proxmox: first attempt to move to ingressroute

traefik: Bump version
traefik: Pull resources only from trusted namespaces
2022-11-04 11:39:36 +02:00 · 2022-10-21 08:30:04 +03:00 · 2022-10-21 08:27:53 +03:00 · 2022-10-21 00:57:11 +03:00 · 2022-10-21 00:56:54 +03:00 · 2022-10-14 20:18:28 +03:00
36 changed files with 12926 additions and 388 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,7 @@
 *.swp
 *.save
 *.1
+
+### IntelliJ IDEA ###
+.idea
+*.iml
--- a/README.md
+++ b/README.md
@@ -23,6 +23,7 @@ Most endpoints are protected by OIDC autentication or Authelia SSO middleware.

 General discussion is happening in the `#kube` Slack channel.

+<details><summary>Bootstrapping access</summary>
 For bootstrap access obtain `/etc/kubernetes/admin.conf` from one of the master
 nodes and place it under `~/.kube/config` on your machine.

@@ -46,9 +47,9 @@ EOF
 sudo systemctl daemon-reload
 systemctl restart kubelet
 ```
+</details>

-Afterwards following can be used to talk to the Kubernetes cluster using
-OIDC credentials:
+The following can be used to talk to the Kubernetes cluster using OIDC credentials:

 ```bash
 kubectl krew install oidc-login
@@ -89,6 +90,16 @@ EOF

 For access control mapping see [cluster-role-bindings.yml](cluster-role-bindings.yml)

+### systemd-resolved issues on access
+```sh
+Unable to connect to the server: dial tcp: lookup master.kube.k-space.ee on 127.0.0.53:53: no such host
+```
+```
+Network → VPN → `IPv4` → Other nameservers (Muud nimeserverid): `172.21.0.1`
+Network → VPN → `IPv6` → Other nameservers (Muud nimeserverid): `2001:bb8:4008:21::1`
+Network → VPN → `IPv4` → Search domains (Otsingudomeenid): `kube.k-space.ee`
+Network → VPN → `IPv6` → Search domains (Otsingudomeenid): `kube.k-space.ee`
+```

 # Technology mapping

--- a/argocd/applications/grafana.yml
+++ b/argocd/applications/grafana.yml
@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: grafana
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: grafana
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: grafana
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/values.yaml
+++ b/argocd/values.yaml
@@ -16,7 +16,6 @@ server:
  ingress:
    enabled: true
    annotations:
-      cert-manager.io/cluster-issuer: default
      external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      traefik.ingress.kubernetes.io/router.tls: "true"
@@ -24,8 +23,7 @@ server:
    - argocd.k-space.ee
    tls:
     - hosts:
-       - argocd.k-space.ee
-       secretName: argocd-server-tls
+       - "*.k-space.ee"
  configEnabled: true
  config:
    admin.enabled: "false"
--- a/authelia/README.md
+++ b/authelia/README.md
@@ -162,8 +162,8 @@ kubectl -n argocd create secret generic argocd-secret \
      kubectl get secret -n authelia oidc-secrets -o json \
        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
        | jq '.identity_providers.oidc.clients[] | select(.id == "argocd") | .secret' -r)
-kubectl -n monitoring delete secret oidc-secret
-kubectl -n monitoring create secret generic oidc-secret \
+kubectl -n grafana delete secret oidc-secret
+kubectl -n grafana create secret generic oidc-secret \
    --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$( \
      kubectl get secret -n authelia oidc-secrets -o json \
        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
--- a/authelia/application.yml
+++ b/authelia/application.yml
@@ -295,7 +295,6 @@ metadata:
  labels:
    app.kubernetes.io/name: authelia
  annotations:
-    cert-manager.io/cluster-issuer: default
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    kubernetes.io/tls-acme: "true"
    traefik.ingress.kubernetes.io/router.entryPoints: websecure
@@ -315,8 +314,7 @@ spec:
                  number: 80
  tls:
    - hosts:
-        - auth.k-space.ee
-      secretName: authelia-tls
+        - "*.k-space.ee"
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
--- a/camtiler/application.yml
+++ b/camtiler/application.yml
@@ -182,12 +182,6 @@ metadata:
  annotations:
    kubernetes.io/ingress.class: traefik

-    # Following specifies the certificate issuer defined in
-    # ../cert-manager/issuer.yml
-    # This is where the HTTPS certificates for the
-    # `tls:` section below are obtained from
-    cert-manager.io/cluster-issuer: default
-
    # This tells Traefik this Ingress object is associated with the
    # https:// entrypoint
    # Global http:// to https:// redirect is enabled in
@@ -234,8 +228,7 @@ spec:
                  number: 3003
  tls:
    - hosts:
-        - cams.k-space.ee
-      secretName: camtiler-tls
+        - "*.k-space.ee"
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -371,7 +364,6 @@ metadata:
  name: minio
  annotations:
    kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
@@ -389,8 +381,7 @@ spec:
                  number: 80
  tls:
    - hosts:
-        - cams-s3.k-space.ee
-      secretName: cams-s3-tls
+        - "*.k-space.ee"
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
--- a/drone/README.md
+++ b/drone/README.md
@@ -77,14 +77,11 @@ steps:
  - echo "ENV GIT_COMMIT_TIMESTAMP=$(git log -1 --format=%cd --date=iso-strict)" >> Dockerfile
  - cat Dockerfile
 - name: docker
-  image: plugins/docker
+  image: harbor.k-space.ee/k-space/drone-kaniko
  settings:
-    repo: harbor.k-space.ee/${DRONE_REPO}
+    repo: ${DRONE_REPO}
    tags: latest-arm64
    registry: harbor.k-space.ee
-    squash: true
-    experimental: true
-    mtu: 1300
    username:
      from_secret: docker_username
    password:
@@ -109,14 +106,11 @@ steps:
  - echo "ENV GIT_COMMIT_TIMESTAMP=$(git log -1 --format=%cd --date=iso-strict)" >> Dockerfile
  - cat Dockerfile
