README.md

# k-space.ee infrastructure
Kubernetes manifests, Ansible [playbooks](ansible/README.md), and documentation for K-SPACE services.

<!-- TODO: Docs for adding to ArgoCD (auto-)sync -->
- Repo is deployed with [ArgoCD](https://argocd.k-space.ee). For `kubectl` access, see [CLUSTER.md](CLUSTER.md#kubectl).
- Debugging Kubernetes [on Wiki](https://wiki.k-space.ee/en/hosting/debugging-kubernetes)
- Need help? → [`#kube`](https://k-space-ee.slack.com/archives/C02EYV1NTM2)

Jump to docs: [inventory-app](hackerspace/README.md) / [cameras](_disabled/camtiler/README.md) / [doors](https://wiki.k-space.ee/en/hosting/doors) / [list of apps](https://auth.k-space.ee) // [all infra](ansible/inventory.yml) / [network](https://wiki.k-space.ee/en/hosting/network) / [retro](https://wiki.k-space.ee/en/hosting/retro) / [non-infra](https://wiki.k-space.ee)

Tip: Search the repo for `kind: xyz` for examples.

## Supporting services
- Build [Git](https://git.k-space.ee) repositories with [Woodpecker](https://woodpecker.k-space.ee)[^nodrone].
- Passmower: Authz with `kind: OIDCClient` (or `kind: OIDCMiddlewareClient`[^authz]).
- Traefik[^nonginx]: Expose services with `kind: Service` + `kind: Ingress` (TLS and DNS **included**).

[^nodrone]: Replaces Drone CI.

### Additional
- bind: Manage _additional_ DNS records with `kind: DNSEndpoint`.
- [Prometheus](https://wiki.k-space.ee/en/hosting/monitoring): Collect metrics with `kind: PodMonitor` (alerts with `kind: PrometheusRule`).
- [Slack bots](SLACK.md) and Kubernetes [CLUSTER.md](CLUSTER.md) itself.
<!-- TODO: Redirects: external-dns.alpha.kubernetes.io/hostname + in -extras.yaml: IngressRoute and Middleware -->

[^nonginx]: No nginx annotations! Use `kind: Ingress` instead. `IngressRoute` is not used as it doesn't support [`external-dns`](bind/README.md) out of the box.
[^authz]: Applications should use OpenID Connect (`kind: OIDCClient`) for authentication, whereever possible. If not possible, use `kind: OIDCMiddlewareClient` client, which will provide authentication via a Traefik middleware (`traefik.ingress.kubernetes.io/router.middlewares: passmower-proxmox@kubernetescrd`). Sometimes you might use both for extra security.

### Network

All nodes are in Infra VLAN 21. Routing is implemented with BGP, all nodes and the router make a full-mesh. Both Serice LB IPs and Pod IPs are advertised to the router. Router does NAT for outbound pod traffic.
See the [Calico installation](tigera-operator/application.yml) for Kube side and Routing / BGP in the router.
Static routes for 193.40.103.36/30 have been added in pve nodes to make them communicating with Passmower via Traefik more stable - otherwise packets coming back to the PVE are routed directly via VLAN 21 internal IPs by the worker nodes, breaking TCP.

#### Regenerate networkpolicy-base.yml
It's quite odd there is no better way to generate these.

[regenerate-networkpolicy-base.sh](regenerate-networkpolicy-base.sh)

<!-- Linked to by https://wiki.k-space.ee/e/en/hosting/storage -->
### Databases / -stores:
- Dragonfly: `kind: Dragonfly` (replaces Redis[^redisdead])
- External (hyperconverged Proxmox) Rook/Ceph: `rook-ceph/storage-classes.yaml` (filesystem storage)[^fs]
- Mongo[^mongoproblems]: `kind: MongoDBCommunity` (NAS* `inventory-mongodb`)
- Garage S3[^nominio]: buckets/credentials created with CLI and usually stored in secretspace/kube #TODO: link to docs, kube claim instead?
- MariaDB*: search for `mysql`, `mariadb`[^mariadb] (replaces MySQL)
- Postgres*: hardcoded to [harbor/application.yml](harbor/application.yml)
- Seeded secrets: `kind: SecretClaim` (generates random secret in templated format)
- Secrets in git: https://git.k-space.ee/secretspace (members personal info, API credentials, see argocd/deploy_key.pub comment)

[^mariadb]: As of 2024-07-30 used by auth, authelia, bitwarden, etherpad, freescout, git, grafana, nextcloud, wiki, woodpecker

[^redisdead]: Redis has been replaced as redis-operatori couldn't handle itself: didn't reconcile after reboots, master URI was empty, and clients complained about missing masters. Dragonfly replaces KeyDB.

