diff --git a/kubernetes/main/apps/database/dragonfly/app/helmrelease.yaml b/kubernetes/main/apps/database/dragonfly/app/helmrelease.yaml
new file mode 100644
index 00000000..e3b78e2f
--- /dev/null
+++ b/kubernetes/main/apps/database/dragonfly/app/helmrelease.yaml
@@ -0,0 +1,102 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: &app dragonfly-operator
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.1.0
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ controllers:
+ dragonfly-operator:
+ strategy: RollingUpdate
+ containers:
+ app:
+ image:
+ repository: ghcr.io/dragonflydb/operator
+ tag: v1.1.2
+ command: ["/manager"]
+ args:
+ - --health-probe-bind-address=:8081
+ - --metrics-bind-address=:8080
+ probes:
+ liveness:
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /healthz
+ port: &port 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ timeoutSeconds: 1
+ failureThreshold: 3
+ readiness:
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /readyz
+ port: *port
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ resources:
+ requests:
+ cpu: 10m
+ limits:
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities: { drop: ["ALL"] }
+ defaultPodOptions:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ seccompProfile: { type: RuntimeDefault }
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: *app
+ service:
+ app:
+ controller: *app
+ ports:
+ http:
+ port: *port
+ metrics:
+ port: 8080
+ serviceMonitor:
+ app:
+ serviceName: *app
+ endpoints:
+ - port: metrics
+ scheme: http
+ path: /metrics
+ interval: 1m
+ scrapeTimeout: 10s
+ serviceAccount:
+ create: true
+ name: *app
diff --git a/kubernetes/main/apps/database/dragonfly/app/kustomization.yaml b/kubernetes/main/apps/database/dragonfly/app/kustomization.yaml
new file mode 100644
index 00000000..639c55db
--- /dev/null
+++ b/kubernetes/main/apps/database/dragonfly/app/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ # renovate: datasource=github-releases depName=dragonflydb/dragonfly-operator
+ - https://raw.githubusercontent.com/dragonflydb/dragonfly-operator/v1.1.2/manifests/crd.yaml
+ - ./helmrelease.yaml
+ - ./rbac.yaml
diff --git a/kubernetes/main/apps/database/dragonfly/app/rbac.yaml b/kubernetes/main/apps/database/dragonfly/app/rbac.yaml
new file mode 100644
index 00000000..6e1e0920
--- /dev/null
+++ b/kubernetes/main/apps/database/dragonfly/app/rbac.yaml
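Review bot: The CRD resource is fetched at build time from `raw.githubusercontent.com` by git tag (`v1.1.2`), and a tag is mutable, so a moved or re-pushed tag silently changes what Flux applies while the Renovate comment only keeps the version current. Pinning the URL to the commit SHA behind that tag, or vendoring `crd.yaml` into the repo and letting Renovate bump it, makes the build reproducible and reviewable in a diff. It is also worth a comment that this CRD version must track the operator image tag in `helmrelease.yaml`, since the two are pinned in different files.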
@@ -0,0 +1,40 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: dragonfly-operator
+rules:
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+ - apiGroups: [""]
+ resources: ["pods", "services"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["statefulsets"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+ - apiGroups: ["dragonflydb.io"]
+ resources: ["dragonflies"]
+ verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+ - apiGroups: ["dragonflydb.io"]
+ resources: ["dragonflies/finalizers"]
+ verbs: ["update"]
+ - apiGroups: ["dragonflydb.io"]
+ resources: ["dragonflies/status"]
+ verbs: ["get", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: dragonfly-operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: dragonfly-operator
+subjects:
+ - kind: ServiceAccount
+ name: dragonfly-operator
+ namespace: database
diff --git a/kubernetes/main/apps/database/dragonfly/cluster/cluster.yaml b/kubernetes/main/apps/database/dragonfly/cluster/cluster.yaml
new file mode 100644
index 00000000..7a254a5d
--- /dev/null
+++ b/kubernetes/main/apps/database/dragonfly/cluster/cluster.yaml
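Review bot: The ClusterRole grants cluster-wide create/delete on `pods`, `services` and `statefulsets`, yet the ServiceAccount it binds lives in `database` and the only Dragonfly CR in this change is deployed there as well. If the operator is only meant to manage this namespace and supports a namespace-scoped watch, a Role/RoleBinding in `database` for the workload rules (keeping a ClusterRole only where the controller genuinely needs cluster scope) would keep a compromised operator pod from reaching workloads in every other namespace. If cluster-wide management is the intent, a one-line comment above `kind: ClusterRole` saying so would save the next reader the same question.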
@@ -0,0 +1,29 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/dragonflydb.io/dragonfly_v1alpha1.json
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
+metadata:
+ name: dragonfly
+spec:
+ image: ghcr.io/dragonflydb/dragonfly:v1.18.1
+ replicas: 3
+ env:
+ - name: MAX_MEMORY
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.memory
+ divisor: 1Mi
+ args:
+ - --maxmemory=$(MAX_MEMORY)Mi
+ - --proactor_threads=2
+ - --cluster_mode=emulated
+ - --lock_on_hashtags
+ authentication:
+ passwordFromSecret:
+ name: dragonfly-secret
+ key: password
+ resources:
+ requests:
+ cpu: 100m
+ limits:
+ memory: 512Mi
diff --git a/kubernetes/main/apps/database/dragonfly/cluster/kustomization.yaml b/kubernetes/main/apps/database/dragonfly/cluster/kustomization.yaml
new file mode 100644
index 00000000..6f0f305d
--- /dev/null
+++ b/kubernetes/main/apps/database/dragonfly/cluster/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./cluster.yaml
+ - ./podmonitor.yaml
diff --git a/kubernetes/main/apps/database/dragonfly/cluster/podmonitor.yaml b/kubernetes/main/apps/database/dragonfly/cluster/podmonitor.yaml
new file mode 100644
index 00000000..b26a770d
--- /dev/null
+++ b/kubernetes/main/apps/database/dragonfly/cluster/podmonitor.yaml
@@ -0,0 +1,13 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/podmonitor_v1.json
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: dragonfly
+spec:
+ selector:
+ matchLabels:
+ app: dragonfly
+ podTargetLabels: ["app"]
+ podMetricsEndpoints:
+ - port: admin
diff --git a/kubernetes/main/apps/database/dragonfly/ks.yaml b/kubernetes/main/apps/database/dragonfly/ks.yaml
new file mode 100644
index 00000000..d834f953
--- /dev/null
+++ b/kubernetes/main/apps/database/dragonfly/ks.yaml
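Review bot: `--maxmemory=$(MAX_MEMORY)Mi` resolves to the full `limits.memory` value (512Mi via the `1Mi` divisor), so the dataset cap equals the cgroup limit and leaves no headroom for the process's own overhead (proactor threads, replication and client buffers); the likely outcome is an OOM kill before Dragonfly begins evicting. Leave a margin, for example a fixed `--maxmemory=400Mi` for this limit, or derive the limit from the intended dataset size plus overhead and document the ratio in a comment. Separately, client and replication traffic here is plaintext while `passwordFromSecret` sends the password over it; if the CRD version in use exposes a TLS secret reference on the spec, enabling it would close that gap — not verified against the v1alpha1 schema.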
@@ -0,0 +1,66 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app dragonfly-operator
+ namespace: flux-system
+spec:
+ targetNamespace: database
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/main/apps/database/dragonfly/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-ops
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app dragonfly-secret-store
+ namespace: flux-system
+spec:
+ targetNamespace: database
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/main/apps/database/dragonfly/secret-store
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-ops
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app dragonfly-cluster
+ namespace: flux-system
+spec:
+ targetNamespace: database
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: dragonfly-operator
+ - name: dragonfly-secret-store
+ path: ./kubernetes/main/apps/database/dragonfly/cluster
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-ops
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/main/apps/database/dragonfly/secret-store/clustersecretstore.yaml b/kubernetes/main/apps/database/dragonfly/secret-store/clustersecretstore.yaml
new file mode 100644
index 00000000..7174c658
--- /dev/null
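Review bot: The `dragonfly-secret-store` Kustomization reconciles a directory whose kustomization lists `secret.sops.yaml`, but its `spec` has no `decryption` block, so unless decryption is injected centrally (a patch applied to every Flux Kustomization, which this hunk cannot show) the reconcile applies the literal `ENC[...]` strings as the secret's values and the Dragonfly password is wrong rather than protected. Add `decryption: { provider: sops, secretRef: { name: <sops-key-secret-placeholder> } }` under that Kustomization's `spec`, or confirm the cluster-level patch covers this path. The other two Kustomizations here reference no sops files, so they are unaffected today.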
+++ b/kubernetes/main/apps/database/dragonfly/secret-store/clustersecretstore.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: dragonfly-secret-store
+spec:
+ provider:
+ kubernetes:
+ remoteNamespace: database
+ auth:
+ serviceAccount:
+ name: dragonfly-secret-manager
+ namespace: database
+ server:
+ caProvider:
+ type: ConfigMap
+ name: kube-root-ca.crt
+ namespace: security
+ key: ca.crt
diff --git a/kubernetes/main/apps/database/dragonfly/secret-store/kustomization.yaml b/kubernetes/main/apps/database/dragonfly/secret-store/kustomization.yaml
new file mode 100644
index 00000000..790486d8
--- /dev/null
+++ b/kubernetes/main/apps/database/dragonfly/secret-store/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./clustersecretstore.yaml
+ - ./rbac.yaml
+ - ./secret.sops.yaml
diff --git a/kubernetes/main/apps/database/dragonfly/secret-store/rbac.yaml b/kubernetes/main/apps/database/dragonfly/secret-store/rbac.yaml
new file mode 100644
index 00000000..6832e5de
--- /dev/null
+++ b/kubernetes/main/apps/database/dragonfly/secret-store/rbac.yaml
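Review bot: This ClusterSecretStore carries no `spec.conditions`, so an ExternalSecret in any namespace may reference it and copy `dragonfly-secret` (the database credentials) into that namespace; anyone able to create ExternalSecrets anywhere in the cluster effectively gets the password. Restrict the consumers with `conditions: [{ namespaces: [<consumer-namespace-placeholder>] }]` or a `namespaceSelector`, or use a namespaced SecretStore where the consumer lives. Also, `caProvider.namespace: security` reads `kube-root-ca.crt` from a namespace nothing else in this change uses; that ConfigMap is published to every namespace, so `namespace: database` removes the cross-namespace dependency unless the `security` reference is deliberate.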
@@ -0,0 +1,39 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: dragonfly-secret-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: dragonfly-secret-manager-role
+rules:
+ - apiGroups: [""]
+ resources:
+ - secrets
+ resourceNames:
+ - dragonfly-secret
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - selfsubjectrulesreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: dragonfly-secret-manager-binding
+subjects:
+ - kind: ServiceAccount
+ name: dragonfly-secret-manager
+ namespace: database
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: dragonfly-secret-manager-role
diff --git a/kubernetes/main/apps/database/dragonfly/secret-store/secret.sops.yaml b/kubernetes/main/apps/database/dragonfly/secret-store/secret.sops.yaml
new file mode 100644
index 00000000..046a263d
--- /dev/null
+++ b/kubernetes/main/apps/database/dragonfly/secret-store/secret.sops.yaml
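Review bot: The Role grants `list` and `watch` on secrets in addition to `get`; for a store that only resolves the single named `dragonfly-secret`, `get` is the verb the provider needs for named lookups, and `list` is only required for find-by-label style queries, so `verbs: [get]` is likely sufficient here and is the tighter grant. The `resourceNames` restriction already narrows the scope well, and the `selfsubjectrulesreviews` create rule is the usual requirement for store validation, so the rest of the Role looks right. Since the Role and RoleBinding carry no `metadata.namespace`, a comment noting that `targetNamespace: database` in the Flux Kustomization supplies it would help anyone applying this file by hand.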
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: dragonfly-secret
+type: kubernetes.io/basic-auth
+stringData:
+ username: ENC[AES256_GCM,data:q1syECEHzlku,iv:Ft/Kwi788xSLcbZFzzvs0oEWBgtM3+wRhM+fzFFXaGI=,tag:AksZsqPTrAEtBt5ONBYMhA==,type:str]
+ password: ENC[AES256_GCM,data:z/mvnn+uDdyuMP8w/e3b30HcMv/uDtQvcExLzW8B2jlQbNX9Us5Ob+M/E8sjGxG4Y2kuMishO9PQgfq+6MDnBw==,iv:m51Tw9yYPrnlUPubqGtCU+LyylaGjrXkiGCcJzK2IfY=,tag:x4de+pR0Qd6BL5JVwzsfdA==,type:str]
+ host: ENC[AES256_GCM,data:3jlG9CbloDNLUPLFdUXutDJE61727bShQ74Jrj7XTJrZhihq,iv:MD6c0FsKWNyJHBAQy1ZI/62k0h+TNL990jXimrTZNEc=,tag:u4EZpKa4ZJ98TsB86Xni0g==,type:str]
+ port: ENC[AES256_GCM,data:3Ew/JA==,iv:Nlsqd0OCqi2rJLD6gIRf+p5JQu2zVz0ygZ2zNaQw03I=,tag:0Ixm2b8UHlBtUHIwOICXCA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1ve9kzacrwq7l9l0emvs326uk6t576d75r596e083r2tq6xu28qcsacy3s7
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGT1B3NzU2bTF6SE1OMVN0
+ MHIvOUFuK081UFBrMWxQYllSRGoxZlpHeVU4CmtpRkovcUhXdis0WndYTTFsZkUx
+ b3Y1YndEWG0yMDRkSWJKU2hweDVnY0UKLS0tIFpWZ3M2R3lLSURTK0dnMlpaNURE
+ dHFnSm1OeHdzVElYdC8yNkpFV3I5QVUKuAfcF2UIgxBcGT0ULdOTL9MHm6kynVDO
+ Nr1TRBfWBga7eNfeffniTHunS+ag+w3swhGCt6w6heSJyyZz3Y8hNQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-19T14:21:05Z"
+ mac: ENC[AES256_GCM,data:z766h9nNYXqV5WcDhVxwOrwYfo8kMG/kyQNdqwUWbFZprcEe9k4MCedAIkrJzRKVoxS1tYvYb8AWjhlCMIg9sGpdLk5+aUbcLsAiTUOicAq+nuhySfKTFApHhyVKopGB9XHX8V6H5xi7MmvhK+0P0NVVY4CLBuLGhLdVmtvrwzY=,iv:CX/ri2UdqbJryyeitybkWUvJaBDGPaUhV+GOq+pQyPo=,tag:AhusS/dEINZYScE9SkDR2w==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.8.1
diff --git a/kubernetes/main/apps/database/kustomization.yaml b/kubernetes/main/apps/database/kustomization.yaml
new file mode 100644
index 00000000..e02143ad
--- /dev/null
+++ b/kubernetes/main/apps/database/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./dragonfly/ks.yaml
diff --git a/kubernetes/main/apps/database/namespace.yaml b/kubernetes/main/apps/database/namespace.yaml
new file mode 100644
index 00000000..5cad2860
--- /dev/null
+++ b/kubernetes/main/apps/database/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: database
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled