Update k8s manifests

.sops.yaml

@@ -0,0 +1,4 @@
+creation_rules:
+  - path_regex: '.*secret.*\.yaml$'
+    encrypted_regex: '^(data|stringData)$'
+    age: 'age1y5rw08wm2s2hemapzf43c0l4xass7fhc55qh3n4cxtuxzrj8q3cqtydy7m'

k8s/apps/gitea/ingress.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gitea
+  namespace: gitea
+  annotations:
+    cert-manager.io/cluster-issuer: "n0ball-tw-issuer"
+spec:
+  ingressClassName: traefik
+  tls:
+    - secretName: gitea-tls
+      hosts: ["gitea.n0ball.tw"]
+  rules:
+    - host: gitea.n0ball.tw
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: gitea-external
+                port:
+                  number: 3000

k8s/apps/gitea/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - service-external.yaml
+  - ingress.yaml

k8s/apps/gitea/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitea

k8s/apps/gitea/service-external.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: gitea-external
+  namespace: gitea
+subsets:
+  - addresses:
+      - ip: 192.168.51.203
+    ports:
+      - port: 3000
+        protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-external
+  namespace: gitea
+spec:
+  ports:
+    - port: 3000
+      targetPort: 3000
+      protocol: TCP

k8s/apps/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - gitea/
+  - vaultwarden/
+  - pkg-repo/

k8s/apps/pkg-repo/deployment.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pkg-repo-pvc
+  namespace: pkg-repo
+spec:
+  storageClassName: longhorn
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 100Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pkg-repo
+  namespace: pkg-repo
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pkg-repo
+  template:
+    metadata:
+      labels:
+        app: pkg-repo
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:stable
+          ports:
+            - containerPort: 80
+          volumeMounts:
+            - name: repo-data
+              mountPath: /usr/share/nginx/html
+      volumes:
+        - name: repo-data
+          persistentVolumeClaim:
+            claimName: pkg-repo-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pkg-repo
+  namespace: pkg-repo
+spec:
+  selector:
+    app: pkg-repo
+  ports:
+    - port: 80
+      targetPort: 80

k8s/apps/pkg-repo/ingress.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: pkg-repo
+  namespace: pkg-repo
+  annotations:
+    cert-manager.io/cluster-issuer: "n0ball-tw-issuer"
+spec:
+  ingressClassName: traefik
+  tls:
+    - secretName: pkg-repo-tls
+      hosts: ["repo.n0ball.tw"]
+  rules:
+    - host: repo.n0ball.tw
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: pkg-repo
+                port:
+                  number: 80

k8s/apps/pkg-repo/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - deployment.yaml
+  - ingress.yaml

k8s/apps/pkg-repo/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: pkg-repo

k8s/apps/vaultwarden/helmrelease.yaml

@@ -0,0 +1,26 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: vaultwarden
+  namespace: vaultwarden
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: vaultwarden
+      sourceRef:
+        kind: HelmRepository
+        name: vaultwarden
+        namespace: flux-system
+  values:
+    domain: https://vault.n0ball.tw
+    database:
+      type: postgresql
+      existingSecret: vaultwarden-db-secret
+      existingSecretKey: DATABASE_URL
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: "n0ball-tw-issuer"
+      hostname: vault.n0ball.tw
+      tls: true

k8s/apps/vaultwarden/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - helmrelease.yaml

k8s/apps/vaultwarden/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vaultwarden

k8s/flux/gotk-sync.yaml

@@ -0,0 +1,69 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  interval: 5m
+  url: https://gitea.n0ball.tw/admin/infra.git
+  ref:
+    branch: main
+  secretRef:
+    name: flux-system
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infrastructure
+  namespace: flux-system
+spec:
+  interval: 5m
+  path: ./k8s/infrastructure
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: pg-init
+  namespace: flux-system
+spec:
+  interval: 5m
+  path: ./k8s/pg-init
+  prune: true
+  dependsOn:
+    - name: infrastructure
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: apps
+  namespace: flux-system
+spec:
+  interval: 5m
+  path: ./k8s/apps
+  prune: true
+  dependsOn:
+    - name: infrastructure
+    - name: pg-init
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age