[^mongoproblems]: Mongo problems: Incompatible with rawfile csi (wiredtiger.wt corrupts), complicated resizing (PVCs from statefulset PVC template).

[^nominio]: Replaces Minio S3.
[^fs]: Replaces Longhorn and proxmox-csi.

***
_This page is referenced by wiki [front page](https://wiki.k-space.ee) as **the** technical documentation for infra._
docs: mega refactor Also bunch of edits at wiki.k-space.ee 2024-07-30 10:51:34 +03:00			`# k-space.ee infrastructure`
			`Kubernetes manifests, Ansible [playbooks](ansible/README.md), and documentation for K-SPACE services.`
Initial commit 2022-08-16 12:40:54 +03:00
doc: readme tip + todo for argo 'user-facing' doc 2024-08-03 02:00:48 +03:00			`<!-- TODO: Docs for adding to ArgoCD (auto-)sync -->`
docs: mega refactor Also bunch of edits at wiki.k-space.ee 2024-07-30 10:51:34 +03:00			- Repo is deployed with [ArgoCD](https://argocd.k-space.ee). For `kubectl` access, see [CLUSTER.md](CLUSTER.md#kubectl).
			`- Debugging Kubernetes [on Wiki](https://wiki.k-space.ee/en/hosting/debugging-kubernetes)`
			- Need help? → [`#kube`](https://k-space-ee.slack.com/archives/C02EYV1NTM2)
Initial commit 2022-08-16 12:40:54 +03:00
README: Update networking wiki ref 2025-08-01 19:25:17 +03:00			`Jump to docs: [inventory-app](hackerspace/README.md) / [cameras](_disabled/camtiler/README.md) / [doors](https://wiki.k-space.ee/en/hosting/doors) / [list of apps](https://auth.k-space.ee) // [all infra](ansible/inventory.yml) / [network](https://wiki.k-space.ee/en/hosting/network) / [retro](https://wiki.k-space.ee/en/hosting/retro) / [non-infra](https://wiki.k-space.ee)`
Initial commit 2022-08-16 12:40:54 +03:00
doc: readme tip + todo for argo 'user-facing' doc 2024-08-03 02:00:48 +03:00			Tip: Search the repo for `kind: xyz` for examples.

docs: mega refactor Also bunch of edits at wiki.k-space.ee 2024-07-30 10:51:34 +03:00			`## Supporting services`
docs: drone is replaced 2025-05-03 15:11:11 +03:00			`- Build [Git](https://git.k-space.ee) repositories with [Woodpecker](https://woodpecker.k-space.ee)[^nodrone].`
doc: readme tip + todo for argo 'user-facing' doc 2024-08-03 02:00:48 +03:00			- Passmower: Authz with `kind: OIDCClient` (or `kind: OIDCMiddlewareClient`[^authz]).
docs: mega refactor Also bunch of edits at wiki.k-space.ee 2024-07-30 10:51:34 +03:00			- Traefik[^nonginx]: Expose services with `kind: Service` + `kind: Ingress` (TLS and DNS included).
Initial commit 2022-08-16 12:40:54 +03:00
docs: drone is replaced 2025-05-03 15:11:11 +03:00			`[^nodrone]: Replaces Drone CI.`

docs: mega refactor Also bunch of edits at wiki.k-space.ee 2024-07-30 10:51:34 +03:00			`### Additional`
			- bind: Manage _additional_ DNS records with `kind: DNSEndpoint`.
			- [Prometheus](https://wiki.k-space.ee/en/hosting/monitoring): Collect metrics with `kind: PodMonitor` (alerts with `kind: PrometheusRule`).
			`- [Slack bots](SLACK.md) and Kubernetes [CLUSTER.md](CLUSTER.md) itself.`
Add redirects sign.k-space.ee, members.k-space.ee There still are dead inventory links with members.k-space.ee 2024-08-03 01:49:16 +03:00			`<!-- TODO: Redirects: external-dns.alpha.kubernetes.io/hostname + in -extras.yaml: IngressRoute and Middleware -->`
Initial commit 2022-08-16 12:40:54 +03:00
docs: mega refactor Also bunch of edits at wiki.k-space.ee 2024-07-30 10:51:34 +03:00			[^nonginx]: No nginx annotations! Use `kind: Ingress` instead. `IngressRoute` is not used as it doesn't support [`external-dns`](bind/README.md) out of the box.
update readme 2024-07-30 12:40:01 +03:00			[^authz]: Applications should use OpenID Connect (`kind: OIDCClient`) for authentication, whereever possible. If not possible, use `kind: OIDCMiddlewareClient` client, which will provide authentication via a Traefik middleware (`traefik.ingress.kubernetes.io/router.middlewares: passmower-proxmox@kubernetescrd`). Sometimes you might use both for extra security.
Initial commit 2022-08-16 12:40:54 +03:00
update readme about network 2024-08-15 13:40:22 +03:00			`### Network`

