From 4b51367839d344c1c8f7f336a6854f14bde2eb34 Mon Sep 17 00:00:00 2001 From: Finn Date: Mon, 13 Jan 2025 18:40:19 -0800 Subject: [PATCH] Initial talos storage server --- .../kustomization.yaml | 8 + helm/render-all.sh | 2 +- helm/traefik/kustomization.yaml | 20 ++ talos/.gitignore | 1 + .../cert-manager-webhook-pdns/bundle.yaml | 311 ++++++++++++++++++ .../kustomization.yaml | 18 + .../letsencrypt.yaml | 20 ++ .../namespace-patch.yaml | 3 + .../cert-manager/controller-patches.yaml | 6 + .../operators/cert-manager/kustomization.yaml | 9 + talos/k8s/operators/kustomization.yaml | 3 + talos/k8s/operators/rook/kustomization.yaml | 1 - talos/k8s/operators/rook/pools.yaml | 34 -- talos/k8s/operators/traefik/bundle.yaml | 273 +++++++++++++++ .../k8s/operators/traefik/kustomization.yaml | 6 + talos/k8s/operators/traefik/namespace.yaml | 6 + talos/k8s/rook/buckets.yaml | 7 + talos/k8s/rook/kustomization.yaml | 6 + talos/k8s/rook/s3-pool.yaml | 72 ++++ 19 files changed, 770 insertions(+), 36 deletions(-) create mode 100644 helm/cert-manager-webhook-pdns/kustomization.yaml create mode 100644 helm/traefik/kustomization.yaml create mode 100644 talos/k8s/operators/cert-manager-webhook-pdns/bundle.yaml create mode 100644 talos/k8s/operators/cert-manager-webhook-pdns/kustomization.yaml create mode 100644 talos/k8s/operators/cert-manager-webhook-pdns/letsencrypt.yaml create mode 100644 talos/k8s/operators/cert-manager-webhook-pdns/namespace-patch.yaml create mode 100644 talos/k8s/operators/cert-manager/controller-patches.yaml create mode 100644 talos/k8s/operators/cert-manager/kustomization.yaml delete mode 100644 talos/k8s/operators/rook/pools.yaml create mode 100644 talos/k8s/operators/traefik/bundle.yaml create mode 100644 talos/k8s/operators/traefik/kustomization.yaml create mode 100644 talos/k8s/operators/traefik/namespace.yaml create mode 100644 talos/k8s/rook/buckets.yaml create mode 100644 talos/k8s/rook/kustomization.yaml create mode 100644 talos/k8s/rook/s3-pool.yaml 
diff --git a/helm/cert-manager-webhook-pdns/kustomization.yaml b/helm/cert-manager-webhook-pdns/kustomization.yaml
new file mode 100644
index 0000000..9e666ec
--- /dev/null
+++ b/helm/cert-manager-webhook-pdns/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+- name: cert-manager-webhook-pdns
+ namespace: cert-manager
+ releaseName: cert-manager-webhook-pdns
+ version: v3.2.2
+ repo: https://zachomedia.github.io/cert-manager-webhook-pdns
diff --git a/helm/render-all.sh b/helm/render-all.sh
index 79e60de..91d2dd9 100755
--- a/helm/render-all.sh
+++ b/helm/render-all.sh
@@ -19,6 +19,6 @@ for component in openbao external-secrets secrets-store-csi-driver; do
 done
 # cisco k8s cluster operators
-for component in rook; do
+for component in rook cert-manager-webhook-pdns traefik; do
 render_helm ../talos/k8s/operators "${component}"
 done
diff --git a/helm/traefik/kustomization.yaml b/helm/traefik/kustomization.yaml
new file mode 100644
index 0000000..29135cf
--- /dev/null
+++ b/helm/traefik/kustomization.yaml
@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+- name: traefik
+ namespace: traefik
+ releaseName: traefik
+ version: v34.0.0
+ valuesInline:
+ deployment:
+ replicas: 2
+ ports:
+ websecure:
+ hostPort: 443
+ proxyProtocol:
+ trustedIPs:
+ - 10.5.1.1/32
+ providers:
+ kubernetesCRD:
+ allowCrossNamespace: true
+ repo: https://traefik.github.io/charts
diff --git a/talos/.gitignore b/talos/.gitignore
index 0819985..642a428 100644
--- a/talos/.gitignore
+++ b/talos/.gitignore
@@ -1 +1,2 @@
 /talosconfig
+/controlplane.yaml
diff --git a/talos/k8s/operators/cert-manager-webhook-pdns/bundle.yaml b/talos/k8s/operators/cert-manager-webhook-pdns/bundle.yaml
new file mode 100644
index 0000000..5d095b0
--- /dev/null
+++ b/talos/k8s/operators/cert-manager-webhook-pdns/bundle.yaml
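Review bot: `providers.kubernetesCRD.allowCrossNamespace: true` lets an IngressRoute in any namespace route to Services (and reference Middlewares/ServersTransports) living in every other namespace, so namespaces stop being a boundary for who may front which backend; the rendered bundle confirms it lands as `--providers.kubernetescrd.allowCrossNamespace=true`. If only a single cross-namespace case needs it, consider keeping the default `false` and placing each Ingress next to its backend (s3-pool.yaml already does this with a plain Ingress in rook-ceph), or at least record in a comment beside the value which reference justifies it. Two smaller things from the rendered chart defaults: `--global.checknewversion` and `--global.sendanonymoususage` make the proxy phone home and can be removed with `globalArguments: []` under `valuesInline` (the chart's `globalArguments` value appears to be what emits them), and `deployment.replicas: 2` combined with `hostPort: 443` admits only one pod per node, so on a single-node storage server the second replica will stay Pending.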
@@ -0,0 +1,311 @@ +# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +- apiGroups: + - flowcontrol.apiserver.k8s.io + resources: + - flowschemas + - prioritylevelconfigurations + verbs: + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns:domain-solver +rules: +- apiGroups: + - acme.zacharyseguin.ca + resources: + - '*' + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns:webhook-authentication-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader 
+subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook-pdns + namespace: cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-webhook-pdns +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook-pdns + namespace: cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook-pdns + namespace: cert-manager +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns:domain-solver +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-webhook-pdns:domain-solver +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager + namespace: cert-manager +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + 
app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns +spec: + ports: + - name: https + port: 443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/name: cert-manager-webhook-pdns + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/name: cert-manager-webhook-pdns + template: + metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + spec: + containers: + - args: + - --tls-cert-file=/tls/tls.crt + - --tls-private-key-file=/tls/tls.key + - --secure-port=8443 + env: + - name: GROUP_NAME + value: acme.zacharyseguin.ca + image: zachomedia/cert-manager-webhook-pdns:v2.5.1 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: https + scheme: HTTPS + name: cert-manager-webhook-pdns + ports: + - containerPort: 8443 + name: https + protocol: TCP + readinessProbe: + httpGet: + path: /healthz + port: https + scheme: HTTPS + resources: {} + securityContext: + runAsGroup: 100 + runAsUser: 100 + volumeMounts: + - mountPath: /tls + name: certs + readOnly: true + serviceAccountName: cert-manager-webhook-pdns + volumes: + - name: certs + secret: + secretName: cert-manager-webhook-pdns-webhook-tls +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService 
+metadata: + annotations: + cert-manager.io/inject-ca-from: cert-manager/cert-manager-webhook-pdns-webhook-tls + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: v1alpha1.acme.zacharyseguin.ca +spec: + group: acme.zacharyseguin.ca + groupPriorityMinimum: 1000 + service: + name: cert-manager-webhook-pdns + namespace: cert-manager + version: v1alpha1 + versionPriority: 15 +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns-ca + namespace: cert-manager +spec: + commonName: ca.cert-manager-webhook-pdns.cert-manager + duration: 43800h0m0s + isCA: true + issuerRef: + name: cert-manager-webhook-pdns-selfsign + secretName: cert-manager-webhook-pdns-ca +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns-webhook-tls + namespace: cert-manager +spec: + dnsNames: + - cert-manager-webhook-pdns + - cert-manager-webhook-pdns.cert-manager + - cert-manager-webhook-pdns.cert-manager.svc + duration: 8760h0m0s + issuerRef: + name: cert-manager-webhook-pdns-ca + secretName: cert-manager-webhook-pdns-webhook-tls +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + 
app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns-ca + namespace: cert-manager +spec: + ca: + secretName: cert-manager-webhook-pdns-ca +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/instance: cert-manager-webhook-pdns + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cert-manager-webhook-pdns + app.kubernetes.io/version: v2.5.1 + helm.sh/chart: cert-manager-webhook-pdns-3.2.2 + name: cert-manager-webhook-pdns-selfsign + namespace: cert-manager +spec: + selfSigned: {} diff --git a/talos/k8s/operators/cert-manager-webhook-pdns/kustomization.yaml b/talos/k8s/operators/cert-manager-webhook-pdns/kustomization.yaml new file mode 100644 index 0000000..79e81d3 --- /dev/null +++ b/talos/k8s/operators/cert-manager-webhook-pdns/kustomization.yaml @@ -0,0 +1,18 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - bundle.yaml + - letsencrypt.yaml +patches: + - path: namespace-patch.yaml + target: + kind: Deployment + name: cert-manager-webhook-pdns + - path: namespace-patch.yaml + target: + kind: ServiceAccount + name: cert-manager-webhook-pdns + - path: namespace-patch.yaml + target: + kind: Service + name: cert-manager-webhook-pdns diff --git a/talos/k8s/operators/cert-manager-webhook-pdns/letsencrypt.yaml b/talos/k8s/operators/cert-manager-webhook-pdns/letsencrypt.yaml new file mode 100644 index 0000000..4fdce3a --- /dev/null +++ b/talos/k8s/operators/cert-manager-webhook-pdns/letsencrypt.yaml 
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt
+spec:
+ acme:
+ email: dns-admin@janky.solutions
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-account-key
+ solvers:
+ - dns01:
+ webhook:
+ groupName: acme.zacharyseguin.ca
+ solverName: pdns
+ config:
+ host: https://dns.janky.solutions
+ apiKeySecretRef:
+ name: dns-janky-solutions
+ key: api-key
diff --git a/talos/k8s/operators/cert-manager-webhook-pdns/namespace-patch.yaml b/talos/k8s/operators/cert-manager-webhook-pdns/namespace-patch.yaml
new file mode 100644
index 0000000..e3a273e
--- /dev/null
+++ b/talos/k8s/operators/cert-manager-webhook-pdns/namespace-patch.yaml
@@ -0,0 +1,3 @@
+- op: add
+ path: /metadata/namespace
+ value: cert-manager
diff --git a/talos/k8s/operators/cert-manager/controller-patches.yaml b/talos/k8s/operators/cert-manager/controller-patches.yaml
new file mode 100644
index 0000000..c13ad31
--- /dev/null
+++ b/talos/k8s/operators/cert-manager/controller-patches.yaml
@@ -0,0 +1,6 @@
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --dns01-recursive-nameservers-only # adding this arg makes DNS-01 validation work, unclear why it doesnt work otherwise.
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --dns01-recursive-nameservers=1.1.1.1:53,8.8.8.8:53,8.8.4.4:53
diff --git a/talos/k8s/operators/cert-manager/kustomization.yaml b/talos/k8s/operators/cert-manager/kustomization.yaml
new file mode 100644
index 0000000..2d1d592
--- /dev/null
+++ b/talos/k8s/operators/cert-manager/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml
+patches:
+ - path: controller-patches.yaml
+ target:
+ kind: Deployment
+ name: cert-manager
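Review bot: The dns01 solver on this ClusterIssuer has no `selector`, so any Ingress or Certificate in any namespace that names `cluster-issuer: letsencrypt` can obtain a publicly trusted certificate for every zone the PowerDNS key behind `dns-janky-solutions` is allowed to edit; adding `selector: {dnsZones: ["janky.solutions"]}` beside the `dns01:` block narrows issuance to the zones you intend. The `dns-janky-solutions` secret is not created in this commit — it has to exist in the cert-manager namespace (the webhook's ClusterRole only has `get` on secrets) and should come from the secrets tooling this repo already renders (openbao / external-secrets in render-all.sh) rather than a committed manifest; a short comment under `apiKeySecretRef` saying where it is provisioned would help the next reader. Because `server` points straight at the production ACME endpoint, a parallel `letsencrypt-staging` issuer would let the pdns webhook and the recursive-nameserver patch be validated without consuming production rate limits.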
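Review bot: The inline comment on `--dns01-recursive-nameservers-only` admits the cause is unknown, and since the flag changes which resolvers a security-relevant pre-check trusts, the mechanism is worth recording. cert-manager's DNS-01 self-check looks up the zone's authoritative nameservers and the `_acme-challenge` TXT record through the pod's resolver before it asks the ACME server to validate; if the in-cluster resolver has an internal view of `janky.solutions` (plausible given `dns.janky.solutions` is the PowerDNS API host) or cannot reach the public authoritative servers, the record never appears from the cluster's vantage point and the challenge stalls, and this flag makes the pre-check query the listed public recursors instead, matching what Let's Encrypt itself will see. Once confirmed with a `dig` from a pod, replace the comment with something like `# use public recursors for the DNS-01 self-check: the in-cluster resolver does not see the public janky.solutions zone, so the TXT pre-check never passes otherwise`. Note the pre-check only gates when cert-manager submits the challenge — Let's Encrypt validates independently — so the practical requirement is that egress on port 53 to 1.1.1.1, 8.8.8.8 and 8.8.4.4 is allowed from the cert-manager controller pod.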
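Review bot: The `resources` entry fetches `cert-manager.yaml` from GitHub on every `kustomize build`, so what gets applied depends on the network at build time and is never reviewed as a diff or pinned to a checksum — the tag is fixed, but release assets are mutable, and this manifest installs CRDs, admission webhooks and a controller with cluster-wide secret access. The rest of this tree vendors rendered manifests (`bundle.yaml` via helm/render-all.sh); doing the same here — download once, commit it as `bundle.yaml`, and on refresh verify it against whatever checksum or signature cert-manager publishes for v1.16.2 — keeps the supply chain reviewable and lets builds work offline. If the remote fetch stays, at minimum add a comment above the URL recording the sha256 that was reviewed so drift can be detected.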
diff --git a/talos/k8s/operators/kustomization.yaml b/talos/k8s/operators/kustomization.yaml
index 20c5667..d20e599 100644
--- a/talos/k8s/operators/kustomization.yaml
+++ b/talos/k8s/operators/kustomization.yaml
@@ -1,4 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - cert-manager
+ - cert-manager-webhook-pdns
 - rook
+ - traefik
diff --git a/talos/k8s/operators/rook/kustomization.yaml b/talos/k8s/operators/rook/kustomization.yaml
index d46b945..12015f8 100644
--- a/talos/k8s/operators/rook/kustomization.yaml
+++ b/talos/k8s/operators/rook/kustomization.yaml
@@ -6,4 +6,3 @@ resources:
 - bundle.yaml
 - cluster.yaml
 - toolbox.yaml
- - pools.yaml
diff --git a/talos/k8s/operators/rook/pools.yaml b/talos/k8s/operators/rook/pools.yaml
deleted file mode 100644
index 63ea442..0000000
--- a/talos/k8s/operators/rook/pools.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: ceph.rook.io/v1
-kind: CephObjectStore
-metadata:
- name: muh-buckets
- namespace: rook-ceph
-spec:
- metadataPool:
- failureDomain: osd
- replicated:
- size: 3
- dataPool:
- failureDomain: osd
- erasureCoded:
- dataChunks: 2
- codingChunks: 1
- preservePoolsOnDelete: true
- gateway:
- # sslCertificateRef:
- # caBundleRef:
- port: 80
- # securePort: 443
- instances: 1
- # A key/value list of annotations
- annotations:
- # key: value
- resources:
- # limits:
- # cpu: "500m"
- # memory: "1024Mi"
- # requests:
- # cpu: "500m"
- # memory: "1024Mi"
- #zone:
- #name: zone-a
diff --git a/talos/k8s/operators/traefik/bundle.yaml b/talos/k8s/operators/traefik/bundle.yaml
new file mode 100644
index 0000000..78fa3a8
--- /dev/null
+++ b/talos/k8s/operators/traefik/bundle.yaml
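Review bot: The new `cert-manager-webhook-pdns` entry contains `Certificate` and `Issuer` objects (cert-manager.io/v1) whose CRDs are installed by the sibling `cert-manager` entry, and kustomize emits everything as one stream, so a first `kubectl apply` of this directory can fail with "no matches for kind Certificate" before the CRDs are established, and the pdns `APIService` will stay unavailable until cert-manager has injected its CA. Either apply `cert-manager` as a separate first step or apply with a retry, and document the dependency next to the list, e.g. `# cert-manager must be established before cert-manager-webhook-pdns (it ships Certificate/Issuer CRs)`. Also worth checking that no other IngressClass in the cluster already carries `ingressclass.kubernetes.io/is-default-class`, since the traefik bundle sets it and two defaults make class-less Ingresses ambiguous.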
@@ -0,0 +1,273 @@ +# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: traefik-traefik + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: traefik + helm.sh/chart: traefik-34.0.0 + name: traefik + namespace: traefik +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: traefik-traefik + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: traefik + helm.sh/chart: traefik-34.0.0 + name: traefik-traefik +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - serverstransports + - serverstransporttcps + - tlsoptions + - tlsstores + - traefikservices + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: traefik-traefik + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: traefik + helm.sh/chart: traefik-34.0.0 + name: traefik-traefik +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: traefik-traefik +subjects: +- kind: ServiceAccount + name: traefik + namespace: traefik +--- +apiVersion: v1 +kind: 
Service +metadata: + labels: + app.kubernetes.io/instance: traefik-traefik + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: traefik + helm.sh/chart: traefik-34.0.0 + name: traefik + namespace: traefik +spec: + ports: + - name: web + port: 80 + protocol: TCP + targetPort: web + - name: websecure + port: 443 + protocol: TCP + targetPort: websecure + selector: + app.kubernetes.io/instance: traefik-traefik + app.kubernetes.io/name: traefik + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: traefik-traefik + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: traefik + helm.sh/chart: traefik-34.0.0 + name: traefik + namespace: traefik +spec: + minReadySeconds: 0 + replicas: 2 + selector: + matchLabels: + app.kubernetes.io/instance: traefik-traefik + app.kubernetes.io/name: traefik + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "9100" + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/instance: traefik-traefik + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: traefik + helm.sh/chart: traefik-34.0.0 + spec: + automountServiceAccountToken: true + containers: + - args: + - --global.checknewversion + - --global.sendanonymoususage + - --entryPoints.metrics.address=:9100/tcp + - --entryPoints.traefik.address=:8080/tcp + - --entryPoints.web.address=:8000/tcp + - --entryPoints.websecure.address=:8443/tcp + - --api.dashboard=true + - --ping=true + - --metrics.prometheus=true + - --metrics.prometheus.entrypoint=metrics + - --providers.kubernetescrd + - --providers.kubernetescrd.allowCrossNamespace=true + - --providers.kubernetescrd.allowEmptyServices=true + - --providers.kubernetesingress + - --providers.kubernetesingress.allowEmptyServices=true + - --providers.kubernetesingress.ingressendpoint.publishedservice=traefik/traefik + - 
--entryPoints.websecure.http.tls=true + - --entryPoints.websecure.proxyProtocol.trustedIPs=10.5.1.1/32 + - --log.level=INFO + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: docker.io/traefik:v3.3.1 + imagePullPolicy: IfNotPresent + lifecycle: null + livenessProbe: + failureThreshold: 3 + httpGet: + path: /ping + port: 8080 + scheme: HTTP + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + name: traefik + ports: + - containerPort: 9100 + name: metrics + protocol: TCP + - containerPort: 8080 + name: traefik + protocol: TCP + - containerPort: 8000 + name: web + protocol: TCP + - containerPort: 8443 + hostPort: 443 + name: websecure + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /ping + port: 8080 + scheme: HTTP + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + resources: null + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /data + name: data + - mountPath: /tmp + name: tmp + hostNetwork: false + securityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + serviceAccountName: traefik + terminationGracePeriodSeconds: 60 + volumes: + - emptyDir: {} + name: data + - emptyDir: {} + name: tmp +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + labels: + app.kubernetes.io/instance: traefik-traefik + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: traefik + helm.sh/chart: traefik-34.0.0 + name: traefik +spec: + controller: traefik.io/ingress-controller diff --git a/talos/k8s/operators/traefik/kustomization.yaml b/talos/k8s/operators/traefik/kustomization.yaml new file mode 100644 index 0000000..bf09d01 --- /dev/null 
+++ b/talos/k8s/operators/traefik/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: traefik
+resources:
+ - namespace.yaml
+ - bundle.yaml
diff --git a/talos/k8s/operators/traefik/namespace.yaml b/talos/k8s/operators/traefik/namespace.yaml
new file mode 100644
index 0000000..7cd1deb
--- /dev/null
+++ b/talos/k8s/operators/traefik/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: traefik
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
diff --git a/talos/k8s/rook/buckets.yaml b/talos/k8s/rook/buckets.yaml
new file mode 100644
index 0000000..6ae8098
--- /dev/null
+++ b/talos/k8s/rook/buckets.yaml
@@ -0,0 +1,7 @@
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+ name: test-bucket
+spec:
+ bucketName: test-bucket
+ storageClassName: rook-ceph-bucket
diff --git a/talos/k8s/rook/kustomization.yaml b/talos/k8s/rook/kustomization.yaml
new file mode 100644
index 0000000..37d8fa5
--- /dev/null
+++ b/talos/k8s/rook/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: rook-ceph
+resources:
+ - buckets.yaml
+ - s3-pool.yaml
diff --git a/talos/k8s/rook/s3-pool.yaml b/talos/k8s/rook/s3-pool.yaml
new file mode 100644
index 0000000..503ce8c
--- /dev/null
+++ b/talos/k8s/rook/s3-pool.yaml
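Review bot: `pod-security.kubernetes.io/enforce: privileged` switches Pod Security admission off for the whole `traefik` namespace, not just for the one setting that needs it; the rendered Deployment otherwise satisfies `restricted` (runs as 65532 non-root, drops all capabilities, read-only root filesystem, no privilege escalation) and only `hostPort: 443` trips the `baseline` hostPorts check. If the hostPort is what actually receives traffic (the proxy-protocol trusted IP 10.5.1.1 suggests an upstream forwarding straight to node port 443), keep `enforce: privileged` but add `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted` so any future pod in this namespace that genuinely escalates is logged and warned on apply; if it is not, dropping the hostPort in favour of the existing `type: LoadBalancer` Service lets the namespace enforce `baseline` or `restricted`. A one-line comment above the label, `# privileged only because baseline rejects hostPort 443`, would stop the next reader from assuming Traefik needs full privileges.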
@@ -0,0 +1,72 @@
+apiVersion: ceph.rook.io/v1
+kind: CephObjectStore
+metadata:
+ name: muh-buckets
+ namespace: rook-ceph
+spec:
+ metadataPool:
+ failureDomain: osd
+ replicated:
+ size: 3
+ dataPool:
+ failureDomain: osd
+ erasureCoded:
+ dataChunks: 2
+ codingChunks: 1
+ preservePoolsOnDelete: true
+ gateway:
+ port: 80
+ instances: 1
+ annotations:
+ resources:
+ # hosting:
+ # advertiseEndpoint:
+ # dnsName: s3.janky.solutions
+ # port: 443
+ # useTls: true
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: s3.janky.solutions
+ labels:
+ name: s3.janky.solutions
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+spec:
+ tls:
+ - hosts:
+ - s3.janky.solutions
+ - "*.s3.janky.solutions"
+ secretName: s3.janky.solutions
+ rules:
+ - host: s3.janky.solutions
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: rook-ceph-rgw-muh-buckets
+ port:
+ number: 80
+ - host: "*.s3.janky.solutions"
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: rook-ceph-rgw-muh-buckets
+ port:
+ number: 80
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: rook-ceph-bucket
+provisioner: rook-ceph.ceph.rook.io/bucket
+reclaimPolicy: Delete
+parameters:
+ objectStoreName: muh-buckets
+ objectStoreNamespace: rook-ceph
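Review bot: The Ingress for `s3.janky.solutions` carries only the cert-manager annotation, and Traefik's Ingress provider attaches an Ingress to every entrypoint unless a default is configured (the rendered args set no `asDefault`), so the object store is served on the plain-HTTP `web` entrypoint (port 80 on the Traefik LoadBalancer Service) as well as on `websecure`; S3 SigV4 protects the secret key but not object contents, bucket listings or presigned URLs, which then travel in the clear. Add `traefik.ingress.kubernetes.io/router.entrypoints: websecure` under `metadata.annotations` (plus a redirect middleware on `web` if HTTP clients should be steered rather than refused). The hop from Traefik to RGW is also cleartext because the backend is `port: 80`; the commented-out `hosting.advertiseEndpoint` together with `gateway.securePort`/`sslCertificateRef` are the knobs if that matters on this network, and the bare `annotations:` / `resources:` keys under `gateway` parse as `null`, so write `{}` or drop them to say "empty" explicitly. On the StorageClass, `reclaimPolicy: Delete` means deleting an ObjectBucketClaim such as `test-bucket` also deletes the bucket and its objects — fine for tests, but `Retain` is the safer default for any class real workloads will use.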