netbox: init

k8s/kustomization.yaml

@@ -10,6 +10,7 @@ resources:
   - matrix
   - miniflux
   - monitoring
+  - netbox
   - s3staticsites
   - shlink
   - snipeit

k8s/netbox/configs/extra.py

@@ -0,0 +1,23 @@
+# based on https://github.com/netbox-community/netbox-docker/blob/release/configuration/extra.py
+import os
+
+# Remote authentication support
+REMOTE_AUTH_ENABLED = True
+REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
+REMOTE_AUTH_HEADER = 'HTTP_X_FORWARDED_PREFERRED_USERNAME'
+REMOTE_AUTH_USER_FIRST_NAME = 'HTTP_X_FORWARDED_PREFERRED_USERNAME'
+REMOTE_AUTH_USER_LAST_NAME = 'HTTP_REMOTE_USER_LAST_NAME'
+REMOTE_AUTH_USER_EMAIL = 'HTTP_X_FORWARDED_EMAIL'
+REMOTE_AUTH_AUTO_CREATE_USER = True
+REMOTE_AUTH_DEFAULT_GROUPS = []
+REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
+
+# S3 storage
+STORAGE_BACKEND = 'storages.backends.s3boto3.S3Boto3Storage'
+STORAGE_CONFIG = {
+    'AWS_ACCESS_KEY_ID': os.getenv("AWS_ACCESS_KEY_ID"),
+    'AWS_SECRET_ACCESS_KEY': os.getenv("AWS_SECRET_ACCESS_KEY"),
+    'AWS_STORAGE_BUCKET_NAME': 'netbox',
+    'AWS_S3_REGION_NAME': 'us-sea-1',
+    'AWS_S3_ENDPOINT_URL': 'https://storage.home.finn.io'
+}

k8s/netbox/database.yaml

@@ -0,0 +1,20 @@
+apiVersion: "acid.zalan.do/v1"
+kind: postgresql
+metadata:
+  name: netbox-database
+spec:
+  teamId: netbox
+  volume:
+    size: 10Gi
+  numberOfInstances: 2
+  users:
+    superuser:
+    - superuser
+    - createdb
+    netbox: []
+  databases:
+    netbox: netbox
+  preparedDatabases:
+    netbox: {}
+  postgresql:
+    version: "16"

k8s/netbox/ingress.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: netbox
+  labels:
+    name: netbox
+  annotations:
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-traefik-forward-auth@kubernetescrd
+spec:
+  rules:
+  - host: netbox.k8s.home.finn.io
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: netbox
+            port: 
+              number: 8080

k8s/netbox/kustomization.yaml

@@ -0,0 +1,31 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - database.yaml
+  - ingress.yaml
+  - netbox.yaml
+  - redis.yaml
+  - secret-store.yaml
+configMapGenerator:
+  - name: netbox
+    literals:
+      - CORS_ORIGIN_ALLOW_ALL=True
+      - DB_HOST=netbox-database
+      - DB_NAME=netbox
+      - EMAIL_PORT=456
+      - EMAIL_SERVER=mx1.janky.email
+      - EMAIL_TIMEOUT=5
+      - EMAIL_USE_TLS=true
+      - GRAPHQL_ENABLED=true
+      - HOUSEKEEPING_INTERVAL=86400
+      - METRICS_ENABLED=false
+      - REDIS_CACHE_DATABASE=1
+      - REDIS_CACHE_HOST=valkey
+      - REDIS_DATABASE=0
+      - REDIS_HOST=valkey
+      - SKIP_SUPERUSER=true
+      - WEBHOOKS_ENABLED=true
+  - name: netbox-configs
+    files:
+      - configs/extra.py

k8s/netbox/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: netbox

k8s/netbox/netbox.yaml

@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: netbox
+spec:
+  selector:
+    matchLabels:
+      app: netbox
+  template:
+    metadata:
+      labels:
+        app: netbox
+    spec:
+      containers:
+      - name: netbox
+        image: ghcr.io/netbox-community/netbox:v4.1.8-3.0.2
+        envFrom:
+          - secretRef:
+              name: netbox
+          - configMapRef:
+              name: netbox
+        env:
+          - name: DB_USER
+            valueFrom:
+              secretKeyRef:
+                name: netbox.netbox-database.credentials.postgresql.acid.zalan.do
+                key: username
+          - name: DB_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: netbox.netbox-database.credentials.postgresql.acid.zalan.do
+                key: password
+        volumeMounts:
+          - name: netbox-configs
+            mountPath: /etc/netbox/config/extras
+        resources:
+          limits:
+            memory: "128Mi"
+            cpu: "500m"
+        ports:
+        - containerPort: 8080
+      volumes:
+      - name: netbox-configs
+        configMap:
+          name: netbox-configs
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: netbox
+spec:
+  selector:
+    app: netbox
+  ports:
+  - port: 8080
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: netbox
+spec:
+  secretStoreRef:
+    kind: SecretStore
+    name: openbao
+  target:
+    name: netbox
+    creationPolicy: Owner
+  dataFrom:
+    - extract:
+        key: netbox/default/netbox

k8s/netbox/redis.yaml

@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: valkey
+spec:
+  selector:
+    matchLabels:
+      app: valkey
+  serviceName: valkey
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: valkey
+    spec:
+      containers:
+      - name: valkey
+        image: docker.io/valkey/valkey:8.0.1
+        ports:
+        - containerPort: 6379
+        volumeMounts:
+        - name: data
+          mountPath: /data
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes: [ "ReadWriteOnce" ]
+      resources:
+        requests:
+          storage: 1Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: valkey
+spec:
+  selector:
+    app: valkey
+  ports:
+  - port: 6379

k8s/netbox/secret-store.yaml

@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: openbao
+spec:
+  provider:
+    vault:
+      server: http://openbao.openbao:8200
+      path: static-secrets
+      version: v2
+      auth:
+        kubernetes:
+          mountPath: kubernetes
+          role: kubernetes-default
+          serviceAccountRef:
+            name: default