 - name: docker
-  image: plugins/docker
+  image: harbor.k-space.ee/k-space/drone-kaniko
  settings:
-    repo: harbor.k-space.ee/${DRONE_REPO}
+    repo: ${DRONE_REPO}
    tags: latest-amd64
    registry: harbor.k-space.ee
-    squash: true
-    experimental: true
-    mtu: 1300
    storage_driver: vfs
    username:
      from_secret: docker_username
@@ -130,8 +124,8 @@ steps:
 - name: manifest
  image: plugins/manifest
  settings:
-    target: harbor.k-space.ee/${DRONE_REPO}:latest
-    template: harbor.k-space.ee/${DRONE_REPO}:latest-ARCH
+    target: ${DRONE_REPO}:latest
+    template: ${DRONE_REPO}:latest-ARCH
    platforms:
      - linux/amd64
      - linux/arm64
--- a/drone/application.yml
+++ b/drone/application.yml
@@ -83,7 +83,6 @@ kind: Ingress
 metadata:
  name: drone
  annotations:
-    cert-manager.io/cluster-issuer: default
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -91,8 +90,7 @@ metadata:
 spec:
  tls:
    - hosts:
-        - "drone.k-space.ee"
-      secretName: drone-tls
+        - "*.k-space.ee"
  rules:
    - host: "drone.k-space.ee"
      http:
--- a/elastic-system/application.yml
+++ b/elastic-system/application.yml
@@ -5,11 +5,9 @@ metadata:
  name: filebeat
 spec:
  type: filebeat
-  version: 8.4.1
+  version: 8.4.3
  elasticsearchRef:
    name: elasticsearch
-  kibanaRef:
-    name: kibana
  config:
    logging:
      level: warning
@@ -29,6 +27,9 @@ spec:
              - /var/log/containers/*${data.kubernetes.container.id}.log
  daemonSet:
    podTemplate:
+      metadata:
+        annotations:
+          co.elastic.logs/enabled: 'false'
      spec:
        serviceAccountName: filebeat
        automountServiceAccountToken: true
@@ -85,11 +86,9 @@ metadata:
  name: filebeat-syslog
 spec:
  type: filebeat
-  version: 8.4.1
+  version: 8.4.3
  elasticsearchRef:
    name: elasticsearch
-  kibanaRef:
-    name: kibana
  config:
    logging:
      level: warning
@@ -109,6 +108,9 @@ spec:
  deployment:
    replicas: 2
    podTemplate:
+      metadata:
+        annotations:
+          co.elastic.logs/enabled: 'false'
      spec:
        terminationGracePeriodSeconds: 30
        containers:
@@ -216,7 +218,7 @@ kind: Elasticsearch
 metadata:
  name: elasticsearch
 spec:
-  version: 8.4.1
+  version: 8.4.3
  nodeSets:
  - name: default
    count: 1
@@ -240,7 +242,7 @@ kind: Kibana
 metadata:
  name: kibana
 spec:
-  version: 8.4.1
+  version: 8.4.3
  count: 1
  elasticsearchRef:
    name: elasticsearch
@@ -263,6 +265,9 @@ spec:
    - key: elastic
      path: xpack.security.authc.providers.anonymous.anonymous1.credentials.password
  podTemplate:
+    metadata:
+      annotations:
+        co.elastic.logs/enabled: 'false'
    spec:
      containers:
        - name: kibana
@@ -283,7 +288,6 @@ metadata:
  name: kibana
  annotations:
    kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
    traefik.ingress.kubernetes.io/router.tls: "true"
@@ -302,8 +306,7 @@ spec:
              number: 5601
  tls:
  - hosts:
-    - kibana.k-space.ee
-    secretName: kibana-tls
+    - "*.k-space.ee"
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
--- a/etherpad/application.yml
+++ b/etherpad/application.yml
@@ -79,7 +79,6 @@ metadata:
  namespace: etherpad
  annotations:
    kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
@@ -97,8 +96,7 @@ spec:
              number: 9001
  tls:
  - hosts:
-    - pad.k-space.ee
-    secretName: pad-tls
+    - "*.k-space.ee"
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
--- a/grafana/README.md
+++ b/grafana/README.md
@@ -0,0 +1,19 @@
+# Grafana
+
+```
+kubectl create namespace grafana
+kubectl apply -n grafana -f application.yml
+```
+
+## OIDC secret
+
+See Authelia README on provisioning and updating OIDC secrets for Grafana
+
+## Grafana post deployment steps
+
+* Configure Prometheus datasource with URL set to
+  `http://prometheus-operated.prometheus-operator.svc.cluster.local:9090`
+* Configure Elasticsearch datasource with URL set to
+  `http://elasticsearch.elastic-system.svc.cluster.local`,
+  Time field name set to `timestamp` and
+  ElasticSearch version set to `7.10+`
--- a/grafana/application.yml
+++ b/grafana/application.yml
@@ -0,0 +1,135 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-config
+data:
+  grafana.ini: |
+    [log]
+    level = warn
+    [server]
+    domain = grafana.k-space.ee
+    root_url = https://%(domain)s/
+    [auth.generic_oauth]
+    name = OAuth
+    icon = signin
+    enabled = true
+    client_id = grafana
+    scopes = openid profile email groups
+    empty_scopes = false
+    auth_url = https://auth.k-space.ee/api/oidc/authorize
+    token_url = https://auth.k-space.ee/api/oidc/token
+    api_url = https://auth.k-space.ee/api/oidc/userinfo
+    allow_sign_up = true
+    role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || 'Viewer'
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app: grafana
+  name: grafana
+spec:
+  revisionHistoryLimit: 0
+  serviceName: grafana
+  selector:
+    matchLabels:
+      app: grafana
+  template:
+    metadata:
+      labels:
+        app: grafana
+    spec:
+      securityContext:
+        fsGroup: 472
+      containers:
+        - name: grafana
+          image: grafana/grafana:8.5.0
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 472
+          envFrom:
+            - secretRef:
+                name: oidc-secret
+          ports:
+            - containerPort: 3000
+              name: http-grafana
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /robots.txt
+              port: 3000
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 30
+            successThreshold: 1
