Make login url clickable in emails

cluster constantly failing due to rate limits,
please find a better solution

.gitignore

@@ -3,3 +3,7 @@
 *.swp
 *.save
 *.1
+
+### IntelliJ IDEA ###
+.idea
+*.iml

README.md

@@ -2,31 +2,19 @@
 
 ## Introduction
 
-This is the Kubernetes manifests of services running on k-space.ee domains:
-
-- [Authelia](https://auth.k-space.ee) for authentication
-- [Drone.io](https://drone.k-space.ee) for building Docker images
-- [Harbor](https://harbor.k-space.ee) for hosting Docker images
-- [ArgoCD](https://argocd.k-space.ee) for deploying Kubernetes manifests and
-  Helm charts into the cluster
-- [camtiler](https://cams.k-space.ee) for cameras
-- [Longhorn Dashboard](https://longhorn.k-space.ee) for administering
-  Longhorn storage
-- [Kubernetes Dashboard](https://kubernetes-dashboard.k-space.ee/) for read-only overview
-  of the Kubernetes cluster
-- [Wildduck Webmail](https://webmail.k-space.ee/)
-
-Most endpoints are protected by OIDC autentication or Authelia SSO middleware.
+This is the Kubernetes manifests of services running on k-space.ee domains.
+The applications are listed on https://auth2.k-space.ee for authenticated users.
 
 
 ## Cluster access
 
 General discussion is happening in the `#kube` Slack channel.
 
+<details><summary>Bootstrapping access</summary>
 For bootstrap access obtain `/etc/kubernetes/admin.conf` from one of the master
 nodes and place it under `~/.kube/config` on your machine.
 
-Once Authelia is working, OIDC access for others can be enabled with
+Once Passmower is working, OIDC access for others can be enabled with
 running following on Kubernetes masters:
 
 ```bash
@@ -35,9 +23,9 @@ patch /etc/kubernetes/manifests/kube-apiserver.yaml - << EOF
      - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
      - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
      - --etcd-servers=https://127.0.0.1:2379
-+    - --oidc-issuer-url=https://auth.k-space.ee
-+    - --oidc-client-id=kubelogin
-+    - --oidc-username-claim=preferred_username
++    - --oidc-issuer-url=https://auth2.k-space.ee/
++    - --oidc-client-id=oidc-gateway.kubelogin
++    - --oidc-username-claim=sub
 +    - --oidc-groups-claim=groups
      - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
      - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
@@ -46,9 +34,9 @@ EOF
 sudo systemctl daemon-reload
 systemctl restart kubelet
 ```
+</details>
 
-Afterwards following can be used to talk to the Kubernetes cluster using
-OIDC credentials:
+The following can be used to talk to the Kubernetes cluster using OIDC credentials:
 
 ```bash
 kubectl krew install oidc-login
@@ -76,8 +64,8 @@ users:
       args:
       - oidc-login
       - get-token
-      - --oidc-issuer-url=https://auth.k-space.ee
-      - --oidc-client-id=kubelogin
+      - --oidc-issuer-url=https://auth2.k-space.ee/
+      - --oidc-client-id=oidc-gateway.kubelogin
       - --oidc-use-pkce
       - --oidc-extra-scope=profile,email,groups
       - --listen-address=127.0.0.1:27890
@@ -89,33 +77,45 @@ EOF
 
 For access control mapping see [cluster-role-bindings.yml](cluster-role-bindings.yml)
 
+### systemd-resolved issues on access
+```sh
+Unable to connect to the server: dial tcp: lookup master.kube.k-space.ee on 127.0.0.53:53: no such host
+```
+```
+Network → VPN → `IPv4` → Other nameservers (Muud nimeserverid): `172.21.0.1`
+Network → VPN → `IPv6` → Other nameservers (Muud nimeserverid): `2001:bb8:4008:21::1`
+Network → VPN → `IPv4` → Search domains (Otsingudomeenid): `kube.k-space.ee`
+Network → VPN → `IPv6` → Search domains (Otsingudomeenid): `kube.k-space.ee`
+```
 
 # Technology mapping
 
 Our self-hosted Kubernetes stack compared to AWS based deployments:
 
-| Hipster startup | Self-hosted hackerspace             | Purpose                                                             |
-|-----------------|-------------------------------------|---------------------------------------------------------------------|
-| AWS EC2         | Proxmox                             | Virtualization layer                                                |
-| AWS EKS         | kubeadm                             | Provision Kubernetes master nodes                                   |
-| AWS EBS         | Longhorn                            | Block storage for arbitrary applications needing persistent storage |
-| AWS NLB         | MetalLB                             | L2/L3 level load balancing                                          |
-| AWS ALB         | Traefik                             | Reverse proxy also known as ingress controller in Kubernetes jargon |
-| AWS ECR         | Harbor                              | Docker registry                                                     |
-| AWS DocumentDB  | MongoDB                             | NoSQL database                                                      |
-| AWS S3          | Minio                               | Object storage                                                      |
-| GitHub OAuth2   | Samba (Active Directory compatible) | Source of truth for authentication and authorization                |
-| Dex             | Authelia                            | ACL mapping and OIDC provider which integrates with GitHub/Samba    |
-| GitHub          | Gitea                               | Source code management, issue tracking                              |
-| GitHub Actions  | Drone                               | Build Docker images                                                 |
-| Gmail           | Wildduck                            | E-mail                                                              |
-| AWS Route53     | Bind and RFC2136                    | DNS records and Let's Encrypt DNS validation                        |
-| AWS VPC         | Calico                              | Overlay network                                                     |
+| Hipster startup   | Self-hosted hackerspace             | Purpose                                                             |
+|-------------------|-------------------------------------|---------------------------------------------------------------------|
+| AWS ALB           | Traefik                             | Reverse proxy also known as ingress controller in Kubernetes jargon |
+| AWS AMP           | Prometheus Operator                 | Monitoring and alerting                                             |
+| AWS CloudTrail    | ECK Operator                        | Log aggregation                                                     |
+| AWS DocumentDB    | MongoDB Community Operator          | Highly available NoSQL database                                     |
+| AWS EBS           | Longhorn                            | Block storage for arbitrary applications needing persistent storage |
+| AWS EC2           | Proxmox                             | Virtualization layer                                                |
+| AWS ECR           | Harbor                              | Docker registry                                                     |
+| AWS EKS           | kubeadm                             | Provision Kubernetes master nodes                                   |
+| AWS NLB           | MetalLB                             | L2/L3 level load balancing                                          |
+| AWS RDS for MySQL | MySQL Operator                      | Provision highly available relational databases                     |
+| AWS Route53       | Bind and RFC2136                    | DNS records and Let's Encrypt DNS validation                        |
+| AWS S3            | Minio Operator                      | Highly available object storage                                     |
+| AWS VPC           | Calico                              | Overlay network                                                     |
+| Dex               | Passmower                           | ACL mapping and OIDC provider which integrates with GitHub/Samba    |
+| GitHub Actions    | Drone                               | Build Docker images                                                 |
+| GitHub            | Gitea                               | Source code management, issue tracking                              |
+| GitHub OAuth2     | Samba (Active Directory compatible) | Source of truth for authentication and authorization                |
+| Gmail             | Wildduck                            | E-mail                                                              |
 
 
 External dependencies running as classic virtual machines:
 
-- Samba as Authelia's source of truth
 - Bind as DNS server
 
 
@@ -123,13 +123,13 @@ External dependencies running as classic virtual machines:
 
 Deploy applications via [ArgoCD](https://argocd.k-space.ee)
 
-We use Treafik with Authelia for Ingress.
+We use Treafik with Passmower for Ingress.
 Applications where possible and where applicable should use `Remote-User`
 authentication. This prevents application exposure on public Internet.
 Otherwise use OpenID Connect for authentication,
 see Argo itself as an example how that is done.
 
-See `kspace-camtiler/ingress.yml` for commented Ingress example.
+See `camtiler/ingress.yml` for commented Ingress example.
 
 Note that we do not use IngressRoute objects because they don't
 support `external-dns` out of the box.
@@ -141,27 +141,12 @@ these should be handled by `tls:` section in Ingress.
 
 ## Cluster formation
 
-Create Ubuntu 20.04 VM-s on Proxmox with local storage.
+Created Ubuntu 22.04 VM-s on Proxmox with local storage.
+Added some ARM64 workers by using Ubuntu 22.04 server on Raspberry Pi.
 
 After machines have booted up and you can reach them via SSH:
 
-```bash
-# Enable required kernel modules
-cat > /etc/modules << EOF
-overlay
-br_netfilter
-EOF
-cat /etc/modules | xargs -L 1 -t modprobe
-
-# Finetune sysctl:
-cat > /etc/sysctl.d/99-k8s.conf << EOF
-net.ipv4.conf.all.accept_redirects  = 0
-net.bridge.bridge-nf-call-iptables  = 1
-net.ipv4.ip_forward                 = 1
-net.bridge.bridge-nf-call-ip6tables = 1
-EOF
-sysctl --system
-
+```
 # Disable Ubuntu caching DNS resolver
 systemctl disable systemd-resolved.service
 systemctl stop systemd-resolved
@@ -172,50 +157,16 @@ nameserver 8.8.8.8
 EOF
 
 # Disable multipathd as Longhorn handles that itself
-systemctl mask multipathd
-systemctl disable multipathd
-systemctl stop multipathd
-
-# Disable Snapcraft
-systemctl mask snapd
-systemctl disable snapd
-systemctl stop snapd
+systemctl mask multipathd snapd
+systemctl disable --now multipathd snapd bluetooth ModemManager hciuart wpa_supplicant packagekit
 
 # Permit root login
 sed -i -e 's/PermitRootLogin no/PermitRootLogin without-password/' /etc/ssh/sshd_config
 systemctl reload ssh
-cat << EOF > /root/.ssh/authorized_keys
-sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBD4/e9SWYWYoNZMkkF+NirhbmHuUgjoCap42kAq0pLIXFwIqgVTCre03VPoChIwBClc8RspLKqr5W3j0fG8QwnQAAAAEc3NoOg== lauri@lauri-x13
-EOF
+cat ~ubuntu/.ssh/authorized_keys > /root/.ssh/authorized_keys
 userdel -f ubuntu
-apt-get remove -yq cloud-init
-
-
-```
-
-Install packages, for Raspbian set `OS=Debian_11`
-
-```bash
-OS=xUbuntu_20.04
-VERSION=1.23
-cat <<EOF | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /
-EOF
-cat <<EOF | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list
-deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ /
-EOF
-
-curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | sudo apt-key --keyring /etc/apt/trusted.gpg.d/libcontainers.gpg add -
-curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/Release.key | sudo apt-key --keyring /etc/apt/trusted.gpg.d/libcontainers-cri-o.gpg add -
-curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
-echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list
-
-apt-get update
-apt-get install -yqq apt-transport-https curl cri-o cri-o-runc kubelet=1.23.5-00 kubectl=1.23.5-00 kubeadm=1.23.5-00
-sudo systemctl daemon-reload
-sudo systemctl enable crio --now
-apt-mark hold kubelet kubeadm kubectl
-sed -i -e 's/unqualified-search-registries = .*/unqualified-search-registries = ["docker.io"]/' /etc/containers/registries.conf
+apt-get install -yqq linux-image-generic
+apt-get remove -yq cloud-init linux-image-*-kvm
 ```
 
 On master:
@@ -226,6 +177,16 @@ kubeadm init --token-ttl=120m --pod-network-cidr=10.244.0.0/16 --control-plane-e
 
 For the `kubeadm join` command specify FQDN via `--node-name $(hostname -f)`.
 