k8s/infrastructure/cert-manager/clusterissuer.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: n0ball-tw-issuer
+spec:
+  acme:
+    server: https://acme-v2.api.letsencrypt.org/directory
+    email: admin@n0ball.tw
+    privateKeySecretRef:
+      name: letsencrypt-account-key
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-api-token
+              key: api-token
+        selector:
+          dnsZones:
+            - "n0ball.tw"

k8s/infrastructure/cert-manager/helmrelease.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: cert-manager
+      version: "1.*"
+      sourceRef:
+        kind: HelmRepository
+        name: jetstack
+        namespace: flux-system
+  values:
+    installCRDs: true

k8s/infrastructure/cert-manager/wildcard-cert.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: n0ball-tw-wildcard
+  namespace: kube-system
+spec:
+  secretName: n0ball-tw-tls
+  issuerRef:
+    name: n0ball-tw-issuer
+    kind: ClusterIssuer
+  dnsNames:
+    - "*.n0ball.tw"
+    - "n0ball.tw"

k8s/infrastructure/helmrepositories.yaml

@@ -0,0 +1,63 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: longhorn
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://charts.longhorn.io
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: jetstack
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://charts.jetstack.io
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: bitnami
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://charts.bitnami.com/bitnami
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: prometheus-community
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://prometheus-community.github.io/helm-charts
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: grafana
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://grafana.github.io/helm-charts
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: openldap
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://jp-gouin.github.io/helm-openldap/
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: vaultwarden
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://guerzon.github.io/vaultwarden

k8s/infrastructure/keycloak/helmrelease.yaml

@@ -0,0 +1,41 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keycloak
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: keycloak
+  namespace: keycloak
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: keycloak
+      version: "21.*"
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami
+        namespace: flux-system
+  values:
+    replicaCount: 3
+    auth:
+      existingSecret: keycloak-admin-secret
+    postgresql:
+      enabled: false
+    externalDatabase:
+      host: pgbouncer.internal
+      port: 6432
+      database: keycloak
+      existingSecret: keycloak-db-secret
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: "n0ball-tw-issuer"
+      hostname: keycloak.n0ball.tw
+      tls: true
+    extraEnvVars:
+      - name: KC_PROXY
+        value: edge

k8s/infrastructure/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helmrepositories.yaml
+  - longhorn/helmrelease.yaml
+  - cert-manager/helmrelease.yaml
+  - cert-manager/clusterissuer.yaml
+  - cert-manager/wildcard-cert.yaml
+  - observability/kustomization.yaml
+  - openldap/helmrelease.yaml
+  - keycloak/helmrelease.yaml

k8s/infrastructure/longhorn/helmrelease.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: longhorn-system
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: longhorn
+  namespace: longhorn-system
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: longhorn
+      version: "1.6.*"
+      sourceRef:
+        kind: HelmRepository
+        name: longhorn
+        namespace: flux-system
+  values:
+    defaultSettings:
+      defaultReplicaCount: 3
+      storageMinimalAvailablePercentage: 10
+    persistence:
+      defaultClass: true

k8s/infrastructure/observability/kube-prometheus-stack.yaml

@@ -0,0 +1,57 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: kube-prometheus-stack
+  namespace: observability
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: kube-prometheus-stack
+      version: "65.*"
+      sourceRef:
+        kind: HelmRepository
+        name: prometheus-community
+        namespace: flux-system
+  values:
+    prometheus:
+      prometheusSpec:
+        retention: 15d
+        storageSpec:
+          volumeClaimTemplate:
+            spec:
+              storageClassName: longhorn
+              accessModes: ["ReadWriteOnce"]
+              resources:
+                requests:
+                  storage: 20Gi
+        additionalScrapeConfigs:
+          - job_name: "vm-node-exporter"
+            static_configs:
+              - targets:
+                  - "192.168.51.201:9100"
+                  - "192.168.100.201:9100"
+                  - "192.168.52.201:9100"
+                  - "192.168.51.203:9100"
+                  - "192.168.51.202:9100"
+    grafana:
+      adminPassword:
+        existingSecret: grafana-admin-secret
+      ingress:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: "n0ball-tw-issuer"
+        hosts: ["grafana.n0ball.tw"]
+        tls:
+          - secretName: grafana-tls
+            hosts: ["grafana.n0ball.tw"]
+    alertmanager:
+      alertmanagerSpec:
+        storage:
+          volumeClaimTemplate:
+            spec:
+              storageClassName: longhorn
+              accessModes: ["ReadWriteOnce"]
+              resources:
+                requests:
+                  storage: 2Gi