+            timeoutSeconds: 2
+          livenessProbe:
+            failureThreshold: 3
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: 3000
+            timeoutSeconds: 1
+          resources:
+            requests:
+              cpu: 250m
+              memory: 750Mi
+          volumeMounts:
+            - mountPath: /var/lib/grafana
+              name: grafana-data
+            - mountPath: /etc/grafana
+              name: grafana-config
+      volumes:
+        - name: grafana-config
+          configMap:
+            name: grafana-config
+  volumeClaimTemplates:
+    - metadata:
+        name: grafana-data
+      spec:
+        storageClassName: longhorn
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: grafana
+spec:
+  ports:
+    - port: 80
+      protocol: TCP
+      targetPort: http-grafana
+  selector:
+    app: grafana
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grafana
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+spec:
+  rules:
+  - host: grafana.k-space.ee
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: grafana
+            port:
+              number: 80
+  tls:
+  - hosts:
+    - "*.k-space.ee"
--- a/harbor/application.yml
+++ b/harbor/application.yml
@@ -397,7 +397,6 @@ spec:
      containers:
      - name: core
        image: goharbor/harbor-core:v2.4.2
-        imagePullPolicy: IfNotPresent
        startupProbe:
          httpGet:
            path: /api/v2.0/ping
@@ -406,16 +405,9 @@ spec:
          failureThreshold: 360
          initialDelaySeconds: 10
          periodSeconds: 10
-        livenessProbe:
-          httpGet:
-            path: /api/v2.0/ping
-            scheme: HTTP
-            port: 8080
-          failureThreshold: 2
-          periodSeconds: 10
        readinessProbe:
          httpGet:
-            path: /api/v2.0/ping
+            path: /api/v2.0/projects
            scheme: HTTP
            port: 8080
          failureThreshold: 2
@@ -472,6 +464,13 @@ spec:
        secret:
      - name: psc
        emptyDir: {}
+      nodeSelector:
+        dedicated: storage
+      tolerations:
+      - key: dedicated
+        operator: Equal
+        value: storage
+        effect: NoSchedule
 ---
 # Source: harbor/templates/jobservice/jobservice-dpl.yaml
 apiVersion: apps/v1
@@ -502,14 +501,6 @@ spec:
      containers:
      - name: jobservice
        image: goharbor/harbor-jobservice:v2.4.2
-        imagePullPolicy: IfNotPresent
-        livenessProbe:
-          httpGet:
-            path: /api/v1/stats
-            scheme: HTTP
-            port: 8080
-          initialDelaySeconds: 300
-          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /api/v1/stats
@@ -544,6 +535,13 @@ spec:
      - name: job-logs
        persistentVolumeClaim:
          claimName: harbor-jobservice
+      nodeSelector:
+        dedicated: storage
+      tolerations:
+      - key: dedicated
+        operator: Equal
+        value: storage
+        effect: NoSchedule
 ---
 # Source: harbor/templates/portal/deployment.yaml
 apiVersion: apps/v1
@@ -574,14 +572,6 @@ spec:
      containers:
      - name: portal
        image: goharbor/harbor-portal:v2.4.2
-        imagePullPolicy: IfNotPresent
-        livenessProbe:
-          httpGet:
-            path: /
-            scheme: HTTP
-            port: 8080
-          initialDelaySeconds: 300
-          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /
@@ -599,6 +589,13 @@ spec:
      - name: portal-config
        configMap:
          name: "harbor-portal"
+      nodeSelector:
+        dedicated: storage
+      tolerations:
+      - key: dedicated
+        operator: Equal
+        value: storage
+        effect: NoSchedule
 ---
 # Source: harbor/templates/registry/registry-dpl.yaml
 apiVersion: apps/v1
@@ -629,14 +626,6 @@ spec:
      containers:
      - name: registry
        image: goharbor/registry-photon:v2.4.2
-        imagePullPolicy: IfNotPresent
-        livenessProbe:
-          httpGet:
-            path: /
-            scheme: HTTP
-            port: 5000
-          initialDelaySeconds: 300
-          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /
@@ -664,14 +653,6 @@ spec:
          subPath: config.yml
      - name: registryctl
        image: goharbor/harbor-registryctl:v2.4.2
-        imagePullPolicy: IfNotPresent
-        livenessProbe:
-          httpGet:
-            path: /api/health
-            scheme: HTTP
-            port: 8080
-          initialDelaySeconds: 300
-          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /api/health
@@ -722,6 +703,13 @@ spec:
      - name: registry-data
        persistentVolumeClaim:
          claimName: harbor-registry
+      nodeSelector:
+        dedicated: storage
+      tolerations:
+      - key: dedicated
+        operator: Equal
+        value: storage
+        effect: NoSchedule
 ---
 # Source: harbor/templates/database/database-ss.yaml
 apiVersion: apps/v1
@@ -756,7 +744,6 @@ spec:
      # we may remove it after several releases
      - name: "data-migrator"
        image: goharbor/harbor-db:v2.4.2
-        imagePullPolicy: IfNotPresent
        command: ["/bin/sh"]
        args: ["-c", "[ -e /var/lib/postgresql/data/postgresql.conf ] && [ ! -d /var/lib/postgresql/data/pgdata ] && mkdir -m 0700 /var/lib/postgresql/data/pgdata && mv /var/lib/postgresql/data/* /var/lib/postgresql/data/pgdata/ || true"]
        volumeMounts:
@@ -769,7 +756,6 @@ spec:
      # as "fsGroup" applied before the init container running, the container has enough permission to execute the command
      - name: "data-permissions-ensurer"
        image: goharbor/harbor-db:v2.4.2
-        imagePullPolicy: IfNotPresent