+Set AZ labels:
+
+```
+for j in $(seq 1 9); do
+  for t in master mon worker storage; do
+    kubectl label nodes ${t}${j}.kube.k-space.ee topology.kubernetes.io/zone=node${j}
+  done
+done
+```
+
 After forming the cluster add taints:
 
 ```bash
@@ -233,7 +194,7 @@ for j in $(seq 1 9); do
   kubectl label nodes worker${j}.kube.k-space.ee node-role.kubernetes.io/worker=''
 done
 
-for j in $(seq 1 3); do
+for j in $(seq 1 4); do
   kubectl taint nodes mon${j}.kube.k-space.ee dedicated=monitoring:NoSchedule
   kubectl label nodes mon${j}.kube.k-space.ee dedicated=monitoring
 done
@@ -244,15 +205,26 @@ for j in $(seq 1 4); do
 done
 ```
 
-On Raspberry Pi you need to take additonal steps:
-
-* Manually enable cgroups by appending
-  `cgroup_memory=1 cgroup_enable=memory` to `/boot/cmdline.txt`,
-* Disable swap with `swapoff -a; apt-get purge -y dphys-swapfile`
-* For mounting Longhorn volumes on Rasbian install `open-iscsi`
-
 For `arm64` nodes add suitable taint to prevent scheduling non-multiarch images on them:
 
 ```bash
 kubectl taint nodes worker9.kube.k-space.ee arch=arm64:NoSchedule
 ```
+
+For door controllers:
+
+```
+for j in ground front back; do
+  kubectl taint nodes door-${j}.kube.k-space.ee dedicated=door:NoSchedule
+  kubectl label nodes door-${j}.kube.k-space.ee dedicated=door
+  kubectl taint nodes door-${j}.kube.k-space.ee arch=arm64:NoSchedule
+done
+```
+
+To reduce wear on storage:
+
+```
+echo StandardOutput=null >> /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
+systemctl daemon-reload
+systemctl restart kubelet
+```

ansible-bind-primary.yml

@@ -0,0 +1,76 @@
+- name: Setup primary nameserver
+  hosts: ns1.k-space.ee
+  tasks:
+  - name: Make sure bind9 is installed
+    ansible.builtin.apt:
+      name: bind9
+      state: present
+
+  - name: Configure Bind
+    register: bind
+    copy:
+      dest: /etc/bind/named.conf
+      content: |
+        # This file is managed by Ansible
+        # https://git.k-space.ee/k-space/kube/src/branch/master/ansible-bind-primary.yml
+        # Do NOT modify manually
+
+        include "/etc/bind/named.conf.local";
+        include "/etc/bind/readwrite.key";
+        include "/etc/bind/readonly.key";
+
+        options {
+            directory "/var/cache/bind";
+            version "";
+            listen-on { any; };
+            listen-on-v6 { any; };
+            pid-file "/var/run/named/named.pid";
+            notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
+            allow-recursion { none; };
+            recursion no;
+            check-names master ignore;
+            dnssec-validation no;
+            auth-nxdomain no;
+        };
+
+        # https://kb.isc.org/docs/aa-00723
+
+        acl allowed {
+            172.20.3.0/24;
+            172.20.4.0/24;
+        };
+
+        acl rejected { !allowed; any; };
+
+        zone "." {
+            type hint;
+            file "/var/lib/bind/db.root";
+        };
+
+        zone "k-space.ee" {
+            type master;
+            file "/var/lib/bind/db.k-space.ee";
+            allow-update { !rejected; key readwrite; };
+            allow-transfer { !rejected; key readonly; key readwrite; };
+        };
+
+        zone "k6.ee" {
+            type master;
+            file "/var/lib/bind/db.k6.ee";
+            allow-update { !rejected; key readwrite; };
+            allow-transfer { !rejected; key readonly; key readwrite; };
+        };
+
+        zone "kspace.ee" {
+            type master;
+            file "/var/lib/bind/db.kspace.ee";
+            allow-update { !rejected; key readwrite; };
+            allow-transfer { !rejected; key readonly; key readwrite; };
+        };
+  - name: Check Bind config
+    ansible.builtin.shell: "named-checkconf"
+  - name: Reload Bind config
+    service:
+      name: bind9
+      state: reloaded
+    when: bind.changed

ansible-doors.yml

@@ -0,0 +1,63 @@
+# ansible doors -m shell -a "ctr image pull harbor.k-space.ee/k-space/mjpg-streamer:latest"
+# journalctl -u mjpg_streamer@video0.service -f
+- name: Setup doors
+  hosts: doors
+  tasks:
+  - name: Make sure containerd is installed
+    ansible.builtin.apt:
+      name: containerd
+      state: present
+
+  - name: Copy systemd service for Doorboy controller
+    copy:
+      dest: /etc/systemd/system/godoor.service
+      content: |
+        [Unit]
+        Description=Doorboy service
+        Documentation=https://git.k-space.ee/k-space/godoor
+        After=network.target
+        [Service]
+        Environment=IMAGE=harbor.k-space.ee/k-space/godoor:latest
+        ExecStartPre=-ctr task kill --signal=9 %N
+        ExecStartPre=-ctr task rm %N
+        ExecStartPre=-ctr c rm %N
+        ExecStartPre=-ctr image pull $IMAGE
+        ExecStart=ctr run --rm --pid-file=/run/%N.pid --privileged --read-only --env-file=/etc/godoor --env=KDOORPI_API_ALLOWED=https://doorboy-proxy.k-space.ee/allowed --env=KDOORPI_API_LONGPOLL=https://doorboy-proxy.k-space.ee/longpoll --env=KDOORPI_API_SWIPE=https://doorboy-proxy.k-space.ee/swipe --env=KDOORPI_DOOR=%H --net-host --net-host --cwd /app $IMAGE %N /godoor
+        ExecStopPost=ctr task rm %N
+        ExecStopPost=ctr c rm %N
+        Restart=always
+        [Install]
+        WantedBy=multi-user.target
+  - name: Enable Doorboy controller
+    ansible.builtin.systemd:
+      state: restarted
+      daemon_reload: yes
+      name: godoor.service
+
+  - name: Copy systemd service for mjpg-streamer
+    copy:
+      dest: /etc/systemd/system/mjpg_streamer@.service
+      content: |
+        [Unit]
+        Description=A server for streaming Motion-JPEG from a video capture device
+        After=network.target
+        ConditionPathExists=/dev/%I
+        [Service]
+        Environment=IMAGE=harbor.k-space.ee/k-space/mjpg-streamer:latest
+        StandardOutput=tty
+        Type=forking
+        ExecStartPre=-ctr task kill --signal=9 %p_%i
+        ExecStartPre=-ctr task rm %p_%i
+        ExecStartPre=-ctr c rm %p_%i
+        ExecStartPre=-ctr image pull $IMAGE
+        ExecStart=ctr run --tty -d --rm --pid-file=/run/%i.pid --privileged --read-only --net-host $IMAGE %p_%i /usr/local/bin/mjpg_streamer -i 'input_uvc.so -d /dev/%I -r 1280x720 -f 10' -o 'output_http.so -w /usr/share/mjpg_streamer/www'
+        ExecStopPost=ctr task rm %p_%i
+        ExecStopPost=ctr c rm %p_%i
+        PIDFile=/run/%i.pid
+        [Install]
+        WantedBy=multi-user.target
+  - name: Enable mjpg-streamer
+    ansible.builtin.systemd:
+      state: restarted
+      daemon_reload: yes
+      name: mjpg_streamer@video0.service

ansible-kubernetes.yml

@@ -0,0 +1,81 @@
+---
+- name: Reconfigure graceful shutdown for kubelet
+  hosts: kubernetes
+  tasks:
+    - name: Reconfigure shutdownGracePeriod
+      ansible.builtin.lineinfile:
+        path: /var/lib/kubelet/config.yaml
+        regexp: '^shutdownGracePeriod:'
+        line: 'shutdownGracePeriod: 5m'
+    - name: Reconfigure shutdownGracePeriodCriticalPods
+      ansible.builtin.lineinfile:
+        path: /var/lib/kubelet/config.yaml
+        regexp: '^shutdownGracePeriodCriticalPods:'
+        line: 'shutdownGracePeriodCriticalPods: 5m'
+    - name: Work around unattended-upgrades
+      ansible.builtin.lineinfile:
+        path: /lib/systemd/logind.conf.d/unattended-upgrades-logind-maxdelay.conf
+        regexp: '^InhibitDelayMaxSec='
+        line: 'InhibitDelayMaxSec=5m0s'
+
+- name: Pin kube components
+  hosts: kubernetes
+  tasks:
+    - name: Pin packages
+      loop:
+        - kubeadm
+        - kubectl
+        - kubelet
+      ansible.builtin.copy:
+        dest: "/etc/apt/preferences.d/{{ item }}"
+        content: |
+          Package: {{ item }}
+          Pin: version 1.26.*
+          Pin-Priority: 1001
+
+- name: Reset /etc/containers/registries.conf
+  hosts: kubernetes
+  tasks:
+  - name: Copy /etc/containers/registries.conf
+    ansible.builtin.copy:
+      content: "unqualified-search-registries = [\"docker.io\"]\n"
+      dest: /etc/containers/registries.conf
+    register: registries
+  - name: Restart CRI-O
+    service:
+      name: cri-o
+      state: restarted
+    when: registries.changed
+
+- name: Reset /etc/modules
+  hosts: kubernetes
+  tasks:
+  - name: Copy /etc/modules
+    ansible.builtin.copy:
+      content: |
+        overlay
+        br_netfilter
+      dest: /etc/modules
+    register: kernel_modules
+  - name: Load kernel modules
+    ansible.builtin.shell: "cat /etc/modules | xargs -L 1 -t modprobe"
+    when: kernel_modules.changed
+
+- name: Reset /etc/sysctl.d/99-k8s.conf
+  hosts: kubernetes
+  tasks:
+  - name: Copy /etc/sysctl.d/99-k8s.conf
+    ansible.builtin.copy:
+      content: |
+        net.ipv4.conf.all.accept_redirects  = 0
+        net.bridge.bridge-nf-call-iptables  = 1
+        net.ipv4.ip_forward                 = 1
+        net.bridge.bridge-nf-call-ip6tables = 1
+        vm.max_map_count                    = 524288
+        fs.inotify.max_user_instances       = 1280
+        fs.inotify.max_user_watches         = 655360
+      dest: /etc/sysctl.d/99-k8s.conf
+    register: sysctl
+  - name: Reload sysctl config
+    ansible.builtin.shell: "sysctl --system"
+    when: sysctl.changed

ansible.cfg

@@ -0,0 +1,12 @@
+[defaults]
+ansible_managed = This file is managed by Ansible, manual changes will be overwritten.
+inventory = inventory.yml
+nocows = 1
+pipelining = True
+pattern = 
+deprecation_warnings = False
+fact_caching = jsonfile
+fact_caching_connection = ~/.ansible/k-space-fact-cache
+
+[ssh_connection]
+ssh_args = -F ssh_config

argocd/README.md

@@ -1,7 +1,9 @@
 # Workflow
 
 Most applications in our Kubernetes cluster are managed by ArgoCD.
+Most notably operators are NOT managed by ArgoCD.
 
+Adding to `applications/`: `kubectl apply -f newapp.yaml`
 
 # Deployment
 
@@ -11,16 +13,15 @@ To deploy ArgoCD:
 helm repo add argo-cd https://argoproj.github.io/argo-helm
 kubectl create secret -n argocd generic argocd-secret # Initialize empty secret for sessions
 helm template -n argocd --release-name k6 argo-cd/argo-cd --include-crds -f values.yaml > argocd.yml
-kubectl apply -f argocd.yml -n argocd
+kubectl apply -f argocd.yml -f application-extras.yml -n argocd
 kubectl -n argocd rollout restart deployment/k6-argocd-redis
 kubectl -n argocd rollout restart deployment/k6-argocd-repo-server
 kubectl -n argocd rollout restart deployment/k6-argocd-server
 kubectl -n argocd rollout restart deployment/k6-argocd-notifications-controller
 kubectl -n argocd rollout restart statefulset/k6-argocd-application-controller
+kubectl label -n argocd secret oidc-client-argocd-owner-secrets app.kubernetes.io/part-of=argocd
 ```
 
-Note: Refer to Authelia README for OIDC secret setup
-
 
 # Setting up Git secrets
 
@@ -36,11 +37,45 @@ kubectl -n argocd create secret generic gitea-kube-staging \
   --from-literal=type=git \
   --from-literal=url=git@git.k-space.ee:k-space/kube-staging \
   --from-file=sshPrivateKey=id_ecdsa
+kubectl -n argocd create secret generic gitea-kube-members \
+  --from-literal=type=git \
+  --from-literal=url=git@git.k-space.ee:k-space/kube-members \
+  --from-file=sshPrivateKey=id_ecdsa
 kubectl label -n argocd secret gitea-kube argocd.argoproj.io/secret-type=repository
 kubectl label -n argocd secret gitea-kube-staging argocd.argoproj.io/secret-type=repository
+kubectl label -n argocd secret gitea-kube-members argocd.argoproj.io/secret-type=repository
 rm -fv id_ecdsa
 ```
 
 Have Gitea admin reset password for user `argocd` and log in with that account.
 Add the SSH key for user `argocd` from file `id_ecdsa.pub`.
 Delete any other SSH keys associated with Gitea user `argocd`.
+
+
+# Managing applications
+
+To update apps:
+
+```
+for j in asterisk bind camtiler drone drone-execution etherpad freescout gitea grafana hackerspace nextcloud nyancat rosdump traefik wiki wildduck woodpecker; do
+cat << EOF >> applications/$j.yaml
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: $j
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: $j
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: $j
+  syncPolicy: {}
+EOF
+done
+find applications -name "*.yaml" -exec kubectl apply -n argocd -f {} \;
+```

argocd/application-extras.yml

@@ -0,0 +1,37 @@
+---
+apiVersion: codemowers.io/v1alpha1
+kind: OIDCGWClient
+metadata:
+  name: argocd
+  namespace: argocd
+spec:
+  displayName: Argo CD
+  uri: https://argocd.k-space.ee
+  redirectUris:
+    - https://argocd.k-space.ee/auth/callback
+  allowedGroups:
+    - k-space:kubernetes:admins
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  availableScopes:
+    - openid
+    - profile
+  pkce: false
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  namespace: argocd
+  name: k-space.ee
+spec:
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'
+  destinations:
+    - namespace: '*'
+      server: '*'
+  sourceRepos:
+    - '*'

argocd/application.tpl

@@ -1,17 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: foobar
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: foobar
-    targetRevision: HEAD
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: foobar
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true

argocd/applications/asterisk.yaml

@@ -1,14 +1,16 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: prometheus-operator
+  name: asterisk
   namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
   source:
     repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: prometheus-operator
+    path: asterisk
     targetRevision: HEAD
   destination:
     server: 'https://kubernetes.default.svc'
-    namespace: prometheus-operator
+    namespace: asterisk
+  syncPolicy: {}

argocd/applications/authelia.yml

@@ -1,17 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: authelia
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: authelia
-    targetRevision: HEAD
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: authelia
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true

argocd/applications/bind.yaml

@@ -1,17 +1,16 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: harbor
+  name: bind
   namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
   source:
     repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: harbor
+    path: bind
     targetRevision: HEAD
   destination:
     server: 'https://kubernetes.default.svc'
-    namespace: harbor
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
+    namespace: bind
+  syncPolicy: {}