			`All nodes are in Infra VLAN 21. Routing is implemented with BGP, all nodes and the router make a full-mesh. Both Serice LB IPs and Pod IPs are advertised to the router. Router does NAT for outbound pod traffic.`
			`See the [Calico installation](tigera-operator/application.yml) for Kube side and Routing / BGP in the router.`
			`Static routes for 193.40.103.36/30 have been added in pve nodes to make them communicating with Passmower via Traefik more stable - otherwise packets coming back to the PVE are routed directly via VLAN 21 internal IPs by the worker nodes, breaking TCP.`

clean up shared/ most of it replaced or unused 2026-01-03 05:34:13 +02:00			`#### Regenerate networkpolicy-base.yml`
			`It's quite odd there is no better way to generate these.`

			`[regenerate-networkpolicy-base.sh](regenerate-networkpolicy-base.sh)`

doc: Reword backlink warning we already got more broken links :/ I don't really want it to be an agressive warn. 2024-08-03 01:59:45 +03:00			`<!-- Linked to by https://wiki.k-space.ee/e/en/hosting/storage -->`
docs: mega refactor Also bunch of edits at wiki.k-space.ee 2024-07-30 10:51:34 +03:00			`### Databases / -stores:`
			- Dragonfly: `kind: Dragonfly` (replaces Redis[^redisdead])
update README datastores 2026-01-05 23:14:00 +02:00			- External (hyperconverged Proxmox) Rook/Ceph: `rook-ceph/storage-classes.yaml` (filesystem storage)[^fs]
docs: mega refactor Also bunch of edits at wiki.k-space.ee 2024-07-30 10:51:34 +03:00			- Mongo[^mongoproblems]: `kind: MongoDBCommunity` (NAS* `inventory-mongodb`)
minio is dead, external is dead, some envs are dead 2025-12-29 00:13:35 +02:00			`- Garage S3[^nominio]: buckets/credentials created with CLI and usually stored in secretspace/kube #TODO: link to docs, kube claim instead?`
docs: mega refactor Also bunch of edits at wiki.k-space.ee 2024-07-30 10:51:34 +03:00			- MariaDB*: search for `mysql`, `mariadb`[^mariadb] (replaces MySQL)
			`- Postgres*: hardcoded to [harbor/application.yml](harbor/application.yml)`
argo: secret-claim-operator to git 2025-04-20 17:43:46 +03:00			- Seeded secrets: `kind: SecretClaim` (generates random secret in templated format)
move members repo to secretspace 2025-05-03 14:49:30 +03:00			`- Secrets in git: https://git.k-space.ee/secretspace (members personal info, API credentials, see argocd/deploy_key.pub comment)`
Initial commit 2022-08-16 12:40:54 +03:00
docs: mega refactor Also bunch of edits at wiki.k-space.ee 2024-07-30 10:51:34 +03:00			`[^mariadb]: As of 2024-07-30 used by auth, authelia, bitwarden, etherpad, freescout, git, grafana, nextcloud, wiki, woodpecker`
Initial commit 2022-08-16 12:40:54 +03:00
keydb (and redis) is dead 2025-04-20 17:08:09 +03:00			`[^redisdead]: Redis has been replaced as redis-operatori couldn't handle itself: didn't reconcile after reboots, master URI was empty, and clients complained about missing masters. Dragonfly replaces KeyDB.`
Initial commit 2022-08-16 12:40:54 +03:00
docs: mega refactor Also bunch of edits at wiki.k-space.ee 2024-07-30 10:51:34 +03:00			`[^mongoproblems]: Mongo problems: Incompatible with rawfile csi (wiredtiger.wt corrupts), complicated resizing (PVCs from statefulset PVC template).`
Initial commit 2022-08-16 12:40:54 +03:00
minio is dead, external is dead, some envs are dead 2025-12-29 00:13:35 +02:00			`[^nominio]: Replaces Minio S3.`
update README datastores 2026-01-05 23:14:00 +02:00			`[^fs]: Replaces Longhorn and proxmox-csi.`
minio is dead, external is dead, some envs are dead 2025-12-29 00:13:35 +02:00
docs: mega refactor Also bunch of edits at wiki.k-space.ee 2024-07-30 10:51:34 +03:00			`***`
			`_This page is referenced by wiki [front page](https://wiki.k-space.ee) as the technical documentation for infra._`