        command: ["/bin/sh"]
        args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"]
        volumeMounts:
@@ -779,13 +765,6 @@ spec:
      containers:
      - name: database
        image: goharbor/harbor-db:v2.4.2
-        imagePullPolicy: IfNotPresent
-        livenessProbe:
-          exec:
-            command:
-            - /docker-healthcheck.sh
-          initialDelaySeconds: 300
-          periodSeconds: 10
        readinessProbe:
          exec:
            command:
@@ -811,6 +790,13 @@ spec:
        emptyDir:
          medium: Memory
          sizeLimit: 512Mi
+      nodeSelector:
+        dedicated: storage
+      tolerations:
+      - key: dedicated
+        operator: Equal
+        value: storage
+        effect: NoSchedule
  volumeClaimTemplates:
  - metadata:
      name: "database-data"
@@ -853,12 +839,6 @@ spec:
      containers:
      - name: redis
        image: goharbor/redis-photon:v2.4.2
-        imagePullPolicy: IfNotPresent
-        livenessProbe:
-          tcpSocket:
-            port: 6379
-          initialDelaySeconds: 300
-          periodSeconds: 10
        readinessProbe:
          tcpSocket:
            port: 6379
@@ -868,6 +848,13 @@ spec:
        - name: data
          mountPath: /var/lib/redis
          subPath: 
+      nodeSelector:
+        dedicated: storage
+      tolerations:
+      - key: dedicated
+        operator: Equal
+        value: storage
+        effect: NoSchedule
  volumeClaimTemplates:
  - metadata:
      name: data
@@ -970,15 +957,6 @@ spec:
            mountPath: /home/scanner/.cache
            subPath: 
            readOnly: false
-          livenessProbe:
-            httpGet:
-              scheme: HTTP
-              path: /probe/healthy
-              port: api-server
-            initialDelaySeconds: 5
-            periodSeconds: 10
-            successThreshold: 1
-            failureThreshold: 10
          readinessProbe:
            httpGet:
              scheme: HTTP
@@ -995,6 +973,13 @@ spec:
            requests:
              cpu: 200m
              memory: 512Mi
+      nodeSelector:
+        dedicated: storage
+      tolerations:
+      - key: dedicated
+        operator: Equal
+        value: storage
+        effect: NoSchedule
  volumeClaimTemplates:
  - metadata:
      name: data
@@ -1016,7 +1001,6 @@ metadata:
  labels:
    app: harbor
  annotations:
-    cert-manager.io/cluster-issuer: default
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    ingress.kubernetes.io/proxy-body-size: "0"
    ingress.kubernetes.io/ssl-redirect: "true"
@@ -1027,9 +1011,8 @@ metadata:
    traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
  tls:
-  - secretName: harbor-tls
-    hosts:
-    - harbor.k-space.ee
+  - hosts:
+    - "*.k-space.ee"
  rules:
  - http:
      paths:
--- a/kube-system/metrics-server.yml
+++ b/kube-system/metrics-server.yml
@@ -0,0 +1,197 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: metrics-server
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: system:aggregated-metrics-reader
+rules:
+- apiGroups:
+  - metrics.k8s.io
+  resources:
+  - pods
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: system:metrics-server
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes/metrics
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server-auth-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: system:metrics-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:metrics-server
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server
+  namespace: kube-system
+spec:
+  ports:
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    k8s-app: metrics-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      k8s-app: metrics-server
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+  template:
+    metadata:
+      labels:
+        k8s-app: metrics-server
+    spec:
+      containers:
+      - args:
+        - --cert-dir=/tmp
+        - --secure-port=4443
+        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+        - --kubelet-use-node-status-port
+        - --kubelet-insecure-tls
+        - --metric-resolution=15s
+        image: k8s.gcr.io/metrics-server/metrics-server:v0.6.1
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /livez
+            port: https
+            scheme: HTTPS
+          periodSeconds: 10
+        name: metrics-server
+        ports:
+        - containerPort: 4443
+          name: https
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /readyz
+            port: https
+            scheme: HTTPS
+          initialDelaySeconds: 20
+          periodSeconds: 10
+        resources:
+          requests:
+            cpu: 100m
+            memory: 200Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 1000
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmp-dir
+      nodeSelector:
+        kubernetes.io/os: linux
+      priorityClassName: system-cluster-critical
+      serviceAccountName: metrics-server
+      volumes:
+      - emptyDir: {}
+        name: tmp-dir
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: v1beta1.metrics.k8s.io
+spec:
+  group: metrics.k8s.io
+  groupPriorityMinimum: 100
+  insecureSkipTLSVerify: true
+  service:
+    name: metrics-server
+    namespace: kube-system
+  version: v1beta1
+  versionPriority: 100
--- a/kubernetes-dashboard/application.yml
+++ b/kubernetes-dashboard/application.yml
@@ -269,7 +269,6 @@ metadata:
    certManager: "true"
    rewriteTarget: "true"
  annotations:
-    cert-manager.io/cluster-issuer: default
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -289,5 +288,4 @@ spec:
                  number: 80
  tls:
    - hosts:
-      - dashboard.k-space.ee
-      secretName: dashboard-tls
+      - "*.k-space.ee"
--- a/longhorn-system/application-extras.yml
+++ b/longhorn-system/application-extras.yml
@@ -5,7 +5,6 @@ metadata:
  namespace: longhorn-system
  annotations:
    kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
@@ -24,9 +23,7 @@ spec:
              number: 80
  tls:
  - hosts:
-    - longhorn.k-space.ee
-    secretName: longhorn-tls
-
+    - "*.k-space.ee"
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
--- a/longhorn-system/application.yml
+++ b/longhorn-system/application.yml
@@ -1056,9 +1056,6 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  annotations:
-    prometheus.io/scrape: "true"
-    prometheus.io/port: "9500"
  labels:
    app: longhorn-manager
  name: longhorn-backend
--- a/phpmyadmin/application.yml
+++ b/phpmyadmin/application.yml
@@ -40,7 +40,6 @@ metadata:
  name: phpmyadmin
  annotations:
    kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
    traefik.ingress.kubernetes.io/router.tls: "true"
@@ -59,8 +58,7 @@ spec:
              number: 80
  tls:
  - hosts:
-    - phpmyadmin.k-space.ee
-    secretName: phpmyadmin-tls
+    - "*.k-space.ee"
 ---
 apiVersion: v1
 kind: Service
--- a/playground/README.md
+++ b/playground/README.md
@@ -0,0 +1,10 @@
+# Playground
+
+Playground namespace is accessible to `Developers` AD group.
+
+Novel log aggregator is being developer in this namespace:
+
+```
+kubectl create secret generic -n playground mongodb-application-readwrite-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
+kubectl create secret generic -n playground mongodb-application-readonly-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
+kubectl apply -n playground -f logging.yml -f mongodb-support.yml -f mongoexpress.yml -f networkpolicy-base.yml
--- a/playground/logging.yml
+++ b/playground/logging.yml
@@ -0,0 +1,263 @@
+---
+apiVersion: mongodbcommunity.mongodb.com/v1
+kind: MongoDBCommunity
+metadata:
+  name: mongodb
+spec:
+  additionalMongodConfig:
+    systemLog:
+      quiet: true
+  members: 3
+  type: ReplicaSet
+  version: "5.0.13"
+  security:
+    authentication:
+      modes: ["SCRAM"]
+  users:
+    - name: readwrite
+      db: application
+      passwordSecretRef:
+        name: mongodb-application-readwrite-password
+      roles:
+        - name: readWrite
+          db: application
+      scramCredentialsSecretName: mongodb-application-readwrite
+    - name: readonly
+      db: application
+      passwordSecretRef:
+        name: mongodb-application-readonly-password
+      roles:
+        - name: readOnly
+          db: application
+      scramCredentialsSecretName: mongodb-application-readonly
+  statefulSet:
+    spec:
+      logLevel: WARN
+      template:
+        spec:
+          containers:
+            - name: mongod
+              resources:
+                requests:
+                  cpu: 100m
+                  memory: 2Gi
+                limits:
+                  cpu: 2000m
+                  memory: 2Gi
+            - name: mongodb-agent
+              resources:
+                requests:
+                  cpu: 1m
+                  memory: 100Mi
+                limits: {}
+          affinity:
+            podAntiAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+                - labelSelector:
+                    matchExpressions:
+                      - key: app
+                        operator: In
+                        values:
+                          - mongodb-svc
+                  topologyKey: kubernetes.io/hostname
+          nodeSelector:
+            dedicated: monitoring
+          tolerations:
+            - key: dedicated
+              operator: Equal
+              value: monitoring
+              effect: NoSchedule
+      volumeClaimTemplates:
+        - metadata:
+            name: logs-volume
+          spec:
+            storageClassName: local-path
+            accessModes:
+            - ReadWriteOnce
+            resources:
+              requests:
+                storage: 512Mi
+        - metadata:
+            name: data-volume
+          spec:
+            storageClassName: local-path
+            accessModes:
+            - ReadWriteOnce
+            resources:
+              requests:
+                storage: 2Gi
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: log-shipper
+spec:
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 50%
+  selector:
+    matchLabels:
+      app: log-shipper
+  template:
+    metadata:
+      labels:
+        app: log-shipper
+    spec:
+      serviceAccountName: log-shipper
+      containers:
+        - name: log-shipper
+          image: harbor.k-space.ee/k-space/log-shipper
+          securityContext:
+            runAsUser: 0
+          env:
+            - name: MY_POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: MONGODB_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: mongodb-application-readwrite
+                  key: connectionString.standard
+          ports:
+            - containerPort: 8000
+              name: metrics
+          resources:
+            limits:
+              memory: 200Mi
+            requests:
+              cpu: 100m
+              memory: 100Mi
+          volumeMounts:
+            - name: etcmachineid
+              mountPath: /etc/machine-id
+              readOnly: true
+            - name: varlibdockercontainers
+              mountPath: /var/lib/docker/containers
+              readOnly: true
+            - name: varlog
+              mountPath: /var/log
+              readOnly: true
+      volumes:
+        - name: etcmachineid
+          hostPath:
+            path: /etc/machine-id
+        - name: varlibdockercontainers
+          hostPath:
+            path: /var/lib/docker/containers
+        - name: varlog
+          hostPath:
+            path: /var/log
+      tolerations:
+        - operator: "Exists"
+          effect: "NoExecute"
+        - operator: "Exists"
+          effect: "NoSchedule"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: logging-log-shipper
+subjects:
+  - kind: ServiceAccount
+    name: log-shipper
+    namespace: playground
+roleRef:
+  kind: ClusterRole
+  name: filebeat
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: log-shipper
+  labels:
+    app: log-shipper
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: log-shipper
+spec:
+  podSelector:
+    matchLabels:
+      app: log-shipper
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: prometheus-operator
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: prometheus
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app: mongodb-svc
+      ports:
+        - port: 27017
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: log-viewer-backend
+spec:
+  podSelector:
+    matchLabels:
+      app: log-viewer-backend
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app: mongodb-svc
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: log-viewer-frontend
+spec:
+  podSelector:
+    matchLabels:
+      app: log-viewer-frontend
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: log-shipper
+spec:
+  selector:
+    matchLabels:
+      app: log-shipper
+  podMetricsEndpoints:
+    - port: metrics
--- a/playground/mongodb-support.yml
+++ b/playground/mongodb-support.yml
@@ -0,0 +1 @@
+../mongodb-operator/mongodb-support.yml
--- a/playground/mongoexpress.yml
+++ b/playground/mongoexpress.yml
@@ -0,0 +1 @@
+../shared/mongoexpress.yml
--- a/playground/networkpolicy-base.yml
+++ b/playground/networkpolicy-base.yml
@@ -0,0 +1 @@
+../shared/networkpolicy-base.yml
--- a/prometheus-operator/application.yml
+++ b/prometheus-operator/application.yml
@@ -399,7 +399,6 @@ kind: Ingress
 metadata:
  name: prometheus
  annotations:
-    cert-manager.io/cluster-issuer: default
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
@@ -418,15 +417,13 @@ spec:
              number: 9090
  tls:
  - hosts:
-    - prom.k-space.ee
-    secretName: prom-tls
+    - "*.k-space.ee"
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: alertmanager
  annotations:
-    cert-manager.io/cluster-issuer: default
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
@@ -445,8 +442,7 @@ spec:
              number: 9093
  tls:
  - hosts:
-    - am.k-space.ee
-    secretName: alertmanager-tls
+    - "*.k-space.ee"
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
--- a/prometheus-operator/blackbox-exporter.yml
+++ b/prometheus-operator/blackbox-exporter.yml
@@ -156,7 +156,7 @@ metadata:
  name: blackbox-exporter
 spec:
  revisionHistoryLimit: 0
-  replicas: 2
+  replicas: 3
  selector:
    matchLabels:
      app: blackbox-exporter
--- a/tigera-operator/README.md
+++ b/tigera-operator/README.md
@@ -5,5 +5,6 @@ Calico implements the inter-pod overlay network
 ```
 curl https://projectcalico.docs.tigera.io/manifests/tigera-operator.yaml -O
 curl https://projectcalico.docs.tigera.io/manifests/custom-resources.yaml -O
-kubectl apply -f tigera-operator.yaml -f custom-resources.yaml
+kubectl apply -f custom-resources.yaml
+kubectl replace -f tigera-operator.yaml
 ```
--- a/tigera-operator/cleanup.sh
+++ b/tigera-operator/cleanup.sh
@@ -1,64 +0,0 @@
-#!/bin/bash
-
-NAMESPACE=${NAMESPACE:-longhorn-system}
-
-remove_and_wait() {
-  local crd=$1
-  out=`kubectl -n ${NAMESPACE} delete $crd --all 2>&1`
-  if [ $? -ne 0 ]; then
-    echo $out
-    return
-  fi
-  while true; do
-    out=`kubectl -n ${NAMESPACE} get $crd -o yaml | grep 'items: \[\]'`
-    if [ $? -eq 0 ]; then
-      break
-    fi
-    sleep 1
-  done
-  echo all $crd instances deleted
-}
-
-remove_crd_instances() {
-  remove_and_wait volumes.longhorn.rancher.io
-  # TODO: remove engines and replicas once we fix https://github.com/rancher/longhorn/issues/273
-  remove_and_wait engines.longhorn.rancher.io
-  remove_and_wait replicas.longhorn.rancher.io
-  remove_and_wait engineimages.longhorn.rancher.io
-  remove_and_wait settings.longhorn.rancher.io
-  # do this one last; manager crashes
-  remove_and_wait nodes.longhorn.rancher.io
-}
-
-# Delete driver related workloads in specific order
-remove_driver() {
-  kubectl -n ${NAMESPACE} delete deployment.apps/longhorn-driver-deployer
-  kubectl -n ${NAMESPACE} delete daemonset.apps/longhorn-csi-plugin
-  kubectl -n ${NAMESPACE} delete statefulset.apps/csi-attacher
-  kubectl -n ${NAMESPACE} delete service/csi-attacher
-  kubectl -n ${NAMESPACE} delete statefulset.apps/csi-provisioner
-  kubectl -n ${NAMESPACE} delete service/csi-provisioner
-  kubectl -n ${NAMESPACE} delete daemonset.apps/longhorn-flexvolume-driver
-}
-
-# Delete all workloads in the namespace
-remove_workloads() {
-  kubectl -n ${NAMESPACE} get daemonset.apps -o yaml | kubectl delete -f -
-  kubectl -n ${NAMESPACE} get deployment.apps -o yaml | kubectl delete -f -
-  kubectl -n ${NAMESPACE} get replicaset.apps -o yaml | kubectl delete -f -
-  kubectl -n ${NAMESPACE} get statefulset.apps -o yaml | kubectl delete -f -
-  kubectl -n ${NAMESPACE} get pods -o yaml | kubectl delete -f -
-  kubectl -n ${NAMESPACE} get service -o yaml | kubectl delete -f -
-}
-
-# Delete CRD definitions with longhorn.rancher.io in the name
-remove_crds() {
-  for crd in $(kubectl get crd -o jsonpath={.items[*].metadata.name} | tr ' ' '\n' | grep longhorn.rancher.io); do