argocd/applications/camtiler.yaml

@@ -1,10 +1,11 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
   name: camtiler
   namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
   source:
     repoURL: 'git@git.k-space.ee:k-space/kube.git'
     path: camtiler
@@ -12,6 +13,4 @@ spec:
   destination:
     server: 'https://kubernetes.default.svc'
     namespace: camtiler
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
+  syncPolicy: {}

argocd/applications/drone-execution.yaml

@@ -1,10 +1,11 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
   name: drone-execution
   namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
   source:
     repoURL: 'git@git.k-space.ee:k-space/kube.git'
     path: drone-execution
@@ -12,6 +13,4 @@ spec:
   destination:
     server: 'https://kubernetes.default.svc'
     namespace: drone-execution
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
+  syncPolicy: {}

argocd/applications/drone.yaml

@@ -1,10 +1,11 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
   name: drone
   namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
   source:
     repoURL: 'git@git.k-space.ee:k-space/kube.git'
     path: drone
@@ -12,6 +13,4 @@ spec:
   destination:
     server: 'https://kubernetes.default.svc'
     namespace: drone
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
+  syncPolicy: {}

argocd/applications/elastic-system.yml

@@ -1,23 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: elastic-system
-  namespace: argocd
-spec:
-  project: default
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: elastic-system
-  syncPolicy:
-    automated: {}
-    syncOptions:
-      - CreateNamespace=true
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: elastic-system
-    targetRevision: HEAD
-  ignoreDifferences:
-    - group: admissionregistration.k8s.io
-      kind: ValidatingWebhookConfiguration
-      jqPathExpressions:
-        - '.webhooks[]?.clientConfig.caBundle'

argocd/applications/etherpad.yaml

@@ -1,10 +1,11 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
   name: etherpad
   namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
   source:
     repoURL: 'git@git.k-space.ee:k-space/kube.git'
     path: etherpad
@@ -12,6 +13,4 @@ spec:
   destination:
     server: 'https://kubernetes.default.svc'
     namespace: etherpad
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
+  syncPolicy: {}

argocd/applications/external-dns.yml

@@ -1,17 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: external-dns
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: external-dns
-    targetRevision: HEAD
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: external-dns
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true

argocd/applications/freescout.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: freescout
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: freescout
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: freescout
+  syncPolicy: {}

argocd/applications/gitea.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gitea
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: gitea
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: gitea
+  syncPolicy: {}

argocd/applications/grafana.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: grafana
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: grafana
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: grafana
+  syncPolicy: {}

argocd/applications/hackerspace.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: hackerspace
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: hackerspace
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: hackerspace
+  syncPolicy: {}

argocd/applications/kubernetes-dashboard.yml

@@ -1,17 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: kubernetes-dashboard
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: kubernetes-dashboard
-    targetRevision: HEAD
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: kubernetes-dashboard
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true

argocd/applications/logging.yml

@@ -1,17 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: logging
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: logging
-    targetRevision: HEAD
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: logging
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true

argocd/applications/metallb-system.yml

@@ -1,22 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: metallb-system
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: metallb-system
-    targetRevision: HEAD
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: metallb-system
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
-  ignoreDifferences:
-    - group: apiextensions.k8s.io
-      kind: CustomResourceDefinition
-      jqPathExpressions:
-        - '.spec.conversion.webhook.clientConfig.caBundle'

argocd/applications/mysql-operator.yml

@@ -1,17 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: mysql-operator
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: mysql-operator
-    targetRevision: HEAD
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: mysql-operator
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true

argocd/applications/nextcloud.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nextcloud
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: nextcloud
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: nextcloud
+  syncPolicy: {}

argocd/applications/nyancat.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nyancat
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: nyancat
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: nyancat
+  syncPolicy: {}

argocd/applications/phpmyadmin.yml

@@ -1,17 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: phpmyadmin
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: phpmyadmin
-    targetRevision: HEAD
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: phpmyadmin
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true

argocd/applications/reloader.yml

@@ -1,17 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: reloader
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: reloader
-    targetRevision: HEAD
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: reloader
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true

argocd/applications/rosdump.yaml

@@ -1,10 +1,11 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
   name: rosdump
   namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
   source:
     repoURL: 'git@git.k-space.ee:k-space/kube.git'
     path: rosdump
@@ -12,6 +13,4 @@ spec:
   destination:
     server: 'https://kubernetes.default.svc'
     namespace: rosdump
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
+  syncPolicy: {}

argocd/applications/traefik.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: traefik
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: traefik
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: traefik
+  syncPolicy: {}

argocd/applications/whoami-oidc.yaml

@@ -1,17 +1,17 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: keel
+  name: whoami-oidc
   namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
   source:
     repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: keel
+    path: whoami-oidc
     targetRevision: HEAD
   destination:
     server: 'https://kubernetes.default.svc'
-    namespace: keel
+    namespace: whoami-oidc
   syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
+    automated: {}

argocd/applications/wiki.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: wiki
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: wiki
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: wiki
+  syncPolicy: {}

argocd/applications/wildduck.yaml

@@ -1,10 +1,11 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
   name: wildduck
   namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
   source:
     repoURL: 'git@git.k-space.ee:k-space/kube.git'
     path: wildduck
@@ -12,6 +13,4 @@ spec:
   destination:
     server: 'https://kubernetes.default.svc'
     namespace: wildduck
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
+  syncPolicy: {}

argocd/applications/woodpecker.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: woodpecker
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: woodpecker
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: woodpecker
+  syncPolicy: {}

argocd/values.yaml

@@ -1,7 +1,7 @@
 global:
   logLevel: warn
+  domain: argocd.k-space.ee
 
-# We use Authelia OIDC instead of Dex
 dex:
   enabled: false
 
@@ -11,12 +11,9 @@ redis-ha:
 
 server:
   # HTTPS is implemented by Traefik
-  extraArgs:
-    - --insecure
   ingress:
     enabled: true
     annotations:
-      cert-manager.io/cluster-issuer: default
       external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
       traefik.ingress.kubernetes.io/router.entrypoints: websecure
       traefik.ingress.kubernetes.io/router.tls: "true"
@@ -24,27 +21,9 @@ server:
     - argocd.k-space.ee
     tls:
      - hosts:
-       - argocd.k-space.ee
-       secretName: argocd-server-tls
-  configEnabled: true
-  config:
-    admin.enabled: "false"
-    url: https://argocd.k-space.ee
-    application.instanceLabelKey: argocd.argoproj.io/instance
-    oidc.config: |
-       name: Authelia
-       issuer: https://auth.k-space.ee
-       clientID: argocd
-       cliClientID: argocd
-       clientSecret: $oidc.config.clientSecret
-       requestedIDTokenClaims:
-         groups:
-           essential: true
-       requestedScopes:
-         - openid
-         - profile
-         - email
-         - groups
+       - "*.k-space.ee"
+
+  configfucked:
     resource.customizations: |
       # https://github.com/argoproj/argo-cd/issues/1704
       networking.k8s.io/Ingress:
@@ -52,28 +31,11 @@ server:
             hs = {}
             hs.status = "Healthy"
             return hs
+      apiextensions.k8s.io/CustomResourceDefinition:
+          ignoreDifferences: |
+            jsonPointers:
+              - "x-kubernetes-validations"
 
-  # Members of ArgoCD Admins group in AD/Samba are allowed to administer Argo
-  rbacConfig:
-    policy.default: role:readonly
-    policy.csv: |
-      # Map AD groups to ArgoCD roles
-      g, Developers, role:developers
-      g, ArgoCD Admins, role:admin
-      # Allow developers to read objects
-      p, role:developers, applications, get, */*, allow
-      p, role:developers, certificates, get, *, allow
-      p, role:developers, clusters, get, *, allow
-      p, role:developers, repositories, get, *, allow
-      p, role:developers, projects, get, *, allow
-      p, role:developers, accounts, get, *, allow
-      p, role:developers, gpgkeys, get, *, allow
-      p, role:developers, logs, get, */*, allow
-      p, role:developers, applications, restart, default/camtiler, allow
-      p, role:developers, applications, override, default/camtiler, allow
-      p, role:developers, applications, action/apps/Deployment/restart, default/camtiler, allow
-      p, role:developers, applications, sync, default/camtiler, allow
-      p, role:developers, applications, update, default/camtiler, allow
 
   metrics:
     enabled: true
@@ -95,11 +57,49 @@ controller:
     enabled: true
 
 configs:
+  params:
+    server.insecure: true
+  rbac:
+    policy.default: role:admin
+    policy.csv: |
+      # Map AD groups to ArgoCD roles
+      g, Developers, role:developers
+      g, ArgoCD Admins, role:admin
+      # Allow developers to read objects
+      p, role:developers, applications, get, */*, allow
+      p, role:developers, certificates, get, *, allow
+      p, role:developers, clusters, get, *, allow
+      p, role:developers, repositories, get, *, allow
+      p, role:developers, projects, get, *, allow
+      p, role:developers, accounts, get, *, allow
+      p, role:developers, gpgkeys, get, *, allow
+      p, role:developers, logs, get, */*, allow
+      p, role:developers, applications, restart, default/camtiler, allow
+      p, role:developers, applications, override, default/camtiler, allow
+      p, role:developers, applications, action/apps/Deployment/restart, default/camtiler, allow
+      p, role:developers, applications, sync, default/camtiler, allow
+      p, role:developers, applications, update, default/camtiler, allow
+  cm:
+    admin.enabled: "false"
+
+    oidc.config: |
+       name: OpenID Connect
+       issuer: https://auth2.k-space.ee/
+       clientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID
+       cliClientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID
+       clientSecret: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_SECRET
+       requestedIDTokenClaims:
+         groups:
+           essential: true
+       requestedScopes:
+         - openid
+         - profile
+         - email
+         - groups
   secret:
     createSecret: false
-  knownHosts:
-    data:
-      ssh_known_hosts: |
+  ssh:
+    knownHosts: |
         # Copy-pasted from `ssh-keyscan git.k-space.ee`
         git.k-space.ee ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCF1+/TDRXuGwsu4SZQQwQuJusb7W1OciGAQp/ZbTTvKD+0p7fV6dXyUlWjdFmITrFNYDreDnMiOS+FvE62d2Z0=
         git.k-space.ee ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsLyRuubdIUnTKEqOipu+9x+FforrC8+oxulVrl0ECgdIRBQnLQXIspTNwuC3MKJ4z+DPbndSt8zdN33xWys8UNEs3V5/W6zsaW20tKiaX75WK5eOL4lIDJi/+E97+c0aZBXamhxTrgkRVJ5fcAkY6C5cKEmVM5tlke3v3ihLq78/LpJYv+P947NdnthYE2oc+XGp/elZ0LNfWRPnd///+ykbwWirvQm+iiDz7PMVKkb+Q7l3vw4+zneKJWAyFNrm+aewyJV9lFZZJuHliwlHGTriSf6zhMAWyJzvYqDAN6iT5yi9KGKw60J6vj2GLuK4ULVblTyP9k9+3iELKSWW5

asterisk/.gitignore

@@ -0,0 +1 @@
+conf

asterisk/README.md

@@ -0,0 +1,11 @@
+# Asterisk
+
+Asterisk is used as 
+
+This application is managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/asterisk)
+
+Should ArgoCD be down manifests here can be applied with:
+
+```
+kubectl apply -n asterisk -f application.yaml
+```

asterisk/application.yml

@@ -0,0 +1,124 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: asterisk
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: voip.k-space.ee
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  selector:
+    app: asterisk
+  ports:
+    - name: asterisk
+      protocol: UDP
+      port: 5060
+    - name: sip-data-10000
+      protocol: UDP
+      port: 10000
+    - name: sip-data-10001
+      protocol: UDP
+      port: 10001
+    - name: sip-data-10002
+      protocol: UDP
+      port: 10002
+    - name: sip-data-10003
+      protocol: UDP
+      port: 10003
+    - name: sip-data-10004
+      protocol: UDP
+      port: 10004
+    - name: sip-data-10005
+      protocol: UDP
+      port: 10005
+    - name: sip-data-10006
+      protocol: UDP
+      port: 10006
+    - name: sip-data-10007
+      protocol: UDP
+      port: 10007
+    - name: sip-data-10008
+      protocol: UDP
+      port: 10008
+    - name: sip-data-10009
+      protocol: UDP
+      port: 10009
+    - name: sip-data-10010
+      protocol: UDP
+      port: 10010
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: asterisk
+  labels:
+    app: asterisk
+spec:
+  selector:
+    matchLabels:
+      app: asterisk
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: asterisk
+    spec:
+      containers:
+        - name: asterisk
+          image: harbor.k-space.ee/k-space/asterisk
+          command:
+            - /usr/sbin/asterisk
+          args:
+            - -TWBpvvvdddf
+          volumeMounts:
+            - name: config
+              mountPath: /etc/asterisk
+          ports:
+            - containerPort: 8088
+              name: metrics
+      volumes:
+        - name: config
+          secret:
+            secretName: asterisk-secrets
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: asterisk
+spec:
+  selector:
+    matchLabels:
+      app: asterisk
+  podMetricsEndpoints:
+    - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: asterisk
+spec:
+  groups:
+    - name: asterisk
+      rules:
+        - alert: AsteriskPhoneNotRegistered
+          expr: asterisk_endpoints_state{resource=~"1.*"} < 2
+          for: 5m
+          labels:
+            severity: critical
+          annotations:
+            summary: "{{ $labels.resource }} is not registered."
+        - alert: AsteriskOutboundNumberNotRegistered
+          expr: asterisk_pjsip_outbound_registration_status == 0
+          for: 5m
+          labels:
+            severity: critical
+          annotations:
+            summary: "{{ $labels.username }} is not registered with provider."
+        - alert: AsteriskCallsPerMinuteLimitExceed
+          expr: asterisk_channels_duration_seconds > 10*60
+          for: 20m
+          labels:
+            severity: warning
+          annotations:
+            summary: "Call at channel {{ $labels.name }} is taking longer than 10m."

