry - ## @param volumePermissions.image.repository Bitnami Shell image repository - ## @param volumePermissions.image.tag Bitnami Shell image tag (immutable tags are recommended) - ## @param volumePermissions.image.pullPolicy Bitnami Shell image pull policy - ## @param volumePermissions.image.pullSecrets Bitnami Shell image pull secrets + + ## 'volumePermissions' init container parameters + ## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values + ## based on the *podSecurityContext/*containerSecurityContext parameters ## - image: - registry: docker.io - repository: bitnami/bitnami-shell - tag: 10-debian-10-r329 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. 
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName + volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` ## - pullSecrets: [] - ## Init container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param volumePermissions.resources.limits The resources limits for the init container - ## @param volumePermissions.resources.requests The requested resources for the init container - ## - resources: - limits: {} - requests: {} - ## Init container Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser - ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the - ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` - ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed) - ## - containerSecurityContext: - runAsUser: 0 + enabled: false + ## Bitnami Shell image + ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/ + ## @param volumePermissions.image.registry Bitnami Shell image registry + ## @param volumePermissions.image.repository Bitnami Shell image repository + ## @param volumePermissions.image.tag Bitnami Shell image tag (immutable tags are recommended) + ## @param volumePermissions.image.pullPolicy Bitnami Shell image pull policy + ## @param volumePermissions.image.pullSecrets Bitnami Shell image pull secrets + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 10-debian-10-r329 + pullPolicy: IfNotPresent + ## Optionally specify an array of 
imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container's resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param volumePermissions.resources.limits The resources limits for the init container + ## @param volumePermissions.resources.requests The requested resources for the init container + ## + resources: + limits: {} + requests: {} + ## Init container Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser + ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the + ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed) + ## + containerSecurityContext: + runAsUser: 0 -## init-sysctl container parameters -## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings) -## -sysctl: - ## @param sysctl.enabled Enable init container to modify Kernel settings + ## init-sysctl container parameters + ## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings) ## - enabled: false - ## Bitnami Shell image - ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/ - ## @param sysctl.image.registry Bitnami Shell image registry - ## @param sysctl.image.repository Bitnami Shell image repository - ## @param sysctl.image.tag Bitnami Shell image tag (immutable tags are recommended) - ## @param sysctl.image.pullPolicy Bitnami Shell image pull policy - ## 
@param sysctl.image.pullSecrets Bitnami Shell image pull secrets - ## - image: - registry: docker.io - repository: bitnami/bitnami-shell - tag: 10-debian-10-r329 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName + sysctl: + ## @param sysctl.enabled Enable init container to modify Kernel settings ## - pullSecrets: [] - ## @param sysctl.command Override default init-sysctl container command (useful when using custom images) - ## - command: [] - ## @param sysctl.mountHostSys Mount the host `/sys` folder to `/host-sys` + enabled: false + ## Bitnami Shell image + ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/ + ## @param sysctl.image.registry Bitnami Shell image registry + ## @param sysctl.image.repository Bitnami Shell image repository + ## @param sysctl.image.tag Bitnami Shell image tag (immutable tags are recommended) + ## @param sysctl.image.pullPolicy Bitnami Shell image pull policy + ## @param sysctl.image.pullSecrets Bitnami Shell image pull secrets + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 10-debian-10-r329 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param sysctl.command Override default init-sysctl container command (useful when using custom images) + ## + command: [] + ## @param sysctl.mountHostSys Mount the host `/sys` folder to `/host-sys` + ## + mountHostSys: false + ## Init container's resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param sysctl.resources.limits The resources limits for the init container + ## @param sysctl.resources.requests The requested resources for the init container + ## + resources: + limits: {} + requests: {} + + ## @section useExternalDNS Parameters ## - mountHostSys: false - ## Init container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param sysctl.resources.limits The resources limits for the init container - ## @param sysctl.resources.requests The requested resources for the init container + ## @param useExternalDNS.enabled Enable various syntax that would enable external-dns to work. Note this requires a working installation of `external-dns` to be usable. + ## @param useExternalDNS.additionalAnnotations Extra annotations to be utilized when `external-dns` is enabled. + ## @param useExternalDNS.annotationKey The annotation key utilized when `external-dns` is enabled. + ## @param useExternalDNS.suffix The DNS suffix utilized when `external-dns` is enabled. Note that we prepend the suffix with the full name of the release. ## - resources: - limits: {} - requests: {} - -## @section useExternalDNS Parameters -## -## @param useExternalDNS.enabled Enable various syntax that would enable external-dns to work. Note this requires a working installation of `external-dns` to be usable. 
-## @param useExternalDNS.additionalAnnotations Extra annotations to be utilized when `external-dns` is enabled. -## @param useExternalDNS.annotationKey The annotation key utilized when `external-dns` is enabled. -## @param useExternalDNS.suffix The DNS suffix utilized when `external-dns` is enabled. Note that we prepend the suffix with the full name of the release. -## -useExternalDNS: - enabled: false - suffix: "" - annotationKey: external-dns.alpha.kubernetes.io/ - additionalAnnotations: {} \ No newline at end of file + useExternalDNS: + enabled: false + suffix: "" + annotationKey: external-dns.alpha.kubernetes.io/ + additionalAnnotations: {} \ No newline at end of file From 56343eb492b23c05ef855a089229725fde887be0 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 16 Mar 2022 11:00:06 +0100 Subject: [PATCH 179/334] config: added write many to serve ftp --- apps/paperless/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/paperless/values.yaml b/apps/paperless/values.yaml index 39dcf59eb8..649abe9fbe 100644 --- a/apps/paperless/values.yaml +++ b/apps/paperless/values.yaml @@ -44,7 +44,7 @@ paperless: consume: enabled: true mountPath: /usr/src/paperless/consume - accessMode: ReadWriteOnce + accessMode: ReadWriteMany storageClass: "longhorn" size: 1Gi From 8155dfd7e25c5972ea7319140d4ecb9acf6c1f25 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 16 Mar 2022 19:42:59 +0100 Subject: [PATCH 180/334] feat: added sftp to paperless --- apps/paperless/Chart.yaml | 3 ++ apps/paperless/values.yaml | 67 +++++++++++++++++++++++++++++++++++++- 2 files changed, 69 insertions(+), 1 deletion(-) diff --git a/apps/paperless/Chart.yaml b/apps/paperless/Chart.yaml index 98848a835b..b91adb1135 100644 --- a/apps/paperless/Chart.yaml +++ b/apps/paperless/Chart.yaml 
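Review bot: The `accessMode: ReadWriteMany` change on the `consume` volume will not take effect on an already-provisioned claim, because a PersistentVolumeClaim's `spec.accessModes` is immutable after creation; Argo CD will keep reporting that PVC as out of sync until it is deleted and recreated, so the existing consume data has to be copied off first. On Longhorn an RWX volume is served through its share-manager rather than as a plain block mount, so it is worth confirming the nodes meet the NFS client prerequisites before the claim is recreated. A short comment above the key would capture the intent and the operational caveat, e.g. `# RWX so a second workload (FTP drop) can write to consume; PVC must be recreated when this changes`.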
@@ -5,3 +5,6 @@ dependencies: - name: paperless version: 8.4.0 repository: https://k8s-at-home.com/charts/ + - name: sftp + version: 5.1.5 + repository: https://emberstack.github.io/helm-charts diff --git a/apps/paperless/values.yaml b/apps/paperless/values.yaml index 649abe9fbe..6a7d97587e 100644 --- a/apps/paperless/values.yaml +++ b/apps/paperless/values.yaml @@ -76,4 +76,69 @@ paperless: - *host postgresql: - enabled: false \ No newline at end of file + enabled: false + + sftp: + # Default values for sftp. + # This is a YAML-formatted file. + # Declare variables to be passed into your templates. + + replicaCount: 1 + + image: + repository: emberstack/sftp + tag: "" + pullPolicy: Always + + imagePullSecrets: [] + nameOverride: "" + fullnameOverride: "" + + configuration: null + + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + storage: + volumeMounts: [] + volumes: [] + + initContainers: [] + + service: + type: ClusterIP + port: 22 + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + nodeSelector: {} + + tolerations: [] + + affinity: {} \ No newline at end of file 
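Review bot: The new `sftp:` map is indented under `paperless:`, so Helm hands it to the paperless subchart as an unknown key and the `sftp` dependency added in Chart.yaml only receives its own defaults; values for a dependency must sit at the top level under the dependency's name, which is exactly the re-indentation PATCH 182 later performs for the crushftp block that replaces this one. Separately, the container `securityContext: {}` leaves `readOnlyRootFilesystem`, `runAsNonRoot` and the `drop: [ALL]` capability list commented out for a service listening on port 22, and `tag: ""` with `pullPolicy: Always` re-pulls an unpinned image on every start; enabling the commented hardening block and pinning the tag is the sensible default. `configuration: null` also declares no users, so as written the server would start without any account to accept uploads. The blank `name:` under `serviceAccount` renders as a YAML null; the following commit changes it to `""`, which is what the chart's `fullname` fallback expects.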
From acfbfac6477404830d31ebdfc26bd54d324796c3 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Thu, 17 Mar 2022 08:34:50 +0100 Subject: [PATCH 181/334] feat: moved to crushftp --- apps/paperless/Chart.yaml | 6 ++-- apps/paperless/values.yaml | 74 +++++++++++++++++++++++++++++++------- 2 files changed, 64 insertions(+), 16 deletions(-) diff --git a/apps/paperless/Chart.yaml b/apps/paperless/Chart.yaml index b91adb1135..3e7bfbe67e 100644 --- a/apps/paperless/Chart.yaml +++ b/apps/paperless/Chart.yaml @@ -5,6 +5,6 @@ dependencies: - name: paperless version: 8.4.0 repository: https://k8s-at-home.com/charts/ - - name: sftp - version: 5.1.5 - repository: https://emberstack.github.io/helm-charts + - name: crushftp + version: 1.0.2 + repository: https://greggbjensen.github.io/helm-crushftp diff --git a/apps/paperless/values.yaml b/apps/paperless/values.yaml index 6a7d97587e..28ca15654a 100644 --- a/apps/paperless/values.yaml +++ b/apps/paperless/values.yaml 
@@ -78,24 +78,52 @@ paperless: postgresql: enabled: false - sftp: - # Default values for sftp. + crushftp: + + # Default values for crushftp. + + # Project specific + admin: + username: crushadmin + password: 'password' + protocol: http + port: 8080 + + tls: + secretName: crushftp-tls + volumes: + - name: paperless-consume + claimName: paperless-consume + mountPath: /mnt/FTP/Shared/scan + configVolume: + size: 1Gi + loadBalancerIp: 127.0.0.1 + + # Shared + shared: + hosts: + crushFtp: + root: scan.ftp.jupiter.mein.nl + prefix: ftp + ingress: + clusterIssuer: 'letsencrypt-prod' + storageClassName: default + # This is a YAML-formatted file. # Declare variables to be passed into your templates. replicaCount: 1 image: - repository: emberstack/sftp + repository: greggbjensen/crushftp + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. tag: "" - pullPolicy: Always imagePullSecrets: [] nameOverride: "" fullnameOverride: "" - configuration: null - serviceAccount: # Specifies whether a service account should be created create: true @@ -103,7 +131,9 @@ paperless: annotations: {} # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template - name: + name: "" + + podAnnotations: {} podSecurityContext: {} # fsGroup: 2000 @@ -115,15 +145,26 @@ paperless: # readOnlyRootFilesystem: true # runAsNonRoot: true # runAsUser: 1000 - storage: - volumeMounts: [] - volumes: [] - - initContainers: [] service: type: ClusterIP - port: 22 + port: 80 + + ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: ftp.jupiter.mein.nl + paths: + - path: / + pathType: ImplementationSpecific + tls: + - secretName: crushftp-tls + hosts: + - ftp.jupiter.mein.nl resources: {} # We usually recommend not to specify default resources and to leave this as a conscious 
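Review bot: `password: 'password'` under `crushftp.admin` checks a default admin credential for the FTP endpoint into the GitOps repository, where it stays in history even after it is rotated; it should be supplied from a Kubernetes Secret (if the chart can reference one) or from the repo's `platform/vault` secret generation visible in the diffstat, with the values file keeping only a placeholder such as `password: '<set-via-secret>'`. The admin interface is also configured with `protocol: http` on port 8080, so that credential would travel in clear text on whatever path reaches it; the hunk does not show how the port is exposed, so this may be cluster-internal only. The whole `crushftp:` block is still indented under `paperless:` here, so the subchart does not see it until PATCH 182 (`config: indent`) moves it to the top level, and that re-indent carries the literal password along unchanged. `loadBalancerIp: 127.0.0.1` looks like a loopback placeholder rather than a routable address; confirm it before the chart renders a LoadBalancer service with it.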
@@ -137,6 +178,13 @@ paperless: # cpu: 100m # memory: 128Mi + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 1 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + nodeSelector: {} tolerations: [] From c11cc9b88e144e9c3e929c5b80adabd10e0dbf09 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Thu, 17 Mar 2022 08:47:10 +0100 Subject: [PATCH 182/334] config: indent --- apps/paperless/values.yaml | 214 ++++++++++++++++++------------------- 1 file changed, 107 insertions(+), 107 deletions(-) diff --git a/apps/paperless/values.yaml b/apps/paperless/values.yaml index 28ca15654a..233c02b588 100644 --- a/apps/paperless/values.yaml +++ b/apps/paperless/values.yaml 
@@ -78,115 +78,115 @@ paperless: postgresql: enabled: false - crushftp: +crushftp: - # Default values for crushftp. - - # Project specific - admin: - username: crushadmin - password: 'password' - protocol: http - port: 8080 + # Default values for crushftp. + + # Project specific + admin: + username: crushadmin + password: 'password' + protocol: http + port: 8080 + + tls: + secretName: crushftp-tls + volumes: + - name: paperless-consume + claimName: paperless-consume + mountPath: /mnt/FTP/Shared/scan + configVolume: + size: 1Gi + loadBalancerIp: 127.0.0.1 + + # Shared + shared: + hosts: + crushFtp: + root: scan.ftp.jupiter.mein.nl + prefix: ftp + ingress: + clusterIssuer: 'letsencrypt-prod' + storageClassName: default + + # This is a YAML-formatted file. + # Declare variables to be passed into your templates. + + replicaCount: 1 + + image: + repository: greggbjensen/crushftp + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + + imagePullSecrets: [] + nameOverride: "" + fullnameOverride: "" + + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "" + + podAnnotations: {} + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + service: + type: ClusterIP + port: 80 + ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: ftp.jupiter.mein.nl + paths: + - path: / + pathType: ImplementationSpecific tls: - secretName: crushftp-tls - volumes: - - name: paperless-consume - claimName: paperless-consume - mountPath: /mnt/FTP/Shared/scan - configVolume: - size: 1Gi - loadBalancerIp: 127.0.0.1 + - secretName: crushftp-tls + hosts: + - ftp.jupiter.mein.nl + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 1 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 - # Shared - shared: - hosts: - crushFtp: - root: scan.ftp.jupiter.mein.nl - prefix: ftp - ingress: - clusterIssuer: 'letsencrypt-prod' - storageClassName: default - - # This is a YAML-formatted file. - # Declare variables to be passed into your templates. - - replicaCount: 1 - - image: - repository: greggbjensen/crushftp - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. 
- tag: "" - - imagePullSecrets: [] - nameOverride: "" - fullnameOverride: "" - - serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - - podAnnotations: {} - - podSecurityContext: {} - # fsGroup: 2000 - - securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - - service: - type: ClusterIP - port: 80 + nodeSelector: {} - ingress: - enabled: false - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: ftp.jupiter.mein.nl - paths: - - path: / - pathType: ImplementationSpecific - tls: - - secretName: crushftp-tls - hosts: - - ftp.jupiter.mein.nl - - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - - autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 1 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - - nodeSelector: {} - - tolerations: [] - - affinity: {} \ No newline at end of file + tolerations: [] + + affinity: {} \ No newline at end of file From 71d631a2ebcad4d887608d78dbf86665d565c629 Mon Sep 17 00:00:00 2001 
From: Renovate Bot Date: Thu, 24 Mar 2022 13:01:41 +0000 Subject: [PATCH 183/334] chore(deps): update dependency alpine to v20220316 --- metal/roles/pxe_server/files/dhcp/Dockerfile | 2 +- metal/roles/pxe_server/files/tftp/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/metal/roles/pxe_server/files/dhcp/Dockerfile b/metal/roles/pxe_server/files/dhcp/Dockerfile index 78590a9324..b6405ee336 100644 --- a/metal/roles/pxe_server/files/dhcp/Dockerfile +++ b/metal/roles/pxe_server/files/dhcp/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:20210804 +FROM alpine:20220316 RUN apk add dhcp diff --git a/metal/roles/pxe_server/files/tftp/Dockerfile b/metal/roles/pxe_server/files/tftp/Dockerfile index 1adac2bcc6..ada70c714d 100644 --- a/metal/roles/pxe_server/files/tftp/Dockerfile +++ b/metal/roles/pxe_server/files/tftp/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:20210804 +FROM alpine:20220316 RUN apk add busybox tftp-hpa From c573950797c3cce0edbe845710abd857cc6751ab Mon Sep 17 00:00:00 2001 
From: Renovate Bot Date: Thu, 24 Mar 2022 23:48:50 +0000 Subject: [PATCH 184/334] chore(deps): update all non-major dependencies helm releases --- apps/paperless/Chart.yaml | 2 +- apps/privatebin/Chart.yaml | 2 +- bootstrap/argocd/Chart.yaml | 2 +- external/modules/cloudflare/versions.tf | 4 ++-- external/versions.tf | 4 ++-- home/firefly/values.yaml | 2 +- home/homeassistant/Chart.yaml | 2 +- home/homeassistant/values.yaml | 4 ++-- home/influxdb/values.yaml | 6 +++--- home/mariadb/Chart.yaml | 2 +- home/nextcloud/Chart.yaml | 2 +- home/nextcloud/values.yaml | 2 +- home/postgresql/Chart.yaml | 2 +- home/redis/Chart.yaml | 2 +- home/redis/values.yaml | 2 +- platform/gitea/Chart.yaml | 2 +- platform/trow/Chart.yaml | 2 +- platform/vault/files/generate-secrets/go.mod | 2 +- platform/vault/files/generate-secrets/go.sum | 2 ++ system/cert-manager/Chart.yaml | 2 +- system/kured/Chart.yaml | 2 +- system/longhorn-system/Chart.yaml | 2 +- 22 files changed, 28 insertions(+), 26 deletions(-) diff --git a/apps/paperless/Chart.yaml b/apps/paperless/Chart.yaml index 3e7bfbe67e..7e9119817f 100644 --- a/apps/paperless/Chart.yaml +++ b/apps/paperless/Chart.yaml @@ -3,7 +3,7 @@ name: paperless version: 0.0.0 dependencies: - name: paperless - version: 8.4.0 + version: 8.5.0 repository: https://k8s-at-home.com/charts/ - name: crushftp version: 1.0.2 diff --git a/apps/privatebin/Chart.yaml b/apps/privatebin/Chart.yaml index edcd0b49cc..a04128c11e 100644 --- a/apps/privatebin/Chart.yaml +++ b/apps/privatebin/Chart.yaml @@ -3,5 +3,5 @@ name: privatebin version: 0.0.0 dependencies: - name: privatebin - version: 0.12.1 + version: 0.14.0 repository: https://privatebin.github.io/helm-chart diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml index cf1034f7fb..9ed37aaff3 100644 --- a/bootstrap/argocd/Chart.yaml +++ b/bootstrap/argocd/Chart.yaml 
@@ -3,7 +3,7 @@ name: argocd version: 0.0.0 dependencies: - name: argo-cd - version: 3.35.2 + version: 3.35.4 repository: https://argoproj.github.io/argo-helm - name: argocd-applicationset version: 1.11.0 diff --git a/external/modules/cloudflare/versions.tf b/external/modules/cloudflare/versions.tf index ded55375f0..d2bb02545b 100644 --- a/external/modules/cloudflare/versions.tf +++ b/external/modules/cloudflare/versions.tf @@ -2,12 +2,12 @@ terraform { required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 3.8.0" + version = "~> 3.11.0" } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.7.0" + version = "~> 2.9.0" } http = { diff --git a/external/versions.tf b/external/versions.tf index 98ae6b655e..cf2e235bfb 100644 --- a/external/versions.tf +++ b/external/versions.tf @@ -8,12 +8,12 @@ terraform { required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 3.9.0" + version = "~> 3.11.0" } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.8.0" + version = "~> 2.9.0" } http = { diff --git a/home/firefly/values.yaml b/home/firefly/values.yaml index d583bc2db2..c1b12255f3 100644 --- a/home/firefly/values.yaml +++ b/home/firefly/values.yaml @@ -63,7 +63,7 @@ firefly-iii: image: repository: curlimages/curl pullPolicy: IfNotPresent - tag: 7.81.0 + tag: 7.82.0 imagePullSecrets: [] diff --git a/home/homeassistant/Chart.yaml b/home/homeassistant/Chart.yaml index 55a6476ab0..8d0d1ebdf5 100644 --- a/home/homeassistant/Chart.yaml +++ b/home/homeassistant/Chart.yaml @@ -3,5 +3,5 @@ name: homeassistant version: 0.0.0 dependencies: - name: home-assistant - version: 12.0.1 + version: 12.1.0 repository: https://k8s-at-home.com/charts/ diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index bf28369bb0..5a8b516b4d 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml 
@@ -3,7 +3,7 @@ home-assistant: # -- image repository repository: homeassistant/home-assistant # -- image tag - tag: 2022.3.1 + tag: 2022.3.7 # -- image pull policy pullPolicy: IfNotPresent @@ -138,7 +138,7 @@ home-assistant: enabled: true image: repository: codercom/code-server - tag: 4.1.0 + tag: 4.2.0 workingDir: "/config" args: - --auth diff --git a/home/influxdb/values.yaml b/home/influxdb/values.yaml index 48458f61e4..e52864ef29 100644 --- a/home/influxdb/values.yaml +++ b/home/influxdb/values.yaml @@ -1263,7 +1263,7 @@ influxdb: image: registry: docker.io repository: bitnami/google-cloud-sdk - tag: 0.375.0-debian-10-r0 + tag: 0.378.0-debian-10-r0 ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## @@ -1300,7 +1300,7 @@ influxdb: image: registry: docker.io repository: bitnami/azure-cli - tag: 2.32.0-debian-10-r14 + tag: 2.34.1-debian-10-r14 ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## @@ -1337,7 +1337,7 @@ influxdb: image: registry: docker.io repository: bitnami/aws-cli - tag: 2.4.21-debian-10-r4 + tag: 2.4.27-debian-10-r4 ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## diff --git a/home/mariadb/Chart.yaml b/home/mariadb/Chart.yaml index 4d75625fe5..a1fa120535 100644 --- a/home/mariadb/Chart.yaml +++ b/home/mariadb/Chart.yaml @@ -3,5 +3,5 @@ name: mariadb version: 0.0.0 dependencies: - name: mariadb - version: 10.3.7 + version: 10.4.2 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/nextcloud/Chart.yaml b/home/nextcloud/Chart.yaml index 2a7efd7c7b..e6d342d7c4 100644 --- a/home/nextcloud/Chart.yaml +++ b/home/nextcloud/Chart.yaml 
@@ -3,5 +3,5 @@ name: nextcloud version: 0.0.0 dependencies: - name: nextcloud - version: 2.12.1 + version: 2.13.2 repository: https://nextcloud.github.io/helm/ diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index 928b8fb2fc..7bd13718fb 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml @@ -5,7 +5,7 @@ nextcloud: ## image: repository: nextcloud - tag: 23.0.2-fpm-alpine + tag: 23.0.3-fpm-alpine pullPolicy: IfNotPresent # pullSecrets: # - myRegistrKeySecretName diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml index dbcf5819bb..69503ea836 100644 --- a/home/postgresql/Chart.yaml +++ b/home/postgresql/Chart.yaml @@ -3,5 +3,5 @@ name: postgresql version: 0.0.0 dependencies: - name: postgresql - version: 11.1.3 + version: 11.1.9 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/redis/Chart.yaml b/home/redis/Chart.yaml index b2d76a4537..05bc4217b9 100644 --- a/home/redis/Chart.yaml +++ b/home/redis/Chart.yaml @@ -3,5 +3,5 @@ name: redis version: 0.0.0 dependencies: - name: redis - version: 16.4.5 + version: 16.6.0 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/redis/values.yaml b/home/redis/values.yaml index ecc09b2743..e67863240c 100644 --- a/home/redis/values.yaml +++ b/home/redis/values.yaml @@ -1215,7 +1215,7 @@ redis: image: registry: docker.io repository: bitnami/redis-exporter - tag: 1.35.1-debian-10-r2 + tag: 1.37.0-debian-10-r2 pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. diff --git a/platform/gitea/Chart.yaml b/platform/gitea/Chart.yaml index 0bb7681b82..1280baec6f 100644 --- a/platform/gitea/Chart.yaml +++ b/platform/gitea/Chart.yaml @@ -3,5 +3,5 @@ name: gitea version: 0.0.0 dependencies: - name: gitea - version: 5.0.1 + version: 5.0.3 repository: https://dl.gitea.io/charts/ 
diff --git a/platform/trow/Chart.yaml b/platform/trow/Chart.yaml index a7bddbe9dd..edc36eae5a 100644 --- a/platform/trow/Chart.yaml +++ b/platform/trow/Chart.yaml @@ -3,5 +3,5 @@ name: trow version: 0.0.0 dependencies: - name: trow - version: 0.3.4 + version: 0.3.5 repository: https://trow.io diff --git a/platform/vault/files/generate-secrets/go.mod b/platform/vault/files/generate-secrets/go.mod index b68821ce1b..c3d40e4bcb 100644 --- a/platform/vault/files/generate-secrets/go.mod +++ b/platform/vault/files/generate-secrets/go.mod @@ -3,7 +3,7 @@ module git.khuedoan.com/khuedoan/homelab/vault/init go 1.17 require ( - github.com/hashicorp/vault/api v1.4.1 + github.com/hashicorp/vault/api v1.5.0 github.com/sethvargo/go-password v0.2.0 gopkg.in/yaml.v2 v2.4.0 ) diff --git a/platform/vault/files/generate-secrets/go.sum b/platform/vault/files/generate-secrets/go.sum index ba166312fe..f2deb7f68b 100644 --- a/platform/vault/files/generate-secrets/go.sum +++ b/platform/vault/files/generate-secrets/go.sum @@ -128,6 +128,8 @@ github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/vault/api v1.4.1 h1:mWLfPT0RhxBitjKr6swieCEP2v5pp/M//t70S3kMLRo= github.com/hashicorp/vault/api v1.4.1/go.mod h1:LkMdrZnWNrFaQyYYazWVn7KshilfDidgVBq6YiTq/bM= +github.com/hashicorp/vault/api v1.5.0 h1:Bp6yc2bn7CWkOrVIzFT/Qurzx528bdavF3nz590eu28= +github.com/hashicorp/vault/api v1.5.0/go.mod h1:LkMdrZnWNrFaQyYYazWVn7KshilfDidgVBq6YiTq/bM= github.com/hashicorp/vault/sdk v0.4.1 h1:3SaHOJY687jY1fnB61PtL0cOkKItphrbLmux7T92HBo= github.com/hashicorp/vault/sdk v0.4.1/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb h1:b5rjCoWHc7eqmAS4/qyk21ZsHyb6Mxv/jykxvNTkU4M= diff --git a/system/cert-manager/Chart.yaml b/system/cert-manager/Chart.yaml index 373bf29d14..c59ceee452 100644 --- a/system/cert-manager/Chart.yaml 
+++ b/system/cert-manager/Chart.yaml @@ -3,5 +3,5 @@ name: cert-manager version: 0.0.0 dependencies: - name: cert-manager - version: v1.7.1 + version: v1.7.2 repository: https://charts.jetstack.io diff --git a/system/kured/Chart.yaml b/system/kured/Chart.yaml index a689520202..67111d4d3f 100644 --- a/system/kured/Chart.yaml +++ b/system/kured/Chart.yaml @@ -3,5 +3,5 @@ name: kured version: 0.0.0 dependencies: - name: kured - version: 2.11.2 + version: 2.12.0 repository: https://weaveworks.github.io/kured diff --git a/system/longhorn-system/Chart.yaml b/system/longhorn-system/Chart.yaml index 33e2241244..78baec8e68 100644 --- a/system/longhorn-system/Chart.yaml +++ b/system/longhorn-system/Chart.yaml @@ -3,5 +3,5 @@ name: longhorn version: 0.0.0 dependencies: - name: longhorn - version: 1.2.3 + version: 1.2.4 repository: https://charts.longhorn.io From 6ca8dd5c9c62d3f3f508f91ac626b55de732d02e Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Fri, 25 Mar 2022 10:48:22 +0100 Subject: [PATCH 185/334] config: added firefly3 again --- home/firefly/{Chart.yaml.disabled => Chart.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename home/firefly/{Chart.yaml.disabled => Chart.yaml} (100%) diff --git a/home/firefly/Chart.yaml.disabled b/home/firefly/Chart.yaml similarity index 100% rename from home/firefly/Chart.yaml.disabled rename to home/firefly/Chart.yaml From c90fc361104b988d28fc10cd4dc4659aa9c03282 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 29 Mar 2022 23:32:08 +0000 Subject: [PATCH 186/334] chore(deps): update dependency alpine to v20220328 --- metal/roles/pxe_server/files/dhcp/Dockerfile | 2 +- metal/roles/pxe_server/files/tftp/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/metal/roles/pxe_server/files/dhcp/Dockerfile b/metal/roles/pxe_server/files/dhcp/Dockerfile index b6405ee336..42fe266870 100644 --- a/metal/roles/pxe_server/files/dhcp/Dockerfile +++ b/metal/roles/pxe_server/files/dhcp/Dockerfile 
@@ -1,4 +1,4 @@ -FROM alpine:20220316 +FROM alpine:20220328 RUN apk add dhcp diff --git a/metal/roles/pxe_server/files/tftp/Dockerfile b/metal/roles/pxe_server/files/tftp/Dockerfile index ada70c714d..4bbdf6ed31 100644 --- a/metal/roles/pxe_server/files/tftp/Dockerfile +++ b/metal/roles/pxe_server/files/tftp/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:20220316 +FROM alpine:20220328 RUN apk add busybox tftp-hpa From 9d986ff170ee7f265b40feb4bbe2e8e454229704 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 3 Apr 2022 12:31:31 +0200 Subject: [PATCH 187/334] feat: datadog --- system/datadog/Chart.yaml | 11 + system/datadog/values.yaml | 1495 ++++++++++++++++++++++++++++++++++++ 2 files changed, 1506 insertions(+) create mode 100644 system/datadog/Chart.yaml create mode 100644 system/datadog/values.yaml diff --git a/system/datadog/Chart.yaml b/system/datadog/Chart.yaml new file mode 100644 index 0000000000..0feccf6148 --- /dev/null +++ b/system/datadog/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: datadog +version: 0.0.1 +dependencies: + - name: datadog + version: v2.30.20 + repository: https://helm.datadoghq.com + + + + diff --git a/system/datadog/values.yaml b/system/datadog/values.yaml new file mode 100644 index 0000000000..8e50e87a7d --- /dev/null +++ b/system/datadog/values.yaml 
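Review bot: The new `system/datadog/Chart.yaml` ends with four empty added lines and pins `version: 0.0.1`, while every other wrapper chart in this series uses `version: 0.0.0` (see the Chart.yaml hunks in PATCH 184); dropping the trailing blanks and aligning the version keeps the umbrella charts uniform. The dependency is pinned to `v2.30.20`, which is the right shape, though the other non-jetstack charts here use bare semver, so it is worth confirming the `v` prefix matches the index entry at the stated repository before relying on the pin.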
@@ -0,0 +1,1495 @@ +datadog: + ## Default values for Datadog Agent + ## See Datadog helm documentation to learn more: + ## https://docs.datadoghq.com/agent/kubernetes/helm/ + + # nameOverride -- Override name of app + nameOverride: # "" + + # fullnameOverride -- Override the full qualified app name + fullnameOverride: # "" + + # targetSystem -- Target OS for this deployment (possible values: linux, windows) + targetSystem: "linux" + + # registry -- Registry to use for all Agent images (default gcr.io) + ## Currently we offer Datadog Agent images on: + ## GCR - use gcr.io/datadoghq (default) + ## DockerHub - use docker.io/datadog + ## AWS - use public.ecr.aws/datadog + registry: gcr.io/datadoghq + + datadog: + # datadog.apiKey -- Your Datadog API key + # ref: https://app.datadoghq.com/account/settings#agent/kubernetes + apiKey: # + + # datadog.apiKeyExistingSecret -- Use existing Secret which stores API key instead of creating a new one. The value should be set with the `api-key` key inside the secret. + ## If set, this parameter takes precedence over "apiKey". + apiKeyExistingSecret: "datadog-secret" # + + # datadog.appKey -- Datadog APP key required to use metricsProvider + ## If you are using clusterAgent.metricsProvider.enabled = true, you must set + ## a Datadog application key for read access to your metrics. + appKey: # + + # datadog.appKeyExistingSecret -- Use existing Secret which stores APP key instead of creating a new one. The value should be set with the `app-key` key inside the secret. + ## If set, this parameter takes precedence over "appKey". + appKeyExistingSecret: #"datadog-secret" # + + ## Configure the secret backend feature https://docs.datadoghq.com/agent/guide/secrets-management + ## Examples: https://docs.datadoghq.com/agent/guide/secrets-management/#setup-examples-1 + secretBackend: + # datadog.secretBackend.command -- Configure the secret backend command, path to the secret backend binary. 
+ ## Note: If the command value is "/readsecret_multiple_providers.sh" the agents will have permissions to get secret objects. + ## Read more about "/readsecret_multiple_providers.sh": https://docs.datadoghq.com/agent/guide/secrets-management/#script-for-reading-from-multiple-secret-providers-readsecret_multiple_providerssh + command: # "/readsecret.sh" or "/readsecret_multiple_providers.sh" or any custom binary path + + # datadog.secretBackend.arguments -- Configure the secret backend command arguments (space-separated strings). + arguments: # "/etc/secret-volume" or any other custom arguments + + # datadog.secretBackend.timeout -- Configure the secret backend command timeout in seconds. + timeout: # 30 + + # datadog.securityContext -- Allows you to overwrite the default PodSecurityContext on the Daemonset or Deployment + securityContext: + runAsUser: 0 + # seLinuxOptions: + # user: "system_u" + # role: "system_r" + # type: "spc_t" + # level: "s0" + + # datadog.hostVolumeMountPropagation -- Allow to specify the `mountPropagation` value on all volumeMounts using HostPath + ## ref: https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation + hostVolumeMountPropagation: None + + # datadog.clusterName -- Set a unique cluster name to allow scoping hosts and Cluster Checks easily + ## The name must be unique and must be dot-separated tokens with the following restrictions: + ## * Lowercase letters, numbers, and hyphens only. + ## * Must start with a letter. + ## * Must end with a number or a letter. + ## * Overall length should not be higher than 80 characters. + ## Compared to the rules of GKE, dots are allowed whereas they are not allowed on GKE: + ## https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#Cluster.FIELDS.name + clusterName: "jupiter.mein.nl" # + + # datadog.site -- The site of the Datadog intake to send Agent data to + ## Set to 'datadoghq.eu' to send data to the EU site. 
+ site: datadog.eu # datadoghq.com + + # datadog.dd_url -- The host of the Datadog intake server to send Agent data to, only set this option if you need the Agent to send data to a custom URL + ## Overrides the site setting defined in "site". + dd_url: # https://app.datadoghq.com + + # datadog.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, off + logLevel: INFO + + # datadog.kubeStateMetricsEnabled -- If true, deploys the kube-state-metrics deployment + ## ref: https://github.com/kubernetes/kube-state-metrics/tree/kube-state-metrics-helm-chart-2.13.2/charts/kube-state-metrics + kubeStateMetricsEnabled: true + + kubeStateMetricsNetworkPolicy: + # datadog.kubeStateMetricsNetworkPolicy.create -- If true, create a NetworkPolicy for kube state metrics + create: false + + kubeStateMetricsCore: + # datadog.kubeStateMetricsCore.enabled -- Enable the kubernetes_state_core check in the Cluster Agent (Requires Cluster Agent 1.12.0+) + ## ref: https://docs.datadoghq.com/integrations/kubernetes_state_core + enabled: false + + # datadog.kubeStateMetricsCore.ignoreLegacyKSMCheck -- Disable the auto-configuration of legacy kubernetes_state check (taken into account only when datadog.kubeStateMetricsCore.enabled is true) + ## Disabling this field is not recommended as it results in enabling both checks, it can be useful though during the migration phase. + ## Migration guide: https://docs.datadoghq.com/integrations/kubernetes_state_core/?tab=helm#migration-from-kubernetes_state-to-kubernetes_state_core + ignoreLegacyKSMCheck: true + + # datadog.kubeStateMetricsCore.collectSecretMetrics -- Enable watching secret objects and collecting their corresponding metrics kubernetes_state.secret.* + ## Configuring this field will change the default kubernetes_state_core check configuration and the RBACs granted to Datadog Cluster Agent to run the kubernetes_state_core check. 
+ collectSecretMetrics: true + + # datadog.kubeStateMetricsCore.useClusterCheckRunners -- For large clusters where the Kubernetes State Metrics Check Core needs to be distributed on dedicated workers. + ## Configuring this field will create a separate deployment which will run Cluster Checks, including Kubernetes State Metrics Core. + ## ref: https://docs.datadoghq.com/agent/cluster_agent/clusterchecksrunner?tab=helm + useClusterCheckRunners: false + + # datadog.kubeStateMetricsCore.labelsAsTags -- Extra labels to collect from resources and to turn into datadog tag. + ## It has the following structure: + ## labelsAsTags: + ## : # can be pod, deployment, node, etc. + ## : # where is the kubernetes label and is the datadog tag + ## : + ## : + ## : + ## + ## Warning: the label must match the transformation done by kube-state-metrics, + ## for example tags.datadoghq.com/version becomes label_tags_datadoghq_com_version. + labelsAsTags: {} + # pod: + # app: app + # node: + # zone: zone + # team: team + + ## Manage Cluster checks feature + ## ref: https://docs.datadoghq.com/agent/autodiscovery/clusterchecks/ + ## Autodiscovery via Kube Service annotations is automatically enabled + clusterChecks: + # datadog.clusterChecks.enabled -- Enable the Cluster Checks feature on both the cluster-agents and the daemonset + enabled: true + # datadog.clusterChecks.shareProcessNamespace -- Set the process namespace sharing on the cluster checks agent + shareProcessNamespace: false + + # datadog.nodeLabelsAsTags -- Provide a mapping of Kubernetes Node Labels to Datadog Tags + nodeLabelsAsTags: {} + # beta.kubernetes.io/instance-type: aws-instance-type + # kubernetes.io/role: kube_role + # : + + # datadog.podLabelsAsTags -- Provide a mapping of Kubernetes Labels to Datadog Tags + podLabelsAsTags: {} + # app: kube_app + # release: helm_release + # : + + # datadog.podAnnotationsAsTags -- Provide a mapping of Kubernetes Annotations to Datadog Tags + podAnnotationsAsTags: {} + # 
iam.amazonaws.com/role: kube_iamrole + # : + + # datadog.namespaceLabelsAsTags -- Provide a mapping of Kubernetes Namespace Labels to Datadog Tags + namespaceLabelsAsTags: {} + # env: environment + # : + + # datadog.tags -- List of static tags to attach to every metric, event and service check collected by this Agent. + ## Learn more about tagging: https://docs.datadoghq.com/tagging/ + tags: [] + # - ":" + # - ":" + + # datadog.checksCardinality -- Sets the tag cardinality for the checks run by the Agent. + ## https://docs.datadoghq.com/getting_started/tagging/assigning_tags/?tab=containerizedenvironments#environment-variables + checksCardinality: # low, orchestrator or high (not set by default to avoid overriding existing DD_CHECKS_TAG_CARDINALITY configurations, the default value in the Agent is low) + + # kubelet configuration + kubelet: + # datadog.kubelet.host -- Override kubelet IP + host: + valueFrom: + fieldRef: + fieldPath: status.hostIP + # datadog.kubelet.tlsVerify -- Toggle kubelet TLS verification + # @default -- true + tlsVerify: # false + # datadog.kubelet.hostCAPath -- Path (on host) where the Kubelet CA certificate is stored + # @default -- None (no mount from host) + hostCAPath: + # datadog.kubelet.agentCAPath -- Path (inside Agent containers) where the Kubelet CA certificate is stored + # @default -- /var/run/host-kubelet-ca.crt if hostCAPath else /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + agentCAPath: + + # datadog.expvarPort -- Specify the port to expose pprof and expvar to not interfer with the agentmetrics port from the cluster-agent, which defaults to 5000 + expvarPort: 6000 + + ## dogstatsd configuration + ## ref: https://docs.datadoghq.com/agent/kubernetes/dogstatsd/ + ## To emit custom metrics from your Kubernetes application, use DogStatsD. + dogstatsd: + # datadog.dogstatsd.port -- Override the Agent DogStatsD port + ## Note: Make sure your client is sending to the same UDP port. 
+ port: 8125 + + # datadog.dogstatsd.originDetection -- Enable origin detection for container tagging + ## https://docs.datadoghq.com/developers/dogstatsd/unix_socket/#using-origin-detection-for-container-tagging + originDetection: false + + # datadog.dogstatsd.tags -- List of static tags to attach to every custom metric, event and service check collected by Dogstatsd. + ## Learn more about tagging: https://docs.datadoghq.com/tagging/ + tags: [] + # - ":" + # - ":" + + # datadog.dogstatsd.tagCardinality -- Sets the tag cardinality relative to the origin detection + ## https://docs.datadoghq.com/developers/dogstatsd/unix_socket/#using-origin-detection-for-container-tagging + tagCardinality: low + + # datadog.dogstatsd.useSocketVolume -- Enable dogstatsd over Unix Domain Socket with an HostVolume + ## ref: https://docs.datadoghq.com/developers/dogstatsd/unix_socket/ + useSocketVolume: true + + # datadog.dogstatsd.socketPath -- Path to the DogStatsD socket + socketPath: /var/run/datadog/dsd.socket + + # datadog.dogstatsd.hostSocketPath -- Host path to the DogStatsD socket + hostSocketPath: /var/run/datadog/ + + # datadog.dogstatsd.useHostPort -- Sets the hostPort to the same value of the container port + ## Needs to be used for sending custom metrics. + ## The ports need to be available on all hosts. + ## + ## WARNING: Make sure that hosts using this are properly firewalled otherwise + ## metrics and traces are accepted from any host able to connect to this host. + useHostPort: false + + # datadog.dogstatsd.useHostPID -- Run the agent in the host's PID namespace + ## This is required for Dogstatsd origin detection to work. 
+ ## See https://docs.datadoghq.com/developers/dogstatsd/unix_socket/ + useHostPID: false + + # datadog.dogstatsd.nonLocalTraffic -- Enable this to make each node accept non-local statsd traffic (from outside of the pod) + ## ref: https://github.com/DataDog/docker-dd-agent#environment-variables + nonLocalTraffic: true + + # datadog.collectEvents -- Enables this to start event collection from the kubernetes API + ## ref: https://docs.datadoghq.com/agent/kubernetes/#event-collection + collectEvents: true + + # datadog.leaderElection -- Enables leader election mechanism for event collection + leaderElection: true + + # datadog.leaderLeaseDuration -- Set the lease time for leader election in second + leaderLeaseDuration: # 60 + + ## Enable logs agent and provide custom configs + logs: + # datadog.logs.enabled -- Enables this to activate Datadog Agent log collection + ## ref: https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/#log-collection-setup + enabled: false + + # datadog.logs.containerCollectAll -- Enable this to allow log collection for all containers + ## ref: https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/#log-collection-setup + containerCollectAll: false + + # datadog.logs.containerCollectUsingFiles -- Collect logs from files in /var/log/pods instead of using container runtime API + ## It's usually the most efficient way of collecting logs. + ## ref: https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/#log-collection-setup + containerCollectUsingFiles: true + + # datadog.logs.autoMultiLineDetection -- Allows the Agent to detect common multi-line patterns automatically. 
+ ## ref: https://docs.datadoghq.com/agent/logs/advanced_log_collection/?tab=configurationfile#automatic-multi-line-aggregation + autoMultiLineDetection: false + + ## Enable apm agent and provide custom configs + apm: + # datadog.apm.socketEnabled -- Enable APM over Socket (Unix Socket or windows named pipe) + ## ref: https://docs.datadoghq.com/agent/kubernetes/apm/ + socketEnabled: true + + # datadog.apm.portEnabled -- Enable APM over TCP communication (port 8126 by default) + ## ref: https://docs.datadoghq.com/agent/kubernetes/apm/ + portEnabled: false + + # datadog.apm.enabled -- Enable this to enable APM and tracing, on port 8126 + # DEPRECATED. Use datadog.apm.portEnabled instead + ## ref: https://github.com/DataDog/docker-dd-agent#tracing-from-the-host + enabled: false + + # datadog.apm.port -- Override the trace Agent port + ## Note: Make sure your client is sending to the same UDP port. + port: 8126 + + # datadog.apm.useSocketVolume -- Enable APM over Unix Domain Socket + # DEPRECATED. Use datadog.apm.socketEnabled instead + ## ref: https://docs.datadoghq.com/agent/kubernetes/apm/ + useSocketVolume: false + + # datadog.apm.socketPath -- Path to the trace-agent socket + socketPath: /var/run/datadog/apm.socket + + # datadog.apm.hostSocketPath -- Host path to the trace-agent socket + hostSocketPath: /var/run/datadog/ + + # datadog.envFrom -- Set environment variables for all Agents directly from configMaps and/or secrets + ## envFrom to pass configmaps or secrets as environment + envFrom: [] + # - configMapRef: + # name: + # - secretRef: + # name: + + # datadog.env -- Set environment variables for all Agents + ## The Datadog Agent supports many environment variables. 
+ ## ref: https://docs.datadoghq.com/agent/docker/?tab=standard#environment-variables + env: [] + # - name: + # value: + + # datadog.confd -- Provide additional check configurations (static and Autodiscovery) + ## Each key becomes a file in /conf.d + ## ref: https://github.com/DataDog/datadog-agent/tree/main/Dockerfiles/agent#optional-volumes + ## ref: https://docs.datadoghq.com/agent/autodiscovery/ + confd: {} + # redisdb.yaml: |- + # init_config: + # instances: + # - host: "name" + # port: "6379" + # kubernetes_state.yaml: |- + # ad_identifiers: + # - kube-state-metrics + # init_config: + # instances: + # - kube_state_url: http://%%host%%:8080/metrics + + # datadog.checksd -- Provide additional custom checks as python code + ## Each key becomes a file in /checks.d + ## ref: https://github.com/DataDog/datadog-agent/tree/main/Dockerfiles/agent#optional-volumes + checksd: {} + # service.py: |- + + # datadog.dockerSocketPath -- Path to the docker socket + dockerSocketPath: # /var/run/docker.sock + + # datadog.criSocketPath -- Path to the container runtime socket (if different from Docker) + criSocketPath: # /var/run/containerd/containerd.sock + + # Configure how the agent interact with the host's container runtime + containerRuntimeSupport: + # datadog.containerRuntimeSupport.enabled -- Set this to false to disable agent access to container runtime. + enabled: true + + ## Enable process agent and provide custom configs + processAgent: + # datadog.processAgent.enabled -- Set this to true to enable live process monitoring agent + ## Note: /etc/passwd is automatically mounted to allow username resolution. 
+ ## ref: https://docs.datadoghq.com/graphing/infrastructure/process/#kubernetes-daemonset + enabled: true + + # datadog.processAgent.processCollection -- Set this to true to enable process collection in process monitoring agent + ## Requires processAgent.enabled to be set to true to have any effect + processCollection: false + + # datadog.processAgent.stripProcessArguments -- Set this to scrub all arguments from collected processes + ## Requires processAgent.enabled and processAgent.processCollection to be set to true to have any effect + ## ref: https://docs.datadoghq.com/infrastructure/process/?tab=linuxwindows#process-arguments-scrubbing + stripProcessArguments: false + + # datadog.processAgent.processDiscovery -- Enables or disables autodiscovery of integrations + processDiscovery: false + + ## Enable systemProbe agent and provide custom configs + systemProbe: + + # datadog.systemProbe.debugPort -- Specify the port to expose pprof and expvar for system-probe agent + debugPort: 0 + + # datadog.systemProbe.enableConntrack -- Enable the system-probe agent to connect to the netlink/conntrack subsystem to add NAT information to connection data + ## Ref: http://conntrack-tools.netfilter.org/ + enableConntrack: true + + # datadog.systemProbe.seccomp -- Apply an ad-hoc seccomp profile to the system-probe agent to restrict its privileges + ## Note that this will break `kubectl exec … -c system-probe -- /bin/bash` + seccomp: localhost/system-probe + + # datadog.systemProbe.seccompRoot -- Specify the seccomp profile root directory + seccompRoot: /var/lib/kubelet/seccomp + + # datadog.systemProbe.bpfDebug -- Enable logging for kernel debug + bpfDebug: false + + # datadog.systemProbe.apparmor -- Specify a apparmor profile for system-probe + apparmor: unconfined + + # datadog.systemProbe.enableTCPQueueLength -- Enable the TCP queue length eBPF-based check + enableTCPQueueLength: false + + # datadog.systemProbe.enableOOMKill -- Enable the OOM kill eBPF-based check + 
enableOOMKill: false + + # datadog.systemProbe.enableRuntimeCompiler -- Enable the runtime compiler for eBPF probes + enableRuntimeCompiler: false + + # datadog.systemProbe.mountPackageManagementDirs -- Enables mounting of specific package management directories when runtime compilation is enabled + mountPackageManagementDirs: [] + ## For runtime compilation to be able to download kernel headers, the host's package management folders + ## must be mounted to the /host directory. For example, for Ubuntu & Debian the following mount would be necessary: + # - name: "apt-config-dir" + # hostPath: /etc/apt + # mountPath: /host/etc/apt + ## If this list is empty, then all necessary package management directories (for all supported OSs) will be mounted. + + # datadog.systemProbe.osReleasePath -- Specify the path to your os-release file if you don't want to attempt mounting all `/etc/*-release` file by default + osReleasePath: + + # datadog.systemProbe.runtimeCompilationAssetDir -- Specify a directory for runtime compilation assets to live in + runtimeCompilationAssetDir: /var/tmp/datadog-agent/system-probe + + # datadog.systemProbe.collectDNSStats -- Enable DNS stat collection + collectDNSStats: true + + # datadog.systemProbe.maxTrackedConnections -- the maximum number of tracked connections + maxTrackedConnections: 131072 + + # datadog.systemProbe.conntrackMaxStateSize -- the maximum size of the userspace conntrack cache + conntrackMaxStateSize: 131072 # 2 * maxTrackedConnections by default, per https://github.com/DataDog/datadog-agent/blob/d1c5de31e1bba72dfac459aed5ff9562c3fdcc20/pkg/process/config/config.go#L229 + + # datadog.systemProbe.conntrackInitTimeout -- the time to wait for conntrack to initialize before failing + conntrackInitTimeout: 10s + + orchestratorExplorer: + # datadog.orchestratorExplorer.enabled -- Set this to false to disable the orchestrator explorer + ## This requires processAgent.enabled and clusterAgent.enabled to be set to true + ## ref: TODO - 
add doc link + enabled: true + + # datadog.orchestratorExplorer.container_scrubbing -- Enable the scrubbing of containers in the kubernetes resource YAML for sensitive information + ## The container scrubbing is taking significant resources during data collection. + ## If you notice that the cluster-agent uses too much CPU in larger clusters + ## turning this option off will improve the situation. + container_scrubbing: + enabled: true + + helmCheck: + # datadog.helmCheck.enabled -- Set this to true to enable the Helm check (Requires Agent 7.35.0+ and Cluster Agent 1.19.0+) + # This requires clusterAgent.enabled to be set to true + enabled: false + + # datadog.helmCheck.collectEvents -- Set this to true to enable event collection in the Helm Check (Requires Agent 7.36.0+ and Cluster Agent 1.20.0+) + # This requires datadog.HelmCheck.enabled to be set to true + collectEvents: false + + networkMonitoring: + # datadog.networkMonitoring.enabled -- Enable network performance monitoring + enabled: false + + ## Universal Service Monitoring is currently in private beta. + ## See https://www.datadoghq.com/blog/universal-service-monitoring-datadog/ for more details and private beta signup. 
+ serviceMonitoring: + # datadog.serviceMonitoring.enabled -- Enable Universal Service Monitoring + enabled: false + + ## Enable security agent and provide custom configs + securityAgent: + compliance: + # datadog.securityAgent.compliance.enabled -- Set to true to enable Cloud Security Posture Management (CSPM) + enabled: false + + # datadog.securityAgent.compliance.configMap -- Contains CSPM compliance benchmarks that will be used + configMap: + + # datadog.securityAgent.compliance.checkInterval -- Compliance check run interval + checkInterval: 20m + + runtime: + # datadog.securityAgent.runtime.enabled -- Set to true to enable Cloud Workload Security (CWS) + enabled: false + + policies: + # datadog.securityAgent.runtime.policies.configMap -- Contains CWS policies that will be used + configMap: + + syscallMonitor: + # datadog.securityAgent.runtime.syscallMonitor.enabled -- Set to true to enable the Syscall monitoring (recommended for troubleshooting only) + enabled: false + + ## Manage NetworkPolicy + networkPolicy: + # datadog.networkPolicy.create -- If true, create NetworkPolicy for all the components + create: false + + # datadog.networkPolicy.flavor -- Flavor of the network policy to use. + # Can be: + # * kubernetes for networking.k8s.io/v1/NetworkPolicy + # * cilium for cilium.io/v2/CiliumNetworkPolicy + flavor: kubernetes + + cilium: + # datadog.networkPolicy.cilium.dnsSelector -- Cilium selector of the DNS server entity + # @default -- kube-dns in namespace kube-system + dnsSelector: + toEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": kube-system + "k8s:k8s-app": kube-dns + + ## Configure prometheus scraping autodiscovery + ## ref: https://docs.datadoghq.com/agent/kubernetes/prometheus/ + prometheusScrape: + # datadog.prometheusScrape.enabled -- Enable autodiscovering pods and services exposing prometheus metrics. + enabled: false + # datadog.prometheusScrape.serviceEndpoints -- Enable generating dedicated checks for service endpoints. 
+ serviceEndpoints: false + # datadog.prometheusScrape.additionalConfigs -- Allows adding advanced openmetrics check configurations with custom discovery rules. (Requires Agent version 7.27+) + additionalConfigs: [] + # - + # autodiscovery: + # kubernetes_annotations: + # include: + # custom_include_label: 'true' + # exclude: + # custom_exclude_label: 'true' + # kubernetes_container_names: + # - my-app + # configurations: + # - send_distribution_buckets: true + # timeout: 5 + + # datadog.ignoreAutoConfig -- List of integration to ignore auto_conf.yaml. + ## ref: https://docs.datadoghq.com/agent/faq/auto_conf/ + ignoreAutoConfig: [] + # - redisdb + # - kubernetes_state + + # datadog.containerExclude -- Exclude containers from the Agent + # Autodiscovery, as a space-sepatered list + ## ref: https://docs.datadoghq.com/agent/guide/autodiscovery-management/?tab=containerizedagent#exclude-containers + containerExclude: # "image:datadog/agent" + + # datadog.containerInclude -- Include containers in the Agent Autodiscovery, + # as a space-separated list. If a container matches an include rule, it’s + # always included in the Autodiscovery + ## ref: https://docs.datadoghq.com/agent/guide/autodiscovery-management/?tab=containerizedagent#include-containers + containerInclude: + + # datadog.containerExcludeLogs -- Exclude logs from the Agent Autodiscovery, + # as a space-separated list + containerExcludeLogs: + + # datadog.containerIncludeLogs -- Include logs in the Agent Autodiscovery, as + # a space-separated list + containerIncludeLogs: + + # datadog.containerExcludeMetrics -- Exclude metrics from the Agent + # Autodiscovery, as a space-separated list + containerExcludeMetrics: + + # datadog.containerIncludeMetrics -- Include metrics in the Agent + # Autodiscovery, as a space-separated list + containerIncludeMetrics: + + # datadog.excludePauseContainer -- Exclude pause containers from the Agent + # Autodiscovery. 
+ ## ref: https://docs.datadoghq.com/agent/guide/autodiscovery-management/?tab=containerizedagent#pause-containers + excludePauseContainer: true + + ## This is the Datadog Cluster Agent implementation that handles cluster-wide + ## metrics more cleanly, separates concerns for better rbac, and implements + ## the external metrics API so you can autoscale HPAs based on datadog metrics + ## ref: https://docs.datadoghq.com/agent/kubernetes/cluster/ + clusterAgent: + # clusterAgent.enabled -- Set this to false to disable Datadog Cluster Agent + enabled: true + + # clusterAgent.shareProcessNamespace -- Set the process namespace sharing on the Datadog Cluster Agent + shareProcessNamespace: false + + ## Define the Datadog Cluster-Agent image to work with + image: + # clusterAgent.image.name -- Cluster Agent image name to use (relative to `registry`) + name: cluster-agent + + # clusterAgent.image.tag -- Cluster Agent image tag to use + tag: 1.18.0 + + # clusterAgent.image.repository -- Override default registry + image.name for Cluster Agent + repository: + + # clusterAgent.image.pullPolicy -- Cluster Agent image pullPolicy + pullPolicy: IfNotPresent + + # clusterAgent.image.pullSecrets -- Cluster Agent repository pullSecret (ex: specify docker registry credentials) + ## See https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + pullSecrets: [] + # - name: "" + + # clusterAgent.securityContext -- Allows you to overwrite the default PodSecurityContext on the cluster-agent pods. + securityContext: {} + + containers: + clusterAgent: + # clusterAgent.containers.clusterAgent.securityContext -- Specify securityContext on the cluster-agent container. 
+ securityContext: {} + + # clusterAgent.command -- Command to run in the Cluster Agent container as entrypoint + command: [] + + # clusterAgent.token -- Cluster Agent token is a preshared key between node agents and cluster agent (autogenerated if empty, needs to be at least 32 characters a-zA-z) + token: "" + + # clusterAgent.tokenExistingSecret -- Existing secret name to use for Cluster Agent token + tokenExistingSecret: "" + + # clusterAgent.replicas -- Specify the of cluster agent replicas, if > 1 it allow the cluster agent to work in HA mode. + replicas: 1 + + ## Provide Cluster Agent Deployment pod(s) RBAC configuration + rbac: + # clusterAgent.rbac.create -- If true, create & use RBAC resources + create: true + + # clusterAgent.rbac.serviceAccountName -- Specify a preexisting ServiceAccount to use if clusterAgent.rbac.create is false + serviceAccountName: default + + # clusterAgent.rbac.serviceAccountAnnotations -- Annotations to add to the ServiceAccount if clusterAgent.rbac.create is true + serviceAccountAnnotations: {} + + ## Provide Cluster Agent pod security configuration + podSecurity: + podSecurityPolicy: + # clusterAgent.podSecurity.podSecurityPolicy.create -- If true, create a PodSecurityPolicy resource for Cluster Agent pods + create: false + securityContextConstraints: + # clusterAgent.podSecurity.securityContextConstraints.create -- If true, create a SCC resource for Cluster Agent pods + create: false + + # Enable the metricsProvider to be able to scale based on metrics in Datadog + metricsProvider: + # clusterAgent.metricsProvider.enabled -- Set this to true to enable Metrics Provider + enabled: false + + # clusterAgent.metricsProvider.wpaController -- Enable informer and controller of the watermark pod autoscaler + ## NOTE: You need to install the `WatermarkPodAutoscaler` CRD before + wpaController: false + + # clusterAgent.metricsProvider.useDatadogMetrics -- Enable usage of DatadogMetric CRD to autoscale on arbitrary Datadog queries + ## 
NOTE: It will install DatadogMetrics CRD automatically (it may conflict with previous installations) + useDatadogMetrics: false + + # clusterAgent.metricsProvider.createReaderRbac -- Create `external-metrics-reader` RBAC automatically (to allow HPA to read data from Cluster Agent) + createReaderRbac: true + + # clusterAgent.metricsProvider.aggregator -- Define the aggregator the cluster agent will use to process the metrics. The options are (avg, min, max, sum) + aggregator: avg + + ## Configuration for the service for the cluster-agent metrics server + service: + # clusterAgent.metricsProvider.service.type -- Set type of cluster-agent metrics server service + type: ClusterIP + + # clusterAgent.metricsProvider.service.port -- Set port of cluster-agent metrics server service (Kubernetes >= 1.15) + port: 8443 + + # clusterAgent.metricsProvider.endpoint -- Override the external metrics provider endpoint. If not set, the cluster-agent defaults to `datadog.site` + endpoint: # https://api.datadoghq.com + + # clusterAgent.env -- Set environment variables specific to Cluster Agent + ## The Cluster-Agent supports many additional environment variables + ## ref: https://docs.datadoghq.com/agent/cluster_agent/commands/#cluster-agent-options + env: [] + + # clusterAgent.envFrom -- Set environment variables specific to Cluster Agent from configMaps and/or secrets + ## The Cluster-Agent supports many additional environment variables + ## ref: https://docs.datadoghq.com/agent/cluster_agent/commands/#cluster-agent-options + envFrom: [] + # - configMapRef: + # name: + # - secretRef: + # name: + + admissionController: + # clusterAgent.admissionController.enabled -- Enable the admissionController to be able to inject APM/Dogstatsd config and standard tags (env, service, version) automatically into your pods + enabled: false + + # clusterAgent.admissionController.mutateUnlabelled -- Enable injecting config without having the pod label 'admission.datadoghq.com/enabled="true"' + 
mutateUnlabelled: false + + # clusterAgent.confd -- Provide additional cluster check configurations. Each key will become a file in /conf.d. + ## ref: https://docs.datadoghq.com/agent/autodiscovery/ + confd: {} + # mysql.yaml: |- + # cluster_check: true + # instances: + # - host: + # port: 3306 + # username: datadog + # password: + + # clusterAgent.advancedConfd -- Provide additional cluster check configurations. Each key is an integration containing several config files. + ## ref: https://docs.datadoghq.com/agent/autodiscovery/ + advancedConfd: {} + # mysql.d: + # 1.yaml: |- + # cluster_check: true + # instances: + # - host: + # port: 3306 + # username: datadog + # password: + # 2.yaml: |- + # cluster_check: true + # instances: + # - host: + # port: 3306 + # username: datadog + # password: + + # clusterAgent.resources -- Datadog cluster-agent resource requests and limits. + resources: {} + # requests: + # cpu: 200m + # memory: 256Mi + # limits: + # cpu: 200m + # memory: 256Mi + + # clusterAgent.priorityClassName -- Name of the priorityClass to apply to the Cluster Agent + priorityClassName: # system-cluster-critical + + # clusterAgent.nodeSelector -- Allow the Cluster Agent Deployment to be scheduled on selected nodes + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + nodeSelector: {} + + # clusterAgent.tolerations -- Allow the Cluster Agent Deployment to schedule on tainted nodes ((requires Kubernetes >= 1.6)) + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + + # clusterAgent.affinity -- Allow the Cluster Agent Deployment to schedule using affinity rules + ## By default, Cluster Agent Deployment Pods are forced to run on different Nodes. 
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + # clusterAgent.healthPort -- Port number to use in the Cluster Agent for the healthz endpoint + healthPort: 5556 + + # clusterAgent.livenessProbe -- Override default Cluster Agent liveness probe settings + # @default -- Every 15s / 6 KO / 1 OK + livenessProbe: + initialDelaySeconds: 15 + periodSeconds: 15 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + + # clusterAgent.readinessProbe -- Override default Cluster Agent readiness probe settings + # @default -- Every 15s / 6 KO / 1 OK + readinessProbe: + initialDelaySeconds: 15 + periodSeconds: 15 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + + # clusterAgent.strategy -- Allow the Cluster Agent deployment to perform a rolling update on helm update + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + + # clusterAgent.deploymentAnnotations -- Annotations to add to the cluster-agents's deployment + deploymentAnnotations: {} + # key: "value" + + # clusterAgent.podAnnotations -- Annotations to add to the cluster-agents's pod(s) + podAnnotations: {} + # key: "value" + + # clusterAgent.useHostNetwork -- Bind ports on the hostNetwork + ## Useful for CNI networking where hostPort might + ## not be supported. The ports need to be available on all hosts. It can be + ## used for custom metrics instead of a service endpoint. + ## + ## WARNING: Make sure that hosts using this are properly firewalled otherwise + ## metrics and traces are accepted from any host able to connect to this host. 
+ # + useHostNetwork: false + + # clusterAgent.dnsConfig -- Specify dns configuration options for datadog cluster agent containers e.g ndots + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config + dnsConfig: {} + # options: + # - name: ndots + # value: "1" + + # clusterAgent.volumes -- Specify additional volumes to mount in the cluster-agent container + volumes: [] + # - hostPath: + # path: + # name: + + # clusterAgent.volumeMounts -- Specify additional volumes to mount in the cluster-agent container + volumeMounts: [] + # - name: + # mountPath: + # readOnly: true + + # clusterAgent.datadog_cluster_yaml -- Specify custom contents for the datadog cluster agent config (datadog-cluster.yaml) + datadog_cluster_yaml: {} + + # clusterAgent.createPodDisruptionBudget -- Create pod disruption budget for Cluster Agent deployments + createPodDisruptionBudget: false + + networkPolicy: + # clusterAgent.networkPolicy.create -- If true, create a NetworkPolicy for the cluster agent. + # DEPRECATED. 
Use datadog.networkPolicy.create instead + create: false + + # clusterAgent.additionalLabels -- Adds labels to the Cluster Agent deployment and pods + additionalLabels: {} + # key: "value" + + ## This section lets you configure the agents deployed by this chart to connect to a Cluster Agent + ## deployed independently + existingClusterAgent: + # existingClusterAgent.join -- set this to true if you want the agents deployed by this chart to + # connect to a Cluster Agent deployed independently + join: false + + # existingClusterAgent.tokenSecretName -- Existing secret name to use for external Cluster Agent token + tokenSecretName: # + + # existingClusterAgent.serviceName -- Existing service name to use for reaching the external Cluster Agent + serviceName: # + + # existingClusterAgent.clusterchecksEnabled -- set this to false if you don’t want the agents to run the cluster checks of the joined external cluster agent + clusterchecksEnabled: true + + agents: + # agents.enabled -- You should keep Datadog DaemonSet enabled! + ## The exceptional case could be a situation when you need to run + ## single Datadog pod per every namespace, but you do not need to + ## re-create a DaemonSet for every non-default namespace install. + ## Note: StatsD and DogStatsD work over UDP, so you may not + ## get guaranteed delivery of the metrics in Datadog-per-namespace setup! 
+ # + enabled: true + + # agents.shareProcessNamespace -- Set the process namespace sharing on the Datadog Daemonset + shareProcessNamespace: false + + ## Define the Datadog image to work with + image: + # agents.image.name -- Datadog Agent image name to use (relative to `registry`) + ## use "dogstatsd" for Standalone Datadog Agent DogStatsD 7 + name: agent + + # agents.image.tag -- Define the Agent version to use + tag: 7.34.0 + + # agents.image.tagSuffix -- Suffix to append to Agent tag + ## Ex: + ## jmx to enable jmx fetch collection + ## servercore to get Windows images based on servercore + tagSuffix: "" + + # agents.image.repository -- Override default registry + image.name for Agent + repository: + + # agents.image.doNotCheckTag -- Skip the version<>chart compatibility check + ## By default, the version passed in agents.image.tag is checked + ## for compatibility with the version of the chart. + ## This boolean permits to completely skip this check. + ## This is useful, for example, for custom tags that are not + ## respecting semantic versioning + doNotCheckTag: # false + + # agents.image.pullPolicy -- Datadog Agent image pull policy + pullPolicy: IfNotPresent + + # agents.image.pullSecrets -- Datadog Agent repository pullSecret (ex: specify docker registry credentials) + ## See https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + pullSecrets: [] + # - name: "" + + ## Provide Daemonset RBAC configuration + rbac: + # agents.rbac.create -- If true, create & use RBAC resources + create: true + + # agents.rbac.serviceAccountName -- Specify a preexisting ServiceAccount to use if agents.rbac.create is false + serviceAccountName: default + + # agents.rbac.serviceAccountAnnotations -- Annotations to add to the ServiceAccount if agents.rbac.create is true + serviceAccountAnnotations: {} + + ## Provide Daemonset PodSecurityPolicy configuration + podSecurity: + podSecurityPolicy: + # agents.podSecurity.podSecurityPolicy.create 
-- If true, create a PodSecurityPolicy resource for Agent pods + create: false + + securityContextConstraints: + # agents.podSecurity.securityContextConstraints.create -- If true, create a SecurityContextConstraints resource for Agent pods + create: false + + # agents.podSecurity.seLinuxContext -- Provide seLinuxContext configuration for PSP/SCC + # @default -- Must run as spc_t + seLinuxContext: + rule: MustRunAs + seLinuxOptions: + user: system_u + role: system_r + type: spc_t + level: s0 + + # agents.podSecurity.privileged -- If true, Allow to run privileged containers + privileged: false + + # agents.podSecurity.capabilities -- Allowed capabilities + ## capabilities must contain all agents.containers.*.securityContext.capabilities. + capabilities: + - SYS_ADMIN + - SYS_RESOURCE + - SYS_PTRACE + - NET_ADMIN + - NET_BROADCAST + - NET_RAW + - IPC_LOCK + - CHOWN + - AUDIT_CONTROL + - AUDIT_READ + + # agents.podSecurity.allowedUnsafeSysctls -- Allowed unsafe sysclts + allowedUnsafeSysctls: [] + + # agents.podSecurity.volumes -- Allowed volumes types + volumes: + - configMap + - downwardAPI + - emptyDir + - hostPath + - secret + + # agents.podSecurity.seccompProfiles -- Allowed seccomp profiles + seccompProfiles: + - "runtime/default" + - "localhost/system-probe" + + apparmor: + # agents.podSecurity.apparmor.enabled -- If true, enable apparmor enforcement + ## see: https://kubernetes.io/docs/tutorials/clusters/apparmor/ + enabled: true + + # agents.podSecurity.apparmorProfiles -- Allowed apparmor profiles + apparmorProfiles: + - "runtime/default" + - "unconfined" + + # agents.podSecurity.defaultApparmor -- Default AppArmor profile for all containers but system-probe + defaultApparmor: runtime/default + + containers: + agent: + # agents.containers.agent.env -- Additional environment variables for the agent container + env: [] + + # agents.containers.agent.envFrom -- Set environment variables specific to agent container from configMaps and/or secrets + envFrom: [] + # 
- configMapRef: + # name: + # - secretRef: + # name: + + # agents.containers.agent.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off + ## If not set, fall back to the value of datadog.logLevel. + logLevel: # INFO + + # agents.containers.agent.resources -- Resource requests and limits for the agent container. + resources: {} + # requests: + # cpu: 200m + # memory: 256Mi + # limits: + # cpu: 200m + # memory: 256Mi + + # agents.containers.agent.healthPort -- Port number to use in the node agent for the healthz endpoint + healthPort: 5555 + + # agents.containers.agent.livenessProbe -- Override default agent liveness probe settings + # @default -- Every 15s / 6 KO / 1 OK + livenessProbe: + initialDelaySeconds: 15 + periodSeconds: 15 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + + # agents.containers.agent.readinessProbe -- Override default agent readiness probe settings + # @default -- Every 15s / 6 KO / 1 OK + readinessProbe: + initialDelaySeconds: 15 + periodSeconds: 15 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + + # agents.containers.agent.securityContext -- Allows you to overwrite the default container SecurityContext for the agent container. + securityContext: {} + + # agents.containers.agent.ports -- Allows to specify extra ports (hostPorts for instance) for this container + ports: [] + + processAgent: + # agents.containers.processAgent.env -- Additional environment variables for the process-agent container + env: [] + + # agents.containers.processAgent.envFrom -- Set environment variables specific to process-agent from configMaps and/or secrets + envFrom: [] + # - configMapRef: + # name: + # - secretRef: + # name: + + # agents.containers.processAgent.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off + ## If not set, fall back to the value of datadog.logLevel. 
+ logLevel: # INFO + + # agents.containers.processAgent.resources -- Resource requests and limits for the process-agent container + resources: {} + # requests: + # cpu: 100m + # memory: 200Mi + # limits: + # cpu: 100m + # memory: 200Mi + + # agents.containers.processAgent.securityContext -- Allows you to overwrite the default container SecurityContext for the process-agent container. + securityContext: {} + + # agents.containers.processAgent.ports -- Allows to specify extra ports (hostPorts for instance) for this container + ports: [] + + traceAgent: + # agents.containers.traceAgent.env -- Additional environment variables for the trace-agent container + env: + + # agents.containers.traceAgent.envFrom -- Set environment variables specific to trace-agent from configMaps and/or secrets + envFrom: [] + # - configMapRef: + # name: + # - secretRef: + # name: + + # agents.containers.traceAgent.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off + logLevel: # INFO + + # agents.containers.traceAgent.resources -- Resource requests and limits for the trace-agent container + resources: {} + # requests: + # cpu: 100m + # memory: 200Mi + # limits: + # cpu: 100m + # memory: 200Mi + + # agents.containers.traceAgent.livenessProbe -- Override default agent liveness probe settings + # @default -- Every 15s + livenessProbe: + initialDelaySeconds: 15 + periodSeconds: 15 + timeoutSeconds: 5 + + # agents.containers.traceAgent.securityContext -- Allows you to overwrite the default container SecurityContext for the trace-agent container. 
+ securityContext: {} + + # agents.containers.traceAgent.ports -- Allows to specify extra ports (hostPorts for instance) for this container + ports: [] + + systemProbe: + # agents.containers.systemProbe.env -- Additional environment variables for the system-probe container + env: [] + + # agents.containers.systemProbe.envFrom -- Set environment variables specific to system-probe from configMaps and/or secrets + envFrom: [] + # - configMapRef: + # name: + # - secretRef: + # name: + + # agents.containers.systemProbe.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off. + ## If not set, fall back to the value of datadog.logLevel. + logLevel: # INFO + + # agents.containers.systemProbe.resources -- Resource requests and limits for the system-probe container + resources: {} + # requests: + # cpu: 100m + # memory: 200Mi + # limits: + # cpu: 100m + # memory: 200Mi + + # agents.containers.systemProbe.securityContext -- Allows you to overwrite the default container SecurityContext for the system-probe container. + ## agents.podSecurity.capabilities must reflect the changed made in securityContext.capabilities. 
+ securityContext: + privileged: false + capabilities: + add: ["SYS_ADMIN", "SYS_RESOURCE", "SYS_PTRACE", "NET_ADMIN", "NET_BROADCAST", "NET_RAW", "IPC_LOCK", "CHOWN"] + + # agents.containers.systemProbe.ports -- Allows to specify extra ports (hostPorts for instance) for this container + ports: [] + + securityAgent: + # agents.containers.securityAgent.env -- Additional environment variables for the security-agent container + env: + + # agents.containers.securityAgent.envFrom -- Set environment variables specific to security-agent from configMaps and/or secrets + envFrom: [] + # - configMapRef: + # name: + # - secretRef: + # name: + + # agents.containers.securityAgent.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off + ## If not set, fall back to the value of datadog.logLevel. + logLevel: # INFO + + # agents.containers.securityAgent.resources -- Resource requests and limits for the security-agent container + resources: {} + # requests: + # cpu: 100m + # memory: 200Mi + # limits: + # cpu: 100m + # memory: 200Mi + + # agents.containers.securityAgent.ports -- Allows to specify extra ports (hostPorts for instance) for this container + ports: [] + + initContainers: + # agents.containers.initContainers.resources -- Resource requests and limits for the init containers + resources: {} + # requests: + # cpu: 100m + # memory: 200Mi + # limits: + # cpu: 100m + # memory: 200Mi + + # agents.volumes -- Specify additional volumes to mount in the dd-agent container + volumes: [] + # - hostPath: + # path: + # name: + + # agents.volumeMounts -- Specify additional volumes to mount in all containers of the agent pod + volumeMounts: [] + # - name: + # mountPath: + # readOnly: true + + # agents.useHostNetwork -- Bind ports on the hostNetwork + ## Useful for CNI networking where hostPort might + ## not be supported. The ports need to be available on all hosts. It Can be + ## used for custom metrics instead of a service endpoint. 
+ ## + ## WARNING: Make sure that hosts using this are properly firewalled otherwise + ## metrics and traces are accepted from any host able to connect to this host. + useHostNetwork: false + + # agents.dnsConfig -- specify dns configuration options for datadog cluster agent containers e.g ndots + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config + dnsConfig: {} + # options: + # - name: ndots + # value: "1" + + # agents.daemonsetAnnotations -- Annotations to add to the DaemonSet + daemonsetAnnotations: {} + # key: "value" + + # agents.podAnnotations -- Annotations to add to the DaemonSet's Pods + podAnnotations: {} + # key: "value" + + # agents.tolerations -- Allow the DaemonSet to schedule on tainted nodes (requires Kubernetes >= 1.6) + tolerations: [] + + # agents.nodeSelector -- Allow the DaemonSet to schedule on selected nodes + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + nodeSelector: {} + + # agents.affinity -- Allow the DaemonSet to schedule using affinity rules + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + # agents.updateStrategy -- Allow the DaemonSet to perform a rolling update on helm update + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: "10%" + + # agents.priorityClassCreate -- Creates a priorityClass for the Datadog Agent's Daemonset pods. + priorityClassCreate: false + + # agents.priorityClassName -- Sets PriorityClassName if defined + priorityClassName: + + # agents.priorityClassValue -- Value used to specify the priority of the scheduling of Datadog Agent's Daemonset pods. + ## The PriorityClass uses PreemptLowerPriority. + priorityClassValue: 1000000000 + + # agents.podLabels -- Sets podLabels if defined + # Note: These labels are also used as label selectors so they are immutable. 
+ podLabels: {} + + # agents.additionalLabels -- Adds labels to the Agent daemonset and pods + additionalLabels: {} + # key: "value" + + # agents.useConfigMap -- Configures a configmap to provide the agent configuration. Use this in combination with the `agents.customAgentConfig` parameter. + useConfigMap: # false + + # agents.customAgentConfig -- Specify custom contents for the datadog agent config (datadog.yaml) + ## ref: https://docs.datadoghq.com/agent/guide/agent-configuration-files/?tab=agentv6 + ## ref: https://github.com/DataDog/datadog-agent/blob/main/pkg/config/config_template.yaml + ## Note the `agents.useConfigMap` needs to be set to `true` for this parameter to be taken into account. + customAgentConfig: {} + # # Autodiscovery for Kubernetes + # listeners: + # - name: kubelet + # config_providers: + # - name: kubelet + # polling: true + # # needed to support legacy docker label config templates + # - name: docker + # polling: true + # + # # Enable java cgroup handling. Only one of those options should be enabled, + # # depending on the agent version you are using along that chart. + # + # # agent version < 6.15 + # # jmx_use_cgroup_memory_limit: true + # + # # agent version >= 6.15 + # # jmx_use_container_support: true + + networkPolicy: + # agents.networkPolicy.create -- If true, create a NetworkPolicy for the agents. + # DEPRECATED. Use datadog.networkPolicy.create instead + create: false + + localService: + # agents.localService.overrideName -- Name of the internal traffic service to target the agent running on the local node + overrideName: "" + + # agents.localService.forceLocalServiceEnabled -- Force the creation of the internal traffic policy service to target the agent running on the local node. + # By default, the internal traffic service is created only on Kubernetes 1.22+ where the feature became beta and enabled by default. 
+ # This option allows to force the creation of the internal traffic service on kubernetes 1.21 where the feature was alpha and required a feature gate to be explicitly enabled. + forceLocalServiceEnabled: false + + clusterChecksRunner: + # clusterChecksRunner.enabled -- If true, deploys agent dedicated for running the Cluster Checks instead of running in the Daemonset's agents. + ## ref: https://docs.datadoghq.com/agent/autodiscovery/clusterchecks/ + enabled: false + + ## Define the Datadog image to work with. + image: + # clusterChecksRunner.image.name -- Datadog Agent image name to use (relative to `registry`) + name: agent + + # clusterChecksRunner.image.tag -- Define the Agent version to use + tag: 7.34.0 + + # clusterChecksRunner.image.tagSuffix -- Suffix to append to Agent tag + ## Ex: + ## jmx to enable jmx fetch collection + ## servercore to get Windows images based on servercore + tagSuffix: "" + + # clusterChecksRunner.image.repository -- Override default registry + image.name for Cluster Check Runners + repository: + + # clusterChecksRunner.image.pullPolicy -- Datadog Agent image pull policy + pullPolicy: IfNotPresent + + # clusterChecksRunner.image.pullSecrets -- Datadog Agent repository pullSecret (ex: specify docker registry credentials) + ## See https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + pullSecrets: [] + # - name: "" + + # clusterChecksRunner.createPodDisruptionBudget -- Create the pod disruption budget to apply to the cluster checks agents + createPodDisruptionBudget: false + + # Provide Cluster Checks Deployment pods RBAC configuration + rbac: + # clusterChecksRunner.rbac.create -- If true, create & use RBAC resources + create: true + + # clusterChecksRunner.rbac.dedicated -- If true, use a dedicated RBAC resource for the cluster checks agent(s) + dedicated: false + + # clusterChecksRunner.rbac.serviceAccountAnnotations -- Annotations to add to the ServiceAccount if 
clusterChecksRunner.rbac.dedicated is true + serviceAccountAnnotations: {} + + # clusterChecksRunner.rbac.serviceAccountName -- Specify a preexisting ServiceAccount to use if clusterChecksRunner.rbac.create is false + serviceAccountName: default + + # clusterChecksRunner.replicas -- Number of Cluster Checks Runner instances + ## If you want to deploy the clusterChecks agent in HA, keep at least clusterChecksRunner.replicas set to 2. + ## And increase the clusterChecksRunner.replicas according to the number of Cluster Checks. + replicas: 2 + + # clusterChecksRunner.resources -- Datadog clusterchecks-agent resource requests and limits. + resources: {} + # requests: + # cpu: 200m + # memory: 500Mi + # limits: + # cpu: 200m + # memory: 500Mi + + # clusterChecksRunner.affinity -- Allow the ClusterChecks Deployment to schedule using affinity rules. + ## By default, ClusterChecks Deployment Pods are preferred to run on different Nodes. + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + # clusterChecksRunner.strategy -- Allow the ClusterChecks deployment to perform a rolling update on helm update + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + + # clusterChecksRunner.dnsConfig -- specify dns configuration options for datadog cluster agent containers e.g ndots + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config + dnsConfig: {} + # options: + # - name: ndots + # value: "1" + + # clusterChecksRunner.priorityClassName -- Name of the priorityClass to apply to the Cluster checks runners + priorityClassName: # system-cluster-critical + + # clusterChecksRunner.nodeSelector -- Allow the ClusterChecks Deployment to schedule on selected nodes + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + # + nodeSelector: {} + + # 
clusterChecksRunner.tolerations -- Tolerations for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + # + tolerations: [] + + # clusterChecksRunner.healthPort -- Port number to use in the Cluster Checks Runner for the healthz endpoint + healthPort: 5557 + + # clusterChecksRunner.livenessProbe -- Override default agent liveness probe settings + # @default -- Every 15s / 6 KO / 1 OK + ## In case of issues with the probe, you can disable it with the + ## following values, to allow easier investigating: + # + # livenessProbe: + # exec: + # command: ["/bin/true"] + # + livenessProbe: + initialDelaySeconds: 15 + periodSeconds: 15 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + + # clusterChecksRunner.readinessProbe -- Override default agent readiness probe settings + # @default -- Every 15s / 6 KO / 1 OK + ## In case of issues with the probe, you can disable it with the + ## following values, to allow easier investigating: + # + # readinessProbe: + # exec: + # command: ["/bin/true"] + # + readinessProbe: + initialDelaySeconds: 15 + periodSeconds: 15 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + + # clusterChecksRunner.deploymentAnnotations -- Annotations to add to the cluster-checks-runner's Deployment + deploymentAnnotations: {} + # key: "value" + + # clusterChecksRunner.podAnnotations -- Annotations to add to the cluster-checks-runner's pod(s) + podAnnotations: {} + # key: "value" + + # clusterChecksRunner.env -- Environment variables specific to Cluster Checks Runner + ## ref: https://github.com/DataDog/datadog-agent/tree/main/Dockerfiles/agent#environment-variables + env: [] + # - name: + # value: + + # clusterChecksRunner.envFrom -- Set environment variables specific to Cluster Checks Runner from configMaps and/or secrets + ## envFrom to pass configmaps or secrets as environment + ## ref: https://github.com/DataDog/datadog-agent/tree/main/Dockerfiles/agent#environment-variables + 
envFrom: [] + # - configMapRef: + # name: + # - secretRef: + # name: + + # clusterChecksRunner.volumes -- Specify additional volumes to mount in the cluster checks container + volumes: [] + # - hostPath: + # path: + # name: + + # clusterChecksRunner.volumeMounts -- Specify additional volumes to mount in the cluster checks container + volumeMounts: [] + # - name: + # mountPath: + # readOnly: true + + networkPolicy: + # clusterChecksRunner.networkPolicy.create -- If true, create a NetworkPolicy for the cluster checks runners. + # DEPRECATED. Use datadog.networkPolicy.create instead + create: false + + # clusterChecksRunner.additionalLabels -- Adds labels to the cluster checks runner deployment and pods + additionalLabels: {} + # key: "value" + + # clusterChecksRunner.securityContext -- Allows you to overwrite the default PodSecurityContext on the clusterchecks pods. + securityContext: {} + + # clusterChecksRunner.ports -- Allows to specify extra ports (hostPorts for instance) for this container + ports: [] + + datadog-crds: + crds: + # datadog-crds.crds.datadogMetrics -- Set to true to deploy the DatadogMetrics CRD + datadogMetrics: true + + kube-state-metrics: + rbac: + # kube-state-metrics.rbac.create -- If true, create & use RBAC resources + create: true + + serviceAccount: + # kube-state-metrics.serviceAccount.create -- If true, create ServiceAccount, require rbac kube-state-metrics.rbac.create true + create: true + + # kube-state-metrics.serviceAccount.name -- The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + name: + + # kube-state-metrics.resources -- Resource requests and limits for the kube-state-metrics container. + resources: {} + # requests: + # cpu: 200m + # memory: 256Mi + # limits: + # cpu: 200m + # memory: 256Mi + + # kube-state-metrics.nodeSelector -- Node selector for KSM. KSM only supports Linux. 
+ nodeSelector: + kubernetes.io/os: linux + + # # kube-state-metrics.image -- Override default image information for the kube-state-metrics container. + # image: + # # kube-state-metrics.repository -- Override default image registry for the kube-state-metrics container. + # repository: k8s.gcr.io/kube-state-metrics/kube-state-metrics + # # kube-state-metrics.tag -- Override default image tag for the kube-state-metrics container. + # tag: v1.9.8 + # # kube-state-metrics.pullPolicy -- Override default image pullPolicy for the kube-state-metrics container. + # pullPolicy: IfNotPresent + + providers: + gke: + # providers.gke.autopilot -- Enables Datadog Agent deployment on GKE Autopilot + autopilot: false + + eks: + ec2: + # providers.eks.ec2.useHostnameFromFile -- Use hostname from EC2 filesystem instead of fetching from metadata endpoint. + ## When deploying to EC2-backed EKS infrastructure, there are situations where the + ## IMDS metadata endpoint is not accesible to containers. This flag mounts the host's + ## `/var/lib/cloud/data/instance-id` and uses that for Agent's hostname instead. + useHostnameFromFile: false \ No newline at end of file From 36a176b75b09d6410d995f1a9bc3ded0db25c8b4 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 3 Apr 2022 12:44:15 +0000 Subject: [PATCH 188/334] chore(deps): update all non-major dependencies --- apps/paperless/Chart.yaml | 2 +- apps/seafile/Chart.yaml | 2 +- home/homeassistant/Chart.yaml | 2 +- home/homeassistant/values.yaml | 2 +- home/influxdb/values.yaml | 2 +- home/mariadb/Chart.yaml | 2 +- home/nextcloud/values.yaml | 2 +- home/postgresql/Chart.yaml | 2 +- home/redis/Chart.yaml | 2 +- platform/gitea/Chart.yaml | 2 +- system/ingress-nginx/Chart.yaml | 2 +- system/kured/Chart.yaml | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/apps/paperless/Chart.yaml b/apps/paperless/Chart.yaml index 7e9119817f..24b801cd63 100644 --- a/apps/paperless/Chart.yaml +++ b/apps/paperless/Chart.yaml 
@@ -3,7 +3,7 @@ name: paperless version: 0.0.0 dependencies: - name: paperless - version: 8.5.0 + version: 8.6.0 repository: https://k8s-at-home.com/charts/ - name: crushftp version: 1.0.2 diff --git a/apps/seafile/Chart.yaml b/apps/seafile/Chart.yaml index 91e0881d64..1c86959070 100644 --- a/apps/seafile/Chart.yaml +++ b/apps/seafile/Chart.yaml @@ -3,5 +3,5 @@ name: seafile version: 0.0.0 dependencies: - name: seafile - version: 2.0.1 + version: 2.1.0 repository: https://k8s-at-home.com/charts diff --git a/home/homeassistant/Chart.yaml b/home/homeassistant/Chart.yaml index 8d0d1ebdf5..f447be3a6a 100644 --- a/home/homeassistant/Chart.yaml +++ b/home/homeassistant/Chart.yaml @@ -3,5 +3,5 @@ name: homeassistant version: 0.0.0 dependencies: - name: home-assistant - version: 12.1.0 + version: 12.2.0 repository: https://k8s-at-home.com/charts/ diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 5a8b516b4d..73a85803b5 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -3,7 +3,7 @@ home-assistant: # -- image repository repository: homeassistant/home-assistant # -- image tag - tag: 2022.3.7 + tag: 2022.3.8 # -- image pull policy pullPolicy: IfNotPresent diff --git a/home/influxdb/values.yaml b/home/influxdb/values.yaml index e52864ef29..89b412cacb 100644 --- a/home/influxdb/values.yaml +++ b/home/influxdb/values.yaml @@ -1263,7 +1263,7 @@ influxdb: image: registry: docker.io repository: bitnami/google-cloud-sdk - tag: 0.378.0-debian-10-r0 + tag: 0.379.0-debian-10-r0 ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## diff --git a/home/mariadb/Chart.yaml b/home/mariadb/Chart.yaml index a1fa120535..4e725c0292 100644 --- a/home/mariadb/Chart.yaml +++ b/home/mariadb/Chart.yaml 
@@ -3,5 +3,5 @@ name: mariadb version: 0.0.0 dependencies: - name: mariadb - version: 10.4.2 + version: 10.4.5 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index 7bd13718fb..4b720f8671 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml @@ -443,7 +443,7 @@ nextcloud: image: repository: xperimental/nextcloud-exporter - tag: 0.5.0 + tag: 0.5.1 pullPolicy: IfNotPresent ## Metrics exporter resource requests and limits diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml index 69503ea836..91866e723b 100644 --- a/home/postgresql/Chart.yaml +++ b/home/postgresql/Chart.yaml @@ -3,5 +3,5 @@ name: postgresql version: 0.0.0 dependencies: - name: postgresql - version: 11.1.9 + version: 11.1.15 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/redis/Chart.yaml b/home/redis/Chart.yaml index 05bc4217b9..0d152ed106 100644 --- a/home/redis/Chart.yaml +++ b/home/redis/Chart.yaml @@ -3,5 +3,5 @@ name: redis version: 0.0.0 dependencies: - name: redis - version: 16.6.0 + version: 16.8.2 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/platform/gitea/Chart.yaml b/platform/gitea/Chart.yaml index 1280baec6f..6a8ac919c4 100644 --- a/platform/gitea/Chart.yaml +++ b/platform/gitea/Chart.yaml @@ -3,5 +3,5 @@ name: gitea version: 0.0.0 dependencies: - name: gitea - version: 5.0.3 + version: 5.0.4 repository: https://dl.gitea.io/charts/ diff --git a/system/ingress-nginx/Chart.yaml b/system/ingress-nginx/Chart.yaml index 6f4911d9e8..1937114d81 100644 --- a/system/ingress-nginx/Chart.yaml +++ b/system/ingress-nginx/Chart.yaml @@ -3,5 +3,5 @@ name: ingress-nginx version: 0.0.0 dependencies: - name: ingress-nginx - version: 4.0.18 + version: 4.0.19 repository: https://kubernetes.github.io/ingress-nginx 
diff --git a/system/kured/Chart.yaml b/system/kured/Chart.yaml index 67111d4d3f..89de73e370 100644 --- a/system/kured/Chart.yaml +++ b/system/kured/Chart.yaml @@ -3,5 +3,5 @@ name: kured version: 0.0.0 dependencies: - name: kured - version: 2.12.0 + version: 2.13.0 repository: https://weaveworks.github.io/kured From 2dfc41f33e1c48799b0a39278676ba0a0065e278 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 3 Apr 2022 12:44:21 +0000 Subject: [PATCH 189/334] chore(deps): update helm release argo-cd to v4 --- bootstrap/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml index 9ed37aaff3..9e64b218a0 100644 --- a/bootstrap/argocd/Chart.yaml +++ b/bootstrap/argocd/Chart.yaml @@ -3,7 +3,7 @@ name: argocd version: 0.0.0 dependencies: - name: argo-cd - version: 3.35.4 + version: 4.5.0 repository: https://argoproj.github.io/argo-helm - name: argocd-applicationset version: 1.11.0 From 1652dea576ebea081ba3e25783ae7e4cb49997e4 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 3 Apr 2022 13:56:52 +0000 Subject: [PATCH 190/334] chore(deps): update all non-major dependencies --- apps/paperless/Chart.yaml | 2 +- apps/seafile/Chart.yaml | 2 +- home/homeassistant/Chart.yaml | 2 +- home/homeassistant/values.yaml | 2 +- home/influxdb/values.yaml | 2 +- home/mariadb/Chart.yaml | 2 +- home/mariadb/values.yaml | 2 +- home/nextcloud/values.yaml | 2 +- home/postgresql/Chart.yaml | 2 +- home/redis/Chart.yaml | 2 +- platform/gitea/Chart.yaml | 2 +- system/ingress-nginx/Chart.yaml | 2 +- system/kured/Chart.yaml | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/apps/paperless/Chart.yaml b/apps/paperless/Chart.yaml index 7e9119817f..24b801cd63 100644 --- a/apps/paperless/Chart.yaml +++ b/apps/paperless/Chart.yaml 
@@ -3,7 +3,7 @@ name: paperless version: 0.0.0 dependencies: - name: paperless - version: 8.5.0 + version: 8.6.0 repository: https://k8s-at-home.com/charts/ - name: crushftp version: 1.0.2 diff --git a/apps/seafile/Chart.yaml b/apps/seafile/Chart.yaml index 91e0881d64..1c86959070 100644 --- a/apps/seafile/Chart.yaml +++ b/apps/seafile/Chart.yaml @@ -3,5 +3,5 @@ name: seafile version: 0.0.0 dependencies: - name: seafile - version: 2.0.1 + version: 2.1.0 repository: https://k8s-at-home.com/charts diff --git a/home/homeassistant/Chart.yaml b/home/homeassistant/Chart.yaml index 8d0d1ebdf5..f447be3a6a 100644 --- a/home/homeassistant/Chart.yaml +++ b/home/homeassistant/Chart.yaml @@ -3,5 +3,5 @@ name: homeassistant version: 0.0.0 dependencies: - name: home-assistant - version: 12.1.0 + version: 12.2.0 repository: https://k8s-at-home.com/charts/ diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 5a8b516b4d..73a85803b5 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -3,7 +3,7 @@ home-assistant: # -- image repository repository: homeassistant/home-assistant # -- image tag - tag: 2022.3.7 + tag: 2022.3.8 # -- image pull policy pullPolicy: IfNotPresent diff --git a/home/influxdb/values.yaml b/home/influxdb/values.yaml index e52864ef29..89b412cacb 100644 --- a/home/influxdb/values.yaml +++ b/home/influxdb/values.yaml @@ -1263,7 +1263,7 @@ influxdb: image: registry: docker.io repository: bitnami/google-cloud-sdk - tag: 0.378.0-debian-10-r0 + tag: 0.379.0-debian-10-r0 ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## diff --git a/home/mariadb/Chart.yaml b/home/mariadb/Chart.yaml index a1fa120535..4e725c0292 100644 --- a/home/mariadb/Chart.yaml +++ b/home/mariadb/Chart.yaml 
@@ -3,5 +3,5 @@ name: mariadb version: 0.0.0 dependencies: - name: mariadb - version: 10.4.2 + version: 10.4.5 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/mariadb/values.yaml b/home/mariadb/values.yaml index f9f5800972..596987ccdb 100644 --- a/home/mariadb/values.yaml +++ b/home/mariadb/values.yaml @@ -74,7 +74,7 @@ mariadb: image: registry: docker.io repository: bitnami/mariadb - tag: 10.6.7-debian-10-r11 + tag: 10.7.3-debian-10-r11 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index 7bd13718fb..4b720f8671 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml @@ -443,7 +443,7 @@ nextcloud: image: repository: xperimental/nextcloud-exporter - tag: 0.5.0 + tag: 0.5.1 pullPolicy: IfNotPresent ## Metrics exporter resource requests and limits diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml index 69503ea836..91866e723b 100644 --- a/home/postgresql/Chart.yaml +++ b/home/postgresql/Chart.yaml @@ -3,5 +3,5 @@ name: postgresql version: 0.0.0 dependencies: - name: postgresql - version: 11.1.9 + version: 11.1.15 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/redis/Chart.yaml b/home/redis/Chart.yaml index 05bc4217b9..0d152ed106 100644 --- a/home/redis/Chart.yaml +++ b/home/redis/Chart.yaml @@ -3,5 +3,5 @@ name: redis version: 0.0.0 dependencies: - name: redis - version: 16.6.0 + version: 16.8.2 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/platform/gitea/Chart.yaml b/platform/gitea/Chart.yaml index 1280baec6f..6a8ac919c4 100644 --- a/platform/gitea/Chart.yaml +++ b/platform/gitea/Chart.yaml 
@@ -3,5 +3,5 @@ name: gitea version: 0.0.0 dependencies: - name: gitea - version: 5.0.3 + version: 5.0.4 repository: https://dl.gitea.io/charts/ diff --git a/system/ingress-nginx/Chart.yaml b/system/ingress-nginx/Chart.yaml index 6f4911d9e8..1937114d81 100644 --- a/system/ingress-nginx/Chart.yaml +++ b/system/ingress-nginx/Chart.yaml @@ -3,5 +3,5 @@ name: ingress-nginx version: 0.0.0 dependencies: - name: ingress-nginx - version: 4.0.18 + version: 4.0.19 repository: https://kubernetes.github.io/ingress-nginx diff --git a/system/kured/Chart.yaml b/system/kured/Chart.yaml index 67111d4d3f..89de73e370 100644 --- a/system/kured/Chart.yaml +++ b/system/kured/Chart.yaml @@ -3,5 +3,5 @@ name: kured version: 0.0.0 dependencies: - name: kured - version: 2.12.0 + version: 2.13.0 repository: https://weaveworks.github.io/kured From 0fc47bc18fea9cf09a1e3f1ab5ac7206be14d176 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 4 Apr 2022 05:37:30 +0200 Subject: [PATCH 191/334] feat: datadog --- system/datadog/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/datadog/values.yaml b/system/datadog/values.yaml index 8e50e87a7d..52182dde4b 100644 --- a/system/datadog/values.yaml +++ b/system/datadog/values.yaml @@ -229,7 +229,7 @@ datadog: ## ## WARNING: Make sure that hosts using this are properly firewalled otherwise ## metrics and traces are accepted from any host able to connect to this host. - useHostPort: false + useHostPort: true # datadog.dogstatsd.useHostPID -- Run the agent in the host's PID namespace ## This is required for Dogstatsd origin detection to work. From 3c0b9f36f61c8a68cf9c35bead10a1d0a4896a5a Mon Sep 17 00:00:00 2001 
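Review bot: `useHostPort: true` exposes the dogstatsd port on every node's own address, and the chart comment two lines above the change warns that such hosts must be firewalled or the agent accepts metrics and traces from any host that can reach the node; nothing in this commit adds that restriction or records where it lives. Add a comment next to the setting naming the control, e.g. `# dogstatsd host port is reachable only from <node/pod CIDR — fill in via firewall or NetworkPolicy>`, or ship a NetworkPolicy alongside this chart so the assumption is enforced in the repo rather than out of band.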
From: Peter Mein Date: Mon, 4 Apr 2022 05:38:26 +0200 Subject: [PATCH 192/334] feat: update apps --- apps/paperless/values.yaml | 1 + apps/sample-laravel/deployment.yaml | 2 +- apps/sample-laravel/svc.yaml | 2 - apps/sample-laravel/tekton.yaml | 92 +++++++++++++++++++++++++++++ apps/seafile/values.yaml | 89 +++++++++++++++++++++++----- 5 files changed, 168 insertions(+), 18 deletions(-) create mode 100644 apps/sample-laravel/tekton.yaml diff --git a/apps/paperless/values.yaml b/apps/paperless/values.yaml index 233c02b588..d960e99b7a 100644 --- a/apps/paperless/values.yaml +++ b/apps/paperless/values.yaml @@ -95,6 +95,7 @@ crushftp: - name: paperless-consume claimName: paperless-consume mountPath: /mnt/FTP/Shared/scan + configVolume: size: 1Gi loadBalancerIp: 127.0.0.1 diff --git a/apps/sample-laravel/deployment.yaml b/apps/sample-laravel/deployment.yaml index dafc82d139..7e2c3e0ca6 100644 --- a/apps/sample-laravel/deployment.yaml +++ b/apps/sample-laravel/deployment.yaml @@ -5,7 +5,7 @@ metadata: app: sample-laravel-app name: sample-laravel-app spec: - replicas: 3 + replicas: 1 selector: matchLabels: app: sample-laravel-app diff --git a/apps/sample-laravel/svc.yaml b/apps/sample-laravel/svc.yaml index f339f94020..ff575929cc 100644 --- a/apps/sample-laravel/svc.yaml +++ b/apps/sample-laravel/svc.yaml @@ -1,5 +1,3 @@ - - apiVersion: v1 kind: Service metadata: diff --git a/apps/sample-laravel/tekton.yaml b/apps/sample-laravel/tekton.yaml new file mode 100644 index 0000000000..33b68bde00 --- /dev/null +++ b/apps/sample-laravel/tekton.yaml 
@@ -0,0 +1,92 @@ + +--- +apiVersion: triggers.tekton.dev/v1alpha1 +kind: TriggerTemplate +metadata: + name: cd-pipeline-trigger-template +spec: + params: + - name: sha + description: The commit SHA to build and deploy + - name: short-sha + description: Truncated version of the SHA + resourcetemplates: + - apiVersion: tekton.dev/v1beta1 + kind: PipelineRun + metadata: + generateName: cd-pipeline-run- + spec: + serviceAccountName: build-bot + pipelineRef: + name: cd-pipeline + params: + - name: sha + value: $(tt.params.sha) + - name: short-sha + value: $(tt.params.short-sha) + workspaces: + - name: git-ssh-creds + secret: + secretName: git-ssh-creds + - name: git-manifests-repo-ssh-creds + secret: + secretName: git-manifests-repo-ssh-creds + - name: docker-creds + secret: + secretName: docker-config + - name: cd-ws # this workspace name must be declared in the Pipeline + volumeClaimTemplate: + spec: + storageClass: "longhorn" + accessModes: + - ReadWriteOnce # access mode may affect how you can use this volume in parallel tasks + resources: + requests: + storage: 1Gi +--- +apiVersion: triggers.tekton.dev/v1alpha1 +kind: TriggerBinding +metadata: + name: cd-pipeline-trigger-template-binding +spec: + params: + - name: sha + value: $(body.after) + - name: short-sha + value: $(extensions.short-sha) +--- +apiVersion: triggers.tekton.dev/v1alpha1 +kind: EventListener +metadata: + name: main-push-listener +spec: + serviceAccountName: build-bot + triggers: + - name: gitea-main-push-trigger + interceptors: + - name: gitea-main-push-interceptor + ref: + name: "gitea" + kind: ClusterInterceptor + apiVersion: triggers.tekton.dev + params: + - name: "secretRef" + value: + secretName: gitea-main-push-webhook-secret + secretKey: secretToken + - name: "eventTypes" + value: ["push"] + - name: "CEL filter: only when branch main is pushed" + ref: + name: "cel" + params: + - name: "filter" + value: "body.ref == 'refs/heads/main'" + - name: "overlays" + value: + - key: short-sha + 
expression: "body.after.truncate(7)" + bindings: + - ref: cd-pipeline-trigger-template-binding + template: + ref: cd-pipeline-trigger-template \ No newline at end of file diff --git a/apps/seafile/values.yaml b/apps/seafile/values.yaml index 38c6c1adb5..1948ebd0a4 100644 --- a/apps/seafile/values.yaml +++ b/apps/seafile/values.yaml 
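Review bot: The `volumeClaimTemplate.spec` in the TriggerTemplate sets `storageClass: "longhorn"`, but the PersistentVolumeClaim spec field is `storageClassName`, so the key is ignored (or rejected under strict field validation) and the `cd-ws` claim silently falls back to the cluster default class; change it to `storageClassName: "longhorn"`. The EventListener and the PipelineRun it creates both run as `build-bot`, which gives the webhook-facing listener every permission the pipeline needs to push images and manifests; if the Tekton RBAC defined elsewhere allows it, a separate, narrower service account for the listener would be the least-privilege choice. The file also starts with an empty line before the first `---`, which can be dropped.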
@@ -1,18 +1,77 @@ seafile: - ingress: + + image: + # -- image repository + repository: seafileltd/seafile-mc + # -- image tag + tag: 8.0.7 + # -- image pull policy + pullPolicy: IfNotPresent + + # -- environment variables. See more environment variables in the [seafile documentation](https://manual.seafile.com/). + # @default -- See below + env: + # -- Set the container timezone + TIME_ZONE: Europe/Amsterdam + # -- The hostname of your database + DB_HOST: mariadb-galera.mariadb-galera.svc.cluster.local + # -- The root password for mysql (used for initial setup) + DB_ROOT_PASSWD: XL3ePsvRu2% + # -- The initial admin user's email + SEAFILE_ADMIN_EMAIL: peter@mein.nl + # -- The initial admin user's password + SEAFILE_ADMIN_PASSWORD: seafileadminpass + # -- The hostname for the server (set to your ingress hostname) + SEAFILE_SERVER_HOSTNAME: seafile.jupiter.mein.nl + SEAFILE_SERVER_LETSENCRYPT: true + + # -- Configures service settings for the chart. + # @default -- See values.yaml + service: main: - enabled: true - ingressClassName: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - hosts: - - host: &host seafile.jupiter.mein.nl - paths: - - path: / - pathType: Prefix - tls: - - secretName: seafile-tls-certificate - hosts: - - *host + ports: + http: + port: 80 + + ingress: + # -- Enable and configure ingress settings for the chart under this key. + # @default -- See values.yaml + ingress: + main: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: &host seafile.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: seafile-tls-certificate + hosts: + - *host + + # -- Enable and configure mariadb database subchart under this key. 
+ # For more options see [mariadb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) + # @default -- See values.yaml mariadb: - enabled: true + enabled: false + architecture: standalone + auth: + database: seafile + username: seafile + password: seafilepass + rootPassword: seafilerootpass + primary: + persistence: + enabled: false + # storageClass: "" + + # -- Configure persistence settings for the chart under this key. + # @default -- See values.yaml + persistence: {} + # shared: + # enabled: false + + From 4690c16c7ab044f9f542e1b2edead62b7b8c7f3a Mon Sep 17 00:00:00 2001 
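Review bot: The new `ingress:` block nests a second `ingress:` key, so the main ingress now sits at `seafile.ingress.ingress.main` where the chart will not read it, and the ingress with its TLS secret silently stops rendering even though `enabled: true` is still present; drop the outer `ingress:` line and dedent the inner block by two spaces so it sits at the same level as `service:`, as the removed lines did. Separately, `DB_ROOT_PASSWD`, `SEAFILE_ADMIN_PASSWORD`, and `mariadb.auth.password`/`rootPassword` are committed in plaintext to a GitOps repository; these belong in a Kubernetes Secret referenced from the values (the chart appears to accept env from a secret — verify which key it expects), and the database root credential should be treated as exposed and rotated. `SEAFILE_SERVER_LETSENCRYPT: true` also looks redundant since TLS is terminated by the ingress via cert-manager, but that depends on how the image uses the flag — confirm before removing.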
From: Peter Mein Date: Mon, 4 Apr 2022 05:46:01 +0200 Subject: [PATCH 193/334] chore: commit all --- docs/diagrams/provisioning_flow.jpg | Bin 0 -> 54524 bytes docs/src/images/provisioning_flow.jpg | Bin 0 -> 54524 bytes home/firefly/values.yaml | 1 - metal/TODO.md | 11 ++ metal/roles/k3s/defaults/main.yml | 2 +- .../pxe_server/files/data/tftboot/.gitignore | 0 .../pxe_server/files/data/tftboot/grub.cfg | 16 +++ .../pxe_server/files/data/tftboot/grubx64.efi | 0 .../pxe_server/files/data/tftboot/meta-data | 1 + .../pxe_server/files/data/tftboot/user-data | 89 ++++++++++++++ metal/roles/pxe_server/files/dhcp/Dockerfile | 2 +- metal/roles/pxe_server/files/tftp/Dockerfile | 2 +- metal/roles/pxe_server/tasks/main.yml | 12 +- .../pxe_server/templates/kickstart.ks.j2.bak | 51 ++++++++ metal/roles/pxe_server/templates/meta-data.j2 | 1 + metal/roles/pxe_server/templates/user-data.j2 | 89 ++++++++++++++ metal/roles/wake/tasks/main.yml | 4 +- system/nfs/Chart.yaml | 7 ++ system/nfs/values.yaml | 112 ++++++++++++++++++ system/samba/values.yaml | 2 +- 20 files changed, 389 insertions(+), 13 deletions(-) create mode 100644 docs/diagrams/provisioning_flow.jpg create mode 100644 docs/src/images/provisioning_flow.jpg create mode 100644 metal/TODO.md create mode 100644 metal/roles/pxe_server/files/data/tftboot/.gitignore create mode 100644 metal/roles/pxe_server/files/data/tftboot/grub.cfg create mode 100755 metal/roles/pxe_server/files/data/tftboot/grubx64.efi create mode 100644 metal/roles/pxe_server/files/data/tftboot/meta-data create mode 100644 metal/roles/pxe_server/files/data/tftboot/user-data create mode 100644 metal/roles/pxe_server/templates/kickstart.ks.j2.bak create mode 100644 metal/roles/pxe_server/templates/meta-data.j2 create mode 100644 metal/roles/pxe_server/templates/user-data.j2 create mode 100644 system/nfs/Chart.yaml create mode 100644 system/nfs/values.yaml 
diff --git a/docs/diagrams/provisioning_flow.jpg b/docs/diagrams/provisioning_flow.jpg new file mode 100644 index 0000000000000000000000000000000000000000..40fc4c858e2756454824c072971408c2dff40d4b GIT binary patch literal 54524 zcmeFZ1z1$=x;H*ZN+XSwGz_7X^q@$`NH>Ty2uL@BA|fCRAs|R7-AFe`cbC%L-3&1N zm+vm$_nf`YKL2yR>wITlANtJ2S~INm+|N9B{qEnrZoc2lg9sI5h@ zU%1dax|+POcJai%nF2|HurM$%G0?FvF)?r7#=^!W!NbMD!KJ)IOh7_IMMq0RMNLi5 z#LY_2z{yBW&GwL;^Zo;VettSuVR0c|F>XG7-k%pixqbUKE)FgQ9v%hnJ?eYB|LLEb zZy+KpR4mkOR1^l#Eg}?DB9xm}5FH4Ff(}UgQ{X@Upxi=5L&w0xx{Zwke4v~VbPEL) z^%fc`IyxE}@M&M*eGnQE`ki|Z9$^rxnqV?GlJLHY{DQ^!xVVW_ZD^l~@43_K+t_5} z6qHoVEUawo9Q*=;4~2w9q@GC2$jZqpsB36yY3u0fnF5PtX=QEW?BeR??&0Yb@FwtW z(7WJ}sOS$dv2h>c6H?RCGcvQXb8<^c%gQS%tEy|7TUy)NJ370%het-o#wWi2m|R#~ zT3%UQTi@6`I6OK&IXyeSK>U;o1%&!1vHmLAALJqe@bCw=ZTgiXf8zrcL(Q?%bC`{x9E{r^j{zY6v@ zxh6rls3^dfhe`y3fX)zXss7miQX^NJe8v2}K7FjoS+I}>BE{H->!p3$B$$W1ug92F zBC@sW+F7P&0D&cc1M(ZW;;7c8ULQ>@IW>X}K89YNrY!vOCfkZhf0zQ8$9(M?jp+u| zXpJO!QFjCS{3hjW2htp_^?&7Ga^5|^(9ejwjyDC-wK;~A+j>>vK6iPblExw^UjJy9 zU8qcesYgRqn&EW_+vi*VLIb-du%*fFvd**Qei+~PwfP3AN*8zZrUcI&+Bx~vLZpAUMIj__-VGj_%~}l zxMse73XaXg$wb~6&~P(iuNxK6y;m_}5;Y92DE|=pWv!!ZhnHVx!AaaX+)?9rOGtp=-2@^m zzgl3Y|QJ;*tO=#u+uEuN_FeruQS0*4LaB}Z}6&QBVUcI3^-2l z2RyEa2fK>06(MIx$cejh>od}y&%a7Ed;7eRgN<^4wTOmewBbR*l*;I&H&z0&>GKRO z`Q4=$^Ow2Z=d@RZ!nDUdMOZTi;zPW;5;Kx>lfkLn=_N5PkXFaMn^rWYWtBv2RPCGJJMVr>q=goNRI{yw&f!MnXCe-#q&fAk(Q6iuFYG9pP?F+j zVi+kp(AFkk@}tCB!<;7+gQ*71QEyD6YTr6)HkPd1fZl{}sm&&9j6aw{U%MBx{M;`^ z=qgtk6B;eQk4(wx-aORTPgm+1jCc^Kgh$1e`U;&yRr0Unku$N#Z3dxaz8b-^V+3uC zI0=fyq-%9WxH$#>=cSR!j9d}ftAOb1vm4N0pHaT<;J=!B;9kojC0@X`(qQWtNy?+J zrPU5(%|oQW^;o(aZ}NgPi6$Y5sx;^y4XWQ(=mK&qm^UUXcLR!Wf;F-t-;Q~ecz-GY z)+_yfY6u(XUu2*{RBu4=Pjra&IRr|Ux+~rJMez-&@Tc*ha=JuVz`G1qpoW9Yq=%*<{5dIt^_4 zRD7Pr^7IK9{s|F=Gi{d+{w9Ux6%700sKt+M^olEoc{NGc2Ve||ln83V5sf0cv&auuj>0 zvHlL1Oz#qevzYiu=DMjM_ab@$9!l_5O!W?wdq!gaUExD&jvJ8c4G0xsQP0{sN99s4 zoILj==<=~+M`CNfdN>Y0U~JRlV++!V^$5BuslHxJ8HhZmI-$e8vKo_^RY_ 
z6wO5>aXoQ@n1E~Z<~!_L3?-K#}ZXE%&(r9k4E%x0kzeN2c`;Sw}{dCNVvGxOnRNo**XsrW~p(y;;^0U z^SWI+B7r&C$MfEvTb+TzPDjrBPU|zjpu?iiTcPKc3w#R>xb)S^m1ky(kX!`MJVed5 ztdP@OQ?1n2s-fZXH&d9$T3z!U*fmoBN{I;H$?yEd!(V-gR^<0???4h& z4M}aH16h?p2Qg;O$9YX*Xhah4~3xGG!IatT1Yh`P&`Va!O^y^4y8Q^DdXy%y^GGJ@%jg`~1yi=;^5 z8gonn&*hE`apseQ%|cm<#43;6r6mkZ_o-9*Yd_IpuT$B)vP}CS9ll7)dL%YpPr9tp zs+n^jmq&OVK1FdUCUpEAEOOaAiJzX~!0*lOJl$M<)ge$MZIQv8`^@ug?LJhhK`UB5 z!BE2fi~JGez~CW7!9gQ^c?V}~W!wPU z_N^F`U2sXbM8QLAn>RxTrE=T3`MsJlB*Y^dMs54BCNgrXWTx8WyYUQ8_bSy>*nAem6g@rj0&o-efG_-S(dhs3-zgElv-_WZ^$B@$+veiUA%|TJ!s}oA zm}C_inJIGUvrJEl~B_zLW3zzC$aRfXZOzk)@?Gs{Us;KD(x_4hnv6?8M~ZNtB5p zUBqq?SwO1cW_0_Z^ovhFh$$JT1lAz?^~X>Ix(!_dEKJ0OLqq#@mBEP(xEr?My`FN6 zJqqE!0a5LU(JkRXDXm9lC-s$YN%4HpGB8U-O(v)pUdSCW7!HdlbkWcjT_PZ#^mwT9 z`gC{FdRW)zbFnG?eBz;R9(i*k$?*W`R&d7Tcf%HNnvkd463DVRM}tFwdc#UIX@x{p z7o_@X!@wc5fzf&ve~fF}!H(O4PljoZY?`f$W}w_<(kRC~f8)T|`s}uNT^h$GOlsXX zPhKtYdHVQ!oDZr>u{!g?D=}k?lDhHXAlmftXA&U`{Cgpj+y#r-Wnc_@cz{*LVZUm0wwjtXFu*m^8gL@nx0r!w#sNppHW$CR|8+u@Q$ z`fEeZkUU6^q}Qt%q;c07z=j;eUPIo1+JOJ6e>^rZ01%%WP+2)00>$74GnX5U!O^r!0$YbXKZ7RvHp4LrpMKkygU1YJxuHGm_kgnkR)5H299xV1DSD* zV@vcU!*pLLbVW~Emr_y7XUg{mbPp#5u{qZ}G1h>01BwJcxd9ciH69ZgbJ&3JWR@{- z#m1L?ZRAdp)Y!&_PVSaTQ)udb1c`(Cd|6m=4+!N&b-F}pGY+G-eF?gpEkLSBj7OyefZrTURS%`>Q?q)K$mm@xZ&rL#S&b z;tbNO-AiSca{4yM+Pu+nl0~l4RMef24>2)v10sSgCvU+{c3~fjVoeehJ(rTn**RZO zQn;!KW2A95mc-Nsh<`$oFaZ1D8*CrQIZ6sIzct{~;tUsZ2JTJPZPd*mje1{Vh@>c7 z93jatLt*O>U=d*8b>pD83B9;iEetrQ`48=S93 zXoyOfFRK)O;wDb;G)^i-mypN=H25)Q)kM&yqh3JYE2Qa#;SB}yAHvfgqke)a`&$YLecXbJFELC*w7q} z#wBWA!b{_(dxyoKOM*ce>j`f^B$&S;3*}TJC*q!IC3-)$=RbEyHV)Z(4O^F~^y5C4 z)j!}mjbn*6v%f=;WOi@tr98!^YzAvH1j{y=YSfk8)t1pd`bo%}nhH7A!333jBb=BX z?C-6Rx=@L)M!Q>vQF+UA zJr{Mf(MV0MT6#6!0Hj!f+Di}wYUMQ&isYz=Ej$czh2ow29ZqSM3m(Zk*K2%zQ8>ug zBoXtLA&~9yLDF3I2ru%dM&|w0$oZc;yRLL$@7;^K2aBEMq6h4+p1Vls?FuuZhMdAe zC1}RPj^z*0Dmpc z_qx1~&!-s7sHu||s~@;nJ!T(v_e;|j3tB3=3e$sKd)|Pycl1(FBpr6fo?$W2KiWIn zoM=nIu$^T(Ku_wAd1ikve9H8`tAXI6V;61tm;E3hFLFLR{Z{I#< 
z9o2r4E467*If2Bg3C+Et7I-uLpevPVzn?HE5xoa~hsnhN!&I=T-MTGJik zL(c%+8=NfCr1=GQIZR%A{J$=R4>{AWqhAe_ zyN?O5cPCa`bMG@?4v&wj~Hlh|PlG z#iYEAvJFmTV3KVlMaQ{B<8UY92<4Y`*E#Q#9|eWNeaDAwCES# z&Quy>ZNC?7vs@=BcWH~?fMgHIB8wzhMtJ6{4a{;YdmA-3!72^>+Et}h(_x&%_cm{9 zsb96Z#6pO!470LzTzleFCtoN6sWhqqU-#VixLFC)O)v0j(YXOF?-abU>Ex2v@>FK4dlMO7#M9G@?y`nfjTqh;yI znKg4<5TmyT9M7HpV&F3E+^^m*W_gdfZKr*MR(I8TEZD;IYO8X8pczJJ+Z#3W#AS=G zE6Vkv^HilV8JtNWLP9RC4cq!!_@lXtv4>Hfv9y-D^g$Qv=tQN@os#_<&=1R+5LNCf zUM5`(TzOBRr@}t_14GfosE!!ZjbzysBUswzSpr!eMw$tG z_#)Xf!E@1oO#+4Wq+$)2+csDHDJdy@0Zypzks?_!##MEvkV)w4CpY&)rG_-X3 zD}bR({%h40FpM&QY$WV1vKBy7Qj^QUe+;`mwEiPJ<)6SN*mCJt{ph!NzIZUI)dg1c znjWSxmI_a$v@jt_4_j5`9eLaC@JDq{X=<1iiwFAJEgBO{o~J!dQK)s7TWP{i(g=vK zC2oe{xj?X$PqSlo_hjYQn%I%+>yRWb9VJZ>k|g9k0jI1Mx?4aH!=529vq`X{SWasR zWA~;%JGlXEX?shPwy34&%J=IR$BPubby0o+q_N!N3-E&yyt%W%)oSoS0PUUX=R?dZ zMP=&Cu%&MkUq)C4B3VRsgsyU$%jK*o`NR=B z{#lCz<9@41#_>a915Y^hI}46@%=ah(BQ#qbmIISa1BM-tB<~y0x1G8D!0ENDsk?M% z-4oT}AHK*OxS6F@4%hK~S@(xoY`9fyL&Bbt-GCb40tM2fN4qL2J0H}?TzU*G6{|*y zOy?Y422#URcSR<8{CM`0&fd7jmDH#W7PH(wIP7d(+5~T5_l+OZJZ#nT*4cFH5##C{ zzzrIMni_g2sej>edv3E9?t?pS7OLGaloTA|QFl!Hz6$dQ^SH>hkg?eqx2zFsi+5A2 zQk%H5(=^Pyqm#fW2}(LOy14l`L!0dd7T}FmDE@9x(6wt{@s9%XzxlEMdw3AI^@>O- zs)yI^(KjGzaT~2ar~>;tK;*xRlmEwq$S7irr@16OszDzaPg6L>A8Yj>fhJUG&+ zj>P=A=Q2@1XZEv+I`tJRb;zlHVaaDEKYe&b~%j_Jk29d z{i`c@#XxY*m6Zd=0A7a#is)}7gNlzx^5d8bu_WGmT!V7y_Jegi8jb2D7%M}Rr4*AG z`1CCJtKO&9?5aVPzi;W6Y*O{jX2DFpaJ?bic*W>Y*50>TEjguaicf&oX;l?(lp0F&!Lo`}#;^9tTm{?7STmG~wI59F znts@=c6XzDRX7>KDVn&F@|K%ey`+BBHMpqH-=P%z_}wFLS?n|34$P_XNFSy&XhQEM zF*^C%!{H~=1a|i<>qIJQS)bni_@-&JJi(?UVJFm=kk zGiME+I$^Pzu(8!oc>`JEi@DReGKJLH-%P4}3c`8CF{!n#Nl@VC3+FEcMD?pIA_~fb zOEh2~zfKoaRXQIc%T-{vIme^gkG&p05}GUJ}@Nzd+(8%xEQA9z-)DYl1wfE1ad+4v^?c!`rOEaB+(5Vatq1$&!v4SQ^G_+ssp0ZVaXnVl6H*&?(|FX@&2=wQVUo8J ze}z!~5_)DLGNK+Bi#?!mWB2is9R5||RC=}lPpKouA2O|!Q2|k{F_&08mOIwBuYoel z01ItQ)-Oil|ENuo(kfxac%HobKJAF15DaEBr_Wg?^ctop`-PTBs<+xL8b!xN-F?60 zUK8!?()Y0h8FNj}R&?qpr~;_}lKXQV=lCIkmRi;^zi*1_NjX4Q%2m(PMSb-E<|1Qq 
z@#+^NNU9x4UCeMPk+x+EQ2kU-ePzcdZa}m-u=0GsNU~mE!1mKF^#%aO-W*WS!sel0 z2`2w>LZ@$hzuY`+8v!pULW%>WhQDLEjUM&f;ra9J=`2Tm?O+F+alcFx^0(Qi z9^&gn{^j=Be-Tup@o%R7m+6y7IJJiU`R=lR7Bl0QX~KV*eO*8-)8l@G3R6{xz~0I| z)+2EUN41?TX)bB7ihR!lVNPH9Y;}ziH=MOV*31+3lwRy=`O4Ass6Tp6Gc zCQH3hADK=u(aPgY;nS=J*nynQ?F}t=;YV~aLV3mVKW>wjq{W-D=nl+A)*xvECO-*m zKQ($}Gga3WGfniKqmUQ6*bSkI^<1n7Tus&pVWM=8e4PtdgDNbEX@*|YwUV2ZQd^Uz zD`gGE%)C0|#Jsvy{$P5?r*%@_Yo3}o`9pqp8mA;}`otYEo>W+~16SOsUE}vDC0(jH zhut4n?S?B}WF2>Fjtq8Q*;XC1xuTC`l^NdCLmOiT6TRG~4#(moVKwqUn2l-f$egip zt8lMyiYgGs;w7H`bZy1%-Qq;cgrhKt@loKrW@a9loRK=6ig~T2*3J0i zUKpwnn!jYzp1-V3e~2x{rzc}vX(I(jzN&Y7t$X7N^Oqlf{7ylAh%Y&>`m%VV#xDau ztrF8Irru&fn5&1fx)jT!X6 zFkp3g4}CkP=ThnRS3=@b{mwI z4ttym)X-4;!GayeWsNmDjPe@gxifiHC`vDS^X3|+udy<19oVZw{DC$V1f;JBAs~j7*8m)N2FHS(2Xut3j+{HLGUT~XmrzL0R%ya9wh;Q8P zcp>Y&Voou9rYt)@HQG#)BDK0__d6zN=er8K*dvTc{4cpPS*Oa&gi>U7<`GkUFLM2h zek9(y@Acj^@%_-t;&oM<51M zsg0P49lf_gOXa-=XPR@x(pEA#f&PYdmh~(8Qfq*=V9NcSgfBve1^AGt#Ly0-6zWFxR4d)}|t+2|_ zIu;(hH=$9N&usVgpZVx0QJoR3!*WxqGV;fyapij-m0bwp#)SwZ#q|M&XHbBb*`vJcpMHNiE|cYm z@kKoI6WUO>(Yo(vMhv!MlTM+Hfmkf@p^H&7Qb3bY$vnKAoAH(`_%g&6#xP@waEOl1tPGq7Aiaqer%u0;Az#*{VsM!t=NZ z3nw`5=HYFbr!1~fi~X$9pSmfnQjOz*;NQtpB0iUFP`4vz>y(`=DpEcz&Q_lwfooGA zEuiV;edkw`fMIeVc$dHHdKV0Kjn%HLyp%JaB;()K=fsy6`i3_C^_e^E!lC89Nw0Vxtwd27 zxQd?6Cp$sw$#G~pKGD(Dsdzb0TrGZ(d&7=jWgjGN+v{>o)^x?V0Og%AEaF+bl&YMK zd8`;{IwQG6^Pml)HppLS zyoN5Q{oba9hiqz&@+NJ{6NgEczvyAh^(}WnMsVvYc`uDl{N%N za_lzZg=o0K>-dvNIb@7e@k8ux=mpjstf3KcYrMdm_3Dj7XtbKC6mIwB zARpPzs8F=#+?hqYjO16)^b4RMwFm))=<9n%-qB%*WV{!ti-IltSR5-mJpP%_^!F(` zp;hP%Prq|wvhZqwsw8eW#p2vbdvJYd#TcqHZTjWN`u}Wu9%CgycxVEcK(OnCvOK{# zq!cEy9w4IF4Ck*@m$?DxYC6E}WxEw#1T-_O0f7zV8qX?C8~7tM?pAeD1H2tR<>dDM^=L*V1O>~d+)BZ07t)?~BOuL_rL_8u)X)&0EQmI=DsJB3CM zt191WyQDc=d-!`!WyM>DTn$ghz;CQfj#FYo=t%{owNq14#BxqMROp<(2jf|({`d41 z&BNKoXXzu7hO!^Mk@)Pk>E$&zUa?yW)^BZwoqYZ*VM%dO@391^3D6Jx4ENt{X!(cu zAebGp%;<|m03H%Yulz&GAyLB($QO2uo`u(y+~aF*l_R|IkhJlMP^>1hm*ZoI4qU9i!-xrewi7 
z`p&LhjITjjf#zI&OJ4zh`dd}q^7q|0_P=)K6fpif69D}(nZN%2D}(FbaGXhh`I-v! z{$^lD-YyS3_hL&e;{}BLZ)`U1`zL#9phTj$fte8+^Y2w1e+2&;U;JEWQP>489pVhA z+vX{h+TDPb@58p{Za@|V9R2#AWS;@mRfV6^X4||09pb~zmH^!y4-tS}U_verfZb^; zZH@PDI>9s?9C2Y@(wHOs+h`v&9V({?E^HB0PBT-L^4bTBDd25zsuw#7E-x12WNbP> z9{+2{7plwN`311k3qt`eA@*SYwJ1`;p>Zn}xY4aLFuT12&Feo0HUHV>G_^Y+PV4s3h-%HIl=k77PLN}c;{y-5;WSEFzf`5Y?9`AWj9)eJ zAG0}1qLGgu&g~T;{mb)o(3->zs5?r6srI$)KuAQ^fTd2iBHI}u^b$Kr$^!P`BweQw?dQ>|+R??M zoJum#?zHMcOTB~Lu(aKf9}P1uLQ_N+C};L5v9^8XjpUn%1M{k?2U95*Cgj~I@S-Ih z&25vzz4(Y|NM}6p}N$Ht6Mh{kF(qZDYc*Kk1uT(Won3n2JVD6Gc(- zj{PpDJ(;)e@>|XIgJO)@8RA8k1M~nre<&SPf*zG1dmV%;So=YMi~v(Za6&`hk(YvZ#QC%W=&eKnZ?s3N$xBDJdW) zdpDp`tr&|bfV}q%;O;dd`}8yuD+R-wq)9YB{M?PIV}N2)-+=Zy08U8(iOsLNJbd>r zjfiaNOl(YvD5Hb7#++XohJ35--0av5vF!73a{B5<0~mz@tu(lQb`|Q^9nI8f{q0Am zZqe5+@8`C|(Z!zyOKjUfu;co|88(+V#W{-O;Y!%rFH|~HPzTlcRU2oeA*xS3i>^0S z`NA(!dks4AQc-JItUg^wcdW=JanfzYIl+8oq1jpa->w%z;$DmA%$!giqMN(orW1OH z=;a=W;hOn7j-_q;#fYip4+Tke9DXUxwuS@tN#>`74^@8ls_r4y8xf!a?17QSrPWJh z4G+>E{J11`_294Exc|6B474RZ>OWse*Cq3QOZ6R(J>k@7yQgCGas0XB z*_s-hQ!71fT><=h2+8B2tzjN+8~lP z*uaa4?#cEd&%({p&4-8atnnrC>zL2PL4|c>#8VR1K5WY0&j^C%h))Q}JYo$6Py1)t zCRw5w$(*Vf1EL4?PB;!yUM17Hkk?#wKCZeHLkq84fv;n(8TIL!GGdK6z8<;-xVUPW z|4v(tVN|(@2Wc5UfM(0BM>Vuf1_lca*t7#lYxF|n#d#ILJ+TBZtAX=WN0W4bCJsrt zyjLX3rxkiJ#730&oj2qL@_6qIgr;m|}&nF`cYX=7Pk7GHB{+Q}m8})t7<-T&6NB!)5Jxd-Xlqi7m9*s$qqD|r*!5hcBgjrr;B1cHom7kvo^%<-S)mbrTvif^8%vY z?h|B3bW8>jx)Wk~wu~2#NpY$vu0yFd^w@6qBYrj50W&XHC z+P!5==n}^2q9wI6!3d970Nlk-IDw8(Ox77z0L^RzGba`QC{{tObn^9F+Arj-uVc~3 zAXO`!%eqL6DK;o*r}L~XI4{+n_*gL3B}X8~aG`!ca|5Ctry*IEjcjHp6{SX3jk28# z6jFzCl18?$3yW4dmaQ*&n&~XbxSRUt@+!O45VY9IKAjRwoqJv>w!_GKAK`Wd<2Ww3 z+oGoxNI|BR%hZlLa3p*MYp%Oev6TsrJWGk4^BhsUExdUw8@q7>!WZb-(n^pHnRuV7 zBxiAj32px>piHbflzF(fV-`B}uDf#ZSYV5)5zbi5%~{qHx)X%QaQ{2On3L=xy6*6m zyyYTch4$o&*h2;Ud)3%d2gxYQNX;H^GPB2tF5V=9<4VUS8`c)u8x)> z19too-SxDB9I`8htHB2%tAt-|@8f(#cn=5?e;1pZidj*Z_CF^6r*k6%95Q;DByx5KI=njP)96DEvDM~ 
z>Fj1omTF}j;ol~Nl^r7pvPhe7-59v9I!eXzFa<1?eaggXhfik_bb_;zTXUnn(t5IN zzV+Zfm&=Q?t&9Z5?VcY&8D2Eyt?q6^14P|Iokh-=?{(h&SRXo!&(!B6840a3np^He zf7Zf~r+`;B>jld*4aPjl2s?dPyro4cm7~Us)l@i^CN{b&L?|Pxz)}B&qX>t(%#u!Z zGGEQ6w+!&z^ml*F+ARNo87Mk?{7fN#>mL2*n2q4p1|AQLC&|z|8!uzSF6x3YXCQN^ zBNInOc16tR83*7?A?43j!>BGTc75O0x-oO%r}a>WB9%Jg?A#*Dqhn$*ZTZn%7dx#f zwX$cWQ=Lpo$3ok_aE1D!^HRM7fu=Z(`Y6qQEmBcaXlgj5Ky`$_cE|Q@w)ucFr`6AtWn%$?y2%xSDgXny5;$6B`c3u}-l zWKwOg3DQAO=pFVr!>F$qpeo}0Rx|dk?WH$_%>rqr-ct?Ys zAukP=)Fi^Tug+vYKyh46v4Dal#dqQvT}{L#d;tOPu4T8lpR+q|ybPw*UxK}RXvAMW zvJgA1&-ImygVEebs(s-c#;2Q1xSzBaTAsaK@FAc6ZL*Iel{>`vk#0g^v~Q}-9i2_V zJ@i(~7?V-2fNAfE{41J+g1|c4h1x2UiUb*!+oPuardOP>`gIugX6|(u&XDnhqpLVf zam3EWmv;_Y`d-%I7Me6NYqnrW+GoqIwxs!Ii2UCHv5>a;$czinF!Vs}M0N@ibmI+U zq|DF<9JN-?!xr9|dn8}9q>-AOdg5bUf!_leamcZ+-xM?yT5V0m9-rc(RE6$1tto9& zXsMwJ(WFvja`gr>C2L&YP8v>Z`k z!>h)5+MNCD;-PYezUr_evn9$4vf9Z*2NaK5=|PvNbpf2raCz?cA!IBs3dbnty{We8 z&x02}eR}sfInuWCDXiHA*GMfsWrsu;kGOPn?STE5OtKbEnlmXm;}X`8T{V( zuo~938&$MaaL}UCl3whh_cIrk=x$lnqtBSMCMTF9S1B?fI%|QV%!*hr)%G-~8w+M)Dn8>J?5Y7)v84XgzNscd9$YUpik*STN#kf1xaF zj9-0LjGRs1=(4Fe7RL|i3TUIk8+|S08p`VY%~;q8rZDU28Kb}P$Tzb9_7mk|j zSM(4ITr)vxRh+U*m2_cV+DjeITSo2&j&DTV0-Ty4&bjT{UiO;L!$~4U!oDv?f46mB z2?|?szMBRP&uzgxEYLNt9sw!?E5m+0u4~s{c+6zwi~Voq2;KF*R`zzSd{y^oQQ5l% z=w{uy7rr=UGb_cgu)-lPLyzlD=U)iz&}%4lU%=Ucw7U(roTA)?_J8kuJ`_S*1sFa~G=Z;*Ckvrc)O~{Q%+{0|J16 z3-urs_WJr-0zHq7f7|&lY^K8y>n#Lle;zez3Ja~gH~a?CXyHY8fE(aUWZL{T>C^MgVblM@d0Z(D7WNyV^;&aE88iL zgfUYNpV*lElaZWnIgjz6pA@H$^}@Y9?7vvqGsr(Tc`IuWpkqXHpkNy%UKS~fH_UP> zw|eKjC5jtd_ARZJE7v*$sDHPH;i8fppNRyJB3=rya5t+K!m=c+6AARf+u7HfiHlSwbz5d&)&0 z#CiX_5JyJek>gzYOncLs1fggqjOl4FtvB=zoL(piZ6g@=ItZ>80imAIa!qMF!q0no z>~gE}lyGMa0nfgQ7)Or8`v$1H9>{XH>dTAW@~L?K0$yfUHL;CPyM=fr!70pwv3t^+ zF3+q)#ztV+)|JB(!W@on;IiVWjbw0vF-UR6XEK@TnCReYD`l)qe}+txT%mxNnzQQ+ zT3PNhqr|Ld8=tnzZu;^hqvy6EPyy*C2|L5%f?At9XHSRf%hh#3S%+kE1l}+#Z->Xr zOB>cQB)KAqs(38L&<^h2k_fs1jj6!Dkz;W7WT#dmN#KkZA%(FMvqZHs?o>UN53nuZ zmFLfun;sW|HbT>4*+WrIGdwC2haw53#P*MN+BCw(b;h4O>ujM9U(A>E 
zU}$)??W0%YX2#deWk0TkXbF3UrWp!3KMLJYE^_6KJ!J*( z73}}!_^b$qb|y&NWaoTpo&GpSuy5-2-uojXDC@U(8IkGHt?HuHoW0}UqM)#Pqb6xP zg?a^J)UP_LVt41mM4KwONGtbt({DifPFrssB*ihyU5-_C`<)W2(|3RN=0*I)qze~O zoP$*kVw34>uKRi|?@y<$M2~vIZRSVj`5)BOc!Zdn3!~|S9s$XA-gm3Q5Rcrlr5;Kv zFlpJAcc`HR7I$I8n3xsm8hcqaO=s6?{*d&unVI&V(ds{b+STt++_8LMrV(Lhmsq}q8VLfFe#iV>DLT58?dH@Xp=&2uDrI0gfWS=6^|i10y0s;9`bHXq>L%2%2qJb83&7pk+Bxs@tDwka!Ai(l9$1((Duk@A!JvjHMJpCMI8?}*)*PEIB zi`Fk&EiBgk%CoMMJYXxE_y9z>D|)o`^af;Vuxol+)n&oyOyGPz=FL(014*|kTk)lP zg7*s6nOeB2Q_}0m5IJzkQW(EF3G=!Eoed$cc}@lTS0J|UNuRZxNu-1+Unc?Gxsa!@ zd7+bm0_+&00iadv{^=-Z{R)6RMaJ$fTJQJrF&;~diHDZjAUrtbF3o75H2^{3`-EtG z*tA(GnQ&0`m32?LVfv6lTx4GR7DFU~j8W32xlCTD)>UI~)pItP+~_D^N@tTHt5~}Q zER}KB2HBl+kMG-dL*HHLz*ZkpAoQ5kYE!gEH3~Bd3+W$UfzQ0;x$=n-sY zb_HL>Yjs{nDTWEkldhCHQ<@9oe%^nSomp0qyprXiIX!P)ea+75@q%-@g({V8LGrSr z+;tMxqF);d_H=N~NsU>;W0J>SxlR54QrlHwC=F{QCr>OvNOv(;rGUWo;q?ng_ov_6 zh&XZ7}1BI)u;4Fi9o_i4!=hTg{>mxp)Uw-)5efJY=b{ zTk#9{e3h43BuZqc=>?{pCBWK0@ENW(0iM++JPB;fKRvimlg3z;O6wEzLTE3R25CQE z6y`}TnFRN+!^?sPl@T`}+!oZM4avJfSxO_m0NC?%bDdI$R2)mVk2Q<#kt8PYB3mQ| z05E<(U%dVl-ege&*o>P*(m(-C4G{GVpPd190MOpvcQ0+c13~XsS?l99*6%h)Y$D1N z6nH7)n4-i%o4#9l;{vwg1adW_dl`p2c7t_c(+HGZ=&ic6h0IC_9C>eZ_TDIiIT_)* z{AY|SuXG|{^E%Ym%Bfc3sq-b4Y+cd{)WVLXRr@I{xKD> z-yFZYC0}4~s>=|MYyVz|Lk26gm%Gpd)&wKAn)IvpUFZSlBn%&OwWS$kYv~GJ9VEU~ zc@QvX=UoIuI<5zq#h*86?;aR^u|)AGblFfUCVYw15!N;~x(~aSX^1{IT`D`M3_4TN zbX9zMX9E+25TXsb7!F+*=FW2bEhhRcI{FzV(Od%&k}Aq?Cu!>I#jTcTXOqjEQ~cI` ztEUWP2)SgQZgiMzL23T*G|7_kK0AK7`6xL(jmYk#g4aUV))f-W!$tdyH9CN*qcySv zk9s?&0!G?Oj|?4MC)Ji$fN~lj%ntuWo>EV+PUgwEHrGD2ghLhM3yyXI?dsh89p9A^_5xt zky;T&^KPKYG{S?%u|w~;TghLtvuj7u$R13@DJ`p}&|%17ljy0ctzJfsFr4{9N&KYi zBIKg)Lt4q#CiMVgMQ#7{!k%qf_R(jkIBVp_X+A9%69rKkXIaoy$EBsz$T00=#g?qC z*oU6qLd;E%2Ot?wQ|m9J<%Jru5|WYz(k$sDWFK>g?nUHyja+{9-kG;2!YpYw=MWH}};_lEE*A{nz6ff@H7AsJoxRU~>pKKwr1oeVI=Vj-69BmSnYYUfQqpDFnxrZsTevdN`A(-iLRq z$dDEl9v%jwjD1Q@9k%~$IF!oOBPVuUM2%miXo6!<>DTgdv(Yp52f}nWA9QB4F8$k= zrCe@RcUd(o^SeaBZ*H#@_C@ua+KGB~6vpgpgEBufb|`Z$%Jc77LeqsyVG1YRknRxY 
zc~=Kyw=6V3p@9yM&8u9nM|ow$X{mWnyHZI?{!4AN#6l3+erG0Zx8I-O>8Eb8I80O) ze#DDn2!Zv9m8WL*+uLUY>U30&?xSDT)Vd|=->``=vQ%hZ)o-HtimO%F`g<3K7 zFiVyYjU_1M^7}0-=Ku=I8+9TYWt@xB2%Od8Cs^M^6QcYjLg*PJao(KYvHIe@hfb|b zXuisA4m&x0UlC8q*T}LPbcH5r0R8t>p{mg{yHaA@dCAgMhdu4p$bk@3RACuzBlc3w z2(9McF=?VCssF(mzK&?ob?MxU39-)82KMSCu7brVjfpxF&*{o3HW!rP+(`f~T8T3R zLK?Oq$_%>_(`Y`qUtKqYV14x+T^E7FWMp>4Mr?*A-hzJx$P=`FtW~fdmdM;ad8_ScY$88+mL=@9M z+@hoAJTHZO=Z6K>L_)tqpm+sojF?0@01)4wN=4-aHa>riqnnIw%&fi;@BAu?*Wbf@itPS>39D<#~j*GH)clYAU{3~F$nPkq%A@ppnx z+8%M5)^v#y8GnfoT5lc+EZ0^C_sQJe0juw?#5Fd5z<4QB#EOQPS!mMZHoB^ck8T;7 zgcLWK7YDDDD+;5TM#+&H#?sTWt6r(| z$Bj=NuTt%8(v2;Vzki-OSa|ehYBfGBof*kRTLdT9*hpcIhBwFKG7+f$s}|iSBdpo! z;SiQjCz9{6JN1XPG6(_Zi(H(S%$v$#ggzLJukoTp~a#dq%Ca@i;u^ zMF5*PSzF!$eQUg}XmP~XQQWswZ#CEbMUN%6nk|JDyklbPYdEZ(7j@eWfLdJ2!;h-1 zT3xlr^%pvZX1Ir(#{LXOt7DzR4FdQ)0FaU_fOedTj$9i_elkg(P}>(Peh z$wRbR(-4Uf!VBm`Kbxbq0R=|0sam8`xza@cRZ6wZV)Eze5{d!k?v;W(o=g;Q3hW!W z18P@My6Z4ZmD@bThtJy3|0tZQ5%c?MG4Ev7QdhoL`5OaN-BY+7bRl{E;wFx$k=SddVQ$N6MBUrM;jS; z&;~Unnw7Us4r9LTGYe0=R(GW-jE3}-j;X%3_<`_J7wigvvhD#yCO}-Tqa1$F3rA4| zME|to2@zB70$<+EN5UQew-1o#d(e4XM{`Z|1Q3(b*Hpa^D9{I8*@2E(OyDe$`>Z&J z3*hgXtuQSs00TPRn(=H-q+@_0gah5EXshq$=7T$XM0}9xcY|-`GqJLEt&1jUt(_NT z5?SxK&PyIl$V#%$S(r{X1)&~O`o?GPjZzH@oUflKov)<>C?Oo>pV%Ro`=QV4UjRfv zHTP%Y^e2KSwyw@;Pxco85geW#hq$^-15>!17V-_UWuSK>(FokKF6cnIumi+%=3yLP zNhFThBR{q7=oE648s2TXts|Y260M1`P4I@Bu432U&$AM(+~r1N3WCL3p^JY?$p-BpflhfVpP9L z`f9qJ<2eOU7T6cHT7Ab2E-wZ(0)-$yfIoGj3I1dEC{hST82)1yQTt=}C}Ckj;{Rh8 zk^MvWsLs#8mg-ufwt7*k#D|^}RlnF^@!~#cPJl?cw@rhO9J*slvk+_sxAcR~xJe^A zwnXO6??eaN!iEE4TO^n7US8`2Ux!}ZN_FW6PCJ$f+k*B3{Gf=&iv_^a)$+B@RegIX zG3!MyO)2Zv?&Ybq=SW`PdXJ)97m(ArQW1e-bgCQluapSP^-f4i)rfB9AlK?0dtg6L!x#*?pQwSV#a>gk1+oYmLW7TRG# zZGFcShA*iLK{Dv6DC?y@cc2bPk^7)r%hytNTg*g~I!+$>*N<&if_rJHT6109QS*y2 zmeH(clGCQM8*~rt9=_JiBqbwV40Gug;>|zp;U&0oQC>|GT>R2JDmu>NBc(l6-4(t$ zad@!G%>ChEj@3I-?5_1Nw|3rTet#af*wHA%=1nP|l2VG{1tH2UG8ijuXEKi%?unGH zygS3KH$|oeh4O|-DfhP1wT_E{se{Ir@rdz3b!{TN_HiKTX^VM5o8D{v_a=CFHCWnK 
z<4n(|4}0%RkMKoLgq`gf-8oRRPSBl*wc6(CF4EzDdp17Ip{(J6s1pIRXlP~`Q35H{ zRwu8N(uLfsE}0594NVkzBna}HH?RjK!&vEl^?751 z8m`-e=(;5lf>hTX)l5-+1L8dmZ5{o6ArSsvv<$70MCke8;}{S=tE^--d@5b>PEwD< zJiI(}MEq#HzF`kW_kLE%Z`x#=wG~lNt2CS6*~6nU9Fr|qo~h25n#OYOW3?8}& z6Jf9)YO7}%^X>B`g&zn-8c8_kWm$_5!uX&$W|j&5rKqiKVXaVvwzjNTH}j0*wanQn zeC;*5Ex6dvDY8f=RNQ=aTN}s0mCWvGX~wHvH5lz(Ve_ARMgh;Came$NbF5NN{?uJ$ zVYG8@S9aiI4q*1IVajzCCIkPew}4itCt4ewfRPvoTu!tKq)A?y4!J-uj7L|QW2T7} zE#Fr3^Slo@z2_mwm{}qUYO6iw>UVRYE5&y0K1IB~fNM?t8M8jlu|1&Ay%sL<(VCxb zjX`^xbE#2Oc!egUMwD+3zPxX&)MdkB_bI@ii@V!FXZaKt=(nXMuwfsA@5?v%)hf`_ zk3SG3h|UFuo^4BV+_y5kDeD%)o)US)Tdfa?Zdg%djJy3pI^s@Uvjn>jI`Afy%JXZWeYz_E$ynwD z>-KJb`T7bPSd;pu@NA%hm0w(U4KmV_`R8LA&E4n&@0!;oo=3@5GT9}e((($L-^G(vgRV|)%MGN!Y)p7@5ic;w68lPBtp%OZMc`dYOAqSV{afg^2qu2cJ|@1K<}zt9Aj zoT?rGAPadSPyAtTECqxfx!%DXg|(OXjh?W>bH z%Jd>G>tf=JL}S~i5{CVre8Oa&%d(Md>b=-L)?~dLG zZ|;Agb*pIs={61s{!10AQ))n(@;|_5A=>(ZfD2<}-zJ|B@VMX?Cc4>A;H)fb_#4JI^O;j&J$r^I+_#h}P0IER#_ z63LLGZY3q0cTN`swwdHQ1(3TXt}71crFwQAx-iPP`jz9$eX~Th1r5y3@_a?6U2&K- zUwxowU;R1djA^n#)o?hoqPe51tKH|6@lq=&M^#buB^HO96adaKqaZlroqPQQ0VA$* zxODMm5k73Ekhi+1vST>K`8HxMZPIbK>bhE%D0>?k6kG}){VW}aioZ~Pw*ZcGIxy~D zX~q2JZr$5gi?Zo!krp)k2p%w3!_LmWZyPf=j|3~cUp!pL18=xw%xg)=v2LK)r7=JF`f1v_U{RD0bj<)9IBK!nxvL?cprY?dH zH6$lq>5f~m4{t1dX96-E`-T%={#9IiX@Ktrf9n2 z&gfO}p}R5O7457?%QN<(o3c+(Z_)<-V4?|}yBFnqh@~JZ?Y|h;FY`>5@M^yL9A+Kl z2gjCJ!ARou8vJxYrOabrnIDPQGyDDfsYXj*sje2d_1cdxP0w@|gy^xI!Mq?+j&dp7x2I z;>`vm&mK%fbWYbBP`JBLd1C22A5ZSU)g5&{@p$5j_K;b*m`h@z&6LumwCI;`BAEbt zE8PpCAS$p1L>Lnh!Z`Y(9$WPp5&+x&XL*F9wF?kym}7aZ|Occkn0qM+e5A zbwV{i@2FV$T8gnGig+Y!pUyF5wM3oWYnEM^`6#lkgb!6&0%{gAt{``?)2^^iqDFS~ zO1xQks1WYJz*`BbJqXc zGo#cDZUPBi&sFCs*b(SwFT9^z&52M^KjzV|3rW#zY)$R1eiMQ{Eh$P-esocsf9Ngl zZLvg2p4(Qb);P+^9BZ*~x9@V0d``7@w{kP~OJmy~xU7KkzW%`F#HcBw41bgJj0tzt zxHl1B~8sEwQP^g%Tii{gAhssp)YqFtNT{KtHD+x2u0 zt;gYt+yrg+n)tiZ=@Pp<3liCCqs?E0T~g;Q%*YUjKX=jGeNzX{Ow;Sd!H{(|-}Q_i zDalvza=y)tTZbaf;=I%XF572LHEjcGDceRs3UliCGSFcaOIug~5#uU1mh$lxPo6*r 
zhq|kr!^hZ4p|Zd^&2j6h-LPESm9U;-a7cuZ59%4w&Kt)rXmZ5#__AVoXvgq9Df|Nj zw=1zthzV_Imx#2EMxKh)OdgIU%0FR?ttD(d`w#PBe}T}diqoP-14Rd&&1z8$3Fyx_ zBB`KoIL8R_!+l~}8ihtZ=zCVIz@g~=jk1LKAk%J^gtu<{Mihn7b3*=R(zM+SvHtQqN7QmCI~VqkUHPESn-X zTnTtgX{Y1_V7t@dt2nssm3kK?woUnFi0tgRL~;|22%fRMjOn5*>vP5sr?(u86}1U3 z$7MtGf>xyswx6;#;zeFo-{9AbvZBV_K3E!8Z?1iC2z%`3tiHSyA9+gDp<}z^-rW<0 zJK#zi)hDo3#&cSo=HrDS+B)TY*s5W*VKv)}xOSbhFP45GqQ=JgUZU;JYM?NbNF2eH zu;yIpT(+0)SI8^YADJvw=YL+7=GHg;yyU+quK#nb+$|Eu4hX6utsK;V_?0e16bk8S zm}eE>xg}*gh&97~7{NR8Hsb|ma(d{r7NaQLp+w*+4(jW4rUZ0e8!6$oT+_!ghDbA+ zmpMSzEub2Nsl?NuljF=bfVqVL1$+nwe6T77Ct9<@xv; zn-Na*BmlHcynJ={1EHq@3$@eJ$^MBL{2!Tzirjk;*i*x3gR2SW6noHtWOd;qcsz!C&f zfPVrPiemuaLT&o1_vZ$CpBrto{deFO-8p5*5kBA0M%R+(eq$IS#nl6Pn)^DwfvZ+} zL5e=wyy@HrO$cjeydT|iVG<{zsSSM9b9^bEmH7+}brU_zm3K2E?)xZtKKY4bYy#kl z>g9(H#LMU+B==q!Jv37EYp@APn>|@h^_7ePzZXM+K=$dwE;&^mL+&0l`f?uZ?8${7g7|Hy^8Cs(E#%Xg)%GnK!j`L53vplUC^c%F?q?Z~bG)qmMMN>}RYpWDxY8Ci5R zmpau4<(Eg(oe}~y@C4ulpbqDRC*yxlEB3apj*`(lmgWjY6sA^N8wH}ZS4%!E!=SGm z6d6Ad5>$51MO#_cY_>xVfKIki(I`QOUpkKE4i51KIjk&d9heV3Tjt?f3o<#O+S@)| zu&;@%Ou0&2jlfjG))}Qrij*d*TJd36)}I#ZccJYii8*SgkQ+ zb@_=ST6%&jE=KxgbR8K&^gAaFw&#TQL~dnDB@5PZWfmin>xT2A>@}SNF?>wh1_BSi zhx#{kW=rQ^2beT9Sp~+Yb%j6lbE1t|M=?3cx2yIMJCkW_nXo;wHLsc*?{tOsLe%7_v9`Rc9^|YyGOXQu9`3+tWCo?>+*(FR7Uq%0>X^`w7cR%B9>bh#8Q|;0w z>97kxmJJG_0U_+~4DR7NAdLS_y+Y8=_9uP1fCJGvFCu{Tm$&Uy$EbbOE^D zm(E#DJ=p2>#8!?U=LPZ)1cmpdujdS+b!4-5geKK`z48_$L%2>Ol+mt8iv_d3+1oP0 z&LzPNkDEzkj2hTK{XqDv0I0n?LRnm>ptQZi6?XB2tFeu>h3mDi&Sl}rFM#aca|xu2 zA|5pp@%Z@2sJQwxfFAH!?q`s*_$P)r=ua%t0fUrYfB^q*HU$6LasbIJoFQZ_S}NPW zxR?t~RN8yxgt3j_TK}%BIC@zwtun`Hy#h{fux+zLezqLy%UgX64}C?7Lh{3MqFLO&M0YAs_&(%tbx({*URr=04dk=Hs!A?=cN zP1UcS-x7x&`(Ug^ng!to&1Z#JK=ia?AR0-%zk~Mie zyvozg{?MY~i_=xktKMx;n~p7It)p8(7J;Sw8YGwm&e@1Q+>%0I!TQz{a>QQ%*K%6v zeP<`4mtV5D+T{5RD~Td6S@!tJ1#kbZK0|JHZq+WI<2**(*<*Z6V#76ogXytz7MXd#Uy=K@ zu)tDvCmd0iPA@G@lF7V^z(FM@xyS{`E<|c^nee={`RZTFo zei%6IkmXGAmz0Z;5b7$;|VnrqYW0&CjXA~*kxs^6@tGbezQ(2F%-7P|MkvJ`rRZx8=Pz3Br&xKtyqwUP<9Lw1SP-XX 
zBIYJ438-@ZPnbaf2SA}P{QzcKjSthby?AFgv1;nxp_la~EY>;o26f9&2FK|W`xDWD zh#nxf8BwEFLvzB>BCuUB3PaOwLRB8q_fVQJTCC*C*L---Ykf-Y%|_kv;{Mqq6~Q&# zPE3M;kYbJ3B97XJM-5u97d2f3hMzI<%v{BSlX9PH>L*^AC2qjY zz1DjoKZEk4e3bx&h0-4g%0>;gh0tfM17GIdDw@VKC(85{tyUb>CErJ=NErYI&g&2G z=k-F}<9vD|T~W89jX$8DjwZ2wPPAofq?R$O-*J>btzN%S9_G(Ye!iR)?Pg1H(%2%T zK2z@f{nzZi<<5Ffqw&@F$VSCCS##<( z2NM~XMs0KBH8@|&lwj}?lMyW$J<>h*GV)`$PAb!`L@W9Q{MnthP5E4-;?6O|T_31U zSz?3p&OmVz+vK(A3hGo%dVZ}+Qjk+dQ72a$Ou1I?ygt=KTpRmbr~{TmWlxG_6i zXSCJydPX95Cm~rZ1tloo4x71mf&sTW*L;VAQt0EV1AgilFS$J zj9!oQMFEurQGL!eYnSIbx>#Dyf)di*x3@$%0xJ1Y^W?Jf!{(UCc4=_NW5?vU*kBeSn!*t_L2e}`SldB(U3 zQf1xL)|O#u`+$l}oiX$6VjY4nMl4n!(lG5uepk?9bs$Uq5`KDn>sDHPpIz$8X+DF; z%A4v$anG2_hhtZ1M&Fl6UZh&~5N-rwIZr+|3Gh@dd%32V@TIc8F3>iKfvZQ;k`^f) zrqis$$A=egIaoCb=wcG}J^lYYaTTi&?$&wABq7&6#u2mmV%wgE!E*GXzU^VE<@7tg z?NZ}4tr=$@1H~ZqSmpZaR>=Oh+Q8Kqeik_a%NMe!qAaK<@1ZU&*;WM-WYZ%hW+izc|xUxgBxh{6cN=o}|L0`;dJ7#ZT~Se=VO@L-G)BsqDs{kb*hx{%V#G z2}Xww0NAi6POhnmZ#>uS$e!~hoPjgRl^ekoyX2gVa+2>Kw1Lnltx-KyeY@jbq&UkM z`y%#@uZX8@79r`Gy;R*s3%{TY28_F=@aS36N~!n&w2N= zbGzs~B&Fz6APxIX<*_Zx3JCir%gq$B%2NT^*Po}4I%<CD` z#?yIeH|bnD>G{;MexaVQvKKW&c`B5)$SF>+*6PU@kyeDNc|uL@`>#!9e z9g;@Xv5?I0LROpA*QAdZr|$Blcx0Y7_Q(!DF1SO_zzXv^+ml)DQ(a(w=-2DnS2y#f z#QCFQxQbRe4x5-|Y6QL@LK|DXC|BnhA!1piug~i_fpe(nRiMC8OZZTGbQYQEvJMOJwO@izojx>W`1T@J*bxhheZ|94233yT2&tg z`39=&ivp&WwKUh55I{(tIsnLD8Q{R~s~qP}9#T&zG}T8^n>`iz7~LZo!dcP#9e%e<|FGtBlQtvT4o8a}jt+W?fI~wRC$H?Wz4s}UK z518v-(mBXhL(V`=Y>njLKees&+qYK+gp)3WUpkn&U=7i&4Fz^$Le1QYc$`LWAWP(~ zl%EA&;UlafAohamP&<8@Y!?N3vCM8Iy5WxM8cYO*#C z6oxy+@BEL8!-CveANYQFCnQ`mnHp_O>>D0k!E4fFmTw%z z`$(ze^E7Z2tQczN`Lc0{#{dL29Kco~%?QL}{7UV|&T$wb_)mB*}Tswo{b&#jSqG+TnVi{?nHjh9#xh zt5iDbQ>&E_MSlv4Y&(A&J*t#-?f%E&ppWDE0fkxhSQOoE4S|PARwBeZbX7+4i=?MI z-U6H4=|Q4r276^zIQak=thB&lrha}Mea6>^Gj(h3T}7s}LtQJb^Z6KWQKO!1c=!8o zLb=m*g|~clqylv5pl`fik`EzPx%!K{`Yq{M<~Nquv=LJ9HVYA7hL3^a)^9$x@TnZ# zV`)l`57Rzg5M97P?n2w(!YYfBYu|Q9h7+lq;BUW`j8!bs%Tdl8n=?m@i$O&F(g%u1 
z@J{r>Fj!t_Tf?F(e(#CvU?Sm7Q1{yV!D)G0^1-YR0uq$`tc=E8{!qjfRAEumprrTy zYmP?d!#ZQ`uNU{5CpsIRiIE<6r>B~UCzQiaCEud&4xf+M%=D~262epStW=+z&8pZs z!3vvW$o9!Ko--EB!I!_Se-=v0{E%;ABGibrOUO4X;VY1~t3mZMiCbd; zgD5b^z3TZ?MDE5y+ecGwK=trN2GUj1K9?MfRaRxH`aqxGM+mxfpt=%FUJAQk{A=1QDqo5Ndcx+Mciml`k_|mYdaWJZ_>@X#u zE=tNl-<8IqLoF2})wZ8XRWwGKWSS=vn!;W#HG%-dh z@dpC66Z81R=G#RKT{<0i=jEy%qIZZ?A?sVnOsJ%y%yS&?fkfPc=@HT{9rd2m>@}<{ z)&xnF$tNpDi-fuy9^qYXOU%ccC1ttQMf4r>^S!7EiZ^(b)ooA621(Yws0vR<{EJht zHfP2AZ*hOe&^>6PFs*$UvGQ%?sqT>oWW2$e>8F+E-_XeZeY;Hbxa|EKUKR9S`uSbF zexBG5cuNYQAkVe;Sao@IyxW?ps7c#(HV@pLG^bV=2IdC5BnJ^$?FFI`h6=?Dv!YYM zLNNyN9L~eq(CHqhY{jB>r%N^T`>$0QlRLz6h*2sc9E_u-S+Tbudx^=~MY--D*5oJF zEyy)`>34g^vZ)_j?=n`ioUVh^|AxZzR=siZ1M zpwlTksG@`z-(csnCSns`aNF|vl@BjfR0|5cWT9t&8T|_6#+U?%>$hD$~Uu{Ns z&s%g+86hOYvY`EGD-raq_Qw7RJ5qa-hS^}Gi}jhTF>z`)u-%wd3)89XLN9TZ{abaW z{u`Y>%NMA|h$5cafwlFfh1ZuDDS}i7?C15J3#8vP#LUdXq687l?rf@m-lX(v7nHn^ z>`BY&7hKy;MPi#^J?=iV07bLFoHFqa{uF(~u6~*GI%3)spuRHJhwg8p(M$6q?Z$)0?uzVO$8{GuVLkhWn z61|^_n7fJAeJFiYjl8%-R24v#E>#D52Y48cSPSuGuR!)iwJzuzYsPaGo$&R82gI+# zBP0ZS2f&y!nQGEOPO%ejzQLqcZ!*Ob9pwof6l7`ds5k>Ic!vhX((e3Ld^p+6BGs!V z*`{4=Ts1I)5c^*}b)!5N*%B?9l*2@$eRwSWQvX_cWX{Xgrg7(cP3%xzZMyAP*TVM* zE{Ak}f>3RYPhhKw>Ts1VHJe&TMc)0}6_ACM*aUjGWKRxK-=hzrXKM5M*5oLVzzdss zk4<7%TPyGA0*}W!5436{l*cnDoo;mOdB-IjY%y4gzq~4x6_-rdIxX0l<#2L^GuWEy zSJjNsdKAw%EiK9;Wj$Wo&|(j(5V&Z&U*1H!+RQ3{oYtIr`uwVb=UZ(kst0M3;X4GX zcA7L#EJDP<6)dqWrQ@k4osf-1xl8kf8Gj?=tjSZu zj#-CnIvUmR1EKL9>gnj3&K~1mm7?VfnRQ=%K@xlBH-EQ)3zmX(#NmoRTqhqF24p8o zN#u_=(o0INV{AIzbFAsbLw9xK69<(C+GtALG_`OYopx&HR6<0!ZSv-VOEN=`tQjTZ zHTp&S4{f3njuo?YTZm`pO*%y`iJ?vb*2rxYF*5yq7o?-(&32*MRHFiubf}$T0@a;2 z2hL}Ogn~?i)YH@%-{D#n`J*-IlpV8=b%UqM%Bk{(F8hA zs=cV+tW9=)>MaVGI2Xp0mPbZ?dLjJ{AQdeO&?xLSS=sZB22s5V+zMy>ApbqgJU7Hl zeHYaiajn^z5cq7Dv56IVv1iwuHiWjpia?frw`(kebd?R4pWiptbSXiR)Yf?v8I66K zn`)Al<^gHd1*e9OO#>|)BYvgZzTdA)?-4t1d)Oq9$D&s9+4R5PcSPQ|Bc!_EE^m?K5YiulRci0RlQmY!xl`IIOv$P$` zQfWdb&(+DI?8s;Ln@!j*qkMW`UOrgzmqkwF?yW}^`euN;gC@iHY-$Ry>8CRy<)?V? 
z6g=t+6?=41F z10^)kwV#*HG!{Yi&}rbPQSH1LOqoG>jBxnU1uHN-+y)FZ_THQ{`bWNZrp!g+~58j|J`%{ zdsxT@h6U-;gE+H=XQ;QUpGtVI`rnW}26?)YuH8j1+@6=v*VJjm`#p@1nXu6Pi`hgidEfWbp4S4?hSX%1%UulpUqPPuKF382>F++zizFoVr)d&4H zB?PF|)RDJDAmbre#6Enub)}*Y`E7hwNfmtXADlc4|L4pzOrjf=m^EGCtFJsCF&q34 zqqAy`8b8F&Qw3VlH*u!sa28x>-OI^Y=S6;xzyz3Id`DE2CZY%Mp1%mdp^3kcKnQ5R zUztqid@7l(XftomPE#u!I-Qm5N+6#k@9}1h)q&>j97Xu|DQ9Vk4BMD=7Frpg^k4OM z{%V%3CGY*rgyh?l;v8+v_4op)aqeTl;JuRov3Cnfvv5tc`+*mf#Gq^uKco|SJd9Y=1LR|_?FS5J6jBd9#efsyVOvCcIw|Cv?fC?vSMyzy zQ_`{4y(S2hc~8Ca;>iu>>*b3jl{>TK zi^CO|cGpvYIa6kP>1CA@gA&ZQ7XKiyYT7-EgVbRGR2bX#9Oi55j^&x*Kp@IO9mczupNKynap$Q^FdKo zwecqP%VfIg6VZi&1=i@7P9!GN3C^3 z8vV5P9Go#Z_~MjdG(EK9sM`a z|0_U|W7zobEPZ}O;R6Cme=lJAUvM9pXCmwak3IAV@Z<8FEN)hWOOf;6xyAlKkQTN6 z#Xs&BGo*iXE&dl6B>nf*9BVyCQvQc_Q-~#xX<4cY69iP1xqJ$y0IkL@75qgTG5*FR zMwieL4WimB1F~$FD5HGS0$y0rU=I)_>OeU^VxppntdY(byTTvNA(fCPz zJeswTPMq<2Q0R255lndU8QG8*{R`pzmyi<}>((gNb+*QFZBAmc^M=RW`g31-*=(FW zqgij7y3ZRV`6(3_%|stp>yJqHH0Y>Tp7>GGQ`jnM!zS0Jy+~SI?>|&-jI54 zUc2cXS9ye`>VP8}@+p=N;_)lOx?>iC#~!f@@(hce58q}-USoOH2N-uA(%X5m1DXuz z5)u#Z$+uDMkogx_JY*uHyDWpi>0r;lOqb@4^LWg$b8%_QtA1aghW$WryP3ZB7AYD` zcx>0(pl=Pe%M>ZsTb?&mB!PB?s&@NkXwBW6efKFIzwTMx;Cl37>U~fJn+)nUm<5Ur zm`P@9L<{=^U97(6pL?tTqU}%rs#x`3a6i%$Kx8GVCmhiCUH^eFrlKF8SOD%bl>x}{ zK+-d>MBx?in}1R*o&xHAUw3CFI z@PzOZzu+lB%aWvk`>0BnGw(&90}Y|`-Tku;_2H7|>`Rm>R&nNCX>r&$hal>ydB4&f z%{m!|NQ!II)y|bj!e_CAbt+AdS;KoDv@U|%;7MijC;UAnPn0d|#vZ}HraEkKvf_#@ z&fj>=yql3)fuPvg#Z<8%nFF^>-gJi&p6Ahgb+zofH6Uy69fuH}cC-V+sxQB0nap1Ci~rH z(wqCF?D-@a`$eBvJLlTS^Xg}}SAcMw`d%yYx$uS+Pg3s0<}M+GOXLoR_N?sT3CN$f z6@55da-MH}h2zytwta8KC9loymlER0!SGwY_;#H(p28Wg z&S}DJi7=_CT<)an7reQTlaA{?;2M6OzpbQ)O!<%;(-iQ|sY$yNG3?3@82q$1$p7c? 
z^Z%Y~|2*0HH{b1(+rGc5W3MGuZA`WFGvRcf=}ImOMCj@=B7zk{5flA z!`~K)1}aG_)8Yx8Hr4K<>jKm2)-TI$O&z|k#s>2CP7jnY18jQs;$I%J=rjAB0du^4 z;ArO2RJGiakpN^#T+AXsw6_p&INE?wtg;()kdGT1vsNO2qA&Vnwn^;`Ry3L zcS7C2VUhi$&1!XZ3H=N~xhNw3V1}I&M(GvN11ME{9Qpk8Ap93f)&C?Y_-k`M01omu z0mT2RZN$GBS_dav*EzGnGajIGjpBof2=MfxYxpe2Z}@@;*$m{3LgHlGxSlDQ^R+ zDc=HRszZRW*U27S((}ok1E5JHsc+wAe}iE|bI}eur4DF7fv>1|sJHZ{h0DO=#tT+>d|BHVcB?R_DL!YFQe6Qsct z)@}&tp?*?*Y?p>|uvk5jQ+Xrtsz;(-aQ#;MNuVz?pq)QMpjcDh_(4bJ?dd@e!lL_9<>sqQE<(p{ikTYd9jiuUuY@xMU!k%K^x3}f6;Fh6VCSG9bry8wso--~m zFWxyZvARMRZOUfZ1xs!F6m_=zRC)PLXJx?sNiTU&Kn)ESzC~qJq}aDeOi|fvubBeM z2L%$!G`M927t&mMrv8ixI-22#78U{k4_uGjGW6V5M_g!A=Q%yey}Zyx@B1Xw5mwVsN@TuXF}SEf%H_97IB~{%Ft&$Oe?2% zv~TV?%?PZGH#XeZuRvgNMilUdI{3S(3wmR|_e{ewRDORA&EEVeAPM~W{xX95M^WAX z-}}sW#}<8xlzwL))c=Z`Bg7gQ=8g=JX@)5K6&EFcX-TwVLuO7eME)p@Aa) zER|maGCrU`ZA}6yga1byAQEdbSylp5a}n{i&1sDLbQMs&kCcj!Lo-rSZ9-&2!a-|; zqkss7b@Yx-q#0wUW)pW96kYX_ynM0p9Fbojl;foflw+K93|$rNS0 zUGfolDWXW9o*6`66wprd3S{f9P1=nSzSOdKfpAVa$^QpAD4G=$4RV0(cmN~%VvDIsGLj-6DLSZye zBpsw<8@K{h>zx~L06aal0WeRb%vU0br3?O__O3Iksdmi<0Tl%S zkw^-tVsYF>Ah=`EmZ7XPtGeD!K0If!`zxp^r1B7BxWN- zUo)VCDB5@F7r^ru;EagcE?K%e?7H8>J7J8w!d(qpuD6|+C9CcJ=#AHP-Zi_qO;1*u zf;f?trpW3?75IP!Yz*?fQ(A50J33(?G?-MMLYK)A=+P6%MgB%MG6;M^&KkzX@yh4I zrY8zMGiazrOm7nK_Y3o$8^ct-V)GM3T01E}qifrEsQV=@wR(TqG`H{Hr}38CPoe-a zeEIkq8um4a-trJ+KGU9zoO`mlz9>B&ggyjD%V%pSJtHZYOaqJ7$uEksall3LRK@zI z@~MU8-avOW8^t}Un-mVGL69g4S9JgLLgumfFUUdt)ewh2Lr4D9RW@64 ziYU4rmzG@XL~Huajy^L>a=-KqQPN52MdV(cLduvT@M8z>lC13;MzV1|EOpzf2#p@? z5#lu7_G^}(jzQpRq%!#26I)k#t`vrAcNi%NDl;CbTWyWxejqn4vwNq5P56h))s&wT z3cqQMEUksa<1Vu(Lk2hSHs@C`(uM(5l6TCczOc%1;>jb3c&m{tztInB+}uHKo9^vj z`)RjyM^r+at!9`0?_;ZEN5Oi90)IryA!fYzLshz7)=FN4qwg~;&0fh_tj|ZhkUCoD zoEF74yrnijMo|UsnrE32lUwt>i$(Oh6YGytLL#!ca66ksF>&?_AV8L$wJ|W%yJt}B^xM>6ht;;b zI_J#DCPsY`kj<<9;k`?`WikvMt{-2?m#}-t{y zn2YCYuXQ9Hyt1o|x-+1X{({m8L~&Re@-}wh6R+t)4-dcXKV(t0AIbxp{$ly{pXKp? 
zD-`sgNZtq%VDLjNiWodfUa!emM?alBE}`A{H$~*_`FjowHIb%ymweC5QXO=bat?(; zoCELYD8+9^p@pI!=H^;q=}Ef-4e0vAIaK)Gl-J!fvw*qs23%Z{2TyY?Y8J5!duXng zjVY+LbHH9a%6T-`9aUZv^Hgm2v^p*WV|dp2d1<_E<){smn*?Ji{Ln?_`-W%+_C=gY zPFjF{t$DR-p1W5$ot4oayx0y2B)L>DrQtV?PM^Qtz?nTp&57_?hw1-e)8tv*X^MCq zS~z5u6`(I$cRT#IVW8&Yl{4-EZx-6|EF!QwE^K{Qrr$>;(*H0{S<1i{ZQ<`JQx&~M z@TAZD1*lbdu}WBmU2`86Qt@$`G*>`!1m7>)O8EdsT%C5NT9~EBX*8~L1{{=Fw#+}y z`!L<&2%mkIJ_o-TT_pg{KBDu-p%u%e&T6< zC^xtlGImNbTBm7()p8`eomhv8I(TMmGU>fnj~_Rf&!V0oXRi&UZ|q+<$QwsVHl{Qr z2Az;M`@)8Ns6>kM*``T&M|`6oi{`5b?;8WShJ*v) zL{WNH*N%yq6VhwR-zp7rDlhTWLZUV9u|ew5jivyC%KJ7dwyYuPq80; z>$}QM*AlETDwOFc!rB3|!k2G>y_a0tt5xnp+_om=`P-;}1Dy2?thuPK&b3cexe+Ht0Xyp+R4uRnNIBTNv;Qh<|E@JuU(3k{n&igg4Q<}a#1Tv9hS$4wlk(rTM6X{=DL6{%lgTb+1`JAF8e<^y-KO~vxWv+5I$4`6P06VIZ7$`x3Hi7 zN+Gw%1~6J=5h0hk_)8(T)~EQ=sN{W&uBa6m&=4X0L_wMHx8`*XAc1VE{L|bwXFg*l zUX$uB*E2k%JhT$)e%R)MXK1sHREaK{W*!mYffW4A9DWQv;Ex?r2(U0v(~K&IkDGCH zCgNx)^%eE)r^i?A$tHGP*@oR7R3dEpQXaVCa`80^-zHhs6?d8rJRlgM9Qy4>;D#J= zb^7cA*<0Yb=#rB1D0%ZDJKh_&1=|1oersqAqL&*fB66`J~b0}BcmO|2OxJ6X(LW6mi4DUXQ89ef;G$M{2&u&f3J*!I%P(fZv` znq0|(3leVZ;b>La)wqa0ypFzfRzHW<^G~c!p^PJrL&a_-0!fJ-Y~83t&IWm`P}SSm zf>eIPUHz#r@?Zn}uPTxNes50yyuVwjZ_9MvzlZk+_xCqDZwh~wVq&#i`4R!Gp@0PbfmFX$BcIA3c1QY zs$yO3Gwk44cNxFE8W;#YUi|(fKVgnFd_$sEoO^zkE8c5F9+=;)6t|2~h*X`C z-kaSK_q@#E(Z`qP#C0)uIqiWyQkdZ9Ct)=StEH`pPbr9Gp>PkQn2@3{TWvL$Hn;rx z019pRG9amK1@TXP#7{EYJngahNB`!c7_n4f1bJW6H9~3y7a*kEZqrrEXi^z&wK5b=`+L02!f*T zwMuIyX-uu_$05##xYZUffCRud)uSvi;Pl60m~1xV6TP`F3)^ucX0C9%0lVoX3%5rx z(RRI8D2}0&i2IT-?^N@by%y(#n z1{e!#W0WD#7pUa`hG&9mipC)NNTa%;3{5=>ME+M>#>v9#HAyBw ziU>eNB1O|;rMIhychL1pi+efw7}qwB!^ux7bfZPxeV2PgdR9kWu1ho6WDy>;u}Lp} zHu}=)NCR*{6>GB&RFnmp#-STX21F>~?P za!oCAcfP9bsId0R!3cr2X{%* z7GCui8l4%koOdCZg>u!P4+f?-AS}AAn6>ZL3;gP!d0)9cN;!~3Z_ZX+iBE)dsZ>wF z7%ANgtk(i)vhaulu*5eO+YC$by?3fK`!%TqQPqvo)hgyvIHNQDO4 zp8Nd8uQaNv%f0k`%>8QTpwKodb;j0b*O)Q^;)2g^B>e(#lTV+a1|+(IeIs%r&Ca@J z@#O?~qh!Ru%keJwg 
zslJf=`YupImTzJ*i0yqH)6L1)Skzi=_*MnG4N{ZxW1My*xgdymYM(8uR0D<5ThW5hyG41{j)h5^od(vkzP_w>1WiS2^vh z7^E?Mv|gVNAa3M#-+%J-o6Fw+-V130$+9Ng8GsL!${aI1OJdu242}fQ8)v#*123Z|?l#U?5rRYYFhVmc>dhxjoM+;@V`puI z>2f3sD|i=%cXW~$JAj=P`y8NTPRa6>u47f*$IKp?nWV|31l+}W+=MH%70Z&*`U|j? z=q#O<98h7|M4Mw9Y53|^xjo%sfWSzxQ{eiK@x!Qng_w6xB`c*yvgGPAaWXF;uV%_F^Gj{ag(k^kfAySQq31n&V3iy7RfjrcA=J;61r_2nPx%?c&im6+2!Oow38G?; zMj&tk1cubnOd;z*z$^+O=~~Zl)vBIeSxt?)Yd-X}>V9vQPxR}j;Za>sKlKV<4GjkQ zgz8ljw|apB_LuvEL_J7e{9ZhGWb`ykN10ggHcQ;M@x>WFrG+;1=RlJDFL2je7my`fUd zGFg@$aUmV*rRd;*04GxE`*Ekj{E6O2_{{dU(MoZxDUeqjoN}PzcZo{@d1Z1!I^RcV z^a!oMvcYx-Og7E)t)q3DjaJ4_OgssnZY9)y&gNYlze%MaQSrz=b18FUIbk?eEJASt zIvP5S!mVB|fOno&-wbYS=$kzKP7c(;%4hI#Es%9|V*m z;>7NuJ$j4>@mWxdZ^1%&I`4aEPg2tKe1d>LV^E!VbEbPwWasKgovVQ6S@#gcr4$#? zIDVZsq)z(SU$wgTejr@YoWJl%<#*Ptjd)r@m7$)aA6fiL&5Z@h$~t-+lbpg+ncb2n zF7jk+dKq~&Z@^)A6Y=zJ@XXuc=9KW*#Ebda7BoWz{>-8znfyttF^B z_WJrFWvNx%o-9PYnV}Oo|8m_4!s;UnY!XS|&)LaE-#M*pZ;&o{hOJNTgN*p2$d#n$ z5$YNGr&?pgju>K3#&)@8=xdPgd}*Mn=OH?tvOP^Q2jgKs`el)HsUz zkf}~3O5$jQdy9W?v@LhiKWfqS{O#&;@teMya*VhJ-7N*mXK{m+Vx|N!TxY$pTa^s; zrtnP7Af>iWboVLx`rs9{&&%mA?+@V>G7$9sf%L)OEbgh5#hl$OO3Ew?s(;dIIkUp hBqdhwDJT-)onolT^B?q^KSS02KmK2D^XB?B_HWem-pc?0 literal 0 HcmV?d00001 
diff --git a/docs/src/images/provisioning_flow.jpg b/docs/src/images/provisioning_flow.jpg new file mode 100644 index 0000000000000000000000000000000000000000..40fc4c858e2756454824c072971408c2dff40d4b GIT binary patch literal 54524 zcmeFZ1z1$=x;H*ZN+XSwGz_7X^q@$`NH>Ty2uL@BA|fCRAs|R7-AFe`cbC%L-3&1N zm+vm$_nf`YKL2yR>wITlANtJ2S~INm+|N9B{qEnrZoc2lg9sI5h@ zU%1dax|+POcJai%nF2|HurM$%G0?FvF)?r7#=^!W!NbMD!KJ)IOh7_IMMq0RMNLi5 z#LY_2z{yBW&GwL;^Zo;VettSuVR0c|F>XG7-k%pixqbUKE)FgQ9v%hnJ?eYB|LLEb zZy+KpR4mkOR1^l#Eg}?DB9xm}5FH4Ff(}UgQ{X@Upxi=5L&w0xx{Zwke4v~VbPEL) z^%fc`IyxE}@M&M*eGnQE`ki|Z9$^rxnqV?GlJLHY{DQ^!xVVW_ZD^l~@43_K+t_5} z6qHoVEUawo9Q*=;4~2w9q@GC2$jZqpsB36yY3u0fnF5PtX=QEW?BeR??&0Yb@FwtW z(7WJ}sOS$dv2h>c6H?RCGcvQXb8<^c%gQS%tEy|7TUy)NJ370%het-o#wWi2m|R#~ zT3%UQTi@6`I6OK&IXyeSK>U;o1%&!1vHmLAALJqe@bCw=ZTgiXf8zrcL(Q?%bC`{x9E{r^j{zY6v@ zxh6rls3^dfhe`y3fX)zXss7miQX^NJe8v2}K7FjoS+I}>BE{H->!p3$B$$W1ug92F zBC@sW+F7P&0D&cc1M(ZW;;7c8ULQ>@IW>X}K89YNrY!vOCfkZhf0zQ8$9(M?jp+u| zXpJO!QFjCS{3hjW2htp_^?&7Ga^5|^(9ejwjyDC-wK;~A+j>>vK6iPblExw^UjJy9 zU8qcesYgRqn&EW_+vi*VLIb-du%*fFvd**Qei+~PwfP3AN*8zZrUcI&+Bx~vLZpAUMIj__-VGj_%~}l zxMse73XaXg$wb~6&~P(iuNxK6y;m_}5;Y92DE|=pWv!!ZhnHVx!AaaX+)?9rOGtp=-2@^m zzgl3Y|QJ;*tO=#u+uEuN_FeruQS0*4LaB}Z}6&QBVUcI3^-2l z2RyEa2fK>06(MIx$cejh>od}y&%a7Ed;7eRgN<^4wTOmewBbR*l*;I&H&z0&>GKRO z`Q4=$^Ow2Z=d@RZ!nDUdMOZTi;zPW;5;Kx>lfkLn=_N5PkXFaMn^rWYWtBv2RPCGJJMVr>q=goNRI{yw&f!MnXCe-#q&fAk(Q6iuFYG9pP?F+j zVi+kp(AFkk@}tCB!<;7+gQ*71QEyD6YTr6)HkPd1fZl{}sm&&9j6aw{U%MBx{M;`^ z=qgtk6B;eQk4(wx-aORTPgm+1jCc^Kgh$1e`U;&yRr0Unku$N#Z3dxaz8b-^V+3uC zI0=fyq-%9WxH$#>=cSR!j9d}ftAOb1vm4N0pHaT<;J=!B;9kojC0@X`(qQWtNy?+J zrPU5(%|oQW^;o(aZ}NgPi6$Y5sx;^y4XWQ(=mK&qm^UUXcLR!Wf;F-t-;Q~ecz-GY z)+_yfY6u(XUu2*{RBu4=Pjra&IRr|Ux+~rJMez-&@Tc*ha=JuVz`G1qpoW9Yq=%*<{5dIt^_4 zRD7Pr^7IK9{s|F=Gi{d+{w9Ux6%700sKt+M^olEoc{NGc2Ve||ln83V5sf0cv&auuj>0 zvHlL1Oz#qevzYiu=DMjM_ab@$9!l_5O!W?wdq!gaUExD&jvJ8c4G0xsQP0{sN99s4 zoILj==<=~+M`CNfdN>Y0U~JRlV++!V^$5BuslHxJ8HhZmI-$e8vKo_^RY_ 
z6wO5>aXoQ@n1E~Z<~!_L3?-K#}ZXE%&(r9k4E%x0kzeN2c`;Sw}{dCNVvGxOnRNo**XsrW~p(y;;^0U z^SWI+B7r&C$MfEvTb+TzPDjrBPU|zjpu?iiTcPKc3w#R>xb)S^m1ky(kX!`MJVed5 ztdP@OQ?1n2s-fZXH&d9$T3z!U*fmoBN{I;H$?yEd!(V-gR^<0???4h& z4M}aH16h?p2Qg;O$9YX*Xhah4~3xGG!IatT1Yh`P&`Va!O^y^4y8Q^DdXy%y^GGJ@%jg`~1yi=;^5 z8gonn&*hE`apseQ%|cm<#43;6r6mkZ_o-9*Yd_IpuT$B)vP}CS9ll7)dL%YpPr9tp zs+n^jmq&OVK1FdUCUpEAEOOaAiJzX~!0*lOJl$M<)ge$MZIQv8`^@ug?LJhhK`UB5 z!BE2fi~JGez~CW7!9gQ^c?V}~W!wPU z_N^F`U2sXbM8QLAn>RxTrE=T3`MsJlB*Y^dMs54BCNgrXWTx8WyYUQ8_bSy>*nAem6g@rj0&o-efG_-S(dhs3-zgElv-_WZ^$B@$+veiUA%|TJ!s}oA zm}C_inJIGUvrJEl~B_zLW3zzC$aRfXZOzk)@?Gs{Us;KD(x_4hnv6?8M~ZNtB5p zUBqq?SwO1cW_0_Z^ovhFh$$JT1lAz?^~X>Ix(!_dEKJ0OLqq#@mBEP(xEr?My`FN6 zJqqE!0a5LU(JkRXDXm9lC-s$YN%4HpGB8U-O(v)pUdSCW7!HdlbkWcjT_PZ#^mwT9 z`gC{FdRW)zbFnG?eBz;R9(i*k$?*W`R&d7Tcf%HNnvkd463DVRM}tFwdc#UIX@x{p z7o_@X!@wc5fzf&ve~fF}!H(O4PljoZY?`f$W}w_<(kRC~f8)T|`s}uNT^h$GOlsXX zPhKtYdHVQ!oDZr>u{!g?D=}k?lDhHXAlmftXA&U`{Cgpj+y#r-Wnc_@cz{*LVZUm0wwjtXFu*m^8gL@nx0r!w#sNppHW$CR|8+u@Q$ z`fEeZkUU6^q}Qt%q;c07z=j;eUPIo1+JOJ6e>^rZ01%%WP+2)00>$74GnX5U!O^r!0$YbXKZ7RvHp4LrpMKkygU1YJxuHGm_kgnkR)5H299xV1DSD* zV@vcU!*pLLbVW~Emr_y7XUg{mbPp#5u{qZ}G1h>01BwJcxd9ciH69ZgbJ&3JWR@{- z#m1L?ZRAdp)Y!&_PVSaTQ)udb1c`(Cd|6m=4+!N&b-F}pGY+G-eF?gpEkLSBj7OyefZrTURS%`>Q?q)K$mm@xZ&rL#S&b z;tbNO-AiSca{4yM+Pu+nl0~l4RMef24>2)v10sSgCvU+{c3~fjVoeehJ(rTn**RZO zQn;!KW2A95mc-Nsh<`$oFaZ1D8*CrQIZ6sIzct{~;tUsZ2JTJPZPd*mje1{Vh@>c7 z93jatLt*O>U=d*8b>pD83B9;iEetrQ`48=S93 zXoyOfFRK)O;wDb;G)^i-mypN=H25)Q)kM&yqh3JYE2Qa#;SB}yAHvfgqke)a`&$YLecXbJFELC*w7q} z#wBWA!b{_(dxyoKOM*ce>j`f^B$&S;3*}TJC*q!IC3-)$=RbEyHV)Z(4O^F~^y5C4 z)j!}mjbn*6v%f=;WOi@tr98!^YzAvH1j{y=YSfk8)t1pd`bo%}nhH7A!333jBb=BX z?C-6Rx=@L)M!Q>vQF+UA zJr{Mf(MV0MT6#6!0Hj!f+Di}wYUMQ&isYz=Ej$czh2ow29ZqSM3m(Zk*K2%zQ8>ug zBoXtLA&~9yLDF3I2ru%dM&|w0$oZc;yRLL$@7;^K2aBEMq6h4+p1Vls?FuuZhMdAe zC1}RPj^z*0Dmpc z_qx1~&!-s7sHu||s~@;nJ!T(v_e;|j3tB3=3e$sKd)|Pycl1(FBpr6fo?$W2KiWIn zoM=nIu$^T(Ku_wAd1ikve9H8`tAXI6V;61tm;E3hFLFLR{Z{I#< 
z9o2r4E467*If2Bg3C+Et7I-uLpevPVzn?HE5xoa~hsnhN!&I=T-MTGJik zL(c%+8=NfCr1=GQIZR%A{J$=R4>{AWqhAe_ zyN?O5cPCa`bMG@?4v&wj~Hlh|PlG z#iYEAvJFmTV3KVlMaQ{B<8UY92<4Y`*E#Q#9|eWNeaDAwCES# z&Quy>ZNC?7vs@=BcWH~?fMgHIB8wzhMtJ6{4a{;YdmA-3!72^>+Et}h(_x&%_cm{9 zsb96Z#6pO!470LzTzleFCtoN6sWhqqU-#VixLFC)O)v0j(YXOF?-abU>Ex2v@>FK4dlMO7#M9G@?y`nfjTqh;yI znKg4<5TmyT9M7HpV&F3E+^^m*W_gdfZKr*MR(I8TEZD;IYO8X8pczJJ+Z#3W#AS=G zE6Vkv^HilV8JtNWLP9RC4cq!!_@lXtv4>Hfv9y-D^g$Qv=tQN@os#_<&=1R+5LNCf zUM5`(TzOBRr@}t_14GfosE!!ZjbzysBUswzSpr!eMw$tG z_#)Xf!E@1oO#+4Wq+$)2+csDHDJdy@0Zypzks?_!##MEvkV)w4CpY&)rG_-X3 zD}bR({%h40FpM&QY$WV1vKBy7Qj^QUe+;`mwEiPJ<)6SN*mCJt{ph!NzIZUI)dg1c znjWSxmI_a$v@jt_4_j5`9eLaC@JDq{X=<1iiwFAJEgBO{o~J!dQK)s7TWP{i(g=vK zC2oe{xj?X$PqSlo_hjYQn%I%+>yRWb9VJZ>k|g9k0jI1Mx?4aH!=529vq`X{SWasR zWA~;%JGlXEX?shPwy34&%J=IR$BPubby0o+q_N!N3-E&yyt%W%)oSoS0PUUX=R?dZ zMP=&Cu%&MkUq)C4B3VRsgsyU$%jK*o`NR=B z{#lCz<9@41#_>a915Y^hI}46@%=ah(BQ#qbmIISa1BM-tB<~y0x1G8D!0ENDsk?M% z-4oT}AHK*OxS6F@4%hK~S@(xoY`9fyL&Bbt-GCb40tM2fN4qL2J0H}?TzU*G6{|*y zOy?Y422#URcSR<8{CM`0&fd7jmDH#W7PH(wIP7d(+5~T5_l+OZJZ#nT*4cFH5##C{ zzzrIMni_g2sej>edv3E9?t?pS7OLGaloTA|QFl!Hz6$dQ^SH>hkg?eqx2zFsi+5A2 zQk%H5(=^Pyqm#fW2}(LOy14l`L!0dd7T}FmDE@9x(6wt{@s9%XzxlEMdw3AI^@>O- zs)yI^(KjGzaT~2ar~>;tK;*xRlmEwq$S7irr@16OszDzaPg6L>A8Yj>fhJUG&+ zj>P=A=Q2@1XZEv+I`tJRb;zlHVaaDEKYe&b~%j_Jk29d z{i`c@#XxY*m6Zd=0A7a#is)}7gNlzx^5d8bu_WGmT!V7y_Jegi8jb2D7%M}Rr4*AG z`1CCJtKO&9?5aVPzi;W6Y*O{jX2DFpaJ?bic*W>Y*50>TEjguaicf&oX;l?(lp0F&!Lo`}#;^9tTm{?7STmG~wI59F znts@=c6XzDRX7>KDVn&F@|K%ey`+BBHMpqH-=P%z_}wFLS?n|34$P_XNFSy&XhQEM zF*^C%!{H~=1a|i<>qIJQS)bni_@-&JJi(?UVJFm=kk zGiME+I$^Pzu(8!oc>`JEi@DReGKJLH-%P4}3c`8CF{!n#Nl@VC3+FEcMD?pIA_~fb zOEh2~zfKoaRXQIc%T-{vIme^gkG&p05}GUJ}@Nzd+(8%xEQA9z-)DYl1wfE1ad+4v^?c!`rOEaB+(5Vatq1$&!v4SQ^G_+ssp0ZVaXnVl6H*&?(|FX@&2=wQVUo8J ze}z!~5_)DLGNK+Bi#?!mWB2is9R5||RC=}lPpKouA2O|!Q2|k{F_&08mOIwBuYoel z01ItQ)-Oil|ENuo(kfxac%HobKJAF15DaEBr_Wg?^ctop`-PTBs<+xL8b!xN-F?60 zUK8!?()Y0h8FNj}R&?qpr~;_}lKXQV=lCIkmRi;^zi*1_NjX4Q%2m(PMSb-E<|1Qq 
z@#+^NNU9x4UCeMPk+x+EQ2kU-ePzcdZa}m-u=0GsNU~mE!1mKF^#%aO-W*WS!sel0 z2`2w>LZ@$hzuY`+8v!pULW%>WhQDLEjUM&f;ra9J=`2Tm?O+F+alcFx^0(Qi z9^&gn{^j=Be-Tup@o%R7m+6y7IJJiU`R=lR7Bl0QX~KV*eO*8-)8l@G3R6{xz~0I| z)+2EUN41?TX)bB7ihR!lVNPH9Y;}ziH=MOV*31+3lwRy=`O4Ass6Tp6Gc zCQH3hADK=u(aPgY;nS=J*nynQ?F}t=;YV~aLV3mVKW>wjq{W-D=nl+A)*xvECO-*m zKQ($}Gga3WGfniKqmUQ6*bSkI^<1n7Tus&pVWM=8e4PtdgDNbEX@*|YwUV2ZQd^Uz zD`gGE%)C0|#Jsvy{$P5?r*%@_Yo3}o`9pqp8mA;}`otYEo>W+~16SOsUE}vDC0(jH zhut4n?S?B}WF2>Fjtq8Q*;XC1xuTC`l^NdCLmOiT6TRG~4#(moVKwqUn2l-f$egip zt8lMyiYgGs;w7H`bZy1%-Qq;cgrhKt@loKrW@a9loRK=6ig~T2*3J0i zUKpwnn!jYzp1-V3e~2x{rzc}vX(I(jzN&Y7t$X7N^Oqlf{7ylAh%Y&>`m%VV#xDau ztrF8Irru&fn5&1fx)jT!X6 zFkp3g4}CkP=ThnRS3=@b{mwI z4ttym)X-4;!GayeWsNmDjPe@gxifiHC`vDS^X3|+udy<19oVZw{DC$V1f;JBAs~j7*8m)N2FHS(2Xut3j+{HLGUT~XmrzL0R%ya9wh;Q8P zcp>Y&Voou9rYt)@HQG#)BDK0__d6zN=er8K*dvTc{4cpPS*Oa&gi>U7<`GkUFLM2h zek9(y@Acj^@%_-t;&oM<51M zsg0P49lf_gOXa-=XPR@x(pEA#f&PYdmh~(8Qfq*=V9NcSgfBve1^AGt#Ly0-6zWFxR4d)}|t+2|_ zIu;(hH=$9N&usVgpZVx0QJoR3!*WxqGV;fyapij-m0bwp#)SwZ#q|M&XHbBb*`vJcpMHNiE|cYm z@kKoI6WUO>(Yo(vMhv!MlTM+Hfmkf@p^H&7Qb3bY$vnKAoAH(`_%g&6#xP@waEOl1tPGq7Aiaqer%u0;Az#*{VsM!t=NZ z3nw`5=HYFbr!1~fi~X$9pSmfnQjOz*;NQtpB0iUFP`4vz>y(`=DpEcz&Q_lwfooGA zEuiV;edkw`fMIeVc$dHHdKV0Kjn%HLyp%JaB;()K=fsy6`i3_C^_e^E!lC89Nw0Vxtwd27 zxQd?6Cp$sw$#G~pKGD(Dsdzb0TrGZ(d&7=jWgjGN+v{>o)^x?V0Og%AEaF+bl&YMK zd8`;{IwQG6^Pml)HppLS zyoN5Q{oba9hiqz&@+NJ{6NgEczvyAh^(}WnMsVvYc`uDl{N%N za_lzZg=o0K>-dvNIb@7e@k8ux=mpjstf3KcYrMdm_3Dj7XtbKC6mIwB zARpPzs8F=#+?hqYjO16)^b4RMwFm))=<9n%-qB%*WV{!ti-IltSR5-mJpP%_^!F(` zp;hP%Prq|wvhZqwsw8eW#p2vbdvJYd#TcqHZTjWN`u}Wu9%CgycxVEcK(OnCvOK{# zq!cEy9w4IF4Ck*@m$?DxYC6E}WxEw#1T-_O0f7zV8qX?C8~7tM?pAeD1H2tR<>dDM^=L*V1O>~d+)BZ07t)?~BOuL_rL_8u)X)&0EQmI=DsJB3CM zt191WyQDc=d-!`!WyM>DTn$ghz;CQfj#FYo=t%{owNq14#BxqMROp<(2jf|({`d41 z&BNKoXXzu7hO!^Mk@)Pk>E$&zUa?yW)^BZwoqYZ*VM%dO@391^3D6Jx4ENt{X!(cu zAebGp%;<|m03H%Yulz&GAyLB($QO2uo`u(y+~aF*l_R|IkhJlMP^>1hm*ZoI4qU9i!-xrewi7 
z`p&LhjITjjf#zI&OJ4zh`dd}q^7q|0_P=)K6fpif69D}(nZN%2D}(FbaGXhh`I-v! z{$^lD-YyS3_hL&e;{}BLZ)`U1`zL#9phTj$fte8+^Y2w1e+2&;U;JEWQP>489pVhA z+vX{h+TDPb@58p{Za@|V9R2#AWS;@mRfV6^X4||09pb~zmH^!y4-tS}U_verfZb^; zZH@PDI>9s?9C2Y@(wHOs+h`v&9V({?E^HB0PBT-L^4bTBDd25zsuw#7E-x12WNbP> z9{+2{7plwN`311k3qt`eA@*SYwJ1`;p>Zn}xY4aLFuT12&Feo0HUHV>G_^Y+PV4s3h-%HIl=k77PLN}c;{y-5;WSEFzf`5Y?9`AWj9)eJ zAG0}1qLGgu&g~T;{mb)o(3->zs5?r6srI$)KuAQ^fTd2iBHI}u^b$Kr$^!P`BweQw?dQ>|+R??M zoJum#?zHMcOTB~Lu(aKf9}P1uLQ_N+C};L5v9^8XjpUn%1M{k?2U95*Cgj~I@S-Ih z&25vzz4(Y|NM}6p}N$Ht6Mh{kF(qZDYc*Kk1uT(Won3n2JVD6Gc(- zj{PpDJ(;)e@>|XIgJO)@8RA8k1M~nre<&SPf*zG1dmV%;So=YMi~v(Za6&`hk(YvZ#QC%W=&eKnZ?s3N$xBDJdW) zdpDp`tr&|bfV}q%;O;dd`}8yuD+R-wq)9YB{M?PIV}N2)-+=Zy08U8(iOsLNJbd>r zjfiaNOl(YvD5Hb7#++XohJ35--0av5vF!73a{B5<0~mz@tu(lQb`|Q^9nI8f{q0Am zZqe5+@8`C|(Z!zyOKjUfu;co|88(+V#W{-O;Y!%rFH|~HPzTlcRU2oeA*xS3i>^0S z`NA(!dks4AQc-JItUg^wcdW=JanfzYIl+8oq1jpa->w%z;$DmA%$!giqMN(orW1OH z=;a=W;hOn7j-_q;#fYip4+Tke9DXUxwuS@tN#>`74^@8ls_r4y8xf!a?17QSrPWJh z4G+>E{J11`_294Exc|6B474RZ>OWse*Cq3QOZ6R(J>k@7yQgCGas0XB z*_s-hQ!71fT><=h2+8B2tzjN+8~lP z*uaa4?#cEd&%({p&4-8atnnrC>zL2PL4|c>#8VR1K5WY0&j^C%h))Q}JYo$6Py1)t zCRw5w$(*Vf1EL4?PB;!yUM17Hkk?#wKCZeHLkq84fv;n(8TIL!GGdK6z8<;-xVUPW z|4v(tVN|(@2Wc5UfM(0BM>Vuf1_lca*t7#lYxF|n#d#ILJ+TBZtAX=WN0W4bCJsrt zyjLX3rxkiJ#730&oj2qL@_6qIgr;m|}&nF`cYX=7Pk7GHB{+Q}m8})t7<-T&6NB!)5Jxd-Xlqi7m9*s$qqD|r*!5hcBgjrr;B1cHom7kvo^%<-S)mbrTvif^8%vY z?h|B3bW8>jx)Wk~wu~2#NpY$vu0yFd^w@6qBYrj50W&XHC z+P!5==n}^2q9wI6!3d970Nlk-IDw8(Ox77z0L^RzGba`QC{{tObn^9F+Arj-uVc~3 zAXO`!%eqL6DK;o*r}L~XI4{+n_*gL3B}X8~aG`!ca|5Ctry*IEjcjHp6{SX3jk28# z6jFzCl18?$3yW4dmaQ*&n&~XbxSRUt@+!O45VY9IKAjRwoqJv>w!_GKAK`Wd<2Ww3 z+oGoxNI|BR%hZlLa3p*MYp%Oev6TsrJWGk4^BhsUExdUw8@q7>!WZb-(n^pHnRuV7 zBxiAj32px>piHbflzF(fV-`B}uDf#ZSYV5)5zbi5%~{qHx)X%QaQ{2On3L=xy6*6m zyyYTch4$o&*h2;Ud)3%d2gxYQNX;H^GPB2tF5V=9<4VUS8`c)u8x)> z19too-SxDB9I`8htHB2%tAt-|@8f(#cn=5?e;1pZidj*Z_CF^6r*k6%95Q;DByx5KI=njP)96DEvDM~ 
z>Fj1omTF}j;ol~Nl^r7pvPhe7-59v9I!eXzFa<1?eaggXhfik_bb_;zTXUnn(t5IN zzV+Zfm&=Q?t&9Z5?VcY&8D2Eyt?q6^14P|Iokh-=?{(h&SRXo!&(!B6840a3np^He zf7Zf~r+`;B>jld*4aPjl2s?dPyro4cm7~Us)l@i^CN{b&L?|Pxz)}B&qX>t(%#u!Z zGGEQ6w+!&z^ml*F+ARNo87Mk?{7fN#>mL2*n2q4p1|AQLC&|z|8!uzSF6x3YXCQN^ zBNInOc16tR83*7?A?43j!>BGTc75O0x-oO%r}a>WB9%Jg?A#*Dqhn$*ZTZn%7dx#f zwX$cWQ=Lpo$3ok_aE1D!^HRM7fu=Z(`Y6qQEmBcaXlgj5Ky`$_cE|Q@w)ucFr`6AtWn%$?y2%xSDgXny5;$6B`c3u}-l zWKwOg3DQAO=pFVr!>F$qpeo}0Rx|dk?WH$_%>rqr-ct?Ys zAukP=)Fi^Tug+vYKyh46v4Dal#dqQvT}{L#d;tOPu4T8lpR+q|ybPw*UxK}RXvAMW zvJgA1&-ImygVEebs(s-c#;2Q1xSzBaTAsaK@FAc6ZL*Iel{>`vk#0g^v~Q}-9i2_V zJ@i(~7?V-2fNAfE{41J+g1|c4h1x2UiUb*!+oPuardOP>`gIugX6|(u&XDnhqpLVf zam3EWmv;_Y`d-%I7Me6NYqnrW+GoqIwxs!Ii2UCHv5>a;$czinF!Vs}M0N@ibmI+U zq|DF<9JN-?!xr9|dn8}9q>-AOdg5bUf!_leamcZ+-xM?yT5V0m9-rc(RE6$1tto9& zXsMwJ(WFvja`gr>C2L&YP8v>Z`k z!>h)5+MNCD;-PYezUr_evn9$4vf9Z*2NaK5=|PvNbpf2raCz?cA!IBs3dbnty{We8 z&x02}eR}sfInuWCDXiHA*GMfsWrsu;kGOPn?STE5OtKbEnlmXm;}X`8T{V( zuo~938&$MaaL}UCl3whh_cIrk=x$lnqtBSMCMTF9S1B?fI%|QV%!*hr)%G-~8w+M)Dn8>J?5Y7)v84XgzNscd9$YUpik*STN#kf1xaF zj9-0LjGRs1=(4Fe7RL|i3TUIk8+|S08p`VY%~;q8rZDU28Kb}P$Tzb9_7mk|j zSM(4ITr)vxRh+U*m2_cV+DjeITSo2&j&DTV0-Ty4&bjT{UiO;L!$~4U!oDv?f46mB z2?|?szMBRP&uzgxEYLNt9sw!?E5m+0u4~s{c+6zwi~Voq2;KF*R`zzSd{y^oQQ5l% z=w{uy7rr=UGb_cgu)-lPLyzlD=U)iz&}%4lU%=Ucw7U(roTA)?_J8kuJ`_S*1sFa~G=Z;*Ckvrc)O~{Q%+{0|J16 z3-urs_WJr-0zHq7f7|&lY^K8y>n#Lle;zez3Ja~gH~a?CXyHY8fE(aUWZL{T>C^MgVblM@d0Z(D7WNyV^;&aE88iL zgfUYNpV*lElaZWnIgjz6pA@H$^}@Y9?7vvqGsr(Tc`IuWpkqXHpkNy%UKS~fH_UP> zw|eKjC5jtd_ARZJE7v*$sDHPH;i8fppNRyJB3=rya5t+K!m=c+6AARf+u7HfiHlSwbz5d&)&0 z#CiX_5JyJek>gzYOncLs1fggqjOl4FtvB=zoL(piZ6g@=ItZ>80imAIa!qMF!q0no z>~gE}lyGMa0nfgQ7)Or8`v$1H9>{XH>dTAW@~L?K0$yfUHL;CPyM=fr!70pwv3t^+ zF3+q)#ztV+)|JB(!W@on;IiVWjbw0vF-UR6XEK@TnCReYD`l)qe}+txT%mxNnzQQ+ zT3PNhqr|Ld8=tnzZu;^hqvy6EPyy*C2|L5%f?At9XHSRf%hh#3S%+kE1l}+#Z->Xr zOB>cQB)KAqs(38L&<^h2k_fs1jj6!Dkz;W7WT#dmN#KkZA%(FMvqZHs?o>UN53nuZ zmFLfun;sW|HbT>4*+WrIGdwC2haw53#P*MN+BCw(b;h4O>ujM9U(A>E 
zU}$)??W0%YX2#deWk0TkXbF3UrWp!3KMLJYE^_6KJ!J*( z73}}!_^b$qb|y&NWaoTpo&GpSuy5-2-uojXDC@U(8IkGHt?HuHoW0}UqM)#Pqb6xP zg?a^J)UP_LVt41mM4KwONGtbt({DifPFrssB*ihyU5-_C`<)W2(|3RN=0*I)qze~O zoP$*kVw34>uKRi|?@y<$M2~vIZRSVj`5)BOc!Zdn3!~|S9s$XA-gm3Q5Rcrlr5;Kv zFlpJAcc`HR7I$I8n3xsm8hcqaO=s6?{*d&unVI&V(ds{b+STt++_8LMrV(Lhmsq}q8VLfFe#iV>DLT58?dH@Xp=&2uDrI0gfWS=6^|i10y0s;9`bHXq>L%2%2qJb83&7pk+Bxs@tDwka!Ai(l9$1((Duk@A!JvjHMJpCMI8?}*)*PEIB zi`Fk&EiBgk%CoMMJYXxE_y9z>D|)o`^af;Vuxol+)n&oyOyGPz=FL(014*|kTk)lP zg7*s6nOeB2Q_}0m5IJzkQW(EF3G=!Eoed$cc}@lTS0J|UNuRZxNu-1+Unc?Gxsa!@ zd7+bm0_+&00iadv{^=-Z{R)6RMaJ$fTJQJrF&;~diHDZjAUrtbF3o75H2^{3`-EtG z*tA(GnQ&0`m32?LVfv6lTx4GR7DFU~j8W32xlCTD)>UI~)pItP+~_D^N@tTHt5~}Q zER}KB2HBl+kMG-dL*HHLz*ZkpAoQ5kYE!gEH3~Bd3+W$UfzQ0;x$=n-sY zb_HL>Yjs{nDTWEkldhCHQ<@9oe%^nSomp0qyprXiIX!P)ea+75@q%-@g({V8LGrSr z+;tMxqF);d_H=N~NsU>;W0J>SxlR54QrlHwC=F{QCr>OvNOv(;rGUWo;q?ng_ov_6 zh&XZ7}1BI)u;4Fi9o_i4!=hTg{>mxp)Uw-)5efJY=b{ zTk#9{e3h43BuZqc=>?{pCBWK0@ENW(0iM++JPB;fKRvimlg3z;O6wEzLTE3R25CQE z6y`}TnFRN+!^?sPl@T`}+!oZM4avJfSxO_m0NC?%bDdI$R2)mVk2Q<#kt8PYB3mQ| z05E<(U%dVl-ege&*o>P*(m(-C4G{GVpPd190MOpvcQ0+c13~XsS?l99*6%h)Y$D1N z6nH7)n4-i%o4#9l;{vwg1adW_dl`p2c7t_c(+HGZ=&ic6h0IC_9C>eZ_TDIiIT_)* z{AY|SuXG|{^E%Ym%Bfc3sq-b4Y+cd{)WVLXRr@I{xKD> z-yFZYC0}4~s>=|MYyVz|Lk26gm%Gpd)&wKAn)IvpUFZSlBn%&OwWS$kYv~GJ9VEU~ zc@QvX=UoIuI<5zq#h*86?;aR^u|)AGblFfUCVYw15!N;~x(~aSX^1{IT`D`M3_4TN zbX9zMX9E+25TXsb7!F+*=FW2bEhhRcI{FzV(Od%&k}Aq?Cu!>I#jTcTXOqjEQ~cI` ztEUWP2)SgQZgiMzL23T*G|7_kK0AK7`6xL(jmYk#g4aUV))f-W!$tdyH9CN*qcySv zk9s?&0!G?Oj|?4MC)Ji$fN~lj%ntuWo>EV+PUgwEHrGD2ghLhM3yyXI?dsh89p9A^_5xt zky;T&^KPKYG{S?%u|w~;TghLtvuj7u$R13@DJ`p}&|%17ljy0ctzJfsFr4{9N&KYi zBIKg)Lt4q#CiMVgMQ#7{!k%qf_R(jkIBVp_X+A9%69rKkXIaoy$EBsz$T00=#g?qC z*oU6qLd;E%2Ot?wQ|m9J<%Jru5|WYz(k$sDWFK>g?nUHyja+{9-kG;2!YpYw=MWH}};_lEE*A{nz6ff@H7AsJoxRU~>pKKwr1oeVI=Vj-69BmSnYYUfQqpDFnxrZsTevdN`A(-iLRq z$dDEl9v%jwjD1Q@9k%~$IF!oOBPVuUM2%miXo6!<>DTgdv(Yp52f}nWA9QB4F8$k= zrCe@RcUd(o^SeaBZ*H#@_C@ua+KGB~6vpgpgEBufb|`Z$%Jc77LeqsyVG1YRknRxY 
zc~=Kyw=6V3p@9yM&8u9nM|ow$X{mWnyHZI?{!4AN#6l3+erG0Zx8I-O>8Eb8I80O) ze#DDn2!Zv9m8WL*+uLUY>U30&?xSDT)Vd|=->``=vQ%hZ)o-HtimO%F`g<3K7 zFiVyYjU_1M^7}0-=Ku=I8+9TYWt@xB2%Od8Cs^M^6QcYjLg*PJao(KYvHIe@hfb|b zXuisA4m&x0UlC8q*T}LPbcH5r0R8t>p{mg{yHaA@dCAgMhdu4p$bk@3RACuzBlc3w z2(9McF=?VCssF(mzK&?ob?MxU39-)82KMSCu7brVjfpxF&*{o3HW!rP+(`f~T8T3R zLK?Oq$_%>_(`Y`qUtKqYV14x+T^E7FWMp>4Mr?*A-hzJx$P=`FtW~fdmdM;ad8_ScY$88+mL=@9M z+@hoAJTHZO=Z6K>L_)tqpm+sojF?0@01)4wN=4-aHa>riqnnIw%&fi;@BAu?*Wbf@itPS>39D<#~j*GH)clYAU{3~F$nPkq%A@ppnx z+8%M5)^v#y8GnfoT5lc+EZ0^C_sQJe0juw?#5Fd5z<4QB#EOQPS!mMZHoB^ck8T;7 zgcLWK7YDDDD+;5TM#+&H#?sTWt6r(| z$Bj=NuTt%8(v2;Vzki-OSa|ehYBfGBof*kRTLdT9*hpcIhBwFKG7+f$s}|iSBdpo! z;SiQjCz9{6JN1XPG6(_Zi(H(S%$v$#ggzLJukoTp~a#dq%Ca@i;u^ zMF5*PSzF!$eQUg}XmP~XQQWswZ#CEbMUN%6nk|JDyklbPYdEZ(7j@eWfLdJ2!;h-1 zT3xlr^%pvZX1Ir(#{LXOt7DzR4FdQ)0FaU_fOedTj$9i_elkg(P}>(Peh z$wRbR(-4Uf!VBm`Kbxbq0R=|0sam8`xza@cRZ6wZV)Eze5{d!k?v;W(o=g;Q3hW!W z18P@My6Z4ZmD@bThtJy3|0tZQ5%c?MG4Ev7QdhoL`5OaN-BY+7bRl{E;wFx$k=SddVQ$N6MBUrM;jS; z&;~Unnw7Us4r9LTGYe0=R(GW-jE3}-j;X%3_<`_J7wigvvhD#yCO}-Tqa1$F3rA4| zME|to2@zB70$<+EN5UQew-1o#d(e4XM{`Z|1Q3(b*Hpa^D9{I8*@2E(OyDe$`>Z&J z3*hgXtuQSs00TPRn(=H-q+@_0gah5EXshq$=7T$XM0}9xcY|-`GqJLEt&1jUt(_NT z5?SxK&PyIl$V#%$S(r{X1)&~O`o?GPjZzH@oUflKov)<>C?Oo>pV%Ro`=QV4UjRfv zHTP%Y^e2KSwyw@;Pxco85geW#hq$^-15>!17V-_UWuSK>(FokKF6cnIumi+%=3yLP zNhFThBR{q7=oE648s2TXts|Y260M1`P4I@Bu432U&$AM(+~r1N3WCL3p^JY?$p-BpflhfVpP9L z`f9qJ<2eOU7T6cHT7Ab2E-wZ(0)-$yfIoGj3I1dEC{hST82)1yQTt=}C}Ckj;{Rh8 zk^MvWsLs#8mg-ufwt7*k#D|^}RlnF^@!~#cPJl?cw@rhO9J*slvk+_sxAcR~xJe^A zwnXO6??eaN!iEE4TO^n7US8`2Ux!}ZN_FW6PCJ$f+k*B3{Gf=&iv_^a)$+B@RegIX zG3!MyO)2Zv?&Ybq=SW`PdXJ)97m(ArQW1e-bgCQluapSP^-f4i)rfB9AlK?0dtg6L!x#*?pQwSV#a>gk1+oYmLW7TRG# zZGFcShA*iLK{Dv6DC?y@cc2bPk^7)r%hytNTg*g~I!+$>*N<&if_rJHT6109QS*y2 zmeH(clGCQM8*~rt9=_JiBqbwV40Gug;>|zp;U&0oQC>|GT>R2JDmu>NBc(l6-4(t$ zad@!G%>ChEj@3I-?5_1Nw|3rTet#af*wHA%=1nP|l2VG{1tH2UG8ijuXEKi%?unGH zygS3KH$|oeh4O|-DfhP1wT_E{se{Ir@rdz3b!{TN_HiKTX^VM5o8D{v_a=CFHCWnK 
z<4n(|4}0%RkMKoLgq`gf-8oRRPSBl*wc6(CF4EzDdp17Ip{(J6s1pIRXlP~`Q35H{ zRwu8N(uLfsE}0594NVkzBna}HH?RjK!&vEl^?751 z8m`-e=(;5lf>hTX)l5-+1L8dmZ5{o6ArSsvv<$70MCke8;}{S=tE^--d@5b>PEwD< zJiI(}MEq#HzF`kW_kLE%Z`x#=wG~lNt2CS6*~6nU9Fr|qo~h25n#OYOW3?8}& z6Jf9)YO7}%^X>B`g&zn-8c8_kWm$_5!uX&$W|j&5rKqiKVXaVvwzjNTH}j0*wanQn zeC;*5Ex6dvDY8f=RNQ=aTN}s0mCWvGX~wHvH5lz(Ve_ARMgh;Came$NbF5NN{?uJ$ zVYG8@S9aiI4q*1IVajzCCIkPew}4itCt4ewfRPvoTu!tKq)A?y4!J-uj7L|QW2T7} zE#Fr3^Slo@z2_mwm{}qUYO6iw>UVRYE5&y0K1IB~fNM?t8M8jlu|1&Ay%sL<(VCxb zjX`^xbE#2Oc!egUMwD+3zPxX&)MdkB_bI@ii@V!FXZaKt=(nXMuwfsA@5?v%)hf`_ zk3SG3h|UFuo^4BV+_y5kDeD%)o)US)Tdfa?Zdg%djJy3pI^s@Uvjn>jI`Afy%JXZWeYz_E$ynwD z>-KJb`T7bPSd;pu@NA%hm0w(U4KmV_`R8LA&E4n&@0!;oo=3@5GT9}e((($L-^G(vgRV|)%MGN!Y)p7@5ic;w68lPBtp%OZMc`dYOAqSV{afg^2qu2cJ|@1K<}zt9Aj zoT?rGAPadSPyAtTECqxfx!%DXg|(OXjh?W>bH z%Jd>G>tf=JL}S~i5{CVre8Oa&%d(Md>b=-L)?~dLG zZ|;Agb*pIs={61s{!10AQ))n(@;|_5A=>(ZfD2<}-zJ|B@VMX?Cc4>A;H)fb_#4JI^O;j&J$r^I+_#h}P0IER#_ z63LLGZY3q0cTN`swwdHQ1(3TXt}71crFwQAx-iPP`jz9$eX~Th1r5y3@_a?6U2&K- zUwxowU;R1djA^n#)o?hoqPe51tKH|6@lq=&M^#buB^HO96adaKqaZlroqPQQ0VA$* zxODMm5k73Ekhi+1vST>K`8HxMZPIbK>bhE%D0>?k6kG}){VW}aioZ~Pw*ZcGIxy~D zX~q2JZr$5gi?Zo!krp)k2p%w3!_LmWZyPf=j|3~cUp!pL18=xw%xg)=v2LK)r7=JF`f1v_U{RD0bj<)9IBK!nxvL?cprY?dH zH6$lq>5f~m4{t1dX96-E`-T%={#9IiX@Ktrf9n2 z&gfO}p}R5O7457?%QN<(o3c+(Z_)<-V4?|}yBFnqh@~JZ?Y|h;FY`>5@M^yL9A+Kl z2gjCJ!ARou8vJxYrOabrnIDPQGyDDfsYXj*sje2d_1cdxP0w@|gy^xI!Mq?+j&dp7x2I z;>`vm&mK%fbWYbBP`JBLd1C22A5ZSU)g5&{@p$5j_K;b*m`h@z&6LumwCI;`BAEbt zE8PpCAS$p1L>Lnh!Z`Y(9$WPp5&+x&XL*F9wF?kym}7aZ|Occkn0qM+e5A zbwV{i@2FV$T8gnGig+Y!pUyF5wM3oWYnEM^`6#lkgb!6&0%{gAt{``?)2^^iqDFS~ zO1xQks1WYJz*`BbJqXc zGo#cDZUPBi&sFCs*b(SwFT9^z&52M^KjzV|3rW#zY)$R1eiMQ{Eh$P-esocsf9Ngl zZLvg2p4(Qb);P+^9BZ*~x9@V0d``7@w{kP~OJmy~xU7KkzW%`F#HcBw41bgJj0tzt zxHl1B~8sEwQP^g%Tii{gAhssp)YqFtNT{KtHD+x2u0 zt;gYt+yrg+n)tiZ=@Pp<3liCCqs?E0T~g;Q%*YUjKX=jGeNzX{Ow;Sd!H{(|-}Q_i zDalvza=y)tTZbaf;=I%XF572LHEjcGDceRs3UliCGSFcaOIug~5#uU1mh$lxPo6*r 
zhq|kr!^hZ4p|Zd^&2j6h-LPESm9U;-a7cuZ59%4w&Kt)rXmZ5#__AVoXvgq9Df|Nj zw=1zthzV_Imx#2EMxKh)OdgIU%0FR?ttD(d`w#PBe}T}diqoP-14Rd&&1z8$3Fyx_ zBB`KoIL8R_!+l~}8ihtZ=zCVIz@g~=jk1LKAk%J^gtu<{Mihn7b3*=R(zM+SvHtQqN7QmCI~VqkUHPESn-X zTnTtgX{Y1_V7t@dt2nssm3kK?woUnFi0tgRL~;|22%fRMjOn5*>vP5sr?(u86}1U3 z$7MtGf>xyswx6;#;zeFo-{9AbvZBV_K3E!8Z?1iC2z%`3tiHSyA9+gDp<}z^-rW<0 zJK#zi)hDo3#&cSo=HrDS+B)TY*s5W*VKv)}xOSbhFP45GqQ=JgUZU;JYM?NbNF2eH zu;yIpT(+0)SI8^YADJvw=YL+7=GHg;yyU+quK#nb+$|Eu4hX6utsK;V_?0e16bk8S zm}eE>xg}*gh&97~7{NR8Hsb|ma(d{r7NaQLp+w*+4(jW4rUZ0e8!6$oT+_!ghDbA+ zmpMSzEub2Nsl?NuljF=bfVqVL1$+nwe6T77Ct9<@xv; zn-Na*BmlHcynJ={1EHq@3$@eJ$^MBL{2!Tzirjk;*i*x3gR2SW6noHtWOd;qcsz!C&f zfPVrPiemuaLT&o1_vZ$CpBrto{deFO-8p5*5kBA0M%R+(eq$IS#nl6Pn)^DwfvZ+} zL5e=wyy@HrO$cjeydT|iVG<{zsSSM9b9^bEmH7+}brU_zm3K2E?)xZtKKY4bYy#kl z>g9(H#LMU+B==q!Jv37EYp@APn>|@h^_7ePzZXM+K=$dwE;&^mL+&0l`f?uZ?8${7g7|Hy^8Cs(E#%Xg)%GnK!j`L53vplUC^c%F?q?Z~bG)qmMMN>}RYpWDxY8Ci5R zmpau4<(Eg(oe}~y@C4ulpbqDRC*yxlEB3apj*`(lmgWjY6sA^N8wH}ZS4%!E!=SGm z6d6Ad5>$51MO#_cY_>xVfKIki(I`QOUpkKE4i51KIjk&d9heV3Tjt?f3o<#O+S@)| zu&;@%Ou0&2jlfjG))}Qrij*d*TJd36)}I#ZccJYii8*SgkQ+ zb@_=ST6%&jE=KxgbR8K&^gAaFw&#TQL~dnDB@5PZWfmin>xT2A>@}SNF?>wh1_BSi zhx#{kW=rQ^2beT9Sp~+Yb%j6lbE1t|M=?3cx2yIMJCkW_nXo;wHLsc*?{tOsLe%7_v9`Rc9^|YyGOXQu9`3+tWCo?>+*(FR7Uq%0>X^`w7cR%B9>bh#8Q|;0w z>97kxmJJG_0U_+~4DR7NAdLS_y+Y8=_9uP1fCJGvFCu{Tm$&Uy$EbbOE^D zm(E#DJ=p2>#8!?U=LPZ)1cmpdujdS+b!4-5geKK`z48_$L%2>Ol+mt8iv_d3+1oP0 z&LzPNkDEzkj2hTK{XqDv0I0n?LRnm>ptQZi6?XB2tFeu>h3mDi&Sl}rFM#aca|xu2 zA|5pp@%Z@2sJQwxfFAH!?q`s*_$P)r=ua%t0fUrYfB^q*HU$6LasbIJoFQZ_S}NPW zxR?t~RN8yxgt3j_TK}%BIC@zwtun`Hy#h{fux+zLezqLy%UgX64}C?7Lh{3MqFLO&M0YAs_&(%tbx({*URr=04dk=Hs!A?=cN zP1UcS-x7x&`(Ug^ng!to&1Z#JK=ia?AR0-%zk~Mie zyvozg{?MY~i_=xktKMx;n~p7It)p8(7J;Sw8YGwm&e@1Q+>%0I!TQz{a>QQ%*K%6v zeP<`4mtV5D+T{5RD~Td6S@!tJ1#kbZK0|JHZq+WI<2**(*<*Z6V#76ogXytz7MXd#Uy=K@ zu)tDvCmd0iPA@G@lF7V^z(FM@xyS{`E<|c^nee={`RZTFo zei%6IkmXGAmz0Z;5b7$;|VnrqYW0&CjXA~*kxs^6@tGbezQ(2F%-7P|MkvJ`rRZx8=Pz3Br&xKtyqwUP<9Lw1SP-XX 
zBIYJ438-@ZPnbaf2SA}P{QzcKjSthby?AFgv1;nxp_la~EY>;o26f9&2FK|W`xDWD zh#nxf8BwEFLvzB>BCuUB3PaOwLRB8q_fVQJTCC*C*L---Ykf-Y%|_kv;{Mqq6~Q&# zPE3M;kYbJ3B97XJM-5u97d2f3hMzI<%v{BSlX9PH>L*^AC2qjY zz1DjoKZEk4e3bx&h0-4g%0>;gh0tfM17GIdDw@VKC(85{tyUb>CErJ=NErYI&g&2G z=k-F}<9vD|T~W89jX$8DjwZ2wPPAofq?R$O-*J>btzN%S9_G(Ye!iR)?Pg1H(%2%T zK2z@f{nzZi<<5Ffqw&@F$VSCCS##<( z2NM~XMs0KBH8@|&lwj}?lMyW$J<>h*GV)`$PAb!`L@W9Q{MnthP5E4-;?6O|T_31U zSz?3p&OmVz+vK(A3hGo%dVZ}+Qjk+dQ72a$Ou1I?ygt=KTpRmbr~{TmWlxG_6i zXSCJydPX95Cm~rZ1tloo4x71mf&sTW*L;VAQt0EV1AgilFS$J zj9!oQMFEurQGL!eYnSIbx>#Dyf)di*x3@$%0xJ1Y^W?Jf!{(UCc4=_NW5?vU*kBeSn!*t_L2e}`SldB(U3 zQf1xL)|O#u`+$l}oiX$6VjY4nMl4n!(lG5uepk?9bs$Uq5`KDn>sDHPpIz$8X+DF; z%A4v$anG2_hhtZ1M&Fl6UZh&~5N-rwIZr+|3Gh@dd%32V@TIc8F3>iKfvZQ;k`^f) zrqis$$A=egIaoCb=wcG}J^lYYaTTi&?$&wABq7&6#u2mmV%wgE!E*GXzU^VE<@7tg z?NZ}4tr=$@1H~ZqSmpZaR>=Oh+Q8Kqeik_a%NMe!qAaK<@1ZU&*;WM-WYZ%hW+izc|xUxgBxh{6cN=o}|L0`;dJ7#ZT~Se=VO@L-G)BsqDs{kb*hx{%V#G z2}Xww0NAi6POhnmZ#>uS$e!~hoPjgRl^ekoyX2gVa+2>Kw1Lnltx-KyeY@jbq&UkM z`y%#@uZX8@79r`Gy;R*s3%{TY28_F=@aS36N~!n&w2N= zbGzs~B&Fz6APxIX<*_Zx3JCir%gq$B%2NT^*Po}4I%<CD` z#?yIeH|bnD>G{;MexaVQvKKW&c`B5)$SF>+*6PU@kyeDNc|uL@`>#!9e z9g;@Xv5?I0LROpA*QAdZr|$Blcx0Y7_Q(!DF1SO_zzXv^+ml)DQ(a(w=-2DnS2y#f z#QCFQxQbRe4x5-|Y6QL@LK|DXC|BnhA!1piug~i_fpe(nRiMC8OZZTGbQYQEvJMOJwO@izojx>W`1T@J*bxhheZ|94233yT2&tg z`39=&ivp&WwKUh55I{(tIsnLD8Q{R~s~qP}9#T&zG}T8^n>`iz7~LZo!dcP#9e%e<|FGtBlQtvT4o8a}jt+W?fI~wRC$H?Wz4s}UK z518v-(mBXhL(V`=Y>njLKees&+qYK+gp)3WUpkn&U=7i&4Fz^$Le1QYc$`LWAWP(~ zl%EA&;UlafAohamP&<8@Y!?N3vCM8Iy5WxM8cYO*#C z6oxy+@BEL8!-CveANYQFCnQ`mnHp_O>>D0k!E4fFmTw%z z`$(ze^E7Z2tQczN`Lc0{#{dL29Kco~%?QL}{7UV|&T$wb_)mB*}Tswo{b&#jSqG+TnVi{?nHjh9#xh zt5iDbQ>&E_MSlv4Y&(A&J*t#-?f%E&ppWDE0fkxhSQOoE4S|PARwBeZbX7+4i=?MI z-U6H4=|Q4r276^zIQak=thB&lrha}Mea6>^Gj(h3T}7s}LtQJb^Z6KWQKO!1c=!8o zLb=m*g|~clqylv5pl`fik`EzPx%!K{`Yq{M<~Nquv=LJ9HVYA7hL3^a)^9$x@TnZ# zV`)l`57Rzg5M97P?n2w(!YYfBYu|Q9h7+lq;BUW`j8!bs%Tdl8n=?m@i$O&F(g%u1 
z@J{r>Fj!t_Tf?F(e(#CvU?Sm7Q1{yV!D)G0^1-YR0uq$`tc=E8{!qjfRAEumprrTy zYmP?d!#ZQ`uNU{5CpsIRiIE<6r>B~UCzQiaCEud&4xf+M%=D~262epStW=+z&8pZs z!3vvW$o9!Ko--EB!I!_Se-=v0{E%;ABGibrOUO4X;VY1~t3mZMiCbd; zgD5b^z3TZ?MDE5y+ecGwK=trN2GUj1K9?MfRaRxH`aqxGM+mxfpt=%FUJAQk{A=1QDqo5Ndcx+Mciml`k_|mYdaWJZ_>@X#u zE=tNl-<8IqLoF2})wZ8XRWwGKWSS=vn!;W#HG%-dh z@dpC66Z81R=G#RKT{<0i=jEy%qIZZ?A?sVnOsJ%y%yS&?fkfPc=@HT{9rd2m>@}<{ z)&xnF$tNpDi-fuy9^qYXOU%ccC1ttQMf4r>^S!7EiZ^(b)ooA621(Yws0vR<{EJht zHfP2AZ*hOe&^>6PFs*$UvGQ%?sqT>oWW2$e>8F+E-_XeZeY;Hbxa|EKUKR9S`uSbF zexBG5cuNYQAkVe;Sao@IyxW?ps7c#(HV@pLG^bV=2IdC5BnJ^$?FFI`h6=?Dv!YYM zLNNyN9L~eq(CHqhY{jB>r%N^T`>$0QlRLz6h*2sc9E_u-S+Tbudx^=~MY--D*5oJF zEyy)`>34g^vZ)_j?=n`ioUVh^|AxZzR=siZ1M zpwlTksG@`z-(csnCSns`aNF|vl@BjfR0|5cWT9t&8T|_6#+U?%>$hD$~Uu{Ns z&s%g+86hOYvY`EGD-raq_Qw7RJ5qa-hS^}Gi}jhTF>z`)u-%wd3)89XLN9TZ{abaW z{u`Y>%NMA|h$5cafwlFfh1ZuDDS}i7?C15J3#8vP#LUdXq687l?rf@m-lX(v7nHn^ z>`BY&7hKy;MPi#^J?=iV07bLFoHFqa{uF(~u6~*GI%3)spuRHJhwg8p(M$6q?Z$)0?uzVO$8{GuVLkhWn z61|^_n7fJAeJFiYjl8%-R24v#E>#D52Y48cSPSuGuR!)iwJzuzYsPaGo$&R82gI+# zBP0ZS2f&y!nQGEOPO%ejzQLqcZ!*Ob9pwof6l7`ds5k>Ic!vhX((e3Ld^p+6BGs!V z*`{4=Ts1I)5c^*}b)!5N*%B?9l*2@$eRwSWQvX_cWX{Xgrg7(cP3%xzZMyAP*TVM* zE{Ak}f>3RYPhhKw>Ts1VHJe&TMc)0}6_ACM*aUjGWKRxK-=hzrXKM5M*5oLVzzdss zk4<7%TPyGA0*}W!5436{l*cnDoo;mOdB-IjY%y4gzq~4x6_-rdIxX0l<#2L^GuWEy zSJjNsdKAw%EiK9;Wj$Wo&|(j(5V&Z&U*1H!+RQ3{oYtIr`uwVb=UZ(kst0M3;X4GX zcA7L#EJDP<6)dqWrQ@k4osf-1xl8kf8Gj?=tjSZu zj#-CnIvUmR1EKL9>gnj3&K~1mm7?VfnRQ=%K@xlBH-EQ)3zmX(#NmoRTqhqF24p8o zN#u_=(o0INV{AIzbFAsbLw9xK69<(C+GtALG_`OYopx&HR6<0!ZSv-VOEN=`tQjTZ zHTp&S4{f3njuo?YTZm`pO*%y`iJ?vb*2rxYF*5yq7o?-(&32*MRHFiubf}$T0@a;2 z2hL}Ogn~?i)YH@%-{D#n`J*-IlpV8=b%UqM%Bk{(F8hA zs=cV+tW9=)>MaVGI2Xp0mPbZ?dLjJ{AQdeO&?xLSS=sZB22s5V+zMy>ApbqgJU7Hl zeHYaiajn^z5cq7Dv56IVv1iwuHiWjpia?frw`(kebd?R4pWiptbSXiR)Yf?v8I66K zn`)Al<^gHd1*e9OO#>|)BYvgZzTdA)?-4t1d)Oq9$D&s9+4R5PcSPQ|Bc!_EE^m?K5YiulRci0RlQmY!xl`IIOv$P$` zQfWdb&(+DI?8s;Ln@!j*qkMW`UOrgzmqkwF?yW}^`euN;gC@iHY-$Ry>8CRy<)?V? 
z6g=t+6?=41F z10^)kwV#*HG!{Yi&}rbPQSH1LOqoG>jBxnU1uHN-+y)FZ_THQ{`bWNZrp!g+~58j|J`%{ zdsxT@h6U-;gE+H=XQ;QUpGtVI`rnW}26?)YuH8j1+@6=v*VJjm`#p@1nXu6Pi`hgidEfWbp4S4?hSX%1%UulpUqPPuKF382>F++zizFoVr)d&4H zB?PF|)RDJDAmbre#6Enub)}*Y`E7hwNfmtXADlc4|L4pzOrjf=m^EGCtFJsCF&q34 zqqAy`8b8F&Qw3VlH*u!sa28x>-OI^Y=S6;xzyz3Id`DE2CZY%Mp1%mdp^3kcKnQ5R zUztqid@7l(XftomPE#u!I-Qm5N+6#k@9}1h)q&>j97Xu|DQ9Vk4BMD=7Frpg^k4OM z{%V%3CGY*rgyh?l;v8+v_4op)aqeTl;JuRov3Cnfvv5tc`+*mf#Gq^uKco|SJd9Y=1LR|_?FS5J6jBd9#efsyVOvCcIw|Cv?fC?vSMyzy zQ_`{4y(S2hc~8Ca;>iu>>*b3jl{>TK zi^CO|cGpvYIa6kP>1CA@gA&ZQ7XKiyYT7-EgVbRGR2bX#9Oi55j^&x*Kp@IO9mczupNKynap$Q^FdKo zwecqP%VfIg6VZi&1=i@7P9!GN3C^3 z8vV5P9Go#Z_~MjdG(EK9sM`a z|0_U|W7zobEPZ}O;R6Cme=lJAUvM9pXCmwak3IAV@Z<8FEN)hWOOf;6xyAlKkQTN6 z#Xs&BGo*iXE&dl6B>nf*9BVyCQvQc_Q-~#xX<4cY69iP1xqJ$y0IkL@75qgTG5*FR zMwieL4WimB1F~$FD5HGS0$y0rU=I)_>OeU^VxppntdY(byTTvNA(fCPz zJeswTPMq<2Q0R255lndU8QG8*{R`pzmyi<}>((gNb+*QFZBAmc^M=RW`g31-*=(FW zqgij7y3ZRV`6(3_%|stp>yJqHH0Y>Tp7>GGQ`jnM!zS0Jy+~SI?>|&-jI54 zUc2cXS9ye`>VP8}@+p=N;_)lOx?>iC#~!f@@(hce58q}-USoOH2N-uA(%X5m1DXuz z5)u#Z$+uDMkogx_JY*uHyDWpi>0r;lOqb@4^LWg$b8%_QtA1aghW$WryP3ZB7AYD` zcx>0(pl=Pe%M>ZsTb?&mB!PB?s&@NkXwBW6efKFIzwTMx;Cl37>U~fJn+)nUm<5Ur zm`P@9L<{=^U97(6pL?tTqU}%rs#x`3a6i%$Kx8GVCmhiCUH^eFrlKF8SOD%bl>x}{ zK+-d>MBx?in}1R*o&xHAUw3CFI z@PzOZzu+lB%aWvk`>0BnGw(&90}Y|`-Tku;_2H7|>`Rm>R&nNCX>r&$hal>ydB4&f z%{m!|NQ!II)y|bj!e_CAbt+AdS;KoDv@U|%;7MijC;UAnPn0d|#vZ}HraEkKvf_#@ z&fj>=yql3)fuPvg#Z<8%nFF^>-gJi&p6Ahgb+zofH6Uy69fuH}cC-V+sxQB0nap1Ci~rH z(wqCF?D-@a`$eBvJLlTS^Xg}}SAcMw`d%yYx$uS+Pg3s0<}M+GOXLoR_N?sT3CN$f z6@55da-MH}h2zytwta8KC9loymlER0!SGwY_;#H(p28Wg z&S}DJi7=_CT<)an7reQTlaA{?;2M6OzpbQ)O!<%;(-iQ|sY$yNG3?3@82q$1$p7c? 
z^Z%Y~|2*0HH{b1(+rGc5W3MGuZA`WFGvRcf=}ImOMCj@=B7zk{5flA z!`~K)1}aG_)8Yx8Hr4K<>jKm2)-TI$O&z|k#s>2CP7jnY18jQs;$I%J=rjAB0du^4 z;ArO2RJGiakpN^#T+AXsw6_p&INE?wtg;()kdGT1vsNO2qA&Vnwn^;`Ry3L zcS7C2VUhi$&1!XZ3H=N~xhNw3V1}I&M(GvN11ME{9Qpk8Ap93f)&C?Y_-k`M01omu z0mT2RZN$GBS_dav*EzGnGajIGjpBof2=MfxYxpe2Z}@@;*$m{3LgHlGxSlDQ^R+ zDc=HRszZRW*U27S((}ok1E5JHsc+wAe}iE|bI}eur4DF7fv>1|sJHZ{h0DO=#tT+>d|BHVcB?R_DL!YFQe6Qsct z)@}&tp?*?*Y?p>|uvk5jQ+Xrtsz;(-aQ#;MNuVz?pq)QMpjcDh_(4bJ?dd@e!lL_9<>sqQE<(p{ikTYd9jiuUuY@xMU!k%K^x3}f6;Fh6VCSG9bry8wso--~m zFWxyZvARMRZOUfZ1xs!F6m_=zRC)PLXJx?sNiTU&Kn)ESzC~qJq}aDeOi|fvubBeM z2L%$!G`M927t&mMrv8ixI-22#78U{k4_uGjGW6V5M_g!A=Q%yey}Zyx@B1Xw5mwVsN@TuXF}SEf%H_97IB~{%Ft&$Oe?2% zv~TV?%?PZGH#XeZuRvgNMilUdI{3S(3wmR|_e{ewRDORA&EEVeAPM~W{xX95M^WAX z-}}sW#}<8xlzwL))c=Z`Bg7gQ=8g=JX@)5K6&EFcX-TwVLuO7eME)p@Aa) zER|maGCrU`ZA}6yga1byAQEdbSylp5a}n{i&1sDLbQMs&kCcj!Lo-rSZ9-&2!a-|; zqkss7b@Yx-q#0wUW)pW96kYX_ynM0p9Fbojl;foflw+K93|$rNS0 zUGfolDWXW9o*6`66wprd3S{f9P1=nSzSOdKfpAVa$^QpAD4G=$4RV0(cmN~%VvDIsGLj-6DLSZye zBpsw<8@K{h>zx~L06aal0WeRb%vU0br3?O__O3Iksdmi<0Tl%S zkw^-tVsYF>Ah=`EmZ7XPtGeD!K0If!`zxp^r1B7BxWN- zUo)VCDB5@F7r^ru;EagcE?K%e?7H8>J7J8w!d(qpuD6|+C9CcJ=#AHP-Zi_qO;1*u zf;f?trpW3?75IP!Yz*?fQ(A50J33(?G?-MMLYK)A=+P6%MgB%MG6;M^&KkzX@yh4I zrY8zMGiazrOm7nK_Y3o$8^ct-V)GM3T01E}qifrEsQV=@wR(TqG`H{Hr}38CPoe-a zeEIkq8um4a-trJ+KGU9zoO`mlz9>B&ggyjD%V%pSJtHZYOaqJ7$uEksall3LRK@zI z@~MU8-avOW8^t}Un-mVGL69g4S9JgLLgumfFUUdt)ewh2Lr4D9RW@64 ziYU4rmzG@XL~Huajy^L>a=-KqQPN52MdV(cLduvT@M8z>lC13;MzV1|EOpzf2#p@? z5#lu7_G^}(jzQpRq%!#26I)k#t`vrAcNi%NDl;CbTWyWxejqn4vwNq5P56h))s&wT z3cqQMEUksa<1Vu(Lk2hSHs@C`(uM(5l6TCczOc%1;>jb3c&m{tztInB+}uHKo9^vj z`)RjyM^r+at!9`0?_;ZEN5Oi90)IryA!fYzLshz7)=FN4qwg~;&0fh_tj|ZhkUCoD zoEF74yrnijMo|UsnrE32lUwt>i$(Oh6YGytLL#!ca66ksF>&?_AV8L$wJ|W%yJt}B^xM>6ht;;b zI_J#DCPsY`kj<<9;k`?`WikvMt{-2?m#}-t{y zn2YCYuXQ9Hyt1o|x-+1X{({m8L~&Re@-}wh6R+t)4-dcXKV(t0AIbxp{$ly{pXKp? 
zD-`sgNZtq%VDLjNiWodfUa!emM?alBE}`A{H$~*_`FjowHIb%ymweC5QXO=bat?(; zoCELYD8+9^p@pI!=H^;q=}Ef-4e0vAIaK)Gl-J!fvw*qs23%Z{2TyY?Y8J5!duXng zjVY+LbHH9a%6T-`9aUZv^Hgm2v^p*WV|dp2d1<_E<){smn*?Ji{Ln?_`-W%+_C=gY zPFjF{t$DR-p1W5$ot4oayx0y2B)L>DrQtV?PM^Qtz?nTp&57_?hw1-e)8tv*X^MCq zS~z5u6`(I$cRT#IVW8&Yl{4-EZx-6|EF!QwE^K{Qrr$>;(*H0{S<1i{ZQ<`JQx&~M z@TAZD1*lbdu}WBmU2`86Qt@$`G*>`!1m7>)O8EdsT%C5NT9~EBX*8~L1{{=Fw#+}y z`!L<&2%mkIJ_o-TT_pg{KBDu-p%u%e&T6< zC^xtlGImNbTBm7()p8`eomhv8I(TMmGU>fnj~_Rf&!V0oXRi&UZ|q+<$QwsVHl{Qr z2Az;M`@)8Ns6>kM*``T&M|`6oi{`5b?;8WShJ*v) zL{WNH*N%yq6VhwR-zp7rDlhTWLZUV9u|ew5jivyC%KJ7dwyYuPq80; z>$}QM*AlETDwOFc!rB3|!k2G>y_a0tt5xnp+_om=`P-;}1Dy2?thuPK&b3cexe+Ht0Xyp+R4uRnNIBTNv;Qh<|E@JuU(3k{n&igg4Q<}a#1Tv9hS$4wlk(rTM6X{=DL6{%lgTb+1`JAF8e<^y-KO~vxWv+5I$4`6P06VIZ7$`x3Hi7 zN+Gw%1~6J=5h0hk_)8(T)~EQ=sN{W&uBa6m&=4X0L_wMHx8`*XAc1VE{L|bwXFg*l zUX$uB*E2k%JhT$)e%R)MXK1sHREaK{W*!mYffW4A9DWQv;Ex?r2(U0v(~K&IkDGCH zCgNx)^%eE)r^i?A$tHGP*@oR7R3dEpQXaVCa`80^-zHhs6?d8rJRlgM9Qy4>;D#J= zb^7cA*<0Yb=#rB1D0%ZDJKh_&1=|1oersqAqL&*fB66`J~b0}BcmO|2OxJ6X(LW6mi4DUXQ89ef;G$M{2&u&f3J*!I%P(fZv` znq0|(3leVZ;b>La)wqa0ypFzfRzHW<^G~c!p^PJrL&a_-0!fJ-Y~83t&IWm`P}SSm zf>eIPUHz#r@?Zn}uPTxNes50yyuVwjZ_9MvzlZk+_xCqDZwh~wVq&#i`4R!Gp@0PbfmFX$BcIA3c1QY zs$yO3Gwk44cNxFE8W;#YUi|(fKVgnFd_$sEoO^zkE8c5F9+=;)6t|2~h*X`C z-kaSK_q@#E(Z`qP#C0)uIqiWyQkdZ9Ct)=StEH`pPbr9Gp>PkQn2@3{TWvL$Hn;rx z019pRG9amK1@TXP#7{EYJngahNB`!c7_n4f1bJW6H9~3y7a*kEZqrrEXi^z&wK5b=`+L02!f*T zwMuIyX-uu_$05##xYZUffCRud)uSvi;Pl60m~1xV6TP`F3)^ucX0C9%0lVoX3%5rx z(RRI8D2}0&i2IT-?^N@by%y(#n z1{e!#W0WD#7pUa`hG&9mipC)NNTa%;3{5=>ME+M>#>v9#HAyBw ziU>eNB1O|;rMIhychL1pi+efw7}qwB!^ux7bfZPxeV2PgdR9kWu1ho6WDy>;u}Lp} zHu}=)NCR*{6>GB&RFnmp#-STX21F>~?P za!oCAcfP9bsId0R!3cr2X{%* z7GCui8l4%koOdCZg>u!P4+f?-AS}AAn6>ZL3;gP!d0)9cN;!~3Z_ZX+iBE)dsZ>wF z7%ANgtk(i)vhaulu*5eO+YC$by?3fK`!%TqQPqvo)hgyvIHNQDO4 zp8Nd8uQaNv%f0k`%>8QTpwKodb;j0b*O)Q^;)2g^B>e(#lTV+a1|+(IeIs%r&Ca@J z@#O?~qh!Ru%keJwg 
zslJf=`YupImTzJ*i0yqH)6L1)Skzi=_*MnG4N{ZxW1My*xgdymYM(8uR0D<5ThW5hyG41{j)h5^od(vkzP_w>1WiS2^vh z7^E?Mv|gVNAa3M#-+%J-o6Fw+-V130$+9Ng8GsL!${aI1OJdu242}fQ8)v#*123Z|?l#U?5rRYYFhVmc>dhxjoM+;@V`puI z>2f3sD|i=%cXW~$JAj=P`y8NTPRa6>u47f*$IKp?nWV|31l+}W+=MH%70Z&*`U|j? z=q#O<98h7|M4Mw9Y53|^xjo%sfWSzxQ{eiK@x!Qng_w6xB`c*yvgGPAaWXF;uV%_F^Gj{ag(k^kfAySQq31n&V3iy7RfjrcA=J;61r_2nPx%?c&im6+2!Oow38G?; zMj&tk1cubnOd;z*z$^+O=~~Zl)vBIeSxt?)Yd-X}>V9vQPxR}j;Za>sKlKV<4GjkQ zgz8ljw|apB_LuvEL_J7e{9ZhGWb`ykN10ggHcQ;M@x>WFrG+;1=RlJDFL2je7my`fUd zGFg@$aUmV*rRd;*04GxE`*Ekj{E6O2_{{dU(MoZxDUeqjoN}PzcZo{@d1Z1!I^RcV z^a!oMvcYx-Og7E)t)q3DjaJ4_OgssnZY9)y&gNYlze%MaQSrz=b18FUIbk?eEJASt zIvP5S!mVB|fOno&-wbYS=$kzKP7c(;%4hI#Es%9|V*m z;>7NuJ$j4>@mWxdZ^1%&I`4aEPg2tKe1d>LV^E!VbEbPwWasKgovVQ6S@#gcr4$#? zIDVZsq)z(SU$wgTejr@YoWJl%<#*Ptjd)r@m7$)aA6fiL&5Z@h$~t-+lbpg+ncb2n zF7jk+dKq~&Z@^)A6Y=zJ@XXuc=9KW*#Ebda7BoWz{>-8znfyttF^B z_WJrFWvNx%o-9PYnV}Oo|8m_4!s;UnY!XS|&)LaE-#M*pZ;&o{hOJNTgN*p2$d#n$ z5$YNGr&?pgju>K3#&)@8=xdPgd}*Mn=OH?tvOP^Q2jgKs`el)HsUz zkf}~3O5$jQdy9W?v@LhiKWfqS{O#&;@teMya*VhJ-7N*mXK{m+Vx|N!TxY$pTa^s; zrtnP7Af>iWboVLx`rs9{&&%mA?+@V>G7$9sf%L)OEbgh5#hl$OO3Ew?s(;dIIkUp hBqdhwDJT-)onolT^B?q^KSS02KmK2D^XB?B_HWem-pc?0 literal 0 HcmV?d00001 diff --git a/home/firefly/values.yaml b/home/firefly/values.yaml index c1b12255f3..9a206e499b 100644 --- a/home/firefly/values.yaml +++ b/home/firefly/values.yaml @@ -26,7 +26,6 @@ firefly-iii: # -- Directly defined environment variables. Use this for non-secret configuration values. env: - DB_CONNECTION: mysql DEFAULT_LANGUAGE: "nl_NL" DEFAULT_LOCALE: "equal" TZ: "Europe/Amsterdam" diff --git a/metal/TODO.md b/metal/TODO.md new file mode 100644 index 0000000000..77daddd7b6 --- /dev/null +++ b/metal/TODO.md @@ -0,0 +1,11 @@ +TODO Metal + +[ ] Auto install ubuntu +[ ] Disable GUI +[ ] Make ssh root posible +[ ] Install basic package +[ ] Disable GUI +[ ] Mount script for fstab +[ ] Zpool init for host +[ ] Set hostname +[ ] Install iscsi \ No newline at end of file 
diff --git a/metal/roles/k3s/defaults/main.yml b/metal/roles/k3s/defaults/main.yml index 2698ff7618..bec6d4d3bf 100644 --- a/metal/roles/k3s/defaults/main.yml +++ b/metal/roles/k3s/defaults/main.yml @@ -1,4 +1,4 @@ -k3s_version: v1.23.4+k3s1 +k3s_version: v1.23.3+k3s1 k3s_config_file: /etc/rancher/k3s/config.yaml k3s_token_file: /etc/rancher/node/password k3s_service_file: /etc/systemd/system/k3s.service diff --git a/metal/roles/pxe_server/files/data/tftboot/.gitignore b/metal/roles/pxe_server/files/data/tftboot/.gitignore new file mode 100644 index 0000000000..e69de29bb2 diff --git a/metal/roles/pxe_server/files/data/tftboot/grub.cfg b/metal/roles/pxe_server/files/data/tftboot/grub.cfg new file mode 100644 index 0000000000..e1c3943ab9 --- /dev/null +++ b/metal/roles/pxe_server/files/data/tftboot/grub.cfg @@ -0,0 +1,16 @@ +default=autoinstall +timeout=30 +timeout_style=menu +menuentry "Focal Live Installer - automated" --id=autoinstall { + echo "Loading Kernel..." + # make sure to escape the ';' or surround argument in quotes + linux /vmlinuz ip=dhcp url=http://192.168.1.105/iso/ubuntu-20.04-live-server-amd64.iso autoinstall ds="nocloud-net;s=http://192.168.1.105/;" root=/dev/ram0 cloud-config-url=/dev/null + echo "Loading Ram Disk..." + initrd /initrd +} +menuentry "Focal Live Installer" --id=install { + echo "Loading Kernel..." + linux /vmlinuz ip=dhcp url=http://192.168.1.105/iso/ubuntu-20.04-live-server-amd64.iso root=/dev/ram0 cloud-config-url=/dev/null + echo "Loading Ram Disk..." + initrd /initrd +} diff --git a/metal/roles/pxe_server/files/data/tftboot/grubx64.efi b/metal/roles/pxe_server/files/data/tftboot/grubx64.efi new file mode 100755 index 0000000000..e69de29bb2 diff --git a/metal/roles/pxe_server/files/data/tftboot/meta-data b/metal/roles/pxe_server/files/data/tftboot/meta-data new file mode 100644 index 0000000000..49d3dd1020 --- /dev/null +++ b/metal/roles/pxe_server/files/data/tftboot/meta-data 
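Review bot: Both menu entries in the new `files/data/tftboot/grub.cfg` hard-code `192.168.1.105` for the ISO URL and the `nocloud-net` seed, while the rest of the role parameterises the same thing (tasks/main.yml renders `grub.cfg.j2` into `files/data/pxe-config/`, and the kickstart template uses `{{ ansible_default_ipv4.address }}`), so this is a second, unparameterised grub.cfg whose address will silently go stale. Either turn it into a template fed from the same variable or add a header comment stating which of the two grub.cfg files the TFTP container actually serves, e.g. `# served by the tftp container from files/data/tftboot; the pxe-config copy is unused`. The installer and its seed are also fetched over plain HTTP with nothing in this hunk verifying them on the client side; a one-line comment recording that this is only acceptable on the isolated provisioning segment makes that assumption reviewable.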
@@ -0,0 +1 @@
+instance-id: focal-autoinstall
\ No newline at end of file
diff --git a/metal/roles/pxe_server/files/data/tftboot/user-data b/metal/roles/pxe_server/files/data/tftboot/user-data
new file mode 100644
index 0000000000..36d511dd0d
--- /dev/null
+++ b/metal/roles/pxe_server/files/data/tftboot/user-data
@@ -0,0 +1,89 @@ +#cloud-config +autoinstall: + version: 1 + package_upgrade: true + packages: + - zsh + - tmux + - nmap + - curl + - wget + - git + - htop + - iperf + - fail2ban + - vim + - net-tools + apt: + geoip: true + preserve_sources_list: false + apt: + preserve_sources_list: false + primary: + - arches: [amd64, i386] + uri: http://us.archive.ubuntu.com/ubuntu + - arches: [default] + uri: http://ports.ubuntu.com/ubuntu-ports + # r00tme + identity: {hostname: { hostvars[item]['inventory_hostname'] }}, password: $6$.c38i4RIqZeF4RtR$hRu2RFep/.6DziHLnRqGOEImb15JT2i.K/F9ojBkK/79zqY30Ll2/xx6QClQfdelLe.ZjpeVYfE8xBBcyLspa/, + username: jupiter} + keyboard: {layout: us, variant: ''} + locale: en_US.UTF-8 + # interface name will probably be different + network: + network: + version: 2 + ethernets: + enp89s0: + critical: true + dhcp-identifier: mac + dhcp4: true + ssh: + allow-pw: false + authorized-keys: [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILL07EL+5oPvSofRBADx1Of3q0Wj5vSa9KXtnSJzxDyn peter@mein.nl" + ] + install-server: true + # this creates an efi partition, /boot partition, and root(/) lvm volume + storage: + grub: + reorder_uefi: False + swap: + size: 0 + config: + - {ptable: gpt, path: /dev/nvme0n1, preserve: false, name: '', grub_device: false, + type: disk, id: disk-nvme0n1} + - {device: disk-nvme0n1, size: 536870912, wipe: superblock, flag: boot, number: 1, + preserve: false, grub_device: true, type: partition, id: partition-nvme0n11} + - {fstype: fat32, volume: partition-nvme0n11, preserve: false, type: format, id: format-2} + - {device: disk-nvme0n1, size: 1073741824, wipe: superblock, flag: linux, number: 2, + preserve: false, grub_device: false, type: partition, id: partition-nvme0n12} + - {fstype: ext4, volume: partition-nvme0n12, preserve: false, type: format, id: format-0} + - {device: disk-nvme0n1, size: -1, flag: linux, number: 3, preserve: false, + grub_device: false, type: partition, id: partition-nvme0n13} + - name: vg-0 + devices: 
[partition-nvme0n13] + preserve: false + type: lvm_volgroup + id: lvm-volgroup-vg-0 + - {name: lv-root, volgroup: lvm-volgroup-vg-0, size: 100%, preserve: false, + type: lvm_partition, id: lvm-partition-lv-root} + - {fstype: ext4, volume: lvm-partition-lv-root, preserve: false, type: format, + id: format-1} + - {device: format-1, path: /, type: mount, id: mount-2} + - {device: format-0, path: /boot, type: mount, id: mount-1} + - {device: format-2, path: /boot/efi, type: mount, id: mount-3} +write_files: + # override the kernel package + - path: /run/kernel-meta-package + content: | + linux-virtual + owner: root:root + permissions: "0644" + # attempt to also use an answers file by providing a file at the default path. It did not seem to have any effect + #- path: /subiquity_config/answers.yaml + # content: | + # InstallProgress: + # reboot: no + # owner: root:root + # permissions: "0644" \ No newline at end of file diff --git a/metal/roles/pxe_server/files/dhcp/Dockerfile b/metal/roles/pxe_server/files/dhcp/Dockerfile index 42fe266870..78590a9324 100644 --- a/metal/roles/pxe_server/files/dhcp/Dockerfile +++ b/metal/roles/pxe_server/files/dhcp/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:20220328 +FROM alpine:20210804 RUN apk add dhcp diff --git a/metal/roles/pxe_server/files/tftp/Dockerfile b/metal/roles/pxe_server/files/tftp/Dockerfile index 4bbdf6ed31..1adac2bcc6 100644 --- a/metal/roles/pxe_server/files/tftp/Dockerfile +++ b/metal/roles/pxe_server/files/tftp/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:20220328 +FROM alpine:20210804 RUN apk add busybox tftp-hpa diff --git a/metal/roles/pxe_server/tasks/main.yml b/metal/roles/pxe_server/tasks/main.yml index dd9fdf2a22..96a6ded247 100644 --- a/metal/roles/pxe_server/tasks/main.yml +++ b/metal/roles/pxe_server/tasks/main.yml 
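Review bot: The `identity:` line is not valid YAML: `hostname: { hostvars[item]['inventory_hostname'] }` uses single braces, so the flow mapping closes right after it and the trailing `, password: …, username: jupiter}` is left dangling, and in this static (non-`.j2`) file nothing would expand the expression anyway; the same line is in `metal/roles/pxe_server/templates/user-data.j2`, where it should read `hostname: {{ hostvars[item]['inventory_hostname'] }}`. A few lines further down `apt:` is nested inside `apt:` (`geoip`/`preserve_sources_list`, then a second `apt:` block), which looks like an indentation slip that will make the installer ignore the mirror settings; both files share it. Separately, the comment `# r00tme` sitting above the `password:` hash spells out the plaintext of a credential that is now committed in two files; drop the hash and the comment in favour of a variable supplied from a vault, and treat the password as burned since it is already in history.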
@@ -1,35 +1,35 @@ -- name: Download boot image +- name: Download ISO get_url: url: "{{ iso_url }}" dest: "{{ role_path }}/files/data/iso/{{ iso_url | basename }}" checksum: "{{ iso_checksum }}" register: iso -- name: Extract boot image +- name: Extract the ISO command: cmd: "xorriso -osirrox on -indev {{ iso.dest }} -extract / {{ role_path }}/files/data/os" creates: "{{ role_path }}/files/data/os/.treeinfo" -- name: Generate DHCP config +- name: Render DHCP config template: src: dhcpd.conf.j2 dest: "{{ role_path }}/files/data/pxe-config/dhcpd.conf" mode: 0644 -- name: Generate GRUB config +- name: Render GRUB config template: src: grub.cfg.j2 dest: "{{ role_path }}/files/data/pxe-config/grub.cfg" mode: 0644 -- name: Generate init config for each machine +- name: Render machine specific init config template: src: kickstart.ks.j2 dest: "{{ role_path }}/files/data/init-config/{{ hostvars[item]['mac'] }}.ks" mode: 0644 loop: "{{ groups['metal'] }}" -- name: Start the ephemeral PXE server +- name: Start ephemeral PXE server docker_compose: project_src: "{{ role_path }}/files" state: present diff --git a/metal/roles/pxe_server/templates/kickstart.ks.j2.bak b/metal/roles/pxe_server/templates/kickstart.ks.j2.bak new file mode 100644 index 0000000000..4bf19305b1 --- /dev/null +++ b/metal/roles/pxe_server/templates/kickstart.ks.j2.bak 
@@ -0,0 +1,51 @@ +#version=RHEL8 + +# Do not use graphical install +text + +# Keyboard layouts +keyboard --xlayouts='us' +# System language +lang en_US.UTF-8 + +# Partition clearing information +clearpart --all --drives={{ hostvars[item]['disk'] }} +# Partitioning +ignoredisk --only-use={{ hostvars[item]['disk'] }} +autopart + +# Network information +network --bootproto=static --device={{ hostvars[item]['network_interface'] }} --ip={{ hostvars[item]['ansible_host'] }} --gateway={{ ansible_default_ipv4.gateway }} --nameserver={{ dns_server }} --netmask={{ ansible_default_ipv4.netmask }} --ipv6=auto --hostname={{ hostvars[item]['inventory_hostname'] }} --activate + +# Use network installation +repo --name="Minimal" --baseurl=http://{{ ansible_default_ipv4.address }}/os/Minimal +url --url="http://{{ ansible_default_ipv4.address }}/os" +# Disable Setup Agent on first boot +firstboot --disable +# Do not configure the X Window System +skipx +# Enable NTP +services --enabled="chronyd" +# System timezone +timezone {{ timezone }} --isUtc + +# Create user (locked by default) +user --groups=wheel --name=admin +# Add SSH key +sshkey --username=root "{{ ssh_public_key }}" + +# Disable SELinux +selinux --disabled + +# Disable firewall +firewall --disabled + +%packages +@^minimal-environment +iscsi-initiator-utils +%end + +# Enable iSCSI for Kubernetes storage +services --enable=iscsid + +reboot diff --git a/metal/roles/pxe_server/templates/meta-data.j2 b/metal/roles/pxe_server/templates/meta-data.j2 new file mode 100644 index 0000000000..49d3dd1020 --- /dev/null +++ b/metal/roles/pxe_server/templates/meta-data.j2 @@ -0,0 +1 @@ +instance-id: focal-autoinstall \ No newline at end of file diff --git a/metal/roles/pxe_server/templates/user-data.j2 b/metal/roles/pxe_server/templates/user-data.j2 new file mode 100644 index 0000000000..88a8f83b50 --- /dev/null +++ b/metal/roles/pxe_server/templates/user-data.j2 
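Review bot: `kickstart.ks.j2.bak` is a backup copy checked into `templates/`; git history already preserves the previous template, so the `.bak` only adds a second, unmaintained file carrying `selinux --disabled`, `firewall --disabled` and a root `sshkey` directive that a future reader may copy from by mistake. If the kickstart path is being replaced by the cloud-init `user-data.j2`, delete the template together with the `Render machine specific init config` task that still renders `kickstart.ks.j2` in tasks/main.yml instead of keeping a backup; if it is still needed, keep it under its real name and add a short header such as `# RHEL/CentOS path; Ubuntu hosts use templates/user-data.j2` explaining when each installer path applies.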
@@ -0,0 +1,89 @@ +#cloud-config +autoinstall: + version: 1 + package_upgrade: true + packages: + - zsh + - tmux + - nmap + - curl + - wget + - git + - htop + - iperf + - fail2ban + - vim + - net-tools + apt: + geoip: true + preserve_sources_list: false + apt: + preserve_sources_list: false + primary: + - arches: [amd64, i386] + uri: http://us.archive.ubuntu.com/ubuntu + - arches: [default] + uri: http://ports.ubuntu.com/ubuntu-ports + # r00tme + identity: {hostname: { hostvars[item]['inventory_hostname'] }}, password: $6$.c38i4RIqZeF4RtR$hRu2RFep/.6DziHLnRqGOEImb15JT2i.K/F9ojBkK/79zqY30Ll2/xx6QClQfdelLe.ZjpeVYfE8xBBcyLspa/, + username: jupiter} + keyboard: {layout: us, variant: ''} + locale: en_US.UTF-8 + # interface name will probably be different + network: + network: + version: 2 + ethernets: + {{ hostvars[item]['network_interface'] }}: + critical: true + dhcp-identifier: mac + dhcp4: true + ssh: + allow-pw: false + authorized-keys: [ + "{{ ssh_public_key }}" + ] + install-server: true + # this creates an efi partition, /boot partition, and root(/) lvm volume + storage: + grub: + reorder_uefi: False + swap: + size: 0 + config: + - {ptable: gpt, path: /dev/{{ hostvars[item]['disk'] }}, preserve: false, name: '', grub_device: false, + type: disk, id: disk-{{ hostvars[item]['disk'] }}} + - {device: disk-{{ hostvars[item]['disk'] }}, size: 536870912, wipe: superblock, flag: boot, number: 1, + preserve: false, grub_device: true, type: partition, id: partition-{{ hostvars[item]['disk'] }}1} + - {fstype: fat32, volume: partition-{{ hostvars[item]['disk'] }}1, preserve: false, type: format, id: format-2} + - {device: disk-{{ hostvars[item]['disk'] }}, size: 1073741824, wipe: superblock, flag: linux, number: 2, + preserve: false, grub_device: false, type: partition, id: partition-{{ hostvars[item]['disk'] }}2} + - {fstype: ext4, volume: partition-{{ hostvars[item]['disk'] }}2, preserve: false, type: format, id: format-0} + - {device: disk-{{ hostvars[item]['disk'] }}, 
size: -1, flag: linux, number: 3, preserve: false, + grub_device: false, type: partition, id: partition-{{ hostvars[item]['disk'] }}3} + - name: vg-0 + devices: [partition-{{ hostvars[item]['disk'] }}3] + preserve: false + type: lvm_volgroup + id: lvm-volgroup-vg-0 + - {name: lv-root, volgroup: lvm-volgroup-vg-0, size: 100%, preserve: false, + type: lvm_partition, id: lvm-partition-lv-root} + - {fstype: ext4, volume: lvm-partition-lv-root, preserve: false, type: format, + id: format-1} + - {device: format-1, path: /, type: mount, id: mount-2} + - {device: format-0, path: /boot, type: mount, id: mount-1} + - {device: format-2, path: /boot/efi, type: mount, id: mount-3} +write_files: + # override the kernel package + - path: /run/kernel-meta-package + content: | + linux-virtual + owner: root:root + permissions: "0644" + # attempt to also use an answers file by providing a file at the default path. It did not seem to have any effect + #- path: /subiquity_config/answers.yaml + # content: | + # InstallProgress: + # reboot: no + # owner: root:root + # permissions: "0644" \ No newline at end of file diff --git a/metal/roles/wake/tasks/main.yml b/metal/roles/wake/tasks/main.yml index 2a2a01918a..ebd8e736eb 100644 --- a/metal/roles/wake/tasks/main.yml +++ b/metal/roles/wake/tasks/main.yml @@ -1,8 +1,8 @@ -- name: Send Wake-on-LAN magic packets +- name: Send magic Wake-on-LAN packet community.general.wakeonlan: mac: "{{ hostvars[inventory_hostname]['mac'] }}" delegate_to: localhost -- name: Wait for the machines to come online +- name: Wait for the servers to comes up wait_for_connection: timeout: 600 diff --git a/system/nfs/Chart.yaml b/system/nfs/Chart.yaml new file mode 100644 index 0000000000..2feefa5b97 --- /dev/null +++ b/system/nfs/Chart.yaml 
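Review bot: Nothing in the visible `tasks/main.yml` hunk renders `user-data.j2` or `meta-data.j2` — the role still templates `dhcpd.conf.j2`, `grub.cfg.j2` and `kickstart.ks.j2` — so as committed this template is dead unless a task outside this patch consumes it; if one is intended it needs a `template:` task with a `loop: "{{ groups['metal'] }}"` like the kickstart task, because every `hostvars[item]` reference here requires `item`. The static `grub.cfg` added in the same patch points every machine at the single seed `s=http://192.168.1.105/`, which, as far as the visible files show, cannot serve a different `user-data` per host, so the per-host `network_interface` and `disk` substitutions would not take effect even once rendered. A comment at the top naming the task that renders this file and the path it is written to would make the intended flow clear.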
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: nfs
+version: 0.0.0
+dependencies:
+ - name: nfs-server-provisioner
+ version: 1.4.0
+ repository: https://kubernetes-sigs.github.io/nfs-ganesha-server-and-external-provisioner/
\ No newline at end of file
diff --git a/system/nfs/values.yaml b/system/nfs/values.yaml
new file mode 100644
index 0000000000..ea9a2372a8
--- /dev/null
+++ b/system/nfs/values.yaml
@@ -0,0 +1,112 @@ +# Default values for nfs-provisioner. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +# imagePullSecrets: + +image: + repository: k8s.gcr.io/sig-storage/nfs-provisioner + tag: v3.0.0 + # digest: + pullPolicy: IfNotPresent + +# For a list of available arguments +# Please see https://github.com/kubernetes-incubator/external-storage/blob/HEAD/nfs/docs/deployment.md#arguments +extraArgs: {} + # device-based-fsids: false + # grace-period: 0 + +service: + type: ClusterIP + + nfsPort: 2049 + nlockmgrPort: 32803 + mountdPort: 20048 + rquotadPort: 875 + rpcbindPort: 111 + statdPort: 662 + # nfsNodePort: + # nlockmgrNodePort: + # mountdNodePort: + # rquotadNodePort: + # rpcbindNodePort: + # statdNodePort: + # clusterIP: + + externalIPs: 192.168.1.226 + +persistence: + enabled: true + + ## Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "hostpath" + hostPath: /pool0/home + accessMode: ReadWriteOnce + size: 1Gi + +## For creating the StorageClass automatically: +storageClass: + create: true + + ## Set a provisioner name. If unset, a name will be generated. 
+ # provisionerName: + + ## Set StorageClass as the default StorageClass + ## Ignored if storageClass.create is false + defaultClass: false + + ## Set a StorageClass name + ## Ignored if storageClass.create is false + name: nfs + + # set to null to prevent expansion + allowVolumeExpansion: true + ## StorageClass parameters + parameters: {} + + mountOptions: + - vers=3 + + ## ReclaimPolicy field of the class, which can be either Delete or Retain + reclaimPolicy: Delete + +## For RBAC support: +rbac: + create: true + + ## Ignored if rbac.create is true + ## + serviceAccountName: default + +## For creating the PriorityClass automatically: +priorityClass: + ## Enable creation of a PriorityClass resource for this nfs-server-provisioner instance + create: false + + ## Set a PriorityClass name to override the default name + name: "" + + ## PriorityClass value. The higher the value, the higher the scheduling priority + value: 5 + +resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/system/samba/values.yaml b/system/samba/values.yaml index ba4263664e..ec131c6d25 100644 --- a/system/samba/values.yaml +++ b/system/samba/values.yaml @@ -21,7 +21,7 @@ samba: TZ: Europe/Amsterdam # SAMBA_WORKGROUP: NT-Domain-Name or Workgroup-Name. (default WORKGROUP) SAMBA_SERVER_STRING: europa - # SAMBA_LOG_LEVEL: Log level. (default 0) + SAMBA_LOG_LEVEL: 1 # SAMBA_FOLLOW_SYMLINKS: Allow to follow symlinks. (default yes) # SAMBA_WIDE_LINKS: Controls whether or not links in the UNIX file system may be followed by the server. (default yes) SAMBA_HOSTS_ALLOW: 213.34.1.38/32 37.97.253.87/32 192.168.1.0/24 10.42.0.0/16 127.0.0.0/8 From 9edfe386e741d251fd111814323fd27bae96621a Mon Sep 17 00:00:00 2001 
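Review bot: These values sit at the top level, but `system/nfs/Chart.yaml` declares `nfs-server-provisioner` as a dependency, so Helm only forwards them to the subchart when they are nested under a `nfs-server-provisioner:` key — compare the other charts in this series (`samba:`, `firefly-iii:`, `argo-cd:`, `datadog:`), all of which wrap their values that way; as written, `replicaCount`, `image`, `service.externalIPs`, `persistence.hostPath` and the rest are ignored and the subchart deploys with its defaults. `service.externalIPs` is also a scalar where a Kubernetes Service expects a list, so once the values do reach the subchart the rendered Service is likely invalid; write it as `externalIPs: [192.168.1.226]`. Since this publishes NFS with `mountOptions: - vers=3` (no per-client authentication) on a LAN address, a comment stating which network segment is expected to reach it would make the exposure deliberate rather than accidental.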
From: Peter Mein Date: Mon, 4 Apr 2022 06:01:03 +0200 Subject: [PATCH 194/334] disable: firefly --- home/firefly/{Chart.yaml => Chart.yaml.disabled} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename home/firefly/{Chart.yaml => Chart.yaml.disabled} (100%) diff --git a/home/firefly/Chart.yaml b/home/firefly/Chart.yaml.disabled similarity index 100% rename from home/firefly/Chart.yaml rename to home/firefly/Chart.yaml.disabled From 1b248daa34d115df01792512f18fa1b7f25fcad0 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 4 Apr 2022 06:13:21 +0200 Subject: [PATCH 195/334] config: longer repo timeout --- bootstrap/argocd/values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bootstrap/argocd/values.yaml b/bootstrap/argocd/values.yaml index 967535b280..a834cf74b5 100644 --- a/bootstrap/argocd/values.yaml +++ b/bootstrap/argocd/values.yaml @@ -4,6 +4,7 @@ argo-cd: - --insecure config: statusbadge.enabled: 'true' + resource.customizations.health.argoproj.io_Application: | hs = {} hs.status = "Progressing" @@ -55,6 +56,8 @@ argo-cd: serviceMonitor: enabled: true controller: + args: + repoServerTimeoutSeconds: "180" metrics: *metrics repoServer: metrics: *metrics From 9216c74f13884eedfb9f114fe2e7d41ad0e1293c Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 4 Apr 2022 06:30:58 +0200 Subject: [PATCH 196/334] config: update site --- system/datadog/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/system/datadog/values.yaml b/system/datadog/values.yaml index 52182dde4b..b659a03122 100644 --- a/system/datadog/values.yaml +++ b/system/datadog/values.yaml 
@@ -66,7 +66,7 @@ datadog: # datadog.clusterName -- Set a unique cluster name to allow scoping hosts and Cluster Checks easily ## The name must be unique and must be dot-separated tokens with the following restrictions: - ## * Lowercase letters, numbers, and hyphens only. + ## * Lowercase letters, numbers, and githyphens only. ## * Must start with a letter. ## * Must end with a number or a letter. ## * Overall length should not be higher than 80 characters. @@ -76,7 +76,7 @@ datadog: # datadog.site -- The site of the Datadog intake to send Agent data to ## Set to 'datadoghq.eu' to send data to the EU site. - site: datadog.eu # datadoghq.com + site: datadoghq.eu # datadoghq.com # datadog.dd_url -- The host of the Datadog intake server to send Agent data to, only set this option if you need the Agent to send data to a custom URL ## Overrides the site setting defined in "site". From 755c639c1cb1af86e757ac4f393141ca211a7454 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 4 Apr 2022 06:32:00 +0200 Subject: [PATCH 197/334] config: enable oomkill --- system/datadog/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/datadog/values.yaml b/system/datadog/values.yaml index b659a03122..3d15e727de 100644 --- a/system/datadog/values.yaml +++ b/system/datadog/values.yaml @@ -394,7 +394,7 @@ datadog: enableTCPQueueLength: false # datadog.systemProbe.enableOOMKill -- Enable the OOM kill eBPF-based check - enableOOMKill: false + enableOOMKill: true # datadog.systemProbe.enableRuntimeCompiler -- Enable the runtime compiler for eBPF probes enableRuntimeCompiler: false From 00eb4fecfa8e4c01044c2e64296149844bcbe524 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 4 Apr 2022 06:51:09 +0200 Subject: [PATCH 198/334] config: process collection --- system/datadog/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/datadog/values.yaml b/system/datadog/values.yaml index 3d15e727de..a599723418 100644 
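Review bot: The first hunk corrupts a documentation comment: the rewritten line reads `## * Lowercase letters, numbers, and githyphens only.`, where "git" looks like a stray paste into the word "hyphens", and nothing in a commit titled "update site" explains it. Restore `## * Lowercase letters, numbers, and hyphens only.` so the clusterName rules stay readable. The second hunk's `site: datadoghq.eu` correction is consistent with the chart's own comment two lines above it, which names `datadoghq.eu` as the EU intake.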
--- a/system/datadog/values.yaml +++ b/system/datadog/values.yaml @@ -357,7 +357,7 @@ datadog: # datadog.processAgent.processCollection -- Set this to true to enable process collection in process monitoring agent ## Requires processAgent.enabled to be set to true to have any effect - processCollection: false + processCollection: true # datadog.processAgent.stripProcessArguments -- Set this to scrub all arguments from collected processes ## Requires processAgent.enabled and processAgent.processCollection to be set to true to have any effect From 649c0334a0d184068726002f63b70822c538f2dd Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 4 Apr 2022 07:11:01 +0200 Subject: [PATCH 199/334] config: privatebin ingress --- apps/privatebin/values.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apps/privatebin/values.yaml b/apps/privatebin/values.yaml index 11c07c7ea3..c2c98d5583 100644 --- a/apps/privatebin/values.yaml +++ b/apps/privatebin/values.yaml @@ -7,8 +7,7 @@ privatebin: external-dns.alpha.kubernetes.io/exclude: 'true' hosts: - host: &host privatebin.jupiter.mein.nl - paths: - - / + path: / tls: - secretName: privatebin-tls-certificate hosts: From b04b05fc745e625d7593ca6ee243ed33d31cc2a4 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 6 Apr 2022 20:35:38 +0200 Subject: [PATCH 200/334] feat: added ws services to ha --- home/homeassistant/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 73a85803b5..2b13930ae4 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -152,6 +152,7 @@ home-assistant: ingressClassName: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod + nginx.org/websocket-services: home-assistant hosts: - host: &config homeassistant-config.europa.jupiter.mein.nl paths: From 48535fc0de148bd0c518c640f8f74e578d61b088 Mon Sep 17 00:00:00 2001 
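Review bot: Setting `processCollection: true` ships the full command line of every process on every node to Datadog, and the context lines directly below show the companion key `stripProcessArguments`, which this commit leaves unset. In a cluster that runs Vault, Gitea, Postgres and Tekton, process arguments routinely carry tokens, passwords and connection strings, so this is a secrets-to-SaaS exposure rather than a functional bug. Add `stripProcessArguments: true` next to it (or configure explicit scrub patterns) unless unscrubbed arguments are deliberately wanted. Whether `processAgent.enabled` is on, which the comment says is required, is not visible in this hunk.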
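Review bot: The annotation `nginx.org/websocket-services: home-assistant` uses the prefix of the NGINX Inc. kubernetes-ingress controller, while every other ingress in this series uses the community ingress-nginx prefix `nginx.ingress.kubernetes.io/…` (proxy-body-size on dendrite, rewrite-target on sample-laravel), so under the `nginx` class configured here it is presumably ignored. ingress-nginx forwards WebSocket upgrades without any annotation, so if Home Assistant websockets were failing the likelier fix is a longer `nginx.ingress.kubernetes.io/proxy-read-timeout`; worth confirming against the controller actually installed before keeping this line. The `ingress` mapping this belongs to starts before the hunk.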
From: Peter Mein Date: Tue, 19 Apr 2022 08:37:28 +0200 Subject: [PATCH 201/334] fix: fixing faulty yaml --- .tekton/pipelines/pipeline.yaml | 21 --- README.md | 276 +------------------------------- bin/dendrite/values.yaml | 8 - 3 files changed, 1 insertion(+), 304 deletions(-) diff --git a/.tekton/pipelines/pipeline.yaml b/.tekton/pipelines/pipeline.yaml index 2746fd1bb5..5ad25ea7fc 100644 --- a/.tekton/pipelines/pipeline.yaml +++ b/.tekton/pipelines/pipeline.yaml @@ -25,27 +25,6 @@ spec: workspace: shared-data taskRef: name: lint -<<<<<<< HEAD -======= - - name: tools - runAfter: - - fetch-repo - workspaces: - - name: source - workspace: shared-data - # - name: dockerconfig - # workspace: dockerconfig - taskRef: - name: kaniko - params: - - name: CONTEXT - value: ./tools - - name: IMAGE - value: registry.jupiter.mein.nl/tools:latest - - name: EXTRA_ARGS - value: - - --cache=true ->>>>>>> e811f24237ce3e35dfec3f36a89fcf9861ca7958 - name: external runAfter: - fetch-repo diff --git a/README.md b/README.md index e3d9375554..e51cdcc6d5 100644 --- a/README.md +++ b/README.md @@ -1,275 +1 @@ -<<<<<<< HEAD -# Jupiter Mein Homelab -======= -
- -# Khue's Homelab - - - -[![chat](https://img.shields.io/matrix/homelab:matrix.khuedoan.com?style=flat-square&logo=matrix&logoColor=white&label=chat)](https://matrix.to/#/#homelab:matrix.khuedoan.com) -[![tag](https://img.shields.io/github/v/tag/khuedoan/homelab?style=flat-square&logo=semver&logoColor=white)](https://github.com/khuedoan/homelab/tags) -[![document](https://img.shields.io/website?label=document&logo=gitbook&logoColor=white&style=flat-square&url=https%3A%2F%2Fhomelab.khuedoan.com)](https://homelab.khuedoan.com) -[![license](https://img.shields.io/github/license/khuedoan/homelab?style=flat-square&logo=gnu&logoColor=white)](https://www.gnu.org/licenses/gpl-3.0.html) -[![stars](https://img.shields.io/github/stars/khuedoan/homelab?logo=github&logoColor=white&color=gold&style=flat-square)](https://github.com/khuedoan/homelab) - -This project utilizes [Infrastructure as Code](https://en.wikipedia.org/wiki/Infrastructure_as_code) and [GitOps](https://www.weave.works/technologies/gitops) to automate provisioning, operating, and updating self-hosted services in my homelab. -It can be used as a highly customizable framework to build your own homelab. - - - - - - - - -Current status: **ALPHA** - -
- -## Overview - -This section provides a high level overview of the project. -For further information, please see the [documentation](https://homelab.khuedoan.com). - -### Hardware - -![Hardware](https://user-images.githubusercontent.com/27996771/98970963-25137200-2543-11eb-8f2d-f9a2d45756ef.JPG) - -- 4 × NEC SFF `PC-MK26ECZDR` (Japanese version of the ThinkCentre M700): - - CPU: `Intel Core i5-6600T @ 2.70GHz` - - RAM: `16GB` - - SSD: `128GB` -- TP-Link `TL-SG108` switch: - - Ports: `8` - - Speed: `1000Mbps` - -### Features - -Project status: **Alpha** (see [roadmap](#roadmap) below) - -- [x] Common applications: Gitea, Seafile, Jellyfin, Paperless... -- [x] Automated bare metal provisioning with PXE boot -- [x] Automated Kubernetes installation and management -- [x] Installing and managing applications using GitOps -- [x] Automatic rolling upgrade for OS and Kubernetes -- [x] Automatically update apps (with approval) -- [x] Modular architecture, easy to add or remove features/components -- [x] Automated certificate management -- [x] Automatically update DNS records for exposed services -- [x] Expose services to the internet securely with [Cloudflare Tunnel](https://www.cloudflare.com/products/tunnel/) -- [x] CI/CD platform -- [x] Private container registry -- [x] Distributed storage -- [x] Support multiple environments (dev, prod) -- [ ] Monitoring and alerting 🚧 -- [ ] Automated offsite backups 🚧 -- [ ] Single sign-on 🚧 - -Some demo videos and screenshots are shown here. -They can't capture all of the project's features, but they are sufficient to get a concept of it. 
- -| [![Deployment](https://asciinema.org/a/xkBRkwC6e9RAzVuMDXH3nGHp7.svg)](https://asciinema.org/a/xkBRkwC6e9RAzVuMDXH3nGHp7) | -| :--: | -| Deploy with a single command (after updating the config files of course) | - -| [![PXE boot](https://user-images.githubusercontent.com/27996771/157303477-df2e7410-8f02-4648-a86c-71e6b7e89e35.png)](https://www.youtube.com/watch?v=y-d7btNNAT8) | -| :--: | -| PXE boot | - -| ![](https://user-images.githubusercontent.com/27996771/149445807-0f869eb7-d8f5-4fef-ab97-ac281df91a06.png) | -| :--: | -| Homepage with Ingress discovery powered by [Hajimari](https://github.com/toboshii/hajimari) | - -| ![](https://user-images.githubusercontent.com/27996771/149444871-38889c9d-862f-41ff-8c05-8ece21da3e9c.png) | -| :--: | -| Git server powered by [Gitea](https://gitea.io/en-us/) | - -| ![](https://user-images.githubusercontent.com/27996771/149445374-58fd0605-bb9a-46e4-81d6-5e584d2b94a9.png) | -| :--: | -| Continuous integration with [Tekton](https://tekton.dev/) | - -| ![](https://user-images.githubusercontent.com/27996771/149444716-fc0d7282-4cf7-4ddb-97a4-1a3fb47ff2b8.png) | -| :--: | -| Continuous deployment with [ArgoCD](https://argoproj.github.io/cd/) | - -| ![](https://user-images.githubusercontent.com/27996771/149446631-1c5d056b-1fdc-48e6-96ba-e1abe1762be0.png) | -| :--: | -| Monitoring dashboard powered by [Grafana](https://grafana.com/) | - -| ![](https://user-images.githubusercontent.com/27996771/149448510-7163310c-2049-4ccd-901d-f11f605bfc32.png) | -| :--: | -| [Matrix](https://matrix.org/) chat server powered by [Element](https://matrix.org/docs/projects/client/element) and [Dendrite](https://matrix.org/docs/projects/server/dendrite) | - -| ![](https://user-images.githubusercontent.com/27996771/149448896-9d79947d-468c-45c6-a81d-b43654e8ab6b.png) | -| :--: | -| Cluster management using [Lens](https://k8slens.dev/) (or you can just use `kubectl`) | - -| 
![](https://user-images.githubusercontent.com/27996771/149452309-de4a893b-e94c-4ba8-9119-ea87449cf77e.png) | -| :--: | -| Secret management with [Vault](https://www.vaultproject.io/) | - -### Tech stack - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LogoNameDescription
AnsibleAutomate bare metal provisioning and configuration
ArgoCDGitOps tool built to deploy applications to Kubernetes
cert-managerCloud native certificate management
CloudflareDNS and Tunnel
DockerEphermeral PXE server and convenient tools container
ExternalDNSSynchronizes exposed Kubernetes Services and Ingresses with DNS providers
GiteaSelf-hosted Git service
GrafanaOperational dashboards
HelmThe package manager for Kubernetes
K3sLightweight distribution of Kubernetes
KubernetesContainer-orchestration system, the backbone of this project
LokiLog aggregation system
LonghornCloud native distributed block storage for Kubernetes
MetalLBBare metal load-balancer for Kubernetes
NGINXKubernetes Ingress Controller
PrometheusSystems monitoring and alerting toolkit
RenovateAutomatically update dependencies
Rocky LinuxBase OS for Kubernetes nodes
TektonCloud native solution for building CI/CD systems
TrowPrivate container registry
VaultSecrets and encryption management system
- -## Get Started - -- [Try it out locally](https://homelab.khuedoan.com/try-locally.html) without any hardware -- [Deploy on real hardware](https://homelab.khuedoan.com/deployment) for real workload - -## Roadmap - -See [roadmap](https://homelab.khuedoan.com/roadmap.html) and [open issues](https://github.com/khuedoan/homelab/issues) for a list of proposed features and known issues. - -## Contributing - -Any contributions you make, either big or small, are greatly appreciated. - -## License - -> Copyright (c) 2020, 2021, 2022 Khue Doan - -
- -Distributed under the GPLv3 License. - -This project is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. - -This project is distributed in the hope that it will be useful, but **WITHOUT ANY WARRANTY**; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. -See the GNU General Public License for more details. - -You should have received a copy of the GNU General Public License along with this project (`LICENSE.md`). -If not, see . - -
- -## Acknowledgements - -- [ArgoCD usage in my coworker's homelab](https://github.com/locmai/humble) -- [README template](https://github.com/othneildrew/Best-README-Template) -- [Run the same Cloudflare Tunnel across many `cloudflared` processes](https://developers.cloudflare.com/cloudflare-one/tutorials/many-cfd-one-tunnel) -- [MAC address environment variable in GRUB config](https://askubuntu.com/questions/1272400/how-do-i-automate-network-installation-of-many-ubuntu-18-04-systems-with-efi-and) -- [Official k3s systemd service file](https://github.com/k3s-io/k3s/blob/master/k3s.service) -- [Official Cloudflare Tunnel examples](https://github.com/cloudflare/argo-tunnel-examples) -- [Initialize GitOps repository on Gitea and integrate with Tekton by RedHat](https://github.com/redhat-scholars/tekton-tutorial/tree/master/triggers) - -## Stargazers over time - -[![Stargazers over time](https://starchart.cc/khuedoan/homelab.svg)](https://starchart.cc/khuedoan/homelab) -<<<<<<< HEAD ->>>>>>> 8442b6d98469b5ddab0280f783a0efe72b6aea7d -======= ->>>>>>> 062cdd53765184bc0427123ae458d3bbe60c152f ->>>>>>> khuedoan-master +# Jupiter Mein Homelab \ No newline at end of file diff --git a/bin/dendrite/values.yaml b/bin/dendrite/values.yaml index 112c41a012..f464bb50d7 100644 --- a/bin/dendrite/values.yaml +++ b/bin/dendrite/values.yaml @@ -27,15 +27,7 @@ dendrite: pullPolicy: IfNotPresent configuration: version: 2 -<<<<<<< HEAD:apps/matrix/values.yaml servername: &host matrix.jupiter.mein.nl -======= -<<<<<<< HEAD:bin/dendrite/values.yaml - servername: &host matrix.jupiter.mein.nl -======= - servername: &backend_host matrix.khuedoan.com ->>>>>>> 062cdd53765184bc0427123ae458d3bbe60c152f:apps/matrix/values.yaml ->>>>>>> khuedoan-master:bin/dendrite/values.yaml database: host: "dendrite-postgresql:5432" user: "dendrite" From 7e44a9bcce1028e984f00dcdc84442fe17c8f427 Mon Sep 17 00:00:00 2001 
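Review bot: Resolving the conflict in `bin/dendrite/values.yaml` by keeping only `servername: &host matrix.jupiter.mein.nl` drops the `&backend_host` anchor the upstream line defined, yet the same file still aliases `*backend_host` under `dendrite.ingress.hosts` and `tls.hosts` (visible in full when patch 205 deletes blob `f464bb50d7`, the result of this commit). A YAML alias to an undefined anchor is a parse error, so a commit titled "fixing faulty yaml" leaves this values file unloadable by Helm. Either keep the upstream anchor name, `servername: &backend_host matrix.jupiter.mein.nl`, or change the two `*backend_host` references to `*host`. The enclosing `dendrite:` mapping begins before this hunk.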
From: Peter Mein Date: Tue, 19 Apr 2022 08:41:16 +0200 Subject: [PATCH 202/334] upgrade: homeassistant --- home/homeassistant/Chart.yaml | 2 +- home/homeassistant/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/home/homeassistant/Chart.yaml b/home/homeassistant/Chart.yaml index f447be3a6a..7c46a8f420 100644 --- a/home/homeassistant/Chart.yaml +++ b/home/homeassistant/Chart.yaml @@ -3,5 +3,5 @@ name: homeassistant version: 0.0.0 dependencies: - name: home-assistant - version: 12.2.0 + version: 13.0.2 repository: https://k8s-at-home.com/charts/ diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 2b13930ae4..e3fe5c9704 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -3,7 +3,7 @@ home-assistant: # -- image repository repository: homeassistant/home-assistant # -- image tag - tag: 2022.3.8 + tag: 2022.4 # -- image pull policy pullPolicy: IfNotPresent From 901cd120ad8210040c574c0ba196884b27c082ba Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 19 Apr 2022 20:54:53 +0200 Subject: [PATCH 203/334] =?UTF-8?q?config:=20different=20tag=20=C3=B8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- home/homeassistant/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index e3fe5c9704..3b503397a3 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -3,7 +3,7 @@ home-assistant: # -- image repository repository: homeassistant/home-assistant # -- image tag - tag: 2022.4 + tag: 2022.4.5 # -- image pull policy pullPolicy: IfNotPresent From 146e8d9bd9389c2935289f3a5180ca0593235e53 Mon Sep 17 00:00:00 2001 
From: Peter Mein Date: Sat, 23 Apr 2022 09:11:56 +0200 Subject: [PATCH 204/334] config: renamed renovate.json --- renovate.json5 => renovate.json | 1 - 1 file changed, 1 deletion(-) rename renovate.json5 => renovate.json (82%) diff --git a/renovate.json5 b/renovate.json similarity index 82% rename from renovate.json5 rename to renovate.json index 845bcb14f6..027bdefd9b 100644 --- a/renovate.json5 +++ b/renovate.json @@ -1,4 +1,3 @@ -// TODO switch to YAML https://github.com/renovatebot/renovate/issues/7031 { "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ From a4c2adf5197ee48f22b8467a314990bd8b96c55b Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 22 May 2022 16:46:47 +0200 Subject: [PATCH 205/334] fix: remove bin --- bin/dendrite/Chart.yaml | 7 -- bin/dendrite/values.yaml | 84 ------------------- bin/system-upgrade/k3s/agent.yaml | 26 ------ bin/system-upgrade/k3s/kustomization.yaml | 10 --- bin/system-upgrade/k3s/server.yaml | 21 ----- bin/system-upgrade/kustomization.yaml | 6 -- .../rocky-linux/kustomization.yaml | 9 -- bin/system-upgrade/rocky-linux/upgrade.yaml | 38 --------- 8 files changed, 201 deletions(-) delete mode 100644 bin/dendrite/Chart.yaml delete mode 100644 bin/dendrite/values.yaml delete mode 100644 bin/system-upgrade/k3s/agent.yaml delete mode 100644 bin/system-upgrade/k3s/kustomization.yaml delete mode 100644 bin/system-upgrade/k3s/server.yaml delete mode 100644 bin/system-upgrade/kustomization.yaml delete mode 100644 bin/system-upgrade/rocky-linux/kustomization.yaml delete mode 100644 bin/system-upgrade/rocky-linux/upgrade.yaml diff --git a/bin/dendrite/Chart.yaml b/bin/dendrite/Chart.yaml deleted file mode 100644 index 2635e311ca..0000000000 --- a/bin/dendrite/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -name: dendrite -version: 0.0.0 -dependencies: - - name: dendrite - version: 0.0.3 - repository: https://locmai.github.io/charts # TODO switch to official chart 
diff --git a/bin/dendrite/values.yaml b/bin/dendrite/values.yaml deleted file mode 100644 index f464bb50d7..0000000000 --- a/bin/dendrite/values.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -elementweb: - ingress: - enabled: true - className: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: "homelab-tunnel.khuedoan.com" - external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" - hosts: - - host: &frontend_host chat.khuedoan.com - paths: - - path: / - pathType: Prefix - tls: - - secretName: element-tls-certificate - hosts: - - *frontend_host - config: - default: - base_url: https://matrix.khuedoan.com - server_name: khuedoan.com - -dendrite: - polylith: false - image: - name: "locmai/dendrite-monolith:010922" # TODO switch to official image - pullPolicy: IfNotPresent - configuration: - version: 2 - servername: &host matrix.jupiter.mein.nl - database: - host: "dendrite-postgresql:5432" - user: "dendrite" - password: "dendrite" - max_open_conns: 100 - max_idle_conns: 2 - conn_max_lifetime: -1 - metrics: - enabled: true - jetstream: - in_memory: false - addresses: - - nats://dendrite-nats:4222 - persistence: - storageClass: longhorn - logs: - capacity: 1Gi - media: - capacity: 5Gi - nats: - enabled: true - nats: - jetstream: - enabled: true - postgresql: - enabled: true - global: - postgresql: - postgresqlDatabase: dendrite - postgresqlUsername: dendrite - postgresqlPassword: dendrite - persistence: - enabled: true - storageClass: longhorn - accessModes: - - ReadWriteOnce - size: 5Gi - ingress: - enabled: true - className: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: "jupiter-tunnel.jupiter.mein.nl" - external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" - nginx.ingress.kubernetes.io/proxy-body-size: 32m - hosts: - - host: *backend_host - paths: - - path: / - pathType: Prefix - tls: - - secretName: dendrite-tls-certificate - hosts: - - *backend_host diff --git a/bin/system-upgrade/k3s/agent.yaml b/bin/system-upgrade/k3s/agent.yaml deleted file mode 100644 index bd27216012..0000000000 
--- a/bin/system-upgrade/k3s/agent.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: upgrade.cattle.io/v1 -kind: Plan -metadata: - name: k3s-agent - namespace: system-upgrade - labels: - k3s-upgrade: agent -spec: - nodeSelector: - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: DoesNotExist - serviceAccountName: system-upgrade - prepare: - image: rancher/k3s-upgrade - args: - - prepare - - k3s-server - concurrency: 1 - cordon: true - drain: - force: true - skipWaitForDeleteTimeout: 300 # Honor PodDisruptionBudgets - upgrade: - image: rancher/k3s-upgrade - channel: https://update.k3s.io/v1-release/channels/v1.23 diff --git a/bin/system-upgrade/k3s/kustomization.yaml b/bin/system-upgrade/k3s/kustomization.yaml deleted file mode 100644 index 688a489e0a..0000000000 --- a/bin/system-upgrade/k3s/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - server.yaml - - agent.yaml - -commonAnnotations: - # TODO https://github.com/rancher/system-upgrade-controller/issues/172 - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true diff --git a/bin/system-upgrade/k3s/server.yaml b/bin/system-upgrade/k3s/server.yaml deleted file mode 100644 index f8d6d00b5c..0000000000 --- a/bin/system-upgrade/k3s/server.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: upgrade.cattle.io/v1 -kind: Plan -metadata: - name: k3s-server - namespace: system-upgrade - labels: - k3s-upgrade: server -spec: - nodeSelector: - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - serviceAccountName: system-upgrade - concurrency: 1 - cordon: true - drain: - force: true - skipWaitForDeleteTimeout: 300 # Honor PodDisruptionBudgets - upgrade: - image: rancher/k3s-upgrade - channel: https://update.k3s.io/v1-release/channels/v1.23 
diff --git a/bin/system-upgrade/kustomization.yaml b/bin/system-upgrade/kustomization.yaml deleted file mode 100644 index 4bb6075308..0000000000 --- a/bin/system-upgrade/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - https://github.com/rancher/system-upgrade-controller/releases/download/v0.8.1/system-upgrade-controller.yaml - - k3s diff --git a/bin/system-upgrade/rocky-linux/kustomization.yaml b/bin/system-upgrade/rocky-linux/kustomization.yaml deleted file mode 100644 index 5dc3423d94..0000000000 --- a/bin/system-upgrade/rocky-linux/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - upgrade.yaml - -commonAnnotations: - # TODO https://github.com/rancher/system-upgrade-controller/issues/172 - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true diff --git a/bin/system-upgrade/rocky-linux/upgrade.yaml b/bin/system-upgrade/rocky-linux/upgrade.yaml deleted file mode 100644 index e11833b330..0000000000 --- a/bin/system-upgrade/rocky-linux/upgrade.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: rocky-upgrade - namespace: system-upgrade -type: Opaque -stringData: - upgrade.sh: | - #!/bin/sh - set -e - dnf upgrade -y - command -v needs-restarting || dnf install -y dnf-utils - needs-restarting --reboothint || reboot ---- -apiVersion: upgrade.cattle.io/v1 -kind: Plan -metadata: - name: rocky-upgrade - namespace: system-upgrade -spec: - serviceAccountName: system-upgrade - secrets: - - name: rocky - path: /host/run/system-upgrade/secrets/rocky - upgrade: - image: rockylinux - command: - - chroot - - /host - args: - - sh - - /run/system-upgrade/secrets/rocky/upgrade.sh - concurrency: 1 - cordon: true - drain: - force: true - skipWaitForDeleteTimeout: 300 # Honor PodDisruptionBudgets - version: "20220123" # TODO dummy value 
From 0e51b4b42eafb16fdd20812c5d76f75a4eab3bdf Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 22 May 2022 16:57:20 +0200 Subject: [PATCH 206/334] fix: clean up --- apps/hajimari/Chart.yaml | 7 -- apps/hajimari/values.yaml | 25 ------ apps/sample-laravel/deployment.yaml | 20 ----- apps/sample-laravel/ingress.yaml | 19 ----- apps/sample-laravel/kustomization.yaml | 4 - apps/sample-laravel/svc.yaml | 9 -- apps/sample-laravel/tekton.yaml | 92 -------------------- bin/blog/deployment.yaml | 21 ----- bin/blog/ingress.yaml | 24 ------ bin/blog/kustomization.yaml | 7 -- bin/blog/service.yaml | 15 ---- bin/cloudflared/values.yaml | 2 +- system/nfs/Chart.yaml | 7 -- system/nfs/values.yaml | 112 ------------------------- system/samba/Chart.yaml | 7 -- system/samba/values.yaml | 96 --------------------- 16 files changed, 1 insertion(+), 466 deletions(-) delete mode 100644 apps/hajimari/Chart.yaml delete mode 100644 apps/hajimari/values.yaml delete mode 100644 apps/sample-laravel/deployment.yaml delete mode 100644 apps/sample-laravel/ingress.yaml delete mode 100644 apps/sample-laravel/kustomization.yaml delete mode 100644 apps/sample-laravel/svc.yaml delete mode 100644 apps/sample-laravel/tekton.yaml delete mode 100644 bin/blog/deployment.yaml delete mode 100644 bin/blog/ingress.yaml delete mode 100644 bin/blog/kustomization.yaml delete mode 100644 bin/blog/service.yaml delete mode 100644 system/nfs/Chart.yaml delete mode 100644 system/nfs/values.yaml delete mode 100644 system/samba/Chart.yaml delete mode 100644 system/samba/values.yaml diff --git a/apps/hajimari/Chart.yaml b/apps/hajimari/Chart.yaml deleted file mode 100644 index be25f924f7..0000000000 --- a/apps/hajimari/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -name: hajimari -version: 0.0.0 -dependencies: - - name: hajimari - version: 1.2.0 - repository: https://hajimari.io diff --git a/apps/hajimari/values.yaml b/apps/hajimari/values.yaml deleted file mode 100644 index db0cd97ce1..0000000000 
--- a/apps/hajimari/values.yaml +++ /dev/null @@ -1,25 +0,0 @@ -hajimari: - image: # TODO remove this https://github.com/toboshii/hajimari/blob/main/charts/hajimari/values.yaml - tag: v0.2.0 - env: - TZ: Asia/Ho_Chi_Minh - hajimari: - defaultEnable: true - namespaceSelector: - any: true - ingress: - main: - enabled: true - ingressClassName: nginx - annotations: - external-dns.alpha.kubernetes.io/exclude: 'true' - cert-manager.io/cluster-issuer: letsencrypt-prod - hosts: - - host: &host home.jupiter.mein.nl - paths: - - path: / - pathType: Prefix - tls: - - secretName: hajimari-tls-certificate - hosts: - - *host diff --git a/apps/sample-laravel/deployment.yaml b/apps/sample-laravel/deployment.yaml deleted file mode 100644 index 7e2c3e0ca6..0000000000 --- a/apps/sample-laravel/deployment.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: sample-laravel-app - name: sample-laravel-app -spec: - replicas: 1 - selector: - matchLabels: - app: sample-laravel-app - template: - metadata: - labels: - app: sample-laravel-app - spec: - containers: - - name: sample-laravel-app - image: ealen/echo-server:latest - imagePullPolicy: Always \ No newline at end of file diff --git a/apps/sample-laravel/ingress.yaml b/apps/sample-laravel/ingress.yaml deleted file mode 100644 index 38df3fe0dd..0000000000 --- a/apps/sample-laravel/ingress.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: laravel-sample - annotations: - nginx.ingress.kubernetes.io/rewrite-target: /$2 -spec: - ingressClassName: nginx - rules: - - host: sample.europa.jupiter.mein.nl - http: - paths: - - path: / - pathType: ImplementationSpecific - backend: - service: - name: sample-laravel-svc - port: - number: 8080 \ No newline at end of file diff --git a/apps/sample-laravel/kustomization.yaml b/apps/sample-laravel/kustomization.yaml deleted file mode 100644 index 726e0c7e87..0000000000 
--- a/apps/sample-laravel/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -resources: - - deployment.yaml - - svc.yaml - - ingress.yaml \ No newline at end of file diff --git a/apps/sample-laravel/svc.yaml b/apps/sample-laravel/svc.yaml deleted file mode 100644 index ff575929cc..0000000000 --- a/apps/sample-laravel/svc.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: sample-laravel-svc -spec: - selector: - app: sample-laravel-app - ports: - - port: 8080 \ No newline at end of file diff --git a/apps/sample-laravel/tekton.yaml b/apps/sample-laravel/tekton.yaml deleted file mode 100644 index 33b68bde00..0000000000 --- a/apps/sample-laravel/tekton.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ - ---- -apiVersion: triggers.tekton.dev/v1alpha1 -kind: TriggerTemplate -metadata: - name: cd-pipeline-trigger-template -spec: - params: - - name: sha - description: The commit SHA to build and deploy - - name: short-sha - description: Truncated version of the SHA - resourcetemplates: - - apiVersion: tekton.dev/v1beta1 - kind: PipelineRun - metadata: - generateName: cd-pipeline-run- - spec: - serviceAccountName: build-bot - pipelineRef: - name: cd-pipeline - params: - - name: sha - value: $(tt.params.sha) - - name: short-sha - value: $(tt.params.short-sha) - workspaces: - - name: git-ssh-creds - secret: - secretName: git-ssh-creds - - name: git-manifests-repo-ssh-creds - secret: - secretName: git-manifests-repo-ssh-creds - - name: docker-creds - secret: - secretName: docker-config - - name: cd-ws # this workspace name must be declared in the Pipeline - volumeClaimTemplate: - spec: - storageClass: "longhorn" - accessModes: - - ReadWriteOnce # access mode may affect how you can use this volume in parallel tasks - resources: - requests: - storage: 1Gi ---- -apiVersion: triggers.tekton.dev/v1alpha1 -kind: TriggerBinding -metadata: - name: cd-pipeline-trigger-template-binding -spec: - params: - - name: sha - value: $(body.after) - - name: short-sha - value: $(extensions.short-sha) ---- -apiVersion: triggers.tekton.dev/v1alpha1 -kind: EventListener -metadata: - name: main-push-listener -spec: - serviceAccountName: build-bot - triggers: - - name: gitea-main-push-trigger - interceptors: - - name: gitea-main-push-interceptor - ref: - name: "gitea" - kind: ClusterInterceptor - apiVersion: triggers.tekton.dev - params: - - name: "secretRef" - value: - secretName: gitea-main-push-webhook-secret - secretKey: secretToken - - name: "eventTypes" - value: ["push"] - - name: "CEL filter: only when branch main is pushed" - ref: - name: "cel" - params: - - name: "filter" - value: "body.ref == 'refs/heads/main'" - - name: "overlays" - value: - - key: short-sha - 
expression: "body.after.truncate(7)" - bindings: - - ref: cd-pipeline-trigger-template-binding - template: - ref: cd-pipeline-trigger-template \ No newline at end of file diff --git a/bin/blog/deployment.yaml b/bin/blog/deployment.yaml deleted file mode 100644 index 22f2adb7b1..0000000000 --- a/bin/blog/deployment.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# TESTING -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: blog - name: blog -spec: - replicas: 3 - selector: - matchLabels: - app: blog - template: - metadata: - labels: - app: blog - spec: - containers: - - name: blog - image: registry.jupiter.mein.nl/blog:latest - imagePullPolicy: Always diff --git a/bin/blog/ingress.yaml b/bin/blog/ingress.yaml deleted file mode 100644 index cc996d6da4..0000000000 --- a/bin/blog/ingress.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: blog - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: jupiter-tunnel.jupiter.mein.nl - external-dns.alpha.kubernetes.io/cloudflare-proxied: 'true' -spec: - ingressClassName: nginx - rules: - - host: &host blog.jupiter.mein.nl - http: - paths: - - pathType: ImplementationSpecific - backend: - service: - name: blog - port: - name: http - tls: - - hosts: - - *host - secretName: blog-tls-certificate diff --git a/bin/blog/kustomization.yaml b/bin/blog/kustomization.yaml deleted file mode 100644 index 1d4f62eb32..0000000000 --- a/bin/blog/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - deployment.yaml - - service.yaml - - ingress.yaml diff --git a/bin/blog/service.yaml b/bin/blog/service.yaml deleted file mode 100644 index 75b8e00966..0000000000 --- a/bin/blog/service.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - app: blog - name: blog -spec: - type: ClusterIP - selector: - app: blog - ports: - - name: http - protocol: TCP - port: 80 - targetPort: 80 diff --git a/bin/cloudflared/values.yaml b/bin/cloudflared/values.yaml index f5f469968d..0014ac231e 100644 --- a/bin/cloudflared/values.yaml +++ b/bin/cloudflared/values.yaml @@ -14,5 +14,5 @@ cloudflared: podMonitor: enabled: true - metricsEndpoints: + metricsEndpoinrenovts: - port: http diff --git a/system/nfs/Chart.yaml b/system/nfs/Chart.yaml deleted file mode 100644 index 2feefa5b97..0000000000 --- a/system/nfs/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -name: nfs -version: 0.0.0 -dependencies: - - name: nfs-server-provisioner - version: 1.4.0 - repository: https://kubernetes-sigs.github.io/nfs-ganesha-server-and-external-provisioner/ \ No newline at end of file diff --git a/system/nfs/values.yaml b/system/nfs/values.yaml deleted file mode 100644 index ea9a2372a8..0000000000 --- a/system/nfs/values.yaml +++ /dev/null 
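Review bot: The added line in the `bin/cloudflared/values.yaml` hunk renames the PodMonitor key to `metricsEndpoinrenovts:`, which looks like the string `renov` accidentally pasted into the middle of `metricsEndpoints` rather than an intentional change. An unknown key is silently ignored by Helm, so `podMonitor.enabled: true` would remain set while the endpoint list under it is no longer read, and Prometheus would stop scraping cloudflared metrics without any error at deploy time; the only symptom would be a gap in the tunnel's metrics and any alerts built on them. The line should read `metricsEndpoints:` (the key the removed line had), and a `helm template` or `helm lint` against the chart's values schema, if it has one, would catch this class of slip before it reaches the cluster.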
@@ -1,112 +0,0 @@ -# Default values for nfs-provisioner. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 - -# imagePullSecrets: - -image: - repository: k8s.gcr.io/sig-storage/nfs-provisioner - tag: v3.0.0 - # digest: - pullPolicy: IfNotPresent - -# For a list of available arguments -# Please see https://github.com/kubernetes-incubator/external-storage/blob/HEAD/nfs/docs/deployment.md#arguments -extraArgs: {} - # device-based-fsids: false - # grace-period: 0 - -service: - type: ClusterIP - - nfsPort: 2049 - nlockmgrPort: 32803 - mountdPort: 20048 - rquotadPort: 875 - rpcbindPort: 111 - statdPort: 662 - # nfsNodePort: - # nlockmgrNodePort: - # mountdNodePort: - # rquotadNodePort: - # rpcbindNodePort: - # statdNodePort: - # clusterIP: - - externalIPs: 192.168.1.226 - -persistence: - enabled: true - - ## Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - storageClass: "hostpath" - hostPath: /pool0/home - accessMode: ReadWriteOnce - size: 1Gi - -## For creating the StorageClass automatically: -storageClass: - create: true - - ## Set a provisioner name. If unset, a name will be generated. 
- # provisionerName: - - ## Set StorageClass as the default StorageClass - ## Ignored if storageClass.create is false - defaultClass: false - - ## Set a StorageClass name - ## Ignored if storageClass.create is false - name: nfs - - # set to null to prevent expansion - allowVolumeExpansion: true - ## StorageClass parameters - parameters: {} - - mountOptions: - - vers=3 - - ## ReclaimPolicy field of the class, which can be either Delete or Retain - reclaimPolicy: Delete - -## For RBAC support: -rbac: - create: true - - ## Ignored if rbac.create is true - ## - serviceAccountName: default - -## For creating the PriorityClass automatically: -priorityClass: - ## Enable creation of a PriorityClass resource for this nfs-server-provisioner instance - create: false - - ## Set a PriorityClass name to override the default name - name: "" - - ## PriorityClass value. The higher the value, the higher the scheduling priority - value: 5 - -resources: {} - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -nodeSelector: {} - -tolerations: [] - -affinity: {} diff --git a/system/samba/Chart.yaml b/system/samba/Chart.yaml deleted file mode 100644 index 4e6fed73c8..0000000000 --- a/system/samba/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -name: samba -version: 0.0.0 -dependencies: - - name: samba - version: 6.0.0 - repository: https://k8s-at-home.com/charts/ diff --git a/system/samba/values.yaml b/system/samba/values.yaml deleted file mode 100644 index ec131c6d25..0000000000 --- a/system/samba/values.yaml +++ /dev/null 
@@ -1,96 +0,0 @@ -samba: - # - # IMPORTANT NOTE - # - # This chart inherits from our common library chart. You can check the default values/options here: - # https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml - # - - image: - # -- image repository - repository: ghcr.io/crazy-max/samba - # -- image tag - tag: 4.15.5 - # -- image pull policy - pullPolicy: Always - - # -- environment variables. See [image docs](https://github.com/crazy-max/docker-samba#environment-variables) for more details. - # @default -- See below - env: - # -- Set the container timezone - TZ: Europe/Amsterdam - # SAMBA_WORKGROUP: NT-Domain-Name or Workgroup-Name. (default WORKGROUP) - SAMBA_SERVER_STRING: europa - SAMBA_LOG_LEVEL: 1 - # SAMBA_FOLLOW_SYMLINKS: Allow to follow symlinks. (default yes) - # SAMBA_WIDE_LINKS: Controls whether or not links in the UNIX file system may be followed by the server. (default yes) - SAMBA_HOSTS_ALLOW: 213.34.1.38/32 37.97.253.87/32 192.168.1.0/24 10.42.0.0/16 127.0.0.0/8 - # SAMBA_INTERFACES: Allows you to override the default network interfaces list. - - # -- Configures service settings for the chart. - # @default -- See values.yaml - service: - main: - type: LoadBalancer - ports: - tcp: - enabled: true - protocol: TCP - port: 445 - - - # ingress: - # # -- Enable and configure ingress settings for the chart under this key. - # # @default -- See values.yaml - # main: - # enabled: true - # ingressClassName: nginx - # annotations: - # cert-manager.io/cluster-issuer: letsencrypt-prod - # hosts: - # - host: &host samba.jupiter.mein.nl - # paths: - # - path: / - # pathType: Prefix - # tls: - # - secretName: samba-tls-certificate - # hosts: - # - *host - - # -- Configure persistence settings for the chart under this key. 
- # @default -- See values.yaml - persistence: - hostpath: - enabled: true - type: hostPath - hostPath: /pool0/home/renee - - configmap: - config: - # -- Store samba configuration as a ConfigMap - enabled: true - # -- Samba configuration. See [image documentation](https://github.com/crazy-max/docker-samba#configuration) for more information. - # @default -- See values.yaml - data: - config.yml: | - auth: - - user: renee - group: renee - uid: 1004 - gid: 1004 - password: mette01 - - - global: - - "force user = renee" - - "force group = renee" - - share: - - name: renee - path: /pool0/home/renee - browsable: yes - readonly: no - guestok: no - validusers: renee - writelist: renee - veto: no \ No newline at end of file From 3bbf86fefdfe0305c60aafe3621bf7841f091d94 Mon Sep 17 00:00:00 2001 
From: Peter Mein Date: Sun, 22 May 2022 17:00:37 +0200 Subject: [PATCH 207/334] fix: remove adminer --- home/adminer/Chart.yaml | 12 -- .../charts/adminer/.circleci/config.yml | 14 -- .../.github/ISSUE_TEMPLATE/bug_report.md | 34 --- .../.github/ISSUE_TEMPLATE/feature_request.md | 28 --- .../adminer/.github/PULL_REQUEST_TEMPLATE.md | 40 ---- home/adminer/charts/adminer/.gitignore | 7 - home/adminer/charts/adminer/.helmignore | 26 --- home/adminer/charts/adminer/Chart.yaml | 31 --- home/adminer/charts/adminer/LICENSE | 201 ------------------ home/adminer/charts/adminer/README.md | 107 ---------- .../charts/adminer/templates/NOTES.txt | 19 -- .../charts/adminer/templates/_helpers.tpl | 32 --- .../charts/adminer/templates/deployment.yaml | 74 ------- .../charts/adminer/templates/ingress.yaml | 61 ------ .../charts/adminer/templates/service.yaml | 32 --- home/adminer/charts/adminer/values.yaml | 194 ----------------- home/adminer/values.yaml | 97 --------- 17 files changed, 1009 deletions(-) delete mode 100644 home/adminer/Chart.yaml delete mode 100644 home/adminer/charts/adminer/.circleci/config.yml delete mode 100644 home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/bug_report.md delete mode 100644 home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/feature_request.md delete mode 100644 home/adminer/charts/adminer/.github/PULL_REQUEST_TEMPLATE.md delete mode 100644 home/adminer/charts/adminer/.gitignore delete mode 100644 home/adminer/charts/adminer/.helmignore delete mode 100644 home/adminer/charts/adminer/Chart.yaml delete mode 100644 home/adminer/charts/adminer/LICENSE delete mode 100644 home/adminer/charts/adminer/README.md delete mode 100644 home/adminer/charts/adminer/templates/NOTES.txt delete mode 100644 home/adminer/charts/adminer/templates/_helpers.tpl delete mode 100644 home/adminer/charts/adminer/templates/deployment.yaml delete mode 100644 home/adminer/charts/adminer/templates/ingress.yaml delete mode 100644 
home/adminer/charts/adminer/templates/service.yaml delete mode 100644 home/adminer/charts/adminer/values.yaml delete mode 100644 home/adminer/values.yaml diff --git a/home/adminer/Chart.yaml b/home/adminer/Chart.yaml deleted file mode 100644 index 41159c6a04..0000000000 --- a/home/adminer/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -name: adminer -version: 0.0.0 -dependencies: - - name: adminer - version: 0.2.0 - - name: common - repository: https://charts.bitnami.com/bitnami - tags: - - bitnami-common - version: 1.x.x -engine: gotpl \ No newline at end of file diff --git a/home/adminer/charts/adminer/.circleci/config.yml b/home/adminer/charts/adminer/.circleci/config.yml deleted file mode 100644 index 5309c82587..0000000000 --- a/home/adminer/charts/adminer/.circleci/config.yml +++ /dev/null @@ -1,14 +0,0 @@ -version: 2 -jobs: - build: - docker: - - image: alpine - steps: - - checkout - - run: - name: helm-github-pages - environment: - - GITHUB_PAGES_REPO: cetic/helm-charts - - HELM_CHART: adminer - - HELM_VERSION: 3.2.4 - command: wget -O - https://raw.githubusercontent.com/cetic/helm-chart-publisher/master/publish.sh | sh \ No newline at end of file diff --git a/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/bug_report.md b/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index 9af2bccefc..0000000000 --- a/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -name: Bug report -about: Create a report to help us improve -title: '[cetic/adminer] issue title' -labels: '' -assignees: '' - ---- - - - -**Describe the bug** -A clear and concise description of what the bug is. - -**Version of Helm and Kubernetes**: - - -**What happened**: - - -**What you expected to happen**: - - -**How to reproduce it** (as minimally and precisely as possible): - - -**Anything else we need to know**: - - 
diff --git a/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/feature_request.md b/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/feature_request.md deleted file mode 100644 index 84c4aa6ff0..0000000000 --- a/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/feature_request.md +++ /dev/null @@ -1,28 +0,0 @@ ---- -name: Feature request -about: Suggest an idea for this project -title: '[cetic/adminer] issue title' -labels: '' -assignees: '' - ---- - - - -**Is your feature request related to a problem? Please describe.** -A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] - -**Describe the solution you'd like** -A clear and concise description of what you want to happen. - -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Additional context** -Add any other context or screenshots about the feature request here. - diff --git a/home/adminer/charts/adminer/.github/PULL_REQUEST_TEMPLATE.md b/home/adminer/charts/adminer/.github/PULL_REQUEST_TEMPLATE.md deleted file mode 100644 index b2e13b69d2..0000000000 --- a/home/adminer/charts/adminer/.github/PULL_REQUEST_TEMPLATE.md +++ /dev/null @@ -1,40 +0,0 @@ - - -#### What this PR does / why we need it: - -#### Which issue this PR fixes -*(optional, in `fixes #(, fixes #, ...)` format, will close that issue when PR gets merged)* - - fixes # - -#### Special notes for your reviewer: - -#### Checklist -[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.] -- [ ] [DCO](https://github.com/helm/charts/blob/master/CONTRIBUTING.md#sign-your-work) signed -- [ ] Chart Version bumped -- [ ] Variables are documented in the README.md diff --git a/home/adminer/charts/adminer/.gitignore b/home/adminer/charts/adminer/.gitignore deleted file mode 100644 index 3f18c1655b..0000000000 --- a/home/adminer/charts/adminer/.gitignore +++ /dev/null 
@@ -1,7 +0,0 @@ -*.tgz - -# Helm Charts dependencies -#/charts -#*.lock - -.idea diff --git a/home/adminer/charts/adminer/.helmignore b/home/adminer/charts/adminer/.helmignore deleted file mode 100644 index fbdd321f57..0000000000 --- a/home/adminer/charts/adminer/.helmignore +++ /dev/null @@ -1,26 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store - -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ - -# Common backup files -*.swp -*.bak -*.tmp -*~ - -# Various IDEs -.project -.idea/ -*.tmproj - -.circleci/ diff --git a/home/adminer/charts/adminer/Chart.yaml b/home/adminer/charts/adminer/Chart.yaml deleted file mode 100644 index 7f3c6e76df..0000000000 --- a/home/adminer/charts/adminer/Chart.yaml +++ /dev/null @@ -1,31 +0,0 @@ ---- -apiVersion: v2 -name: adminer -appVersion: 4.8.1 -version: 0.2.0 -description: Adminer is a full-featured database management tool written in PHP. Conversely to phpMyAdmin, it consist of a single file ready to deploy to the target server. Adminer is available for MySQL, MariaDB, PostgreSQL, SQLite, MS SQL, Oracle, Firebird, SimpleDB, Elasticsearch and MongoDB -home: https://www.adminer.org -icon: https://raw.githubusercontent.com/Kong/docker-official-docs/master/adminer/logo.png -dependencies: - - name: common - repository: https://charts.bitnami.com/bitnami - tags: - - bitnami-common - version: 1.x.x -engine: gotpl -keywords: - - adminer - - postgres - - mysql - - sqlite - - elasticsearch - - mongodb - - database - - sql -maintainers: - - name: fzalila - email: faiez.zalila@cetic.be - url: https://github.com/fzalila - - name: alexnuttinck - email: alexandre.nuttinck@cetic.be - url: https://github.com/alexnuttinck diff --git a/home/adminer/charts/adminer/LICENSE b/home/adminer/charts/adminer/LICENSE deleted file mode 100644 index 261eeb9e9f..0000000000 
--- a/home/adminer/charts/adminer/LICENSE +++ /dev/null 
@@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/home/adminer/charts/adminer/README.md b/home/adminer/charts/adminer/README.md deleted file mode 100644 index 25eef8257a..0000000000 --- a/home/adminer/charts/adminer/README.md +++ /dev/null 
@@ -1,107 +0,0 @@ -# Helm Chart for Adminer - -[![CircleCI](https://circleci.com/gh/cetic/helm-adminer.svg?style=svg)](https://circleci.com/gh/cetic/helm-adminer/tree/master) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) ![version](https://img.shields.io/github/tag/cetic/helm-adminer.svg?label=release) - -## Introduction - -This [Helm](https://github.com/kubernetes/helm) chart installs [Adminer](https://www.adminer.org) in a Kubernetes cluster. - -## Prerequisites - -- Kubernetes cluster 1.10+ -- Helm 3.0.0+ -- PV provisioner support in the underlying infrastructure. - -## Installation - -### Add Helm repository - -```bash -helm repo add cetic https://cetic.github.io/helm-charts -helm repo update -``` - -### Configure the chart - -The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly (need to download the chart first). - -#### Configure the way how to expose Adminer service: - -- **Ingress**: The ingress controller must be installed in the Kubernetes cluster. -- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. -- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. -- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. - -### Install the chart - -Install the Adminer helm chart with a release name `my-release`: - -```bash -helm install --name my-release cetic/adminer -``` - -## Uninstallation - -To uninstall/delete the `my-release` deployment: - -```bash -helm delete --purge my-release -``` - -## Configuration - -The following table lists the configurable parameters of the Adminer chart and the default values. 
- -| Parameter | Description | Default | -| --------------------------------- | ----------------------------------------------------------------------- | --------------------------- | -| **Image** | -| `image.repository` | Image | `adminer` | -| `image.tag` | Image tag | `4.7.7-standalone` | -| `image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Image pull secrets for private registry | `[]` | -| **Config** | -| `config.plugins` | List of plugins to install. You can find the list of plugins on [GitHub](https://github.com/vrana/adminer/tree/master/plugins)| ``| -| `config.design` | A bundled design to use. You can find the list of designs on [GitHub](https://github.com/vrana/adminer/tree/master/designs)| ``| -| `config.externalserver` | The default host | `` | -| **Service** | -| `service.type` | Service type | `NodePort` | -| `service.port` | The service port | `80` | -| `service.annotations` | Custom annotations for service | `{}` | -| `service.labels` | Additional custom labels for the service | `{}` | -| `service.loadBalancerIP` | LoadBalancerIP if service type is `LoadBalancer` | `nil` | -| `service.loadBalancerSourceRanges`| Address that are allowed when svc is `LoadBalancer` | `[]` | -| **Ingress** | -| `ingress.enabled` | Enables Ingress | `false` | -| `ingress.annotations` | Ingress annotations | `{}` | -| `ingress.labels` | Custom labels | `{}` | -| `ingress.hosts` | Ingress accepted hostnames | `[]` | -| `ingress.tls` | Ingress TLS configuration | `[]` | -| **Resources** | -| `resources` | CPU/Memory resource requests/limits | `{}` | -| **Tolerations** | -| `tolerations` | Add tolerations | `[]` | -| **NodeSelector** | -| `nodeSelector` | node labels for pod assignment | `{}` | -| **Affinity** | -| `affinity` | node/pod affinities | `{}` | -| **LivenessProbe** | -| `livenessProbe` | Liveness probe settings | `nil` | -| **ReadnessProbe** | -| `readinessProbe` | Readiness probe settings | `nil` | -| `volumeMounts` | Add 
volumeMount to the adminer container | `nil` | -| `volumes` | Add volumes to the pod | `nil` | - -## Credits - -Initially inspired from https://github.com/mogaal/helm-charts/tree/master/adminer. - -## Contributing - -Feel free to contribute by making a [pull request](https://github.com/cetic/helm-adminer/pull/new/master). - -Please read the official [Contribution Guide](https://github.com/helm/charts/blob/master/CONTRIBUTING.md) from Helm for more information on how you can contribute to this Chart. - -## License - -[Apache License 2.0](/LICENSE.md) - diff --git a/home/adminer/charts/adminer/templates/NOTES.txt b/home/adminer/charts/adminer/templates/NOTES.txt deleted file mode 100644 index 7d187a5890..0000000000 --- a/home/adminer/charts/adminer/templates/NOTES.txt +++ /dev/null 
@@ -1,19 +0,0 @@ -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ if $.Values.ingress.host }}{{.Values.ingress.host}}{{else}}your-cluster-ip{{end}}{{ $.Values.ingress.path }} - {{if not $.Values.ingress.host}} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "adminer.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "adminer.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "adminer.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "adminer.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:80 -{{- end }} diff --git a/home/adminer/charts/adminer/templates/_helpers.tpl b/home/adminer/charts/adminer/templates/_helpers.tpl deleted file mode 100644 index d223408a51..0000000000 --- a/home/adminer/charts/adminer/templates/_helpers.tpl +++ /dev/null 
@@ -1,32 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "adminer.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "adminer.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "adminer.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} diff --git a/home/adminer/charts/adminer/templates/deployment.yaml b/home/adminer/charts/adminer/templates/deployment.yaml deleted file mode 100644 index 7b1db5fbd0..0000000000 --- a/home/adminer/charts/adminer/templates/deployment.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "adminer.fullname" . }} - labels: - app.kubernetes.io/name: {{ include "adminer.name" . }} - helm.sh/chart: {{ include "adminer.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "adminer.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "adminer.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - spec: - {{- if .Values.image.pullSecrets }} - imagePullSecrets: - {{- range .Values.image.pullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - name: http - containerPort: 8080 - protocol: TCP - env: - - name: ADMINER_PLUGINS - value: {{ .Values.config.plugins }} - - name: ADMINER_DESIGN - value: {{ .Values.config.design }} - - name: ADMINER_DEFAULT_SERVER - value: {{ .Values.config.externalserver }} - {{- with .Values.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.livenessProbe }} - livenessProbe: - {{ toYaml . | indent 12 }} - {{- end }} - {{- with .Values.readinessProbe }} - readinessProbe: - {{ toYaml . | indent 12 }} - {{- end }} - {{- with .Values.volumes }} - volumes: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} 
diff --git a/home/adminer/charts/adminer/templates/ingress.yaml b/home/adminer/charts/adminer/templates/ingress.yaml deleted file mode 100644 index 56cb3432a8..0000000000 --- a/home/adminer/charts/adminer/templates/ingress.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -{{- if .Values.ingress.enabled }} -apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} -kind: Ingress -metadata: - name: {{ template "common.names.fullname" . }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.ingress.annotations .Values.commonAnnotations .Values.ingress.certManager }} - annotations: - {{- if .Values.ingress.certManager }} - kubernetes.io/tls-acme: "true" - {{- end }} - {{- if .Values.ingress.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.ingress.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} - ingressClassName: {{ .Values.ingress.ingressClassName | quote }} - {{- end }} - rules: - {{- if .Values.ingress.hostname }} - - host: {{ .Values.ingress.hostname }} - http: - paths: - {{- if .Values.ingress.extraPaths }} - {{- toYaml .Values.ingress.extraPaths | nindent 10 }} - {{- end }} - - path: {{ .Values.ingress.path }} - {{- if eq "true" (include "common.ingress.supportsPathType" .) }} - pathType: {{ .Values.ingress.pathType }} - {{- end }} - backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) 
"servicePort" "http" "context" $) | nindent 14 }} - {{- end }} - {{- range .Values.ingress.extraHosts }} - - host: {{ .name | quote }} - http: - paths: - - path: {{ default "/" .path }} - {{- if eq "true" (include "common.ingress.supportsPathType" $) }} - pathType: {{ default "ImplementationSpecific" .pathType }} - {{- end }} - backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http" "context" $) | nindent 14 }} - {{- end }} - {{- if or .Values.ingress.tls .Values.ingress.extraTls }} - tls: - {{- if .Values.ingress.tls }} - - hosts: - - {{ .Values.ingress.hostname }} - secretName: {{ printf "%s-tls" .Values.ingress.hostname }} - {{- end }} - {{- if .Values.ingress.extraTls }} - {{- include "common.tplvalues.render" ( dict "value" .Values.ingress.extraTls "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/home/adminer/charts/adminer/templates/service.yaml b/home/adminer/charts/adminer/templates/service.yaml deleted file mode 100644 index 1ab66d386f..0000000000 --- a/home/adminer/charts/adminer/templates/service.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "adminer.fullname" . }} - labels: - app.kubernetes.io/name: {{ include "adminer.name" . }} - helm.sh/chart: {{ include "adminer.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- if .Values.service.annotations }} - annotations: -{{ toYaml .Values.service.annotations | indent 4 }} -{{- end }} -spec: - type: {{ .Values.service.type }} - {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }} - loadBalancerIP: {{ .Values.service.loadBalancerIP }} - {{- end }} - {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{ with .Values.service.loadBalancerSourceRanges }} -{{ toYaml . | indent 4 }} -{{- end }} - {{- end }} - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/name: {{ include "adminer.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/home/adminer/charts/adminer/values.yaml b/home/adminer/charts/adminer/values.yaml deleted file mode 100644 index f557909cbc..0000000000 --- a/home/adminer/charts/adminer/values.yaml +++ /dev/null 
@@ -1,194 +0,0 @@ -# Default values for adminer. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 - -image: - repository: adminer - tag: 4.8.1-standalone - pullPolicy: IfNotPresent - pullSecrets: [] - -# See envs from https://hub.docker.com/_/adminer/ -config: - plugins: "" - design: "pepa-linha" - externalserver: "" - -## @section Common parameters - -## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) -## -kubeVersion: "" -## @param nameOverride String to partially override influxdb.fullname template with a string (will prepend the release name) -## -nameOverride: "" -## @param fullnameOverride String to fully override influxdb.fullname template with a string -## -fullnameOverride: "" -## @param clusterDomain Default Kubernetes cluster domain -## -clusterDomain: cluster.local -## @param commonAnnotations Annotations to add to all deployed objects -## -commonAnnotations: {} -## @param commonLabels Labels to add to all deployed objects -## -commonLabels: {} -## @param extraDeploy Array of extra objects to deploy with the release -## -extraDeploy: [] - -## Enable diagnostic mode in the deployment -## -diagnosticMode: - ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) - ## - enabled: false - ## @param diagnosticMode.command Command to override all containers in the deployment - ## - command: - - sleep - ## @param diagnosticMode.args Args to override all containers in the deployment - ## - args: - - infinity - -service: - type: NodePort - port: 80 - annotations: {} - ## Set the LoadBalancer service type to internal only. 
- ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - # loadBalancerIP: - - ## Load Balancer sources - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - # loadBalancerSourceRanges: - # - 10.10.10.0/24 - -ingress: - ## @param ingress.enabled Enable ingress controller resource - ## - enabled: false - ## @param ingress.tls Create TLS Secret - ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }} - ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it - ## - tls: false - ## DEPRECATED: Use ingress.annotations instead of ingress.certManager - ## certManager: false - ## - - ## @param ingress.pathType Ingress path type - ## - pathType: ImplementationSpecific - ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) - ## - apiVersion: "" - ## @param ingress.hostname Default host for the ingress resource - ## - hostname: adminer.local - ## @param ingress.path Ingress path*' in order to use this - ## with ALB ingress controllers. - ## - path: / - ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
- ## For a full list of possible ingress annotations, please see - ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md - ## Use this parameter to set the required annotations for cert-manager, see - ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations - ## - ## e.g: - ## annotations: - ## kubernetes.io/ingress.class: nginx - ## cert-manager.io/cluster-issuer: cluster-issuer-name - ## - annotations: {} - ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record. - ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array - ## extraHosts: - ## - name: influxdb.local - ## path: / - ## - extraHosts: [] - ## @param ingress.extraPaths Additional arbitrary path/backend objects - ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. - ## extraPaths: - ## - path: /* - ## backend: - ## serviceName: ssl-redirect - ## servicePort: use-annotation - ## - extraPaths: [] - ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. 
- ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls - ## extraTls: - ## - hosts: - ## - influxdb.local - ## secretName: influxdb.local-tls - ## - extraTls: [] - ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets - ## key and certificate should start with -----BEGIN CERTIFICATE----- or - ## -----BEGIN RSA PRIVATE KEY----- - ## - ## name should line up with a tlsSecret set further up - ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set - ## - ## It is also possible to create and manage the certificates outside of this helm chart - ## Please see README.md for more information - ## - name: influxdb.local-tls - ## key: - ## certificate: - ## - secrets: [] - ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) - ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . - ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ - ## - ingressClassName: "" - -# kubectl create secret generic ca --from-file=ca.pem -# cat > login-ssl.php << EOF -# "/secrets/ca.pem")); -# EOF -# kubectl create configmap plugins-enabled --from-file=login-ssl.php -# volumeMounts: -# - name: ca -# mountPath: "/secrets/" -# readOnly: true -# - name: plugins-enabled -# mountPath: "/var/www/html/plugins-enabled/" -# readOnly: true - -# volumes: -# - name: ca -# secret: -# secretName: ca -# - name: plugins-enabled -# configMap: -# name: plugins-enabled - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. 
If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -nodeSelector: {} - -tolerations: [] - -affinity: {} diff --git a/home/adminer/values.yaml b/home/adminer/values.yaml deleted file mode 100644 index 770b685207..0000000000 --- a/home/adminer/values.yaml +++ /dev/null 
@@ -1,97 +0,0 @@ -adminer: - # Default values for adminer. - # This is a YAML-formatted file. - # Declare variables to be passed into your templates. - - replicaCount: 1 - - image: - repository: adminer - tag: 4.8.1-standalone - pullPolicy: IfNotPresent - pullSecrets: [] - - # See envs from https://hub.docker.com/_/adminer/ - config: - plugins: "" - design: "pepa-linha" - externalserver: "" - - nameOverride: "" - fullnameOverride: "" - - service: - type: NodePort - port: 80 - annotations: {} - ## Set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - # loadBalancerIP: - - ## Load Balancer sources - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - # loadBalancerSourceRanges: - # - 10.10.10.0/24 - - ## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/ - ## -## Configure the ingress resource that allows you to access the -## ®abbitMQ installation. 
Set up the URL -## ref: https://kubernetes.io/docs/user-guide/ingress/ -## - ingress: - enabled: true - path: / - pathType: ImplementationSpecific - hostname: adminer.jupiter.mein.nl - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - tls: true - selfSigned: false - extraHosts: [] - extraTls: [] - secrets: [] - ingressClassName: "nginx" - - # kubectl create secret generic ca --from-file=ca.pem - # cat > login-ssl.php << EOF - # "/secrets/ca.pem")); - # EOF - # kubectl create configmap plugins-enabled --from-file=login-ssl.php - # volumeMounts: - # - name: ca - # mountPath: "/secrets/" - # readOnly: true - # - name: plugins-enabled - # mountPath: "/var/www/html/plugins-enabled/" - # readOnly: true - - # volumes: - # - name: ca - # secret: - # secretName: ca - # - name: plugins-enabled - # configMap: - # name: plugins-enabled - - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - - nodeSelector: {} - - tolerations: [] - - affinity: {} \ No newline at end of file From d01d878d5645ea60e765e214e5171671bf691275 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 22 May 2022 18:32:01 +0200 Subject: [PATCH 208/334] fix: remove monitorin in favor of datadog --- system/monitoring-system/Chart.yaml | 7 ------- system/monitoring-system/values.yaml | 25 ------------------------- 2 files changed, 32 deletions(-) delete mode 100644 system/monitoring-system/Chart.yaml delete mode 100644 system/monitoring-system/values.yaml 
diff --git a/system/monitoring-system/Chart.yaml b/system/monitoring-system/Chart.yaml deleted file mode 100644 index bd6007f99b..0000000000 --- a/system/monitoring-system/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -name: kube-prometheus-stack -version: 0.0.0 -dependencies: - - name: kube-prometheus-stack - version: 19.3.0 # TODO upgrade https://github.com/prometheus-community/helm-charts/issues/1500 - repository: https://prometheus-community.github.io/helm-charts diff --git a/system/monitoring-system/values.yaml b/system/monitoring-system/values.yaml deleted file mode 100644 index acd0b37265..0000000000 --- a/system/monitoring-system/values.yaml +++ /dev/null @@ -1,25 +0,0 @@ -kube-prometheus-stack: - grafana: - adminPassword: null - ingress: - enabled: true - ingressClassName: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - hosts: - - &host grafana.jupiter.mein.nl - tls: - - secretName: grafana-general-tls - hosts: - - *host - additionalDataSources: - - name: Loki - type: loki - url: http://loki.loki:3100 - - prometheus: - prometheusSpec: - ruleSelectorNilUsesHelmValues: false - serviceMonitorSelectorNilUsesHelmValues: false - podMonitorSelectorNilUsesHelmValues: false - probeSelectorNilUsesHelmValues: false From 62e9f2933a8055a500864a1253dc9fcdf54c46b3 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 22 May 2022 18:34:57 +0200 Subject: [PATCH 209/334] test: postgres disable --- home/postgresql/{Chart.yaml => Chart.yaml.disabled} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename home/postgresql/{Chart.yaml => Chart.yaml.disabled} (100%) diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml.disabled similarity index 100% rename from home/postgresql/Chart.yaml rename to home/postgresql/Chart.yaml.disabled From 6bc9b8e8d83befd407e172316e3f781bbc79c710 Mon Sep 17 00:00:00 2001 
From: Peter Mein Date: Sat, 11 Jun 2022 11:58:18 +0200 Subject: [PATCH 210/334] disable home --- config.js | 27 +++++++++++++++++++ .../home}/firefly/Chart.yaml.disabled | 0 {home => disable/home}/firefly/values.yaml | 0 .../home}/homeassistant/Chart.yaml | 0 .../home}/homeassistant/values.yaml | 0 {home => disable/home}/influxdb/Chart.yaml | 0 {home => disable/home}/influxdb/values.yaml | 0 {home => disable/home}/mariadb/Chart.yaml | 0 {home => disable/home}/mariadb/values.yaml | 0 {home => disable/home}/nextcloud/Chart.yaml | 0 {home => disable/home}/nextcloud/values.yaml | 0 {home => disable/home}/pihole/Chart.yaml | 0 {home => disable/home}/pihole/values.yaml | 0 .../home}/postgresql/Chart.yaml.disabled | 0 {home => disable/home}/postgresql/values.yaml | 0 {home => disable/home}/redis/Chart.yaml | 0 {home => disable/home}/redis/values.yaml | 0 renovate.json | 5 ++++ 18 files changed, 32 insertions(+) create mode 100644 config.js rename {home => disable/home}/firefly/Chart.yaml.disabled (100%) rename {home => disable/home}/firefly/values.yaml (100%) rename {home => disable/home}/homeassistant/Chart.yaml (100%) rename {home => disable/home}/homeassistant/values.yaml (100%) rename {home => disable/home}/influxdb/Chart.yaml (100%) rename {home => disable/home}/influxdb/values.yaml (100%) rename {home => disable/home}/mariadb/Chart.yaml (100%) rename {home => disable/home}/mariadb/values.yaml (100%) rename {home => disable/home}/nextcloud/Chart.yaml (100%) rename {home => disable/home}/nextcloud/values.yaml (100%) rename {home => disable/home}/pihole/Chart.yaml (100%) rename {home => disable/home}/pihole/values.yaml (100%) rename {home => disable/home}/postgresql/Chart.yaml.disabled (100%) rename {home => disable/home}/postgresql/values.yaml (100%) rename {home => disable/home}/redis/Chart.yaml (100%) rename {home => disable/home}/redis/values.yaml (100%) diff --git a/config.js b/config.js new file mode 100644 index 0000000000..79af12e4b3 --- /dev/null 
+++ b/config.js
@@ -0,0 +1,27 @@
+module.exports = {
+ "platform": "github",
+ "token": "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",
+ "logFileLevel": "trace",
+ "onboarding": false,
+ "allowCustomCrateRegistries": true,
+ "allowScripts": true,
+ "exposeAllEnv": true,
+ "dryRun": "full",
+ "gitAuthor": "Renovate Bot ",
+ "repositories": ["petermein/homelab"],
+ "includeForks": true,
+ "hostRules": [
+ {
+ hostType: 'docker',
+ username: 'petermein',
+ password: process.env.DOCKER_HUB_PASSWORD,
+ },
+ ],
+ "regexManagers": [
+ {
+ "fileMatch": ["^\\.github/workflows/[^/]+\\.ya?ml$"],
+ "matchStrings": ["uses: (?.*?)@(?.*?)\\s"],
+ "datasourceTemplate": "github-tags"
+ }
+ ]
+ }
diff --git a/home/firefly/Chart.yaml.disabled b/disable/home/firefly/Chart.yaml.disabled
similarity index 100%
rename from home/firefly/Chart.yaml.disabled
rename to disable/home/firefly/Chart.yaml.disabled
diff --git a/home/firefly/values.yaml b/disable/home/firefly/values.yaml
similarity index 100%
rename from home/firefly/values.yaml
rename to disable/home/firefly/values.yaml
diff --git a/home/homeassistant/Chart.yaml b/disable/home/homeassistant/Chart.yaml
similarity index 100%
rename from home/homeassistant/Chart.yaml
rename to disable/home/homeassistant/Chart.yaml
diff --git a/home/homeassistant/values.yaml b/disable/home/homeassistant/values.yaml
similarity index 100%
rename from home/homeassistant/values.yaml
rename to disable/home/homeassistant/values.yaml
diff --git a/home/influxdb/Chart.yaml b/disable/home/influxdb/Chart.yaml
similarity index 100%
rename from home/influxdb/Chart.yaml
rename to disable/home/influxdb/Chart.yaml
diff --git a/home/influxdb/values.yaml b/disable/home/influxdb/values.yaml
similarity index 100%
rename from home/influxdb/values.yaml
rename to disable/home/influxdb/values.yaml
diff --git a/home/mariadb/Chart.yaml b/disable/home/mariadb/Chart.yaml
similarity index 100%
rename from home/mariadb/Chart.yaml
rename to disable/home/mariadb/Chart.yaml
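Review bot: The `"token"` entry on the third added line of config.js is a literal GitHub personal access token committed to the repository, and because it is now part of the history it has to be treated as disclosed: revoke it, issue a new one, and read it from the environment as the file already does for Docker Hub, e.g. `"token": process.env.RENOVATE_TOKEN,`. A pre-commit or CI secret scanner would catch a recurrence. Separately, `"allowScripts": true` combined with `"exposeAllEnv": true` lets any package lifecycle script Renovate runs read the whole process environment, including `DOCKER_HUB_PASSWORD`; unless those scripts are required, leave both at their defaults. `"logFileLevel": "trace"` can likewise write credentials and API responses into the log file, so it should be lowered once debugging is done.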
diff --git a/home/mariadb/values.yaml b/disable/home/mariadb/values.yaml similarity index 100% rename from home/mariadb/values.yaml rename to disable/home/mariadb/values.yaml diff --git a/home/nextcloud/Chart.yaml b/disable/home/nextcloud/Chart.yaml similarity index 100% rename from home/nextcloud/Chart.yaml rename to disable/home/nextcloud/Chart.yaml diff --git a/home/nextcloud/values.yaml b/disable/home/nextcloud/values.yaml similarity index 100% rename from home/nextcloud/values.yaml rename to disable/home/nextcloud/values.yaml diff --git a/home/pihole/Chart.yaml b/disable/home/pihole/Chart.yaml similarity index 100% rename from home/pihole/Chart.yaml rename to disable/home/pihole/Chart.yaml diff --git a/home/pihole/values.yaml b/disable/home/pihole/values.yaml similarity index 100% rename from home/pihole/values.yaml rename to disable/home/pihole/values.yaml diff --git a/home/postgresql/Chart.yaml.disabled b/disable/home/postgresql/Chart.yaml.disabled similarity index 100% rename from home/postgresql/Chart.yaml.disabled rename to disable/home/postgresql/Chart.yaml.disabled diff --git a/home/postgresql/values.yaml b/disable/home/postgresql/values.yaml similarity index 100% rename from home/postgresql/values.yaml rename to disable/home/postgresql/values.yaml diff --git a/home/redis/Chart.yaml b/disable/home/redis/Chart.yaml similarity index 100% rename from home/redis/Chart.yaml rename to disable/home/redis/Chart.yaml diff --git a/home/redis/values.yaml b/disable/home/redis/values.yaml similarity index 100% rename from home/redis/values.yaml rename to disable/home/redis/values.yaml diff --git a/renovate.json b/renovate.json index 027bdefd9b..b58cebe5a8 100644 --- a/renovate.json +++ b/renovate.json @@ -3,6 +3,11 @@ "extends": [ "config:base" ], + "enabledManagers": [ + "docker" + ], + "dependencyDashboard": true, + "ignorePaths": ["disable/**"], "packageRules": [ { "matchPackagePatterns": [ From 37e22a6ac19aa286be1f4bc9a900655e9768e102 Mon Sep 17 00:00:00 2001 
From: Peter Mein Date: Sat, 11 Jun 2022 12:02:14 +0200 Subject: [PATCH 211/334] renovate fixes --- renovate.json | 3 --- 1 file changed, 3 deletions(-) diff --git a/renovate.json b/renovate.json index b58cebe5a8..c01f18f67a 100644 --- a/renovate.json +++ b/renovate.json @@ -3,9 +3,6 @@ "extends": [ "config:base" ], - "enabledManagers": [ - "docker" - ], "dependencyDashboard": true, "ignorePaths": ["disable/**"], "packageRules": [ From 5539d31ffa2430e2ac893ddef6691948fef7a4bc Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 11 Jun 2022 12:05:51 +0200 Subject: [PATCH 212/334] disable apps --- {apps => disable/apps}/jellyfin/Chart.yaml | 0 {apps => disable/apps}/jellyfin/values.yaml | 0 {apps => disable/apps}/paperless/Chart.yaml | 0 {apps => disable/apps}/paperless/values.yaml | 0 {apps => disable/apps}/privatebin/Chart.yaml | 0 {apps => disable/apps}/privatebin/values.yaml | 0 {apps => disable/apps}/seafile/Chart.yaml | 0 {apps => disable/apps}/seafile/values.yaml | 0 8 files changed, 0 insertions(+), 0 deletions(-) rename {apps => disable/apps}/jellyfin/Chart.yaml (100%) rename {apps => disable/apps}/jellyfin/values.yaml (100%) rename {apps => disable/apps}/paperless/Chart.yaml (100%) rename {apps => disable/apps}/paperless/values.yaml (100%) rename {apps => disable/apps}/privatebin/Chart.yaml (100%) rename {apps => disable/apps}/privatebin/values.yaml (100%) rename {apps => disable/apps}/seafile/Chart.yaml (100%) rename {apps => disable/apps}/seafile/values.yaml (100%) diff --git a/apps/jellyfin/Chart.yaml b/disable/apps/jellyfin/Chart.yaml similarity index 100% rename from apps/jellyfin/Chart.yaml rename to disable/apps/jellyfin/Chart.yaml diff --git a/apps/jellyfin/values.yaml b/disable/apps/jellyfin/values.yaml similarity index 100% rename from apps/jellyfin/values.yaml rename to disable/apps/jellyfin/values.yaml 
diff --git a/apps/paperless/Chart.yaml b/disable/apps/paperless/Chart.yaml similarity index 100% rename from apps/paperless/Chart.yaml rename to disable/apps/paperless/Chart.yaml diff --git a/apps/paperless/values.yaml b/disable/apps/paperless/values.yaml similarity index 100% rename from apps/paperless/values.yaml rename to disable/apps/paperless/values.yaml diff --git a/apps/privatebin/Chart.yaml b/disable/apps/privatebin/Chart.yaml similarity index 100% rename from apps/privatebin/Chart.yaml rename to disable/apps/privatebin/Chart.yaml diff --git a/apps/privatebin/values.yaml b/disable/apps/privatebin/values.yaml similarity index 100% rename from apps/privatebin/values.yaml rename to disable/apps/privatebin/values.yaml diff --git a/apps/seafile/Chart.yaml b/disable/apps/seafile/Chart.yaml similarity index 100% rename from apps/seafile/Chart.yaml rename to disable/apps/seafile/Chart.yaml diff --git a/apps/seafile/values.yaml b/disable/apps/seafile/values.yaml similarity index 100% rename from apps/seafile/values.yaml rename to disable/apps/seafile/values.yaml From 5d0c294d4c2e87cd2557c6b1979baa5b6b7e3fc4 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 11 Jun 2022 12:09:45 +0200 Subject: [PATCH 213/334] disable more --- {system => disable}/external-dns/Chart.yaml | 0 {system => disable}/external-dns/values.yaml | 0 {system => disable}/loki/Chart.yaml | 0 {system => disable}/loki/values.yaml | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename {system => disable}/external-dns/Chart.yaml (100%) rename {system => disable}/external-dns/values.yaml (100%) rename {system => disable}/loki/Chart.yaml (100%) rename {system => disable}/loki/values.yaml (100%) diff --git a/system/external-dns/Chart.yaml b/disable/external-dns/Chart.yaml similarity index 100% rename from system/external-dns/Chart.yaml rename to disable/external-dns/Chart.yaml 
diff --git a/system/external-dns/values.yaml b/disable/external-dns/values.yaml similarity index 100% rename from system/external-dns/values.yaml rename to disable/external-dns/values.yaml diff --git a/system/loki/Chart.yaml b/disable/loki/Chart.yaml similarity index 100% rename from system/loki/Chart.yaml rename to disable/loki/Chart.yaml diff --git a/system/loki/values.yaml b/disable/loki/values.yaml similarity index 100% rename from system/loki/values.yaml rename to disable/loki/values.yaml From 7bdefd028187ce8ff5c0346dbcc22e4fd7c987b8 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 11 Jun 2022 12:11:40 +0200 Subject: [PATCH 214/334] disable kured --- {system => disable}/kured/Chart.yaml | 0 {system => disable}/kured/values.yaml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename {system => disable}/kured/Chart.yaml (100%) rename {system => disable}/kured/values.yaml (100%) diff --git a/system/kured/Chart.yaml b/disable/kured/Chart.yaml similarity index 100% rename from system/kured/Chart.yaml rename to disable/kured/Chart.yaml diff --git a/system/kured/values.yaml b/disable/kured/values.yaml similarity index 100% rename from system/kured/values.yaml rename to disable/kured/values.yaml From fae213be80cfca7d293cd6507fbaef7cc64eaed7 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 11 Jun 2022 12:13:12 +0200 Subject: [PATCH 215/334] disable --- renovate.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/renovate.json b/renovate.json index c01f18f67a..8e436a87d3 100644 --- a/renovate.json +++ b/renovate.json @@ -4,7 +4,7 @@ "config:base" ], "dependencyDashboard": true, - "ignorePaths": ["disable/**"], + "ignorePaths": ["disable/**", "system/**"], "packageRules": [ { "matchPackagePatterns": [ From e2d6f84d22076bbbd73c69ffb06e8bda1c5fb78c Mon Sep 17 00:00:00 2001 
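Review bot: Adding `system/**` to `ignorePaths` in the renovate.json hunk stops Renovate from proposing any version bumps for the charts under system/ (this series shows external-dns, loki, kured and monitoring-system living there), so those components will no longer receive dependency or security updates through this pipeline. If the goal is only to silence noise from parked charts, the existing `disable/**` entry already covers the directory the earlier commits move them into, and `"ignorePaths": ["disable/**"]` would suffice. If system/ is intentionally frozen, the commit message should say why, since JSON leaves no room for an inline comment.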
From: Peter Mein Date: Sat, 11 Jun 2022 12:14:35 +0200 Subject: [PATCH 216/334] disable --- {disable/apps => apps}/jellyfin/Chart.yaml | 0 {disable/apps => apps}/jellyfin/values.yaml | 0 {disable/apps => apps}/paperless/Chart.yaml | 0 {disable/apps => apps}/paperless/values.yaml | 0 {disable/apps => apps}/privatebin/Chart.yaml | 0 {disable/apps => apps}/privatebin/values.yaml | 0 {disable/apps => apps}/seafile/Chart.yaml | 0 {disable/apps => apps}/seafile/values.yaml | 0 {disable/home => home}/firefly/Chart.yaml.disabled | 0 {disable/home => home}/firefly/values.yaml | 0 {disable/home => home}/homeassistant/Chart.yaml | 0 {disable/home => home}/homeassistant/values.yaml | 0 {disable/home => home}/influxdb/Chart.yaml | 0 {disable/home => home}/influxdb/values.yaml | 0 {disable/home => home}/mariadb/Chart.yaml | 0 {disable/home => home}/mariadb/values.yaml | 0 {disable/home => home}/nextcloud/Chart.yaml | 0 {disable/home => home}/nextcloud/values.yaml | 0 {disable/home => home}/pihole/Chart.yaml | 0 {disable/home => home}/pihole/values.yaml | 0 {disable/home => home}/postgresql/Chart.yaml.disabled | 0 {disable/home => home}/postgresql/values.yaml | 0 {disable/home => home}/redis/Chart.yaml | 0 {disable/home => home}/redis/values.yaml | 0 {disable => system}/external-dns/Chart.yaml | 0 {disable => system}/external-dns/values.yaml | 0 {disable => system}/kured/Chart.yaml | 0 {disable => system}/kured/values.yaml | 0 {disable => system}/loki/Chart.yaml | 0 {disable => system}/loki/values.yaml | 0 30 files changed, 0 insertions(+), 0 deletions(-) rename {disable/apps => apps}/jellyfin/Chart.yaml (100%) rename {disable/apps => apps}/jellyfin/values.yaml (100%) rename {disable/apps => apps}/paperless/Chart.yaml (100%) rename {disable/apps => apps}/paperless/values.yaml (100%) rename {disable/apps => apps}/privatebin/Chart.yaml (100%) rename {disable/apps => apps}/privatebin/values.yaml (100%) rename {disable/apps => apps}/seafile/Chart.yaml (100%) rename {disable/apps => 
apps}/seafile/values.yaml (100%) rename {disable/home => home}/firefly/Chart.yaml.disabled (100%) rename {disable/home => home}/firefly/values.yaml (100%) rename {disable/home => home}/homeassistant/Chart.yaml (100%) rename {disable/home => home}/homeassistant/values.yaml (100%) rename {disable/home => home}/influxdb/Chart.yaml (100%) rename {disable/home => home}/influxdb/values.yaml (100%) rename {disable/home => home}/mariadb/Chart.yaml (100%) rename {disable/home => home}/mariadb/values.yaml (100%) rename {disable/home => home}/nextcloud/Chart.yaml (100%) rename {disable/home => home}/nextcloud/values.yaml (100%) rename {disable/home => home}/pihole/Chart.yaml (100%) rename {disable/home => home}/pihole/values.yaml (100%) rename {disable/home => home}/postgresql/Chart.yaml.disabled (100%) rename {disable/home => home}/postgresql/values.yaml (100%) rename {disable/home => home}/redis/Chart.yaml (100%) rename {disable/home => home}/redis/values.yaml (100%) rename {disable => system}/external-dns/Chart.yaml (100%) rename {disable => system}/external-dns/values.yaml (100%) rename {disable => system}/kured/Chart.yaml (100%) rename {disable => system}/kured/values.yaml (100%) rename {disable => system}/loki/Chart.yaml (100%) rename {disable => system}/loki/values.yaml (100%) diff --git a/disable/apps/jellyfin/Chart.yaml b/apps/jellyfin/Chart.yaml similarity index 100% rename from disable/apps/jellyfin/Chart.yaml rename to apps/jellyfin/Chart.yaml diff --git a/disable/apps/jellyfin/values.yaml b/apps/jellyfin/values.yaml similarity index 100% rename from disable/apps/jellyfin/values.yaml rename to apps/jellyfin/values.yaml diff --git a/disable/apps/paperless/Chart.yaml b/apps/paperless/Chart.yaml similarity index 100% rename from disable/apps/paperless/Chart.yaml rename to apps/paperless/Chart.yaml 
diff --git a/disable/apps/paperless/values.yaml b/apps/paperless/values.yaml similarity index 100% rename from disable/apps/paperless/values.yaml rename to apps/paperless/values.yaml diff --git a/disable/apps/privatebin/Chart.yaml b/apps/privatebin/Chart.yaml similarity index 100% rename from disable/apps/privatebin/Chart.yaml rename to apps/privatebin/Chart.yaml diff --git a/disable/apps/privatebin/values.yaml b/apps/privatebin/values.yaml similarity index 100% rename from disable/apps/privatebin/values.yaml rename to apps/privatebin/values.yaml diff --git a/disable/apps/seafile/Chart.yaml b/apps/seafile/Chart.yaml similarity index 100% rename from disable/apps/seafile/Chart.yaml rename to apps/seafile/Chart.yaml diff --git a/disable/apps/seafile/values.yaml b/apps/seafile/values.yaml similarity index 100% rename from disable/apps/seafile/values.yaml rename to apps/seafile/values.yaml diff --git a/disable/home/firefly/Chart.yaml.disabled b/home/firefly/Chart.yaml.disabled similarity index 100% rename from disable/home/firefly/Chart.yaml.disabled rename to home/firefly/Chart.yaml.disabled diff --git a/disable/home/firefly/values.yaml b/home/firefly/values.yaml similarity index 100% rename from disable/home/firefly/values.yaml rename to home/firefly/values.yaml diff --git a/disable/home/homeassistant/Chart.yaml b/home/homeassistant/Chart.yaml similarity index 100% rename from disable/home/homeassistant/Chart.yaml rename to home/homeassistant/Chart.yaml diff --git a/disable/home/homeassistant/values.yaml b/home/homeassistant/values.yaml similarity index 100% rename from disable/home/homeassistant/values.yaml rename to home/homeassistant/values.yaml diff --git a/disable/home/influxdb/Chart.yaml b/home/influxdb/Chart.yaml similarity index 100% rename from disable/home/influxdb/Chart.yaml rename to home/influxdb/Chart.yaml 
diff --git a/disable/home/influxdb/values.yaml b/home/influxdb/values.yaml similarity index 100% rename from disable/home/influxdb/values.yaml rename to home/influxdb/values.yaml diff --git a/disable/home/mariadb/Chart.yaml b/home/mariadb/Chart.yaml similarity index 100% rename from disable/home/mariadb/Chart.yaml rename to home/mariadb/Chart.yaml diff --git a/disable/home/mariadb/values.yaml b/home/mariadb/values.yaml similarity index 100% rename from disable/home/mariadb/values.yaml rename to home/mariadb/values.yaml diff --git a/disable/home/nextcloud/Chart.yaml b/home/nextcloud/Chart.yaml similarity index 100% rename from disable/home/nextcloud/Chart.yaml rename to home/nextcloud/Chart.yaml diff --git a/disable/home/nextcloud/values.yaml b/home/nextcloud/values.yaml similarity index 100% rename from disable/home/nextcloud/values.yaml rename to home/nextcloud/values.yaml diff --git a/disable/home/pihole/Chart.yaml b/home/pihole/Chart.yaml similarity index 100% rename from disable/home/pihole/Chart.yaml rename to home/pihole/Chart.yaml diff --git a/disable/home/pihole/values.yaml b/home/pihole/values.yaml similarity index 100% rename from disable/home/pihole/values.yaml rename to home/pihole/values.yaml diff --git a/disable/home/postgresql/Chart.yaml.disabled b/home/postgresql/Chart.yaml.disabled similarity index 100% rename from disable/home/postgresql/Chart.yaml.disabled rename to home/postgresql/Chart.yaml.disabled diff --git a/disable/home/postgresql/values.yaml b/home/postgresql/values.yaml similarity index 100% rename from disable/home/postgresql/values.yaml rename to home/postgresql/values.yaml diff --git a/disable/home/redis/Chart.yaml b/home/redis/Chart.yaml similarity index 100% rename from disable/home/redis/Chart.yaml rename to home/redis/Chart.yaml diff --git a/disable/home/redis/values.yaml b/home/redis/values.yaml similarity index 100% rename from disable/home/redis/values.yaml rename to home/redis/values.yaml 
diff --git a/disable/external-dns/Chart.yaml b/system/external-dns/Chart.yaml similarity index 100% rename from disable/external-dns/Chart.yaml rename to system/external-dns/Chart.yaml diff --git a/disable/external-dns/values.yaml b/system/external-dns/values.yaml similarity index 100% rename from disable/external-dns/values.yaml rename to system/external-dns/values.yaml diff --git a/disable/kured/Chart.yaml b/system/kured/Chart.yaml similarity index 100% rename from disable/kured/Chart.yaml rename to system/kured/Chart.yaml diff --git a/disable/kured/values.yaml b/system/kured/values.yaml similarity index 100% rename from disable/kured/values.yaml rename to system/kured/values.yaml diff --git a/disable/loki/Chart.yaml b/system/loki/Chart.yaml similarity index 100% rename from disable/loki/Chart.yaml rename to system/loki/Chart.yaml diff --git a/disable/loki/values.yaml b/system/loki/values.yaml similarity index 100% rename from disable/loki/values.yaml rename to system/loki/values.yaml From a03dd41e4a126734a5f94b769f1b80d99e445dc3 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 10:19:22 +0000 Subject: [PATCH 217/334] chore(deps): update helm release influxdb to v5 --- home/influxdb/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/influxdb/Chart.yaml b/home/influxdb/Chart.yaml index b72f348c41..feef5261a0 100644 --- a/home/influxdb/Chart.yaml +++ b/home/influxdb/Chart.yaml @@ -3,5 +3,5 @@ name: influxdb version: 0.0.0 dependencies: - name: influxdb - version: 3.0.6 + version: 5.3.4 repository: https://charts.bitnami.com/bitnami \ No newline at end of file From 484b37bf33eceb8d7c53dd820a22a90fe00cb141 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 10:19:25 +0000 Subject: [PATCH 218/334] chore(deps): update helm release mariadb to v11 --- home/mariadb/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/home/mariadb/Chart.yaml b/home/mariadb/Chart.yaml index 4e725c0292..20143a92dd 100644 --- a/home/mariadb/Chart.yaml +++ b/home/mariadb/Chart.yaml @@ -3,5 +3,5 @@ name: mariadb version: 0.0.0 dependencies: - name: mariadb - version: 10.4.5 + version: 11.0.13 repository: https://charts.bitnami.com/bitnami \ No newline at end of file From 6d544f07d5ce0fbaa92fa0a3c767bc45045a9380 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 11 Jun 2022 12:51:56 +0200 Subject: [PATCH 219/334] disable --- renovate.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/renovate.json b/renovate.json index 8e436a87d3..3155caf734 100644 --- a/renovate.json +++ b/renovate.json @@ -4,7 +4,7 @@ "config:base" ], "dependencyDashboard": true, - "ignorePaths": ["disable/**", "system/**"], + "ignorePaths": ["disable/**", "system/datadog/**"], "packageRules": [ { "matchPackagePatterns": [ From cf66884705251b6cf6fe52a4f54172acaa434525 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 10:54:23 +0000 Subject: [PATCH 220/334] chore(deps): update helm values nextcloud to v24 --- home/nextcloud/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index 4b720f8671..22b3ee0a87 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml @@ -5,7 +5,7 @@ nextcloud: ## image: repository: nextcloud - tag: 23.0.3-fpm-alpine + tag: 24.0.1-fpm-alpine pullPolicy: IfNotPresent # pullSecrets: # - myRegistrKeySecretName From d4467a093cf62d4f8b72c4816bf17da58a83b15b Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 10:54:26 +0000 Subject: [PATCH 221/334] chore(deps): update helm values seafileltd/seafile-mc to v9 --- apps/seafile/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/seafile/values.yaml b/apps/seafile/values.yaml index 1948ebd0a4..c9d632102a 100644 --- a/apps/seafile/values.yaml +++ b/apps/seafile/values.yaml 
@@ -4,7 +4,7 @@ seafile: # -- image repository repository: seafileltd/seafile-mc # -- image tag - tag: 8.0.7 + tag: 9.0.5 # -- image pull policy pullPolicy: IfNotPresent From e88fbc001ed0b1c61dc6f920b37cc14aa3f0b899 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 11 Jun 2022 13:01:45 +0200 Subject: [PATCH 222/334] disable --- system/loki/Chart.yaml | 7 ------- system/loki/values.yaml | 4 ---- 2 files changed, 11 deletions(-) delete mode 100644 system/loki/Chart.yaml delete mode 100644 system/loki/values.yaml diff --git a/system/loki/Chart.yaml b/system/loki/Chart.yaml deleted file mode 100644 index e532189833..0000000000 --- a/system/loki/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -name: loki -version: 0.0.0 -dependencies: - - name: loki-stack - version: 2.6.1 - repository: https://grafana.github.io/helm-charts diff --git a/system/loki/values.yaml b/system/loki/values.yaml deleted file mode 100644 index fe3126cb1e..0000000000 --- a/system/loki/values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -loki-stack: - loki: - serviceMonitor: - enabled: true From 97b50356089ad98db04f9399db41d9dbbdc29402 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 11 Jun 2022 13:06:12 +0200 Subject: [PATCH 223/334] renovate rules --- renovate.json | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/renovate.json b/renovate.json index 3155caf734..95b9bdaf1f 100644 --- a/renovate.json +++ b/renovate.json @@ -5,17 +5,4 @@ ], "dependencyDashboard": true, "ignorePaths": ["disable/**", "system/datadog/**"], - "packageRules": [ - { - "matchPackagePatterns": [ - "*" - ], - "matchUpdateTypes": [ - "minor", - "patch" - ], - "groupName": "all non-major dependencies", - "groupSlug": "all-minor-patch" - } - ] } From c5c163018818e96be1e6c78b5c36b9795777bb27 Mon Sep 17 00:00:00 2001 
From: Peter Mein Date: Sat, 11 Jun 2022 13:07:03 +0200 Subject: [PATCH 224/334] renovate rules --- .gitignore | 2 ++ config.js | 27 --------------------------- 2 files changed, 2 insertions(+), 27 deletions(-) delete mode 100644 config.js
diff --git a/.gitignore b/.gitignore
index dc235836d7..1061fa115f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,5 @@ book/
 Chart.lock
 .DS_Store
 go.sum
+
+config.js
\ No newline at end of file
diff --git a/config.js b/config.js
deleted file mode 100644
index 79af12e4b3..0000000000
--- a/config.js
+++ /dev/null
@@ -1,27 +0,0 @@
-module.exports = {
- "platform": "github",
- "token": "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",
- "logFileLevel": "trace",
- "onboarding": false,
- "allowCustomCrateRegistries": true,
- "allowScripts": true,
- "exposeAllEnv": true,
- "dryRun": "full",
- "gitAuthor": "Renovate Bot ",
- "repositories": ["petermein/homelab"],
- "includeForks": true,
- "hostRules": [
- {
- hostType: 'docker',
- username: 'petermein',
- password: process.env.DOCKER_HUB_PASSWORD,
- },
- ],
- "regexManagers": [
- {
- "fileMatch": ["^\\.github/workflows/[^/]+\\.ya?ml$"],
- "matchStrings": ["uses: (?.*?)@(?.*?)\\s"],
- "datasourceTemplate": "github-tags"
- }
- ]
- }
From 5e1d40d6049c4396a2d3203aefe4a04259e7dca3 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 11 Jun 2022 13:08:09 +0200 Subject: [PATCH 225/334] renovate rules --- renovate.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/renovate.json b/renovate.json
index 95b9bdaf1f..5dd772151a 100644
--- a/renovate.json
+++ b/renovate.json
@@ -4,5 +4,5 @@
 "config:base"
 ],
 "dependencyDashboard": true,
- "ignorePaths": ["disable/**", "system/datadog/**"],
+ "ignorePaths": ["disable/**", "system/datadog/**"]
 }
From 481067e1b1aacccac78fcaf0cacfdb724b4da619 Mon Sep 17 00:00:00 2001
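Review bot: Adding `config.js` to .gitignore and deleting the file does not remove the GitHub personal access token on the removed `"token"` line from the repository history, so that `ghp_` token has to be revoked on GitHub now and the history rewritten before this repository is pushed anywhere shared. The deleted file also set `"allowScripts": true` and `"exposeAllEnv": true`, which let dependency post-install scripts run with the full process environment (including `DOCKER_HUB_PASSWORD`); if the file is recreated locally those two should be dropped unless they are really needed. Credentials for a self-hosted Renovate belong in the environment rather than in a file next to the repo, e.g. `token: process.env.RENOVATE_TOKEN,`, and since a .gitignore entry is not a safeguard against the next paste, a pre-commit secret scanner (gitleaks or similar) is worth wiring in alongside this change.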
From: Renovate Bot Date: Sat, 11 Jun 2022 11:08:41 +0000 Subject: [PATCH 226/334] chore(deps): update helm release crushftp to v1.0.3 --- apps/paperless/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/paperless/Chart.yaml b/apps/paperless/Chart.yaml index 24b801cd63..151b56bcda 100644 --- a/apps/paperless/Chart.yaml +++ b/apps/paperless/Chart.yaml @@ -6,5 +6,5 @@ dependencies: version: 8.6.0 repository: https://k8s-at-home.com/charts/ - name: crushftp - version: 1.0.2 + version: 1.0.3 repository: https://greggbjensen.github.io/helm-crushftp From 1b43fdeb910405c9272a945ec18449384e463264 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 11:08:47 +0000 Subject: [PATCH 227/334] chore(deps): update helm release gitea to v5.0.9 --- platform/gitea/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/gitea/Chart.yaml b/platform/gitea/Chart.yaml index 6a8ac919c4..5f4de1f438 100644 --- a/platform/gitea/Chart.yaml +++ b/platform/gitea/Chart.yaml @@ -3,5 +3,5 @@ name: gitea version: 0.0.0 dependencies: - name: gitea - version: 5.0.4 + version: 5.0.9 repository: https://dl.gitea.io/charts/ From 33cffb316fe87e2cc646772d879051d333fac58c Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 13:12:19 +0200 Subject: [PATCH 228/334] chore(deps): update helm values docker.io/bitnami/mariadb to v10.7.4 --- home/mariadb/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/mariadb/values.yaml b/home/mariadb/values.yaml index 596987ccdb..f113e2c7ed 100644 --- a/home/mariadb/values.yaml +++ b/home/mariadb/values.yaml @@ -74,7 +74,7 @@ mariadb: image: registry: docker.io repository: bitnami/mariadb - tag: 10.7.3-debian-10-r11 + tag: 10.7.4-debian-10-r11 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images 
From c0efdce4a69bac9755f59282fbabefd71c726d84 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 13:12:22 +0200 Subject: [PATCH 229/334] chore(deps): update dependency nginx to v1.22 --- metal/roles/pxe_server/files/http/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metal/roles/pxe_server/files/http/Dockerfile b/metal/roles/pxe_server/files/http/Dockerfile index b0a1e81789..93a34a4038 100644 --- a/metal/roles/pxe_server/files/http/Dockerfile +++ b/metal/roles/pxe_server/files/http/Dockerfile @@ -1 +1 @@ -FROM nginx:1.21-alpine +FROM nginx:1.22-alpine From 2689f55b546a0586850381374d9184ee169a090e Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 13:16:41 +0200 Subject: [PATCH 230/334] chore(deps): update helm release argo-cd to v4.8.3 --- bootstrap/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml index 9e64b218a0..53ac668e82 100644 --- a/bootstrap/argocd/Chart.yaml +++ b/bootstrap/argocd/Chart.yaml @@ -3,7 +3,7 @@ name: argocd version: 0.0.0 dependencies: - name: argo-cd - version: 4.5.0 + version: 4.8.3 repository: https://argoproj.github.io/argo-helm - name: argocd-applicationset version: 1.11.0 From 21992608290ae00ec06ee1b4a06d0d71a463842f Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 13:16:44 +0200 Subject: [PATCH 231/334] chore(deps): update helm release argocd-applicationset to v1.12.1 --- bootstrap/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml index 9e64b218a0..d66e9cfb14 100644 --- a/bootstrap/argocd/Chart.yaml +++ b/bootstrap/argocd/Chart.yaml @@ -6,5 +6,5 @@ dependencies: version: 4.5.0 repository: https://argoproj.github.io/argo-helm - name: argocd-applicationset - version: 1.11.0 + version: 1.12.1 repository: https://argoproj.github.io/argo-helm 
From be0e6e70e02f99cc0ccf303c9fd2d3b7cd57c001 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 13:16:47 +0200 Subject: [PATCH 232/334] chore(deps): update helm release external-dns to v1.9.0 --- system/external-dns/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/external-dns/Chart.yaml b/system/external-dns/Chart.yaml index af442b2831..fd2930d3c0 100644 --- a/system/external-dns/Chart.yaml +++ b/system/external-dns/Chart.yaml @@ -3,5 +3,5 @@ name: external-dns version: 0.0.0 dependencies: - name: external-dns - version: 1.7.1 + version: 1.9.0 repository: https://kubernetes-sigs.github.io/external-dns/ From 291424081f636616d05e289d698aeb55a1c9b2d0 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 13:16:49 +0200 Subject: [PATCH 233/334] chore(deps): update helm release external-secrets to v0.5.6 --- platform/external-secrets/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/external-secrets/Chart.yaml b/platform/external-secrets/Chart.yaml index 096180a8b9..a88e328e8f 100644 --- a/platform/external-secrets/Chart.yaml +++ b/platform/external-secrets/Chart.yaml @@ -3,5 +3,5 @@ name: external-secrets version: 0.0.0 dependencies: - name: external-secrets - version: 0.4.4 + version: 0.5.6 repository: https://charts.external-secrets.io From 9d6a68c61bd7494fad28fc1a454dbf52c2bbafb1 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 13:16:53 +0200 Subject: [PATCH 234/334] chore(deps): update helm release home-assistant to v13.2.0 --- home/homeassistant/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/homeassistant/Chart.yaml b/home/homeassistant/Chart.yaml index 7c46a8f420..2aa651dcc8 100644 --- a/home/homeassistant/Chart.yaml +++ b/home/homeassistant/Chart.yaml 
@@ -3,5 +3,5 @@ name: homeassistant version: 0.0.0 dependencies: - name: home-assistant - version: 13.0.2 + version: 13.2.0 repository: https://k8s-at-home.com/charts/ From 73450b777f70cbb472aabd5163f08fc4fc1c9a45 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 13:16:55 +0200 Subject: [PATCH 235/334] chore(deps): update helm release ingress-nginx to v4.1.4 --- system/ingress-nginx/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/ingress-nginx/Chart.yaml b/system/ingress-nginx/Chart.yaml index 1937114d81..53c4049d90 100644 --- a/system/ingress-nginx/Chart.yaml +++ b/system/ingress-nginx/Chart.yaml @@ -3,5 +3,5 @@ name: ingress-nginx version: 0.0.0 dependencies: - name: ingress-nginx - version: 4.0.19 + version: 4.1.4 repository: https://kubernetes.github.io/ingress-nginx From 680da85d0857c2595f6105bc6112c9fa423b33bf Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 13:16:58 +0200 Subject: [PATCH 236/334] chore(deps): update helm release nextcloud to v2.14.4 --- home/nextcloud/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/nextcloud/Chart.yaml b/home/nextcloud/Chart.yaml index e6d342d7c4..a3367855cc 100644 --- a/home/nextcloud/Chart.yaml +++ b/home/nextcloud/Chart.yaml @@ -3,5 +3,5 @@ name: nextcloud version: 0.0.0 dependencies: - name: nextcloud - version: 2.13.2 + version: 2.14.4 repository: https://nextcloud.github.io/helm/ From 63a5a04632fa3783bd099b9bb92d077f880f8327 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 13:17:01 +0200 Subject: [PATCH 237/334] chore(deps): update helm release privatebin to v0.15.0 --- apps/privatebin/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/privatebin/Chart.yaml b/apps/privatebin/Chart.yaml index a04128c11e..858ec0d69b 100644 --- a/apps/privatebin/Chart.yaml +++ b/apps/privatebin/Chart.yaml 
@@ -3,5 +3,5 @@ name: privatebin version: 0.0.0 dependencies: - name: privatebin - version: 0.14.0 + version: 0.15.0 repository: https://privatebin.github.io/helm-chart From 84815a1eb84580a2589285d08f322395ee76e778 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 13:17:04 +0200 Subject: [PATCH 238/334] chore(deps): update helm release security-apps to v0.48.0 --- platform/dex/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/dex/Chart.yaml b/platform/dex/Chart.yaml index 3a6db86a9e..471da75dd8 100644 --- a/platform/dex/Chart.yaml +++ b/platform/dex/Chart.yaml @@ -3,5 +3,5 @@ name: dex version: 0.39.1 dependencies: - name: security-apps - version: 0.42.0 + version: 0.48.0 repository: https://charts.adfinis.com From 267fad0dea86d0706ecc9e41f5517062105d598d Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 13:17:06 +0200 Subject: [PATCH 239/334] chore(deps): update helm values codercom/code-server to v4.4.0 --- home/homeassistant/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 3b503397a3..9dd02021f2 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -138,7 +138,7 @@ home-assistant: enabled: true image: repository: codercom/code-server - tag: 4.2.0 + tag: 4.4.0 workingDir: "/config" args: - --auth From 27fd9532016913e486bd7069b6af990cbce162cd Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 11 Jun 2022 13:32:26 +0200 Subject: [PATCH 240/334] renovate rules --- renovate.json | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/renovate.json b/renovate.json index 5dd772151a..3155caf734 100644 --- a/renovate.json +++ b/renovate.json 
@@ -4,5 +4,18 @@ "config:base" ], "dependencyDashboard": true, - "ignorePaths": ["disable/**", "system/datadog/**"] + "ignorePaths": ["disable/**", "system/datadog/**"], + "packageRules": [ + { + "matchPackagePatterns": [ + "*" + ], + "matchUpdateTypes": [ + "minor", + "patch" + ], + "groupName": "all non-major dependencies", + "groupSlug": "all-minor-patch" + } + ] } From 2fb070df512cc016d93c88c86bcd481903800da0 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sat, 11 Jun 2022 13:33:15 +0200 Subject: [PATCH 241/334] renovate rules --- disable/external-dns/Chart.yaml | 7 +++++++ disable/external-dns/values.yaml | 15 +++++++++++++++ disable/kured/Chart.yaml | 7 +++++++ disable/kured/values.yaml | 5 +++++ 4 files changed, 34 insertions(+) create mode 100644 disable/external-dns/Chart.yaml create mode 100644 disable/external-dns/values.yaml create mode 100644 disable/kured/Chart.yaml create mode 100644 disable/kured/values.yaml diff --git a/disable/external-dns/Chart.yaml b/disable/external-dns/Chart.yaml new file mode 100644 index 0000000000..af442b2831 --- /dev/null +++ b/disable/external-dns/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: external-dns +version: 0.0.0 +dependencies: + - name: external-dns + version: 1.7.1 + repository: https://kubernetes-sigs.github.io/external-dns/ diff --git a/disable/external-dns/values.yaml b/disable/external-dns/values.yaml new file mode 100644 index 0000000000..21b1ccf773 --- /dev/null +++ b/disable/external-dns/values.yaml @@ -0,0 +1,15 @@ +external-dns: + provider: cloudflare + env: + - name: CF_API_TOKEN + valueFrom: + secretKeyRef: + name: cloudflare-api-token + key: value + extraArgs: + - --annotation-filter=external-dns.alpha.kubernetes.io/exclude notin (true) + + metrics: + enabled: true + serviceMonitor: + enabled: true diff --git a/disable/kured/Chart.yaml b/disable/kured/Chart.yaml new file mode 100644 index 0000000000..89de73e370 --- /dev/null +++ b/disable/kured/Chart.yaml 
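Review bot: disable/external-dns/Chart.yaml re-pins external-dns to 1.7.1 while system/external-dns still exists in the tree (moved there in patch 216 and bumped to 1.9.0 in patch 232 above), and the same holds for disable/kured at 2.13.0 versus system/kured, so the repository now carries two copies of each release; because `ignorePaths` excludes `disable/**`, the parked copies will never be updated. If the intent of this "renovate rules" commit is to park these charts, the system/ copies should be removed in the same commit; otherwise these copies should not be added. A parked chart that is later moved back will reintroduce an old, un-patched version, so a header such as `# parked copy: re-pin to the current upstream chart version before re-enabling` in each Chart.yaml would make that hazard explicit. Sourcing `CF_API_TOKEN` from the `cloudflare-api-token` secret rather than inline is the right shape and should stay as is.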
@@ -0,0 +1,7 @@ +apiVersion: v2 +name: kured +version: 0.0.0 +dependencies: +- name: kured + version: 2.13.0 + repository: https://weaveworks.github.io/kured diff --git a/disable/kured/values.yaml b/disable/kured/values.yaml new file mode 100644 index 0000000000..27797e2e06 --- /dev/null +++ b/disable/kured/values.yaml @@ -0,0 +1,5 @@ +kured: + configuration: + annotateNodes: true + rebootSentinelCommand: sh -c "! needs-restarting --reboothint" + timeZone: Asia/Ho_Chi_Minh From 2e141709907e7069cacd6ff0a003a1c423d580d5 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sat, 11 Jun 2022 11:33:38 +0000 Subject: [PATCH 242/334] chore(deps): update helm release authentik to v2022.6.1 --- platform/authentik/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/authentik/Chart.yaml b/platform/authentik/Chart.yaml index 4691ac63bb..1cc92b9f2f 100644 --- a/platform/authentik/Chart.yaml +++ b/platform/authentik/Chart.yaml @@ -3,5 +3,5 @@ name: authentik version: 0.0.0 dependencies: - name: authentik - version: 2022.3.1 + version: 2022.6.1 repository: https://charts.goauthentik.io From f0913ad3cf1a6832b47a2733c8bca3b5c8e97fe6 Mon Sep 17 00:00:00 2001 
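Review bot: `rebootSentinelCommand: sh -c "! needs-restarting --reboothint"` in disable/kured/values.yaml is only safe on nodes that actually ship `needs-restarting` (dnf-utils); if the binary is missing, the command exits non-zero, the `!` turns that into exit 0, and kured treats exit 0 as "reboot required", so every node would be rebooted on each check — confirm the node OS before this chart is re-enabled, and on Debian/Ubuntu drop the line to fall back to the `/var/run/reboot-required` sentinel. `timeZone: Asia/Ho_Chi_Minh` also looks inherited from the upstream template rather than chosen for this cluster (commit timestamps here are +0200); kured evaluates its reboot window in that zone, so a wrong value shifts maintenance reboots by several hours. I cannot tell the intended zone from here, so it is worth either setting it deliberately or adding `# TODO: confirm timezone for the reboot window` next to it.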
From: Renovate Bot Date: Sat, 11 Jun 2022 13:35:01 +0200 Subject: [PATCH 243/334] chore(deps): update all non-major dependencies --- .tekton/tasks/external.yaml | 2 +- .tekton/tasks/lint.yaml | 2 +- apps/jellyfin/Chart.yaml | 2 +- apps/paperless/Chart.yaml | 2 +- apps/seafile/Chart.yaml | 2 +- external/modules/cloudflare/versions.tf | 6 +++--- external/versions.tf | 8 ++++---- home/firefly/values.yaml | 2 +- home/homeassistant/values.yaml | 4 ++-- home/influxdb/values.yaml | 8 ++++---- home/postgresql/values.yaml | 4 ++-- home/redis/Chart.yaml | 2 +- home/redis/values.yaml | 2 +- platform/vault/Chart.yaml | 2 +- platform/vault/files/generate-secrets/go.mod | 2 +- system/cert-manager/Chart.yaml | 2 +- system/descheduler/Chart.yaml | 2 +- system/kured/Chart.yaml | 2 +- 18 files changed, 28 insertions(+), 28 deletions(-) diff --git a/.tekton/tasks/external.yaml b/.tekton/tasks/external.yaml index ed86edcb1f..8f2bc0a1ed 100644 --- a/.tekton/tasks/external.yaml +++ b/.tekton/tasks/external.yaml @@ -6,7 +6,7 @@ spec: workspaces: - name: source stepTemplate: - image: hashicorp/terraform:1.1.7 + image: hashicorp/terraform:1.2.2 workingDir: /workspace/source/external volumeMounts: - name: terraform-secrets diff --git a/.tekton/tasks/lint.yaml b/.tekton/tasks/lint.yaml index b003af6ac8..e38fa4e373 100644 --- a/.tekton/tasks/lint.yaml +++ b/.tekton/tasks/lint.yaml @@ -20,7 +20,7 @@ spec: args: - . - name: terraform - image: hashicorp/terraform:1.1.7 + image: hashicorp/terraform:1.2.2 command: - terraform args: diff --git a/apps/jellyfin/Chart.yaml b/apps/jellyfin/Chart.yaml index 1969e4e212..e381cb1c9d 100644 --- a/apps/jellyfin/Chart.yaml +++ b/apps/jellyfin/Chart.yaml @@ -3,5 +3,5 @@ name: jellyfin version: 0.0.0 dependencies: - name: jellyfin - version: 9.3.0 + version: 9.4.2 repository: https://k8s-at-home.com/charts/ diff --git a/apps/paperless/Chart.yaml b/apps/paperless/Chart.yaml index 151b56bcda..8a95ce326a 100644 --- a/apps/paperless/Chart.yaml 
+++ b/apps/paperless/Chart.yaml @@ -3,7 +3,7 @@ name: paperless version: 0.0.0 dependencies: - name: paperless - version: 8.6.0 + version: 8.8.3 repository: https://k8s-at-home.com/charts/ - name: crushftp version: 1.0.3 diff --git a/apps/seafile/Chart.yaml b/apps/seafile/Chart.yaml index 1c86959070..5b0c569e4e 100644 --- a/apps/seafile/Chart.yaml +++ b/apps/seafile/Chart.yaml @@ -3,5 +3,5 @@ name: seafile version: 0.0.0 dependencies: - name: seafile - version: 2.1.0 + version: 2.2.2 repository: https://k8s-at-home.com/charts diff --git a/external/modules/cloudflare/versions.tf b/external/modules/cloudflare/versions.tf index d2bb02545b..19cefcf551 100644 --- a/external/modules/cloudflare/versions.tf +++ b/external/modules/cloudflare/versions.tf @@ -2,17 +2,17 @@ terraform { required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 3.11.0" + version = "~> 3.16.0" } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.9.0" + version = "~> 2.11.0" } http = { source = "hashicorp/http" - version = "~> 2.1.0" + version = "~> 2.2.0" } } } diff --git a/external/versions.tf b/external/versions.tf index 1aa3bfbd63..746ccaa6ba 100644 --- a/external/versions.tf +++ b/external/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = "~> 1.1.0" + required_version = "~> 1.2.0" backend "local" { @@ -8,7 +8,7 @@ terraform { required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 3.11.0" + version = "~> 3.16.0" } b2 = { @@ -19,12 +19,12 @@ terraform { kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.9.0" + version = "~> 2.11.0" } http = { source = "hashicorp/http" - version = "~> 2.1.0" + version = "~> 2.2.0" } } } diff --git a/home/firefly/values.yaml b/home/firefly/values.yaml index 9a206e499b..cc439205ff 100644 --- a/home/firefly/values.yaml +++ b/home/firefly/values.yaml 
@@ -62,7 +62,7 @@ firefly-iii: image: repository: curlimages/curl pullPolicy: IfNotPresent - tag: 7.82.0 + tag: 7.83.1 imagePullSecrets: [] diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 9dd02021f2..58b3e558f3 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -3,7 +3,7 @@ home-assistant: # -- image repository repository: homeassistant/home-assistant # -- image tag - tag: 2022.4.5 + tag: 2022.6.5 # -- image pull policy pullPolicy: IfNotPresent @@ -90,7 +90,7 @@ home-assistant: enabled: false image: repository: bitnami/postgresql - tag: 14.2.0 + tag: 14.3.0 postgresqlUsername: home-assistant postgresqlPassword: home-assistant-pass postgresqlDatabase: home-assistant diff --git a/home/influxdb/values.yaml b/home/influxdb/values.yaml index 89b412cacb..ed43ea571d 100644 --- a/home/influxdb/values.yaml +++ b/home/influxdb/values.yaml @@ -72,7 +72,7 @@ influxdb: image: registry: docker.io repository: bitnami/influxdb - tag: 2.1.1-debian-10-r50 + tag: 2.2.0-debian-10-r50 ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## @@ -1263,7 +1263,7 @@ influxdb: image: registry: docker.io repository: bitnami/google-cloud-sdk - tag: 0.379.0-debian-10-r0 + tag: 0.388.0-debian-10-r0 ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## @@ -1300,7 +1300,7 @@ influxdb: image: registry: docker.io repository: bitnami/azure-cli - tag: 2.34.1-debian-10-r14 + tag: 2.36.0-debian-10-r14 ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## 
@@ -1337,7 +1337,7 @@ influxdb: image: registry: docker.io repository: bitnami/aws-cli - tag: 2.4.27-debian-10-r4 + tag: 2.7.4-debian-10-r4 ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## diff --git a/home/postgresql/values.yaml b/home/postgresql/values.yaml index c7cbe23694..099462147a 100644 --- a/home/postgresql/values.yaml +++ b/home/postgresql/values.yaml @@ -88,7 +88,7 @@ postgresql: image: registry: docker.io repository: bitnami/postgresql - tag: 14.1.0-debian-10-r80 + tag: 14.2.0-debian-10-r80 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images @@ -1326,6 +1326,6 @@ postgresql: postgresql: image: repository: bitnami/postgresql - tag: 14.2.0 + tag: 14.3.0 auth: existingSecret: \ No newline at end of file diff --git a/home/redis/Chart.yaml b/home/redis/Chart.yaml index 0d152ed106..413bc4723d 100644 --- a/home/redis/Chart.yaml +++ b/home/redis/Chart.yaml @@ -3,5 +3,5 @@ name: redis version: 0.0.0 dependencies: - name: redis - version: 16.8.2 + version: 16.12.1 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/redis/values.yaml b/home/redis/values.yaml index e67863240c..35f998cd3e 100644 --- a/home/redis/values.yaml +++ b/home/redis/values.yaml @@ -1215,7 +1215,7 @@ redis: image: registry: docker.io repository: bitnami/redis-exporter - tag: 1.37.0-debian-10-r2 + tag: 1.39.0-debian-10-r2 pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. diff --git a/platform/vault/Chart.yaml b/platform/vault/Chart.yaml index 49f57f55f8..f88f5eee4d 100644 --- a/platform/vault/Chart.yaml +++ b/platform/vault/Chart.yaml 
@@ -3,5 +3,5 @@ name: vault
 version: 0.0.0
 dependencies:
 - name: vault
- version: 0.19.0
+ version: 0.20.1
 repository: https://helm.releases.hashicorp.com
diff --git a/platform/vault/files/generate-secrets/go.mod b/platform/vault/files/generate-secrets/go.mod
index c3d40e4bcb..d4c1a00dec 100644
--- a/platform/vault/files/generate-secrets/go.mod
+++ b/platform/vault/files/generate-secrets/go.mod
@@ -3,7 +3,7 @@ module git.khuedoan.com/khuedoan/homelab/vault/init
 go 1.17
 require (
- github.com/hashicorp/vault/api v1.5.0
+ github.com/hashicorp/vault/api v1.7.2
 github.com/sethvargo/go-password v0.2.0
 gopkg.in/yaml.v2 v2.4.0
 )
diff --git a/system/cert-manager/Chart.yaml b/system/cert-manager/Chart.yaml
index c59ceee452..fceb666dda 100644
--- a/system/cert-manager/Chart.yaml
+++ b/system/cert-manager/Chart.yaml
@@ -3,5 +3,5 @@ name: cert-manager
 version: 0.0.0
 dependencies:
 - name: cert-manager
- version: v1.7.2
+ version: v1.8.0
 repository: https://charts.jetstack.io
diff --git a/system/descheduler/Chart.yaml b/system/descheduler/Chart.yaml
index 866417de25..c12e681c11 100644
--- a/system/descheduler/Chart.yaml
+++ b/system/descheduler/Chart.yaml
@@ -3,5 +3,5 @@ name: descheduler
 version: 0.0.0
 dependencies:
 - name: descheduler
- version: 0.23.2
+ version: 0.24.1
 repository: https://kubernetes-sigs.github.io/descheduler/
diff --git a/system/kured/Chart.yaml b/system/kured/Chart.yaml
index 89de73e370..f57b5f3746 100644
--- a/system/kured/Chart.yaml
+++ b/system/kured/Chart.yaml
@@ -3,5 +3,5 @@ name: kured
 version: 0.0.0
 dependencies:
 - name: kured
- version: 2.13.0
+ version: 2.15.0
 repository: https://weaveworks.github.io/kured
From a63ea74e6084ab37d366b4ff9cd90e4e98a07a1d Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Sat, 11 Jun 2022 13:41:56 +0200
Subject: [PATCH 244/334] delete influx
---
 home/influxdb/Chart.yaml | 7 -
 home/influxdb/values.yaml | 1352 -------------------------------------
 2 files changed, 1359 deletions(-)
 delete mode 100644 home/influxdb/Chart.yaml
 delete mode 100644 home/influxdb/values.yaml
diff --git a/home/influxdb/Chart.yaml b/home/influxdb/Chart.yaml
deleted file mode 100644
index feef5261a0..0000000000
--- a/home/influxdb/Chart.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v2
-name: influxdb
-version: 0.0.0
-dependencies:
- - name: influxdb
- version: 5.3.4
- repository: https://charts.bitnami.com/bitnami
\ No newline at end of file
diff --git a/home/influxdb/values.yaml b/home/influxdb/values.yaml
deleted file mode 100644
index ed43ea571d..0000000000
--- a/home/influxdb/values.yaml
+++ /dev/null
@@ -1,1352 +0,0 @@ - -influxdb: - - ## @section Global parameters - ## Global Docker image parameters - ## Please, note that this will override the image parameters, including dependencies, configured to use the global value - ## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass - - ## @param global.imageRegistry Global Docker image registry - ## @param global.imagePullSecrets Global Docker registry secret names as an array - ## @param global.storageClass Global storage class for dynamic provisioning - ## - global: - imageRegistry: "" - ## E.g. - ## imagePullSecrets: - ## - myRegistryKeySecretName - ## - imagePullSecrets: [] - storageClass: "" - - ## @section Common parameters - - ## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) - ## - kubeVersion: "" - ## @param nameOverride String to partially override influxdb.fullname template with a string (will prepend the release name) - ## - nameOverride: "" - ## @param fullnameOverride String to fully override influxdb.fullname template with a string - ## - fullnameOverride: "" - ## @param clusterDomain Default Kubernetes cluster domain - ## - clusterDomain: cluster.local - ## @param commonAnnotations Annotations to add to all deployed objects - ## - commonAnnotations: {} - ## @param commonLabels Labels to add to all deployed objects - ## - commonLabels: {} - ## @param extraDeploy Array of extra objects to deploy with the release - ## - extraDeploy: [] - - ## Enable diagnostic mode in the deployment - ## - diagnosticMode: - ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) - ## - enabled: false - ## @param diagnosticMode.command Command to override all containers in the deployment - ## - command: - - sleep - ## @param diagnosticMode.args Args to override all containers in the deployment - ## - args: - - infinity - - ## @section InfluxDB™ parameters - - ## Bitnami 
InfluxDB™ image - ## ref: https://hub.docker.com/r/bitnami/influxdb/tags/ - ## @param image.registry InfluxDB™ image registry - ## @param image.repository InfluxDB™ image repository - ## @param image.tag InfluxDB™ image tag (immutable tags are recommended) - ## @param image.pullPolicy InfluxDB™ image pull policy - ## @param image.pullSecrets Specify docker-registry secret names as an array - ## @param image.debug Specify if debug logs should be enabled - ## - image: - registry: docker.io - repository: bitnami/influxdb - tag: 2.2.0-debian-10-r50 - ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Set to true if you would like to see extra information on logs - ## - debug: false - ## @param architecture InfluxDB™ architecture (`standalone` or `high-availability`) - ## - architecture: standalone - ## Authentication parameters - ## - auth: - ## @param auth.enabled Enable/disable authentication (Variable to keep compatibility with InfluxDB™ v1, in v2 it will be ignored) - ## - enabled: true - ## @param auth.usePasswordFiles Whether to use files to provide secrets instead of env vars. - ## - usePasswordFiles: false - ## InfluxDB™ admin credentials - ## - admin: - ## @param auth.admin.username InfluxDB™ admin user name - ## - username: admin - ## @param auth.admin.password InfluxDB™ admin user's password - ## - password: "" - ## @param auth.admin.token InfluxDB™ admin user's token. Only valid with InfluxDB™ v2 - ## - token: "" - ## @param auth.admin.org InfluxDB™ admin user's org. 
Only valid with InfluxDB™ v2 - ## - org: primary - ## @param auth.admin.bucket InfluxDB™ admin user's bucket. Only valid with InfluxDB™ v2 - ## - bucket: primary - ## @param auth.createUserToken Whether to create tokens for the different users. Take into account these tokens are going to be created by CLI randomly and they will not be accessible from a secret. See more influxdb 2.0 [auth ref](https://docs.influxdata.com/influxdb/v2.0/security/tokens/) - ## You should take into account these tokens are going to be created by CLI - ## so it is not possible to get them by k8s secrets nor to provide them though - ## values - ## See more influxdb 2.0 auth ref: https://docs.influxdata.com/influxdb/v2.0/security/tokens/ - ## - createUserToken: false - ## InfluxDB™ credentials for user with 'admin' privileges on the db specified at 'database' parameter - ## - user: - ## @param auth.user.username Name for InfluxDB™ user with 'admin' privileges on the bucket specified at `auth.user.bucket` and `auth.user.org` or `auth.admin.org` - ## - username: "" - ## @param auth.user.password InfluxDB™ password for `user.name` user - ## - password: "" - ## @param auth.user.org Org to be created on first run - ## - org: "" - ## @param auth.user.bucket Bucket to be created on first run - ## already create. If it is not null a new bucket will be created. 
- ## - bucket: "" - ## InfluxDB™ credentials for user with 'read' privileges on the db specified at 'database' parameter - ## @param auth.readUser.username Name for InfluxDB™ user with 'read' privileges on the bucket specified at `auth.user.bucket` - ## @param auth.readUser.password InfluxDB™ password for `auth.readUser.username` user - ## - readUser: - username: "" - password: "" - ## InfluxDB™ credentials for user with 'write' privileges on the db specified at 'database' parameter - ## @param auth.writeUser.username Name for InfluxDB™ user with 'read' privileges on the bucket specified at `auth.user.bucket` - ## @param auth.writeUser.password InfluxDB™ password for `auth.writeUser.username` user - ## - writeUser: - username: "" - password: "" - ## @param auth.existingSecret Name of existing Secret object with InfluxDB™ credentials (`auth.admin.password`, `auth.user.password`, `auth.readUser.password`, and `auth.writeUser.password` will be ignored and picked up from this secret) - ## - existingSecret: "influxdb-secret" - ## InfluxDB™ backend parameters - ## - influxdb: - ## @param influxdb.configuration Specify content for influxdb.conf - ## Alternatively, you can put your influxdb.conf under the files/conf/ directory - ## - ## configuration: |- - ## reporting-disabled = false - ## bind-address = "127.0.0.1:8088" - ## [meta] - ## dir = "/bitnami/influxdb/meta" - ## ... - ## - configuration: "" - ## @param influxdb.existingConfiguration Name of existing ConfigMap object with the InfluxDB™ configuration (`influxdb.configuration` will be ignored). - ## - existingConfiguration: "" - ## @param influxdb.initdbScripts Dictionary of initdb scripts - ## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory - ## - ## initdbScripts: - ## my_init_script.sh: | - ## #!/bin/sh - ## echo "Do something." 
- initdbScripts: {} - ## @param influxdb.initdbScriptsCM Name of existing ConfigMap object with the initdb scripts (`influxdb.initdbScripts` will be ignored). - ## - initdbScriptsCM: "" - ## @param influxdb.initdbScriptsSecret Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`) - ## - initdbScriptsSecret: "" - ## @param influxdb.replicaCount The number of InfluxDB™ replicas to deploy - ## - replicaCount: 1 - ## @param influxdb.podAffinityPreset InfluxDB™ Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param influxdb.podAntiAffinityPreset InfluxDB™ Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` - ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAntiAffinityPreset: soft - ## Node affinity preset - ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## - nodeAffinityPreset: - ## @param influxdb.nodeAffinityPreset.type InfluxDB™ Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` - type: "" - ## @param influxdb.nodeAffinityPreset.key InfluxDB™ Node label key to match Ignored if `affinity` is set. - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## @param influxdb.nodeAffinityPreset.values InfluxDB™ Node label values to match. Ignored if `affinity` is set. - ## E.g. 
- ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param influxdb.affinity InfluxDB™ Affinity for pod assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set - ## - affinity: {} - ## @param influxdb.nodeSelector InfluxDB™ Node labels for pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param influxdb.tolerations InfluxDB™ Tolerations for pod assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## @param influxdb.podAnnotations Annotations for InfluxDB™ pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - podAnnotations: {} - ## @param influxdb.podLabels Extra labels for InfluxDB™ pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - ## - podLabels: {} - ## @param influxdb.hostAliases InfluxDB™ pods host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## @param influxdb.updateStrategy.type InfluxDB™ statefulset/deployment strategy type - ## Statefulset ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - ## Deployment ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - ## - updateStrategy: - ## StrategyType - ## Can be set to RollingUpdate or OnDelete - ## - type: RollingUpdate - ## @param influxdb.priorityClassName InfluxDB™ pods' priorityClassName - ## - priorityClassName: "" - ## @param influxdb.schedulerName Name of the k8s scheduler (other than default) - ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - schedulerName: "" - ## @param 
influxdb.topologySpreadConstraints Topology Spread Constraints for pod assignment - ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## The value is evaluated as a template - ## - topologySpreadConstraints: [] - ## @param influxdb.podManagementPolicy podManagementPolicy to manage scaling operation of InfluxDB™ pods - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies - ## - podManagementPolicy: OrderedReady - ## Configure Pods Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param influxdb.podSecurityContext.enabled Enabled InfluxDB™ pods' Security Context - ## @param influxdb.podSecurityContext.fsGroup Set InfluxDB™ pod's Security Context fsGroup - ## - podSecurityContext: - enabled: true - fsGroup: 1001 - ## Configure Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param influxdb.containerSecurityContext.enabled Enabled InfluxDB™ containers' Security Context - ## @param influxdb.containerSecurityContext.runAsUser Set InfluxDB™ containers' Security Context runAsUser - ## @param influxdb.containerSecurityContext.runAsNonRoot Set Controller container's Security Context runAsNonRoot - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsNonRoot: true - ## InfluxDB™ pods' resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## We usually recommend not to specify default resources and to leave this as a conscious - ## choice for the user. This also increases chances charts run on environments with little - ## resources, such as Minikube. If you do want to specify resources, uncomment the following - ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- ## @param influxdb.resources.limits The resources limits for the container - ## @param influxdb.resources.requests The requested resources for the container - ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 128Mi - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 128Mi - requests: {} - ## @param influxdb.command Override default container command (useful when using custom images) - ## - command: [] - ## @param influxdb.args Override default container args (useful when using custom images) - ## - args: [] - ## @param influxdb.lifecycleHooks for the InfluxDB™ container(s) to automate configuration before or after startup - ## - lifecycleHooks: {} - ## @param influxdb.extraEnvVars Array containing extra env vars to configure InfluxDB™ - ## For example: - ## extraEnvVars: - ## - name: INFLUXDB_DATA_QUERY_LOG_ENABLED - ## value: "true" - ## - extraEnvVars: [] - ## @param influxdb.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for InfluxDB™ nodes - ## - extraEnvVarsCM: "" - ## @param influxdb.extraEnvVarsSecret Name of existing Secret containing extra env vars for InfluxDB™ nodes - ## - extraEnvVarsSecret: "" - ## @param influxdb.extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts - ## - extraVolumes: [] - ## @param influxdb.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. 
- ## - extraVolumeMounts: [] - ## @param influxdb.containerPorts.http InfluxDB™ container HTTP port - ## @param influxdb.containerPorts.rpc InfluxDB™ container RPC port - ## - containerPorts: - http: 8086 - rpc: 8088 - - ## Configure extra options for InfluxDB™ containers' liveness, readiness and startup probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) - ## @param influxdb.startupProbe.enabled Enable startupProbe - ## @param influxdb.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param influxdb.startupProbe.periodSeconds Period seconds for startupProbe - ## @param influxdb.startupProbe.timeoutSeconds Timeout seconds for startupProbe - ## @param influxdb.startupProbe.failureThreshold Failure threshold for startupProbe - ## @param influxdb.startupProbe.successThreshold Success threshold for startupProbe - ## - startupProbe: - enabled: false - initialDelaySeconds: 180 - periodSeconds: 45 - timeoutSeconds: 30 - successThreshold: 1 - failureThreshold: 6 - ## @param influxdb.livenessProbe.enabled Enable livenessProbe - ## @param influxdb.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param influxdb.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param influxdb.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param influxdb.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param influxdb.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 180 - periodSeconds: 45 - timeoutSeconds: 30 - successThreshold: 1 - failureThreshold: 6 - ## @param influxdb.readinessProbe.enabled Enable readinessProbe - ## @param influxdb.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param influxdb.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param 
influxdb.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param influxdb.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param influxdb.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 60 - periodSeconds: 45 - timeoutSeconds: 30 - successThreshold: 1 - failureThreshold: 6 - ## @param influxdb.customStartupProbe Override default startup probe - ## - customStartupProbe: {} - ## @param influxdb.customLivenessProbe Override default liveness probe - ## - customLivenessProbe: {} - ## @param influxdb.customReadinessProbe Override default readiness probe - ## - customReadinessProbe: {} - ## @param influxdb.sidecars Add additional sidecar containers to the InfluxDB™ pod(s) - ## e.g: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - ## @param influxdb.initContainers Add additional init containers to the InfluxDB™ pod(s) - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - ## e.g: - ## initContainers: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## command: ['sh', '-c', 'echo "hello world"'] - ## - initContainers: [] - - ## Service parameters - ## - service: - ## @param influxdb.service.type Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) - ## - type: ClusterIP - ## @param influxdb.service.ports.http InfluxDB™ HTTP port - ## @param influxdb.service.ports.rpc InfluxDB™ RPC port - ## - ports: - http: 8086 - rpc: 8088 - ## @param influxdb.service.nodePorts [object] Specify the nodePort(s) value for the LoadBalancer and NodePort service types. 
- ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - nodePorts: - http: "" - rpc: "" - ## @param influxdb.service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param influxdb.service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - loadBalancerSourceRanges: [] - ## @param influxdb.service.clusterIP Static clusterIP or None for headless services - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address - ## e.g: - ## clusterIP: None - ## - clusterIP: "" - ## @param influxdb.service.externalTrafficPolicy InfluxDB™ service external traffic policy - ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param influxdb.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) - ## - extraPorts: [] - ## @param influxdb.service.annotations Annotations for InfluxDB™ service - ## - annotations: {} - ## @param influxdb.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" - ## If "ClientIP", consecutive client requests will be directed to the same Pod - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - ## - sessionAffinity: None - ## @param influxdb.service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## timeoutSeconds: 300 - sessionAffinityConfig: {} - - ## @section InfluxDB Relay™ parameters - - relay: - ## Bitnami 
InfluxDB Relay™ image - ## ref: https://hub.docker.com/r/bitnami/influxdb-relay/tags/ - ## @param relay.image.registry InfluxDB Relay™ image registry - ## @param relay.image.repository InfluxDB Relay™ image repository - ## @param relay.image.tag InfluxDB Relay™ image tag (immutable tags are recommended) - ## @param relay.image.pullPolicy InfluxDB Relay™ image pull policy - ## @param relay.image.pullSecrets Specify docker-registry secret names as an array - ## - image: - registry: docker.io - repository: bitnami/influxdb-relay - tag: 0.20200717.0-scratch-r14 - ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## @param relay.configuration [string] InfluxDB Relay™ Configuration. Specify content for relay.toml - ## Alternatively, you can put your relay.toml under the files/conf/ directory - ## - configuration: |- - [[http]] - # Name of the HTTP server, used for display purposes only. - name = "relay-server" - - # TCP address to bind to, for HTTP server. - bind-addr = "0.0.0.0:9096" - - # Array of InfluxDB™ instances to use as backends for Relay. - output = [ - {{- $influxdbReplicaCount := int .Values.influxdb.replicaCount }} - {{- $influxdbFullname := include "common.names.fullname" . }} - {{- $influxdbHeadlessServiceName := printf "%s-headless" (include "common.names.fullname" .) 
}} - {{- $releaseName := .Release.Namespace }} - {{- $clusterDomain:= .Values.clusterDomain }} - {{- range $e, $i := until $influxdbReplicaCount }} - { name="{{ $influxdbFullname }}-{{ $i }}", location="http://{{ $influxdbFullname }}-{{ $i }}.{{ $influxdbHeadlessServiceName }}.{{ $releaseName }}.svc.{{ $clusterDomain }}:8086/write", timeout="10s"}, - {{- end }} - ] - ## @param relay.existingConfiguration Name of existing ConfigMap object with the InfluxDB Relay™ configuration (`relay.configuration` will be ignored) - ## NOTE: This will override relay.configuration - ## - existingConfiguration: "" - ## @param relay.replicaCount The number of InfluxDB Relay™ replicas to deploy - ## - replicaCount: 1 - ## @param relay.updateStrategy.type InfluxDB Relay™ deployment strategy type. - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - ## e.g: - ## updateStrategy: - ## type: RollingUpdate - ## rollingUpdate: - ## maxSurge: 25% - ## maxUnavailable: 25% - ## - updateStrategy: - type: RollingUpdate - ## @param relay.podAnnotations Annotations for InfluxDB Relay™ pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - podAnnotations: {} - ## @param relay.podLabels Extra labels for InfluxDB Relay™ pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - ## - podLabels: {} - ## @param relay.hostAliases InfluxDB Relay™ pods host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## @param relay.podAffinityPreset InfluxDB Relay™ Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param relay.podAntiAffinityPreset InfluxDB Relay™ Pod anti-affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` - ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAntiAffinityPreset: soft - ## Node affinity preset - ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## - nodeAffinityPreset: - ## @param relay.nodeAffinityPreset.type InfluxDB Relay™ Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` - type: "" - ## @param relay.nodeAffinityPreset.key InfluxDB Relay™ Node label key to match Ignored if `affinity` is set. - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## @param relay.nodeAffinityPreset.values InfluxDB Relay™ Node label values to match. Ignored if `affinity` is set. - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param relay.affinity InfluxDB Relay™ Affinity for pod assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set - ## - affinity: {} - ## @param relay.nodeSelector InfluxDB Relay™ Node labels for pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param relay.tolerations InfluxDB Relay™ Tolerations for pod assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## @param relay.priorityClassName InfluxDB Relay™ pods' priorityClassName - ## - priorityClassName: "" - ## @param relay.schedulerName Name of the k8s scheduler (other than default) - ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - schedulerName: "" - ## @param relay.topologySpreadConstraints Topology Spread Constraints for pod assignment - ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## The 
value is evaluated as a template - ## - topologySpreadConstraints: [] - ## Configure Pods Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param relay.podSecurityContext.enabled Enabled InfluxDB Relay™ pods' Security Context - ## @param relay.podSecurityContext.fsGroup Set InfluxDB Relay™ pod's Security Context fsGroup - ## - podSecurityContext: - enabled: true - fsGroup: 1001 - ## Configure Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param relay.containerSecurityContext.enabled Enabled InfluxDB Relay™ containers' Security Context - ## @param relay.containerSecurityContext.runAsUser Set InfluxDB Relay™ containers' Security Context runAsUser - ## @param relay.containerSecurityContext.runAsNonRoot Set Controller container's Security Context runAsNonRoot - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsNonRoot: true - ## InfluxDB Relay™ pods' resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## We usually recommend not to specify default resources and to leave this as a conscious - ## choice for the user. This also increases chances charts run on environments with little - ## resources, such as Minikube. If you do want to specify resources, uncomment the following - ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- ## @param relay.resources.limits The resources limits for the container - ## @param relay.resources.requests The requested resources for the container - ## - resources: - ## Example: - ## limits: - ## cpu: 100m - ## memory: 128Mi - limits: {} - ## Examples: - ## requests: - ## cpu: 100m - ## memory: 128Mi - requests: {} - ## @param relay.command Override default container command (useful when using custom images) - ## - command: [] - ## @param relay.args Override default container args (useful when using custom images) - ## - args: [] - ## @param relay.lifecycleHooks for the InfluxDB Relay™ container(s) to automate configuration before or after startup - ## - lifecycleHooks: {} - ## @param relay.extraEnvVars Array containing extra env vars to configure InfluxDB Relay™ - ## For example: - ## extraEnvVars: - ## - name: INFLUXDB_DATA_QUERY_LOG_ENABLED - ## value: "true" - ## - extraEnvVars: [] - ## @param relay.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for InfluxDB Relay™ nodes - ## - extraEnvVarsCM: "" - ## @param relay.extraEnvVarsSecret Name of existing Secret containing extra env vars for InfluxDB Relay™ nodes - ## - extraEnvVarsSecret: "" - ## @param relay.extraVolumes Array of extra volumes to be added to the deployment (evaluated as template). Requires setting extraVolumeMounts - ## - extraVolumes: [] - ## @param relay.extraVolumeMounts Array of extra volume mounts to be added to the container (evaluated as template). Normally used with extraVolumes. 
- ## - extraVolumeMounts: [] - - ## Configure extra options for InfluxDB Relay™ containers' liveness, readiness and startup probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) - ## @param relay.startupProbe.enabled Enable startupProbe - ## @param relay.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param relay.startupProbe.periodSeconds Period seconds for startupProbe - ## @param relay.startupProbe.timeoutSeconds Timeout seconds for startupProbe - ## @param relay.startupProbe.failureThreshold Failure threshold for startupProbe - ## @param relay.startupProbe.successThreshold Success threshold for startupProbe - ## - startupProbe: - enabled: false - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 6 - ## @param relay.livenessProbe.enabled Enable livenessProbe - ## @param relay.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param relay.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param relay.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param relay.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param relay.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 6 - ## @param relay.readinessProbe.enabled Enable readinessProbe - ## @param relay.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param relay.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param relay.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param relay.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param relay.readinessProbe.successThreshold Success threshold for readinessProbe - 
## - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 6 - ## @param relay.customStartupProbe Override default startup probe - ## - customStartupProbe: {} - ## @param relay.customLivenessProbe Override default liveness probe - ## - customLivenessProbe: {} - ## @param relay.customReadinessProbe Override default readiness probe - ## - customReadinessProbe: {} - ## @param relay.containerPorts [object] Container ports - ## - containerPorts: - http: 9096 - ## @param relay.sidecars Add additional sidecar containers to the InfluxDB Relay™ pod(s) - ## e.g: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - ## @param relay.initContainers Add additional init containers to the InfluxDB Relay™ pod(s) - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - ## e.g: - ## initContainers: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## command: ['sh', '-c', 'echo "hello world"'] - ## - initContainers: [] - ## Service parameters - ## - service: - ## @param relay.service.type Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) - ## - type: ClusterIP - ## @param relay.service.ports.http InfluxDB Relay™ HTTP port - ## - ports: - http: 9096 - ## @param relay.service.nodePorts.http Kubernetes HTTP node port - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - nodePorts: - http: "" - ## @param relay.service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param relay.service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer - ## 
https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - loadBalancerSourceRanges: [] - ## @param relay.service.clusterIP Static clusterIP or None for headless services - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address - ## e.g: - ## clusterIP: None - ## - clusterIP: "" - ## @param relay.service.annotations Annotations for InfluxDB Relay™ service - ## - annotations: {} - ## @param relay.service.externalTrafficPolicy InfluxDB Relay™ service external traffic policy - ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param relay.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) - ## - extraPorts: [] - ## @param relay.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" - ## If "ClientIP", consecutive client requests will be directed to the same mongos Pod - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - ## - sessionAffinity: None - ## @param relay.service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## timeoutSeconds: 300 - ## - sessionAffinityConfig: {} - - ## @section InfluxDB Collectd™ parameters - - collectd: - ## @param collectd.enabled InfluxDB Collectd™ service enable - ## - enabled: false - service: - ## @param collectd.service.type Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) - ## - type: ClusterIP - ## @param collectd.service.port InfluxDB Collectd™ UDP port (should match with corresponding port in influxdb.conf) - ## This requires corresponding configuration in influxdb.conf to enable - ## collectd block - ## - port: 25826 - ## 
@param collectd.service.nodePort Kubernetes HTTP node port - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - nodePort: "" - ## @param collectd.service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param collectd.service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - loadBalancerSourceRanges: [] - ## @param collectd.service.clusterIP Static clusterIP or None for headless services - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address - ## e.g: - ## clusterIP: None - ## - clusterIP: "" - ## @param collectd.service.externalTrafficPolicy InfluxDB Collectd™ service external traffic policy - ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param collectd.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) - ## - extraPorts: [] - ## @param collectd.service.annotations Annotations for InfluxDB Collectd™ service - ## metallb.universe.tf/allow-shared-ip: "true" - ## - annotations: {} - ## @param collectd.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" - ## If "ClientIP", consecutive client requests will be directed to the same mongos Pod - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - ## - sessionAffinity: None - ## @param collectd.service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## 
timeoutSeconds: 300 - ## - sessionAffinityConfig: {} - - ## @section Exposing parameters - - ## Configure the ingress resource that allows you to access the - ## influxdb installation. Set up the URL - ## ref: https://kubernetes.io/docs/user-guide/ingress/ - ## - ingress: - ## @param ingress.enabled Enable ingress controller resource - ## - enabled: true - ## @param ingress.tls Create TLS Secret - ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }} - ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it - ## - tls: true - ## DEPRECATED: Use ingress.annotations instead of ingress.certManager - ## certManager: false - ## - - ## @param ingress.pathType Ingress path type - ## - pathType: ImplementationSpecific - ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) - ## - apiVersion: "" - ## @param ingress.hostname Default host for the ingress resource - ## - hostname: influxdb.jupiter.mein.nl - ## @param ingress.path Ingress path*' in order to use this - ## with ALB ingress controllers. - ## - path: / - ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. - ## For a full list of possible ingress annotations, please see - ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md - ## Use this parameter to set the required annotations for cert-manager, see - ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations - ## - ## e.g: - ## annotations: - ## kubernetes.io/ingress.class: nginx - ## cert-manager.io/cluster-issuer: cluster-issuer-name - ## - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - - ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record. 
- ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array - ## extraHosts: - ## - name: influxdb.local - ## path: / - ## - extraHosts: [] - ## @param ingress.extraPaths Additional arbitrary path/backend objects - ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. - ## extraPaths: - ## - path: /* - ## backend: - ## serviceName: ssl-redirect - ## servicePort: use-annotation - ## - extraPaths: [] - ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. - ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls - ## extraTls: - ## - hosts: - ## - influxdb.local - ## secretName: influxdb.local-tls - ## - extraTls: [] - ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets - ## key and certificate should start with -----BEGIN CERTIFICATE----- or - ## -----BEGIN RSA PRIVATE KEY----- - ## - ## name should line up with a tlsSecret set further up - ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set - ## - ## It is also possible to create and manage the certificates outside of this helm chart - ## Please see README.md for more information - ## - name: influxdb.local-tls - ## key: - ## certificate: - ## - secrets: [] - ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) - ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . 
- ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ - ## - ingressClassName: "nginx" - - ## @section Metrics parameters - - ## Prometheus metrics - ## ref: https://docs.influxdata.com/influxdb/v1.7/administration/server_monitoring/#influxdb-metrics-http-endpoint - ## - metrics: - ## @param metrics.enabled Enable the export of Prometheus metrics - ## - enabled: false - service: - ## @param metrics.service.type Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) - ## - type: ClusterIP - ## @param metrics.service.port InfluxDB™ Prometheus port - ## - port: 9122 - ## @param metrics.service.nodePort Kubernetes HTTP node port - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - nodePort: "" - ## @param metrics.service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param metrics.service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - loadBalancerSourceRanges: [] - ## @param metrics.service.clusterIP Static clusterIP or None for headless services - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address - ## e.g: - ## clusterIP: None - ## - clusterIP: "" - ## @param metrics.service.annotations [object] Annotations for the Prometheus metrics service - ## - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "{{ .Values.metrics.service.port }}" - prometheus.io/path: "/metrics" - ## @param metrics.service.externalTrafficPolicy Service external traffic policy - ## ref 
http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param metrics.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) - ## - extraPorts: [] - ## @param metrics.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" - ## If "ClientIP", consecutive client requests will be directed to the same mongos Pod - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - ## - sessionAffinity: None - ## @param metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## timeoutSeconds: 300 - ## - sessionAffinityConfig: {} - - ## Prometheus Operator ServiceMonitor configuration - ## - serviceMonitor: - ## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) - ## - enabled: false - ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running - ## e.g: - ## namespace: monitoring - ## - namespace: "" - ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped. 
- ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## e.g: - ## interval: 10s - ## - interval: "" - ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## e.g: - ## scrapeTimeout: 10s - ## - scrapeTimeout: "" - ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig - ## - relabelings: [] - ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig - ## - metricRelabelings: [] - ## @param metrics.serviceMonitor.selector Prometheus instance selector labels - ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration - ## e.g: - ## selector: - ## prometheus: my-prometheus - ## - selector: {} - ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels - ## - honorLabels: false - ## NetworkPolicy parameters - ## - networkPolicy: - ## @param networkPolicy.enabled Enable NetworkPolicy - ## - enabled: false - ## @param networkPolicy.allowExternal Don't require client label for connections - ## client labels will have network access to the ports InfluxDB™ is listening - ## on. When true, InfluxDB™ will accept connections from any source - ## (with the correct destination port). 
- ## - allowExternal: true - ## Persistence parameters - ## - persistence: - ## @param persistence.enabled Enable data persistence - ## - enabled: true - ## @param persistence.existingClaim Use a existing PVC which must be created manually before bound - ## If defined, PVC must be created manually before volume will be bound - ## The value is evaluated as a template - ## - existingClaim: "" - ## @param persistence.storageClass Specify the `storageClass` used to provision the volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. - ## - storageClass: "longhorn" - ## @param persistence.accessModes Access mode of data volume - ## - accessModes: - - ReadWriteOnce - ## @param persistence.size Size of data volume - ## - size: 8Gi - ## @param persistence.annotations Persistent Volume Claim annotations - ## - annotations: {} - - ## Pod Service Account - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ - ## - serviceAccount: - ## @param serviceAccount.enabled Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) - ## - enabled: false - ## @param serviceAccount.name Name of an already existing service account. Setting this value disables the automatic service account creation - ## - name: "" - - ## Pod Security Policy - ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - ## @param psp.create Whether to create a PodSecurityPolicy. 
WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later - ## - psp: - create: false - - ## Role Based Access - ## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ - ## @param rbac.create Create Role and RoleBinding (required for PSP to work) - ## - rbac: - create: false - - ## @section Volume permissions parameters - - ## Init Container parameters - ## Change the owner and group of the persistent volume mountpoint to 'runAsUser:fsGroup' - ## values from the securityContext section. - ## - volumePermissions: - ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume mountpoint to `runAsUser:fsGroup` - ## - enabled: false - ## @param volumePermissions.image.registry Init container volume-permissions image registry - ## @param volumePermissions.image.repository Init container volume-permissions image name - ## @param volumePermissions.image.tag Init container volume-permissions image tag - ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy - ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array - ## - image: - registry: docker.io - repository: bitnami/bitnami-shell - tag: 10-debian-10-r313 - ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. 
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Init container Security Context - ## Note: the chown of the data folder is done to securityContext.runAsUser - ## and not the below volumePermissions.securityContext.runAsUser - ## When runAsUser is set to special value "auto", init container will try to chwon the - ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` - ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed). - ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with - ## pod securityContext.enabled=false and shmVolume.chmod.enabled=false - ## @param volumePermissions.securityContext.runAsUser User ID for the init container (when facing issues in OpenShift or uid unknown, try value "auto") - ## - securityContext: - runAsUser: 0 - - ## @section InfluxDB™ backup parameters - - backup: - ## @param backup.enabled Enable InfluxDB™ backup - ## - enabled: false - ## @param backup.directory Directory where backups are stored - ## - directory: "/backups" - ## @param backup.retentionDays Retention time in days for backups (older backups are deleted) - ## - retentionDays: 10 - ## Cronjob configuration - ## This cronjob is used to create InfluxDB™ backups - ## - cronjob: - ## @param backup.cronjob.schedule Schedule in Cron format to save snapshots - ## See https://en.wikipedia.org/wiki/Cron - ## - schedule: "0 2 * * *" - ## @param backup.cronjob.historyLimit Number of successful finished jobs to retain - ## - historyLimit: 1 - ## @param backup.cronjob.podAnnotations Pod annotations - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - podAnnotations: {} - ## K8s Security Context for Backup Cronjob pods - ## 
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## @param backup.cronjob.securityContext.enabled Enable security context for InfluxDB™ - ## @param backup.cronjob.securityContext.fsGroup Group ID for the InfluxDB™ filesystem - ## @param backup.cronjob.securityContext.runAsUser Group ID for the InfluxDB™ filesystem - ## - securityContext: - enabled: true - fsGroup: 1001 - runAsUser: 1001 - ## @param backup.podAffinityPreset Backup ™ Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param backup.podAntiAffinityPreset Backup™ Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` - ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAntiAffinityPreset: soft - ## Node affinity preset - ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## - nodeAffinityPreset: - ## @param backup.nodeAffinityPreset.type Backup™ Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` - type: "" - ## @param backup.nodeAffinityPreset.key Backup™ Node label key to match Ignored if `affinity` is set. - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## @param backup.nodeAffinityPreset.values Backup™ Node label values to match. Ignored if `affinity` is set. - ## E.g. 
- ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param backup.affinity Backup™ Affinity for backup pod assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set - ## - affinity: {} - ## @param backup.nodeSelector Backup™ Node labels for backup pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param backup.tolerations Backup™ Tolerations for backup pod assignment - ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## Storage providers where to upload backups - ## - uploadProviders: - ## Google Storage Bucket configuration - ## @param backup.uploadProviders.google.enabled enable upload to google storage bucket - ## @param backup.uploadProviders.google.secret json secret with serviceaccount data to access Google storage bucket - ## @param backup.uploadProviders.google.secretKey service account secret key name - ## @param backup.uploadProviders.google.existingSecret Name of existing secret object with Google serviceaccount json credentials - ## @param backup.uploadProviders.google.bucketName google storage bucket name name - ## - google: - enabled: false - secret: "" - secretKey: "key.json" - existingSecret: "" - bucketName: "gs://bucket/influxdb" - ## Bitnami Google Cloud SDK image - ## ref: https://hub.docker.com/r/bitnami/google-cloud-sdk/tags/ - ## @param backup.uploadProviders.google.image.registry Google Cloud SDK image registry - ## @param backup.uploadProviders.google.image.repository Google Cloud SDK image name - ## @param backup.uploadProviders.google.image.tag Google Cloud SDK image tag - ## @param backup.uploadProviders.google.image.pullPolicy Google Cloud SDK image pull policy - ## @param backup.uploadProviders.google.image.pullSecrets Specify docker-registry secret 
names as an array - ## - image: - registry: docker.io - repository: bitnami/google-cloud-sdk - tag: 0.388.0-debian-10-r0 - ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Azure Storage Container configuration - ## - azure: - ## @param backup.uploadProviders.azure.enabled Enable upload to azure storage container - ## @param backup.uploadProviders.azure.secret Secret with credentials to access Azure storage - ## @param backup.uploadProviders.azure.secretKey Service account secret key name - ## @param backup.uploadProviders.azure.existingSecret Name of existing secret object - ## @param backup.uploadProviders.azure.containerName Destination container - enabled: false - secret: "" - secretKey: "connection-string" - existingSecret: "" - containerName: "influxdb-container" - ## Bitnami Azure CLI image - ## ref: https://hub.docker.com/r/bitnami/azure-cli/tags/ - ## @param backup.uploadProviders.azure.image.registry Azure CLI image registry - ## @param backup.uploadProviders.azure.image.repository Azure CLI image repository - ## @param backup.uploadProviders.azure.image.tag Azure CLI image tag (immutable tags are recommended) - ## @param backup.uploadProviders.azure.image.pullPolicy Azure CLI image pull policy - ## @param backup.uploadProviders.azure.image.pullSecrets Specify docker-registry secret names as an array - ## - image: - registry: docker.io - repository: bitnami/azure-cli - tag: 2.36.0-debian-10-r14 - ## Specify a imagePullPolicy. 
Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - aws: - ## @param backup.uploadProviders.aws.enabled Enable upload to aws s3 bucket - ## @param backup.uploadProviders.aws.accessKeyID Access Key ID to access aws s3 - ## @param backup.uploadProviders.aws.secretAccessKey Secret Access Key to access aws s3 - ## @param backup.uploadProviders.aws.region Region of aws s3 bucket - ## @param backup.uploadProviders.aws.existingSecret Name of existing secret object - ## @param backup.uploadProviders.aws.bucketName aws s3 bucket name - enabled: false - accessKeyID: "" - secretAccessKey: "" - region: "us-east-1" - existingSecret: "" - bucketName: "s3://bucket/influxdb" - ## Bitnami AWS CLI image - ## ref: https://hub.docker.com/r/bitnami/aws-cli/tags - ## @param backup.uploadProviders.aws.image.registry AWS CLI image registry - ## @param backup.uploadProviders.aws.image.repository AWS CLI image repository - ## @param backup.uploadProviders.aws.image.tag AWS CLI image tag (immutable tags are recommended) - ## @param backup.uploadProviders.aws.image.pullPolicy AWS CLI image pull policy - ## @param backup.uploadProviders.aws.image.pullSecrets Specify docker-registry secret names as an array - ## - image: - registry: docker.io - repository: bitnami/aws-cli - tag: 2.7.4-debian-10-r4 - ## Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. 
- ## Secrets must be manually created in the namespace.
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
- ## e.g:
- ## pullSecrets:
- ## - myRegistryKeySecretName
- ##
- pullSecrets: []
\ No newline at end of file

From a6137a2658c1f0183d53a632bc15a9783d664efe Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Sat, 11 Jun 2022 13:53:51 +0200
Subject: [PATCH 245/334] config: ha

---
 home/homeassistant/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml
index 58b3e558f3..ed171e1d6d 100644
--- a/home/homeassistant/values.yaml
+++ b/home/homeassistant/values.yaml
@@ -1,4 +1,4 @@
-home-assistant:
+homeassistant:
 image:
 # -- image repository
 repository: homeassistant/home-assistant

From 29739dc499b7f93408afd4042e7f35ab02e488b9 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Sat, 11 Jun 2022 13:55:17 +0200
Subject: [PATCH 246/334] config: ha

---
 home/homeassistant/values.yaml | 333 +++++++++++++++++----------------
 1 file changed, 167 insertions(+), 166 deletions(-)

diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml
index ed171e1d6d..1e3704de23 100644
--- a/home/homeassistant/values.yaml
+++ b/home/homeassistant/values.yaml
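Review bot: The renamed top-level key `homeassistant:` in the PATCH 245/334 hunk only takes effect if it matches the dependency `name` (or `alias`) declared in the chart's Chart.yaml, and this commit carries no matching Chart.yaml change; if the subchart is still registered as `home-assistant`, everything beneath the key (the pinned image tag, `TZ`, the ingress host and TLS secret, `hostNetwork`) is silently ignored and the subchart renders with its upstream defaults. Helm gives no warning for an unmatched subchart key, so the failure mode is a deployment that still comes up, just not with the intended settings. Worth confirming with `helm template` that the rendered Deployment and Ingress still carry `tag: 2022.6.5` and `homeassistant.europa.jupiter.mein.nl` before merging. The following commit (246/334) nests `home-assistant:` under `homeassistant:`, which suggests the key the subchart actually consumes was still being worked out; that hunk continues past this view.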
@@ -1,177 +1,178 @@ homeassistant: - image: - # -- image repository - repository: homeassistant/home-assistant - # -- image tag - tag: 2022.6.5 - # -- image pull policy - pullPolicy: IfNotPresent - - # -- environment variables. - # @default -- See below - env: - # -- Set the container timezone - TZ: Europe/Amsterdam - - # -- Configures service settings for the chart. Normally this does not need to be modified. - # @default -- See values.yaml - service: - main: - ports: - http: - port: 8123 - - ingress: - # -- Enable and configure ingress settings for the chart under this key. + home-assistant: + image: + # -- image repository + repository: homeassistant/home-assistant + # -- image tag + tag: 2022.6.5 + # -- image pull policy + pullPolicy: IfNotPresent + + # -- environment variables. + # @default -- See below + env: + # -- Set the container timezone + TZ: Europe/Amsterdam + + # -- Configures service settings for the chart. Normally this does not need to be modified. # @default -- See values.yaml + service: main: - enabled: true - ingressClassName: nginx - annotations: - nginx.org/websocket-services: home-assistant - cert-manager.io/cluster-issuer: letsencrypt-prod - hosts: - - host: &host homeassistant.europa.jupiter.mein.nl - paths: - - path: / - pathType: Prefix - tls: - - secretName: homeassistant-tls-certificate - hosts: - - *host - - # -- Enable devices to be discoverable - hostNetwork: true - - # -- When hostNetwork is true set dnsPolicy to ClusterFirstWithHostNet - # dnsPolicy: ClusterFirstWithHostNet - - securityContext: - # -- (bool) Privileged securityContext may be required if USB devics are accessed directly through the host machine - privileged: # true - - # -- Configure persistence settings for the chart under this key. - # @default -- See values.yaml - persistence: - config: - enabled: true - type: pvc - accessMode: ReadWriteOnce - size: 5Gi - storageClass: longhorn - - # -- Configure a hostPathMount to mount a USB device in the container. 
+ ports: + http: + port: 8123 + + ingress: + # -- Enable and configure ingress settings for the chart under this key. + # @default -- See values.yaml + main: + enabled: true + ingressClassName: nginx + annotations: + nginx.org/websocket-services: home-assistant + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: &host homeassistant.europa.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: homeassistant-tls-certificate + hosts: + - *host + + # -- Enable devices to be discoverable + hostNetwork: true + + # -- When hostNetwork is true set dnsPolicy to ClusterFirstWithHostNet + # dnsPolicy: ClusterFirstWithHostNet + + securityContext: + # -- (bool) Privileged securityContext may be required if USB devics are accessed directly through the host machine + privileged: # true + + # -- Configure persistence settings for the chart under this key. # @default -- See values.yaml - usb: - enabled: false - type: hostPath - hostPath: /path/to/device - - # -- Enable and configure mariadb database subchart under this key. - # For more options see [mariadb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) - # @default -- See values.yaml - mariadb: - enabled: false - architecture: standalone - auth: - database: home-assistant - username: home-assistant - password: home-assistant-pass - rootPassword: home-assistantrootpass - primary: - persistence: - enabled: false - storageClass: "" - - # -- Enable and configure postgresql database subchart under this key. 
- # For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) - # @default -- See values.yaml - postgresql: - enabled: false - image: - repository: bitnami/postgresql - tag: 14.3.0 - postgresqlUsername: home-assistant - postgresqlPassword: home-assistant-pass - postgresqlDatabase: home-assistant persistence: - enabled: true - storageClass: longhorn - size: 4Gi + config: + enabled: true + type: pvc + accessMode: ReadWriteOnce + size: 5Gi + storageClass: longhorn + + # -- Configure a hostPathMount to mount a USB device in the container. + # @default -- See values.yaml + usb: + enabled: false + type: hostPath + hostPath: /path/to/device - metrics: &metrics - # -- Enable and configure a Prometheus serviceMonitor for the chart under this key. + # -- Enable and configure mariadb database subchart under this key. + # For more options see [mariadb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) # @default -- See values.yaml - enabled: true - serviceMonitor: - enabled: true - interval: 1m - scrapeTimeout: 30s - labels: {} - ## See https://www.home-assistant.io/docs/authentication/ for where to find - ## long lived access token creation under your account profile, which is - ## needed to monitor Home Assistant - # bearerTokenSecret: - # name: "" - # key: "" - - # -- Enable and configure Prometheus Rules for the chart under this key. + mariadb: + enabled: false + architecture: standalone + auth: + database: home-assistant + username: home-assistant + password: home-assistant-pass + rootPassword: home-assistantrootpass + primary: + persistence: + enabled: false + storageClass: "" + + # -- Enable and configure postgresql database subchart under this key. 
+ # For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) # @default -- See values.yaml - prometheusRule: + postgresql: enabled: false - labels: {} - # -- Configure additionial rules for the chart under this key. - # @default -- See prometheusrules.yaml - rules: [] - # - alert: HomeAssistantAbsent - # annotations: - # description: Home Assistant has disappeared from Prometheus service discovery. - # summary: Home Assistant is down. - # expr: | - # absent(up{job=~".*home-assistant.*"} == 1) - # for: 5m - # labels: - # severity: critical - - addons: - codeserver: - enabled: true image: - repository: codercom/code-server - tag: 4.4.0 - workingDir: "/config" - args: - - --auth - - "none" - - --user-data-dir - - "/config/.vscode" - - --extensions-dir - - "/config/.vscode" - ingress: + repository: bitnami/postgresql + tag: 14.3.0 + postgresqlUsername: home-assistant + postgresqlPassword: home-assistant-pass + postgresqlDatabase: home-assistant + persistence: enabled: true - ingressClassName: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - nginx.org/websocket-services: home-assistant - hosts: - - host: &config homeassistant-config.europa.jupiter.mein.nl - paths: - - path: / - pathType: Prefix - tls: - - secretName: home-assistant-config-tls-certificate - hosts: - - *config - volumeMounts: - - name: config - mountPath: /config - - # git: - # enabled: true - # user: - # name: homeassistant-bot - # email: homeassitant@jupiter.mein.nl - - - - \ No newline at end of file + storageClass: longhorn + size: 4Gi + + metrics: &metrics + # -- Enable and configure a Prometheus serviceMonitor for the chart under this key. 
+ # @default -- See values.yaml + enabled: true + serviceMonitor: + enabled: true + interval: 1m + scrapeTimeout: 30s + labels: {} + ## See https://www.home-assistant.io/docs/authentication/ for where to find + ## long lived access token creation under your account profile, which is + ## needed to monitor Home Assistant + # bearerTokenSecret: + # name: "" + # key: "" + + # -- Enable and configure Prometheus Rules for the chart under this key. + # @default -- See values.yaml + prometheusRule: + enabled: false + labels: {} + # -- Configure additionial rules for the chart under this key. + # @default -- See prometheusrules.yaml + rules: [] + # - alert: HomeAssistantAbsent + # annotations: + # description: Home Assistant has disappeared from Prometheus service discovery. + # summary: Home Assistant is down. + # expr: | + # absent(up{job=~".*home-assistant.*"} == 1) + # for: 5m + # labels: + # severity: critical + + addons: + codeserver: + enabled: true + image: + repository: codercom/code-server + tag: 4.4.0 + workingDir: "/config" + args: + - --auth + - "none" + - --user-data-dir + - "/config/.vscode" + - --extensions-dir + - "/config/.vscode" + ingress: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + nginx.org/websocket-services: home-assistant + hosts: + - host: &config homeassistant-config.europa.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: home-assistant-config-tls-certificate + hosts: + - *config + volumeMounts: + - name: config + mountPath: /config + + # git: + # enabled: true + # user: + # name: homeassistant-bot + # email: homeassitant@jupiter.mein.nl + + + + \ No newline at end of file From 8b9ce46d967511b1566a78c5c03ae4815384431d Mon Sep 17 00:00:00 2001 
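Review bot: The code-server addon on the new side is published through its own ingress (`homeassistant-config.europa.jupiter.mein.nl`, certificate from `letsencrypt-prod`) while started with the argument pair `--auth` / `"none"`, so anyone who can reach that hostname gets an unauthenticated browser editor with read/write access to the `config` volume mounted at `/config`, which is where Home Assistant's configuration (and any secrets file it keeps there) lives; the re-nesting in this hunk and in the PATCH 247 hunk that undoes it leaves that unchanged. Either drop the `--auth` / `"none"` pair and let code-server require a password, or keep the ingress but front it with whatever forward-auth or identity provider the cluster already uses, and if the editor is only needed occasionally set `enabled: false` and reach it by port-forward instead. Separately, `password: home-assistant-pass`, `rootPassword: home-assistantrootpass` and `postgresqlPassword: home-assistant-pass` are literal values in a committed values file; both subcharts are `enabled: false` so they are inert today, but moving them to a referenced secret avoids them becoming live defaults the day one is switched on. As a history point, PATCH 247's `index 1e3704de23..58b3e558f3` returns the file to the blob that existed before PATCH 245, so the three `config: ha` commits net to zero and could be squashed.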
From: Peter Mein Date: Sat, 11 Jun 2022 13:56:10 +0200 Subject: [PATCH 247/334] config: ha --- home/homeassistant/values.yaml | 335 ++++++++++++++++----------------- 1 file changed, 167 insertions(+), 168 deletions(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 1e3704de23..58b3e558f3 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml 
@@ -1,178 +1,177 @@ -homeassistant: - home-assistant: - image: - # -- image repository - repository: homeassistant/home-assistant - # -- image tag - tag: 2022.6.5 - # -- image pull policy - pullPolicy: IfNotPresent - - # -- environment variables. - # @default -- See below - env: - # -- Set the container timezone - TZ: Europe/Amsterdam - - # -- Configures service settings for the chart. Normally this does not need to be modified. +home-assistant: + image: + # -- image repository + repository: homeassistant/home-assistant + # -- image tag + tag: 2022.6.5 + # -- image pull policy + pullPolicy: IfNotPresent + + # -- environment variables. + # @default -- See below + env: + # -- Set the container timezone + TZ: Europe/Amsterdam + + # -- Configures service settings for the chart. Normally this does not need to be modified. + # @default -- See values.yaml + service: + main: + ports: + http: + port: 8123 + + ingress: + # -- Enable and configure ingress settings for the chart under this key. # @default -- See values.yaml - service: main: - ports: - http: - port: 8123 - - ingress: - # -- Enable and configure ingress settings for the chart under this key. - # @default -- See values.yaml - main: - enabled: true - ingressClassName: nginx - annotations: - nginx.org/websocket-services: home-assistant - cert-manager.io/cluster-issuer: letsencrypt-prod - hosts: - - host: &host homeassistant.europa.jupiter.mein.nl - paths: - - path: / - pathType: Prefix - tls: - - secretName: homeassistant-tls-certificate - hosts: - - *host - - # -- Enable devices to be discoverable - hostNetwork: true - - # -- When hostNetwork is true set dnsPolicy to ClusterFirstWithHostNet - # dnsPolicy: ClusterFirstWithHostNet - - securityContext: - # -- (bool) Privileged securityContext may be required if USB devics are accessed directly through the host machine - privileged: # true - - # -- Configure persistence settings for the chart under this key. 
- # @default -- See values.yaml - persistence: - config: enabled: true - type: pvc - accessMode: ReadWriteOnce - size: 5Gi - storageClass: longhorn - - # -- Configure a hostPathMount to mount a USB device in the container. - # @default -- See values.yaml - usb: - enabled: false - type: hostPath - hostPath: /path/to/device + ingressClassName: nginx + annotations: + nginx.org/websocket-services: home-assistant + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: &host homeassistant.europa.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: homeassistant-tls-certificate + hosts: + - *host + + # -- Enable devices to be discoverable + hostNetwork: true + + # -- When hostNetwork is true set dnsPolicy to ClusterFirstWithHostNet + # dnsPolicy: ClusterFirstWithHostNet + + securityContext: + # -- (bool) Privileged securityContext may be required if USB devics are accessed directly through the host machine + privileged: # true + + # -- Configure persistence settings for the chart under this key. + # @default -- See values.yaml + persistence: + config: + enabled: true + type: pvc + accessMode: ReadWriteOnce + size: 5Gi + storageClass: longhorn - # -- Enable and configure mariadb database subchart under this key. - # For more options see [mariadb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) - # @default -- See values.yaml - mariadb: - enabled: false - architecture: standalone - auth: - database: home-assistant - username: home-assistant - password: home-assistant-pass - rootPassword: home-assistantrootpass - primary: - persistence: - enabled: false - storageClass: "" - - # -- Enable and configure postgresql database subchart under this key. - # For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) + # -- Configure a hostPathMount to mount a USB device in the container. 
# @default -- See values.yaml - postgresql: + usb: enabled: false - image: - repository: bitnami/postgresql - tag: 14.3.0 - postgresqlUsername: home-assistant - postgresqlPassword: home-assistant-pass - postgresqlDatabase: home-assistant + type: hostPath + hostPath: /path/to/device + + # -- Enable and configure mariadb database subchart under this key. + # For more options see [mariadb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) + # @default -- See values.yaml + mariadb: + enabled: false + architecture: standalone + auth: + database: home-assistant + username: home-assistant + password: home-assistant-pass + rootPassword: home-assistantrootpass + primary: persistence: - enabled: true - storageClass: longhorn - size: 4Gi - - metrics: &metrics - # -- Enable and configure a Prometheus serviceMonitor for the chart under this key. - # @default -- See values.yaml - enabled: true - serviceMonitor: - enabled: true - interval: 1m - scrapeTimeout: 30s - labels: {} - ## See https://www.home-assistant.io/docs/authentication/ for where to find - ## long lived access token creation under your account profile, which is - ## needed to monitor Home Assistant - # bearerTokenSecret: - # name: "" - # key: "" - - # -- Enable and configure Prometheus Rules for the chart under this key. - # @default -- See values.yaml - prometheusRule: enabled: false - labels: {} - # -- Configure additionial rules for the chart under this key. - # @default -- See prometheusrules.yaml - rules: [] - # - alert: HomeAssistantAbsent - # annotations: - # description: Home Assistant has disappeared from Prometheus service discovery. - # summary: Home Assistant is down. 
- # expr: | - # absent(up{job=~".*home-assistant.*"} == 1) - # for: 5m - # labels: - # severity: critical - - addons: - codeserver: - enabled: true - image: - repository: codercom/code-server - tag: 4.4.0 - workingDir: "/config" - args: - - --auth - - "none" - - --user-data-dir - - "/config/.vscode" - - --extensions-dir - - "/config/.vscode" - ingress: - enabled: true - ingressClassName: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - nginx.org/websocket-services: home-assistant - hosts: - - host: &config homeassistant-config.europa.jupiter.mein.nl - paths: - - path: / - pathType: Prefix - tls: - - secretName: home-assistant-config-tls-certificate - hosts: - - *config - volumeMounts: - - name: config - mountPath: /config - - # git: - # enabled: true - # user: - # name: homeassistant-bot - # email: homeassitant@jupiter.mein.nl - + storageClass: "" + # -- Enable and configure postgresql database subchart under this key. + # For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) + # @default -- See values.yaml + postgresql: + enabled: false + image: + repository: bitnami/postgresql + tag: 14.3.0 + postgresqlUsername: home-assistant + postgresqlPassword: home-assistant-pass + postgresqlDatabase: home-assistant + persistence: + enabled: true + storageClass: longhorn + size: 4Gi - \ No newline at end of file + metrics: &metrics + # -- Enable and configure a Prometheus serviceMonitor for the chart under this key. + # @default -- See values.yaml + enabled: true + serviceMonitor: + enabled: true + interval: 1m + scrapeTimeout: 30s + labels: {} + ## See https://www.home-assistant.io/docs/authentication/ for where to find + ## long lived access token creation under your account profile, which is + ## needed to monitor Home Assistant + # bearerTokenSecret: + # name: "" + # key: "" + + # -- Enable and configure Prometheus Rules for the chart under this key. 
+ # @default -- See values.yaml + prometheusRule: + enabled: false + labels: {} + # -- Configure additionial rules for the chart under this key. + # @default -- See prometheusrules.yaml + rules: [] + # - alert: HomeAssistantAbsent + # annotations: + # description: Home Assistant has disappeared from Prometheus service discovery. + # summary: Home Assistant is down. + # expr: | + # absent(up{job=~".*home-assistant.*"} == 1) + # for: 5m + # labels: + # severity: critical + + addons: + codeserver: + enabled: true + image: + repository: codercom/code-server + tag: 4.4.0 + workingDir: "/config" + args: + - --auth + - "none" + - --user-data-dir + - "/config/.vscode" + - --extensions-dir + - "/config/.vscode" + ingress: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + nginx.org/websocket-services: home-assistant + hosts: + - host: &config homeassistant-config.europa.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: home-assistant-config-tls-certificate + hosts: + - *config + volumeMounts: + - name: config + mountPath: /config + + # git: + # enabled: true + # user: + # name: homeassistant-bot + # email: homeassitant@jupiter.mein.nl + + + + \ No newline at end of file From 286248fa91b60b4fc4069027fef205d2b349552c Mon Sep 17 00:00:00 2001 
From: Peter Mein Date: Sat, 11 Jun 2022 19:07:56 +0200 Subject: [PATCH 248/334] service: adminer --- home/adminer/Chart.yaml | 12 ++ .../charts/adminer/.circleci/config.yml | 14 ++ .../.github/ISSUE_TEMPLATE/bug_report.md | 34 +++ .../.github/ISSUE_TEMPLATE/feature_request.md | 28 +++ .../adminer/.github/PULL_REQUEST_TEMPLATE.md | 40 ++++ home/adminer/charts/adminer/.gitignore | 7 + home/adminer/charts/adminer/.helmignore | 26 +++ home/adminer/charts/adminer/Chart.yaml | 31 +++ home/adminer/charts/adminer/LICENSE | 201 ++++++++++++++++++ home/adminer/charts/adminer/README.md | 107 ++++++++++ .../charts/adminer/templates/NOTES.txt | 19 ++ .../charts/adminer/templates/_helpers.tpl | 32 +++ .../charts/adminer/templates/deployment.yaml | 74 +++++++ .../charts/adminer/templates/ingress.yaml | 61 ++++++ .../charts/adminer/templates/service.yaml | 32 +++ home/adminer/charts/adminer/values.yaml | 194 +++++++++++++++++ home/adminer/values.yaml | 97 +++++++++ 17 files changed, 1009 insertions(+) create mode 100644 home/adminer/Chart.yaml create mode 100644 home/adminer/charts/adminer/.circleci/config.yml create mode 100644 home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/bug_report.md create mode 100644 home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/feature_request.md create mode 100644 home/adminer/charts/adminer/.github/PULL_REQUEST_TEMPLATE.md create mode 100644 home/adminer/charts/adminer/.gitignore create mode 100644 home/adminer/charts/adminer/.helmignore create mode 100644 home/adminer/charts/adminer/Chart.yaml create mode 100644 home/adminer/charts/adminer/LICENSE create mode 100644 home/adminer/charts/adminer/README.md create mode 100644 home/adminer/charts/adminer/templates/NOTES.txt create mode 100644 home/adminer/charts/adminer/templates/_helpers.tpl create mode 100644 home/adminer/charts/adminer/templates/deployment.yaml create mode 100644 home/adminer/charts/adminer/templates/ingress.yaml create mode 100644 
home/adminer/charts/adminer/templates/service.yaml create mode 100644 home/adminer/charts/adminer/values.yaml create mode 100644 home/adminer/values.yaml diff --git a/home/adminer/Chart.yaml b/home/adminer/Chart.yaml new file mode 100644 index 0000000000..41159c6a04 --- /dev/null +++ b/home/adminer/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: adminer +version: 0.0.0 +dependencies: + - name: adminer + version: 0.2.0 + - name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 1.x.x +engine: gotpl \ No newline at end of file diff --git a/home/adminer/charts/adminer/.circleci/config.yml b/home/adminer/charts/adminer/.circleci/config.yml new file mode 100644 index 0000000000..5309c82587 --- /dev/null +++ b/home/adminer/charts/adminer/.circleci/config.yml @@ -0,0 +1,14 @@ +version: 2 +jobs: + build: + docker: + - image: alpine + steps: + - checkout + - run: + name: helm-github-pages + environment: + - GITHUB_PAGES_REPO: cetic/helm-charts + - HELM_CHART: adminer + - HELM_VERSION: 3.2.4 + command: wget -O - https://raw.githubusercontent.com/cetic/helm-chart-publisher/master/publish.sh | sh \ No newline at end of file diff --git a/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/bug_report.md b/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000000..9af2bccefc --- /dev/null +++ b/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,34 @@ +--- +name: Bug report +about: Create a report to help us improve +title: '[cetic/adminer] issue title' +labels: '' +assignees: '' + +--- + + + +**Describe the bug** +A clear and concise description of what the bug is. + +**Version of Helm and Kubernetes**: + + +**What happened**: + + +**What you expected to happen**: + + +**How to reproduce it** (as minimally and precisely as possible): + + +**Anything else we need to know**: + + 
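Review bot: `home/adminer/Chart.yaml` declares the `common` dependency as `version: 1.x.x` from `https://charts.bitnami.com/bitnami`, and the diffstat for this commit lists no `Chart.lock`, so each `helm dependency update` may resolve a different upstream release and the rendered manifests are not reproducible from the repository alone. Pin the dependency to the exact version that resolves today, or commit the `Chart.lock` that `helm dependency update` produces so the resolved version and digest are tracked alongside the chart. `engine: gotpl` looks like a legacy field from the v1 chart format and can presumably be dropped for an `apiVersion: v2` chart.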
diff --git a/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/feature_request.md b/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000000..84c4aa6ff0 --- /dev/null +++ b/home/adminer/charts/adminer/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,28 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '[cetic/adminer] issue title' +labels: '' +assignees: '' + +--- + + + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. + diff --git a/home/adminer/charts/adminer/.github/PULL_REQUEST_TEMPLATE.md b/home/adminer/charts/adminer/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000000..b2e13b69d2 --- /dev/null +++ b/home/adminer/charts/adminer/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,40 @@ + + +#### What this PR does / why we need it: + +#### Which issue this PR fixes +*(optional, in `fixes #(, fixes #, ...)` format, will close that issue when PR gets merged)* + - fixes # + +#### Special notes for your reviewer: + +#### Checklist +[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.] +- [ ] [DCO](https://github.com/helm/charts/blob/master/CONTRIBUTING.md#sign-your-work) signed +- [ ] Chart Version bumped +- [ ] Variables are documented in the README.md diff --git a/home/adminer/charts/adminer/.gitignore b/home/adminer/charts/adminer/.gitignore new file mode 100644 index 0000000000..3f18c1655b --- /dev/null +++ b/home/adminer/charts/adminer/.gitignore 
@@ -0,0 +1,7 @@ +*.tgz + +# Helm Charts dependencies +#/charts +#*.lock + +.idea diff --git a/home/adminer/charts/adminer/.helmignore b/home/adminer/charts/adminer/.helmignore new file mode 100644 index 0000000000..fbdd321f57 --- /dev/null +++ b/home/adminer/charts/adminer/.helmignore @@ -0,0 +1,26 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store + +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ + +# Common backup files +*.swp +*.bak +*.tmp +*~ + +# Various IDEs +.project +.idea/ +*.tmproj + +.circleci/ diff --git a/home/adminer/charts/adminer/Chart.yaml b/home/adminer/charts/adminer/Chart.yaml new file mode 100644 index 0000000000..7f3c6e76df --- /dev/null +++ b/home/adminer/charts/adminer/Chart.yaml @@ -0,0 +1,31 @@ +--- +apiVersion: v2 +name: adminer +appVersion: 4.8.1 +version: 0.2.0 +description: Adminer is a full-featured database management tool written in PHP. Conversely to phpMyAdmin, it consist of a single file ready to deploy to the target server. Adminer is available for MySQL, MariaDB, PostgreSQL, SQLite, MS SQL, Oracle, Firebird, SimpleDB, Elasticsearch and MongoDB +home: https://www.adminer.org +icon: https://raw.githubusercontent.com/Kong/docker-official-docs/master/adminer/logo.png +dependencies: + - name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 1.x.x +engine: gotpl +keywords: + - adminer + - postgres + - mysql + - sqlite + - elasticsearch + - mongodb + - database + - sql +maintainers: + - name: fzalila + email: faiez.zalila@cetic.be + url: https://github.com/fzalila + - name: alexnuttinck + email: alexandre.nuttinck@cetic.be + url: https://github.com/alexnuttinck diff --git a/home/adminer/charts/adminer/LICENSE b/home/adminer/charts/adminer/LICENSE new file mode 100644 index 0000000000..261eeb9e9f --- /dev/null 
+++ b/home/adminer/charts/adminer/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/home/adminer/charts/adminer/README.md b/home/adminer/charts/adminer/README.md new file mode 100644 index 0000000000..25eef8257a --- /dev/null +++ b/home/adminer/charts/adminer/README.md 
@@ -0,0 +1,107 @@ +# Helm Chart for Adminer + +[![CircleCI](https://circleci.com/gh/cetic/helm-adminer.svg?style=svg)](https://circleci.com/gh/cetic/helm-adminer/tree/master) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) ![version](https://img.shields.io/github/tag/cetic/helm-adminer.svg?label=release) + +## Introduction + +This [Helm](https://github.com/kubernetes/helm) chart installs [Adminer](https://www.adminer.org) in a Kubernetes cluster. + +## Prerequisites + +- Kubernetes cluster 1.10+ +- Helm 3.0.0+ +- PV provisioner support in the underlying infrastructure. + +## Installation + +### Add Helm repository + +```bash +helm repo add cetic https://cetic.github.io/helm-charts +helm repo update +``` + +### Configure the chart + +The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly (need to download the chart first). + +#### Configure the way how to expose Adminer service: + +- **Ingress**: The ingress controller must be installed in the Kubernetes cluster. +- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. +- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. +- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. + +### Install the chart + +Install the Adminer helm chart with a release name `my-release`: + +```bash +helm install --name my-release cetic/adminer +``` + +## Uninstallation + +To uninstall/delete the `my-release` deployment: + +```bash +helm delete --purge my-release +``` + +## Configuration + +The following table lists the configurable parameters of the Adminer chart and the default values. 
+ +| Parameter | Description | Default | +| --------------------------------- | ----------------------------------------------------------------------- | --------------------------- | +| **Image** | +| `image.repository` | Image | `adminer` | +| `image.tag` | Image tag | `4.7.7-standalone` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Image pull secrets for private registry | `[]` | +| **Config** | +| `config.plugins` | List of plugins to install. You can find the list of plugins on [GitHub](https://github.com/vrana/adminer/tree/master/plugins)| ``| +| `config.design` | A bundled design to use. You can find the list of designs on [GitHub](https://github.com/vrana/adminer/tree/master/designs)| ``| +| `config.externalserver` | The default host | `` | +| **Service** | +| `service.type` | Service type | `NodePort` | +| `service.port` | The service port | `80` | +| `service.annotations` | Custom annotations for service | `{}` | +| `service.labels` | Additional custom labels for the service | `{}` | +| `service.loadBalancerIP` | LoadBalancerIP if service type is `LoadBalancer` | `nil` | +| `service.loadBalancerSourceRanges`| Address that are allowed when svc is `LoadBalancer` | `[]` | +| **Ingress** | +| `ingress.enabled` | Enables Ingress | `false` | +| `ingress.annotations` | Ingress annotations | `{}` | +| `ingress.labels` | Custom labels | `{}` | +| `ingress.hosts` | Ingress accepted hostnames | `[]` | +| `ingress.tls` | Ingress TLS configuration | `[]` | +| **Resources** | +| `resources` | CPU/Memory resource requests/limits | `{}` | +| **Tolerations** | +| `tolerations` | Add tolerations | `[]` | +| **NodeSelector** | +| `nodeSelector` | node labels for pod assignment | `{}` | +| **Affinity** | +| `affinity` | node/pod affinities | `{}` | +| **LivenessProbe** | +| `livenessProbe` | Liveness probe settings | `nil` | +| **ReadnessProbe** | +| `readinessProbe` | Readiness probe settings | `nil` | +| `volumeMounts` | Add 
volumeMount to the adminer container | `nil` | +| `volumes` | Add volumes to the pod | `nil` | + +## Credits + +Initially inspired from https://github.com/mogaal/helm-charts/tree/master/adminer. + +## Contributing + +Feel free to contribute by making a [pull request](https://github.com/cetic/helm-adminer/pull/new/master). + +Please read the official [Contribution Guide](https://github.com/helm/charts/blob/master/CONTRIBUTING.md) from Helm for more information on how you can contribute to this Chart. + +## License + +[Apache License 2.0](/LICENSE.md) + diff --git a/home/adminer/charts/adminer/templates/NOTES.txt b/home/adminer/charts/adminer/templates/NOTES.txt new file mode 100644 index 0000000000..7d187a5890 --- /dev/null +++ b/home/adminer/charts/adminer/templates/NOTES.txt 
@@ -0,0 +1,19 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+ http{{ if $.Values.ingress.tls }}s{{ end }}://{{ if $.Values.ingress.host }}{{.Values.ingress.host}}{{else}}your-cluster-ip{{end}}{{ $.Values.ingress.path }}
+ {{if not $.Values.ingress.host}}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "adminer.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "adminer.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "adminer.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "adminer.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl port-forward $POD_NAME 8080:80
+{{- end }}
diff --git a/home/adminer/charts/adminer/templates/_helpers.tpl b/home/adminer/charts/adminer/templates/_helpers.tpl
new file mode 100644
index 0000000000..d223408a51
--- /dev/null
+++ b/home/adminer/charts/adminer/templates/_helpers.tpl
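Review bot: The ClusterIP branch tells the user to run `kubectl port-forward $POD_NAME 8080:80`, but deployment.yaml in this same commit declares `containerPort: 8080`, so the forward targets a port the pod does not listen on; it should read `kubectl port-forward $POD_NAME 8080:8080` (or forward the Service, whose port 80 maps to the named `http` port). The ingress branch tests `$.Values.ingress.host`, while values.yaml in this commit defines `ingress.hostname`, so the printed URL always falls back to `your-cluster-ip`; the three references should become `.Values.ingress.hostname`. The `{{if not $.Values.ingress.host}}` line opens a block that contains nothing before its `{{- end }}` and can simply be removed.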
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "adminer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "adminer.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "adminer.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/home/adminer/charts/adminer/templates/deployment.yaml b/home/adminer/charts/adminer/templates/deployment.yaml
new file mode 100644
index 0000000000..7b1db5fbd0
--- /dev/null
+++ b/home/adminer/charts/adminer/templates/deployment.yaml
@@ -0,0 +1,74 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "adminer.fullname" . }}
+ labels:
+ app.kubernetes.io/name: {{ include "adminer.name" . }}
+ helm.sh/chart: {{ include "adminer.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "adminer.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "adminer.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ spec:
+ {{- if .Values.image.pullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.image.pullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ env:
+ - name: ADMINER_PLUGINS
+ value: {{ .Values.config.plugins }}
+ - name: ADMINER_DESIGN
+ value: {{ .Values.config.design }}
+ - name: ADMINER_DEFAULT_SERVER
+ value: {{ .Values.config.externalserver }}
+ {{- with .Values.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.volumeMounts }}
+ volumeMounts:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.livenessProbe }}
+ livenessProbe:
+ {{ toYaml . | indent 12 }}
+ {{- end }}
+ {{- with .Values.readinessProbe }}
+ readinessProbe:
+ {{ toYaml . | indent 12 }}
+ {{- end }}
+ {{- with .Values.volumes }}
+ volumes:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
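Review bot: The three `env` entries render `.Values.config.*` unquoted, so a value YAML would reinterpret (a number, `yes`/`no`, something starting with `*` or `&`) changes type or breaks the manifest, and the default `plugins: ""` renders as a bare `value:`; write them as `value: {{ .Values.config.plugins | quote }}` and likewise for `ADMINER_DESIGN` and `ADMINER_DEFAULT_SERVER`. The pod template sets no `securityContext` at pod or container level, so Adminer — a database administration UI — runs with whatever the image defaults to; wiring `podSecurityContext`/`securityContext` from values (new keys to add to values.yaml, with `runAsNonRoot: true` and `readOnlyRootFilesystem: true` as defaults) is the usual mitigation, sketched below. The two probe blocks use `{{ toYaml . | indent 12 }}` while every other block uses `nindent`, which makes their indentation depend on the template's own column; pick one form.

```yaml
    spec:
      {{- with .Values.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      # … unchanged: imagePullSecrets …
      containers:
        - name: {{ .Chart.Name }}
          {{- with .Values.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # … unchanged: image, ports, env, resources, probes, volumes …
```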
diff --git a/home/adminer/charts/adminer/templates/ingress.yaml b/home/adminer/charts/adminer/templates/ingress.yaml new file mode 100644 index 0000000000..56cb3432a8 --- /dev/null +++ b/home/adminer/charts/adminer/templates/ingress.yaml 
@@ -0,0 +1,61 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if or .Values.ingress.annotations .Values.commonAnnotations .Values.ingress.certManager }}
+ annotations:
+ {{- if .Values.ingress.certManager }}
+ kubernetes.io/tls-acme: "true"
+ {{- end }}
+ {{- if .Values.ingress.annotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.ingress.annotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
+ ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+ {{- end }}
+ rules:
+ {{- if .Values.ingress.hostname }}
+ - host: {{ .Values.ingress.hostname }}
+ http:
+ paths:
+ {{- if .Values.ingress.extraPaths }}
+ {{- toYaml .Values.ingress.extraPaths | nindent 10 }}
+ {{- end }}
+ - path: {{ .Values.ingress.path }}
+ {{- if eq "true" (include "common.ingress.supportsPathType" .) }}
+ pathType: {{ .Values.ingress.pathType }}
+ {{- end }}
+ backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" "http" "context" $) | nindent 14 }}
+ {{- end }}
+ {{- range .Values.ingress.extraHosts }}
+ - host: {{ .name | quote }}
+ http:
+ paths:
+ - path: {{ default "/" .path }}
+ {{- if eq "true" (include "common.ingress.supportsPathType" $) }}
+ pathType: {{ default "ImplementationSpecific" .pathType }}
+ {{- end }}
+ backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http" "context" $) | nindent 14 }}
+ {{- end }}
+ {{- if or .Values.ingress.tls .Values.ingress.extraTls }}
+ tls:
+ {{- if .Values.ingress.tls }}
+ - hosts:
+ - {{ .Values.ingress.hostname }}
+ secretName: {{ printf "%s-tls" .Values.ingress.hostname }}
+ {{- end }}
+ {{- if .Values.ingress.extraTls }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.ingress.extraTls "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/home/adminer/charts/adminer/templates/service.yaml b/home/adminer/charts/adminer/templates/service.yaml
new file mode 100644
index 0000000000..1ab66d386f
--- /dev/null
+++ b/home/adminer/charts/adminer/templates/service.yaml
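Review bot: This template is built on the bitnami `common.*` library helpers (`common.names.fullname`, `common.capabilities.ingress.apiVersion`, `common.ingress.backend`, `common.tplvalues.render`) while the Deployment and Service in the same commit use the chart-local `adminer.*` helpers from _helpers.tpl; it only renders if Chart.yaml declares the `common` chart as a dependency, which is outside this chunk, and the backend `serviceName` produced by `common.names.fullname` has to equal the name `adminer.fullname` gives the Service or the Ingress routes to nothing. Using `{{ include "adminer.fullname" . }}` for both the metadata name and the backend keeps the chart self-contained and removes that coupling. The annotation block also still reads `.Values.ingress.certManager`, which values.yaml in this commit marks as deprecated in favour of `ingress.annotations`; either drop that branch or document the key.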
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "adminer.fullname" . }}
+ labels:
+ app.kubernetes.io/name: {{ include "adminer.name" . }}
+ helm.sh/chart: {{ include "adminer.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.service.annotations }}
+ annotations:
+{{ toYaml .Values.service.annotations | indent 4 }}
+{{- end }}
+spec:
+ type: {{ .Values.service.type }}
+ {{- if and .Values.service.loadBalancerIP (eq .Values.service.type "LoadBalancer") }}
+ loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+ {{- end }}
+ {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+ {{ with .Values.service.loadBalancerSourceRanges }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+ {{- end }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app.kubernetes.io/name: {{ include "adminer.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/home/adminer/charts/adminer/values.yaml b/home/adminer/charts/adminer/values.yaml
new file mode 100644
index 0000000000..f557909cbc
--- /dev/null
+++ b/home/adminer/charts/adminer/values.yaml
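Review bot: The `loadBalancerSourceRanges` block wraps a `with` inside an `if` that already tests the same value and mixes `indent 4` with the `nindent` used elsewhere, so the emitted indentation depends on the template's own column; `{{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}` directly under `loadBalancerSourceRanges:` renders the same list with one construct, and the `annotations` block can use the same `nindent 4` form. Because `service.type` defaults to `NodePort` in the values.yaml added by this commit, this Service publishes the Adminer UI on every node's address out of the box, and `loadBalancerSourceRanges` only restricts the `LoadBalancer` type; a `ClusterIP` default reached through the ingress is the safer baseline for a database administration tool.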
@@ -0,0 +1,194 @@ +# Default values for adminer. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: adminer + tag: 4.8.1-standalone + pullPolicy: IfNotPresent + pullSecrets: [] + +# See envs from https://hub.docker.com/_/adminer/ +config: + plugins: "" + design: "pepa-linha" + externalserver: "" + +## @section Common parameters + +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param nameOverride String to partially override influxdb.fullname template with a string (will prepend the release name) +## +nameOverride: "" +## @param fullnameOverride String to fully override influxdb.fullname template with a string +## +fullnameOverride: "" +## @param clusterDomain Default Kubernetes cluster domain +## +clusterDomain: cluster.local +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param extraDeploy Array of extra objects to deploy with the release +## +extraDeploy: [] + +## Enable diagnostic mode in the deployment +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity + +service: + type: NodePort + port: 80 + annotations: {} + ## Set the LoadBalancer service type to internal only. 
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + # loadBalancerIP: + + ## Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + # loadBalancerSourceRanges: + # - 10.10.10.0/24 + +ingress: + ## @param ingress.enabled Enable ingress controller resource + ## + enabled: false + ## @param ingress.tls Create TLS Secret + ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }} + ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it + ## + tls: false + ## DEPRECATED: Use ingress.annotations instead of ingress.certManager + ## certManager: false + ## + + ## @param ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.hostname Default host for the ingress resource + ## + hostname: adminer.local + ## @param ingress.path Ingress path*' in order to use this + ## with ALB ingress controllers. + ## + path: / + ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
+ ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record. + ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array + ## extraHosts: + ## - name: influxdb.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths Additional arbitrary path/backend objects + ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. 
+ ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## extraTls: + ## - hosts: + ## - influxdb.local + ## secretName: influxdb.local-tls + ## + extraTls: [] + ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## - name: influxdb.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + +# kubectl create secret generic ca --from-file=ca.pem +# cat > login-ssl.php << EOF +# "/secrets/ca.pem")); +# EOF +# kubectl create configmap plugins-enabled --from-file=login-ssl.php +# volumeMounts: +# - name: ca +# mountPath: "/secrets/" +# readOnly: true +# - name: plugins-enabled +# mountPath: "/var/www/html/plugins-enabled/" +# readOnly: true + +# volumes: +# - name: ca +# secret: +# secretName: ca +# - name: plugins-enabled +# configMap: +# name: plugins-enabled + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. 
If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/home/adminer/values.yaml b/home/adminer/values.yaml new file mode 100644 index 0000000000..770b685207 --- /dev/null +++ b/home/adminer/values.yaml 
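Review bot: The default `service.type: NodePort` exposes the Adminer console on every node's address as soon as the chart is installed; a `ClusterIP` default with ingress or port-forward for access is the safer choice for a tool that accepts database credentials. Several keys were carried over from another chart and are mis-documented or, as far as the templates in this commit show, never read: the `nameOverride`/`fullnameOverride` comments refer to `influxdb.fullname`, the `ingress.path` comment is truncated (`Ingress path*' in order to use this`), and `diagnosticMode`, `extraDeploy`, `clusterDomain` and `ingress.secrets` have no consumer in deployment.yaml, service.yaml or ingress.yaml (the `common.*` helpers may read `kubeVersion` and `ingress.apiVersion`). The README in the same commit documents `image.tag` as `4.7.7-standalone` while this file pins `4.8.1-standalone`, so one of them is stale. The commented `login-ssl.php` example appears to have lost its PHP line — it now reads `# "/secrets/ca.pem"));` between the heredoc markers — so copying it as written yields a broken plugin file.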
@@ -0,0 +1,97 @@ +adminer: + # Default values for adminer. + # This is a YAML-formatted file. + # Declare variables to be passed into your templates. + + replicaCount: 1 + + image: + repository: adminer + tag: 4.8.1-standalone + pullPolicy: IfNotPresent + pullSecrets: [] + + # See envs from https://hub.docker.com/_/adminer/ + config: + plugins: "" + design: "pepa-linha" + externalserver: "" + + nameOverride: "" + fullnameOverride: "" + + service: + type: NodePort + port: 80 + annotations: {} + ## Set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + # loadBalancerIP: + + ## Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + # loadBalancerSourceRanges: + # - 10.10.10.0/24 + + ## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/ + ## +## Configure the ingress resource that allows you to access the +## ®abbitMQ installation. 
Set up the URL +## ref: https://kubernetes.io/docs/user-guide/ingress/ +## + ingress: + enabled: true + path: / + pathType: ImplementationSpecific + hostname: adminer.jupiter.mein.nl + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + tls: true + selfSigned: false + extraHosts: [] + extraTls: [] + secrets: [] + ingressClassName: "nginx" + + # kubectl create secret generic ca --from-file=ca.pem + # cat > login-ssl.php << EOF + # "/secrets/ca.pem")); + # EOF + # kubectl create configmap plugins-enabled --from-file=login-ssl.php + # volumeMounts: + # - name: ca + # mountPath: "/secrets/" + # readOnly: true + # - name: plugins-enabled + # mountPath: "/var/www/html/plugins-enabled/" + # readOnly: true + + # volumes: + # - name: ca + # secret: + # secretName: ca + # - name: plugins-enabled + # configMap: + # name: plugins-enabled + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + nodeSelector: {} + + tolerations: [] + + affinity: {} \ No newline at end of file From 2331fa4f769196ac75680a0eb0077479e0e555a6 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 13 Jun 2022 11:45:12 +0200 Subject: [PATCH 249/334] Expirement with loadbalancer on MetalLB --- home/pihole/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index a87e1c3170..b933481c94 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml 
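Review bot: `hostname: adminer.jupiter.mein.nl` together with `cert-manager.io/cluster-issuer: letsencrypt-prod` and `tls: true` publishes Adminer — a database administration console — on a public hostname with nothing in front of it but Adminer's own login form, and `externalserver: ""` leaves the server field free-form, so the form can be aimed at any database reachable from the cluster network. Placing the ingress behind the identity layer this repository runs (`platform/authentik` appears in a later diffstat of this series) via forward-auth annotations, or at minimum restricting it with an ingress-nginx source-range allowlist (`ingressClassName: "nginx"` is set here), would be the usual mitigation. `selfSigned: false` is not read by the chart's ingress template, and the `## Configure the ingress resource ... ®abbitMQ installation` comment block is a mis-encoded leftover from another chart sitting at column 0 inside the `adminer:` map — harmless to YAML but misleading.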
@@ -40,7 +40,7 @@ pihole: mixedService: false # -- `spec.type` for the DNS Service - type: NodePort + type: LoadBalancer # -- The port of the DNS service port: 53 From 0c8ba3e8dbe69849fbc89d8874cf8914441aead8 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 13 Jun 2022 11:50:11 +0200 Subject: [PATCH 250/334] Try lb ip --- home/pihole/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index b933481c94..ca17ece0fd 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml @@ -52,7 +52,7 @@ pihole: externalTrafficPolicy: Local # -- A fixed `spec.loadBalancerIP` for the DNS Service - loadBalancerIP: "" + loadBalancerIP: "192.168.1.225" # -- A fixed `spec.loadBalancerIP` for the IPv6 DNS Service loadBalancerIPv6: "" From bb33f4981366f330e5882b4ea013b253599c0752 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 13 Jun 2022 12:03:17 +0200 Subject: [PATCH 251/334] Allow mixed ip in metal lb --- home/pihole/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index ca17ece0fd..b443592385 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml @@ -57,9 +57,9 @@ pihole: loadBalancerIPv6: "" # -- Annotations for the DNS service - annotations: {} - # metallb.universe.tf/address-pool: network-services - # metallb.universe.tf/allow-shared-ip: pihole-svc + annotations: + metallb.universe.tf/address-pool: network-services + metallb.universe.tf/allow-shared-ip: pihole-svc # -- Configuration for the DHCP service on port 67 serviceDhcp: From 1621fa1e75a7f7c35b950087e9962c5412684d28 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 13 Jun 2022 12:08:20 +0200 Subject: [PATCH 252/334] Added pre-commit --- .pre-commit-config.yaml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 .pre-commit-config.yaml 
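Review bot: The third hunk (`@@ -57,9 +57,9 @@`) adds `metallb.universe.tf/allow-shared-ip: pihole-svc` while the second hunk's context shows `externalTrafficPolicy: Local`; as far as I recall MetalLB's sharing rules, Services that share an IP under a `Local` policy must select exactly the same pods, so this works for the DNS and DHCP Services of this chart but breaks as soon as the `pihole-svc` key is reused elsewhere, which deserves a comment such as `# shared-IP services must keep the same pod selector while externalTrafficPolicy is Local`. The second hunk pins the address through `spec.loadBalancerIP`, a field Kubernetes deprecated in 1.24; newer MetalLB releases take the same request from the `metallb.universe.tf/loadBalancerIPs` annotation, which would sit next to the two annotations this hunk adds. Either way `192.168.1.225` has to lie inside the `network-services` pool the address-pool annotation selects, and nothing in the values records that dependency.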
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000000..e6e661f94f --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,7 @@ +repos: +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.3.0 # Use the ref you want to point at + hooks: + - id: trailing-whitespace + - id: check-merge-conflict + - id: check-yaml From b65ac03670c87b82813371bd41d06351570e26fd Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 13 Jun 2022 13:23:45 +0200 Subject: [PATCH 253/334] Re-enable postgres --- home/postgresql/{Chart.yaml.disabled => Chart.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename home/postgresql/{Chart.yaml.disabled => Chart.yaml} (100%) diff --git a/home/postgresql/Chart.yaml.disabled b/home/postgresql/Chart.yaml similarity index 100% rename from home/postgresql/Chart.yaml.disabled rename to home/postgresql/Chart.yaml From 83a91983babb8c46337d3c4fbf8d677e2ae02a50 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 13 Jun 2022 13:41:32 +0200 Subject: [PATCH 254/334] testing authtik with seperate db --- platform/authentik/values.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/platform/authentik/values.yaml b/platform/authentik/values.yaml index ad33505c85..f3b4c681dd 100644 --- a/platform/authentik/values.yaml +++ b/platform/authentik/values.yaml @@ -2,7 +2,11 @@ authentik: authentik: secret_key: dontjudgemethisisjustfortesting # TODO postgresql: - password: &postgresql_password IKnowThisIsNotASecurePasswordJust4Testing # TODO + host: postgresql.postgresql.svc.cluster.local + username: authentik + password: secret # TODO + redis: + host: redis-master.redis.svc.cluster.local ingress: enabled: true @@ -22,7 +26,7 @@ authentik: #TODO move to shared postgres postgresql: enabled: false - postgresqlPassword: *postgresql_password + postgresqlPassword: test persistence: enabled: true storageClass: longhorn 
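Review bot: `rev: v4.3.0` pins the hook repository to a tag, which upstream can move or re-create; `rev` accepts a full commit SHA, which makes the hook set reproducible and lets the `# Use the ref you want to point at` template placeholder go. Given that the same patch series commits plaintext credentials in `platform/authentik/values.yaml` and strips that file's trailing newline, `- id: detect-private-key` and `- id: end-of-file-fixer` from the same repository are cheap additions under `hooks:`; `detect-private-key` only catches key material, so a dedicated secrets-scanning hook would be needed to flag passwords.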
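Review bot: `password: secret # TODO` in this hunk and `postgresqlPassword: test` in the next (`@@ -22,7 +26,7 @@`) commit credentials in plaintext to a GitOps repository that is synced into the cluster, next to the existing `secret_key: dontjudgemethisisjustfortesting` in context; anyone with read access to the repository or its history holds them, and rotating later does not remove them from history. A later diffstat in this series lists `platform/external-secrets/Chart.yaml`, so the PostgreSQL password and `secret_key` belong in a Secret produced by an ExternalSecret and injected through the chart's environment-from-secret mechanism rather than in values.yaml. Dropping the `&postgresql_password` anchor also means the bundled PostgreSQL (`postgresql.enabled: false`) and the external `postgresql.host` no longer share one password, which is harmless only while the bundled database stays disabled — a comment like `# unused while postgresql.enabled is false` next to `postgresqlPassword` would prevent a surprise if it is re-enabled.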
@@ -32,4 +36,4 @@ authentik: persistence: enabled: true storageClass: longhorn - size: 1Gi + size: 1Gi \ No newline at end of file From 5054d3a58877aa484d9f6035eb2d73514a2b3f84 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 13 Jun 2022 13:51:24 +0200 Subject: [PATCH 255/334] Delete vault external secret ref --- .../templates/{admin-secret.yaml => admin-secret.yaml.disable} | 0 .../gitea/templates/{config-job.yaml => config-job.yaml.disable} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename platform/gitea/templates/{admin-secret.yaml => admin-secret.yaml.disable} (100%) rename platform/gitea/templates/{config-job.yaml => config-job.yaml.disable} (100%) diff --git a/platform/gitea/templates/admin-secret.yaml b/platform/gitea/templates/admin-secret.yaml.disable similarity index 100% rename from platform/gitea/templates/admin-secret.yaml rename to platform/gitea/templates/admin-secret.yaml.disable diff --git a/platform/gitea/templates/config-job.yaml b/platform/gitea/templates/config-job.yaml.disable similarity index 100% rename from platform/gitea/templates/config-job.yaml rename to platform/gitea/templates/config-job.yaml.disable From e236bcb4df21545af8d571080ecb7a4f17cc47ac Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 13 Jun 2022 18:43:06 +0000 Subject: [PATCH 256/334] chore(deps): update helm release postgresql to v11.6.6 --- home/postgresql/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml index 91866e723b..f949f70bea 100644 --- a/home/postgresql/Chart.yaml +++ b/home/postgresql/Chart.yaml @@ -3,5 +3,5 @@ name: postgresql version: 0.0.0 dependencies: - name: postgresql - version: 11.1.15 + version: 11.6.6 repository: https://charts.bitnami.com/bitnami \ No newline at end of file From 625669263bd7b940127da68931969d34f89721e1 Mon Sep 17 00:00:00 2001 
From: Peter Mein Date: Mon, 13 Jun 2022 22:16:18 +0200 Subject: [PATCH 257/334] Update pihole --- home/pihole/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index b443592385..74a677e436 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml @@ -19,7 +19,7 @@ pihole: # -- the repostory to pull the image from repository: "pihole/pihole" # -- the docker tag, if left empty it will get it from the chart's appVersion - tag: "" + tag: "2022.05" # -- the pull policy pullPolicy: IfNotPresent @@ -398,4 +398,4 @@ pihole: policy: "None" nameservers: - 127.0.0.1 - - 8.8.8.8 \ No newline at end of file + - 8.8.8.8 From 77b72f0e478053671035923b395414cb75ea86c0 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 22 Jun 2022 23:20:13 +0000 Subject: [PATCH 258/334] chore(deps): update all non-major dependencies helm releases --- .tekton/tasks/external.yaml | 2 +- .tekton/tasks/lint.yaml | 2 +- apps/seafile/values.yaml | 2 +- bootstrap/argocd/Chart.yaml | 2 +- external/modules/cloudflare/versions.tf | 2 +- external/versions.tf | 2 +- home/homeassistant/values.yaml | 4 ++-- home/nextcloud/Chart.yaml | 2 +- home/nextcloud/values.yaml | 2 +- home/pihole/Chart.yaml | 2 +- home/postgresql/Chart.yaml | 2 +- home/postgresql/values.yaml | 2 +- home/redis/Chart.yaml | 2 +- metal/roles/pxe_server/files/http/Dockerfile | 2 +- platform/dex/Chart.yaml | 2 +- platform/external-secrets/Chart.yaml | 2 +- system/cert-manager/Chart.yaml | 2 +- system/longhorn-system/Chart.yaml | 2 +- 18 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.tekton/tasks/external.yaml b/.tekton/tasks/external.yaml index 8f2bc0a1ed..4a7369eb9c 100644 --- a/.tekton/tasks/external.yaml +++ b/.tekton/tasks/external.yaml 
@@ -6,7 +6,7 @@ spec: workspaces: - name: source stepTemplate: - image: hashicorp/terraform:1.2.2 + image: hashicorp/terraform:1.2.3 workingDir: /workspace/source/external volumeMounts: - name: terraform-secrets diff --git a/.tekton/tasks/lint.yaml b/.tekton/tasks/lint.yaml index e38fa4e373..c379cb120b 100644 --- a/.tekton/tasks/lint.yaml +++ b/.tekton/tasks/lint.yaml @@ -20,7 +20,7 @@ spec: args: - . - name: terraform - image: hashicorp/terraform:1.2.2 + image: hashicorp/terraform:1.2.3 command: - terraform args: diff --git a/apps/seafile/values.yaml b/apps/seafile/values.yaml index c9d632102a..2ce6053ec1 100644 --- a/apps/seafile/values.yaml +++ b/apps/seafile/values.yaml @@ -4,7 +4,7 @@ seafile: # -- image repository repository: seafileltd/seafile-mc # -- image tag - tag: 9.0.5 + tag: 9.0.6 # -- image pull policy pullPolicy: IfNotPresent diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml index 7217d94c2b..bcdc9dbcc5 100644 --- a/bootstrap/argocd/Chart.yaml +++ b/bootstrap/argocd/Chart.yaml @@ -3,7 +3,7 @@ name: argocd version: 0.0.0 dependencies: - name: argo-cd - version: 4.8.3 + version: 4.9.4 repository: https://argoproj.github.io/argo-helm - name: argocd-applicationset version: 1.12.1 diff --git a/external/modules/cloudflare/versions.tf b/external/modules/cloudflare/versions.tf index 19cefcf551..cfc0d7b247 100644 --- a/external/modules/cloudflare/versions.tf +++ b/external/modules/cloudflare/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 3.16.0" + version = "~> 3.17.0" } kubernetes = { diff --git a/external/versions.tf b/external/versions.tf index 746ccaa6ba..3823bd448f 100644 --- a/external/versions.tf +++ b/external/versions.tf @@ -8,7 +8,7 @@ terraform { required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 3.16.0" + version = "~> 3.17.0" } b2 = { 
diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 58b3e558f3..d62fb4ee21 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -3,7 +3,7 @@ home-assistant: # -- image repository repository: homeassistant/home-assistant # -- image tag - tag: 2022.6.5 + tag: 2022.6.7 # -- image pull policy pullPolicy: IfNotPresent @@ -90,7 +90,7 @@ home-assistant: enabled: false image: repository: bitnami/postgresql - tag: 14.3.0 + tag: 14.4.0 postgresqlUsername: home-assistant postgresqlPassword: home-assistant-pass postgresqlDatabase: home-assistant diff --git a/home/nextcloud/Chart.yaml b/home/nextcloud/Chart.yaml index a3367855cc..13e7948907 100644 --- a/home/nextcloud/Chart.yaml +++ b/home/nextcloud/Chart.yaml @@ -3,5 +3,5 @@ name: nextcloud version: 0.0.0 dependencies: - name: nextcloud - version: 2.14.4 + version: 2.14.6 repository: https://nextcloud.github.io/helm/ diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index 22b3ee0a87..7506f20249 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml @@ -5,7 +5,7 @@ nextcloud: ## image: repository: nextcloud - tag: 24.0.1-fpm-alpine + tag: 24.0.2-fpm-alpine pullPolicy: IfNotPresent # pullSecrets: # - myRegistrKeySecretName diff --git a/home/pihole/Chart.yaml b/home/pihole/Chart.yaml index 3a0aa5ab90..30a9f30306 100644 --- a/home/pihole/Chart.yaml +++ b/home/pihole/Chart.yaml @@ -3,5 +3,5 @@ name: pihole version: 0.0.0 dependencies: - name: pihole - version: 2.5.8 + version: 2.9.0 repository: https://mojo2600.github.io/pihole-kubernetes/ \ No newline at end of file diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml index f949f70bea..065e08935c 100644 --- a/home/postgresql/Chart.yaml +++ b/home/postgresql/Chart.yaml @@ -3,5 +3,5 @@ name: postgresql version: 0.0.0 dependencies: - name: postgresql - version: 11.6.6 + version: 11.6.8 repository: https://charts.bitnami.com/bitnami \ No newline at end of file 
diff --git a/home/postgresql/values.yaml b/home/postgresql/values.yaml index 099462147a..66c42d26f9 100644 --- a/home/postgresql/values.yaml +++ b/home/postgresql/values.yaml @@ -1326,6 +1326,6 @@ postgresql: postgresql: image: repository: bitnami/postgresql - tag: 14.3.0 + tag: 14.4.0 auth: existingSecret: \ No newline at end of file diff --git a/home/redis/Chart.yaml b/home/redis/Chart.yaml index 413bc4723d..9e2221fc97 100644 --- a/home/redis/Chart.yaml +++ b/home/redis/Chart.yaml @@ -3,5 +3,5 @@ name: redis version: 0.0.0 dependencies: - name: redis - version: 16.12.1 + version: 16.12.3 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/metal/roles/pxe_server/files/http/Dockerfile b/metal/roles/pxe_server/files/http/Dockerfile index 93a34a4038..26643d7e68 100644 --- a/metal/roles/pxe_server/files/http/Dockerfile +++ b/metal/roles/pxe_server/files/http/Dockerfile @@ -1 +1 @@ -FROM nginx:1.22-alpine +FROM nginx:1.23-alpine diff --git a/platform/dex/Chart.yaml b/platform/dex/Chart.yaml index 471da75dd8..2246ff202d 100644 --- a/platform/dex/Chart.yaml +++ b/platform/dex/Chart.yaml @@ -3,5 +3,5 @@ name: dex version: 0.39.1 dependencies: - name: security-apps - version: 0.48.0 + version: 0.51.0 repository: https://charts.adfinis.com diff --git a/platform/external-secrets/Chart.yaml b/platform/external-secrets/Chart.yaml index a88e328e8f..96c4249b03 100644 --- a/platform/external-secrets/Chart.yaml +++ b/platform/external-secrets/Chart.yaml @@ -3,5 +3,5 @@ name: external-secrets version: 0.0.0 dependencies: - name: external-secrets - version: 0.5.6 + version: 0.5.7 repository: https://charts.external-secrets.io diff --git a/system/cert-manager/Chart.yaml b/system/cert-manager/Chart.yaml index fceb666dda..3b04f4a610 100644 --- a/system/cert-manager/Chart.yaml +++ b/system/cert-manager/Chart.yaml 
@@ -3,5 +3,5 @@ name: cert-manager version: 0.0.0 dependencies: - name: cert-manager - version: v1.8.0 + version: v1.8.1 repository: https://charts.jetstack.io diff --git a/system/longhorn-system/Chart.yaml b/system/longhorn-system/Chart.yaml index 78baec8e68..d29698e5fa 100644 --- a/system/longhorn-system/Chart.yaml +++ b/system/longhorn-system/Chart.yaml @@ -3,5 +3,5 @@ name: longhorn version: 0.0.0 dependencies: - name: longhorn - version: 1.2.4 + version: 1.3.0 repository: https://charts.longhorn.io From 4bf58108cd1e4395fb314afb981ccdce33132ed0 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 27 Jun 2022 18:00:00 +0000 Subject: [PATCH 259/334] chore(deps): update Helm release nextcloud to v3 --- home/nextcloud/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/nextcloud/Chart.yaml b/home/nextcloud/Chart.yaml index 13e7948907..86592bb91b 100644 --- a/home/nextcloud/Chart.yaml +++ b/home/nextcloud/Chart.yaml @@ -3,5 +3,5 @@ name: nextcloud version: 0.0.0 dependencies: - name: nextcloud - version: 2.14.6 + version: 3.0.0 repository: https://nextcloud.github.io/helm/ From 89d61a7e446330a9b6c14bdfcaa53c4426c0ae35 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 29 Jun 2022 14:31:59 +0000 Subject: [PATCH 260/334] chore(deps): update all non-major dependencies helm releases --- bin/cloudflared/Chart.yaml | 2 +- bootstrap/argocd/Chart.yaml | 2 +- external/modules/cloudflare/versions.tf | 2 +- external/versions.tf | 2 +- home/postgresql/Chart.yaml | 2 +- home/redis/Chart.yaml | 2 +- platform/authentik/Chart.yaml | 2 +- system/cert-manager/Chart.yaml | 2 +- system/kured/Chart.yaml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/bin/cloudflared/Chart.yaml b/bin/cloudflared/Chart.yaml index b14d611d44..f6bae20473 100644 --- a/bin/cloudflared/Chart.yaml +++ b/bin/cloudflared/Chart.yaml 
@@ -3,5 +3,5 @@ name: cloudflared version: 0.0.0 dependencies: - name: cloudflared - version: 0.3.3 + version: 0.4.3 repository: https://khuedoan.github.io/charts diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml index bcdc9dbcc5..dbe6b833f5 100644 --- a/bootstrap/argocd/Chart.yaml +++ b/bootstrap/argocd/Chart.yaml @@ -3,7 +3,7 @@ name: argocd version: 0.0.0 dependencies: - name: argo-cd - version: 4.9.4 + version: 4.9.11 repository: https://argoproj.github.io/argo-helm - name: argocd-applicationset version: 1.12.1 diff --git a/external/modules/cloudflare/versions.tf b/external/modules/cloudflare/versions.tf index cfc0d7b247..160cfbb1f3 100644 --- a/external/modules/cloudflare/versions.tf +++ b/external/modules/cloudflare/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 3.17.0" + version = "~> 3.18.0" } kubernetes = { diff --git a/external/versions.tf b/external/versions.tf index 3823bd448f..771af199e8 100644 --- a/external/versions.tf +++ b/external/versions.tf @@ -8,7 +8,7 @@ terraform { required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 3.17.0" + version = "~> 3.18.0" } b2 = { diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml index 065e08935c..0c879a7f6e 100644 --- a/home/postgresql/Chart.yaml +++ b/home/postgresql/Chart.yaml @@ -3,5 +3,5 @@ name: postgresql version: 0.0.0 dependencies: - name: postgresql - version: 11.6.8 + version: 11.6.10 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/redis/Chart.yaml b/home/redis/Chart.yaml index 9e2221fc97..e82e6e3bcb 100644 --- a/home/redis/Chart.yaml +++ b/home/redis/Chart.yaml @@ -3,5 +3,5 @@ name: redis version: 0.0.0 dependencies: - name: redis - version: 16.12.3 + version: 16.13.0 repository: https://charts.bitnami.com/bitnami \ No newline at end of file 
diff --git a/platform/authentik/Chart.yaml b/platform/authentik/Chart.yaml index 1cc92b9f2f..59167afaa1 100644 --- a/platform/authentik/Chart.yaml +++ b/platform/authentik/Chart.yaml @@ -3,5 +3,5 @@ name: authentik version: 0.0.0 dependencies: - name: authentik - version: 2022.6.1 + version: 2022.6.3 repository: https://charts.goauthentik.io diff --git a/system/cert-manager/Chart.yaml b/system/cert-manager/Chart.yaml index 3b04f4a610..f51965d4b0 100644 --- a/system/cert-manager/Chart.yaml +++ b/system/cert-manager/Chart.yaml @@ -3,5 +3,5 @@ name: cert-manager version: 0.0.0 dependencies: - name: cert-manager - version: v1.8.1 + version: v1.8.2 repository: https://charts.jetstack.io diff --git a/system/kured/Chart.yaml b/system/kured/Chart.yaml index f57b5f3746..45a0495666 100644 --- a/system/kured/Chart.yaml +++ b/system/kured/Chart.yaml @@ -3,5 +3,5 @@ name: kured version: 0.0.0 dependencies: - name: kured - version: 2.15.0 + version: 2.16.0 repository: https://weaveworks.github.io/kured From 92c7308f2476fc8778015c80ef08af2397c68edf Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 5 Jul 2022 08:22:07 +0200 Subject: [PATCH 261/334] Add first version of plex for audio --- home/plex/Chart.yaml | 7 +++ home/plex/values.yaml | 112 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 119 insertions(+) create mode 100644 home/plex/Chart.yaml create mode 100644 home/plex/values.yaml diff --git a/home/plex/Chart.yaml b/home/plex/Chart.yaml new file mode 100644 index 0000000000..6b5bd15f10 --- /dev/null +++ b/home/plex/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: plex +version: 0.0.0 +dependencies: + - name: plex + version: 6.3.3 + repository: https://library-charts.k8s-at-home.com \ No newline at end of file diff --git a/home/plex/values.yaml b/home/plex/values.yaml new file mode 100644 index 0000000000..2f2719e999 --- /dev/null +++ b/home/plex/values.yaml 
@@ -0,0 +1,112 @@ +plex: + # + # IMPORTANT NOTE + # + # This chart inherits from our common library chart. You can check the default values/options here: + # https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml + # + + image: + # -- image repository + repository: ghcr.io/k8s-at-home/plex + # @default -- chart.appVersion + tag: + # -- image pull policy + pullPolicy: IfNotPresent + + # -- environment variables. See [plex docs](https://support.plex.tv/articles/201105343-advanced-hidden-server-settings/) for more details. + # **NOTE:** Plex preference options are camelCase and CASE SENSITIVE! + # You can do horrible things to your Plex configuration if you are not careful + # @default -- See below + env: + # -- Set the container timezone + TZ: Amsterdam/Europe + # ADVERTISE_IP: + # ALLOWED_NETWORKS: + # PLEX_CLAIM: + # PLEX_PREFERENCE_1: "FriendlyName=plex-kubernetes" + # PLEX_PREFERENCE_2: "EnableIPv6=0" + # PLEX_PREFERENCE_3: "logDebug=0" + # PLEX_PREFERENCE_4: "DisableTLSv1_0=1" + # PLEX_PREFERENCE_5: "LanNetworksBandwidth=xxx.xxx.xxx.0/18\,xxx.xxx.xxx.0/24\,xxx.xxx.xxx.0/24" + # PLEX_PREFERENCE_6: "TranscoderQuality=2" + # PLEX_PREFERENCE_7: "TreatWanIpAsLocal=0" + # PLEX_PREFERENCE_8: "TranscoderH264BackgroundPreset=fast" + + # -- Configures service settings for the chart. + # @default -- See values.yaml + service: + main: + primary: true + ports: + http: + port: 32400 + dnla-tcp: + enabled: false + type: NodePort + ports: + dnla-tcp: + enabled: true + port: 32469 + protocol: TCP + targetPort: 32469 + externalTrafficPolicy: Local + dnla-udp: + enabled: false + type: NodePort + ports: + dnla-udp: + enabled: true + port: 1900 + protocol: TCP + targetPort: 1900 + externalTrafficPolicy: Local + + ingress: + # -- Enable and configure ingress settings for the chart under this key. 
+ # @default -- See values.yaml + main: + enabled: false + + # -- Enable devices to be discoverable + hostNetwork: false + + # -- Configure persistence settings for the chart under this key. + # @default -- See values.yaml + persistence: + config: + enabled: false + mountPath: /config + + transcode: + enabled: false + mountPath: /transcode + + # -- Configure the Security Context for the Pod + podSecurityContext: {} + # runAsUser: 568 + # runAsGroup: 568 + # fsGroup: 568 + # # Hardware acceleration using an Intel iGPU w/ QuickSync + # # These IDs below should be matched to your `video` and `render` group on the host + # # To obtain those IDs run the following grep statement on the host: + # # $ cat /etc/group | grep "video\|render" + # # video:x:44: + # # render:x:109: + # supplementalGroups: + # - 44 + # - 109 + + # -- Configure the resource requests and/or limits for the Pod + resources: {} + # requests: + # # Hardware acceleration using an Intel iGPU w/ QuickSync and + # # using intel-gpu-plugin (https://github.com/intel/intel-device-plugins-for-kubernetes) + # gpu.intel.com/i915: 1 + # cpu: 200m + # memory: 256Mi + # limits: + # # Hardware acceleration using an Intel iGPU w/ QuickSync and + # # using intel-gpu-plugin (https://github.com/intel/intel-device-plugins-for-kubernetes) + # gpu.intel.com/i915: 1 + # memory: 4096Mi \ No newline at end of file From 97996993843772bb6b97acc28586ad8e5e46f476 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 5 Jul 2022 08:32:07 +0200 Subject: [PATCH 262/334] fix: url of plex chart --- home/plex/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/plex/Chart.yaml b/home/plex/Chart.yaml index 6b5bd15f10..494486439f 100644 --- a/home/plex/Chart.yaml +++ b/home/plex/Chart.yaml @@ -4,4 +4,4 @@ version: 0.0.0 dependencies: - name: plex version: 6.3.3 - repository: https://library-charts.k8s-at-home.com \ No newline at end of file + repository: https://k8s-at-home.com/charts/ 
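Review bot: `TZ: Amsterdam/Europe` in the `env` block is not a valid tz database identifier — the region comes first — so it should read `TZ: Europe/Amsterdam`; with the current value the container will most likely fall back to UTC without an error. Under `dnla-udp` the port on 1900 is declared with `protocol: TCP`, although the service name and the SSDP discovery port suggest UDP; if UDP discovery is intended that line should be `protocol: UDP`. Both services are `enabled: false` in this commit, so the second issue only surfaces once they are turned on.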
From 196a1a51ff1e213bc6bfcb758db70ed216b06318 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 5 Jul 2022 08:40:34 +0200 Subject: [PATCH 263/334] Add ingress to plex --- home/plex/values.yaml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/home/plex/values.yaml b/home/plex/values.yaml index 2f2719e999..4feb04599d 100644 --- a/home/plex/values.yaml +++ b/home/plex/values.yaml @@ -66,7 +66,19 @@ plex: # -- Enable and configure ingress settings for the chart under this key. # @default -- See values.yaml main: - enabled: false + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: &host plex.europa.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: plex-tls-certificate + hosts: + - *host # -- Enable devices to be discoverable hostNetwork: false From aa8a652c33a1bd795dd57c0a1f362dcc296c5bad Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 5 Jul 2022 08:49:19 +0200 Subject: [PATCH 264/334] Test loadbalancer for sharing --- home/plex/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/home/plex/values.yaml b/home/plex/values.yaml index 4feb04599d..c74df32c6a 100644 --- a/home/plex/values.yaml +++ b/home/plex/values.yaml @@ -42,8 +42,8 @@ plex: http: port: 32400 dnla-tcp: - enabled: false - type: NodePort + enabled: true + type: LoadBalancer ports: dnla-tcp: enabled: true @@ -52,8 +52,8 @@ plex: targetPort: 32469 externalTrafficPolicy: Local dnla-udp: - enabled: false - type: NodePort + enabled: true + type: LoadBalancer ports: dnla-udp: enabled: true From 571c9979f426659b2a692947c91948d9f979de5b Mon Sep 17 00:00:00 2001 
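Review bot: Switching `dnla-tcp` and `dnla-udp` to `type: LoadBalancer` (this hunk and the following `@@ -52,8 +52,8 @@` hunk) will, with MetalLB, allocate a separate address for each service unless both carry the same `metallb.universe.tf/allow-shared-ip` key — the annotation this repository already uses for pihole in an earlier commit. If the "sharing" in the title means one IP for both, add `annotations: {metallb.universe.tf/allow-shared-ip: plex-svc}` to each service; MetalLB additionally requires shared services to use either `externalTrafficPolicy: Cluster` or identical pod selectors, which presumably holds here since both are ports of the same release but is worth confirming given the `externalTrafficPolicy: Local` context lines. The `protocol: TCP` declared for the dnla-udp port lies outside this hunk and should be checked before the service is exposed.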
From: Peter Mein Date: Sun, 7 Aug 2022 11:31:43 +0200 Subject: [PATCH 265/334] chore(deps): update dependency alpine to v20220715 --- metal/roles/pxe_server/files/dhcp/Dockerfile | 2 +- metal/roles/pxe_server/files/tftp/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/metal/roles/pxe_server/files/dhcp/Dockerfile b/metal/roles/pxe_server/files/dhcp/Dockerfile index b6405ee336..187a9b23a7 100644 --- a/metal/roles/pxe_server/files/dhcp/Dockerfile +++ b/metal/roles/pxe_server/files/dhcp/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:20220316 +FROM alpine:20220715 RUN apk add dhcp diff --git a/metal/roles/pxe_server/files/tftp/Dockerfile b/metal/roles/pxe_server/files/tftp/Dockerfile index ada70c714d..a2358bf438 100644 --- a/metal/roles/pxe_server/files/tftp/Dockerfile +++ b/metal/roles/pxe_server/files/tftp/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:20220316 +FROM alpine:20220715 RUN apk add busybox tftp-hpa From 71b18fe59ea8e3f75a748c20ff524ad4a7cceb77 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 7 Aug 2022 11:31:46 +0200 Subject: [PATCH 266/334] chore(deps): update helm release kured to v3 --- system/kured/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/kured/Chart.yaml b/system/kured/Chart.yaml index 45a0495666..7a54e989e7 100644 --- a/system/kured/Chart.yaml +++ b/system/kured/Chart.yaml @@ -3,5 +3,5 @@ name: kured version: 0.0.0 dependencies: - name: kured - version: 2.16.0 + version: 3.0.0 repository: https://weaveworks.github.io/kured From 38273bef4e0e81dd7d871d9a45672aaff0b52a2d Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 8 Aug 2022 20:20:35 +0200 Subject: [PATCH 267/334] Include forks in renovate --- .vscode/settings.json | 22 ++++++++++++++++++++++ renovate.json | 1 + 2 files changed, 23 insertions(+) create mode 100644 .vscode/settings.json diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000000..21cfc46d92 --- /dev/null 
+++ b/.vscode/settings.json @@ -0,0 +1,22 @@ +{ + "workbench.colorCustomizations": { + "activityBar.activeBackground": "#65c89b", + "activityBar.activeBorder": "#945bc4", + "activityBar.background": "#65c89b", + "activityBar.foreground": "#15202b", + "activityBar.inactiveForeground": "#15202b99", + "activityBarBadge.background": "#945bc4", + "activityBarBadge.foreground": "#e7e7e7", + "sash.hoverBorder": "#65c89b", + "statusBar.background": "#42b883", + "statusBar.foreground": "#15202b", + "statusBarItem.hoverBackground": "#359268", + "statusBarItem.remoteBackground": "#42b883", + "statusBarItem.remoteForeground": "#15202b", + "titleBar.activeBackground": "#42b883", + "titleBar.activeForeground": "#15202b", + "titleBar.inactiveBackground": "#42b88399", + "titleBar.inactiveForeground": "#15202b99" + }, + "peacock.color": "#42b883" +} \ No newline at end of file diff --git a/renovate.json b/renovate.json index 3155caf734..feb90584e3 100644 --- a/renovate.json +++ b/renovate.json @@ -5,6 +5,7 @@ ], "dependencyDashboard": true, "ignorePaths": ["disable/**", "system/datadog/**"], + "includeForks": true, "packageRules": [ { "matchPackagePatterns": [ From e139214670cbeea8e4dbcccfce8247830d374699 Mon Sep 17 00:00:00 2001 
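Review bot: `.vscode/settings.json` is a personal editor theme (Peacock colour customisations) unrelated to the Renovate change in the commit title, and as a workspace settings file it will apply those colours to every contributor who opens the repository. It would be cleaner to leave it out of this commit and add `.vscode/` to `.gitignore`, keeping only the `renovate.json` hunk.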
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 8 Aug 2022 18:25:15 +0000 Subject: [PATCH 268/334] chore(deps): update all non-major dependencies helm releases --- .tekton/tasks/external.yaml | 2 +- .tekton/tasks/lint.yaml | 2 +- apps/jellyfin/Chart.yaml | 2 +- bootstrap/argocd/Chart.yaml | 2 +- external/modules/cloudflare/versions.tf | 4 ++-- external/versions.tf | 4 ++-- home/firefly/values.yaml | 2 +- home/homeassistant/Chart.yaml | 2 +- home/homeassistant/values.yaml | 4 ++-- home/mariadb/Chart.yaml | 2 +- home/nextcloud/Chart.yaml | 2 +- home/nextcloud/values.yaml | 2 +- home/pihole/Chart.yaml | 2 +- home/pihole/values.yaml | 2 +- home/plex/Chart.yaml | 2 +- home/postgresql/Chart.yaml | 2 +- home/redis/Chart.yaml | 2 +- platform/authentik/Chart.yaml | 2 +- platform/dex/Chart.yaml | 2 +- platform/external-secrets/Chart.yaml | 2 +- platform/gitea/files/config/go.mod | 2 +- platform/vault/files/generate-secrets/go.mod | 10 +++++----- platform/vault/files/generate-secrets/go.sum | 10 ++++++++++ system/cert-manager/Chart.yaml | 2 +- system/external-dns/Chart.yaml | 2 +- system/ingress-nginx/Chart.yaml | 2 +- system/metallb-system/Chart.yaml | 2 +- 27 files changed, 43 insertions(+), 33 deletions(-) diff --git a/.tekton/tasks/external.yaml b/.tekton/tasks/external.yaml index 4a7369eb9c..f39fe1c31a 100644 --- a/.tekton/tasks/external.yaml +++ b/.tekton/tasks/external.yaml @@ -6,7 +6,7 @@ spec: workspaces: - name: source stepTemplate: - image: hashicorp/terraform:1.2.3 + image: hashicorp/terraform:1.2.6 workingDir: /workspace/source/external volumeMounts: - name: terraform-secrets diff --git a/.tekton/tasks/lint.yaml b/.tekton/tasks/lint.yaml index c379cb120b..5935580cba 100644 --- a/.tekton/tasks/lint.yaml +++ b/.tekton/tasks/lint.yaml @@ -20,7 +20,7 @@ spec: args: - . - name: terraform - image: hashicorp/terraform:1.2.3 + image: hashicorp/terraform:1.2.6 command: - terraform args: 
diff --git a/apps/jellyfin/Chart.yaml b/apps/jellyfin/Chart.yaml index e381cb1c9d..43431db22a 100644 --- a/apps/jellyfin/Chart.yaml +++ b/apps/jellyfin/Chart.yaml @@ -3,5 +3,5 @@ name: jellyfin version: 0.0.0 dependencies: - name: jellyfin - version: 9.4.2 + version: 9.5.3 repository: https://k8s-at-home.com/charts/ diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml index dbe6b833f5..b24ba31a62 100644 --- a/bootstrap/argocd/Chart.yaml +++ b/bootstrap/argocd/Chart.yaml @@ -3,7 +3,7 @@ name: argocd version: 0.0.0 dependencies: - name: argo-cd - version: 4.9.11 + version: 4.10.5 repository: https://argoproj.github.io/argo-helm - name: argocd-applicationset version: 1.12.1 diff --git a/external/modules/cloudflare/versions.tf b/external/modules/cloudflare/versions.tf index 160cfbb1f3..c411f267bc 100644 --- a/external/modules/cloudflare/versions.tf +++ b/external/modules/cloudflare/versions.tf @@ -2,12 +2,12 @@ terraform { required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 3.18.0" + version = "~> 3.20.0" } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.11.0" + version = "~> 2.12.0" } http = { diff --git a/external/versions.tf b/external/versions.tf index 771af199e8..77482510e0 100644 --- a/external/versions.tf +++ b/external/versions.tf @@ -8,7 +8,7 @@ terraform { required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 3.18.0" + version = "~> 3.20.0" } b2 = { @@ -19,7 +19,7 @@ terraform { kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.11.0" + version = "~> 2.12.0" } http = { diff --git a/home/firefly/values.yaml b/home/firefly/values.yaml index cc439205ff..08c63547bc 100644 --- a/home/firefly/values.yaml +++ b/home/firefly/values.yaml @@ -62,7 +62,7 @@ firefly-iii: image: repository: curlimages/curl pullPolicy: IfNotPresent - tag: 7.83.1 + tag: 7.84.0 imagePullSecrets: [] 
diff --git a/home/homeassistant/Chart.yaml b/home/homeassistant/Chart.yaml index 2aa651dcc8..72b3762705 100644 --- a/home/homeassistant/Chart.yaml +++ b/home/homeassistant/Chart.yaml @@ -3,5 +3,5 @@ name: homeassistant version: 0.0.0 dependencies: - name: home-assistant - version: 13.2.0 + version: 13.4.2 repository: https://k8s-at-home.com/charts/ diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index d62fb4ee21..16281f9f77 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -3,7 +3,7 @@ home-assistant: # -- image repository repository: homeassistant/home-assistant # -- image tag - tag: 2022.6.7 + tag: 2022.8.2 # -- image pull policy pullPolicy: IfNotPresent @@ -138,7 +138,7 @@ home-assistant: enabled: true image: repository: codercom/code-server - tag: 4.4.0 + tag: 4.5.1 workingDir: "/config" args: - --auth diff --git a/home/mariadb/Chart.yaml b/home/mariadb/Chart.yaml index 20143a92dd..7b96566dd6 100644 --- a/home/mariadb/Chart.yaml +++ b/home/mariadb/Chart.yaml @@ -3,5 +3,5 @@ name: mariadb version: 0.0.0 dependencies: - name: mariadb - version: 11.0.13 + version: 11.1.6 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/nextcloud/Chart.yaml b/home/nextcloud/Chart.yaml index 86592bb91b..381b89f53a 100644 --- a/home/nextcloud/Chart.yaml +++ b/home/nextcloud/Chart.yaml @@ -3,5 +3,5 @@ name: nextcloud version: 0.0.0 dependencies: - name: nextcloud - version: 3.0.0 + version: 3.0.4 repository: https://nextcloud.github.io/helm/ diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index 7506f20249..0a1c3e2148 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml @@ -5,7 +5,7 @@ nextcloud: ## image: repository: nextcloud - tag: 24.0.2-fpm-alpine + tag: 24.0.3-fpm-alpine pullPolicy: IfNotPresent # pullSecrets: # - myRegistrKeySecretName diff --git a/home/pihole/Chart.yaml b/home/pihole/Chart.yaml index 30a9f30306..2e9b9ee93a 100644 
--- a/home/pihole/Chart.yaml +++ b/home/pihole/Chart.yaml @@ -3,5 +3,5 @@ name: pihole version: 0.0.0 dependencies: - name: pihole - version: 2.9.0 + version: 2.9.1 repository: https://mojo2600.github.io/pihole-kubernetes/ \ No newline at end of file diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index 74a677e436..447bd9f4a5 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml @@ -19,7 +19,7 @@ pihole: # -- the repostory to pull the image from repository: "pihole/pihole" # -- the docker tag, if left empty it will get it from the chart's appVersion - tag: "2022.05" + tag: "2022.07" # -- the pull policy pullPolicy: IfNotPresent diff --git a/home/plex/Chart.yaml b/home/plex/Chart.yaml index 494486439f..18b9c3552c 100644 --- a/home/plex/Chart.yaml +++ b/home/plex/Chart.yaml @@ -3,5 +3,5 @@ name: plex version: 0.0.0 dependencies: - name: plex - version: 6.3.3 + version: 6.4.3 repository: https://k8s-at-home.com/charts/ diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml index 0c879a7f6e..d375fad139 100644 --- a/home/postgresql/Chart.yaml +++ b/home/postgresql/Chart.yaml @@ -3,5 +3,5 @@ name: postgresql version: 0.0.0 dependencies: - name: postgresql - version: 11.6.10 + version: 11.6.25 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/redis/Chart.yaml b/home/redis/Chart.yaml index e82e6e3bcb..f62e2d70bc 100644 --- a/home/redis/Chart.yaml +++ b/home/redis/Chart.yaml @@ -3,5 +3,5 @@ name: redis version: 0.0.0 dependencies: - name: redis - version: 16.13.0 + version: 16.13.2 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/platform/authentik/Chart.yaml b/platform/authentik/Chart.yaml index 59167afaa1..2681df1d8a 100644 --- a/platform/authentik/Chart.yaml +++ b/platform/authentik/Chart.yaml 
@@ -3,5 +3,5 @@ name: authentik version: 0.0.0 dependencies: - name: authentik - version: 2022.6.3 + version: 2022.7.3 repository: https://charts.goauthentik.io diff --git a/platform/dex/Chart.yaml b/platform/dex/Chart.yaml index 2246ff202d..ed7ac0e6e6 100644 --- a/platform/dex/Chart.yaml +++ b/platform/dex/Chart.yaml @@ -3,5 +3,5 @@ name: dex version: 0.39.1 dependencies: - name: security-apps - version: 0.51.0 + version: 0.54.0 repository: https://charts.adfinis.com diff --git a/platform/external-secrets/Chart.yaml b/platform/external-secrets/Chart.yaml index 96c4249b03..b73da88ef0 100644 --- a/platform/external-secrets/Chart.yaml +++ b/platform/external-secrets/Chart.yaml @@ -3,5 +3,5 @@ name: external-secrets version: 0.0.0 dependencies: - name: external-secrets - version: 0.5.7 + version: 0.5.9 repository: https://charts.external-secrets.io diff --git a/platform/gitea/files/config/go.mod b/platform/gitea/files/config/go.mod index 4e91d99a6e..ea70d854f6 100644 --- a/platform/gitea/files/config/go.mod +++ b/platform/gitea/files/config/go.mod @@ -1,6 +1,6 @@ module git.khuedoan.com/khuedoan/homelab/gitea/config -go 1.18 +go 1.19 require ( code.gitea.io/sdk/gitea v0.15.1 // indirect diff --git a/platform/vault/files/generate-secrets/go.mod b/platform/vault/files/generate-secrets/go.mod index d4c1a00dec..5dab317424 100644 --- a/platform/vault/files/generate-secrets/go.mod +++ b/platform/vault/files/generate-secrets/go.mod @@ -1,6 +1,6 @@ module git.khuedoan.com/khuedoan/homelab/vault/init -go 1.17 +go 1.19 require ( github.com/hashicorp/vault/api v1.7.2 
@@ -24,21 +24,21 @@ require ( github.com/hashicorp/go-retryablehttp v0.6.6 // indirect github.com/hashicorp/go-rootcerts v1.0.2 // indirect github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 // indirect - github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1 // indirect - github.com/hashicorp/go-secure-stdlib/strutil v0.1.1 // indirect + github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect + github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect github.com/hashicorp/go-sockaddr v1.0.2 // indirect github.com/hashicorp/go-uuid v1.0.2 // indirect github.com/hashicorp/go-version v1.2.0 // indirect github.com/hashicorp/golang-lru v0.5.4 // indirect github.com/hashicorp/hcl v1.0.0 // indirect - github.com/hashicorp/vault/sdk v0.4.1 // indirect + github.com/hashicorp/vault/sdk v0.5.1 // indirect github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb // indirect github.com/mattn/go-colorable v0.1.6 // indirect github.com/mattn/go-isatty v0.0.12 // indirect github.com/mitchellh/copystructure v1.0.0 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/mitchellh/go-testing-interface v1.0.0 // indirect - github.com/mitchellh/mapstructure v1.4.2 // indirect + github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/mitchellh/reflectwalk v1.0.0 // indirect github.com/oklog/run v1.0.0 // indirect github.com/pierrec/lz4 v2.5.2+incompatible // indirect diff --git a/platform/vault/files/generate-secrets/go.sum b/platform/vault/files/generate-secrets/go.sum index f2deb7f68b..c2528f808e 100644 --- a/platform/vault/files/generate-secrets/go.sum +++ b/platform/vault/files/generate-secrets/go.sum 
@@ -110,9 +110,13 @@ github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 h1:cCRo8gK7oq6A2L6LICkUZ+/a5r github.com/hashicorp/go-secure-stdlib/mlock v0.1.1/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1 h1:78ki3QBevHwYrVxnyVeaEz+7WtifHhauYF23es/0KlI= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/password v0.1.1/go.mod h1:9hH302QllNwu1o2TGYtSk8I8kTAN0ca1EHpwhm5Mmzo= github.com/hashicorp/go-secure-stdlib/strutil v0.1.1 h1:nd0HIW15E6FG1MsnArYaHfuw9C2zgzM8LxkG5Ty/788= github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U= +github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= +github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1/go.mod h1:l8slYwnJA26yBz+ErHpp2IRCLr0vuOMGBORIz4rRiAs= github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc= github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= 
@@ -130,8 +134,12 @@ github.com/hashicorp/vault/api v1.4.1 h1:mWLfPT0RhxBitjKr6swieCEP2v5pp/M//t70S3k github.com/hashicorp/vault/api v1.4.1/go.mod h1:LkMdrZnWNrFaQyYYazWVn7KshilfDidgVBq6YiTq/bM= github.com/hashicorp/vault/api v1.5.0 h1:Bp6yc2bn7CWkOrVIzFT/Qurzx528bdavF3nz590eu28= github.com/hashicorp/vault/api v1.5.0/go.mod h1:LkMdrZnWNrFaQyYYazWVn7KshilfDidgVBq6YiTq/bM= +github.com/hashicorp/vault/api v1.7.2 h1:kawHE7s/4xwrdKbkmwQi0wYaIeUhk5ueek7ljuezCVQ= +github.com/hashicorp/vault/api v1.7.2/go.mod h1:xbfA+1AvxFseDzxxdWaL0uO99n1+tndus4GCrtouy0M= github.com/hashicorp/vault/sdk v0.4.1 h1:3SaHOJY687jY1fnB61PtL0cOkKItphrbLmux7T92HBo= github.com/hashicorp/vault/sdk v0.4.1/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0= +github.com/hashicorp/vault/sdk v0.5.1 h1:zly/TmNgOXCGgWIRA8GojyXzG817POtVh3uzIwzZx+8= +github.com/hashicorp/vault/sdk v0.5.1/go.mod h1:DoGraE9kKGNcVgPmTuX357Fm6WAx1Okvde8Vp3dPDoU= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb h1:b5rjCoWHc7eqmAS4/qyk21ZsHyb6Mxv/jykxvNTkU4M= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= 
@@ -169,6 +177,8 @@ github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUb github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.4.2 h1:6h7AQ0yhTcIsmFmnAwQls75jp2Gzs4iB8W7pjMO+rqo= github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= +github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/reflectwalk v1.0.0 h1:9D+8oIskB4VJBN5SFlmc27fSlIBZaov1Wpk/IfikLNY= github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= diff --git a/system/cert-manager/Chart.yaml b/system/cert-manager/Chart.yaml index f51965d4b0..4b3e2f4158 100644 --- a/system/cert-manager/Chart.yaml +++ b/system/cert-manager/Chart.yaml @@ -3,5 +3,5 @@ name: cert-manager version: 0.0.0 dependencies: - name: cert-manager - version: v1.8.2 + version: v1.9.1 repository: https://charts.jetstack.io diff --git a/system/external-dns/Chart.yaml b/system/external-dns/Chart.yaml index fd2930d3c0..0de8d2cf3c 100644 --- a/system/external-dns/Chart.yaml +++ b/system/external-dns/Chart.yaml @@ -3,5 +3,5 @@ name: external-dns version: 0.0.0 dependencies: - name: external-dns - version: 1.9.0 + version: 1.10.1 repository: https://kubernetes-sigs.github.io/external-dns/ diff --git a/system/ingress-nginx/Chart.yaml b/system/ingress-nginx/Chart.yaml index 53c4049d90..385c0c1eb7 100644 --- a/system/ingress-nginx/Chart.yaml +++ b/system/ingress-nginx/Chart.yaml @@ -3,5 +3,5 @@ name: ingress-nginx version: 0.0.0 dependencies: - name: ingress-nginx - version: 4.1.4 + version: 4.2.0 repository: https://kubernetes.github.io/ingress-nginx 
diff --git a/system/metallb-system/Chart.yaml b/system/metallb-system/Chart.yaml index c3b22b2a96..1e560eccaf 100644 --- a/system/metallb-system/Chart.yaml +++ b/system/metallb-system/Chart.yaml @@ -3,5 +3,5 @@ name: metallb version: 0.0.0 dependencies: - name: metallb - version: 0.12.1 + version: 0.13.4 repository: https://metallb.github.io/metallb From 3d280afcd8522095c20899531adbd8f70f80ea3d Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 8 Aug 2022 21:29:03 +0200 Subject: [PATCH 269/334] Reset metallb --- system/metallb-system/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/metallb-system/Chart.yaml b/system/metallb-system/Chart.yaml index 1e560eccaf..c3b22b2a96 100644 --- a/system/metallb-system/Chart.yaml +++ b/system/metallb-system/Chart.yaml @@ -3,5 +3,5 @@ name: metallb version: 0.0.0 dependencies: - name: metallb - version: 0.13.4 + version: 0.12.1 repository: https://metallb.github.io/metallb From cd4e345a369cb7fae98f3b07caf5067a3d3eaac4 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 8 Aug 2022 21:57:28 +0000 Subject: [PATCH 270/334] chore(deps): update all non-major dependencies helm releases --- system/ingress-nginx/Chart.yaml | 2 +- system/metallb-system/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/system/ingress-nginx/Chart.yaml b/system/ingress-nginx/Chart.yaml index 385c0c1eb7..33e0c5d3bf 100644 --- a/system/ingress-nginx/Chart.yaml +++ b/system/ingress-nginx/Chart.yaml @@ -3,5 +3,5 @@ name: ingress-nginx version: 0.0.0 dependencies: - name: ingress-nginx - version: 4.2.0 + version: 4.2.1 repository: https://kubernetes.github.io/ingress-nginx diff --git a/system/metallb-system/Chart.yaml b/system/metallb-system/Chart.yaml index c3b22b2a96..1e560eccaf 100644 --- a/system/metallb-system/Chart.yaml +++ b/system/metallb-system/Chart.yaml 
@@ -3,5 +3,5 @@ name: metallb version: 0.0.0 dependencies: - name: metallb - version: 0.12.1 + version: 0.13.4 repository: https://metallb.github.io/metallb From ca4ada2e2d1d32ab0bdcdb7f8a8a77a13a5c000b Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 9 Aug 2022 08:16:33 +0200 Subject: [PATCH 271/334] Upgrade MetalLB to use CRD's in favor of ConfigMaps This reverts commit 3d280afcd8522095c20899531adbd8f70f80ea3d. --- metal/roles/metallb_config/tasks/main.yml | 4 ++-- .../templates/configmap.yaml.j2 | 12 ---------- .../metallb_config/templates/crds.yaml.j2 | 22 +++++++++++++++++++ system/metallb-system/Chart.yaml | 2 +- 4 files changed, 25 insertions(+), 15 deletions(-) delete mode 100644 metal/roles/metallb_config/templates/configmap.yaml.j2 create mode 100644 metal/roles/metallb_config/templates/crds.yaml.j2 diff --git a/metal/roles/metallb_config/tasks/main.yml b/metal/roles/metallb_config/tasks/main.yml index 8b3f37279b..7060b06e42 100644 --- a/metal/roles/metallb_config/tasks/main.yml +++ b/metal/roles/metallb_config/tasks/main.yml @@ -5,6 +5,6 @@ name: "{{ metallb_namespace }}" state: present -- name: Create MetalLB config base on network info +- name: Create MetalLB crds for network info kubernetes.core.k8s: - definition: "{{ lookup('template', 'configmap.yaml.j2') | from_yaml }}" + definition: "{{ lookup('template', 'crds.yaml.j2') | from_yaml }}" diff --git a/metal/roles/metallb_config/templates/configmap.yaml.j2 b/metal/roles/metallb_config/templates/configmap.yaml.j2 deleted file mode 100644 index 7aa186c5c7..0000000000 --- a/metal/roles/metallb_config/templates/configmap.yaml.j2 +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: metallb-config - namespace: {{ metallb_namespace }} -data: - config: | - address-pools: - - name: default - protocol: layer2 - addresses: - - {{ metallb_addresses }} 
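Review bot: Piping the new template through `from_yaml` will not work as intended: crds.yaml.j2 is a multi-document stream (an IPAddressPool and an L2Advertisement separated by `---`), and the `from_yaml` filter parses a single document, so the task should either fail with an "expected a single document" error or, at best, apply only the first resource. Parse all documents and hand the module a list, e.g. `definition: "{{ lookup('template', 'crds.yaml.j2') | from_yaml_all | list }}"`, which `kubernetes.core.k8s` accepts, or use the module's own `template: crds.yaml.j2` parameter and drop the lookup altogether. The deleted configmap.yaml.j2 was a single document, which is why the old lookup worked. The task list may continue outside this hunk.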
diff --git a/metal/roles/metallb_config/templates/crds.yaml.j2 b/metal/roles/metallb_config/templates/crds.yaml.j2 new file mode 100644 index 0000000000..0ff6341df7 --- /dev/null +++ b/metal/roles/metallb_config/templates/crds.yaml.j2 @@ -0,0 +1,22 @@ +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + creationTimestamp: null + name: default + namespace: {{ metallb_namespace }} +spec: + addresses: + - {{ metallb_addresses }} +status: {} +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + creationTimestamp: null + name: l2advertisement1 + namespace: {{ metallb_namespace }} +spec: + ipAddressPools: + - default +status: {} +--- \ No newline at end of file diff --git a/system/metallb-system/Chart.yaml b/system/metallb-system/Chart.yaml index 1e560eccaf..f84efcd214 100644 --- a/system/metallb-system/Chart.yaml +++ b/system/metallb-system/Chart.yaml @@ -4,4 +4,4 @@ version: 0.0.0 dependencies: - name: metallb version: 0.13.4 - repository: https://metallb.github.io/metallb + repository: https://charts.bitnami.com/bitnami From c4f58d65b90a05facecfa41966c32a27097e8bf2 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 9 Aug 2022 08:22:49 +0200 Subject: [PATCH 272/334] MetalLB chart version bumb --- system/metallb-system/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/metallb-system/Chart.yaml b/system/metallb-system/Chart.yaml index f84efcd214..b1b46295a6 100644 --- a/system/metallb-system/Chart.yaml +++ b/system/metallb-system/Chart.yaml @@ -3,5 +3,5 @@ name: metallb version: 0.0.0 dependencies: - name: metallb - version: 0.13.4 + version: 4.0.1 repository: https://charts.bitnami.com/bitnami From 702f6009127eea6c403f35ed07e99d316f98f966 Mon Sep 17 00:00:00 2001 
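Review bot: The template ends with a bare `---` separator (and no trailing newline), which a multi-document parser turns into a third, empty document (`null`); the k8s module will most likely reject a null definition, so drop the trailing `---`. `creationTimestamp: null` and `status: {}` on both resources are `kubectl`-export residue and should be removed: the API server owns those fields, and a `status` stanza in a desired-state manifest only adds noise. `{{ metallb_addresses }}` is rendered as a single unquoted list entry, so the inventory value must be one CIDR or one `a-b` range; if it can ever hold several, iterate over them instead of relying on the string being valid YAML. The L2Advertisement references the pool `default` by name, which matches the IPAddressPool above.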
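Review bot: Changing `repository` from metallb.github.io to charts.bitnami.com swaps the chart publisher, and with it the container images that get pulled and the values schema, while `version: 0.13.4` is kept from the upstream chart's numbering rather than Bitnami's (the following commit moves it to 4.0.1). Treat this as a supply-chain change rather than a bump: review the chart's values file (not in this diff) for keys that no longer apply under the Bitnami chart, and, if `Chart.lock` files are tracked in this repo, commit the regenerated lock so the dependency is pinned by digest to what was actually reviewed.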
From: Peter Mein Date: Tue, 9 Aug 2022 09:40:29 +0200 Subject: [PATCH 273/334] Moved private bin to k8s-at-home --- apps/privatebin/Chart.yaml | 4 +- apps/privatebin/values.yaml | 123 ++++++++++++++++++++++++++++++++---- platform/trow/values.yaml | 5 ++ 3 files changed, 119 insertions(+), 13 deletions(-) diff --git a/apps/privatebin/Chart.yaml b/apps/privatebin/Chart.yaml index 858ec0d69b..be2e2818e7 100644 --- a/apps/privatebin/Chart.yaml +++ b/apps/privatebin/Chart.yaml @@ -3,5 +3,5 @@ name: privatebin version: 0.0.0 dependencies: - name: privatebin - version: 0.15.0 - repository: https://privatebin.github.io/helm-chart + version: 2.1.2 + repository: https://k8s-at-home.com/charts/ diff --git a/apps/privatebin/values.yaml b/apps/privatebin/values.yaml index c2c98d5583..eee92ea8ca 100644 --- a/apps/privatebin/values.yaml +++ b/apps/privatebin/values.yaml 
@@ -1,14 +1,115 @@ privatebin: + # IMPORTANT NOTE + # + # This chart inherits from our common library chart. You can check the default values/options here: + # https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml + # + + image: + # -- image repository + repository: privatebin/pdo + # -- image tag + tag: 1.3.5 + # -- image pull policy + pullPolicy: IfNotPresent + + # -- environment variables. See [image docs](https://docs.kanboard.org/en/latest/admin_guide/docker.html#environment-variables) + # and [application docs](# https://docs.kanboard.org/en/latest/admin_guide/config_file.html) for more details. + # @default -- See below (only deviations from the default settings are specified) + env: + # -- container timezone + TZ: Europe/Amsterdam + # -- PHP timezone (usually should match the containers TZ) + PHP_TZ: Europe/Amsterdam + + # -- Configures service settings for the chart. + # @default -- See values.yaml + service: + main: + ports: + http: + port: 8080 + ingress: - enabled: true - className: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/exclude: 'true' - hosts: - - host: &host privatebin.jupiter.mein.nl - path: / - tls: - - secretName: privatebin-tls-certificate + # -- Enable and configure ingress settings for the chart under this key. + # @default -- See values.yaml + ingress: + main: + enabled: true + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hajimari.io/appName: Privatebin + hajimari.io/icon: bin hosts: - - *host \ No newline at end of file + - host: &host privatebin.jupiter.mein.nl + paths: + - path: / + pathType: Prefix + tls: + - secretName: privatebin-tls-certificate + hosts: + - *host + + # -- Configure persistence settings for the chart under this key. 
+ # @default -- See values.yaml + persistence: + data: + enabled: false + mountPath: /srv/data + + # -- Enable and configure postgresql database subchart under this key. + # For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) + # @default -- See values.yaml + postgresql: + enabled: false + postgresqlUsername: privatebin + postgresqlPassword: privatebin + postgresqlDatabase: privatebin + persistence: + enabled: false + # storageClass: "" + + # -- Application Settings. See https://github.com/PrivateBin/PrivateBin/blob/master/cfg/conf.sample.php + # for a description of every setting + # @default -- See values.yaml + config: + main: + name: "PrivateBin" + # discussion: true + # opendiscussion: false + # password: true + # fileupload: false + # burnafterreadingselected: false + # defaultformatter: "plaintext" + # syntaxhighlightingtheme: "sons-of-obsidian" + # sizelimit: 10485760 + # template: "bootstrap" + # info: "More information on the project page." + # notice: "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service." + # languageselection: false + # languagedefault: "en" + # urlshortener: "https://shortener.example.com/api?link=" + # qrcode: false + # icon: "none" + # zerobincompatibility: false + # httpwarning: true + # compression: "zlib" + expire: + default: "1week" + expire_options: + 5min: 300 + 10min: 600 + 1hour: 3600 + 1day: 86400 + 1week: 604800 + 1month: 2592000 + 1year: 31536000 + never: 0 + formatter_options: + plaintext: "Plain Text" + syntaxhighlighting: "Source Code" + markdown: "Markdown" + traffic: + limit: 10 + # exemptedIp: "1.2.3.4,10.10.10/24" diff --git a/platform/trow/values.yaml b/platform/trow/values.yaml index 399fa26474..becb1efbf2 100644 --- a/platform/trow/values.yaml +++ b/platform/trow/values.yaml 
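Review bot: The rewritten ingress drops the `external-dns.alpha.kubernetes.io/exclude: 'true'` annotation the removed block carried, so if external-dns is publishing Ingress hosts (the repo ships a system/external-dns chart) privatebin.jupiter.mein.nl may now get a public DNS record that the previous configuration deliberately withheld; re-add it under `ingress.main.annotations` unless the exposure is intended. The comments on `env` point at kanboard documentation (`docs.kanboard.org`), evidently copied from another chart; replace them with a PrivateBin reference, e.g. `# See https://github.com/PrivateBin/docker-nginx-fpm-alpine#environment-variables`. The `postgresql` stanza is disabled but still commits a literal `postgresqlPassword: privatebin`; if it is ever enabled, point it at an existing Secret instead of a checked-in password. This hunk starts at the top of the file and closes the `privatebin:` map.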
@@ -13,11 +13,13 @@ trow: disallowLocalImages: [] proxyDockerHub: false + ingress: enabled: false # TODO https://github.com/ContainerSolutions/trow/issues/282 annotations: cert-manager.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/proxy-body-size: '0' + hajimari.io/enable: 'false' hosts: - host: &host registry.jupiter.mein.nl paths: @@ -28,3 +30,6 @@ trow: - *host volumeClaim: storageClassName: longhorn + + service: + port: 8085 From 0c18dd0c01495629d1f26fa69285de989d79b17b Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 9 Aug 2022 09:51:48 +0200 Subject: [PATCH 274/334] Hajimari icon add --- apps/hajimari/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/hajimari/values.yaml b/apps/hajimari/values.yaml index 641de126c7..000f32b201 100644 --- a/apps/hajimari/values.yaml +++ b/apps/hajimari/values.yaml @@ -29,7 +29,7 @@ hajimari: - name: Documentation url: https://homelab.jupiter.mein.nl - name: Public GitHub repository - url: https://github.com/khuedoan/homelab + url: https://github.com/infratron/homelab - name: Managed services links: - name: Terraform Cloud From 5f2e826eae7b08b7b5441efb75279010a9e2ec4a Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 12 Aug 2022 23:06:10 +0000 Subject: [PATCH 275/334] chore(deps): update all non-major dependencies docker tags --- .tekton/tasks/external.yaml | 2 +- .tekton/tasks/lint.yaml | 2 +- apps/privatebin/values.yaml | 2 +- apps/seafile/values.yaml | 2 +- bootstrap/argocd/Chart.yaml | 2 +- external/modules/cloudflare/versions.tf | 2 +- external/versions.tf | 2 +- home/homeassistant/values.yaml | 4 ++-- home/mariadb/Chart.yaml | 2 +- home/nextcloud/values.yaml | 2 +- home/postgresql/Chart.yaml | 2 +- home/postgresql/values.yaml | 2 +- metal/roles/pxe_server/files/dnsmasq/Dockerfile | 2 +- platform/dex/Chart.yaml | 2 +- platform/vault/Chart.yaml | 2 +- system/external-dns/Chart.yaml | 2 +- system/longhorn-system/Chart.yaml | 2 +- system/metallb-system/Chart.yaml | 2 +- test/go.mod | 4 ++-- test/go.sum | 2 ++ 20 files changed, 23 insertions(+), 21 deletions(-) diff --git a/.tekton/tasks/external.yaml b/.tekton/tasks/external.yaml index f39fe1c31a..5e85260a53 100644 --- a/.tekton/tasks/external.yaml +++ b/.tekton/tasks/external.yaml @@ -6,7 +6,7 @@ spec: workspaces: - name: source stepTemplate: - image: hashicorp/terraform:1.2.6 + image: hashicorp/terraform:1.2.7 workingDir: /workspace/source/external volumeMounts: - name: terraform-secrets diff --git a/.tekton/tasks/lint.yaml b/.tekton/tasks/lint.yaml index 5935580cba..7cd7e70f95 100644 --- a/.tekton/tasks/lint.yaml +++ b/.tekton/tasks/lint.yaml @@ -20,7 +20,7 @@ spec: args: - . - name: terraform - image: hashicorp/terraform:1.2.6 + image: hashicorp/terraform:1.2.7 command: - terraform args: diff --git a/apps/privatebin/values.yaml b/apps/privatebin/values.yaml index eee92ea8ca..5d0db0446c 100644 --- a/apps/privatebin/values.yaml +++ b/apps/privatebin/values.yaml @@ -9,7 +9,7 @@ privatebin: # -- image repository repository: privatebin/pdo # -- image tag - tag: 1.3.5 + tag: 1.4.0 # -- image pull policy pullPolicy: IfNotPresent 
diff --git a/apps/seafile/values.yaml b/apps/seafile/values.yaml index 2366c5dfc3..1d99103555 100644 --- a/apps/seafile/values.yaml +++ b/apps/seafile/values.yaml @@ -4,7 +4,7 @@ seafile: # -- image repository repository: seafileltd/seafile-mc # -- image tag - tag: 9.0.6 + tag: 9.0.7 # -- image pull policy pullPolicy: IfNotPresent diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml index 296eedf022..9059331bee 100644 --- a/bootstrap/argocd/Chart.yaml +++ b/bootstrap/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argocd version: 0.0.0 dependencies: - name: argo-cd - version: 4.10.5 + version: 4.10.6 repository: https://argoproj.github.io/argo-helm diff --git a/external/modules/cloudflare/versions.tf b/external/modules/cloudflare/versions.tf index c411f267bc..b00bce53f0 100644 --- a/external/modules/cloudflare/versions.tf +++ b/external/modules/cloudflare/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 3.20.0" + version = "~> 3.21.0" } kubernetes = { diff --git a/external/versions.tf b/external/versions.tf index 77482510e0..fc7c43fe3e 100644 --- a/external/versions.tf +++ b/external/versions.tf @@ -8,7 +8,7 @@ terraform { required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 3.20.0" + version = "~> 3.21.0" } b2 = { diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 16281f9f77..43d8706298 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -3,7 +3,7 @@ home-assistant: # -- image repository repository: homeassistant/home-assistant # -- image tag - tag: 2022.8.2 + tag: 2022.8.3 # -- image pull policy pullPolicy: IfNotPresent @@ -90,7 +90,7 @@ home-assistant: enabled: false image: repository: bitnami/postgresql - tag: 14.4.0 + tag: 14.5.0 postgresqlUsername: home-assistant postgresqlPassword: home-assistant-pass postgresqlDatabase: home-assistant 
diff --git a/home/mariadb/Chart.yaml b/home/mariadb/Chart.yaml index 7b96566dd6..d0db364d13 100644 --- a/home/mariadb/Chart.yaml +++ b/home/mariadb/Chart.yaml @@ -3,5 +3,5 @@ name: mariadb version: 0.0.0 dependencies: - name: mariadb - version: 11.1.6 + version: 11.1.7 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index 0a1c3e2148..b9e59463de 100644 --- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml @@ -5,7 +5,7 @@ nextcloud: ## image: repository: nextcloud - tag: 24.0.3-fpm-alpine + tag: 24.0.4-fpm-alpine pullPolicy: IfNotPresent # pullSecrets: # - myRegistrKeySecretName diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml index d375fad139..d9f0457d54 100644 --- a/home/postgresql/Chart.yaml +++ b/home/postgresql/Chart.yaml @@ -3,5 +3,5 @@ name: postgresql version: 0.0.0 dependencies: - name: postgresql - version: 11.6.25 + version: 11.7.1 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/home/postgresql/values.yaml b/home/postgresql/values.yaml index 66c42d26f9..a56a99419b 100644 --- a/home/postgresql/values.yaml +++ b/home/postgresql/values.yaml @@ -1326,6 +1326,6 @@ postgresql: postgresql: image: repository: bitnami/postgresql - tag: 14.4.0 + tag: 14.5.0 auth: existingSecret: \ No newline at end of file diff --git a/metal/roles/pxe_server/files/dnsmasq/Dockerfile b/metal/roles/pxe_server/files/dnsmasq/Dockerfile index 21ad9b62a2..9196141879 100644 --- a/metal/roles/pxe_server/files/dnsmasq/Dockerfile +++ b/metal/roles/pxe_server/files/dnsmasq/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.11 +FROM alpine:3.16 RUN apk --no-cache add dnsmasq diff --git a/platform/dex/Chart.yaml b/platform/dex/Chart.yaml index c30c4b35c2..20bc014986 100644 --- a/platform/dex/Chart.yaml +++ b/platform/dex/Chart.yaml 
@@ -3,5 +3,5 @@ name: dex version: 0.0.0 dependencies: - name: dex - version: 0.8.2 + version: 0.9.0 repository: https://charts.dexidp.io diff --git a/platform/vault/Chart.yaml b/platform/vault/Chart.yaml index f33c82f68c..2d73bb862a 100644 --- a/platform/vault/Chart.yaml +++ b/platform/vault/Chart.yaml @@ -3,5 +3,5 @@ name: vault version: 0.0.0 dependencies: - name: vault-operator - version: 1.15.6 + version: 1.15.8 repository: https://kubernetes-charts.banzaicloud.com diff --git a/system/external-dns/Chart.yaml b/system/external-dns/Chart.yaml index 0de8d2cf3c..09b460be76 100644 --- a/system/external-dns/Chart.yaml +++ b/system/external-dns/Chart.yaml @@ -3,5 +3,5 @@ name: external-dns version: 0.0.0 dependencies: - name: external-dns - version: 1.10.1 + version: 1.11.0 repository: https://kubernetes-sigs.github.io/external-dns/ diff --git a/system/longhorn-system/Chart.yaml b/system/longhorn-system/Chart.yaml index d29698e5fa..aa6b7887bc 100644 --- a/system/longhorn-system/Chart.yaml +++ b/system/longhorn-system/Chart.yaml @@ -3,5 +3,5 @@ name: longhorn version: 0.0.0 dependencies: - name: longhorn - version: 1.3.0 + version: 1.3.1 repository: https://charts.longhorn.io diff --git a/system/metallb-system/Chart.yaml b/system/metallb-system/Chart.yaml index b1b46295a6..ea04ce1a1f 100644 --- a/system/metallb-system/Chart.yaml +++ b/system/metallb-system/Chart.yaml @@ -3,5 +3,5 @@ name: metallb version: 0.0.0 dependencies: - name: metallb - version: 4.0.1 + version: 4.0.2 repository: https://charts.bitnami.com/bitnami diff --git a/test/go.mod b/test/go.mod index 1708da26f8..e901200943 100644 --- a/test/go.mod +++ b/test/go.mod @@ -1,8 +1,8 @@ module git.khuedoan.com/ops/homelab -go 1.18 +go 1.19 -require github.com/gruntwork-io/terratest v0.40.18 +require github.com/gruntwork-io/terratest v0.40.19 require ( cloud.google.com/go v0.83.0 // indirect diff --git a/test/go.sum b/test/go.sum index 5e3dea6cd2..b486764d85 100644 --- a/test/go.sum +++ b/test/go.sum 
@@ -216,6 +216,8 @@ github.com/gruntwork-io/go-commons v0.8.0 h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRa github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78= github.com/gruntwork-io/terratest v0.40.18 h1:xuFaHOf/7kwc5cQN+6FfbmKglneBKesZxPHgISgkUlc= github.com/gruntwork-io/terratest v0.40.18/go.mod h1:JGeIGgLbxbG9/Oqm06z6YXVr76CfomdmLkV564qov+8= +github.com/gruntwork-io/terratest v0.40.19 h1:slnTF0Amrc9yRVUV/X/fHlVWKNF0H8fwa2OLyeV2IOA= +github.com/gruntwork-io/terratest v0.40.19/go.mod h1:JGeIGgLbxbG9/Oqm06z6YXVr76CfomdmLkV564qov+8= github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= From 25da267cabd529d4c1a63be27a59afbb08ef38b9 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 14 Aug 2022 09:23:15 +0200 Subject: [PATCH 276/334] Added traefik as secondary ingress --- system/ingress-traefik/Chart.yaml | 7 + system/ingress-traefik/values.yaml | 526 +++++++++++++++++++++++++++++ 2 files changed, 533 insertions(+) create mode 100644 system/ingress-traefik/Chart.yaml create mode 100644 system/ingress-traefik/values.yaml diff --git a/system/ingress-traefik/Chart.yaml b/system/ingress-traefik/Chart.yaml new file mode 100644 index 0000000000..e688b90e5b --- /dev/null +++ b/system/ingress-traefik/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: ingress-traefik +version: 0.0.0 +dependencies: + - name: traefik + version: 10.24.0 + repository: https://helm.traefik.io/traefik diff --git a/system/ingress-traefik/values.yaml b/system/ingress-traefik/values.yaml new file mode 100644 index 0000000000..ffd67f1395 --- /dev/null +++ b/system/ingress-traefik/values.yaml 
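Review bot: The dependency is declared as `name: traefik` with no `alias`, but the values.yaml added in the same commit nests everything under `ingress-traefik:`; Helm passes subchart values by dependency name (or alias), so as written none of those values reach the chart and Traefik deploys with upstream defaults. Either add `alias: ingress-traefik` under the dependency entry, or key the values under `traefik:` as the other charts in this repo do (`privatebin:`, `trow:`). Once the values do apply, note that they set `ingressRoute.dashboard.enabled: true`, which exposes the Traefik dashboard and API on the internal `traefik` entrypoint with no authentication middleware; whether that entrypoint is reachable depends on the `ports.traefik.expose` setting further down the values file, outside this view, so keep the dashboard disabled or front it with auth before exposing that port. `tag: ""` lets the image float with the chart's appVersion, consistent with the other charts here but worth pinning for a second ingress controller.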
@@ -0,0 +1,526 @@
+ingress-traefik:
+ # Default values for Traefik
+ image:
+ name: traefik
+ # defaults to appVersion
+ tag: ""
+ pullPolicy: IfNotPresent
+
+ #
+ # Configure the deployment
+ #
+ deployment:
+ enabled: true
+ # Can be either Deployment or DaemonSet
+ kind: Deployment
+ # Number of pods of the deployment (only applies when kind == Deployment)
+ replicas: 1
+ # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)
+ # revisionHistoryLimit: 1
+ # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down
+ terminationGracePeriodSeconds: 60
+ # The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available
+ minReadySeconds: 0
+ # Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
+ annotations: {}
+ # Additional deployment labels (e.g. for filtering deployment by custom labels)
+ labels: {}
+ # Additional pod annotations (e.g. for mesh injection or prometheus scraping)
+ podAnnotations: {}
+ # Additional Pod labels (e.g. for filtering Pod by custom labels)
+ podLabels: {}
+ # Additional containers (e.g. for metric offloading sidecars)
+ additionalContainers: []
+ # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
+ # - name: socat-proxy
+ # image: alpine/socat:1.0.5
+ # args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
+ # volumeMounts:
+ # - name: dsdsocket
+ # mountPath: /socket
+ # Additional volumes available for use with initContainers and additionalContainers
+ additionalVolumes: []
+ # - name: dsdsocket
+ # hostPath:
+ # path: /var/run/statsd-exporter
+ # Additional initContainers (e.g. for setting file permission as shown below)
+ initContainers: []
+ # The "volume-permissions" init container is required if you run into permission issues.
+ # Related issue: https://github.com/traefik/traefik/issues/6972
+ # - name: volume-permissions
+ # image: busybox:1.31.1
+ # command: ["sh", "-c", "chmod -Rv 600 /data/*"]
+ # volumeMounts:
+ # - name: data
+ # mountPath: /data
+ # Use process namespace sharing
+ shareProcessNamespace: false
+ # Custom pod DNS policy. Apply if `hostNetwork: true`
+ # dnsPolicy: ClusterFirstWithHostNet
+ # Additional imagePullSecrets
+ imagePullSecrets: []
+ # - name: myRegistryKeySecretName
+
+ # Pod disruption budget
+ podDisruptionBudget:
+ enabled: false
+ # maxUnavailable: 1
+ # maxUnavailable: 33%
+ # minAvailable: 0
+ # minAvailable: 25%
+
+ # Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
+ ingressClass:
+ # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
+ enabled: false
+ isDefaultClass: false
+ # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
+ fallbackApiVersion: ""
+
+ # Activate Pilot integration
+ pilot:
+ enabled: false
+ token: ""
+ # Toggle Pilot Dashboard
+ # dashboard: false
+
+ # Enable experimental features
+ experimental:
+ http3:
+ enabled: false
+ plugins:
+ enabled: false
+ kubernetesGateway:
+ enabled: false
+ # certificate:
+ # group: "core"
+ # kind: "Secret"
+ # name: "mysecret"
+ # By default, Gateway would be created to the Namespace you are deploying Traefik to.
+ # You may create that Gateway in another namespace, setting its name below:
+ # namespace: default
+
+ # Create an IngressRoute for the dashboard
+ ingressRoute:
+ dashboard:
+ enabled: true
+ # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
+ annotations: {}
+ # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
+ labels: {}
+
+ rollingUpdate:
+ maxUnavailable: 1
+ maxSurge: 1
+
+ # Customize liveness and readiness probe values.
+ readinessProbe:
+ failureThreshold: 1
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 2
+
+ livenessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 2
+
+ #
+ # Configure providers
+ #
+ providers:
+ kubernetesCRD:
+ enabled: true
+ allowCrossNamespace: false
+ allowExternalNameServices: false
+ allowEmptyServices: false
+ # ingressClass: traefik-internal
+ # labelSelector: environment=production,method=traefik
+ namespaces: []
+ # - "default"
+
+ kubernetesIngress:
+ enabled: true
+ allowExternalNameServices: false
+ allowEmptyServices: false
+ # ingressClass: traefik-internal
+ # labelSelector: environment=production,method=traefik
+ namespaces: []
+ # - "default"
+ # IP used for Kubernetes Ingress endpoints
+ publishedService:
+ enabled: false
+ # Published Kubernetes Service to copy status from. Format: namespace/servicename
+ # By default this Traefik service
+ # pathOverride: ""
+
+ #
+ # Add volumes to the traefik pod. The volume name will be passed to tpl.
+ # This can be used to mount a cert pair or a configmap that holds a config.toml file.
+ # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
+ # additionalArguments:
+ # - "--providers.file.filename=/config/dynamic.toml"
+ # - "--ping"
+ # - "--ping.entrypoint=web"
+ volumes: []
+ # - name: public-cert
+ # mountPath: "/certs"
+ # type: secret
+ # - name: '{{ printf "%s-configs" .Release.Name }}'
+ # mountPath: "/config"
+ # type: configMap
+
+ # Additional volumeMounts to add to the Traefik container
+ additionalVolumeMounts: []
+ # For instance when using a logshipper for access logs
+ # - name: traefik-logs
+ # mountPath: /var/log/traefik
+
+ # Logs
+ # https://docs.traefik.io/observability/logs/
+ logs:
+ # Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
+ general:
+ # By default, the logs use a text format (common), but you can
+ # also ask for the json format in the format option
+ # format: json
+ # By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
+ level: ERROR
+ access:
+ # To enable access logs
+ enabled: false
+ # By default, logs are written using the Common Log Format (CLF).
+ # To write logs in JSON, use json in the format option.
+ # If the given format is unsupported, the default (CLF) is used instead.
+ # format: json
+ # To write the logs in an asynchronous fashion, specify a bufferingSize option.
+ # This option represents the number of log lines Traefik will keep in memory before writing
+ # them to the selected output. In some cases, this option can greatly help performances.
+ # bufferingSize: 100
+ # Filtering https://docs.traefik.io/observability/access-logs/#filtering
+ filters: {}
+ # statuscodes: "200,300-302"
+ # retryattempts: true
+ # minduration: 10ms
+ # Fields
+ # https://docs.traefik.io/observability/access-logs/#limiting-the-fieldsincluding-headers
+ fields:
+ general:
+ defaultmode: keep
+ names: {}
+ # Examples:
+ # ClientUsername: drop
+ headers:
+ defaultmode: drop
+ names: {}
+ # Examples:
+ # User-Agent: redact
+ # Authorization: drop
+ # Content-Type: keep
+
+ metrics:
+ # datadog:
+ # address: 127.0.0.1:8125
+ # influxdb:
+ # address: localhost:8089
+ # protocol: udp
+ prometheus:
+ entryPoint: metrics
+ # addRoutersLabels: true
+ # statsd:
+ # address: localhost:8125
+
+ tracing: {}
+ # instana:
+ # enabled: true
+ # datadog:
+ # localAgentHostPort: 127.0.0.1:8126
+ # debug: false
+ # globalTag: ""
+ # prioritySampling: false
+
+ globalArguments:
+ - "--global.checknewversion"
+ - "--global.sendanonymoususage"
+
+ #
+ # Configure Traefik static configuration
+ # Additional arguments to be passed at Traefik's binary
+ # All available options available on https://docs.traefik.io/reference/static-configuration/cli/
+ ## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
+ additionalArguments: []
+ # - "--providers.kubernetesingress.ingressclass=traefik-internal"
+ # - "--log.level=DEBUG"
+
+ # Environment variables to be passed to Traefik's binary
+ env: []
+ # - name: SOME_VAR
+ # value: some-var-value
+ # - name: SOME_VAR_FROM_CONFIG_MAP
+ # valueFrom:
+ # configMapRef:
+ # name: configmap-name
+ # key: config-key
+ # - name: SOME_SECRET
+ # valueFrom:
+ # secretKeyRef:
+ # name: secret-name
+ # key: secret-key
+
+ envFrom: []
+ # - configMapRef:
+ # name: config-map-name
+ # - secretRef:
+ # name: secret-name
+
+ # Configure ports
+ ports:
+ # The name of this one can't be changed as it is used for the readiness and
+ # liveness probes, but you can adjust its config to your liking
+ traefik:
+ port: 9000
+ # Use hostPort if set.
+ # hostPort: 9000
+ #
+ # Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which
+ # means it's listening on all your interfaces and all your IPs. You may want
+ # to set this value if you need traefik to listen on specific interface
+ # only.
+ # hostIP: 192.168.100.10
+
+ # Override the liveness/readiness port. This is useful to integrate traefik
+ # with an external Load Balancer that performs healthchecks.
+ # healthchecksPort: 9000
+
+ # Defines whether the port is exposed if service.type is LoadBalancer or
+ # NodePort.
+ #
+ # You SHOULD NOT expose the traefik port on production deployments.
+ # If you want to access it from outside of your cluster,
+ # use `kubectl port-forward` or create a secure ingress
+ expose: false
+ # The exposed port for this service
+ exposedPort: 9000
+ # The port protocol (TCP/UDP)
+ protocol: TCP
+ web:
+ port: 8000
+ # hostPort: 8000
+ expose: true
+ exposedPort: 80
+ # The port protocol (TCP/UDP)
+ protocol: TCP
+ # Use nodeport if set. This is useful if you have configured Traefik in a
+ # LoadBalancer
+ # nodePort: 32080
+ # Port Redirections
+ # Added in 2.2, you can make permanent redirects via entrypoints.
+ # https://docs.traefik.io/routing/entrypoints/#redirection
+ # redirectTo: websecure
+ websecure:
+ port: 8443
+ # hostPort: 8443
+ expose: true
+ exposedPort: 443
+ # The port protocol (TCP/UDP)
+ protocol: TCP
+ # nodePort: 32443
+ # Enable HTTP/3.
+ # Requires enabling experimental http3 feature and tls.
+ # Note that you cannot have a UDP entrypoint with the same port.
+ # http3: true
+ # Set TLS at the entrypoint
+ # https://doc.traefik.io/traefik/routing/entrypoints/#tls
+ tls:
+ enabled: false
+ # this is the name of a TLSOption definition
+ options: ""
+ certResolver: ""
+ domains: []
+ # - main: example.com
+ # sans:
+ # - foo.example.com
+ # - bar.example.com
+ metrics:
+ port: 9100
+ # hostPort: 9100
+ # Defines whether the port is exposed if service.type is LoadBalancer or
+ # NodePort.
+ #
+ # You may not want to expose the metrics port on production deployments.
+ # If you want to access it from outside of your cluster,
+ # use `kubectl port-forward` or create a secure ingress
+ expose: false
+ # The exposed port for this service
+ exposedPort: 9100
+ # The port protocol (TCP/UDP)
+ protocol: TCP
+
+ # TLS Options are created as TLSOption CRDs
+ # https://doc.traefik.io/traefik/https/tls/#tls-options
+ # Example:
+ # tlsOptions:
+ # default:
+ # sniStrict: true
+ # preferServerCipherSuites: true
+ # foobar:
+ # curvePreferences:
+ # - CurveP521
+ # - CurveP384
+ tlsOptions: {}
+
+ # Options for the main traefik service, where the entrypoints traffic comes
+ # from.
+ service:
+ enabled: true
+ type: LoadBalancer
+ # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config)
+ annotations: {}
+ # Additional annotations for TCP service only
+ annotationsTCP: {}
+ # Additional annotations for UDP service only
+ annotationsUDP: {}
+ # Additional service labels (e.g. for filtering Service by custom labels)
+ labels: {}
+ # Additional entries here will be added to the service spec.
+ # Cannot contain type, selector or ports entries.
+ spec: {}
+ # externalTrafficPolicy: Cluster
+ # loadBalancerIP: "1.2.3.4"
+ # clusterIP: "2.3.4.5"
+ loadBalancerSourceRanges: []
+ # - 192.168.0.1/32
+ # - 172.16.0.0/16
+ externalIPs: []
+ # - 1.2.3.4
+ # One of SingleStack, PreferDualStack, or RequireDualStack.
+ # ipFamilyPolicy: SingleStack
+ # List of IP families (e.g. IPv4 and/or IPv6).
+ # ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+ # ipFamilies:
+ # - IPv4
+ # - IPv6
+
+ ## Create HorizontalPodAutoscaler object.
+ ##
+ autoscaling:
+ enabled: false
+ # minReplicas: 1
+ # maxReplicas: 10
+ # metrics:
+ # - type: Resource
+ # resource:
+ # name: cpu
+ # targetAverageUtilization: 60
+ # - type: Resource
+ # resource:
+ # name: memory
+ # targetAverageUtilization: 60
+
+ # Enable persistence using Persistent Volume Claims
+ # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+ # After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
+ # additionalArguments:
+ # - "--certificatesresolvers.le.acme.storage=/data/acme.json"
+ # It will persist TLS certificates.
+ persistence:
+ enabled: false
+ name: data
+ # existingClaim: ""
+ accessMode: ReadWriteOnce
+ size: 128Mi
+ # storageClass: ""
+ path: /data
+ annotations: {}
+ # subPath: "" # only mount a subpath of the Volume into the pod
+
+ certResolvers: {}
+ # letsencrypt:
+ # # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
+ # email: email@example.com
+ # dnsChallenge:
+ # # also add the provider's required configuration under env
+ # # or expand then from secrets/configmaps with envfrom
+ # # cf. https://doc.traefik.io/traefik/https/acme/#providers
+ # provider: digitalocean
+ # # add futher options for the dns challenge as needed
+ # # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge
+ # delayBeforeCheck: 30
+ # resolvers:
+ # - 1.1.1.1
+ # - 8.8.8.8
+ # tlsChallenge: true
+ # httpChallenge:
+ # entryPoint: "web"
+ # # match the path to persistence
+ # storage: /data/acme.json
+
+ # If hostNetwork is true, runs traefik in the host network namespace
+ # To prevent unschedulabel pods due to port collisions, if hostNetwork=true
+ # and replicas>1, a pod anti-affinity is recommended and will be set if the
+ # affinity is left as default.
+ hostNetwork: false
+
+ # Whether Role Based Access Control objects like roles and rolebindings should be created
+ rbac:
+ enabled: true
+
+ # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces.
+ # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace
+ namespaced: false
+
+ # Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding
+ podSecurityPolicy:
+ enabled: false
+
+ # The service account the pods will use to interact with the Kubernetes API
+ serviceAccount:
+ # If set, an existing service account is used
+ # If not set, a service account is created automatically using the fullname template
+ name: ""
+
+ # Additional serviceAccount annotations (e.g. for oidc authentication)
+ serviceAccountAnnotations: {}
+
+ resources: {}
+ # requests:
+ # cpu: "100m"
+ # memory: "50Mi"
+ # limits:
+ # cpu: "300m"
+ # memory: "150Mi"
+ affinity: {}
+ # # This example pod anti-affinity forces the scheduler to put traefik pods
+ # # on nodes where no other traefik pods are scheduled.
+ # # It should be used when hostNetwork: true to prevent port conflicts
+ # podAntiAffinity:
+ # requiredDuringSchedulingIgnoredDuringExecution:
+ # - labelSelector:
+ # matchExpressions:
+ # - key: app.kubernetes.io/name
+ # operator: In
+ # values:
+ # - {{ template "traefik.name" . }}
+ # topologyKey: kubernetes.io/hostname
+ nodeSelector: {}
+ tolerations: []
+
+ # Pods can have priority.
+ # Priority indicates the importance of a Pod relative to other Pods.
+ priorityClassName: ""
+
+ # Set the container security context
+ # To run the container with ports below 1024 this will need to be adjust to run as root
+ securityContext:
+ capabilities:
+ drop: [ALL]
+ readOnlyRootFilesystem: true
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+
+ podSecurityContext:
+ fsGroup: 65532
From feffeb56dfa43d7f25120a9c35c82631a10e810a Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 18 Aug 2022 12:32:11 +0000
Subject: [PATCH 277/334] chore(deps): update helm release common to v2
---
 home/adminer/Chart.yaml | 2 +-
 home/adminer/charts/adminer/Chart.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/home/adminer/Chart.yaml b/home/adminer/Chart.yaml
index 41159c6a04..08eac5d74e 100644
--- a/home/adminer/Chart.yaml
+++ b/home/adminer/Chart.yaml
@@ -8,5 +8,5 @@ dependencies:
 repository: https://charts.bitnami.com/bitnami
 tags:
 - bitnami-common
- version: 1.x.x
+ version: 2.x
 engine: gotpl
\ No newline at end of file
diff --git a/home/adminer/charts/adminer/Chart.yaml b/home/adminer/charts/adminer/Chart.yaml
index 7f3c6e76df..adee9e761e 100644
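Review bot: `ingressRoute.dashboard.enabled: true` turns on the Traefik dashboard and its `/api` while no authentication middleware is declared anywhere in this values file. The chart presumably binds that IngressRoute to the `traefik` entrypoint (port 9000, `expose: false`), which keeps it reachable only through `kubectl port-forward` for now — confirm that, and if the dashboard is ever routed via `web`/`websecure`, put a basicAuth or forwardAuth middleware on the route first, or simply keep `dashboard: enabled: false` until one exists. `globalArguments` also carries the upstream defaults `--global.checknewversion` and `--global.sendanonymoususage`, both outbound calls from the ingress pod to Traefik's vendor; with the chart version pinned in Chart.yaml they add nothing, so `globalArguments: []` is the smaller egress surface.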
--- a/home/adminer/charts/adminer/Chart.yaml
+++ b/home/adminer/charts/adminer/Chart.yaml
@@ -11,7 +11,7 @@ dependencies:
 repository: https://charts.bitnami.com/bitnami
 tags:
 - bitnami-common
- version: 1.x.x
+ version: 2.x
 engine: gotpl
 keywords:
 - adminer
From 4aef53b1c3a1dc381103eb52079a0695bab48601 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Mon, 22 Aug 2022 08:49:00 +0200
Subject: [PATCH 278/334] Test nextcloud non root
---
 home/nextcloud/values.yaml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml
index b9e59463de..26e61be88c 100644
--- a/home/nextcloud/values.yaml
+++ b/home/nextcloud/values.yaml
@@ -167,7 +167,7 @@ nextcloud:
 ## Strategy used to replace old pods
 ## IMPORTANT: use with care, it is suggested to leave as that for upgrade purposes
 ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
- strategy:
+ strategy:
 type: Recreate
 # type: RollingUpdate
 # rollingUpdate:
@@ -177,8 +177,8 @@ nextcloud:
 ##
 ## Extra environment variables
 extraEnv:
- - name: REDIS_HOST
- value: redis-master.redis.svc.cluster.local
+ - name: REDIS_HOST
+ value: redis-master.redis.svc.cluster.local
 # Extra mounts for the pods. Example shown is for connecting a legacy NFS volume
 # to NextCloud pods in Kubernetes. This can then be configured in External Storage
@@ -193,11 +193,11 @@ nextcloud:
 # mountPath: "/legacy_data"
 # Extra secuurityContext parameters. For example you may need to define runAsNonRoot directive
- # extraSecurityContext:
- # runAsUser: "33"
- # runAsGroup: "33"
- # runAsNonRoot: true
- # readOnlyRootFilesystem: true
+ extraSecurityContext:
+ runAsUser: "82"
+ runAsGroup: "82"
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
 nginx:
 ## You need to set an fpm version of the image for nextcloud if you want to use nginx!
From 40463b9b653ba98865bb3a4a1198978668a05d73 Mon Sep 17 00:00:00 2001
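Review bot: `runAsUser: "82"` and `runAsGroup: "82"` in the new `extraSecurityContext` block are quoted strings, but the corresponding SecurityContext fields are int64; if the chart copies this map into the pod spec verbatim (`toYaml`), the API server rejects the Deployment, so write them as `runAsUser: 82` and `runAsGroup: 82`. The quoted form appears to be inherited from the upstream example comment being replaced, which has the same flaw. UID/GID 82 is by convention the www-data user of the alpine-based images, so this only lines up with an `*-alpine` image tag — the tag is outside this hunk, verify it agrees. `readOnlyRootFilesystem: true` is the right direction, but this commit adds no writable emptyDir for scratch paths alongside it, so check that the pod actually reaches Ready before relying on it.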
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 22 Aug 2022 23:32:07 +0000
Subject: [PATCH 279/334] chore(deps): update helm release gitea to v6
---
 platform/gitea/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/platform/gitea/Chart.yaml b/platform/gitea/Chart.yaml
index 5f4de1f438..6f19401ac6 100644
--- a/platform/gitea/Chart.yaml
+++ b/platform/gitea/Chart.yaml
@@ -3,5 +3,5 @@ name: gitea
 version: 0.0.0
 dependencies:
 - name: gitea
- version: 5.0.9
+ version: 6.0.0
 repository: https://dl.gitea.io/charts/
From 42bc211522a43262f48c54307dd643381790a74b Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Sat, 27 Aug 2022 09:31:04 +0200
Subject: [PATCH 280/334] Add traefik pool notation
---
 system/ingress-traefik/values.yaml | 58 +++++++++++++++++++-----------
 1 file changed, 37 insertions(+), 21 deletions(-)
diff --git a/system/ingress-traefik/values.yaml b/system/ingress-traefik/values.yaml
index ffd67f1395..5ac109a9d4 100644
--- a/system/ingress-traefik/values.yaml
+++ b/system/ingress-traefik/values.yaml
@@ -1,5 +1,5 @@
 ingress-traefik:
- # Default values for Traefik
+ # Default values for Traefik
 image:
 name: traefik
 # defaults to appVersion
@@ -14,7 +14,7 @@ ingress-traefik:
 # Can be either Deployment or DaemonSet
 kind: Deployment
 # Number of pods of the deployment (only applies when kind == Deployment)
- replicas: 1
+ replicas: 2
 # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)
 # revisionHistoryLimit: 1
 # Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down
@@ -30,7 +30,8 @@ ingress-traefik:
 # Additional Pod labels (e.g. for filtering Pod by custom labels)
 podLabels: {}
 # Additional containers (e.g. for metric offloading sidecars)
- additionalContainers: []
+ additionalContainers:
+ []
 # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
 # - name: socat-proxy
 # image: alpine/socat:1.0.5
@@ -39,12 +40,14 @@ ingress-traefik:
 # - name: dsdsocket
 # mountPath: /socket
 # Additional volumes available for use with initContainers and additionalContainers
- additionalVolumes: []
+ additionalVolumes:
+ []
 # - name: dsdsocket
 # hostPath:
 # path: /var/run/statsd-exporter
 # Additional initContainers (e.g. for setting file permission as shown below)
- initContainers: []
+ initContainers:
+ []
 # The "volume-permissions" init container is required if you run into permission issues.
 # Related issue: https://github.com/traefik/traefik/issues/6972
 # - name: volume-permissions
@@ -58,7 +61,8 @@ ingress-traefik:
 # Custom pod DNS policy. Apply if `hostNetwork: true`
 # dnsPolicy: ClusterFirstWithHostNet
 # Additional imagePullSecrets
- imagePullSecrets: []
+ imagePullSecrets:
+ []
 # - name: myRegistryKeySecretName
 # Pod disruption budget
@@ -72,7 +76,7 @@ ingress-traefik:
 # Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
 ingressClass:
 # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
- enabled: false
+ enabled: true
 isDefaultClass: false
 # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
 fallbackApiVersion: ""
@@ -139,7 +143,8 @@ ingress-traefik:
 allowEmptyServices: false
 # ingressClass: traefik-internal
 # labelSelector: environment=production,method=traefik
- namespaces: []
+ namespaces:
+ []
 # - "default"
 kubernetesIngress:
@@ -148,7 +153,8 @@ ingress-traefik:
 allowEmptyServices: false
 # ingressClass: traefik-internal
 # labelSelector: environment=production,method=traefik
- namespaces: []
+ namespaces:
+ []
 # - "default"
 # IP used for Kubernetes Ingress endpoints
 publishedService:
@@ -174,7 +180,8 @@ ingress-traefik:
 # type: configMap
 # Additional volumeMounts to add to the Traefik container
- additionalVolumeMounts: []
+ additionalVolumeMounts:
+ []
 # For instance when using a logshipper for access logs
 # - name: traefik-logs
 # mountPath: /var/log/traefik
@@ -201,7 +208,8 @@ ingress-traefik:
 # them to the selected output. In some cases, this option can greatly help performances.
 # bufferingSize: 100
 # Filtering https://docs.traefik.io/observability/access-logs/#filtering
- filters: {}
+ filters:
+ {}
 # statuscodes: "200,300-302"
 # retryattempts: true
 # minduration: 10ms
@@ -210,12 +218,14 @@ ingress-traefik:
 fields:
 general:
 defaultmode: keep
- names: {}
+ names:
+ {}
 # Examples:
 # ClientUsername: drop
 headers:
 defaultmode: drop
- names: {}
+ names:
+ {}
 # Examples:
 # User-Agent: redact
 # Authorization: drop
@@ -233,7 +243,8 @@ ingress-traefik:
 # statsd:
 # address: localhost:8125
- tracing: {}
+ tracing:
+ {}
 # instana:
 # enabled: true
 # datadog:
@@ -335,7 +346,7 @@ ingress-traefik:
 # Set TLS at the entrypoint
 # https://doc.traefik.io/traefik/routing/entrypoints/#tls
 tls:
- enabled: false
+ enabled: true
 # this is the name of a TLSOption definition
 options: ""
 certResolver: ""
@@ -378,7 +389,8 @@ ingress-traefik:
 enabled: true
 type: LoadBalancer
 # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config)
- annotations: {}
+ annotations:
+ - metallb.universe.tf/address-pool: traefik
 # Additional annotations for TCP service only
 annotationsTCP: {}
 # Additional annotations for UDP service only
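Review bot: the new `annotations:` value in the last hunk here (`@@ -378,7 +389,8 @@`) is a YAML sequence, `- metallb.universe.tf/address-pool: traefik`, but Service `metadata.annotations` is a string map, so the rendered Service fails API validation; it should be the plain key `metallb.universe.tf/address-pool: traefik` nested under `annotations:`. In the `@@ -335,7 +346,7 @@` hunk `websecure.tls.enabled` is switched to true while `certResolver`, `domains` and `tlsOptions` stay empty, so presumably Traefik answers on 443 with its generated self-signed certificate until a default TLSStore or per-route certificates are supplied — confirm that is acceptable for whatever this address pool serves. Everything else in this file is `[]`/`{}` re-indentation plus `replicas: 2` and `ingressClass.enabled: true`, which look intentional.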
@@ -387,14 +399,17 @@ ingress-traefik:
 labels: {}
 # Additional entries here will be added to the service spec.
 # Cannot contain type, selector or ports entries.
- spec: {}
+ spec:
+ {}
 # externalTrafficPolicy: Cluster
 # loadBalancerIP: "1.2.3.4"
 # clusterIP: "2.3.4.5"
- loadBalancerSourceRanges: []
+ loadBalancerSourceRanges:
+ []
 # - 192.168.0.1/32
 # - 172.16.0.0/16
- externalIPs: []
+ externalIPs:
+ []
 # - 1.2.3.4
 # One of SingleStack, PreferDualStack, or RequireDualStack.
 # ipFamilyPolicy: SingleStack
@@ -429,7 +444,7 @@ ingress-traefik:
 persistence:
 enabled: false
 name: data
- # existingClaim: ""
+ # existingClaim: ""
 accessMode: ReadWriteOnce
 size: 128Mi
 # storageClass: ""
@@ -485,7 +500,8 @@ ingress-traefik:
 # Additional serviceAccount annotations (e.g. for oidc authentication)
 serviceAccountAnnotations: {}
- resources: {}
+ resources:
+ {}
 # requests:
 # cpu: "100m"
 # memory: "50Mi"
From c00bd1b2c38ce1a77b59a2787c447be0eec02ce1 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 31 Aug 2022 12:55:29 +0000
Subject: [PATCH 281/334] chore(deps): update all non-major dependencies
---
 .tekton/tasks/external.yaml | 2 +-
 .tekton/tasks/lint.yaml | 2 +-
 bootstrap/argocd/Chart.yaml | 2 +-
 external/modules/cloudflare/versions.tf | 4 ++--
 external/versions.tf | 4 ++--
 home/firefly/values.yaml | 2 +-
 home/homeassistant/values.yaml | 4 ++--
 home/mariadb/Chart.yaml | 2 +-
 home/nextcloud/Chart.yaml | 2 +-
 home/pihole/Chart.yaml | 2 +-
 home/pihole/values.yaml | 2 +-
 home/postgresql/Chart.yaml | 2 +-
 platform/authentik/Chart.yaml | 2 +-
 platform/dex/Chart.yaml | 2 +-
 platform/vault/Chart.yaml | 2 +-
 system/ingress-nginx/Chart.yaml | 2 +-
 system/ingress-traefik/Chart.yaml | 2 +-
 system/kured/Chart.yaml | 2 +-
 system/metallb-system/Chart.yaml | 2 +-
 test/go.mod | 2 +-
 test/go.sum | 2 ++
 21 files changed, 25 insertions(+), 23 deletions(-)
diff --git a/.tekton/tasks/external.yaml b/.tekton/tasks/external.yaml
index 5e85260a53..b7fd2756ff 100644
--- a/.tekton/tasks/external.yaml
+++ b/.tekton/tasks/external.yaml
@@ -6,7 +6,7 @@ spec:
 workspaces:
 - name: source
 stepTemplate:
- image: hashicorp/terraform:1.2.7
+ image: hashicorp/terraform:1.2.8
 workingDir: /workspace/source/external
 volumeMounts:
 - name: terraform-secrets
diff --git a/.tekton/tasks/lint.yaml b/.tekton/tasks/lint.yaml
index 7cd7e70f95..c9d1963481 100644
--- a/.tekton/tasks/lint.yaml
+++ b/.tekton/tasks/lint.yaml
@@ -20,7 +20,7 @@ spec:
 args:
 - .
 - name: terraform
- image: hashicorp/terraform:1.2.7
+ image: hashicorp/terraform:1.2.8
 command:
 - terraform
 args:
diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml
index 9059331bee..45873df764 100644
--- a/bootstrap/argocd/Chart.yaml
+++ b/bootstrap/argocd/Chart.yaml
@@ -3,5 +3,5 @@ name: argocd
 version: 0.0.0
 dependencies:
 - name: argo-cd
- version: 4.10.6
+ version: 4.10.9
 repository: https://argoproj.github.io/argo-helm
diff --git a/external/modules/cloudflare/versions.tf b/external/modules/cloudflare/versions.tf
index b00bce53f0..cabe171f36 100644
--- a/external/modules/cloudflare/versions.tf
+++ b/external/modules/cloudflare/versions.tf
@@ -2,12 +2,12 @@ terraform {
 required_providers {
 cloudflare = {
 source = "cloudflare/cloudflare"
- version = "~> 3.21.0"
+ version = "~> 3.22.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = "~> 2.12.0"
+ version = "~> 2.13.0"
 }
 http = {
diff --git a/external/versions.tf b/external/versions.tf
index fc7c43fe3e..7a8ef4639e 100644
--- a/external/versions.tf
+++ b/external/versions.tf
@@ -8,7 +8,7 @@ terraform {
 required_providers {
 cloudflare = {
 source = "cloudflare/cloudflare"
- version = "~> 3.21.0"
+ version = "~> 3.22.0"
 }
 b2 = {
@@ -19,7 +19,7 @@ terraform {
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = "~> 2.12.0"
+ version = "~> 2.13.0"
 }
 http = {
diff --git a/home/firefly/values.yaml b/home/firefly/values.yaml
index 08c63547bc..aeceeb5fb7 100644
--- a/home/firefly/values.yaml
+++ b/home/firefly/values.yaml
@@ -62,7 +62,7 @@ firefly-iii:
 image:
 repository: curlimages/curl
 pullPolicy: IfNotPresent
- tag: 7.84.0
+ tag: 7.85.0
 imagePullSecrets: []
diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml
index 43d8706298..c3d3a2f6a3 100644
--- a/home/homeassistant/values.yaml
+++ b/home/homeassistant/values.yaml
@@ -3,7 +3,7 @@ home-assistant:
 # -- image repository
 repository: homeassistant/home-assistant
 # -- image tag
- tag: 2022.8.3
+ tag: 2022.8.7
 # -- image pull policy
 pullPolicy: IfNotPresent
@@ -138,7 +138,7 @@ home-assistant:
 enabled: true
 image:
 repository: codercom/code-server
- tag: 4.5.1
+ tag: 4.6.0
 workingDir: "/config"
 args:
 - --auth
diff --git a/home/mariadb/Chart.yaml b/home/mariadb/Chart.yaml
index d0db364d13..20915bced2 100644
--- a/home/mariadb/Chart.yaml
+++ b/home/mariadb/Chart.yaml
@@ -3,5 +3,5 @@ name: mariadb
 version: 0.0.0
 dependencies:
 - name: mariadb
- version: 11.1.7
+ version: 11.2.2
 repository: https://charts.bitnami.com/bitnami
\ No newline at end of file
diff --git a/home/nextcloud/Chart.yaml b/home/nextcloud/Chart.yaml
index 381b89f53a..579622a4a9 100644
--- a/home/nextcloud/Chart.yaml
+++ b/home/nextcloud/Chart.yaml
@@ -3,5 +3,5 @@ name: nextcloud
 version: 0.0.0
 dependencies:
 - name: nextcloud
- version: 3.0.4
+ version: 3.1.0
 repository: https://nextcloud.github.io/helm/
diff --git a/home/pihole/Chart.yaml b/home/pihole/Chart.yaml
index 2e9b9ee93a..9520741f34 100644
--- a/home/pihole/Chart.yaml
+++ b/home/pihole/Chart.yaml
@@ -3,5 +3,5 @@ name: pihole
 version: 0.0.0
 dependencies:
 - name: pihole
- version: 2.9.1
+ version: 2.9.2
 repository: https://mojo2600.github.io/pihole-kubernetes/
\ No newline at end of file
diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml
index 447bd9f4a5..830b4f42df 100644
--- a/home/pihole/values.yaml
+++ b/home/pihole/values.yaml
@@ -19,7 +19,7 @@ pihole:
 # -- the repostory to pull the image from
 repository: "pihole/pihole"
 # -- the docker tag, if left empty it will get it from the chart's appVersion
- tag: "2022.07"
+ tag: "2022.08"
 # -- the pull policy
 pullPolicy: IfNotPresent
diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml
index d9f0457d54..aa92a0bbb3 100644
--- a/home/postgresql/Chart.yaml
+++ b/home/postgresql/Chart.yaml
@@ -3,5 +3,5 @@ name: postgresql
 version: 0.0.0
 dependencies:
 - name: postgresql
- version: 11.7.1
+ version: 11.8.1
 repository: https://charts.bitnami.com/bitnami
\ No newline at end of file
diff --git a/platform/authentik/Chart.yaml b/platform/authentik/Chart.yaml
index 2681df1d8a..9041925627 100644
--- a/platform/authentik/Chart.yaml
+++ b/platform/authentik/Chart.yaml
@@ -3,5 +3,5 @@ name: authentik
 version: 0.0.0
 dependencies:
 - name: authentik
- version: 2022.7.3
+ version: 2022.8.3
 repository: https://charts.goauthentik.io
diff --git a/platform/dex/Chart.yaml b/platform/dex/Chart.yaml
index 20bc014986..6dda3c2f51 100644
--- a/platform/dex/Chart.yaml
+++ b/platform/dex/Chart.yaml
@@ -3,5 +3,5 @@ name: dex
 version: 0.0.0
 dependencies:
 - name: dex
- version: 0.9.0
+ version: 0.10.0
 repository: https://charts.dexidp.io
diff --git a/platform/vault/Chart.yaml b/platform/vault/Chart.yaml
index 2d73bb862a..e8fa760195 100644
--- a/platform/vault/Chart.yaml
+++ b/platform/vault/Chart.yaml
@@ -3,5 +3,5 @@ name: vault
 version: 0.0.0
 dependencies:
 - name: vault-operator
- version: 1.15.8
+ version: 1.16.0
 repository: https://kubernetes-charts.banzaicloud.com
diff --git a/system/ingress-nginx/Chart.yaml b/system/ingress-nginx/Chart.yaml
index 33e0c5d3bf..c0cf0dd6ae 100644
--- a/system/ingress-nginx/Chart.yaml
+++ b/system/ingress-nginx/Chart.yaml
@@ -3,5 +3,5 @@ name: ingress-nginx
 version: 0.0.0
 dependencies:
 - name: ingress-nginx
- version: 4.2.1
+ version: 4.2.3
 repository: https://kubernetes.github.io/ingress-nginx
diff --git a/system/ingress-traefik/Chart.yaml b/system/ingress-traefik/Chart.yaml
index e688b90e5b..9df616ab3d 100644
--- a/system/ingress-traefik/Chart.yaml
+++ b/system/ingress-traefik/Chart.yaml
@@ -3,5 +3,5 @@ name: ingress-traefik
 version: 0.0.0
 dependencies:
 - name: traefik
- version: 10.24.0
+ version: 10.24.1
 repository: https://helm.traefik.io/traefik
diff --git a/system/kured/Chart.yaml b/system/kured/Chart.yaml
index 7a54e989e7..3ceb62652d 100644
--- a/system/kured/Chart.yaml
+++ b/system/kured/Chart.yaml
@@ -3,5 +3,5 @@ name: kured
 version: 0.0.0
 dependencies:
 - name: kured
- version: 3.0.0
+ version: 3.0.1
 repository: https://weaveworks.github.io/kured
diff --git a/system/metallb-system/Chart.yaml b/system/metallb-system/Chart.yaml
index ea04ce1a1f..7c9c21bb1e 100644
--- a/system/metallb-system/Chart.yaml
+++ b/system/metallb-system/Chart.yaml
@@ -3,5 +3,5 @@ name: metallb
 version: 0.0.0
 dependencies:
 - name: metallb
- version: 4.0.2
+ version: 4.1.1
 repository: https://charts.bitnami.com/bitnami
diff --git a/test/go.mod b/test/go.mod
index e901200943..7672bd69a0 100644
--- a/test/go.mod
+++ b/test/go.mod
@@ -2,7 +2,7 @@ module git.khuedoan.com/ops/homelab
 go 1.19
-require github.com/gruntwork-io/terratest v0.40.19
+require github.com/gruntwork-io/terratest v0.40.20
 require (
 cloud.google.com/go v0.83.0 // indirect
diff --git a/test/go.sum b/test/go.sum
index b486764d85..8e5d7d06c6 100644
--- a/test/go.sum
+++ b/test/go.sum
@@ -218,6 +218,8 @@ github.com/gruntwork-io/terratest v0.40.18 h1:xuFaHOf/7kwc5cQN+6FfbmKglneBKesZxP
 github.com/gruntwork-io/terratest v0.40.18/go.mod h1:JGeIGgLbxbG9/Oqm06z6YXVr76CfomdmLkV564qov+8=
 github.com/gruntwork-io/terratest v0.40.19 h1:slnTF0Amrc9yRVUV/X/fHlVWKNF0H8fwa2OLyeV2IOA=
 github.com/gruntwork-io/terratest v0.40.19/go.mod h1:JGeIGgLbxbG9/Oqm06z6YXVr76CfomdmLkV564qov+8=
+github.com/gruntwork-io/terratest v0.40.20 h1:pco6s3b62h2Yd13N+HvHQVTAk3aPRz4sdoVwErPCBzQ=
+github.com/gruntwork-io/terratest v0.40.20/go.mod h1:JGeIGgLbxbG9/Oqm06z6YXVr76CfomdmLkV564qov+8=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
From 49b4af5c1edc3fe96a8b9aef9a18ef90bcbf78f1 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Sat, 3 Sep 2022 20:35:02 +0200
Subject: [PATCH 282/334] Ingress dashboard via ingress
---
 system/ingress-traefik/values.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/system/ingress-traefik/values.yaml b/system/ingress-traefik/values.yaml
index 5ac109a9d4..381c319c14 100644
--- a/system/ingress-traefik/values.yaml
+++ b/system/ingress-traefik/values.yaml
@@ -109,7 +109,8 @@ ingress-traefik:
 dashboard:
 enabled: true
 # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
- annotations: {}
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
 # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
 labels: {}
From 0c1c2bf5202da17af008ac98b97e153b56f9dfc2 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Sat, 3 Sep 2022 20:50:11 +0200
Subject: [PATCH 283/334] Enable access log
---
 system/ingress-traefik/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
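Review bot: The new `kubernetes.io/ingress.class: "nginx"` annotation goes on the Traefik dashboard IngressRoute, yet nothing in the hunk attaches an authentication middleware to that route while the context line `enabled: true` keeps the dashboard (and with it the Traefik API) exposed. As far as I know an IngressRoute is a Traefik CRD that ingress-nginx never serves, and Traefik only uses this annotation to match its own configured ingress class, so the change probably does not route the dashboard through nginx at all; reaching it via nginx would need a separate Ingress object pointing at the Traefik API service, guarded by an auth middleware or a network restriction. A comment next to the annotation stating which controller is expected to serve the route and how access is restricted would prevent the next reader from assuming it is protected, e.g. `# dashboard route: served by <controller placeholder>; access limited by <auth middleware / network policy placeholder>`. The parent key of `dashboard:` is outside the hunk.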
diff --git a/system/ingress-traefik/values.yaml b/system/ingress-traefik/values.yaml
index 381c319c14..43f792c6b3 100644
--- a/system/ingress-traefik/values.yaml
+++ b/system/ingress-traefik/values.yaml
@@ -196,10 +196,10 @@ ingress-traefik:
 # also ask for the json format in the format option
 # format: json
 # By default, the level is set to ERROR. Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
- level: ERROR
+ level: INFO
 access:
 # To enable access logs
- enabled: false
+ enabled: true
 # By default, logs are written using the Common Log Format (CLF).
 # To write logs in JSON, use json in the format option.
 # If the given format is unsupported, the default (CLF) is used instead.
From a19411e9432c7ddae8d185201cec3520d8e74e73 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Sat, 3 Sep 2022 20:52:20 +0200
Subject: [PATCH 284/334] Annotations traefik
---
 system/ingress-traefik/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/system/ingress-traefik/values.yaml b/system/ingress-traefik/values.yaml
index 43f792c6b3..4205ad0be2 100644
--- a/system/ingress-traefik/values.yaml
+++ b/system/ingress-traefik/values.yaml
@@ -391,7 +391,7 @@ ingress-traefik:
 type: LoadBalancer
 # Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config)
 annotations:
- - metallb.universe.tf/address-pool: traefik
+ metallb.universe.tf/address-pool: traefik
 # Additional annotations for TCP service only
 annotationsTCP: {}
 # Additional annotations for UDP service only
From 64cd106639a52a3cae67b4ac0dea9a2a7d2c7a61 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Sat, 3 Sep 2022 20:56:32 +0200
Subject: [PATCH 285/334] Test traefik
---
 system/ingress-traefik/values.yaml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/system/ingress-traefik/values.yaml b/system/ingress-traefik/values.yaml
index 4205ad0be2..3a897b3d3e 100644
--- a/system/ingress-traefik/values.yaml
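Review bot: Turning on access logs in the default CLF format writes the full request line — including query strings, which in practice carry session tokens or signed URLs for some of the apps behind this ingress — for every request, and the hunk sets no retention or field policy alongside `enabled: true`. The chart's access-log settings below this hunk (the `fields`/`filters` keys, if this chart version matches upstream — worth confirming) are where headers and fields are kept or dropped; upstream drops request headers by default, but the URL itself is always logged, so the decision on what is acceptable to keep and for how long should be recorded here rather than left implicit. A one-line note would do, e.g. `# access logs record client IPs and full request URLs; retention and field redaction are governed by the fields/filters settings below`. The `logs:` block this belongs to opens outside the hunk.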
+++ b/system/ingress-traefik/values.yaml
@@ -393,9 +393,12 @@ ingress-traefik:
 annotations:
 metallb.universe.tf/address-pool: traefik
 # Additional annotations for TCP service only
- annotationsTCP: {}
+ annotationsTCP:
+ metallb.universe.tf/address-pool: traefik
 # Additional annotations for UDP service only
- annotationsUDP: {}
+ annotationsUDP:
+ metallb.universe.tf/address-pool: traefik
+
 # Additional service labels (e.g. for filtering Service by custom labels)
 labels: {}
 # Additional entries here will be added to the service spec.
@@ -406,8 +409,7 @@ ingress-traefik:
 # loadBalancerIP: "1.2.3.4"
 # clusterIP: "2.3.4.5"
 loadBalancerSourceRanges:
- []
- # - 192.168.0.1/32
+ - 192.168.0.1/32
 # - 172.16.0.0/16
 externalIPs: []
From 5d2db860534f23c403c78a99a05f3b3e95528aa5 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Sat, 3 Sep 2022 22:56:58 +0200
Subject: [PATCH 286/334] Add auto merge non major
---
 renovate.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/renovate.json b/renovate.json
index feb90584e3..3ab06d97fa 100644
--- a/renovate.json
+++ b/renovate.json
@@ -16,7 +16,8 @@
 "patch"
 ],
 "groupName": "all non-major dependencies",
- "groupSlug": "all-minor-patch"
+ "groupSlug": "all-minor-patch",
+ "automerge": true
 }
 ]
 }
From 1642b7c756061f38584f065a41597101ef011a97 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sat, 3 Sep 2022 20:59:25 +0000
Subject: [PATCH 287/334] chore(deps): update helm release argo-cd to v5
---
 bootstrap/argocd/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml
index 9059331bee..f463bc8f88 100644
--- a/bootstrap/argocd/Chart.yaml
+++ b/bootstrap/argocd/Chart.yaml
@@ -3,5 +3,5 @@ name: argocd
 version: 0.0.0
 dependencies:
 - name: argo-cd
- version: 4.10.6
+ version: 5.4.0
 repository: https://argoproj.github.io/argo-helm
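Review bot: `loadBalancerSourceRanges` now contains `192.168.0.1/32`, which is the chart's own example value from the commented line directly below it, so the Traefik LoadBalancer service will accept traffic from that single host only; together with the commit title "Test traefik" this reads like a test setting that should not land in the shared values. If the restriction is deliberate, name the host and the reason next to it, e.g. `- 192.168.0.1/32  # <placeholder: which host this is and why it is the only allowed source>`; otherwise restore `[]`. Separately, the `metallb.universe.tf/address-pool: traefik` annotation is now declared three times — the first hunk's context shows it already on the shared `annotations` map that the comment says applies to both TCP and UDP services — so the `annotationsTCP`/`annotationsUDP` copies look redundant unless this chart version merges the maps differently, which I cannot confirm from the hunk. The `service:` block these keys belong to starts outside the hunk.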
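Review bot: `"automerge": true` lets every grouped minor and patch update — Helm charts, container images and the Go modules in this repository — reach the main branch without a human look, so review of upstream changes now rests entirely on whatever status checks the repository requires. Renovate's automerge waits for configured checks, but how a PR with no checks at all is treated depends on the `ignoreTests` setting, so confirm that branch protection actually requires the lint/test pipeline before relying on this. A narrower option is to automerge only `"matchUpdateTypes": ["patch"]` and keep minor updates under review. The package rule's opening lines, including its `matchUpdateTypes` list, are outside the hunk.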
From 010134a27e949f6feec0b69609355a8f95127325 Mon Sep 17 00:00:00 2001
From: Peter Mein
Date: Sat, 3 Sep 2022 23:09:26 +0200
Subject: [PATCH 288/334] More time for argo to run
---
 bootstrap/argocd/values.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/bootstrap/argocd/values.yaml b/bootstrap/argocd/values.yaml
index 3fc72ba597..c1086810f5 100644
--- a/bootstrap/argocd/values.yaml
+++ b/bootstrap/argocd/values.yaml
@@ -2,8 +2,10 @@ argo-cd:
 server:
 extraArgs:
 - --insecure
+ - --repo-server-timeout-seconds
+ - "500"
 config:
- statusbadge.enabled: 'true'
+ statusbadge.enabled: "true"
 resource.customizations.health.argoproj.io_Application: |
 hs = {}
@@ -42,6 +44,9 @@ argo-cd:
 repoServerTimeoutSeconds: "180"
 metrics: *metrics
 repoServer:
+ env:
+ - name: "ARGOCD_EXEC_TIMEOUT"
+ value: "5m"
 metrics: *metrics
 redis:
 metrics: *metrics
From 7c1182f54cf0d2bef80106aa25802380cba8b916 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 16 Sep 2022 11:38:22 +0000
Subject: [PATCH 289/334] chore(deps): update all non-major dependencies
---
 .tekton/tasks/external.yaml | 2 +-
 .tekton/tasks/lint.yaml | 2 +-
 apps/seafile/values.yaml | 2 +-
 bootstrap/argocd/Chart.yaml | 2 +-
 external/modules/cloudflare/versions.tf | 2 +-
 external/versions.tf | 2 +-
 home/homeassistant/values.yaml | 4 ++--
 home/mariadb/Chart.yaml | 2 +-
 home/nextcloud/Chart.yaml | 2 +-
 home/pihole/Chart.yaml | 2 +-
 home/pihole/values.yaml | 2 +-
 home/postgresql/Chart.yaml | 2 +-
 platform/dex/Chart.yaml | 2 +-
 platform/gitea/Chart.yaml | 2 +-
 platform/vault/Chart.yaml | 2 +-
 system/descheduler/Chart.yaml | 2 +-
 system/ingress-nginx/Chart.yaml | 2 +-
 system/ingress-traefik/Chart.yaml | 2 +-
 system/metallb-system/Chart.yaml | 2 +-
 test/go.mod | 2 +-
 test/go.sum | 2 ++
 21 files changed, 23 insertions(+), 21 deletions(-)
diff --git a/.tekton/tasks/external.yaml b/.tekton/tasks/external.yaml
index b7fd2756ff..3a6999b3e3 100644
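Review bot: The API server now gets `--repo-server-timeout-seconds 500` while the second hunk's context still shows `repoServerTimeoutSeconds: "180"` for what is presumably the application controller, so the two Argo CD components now wait different lengths of time on the same repo-server, with the new 5-minute `ARGOCD_EXEC_TIMEOUT` sitting between them; a manifest generation the server is prepared to wait 500 s for can still be abandoned by the controller after 180 s. Either align the values or record why they differ, e.g. `# API-server wait on repo-server; keep >= ARGOCD_EXEC_TIMEOUT (5m) and consistent with controller.repoServerTimeoutSeconds`. The key that owns `repoServerTimeoutSeconds` is not visible in the hunk, so the attribution to the controller is an inference.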
--- a/.tekton/tasks/external.yaml
+++ b/.tekton/tasks/external.yaml
@@ -6,7 +6,7 @@ spec:
 workspaces:
 - name: source
 stepTemplate:
- image: hashicorp/terraform:1.2.8
+ image: hashicorp/terraform:1.2.9
 workingDir: /workspace/source/external
 volumeMounts:
 - name: terraform-secrets
diff --git a/.tekton/tasks/lint.yaml b/.tekton/tasks/lint.yaml
index c9d1963481..46fb246ece 100644
--- a/.tekton/tasks/lint.yaml
+++ b/.tekton/tasks/lint.yaml
@@ -20,7 +20,7 @@ spec:
 args:
 - .
 - name: terraform
- image: hashicorp/terraform:1.2.8
+ image: hashicorp/terraform:1.2.9
 command:
 - terraform
 args:
diff --git a/apps/seafile/values.yaml b/apps/seafile/values.yaml
index 1d99103555..f99b053193 100644
--- a/apps/seafile/values.yaml
+++ b/apps/seafile/values.yaml
@@ -4,7 +4,7 @@ seafile:
 # -- image repository
 repository: seafileltd/seafile-mc
 # -- image tag
- tag: 9.0.7
+ tag: 9.0.8
 # -- image pull policy
 pullPolicy: IfNotPresent
diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml
index f463bc8f88..242f6523ad 100644
--- a/bootstrap/argocd/Chart.yaml
+++ b/bootstrap/argocd/Chart.yaml
@@ -3,5 +3,5 @@ name: argocd
 version: 0.0.0
 dependencies:
 - name: argo-cd
- version: 5.4.0
+ version: 5.4.4
 repository: https://argoproj.github.io/argo-helm
diff --git a/external/modules/cloudflare/versions.tf b/external/modules/cloudflare/versions.tf
index cabe171f36..376cc1f843 100644
--- a/external/modules/cloudflare/versions.tf
+++ b/external/modules/cloudflare/versions.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 cloudflare = {
 source = "cloudflare/cloudflare"
- version = "~> 3.22.0"
+ version = "~> 3.23.0"
 }
 kubernetes = {
diff --git a/external/versions.tf b/external/versions.tf
index 7a8ef4639e..d7256caca8 100644
--- a/external/versions.tf
+++ b/external/versions.tf
@@ -8,7 +8,7 @@ terraform {
 required_providers {
 cloudflare = {
 source = "cloudflare/cloudflare"
- version = "~> 3.22.0"
+ version = "~> 3.23.0"
 }
 b2 = {
diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml
index c3d3a2f6a3..c8c9de20a5 100644
--- a/home/homeassistant/values.yaml
+++ b/home/homeassistant/values.yaml
@@ -3,7 +3,7 @@ home-assistant:
 # -- image repository
 repository: homeassistant/home-assistant
 # -- image tag
- tag: 2022.8.7
+ tag: 2022.9.4
 # -- image pull policy
 pullPolicy: IfNotPresent
@@ -138,7 +138,7 @@ home-assistant:
 enabled: true
 image:
 repository: codercom/code-server
- tag: 4.6.0
+ tag: 4.7.0
 workingDir: "/config"
 args:
 - --auth
diff --git a/home/mariadb/Chart.yaml b/home/mariadb/Chart.yaml
index 20915bced2..1d2089019a 100644
--- a/home/mariadb/Chart.yaml
+++ b/home/mariadb/Chart.yaml
@@ -3,5 +3,5 @@ name: mariadb
 version: 0.0.0
 dependencies:
 - name: mariadb
- version: 11.2.2
+ version: 11.3.0
 repository: https://charts.bitnami.com/bitnami
\ No newline at end of file
diff --git a/home/nextcloud/Chart.yaml b/home/nextcloud/Chart.yaml
index 579622a4a9..3ace3d8dd9 100644
--- a/home/nextcloud/Chart.yaml
+++ b/home/nextcloud/Chart.yaml
@@ -3,5 +3,5 @@ name: nextcloud
 version: 0.0.0
 dependencies:
 - name: nextcloud
- version: 3.1.0
+ version: 3.1.2
 repository: https://nextcloud.github.io/helm/
diff --git a/home/pihole/Chart.yaml b/home/pihole/Chart.yaml
index 9520741f34..f4b346fe6b 100644
--- a/home/pihole/Chart.yaml
+++ b/home/pihole/Chart.yaml
@@ -3,5 +3,5 @@ name: pihole
 version: 0.0.0
 dependencies:
 - name: pihole
- version: 2.9.2
+ version: 2.9.3
 repository: https://mojo2600.github.io/pihole-kubernetes/
\ No newline at end of file
diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml
index 830b4f42df..3e259d0e81 100644
--- a/home/pihole/values.yaml
+++ b/home/pihole/values.yaml
@@ -19,7 +19,7 @@ pihole:
 # -- the repostory to pull the image from
 repository: "pihole/pihole"
 # -- the docker tag, if left empty it will get it from the chart's appVersion
- tag: "2022.08"
+ tag: "2022.09"
 # -- the pull policy
 pullPolicy: IfNotPresent
diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml
index aa92a0bbb3..7e48409fee 100644
--- a/home/postgresql/Chart.yaml
+++ b/home/postgresql/Chart.yaml
@@ -3,5 +3,5 @@ name: postgresql
 version: 0.0.0
 dependencies:
 - name: postgresql
- version: 11.8.1
+ version: 11.9.1
 repository: https://charts.bitnami.com/bitnami
\ No newline at end of file
diff --git a/platform/dex/Chart.yaml b/platform/dex/Chart.yaml
index 6dda3c2f51..22c8005947 100644
--- a/platform/dex/Chart.yaml
+++ b/platform/dex/Chart.yaml
@@ -3,5 +3,5 @@ name: dex
 version: 0.0.0
 dependencies:
 - name: dex
- version: 0.10.0
+ version: 0.11.0
 repository: https://charts.dexidp.io
diff --git a/platform/gitea/Chart.yaml b/platform/gitea/Chart.yaml
index 6f19401ac6..d6e299e0e5 100644
--- a/platform/gitea/Chart.yaml
+++ b/platform/gitea/Chart.yaml
@@ -3,5 +3,5 @@ name: gitea
 version: 0.0.0
 dependencies:
 - name: gitea
- version: 6.0.0
+ version: 6.0.1
 repository: https://dl.gitea.io/charts/
diff --git a/platform/vault/Chart.yaml b/platform/vault/Chart.yaml
index e8fa760195..7ecada2f42 100644
--- a/platform/vault/Chart.yaml
+++ b/platform/vault/Chart.yaml
@@ -3,5 +3,5 @@ name: vault
 version: 0.0.0
 dependencies:
 - name: vault-operator
- version: 1.16.0
+ version: 1.16.1
 repository: https://kubernetes-charts.banzaicloud.com
diff --git a/system/descheduler/Chart.yaml b/system/descheduler/Chart.yaml
index c12e681c11..c8b82dec4b 100644
--- a/system/descheduler/Chart.yaml
+++ b/system/descheduler/Chart.yaml
@@ -3,5 +3,5 @@ name: descheduler
 version: 0.0.0
 dependencies:
 - name: descheduler
- version: 0.24.1
+ version: 0.25.0
 repository: https://kubernetes-sigs.github.io/descheduler/
diff --git a/system/ingress-nginx/Chart.yaml b/system/ingress-nginx/Chart.yaml
index c0cf0dd6ae..f8599529ad 100644
--- a/system/ingress-nginx/Chart.yaml
+++ b/system/ingress-nginx/Chart.yaml
@@ -3,5 +3,5 @@ name: ingress-nginx
 version: 0.0.0
 dependencies:
 - name: ingress-nginx
- version: 4.2.3
+ version: 4.2.5
 repository: https://kubernetes.github.io/ingress-nginx
diff --git a/system/ingress-traefik/Chart.yaml b/system/ingress-traefik/Chart.yaml
index 9df616ab3d..e868fc341a 100644
--- a/system/ingress-traefik/Chart.yaml
+++ b/system/ingress-traefik/Chart.yaml
@@ -3,5 +3,5 @@ name: ingress-traefik
 version: 0.0.0
 dependencies:
 - name: traefik
- version: 10.24.1
+ version: 10.24.3
 repository: https://helm.traefik.io/traefik
diff --git a/system/metallb-system/Chart.yaml b/system/metallb-system/Chart.yaml
index 7c9c21bb1e..0ea1132276 100644
--- a/system/metallb-system/Chart.yaml
+++ b/system/metallb-system/Chart.yaml
@@ -3,5 +3,5 @@ name: metallb
 version: 0.0.0
 dependencies:
 - name: metallb
- version: 4.1.1
+ version: 4.1.2
 repository: https://charts.bitnami.com/bitnami
diff --git a/test/go.mod b/test/go.mod
index 7672bd69a0..d711475b1a 100644
--- a/test/go.mod
+++ b/test/go.mod
@@ -2,7 +2,7 @@ module git.khuedoan.com/ops/homelab
 go 1.19
-require github.com/gruntwork-io/terratest v0.40.20
+require github.com/gruntwork-io/terratest v0.40.22
 require (
 cloud.google.com/go v0.83.0 // indirect
diff --git a/test/go.sum b/test/go.sum
index 8e5d7d06c6..c218caf597 100644
--- a/test/go.sum
+++ b/test/go.sum
@@ -220,6 +220,8 @@ github.com/gruntwork-io/terratest v0.40.19 h1:slnTF0Amrc9yRVUV/X/fHlVWKNF0H8fwa2
 github.com/gruntwork-io/terratest v0.40.19/go.mod h1:JGeIGgLbxbG9/Oqm06z6YXVr76CfomdmLkV564qov+8=
 github.com/gruntwork-io/terratest v0.40.20 h1:pco6s3b62h2Yd13N+HvHQVTAk3aPRz4sdoVwErPCBzQ=
 github.com/gruntwork-io/terratest v0.40.20/go.mod h1:JGeIGgLbxbG9/Oqm06z6YXVr76CfomdmLkV564qov+8=
+github.com/gruntwork-io/terratest v0.40.22 h1:qHIk+feNFspZQK2UTeH+zeMGfTfSuRduU10RCMMTveg=
+github.com/gruntwork-io/terratest v0.40.22/go.mod h1:JGeIGgLbxbG9/Oqm06z6YXVr76CfomdmLkV564qov+8=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
From 8fc90fd674805ab9cd43050cbbe6fc357e68dd15 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 26 Sep 2022 01:35:38 +0000
Subject: [PATCH 290/334] chore(deps): update all non-major dependencies
---
 .tekton/tasks/external.yaml | 2 +-
 .tekton/tasks/lint.yaml | 2 +-
 apps/seafile/values.yaml | 2 +-
 bootstrap/argocd/Chart.yaml | 2 +-
 external/modules/cloudflare/versions.tf | 2 +-
 external/versions.tf | 4 ++--
 home/homeassistant/values.yaml | 2 +-
 home/mariadb/Chart.yaml | 2 +-
 home/nextcloud/values.yaml | 2 +-
 platform/authentik/Chart.yaml | 2 +-
 platform/dex/Chart.yaml | 2 +-
 platform/vault/files/generate-secrets/go.mod | 4 ++--
 platform/vault/files/generate-secrets/go.sum | 4 ++++
 system/metallb-system/Chart.yaml | 2 +-
 14 files changed, 19 insertions(+), 15 deletions(-)
diff --git a/.tekton/tasks/external.yaml b/.tekton/tasks/external.yaml
index 3a6999b3e3..cf5db71725 100644
--- a/.tekton/tasks/external.yaml
+++ b/.tekton/tasks/external.yaml
@@ -6,7 +6,7 @@ spec:
 workspaces:
 - name: source
 stepTemplate:
- image: hashicorp/terraform:1.2.9
+ image: hashicorp/terraform:1.3.0
 workingDir: /workspace/source/external
 volumeMounts:
 - name: terraform-secrets
diff --git a/.tekton/tasks/lint.yaml b/.tekton/tasks/lint.yaml
index 46fb246ece..c88154da39 100644
--- a/.tekton/tasks/lint.yaml
+++ b/.tekton/tasks/lint.yaml
@@ -20,7 +20,7 @@ spec:
 args:
 - .
 - name: terraform
- image: hashicorp/terraform:1.2.9
+ image: hashicorp/terraform:1.3.0
 command:
 - terraform
 args:
diff --git a/apps/seafile/values.yaml b/apps/seafile/values.yaml
index f99b053193..41b3da15a5 100644
--- a/apps/seafile/values.yaml
+++ b/apps/seafile/values.yaml
@@ -4,7 +4,7 @@ seafile:
 # -- image repository
 repository: seafileltd/seafile-mc
 # -- image tag
- tag: 9.0.8
+ tag: 9.0.9
 # -- image pull policy
 pullPolicy: IfNotPresent
diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml
index 242f6523ad..49a4a27322 100644
--- a/bootstrap/argocd/Chart.yaml
+++ b/bootstrap/argocd/Chart.yaml
@@ -3,5 +3,5 @@ name: argocd
 version: 0.0.0
 dependencies:
 - name: argo-cd
- version: 5.4.4
+ version: 5.5.5
 repository: https://argoproj.github.io/argo-helm
diff --git a/external/modules/cloudflare/versions.tf b/external/modules/cloudflare/versions.tf
index 376cc1f843..d2c2366f2f 100644
--- a/external/modules/cloudflare/versions.tf
+++ b/external/modules/cloudflare/versions.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 cloudflare = {
 source = "cloudflare/cloudflare"
- version = "~> 3.23.0"
+ version = "~> 3.24.0"
 }
 kubernetes = {
diff --git a/external/versions.tf b/external/versions.tf
index d7256caca8..3dea33289a 100644
--- a/external/versions.tf
+++ b/external/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = "~> 1.2.0"
+ required_version = "~> 1.3.0"
 backend "local" {
@@ -8,7 +8,7 @@ terraform {
 required_providers {
 cloudflare = {
 source = "cloudflare/cloudflare"
- version = "~> 3.23.0"
+ version = "~> 3.24.0"
 }
 b2 = {
diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml
index c8c9de20a5..df2d5a5ed4 100644
--- a/home/homeassistant/values.yaml
+++ b/home/homeassistant/values.yaml
@@ -3,7 +3,7 @@ home-assistant:
 # -- image repository
 repository: homeassistant/home-assistant
 # -- image tag
- tag: 2022.9.4
+ tag: 2022.9.6
 # -- image pull policy
 pullPolicy: IfNotPresent
diff --git a/home/mariadb/Chart.yaml b/home/mariadb/Chart.yaml
index 1d2089019a..dda9fd2867 100644
--- a/home/mariadb/Chart.yaml
+++ b/home/mariadb/Chart.yaml
@@ -3,5 +3,5 @@ name: mariadb
 version: 0.0.0
 dependencies:
 - name: mariadb
- version: 11.3.0
+ version: 11.3.1
 repository: https://charts.bitnami.com/bitnami
\ No newline at end of file
diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml
index 26e61be88c..c14aed2a03 100644
--- a/home/nextcloud/values.yaml
+++ b/home/nextcloud/values.yaml
@@ -5,7 +5,7 @@ nextcloud:
 ##
 image:
 repository: nextcloud
- tag: 24.0.4-fpm-alpine
+ tag: 24.0.5-fpm-alpine
 pullPolicy: IfNotPresent
 # pullSecrets:
 # - myRegistrKeySecretName
diff --git a/platform/authentik/Chart.yaml b/platform/authentik/Chart.yaml
index 9041925627..1ec2cb0878 100644
--- a/platform/authentik/Chart.yaml
+++ b/platform/authentik/Chart.yaml
@@ -3,5 +3,5 @@ name: authentik
 version: 0.0.0
 dependencies:
 - name: authentik
- version: 2022.8.3
+ version: 2022.9.0
 repository: https://charts.goauthentik.io
diff --git a/platform/dex/Chart.yaml b/platform/dex/Chart.yaml
index 22c8005947..e21fd0283b 100644
--- a/platform/dex/Chart.yaml
+++ b/platform/dex/Chart.yaml
@@ -3,5 +3,5 @@ name: dex
 version: 0.0.0
 dependencies:
 - name: dex
- version: 0.11.0
+ version: 0.11.1
 repository: https://charts.dexidp.io
diff --git a/platform/vault/files/generate-secrets/go.mod b/platform/vault/files/generate-secrets/go.mod
index 5dab317424..01cc78f02e 100644
--- a/platform/vault/files/generate-secrets/go.mod
+++ b/platform/vault/files/generate-secrets/go.mod
@@ -3,7 +3,7 @@ module git.khuedoan.com/khuedoan/homelab/vault/init
 go 1.19
 require (
- github.com/hashicorp/vault/api v1.7.2
+ github.com/hashicorp/vault/api v1.8.0
 github.com/sethvargo/go-password v0.2.0
 gopkg.in/yaml.v2 v2.4.0
 )
@@ -31,7 +31,7 @@ require (
 github.com/hashicorp/go-version v1.2.0 // indirect
 github.com/hashicorp/golang-lru v0.5.4 // indirect
 github.com/hashicorp/hcl v1.0.0 // indirect
- github.com/hashicorp/vault/sdk v0.5.1 // indirect
+ github.com/hashicorp/vault/sdk v0.6.0 // indirect
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb // indirect
 github.com/mattn/go-colorable v0.1.6 // indirect
 github.com/mattn/go-isatty v0.0.12 // indirect
diff --git a/platform/vault/files/generate-secrets/go.sum b/platform/vault/files/generate-secrets/go.sum
index c2528f808e..b70117e308 100644
--- a/platform/vault/files/generate-secrets/go.sum
+++ b/platform/vault/files/generate-secrets/go.sum
@@ -136,10 +136,14 @@ github.com/hashicorp/vault/api v1.5.0 h1:Bp6yc2bn7CWkOrVIzFT/Qurzx528bdavF3nz590
 github.com/hashicorp/vault/api v1.5.0/go.mod h1:LkMdrZnWNrFaQyYYazWVn7KshilfDidgVBq6YiTq/bM=
 github.com/hashicorp/vault/api v1.7.2 h1:kawHE7s/4xwrdKbkmwQi0wYaIeUhk5ueek7ljuezCVQ=
 github.com/hashicorp/vault/api v1.7.2/go.mod h1:xbfA+1AvxFseDzxxdWaL0uO99n1+tndus4GCrtouy0M=
+github.com/hashicorp/vault/api v1.8.0 h1:7765sW1XBt+qf4XKIYE4ebY9qc/yi9V2/egzGSUNMZU=
+github.com/hashicorp/vault/api v1.8.0/go.mod h1:uJrw6D3y9Rv7hhmS17JQC50jbPDAZdjZoTtrCCxxs7E=
 github.com/hashicorp/vault/sdk v0.4.1 h1:3SaHOJY687jY1fnB61PtL0cOkKItphrbLmux7T92HBo=
 github.com/hashicorp/vault/sdk v0.4.1/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0=
 github.com/hashicorp/vault/sdk v0.5.1 h1:zly/TmNgOXCGgWIRA8GojyXzG817POtVh3uzIwzZx+8=
 github.com/hashicorp/vault/sdk v0.5.1/go.mod h1:DoGraE9kKGNcVgPmTuX357Fm6WAx1Okvde8Vp3dPDoU=
+github.com/hashicorp/vault/sdk v0.6.0 h1:6Z+In5DXHiUfZvIZdMx7e2loL1PPyDjA4bVh9ZTIAhs=
+github.com/hashicorp/vault/sdk v0.6.0/go.mod h1:+DRpzoXIdMvKc88R4qxr+edwy/RvH5QK8itmxLiDHLc=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb h1:b5rjCoWHc7eqmAS4/qyk21ZsHyb6Mxv/jykxvNTkU4M=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
diff --git a/system/metallb-system/Chart.yaml b/system/metallb-system/Chart.yaml
index 0ea1132276..5dd7594eb1 100644
--- a/system/metallb-system/Chart.yaml
+++ b/system/metallb-system/Chart.yaml
@@ -3,5 +3,5 @@ name: metallb
 version: 0.0.0
 dependencies:
 - name: metallb
- version: 4.1.2
+ version: 4.1.3
 repository: https://charts.bitnami.com/bitnami
From 15ed1e68f655aa8c5e6cc68e11c644101e4e8922 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 5 Oct 2022 00:46:49 +0000
Subject: [PATCH 291/334] chore(deps): update helm release hajimari to v2
---
 apps/hajimari/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/hajimari/Chart.yaml b/apps/hajimari/Chart.yaml
index be25f924f7..dfae8c78b2 100644
--- a/apps/hajimari/Chart.yaml
+++ b/apps/hajimari/Chart.yaml
@@ -3,5 +3,5 @@ name: hajimari
 version: 0.0.0
 dependencies:
 - name: hajimari
- version: 1.2.0
+ version: 2.0.2
 repository: https://hajimari.io
From e8bab065643e5a08c2c5eff41cfe13cc9b59c9b9 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 21 Oct 2022 12:24:33 +0000
Subject: [PATCH 292/334] chore(deps): update helm release redis to v17
---
 home/redis/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/home/redis/Chart.yaml b/home/redis/Chart.yaml
index f62e2d70bc..dd184e42af 100644
--- a/home/redis/Chart.yaml
+++ b/home/redis/Chart.yaml
@@ -3,5 +3,5 @@ name: redis
 version: 0.0.0
 dependencies:
 - name: redis
- version: 16.13.2
+ version: 17.3.7
 repository: https://charts.bitnami.com/bitnami
\ No newline at end of file
From ac643be28e7be5347906ef6e4997b0551f230bbc Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sat, 22 Oct 2022 22:00:47 +0000
Subject: [PATCH 293/334] chore(deps): update all non-major dependencies
---
 .tekton/tasks/external.yaml | 2 +-
 .tekton/tasks/lint.yaml | 2 +-
 bootstrap/argocd/Chart.yaml | 2 +-
 external/modules/cloudflare/versions.tf | 4 ++--
 external/versions.tf | 4 ++--
 home/homeassistant/values.yaml | 4 ++--
 home/mariadb/Chart.yaml | 2 +-
 home/nextcloud/values.yaml | 4 ++--
 home/pihole/values.yaml | 2 +-
 home/postgresql/Chart.yaml | 2 +-
 platform/authentik/Chart.yaml | 2 +-
 platform/dex/Chart.yaml | 2 +-
 platform/external-secrets/Chart.yaml | 2 +-
 platform/gitea/Chart.yaml | 2 +-
 platform/vault/files/generate-secrets/go.mod | 2 +-
 platform/vault/files/generate-secrets/go.sum | 2 ++
 system/cert-manager/Chart.yaml | 2 +-
 system/descheduler/Chart.yaml | 2 +-
 system/ingress-nginx/Chart.yaml | 2 +-
 system/ingress-traefik/Chart.yaml | 2 +-
 system/longhorn-system/Chart.yaml | 2 +-
 system/metallb-system/Chart.yaml | 2 +-
 test/go.mod | 2 +-
 test/go.sum | 2 ++
 24 files changed, 30 insertions(+), 26 deletions(-)
diff --git a/.tekton/tasks/external.yaml b/.tekton/tasks/external.yaml
index cf5db71725..20a702973e 100644
--- a/.tekton/tasks/external.yaml
+++ b/.tekton/tasks/external.yaml
@@ -6,7 +6,7 @@ spec:
 workspaces:
 - name: source
 stepTemplate:
- image: hashicorp/terraform:1.3.0
+ image: hashicorp/terraform:1.3.3
 workingDir: /workspace/source/external
 volumeMounts:
 - name: terraform-secrets
diff --git a/.tekton/tasks/lint.yaml b/.tekton/tasks/lint.yaml
index c88154da39..0c863ce91d 100644
--- a/.tekton/tasks/lint.yaml
+++ b/.tekton/tasks/lint.yaml
@@ -20,7 +20,7 @@ spec:
 args:
 - .
 - name: terraform
- image: hashicorp/terraform:1.3.0
+ image: hashicorp/terraform:1.3.3
 command:
 - terraform
 args:
diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml
index 49a4a27322..dc2ed6e9fe 100644
--- a/bootstrap/argocd/Chart.yaml
+++ b/bootstrap/argocd/Chart.yaml
@@ -3,5 +3,5 @@ name: argocd
 version: 0.0.0
 dependencies:
 - name: argo-cd
- version: 5.5.5
+ version: 5.6.3
 repository: https://argoproj.github.io/argo-helm
diff --git a/external/modules/cloudflare/versions.tf b/external/modules/cloudflare/versions.tf
index d2c2366f2f..7bb8a88006 100644
--- a/external/modules/cloudflare/versions.tf
+++ b/external/modules/cloudflare/versions.tf
@@ -2,12 +2,12 @@ terraform {
 required_providers {
 cloudflare = {
 source = "cloudflare/cloudflare"
- version = "~> 3.24.0"
+ version = "~> 3.26.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = "~> 2.13.0"
+ version = "~> 2.14.0"
 }
 http = {
diff --git a/external/versions.tf b/external/versions.tf
index 3dea33289a..28e9c47b36 100644
--- a/external/versions.tf
+++ b/external/versions.tf
@@ -8,7 +8,7 @@ terraform {
 required_providers {
 cloudflare = {
 source = "cloudflare/cloudflare"
- version = "~> 3.24.0"
+ version = "~> 3.26.0"
 }
 b2 = {
@@ -19,7 +19,7 @@ terraform {
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = "~> 2.13.0"
+ version = "~> 2.14.0"
 }
 http = {
diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml
index df2d5a5ed4..a802d3cc8a 100644
--- a/home/homeassistant/values.yaml
+++ b/home/homeassistant/values.yaml
@@ -3,7 +3,7 @@ home-assistant:
 # -- image repository
 repository: homeassistant/home-assistant
 # -- image tag
- tag: 2022.9.6
+ tag: 2022.10.5
 # -- image pull policy
 pullPolicy: IfNotPresent
@@ -138,7 +138,7 @@ home-assistant:
 enabled: true
 image:
 repository: codercom/code-server
- tag: 4.7.0
+ tag: 4.7.1
 workingDir: "/config"
 args:
 - --auth
diff --git a/home/mariadb/Chart.yaml b/home/mariadb/Chart.yaml
index dda9fd2867..a920b6af7a 100644
--- a/home/mariadb/Chart.yaml
+++ b/home/mariadb/Chart.yaml
@@ -3,5 +3,5 @@ name: mariadb
 version: 0.0.0
 dependencies:
 - name: mariadb
- version: 11.3.1
+ version: 11.3.3
 repository: https://charts.bitnami.com/bitnami
\ No newline at end of file
diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml
index c14aed2a03..25217b8f41 100644
--- a/home/nextcloud/values.yaml
+++ b/home/nextcloud/values.yaml
@@ -5,7 +5,7 @@ nextcloud:
 ##
 image:
 repository: nextcloud
- tag: 24.0.5-fpm-alpine
+ tag: 24.0.6-fpm-alpine
 pullPolicy: IfNotPresent
 # pullSecrets:
 # - myRegistrKeySecretName
@@ -443,7 +443,7 @@ nextcloud:
 image:
 repository: xperimental/nextcloud-exporter
- tag: 0.5.1
+ tag: 0.6.0
 pullPolicy: IfNotPresent
 ## Metrics exporter resource requests and limits
diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml
index 3e259d0e81..2f0e24b8bc 100644
--- a/home/pihole/values.yaml
+++ b/home/pihole/values.yaml
@@ -19,7 +19,7 @@ pihole:
 # -- the repostory to pull the image from
 repository: "pihole/pihole"
 # -- the docker tag, if left empty it will get it from the chart's appVersion
- tag: "2022.09"
+ tag: "2022.10"
 # -- the pull policy
 pullPolicy: IfNotPresent
diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml
index 7e48409fee..a8a524072a 100644
--- a/home/postgresql/Chart.yaml
+++ b/home/postgresql/Chart.yaml
@@ -3,5 +3,5 @@ name: postgresql
 version: 0.0.0
 dependencies:
 - name: postgresql
- version: 11.9.1
+ version: 11.9.11
 repository: https://charts.bitnami.com/bitnami
\ No newline at end of file
diff --git a/platform/authentik/Chart.yaml b/platform/authentik/Chart.yaml
index 1ec2cb0878..40ea502a17 100644
--- a/platform/authentik/Chart.yaml
+++ b/platform/authentik/Chart.yaml
@@ -3,5 +3,5 @@ name: authentik
 version: 0.0.0
 dependencies:
 - name: authentik
- version: 2022.9.0
+ version: 2022.10.0
 repository: https://charts.goauthentik.io
diff --git a/platform/dex/Chart.yaml b/platform/dex/Chart.yaml
index e21fd0283b..23913af1ee 100644
--- a/platform/dex/Chart.yaml
+++ b/platform/dex/Chart.yaml
@@ -3,5 +3,5 @@ name: dex
 version: 0.0.0
 dependencies:
 - name: dex
- version: 0.11.1
+ version: 0.12.1
 repository: https://charts.dexidp.io
diff --git a/platform/external-secrets/Chart.yaml b/platform/external-secrets/Chart.yaml
index b73da88ef0..71bd31c357 100644
--- a/platform/external-secrets/Chart.yaml
+++ b/platform/external-secrets/Chart.yaml
@@ -3,5 +3,5 @@ name: external-secrets
 version: 0.0.0
 dependencies:
 - name: external-secrets
- version: 0.5.9
+ version: 0.6.0
 repository: https://charts.external-secrets.io
diff --git a/platform/gitea/Chart.yaml b/platform/gitea/Chart.yaml
index d6e299e0e5..0a8048840a 100644
--- a/platform/gitea/Chart.yaml
+++ b/platform/gitea/Chart.yaml
@@ -3,5 +3,5 @@ name: gitea
 version: 0.0.0
 dependencies:
 - name: gitea
- version: 6.0.1
+ version: 6.0.3
 repository: https://dl.gitea.io/charts/
diff --git a/platform/vault/files/generate-secrets/go.mod b/platform/vault/files/generate-secrets/go.mod
index 01cc78f02e..d2a4baa942 100644
--- a/platform/vault/files/generate-secrets/go.mod
+++ b/platform/vault/files/generate-secrets/go.mod
@@ -3,7 +3,7 @@ module git.khuedoan.com/khuedoan/homelab/vault/init
 go 1.19
 require (
- github.com/hashicorp/vault/api v1.8.0
+ github.com/hashicorp/vault/api v1.8.1
 github.com/sethvargo/go-password v0.2.0
 gopkg.in/yaml.v2 v2.4.0
 )
diff --git a/platform/vault/files/generate-secrets/go.sum b/platform/vault/files/generate-secrets/go.sum
index b70117e308..ad7acdee87 100644
--- a/platform/vault/files/generate-secrets/go.sum
+++ b/platform/vault/files/generate-secrets/go.sum
@@ -138,6 +138,8 @@ github.com/hashicorp/vault/api v1.7.2 h1:kawHE7s/4xwrdKbkmwQi0wYaIeUhk5ueek7ljue github.com/hashicorp/vault/api v1.7.2/go.mod h1:xbfA+1AvxFseDzxxdWaL0uO99n1+tndus4GCrtouy0M= github.com/hashicorp/vault/api v1.8.0 h1:7765sW1XBt+qf4XKIYE4ebY9qc/yi9V2/egzGSUNMZU= github.com/hashicorp/vault/api v1.8.0/go.mod h1:uJrw6D3y9Rv7hhmS17JQC50jbPDAZdjZoTtrCCxxs7E= +github.com/hashicorp/vault/api v1.8.1 h1:bMieWIe6dAlqAAPReZO/8zYtXaWUg/21umwqGZpEjCI= +github.com/hashicorp/vault/api v1.8.1/go.mod h1:uJrw6D3y9Rv7hhmS17JQC50jbPDAZdjZoTtrCCxxs7E= github.com/hashicorp/vault/sdk v0.4.1 h1:3SaHOJY687jY1fnB61PtL0cOkKItphrbLmux7T92HBo= github.com/hashicorp/vault/sdk v0.4.1/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0= github.com/hashicorp/vault/sdk v0.5.1 h1:zly/TmNgOXCGgWIRA8GojyXzG817POtVh3uzIwzZx+8= diff --git a/system/cert-manager/Chart.yaml b/system/cert-manager/Chart.yaml index 4b3e2f4158..ec927e363a 100644 --- a/system/cert-manager/Chart.yaml +++ b/system/cert-manager/Chart.yaml @@ -3,5 +3,5 @@ name: cert-manager version: 0.0.0 dependencies: - name: cert-manager - version: v1.9.1 + version: v1.10.0 repository: https://charts.jetstack.io diff --git a/system/descheduler/Chart.yaml b/system/descheduler/Chart.yaml index c8b82dec4b..e2c8eb0a40 100644 --- a/system/descheduler/Chart.yaml +++ b/system/descheduler/Chart.yaml @@ -3,5 +3,5 @@ name: descheduler version: 0.0.0 dependencies: - name: descheduler - version: 0.25.0 + version: 0.25.2 repository: https://kubernetes-sigs.github.io/descheduler/ diff --git a/system/ingress-nginx/Chart.yaml b/system/ingress-nginx/Chart.yaml index f8599529ad..f847d4921e 100644 --- a/system/ingress-nginx/Chart.yaml +++ b/system/ingress-nginx/Chart.yaml @@ -3,5 +3,5 @@ name: ingress-nginx version: 0.0.0 dependencies: - name: ingress-nginx - version: 4.2.5 + version: 4.3.0 repository: https://kubernetes.github.io/ingress-nginx 
diff --git a/system/ingress-traefik/Chart.yaml b/system/ingress-traefik/Chart.yaml index e868fc341a..784e43eecc 100644 --- a/system/ingress-traefik/Chart.yaml +++ b/system/ingress-traefik/Chart.yaml @@ -3,5 +3,5 @@ name: ingress-traefik version: 0.0.0 dependencies: - name: traefik - version: 10.24.3 + version: 10.33.0 repository: https://helm.traefik.io/traefik diff --git a/system/longhorn-system/Chart.yaml b/system/longhorn-system/Chart.yaml index aa6b7887bc..fe551d7974 100644 --- a/system/longhorn-system/Chart.yaml +++ b/system/longhorn-system/Chart.yaml @@ -3,5 +3,5 @@ name: longhorn version: 0.0.0 dependencies: - name: longhorn - version: 1.3.1 + version: 1.3.2 repository: https://charts.longhorn.io diff --git a/system/metallb-system/Chart.yaml b/system/metallb-system/Chart.yaml index 5dd7594eb1..8b0472bd1b 100644 --- a/system/metallb-system/Chart.yaml +++ b/system/metallb-system/Chart.yaml @@ -3,5 +3,5 @@ name: metallb version: 0.0.0 dependencies: - name: metallb - version: 4.1.3 + version: 4.1.8 repository: https://charts.bitnami.com/bitnami diff --git a/test/go.mod b/test/go.mod index d711475b1a..f236ad864b 100644 --- a/test/go.mod +++ b/test/go.mod @@ -2,7 +2,7 @@ module git.khuedoan.com/ops/homelab go 1.19 -require github.com/gruntwork-io/terratest v0.40.22 +require github.com/gruntwork-io/terratest v0.40.24 require ( cloud.google.com/go v0.83.0 // indirect diff --git a/test/go.sum b/test/go.sum index c218caf597..6fce8ddac3 100644 --- a/test/go.sum +++ b/test/go.sum 
@@ -222,6 +222,8 @@ github.com/gruntwork-io/terratest v0.40.20 h1:pco6s3b62h2Yd13N+HvHQVTAk3aPRz4sdo github.com/gruntwork-io/terratest v0.40.20/go.mod h1:JGeIGgLbxbG9/Oqm06z6YXVr76CfomdmLkV564qov+8= github.com/gruntwork-io/terratest v0.40.22 h1:qHIk+feNFspZQK2UTeH+zeMGfTfSuRduU10RCMMTveg= github.com/gruntwork-io/terratest v0.40.22/go.mod h1:JGeIGgLbxbG9/Oqm06z6YXVr76CfomdmLkV564qov+8= +github.com/gruntwork-io/terratest v0.40.24 h1:vxVi714rX+joBLrxBVnbMzSYQ2srIfXzjqvImHl6Rtk= +github.com/gruntwork-io/terratest v0.40.24/go.mod h1:JGeIGgLbxbG9/Oqm06z6YXVr76CfomdmLkV564qov+8= github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= From 1257cc1d9bfdce7057bc014970ec2dd6bf2afe23 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 23 Oct 2022 07:13:17 +0000 Subject: [PATCH 294/334] chore(deps): update helm release traefik to v17 --- system/ingress-traefik/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/ingress-traefik/Chart.yaml b/system/ingress-traefik/Chart.yaml index 784e43eecc..ce2f5f1030 100644 --- a/system/ingress-traefik/Chart.yaml +++ b/system/ingress-traefik/Chart.yaml @@ -3,5 +3,5 @@ name: ingress-traefik version: 0.0.0 dependencies: - name: traefik - version: 10.33.0 + version: 17.0.5 repository: https://helm.traefik.io/traefik From f2a575888bebea8d8fce80b54d077d90bb7cb3c4 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 23 Oct 2022 07:13:23 +0000 Subject: [PATCH 295/334] chore(deps): update nextcloud docker tag to v25 --- home/nextcloud/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/nextcloud/values.yaml b/home/nextcloud/values.yaml index 25217b8f41..4c53aaf9be 100644 
--- a/home/nextcloud/values.yaml +++ b/home/nextcloud/values.yaml @@ -5,7 +5,7 @@ nextcloud: ## image: repository: nextcloud - tag: 24.0.6-fpm-alpine + tag: 25.0.0-fpm-alpine pullPolicy: IfNotPresent # pullSecrets: # - myRegistrKeySecretName From 1c9241c3cd50713df6637f28b080a3b3b9c11fb8 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 23 Oct 2022 13:05:02 +0200 Subject: [PATCH 296/334] Replace site refs --- .ci/pipeline.yaml | 6 +++--- README.md | 14 +++++++------- apps/paperless/values.yaml | 2 +- docs/how-to-guides/updating-documentation.md | 4 ++-- docs/how-to-guides/use-both-github-and-gitea.md | 2 +- docs/installation/production/configuration.md | 2 +- docs/installation/production/external-resources.md | 2 +- home/homeassistant/values.yaml | 4 ++-- home/pihole/values.yaml | 2 +- home/plex/values.yaml | 2 +- platform/gitea/files/config/go.mod | 2 +- platform/vault/files/generate-secrets/go.mod | 2 +- platform/vault/templates/cr.yaml | 2 +- scripts/configure | 2 +- scripts/hacks | 2 +- scripts/take-screenshots | 14 +++++++------- test/go.mod | 2 +- 17 files changed, 33 insertions(+), 33 deletions(-) diff --git a/.ci/pipeline.yaml b/.ci/pipeline.yaml index 44ac3e52e0..ae3bbedf93 100644 --- a/.ci/pipeline.yaml +++ b/.ci/pipeline.yaml @@ -34,7 +34,7 @@ spec: - name: CONTEXT value: ./tools - name: IMAGE - value: registry.khuedoan.com/tools:latest + value: registry.jupiter.mein.nl/tools:latest - name: EXTRA_ARGS value: - --cache=true @@ -49,7 +49,7 @@ spec: workspaces: - name: source stepTemplate: - image: registry.khuedoan.com/tools:latest + image: registry.jupiter.mein.nl/tools:latest workingDir: /workspace/source steps: - name: run @@ -74,7 +74,7 @@ spec: secret: secretName: terraform-secrets stepTemplate: - image: registry.khuedoan.com/tools:latest + image: registry.jupiter.mein.nl/tools:latest workingDir: /workspace/source/external volumeMounts: - name: terraform-secrets diff --git a/README.md b/README.md index 1375fc6494..142561d6f5 100644 --- a/README.md 
+++ b/README.md @@ -1,9 +1,9 @@ # Jupiter Mein Homelab - Fork from Khuedoan -**[Features](#features) • [Get Started](#get-started) • [Documentation](https://homelab.khuedoan.com)** +**[Features](#features) • [Get Started](#get-started) • [Documentation](https://homelab.jupiter.mein.nl)** [![tag](https://img.shields.io/github/v/tag/khuedoan/homelab?style=flat-square&logo=semver&logoColor=white)](https://github.com/khuedoan/homelab/tags) -[![document](https://img.shields.io/website?label=document&logo=gitbook&logoColor=white&style=flat-square&url=https%3A%2F%2Fhomelab.khuedoan.com)](https://homelab.khuedoan.com) +[![document](https://img.shields.io/website?label=document&logo=gitbook&logoColor=white&style=flat-square&url=https%3A%2F%2Fhomelab.jupiter.mein.nl)](https://homelab.jupiter.mein.nl) [![license](https://img.shields.io/github/license/khuedoan/homelab?style=flat-square&logo=gnu&logoColor=white)](https://www.gnu.org/licenses/gpl-3.0.html) [![stars](https://img.shields.io/github/stars/khuedoan/homelab?logo=github&logoColor=white&color=gold&style=flat-square)](https://github.com/khuedoan/homelab) 
@@ -217,25 +217,25 @@ They can't capture all the project's features, but they are sufficient to get a ## Get Started -- [Try it out locally](https://homelab.khuedoan.com/installation/sandbox) without any hardware (just 4 commands!) -- [Deploy on real hardware](https://homelab.khuedoan.com/installation/production/prerequisites) for production workload +- [Try it out locally](https://homelab.jupiter.mein.nl/installation/sandbox) without any hardware (just 4 commands!) +- [Deploy on real hardware](https://homelab.jupiter.mein.nl/installation/production/prerequisites) for production workload ## Roadmap -See [roadmap](https://homelab.khuedoan.com/reference/roadmap) and [open issues](https://github.com/khuedoan/homelab/issues) for a list of proposed features and known issues. +See [roadmap](https://homelab.jupiter.mein.nl/reference/roadmap) and [open issues](https://github.com/khuedoan/homelab/issues) for a list of proposed features and known issues. ## Contributing Any contributions you make are greatly appreciated. -Please see [contributing guide](https://homelab.khuedoan.com/reference/contributing) for more information. +Please see [contributing guide](https://homelab.jupiter.mein.nl/reference/contributing) for more information. ## License Copyright © 2020 - 2022 Khue Doan Distributed under the GPLv3 License. -See [license page](https://homelab.khuedoan.com/reference/license) or `LICENSE.md` file for more information. +See [license page](https://homelab.jupiter.mein.nl/reference/license) or `LICENSE.md` file for more information. ## Acknowledgements diff --git a/apps/paperless/values.yaml b/apps/paperless/values.yaml index 09fa82ed66..bee0d4282a 100644 --- a/apps/paperless/values.yaml +++ b/apps/paperless/values.yaml @@ -67,7 +67,7 @@ paperless: hajimari.io/appName: Paperless hajimari.io/icon: file-document hosts: - - host: &host paperless.khuedoan.com + - host: &host paperless.jupiter.mein.nl paths: - path: / pathType: Prefix 
diff --git a/docs/how-to-guides/updating-documentation.md b/docs/how-to-guides/updating-documentation.md index e214567511..adaafdf7be 100644 --- a/docs/how-to-guides/updating-documentation.md +++ b/docs/how-to-guides/updating-documentation.md @@ -1,7 +1,7 @@ # Updating documentation (this website) This project uses the [Diátaxis](https://diataxis.fr) technical documentation framework. -The website is generated using [Material for MkDocs](https://squidfunk.github.io/mkdocs-material) and can be viewed at [homelab.khuedoan.com](https://homelab.khuedoan.com). +The website is generated using [Material for MkDocs](https://squidfunk.github.io/mkdocs-material) and can be viewed at [homelab.jupiter.mein.nl](https://homelab.jupiter.mein.nl). There are 4 main parts: @@ -34,7 +34,7 @@ It's running on my other cluster in the [khuedoan/horus](https://github.com/khue - + diff --git a/docs/how-to-guides/use-both-github-and-gitea.md b/docs/how-to-guides/use-both-github-and-gitea.md index d4f6577267..b173039b08 100644 --- a/docs/how-to-guides/use-both-github-and-gitea.md +++ b/docs/how-to-guides/use-both-github-and-gitea.md @@ -5,7 +5,7 @@ Even though we self-host Gitea, you may still want to use GitHub as a backup and Add both push URLs (replace my repositories with yours): ```sh -git remote set-url --add --push origin git@git.khuedoan.com:ops/homelab +git remote set-url --add --push origin git@git.jupiter.mein.nl:ops/homelab git remote set-url --add --push origin git@github.com:khuedoan/homelab ``` diff --git a/docs/installation/production/configuration.md b/docs/installation/production/configuration.md index 5df750f335..cb405fea0e 100644 --- a/docs/installation/production/configuration.md +++ b/docs/installation/production/configuration.md 
@@ -31,7 +31,7 @@ make configure ``` Text editor (nvim): Enter seed repo (github.com/khuedoan/homelab): github.com/example/homelab - Enter your domain (khuedoan.com): example.com + Enter your domain (jupiter.mein.nl): example.com ``` It will prompt you to edit the inventory: diff --git a/docs/installation/production/external-resources.md b/docs/installation/production/external-resources.md index 6704e82aa6..0534ea93f1 100644 --- a/docs/installation/production/external-resources.md +++ b/docs/installation/production/external-resources.md @@ -43,7 +43,7 @@ If you decide to use a [different Terraform backend](https://www.terraform.io/la - + diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index a802d3cc8a..83ec1ff207 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -31,7 +31,7 @@ home-assistant: nginx.org/websocket-services: home-assistant cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host homeassistant.europa.jupiter.mein.nl + - host: &host homeassistant.jupiter.mein.nl paths: - path: / pathType: Prefix @@ -154,7 +154,7 @@ home-assistant: cert-manager.io/cluster-issuer: letsencrypt-prod nginx.org/websocket-services: home-assistant hosts: - - host: &config homeassistant-config.europa.jupiter.mein.nl + - host: &config homeassistant-config.jupiter.mein.nl paths: - path: / pathType: Prefix diff --git a/home/pihole/values.yaml b/home/pihole/values.yaml index 2f0e24b8bc..23eec81ba0 100644 --- a/home/pihole/values.yaml +++ b/home/pihole/values.yaml @@ -127,7 +127,7 @@ pihole: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - &host pihole.europa.jupiter.mein.nl + - &host pihole.jupiter.mein.nl path: / tls: - secretName: pihole-tls-certificate diff --git a/home/plex/values.yaml b/home/plex/values.yaml index c74df32c6a..23549d352d 100644 --- a/home/plex/values.yaml +++ b/home/plex/values.yaml 
@@ -71,7 +71,7 @@ plex: annotations: cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host plex.europa.jupiter.mein.nl + - host: &host plex.jupiter.mein.nl paths: - path: / pathType: Prefix diff --git a/platform/gitea/files/config/go.mod b/platform/gitea/files/config/go.mod index ea70d854f6..de975dfb85 100644 --- a/platform/gitea/files/config/go.mod +++ b/platform/gitea/files/config/go.mod @@ -1,4 +1,4 @@ -module git.khuedoan.com/khuedoan/homelab/gitea/config +module git.jupiter.mein.nl/khuedoan/homelab/gitea/config go 1.19 diff --git a/platform/vault/files/generate-secrets/go.mod b/platform/vault/files/generate-secrets/go.mod index d2a4baa942..7927c4f722 100644 --- a/platform/vault/files/generate-secrets/go.mod +++ b/platform/vault/files/generate-secrets/go.mod @@ -1,4 +1,4 @@ -module git.khuedoan.com/khuedoan/homelab/vault/init +module git.jupiter.mein.nl/khuedoan/homelab/vault/init go 1.19 diff --git a/platform/vault/templates/cr.yaml b/platform/vault/templates/cr.yaml index a490f334fb..1cb2c8bea3 100644 --- a/platform/vault/templates/cr.yaml +++ b/platform/vault/templates/cr.yaml @@ -74,7 +74,7 @@ spec: spec: ingressClassName: nginx rules: - - host: &host vault.khuedoan.com + - host: &host vault.jupiter.mein.nl http: paths: - backend: diff --git a/scripts/configure b/scripts/configure index d7f6afadfd..b2bc105976 100755 --- a/scripts/configure +++ b/scripts/configure @@ -14,7 +14,7 @@ import sys from rich.prompt import Confirm, Prompt default_seed_repo = "https://github.com/khuedoan/homelab" -default_domain = "khuedoan.com" +default_domain = "jupiter.mein.nl" default_timezone = "Asia/Ho_Chi_Minh" default_terraform_workspace = "khuedoan" diff --git a/scripts/hacks b/scripts/hacks index 9cbd48a029..2a1079d980 100755 --- a/scripts/hacks +++ b/scripts/hacks 
@@ -13,7 +13,7 @@ import sys from rich.console import Console from kubernetes import client, config -# https://git.khuedoan.com/user/settings/applications +# https://git.jupiter.mein.nl/user/settings/applications # Doing this properly inside the cluster requires: # - Kubernetes service account # - Vault Kubernetes auth diff --git a/scripts/take-screenshots b/scripts/take-screenshots index 81808ae86a..48674522e3 100755 --- a/scripts/take-screenshots +++ b/scripts/take-screenshots @@ -15,31 +15,31 @@ from selenium import webdriver apps = [ { 'name': 'home', - 'url': 'https://home.khuedoan.com' + 'url': 'https://home.jupiter.mein.nl' }, { 'name': 'gitea', - 'url': 'https://git.khuedoan.com/ops/homelab' + 'url': 'https://git.jupiter.mein.nl/ops/homelab' }, { 'name': 'argocd', - 'url': 'https://argocd.khuedoan.com/applications/root' + 'url': 'https://argocd.jupiter.mein.nl/applications/root' }, { 'name': 'vault', - 'url': 'https://vault.khuedoan.com/ui/vault/secrets' + 'url': 'https://vault.jupiter.mein.nl/ui/vault/secrets' }, { 'name': 'tekton', - 'url': 'https://tekton.khuedoan.com/#/namespaces/tekton-pipelines/pipelineruns/homelab?pipelineTask=external&step=plan' + 'url': 'https://tekton.jupiter.mein.nl/#/namespaces/tekton-pipelines/pipelineruns/homelab?pipelineTask=external&step=plan' }, { 'name': 'matrix', - 'url': 'https://chat.khuedoan.com/#/room/#random:matrix.khuedoan.com' + 'url': 'https://chat.jupiter.mein.nl/#/room/#random:matrix.jupiter.mein.nl' }, { 'name': 'grafana', - 'url': 'https://grafana.khuedoan.com/d/efa86fd1d0c121a26444b636a3f509a8/kubernetes-compute-resources-cluster' # wtf is this ID + 'url': 'https://grafana.jupiter.mein.nl/d/efa86fd1d0c121a26444b636a3f509a8/kubernetes-compute-resources-cluster' # wtf is this ID }, ] diff --git a/test/go.mod b/test/go.mod index 8e1857c785..78f8331fc8 100644 --- a/test/go.mod +++ b/test/go.mod @@ -1,4 +1,4 @@ -module git.khuedoan.com/ops/homelab +module git.jupiter.mein.nl/ops/homelab go 1.19 
From c43e51bbcedd3f0fc9dfbad8e85533df7fb9d02c Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 23 Oct 2022 13:20:20 +0200 Subject: [PATCH 297/334] Timezone fixes and enabled kured --- disable/kured/Chart.yaml | 7 ------- disable/kured/values.yaml | 5 ----- metal/roles/pxe_server/defaults/main.yml | 2 +- scripts/configure | 2 +- system/kured/Chart.yaml | 4 ++-- system/kured/values.yaml | 2 +- 6 files changed, 5 insertions(+), 17 deletions(-) delete mode 100644 disable/kured/Chart.yaml delete mode 100644 disable/kured/values.yaml diff --git a/disable/kured/Chart.yaml b/disable/kured/Chart.yaml deleted file mode 100644 index 89de73e370..0000000000 --- a/disable/kured/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -name: kured -version: 0.0.0 -dependencies: -- name: kured - version: 2.13.0 - repository: https://weaveworks.github.io/kured diff --git a/disable/kured/values.yaml b/disable/kured/values.yaml deleted file mode 100644 index 27797e2e06..0000000000 --- a/disable/kured/values.yaml +++ /dev/null @@ -1,5 +0,0 @@ -kured: - configuration: - annotateNodes: true - rebootSentinelCommand: sh -c "! needs-restarting --reboothint" - timeZone: Asia/Ho_Chi_Minh diff --git a/metal/roles/pxe_server/defaults/main.yml b/metal/roles/pxe_server/defaults/main.yml index 465e497698..b9025eda5f 100644 --- a/metal/roles/pxe_server/defaults/main.yml +++ b/metal/roles/pxe_server/defaults/main.yml @@ -1,4 +1,4 @@ iso_url: "https://download.fedoraproject.org/pub/fedora/linux/releases/36/Server/x86_64/iso/Fedora-Server-dvd-x86_64-36-1.5.iso" iso_checksum: "sha256:5edaf708a52687b09f9810c2b6d2a3432edac1b18f4d8c908c0da6bde0379148" -timezone: Asia/Ho_Chi_Minh +timezone: Europe/Amsterdam dhcp_proxy: true diff --git a/scripts/configure b/scripts/configure index b2bc105976..45b261581a 100755 --- a/scripts/configure +++ b/scripts/configure 
@@ -15,7 +15,7 @@ from rich.prompt import Confirm, Prompt default_seed_repo = "https://github.com/khuedoan/homelab" default_domain = "jupiter.mein.nl" -default_timezone = "Asia/Ho_Chi_Minh" +default_timezone = "Europe/Amsterdam" default_terraform_workspace = "khuedoan" diff --git a/system/kured/Chart.yaml b/system/kured/Chart.yaml index 3ceb62652d..6f53b60ef5 100644 --- a/system/kured/Chart.yaml +++ b/system/kured/Chart.yaml @@ -3,5 +3,5 @@ name: kured version: 0.0.0 dependencies: - name: kured - version: 3.0.1 - repository: https://weaveworks.github.io/kured + version: 4.0.2 + repository: https://kubereboot.github.io/charts diff --git a/system/kured/values.yaml b/system/kured/values.yaml index 27797e2e06..7f6d51f644 100644 --- a/system/kured/values.yaml +++ b/system/kured/values.yaml @@ -2,4 +2,4 @@ kured: configuration: annotateNodes: true rebootSentinelCommand: sh -c "! needs-restarting --reboothint" - timeZone: Asia/Ho_Chi_Minh + timeZone: Europe/Amsterdam From c7066facb65d8aaca88f1753506bb09bea369c8e Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 23 Oct 2022 13:36:05 +0200 Subject: [PATCH 298/334] Dex secret ref --- platform/dex/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/dex/values.yaml b/platform/dex/values.yaml index 159b099baf..09213a00d8 100644 --- a/platform/dex/values.yaml +++ b/platform/dex/values.yaml @@ -24,7 +24,7 @@ dex: secretEnv: GRAFANA_SSO_CLIENT_SECRET envFrom: - secretRef: - name: dex-secrets + name: config ingress: enabled: true className: nginx From 1296f411906a6cc3d0ebdfe0eb5b06ae94d6da37 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 23 Oct 2022 13:45:37 +0200 Subject: [PATCH 299/334] Fixing DEX with Vault --- platform/dex/secret.yaml | 11 ----------- platform/dex/values.yaml | 2 +- 2 files changed, 1 insertion(+), 12 deletions(-) delete mode 100644 platform/dex/secret.yaml 
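Review bot: The kured chart dependency in `system/kured/Chart.yaml` now resolves from a different Helm repository (`https://kubereboot.github.io/charts` instead of `https://weaveworks.github.io/kured`) together with the 3.0.1 → 4.0.2 bump, but the commit message ("Timezone fixes and enabled kured") does not mention the change of source. Switching the repository a chart is fetched from is a trust change, so the commit should record that this appears to be the project's relocated upstream (kured moved to the kubereboot organisation) and that the new index was checked to serve the intended chart, e.g. via the `Chart.lock` digest after `helm dependency update`. The 3.x → 4.x major bump may also have changed values keys; `system/kured/values.yaml` in this commit still uses `configuration.annotateNodes`, `configuration.rebootSentinelCommand` and `configuration.timeZone`, which should be verified against the 4.0.2 chart's values.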
diff --git a/platform/dex/secret.yaml b/platform/dex/secret.yaml deleted file mode 100644 index ac08d7dad6..0000000000 --- a/platform/dex/secret.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -data: - config.yaml: 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 -kind: Secret -metadata: - creationTimestamp: "2022-02-02T19:01:15Z" - name: config - namespace: dex - resourceVersion: "830248" - uid: cf1f4bad-6f8c-4dde-a57d-07b0eb4113d6 -type: Opaque diff --git a/platform/dex/values.yaml b/platform/dex/values.yaml index 09213a00d8..159b099baf 100644 --- a/platform/dex/values.yaml +++ b/platform/dex/values.yaml @@ -24,7 +24,7 @@ dex: secretEnv: GRAFANA_SSO_CLIENT_SECRET envFrom: - secretRef: - name: config + name: dex-secrets ingress: enabled: true className: nginx From 396d1d45cd85886f16528106783e1baa5954eaca Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 23 Oct 2022 14:07:57 +0200 Subject: [PATCH 300/334] Removed authentik --- platform/authentik/Chart.yaml | 7 ---- platform/authentik/values.yaml | 39 ------------------- ...-secret.yaml.disable => admin-secret.yaml} | 0 ...onfig-job.yaml.disable => config-job.yaml} | 0 4 files changed, 46 deletions(-) delete mode 100644 platform/authentik/Chart.yaml delete mode 100644 platform/authentik/values.yaml rename platform/gitea/templates/{admin-secret.yaml.disable => admin-secret.yaml} (100%) rename platform/gitea/templates/{config-job.yaml.disable => config-job.yaml} (100%) diff --git a/platform/authentik/Chart.yaml b/platform/authentik/Chart.yaml deleted file mode 100644 index 40ea502a17..0000000000 --- a/platform/authentik/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -name: authentik -version: 0.0.0 -dependencies: - - name: authentik - version: 2022.10.0 - repository: https://charts.goauthentik.io diff --git a/platform/authentik/values.yaml b/platform/authentik/values.yaml deleted file mode 100644 index b5fa48857e..0000000000 --- a/platform/authentik/values.yaml +++ /dev/null 
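Review bot: Deleting `platform/dex/secret.yaml` removes a kubectl-exported Kubernetes Secret (it carries live cluster metadata: `creationTimestamp`, `resourceVersion`, `uid`) whose `config.yaml` data had been committed to the repository, but that file and its data remain in git history and in the previous commit's tree. Whatever credentials that Dex config holds (Dex configs typically carry OIDC client and connector secrets) should be treated as exposed and rotated, with the Secret re-created from the `dex-secrets` source that `envFrom.secretRef` is pointed back to in the `values.yaml` hunk. The same applies to the plaintext `secret_key` and `password` values in `platform/authentik/values.yaml` removed by the following commit. A pre-commit or CI check rejecting `kind: Secret` manifests with a populated `data:` block would catch this class of commit before it lands.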
@@ -1,39 +0,0 @@ -authentik: - authentik: - secret_key: dontjudgemethisisjustfortesting # TODO - postgresql: - host: postgresql.postgresql.svc.cluster.local - username: authentik - password: secret # TODO - redis: - host: redis-master.redis.svc.cluster.local - - ingress: - enabled: true - ingressClassName: nginx - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - hosts: - - host: &host authentik.jupiter.mein.nl - paths: - - path: / - pathType: Prefix - tls: - - secretName: authentik-tls-certificate - hosts: - - *host - -#TODO move to shared postgres - postgresql: - enabled: false - postgresqlPassword: test - persistence: - enabled: true - storageClass: longhorn - redis: - enabled: false - master: - persistence: - enabled: true - storageClass: longhorn - size: 1Gi diff --git a/platform/gitea/templates/admin-secret.yaml.disable b/platform/gitea/templates/admin-secret.yaml similarity index 100% rename from platform/gitea/templates/admin-secret.yaml.disable rename to platform/gitea/templates/admin-secret.yaml diff --git a/platform/gitea/templates/config-job.yaml.disable b/platform/gitea/templates/config-job.yaml similarity index 100% rename from platform/gitea/templates/config-job.yaml.disable rename to platform/gitea/templates/config-job.yaml From 23c8a7ba016edea5a40dccc4aee3625c51c1bc9b Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 23 Oct 2022 19:43:08 +0200 Subject: [PATCH 301/334] Re-added Loki --- system/loki/Chart.yaml | 7 +++++++ system/loki/values.yaml | 4 ++++ 2 files changed, 11 insertions(+) create mode 100644 system/loki/Chart.yaml create mode 100644 system/loki/values.yaml diff --git a/system/loki/Chart.yaml b/system/loki/Chart.yaml new file mode 100644 index 0000000000..856a5c0b19 --- /dev/null +++ b/system/loki/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: loki +version: 0.0.0 +dependencies: + - name: loki-stack + version: 2.6.1 + repository: https://grafana.github.io/helm-charts \ No newline at end of file 
diff --git a/system/loki/values.yaml b/system/loki/values.yaml new file mode 100644 index 0000000000..1edd09bc4d --- /dev/null +++ b/system/loki/values.yaml @@ -0,0 +1,4 @@ +loki-stack: + loki: + serviceMonitor: + enabled: true \ No newline at end of file From 36ab8cf963473ce8d61d47544e53dd79bb208939 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 23 Oct 2022 19:44:20 +0200 Subject: [PATCH 302/334] Re-added monitoring --- system/monitoring-system/Chart.yaml | 7 +++++++ system/monitoring-system/values.yaml | 10 +++++----- 2 files changed, 12 insertions(+), 5 deletions(-) create mode 100644 system/monitoring-system/Chart.yaml diff --git a/system/monitoring-system/Chart.yaml b/system/monitoring-system/Chart.yaml new file mode 100644 index 0000000000..bd6007f99b --- /dev/null +++ b/system/monitoring-system/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: kube-prometheus-stack +version: 0.0.0 +dependencies: + - name: kube-prometheus-stack + version: 19.3.0 # TODO upgrade https://github.com/prometheus-community/helm-charts/issues/1500 + repository: https://prometheus-community.github.io/helm-charts diff --git a/system/monitoring-system/values.yaml b/system/monitoring-system/values.yaml index 68840a3b2c..b0aed36a97 100644 --- a/system/monitoring-system/values.yaml +++ b/system/monitoring-system/values.yaml @@ -9,7 +9,7 @@ kube-prometheus-stack: hajimari.io/appName: Grafana hajimari.io/icon: chart-bar hosts: - - &host grafana.jupiter.mein.nl + - &host grafana.khuedoan.com tls: - secretName: grafana-general-tls hosts: @@ -21,7 +21,7 @@ kube-prometheus-stack: envFromSecret: grafana-secrets grafana.ini: server: - root_url: https://grafana.jupiter.mein.nl + root_url: https://grafana.khuedoan.com auth.generic_oauth: enabled: true allow_sign_up: true 
@@ -29,9 +29,9 @@ kube-prometheus-stack: client_id: grafana-sso client_secret: $__env{GRAFANA_SSO_CLIENT_SECRET} scopes: openid profile email groups - auth_url: https://dex.jupiter.mein.nl/auth - token_url: https://dex.jupiter.mein.nl/token - api_url: https://dex.jupiter.mein.nl/userinfo + auth_url: https://dex.khuedoan.com/auth + token_url: https://dex.khuedoan.com/token + api_url: https://dex.khuedoan.com/userinfo prometheus: prometheusSpec: From 4f40438b5defb3f398c121cfbdb82e6869aec020 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 23 Oct 2022 19:45:19 +0200 Subject: [PATCH 303/334] Re-added matrix --- apps/matrix/Chart.yaml | 10 ++++ apps/matrix/values.yaml | 87 ++++++++++++++++++++++++++++ system/monitoring-system/values.yaml | 10 ++-- 3 files changed, 102 insertions(+), 5 deletions(-) create mode 100644 apps/matrix/Chart.yaml create mode 100644 apps/matrix/values.yaml diff --git a/apps/matrix/Chart.yaml b/apps/matrix/Chart.yaml new file mode 100644 index 0000000000..1d31ff27b5 --- /dev/null +++ b/apps/matrix/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +name: elementweb +version: 0.0.0 +dependencies: + - name: elementweb + version: 0.0.3 + repository: https://locmai.github.io/charts # TODO switch to official chart + - name: dendrite + version: 0.0.3 + repository: https://locmai.github.io/charts # TODO switch to official chart diff --git a/apps/matrix/values.yaml b/apps/matrix/values.yaml new file mode 100644 index 0000000000..d996c7cad4 --- /dev/null +++ b/apps/matrix/values.yaml 
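Review bot: `auth_url`, `token_url` and `api_url` are changed to `dex.khuedoan.com`, the upstream author's domain, while the rest of this fork was moved to `jupiter.mein.nl` in the preceding commit; the `hosts` and `root_url` hunks earlier in this file section make the same swap. Since Grafana's generic OAuth flow posts `client_id` and `client_secret` (`$__env{GRAFANA_SSO_CLIENT_SECRET}`) to `token_url`, deploying this revision would send that secret to a host the fork does not control. The following commit reverts these lines, so the remaining action is to confirm this revision was never synced by Argo CD and to rotate `GRAFANA_SSO_CLIENT_SECRET` if it was.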
@@ -0,0 +1,87 @@ +elementweb: + ingress: + enabled: true + className: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + external-dns.alpha.kubernetes.io/target: "homelab-tunnel.khuedoan.com" + external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" + hajimari.io/appName: Chat + hajimari.io/icon: chat + hosts: + - host: &frontend_host chat.khuedoan.com + paths: + - path: / + pathType: Prefix + tls: + - secretName: element-tls-certificate + hosts: + - *frontend_host + config: + default: + base_url: https://matrix.khuedoan.com + server_name: khuedoan.com + +dendrite: + polylith: false + image: + name: "locmai/dendrite-monolith:010922" # TODO switch to official image + pullPolicy: IfNotPresent + configuration: + version: 2 + servername: &backend_host matrix.khuedoan.com + database: + host: matrix-postgresql:5432 + user: dendrite + password: dendrite + max_open_conns: 100 + max_idle_conns: 2 + conn_max_lifetime: -1 + metrics: + enabled: true + jetstream: + in_memory: false + addresses: + - nats://matrix-nats:4222 + persistence: + storageClass: longhorn + logs: + capacity: 1Gi + media: + capacity: 5Gi + nats: + enabled: true + nats: + jetstream: + enabled: true + postgresql: + enabled: true + global: + postgresql: + postgresqlDatabase: dendrite + postgresqlUsername: dendrite + postgresqlPassword: dendrite + persistence: + enabled: true + storageClass: longhorn + accessModes: + - ReadWriteOnce + size: 5Gi + ingress: + enabled: true + className: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + external-dns.alpha.kubernetes.io/target: "homelab-tunnel.khuedoan.com" + external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" + nginx.ingress.kubernetes.io/proxy-body-size: 32m + hajimari.io/enable: 'false' + hosts: + - host: *backend_host + paths: + - path: / + pathType: Prefix + tls: + - secretName: dendrite-tls-certificate + hosts: + - *backend_host 
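Review bot: The new values file commits plaintext database credentials (`password: dendrite` under `dendrite.configuration.database` and `postgresqlPassword: dendrite` under `postgresql.global.postgresql`), whereas the other charts on this page keep credentials in Kubernetes Secrets (`envFrom.secretRef` → `dex-secrets`, `envFromSecret: grafana-secrets`). These should be generated and injected from a Secret rather than a value committed to the GitOps repo; if the dendrite and postgresql charts expose an existing-secret option, use it, otherwise document the value as a placeholder that must be overridden before deployment. The `locmai/dendrite-monolith:010922` image from a personal registry namespace is referenced by a mutable tag without a digest; the `# TODO switch to official image` comment acknowledges this, but until then pinning it as `locmai/dendrite-monolith@sha256:<digest-placeholder>` would make the pull reproducible. The `external-dns.alpha.kubernetes.io/target` and host values still use `khuedoan.com`, which a later commit in this series corrects.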
diff --git a/system/monitoring-system/values.yaml b/system/monitoring-system/values.yaml index b0aed36a97..68840a3b2c 100644 --- a/system/monitoring-system/values.yaml +++ b/system/monitoring-system/values.yaml @@ -9,7 +9,7 @@ kube-prometheus-stack: hajimari.io/appName: Grafana hajimari.io/icon: chart-bar hosts: - - &host grafana.khuedoan.com + - &host grafana.jupiter.mein.nl tls: - secretName: grafana-general-tls hosts: @@ -21,7 +21,7 @@ kube-prometheus-stack: envFromSecret: grafana-secrets grafana.ini: server: - root_url: https://grafana.khuedoan.com + root_url: https://grafana.jupiter.mein.nl auth.generic_oauth: enabled: true allow_sign_up: true @@ -29,9 +29,9 @@ kube-prometheus-stack: client_id: grafana-sso client_secret: $__env{GRAFANA_SSO_CLIENT_SECRET} scopes: openid profile email groups - auth_url: https://dex.khuedoan.com/auth - token_url: https://dex.khuedoan.com/token - api_url: https://dex.khuedoan.com/userinfo + auth_url: https://dex.jupiter.mein.nl/auth + token_url: https://dex.jupiter.mein.nl/token + api_url: https://dex.jupiter.mein.nl/userinfo prometheus: prometheusSpec: From 51df1c94f01f9cd44cdbe16487adbba382c289be Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 23 Oct 2022 17:58:12 +0000 Subject: [PATCH 304/334] chore(deps): update all non-major dependencies --- external/modules/zerotier/versions.tf | 2 +- system/loki/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/external/modules/zerotier/versions.tf b/external/modules/zerotier/versions.tf index 3c0e37843f..f7b5ccf605 100644 --- a/external/modules/zerotier/versions.tf +++ b/external/modules/zerotier/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { zerotier = { source = "zerotier/zerotier" - version = "~> 1.2.0" + version = "~> 1.3.0" } } } diff --git a/system/loki/Chart.yaml b/system/loki/Chart.yaml index 856a5c0b19..7fc43aa20d 100644 --- a/system/loki/Chart.yaml +++ b/system/loki/Chart.yaml 
@@ -3,5 +3,5 @@ name: loki version: 0.0.0 dependencies: - name: loki-stack - version: 2.6.1 + version: 2.8.3 repository: https://grafana.github.io/helm-charts \ No newline at end of file From 7f00cf686d559dbc2c588296584c4e899a278091 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 23 Oct 2022 17:58:20 +0000 Subject: [PATCH 305/334] chore(deps): update helm release kube-prometheus-stack to v41 --- system/monitoring-system/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/monitoring-system/Chart.yaml b/system/monitoring-system/Chart.yaml index bd6007f99b..483c5e5a6b 100644 --- a/system/monitoring-system/Chart.yaml +++ b/system/monitoring-system/Chart.yaml @@ -3,5 +3,5 @@ name: kube-prometheus-stack version: 0.0.0 dependencies: - name: kube-prometheus-stack - version: 19.3.0 # TODO upgrade https://github.com/prometheus-community/helm-charts/issues/1500 + version: 41.5.1 # TODO upgrade https://github.com/prometheus-community/helm-charts/issues/1500 repository: https://prometheus-community.github.io/helm-charts From 25a0ab6d1057ac265e915dbba9d9997a714cbe5b Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 23 Oct 2022 20:17:49 +0200 Subject: [PATCH 306/334] Matrix domain fixed --- apps/matrix/values.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/apps/matrix/values.yaml b/apps/matrix/values.yaml index d996c7cad4..68240c6d75 100644 --- a/apps/matrix/values.yaml +++ b/apps/matrix/values.yaml 
@@ -4,12 +4,12 @@ elementweb: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: "homelab-tunnel.khuedoan.com" + external-dns.alpha.kubernetes.io/target: "homelab-tunnel.jupiter.mein.nl" external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" hajimari.io/appName: Chat hajimari.io/icon: chat hosts: - - host: &frontend_host chat.khuedoan.com + - host: &frontend_host chat.jupiter.mein.nl paths: - path: / pathType: Prefix @@ -19,8 +19,8 @@ elementweb: - *frontend_host config: default: - base_url: https://matrix.khuedoan.com - server_name: khuedoan.com + base_url: https://matrix.jupiter.mein.nl + server_name: jupiter.mein.nl dendrite: polylith: false @@ -29,7 +29,7 @@ dendrite: pullPolicy: IfNotPresent configuration: version: 2 - servername: &backend_host matrix.khuedoan.com + servername: &backend_host matrix.jupiter.mein.nl database: host: matrix-postgresql:5432 user: dendrite @@ -72,7 +72,7 @@ dendrite: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: "homelab-tunnel.khuedoan.com" + external-dns.alpha.kubernetes.io/target: "homelab-tunnel.jupiter.mein.nl" external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" nginx.ingress.kubernetes.io/proxy-body-size: 32m hajimari.io/enable: 'false' From f942618be3a150fd93a43122fcc88744afa907f9 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 23 Oct 2022 20:36:06 +0200 Subject: [PATCH 307/334] Remove external dns requirements from matrix --- apps/matrix/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apps/matrix/values.yaml b/apps/matrix/values.yaml index 68240c6d75..d12ebfd920 100644 --- a/apps/matrix/values.yaml +++ b/apps/matrix/values.yaml 
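Review bot: In the `-19,8` hunk the Element default server config is given `server_name: jupiter.mein.nl`, while the `-29,7` hunk sets Dendrite's `servername: &backend_host matrix.jupiter.mein.nl`; both describe the same homeserver and the two values do not agree. If Dendrite's server name is matrix.jupiter.mein.nl, user IDs are issued under that name and Element advertises a different one, which only works if jupiter.mein.nl serves `/.well-known/matrix/server` and `/.well-known/matrix/client` delegation to it — that may exist elsewhere in the repository, I cannot see it from this hunk. Either align the two values (`server_name: matrix.jupiter.mein.nl`) or add a comment next to `server_name` stating that well-known delegation from jupiter.mein.nl is in place. The later commit "Move to top subdomain" reintroduces the same split with `server_name: mein.nl` against `servername: &backend_host matrix.mein.nl`.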
@@ -4,8 +4,8 @@ elementweb: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: "homelab-tunnel.jupiter.mein.nl" - external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" + # external-dns.alpha.kubernetes.io/target: "homelab-tunnel.jupiter.mein.nl" + # external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" hajimari.io/appName: Chat hajimari.io/icon: chat hosts: @@ -72,8 +72,8 @@ dendrite: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: "homelab-tunnel.jupiter.mein.nl" - external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" + # external-dns.alpha.kubernetes.io/target: "homelab-tunnel.jupiter.mein.nl" + # external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" nginx.ingress.kubernetes.io/proxy-body-size: 32m hajimari.io/enable: 'false' hosts: From c0726515ad12e04a74635211bebfbb10b9a87aa8 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 23 Oct 2022 21:51:24 +0200 Subject: [PATCH 308/334] Homeassistant renamed uri --- home/homeassistant/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 83ec1ff207..56d0a069d5 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -31,7 +31,7 @@ home-assistant: nginx.org/websocket-services: home-assistant cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - - host: &host homeassistant.jupiter.mein.nl + - host: &host homeassistant.europa.jupiter.mein.nl paths: - path: / pathType: Prefix @@ -154,7 +154,7 @@ home-assistant: cert-manager.io/cluster-issuer: letsencrypt-prod nginx.org/websocket-services: home-assistant hosts: - - host: &config homeassistant-config.jupiter.mein.nl + - host: &config homeassistant-config.europa.jupiter.mein.nl paths: - path: / pathType: Prefix 
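Review bot: The two external-dns annotations in the `-4,8` and `-72,8` hunks are commented out rather than removed, which leaves dead configuration in apps/matrix/values.yaml with no note on why; the commit title carries the intent, the file does not. As I understand external-dns, if it still watches these Ingress objects, dropping `external-dns.alpha.kubernetes.io/target` makes it derive the record target from the Ingress status address, and dropping `external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"` makes any record it manages DNS-only, so the cluster's own address rather than the tunnel hostname would be published for chat and matrix — confirm that is intended, or take the hosts out of external-dns' scope explicitly rather than by omission. I would delete the two lines and add a one-line comment such as `# DNS for these hosts is managed outside external-dns` if that is the case.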
@@ -170,7 +170,7 @@ home-assistant: # enabled: true # user: # name: homeassistant-bot - # email: homeassitant@jupiter.mein.nl + # email: homeassitant@europa.jupiter.mein.nl From f916e97d1273bda6213dde1d9819cb9123303205 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 23 Oct 2022 22:01:37 +0200 Subject: [PATCH 309/334] Customize docs --- mkdocs.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/mkdocs.yml b/mkdocs.yml index 2fc550c902..d30f659674 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,9 +1,8 @@ # yaml-language-server: $schema=https://squidfunk.github.io/mkdocs-material/schema.json -site_name: Khue's Homelab -copyright: Copyright © 2020 - 2022 Khue Doan +site_name: Meins's Homelab -repo_url: https://github.com/khuedoan/homelab +repo_url: https://github.com/petermein/homelab theme: name: material From 1593c4c921caa46aef3815c1259093746ac4b29e Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 24 Oct 2022 14:53:39 +0200 Subject: [PATCH 310/334] Fix proxied matrix; --- apps/matrix/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apps/matrix/values.yaml b/apps/matrix/values.yaml index d12ebfd920..fdbfcf38c0 100644 --- a/apps/matrix/values.yaml +++ b/apps/matrix/values.yaml @@ -4,8 +4,8 @@ elementweb: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - # external-dns.alpha.kubernetes.io/target: "homelab-tunnel.jupiter.mein.nl" - # external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" + external-dns.alpha.kubernetes.io/target: "jupiter-tunnel.jupiter.mein.nl" + external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" hajimari.io/appName: Chat hajimari.io/icon: chat hosts: 
@@ -72,8 +72,8 @@ dendrite: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - # external-dns.alpha.kubernetes.io/target: "homelab-tunnel.jupiter.mein.nl" - # external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" + external-dns.alpha.kubernetes.io/target: "jupiter-tunnel.jupiter.mein.nl" + external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" nginx.ingress.kubernetes.io/proxy-body-size: 32m hajimari.io/enable: 'false' hosts: From 93791ef7d2fc4ac2d77ac9beb8465624a498779c Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 24 Oct 2022 16:00:40 +0200 Subject: [PATCH 311/334] New tunnel config --- apps/matrix/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/matrix/values.yaml b/apps/matrix/values.yaml index fdbfcf38c0..8122705e3f 100644 --- a/apps/matrix/values.yaml +++ b/apps/matrix/values.yaml @@ -4,7 +4,7 @@ elementweb: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: "jupiter-tunnel.jupiter.mein.nl" + external-dns.alpha.kubernetes.io/target: "tunnel.mein.nl" external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" hajimari.io/appName: Chat hajimari.io/icon: chat @@ -72,7 +72,7 @@ dendrite: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: "jupiter-tunnel.jupiter.mein.nl" + external-dns.alpha.kubernetes.io/target: "tunnel.jupiter.mein.nl" external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" nginx.ingress.kubernetes.io/proxy-body-size: 32m hajimari.io/enable: 'false' From 9742fd2837135eefd87b8b642441aca538767d1c Mon Sep 17 00:00:00 2001 
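Review bot: The two ingresses in the "New tunnel config" commit get different tunnel targets: `external-dns.alpha.kubernetes.io/target: "tunnel.mein.nl"` for elementweb in its `-4,7` hunk and `external-dns.alpha.kubernetes.io/target: "tunnel.jupiter.mein.nl"` for dendrite in its `-72,7` hunk, although the title describes a single new tunnel. One of them is presumably a typo; the follow-up commit "Fixed image for cloudflared" changes the elementweb value to `tunnel.jupiter.mein.nl`, which suggests that was the intended one. Holding the same hostname twice in one file invites this drift — a YAML anchor on the first occurrence (`&tunnel_target "tunnel.jupiter.mein.nl"`) referenced by the second (`*tunnel_target`) would keep the two ingresses in lockstep.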
From: Peter Mein Date: Mon, 24 Oct 2022 16:07:05 +0200 Subject: [PATCH 312/334] Cloudflared added again --- system/cloudflared/Chart.yaml | 7 +++++++ system/cloudflared/values.yaml | 16 ++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 system/cloudflared/Chart.yaml create mode 100644 system/cloudflared/values.yaml diff --git a/system/cloudflared/Chart.yaml b/system/cloudflared/Chart.yaml new file mode 100644 index 0000000000..b14d611d44 --- /dev/null +++ b/system/cloudflared/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: cloudflared +version: 0.0.0 +dependencies: + - name: cloudflared + version: 0.3.3 + repository: https://khuedoan.github.io/charts diff --git a/system/cloudflared/values.yaml b/system/cloudflared/values.yaml new file mode 100644 index 0000000000..0eb558e81a --- /dev/null +++ b/system/cloudflared/values.yaml @@ -0,0 +1,16 @@ +cloudflared: + credentials: + existingSecret: cloudflared-credentials + config: + tunnel: homelab + ingress: + - hostname: '*.jupiter.mein.nl' + service: https://ingress-nginx-controller.ingress-nginx + originRequest: + noTLSVerify: true + - service: http_status:404 + + podMonitor: + enabled: true + metricsEndpoints: + - port: http From 30e2ce96c0481318676bb9352d8add21abde4dd9 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 24 Oct 2022 16:19:40 +0200 Subject: [PATCH 313/334] Fixed image for cloudflared --- apps/matrix/values.yaml | 2 +- system/cloudflared/values.yaml | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/apps/matrix/values.yaml b/apps/matrix/values.yaml index 8122705e3f..a6fe0a92b1 100644 --- a/apps/matrix/values.yaml +++ b/apps/matrix/values.yaml 
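Review bot: `noTLSVerify: true` in the new system/cloudflared/values.yaml disables certificate verification for every request the tunnel forwards to `https://ingress-nginx-controller.ingress-nginx`, so cloudflared accepts whatever certificate is presented on that hop, including the controller's self-signed default. cloudflared can keep verification if it is told which name to expect, `originServerName: <host the ingress certificate is issued for>`, optionally with `caPool` pointing at the issuing CA; if the in-cluster hop is deliberately trusted, a comment saying so belongs next to the option. Separately, the wildcard `hostname: '*.jupiter.mein.nl'` forwards every name under that zone to the cluster ingress, so any Ingress created in the cluster is reachable from the internet as soon as a DNS record points at the tunnel — worth stating in a comment on the rule, since the matrix commits around this one rely on exactly that behaviour.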
@@ -4,7 +4,7 @@ elementweb: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: "tunnel.mein.nl" + external-dns.alpha.kubernetes.io/target: "tunnel.jupiter.mein.nl" external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" hajimari.io/appName: Chat hajimari.io/icon: chat diff --git a/system/cloudflared/values.yaml b/system/cloudflared/values.yaml index 0eb558e81a..16ef62d2b8 100644 --- a/system/cloudflared/values.yaml +++ b/system/cloudflared/values.yaml @@ -1,11 +1,17 @@ cloudflared: + image: + repository: cloudflare/cloudflared + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "2022.10.2" + credentials: existingSecret: cloudflared-credentials config: tunnel: homelab ingress: - hostname: '*.jupiter.mein.nl' - service: https://ingress-nginx-controller.ingress-nginx + service: https://ingress-nginx-controller.ingress-nginx:443 originRequest: noTLSVerify: true - service: http_status:404 From c41a9a3dda85164b8f5b593fd80c12c196b62329 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 24 Oct 2022 22:15:50 +0200 Subject: [PATCH 314/334] New try for cloudflared without subdomain tunnel --- apps/matrix/values.yaml | 4 ++-- system/cloudflared/values.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apps/matrix/values.yaml b/apps/matrix/values.yaml index a6fe0a92b1..69f70b67e7 100644 --- a/apps/matrix/values.yaml +++ b/apps/matrix/values.yaml @@ -4,7 +4,7 @@ elementweb: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: "tunnel.jupiter.mein.nl" + external-dns.alpha.kubernetes.io/target: "jupiter-tunnel.mein.nl" external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" hajimari.io/appName: Chat hajimari.io/icon: chat 
@@ -72,7 +72,7 @@ dendrite: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-prod - external-dns.alpha.kubernetes.io/target: "tunnel.jupiter.mein.nl" + external-dns.alpha.kubernetes.io/target: "jupiter-tunnel.mein.nl" external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" nginx.ingress.kubernetes.io/proxy-body-size: 32m hajimari.io/enable: 'false' diff --git a/system/cloudflared/values.yaml b/system/cloudflared/values.yaml index 16ef62d2b8..cb2873680c 100644 --- a/system/cloudflared/values.yaml +++ b/system/cloudflared/values.yaml @@ -10,7 +10,7 @@ cloudflared: config: tunnel: homelab ingress: - - hostname: '*.jupiter.mein.nl' + - hostname: '*.mein.nl' service: https://ingress-nginx-controller.ingress-nginx:443 originRequest: noTLSVerify: true From 149cb6e72ab9396ec89089cccc39a32c4d66cd6a Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 24 Oct 2022 22:24:52 +0200 Subject: [PATCH 315/334] Move to top subdomain --- apps/matrix/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apps/matrix/values.yaml b/apps/matrix/values.yaml index 69f70b67e7..253100b95d 100644 --- a/apps/matrix/values.yaml +++ b/apps/matrix/values.yaml @@ -9,7 +9,7 @@ elementweb: hajimari.io/appName: Chat hajimari.io/icon: chat hosts: - - host: &frontend_host chat.jupiter.mein.nl + - host: &frontend_host chat.mein.nl paths: - path: / pathType: Prefix @@ -19,8 +19,8 @@ elementweb: - *frontend_host config: default: - base_url: https://matrix.jupiter.mein.nl - server_name: jupiter.mein.nl + base_url: https://matrix.mein.nl + server_name: mein.nl dendrite: polylith: false @@ -29,7 +29,7 @@ dendrite: pullPolicy: IfNotPresent configuration: version: 2 - servername: &backend_host matrix.jupiter.mein.nl + servername: &backend_host matrix.mein.nl database: host: matrix-postgresql:5432 user: dendrite From 7ee351f1c0b55675b153e1cefc47b5193f8d75d2 Mon Sep 17 00:00:00 2001 
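Review bot: The cloudflared ingress rule in system/cloudflared/values.yaml is widened from `'*.jupiter.mein.nl'` to `'*.mein.nl'`, so the tunnel now forwards every name under the apex zone to the in-cluster ingress, not only the cluster's own subdomain. Any hostname in that zone whose DNS record points at this tunnel — now or later — is served by ingress-nginx, and names without a matching Ingress get the controller's default backend; that is a larger exposure than the title "without subdomain tunnel" suggests, so the rule deserves a comment or a narrower list of hostnames. As far as I can tell the `- service: http_status:404` fallback then only applies to the apex mein.nl itself and to names outside the zone, since the wildcard catches everything else.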
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 24 Oct 2022 22:49:26 +0000 Subject: [PATCH 316/334] chore(deps): update all non-major dependencies --- bootstrap/argocd/Chart.yaml | 2 +- system/cloudflared/Chart.yaml | 2 +- system/kured/Chart.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml index dc2ed6e9fe..c696ff649a 100644 --- a/bootstrap/argocd/Chart.yaml +++ b/bootstrap/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argocd version: 0.0.0 dependencies: - name: argo-cd - version: 5.6.3 + version: 5.6.5 repository: https://argoproj.github.io/argo-helm diff --git a/system/cloudflared/Chart.yaml b/system/cloudflared/Chart.yaml index b14d611d44..f6bae20473 100644 --- a/system/cloudflared/Chart.yaml +++ b/system/cloudflared/Chart.yaml @@ -3,5 +3,5 @@ name: cloudflared version: 0.0.0 dependencies: - name: cloudflared - version: 0.3.3 + version: 0.4.3 repository: https://khuedoan.github.io/charts diff --git a/system/kured/Chart.yaml b/system/kured/Chart.yaml index 6f53b60ef5..400314fcf1 100644 --- a/system/kured/Chart.yaml +++ b/system/kured/Chart.yaml @@ -3,5 +3,5 @@ name: kured version: 0.0.0 dependencies: - name: kured - version: 4.0.2 + version: 4.0.3 repository: https://kubereboot.github.io/charts From 7a237afbab30fa6ce51a5ab6ec4943873cdf4fa3 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 25 Oct 2022 16:41:12 +0000 Subject: [PATCH 317/334] chore(deps): update all non-major dependencies --- bootstrap/argocd/Chart.yaml | 2 +- home/postgresql/Chart.yaml | 2 +- system/monitoring-system/Chart.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml index c696ff649a..c0211f1090 100644 --- a/bootstrap/argocd/Chart.yaml +++ b/bootstrap/argocd/Chart.yaml 
@@ -3,5 +3,5 @@ name: argocd version: 0.0.0 dependencies: - name: argo-cd - version: 5.6.5 + version: 5.6.8 repository: https://argoproj.github.io/argo-helm diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml index a8a524072a..5bda0e548e 100644 --- a/home/postgresql/Chart.yaml +++ b/home/postgresql/Chart.yaml @@ -3,5 +3,5 @@ name: postgresql version: 0.0.0 dependencies: - name: postgresql - version: 11.9.11 + version: 11.9.12 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/system/monitoring-system/Chart.yaml b/system/monitoring-system/Chart.yaml index 483c5e5a6b..8f7fdedb94 100644 --- a/system/monitoring-system/Chart.yaml +++ b/system/monitoring-system/Chart.yaml @@ -3,5 +3,5 @@ name: kube-prometheus-stack version: 0.0.0 dependencies: - name: kube-prometheus-stack - version: 41.5.1 # TODO upgrade https://github.com/prometheus-community/helm-charts/issues/1500 + version: 41.6.1 # TODO upgrade https://github.com/prometheus-community/helm-charts/issues/1500 repository: https://prometheus-community.github.io/helm-charts From 07f439c41670f95e0ca075fc50169dc6b11412ec Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Thu, 27 Oct 2022 22:11:52 +0200 Subject: [PATCH 318/334] Datadog blacklist fs --- system/datadog/values.yaml | 108 ++++++++++++++++++++----------------- 1 file changed, 60 insertions(+), 48 deletions(-) diff --git a/system/datadog/values.yaml b/system/datadog/values.yaml index a599723418..8f34a8c511 100644 --- a/system/datadog/values.yaml +++ b/system/datadog/values.yaml @@ -4,10 +4,10 @@ datadog: ## https://docs.datadoghq.com/agent/kubernetes/helm/ # nameOverride -- Override name of app - nameOverride: # "" + nameOverride: # "" # fullnameOverride -- Override the full qualified app name - fullnameOverride: # "" + fullnameOverride: # "" # targetSystem -- Target OS for this deployment (possible values: linux, windows) targetSystem: "linux" 
@@ -26,12 +26,12 @@ datadog: # datadog.apiKeyExistingSecret -- Use existing Secret which stores API key instead of creating a new one. The value should be set with the `api-key` key inside the secret. ## If set, this parameter takes precedence over "apiKey". - apiKeyExistingSecret: "datadog-secret" # + apiKeyExistingSecret: "datadog-secret" # # datadog.appKey -- Datadog APP key required to use metricsProvider ## If you are using clusterAgent.metricsProvider.enabled = true, you must set ## a Datadog application key for read access to your metrics. - appKey: # + appKey: # # datadog.appKeyExistingSecret -- Use existing Secret which stores APP key instead of creating a new one. The value should be set with the `app-key` key inside the secret. ## If set, this parameter takes precedence over "appKey". @@ -43,13 +43,13 @@ datadog: # datadog.secretBackend.command -- Configure the secret backend command, path to the secret backend binary. ## Note: If the command value is "/readsecret_multiple_providers.sh" the agents will have permissions to get secret objects. ## Read more about "/readsecret_multiple_providers.sh": https://docs.datadoghq.com/agent/guide/secrets-management/#script-for-reading-from-multiple-secret-providers-readsecret_multiple_providerssh - command: # "/readsecret.sh" or "/readsecret_multiple_providers.sh" or any custom binary path + command: # "/readsecret.sh" or "/readsecret_multiple_providers.sh" or any custom binary path # datadog.secretBackend.arguments -- Configure the secret backend command arguments (space-separated strings). - arguments: # "/etc/secret-volume" or any other custom arguments + arguments: # "/etc/secret-volume" or any other custom arguments # datadog.secretBackend.timeout -- Configure the secret backend command timeout in seconds. - timeout: # 30 + timeout: # 30 # datadog.securityContext -- Allows you to overwrite the default PodSecurityContext on the Daemonset or Deployment securityContext: 
@@ -72,15 +72,15 @@ datadog: ## * Overall length should not be higher than 80 characters. ## Compared to the rules of GKE, dots are allowed whereas they are not allowed on GKE: ## https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#Cluster.FIELDS.name - clusterName: "jupiter.mein.nl" # + clusterName: "jupiter.mein.nl" # # datadog.site -- The site of the Datadog intake to send Agent data to ## Set to 'datadoghq.eu' to send data to the EU site. - site: datadoghq.eu # datadoghq.com + site: datadoghq.eu # datadoghq.com # datadog.dd_url -- The host of the Datadog intake server to send Agent data to, only set this option if you need the Agent to send data to a custom URL ## Overrides the site setting defined in "site". - dd_url: # https://app.datadoghq.com + dd_url: # https://app.datadoghq.com # datadog.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, off logLevel: INFO @@ -169,7 +169,7 @@ datadog: # datadog.checksCardinality -- Sets the tag cardinality for the checks run by the Agent. ## https://docs.datadoghq.com/getting_started/tagging/assigning_tags/?tab=containerizedenvironments#environment-variables - checksCardinality: # low, orchestrator or high (not set by default to avoid overriding existing DD_CHECKS_TAG_CARDINALITY configurations, the default value in the Agent is low) + checksCardinality: # low, orchestrator or high (not set by default to avoid overriding existing DD_CHECKS_TAG_CARDINALITY configurations, the default value in the Agent is low) # kubelet configuration kubelet: @@ -180,7 +180,7 @@ datadog: fieldPath: status.hostIP # datadog.kubelet.tlsVerify -- Toggle kubelet TLS verification # @default -- true - tlsVerify: # false + tlsVerify: # false # datadog.kubelet.hostCAPath -- Path (on host) where the Kubelet CA certificate is stored # @default -- None (no mount from host) hostCAPath: 
@@ -248,7 +248,7 @@ datadog: leaderElection: true # datadog.leaderLeaseDuration -- Set the lease time for leader election in second - leaderLeaseDuration: # 60 + leaderLeaseDuration: # 60 ## Enable logs agent and provide custom configs logs: @@ -318,18 +318,17 @@ datadog: ## Each key becomes a file in /conf.d ## ref: https://github.com/DataDog/datadog-agent/tree/main/Dockerfiles/agent#optional-volumes ## ref: https://docs.datadoghq.com/agent/autodiscovery/ - confd: {} - # redisdb.yaml: |- - # init_config: - # instances: - # - host: "name" - # port: "6379" - # kubernetes_state.yaml: |- - # ad_identifiers: - # - kube-state-metrics - # init_config: - # instances: - # - kube_state_url: http://%%host%%:8080/metrics + confd: + disk.yaml: |- + init_config: + + instances: + - use_mount: false + file_system_blacklist: + - autofs$ + mount_point_blacklist: + - /proc/sys/fs/binfmt_misc + - /host/proc/sys/fs/binfmt_misc # datadog.checksd -- Provide additional custom checks as python code ## Each key becomes a file in /checks.d @@ -338,10 +337,10 @@ datadog: # service.py: |- # datadog.dockerSocketPath -- Path to the docker socket - dockerSocketPath: # /var/run/docker.sock + dockerSocketPath: # /var/run/docker.sock # datadog.criSocketPath -- Path to the container runtime socket (if different from Docker) - criSocketPath: # /var/run/containerd/containerd.sock + criSocketPath: # /var/run/containerd/containerd.sock # Configure how the agent interact with the host's container runtime containerRuntimeSupport: @@ -369,7 +368,6 @@ datadog: ## Enable systemProbe agent and provide custom configs systemProbe: - # datadog.systemProbe.debugPort -- Specify the port to expose pprof and expvar for system-probe agent debugPort: 0 
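Review bot: The new `disk.yaml` check in the `-318,18` hunk uses `file_system_blacklist` and `mount_point_blacklist`, which as far as I recall are the older spellings of the disk integration's exclusion options; recent Agent releases document them as `file_system_exclude` and `mount_point_exclude` and treat the `*_blacklist` names as deprecated, so unless the deployed agent predates that rename (its version is not visible in this hunk) the newer names avoid a deprecation warning. The `-369,7` hunk also deletes the `# datadog.systemProbe.debugPort -- Specify the port to expose pprof and expvar for system-probe agent` doc line while keeping `debugPort: 0`, which looks accidental among the whitespace-only hunks and should be restored. More generally this commit mixes a trailing-whitespace sweep across most of system/datadog/values.yaml with the one functional change, which buries the check configuration in noise; splitting the format-only edits into their own commit would make the functional diff reviewable on its own.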
@@ -421,7 +419,7 @@ datadog: maxTrackedConnections: 131072 # datadog.systemProbe.conntrackMaxStateSize -- the maximum size of the userspace conntrack cache - conntrackMaxStateSize: 131072 # 2 * maxTrackedConnections by default, per https://github.com/DataDog/datadog-agent/blob/d1c5de31e1bba72dfac459aed5ff9562c3fdcc20/pkg/process/config/config.go#L229 + conntrackMaxStateSize: 131072 # 2 * maxTrackedConnections by default, per https://github.com/DataDog/datadog-agent/blob/d1c5de31e1bba72dfac459aed5ff9562c3fdcc20/pkg/process/config/config.go#L229 # datadog.systemProbe.conntrackInitTimeout -- the time to wait for conntrack to initialize before failing conntrackInitTimeout: 10s @@ -510,7 +508,8 @@ datadog: # datadog.prometheusScrape.serviceEndpoints -- Enable generating dedicated checks for service endpoints. serviceEndpoints: false # datadog.prometheusScrape.additionalConfigs -- Allows adding advanced openmetrics check configurations with custom discovery rules. (Requires Agent version 7.27+) - additionalConfigs: [] + additionalConfigs: + [] # - # autodiscovery: # kubernetes_annotations: @@ -533,7 +532,7 @@ datadog: # datadog.containerExclude -- Exclude containers from the Agent # Autodiscovery, as a space-sepatered list ## ref: https://docs.datadoghq.com/agent/guide/autodiscovery-management/?tab=containerizedagent#exclude-containers - containerExclude: # "image:datadog/agent" + containerExclude: # "image:datadog/agent" # datadog.containerInclude -- Include containers in the Agent Autodiscovery, # as a space-separated list. If a container matches an include rule, it’s 
@@ -660,7 +659,7 @@ datadog: port: 8443 # clusterAgent.metricsProvider.endpoint -- Override the external metrics provider endpoint. If not set, the cluster-agent defaults to `datadog.site` - endpoint: # https://api.datadoghq.com + endpoint: # https://api.datadoghq.com # clusterAgent.env -- Set environment variables specific to Cluster Agent ## The Cluster-Agent supports many additional environment variables @@ -723,7 +722,7 @@ datadog: # memory: 256Mi # clusterAgent.priorityClassName -- Name of the priorityClass to apply to the Cluster Agent - priorityClassName: # system-cluster-critical + priorityClassName: # system-cluster-critical # clusterAgent.nodeSelector -- Allow the Cluster Agent Deployment to be scheduled on selected nodes ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector @@ -817,7 +816,8 @@ datadog: create: false # clusterAgent.additionalLabels -- Adds labels to the Cluster Agent deployment and pods - additionalLabels: {} + additionalLabels: + {} # key: "value" ## This section lets you configure the agents deployed by this chart to connect to a Cluster Agent @@ -828,10 +828,10 @@ datadog: join: false # existingClusterAgent.tokenSecretName -- Existing secret name to use for external Cluster Agent token - tokenSecretName: # + tokenSecretName: # # existingClusterAgent.serviceName -- Existing service name to use for reaching the external Cluster Agent - serviceName: # + serviceName: # # existingClusterAgent.clusterchecksEnabled -- set this to false if you don’t want the agents to run the cluster checks of the joined external cluster agent clusterchecksEnabled: true @@ -873,7 +873,7 @@ datadog: ## This boolean permits to completely skip this check. ## This is useful, for example, for custom tags that are not ## respecting semantic versioning - doNotCheckTag: # false + doNotCheckTag: # false # agents.image.pullPolicy -- Datadog Agent image pull policy pullPolicy: IfNotPresent 
@@ -974,7 +974,7 @@ datadog: # agents.containers.agent.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off ## If not set, fall back to the value of datadog.logLevel. - logLevel: # INFO + logLevel: # INFO # agents.containers.agent.resources -- Resource requests and limits for the agent container. resources: {} @@ -1025,7 +1025,7 @@ datadog: # agents.containers.processAgent.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off ## If not set, fall back to the value of datadog.logLevel. - logLevel: # INFO + logLevel: # INFO # agents.containers.processAgent.resources -- Resource requests and limits for the process-agent container resources: {} @@ -1054,7 +1054,7 @@ datadog: # name: # agents.containers.traceAgent.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off - logLevel: # INFO + logLevel: # INFO # agents.containers.traceAgent.resources -- Resource requests and limits for the trace-agent container resources: {} @@ -1091,7 +1091,7 @@ datadog: # agents.containers.systemProbe.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off. ## If not set, fall back to the value of datadog.logLevel. - logLevel: # INFO + logLevel: # INFO # agents.containers.systemProbe.resources -- Resource requests and limits for the system-probe container resources: {} @@ -1107,7 +1107,17 @@ datadog: securityContext: privileged: false capabilities: - add: ["SYS_ADMIN", "SYS_RESOURCE", "SYS_PTRACE", "NET_ADMIN", "NET_BROADCAST", "NET_RAW", "IPC_LOCK", "CHOWN"] + add: + [ + "SYS_ADMIN", + "SYS_RESOURCE", + "SYS_PTRACE", + "NET_ADMIN", + "NET_BROADCAST", + "NET_RAW", + "IPC_LOCK", + "CHOWN", + ] # agents.containers.systemProbe.ports -- Allows to specify extra ports (hostPorts for instance) for this container ports: [] 
@@ -1125,7 +1135,7 @@ datadog: # agents.containers.securityAgent.logLevel -- Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off ## If not set, fall back to the value of datadog.logLevel. - logLevel: # INFO + logLevel: # INFO # agents.containers.securityAgent.resources -- Resource requests and limits for the security-agent container resources: {} @@ -1218,11 +1228,12 @@ datadog: podLabels: {} # agents.additionalLabels -- Adds labels to the Agent daemonset and pods - additionalLabels: {} + additionalLabels: + {} # key: "value" # agents.useConfigMap -- Configures a configmap to provide the agent configuration. Use this in combination with the `agents.customAgentConfig` parameter. - useConfigMap: # false + useConfigMap: # false # agents.customAgentConfig -- Specify custom contents for the datadog agent config (datadog.yaml) ## ref: https://docs.datadoghq.com/agent/guide/agent-configuration-files/?tab=agentv6 @@ -1344,7 +1355,7 @@ datadog: # value: "1" # clusterChecksRunner.priorityClassName -- Name of the priorityClass to apply to the Cluster checks runners - priorityClassName: # system-cluster-critical + priorityClassName: # system-cluster-critical # clusterChecksRunner.nodeSelector -- Allow the ClusterChecks Deployment to schedule on selected nodes ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ @@ -1432,7 +1443,8 @@ datadog: create: false # clusterChecksRunner.additionalLabels -- Adds labels to the cluster checks runner deployment and pods - additionalLabels: {} + additionalLabels: + {} # key: "value" # clusterChecksRunner.securityContext -- Allows you to overwrite the default PodSecurityContext on the clusterchecks pods. 
@@ -1492,4 +1504,4 @@ datadog: ## When deploying to EC2-backed EKS infrastructure, there are situations where the ## IMDS metadata endpoint is not accesible to containers. This flag mounts the host's ## `/var/lib/cloud/data/instance-id` and uses that for Agent's hostname instead. - useHostnameFromFile: false \ No newline at end of file + useHostnameFromFile: false From 378eb8eef9b5fd95c5f6105f2c64cbe95058193e Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 28 Oct 2022 21:19:41 +0000 Subject: [PATCH 319/334] chore(deps): update all non-major dependencies --- bootstrap/argocd/Chart.yaml | 2 +- home/firefly/values.yaml | 2 +- home/homeassistant/values.yaml | 2 +- home/nextcloud/Chart.yaml | 2 +- home/postgresql/Chart.yaml | 2 +- platform/external-secrets/Chart.yaml | 2 +- system/cloudflared/values.yaml | 2 +- system/metallb-system/Chart.yaml | 2 +- system/monitoring-system/Chart.yaml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/bootstrap/argocd/Chart.yaml b/bootstrap/argocd/Chart.yaml index c0211f1090..b05eeb3914 100644 --- a/bootstrap/argocd/Chart.yaml +++ b/bootstrap/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argocd version: 0.0.0 dependencies: - name: argo-cd - version: 5.6.8 + version: 5.8.5 repository: https://argoproj.github.io/argo-helm diff --git a/home/firefly/values.yaml b/home/firefly/values.yaml index aeceeb5fb7..9dbab04abd 100644 --- a/home/firefly/values.yaml +++ b/home/firefly/values.yaml @@ -62,7 +62,7 @@ firefly-iii: image: repository: curlimages/curl pullPolicy: IfNotPresent - tag: 7.85.0 + tag: 7.86.0 imagePullSecrets: [] diff --git a/home/homeassistant/values.yaml b/home/homeassistant/values.yaml index 56d0a069d5..e942dde122 100644 --- a/home/homeassistant/values.yaml +++ b/home/homeassistant/values.yaml @@ -138,7 +138,7 @@ home-assistant: enabled: true image: repository: codercom/code-server - tag: 4.7.1 + tag: 4.8.1 workingDir: "/config" args: - --auth 
diff --git a/home/nextcloud/Chart.yaml b/home/nextcloud/Chart.yaml index 3ace3d8dd9..ae1cfee164 100644 --- a/home/nextcloud/Chart.yaml +++ b/home/nextcloud/Chart.yaml @@ -3,5 +3,5 @@ name: nextcloud version: 0.0.0 dependencies: - name: nextcloud - version: 3.1.2 + version: 3.2.0 repository: https://nextcloud.github.io/helm/ diff --git a/home/postgresql/Chart.yaml b/home/postgresql/Chart.yaml index 5bda0e548e..be96dec01e 100644 --- a/home/postgresql/Chart.yaml +++ b/home/postgresql/Chart.yaml @@ -3,5 +3,5 @@ name: postgresql version: 0.0.0 dependencies: - name: postgresql - version: 11.9.12 + version: 11.9.13 repository: https://charts.bitnami.com/bitnami \ No newline at end of file diff --git a/platform/external-secrets/Chart.yaml b/platform/external-secrets/Chart.yaml index 71bd31c357..bd6fb32ed6 100644 --- a/platform/external-secrets/Chart.yaml +++ b/platform/external-secrets/Chart.yaml @@ -3,5 +3,5 @@ name: external-secrets version: 0.0.0 dependencies: - name: external-secrets - version: 0.6.0 + version: 0.6.1 repository: https://charts.external-secrets.io diff --git a/system/cloudflared/values.yaml b/system/cloudflared/values.yaml index cb2873680c..a5d887c0b6 100644 --- a/system/cloudflared/values.yaml +++ b/system/cloudflared/values.yaml @@ -3,7 +3,7 @@ cloudflared: repository: cloudflare/cloudflared pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: "2022.10.2" + tag: "2022.10.3" credentials: existingSecret: cloudflared-credentials diff --git a/system/metallb-system/Chart.yaml b/system/metallb-system/Chart.yaml index 8b0472bd1b..c66b89bda2 100644 --- a/system/metallb-system/Chart.yaml +++ b/system/metallb-system/Chart.yaml @@ -3,5 +3,5 @@ name: metallb version: 0.0.0 dependencies: - name: metallb - version: 4.1.8 + version: 4.1.10 repository: https://charts.bitnami.com/bitnami diff --git a/system/monitoring-system/Chart.yaml b/system/monitoring-system/Chart.yaml index 8f7fdedb94..ecee0c473b 100644 
--- a/system/monitoring-system/Chart.yaml +++ b/system/monitoring-system/Chart.yaml @@ -3,5 +3,5 @@ name: kube-prometheus-stack version: 0.0.0 dependencies: - name: kube-prometheus-stack - version: 41.6.1 # TODO upgrade https://github.com/prometheus-community/helm-charts/issues/1500 + version: 41.7.0 # TODO upgrade https://github.com/prometheus-community/helm-charts/issues/1500 repository: https://prometheus-community.github.io/helm-charts From 8b8a8403026bdea1d5730aa925e4851e1348ae2a Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 30 Oct 2022 22:56:13 +0100 Subject: [PATCH 320/334] Preperations for PI's --- metal/Makefile | 6 +- metal/TODO.md | 7 +- metal/cluster.yml | 1 - metal/group_vars/all.yml | 1 + metal/inventories/prod.yml | 24 ++++- metal/k3d-dev.yaml | 2 +- metal/picm3.yml | 96 ++++++++++++++++++++ metal/roles/k3s/defaults/main.yml | 5 + metal/roles/k3s/tasks/main.yml | 32 ++++++- metal/roles/metallb_config/defaults/main.yml | 7 +- metal/roles/metallb_config/ippool.yaml | 10 ++ 11 files changed, 180 insertions(+), 11 deletions(-) create mode 100644 metal/picm3.yml create mode 100644 metal/roles/metallb_config/ippool.yaml diff --git a/metal/Makefile b/metal/Makefile index 4c7c3ae976..fa269a8b54 100644 --- a/metal/Makefile +++ b/metal/Makefile @@ -2,7 +2,7 @@ env ?= "prod" -default: boot cluster +default: boot os cluster # ~/.ssh/id_ed25519: # ssh-keygen -t ed25519 -f "$@" @@ -12,6 +12,10 @@ boot: ~/.ssh/id_ed25519 --inventory inventories/${env}.yml \ boot.yml +picm: ansible-playbook \ + --inventory inventories/${env}.yml \ + cluster.yml + cluster: ansible-playbook \ --inventory inventories/${env}.yml \ diff --git a/metal/TODO.md b/metal/TODO.md index 77daddd7b6..6b5b7b7bf3 100644 --- a/metal/TODO.md +++ b/metal/TODO.md @@ -1,5 +1,6 @@ TODO Metal +Europa [ ] Auto install ubuntu [ ] Disable GUI [ ] Make ssh root posible 
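Review bot: The new `picm` target puts `ansible-playbook \` on the target line itself, so Make reads `ansible-playbook`, `--inventory inventories/${env}.yml` and `cluster.yml` as prerequisites rather than as a recipe and fails with a missing-rule error for `ansible-playbook`; the recipe has to start on its own tab-indented line, as the existing `cluster` target does (`picm:` then `\tansible-playbook \`). It also runs `cluster.yml`, which `cluster` already covers, while the same commit adds `metal/picm3.yml`, which looks like the intended playbook. The `os` target added to `default` is not defined in any hunk of this commit, so confirm it exists elsewhere in the Makefile.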
@@ -8,4 +9,8 @@ TODO Metal [ ] Mount script for fstab [ ] Zpool init for host [ ] Set hostname -[ ] Install iscsi \ No newline at end of file +[ ] Install iscsi + +PI's +[x] Set hostname +[ ] Log2ram diff --git a/metal/cluster.yml b/metal/cluster.yml index ef7e3f6bfe..1aaacbe242 100644 --- a/metal/cluster.yml +++ b/metal/cluster.yml @@ -2,7 +2,6 @@ hosts: metal roles: - k3s - - automatic_upgrade - name: Create some basic config hosts: localhost diff --git a/metal/group_vars/all.yml b/metal/group_vars/all.yml index 39fb773776..8ba4fb4ab5 100644 --- a/metal/group_vars/all.yml +++ b/metal/group_vars/all.yml @@ -2,3 +2,4 @@ ansible_user: root ansible_ssh_private_key_file: ~/.ssh/id_ed25519 ssh_public_key: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}" dns_server: "8.8.8.8" +ansible_python_interpreter: "/usr/bin/python3" diff --git a/metal/inventories/prod.yml b/metal/inventories/prod.yml index 837300c7d3..da3f6420ca 100644 --- a/metal/inventories/prod.yml +++ b/metal/inventories/prod.yml 
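Review bot: Dropping `automatic_upgrade` from the roles of the `metal` play removes the only unattended-patching step visible in this diff and nothing in the commit replaces it; a later commit on this page also moves kured out of `system/`, so the nodes are left without an automated OS update or reboot path. If the role was removed because it does not work on the Pi hosts, keeping it with a `when` on the host group (or under `masters` only) preserves patching on the remaining nodes, and a short comment next to the roles list, `# automatic_upgrade removed: <reason>`, would record the decision.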
@@ -2,6 +2,28 @@ metal: children: masters: hosts: - europa: {ansible_host: 192.168.1.8, mac: '1c:69:7a:ac:21:f2', disk: nvme0n1, network_interface: enp89s0} + europa: + { + ansible_host: 192.168.1.8, + mac: "1c:69:7a:ac:21:f2", + disk: nvme0n1, + network_interface: enp89s0, + } workers: hosts: + leda-1: { ansible_host: 192.168.1.191, mac: "b8:27:eb:f0:aa:b3" } + ersa-2: { ansible_host: 192.168.1.192, mac: "b8:27:eb:f7:3c:52" } + himalia-3: { ansible_host: 192.168.1.193, mac: "b8:27:eb:d9:0e:4c" } + pandi-4: { ansible_host: 192.168.1.194, mac: "b8:27:eb:de:b3:0d" } + lysithe-5: { ansible_host: 192.168.1.195, mac: "b8:27:eb:60:39:5c" } + elara-6: { ansible_host: 192.168.1.196, mac: "b8:27:eb:94:af:0a" } + dia-7: { ansible_host: 192.168.1.197, mac: "b8:27:eb:3d:8d:16" } + picm3: + hosts: + leda-1: { ansible_host: 192.168.1.191, mac: "b8:27:eb:f0:aa:b3" } + ersa-2: { ansible_host: 192.168.1.192, mac: "b8:27:eb:f7:3c:52" } + himalia-3: { ansible_host: 192.168.1.193, mac: "b8:27:eb:d9:0e:4c" } + pandi-4: { ansible_host: 192.168.1.194, mac: "b8:27:eb:de:b3:0d" } + lysithe-5: { ansible_host: 192.168.1.195, mac: "b8:27:eb:60:39:5c" } + elara-6: { ansible_host: 192.168.1.196, mac: "b8:27:eb:94:af:0a" } + dia-7: { ansible_host: 192.168.1.197, mac: "b8:27:eb:3d:8d:16" } diff --git a/metal/k3d-dev.yaml b/metal/k3d-dev.yaml index e1c00a5720..d736466417 100644 --- a/metal/k3d-dev.yaml +++ b/metal/k3d-dev.yaml @@ -2,7 +2,7 @@ apiVersion: k3d.io/v1alpha4 kind: Simple metadata: name: homelab-dev -image: docker.io/rancher/k3s:v1.23.4-k3s1 +image: docker.io/rancher/k3s:v1.23.6-k3s1 servers: 1 agents: 0 options: diff --git a/metal/picm3.yml b/metal/picm3.yml new file mode 100644 index 0000000000..292115b29e --- /dev/null +++ b/metal/picm3.yml 
@@ -0,0 +1,96 @@ +# - name: Stage one +# hosts: +# - picm3 +# become: yes +# gather_facts: no + +# vars: +# ansible_user: pi +# ansible_ssh_pass: raspberry +# timezone: Europe/Amsterdam + +# vars_prompt: +# - name: "password" +# prompt: "Enter password for root user" +# private: yes + +# tasks: +# - name: Ping all hosts +# ping: + +# - name: Print +# debug: +# msg: "All hosts are up" + +# - name: Set hostname +# hostname: +# name: "{{ inventory_hostname }}" + +# - name: Set the timezone +# file: +# src: /usr/share/zoneinfo/{{ timezone }} +# dest: /etc/localtime +# state: link + +# - name: Set authorized_key for root user +# authorized_key: +# user: root +# state: present +# key: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}" + +# - name: Set the password for root +# ansible.builtin.user: +# name: root +# state: present +# password: "{{ password | password_hash('sha512') }}" + +# - name: Enable root login +# lineinfile: +# path: /etc/ssh/sshd_config +# regexp: "^PermitRootLogin" +# line: "PermitRootLogin yes" +# state: present + +# - name: Restart ssh daemon +# service: +# name: sshd +# state: restarted + +# - name: Disable the default user 'pi' +# user: +# name: pi +# state: present +# password_lock: true +# shell: "/sbin/nologin" + +# - name: Reboot host and wait for it to restart +# reboot: +# msg: "Reboot initiated by Ansible" +# connect_timeout: 5 +# reboot_timeout: 600 +# pre_reboot_delay: 0 +# post_reboot_delay: 30 +# test_command: whoami + +- name: Stage two + hosts: + - picm3 + become: yes + gather_facts: no + + vars: + timezone: Europe/Amsterdam + + tasks: + - name: Enable container features + replace: + path: /boot/cmdline.txt + regexp: '^([\w](?!.*\b{{ item }}\b).*)$' + replace: '\1 {{ item }}' + with_items: + - "cgroup_enable=cpuset" + - "cgroup_memory=1" + - "cgroup_enable=memory" + + - name: Reboot + ansible.builtin.reboot: diff --git a/metal/roles/k3s/defaults/main.yml b/metal/roles/k3s/defaults/main.yml index c408f06d37..9333483460 100644 
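Review bot: The commented-out "Stage one" play keeps `ansible_ssh_pass: raspberry` and a task that writes `PermitRootLogin yes` into `/etc/ssh/sshd_config` in the committed file; a default credential in the repository is a finding even when disabled, and since the same stage installs a key for root via `authorized_key`, `PermitRootLogin prohibit-password` is the setting that matches the intent. Either delete the disabled stage or keep only its task list with the initial password supplied through `vars_prompt` or Ansible Vault rather than an inline literal. In "Stage two" the `reboot` task runs unconditionally, so every run of the play reboots each node; register the `replace` task and gate the reboot with `when: cmdline.changed`. The regexp `'^([\w](?!.*\b{{ item }}\b).*)$'` only matches lines whose first character is a word character, which holds for `/boot/cmdline.txt` but deserves a one-line comment.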
--- a/metal/roles/k3s/defaults/main.yml +++ b/metal/roles/k3s/defaults/main.yml @@ -9,3 +9,8 @@ k3s_server_config: - traefik disable-cloud-controller: true secrets-encryption: true + +k3s_pi_config: + node-label: + - "machine=pi" + - "pi-class=cm3" diff --git a/metal/roles/k3s/tasks/main.yml b/metal/roles/k3s/tasks/main.yml index 5e53b708f3..02fd5948a5 100644 --- a/metal/roles/k3s/tasks/main.yml +++ b/metal/roles/k3s/tasks/main.yml @@ -1,14 +1,31 @@ -- name: Download k3s binary +- name: Get DEB architecture + shell: dpkg --print-architecture + register: deb_architecture + +- name: Download k3s binary (amd64) + when: deb_architecture.stdout == 'amd64' ansible.builtin.get_url: url: https://github.com/k3s-io/k3s/releases/download/{{ k3s_version }}/k3s - checksum: sha256:https://github.com/k3s-io/k3s/releases/download/{{ k3s_version }}/sha256sum-amd64.txt + checksum: sha256:https://github.com/k3s-io/k3s/releases/download/{{ k3s_version }}/sha256sum-{{ deb_architecture.stdout }}.txt dest: "{{ role_path }}/files/bin/k3s" mode: 0755 delegate_to: localhost run_once: true register: k3s_binary -- name: Copy k3s binary to nodes +- name: Download k3s binary (other) + when: deb_architecture.stdout != 'amd64' + ansible.builtin.get_url: + url: https://github.com/k3s-io/k3s/releases/download/{{ k3s_version }}/k3s-{{ deb_architecture.stdout }} + checksum: sha256:https://github.com/k3s-io/k3s/releases/download/{{ k3s_version }}/sha256sum-{{ deb_architecture.stdout }}.txt + dest: "{{ role_path }}/files/bin/k3s-{{ deb_architecture.stdout }}" + mode: 0755 + delegate_to: localhost + run_once: false + register: k3s_binary2 + +- name: Copy k3s binary to nodes (amd64) + when: deb_architecture.stdout == 'amd64' ansible.builtin.copy: src: bin/k3s dest: /usr/local/bin/k3s 
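Review bot: `Download k3s binary (amd64)` keeps `run_once: true` while its `when` compares the per-host `deb_architecture.stdout`; with `run_once` the condition is evaluated on the first host of the batch only, so when that host is not amd64 the amd64 binary is never fetched and the later copy task fails. The "(other)" download instead uses `run_once: false` with `delegate_to: localhost`, so every non-amd64 node triggers a concurrent `get_url` to the same `files/bin/k3s-…` path on the controller; both problems go away by collecting the architectures once, e.g. `loop: "{{ ansible_play_hosts | map('extract', hostvars, ['deb_architecture', 'stdout']) | unique }}"` on a single `run_once: true` download with `{{ item }}` in the url, checksum and dest. The checksum URL is built from the dpkg architecture name, so confirm k3s publishes `sha256sum-<dpkg-arch>.txt` for every architecture in the inventory (a Pi CM3 reports `armhf`). `dpkg --print-architecture` needs no shell, so `command:` is the safer module, and `register: k3s_binary2` is never read afterwards.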
@@ -16,6 +33,15 @@ group: root mode: 0755 +- name: Copy k3s binary to nodes (other) + when: deb_architecture.stdout != 'amd64' + ansible.builtin.copy: + src: bin/k3s-{{ deb_architecture.stdout }} + dest: /usr/local/bin/k3s + owner: root + group: root + mode: 0755 + - name: Ensure config directories exist ansible.builtin.file: path: "{{ item }}" diff --git a/metal/roles/metallb_config/defaults/main.yml b/metal/roles/metallb_config/defaults/main.yml index 204b346b9a..ebcba5a8d0 100644 --- a/metal/roles/metallb_config/defaults/main.yml +++ b/metal/roles/metallb_config/defaults/main.yml @@ -1,7 +1,8 @@ metallb_namespace: metallb-system -metallb_subnet_cidr_prefix: 27 # /27 -metallb_subnet_index: -1 # last subnet -metallb_addresses: | # Use the last subnet with the specified size from the network +metallb_subnet_cidr_prefix: 27 # /27 +metallb_subnet_index: -1 # last subnet +metallb_addresses: + | # Use the last subnet with the specified size from the network {{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.netcommon.ipaddr('net') diff --git a/metal/roles/metallb_config/ippool.yaml b/metal/roles/metallb_config/ippool.yaml new file mode 100644 index 0000000000..18f96c71a8 --- /dev/null +++ b/metal/roles/metallb_config/ippool.yaml @@ -0,0 +1,10 @@ +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: traefik + namespace: metallb-system +spec: + addresses: + - 192.168.1.208/28 + autoAssign: false + avoidBuggyIPs: false From e48b65f7f9de82d2a934f6330846197f4b17b979 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 30 Oct 2022 22:56:35 +0100 Subject: [PATCH 321/334] started on nfs --- system/nfs-system/Chart.yaml | 7 +++ system/nfs-system/values.yaml | 111 ++++++++++++++++++++++++++++++++++ 2 files changed, 118 insertions(+) create mode 100644 system/nfs-system/Chart.yaml create mode 100644 system/nfs-system/values.yaml 
diff --git a/system/nfs-system/Chart.yaml b/system/nfs-system/Chart.yaml new file mode 100644 index 0000000000..49a901d251 --- /dev/null +++ b/system/nfs-system/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: nfs-subdir-external-provisioner +version: 0.0.0 +dependencies: + - name: nfs-subdir-external-provisioner + version: 4.0.2 + repository: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner diff --git a/system/nfs-system/values.yaml b/system/nfs-system/values.yaml new file mode 100644 index 0000000000..b7ce00f57c --- /dev/null +++ b/system/nfs-system/values.yaml 
@@ -0,0 +1,111 @@ +nfs-subdir-external-provisioner: + replicaCount: 1 + strategyType: Recreate + + image: + repository: k8s.gcr.io/sig-storage/nfs-subdir-external-provisioner + tag: v4.0.2 + pullPolicy: IfNotPresent + imagePullSecrets: [] + + nfs: + server: 192.168.1.8 + path: /pool0/nfs + mountOptions: + volumeName: nfs-subdir-external-provisioner-root + # Reclaim policy for the main nfs volume + reclaimPolicy: Retain + + # For creating the StorageClass automatically: + storageClass: + create: true + + # Set a provisioner name. If unset, a name will be generated. + # provisionerName: + + # Set StorageClass as the default StorageClass + # Ignored if storageClass.create is false + defaultClass: false + + # Set a StorageClass name + # Ignored if storageClass.create is false + name: nfs-client + + # Allow volume to be expanded dynamically + allowVolumeExpansion: true + + # Method used to reclaim an obsoleted volume + reclaimPolicy: Delete + + # When set to false your PVs will not be archived by the provisioner upon deletion of the PVC. + archiveOnDelete: true + + # If it exists and has 'delete' value, delete the directory. If it exists and has 'retain' value, save the directory. + # Overrides archiveOnDelete. + # Ignored if value not set. + onDelete: + + # Specifies a template for creating a directory path via PVC metadata's such as labels, annotations, name or namespace. + # Ignored if value not set. 
+ pathPattern: + + # Set access mode - ReadWriteOnce, ReadOnlyMany or ReadWriteMany + accessModes: ReadWriteOnce + + # Set volume bindinng mode - Immediate or WaitForFirstConsumer + volumeBindingMode: Immediate + + # Storage class annotations + annotations: {} + + leaderElection: + # When set to false leader election will be disabled + enabled: true + + ## For RBAC support: + rbac: + # Specifies whether RBAC resources should be created + create: true + + # If true, create & use Pod Security Policy resources + # https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + podSecurityPolicy: + enabled: false + + # Deployment pod annotations + podAnnotations: {} + + ## Set pod priorityClassName + # priorityClassName: "" + + podSecurityContext: {} + + securityContext: {} + + serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + + # Annotations to add to the service account + annotations: {} + + # The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template + name: + + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + nodeSelector: {} + + tolerations: [] + + affinity: {} + + # Additional labels for any resource created + labels: {} \ No newline at end of file From d2f45a1ea089eaef0d19b7ff5890a000fb81c29c Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 30 Oct 2022 23:01:37 +0100 Subject: [PATCH 322/334] Change storage class name --- system/nfs-system/values.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/system/nfs-system/values.yaml b/system/nfs-system/values.yaml index b7ce00f57c..bcd20aa91a 100644 --- a/system/nfs-system/values.yaml +++ b/system/nfs-system/values.yaml 
@@ -29,7 +29,7 @@ nfs-subdir-external-provisioner: # Set a StorageClass name # Ignored if storageClass.create is false - name: nfs-client + name: nfs # Allow volume to be expanded dynamically allowVolumeExpansion: true @@ -93,7 +93,8 @@ nfs-subdir-external-provisioner: # If not set and create is true, a name is generated using the fullname template name: - resources: {} + resources: + {} # limits: # cpu: 100m # memory: 128Mi @@ -108,4 +109,4 @@ nfs-subdir-external-provisioner: affinity: {} # Additional labels for any resource created - labels: {} \ No newline at end of file + labels: {} From 3b3dc51caea954c2d8d3fe540754c39c0e915b31 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 31 Oct 2022 10:49:30 +0100 Subject: [PATCH 323/334] Added Io --- metal/inventories/prod.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/metal/inventories/prod.yml b/metal/inventories/prod.yml index da3f6420ca..d7f1072979 100644 --- a/metal/inventories/prod.yml +++ b/metal/inventories/prod.yml @@ -9,6 +9,12 @@ metal: disk: nvme0n1, network_interface: enp89s0, } + io: + { + ansible_host: 192.168.1.190, + ansible_ssh_port: 2022, + mac: "40:8d:5c:fb:9d:4b", + } workers: hosts: leda-1: { ansible_host: 192.168.1.191, mac: "b8:27:eb:f0:aa:b3" } From 8031c60db3d047ce0941832febe640d237cdfa41 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 31 Oct 2022 22:28:49 +0100 Subject: [PATCH 324/334] Cluster expansion --- metal/inventories/prod.yml | 8 ++------ metal/k3d-dev.yaml | 4 ++-- metal/picm3.yml | 6 ++++++ 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/metal/inventories/prod.yml b/metal/inventories/prod.yml index d7f1072979..f4e5d6ba4c 100644 --- a/metal/inventories/prod.yml +++ b/metal/inventories/prod.yml 
@@ -9,12 +9,8 @@ metal: disk: nvme0n1, network_interface: enp89s0, } - io: - { - ansible_host: 192.168.1.190, - ansible_ssh_port: 2022, - mac: "40:8d:5c:fb:9d:4b", - } + io-1: { ansible_host: 192.168.1.198, mac: "52:54:00:76:48:d4" } + io-2: { ansible_host: 192.168.1.199, mac: "52:54:00:19:70:a2" } workers: hosts: leda-1: { ansible_host: 192.168.1.191, mac: "b8:27:eb:f0:aa:b3" } diff --git a/metal/k3d-dev.yaml b/metal/k3d-dev.yaml index d736466417..e4aa36ba3d 100644 --- a/metal/k3d-dev.yaml +++ b/metal/k3d-dev.yaml @@ -3,8 +3,8 @@ kind: Simple metadata: name: homelab-dev image: docker.io/rancher/k3s:v1.23.6-k3s1 -servers: 1 -agents: 0 +servers: 3 +agents: 7 options: k3s: extraArgs: diff --git a/metal/picm3.yml b/metal/picm3.yml index 292115b29e..612ed63d7a 100644 --- a/metal/picm3.yml +++ b/metal/picm3.yml @@ -82,6 +82,12 @@ timezone: Europe/Amsterdam tasks: + - name: Install open-iscsi for longhorn + ansible.builtin.apt: + name: "open-iscsi" + state: latest + update_cache: true + - name: Enable container features replace: path: /boot/cmdline.txt From 0e9f61ff5825618abfc3ff6e0464229d9c944795 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 31 Oct 2022 22:29:06 +0100 Subject: [PATCH 325/334] Disable oomkill --- system/datadog/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/datadog/values.yaml b/system/datadog/values.yaml index 8f34a8c511..7c78785901 100644 --- a/system/datadog/values.yaml +++ b/system/datadog/values.yaml @@ -392,7 +392,7 @@ datadog: enableTCPQueueLength: false # datadog.systemProbe.enableOOMKill -- Enable the OOM kill eBPF-based check - enableOOMKill: true + enableOOMKill: false # datadog.systemProbe.enableRuntimeCompiler -- Enable the runtime compiler for eBPF probes enableRuntimeCompiler: false From 54d4184b5b370d371fc2ac16fb9fc4dc18b1b2fc Mon Sep 17 00:00:00 2001 
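Review bot: The new `open-iscsi` task in `metal/picm3.yml` uses `state: latest` with `update_cache: true`, which turns an install step into an unplanned package upgrade on every run (ansible-lint's `package-latest` rule flags exactly this); `state: present` installs it once and leaves upgrades to the patching path. The surrounding `tasks` list continues outside the hunk.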
From: Peter Mein Date: Mon, 31 Oct 2022 22:39:59 +0100 Subject: [PATCH 326/334] Increase interal whitelist range gp# Please enter the commit message for your changes. Lines starting --- system/ingress-nginx/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/ingress-nginx/values.yaml b/system/ingress-nginx/values.yaml index 7617788baf..347763fc75 100644 --- a/system/ingress-nginx/values.yaml +++ b/system/ingress-nginx/values.yaml @@ -1,7 +1,7 @@ ingress-nginx: controller: config: - whitelist-source-range: 213.34.1.38/32, 37.97.253.87/32, 192.168.1.0/24, 10.42.0.0/24 + whitelist-source-range: 213.34.1.38/32, 37.97.253.87/32, 192.168.1.0/24, 10.42.0.0/18 admissionWebhooks: timeoutSeconds: 30 metrics: From 580adb9bf78a2adf841aefcc20951e34a8486cf0 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Mon, 31 Oct 2022 22:44:26 +0100 Subject: [PATCH 327/334] Disable whitelist --- system/ingress-nginx/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/ingress-nginx/values.yaml b/system/ingress-nginx/values.yaml index 347763fc75..f11ead332b 100644 --- a/system/ingress-nginx/values.yaml +++ b/system/ingress-nginx/values.yaml @@ -1,7 +1,7 @@ ingress-nginx: controller: config: - whitelist-source-range: 213.34.1.38/32, 37.97.253.87/32, 192.168.1.0/24, 10.42.0.0/18 + #whitelist-source-range: 213.34.1.38/32, 37.97.253.87/32, 192.168.1.0/24, 10.42.0.0/18 admissionWebhooks: timeoutSeconds: 30 metrics: From a3040ab0bcc16b78607ccdea559a2a065d251e28 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 1 Nov 2022 09:52:40 +0100 Subject: [PATCH 328/334] Update nodes requirements on longhorn --- system/longhorn-system/values.yaml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/system/longhorn-system/values.yaml b/system/longhorn-system/values.yaml index cb344891a7..b15dc3e73b 100644 --- a/system/longhorn-system/values.yaml +++ b/system/longhorn-system/values.yaml 
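Review bot: Commenting out `whitelist-source-range` in the controller `config` drops the source allow-list for every ingress at once, so everything behind the controller becomes reachable from any address that can reach it; the preceding hunk shows the intent was only to cover the wider pod CIDR (`10.42.0.0/18`), which does not require removing the list. If the global list had to go because cluster ranges changed, keep the external entries there and move the cluster-internal ranges to per-Ingress `nginx.ingress.kubernetes.io/whitelist-source-range` annotations on the services that need them. A commented-out security setting is easy to miss later, so state why it is disabled and what replaces it, e.g. `# whitelist disabled: replaced by per-ingress annotations`.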
@@ -1,13 +1,24 @@ longhorn: defaultSettings: nodeDownPodDeletionPolicy: delete-both-statefulset-and-deployment-pod + systemManagedComponentsNodeSelector: "storage:longhorn" persistence: # If you have three or more nodes for storage, use 3; otherwise use 2 - defaultClassReplicaCount: 1 # TODO run DR test to see if we actually need 3 + defaultClassReplicaCount: 3 # TODO run DR test to see if we actually need 3 guaranteedEngineManagerCPU: 15 guaranteedReplicaManagerCPU: 15 replicaSoftAntiAffinity: true + longhornManager: + nodeSelector: + storage: "longhorn" + longhornDriver: + nodeSelector: + storage: "longhorn" + longhornUI: + nodeSelector: + storage: "longhorn" + ingress: enabled: true ingressClassName: nginx @@ -15,4 +26,4 @@ longhorn: cert-manager.io/cluster-issuer: letsencrypt-prod host: longhorn.jupiter.mein.nl tls: true - tlsSecret: longhorn-tls-certificate \ No newline at end of file + tlsSecret: longhorn-tls-certificate From 4b1c733ba2da932ced6d8f6717633c53775d06b9 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Tue, 1 Nov 2022 11:47:06 +0100 Subject: [PATCH 329/334] disable kured --- {system => disable}/kured/Chart.yaml | 0 {system => disable}/kured/values.yaml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename {system => disable}/kured/Chart.yaml (100%) rename {system => disable}/kured/values.yaml (100%) diff --git a/system/kured/Chart.yaml b/disable/kured/Chart.yaml similarity index 100% rename from system/kured/Chart.yaml rename to disable/kured/Chart.yaml diff --git a/system/kured/values.yaml b/disable/kured/values.yaml similarity index 100% rename from system/kured/values.yaml rename to disable/kured/values.yaml From 92ef223117ea7b00211ee1a057a92fd0b63a0ae2 Mon Sep 17 00:00:00 2001 
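Review bot: `defaultClassReplicaCount: 3` combined with the new `storage: "longhorn"` node selectors presumably confines Longhorn's managed components, and therefore replica placement, to nodes carrying that label, yet nothing in this diff applies it (the `k3s_pi_config` labels added earlier on this page are `machine=pi` and `pi-class=cm3`); with fewer than three labelled nodes every new volume will start degraded. Document where the label is applied, or add it to the k3s `node-label` list, and keep the existing TODO on the replica count until the DR test it mentions has run.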
From: Peter Mein Date: Thu, 3 Nov 2022 20:18:49 +0100 Subject: [PATCH 330/334] MetalLB fixes --- metal/Makefile | 14 ++++++------ metal/roles/metallb_config/defaults/main.yml | 7 +++--- metal/roles/metallb_config/tasks/main.yml | 4 ++-- .../templates/configmap.yaml.j2 | 12 ++++++++++ .../metallb_config/templates/crds.yaml.j2 | 22 ------------------- system/metallb-system/values.yaml | 5 +++++ upstream | 1 + 7 files changed, 30 insertions(+), 35 deletions(-) create mode 100644 metal/roles/metallb_config/templates/configmap.yaml.j2 delete mode 100644 metal/roles/metallb_config/templates/crds.yaml.j2 create mode 160000 upstream diff --git a/metal/Makefile b/metal/Makefile index fa269a8b54..d5aef7d086 100644 --- a/metal/Makefile +++ b/metal/Makefile @@ -7,14 +7,14 @@ default: boot os cluster # ~/.ssh/id_ed25519: # ssh-keygen -t ed25519 -f "$@" -boot: ~/.ssh/id_ed25519 - ansible-playbook \ - --inventory inventories/${env}.yml \ - boot.yml +# boot: ~/.ssh/id_ed25519 +# ansible-playbook \ +# --inventory inventories/${env}.yml \ +# boot.yml -picm: ansible-playbook \ - --inventory inventories/${env}.yml \ - cluster.yml +# picm: ansible-playbook \ +# --inventory inventories/${env}.yml \ +# cluster.yml cluster: ansible-playbook \ diff --git a/metal/roles/metallb_config/defaults/main.yml b/metal/roles/metallb_config/defaults/main.yml index ebcba5a8d0..204b346b9a 100644 --- a/metal/roles/metallb_config/defaults/main.yml +++ b/metal/roles/metallb_config/defaults/main.yml @@ -1,8 +1,7 @@ metallb_namespace: metallb-system -metallb_subnet_cidr_prefix: 27 # /27 -metallb_subnet_index: -1 # last subnet -metallb_addresses: - | # Use the last subnet with the specified size from the network +metallb_subnet_cidr_prefix: 27 # /27 +metallb_subnet_index: -1 # last subnet +metallb_addresses: | # Use the last subnet with the specified size from the network {{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.netcommon.ipaddr('net') 
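Review bot: Commenting out the `boot` target leaves `default: boot os cluster` (the context line at the top of the hunk) pointing at a target that no longer exists, so a bare `make` now fails with a missing-rule error; change it to `default: os cluster`, or keep `boot` and comment only its recipe. `os` is not defined in any hunk of this commit either, so confirm it exists elsewhere in the Makefile. If `boot` and `picm` are parked rather than dropped, a one-line comment giving the reason, `# boot/picm disabled: <reason>`, is better than bare commented-out rules.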
diff --git a/metal/roles/metallb_config/tasks/main.yml b/metal/roles/metallb_config/tasks/main.yml index 7060b06e42..8b3f37279b 100644 --- a/metal/roles/metallb_config/tasks/main.yml +++ b/metal/roles/metallb_config/tasks/main.yml @@ -5,6 +5,6 @@ name: "{{ metallb_namespace }}" state: present -- name: Create MetalLB crds for network info +- name: Create MetalLB config base on network info kubernetes.core.k8s: - definition: "{{ lookup('template', 'crds.yaml.j2') | from_yaml }}" + definition: "{{ lookup('template', 'configmap.yaml.j2') | from_yaml }}" diff --git a/metal/roles/metallb_config/templates/configmap.yaml.j2 b/metal/roles/metallb_config/templates/configmap.yaml.j2 new file mode 100644 index 0000000000..7aa186c5c7 --- /dev/null +++ b/metal/roles/metallb_config/templates/configmap.yaml.j2 @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: metallb-config + namespace: {{ metallb_namespace }} +data: + config: | + address-pools: + - name: default + protocol: layer2 + addresses: + - {{ metallb_addresses }} diff --git a/metal/roles/metallb_config/templates/crds.yaml.j2 b/metal/roles/metallb_config/templates/crds.yaml.j2 deleted file mode 100644 index 0ff6341df7..0000000000 --- a/metal/roles/metallb_config/templates/crds.yaml.j2 +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: metallb.io/v1beta1 -kind: IPAddressPool -metadata: - creationTimestamp: null - name: default - namespace: {{ metallb_namespace }} -spec: - addresses: - - {{ metallb_addresses }} -status: {} ---- -apiVersion: metallb.io/v1beta1 -kind: L2Advertisement -metadata: - creationTimestamp: null - name: l2advertisement1 - namespace: {{ metallb_namespace }} -spec: - ipAddressPools: - - default -status: {} ---- \ No newline at end of file diff --git a/system/metallb-system/values.yaml b/system/metallb-system/values.yaml index 468a8567ff..b3054866af 100644 --- a/system/metallb-system/values.yaml +++ b/system/metallb-system/values.yaml 
@@ -1,2 +1,7 @@ metallb: existingConfigMap: metallb-config + + speaker: + image: + repository: metallb/speaker + tag: main diff --git a/upstream b/upstream new file mode 160000 index 0000000000..686fea5764 --- /dev/null +++ b/upstream @@ -0,0 +1 @@ +Subproject commit 686fea57645ab65df8b71c54814dbc01827d48a6 From 22f7276a1f290c89c663aa5b8de31a99042e4795 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Sun, 6 Nov 2022 20:57:00 +0100 Subject: [PATCH 331/334] New cluster --- external/.gitignore | 1 - external/backblaze.tf | 22 -- external/cloudflare.tf | 20 - external/cloudflared.tf | 36 -- external/modules/cloudflare/main.tf | 12 +- external/modules/cloudflare/versions.tf | 6 +- external/modules/zerotier/versions.tf | 2 +- external/terraform.tfstate.backup | 461 ++++++++++++------------ external/versions.tf | 11 +- metal/roles/k3s/defaults/main.yml | 2 + metal/roles/metallb_config/ippool.yaml | 22 ++ platform/gitea/Chart.yaml | 2 +- platform/gitea/files/config/config.yaml | 15 +- 13 files changed, 271 insertions(+), 341 deletions(-) delete mode 100644 external/backblaze.tf delete mode 100644 external/cloudflare.tf delete mode 100644 external/cloudflared.tf diff --git a/external/.gitignore b/external/.gitignore index 25bf88abc2..1228eaef00 100644 --- a/external/.gitignore +++ b/external/.gitignore @@ -1,4 +1,3 @@ .terraform* terraform.tfstate terraform.tfvars -terraform.auto.tfvars \ No newline at end of file diff --git a/external/backblaze.tf b/external/backblaze.tf deleted file mode 100644 index 06cb53cbc4..0000000000 --- a/external/backblaze.tf +++ /dev/null 
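Review bot: `tag: main` pins the speaker to a moving branch tag, so every pod restart can pull a different, unreviewed build and the running image cannot be tied to a release; pin a release tag (ideally with a digest, `repository@sha256:<digest>`) and let Renovate bump it like the other images on this page. Overriding the Bitnami chart's speaker image (the `system/metallb-system/Chart.yaml` on this page depends on bitnami `metallb`) with the upstream `metallb/speaker` image may also diverge from the chart's flags and defaults, so add a comment saying what the override is for and when it can go, e.g. `# upstream main needed for <issue>; revert once released`.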
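Review bot: The `upstream` gitlink is added without a `.gitmodules` entry (none appears in the commit's file list), so `git submodule update --init` has no URL for it and a fresh clone cannot resolve the pinned commit; add the `.gitmodules` entry with the repository URL, or drop the gitlink if the directory was committed by accident.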
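Review bot: Removing `terraform.auto.tfvars` from `external/.gitignore` makes a file that normally carries provider credentials and account IDs (the deleted `backblaze.tf` reads `var.b2_application_key`) eligible for `git add`; keep the pattern, or widen it to `*.tfvars`, unless the file is deliberately secret-free. The same `.gitignore` ignores only `terraform.tfstate`, while this commit's diffstat modifies `external/terraform.tfstate.backup`, i.e. a state backup holding resource attributes such as `random_password` results is tracked in the repository; add `*.tfstate*` to the ignore list and remove the tracked copy, rotating anything it contains.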
@@ -1,22 +0,0 @@ -resource "b2_bucket" "backup" { - bucket_name = "infratron-homelab" - bucket_type = "allPrivate" -} - -resource "random_password" "backup_repo_password" { - length = 64 - special = false -} - -resource "kubernetes_secret" "backblaze_credentials" { - metadata { - name = "backblaze-credentials" - namespace = "k8up-operator" - } - - data = { - "application-key-id" = var.b2_application_key_id - "application-key" = var.b2_application_key - "repo-password" = random_password.backup_repo_password.result - } -} diff --git a/external/cloudflare.tf b/external/cloudflare.tf deleted file mode 100644 index fcbc95f6ad..0000000000 --- a/external/cloudflare.tf +++ /dev/null @@ -1,20 +0,0 @@ -data "cloudflare_zone" "mein_nl" { - zone_id = "f2dbeb2dca3e055df71df866b8188ce7" -} - -data "cloudflare_api_token_permission_groups" "all" {} - -data "http" "public_ipv4" { - url = "https://ipv4.icanhazip.com" -} - -# data "http" "public_ipv6" { -# url = "https://ipv6.icanhazip.com" -# } - -locals { - public_ips = [ - "${chomp(data.http.public_ipv4.body)}/32", - # "${chomp(data.http.public_ipv6.body)}/128" - ] -} diff --git a/external/cloudflared.tf b/external/cloudflared.tf deleted file mode 100644 index bcc1db88b8..0000000000 --- a/external/cloudflared.tf +++ /dev/null 
@@ -1,36 +0,0 @@ -resource "random_password" "tunnel_secret" { - length = 64 - special = false -} - -resource "cloudflare_argo_tunnel" "jupiter" { - account_id = var.cloudflare_account_id - name = "jk" - secret = base64encode(random_password.tunnel_secret.result) -} - -# Not proxied, not accessible. Just a record for auto-created CNAMEs by external-dns. -resource "cloudflare_record" "tunnel" { - zone_id = data.cloudflare_zone.zone.id - type = "CNAME" - name = "jupiter-tunnel" - value = "${cloudflare_argo_tunnel.jupiter.id}.cfargotunnel.com" - proxied = false - ttl = 1 # Auto -} - -resource "kubernetes_secret" "cloudflared_credentials" { - metadata { - name = "cloudflared-credentials" - namespace = "cloudflared" - } - - data = { - "credentials.json" = jsonencode({ - AccountTag = var.cloudflare_account_id - TunnelName = cloudflare_argo_tunnel.jupiter.name - TunnelID = cloudflare_argo_tunnel.jupiter.id - TunnelSecret = base64encode(random_password.tunnel_secret.result) - }) - } -} diff --git a/external/modules/cloudflare/main.tf b/external/modules/cloudflare/main.tf index e87c8be770..156eb24ea2 100644 --- a/external/modules/cloudflare/main.tf +++ b/external/modules/cloudflare/main.tf @@ -1,5 +1,5 @@ data "cloudflare_zone" "zone" { - zone_id = "f2dbeb2dca3e055df71df866b8188ce7" + name = "mein.nl" } data "cloudflare_api_token_permission_groups" "all" {} @@ -35,7 +35,7 @@ resource "cloudflare_record" "tunnel" { zone_id = data.cloudflare_zone.zone.id type = "CNAME" name = "jupiter-tunnel" - value = "${cloudflare_argo_tunnel.homelab.id}.cfargotunnel.com" + value = "${cloudflare_argo_tunnel.jupiter.id}.cfargotunnel.com" proxied = false ttl = 1 # Auto } 
@@ -49,15 +49,15 @@ resource "kubernetes_secret" "cloudflared_credentials" { data = { "credentials.json" = jsonencode({ AccountTag = var.cloudflare_account_id - TunnelName = cloudflare_argo_tunnel.homelab.name - TunnelID = cloudflare_argo_tunnel.homelab.id + TunnelName = cloudflare_argo_tunnel.jupiter.name + TunnelID = cloudflare_argo_tunnel.jupiter.id TunnelSecret = base64encode(random_password.tunnel_secret.result) }) } } resource "cloudflare_api_token" "external_dns" { - name = "homelab_external_dns" + name = "jupiter_external_dns" policy { permission_groups = [ @@ -88,7 +88,7 @@ resource "kubernetes_secret" "external_dns_token" { } resource "cloudflare_api_token" "cert_manager" { - name = "homelab_cert_manager" + name = "jupiter_cert_manager" policy { permission_groups = [ diff --git a/external/modules/cloudflare/versions.tf b/external/modules/cloudflare/versions.tf index 4598c3f4df..b91692591e 100644 --- a/external/modules/cloudflare/versions.tf +++ b/external/modules/cloudflare/versions.tf @@ -2,17 +2,17 @@ terraform { required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 3.26.0" + version = "~> 3.11.0" } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.14.0" + version = "~> 2.9.0" } http = { source = "hashicorp/http" - version = "~> 2.2.0" + version = "~> 2.1.0" } } } diff --git a/external/modules/zerotier/versions.tf b/external/modules/zerotier/versions.tf index f7b5ccf605..3c0e37843f 100644 --- a/external/modules/zerotier/versions.tf +++ b/external/modules/zerotier/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { zerotier = { source = "zerotier/zerotier" - version = "~> 1.3.0" + version = "~> 1.2.0" } } } diff --git a/external/terraform.tfstate.backup b/external/terraform.tfstate.backup index a9434ef2d0..fbe4ce3313 100644 --- a/external/terraform.tfstate.backup +++ b/external/terraform.tfstate.backup 
@@ -1,21 +1,24 @@ { "version": 4, - "terraform_version": "1.1.4", - "serial": 26, - "lineage": "247a1195-7fec-d552-ad03-59b12b32cd72", + "terraform_version": "1.3.1", + "serial": 63, + "lineage": "021adf4e-968c-6935-be21-746921f43f25", "outputs": {}, "resources": [ { + "module": "module.cloudflare", "mode": "data", "type": "cloudflare_api_token_permission_groups", "name": "all", - "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]", + "provider": "module.cloudflare.provider[\"registry.terraform.io/cloudflare/cloudflare\"]", "instances": [ { "schema_version": 0, "attributes": { - "id": "9d2b95c1aae319efd167360c2b80c66d", + "id": "37f58c2e50041f9eed30c0006b111b44", "permissions": { + "API Gateway Read": "6ced5d0d69b1422396909a62c38ab41b", + "API Gateway Write": "f0235726de25444a84f704b7c93afadf", "API Tokens Read": "0cc3a61731504c89b99ec1be78b77aa0", "API Tokens Write": "686d18d5ac6c441c867cbf6771e58a0a", "Access: Apps and Policies Read": "eb258a38ea634c86a0c89da6b27cb6b6", @@ -32,6 +35,8 @@ "Access: Service Tokens Read": "91f7ce32fa614d73b7e1fc8f0e78582b", "Access: Service Tokens Write": "a1c0fec57cf94af79479a6d827fa518c", "Account Analytics Read": "b89a480218d04ceb98b4fe57ca29dc1f", + "Account Custom Pages Read": "c57ea647ef654b47bc8944fa739b570d", + "Account Custom Pages Write": "8a9d35a7c8504208ad5c3e8d58e6162d", "Account Firewall Access Rules Read": "de7a688cc47d43bd9ea700b467a09c96", "Account Firewall Access Rules Write": "a416acf9ef5a4af19fb11ed3b96b1fe6", "Account Rule Lists Read": "4f1071168de8466e9808de86febfc516", 
@@ -51,14 +56,36 @@ "Bot Management Read": "07bea2220b2343fa9fae15656c0d8e88", "Bot Management Write": "3b94c49258ec4573b06d51d99b6416c0", "Cache Purge": "e17beae8b8cb423a99b1730f21238bed", + "Cache Settings Read": "3245da1cf36c45c3847bb9b483c62f97", + "Cache Settings Write": "9ff81cbbe65c400b97d92c3c1033cab6", + "China Network Steering Read": "9ade9cfc8f8949bcb2371be2f0ec8db1", + "China Network Steering Write": "c6f6338ceae545d0b90daaa1fed855e6", + "Config Settings Read": "20e5ea084b2f491c86b8d8d90abff905", + "Config Settings Write": "06f0526e6e464647bd61b63c54935235", + "Custom Errors Read": "a2b55cd504d44ef18b7ba6a7f2b8fbb1", + "Custom Errors Write": "a9dba34cf5814d4ab2007b4ada0045bd", + "Custom Pages Read": "a2431ca73b7d41f99c53303027392586", + "Custom Pages Write": "c244ec076974430a88bda1cdd992d0d9", + "D1 Read": "192192df92ee43ac90f2aeeffce67e35", + "D1 Write": "09b2857d1c31407795e75e3fed8617a1", "DDoS Protection Read": "af1c363c35ba45b9a8c682ae50eb3f99", "DDoS Protection Write": "d44ed14bcc4340b194d3824d60edad3f", "DNS Firewall Read": "5f48a472240a4b489a21d43bd19a06e1", "DNS Firewall Write": "da6d2d6f2ec8442eaadda60d13f42bca", "DNS Read": "82e64a83756745bbbb1c9c2701bf816b", "DNS Write": "4755a26eedb94da69e1066d98aa820be", + "Disable ESC Read": "e199d584e69344eba202452019deafe3", + "Disable ESC Write": "18555e39c5ba40d284dde87eda845a90", + "Dynamic URL Redirects Read": "d8e12db741544d1586ec1d6f5d3c7786", + "Dynamic URL Redirects Write": "74e1036f577a48528b78d2413b40538d", + "Email Routing Addresses Read": "5272e56105d04b5897466995b9bd4643", + "Email Routing Addresses Write": "e4589eb09e63436686cd64252a3aebeb", + "Email Routing Rules Read": "1b600d9d8062443e986a973f097e728a", + "Email Routing Rules Write": "79b3ec0d10ce4148a8f8bdc0cc5f97f2", "Firewall Services Read": "4ec32dfcb35641c5bb32d5ef1ab963b4", "Firewall Services Write": "43137f8d07884d3198dc0ee77ca6e79b", + "HTTP Applications Read": "6b60a5a87cae475da7e76e77e4209dd5", + "HTTP Applications Write": 
"4736c02a9f224c8196ae5b127beae78c", "HTTP DDoS Managed Ruleset Read": "c49f8d15f9f44885a544d945ef5aa6ae", "HTTP DDoS Managed Ruleset Write": "b88a3aa889474524bccea5cf18f122bf", "Health Checks Read": "fac65912d42144aa86b7dd33281bf79e", @@ -69,18 +96,23 @@ "IP Prefixes: Write": "92b8234e99f64e05bbbc59e1dc0f76b6", "Images Read": "0cf6473ad41449e7b7b743d14fc20c60", "Images Write": "618ec6c64a3a42f8b08bdcb147ded4e4", + "Intel Read": "df1577df30ee46268f9470952d7b0cdf", + "Intel Write": "92209474242d459690e2cdb1985eaa6c", "L4 DDoS Managed Ruleset Read": "4657621393f94f83b8ef94adba382e48", "L4 DDoS Managed Ruleset Write": "7a4c3574054a4d0ba7c692893ba8bdd4", "Load Balancers Read": "e9a975f628014f1d85b723993116f7d5", "Load Balancers Write": "6d7f2f5f5b1d4a0e9081fdc98d432fd1", "Load Balancing: Monitors and Pools Read": "9d24387c6e8544e2bc4024a03991339f", "Load Balancing: Monitors and Pools Write": "d2a1802cc9a34e30852f8b33869b2f3c", - "Logs Read": "c4a30cd58c5d42619c86a3c36c441e2d", + "Logs Read": "6a315a56f18441e59ed03352369ae956", "Logs Write": "3e0b5820118e47f3922f7c989e673882", "Magic Firewall Packet Captures - Read PCAPs API": "3a46c728a0a040d5a65cd8e2f3bc6935", "Magic Firewall Packet Captures - Write PCAPs API": "4ea7d6421801452dbf07cef853a5ef39", "Magic Firewall Read": "02b71f12bb0748e9af8126494e181342", "Magic Firewall Write": "8bd1dac84d3d43e7bfb43145f010a15c", + "Magic Network Monitoring Admin": "8e6ed1ef6e864ad0ae477ceffa5aa5eb", + "Magic Network Monitoring Config Read": "3d85e9514f944bb4912c5871d92e5af5", + "Magic Network Monitoring Config Write": "09c77baecb6341a2b1ca2c62b658d290", "Magic Transit Prefix Read": "967ecf860a244dd1911a0331a0af582a", "Magic Transit Prefix Write": "0bc09a3cd4b54605990df4e307f138e1", "Managed headers Read": "319f5059d33a410da0fac4d35a716157", 
@@ -89,8 +121,14 @@ "Mass URL Redirects Write": "abe78e2276664f4db588c1f675a77486", "Memberships Read": "3518d0f75557482e952c6762d3e64903", "Memberships Write": "9201bc6f42d440968aaab0c6f17ebb1d", + "Origin Read": "7b32a91ece3140d4b3c2c56f23fc8e35", + "Origin Write": "a4308c6855c84eb2873e01b6cc85cbb3", "Page Rules Read": "b415b70a4fd1412886f164451f20405c", "Page Rules Write": "ed07f6c337da4195b4e72a1fb2c6bcae", + "Pages Read": "e247aedd66bd41cc9193af0213416666", + "Pages Write": "8d28297797f24fb8a0c332fe0866ec89", + "Pubsub Configuration Read": "fd7f886c75a244389e892c4c3c068292", + "Pubsub Configuration Write": "910b6ecca1c5411bb894e787362d1312", "Rule Policies Read": "58abbad6d2ce40abb2594fbe932a2e0e", "Rule Policies Write": "61ddc58f1da14f95b33b41213360cbeb", "SSL and Certificates Read": "7b7216b327b04b8fbc8f524e1f9b7531", @@ -106,6 +144,8 @@ "Teams Write": "b33f02c6f7284e05a6f20741c0bb0567", "Transform Rules Read": "a9a99455bf3245f6a5a244f909d74830", "Transform Rules Write": "ae16e88bc7814753a1894c7ce187ab72", + "Turnstile Sites Read": "5d78fd7895974fd0bdbbbb079482721b", + "Turnstile Sites Write": "755c05aa014b4f9ab263aa80b8167bd8", "User Details Read": "8acbe5bb0d54464ab867149d7f7cf8ac", "User Details Write": "55a5e17cc99e4a3fa1f3432d262f2e55", "Waiting Rooms Read": "cab5202d07ef47beae788e6bc95cb6fe", @@ -121,6 +161,8 @@ "Workers Scripts Read": "1a71c399035b4950a1bd1466bbe4f420", "Workers Scripts Write": "e086da7e2179491d91ee5f35b3ca210a", "Workers Tail Read": "05880cd1bdc24d8bae0be2136972816b", + "Zaraz Admin": "cdeb15b336e640a2965df8c65052f1e0", + "Zaraz Read": "5bdbde7e76144204a244274eac3eb0eb", "Zone Read": "c8fed203ed3043cba015a93ad1616f1f", "Zone Settings Read": "517b21aee92c4d89936c976ba6e4be55", "Zone Settings Write": "3030687196b94b638145a3953da2b699", 
@@ -136,10 +178,11 @@ ] }, { + "module": "module.cloudflare", "mode": "data", "type": "cloudflare_zone", - "name": "mein_nl", - "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]", + "name": "zone", + "provider": "module.cloudflare.provider[\"registry.terraform.io/cloudflare/cloudflare\"]", "instances": [ { "schema_version": 0, @@ -162,6 +205,7 @@ ] }, { + "module": "module.cloudflare", "mode": "data", "type": "http", "name": "public_ipv4", @@ -177,13 +221,12 @@ "Access-Control-Allow-Methods": "GET", "Access-Control-Allow-Origin": "*", "Alt-Svc": "h3=\":443\"; ma=86400, h3-29=\":443\"; ma=86400", - "Cf-Ray": "6d69531e2f6f5989-AMS", + "Cf-Ray": "765e0ab37b250e3b-AMS", "Content-Length": "12", "Content-Type": "text/plain", - "Date": "Tue, 01 Feb 2022 07:04:16 GMT", - "Expect-Ct": "max-age=604800, report-uri=\"https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct\"", + "Date": "Sun, 06 Nov 2022 13:05:37 GMT", "Server": "cloudflare", - "Set-Cookie": "__cf_bm=knleZ2GV3FanMKudN1BrNC2dwxGagNm74nqXocwcGM0-1643699056-0-Ad8dvZlo2W71Lqqryuk0RGDRiOumum+lHq2KMCDqa6X7Qg0IphXvkUaJo6pjBwBuIZGUCpRD6P7Ye3+30LbfoAc=; path=/; expires=Tue, 01-Feb-22 07:34:16 GMT; domain=.icanhazip.com; HttpOnly; Secure; SameSite=None", + "Set-Cookie": "__cf_bm=taclcWAQIB54BH1DHZr6one2Tyy0ahfBWfeRHiQPo9M-1667739937-0-AZ/mqMWjkq3yWY/aZxjqb84LIhJw9el9kC0uA2i3FJrFYmFqs03KrtotC3XRp80M0LV0QcY0V7l5q3Vr1ybbHP0=; path=/; expires=Sun, 06-Nov-22 13:35:37 GMT; domain=.icanhazip.com; HttpOnly; Secure; SameSite=None", "Vary": "Accept-Encoding" }, "url": "https://ipv4.icanhazip.com" 
@@ -193,49 +236,11 @@ ] }, { - "mode": "managed", - "type": "b2_bucket", - "name": "backup", - "provider": "provider[\"registry.terraform.io/backblaze/b2\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "account_id": "42ed5f32e413", - "bucket_id": "a462aefd15efb3027ee40113", - "bucket_info": {}, - "bucket_name": "infratron-homelab", - "bucket_type": "allPrivate", - "cors_rules": [], - "default_server_side_encryption": [ - { - "algorithm": "", - "mode": "none" - } - ], - "file_lock_configuration": [ - { - "default_retention": [], - "is_file_lock_enabled": false - } - ], - "id": "a462aefd15efb3027ee40113", - "lifecycle_rules": [], - "options": [ - "s3" - ], - "revision": 2 - }, - "sensitive_attributes": [], - "private": "bnVsbA==" - } - ] - }, - { + "module": "module.cloudflare", "mode": "managed", "type": "cloudflare_api_token", "name": "cert_manager", - "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]", + "provider": "module.cloudflare.provider[\"registry.terraform.io/cloudflare/cloudflare\"]", "instances": [ { "schema_version": 0, @@ -252,10 +257,10 @@ ] } ], - "id": "774665d78721200897b10501ea37272d", - "issued_on": "2022-01-31T12:31:46Z", - "modified_on": "2022-01-31T12:31:46Z", - "name": "homelab_cert_manager", + "id": "d99082d470ef8ae84df4628aa2fd8660", + "issued_on": "2022-11-06T13:00:43Z", + "modified_on": "2022-11-06T13:03:54Z", + "name": "jupiter_cert_manager", "policy": [ { "effect": "allow", 
@@ -269,22 +274,23 @@ } ], "status": "active", - "value": "hKSWqAXuQitglD4rpxyoUGh-A-ojZzFJdBLv2C76" + "value": "-BaeJeyJmaBJo2UXQfgrQSiKCNajRm755QaCAy1m" }, "sensitive_attributes": [], "private": "bnVsbA==", "dependencies": [ - "data.cloudflare_api_token_permission_groups.all", - "data.http.public_ipv4" + "module.cloudflare.data.cloudflare_api_token_permission_groups.all", + "module.cloudflare.data.http.public_ipv4" ] } ] }, { + "module": "module.cloudflare", "mode": "managed", "type": "cloudflare_api_token", "name": "external_dns", - "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]", + "provider": "module.cloudflare.provider[\"registry.terraform.io/cloudflare/cloudflare\"]", "instances": [ { "schema_version": 0, @@ -301,10 +307,10 @@ ] } ], - "id": "0f8e9cd48e207b7b607ad2151041412c", - "issued_on": "2022-01-31T12:31:46Z", - "modified_on": "2022-01-31T12:31:46Z", - "name": "homelab_external_dns", + "id": "72a70be82b532edf6f20426c0d3cbc2f", + "issued_on": "2022-11-06T13:00:43Z", + "modified_on": "2022-11-06T13:03:53Z", + "name": "jupiter_external_dns", "policy": [ { "effect": "allow", 
@@ -318,31 +324,32 @@ } ], "status": "active", - "value": "n7pog40deazFcF4ymKZ53z1M4fAICHuVoqZF2cgX" + "value": "1RckTDLQNCZnfLEYvlRwy792gMs-e9LYrMlOQglz" }, "sensitive_attributes": [], "private": "bnVsbA==", "dependencies": [ - "data.cloudflare_api_token_permission_groups.all", - "data.http.public_ipv4" + "module.cloudflare.data.cloudflare_api_token_permission_groups.all", + "module.cloudflare.data.http.public_ipv4" ] } ] }, { + "module": "module.cloudflare", "mode": "managed", "type": "cloudflare_argo_tunnel", "name": "jupiter", - "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]", + "provider": "module.cloudflare.provider[\"registry.terraform.io/cloudflare/cloudflare\"]", "instances": [ { "schema_version": 0, "attributes": { "account_id": "bade361765d704ba91e29296a025e4e3", - "cname": "36249edb-7b99-4d73-aab1-5468d91726c3.cfargotunnel.com", - "id": "36249edb-7b99-4d73-aab1-5468d91726c3", - "name": "jk", - "secret": "dnZjRlRVbWkyU1VreEZESk02ZEtkcDl1NW9DWmZNSzRYeERubkJPSkdGOTZoazhwZW9iT3dpaUx4Y1d5T3AyQQ==" + "cname": "6cc0d529-f729-45c1-891f-281544f35b50.cfargotunnel.com", + "id": "6cc0d529-f729-45c1-891f-281544f35b50", + "name": "jupiter", + "secret": "eHhSc29BVUUzblh0UnV5UDVZdzdCUmJUMEJBWHVzNlE3YTk4VFAwVjZuaURXUjRST3ROMk56dXZnNVk5c21COQ==" }, "sensitive_attributes": [ [ 
@@ -354,56 +361,16 @@ ], "private": "bnVsbA==", "dependencies": [ - "random_password.tunnel_secret" - ] - } - ] - }, - { - "mode": "managed", - "type": "cloudflare_record", - "name": "tunnel", - "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]", - "instances": [ - { - "schema_version": 2, - "attributes": { - "allow_overwrite": false, - "created_on": "2022-02-01T07:04:31.210652Z", - "data": [], - "hostname": "jupiter-tunnel.mein.nl", - "id": "f25c8d59ecd89d45c77938ecd244c8db", - "metadata": { - "auto_added": "false", - "managed_by_apps": "false", - "managed_by_argo_tunnel": "false", - "source": "primary" - }, - "modified_on": "2022-02-01T07:04:31.210652Z", - "name": "jupiter-tunnel", - "priority": null, - "proxiable": true, - "proxied": false, - "timeouts": null, - "ttl": 1, - "type": "CNAME", - "value": "36249edb-7b99-4d73-aab1-5468d91726c3.cfargotunnel.com", - "zone_id": "f2dbeb2dca3e055df71df866b8188ce7" - }, - "sensitive_attributes": [], - "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozMDAwMDAwMDAwMCwidXBkYXRlIjozMDAwMDAwMDAwMH0sInNjaGVtYV92ZXJzaW9uIjoiMiJ9", - "dependencies": [ - "cloudflare_argo_tunnel.jupiter", - "data.cloudflare_zone.mein_nl", - "random_password.tunnel_secret" + "module.cloudflare.random_password.tunnel_secret" ] } ] }, { + "module": "module.cloudflare", "mode": "managed", "type": "kubernetes_secret", - "name": "backblaze_credentials", + "name": "cert_manager_token", "provider": "provider[\"registry.terraform.io/hashicorp/kubernetes\"]", "instances": [ { 
@@ -411,11 +378,9 @@ "attributes": { "binary_data": null, "data": { - "application-key": "K0002cDkc6JsqdrrA+Z8H4KuApP3m9w", - "application-key-id": "00042ed5f32e4130000000002", - "repo-password": "rATN4QEZjlNeXoj65ywc9aI1MxO9zqg7ZYaM5Tr9fWiB3y8KpnMpae9guS5zZtOZ" + "api-token": "-BaeJeyJmaBJo2UXQfgrQSiKCNajRm755QaCAy1m" }, - "id": "k8up-operator/backblaze-credentials", + "id": "cert-manager/cloudflare-api-token", "immutable": false, "metadata": [ { @@ -423,10 +388,10 @@ "generate_name": "", "generation": 0, "labels": {}, - "name": "backblaze-credentials", - "namespace": "k8up-operator", - "resource_version": "1703", - "uid": "4529a4d6-a259-49ee-ab8d-c14ac45c2ef8" + "name": "cloudflare-api-token", + "namespace": "cert-manager", + "resource_version": "2053006", + "uid": "3b9abcc6-36a7-45e9-894f-95c5817d3ce1" } ], "type": "Opaque" @@ -440,20 +405,7 @@ { "type": "index", "value": { - "value": "application-key", - "type": "string" - } - } - ], - [ - { - "type": "get_attr", - "value": "data" - }, - { - "type": "index", - "value": { - "value": "repo-password", + "value": "api-token", "type": "string" } } @@ -461,15 +413,18 @@ ], "private": "bnVsbA==", "dependencies": [ - "random_password.backup_repo_password" + "module.cloudflare.cloudflare_api_token.cert_manager", + "module.cloudflare.data.cloudflare_api_token_permission_groups.all", + "module.cloudflare.data.http.public_ipv4" ] } ] }, { + "module": "module.cloudflare", "mode": "managed", "type": "kubernetes_secret", - "name": "cert_manager_token", + "name": "cloudflared_credentials", "provider": "provider[\"registry.terraform.io/hashicorp/kubernetes\"]", "instances": [ { 
@@ -477,20 +432,20 @@ "attributes": { "binary_data": null, "data": { - "api-token": "hKSWqAXuQitglD4rpxyoUGh-A-ojZzFJdBLv2C76" + "credentials.json": "{\"AccountTag\":\"bade361765d704ba91e29296a025e4e3\",\"TunnelID\":\"6cc0d529-f729-45c1-891f-281544f35b50\",\"TunnelName\":\"jupiter\",\"TunnelSecret\":\"eHhSc29BVUUzblh0UnV5UDVZdzdCUmJUMEJBWHVzNlE3YTk4VFAwVjZuaURXUjRST3ROMk56dXZnNVk5c21COQ==\"}" }, - "id": "cert-manager/cloudflare-api-token", + "id": "cloudflared/cloudflared-credentials", "immutable": false, "metadata": [ { - "annotations": {}, + "annotations": null, "generate_name": "", "generation": 0, - "labels": {}, - "name": "cloudflare-api-token", - "namespace": "cert-manager", - "resource_version": "1705", - "uid": "9a1c49f1-abdc-4d45-a893-bc68674fb601" + "labels": null, + "name": "cloudflared-credentials", + "namespace": "cloudflared", + "resource_version": "2053733", + "uid": "e1aca647-6ad2-48d1-81e9-6556f7c09e3f" } ], "type": "Opaque" @@ -504,7 +459,7 @@ { "type": "index", "value": { - "value": "api-token", + "value": "credentials.json", "type": "string" } } @@ -512,17 +467,17 @@ ], "private": "bnVsbA==", "dependencies": [ - "cloudflare_api_token.cert_manager", - "data.cloudflare_api_token_permission_groups.all", - "data.http.public_ipv4" + "module.cloudflare.cloudflare_argo_tunnel.jupiter", + "module.cloudflare.random_password.tunnel_secret" ] } ] }, { + "module": "module.cloudflare", "mode": "managed", "type": "kubernetes_secret", - "name": "cloudflared_credentials", + "name": "external_dns_token", "provider": "provider[\"registry.terraform.io/hashicorp/kubernetes\"]", "instances": [ { 
@@ -530,9 +485,9 @@ "attributes": { "binary_data": null, "data": { - "credentials.json": "{\"AccountTag\":\"bade361765d704ba91e29296a025e4e3\",\"TunnelID\":\"36249edb-7b99-4d73-aab1-5468d91726c3\",\"TunnelName\":\"jk\",\"TunnelSecret\":\"dnZjRlRVbWkyU1VreEZESk02ZEtkcDl1NW9DWmZNSzRYeERubkJPSkdGOTZoazhwZW9iT3dpaUx4Y1d5T3AyQQ==\"}" + "value": "1RckTDLQNCZnfLEYvlRwy792gMs-e9LYrMlOQglz" }, - "id": "cloudflared/cloudflared-credentials", + "id": "external-dns/cloudflare-api-token", "immutable": false, "metadata": [ { @@ -540,10 +495,10 @@ "generate_name": "", "generation": 0, "labels": {}, - "name": "cloudflared-credentials", - "namespace": "cloudflared", - "resource_version": "631465", - "uid": "ee7d19f7-93fb-4b04-8f22-deb02fc6edb4" + "name": "cloudflare-api-token", + "namespace": "external-dns", + "resource_version": "2053008", + "uid": "595051ae-11c9-4c1b-b885-8be600455aac" } ], "type": "Opaque" @@ -557,7 +512,7 @@ { "type": "index", "value": { - "value": "credentials.json", + "value": "value", "type": "string" } } 
@@ -565,16 +520,48 @@ ], "private": "bnVsbA==", "dependencies": [ - "cloudflare_argo_tunnel.jupiter", - "random_password.tunnel_secret" + "module.cloudflare.cloudflare_api_token.external_dns", + "module.cloudflare.data.cloudflare_api_token_permission_groups.all", + "module.cloudflare.data.http.public_ipv4" ] } ] }, { + "module": "module.cloudflare", + "mode": "managed", + "type": "random_password", + "name": "tunnel_secret", + "provider": "provider[\"registry.terraform.io/hashicorp/random\"]", + "instances": [ + { + "schema_version": 3, + "attributes": { + "bcrypt_hash": "$2a$10$ojTM2sFC2xzrvppFIXivpOcpNIvHDsetsJqIWDS5/5GCq3GyBf/Fu", + "id": "none", + "keepers": null, + "length": 64, + "lower": true, + "min_lower": 0, + "min_numeric": 0, + "min_special": 0, + "min_upper": 0, + "number": true, + "numeric": true, + "override_special": null, + "result": "xxRsoAUE3nXtRuyP5Yw7BRbT0BAXus6Q7a98TP0V6niDWR4ROtN2Nzuvg5Y9smB9", + "special": false, + "upper": true + }, + "sensitive_attributes": [] + } + ] + }, + { + "module": "module.zerotier", "mode": "managed", "type": "kubernetes_secret", - "name": "external_dns_token", + "name": "router", "provider": "provider[\"registry.terraform.io/hashicorp/kubernetes\"]", "instances": [ { 
@@ -582,9 +569,11 @@ "attributes": { "binary_data": null, "data": { - "value": "n7pog40deazFcF4ymKZ53z1M4fAICHuVoqZF2cgX" + "ZEROTIER_IDENTITY_PUBLIC": "db0463b05f:0:e87be2495502a43210b29d7add5aa5671207f6ef63b8754db732d9c0784d6c24bccf2a8bf585b17b6f8ba93dd642aee5d8d08aa76b2acccda3cd3a742a50bd85", + "ZEROTIER_IDENTITY_SECRET": "db0463b05f:0:e87be2495502a43210b29d7add5aa5671207f6ef63b8754db732d9c0784d6c24bccf2a8bf585b17b6f8ba93dd642aee5d8d08aa76b2acccda3cd3a742a50bd85:3c9412a5cc67b12585338b9cb06ad204508421e9d04dcbd89d5aa36c41cffe725c90a88b9fc0836d108c5c4308169d067d6d2a65a5ff0eb0a398838cf4dc8f49", + "ZEROTIER_NETWORK_ID": "52b337794fb44bbd" }, - "id": "external-dns/cloudflare-api-token", + "id": "zerotier/zerotier-router", "immutable": false, "metadata": [ { @@ -592,10 +581,10 @@ "generate_name": "", "generation": 0, "labels": {}, - "name": "cloudflare-api-token", - "namespace": "external-dns", - "resource_version": "1706", - "uid": "7c5f1f8f-5535-4f6f-91f8-0a6a75b72eca" + "name": "zerotier-router", + "namespace": "zerotier", + "resource_version": "2053007", + "uid": "76c24793-371b-4382-89f2-a153ee8e8ef2" } ], "type": "Opaque" @@ -609,7 +598,7 @@ { "type": "index", "value": { - "value": "value", + "value": "ZEROTIER_IDENTITY_SECRET", "type": "string" } } 
@@ -617,42 +606,25 @@ ], "private": "bnVsbA==", "dependencies": [ - "cloudflare_api_token.external_dns", - "data.cloudflare_api_token_permission_groups.all", - "data.http.public_ipv4" + "module.zerotier.zerotier_identity.router", + "module.zerotier.zerotier_network.network" ] } ] }, { + "module": "module.zerotier", "mode": "managed", - "type": "kubernetes_secret", - "name": "terraform_secrets", - "provider": "provider[\"registry.terraform.io/hashicorp/kubernetes\"]", + "type": "zerotier_identity", + "name": "router", + "provider": "module.zerotier.provider[\"registry.terraform.io/zerotier/zerotier\"]", "instances": [ { "schema_version": 0, "attributes": { - "binary_data": null, - "data": { - "credentials.tfrc.json": "{\n \"credentials\": {\n \"app.terraform.io\": {\n \"token\": \"q0oUr3wv19SWzA.atlasv1.ETCLKYIIzA8isWorNASVzEgSSYwD9j9ixGstzdJGD66MH5reBr0PwahtorBgUM8SYPU\"\n }\n }\n}", - "terraform.tfvars": "cloudflare_email = \"peter@infratron.io\"\ncloudflare_api_key = \"d3970e4b4b2ca364896b5931b6fa6ed7aface\"\ncloudflare_account_id = \"bade361765d704ba91e29296a025e4e3\"\nb2_application_key_id = \"00042ed5f32e4130000000001\"\nb2_application_key = \"K0009fNmtOqrgS74YygE24WIby9EneU\"\n" - }, - "id": "tekton-pipelines/terraform-secrets", - "immutable": false, - "metadata": [ - { - "annotations": {}, - "generate_name": "", - "generation": 0, - "labels": {}, - "name": "terraform-secrets", - "namespace": "tekton-pipelines", - "resource_version": "1704", - "uid": "133afe32-6b1e-4c2d-99d7-5f0adde382f7" - } - ], - "type": "Opaque" + "id": "db0463b05f", + "private_key": "db0463b05f:0:e87be2495502a43210b29d7add5aa5671207f6ef63b8754db732d9c0784d6c24bccf2a8bf585b17b6f8ba93dd642aee5d8d08aa76b2acccda3cd3a742a50bd85:3c9412a5cc67b12585338b9cb06ad204508421e9d04dcbd89d5aa36c41cffe725c90a88b9fc0836d108c5c4308169d067d6d2a65a5ff0eb0a398838cf4dc8f49", + "public_key": 
"db0463b05f:0:e87be2495502a43210b29d7add5aa5671207f6ef63b8754db732d9c0784d6c24bccf2a8bf585b17b6f8ba93dd642aee5d8d08aa76b2acccda3cd3a742a50bd85" }, "sensitive_attributes": [], "private": "bnVsbA==" 
@@ -660,60 +632,91 @@ ] }, { + "module": "module.zerotier", "mode": "managed", - "type": "random_password", - "name": "backup_repo_password", - "provider": "provider[\"registry.terraform.io/hashicorp/random\"]", + "type": "zerotier_member", + "name": "router", + "provider": "module.zerotier.provider[\"registry.terraform.io/zerotier/zerotier\"]", "instances": [ { "schema_version": 0, "attributes": { - "id": "none", - "keepers": null, - "length": 64, - "lower": true, - "min_lower": 0, - "min_numeric": 0, - "min_special": 0, - "min_upper": 0, - "number": true, - "override_special": null, - "result": "rATN4QEZjlNeXoj65ywc9aI1MxO9zqg7ZYaM5Tr9fWiB3y8KpnMpae9guS5zZtOZ", - "special": false, - "upper": true + "allow_ethernet_bridging": true, + "authorized": true, + "capabilities": [], + "description": "Managed by Terraform", + "hidden": false, + "id": "52b337794fb44bbd/db0463b05f", + "ip_assignments": [ + "10.147.17.1" + ], + "member_id": "db0463b05f", + "name": "router", + "network_id": "52b337794fb44bbd", + "no_auto_assign_ips": true, + "tags": [] }, "sensitive_attributes": [], - "private": "bnVsbA==" + "private": "bnVsbA==", + "dependencies": [ + "module.zerotier.zerotier_identity.router", + "module.zerotier.zerotier_network.network" + ] } ] }, { + "module": "module.zerotier", "mode": "managed", - "type": "random_password", - "name": "tunnel_secret", - "provider": "provider[\"registry.terraform.io/hashicorp/random\"]", + "type": "zerotier_network", + "name": "network", + "provider": "module.zerotier.provider[\"registry.terraform.io/zerotier/zerotier\"]", "instances": [ { "schema_version": 0, "attributes": { - "id": "none", - "keepers": null, - "length": 64, - "lower": true, - "min_lower": 0, - "min_numeric": 0, - "min_special": 0, - "min_upper": 0, - "number": true, - "override_special": null, - "result": "vvcFTUmi2SUkxFDJM6dKdp9u5oCZfMK4XxDnnBOJGF96hk8peobOwiiLxcWyOp2A", - "special": false, - "upper": true + "assign_ipv4": [ + { + "zerotier": true + } + ], + 
"assign_ipv6": [ + { + "rfc4193": false, + "sixplane": false, + "zerotier": false + } + ], + "assignment_pool": [ + { + "end": "10.147.17.255", + "start": "10.147.17.0" + } + ], + "creation_time": 1667739642875, + "description": "Homelab network", + "enable_broadcast": true, + "flow_rules": "accept;", + "id": "52b337794fb44bbd", + "multicast_limit": 32, + "name": "homelab", + "private": true, + "route": [ + { + "target": "10.147.17.0/24", + "via": "" + }, + { + "target": "192.168.1.0/24", + "via": "10.147.17.1" + } + ] }, "sensitive_attributes": [], "private": "bnVsbA==" } ] } - ] + ], + "check_results": [] } diff --git a/external/versions.tf b/external/versions.tf index 28e9c47b36..daeb16d60c 100644 --- a/external/versions.tf +++ b/external/versions.tf @@ -5,26 +5,21 @@ terraform { } + required_providers { cloudflare = { source = "cloudflare/cloudflare" - version = "~> 3.26.0" - } - - b2 = { - source = "Backblaze/b2" - version = "~> 0.7.0" version = "~> 3.11.0" } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.14.0" + version = "~> 2.9.0" } http = { source = "hashicorp/http" - version = "~> 2.2.0" + version = "~> 2.1.0" } } } diff --git a/metal/roles/k3s/defaults/main.yml b/metal/roles/k3s/defaults/main.yml index 9333483460..07eb1a1a37 100644 --- a/metal/roles/k3s/defaults/main.yml +++ b/metal/roles/k3s/defaults/main.yml @@ -9,6 +9,8 @@ k3s_server_config: - traefik disable-cloud-controller: true secrets-encryption: true + node-label: + - "storage=longhorn" k3s_pi_config: node-label: diff --git a/metal/roles/metallb_config/ippool.yaml b/metal/roles/metallb_config/ippool.yaml index 18f96c71a8..aed992b89a 100644 --- a/metal/roles/metallb_config/ippool.yaml +++ b/metal/roles/metallb_config/ippool.yaml @@ -1,3 +1,4 @@ +--- apiVersion: metallb.io/v1beta1 kind: IPAddressPool metadata: 
@@ -8,3 +9,24 @@ spec: - 192.168.1.208/28 autoAssign: false avoidBuggyIPs: false +--- +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: default + namespace: metallb-system +spec: + addresses: + - 192.168.1.224/28 + autoAssign: true + avoidBuggyIPs: false +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: metallb-advertisement + namespace: metallb-system +spec: + ipAddressPools: + - default + - traefik diff --git a/platform/gitea/Chart.yaml b/platform/gitea/Chart.yaml index 0a8048840a..1280baec6f 100644 --- a/platform/gitea/Chart.yaml +++ b/platform/gitea/Chart.yaml @@ -3,5 +3,5 @@ name: gitea version: 0.0.0 dependencies: - name: gitea - version: 6.0.3 + version: 5.0.3 repository: https://dl.gitea.io/charts/ diff --git a/platform/gitea/files/config/config.yaml b/platform/gitea/files/config/config.yaml index b093dbff7d..f3940c7467 100644 --- a/platform/gitea/files/config/config.yaml +++ b/platform/gitea/files/config/config.yaml @@ -16,18 +16,5 @@ repositories: owner: ops private: false migrate: - source: https://github.com/khuedoan/homelab + source: https://github.com/petermein/homelab mirror: false - # TODO create webhook (use a global one?) - # webhooks: - # - http://gitea-webhook.tekton-pipelines:3000 - - name: blog - owner: khuedoan - migrate: - source: https://github.com/khuedoan/blog - mirror: true - - name: backstage - owner: khuedoan - migrate: - source: https://github.com/khuedoan/backstage - mirror: true From 4a84d981ff85e94ad237f1a80891a48dbd76e013 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 9 Nov 2022 13:46:15 +0100 Subject: [PATCH 332/334] Move mysql to nfs --- home/mariadb/values.yaml | 4 ++-- home/pihole/templates/pihole-password.yaml | 19 +++++++++++++++++++ 2 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 home/pihole/templates/pihole-password.yaml diff --git a/home/mariadb/values.yaml b/home/mariadb/values.yaml index f113e2c7ed..b5144cd8bd 100644 
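Review bot: The new `default` pool has `autoAssign: true` and is L2-advertised with no node or namespace restriction, so every Service of type LoadBalancer created anywhere in the cluster will silently receive a `192.168.1.224/28` address that is reachable from the whole LAN. The existing `traefik` pool deliberately uses `autoAssign: false`; if LAN exposure is not meant to be the default for every workload, do the same here and opt services in via the MetalLB address-pool annotation, or scope the pool with `serviceAllocation` if the MetalLB version in use supports it. Either way, a comment above the pool would make the consequence explicit, e.g. `# autoAssign: any LoadBalancer Service in any namespace gets a LAN-routable address from this range`.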
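Review bot: The migrated `homelab` repository keeps `private: false`, which makes the mirrored GitOps repo readable by anyone who can reach this Gitea instance; since elsewhere on this page a file that looks like Terraform state with `random_password` results is committed to the same repo, it would be safer to create it as `private: true` and open it deliberately later. `private: false` is a context line here, so the change sits just outside this hunk's edits, but the hunk is where the new `source` is wired up and is the natural place to fix it. A short comment such as `# private: false publishes the whole GitOps repo, including any committed state, to every Gitea user` would at least make the choice visible.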
--- a/home/mariadb/values.yaml +++ b/home/mariadb/values.yaml @@ -426,7 +426,7 @@ mariadb: ## set, choosing the default provisioner. (gp2 on AWS, standard on ## GKE, AWS & OpenStack) ## - storageClass: "longhorn" + storageClass: "nfs" ## @param primary.persistence.annotations MariaDB primary persistent volume claim annotations ## annotations: {} @@ -1246,4 +1246,4 @@ mariadb: ## - namespaceSelector: ## matchLabels: ## label: example - customRules: {} \ No newline at end of file + customRules: {} diff --git a/home/pihole/templates/pihole-password.yaml b/home/pihole/templates/pihole-password.yaml new file mode 100644 index 0000000000..f99aec52c9 --- /dev/null +++ b/home/pihole/templates/pihole-password.yaml @@ -0,0 +1,19 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: {{ .Values.pihole.admin.existingSecret }} + namespace: {{ .Release.Namespace }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + target: + template: + engineVersion: v2 + data: + password: {{` "{{ .password }}" `}} + data: + - secretKey: password + remoteRef: + key: /pihole/admin + property: password From f2d63715e68432df4c8d19968c2c3957e320c9f1 Mon Sep 17 00:00:00 2001 From: Peter Mein Date: Wed, 9 Nov 2022 15:16:00 +0100 Subject: [PATCH 333/334] Pin Vault to Europa and move to nfs --- .../vault/files/generate-secrets/config.yaml | 18 ++++ platform/vault/templates/cr.yaml | 6 +- platform/vault/values.yaml | 99 +++++++++++++++++++ 3 files changed, 120 insertions(+), 3 deletions(-) diff --git a/platform/vault/files/generate-secrets/config.yaml b/platform/vault/files/generate-secrets/config.yaml index 4b9b29d714..21202fad8d 100644 --- a/platform/vault/files/generate-secrets/config.yaml +++ b/platform/vault/files/generate-secrets/config.yaml 
@@ -18,3 +18,21 @@ - key: password length: 32 special: true + +- path: pihole/admin + data: + - key: password + length: 32 + special: true + +- path: mariadb/admin + data: + - key: password + length: 32 + special: true + +- path: postgres/admin + data: + - key: password + length: 32 + special: true diff --git a/platform/vault/templates/cr.yaml b/platform/vault/templates/cr.yaml index 1cb2c8bea3..0ba2cbe2a6 100644 --- a/platform/vault/templates/cr.yaml +++ b/platform/vault/templates/cr.yaml @@ -40,8 +40,8 @@ spec: # Support for pod nodeSelector rules to control which nodes can be chosen to run # the given pods - # nodeSelector: - # "node-role.kubernetes.io/your_role": "true" + nodeSelector: + "kubernetes.io/hostname": "europa" # Support for node tolerations that work together with node taints to control # the pods that can like on a node @@ -260,7 +260,7 @@ kind: PersistentVolumeClaim metadata: name: vault-file spec: - storageClassName: longhorn + storageClassName: nfs accessModes: - ReadWriteOnce resources: diff --git a/platform/vault/values.yaml b/platform/vault/values.yaml index e69de29bb2..963c608618 100644 --- a/platform/vault/values.yaml +++ b/platform/vault/values.yaml 
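Review bot: Switching the `vault-file` PVC to the `nfs` storage class puts Vault's file storage backend on NFS, which that backend handles poorly: it depends on POSIX locking and atomic renames that NFS mounts frequently do not provide, and the barrier files become readable to anything that can mount or sniff the export (NFS traffic is plaintext unless the export is configured with `sec=krb5p` or similar). The barrier key still encrypts the data at rest, so this is an integrity/availability risk plus a confidentiality dependency on the NFS export ACL rather than an immediate key disclosure, but it should be recorded above the PVC, e.g. `# NOTE: Vault file backend on NFS — data is barrier-encrypted but relies on NFS export ACLs and NFS locking semantics`. The `kubernetes.io/hostname: europa` pin in the same file also means Vault cannot be rescheduled if that node is down, which is worth a one-line comment so the single point of failure is intentional rather than accidental.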
@@ -0,0 +1,99 @@ +vault-operator: + # Default values for vault-operator. + # This is a YAML-formatted file. + # Declare variables to be passed into your templates. + + replicaCount: 1 + + image: + bankVaultsRepository: ghcr.io/banzaicloud/bank-vaults + repository: ghcr.io/banzaicloud/vault-operator + # tag: "" + pullPolicy: IfNotPresent + imagePullSecrets: [] # global.imagePullSecrets is also supported + + service: + name: "" + type: ClusterIP + externalPort: 80 + internalPort: 8080 + annotations: {} + + nameOverride: "" + fullnameOverride: "" + + crdAnnotations: {} + + # The namespace where the operator watches for vault CRD objects, if not defined + # all namespaces are watched + watchNamespace: "" + syncPeriod: "1m" + + labels: {} + # team: banzai + + podLabels: {} + # team: banzai + + podAnnotations: {} + # team: banzai + + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi + + affinity: {} + + # # if tolerations are used inside cluster, define tolerations as well + tolerations: [] + # - effect: NoSchedule + # key: node_role + # operator: Equal + # value: custom_worker + + # # If needed, define nodeSelector for vault operator + nodeSelector: + "kubernetes.io/hostname": "europa" + + podSecurityContext: {} + + securityContext: {} + + ## Assign a PriorityClassName to pods if set + priorityClassName: "" + + terminationGracePeriodSeconds: 10 + + livenessProbe: + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + + psp: + enabled: false + vaultSA: "vault" + + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "" + monitoring: + # Create a Vault Operator ServiceMonitor object + serviceMonitor: + enabled: false + additionalLabels: {} + metricRelabelings: [] + relabelings: [] From 42593ab914df884cd931a95aada289ccfeab8df4 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 13 Jun 2023 18:25:41 +0000 Subject: [PATCH 334/334] chore(deps): replace k8s.gcr.io/sig-storage/nfs-subdir-external-provisioner docker tag with registry.k8s.io/sig-storage/nfs-subdir-external-provisioner v4.0.2 --- system/nfs-system/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/nfs-system/values.yaml b/system/nfs-system/values.yaml index bcd20aa91a..4b17e82648 100644 --- a/system/nfs-system/values.yaml +++ b/system/nfs-system/values.yaml @@ -3,7 +3,7 @@ nfs-subdir-external-provisioner: strategyType: Recreate image: - repository: k8s.gcr.io/sig-storage/nfs-subdir-external-provisioner + repository: registry.k8s.io/sig-storage/nfs-subdir-external-provisioner tag: v4.0.2 pullPolicy: IfNotPresent imagePullSecrets: []
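Review bot: The operator is deployed with `podSecurityContext: {}` and `securityContext: {}`, so the vault-operator pod, which holds cluster-wide permissions because `watchNamespace: ""` makes it watch every namespace, runs without any of the usual container hardening. Since this values file is new and fully under our control, I would set a restrictive context as below; whether the `ghcr.io/banzaicloud/vault-operator` image runs as a non-root user by default I cannot tell from here, so `runAsNonRoot` needs a quick check against the image before it is enabled. `psp.enabled: false` is fine on current Kubernetes, but if the cluster enforces Pod Security Admission at the `restricted` level the pod will be rejected without these settings, so this also prevents a later surprise.
```yaml
  # … unchanged: replicaCount, image, service, overrides, watchNamespace, resources, tolerations, nodeSelector …

  podSecurityContext:
    runAsNonRoot: true  # confirm the operator image runs as a non-root UID before enabling
    seccompProfile:
      type: RuntimeDefault

  securityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL

  # … unchanged: priorityClassName, probes, psp, serviceAccount, monitoring …
```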