-    kubectl delete crd/$crd
-  done
-}
-
-remove_crd_instances
-remove_driver
-remove_workloads
-remove_crds
--- a/tigera-operator/custom-resources.yaml
+++ b/tigera-operator/custom-resources.yaml
@@ -1,5 +1,5 @@
 # This section includes base Calico installation configuration.
-# For more information, see: https://projectcalico.docs.tigera.io/v3.23/reference/installation/api#operator.tigera.io/v1.Installation
+# For more information, see: https://projectcalico.docs.tigera.io/master/reference/installation/api#operator.tigera.io/v1.Installation
 apiVersion: operator.tigera.io/v1
 kind: Installation
 metadata:
@@ -10,7 +10,7 @@ spec:
    # Note: The ipPools section cannot be modified post-install.
    ipPools:
    - blockSize: 26
-      cidr: 192.168.0.0/16
+      cidr: 10.244.0.0/16
      encapsulation: VXLANCrossSubnet
      natOutgoing: Enabled
      nodeSelector: all()
@@ -18,7 +18,7 @@ spec:
 ---

 # This section configures the Calico API server.
-# For more information, see: https://projectcalico.docs.tigera.io/v3.23/reference/installation/api#operator.tigera.io/v1.APIServer
+# For more information, see: https://projectcalico.docs.tigera.io/master/reference/installation/api#operator.tigera.io/v1.APIServer
 apiVersion: operator.tigera.io/v1
 kind: APIServer 
 metadata: 
--- a/tigera-operator/tigera-operator.yaml
+++ b/tigera-operator/tigera-operator.yaml
--- a/traefik/application-extras.yml
+++ b/traefik/application-extras.yml
@@ -64,8 +64,16 @@ spec:
              number: 9000
  tls:
  - hosts:
-    - traefik.k-space.ee
-    secretName: traefik-tls
+    - "*.k-space.ee"
+    secretName: wildcard-tls
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+spec:
+  defaultCertificate:
+    secretName: wildcard-tls
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
--- a/traefik/proxmox.yml
+++ b/traefik/proxmox.yml
@@ -1,3 +1,34 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: proxmox
+spec:
+  entryPoints:                      
+    - https
+  routes:                           
+  - kind: Rule
+    match: Host(`pve.k-space.ee`) 
+    priority: 10                    
+    middlewares:
+    - name: proxmox-redirect
+    - name: traefik-sso@kubernetescrd
+    - name: traefik-proxmox-redirect@kubernetescrd             
+    services:                      
+    - kind: Service
+      name: pve1
+      passHostHeader: true
+      port: 8006                      
+      responseForwarding:
+        flushInterval: 1ms
+      scheme: https
+      serversTransport: proxmox-servers-transport   
+  tls:                              
+    secretName: pve         
+    domains:                        
+    - main: pve.k-space.ee             
+      sans:                         
+      - "*.k-space.ee"
+
 apiVersion: traefik.containo.us/v1alpha1
 kind: ServersTransport
 metadata:
@@ -56,101 +87,6 @@ data:
    RWRmRHIzNTBpZkRCQkVuL3RvL3JUczFOVjhyOGpjcG14a2MzNjlSQXp3TmJiRVkKMVE9PQotLS0t
    LUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
 ---
-apiVersion: v1
-kind: Service
-metadata:
-  name: pve1
-  annotations:
-    traefik.ingress.kubernetes.io/service.serverstransport: traefik-proxmox-servers-transport@kubernetescrd
-spec:
-  type: ExternalName
-  externalName: pve1.proxmox.infra.k-space.ee
-  ports:
-    - name: https
-      port: 8006
-      protocol: TCP
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: pve8
-  annotations:
-    traefik.ingress.kubernetes.io/service.serverstransport: traefik-proxmox-servers-transport@kubernetescrd
-spec:
-  type: ExternalName
-  externalName: pve8.proxmox.infra.k-space.ee
-  ports:
-    - name: https
-      port: 8006
-      protocol: TCP
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: pve9
-  annotations:
-    traefik.ingress.kubernetes.io/service.serverstransport: traefik-proxmox-servers-transport@kubernetescrd
-spec:
-  type: ExternalName
-  externalName: pve9.proxmox.infra.k-space.ee
-  ports:
-    - name: https
-      port: 8006
-      protocol: TCP
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: pve
-  annotations:
-    kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
-    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd,traefik-proxmox-redirect@kubernetescrd
-    traefik.ingress.kubernetes.io/router.tls: "true"
-spec:
-  rules:
-  - host: proxmox.k-space.ee
-    http:
-      paths:
-      - pathType: Prefix
-        path: /
-        backend:
-          service:
-            name: whoami
-            port:
-              number: 80
-  - host: pve.k-space.ee
-    http:
-      paths:
-      - pathType: Prefix
-        path: "/"
-        backend:
-          service:
-            name: pve1
-            port:
-              number: 8006
-      - pathType: Prefix
-        path: "/"
-        backend:
-          service:
-            name: pve8
-            port:
-              number: 8006
-      - pathType: Prefix
-        path: "/"
-        backend:
-          service:
-            name: pve9
-            port:
-              number: 8006
-  tls:
-  - hosts:
-    - pve.k-space.ee
-    - proxmox.k-space.ee
-    secretName: pve-tls
---
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
--- a/traefik/values.yml
+++ b/traefik/values.yml
@@ -1,13 +1,36 @@
 image:
-  tag: "2.8"
+  tag: "2.9"

 websecure:
  tls:
    enabled: true

 providers:
+  kubernetesCRD:
+    enabled: true
+    namespaces:
+      - traefik
+      - authelia
+
  kubernetesIngress:
+    allowEmptyServices: true
    allowExternalNameServices: true
+    namespaces:
+      - argocd
+      - authelia
+      - camtiler
+      - drone
+      - elastic-system
+      - etherpad
+      - freescout
+      - grafana
+      - harbor
+      - kubernetes-dashboard
+      - logging
+      - longhorn-system
+      - phpmyadmin
+      - prometheus-operator
+      - wildduck

 deployment:
  replicas: 2
--- a/traefik/voron.yml
+++ b/traefik/voron.yml
@@ -17,7 +17,6 @@ metadata:
  name: voron
  annotations:
    kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
    traefik.ingress.kubernetes.io/router.tls: "true"
@@ -36,5 +35,4 @@ spec:
              name: http
  tls:
  - hosts:
-    - voron.k-space.ee
-    secretName: voron-tls
+    - "*.k-space.ee"
--- a/traefik/whoami.yml
+++ b/traefik/whoami.yml
@@ -41,7 +41,6 @@ kind: Ingress
 metadata:
  name: whoami
  annotations:
-    cert-manager.io/cluster-issuer: default
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -50,8 +49,7 @@ metadata:
 spec:
  tls:
  - hosts:
-    - "whoami.k-space.ee"
-    secretName: whoami-tls
+    - "*.k-space.ee"
  rules:
  - host: "whoami.k-space.ee"
    http:
--- a/wildduck/application.yml
+++ b/wildduck/application.yml
@@ -104,7 +104,6 @@ metadata:
  namespace: wildduck
  annotations:
    kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
    traefik.ingress.kubernetes.io/router.tls: "true"
@@ -123,8 +122,7 @@ spec:
              number: 80
  tls:
  - hosts:
-    - webmail.k-space.ee
-    secretName: webmail-tls
+    - "*.k-space.ee"
 ---
 apiVersion: codemowers.io/v1alpha1
 kind: KeyDBCluster
Author	SHA1	Message	Date
Song Meo	6b635b6dc7	proxmox: first attempt to move to ingressroute	2022-11-04 11:39:36 +02:00
Lauri Võsandi	1bcfbed130	traefik: Bump version	2022-10-21 08:30:04 +03:00
Lauri Võsandi	3b1cda8a58	traefik: Pull resources only from trusted namespaces	2022-10-21 08:27:53 +03:00
Lauri Võsandi	2fd0112c28	elastic-system: Exclude logging ECK stack itself	2022-10-21 00:57:11 +03:00
Lauri Võsandi	9275f745ce	elastic-system: Remove Filebeat's dependency on Kibana	2022-10-21 00:56:54 +03:00
Lauri Võsandi	3d86b6acde	elastic-system: Bump to 8.4.3	2022-10-14 20:18:28 +03:00
Lauri Võsandi	4a94cd4af0	longhorn-system: Remove Prometheus annotation as we use PodMonitor already	2022-10-14 15:03:48 +03:00
Lauri Võsandi	a27f273c0b	Add Grafana	2022-10-14 14:38:23 +03:00
Lauri Võsandi	4686108f42	Switch to wildcard *.k-space.ee certificate	2022-10-14 14:32:36 +03:00
Lauri Võsandi	30b7e50afb	kube-system: Add metrics-server	2022-10-14 14:23:21 +03:00
Lauri Võsandi	e4c9675b99	tigera-operator: Remove unrelated files	2022-10-14 14:05:40 +03:00
Lauri Võsandi	017bdd9fd8	tigera-operator: Upgrade Calico	2022-10-14 14:03:34 +03:00
Lauri Võsandi	0fd0094ba0	playground: Initial commit	2022-10-14 00:14:35 +03:00
Lauri Võsandi	d20fdf350d	drone: Switch templates to drone-kaniko plugin	2022-10-12 14:24:57 +03:00
rasmus	bac5040d2a	README: access/auth: collapse bootstrapping For 'how to connect to cluster', server-side setup is not needed from connecting clients. Hiding the section makes the steps more concise.	2022-10-11 10:47:41 +03:00
Danyliuk	4d5851259d	Update .gitignore file. Add IntelliJ IDEA part	2022-10-08 16:43:48 +00:00
Lauri Võsandi	8ee1896a55	harbor: Move to storage nodes	2022-10-04 13:39:25 +03:00
Lauri Võsandi	04b786b18d	prometheus-operator: Bump blackbox exporter replica count to 3	2022-10-04 10:11:53 +03:00