asterisk/network-policies.yml

@@ -0,0 +1,45 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: asterisk
+spec:
+  podSelector:
+    matchLabels:
+      app: asterisk
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: prometheus
+    - from:
+        - ipBlock:
+            cidr: 100.101.0.0/16
+    - from:
+        - ipBlock:
+            cidr: 100.102.0.0/16
+    - from:
+        - ipBlock:
+            cidr: 81.90.125.224/32 # Lauri home
+    - from:
+        - ipBlock:
+            cidr: 172.20.8.241/32 # Erki A
+    - from:
+        - ipBlock:
+            cidr: 195.222.16.36/32 # Elisa SIP
+    - from:
+        - ipBlock:
+            cidr: 195.222.16.38/32 # Elisa SIP        
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 195.222.16.36/32  # Elisa SIP
+    - to:
+        - ipBlock:
+            cidr: 195.222.16.38/32  # Elisa SIP

authelia/.gitignore

@@ -1,2 +0,0 @@
-application-secrets.y*ml
-oidc-secrets.y*ml

authelia/README.md

@@ -1,171 +0,0 @@
-# Authelia
-
-## Background
-
-Authelia works in conjunction with Traefik to provide SSO with
-credentials stored in Samba (Active Directory compatible) directory tree.
-
-Samba resides outside Kubernetes cluster as it's difficuilt to containerize
-while keeping it usable from outside the cluster due to Samba's networking.
-
-The MariaDB instance is used to store MFA tokens.
-KeyDB is used to store session info.
-
-
-## Deployment
-
-Inspect changes with `git diff` and proceed to deploy:
-
-```
-kubectl apply -n authelia -f application.yml
-kubectl create secret generic -n authelia mysql-secrets \
-    --from-literal=rootPassword=$(cat /dev/urandom | base64 | head -c 30)
-kubectl create secret generic -n authelia mariadb-secrets \
-    --from-literal=MYSQL_ROOT_PASSWORD=$(cat /dev/urandom | base64 | head -c 30) \
-    --from-literal=MYSQL_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)
-kubectl -n authelia rollout restart deployment/authelia
-```
-
-To change secrets create `secret.yml`:
-
-```
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: application-secrets
-data:
-  JWT_TOKEN: ...
-  SESSION_ENCRYPTION_KEY: ...
-  STORAGE_PASSWORD: ...
-  STORAGE_ENCRYPTION_KEY: ...
-  LDAP_PASSWORD: ...
-  STORAGE_PASSWORD: ...
-  SMTP_PASSWORD: ...
-```
-
-Apply with:
-
-```
-kubectl apply -n authelia -f application-secrets.yml 
-kubectl annotate -n authelia secret application-secrets reloader.stakater.com/match=true
-```
-
-## OIDC secrets
-
-OIDC secrets are separated from the main configuration until
-Authelia will add CRD-s for these.
-
-Generally speaking for untrusted applications, that is stuff that is running
-outside the Kubernetes cluster eg web browser based (JS) and
-local command line clients one
-should use `public: true` and omit `secret: ...`.
-
-Populate `oidc-secrets.yml` with approximately following:
-
-```
-identity_providers:
-  oidc:
-    clients:
-    - id: kubelogin
-      description: Kubernetes cluster
-      secret: ...
-      authorization_policy: two_factor
-      redirect_uris:
-      - http://localhost:27890
-      scopes:
-      - openid
-      - groups
-      - email
-      - profile
-    - id: proxmox
-      description: Proxmox Virtual Environment
-      secret: ...
-      authorization_policy: two_factor
-      redirect_uris:
-      - https://pve.k-space.ee
-      scopes:
-      - openid
-      - groups
-      - email
-      - profile
-    - id: argocd
-      description: ArgoCD
-      secret: ...
-      authorization_policy: two_factor
-      redirect_uris:
-      - https://argocd.k-space.ee/auth/callback
-      scopes:
-      - openid
-      - groups
-      - email
-      - profile
-    - id: harbor
-      description: Harbor
-      secret: ...
-      authorization_policy: two_factor
-      redirect_uris:
-      - https://harbor.k-space.ee/c/oidc/callback
-      scopes:
-      - openid
-      - groups
-      - email
-      - profile
-    - id: gitea
-      description: Gitea
-      secret: ...
-      authorization_policy: one_factor
-      redirect_uris:
-      - https://git.k-space.ee/user/oauth2/authelia/callback
-      scopes:
-      - openid
-      - profile
-      - email
-      - groups
-      grant_types:
-      - refresh_token
-      - authorization_code
-      response_types:
-      - code
-      userinfo_signing_algorithm: none
-    - id: grafana
-      description: Grafana
-      secret: ...
-      authorization_policy: one_factor
-      redirect_uris:
-      - https://grafana.k-space.ee/login/generic_oauth
-      scopes:
-      - openid
-      - groups
-      - email
-      - profile
-```
-
-To upload the file to Kubernetes secrets:
-
-```
-kubectl -n authelia delete secret oidc-secrets
-kubectl -n authelia create secret generic oidc-secrets \
-    --from-file=oidc-secrets.yml=oidc-secrets.yml
-kubectl annotate -n authelia secret oidc-secrets reloader.stakater.com/match=true
-kubectl -n authelia rollout restart deployment/authelia
-```
-
-Synchronize OIDC secrets:
-
-```
-kubectl -n argocd delete secret argocd-secret
-kubectl -n argocd create secret generic argocd-secret \
-    --from-literal=server.secretkey=$(cat /dev/urandom | base64 | head -c 30) \
-    --from-literal=oidc.config.clientSecret=$( \
-      kubectl get secret -n authelia oidc-secrets -o json \
-        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
-        | jq '.identity_providers.oidc.clients[] | select(.id == "argocd") | .secret' -r)
-kubectl -n monitoring delete secret oidc-secret
-kubectl -n monitoring create secret generic oidc-secret \
-    --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$( \
-      kubectl get secret -n authelia oidc-secrets -o json \
-        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
-        | jq '.identity_providers.oidc.clients[] | select(.id == "grafana") | .secret' -r)
-```