k8s/infrastructure/observability/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - kube-prometheus-stack.yaml
+  - loki.yaml
+  - promtail.yaml

k8s/infrastructure/observability/loki.yaml

@@ -0,0 +1,30 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: loki
+  namespace: observability
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: loki
+      version: "6.*"
+      sourceRef:
+        kind: HelmRepository
+        name: grafana
+        namespace: flux-system
+  values:
+    deploymentMode: SingleBinary
+    loki:
+      commonConfig:
+        replication_factor: 1
+      storage:
+        type: filesystem
+      limits_config:
+        retention_period: 14d
+    singleBinary:
+      replicas: 1
+      persistence:
+        enabled: true
+        storageClass: longhorn
+        size: 20Gi

k8s/infrastructure/observability/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: observability

k8s/infrastructure/observability/promtail.yaml

@@ -0,0 +1,19 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: promtail
+  namespace: observability
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: promtail
+      version: "6.*"
+      sourceRef:
+        kind: HelmRepository
+        name: grafana
+        namespace: flux-system
+  values:
+    config:
+      clients:
+        - url: http://loki.observability.svc.cluster.local:3100/loki/api/v1/push

k8s/infrastructure/openldap/helmrelease.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openldap
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: openldap
+  namespace: openldap
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: openldap-stack-ha
+      version: "4.*"
+      sourceRef:
+        kind: HelmRepository
+        name: openldap
+        namespace: flux-system
+  values:
+    global:
+      ldapDomain: n0ball.tw
+      existingSecret: openldap-admin-secret
+    replicaCount: 3
+    persistence:
+      enabled: true
+      storageClass: longhorn
+      size: 10Gi
+    ltb-passwd:
+      enabled: false

k8s/pg-init/keycloak-db.yaml

@@ -0,0 +1,38 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: keycloak-db-init
+  namespace: pg-init
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: db-init
+          image: postgres:17
+          env:
+            - name: PGHOST
+              value: pgbouncer.internal
+            - name: PGPORT
+              value: "6432"
+            - name: PGUSER
+              value: pginit
+            - name: PGPASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: pg-init-secret
+                  key: password
+            - name: KC_DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-db-bootstrap-secret
+                  key: password
+          command:
+            - bash
+            - -c
+            - |
+              psql -c "CREATE DATABASE keycloak;" || true
+              psql -c "CREATE USER keycloak WITH PASSWORD '${KC_DB_PASSWORD}';" || true
+              psql -c "GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;" || true
+              psql -d keycloak -c "GRANT ALL ON SCHEMA public TO keycloak;" || true

k8s/pg-init/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - keycloak-db.yaml
+  - vaultwarden-db.yaml

k8s/pg-init/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: pg-init

k8s/pg-init/vaultwarden-db.yaml

@@ -0,0 +1,38 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: vaultwarden-db-init
+  namespace: pg-init
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: db-init
+          image: postgres:17
+          env:
+            - name: PGHOST
+              value: pgbouncer.internal
+            - name: PGPORT
+              value: "6432"
+            - name: PGUSER
+              value: pginit
+            - name: PGPASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: pg-init-secret
+                  key: password
+            - name: VW_DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: vaultwarden-db-bootstrap-secret
+                  key: password
+          command:
+            - bash
+            - -c
+            - |
+              psql -c "CREATE DATABASE vaultwarden;" || true
+              psql -c "CREATE USER vaultwarden WITH PASSWORD '${VW_DB_PASSWORD}';" || true
+              psql -c "GRANT ALL PRIVILEGES ON DATABASE vaultwarden TO vaultwarden;" || true
+              psql -d vaultwarden -c "GRANT ALL ON SCHEMA public TO vaultwarden;" || true