authelia/application.yml

@@ -1,416 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: authelia-certificates
-  labels:
-    app.kubernetes.io/name: authelia
-data:
-      ldaps.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZJekNDQXd1Z0F3SUJBZ0lVRzNaYnI0MGVVMlRHak1Lek5XaDhOTDJkRDRZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0lURWZNQjBHQTFVRUF3d1dVMkZ0WW1FZ1lYUWdZV1F1YXkxemNHRmpaUzVsWlRBZUZ3MHlNVEV5TVRRdwpOekk0TlRGYUZ3MHlOakV5TVRNd056STROVEZhTUNFeEh6QWRCZ05WQkFNTUZsTmhiV0poSUdGMElHRmtMbXN0CmMzQmhZMlV1WldVd2dnSWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUNEd0F3Z2dJS0FvSUNBUURub3hEZFlicjAKVFJHOEErdk0xT0I1Rzg4Z05YL1pXeFNLb0VaM2p0ekF0NEc3blV0aUhoVzI1cUhEeXZGVGEzTzJiMUFVSEhzbwpVQXpVTWNVV1FRb3J2RjF4L1VsYitpcnk0QkxFTklaVTdYMVpxb2ZKYXgwZTcrbit1YVM3R015dnB4VXliNGlYCkd3djdZZEh5SmM4WjZROHd2MTdNV2F2ejNaOE5CWFdoeG1xc3ljTlphVkl2S1lNRVpGazNUTnA3T20vSTFpdkYKWDJuNVNtb2d2NmdBVmpVODhSeWc2NlRFVStiaGY5QWdiU0VxWjhMaVd6c20xdHc0WnJXMDVVK25JVjRzTHdlaQp2SXppblFMYmFMTkc2ZUl0cUtQZGVsWWhRNHlCeHM3QXpTOCtieVVBZk9jRktzUTI5alFVdUxNbE1pUmt6MjV5Cnc5UUZxSGVuRjNIYXJqU1JTL3ZZV3J3K0RNbmo2Tit3QVdtd21SR3NzVmxPMjFSLzAzNThBK0h5VzhyLzlsTm8KV1FoMmt3VGRPdjdxMzFwRmZQQUhHUkFITnZUN0dRKzVCeFFjdG83cG1GQ2t2OTdpbmhiZG50d2ViSmM1VWI3NQpBeHNWVC9uNk9aTjJSU09NV0RKY1pjVkpXYjQxdTNTL2lBVHlvbDBuOEZMRlRRZm9xdXdvVkQ1UnpwU0NsVm50Cjd1eENyaGNsYXhTYnhUUDhqa29ERXQzc1NycWoySm5PNlhtQ3R2VlZkMmQvWVZQQ21qQm54TWc1bld1WEwwZTgKNkh3MTd5TGtYeFgzVERkdjF2VThvYTdpTmZyNmc3Vlcrd2ZsUkJoVW5WRUluNXZEdm80STVSdWRXaEJxcHN6VQo3bGQrUDVjZE5GWEdjUlRQdFFlbXkxUllKMG5ZejkybGtRSURBUUFCbzFNd1VUQWRCZ05WSFE0RUZnUVVjZ1JrCnZ4U3V1QnNFaktzbXQvN3dpRHIxbHVRd0h3WURWUjBqQkJnd0ZvQVVjZ1JrdnhTdXVCc0VqS3NtdC83d2lEcjEKbHVRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQWdFQVNlNXM1aU04QjQ2agp6bXZMOUQ4dUJrQ0VIOW9mMnc1VFluL1NPZkFRVnhBOGxBYndORitlWmgyakdGSUN6citNYmlTMlhZdkxJNnVrClZ5cFJrN28vdExmdmY0alpqZnRpeEliWEM1MjYrUk1xOEcvV2xGbzJnWFZ0eW5BcXp5bXJVYjV1MVZJcG53QWYKNTBzNHlDOURFUXF1aGErYzJCWTBRQ3ZySnUvYy9KTUs3QTdYOFdRSzVDUy8wZkNPdzBPY2xkZzA0c3VWVlU2eQp0MEZmV0kvTlhURFFrU2JWVXN5OElmaXd4a0o5NmNsTjFNWVArQ015Mkh1eWF0aTZySnhVZFBEbS9tYzdRWXNPClNTSzQyNXJQOFFZMmduNlNXUXJXdUJic2dLSEpoVzRBYjdTTldkb0Q0QytwVDA2V1MzVXphMnhZd09TV1IvTWMKR1V5YXRwLzlxR05tOWM1d2RFQ3FtdkVQc2twQkp5ZWR6MUk2V2lxdjRuK0UvRk9qRGl0VVpFd3BFZXRUQktXZgoyRnZRa1pGRmpRU3VIdG5KT040cVRvWmlaNW4vbis4Z1k2Z1Y5Wnd0NHM5OGlpdnUwTFc4UlZGSTNkS0tiYm5lCkY1KzltNE9vMjF0SlU2QThXVGpqVXpLUnFKdEZSa1JpWGtOTGRoY2MrdTdMOFFlZTFOUjIyalg5N2NaVDNGUGoKYmpOUlpId3k5K1dhMG1zcC9EYUR5RnlaOStPUUhReUJJazdCSS9LdU0rT2dta3dlSHBNSE5CMUs1NHZQenZKawpHaFN1QUNIeTRybmdvQTBvMzNhZzJ6a3lEY3NocVRtK2Q3UXFWOWUzU2pONFpUUXlTeWNpa0I1bFJKVHAydVFkCk5jVjBtcG5nREl1aFVlSFRKWkJ0SVZCZnp4bHdHd2c9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: authelia-config
-  labels:
-    app.kubernetes.io/name: authelia
-  annotations:
-    reloader.stakater.com/match: "true"
-data:
-  authelia-config.yml: |
-    ---
-    log:
-      level: warn
-    certificates_directory: /certificates
-    theme: light
-    default_redirection_url: https://members.k-space.ee
-    totp:
-      issuer: K-SPACE
-    authentication_backend:
-      ldap:
-        implementation: activedirectory
-        url: ldaps://ad.k-space.ee
-        base_dn: dc=ad,dc=k-space,dc=ee
-        username_attribute: sAMAccountName
-        additional_users_dn: ou=Membership
-        users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
-        additional_groups_dn: cn=Users
-        groups_filter: (&(member={dn})(objectclass=group))
-        group_name_attribute: cn
-        mail_attribute: mail
-        display_name_attribute: displayName
-        user: cn=authelia,cn=Users,dc=ad,dc=k-space,dc=ee
-    session:
-      domain: k-space.ee
-      same_site: lax
-      expiration: 1M
-      inactivity: 120h
-      remember_me_duration: "0"
-      redis:
-        host: redis
-        port: 6379
-    regulation:
-      ban_time: 5m
-      find_time: 2m
-      max_retries: 3
-    storage:
-      mysql:
-        host: mariadb
-        database: authelia
-        username: authelia
-    notifier:
-      disable_startup_check: true
-      smtp:
-        host: mail.k-space.ee
-        port: 465
-        username: authelia
-        sender: authelia@k-space.ee
-        subject: "[Authelia] {title}"
-        startup_check_address: lauri@k-space.ee
-    access_control:
-      default_policy: deny
-      rules:
-      # Longhorn dashboard
-      - domain: longhorn.k-space.ee
-        policy: two_factor
-        subject: group:Longhorn Admins
-      - domain: longhorn.k-space.ee
-        policy: deny
-      # Members site
-      - domain: members.k-space.ee
-        policy: bypass
-        resources:
-        - ^/?$
-      - domain: members.k-space.ee
-        policy: two_factor
-        resources:
-        - ^/login/authelia/?$
-      - domain: members.k-space.ee
-        policy: bypass
-      # Webmail
-      - domain: webmail.k-space.ee
-        policy: two_factor
-      # Etherpad
-      - domain: pad.k-space.ee
-        policy: two_factor
-        resources:
-        - ^/p/board-
-        subject: group:Board Members
-      - domain: pad.k-space.ee
-        policy: deny
-        resources:
-        - ^/p/board-
-      - domain: pad.k-space.ee
-        policy: two_factor
-        resources:
-        - ^/p/members-
-      - domain: pad.k-space.ee
-        policy: deny
-        resources:
-        - ^/p/members-
-      - domain: pad.k-space.ee
-        policy: bypass
-      # phpMyAdmin
-      - domain: phpmyadmin.k-space.ee
-        policy: two_factor
-      # Require login for everything else protected by traefik-sso middleware
-      - domain: '*.k-space.ee'
-        policy: one_factor
-    ...
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: authelia
-  labels:
-    app.kubernetes.io/name: authelia
-spec:
-  type: ClusterIP
-  sessionAffinity: None
-  selector:
-    app.kubernetes.io/name: authelia
-  ports:
-    - name: http
-      protocol: TCP
-      port: 80
-      targetPort: http
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: authelia
-  labels:
-    app.kubernetes.io/name: authelia
-  annotations:
-    reloader.stakater.com/search: "true"
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: authelia
-  replicas: 2
-  revisionHistoryLimit: 0
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: authelia
-    spec:
-      enableServiceLinks: false
-      containers:
-      - name: authelia
-        image: authelia/authelia:4
-        command:
-         - authelia
-         - --config=/config/authelia-config.yml
-         - --config=/config/oidc-secrets.yml
-        resources:
-          limits:
-            cpu: "4.00"
-            memory: 125Mi
-          requests:
-            cpu: "0.25"
-            memory: 50Mi
-        env:
-        - name: AUTHELIA_SERVER_DISABLE_HEALTHCHECK
-          value: "true"
-        - name: AUTHELIA_JWT_SECRET_FILE
-          value: /secrets/JWT_TOKEN
-        - name: AUTHELIA_SESSION_SECRET_FILE
-          value: /secrets/SESSION_ENCRYPTION_KEY
-        - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
-          value: /secrets/LDAP_PASSWORD
-        - name: AUTHELIA_SESSION_REDIS_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: redis-secrets
-              key: REDIS_PASSWORD
-        - name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
-          value: /secrets/STORAGE_ENCRYPTION_KEY
-        - name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
-          value: /mariadb-secrets/MYSQL_PASSWORD
-        - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
-          value: /secrets/OIDC_HMAC_SECRET
-        - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
-          value: /secrets/OIDC_PRIVATE_KEY
-        - name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
-          value: /secrets/SMTP_PASSWORD
-        - name: TZ
-          value: Europe/Tallinn
-        startupProbe:
-          failureThreshold: 6
-          httpGet:
-            path: /api/health
-            port: http
-            scheme: HTTP
-          initialDelaySeconds: 10
-          periodSeconds: 5
-          successThreshold: 1
-          timeoutSeconds: 5
-        livenessProbe:
-          failureThreshold: 5
-          httpGet:
-            path: /api/health
-            port: http
-            scheme: HTTP
-          initialDelaySeconds: 0
-          periodSeconds: 30
-          successThreshold: 1
-          timeoutSeconds: 5
-        readinessProbe:
-          failureThreshold: 5
-          httpGet:
-            path: /api/health
-            port: http
-            scheme: HTTP
-          initialDelaySeconds: 0
-          periodSeconds: 5
-          successThreshold: 1
-          timeoutSeconds: 5
-        ports:
-        - name: http
-          containerPort: 9091
-          protocol: TCP
-        volumeMounts:
-        - mountPath: /config/authelia-config.yml
-          name: authelia-config
-          readOnly: true
-          subPath: authelia-config.yml
-        - mountPath: /config/oidc-secrets.yml
-          name: oidc-secrets
-          readOnly: true
-          subPath: oidc-secrets.yml
-        - mountPath: /secrets
-          name: secrets
-          readOnly: true
-        - mountPath: /certificates
-          name: certificates
-          readOnly: true
-        - mountPath: /mariadb-secrets
-          name: mariadb-secrets
-          readOnly: true
-      volumes:
-      - name: authelia-config
-        configMap:
-          name: authelia-config
-      - name: secrets
-        secret:
-          secretName: application-secrets
-          items:
-          - key: JWT_TOKEN
-            path: JWT_TOKEN
-          - key: SESSION_ENCRYPTION_KEY
-            path: SESSION_ENCRYPTION_KEY
-          - key: STORAGE_ENCRYPTION_KEY
-            path: STORAGE_ENCRYPTION_KEY
-          - key: STORAGE_PASSWORD
-            path: STORAGE_PASSWORD
-          - key: LDAP_PASSWORD
-            path: LDAP_PASSWORD
-          - key: OIDC_PRIVATE_KEY
-            path: OIDC_PRIVATE_KEY
-          - key: OIDC_HMAC_SECRET
-            path: OIDC_HMAC_SECRET
-          - key: SMTP_PASSWORD
-            path: SMTP_PASSWORD
-      - name: certificates
-        secret:
-          secretName: authelia-certificates
-      - name: mariadb-secrets
-        secret:
-          secretName: mariadb-secrets
-      - name: redis-secrets
-        secret:
-          secretName: redis-secrets
-      - name: oidc-secrets
-        secret:
-          secretName: oidc-secrets
-          items:
-          - key: oidc-secrets.yml
-            path: oidc-secrets.yml
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: authelia
-  labels:
-    app.kubernetes.io/name: authelia
-  annotations:
-    cert-manager.io/cluster-issuer: default
-    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
-    kubernetes.io/tls-acme: "true"
-    traefik.ingress.kubernetes.io/router.entryPoints: websecure
-    traefik.ingress.kubernetes.io/router.middlewares: authelia-chain-k6-authelia@kubernetescrd
-    traefik.ingress.kubernetes.io/router.tls: "true"
-spec:
-  rules:
-    - host: auth.k-space.ee
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: authelia
-                port:
-                  number: 80
-  tls:
-    - hosts:
-        - auth.k-space.ee
-      secretName: authelia-tls
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: forwardauth-k6-authelia
-  labels:
-    app.kubernetes.io/name: authelia
-spec:
-  forwardAuth:
-    address: http://authelia.authelia.svc.cluster.local/api/verify?rd=https://auth.k-space.ee/
-    trustForwardHeader: true
-    authResponseHeaders:
-      - Remote-User
-      - Remote-Name
-      - Remote-Email
-      - Remote-Groups
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: headers-k6-authelia
-  labels:
-    app.kubernetes.io/name: authelia
-spec:
-  headers:
-    browserXssFilter: true
-    customFrameOptionsValue: "SAMEORIGIN"
-    customResponseHeaders:
-      Cache-Control: "no-store"
-      Pragma: "no-cache"
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: chain-k6-authelia-auth
-  labels:
-    app.kubernetes.io/name: authelia
-spec:
-  chain:
-    middlewares:
-      - name: forwardauth-k6-authelia
-        namespace: authelia
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: chain-k6-authelia
-  labels:
-    app.kubernetes.io/name: authelia
-spec:
-  chain:
-    middlewares:
-      - name: headers-k6-authelia
-        namespace: authelia
----
-apiVersion: mysql.oracle.com/v2
-kind: InnoDBCluster
-metadata:
-  name: mysql-cluster
-spec:
-  secretName: mysql-secrets
-  instances: 3
-  router:
-    instances: 2
-  tlsUseSelfSigned: true
-  datadirVolumeClaimTemplate:
-    storageClassName: local-path
-    accessModes:
-      - ReadWriteOnce
-    resources:
-      requests:
-        storage: "1Gi"
-  podSpec:
-    affinity:
-      podAntiAffinity:
-        requiredDuringSchedulingIgnoredDuringExecution:
-          - labelSelector:
-              matchExpressions:
-                - key: app.kubernetes.io/managed-by
-                  operator: In
-                  values:
-                    - mysql-operator
-            topologyKey: kubernetes.io/hostname
-    nodeSelector:
-      dedicated: storage
-    tolerations:
-      - key: dedicated
-        operator: Equal
-        value: storage
-        effect: NoSchedule
----
-apiVersion: codemowers.io/v1alpha1
-kind: KeyDBCluster
-metadata:
-  name: redis
-spec:
-  replicas: 3

authelia/mariadb.yml

@@ -1 +0,0 @@
-../shared/mariadb.yml

bind/.gitignore

@@ -0,0 +1 @@
+*.key

bind/README.md

@@ -0,0 +1,104 @@
+# Bind setup
+
+The Bind primary resides outside Kubernetes at `193.40.103.2` and
+it's internally reachable via `172.20.0.2`.
+
+Bind secondaries are hosted inside Kubernetes, load balanced behind `62.65.250.2` and
+under normal circumstances managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/bind).
+
+Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee`, `k6.ee`
+are picked up automatically by `external-dns` and updated on primary.
+
+The primary triggers notification events to `172.20.53.{1..3}`
+which are internally exposed IP-s of the secondaries.
+
+# Secrets
+
+To configure TSIG secrets:
+
+```
+kubectl create secret generic -n bind bind-readonly-secret \
+  --from-file=readonly.key
+kubectl create secret generic -n bind bind-readwrite-secret \
+  --from-file=readwrite.key
+kubectl create secret generic -n bind external-dns
+kubectl -n bind delete secret tsig-secret
+kubectl -n bind create secret generic tsig-secret \
+    --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
+kubectl -n cert-manager delete secret tsig-secret
+kubectl -n cert-manager create secret generic tsig-secret \
+    --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
+```
+
+# Serving additional zones
+
+## Bind primary configuration
+
+To serve additional domains from this Bind setup add following
+section to `named.conf.local` on primary `ns1.k-space.ee`:
+
+```
+key "foobar" {
+	  algorithm hmac-sha512;
+	  secret "...";
+};
+
+zone "foobar.com" {
+    type master;
+    file "/var/lib/bind/db.foobar.com";
+    allow-update { !rejected; key foobar; };
+    allow-transfer { !rejected; key readonly; key foobar; };
+    notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
+};
+```
+
+Initiate empty zonefile in `/var/lib/bind/db.foobar.com` on the primary `ns1.k-space.ee`:
+
+```
+foobar.com				IN SOA	ns1.foobar.com. hostmaster.foobar.com. (1 300 300 2592000 300)
+									NS	ns1.foobar.com.
+									NS	ns2.foobar.com.
+ns1.foobar.com.		A	193.40.103.2
+ns2.foobar.com.		A	62.65.250.2
+```
+
+Reload Bind config:
+
+```
+named-checkconf
+systemctl reload bind9
+```
+
+## Bind secondary config
+
+Add section to `bind-secondary-config-local` under key `named.conf.local`:
+
+```
+zone "foobar.com" { type slave; masters { 172.20.0.2 key readonly; }; };
+```
+
+And restart secondaries:
+
+```
+kubectl rollout restart -n bind statefulset/bind-secondary
+```
+
+## Registrar config
+
+At your DNS registrar point your glue records to:
+
+```
+foobar.com.				NS ns1.foobar.com.
+foobar.com.				NS ns2.foobar.com.
+ns1.foobar.com.		A	193.40.103.2
+ns2.foobar.com.		A	62.65.250.2
+```
+
+## Updating DNS records
+
+With the configured TSIG key `foobar` you can now:
+
+* Obtain Let's Encrypt certificates with DNS challenge.
+  Inside Kubernetes use `cert-manager` with RFC2136 provider.
+* Update DNS records.
+  Inside Kubernetes use `external-dns` with RFC2136 provider.

bind/bind-secondary.yaml

@@ -0,0 +1,178 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bind-secondary-config-local
+data:
+  named.conf.local: |
+    zone "codemowers.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
+    zone "codemowers.eu" { type slave; masters { 172.20.0.2 key readonly; }; };
+    zone "codemowers.cloud" { type slave; masters { 172.20.0.2 key readonly; }; };
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bind-secondary-config
+data:
+  named.conf: |
+    include "/etc/bind/named.conf.local";
+    include "/etc/bind/readonly.key";
+    options {
+        recursion no;
+        pid-file "/var/bind/named.pid";
+        allow-query { 0.0.0.0/0; };
+        allow-notify { 172.20.0.2; };
+        allow-transfer { none; };
+        check-names slave ignore;
+        notify no;
+    };
+    zone "k-space.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
+    zone "k6.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
+    zone "kspace.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: bind-secondary
+  namespace: bind
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: bind-secondary
+  template:
+    metadata:
+      labels:
+        app: bind-secondary
+    spec:
+      volumes:
+        - name: run
+          emptyDir: {}
+      containers:
+        - name: bind-secondary
+          image: internetsystemsconsortium/bind9:9.19
+          volumeMounts:
+            - mountPath: /run/named
+              name: run
+          workingDir: /var/bind
+          command:
+            - named
+            - -g
+            - -c
+            - /etc/bind/named.conf
+          volumeMounts:
+            - name: bind-secondary-config
+              mountPath: /etc/bind
+              readOnly: true
+            - name: bind-data
+              mountPath: /var/bind
+      volumes:
+        - name: bind-secondary-config
+          projected:
+            sources:
+              - configMap:
+                  name: bind-secondary-config
+              - configMap:
+                  name: bind-secondary-config-local
+                  optional: true
+              - secret:
+                  name: bind-readonly-secret
+        - name: bind-data
+          emptyDir: {}
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: app
+                    operator: In
+                    values:
+                      - bind-secondary
+              topologyKey: "kubernetes.io/hostname"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bind-secondary
+  namespace: bind
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 62.65.250.2
+  selector:
+    app: bind-secondary
+  ports:
+    - protocol: TCP
+      port: 53
+      name: dns-tcp
+      targetPort: 53
+    - protocol: UDP
+      port: 53
+      name: dns-udp
+      targetPort: 53
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bind-secondary-0
+  namespace: bind
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 172.20.53.1
+  selector:
+    app: bind-secondary
+    statefulset.kubernetes.io/pod-name: bind-secondary-0
+  ports:
+    - protocol: TCP
+      port: 53
+      name: dns-tcp
+      targetPort: 53
+    - protocol: UDP
+      port: 53
+      name: dns-udp
+      targetPort: 53
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bind-secondary-1
+  namespace: bind
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 172.20.53.2
+  selector:
+    app: bind-secondary
+    statefulset.kubernetes.io/pod-name: bind-secondary-1
+  ports:
+    - protocol: TCP
+      port: 53
+      name: dns-tcp
+      targetPort: 53
+    - protocol: UDP
+      port: 53
+      name: dns-udp
+      targetPort: 53
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bind-secondary-2
+  namespace: bind
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 172.20.53.3
+  selector:
+    app: bind-secondary
+    statefulset.kubernetes.io/pod-name: bind-secondary-2
+  ports:
+    - protocol: TCP
+      port: 53
+      name: dns-tcp
+      targetPort: 53
+    - protocol: UDP
+      port: 53
+      name: dns-udp
+      targetPort: 53

bind/external-dns-k-space.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns-k-space
+spec:
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels: &selectorLabels
+      app.kubernetes.io/name: external-dns
+      domain: k-space.ee
+  template:
+    metadata:
+      labels: *selectorLabels
+    spec:
+      serviceAccountName: external-dns
+      containers:
+        - name: external-dns
+          image: registry.k8s.io/external-dns/external-dns:v0.13.5
+          envFrom:
+            - secretRef:
+                name: tsig-secret
+          args:
+            - --events
+            - --registry=txt
+            - --txt-prefix=external-dns-
+            - --txt-owner-id=k8s
+            - --provider=rfc2136
+            - --source=ingress
+            - --source=service
+            - --source=crd
+            - --domain-filter=k-space.ee
+            - --rfc2136-tsig-axfr
+            - --rfc2136-host=172.20.0.2
+            - --rfc2136-port=53
+            - --rfc2136-zone=k-space.ee
+            - --rfc2136-tsig-keyname=readwrite
+            - --rfc2136-tsig-secret-alg=hmac-sha512
+            - --rfc2136-tsig-secret=$(TSIG_SECRET)
+            # https://github.com/kubernetes-sigs/external-dns/issues/2446

bind/external-dns-k6.yaml

@@ -0,0 +1,71 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns-k6
+spec:
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels: &selectorLabels
+      app.kubernetes.io/name: external-dns
+      domain: k6.ee
+  template:
+    metadata:
+      labels: *selectorLabels
+    spec:
+      serviceAccountName: external-dns
+      containers:
+        - name: external-dns
+          image: registry.k8s.io/external-dns/external-dns:v0.13.5
+          envFrom:
+            - secretRef:
+                name: tsig-secret
+          args:
+            - --log-level=debug
+            - --events
+            - --registry=noop
+            - --provider=rfc2136
+            - --source=service
+            - --source=crd
+            - --domain-filter=k6.ee
+            - --rfc2136-tsig-axfr
+            - --rfc2136-host=172.20.0.2
+            - --rfc2136-port=53
+            - --rfc2136-zone=k6.ee
+            - --rfc2136-tsig-keyname=readwrite
+            - --rfc2136-tsig-secret-alg=hmac-sha512
+            - --rfc2136-tsig-secret=$(TSIG_SECRET)
+            # https://github.com/kubernetes-sigs/external-dns/issues/2446
+---
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: k6
+spec:
+  endpoints:
+  - dnsName: k6.ee
+    recordTTL: 300
+    recordType: SOA
+    targets:
+      - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
+  - dnsName: k6.ee
+    recordTTL: 300
+    recordType: NS
+    targets:
+      - ns1.k-space.ee
+      - ns2.k-space.ee
+  - dnsName: ns1.k-space.ee
+    recordTTL: 300
+    recordType: A
+    targets:
+      - 193.40.103.2
+  - dnsName: ns2.k-space.ee
+    recordTTL: 300
+    recordType: A
+    targets:
+      - 62.65.250.2
+  - dnsName: k-space.ee
+    recordTTL: 300
+    recordType: MX
+    targets:
+      - 10 mail.k-space.ee

bind/external-dns-kspace.yaml

@@ -0,0 +1,66 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns-kspace
+spec:
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels: &selectorLabels
+      app.kubernetes.io/name: external-dns
+      domain: kspace.ee
+  template:
+    metadata:
+      labels: *selectorLabels
+    spec:
+      serviceAccountName: external-dns
+      containers:
+        - name: external-dns
+          image: registry.k8s.io/external-dns/external-dns:v0.13.5
+          envFrom:
+          - secretRef:
+              name: tsig-secret
+          args:
+            - --events
+            - --registry=noop
+            - --provider=rfc2136
+            - --source=ingress
+            - --source=service
+            - --source=crd
+            - --domain-filter=kspace.ee
+            - --rfc2136-tsig-axfr
+            - --rfc2136-host=172.20.0.2
+            - --rfc2136-port=53
+            - --rfc2136-zone=kspace.ee
+            - --rfc2136-tsig-keyname=readwrite
+            - --rfc2136-tsig-secret-alg=hmac-sha512
+            - --rfc2136-tsig-secret=$(TSIG_SECRET)
+            # https://github.com/kubernetes-sigs/external-dns/issues/2446
+---
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: kspace
+spec:
+  endpoints:
+  - dnsName: kspace.ee
+    recordTTL: 300
+    recordType: SOA
+    targets:
+      - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
+  - dnsName: kspace.ee
+    recordTTL: 300
+    recordType: NS
+    targets:
+      - ns1.k-space.ee
+      - ns2.k-space.ee
+  - dnsName: ns1.k-space.ee
+    recordTTL: 300
+    recordType: A
+    targets:
+      - 193.40.103.2
+  - dnsName: ns2.k-space.ee
+    recordTTL: 300
+    recordType: A
+    targets:
+      - 62.65.250.2

bind/external-dns.yaml

@@ -0,0 +1,58 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-dns
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - endpoints
+  - pods
+  - nodes
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - extensions
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - externaldns.k8s.io
+  resources:
+  - dnsendpoints
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - externaldns.k8s.io
+  resources:
+  - dnsendpoints/status
+  verbs:
+  - update
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: external-dns
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-dns-viewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-dns
+subjects:
+- kind: ServiceAccount
+  name: external-dns
+  namespace: bind

camtiler/README.md

@@ -1,7 +1,16 @@
 To apply changes:
 
 ```
-kubectl apply -n camtiler -f application.yml -f persistence.yml -f mongoexpress.yml -f mongodb-support.yml -f networkpolicy-base.yml -f minio-support.yml
+kubectl apply -n camtiler \
+  -f application.yml \
+  -f minio.yml \
+  -f mongoexpress.yml \
+  -f mongodb-support.yml \
+  -f camera-tiler.yml \
+  -f logmower.yml \
+  -f ingress.yml \
+  -f network-policies.yml \
+  -f networkpolicy-base.yml
 ```
 
 To deploy changes:
@@ -15,15 +24,16 @@ To initialize secrets:
 ```
 kubectl create secret generic -n camtiler mongodb-application-readwrite-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
 kubectl create secret generic -n camtiler mongodb-application-readonly-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
-kubectl create secret generic -n camtiler minio-secret \
-    --from-literal=accesskey=application \
-    --from-literal=secretkey=$(cat /dev/urandom | base64 | head -c 30)
-kubectl create secret generic -n camtiler minio-env-configuration \
-    --from-literal="MINIO_BROWSER=off" \
+kubectl create secret generic -n camtiler minio-secrets \
     --from-literal="MINIO_ROOT_USER=root" \
-    --from-literal="MINIO_ROOT_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)" \
-    --from-literal="MINIO_STORAGE_CLASS_STANDARD=EC:4"
+    --from-literal="MINIO_ROOT_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)"
 kubectl -n camtiler create secret generic camera-secrets \
     --from-literal=username=... \
     --from-literal=password=...
 ```
+
+To restart all deployments:
+
+```
+for j in $(kubectl get deployments -n camtiler -o name); do kubectl rollout restart -n camtiler $j; done
+```

camtiler/application.yml

@@ -1,396 +1,11 @@
 ---
-apiVersion: apps/v1
-kind: Deployment
+apiVersion: codemowers.cloud/v1beta1
+kind: MinioBucketClaim
 metadata:
   name: camtiler
-  annotations:
-    keel.sh/policy: force
-    keel.sh/trigger: poll
 spec:
-  revisionHistoryLimit: 0
-  replicas: 2
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: camtiler
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: camtiler
-        component: camtiler
-    spec:
-      serviceAccountName: camtiler
-      containers:
-        - name: camtiler
-          image: harbor.k-space.ee/k-space/camera-tiler:latest
-          securityContext:
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-            runAsUser: 1000
-          ports:
-            - containerPort: 5001
-              name: "http"
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: log-viewer-frontend
-  annotations:
-    keel.sh/policy: force
-    keel.sh/trigger: poll
-spec:
-  revisionHistoryLimit: 0
-  replicas: 2
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: log-viewer-frontend
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: log-viewer-frontend
-    spec:
-      containers:
-        - name: log-viewer-frontend
-          image: harbor.k-space.ee/k-space/log-viewer-frontend:latest
-#          securityContext:
-#            readOnlyRootFilesystem: true
-#            runAsNonRoot: true
-#            runAsUser: 1000
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: log-viewer-backend
-  annotations:
-    keel.sh/policy: force
-    keel.sh/trigger: poll
-spec:
-  revisionHistoryLimit: 0
-  replicas: 3
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: log-viewer-backend
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: log-viewer-backend
-    spec:
-      containers:
-        - name: log-backend-backend
-          image: harbor.k-space.ee/k-space/log-viewer:latest
-          securityContext:
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-            runAsUser: 1000
-          env:
-            - name: MONGO_URI
-              valueFrom:
-                secretKeyRef:
-                  name: mongodb-application-readwrite
-                  key: connectionString.standard
-            - name: MINIO_BUCKET
-              value: application
-            - name: MINIO_HOSTNAME
-              value: cams-s3.k-space.ee
-            - name: MINIO_PORT
-              value: "443"
-            - name: MINIO_SCHEME
-              value: "https"
-            - name: MINIO_SECRET_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: minio-secret
-                  key: secretkey
-            - name: MINIO_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: minio-secret
-                  key: accesskey
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: log-viewer-frontend
-spec:
-  type: ClusterIP
-  selector:
-    app.kubernetes.io/name: log-viewer-frontend
-  ports:
-    - protocol: TCP
-      port: 3003
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: log-viewer-backend
-spec:
-  type: ClusterIP
-  selector:
-    app.kubernetes.io/name: log-viewer-backend
-  ports:
-    - protocol: TCP
-      port: 3002
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: camtiler
-  labels:
-    component: camtiler
-spec:
-  type: ClusterIP
-  selector:
-    app.kubernetes.io/name: camtiler
-    component: camtiler
-  ports:
-    - protocol: TCP
-      port: 5001
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: camtiler
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: camtiler
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - services
-    verbs:
-      - list
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: camtiler
-subjects:
-  - kind: ServiceAccount
-    name: camtiler
-    apiGroup: ""
-roleRef:
-  kind: Role
-  name: camtiler
-  apiGroup: ""
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: camtiler
-  annotations:
-    kubernetes.io/ingress.class: traefik
-
-    # Following specifies the certificate issuer defined in
-    # ../cert-manager/issuer.yml
-    # This is where the HTTPS certificates for the
-    # `tls:` section below are obtained from
-    cert-manager.io/cluster-issuer: default
-
-    # This tells Traefik this Ingress object is associated with the
-    # https:// entrypoint
-    # Global http:// to https:// redirect is enabled in
-    # ../traefik/values.yml using `globalArguments`
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-
-    # Following enables Authelia intercepting middleware
-    # which makes sure user is authenticated and then
-    # proceeds to inject Remote-User header for the application
-    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
-
-    traefik.ingress.kubernetes.io/router.tls: "true"
-
-    # Following tells external-dns to add CNAME entry which makes
-    # cams.k-space.ee point to same IP address as traefik.k-space.ee
-    # The A record for traefik.k-space.ee is created via annotation
-    # added in ../traefik/ingress.yml
-    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
-spec:
-  rules:
-    - host: cams.k-space.ee
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/tiled"
-            backend:
-              service:
-                name: camtiler
-                port:
-                  number: 5001
-          - pathType: Prefix
-            path: "/events"
-            backend:
-              service:
-                name: log-viewer-backend
-                port:
-                  number: 3002
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: log-viewer-frontend
-                port:
-                  number: 3003
-  tls:
-    - hosts:
-        - cams.k-space.ee
-      secretName: camtiler-tls
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: camera-motion-detect
-spec:
-  podSelector:
-    matchLabels:
-      component: camdetect
-  policyTypes:
-    - Ingress
-    - Egress
-  ingress:
-    - from:
-        - podSelector:
-            matchLabels:
-              component: camtiler
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: prometheus-operator
-          podSelector:
-            matchLabels:
-              app.kubernetes.io/name: prometheus
-  egress:
-    - to:
-        - ipBlock:
-            # Permit access to cameras outside the cluster
-            cidr: 100.102.0.0/16
-    - to:
-        - podSelector:
-            matchLabels:
-              app: mongodb-svc
-      ports:
-        - port: 27017
-    - to:
-        - podSelector:
-            matchLabels:
-              v1.min.io/tenant: minio
-      ports:
-        - port: 9000
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: camera-tiler
-spec:
-  podSelector:
-    matchLabels:
-      component: camtiler
-  policyTypes:
-    - Ingress
-    - Egress
-  egress:
-    - to:
-        - podSelector:
-            matchLabels:
-              component: camdetect
-      ports:
-        - port: 5000
-  ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: prometheus-operator
-          podSelector:
-            matchLabels:
-              app.kubernetes.io/name: prometheus
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: traefik
-          podSelector:
-            matchLabels:
-              app.kubernetes.io/name: traefik
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: log-viewer-backend
-spec:
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: log-viewer-backend
-  policyTypes:
-    - Ingress
-    - Egress
-  egress:
-    - to:
-        - podSelector:
-            matchLabels:
-              app: mongodb-svc
-    - to:
-        # Minio access via Traefik's public endpoint
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: traefik
-          podSelector:
-            matchLabels:
-              app.kubernetes.io/name: traefik
-  ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: traefik
-          podSelector:
-            matchLabels:
-              app.kubernetes.io/name: traefik
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: log-viewer-frontend
-spec:
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: log-viewer-frontend
-  policyTypes:
-    - Ingress
-    - Egress
-  ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: traefik
-          podSelector:
-            matchLabels:
-              app.kubernetes.io/name: traefik
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: minio
-  annotations:
-    kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
-    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
-spec:
-  rules:
-    - host: cams-s3.k-space.ee
-      http:
-        paths:
-          - pathType: Prefix
-            path: "/"
-            backend:
-              service:
-                name: minio
-                port:
-                  number: 80
-  tls:
-    - hosts:
-        - cams-s3.k-space.ee
-      secretName: cams-s3-tls
+  capacity: 150Gi
+  class: dedicated
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -482,12 +97,13 @@ spec:
       metadata:
         name: foobar
         labels:
-          component: camdetect
+          app.kubernetes.io/name: foobar
+          component: camera-motion-detect
       spec:
         type: ClusterIP
         selector:
           app.kubernetes.io/name: foobar
-          component: camdetect
+          component: camera-motion-detect
         ports:
           - protocol: TCP
             port: 80
@@ -497,19 +113,16 @@ spec:
       kind: Deployment
       metadata:
         name: camera-foobar
-        # Make sure keel.sh pulls updates for this deployment
-        annotations:
-          keel.sh/policy: force
-          keel.sh/trigger: poll
       spec:
+        revisionHistoryLimit: 0
         replicas: 1
 
-        # Make sure we do not congest the network during rollout
         strategy:
           type: RollingUpdate
           rollingUpdate:
-            maxSurge: 0
-            maxUnavailable: 1
+            # Swap following two with replicas: 2
+            maxSurge: 1
+            maxUnavailable: 0
         selector:
           matchLabels:
             app.kubernetes.io/name: foobar
@@ -517,18 +130,25 @@ spec:
           metadata:
             labels:
               app.kubernetes.io/name: foobar
-              component: camdetect
+              component: camera-motion-detect
           spec:
             containers:
-              - name: camdetect
+              - name: camera-motion-detect
                 image: harbor.k-space.ee/k-space/camera-motion-detect:latest
+                starupProbe:
+                  httpGet:
+                    path: /healthz
+                    port: 5000
+                  initialDelaySeconds: 2
+                  periodSeconds: 180
+                  timeoutSeconds: 60
                 readinessProbe:
                   httpGet:
                     path: /readyz
                     port: 5000
-                  initialDelaySeconds: 10
-                  periodSeconds: 180
-                  timeoutSeconds: 60
+                  initialDelaySeconds: 60
+                  periodSeconds: 60
+                  timeoutSeconds: 5
                 ports:
                   - containerPort: 5000
                     name: "http"
@@ -538,7 +158,7 @@ spec:
                     cpu: "200m"
                   limits:
                     memory: "256Mi"
-                    cpu: "1"
+                    cpu: "4000m"
                 securityContext:
                   readOnlyRootFilesystem: true
                   runAsNonRoot: true
@@ -550,9 +170,25 @@ spec:
                   - name: SOURCE_NAME
                     value: foobar
                   - name: S3_BUCKET_NAME
-                    value: application
+                    valueFrom:
+                      secretKeyRef:
+                        name: miniobucket-camtiler-owner-secrets
+                        key: BUCKET_NAME
                   - name: S3_ENDPOINT_URL
-                    value: http://minio
+                    valueFrom:
+                      secretKeyRef:
+                        name: miniobucket-camtiler-owner-secrets
+                        key: AWS_S3_ENDPOINT_URL
+                  - name: AWS_SECRET_ACCESS_KEY
+                    valueFrom:
+                      secretKeyRef:
+                        name: miniobucket-camtiler-owner-secrets
+                        key: AWS_SECRET_ACCESS_KEY
+                  - name: AWS_ACCESS_KEY_ID
+                    valueFrom:
+                      secretKeyRef:
+                        name: miniobucket-camtiler-owner-secrets
+                        key: AWS_ACCESS_KEY_ID
                   - name: BASIC_AUTH_PASSWORD
                     valueFrom:
                       secretKeyRef:
@@ -563,16 +199,6 @@ spec:
                       secretKeyRef:
                         name: mongodb-application-readwrite
                         key: connectionString.standard
-                  - name: AWS_SECRET_ACCESS_KEY
-                    valueFrom:
-                      secretKeyRef:
-                        name: minio-secret
-                        key: secretkey
-                  - name: AWS_ACCESS_KEY_ID
-                    valueFrom:
-                      secretKeyRef:
-                        name: minio-secret
-                        key: accesskey
 
             # Make sure 2+ pods of same camera are scheduled on different hosts
             affinity:
@@ -580,32 +206,21 @@ spec:
                 requiredDuringSchedulingIgnoredDuringExecution:
                   - labelSelector:
                       matchExpressions:
-                        - key: app
+                        - key: app.kubernetes.io/name
                           operator: In
                           values:
                             - foobar
-                    topologyKey: kubernetes.io/hostname
+                    topologyKey: topology.kubernetes.io/zone
 
             # Make sure camera deployments are spread over workers
             topologySpreadConstraints:
               - maxSkew: 1
-                topologyKey: kubernetes.io/hostname
+                topologyKey: topology.kubernetes.io/zone
                 whenUnsatisfiable: DoNotSchedule
                 labelSelector:
                   matchLabels:
                     app.kubernetes.io/name: foobar
-                    component: camdetect
----
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
-  name: camtiler
-spec:
-  selector: {}
-  podMetricsEndpoints:
-    - port: http
-  podTargetLabels:
-    - app.kubernetes.io/name
+                    component: camera-motion-detect
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
@@ -616,21 +231,21 @@ spec:
     - name: cameras
       rules:
         - alert: CameraLost
-          expr: rate(camdetect_rx_frames_total[2m]) < 1
+          expr: rate(camtiler_frames_total{stage="downloaded"}[1m]) < 1
           for: 2m
           labels:
             severity: warning
           annotations:
             summary: Camera feed stopped
         - alert: CameraServerRoomMotion
-          expr: camdetect_event_active {app="camdetect-server-room"} > 0
+          expr: rate(camtiler_events_total{app_kubernetes_io_name="server-room"}[30m]) > 0
           for: 1m
           labels:
             severity: warning
           annotations:
             summary: Motion was detected in server room
         - alert: CameraSlowUploads
-          expr: rate(camdetect_upload_dropped_frames_total[2m]) > 1
+          expr: camtiler_queue_frames{stage="upload"} > 10
           for: 5m
           labels:
             severity: warning
@@ -638,13 +253,20 @@ spec:
             summary: Motion detect snapshots are piling up and
               not getting uploaded to S3
         - alert: CameraSlowProcessing
-          expr: rate(camdetect_download_dropped_frames_total[2m]) > 1
+          expr: camtiler_queue_frames{stage="download"} > 10
           for: 5m
           labels:
             severity: warning
           annotations:
             summary: Motion detection processing pipeline is not keeping up
               with incoming frames
+        - alert: CameraResourcesThrottled
+          expr: sum by (pod) (rate(container_cpu_cfs_throttled_periods_total{namespace="camtiler"}[1m])) > 0
+          for: 5m
+          labels:
+            severity: warning
+          annotations:
+            summary: CPU limits are bottleneck
 ---
 apiVersion: k-space.ee/v1alpha1
 kind: Camera
@@ -653,6 +275,7 @@ metadata:
 spec:
   target: http://user@workshop.cam.k-space.ee:8080/?action=stream
   secretRef: camera-secrets
+  replicas: 1
 ---
 apiVersion: k-space.ee/v1alpha1
 kind: Camera
@@ -661,6 +284,7 @@ metadata:
 spec:
   target: http://user@server-room.cam.k-space.ee:8080/?action=stream
   secretRef: camera-secrets
+  replicas: 2
 ---
 apiVersion: k-space.ee/v1alpha1
 kind: Camera
@@ -669,6 +293,7 @@ metadata:
 spec:
   target: http://user@printer.cam.k-space.ee:8080/?action=stream
   secretRef: camera-secrets
+  replicas: 1
 ---
 apiVersion: k-space.ee/v1alpha1
 kind: Camera
@@ -677,6 +302,7 @@ metadata:
 spec:
   target: http://user@chaos.cam.k-space.ee:8080/?action=stream
   secretRef: camera-secrets
+  replicas: 1
 ---
 apiVersion: k-space.ee/v1alpha1
 kind: Camera
@@ -685,6 +311,7 @@ metadata:
 spec:
   target: http://user@cyber.cam.k-space.ee:8080/?action=stream
   secretRef: camera-secrets
+  replicas: 1
 ---
 apiVersion: k-space.ee/v1alpha1
 kind: Camera
@@ -693,19 +320,36 @@ metadata:
 spec:
   target: http://user@kitchen.cam.k-space.ee:8080/?action=stream
   secretRef: camera-secrets
+  replicas: 1
 ---
 apiVersion: k-space.ee/v1alpha1
 kind: Camera
 metadata:
   name: back-door
 spec:
-  target: http://user@back-door.cam.k-space.ee:8080/?action=stream
+  target: http://user@100.102.3.3:8080/?action=stream
   secretRef: camera-secrets
+  replicas: 1
 ---
 apiVersion: k-space.ee/v1alpha1
 kind: Camera
 metadata:
   name: ground-door
 spec:
-  target: http://user@ground-door.cam.k-space.ee:8080/?action=stream
+  target: http://user@100.102.3.1:8080/?action=stream
   secretRef: camera-secrets
+  replicas: 1
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: camera-motion-detect
+spec:
+  selector:
+    matchLabels:
+      component: camera-motion-detect
+  podMetricsEndpoints:
+    - port: http
+  podTargetLabels:
+    - app.kubernetes.io/name
+    - component

camtiler/camera-tiler.yml

@@ -0,0 +1,98 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: camera-tiler
+  annotations:
+    keel.sh/policy: force
+    keel.sh/trigger: poll
+spec:
+  revisionHistoryLimit: 0
+  replicas: 2
+  selector:
+    matchLabels: &selectorLabels
+      app.kubernetes.io/name: camtiler
+      component: camera-tiler
+  template:
+    metadata:
+      labels: *selectorLabels
+    spec:
+      serviceAccountName: camera-tiler
+      containers:
+        - name: camera-tiler
+          image: harbor.k-space.ee/k-space/camera-tiler:latest
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+          ports:
+            - containerPort: 5001
+              name: "http"
+          resources:
+            requests:
+              memory: "200Mi"
+              cpu: "100m"
+            limits:
+              memory: "500Mi"
+              cpu: "4000m"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: camera-tiler
+  labels:
+    app.kubernetes.io/name: camtiler
+    component: camera-tiler
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: camtiler
+    component: camera-tiler
+  ports:
+    - protocol: TCP
+      port: 5001
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: camera-tiler
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camera-tiler
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - list
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camera-tiler
+subjects:
+  - kind: ServiceAccount
+    name: camera-tiler
+    apiGroup: ""
+roleRef:
+  kind: Role
+  name: camera-tiler
+  apiGroup: ""
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: camtiler
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: camtiler
+      component: camera-tiler
+  podMetricsEndpoints:
+    - port: http
+  podTargetLabels:
+    - app.kubernetes.io/name
+    - component

camtiler/ingress.yml

@@ -0,0 +1,78 @@
+---
+apiVersion: codemowers.io/v1alpha1
+kind: OIDCGWMiddlewareClient
+metadata:
+  name: sso
+spec:
+  displayName: Cameras
+  uri: 'https://cams.k-space.ee/tiled'
+  allowedGroups:
+    - k-space:floor
+    - k-space:friends
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: camtiler
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.middlewares: camtiler-sso@kubernetescrd,camtiler-redirect@kubernetescrd
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+spec:
+  rules:
+    - host: cams.k-space.ee
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: logmower-frontend
+                port:
+                  number: 8080
+    - host: cam.k-space.ee
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/tiled"
+            backend:
+              service:
+                name: camera-tiler
+                port:
+                  number: 5001
+          - pathType: Prefix
+            path: "/m"
+            backend:
+              service:
+                name: camera-tiler
+                port:
+                  number: 5001
+          - pathType: Prefix
+            path: "/events"
+            backend:
+              service:
+                name: logmower-eventsource
+                port:
+                  number: 3002
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: logmower-frontend
+                port:
+                  number: 8080
+  tls:
+    - hosts:
+        - "*.k-space.ee"
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect
+spec:
+  redirectRegex:
+    regex: ^https://cams.k-space.ee/(.*)$
+    replacement: https://cam.k-space.ee/$1
+    permanent: false

camtiler/logmower.yml

@@ -0,0 +1,182 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: logmower-eventsource
+spec:
+  revisionHistoryLimit: 0
+  replicas: 2
+  selector:
+    matchLabels: &selectorLabels
+      app.kubernetes.io/name: camtiler
+      component: logmower-eventsource
+  template:
+    metadata:
+      labels: *selectorLabels
+    spec:
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: app.kubernetes.io/name
+                    operator: In
+                    values:
+                      - camtiler
+                  - key: component
+                    operator: In
+                    values:
+                      - logmower-eventsource
+              topologyKey: topology.kubernetes.io/zone
+      nodeSelector:
+        dedicated: storage
+      tolerations:
+        - key: dedicated
+          operator: Equal
+          value: storage
+          effect: NoSchedule
+      containers:
+        - name: logmower-eventsource
+          image: harbor.k-space.ee/k-space/logmower-eventsource
+          ports:
+            - containerPort: 3002
+              name: nodejs
+          env:
+            - name: MONGO_COLLECTION
+              value: eventlog
+            - name: MONGODB_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: mongodb-application-readonly
+                  key: connectionString.standard
+            - name: BACKEND
+              value: 'camtiler'
+            - name: BACKEND_BROKER_URL
+              value: 'http://logmower-event-broker'
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: logmower-event-broker
+spec:
+  revisionHistoryLimit: 0
+  replicas: 2
+  selector:
+    matchLabels: &selectorLabels
+      app.kubernetes.io/name: camtiler
+      component: logmower-event-broker
+  template:
+    metadata:
+      labels: *selectorLabels
+    spec:
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: app.kubernetes.io/name
+                    operator: In
+                    values:
+                      - camtiler
+                  - key: component
+                    operator: In
+                    values:
+                      - logmower-event-broker
+              topologyKey: topology.kubernetes.io/zone
+      nodeSelector:
+        dedicated: storage
+      tolerations:
+        - key: dedicated
+          operator: Equal
+          value: storage
+          effect: NoSchedule
+      containers:
+        - name: logmower-event-broker
+          image: harbor.k-space.ee/k-space/camera-event-broker
+          ports:
+            - containerPort: 3000
+          env:
+            - name: MINIO_BUCKET
+              valueFrom:
+                secretKeyRef:
+                  name: miniobucket-camtiler-owner-secrets
+                  key: BUCKET_NAME
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: miniobucket-camtiler-owner-secrets
+                  key: AWS_SECRET_ACCESS_KEY
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: miniobucket-camtiler-owner-secrets
+                  key: AWS_ACCESS_KEY_ID
+            - name: MINIO_HOSTNAME
+              value: 'dedicated-5ee6428f-4cb5-4c2e-90b5-364668f515c2.minio-clusters.k-space.ee'
+            - name: MINIO_PORT
+              value: '443'
+            - name: MINIO_SCHEMA
+              value: 'https'
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: logmower-frontend
+spec:
+  revisionHistoryLimit: 0
+  replicas: 2
+  selector:
+    matchLabels: &selectorLabels
+      app.kubernetes.io/name: camtiler
+      component: logmower-frontend
+  template:
+    metadata:
+      labels: *selectorLabels
+    spec:
+      containers:
+        - name: logmower-frontend
+          image: harbor.k-space.ee/k-space/logmower-frontend
+          ports:
+            - containerPort: 8080
+              name: http
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: logmower-frontend
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: camtiler
+    component: logmower-frontend
+  ports:
+    - protocol: TCP
+      port: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: logmower-eventsource
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: camtiler
+    component: logmower-eventsource
+  ports:
+    - protocol: TCP
+      port: 3002
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: logmower-event-broker
+spec:
+  type: ClusterIP
+  selector:
+      app.kubernetes.io/name: camtiler
+      component: logmower-event-broker
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 3000

camtiler/minio-support.yml

@@ -1 +0,0 @@
-../shared/minio-support.yml

camtiler/mongodb.yml

@@ -4,12 +4,16 @@ kind: MongoDBCommunity
 metadata:
   name: mongodb
 spec:
+  agent:
+    logLevel: ERROR
+    maxLogFileDurationHours: 1
   additionalMongodConfig:
     systemLog:
       quiet: true
-  members: 3
+  members: 2
+  arbiters: 1
   type: ReplicaSet
-  version: "5.0.9"
+  version: "6.0.3"
   security:
     authentication:
       modes: ["SCRAM"]
@@ -27,7 +31,7 @@ spec:
       passwordSecretRef:
         name: mongodb-application-readonly-password
       roles:
-        - name: readOnly
+        - name: read
           db: application
       scramCredentialsSecretName: mongodb-application-readonly
   statefulSet:
@@ -35,6 +39,24 @@ spec:
       logLevel: WARN
       template:
         spec:
+          containers:
+            - name: mongod
+              resources:
+                requests:
+                  cpu: 100m
+                  memory: 512Mi
+                limits:
+                  cpu: 500m
+                  memory: 1Gi
+              volumeMounts:
+                - name: journal-volume
+                  mountPath: /data/journal
+            - name: mongodb-agent
+              resources:
+                requests:
+                  cpu: 1m
+                  memory: 100Mi
+                limits: {}
           affinity:
             podAntiAffinity:
               requiredDuringSchedulingIgnoredDuringExecution:
@@ -44,7 +66,7 @@ spec:
                         operator: In
                         values:
                           - mongodb-svc
-                  topologyKey: kubernetes.io/hostname
+                  topologyKey: topology.kubernetes.io/zone
           nodeSelector:
             dedicated: storage
           tolerations:
@@ -55,76 +77,34 @@ spec:
       volumeClaimTemplates:
         - metadata:
             name: logs-volume
+            labels:
+              usecase: logs
           spec:
-            storageClassName: local-path
+            storageClassName: mongo
+            accessModes:
+              - ReadWriteOnce
+            resources:
+              requests:
+                storage: 200Mi
+        - metadata:
+            name: journal-volume
+            labels:
+              usecase: journal
+          spec:
+            storageClassName: mongo
             accessModes:
             - ReadWriteOnce
             resources:
               requests:
-                storage: 512Mi
+                storage: 1Gi
         - metadata:
             name: data-volume
+            labels:
+              usecase: data
           spec:
-            storageClassName: local-path
+            storageClassName: mongo
             accessModes:
             - ReadWriteOnce
             resources:
               requests:
                 storage: 2Gi
----
-apiVersion: minio.min.io/v2
-kind: Tenant
-metadata:
-  name: minio
-  annotations:
-    prometheus.io/path: /minio/prometheus/metrics
-    prometheus.io/port: "9000"
-    prometheus.io/scrape: "true"
-spec:
-  credsSecret:
-    name: minio-secret
-  buckets:
-    - name: application
-  requestAutoCert: false
-  users:
-    - name: minio-user-0
-  pools:
-    - name: pool-0
-      affinity:
-        podAntiAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            - labelSelector:
-                matchExpressions:
-                  - key: v1.min.io/tenant
-                    operator: In
-                    values:
-                      - minio
-                  - key: v1.min.io/pool
-                    operator: In
-                    values:
-                      - pool-0
-              topologyKey: kubernetes.io/hostname
-      resources:
-        requests:
-          cpu: '1'
-          memory: 512Mi
-      servers: 4
-      volumesPerServer: 1
-      volumeClaimTemplate:
-        metadata:
-          name: data
-        spec:
-          accessModes:
-            - ReadWriteOnce
-          resources:
-            requests:
-              storage: '30Gi'
-          storageClassName: local-path
-        status: {}
-      nodeSelector:
-        dedicated: storage
-      tolerations:
-        - key: dedicated
-          operator: Equal
-          value: storage
-          effect: NoSchedule

camtiler/network-policies.yml

@@ -0,0 +1,154 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: camera-motion-detect
+spec:
+  podSelector:
+    matchLabels:
+      component: camera-motion-detect
+  policyTypes:
+    - Ingress
+#    - Egress # Something wrong with using minio-clusters as namespaceSelector.
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: camtiler
+              component: camera-tiler
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: prometheus
+  egress:
+    - to:
+        - ipBlock:
+            # Permit access to cameras outside the cluster
+            cidr: 100.102.0.0/16
+    - to:
+        - podSelector:
+            matchLabels:
+              app: mongodb-svc
+      ports:
+        - port: 27017
+    - to:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: minio
+      ports:
+        - port: 9000
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: camera-tiler
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: camtiler
+      component: camera-tiler
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              component: camera-motion-detect
+      ports:
+        - port: 5000
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: prometheus
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: logmower-eventsource
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: camtiler
+      component: logmower-eventsource
+  policyTypes:
+    - Ingress
+#    - Egress  # Something wrong with using mongodb-svc as podSelector.
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app: mongodb-svc
+        - podSelector:
+            matchLabels:
+              component: logmower-event-broker
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: logmower-event-broker
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: camtiler
+      component: logmower-event-broker
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - to:
+        # Minio access via Traefik's public endpoint
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              component: logmower-eventsource
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: logmower-frontend
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: camtiler
+      component: logmower-frontend
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik

cluster-role-bindings.yml

@@ -1,12 +1,11 @@
 ---
-# AD/Samba group "Kubernetes Admins" members have full access
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: kubernetes-admins
 subjects:
 - kind: Group
-  name: "Kubernetes Admins"
+  name: "k-space:kubernetes:admins"
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole

cnpg-system/README.md

@@ -0,0 +1,8 @@
+# CloudNativePG
+
+To deploy:
+
+```
+wget https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.20/releases/cnpg-1.20.2.yaml -O application.yml
+kubectl apply -f application.yml
+```

drone/README.md

@@ -77,14 +77,11 @@ steps:
   - echo "ENV GIT_COMMIT_TIMESTAMP=$(git log -1 --format=%cd --date=iso-strict)" >> Dockerfile
   - cat Dockerfile
 - name: docker
-  image: plugins/docker
+  image: harbor.k-space.ee/k-space/drone-kaniko
   settings:
-    repo: harbor.k-space.ee/${DRONE_REPO}
+    repo: ${DRONE_REPO}
     tags: latest-arm64
     registry: harbor.k-space.ee
-    squash: true
-    experimental: true
-    mtu: 1300
     username:
       from_secret: docker_username
     password:
@@ -109,14 +106,11 @@ steps:
   - echo "ENV GIT_COMMIT_TIMESTAMP=$(git log -1 --format=%cd --date=iso-strict)" >> Dockerfile
   - cat Dockerfile
 - name: docker
-  image: plugins/docker
+  image: harbor.k-space.ee/k-space/drone-kaniko
   settings:
-    repo: harbor.k-space.ee/${DRONE_REPO}
+    repo: ${DRONE_REPO}
     tags: latest-amd64
     registry: harbor.k-space.ee
-    squash: true
-    experimental: true
-    mtu: 1300
     storage_driver: vfs
     username:
       from_secret: docker_username
@@ -130,8 +124,8 @@ steps:
 - name: manifest
   image: plugins/manifest
   settings:
-    target: harbor.k-space.ee/${DRONE_REPO}:latest
-    template: harbor.k-space.ee/${DRONE_REPO}:latest-ARCH
+    target: ${DRONE_REPO}:latest
+    template: ${DRONE_REPO}:latest-ARCH
     platforms:
       - linux/amd64
       - linux/arm64

drone/application.yml

@@ -1,14 +1,3 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: application-config
-data:
-  DRONE_GITEA_SERVER: "https://git.k-space.ee"
-  DRONE_GIT_ALWAYS_AUTH: "false"
-  DRONE_PROMETHEUS_ANONYMOUS_ACCESS: "true"
-  DRONE_SERVER_HOST: "drone.k-space.ee"
-  DRONE_SERVER_PROTO: "https"
-  DRONE_USER_CREATE: "username:lauri,admin:true"
 ---
 apiVersion: v1
 kind: Service
@@ -59,14 +48,27 @@ spec:
           httpGet:
             path: /
             port: http
+        env:
+          - name: DRONE_GITEA_SERVER
+            value: https://git.k-space.ee
+          - name: DRONE_GIT_ALWAYS_AUTH
+            value: "false"
+          - name: DRONE_SERVER_HOST
+            value: drone.k-space.ee
+          - name: DRONE_SERVER_PROTO
+            value: https
+          - name: DRONE_USER_CREATE
+            value: username:lauri,admin:true
+          - name: DRONE_DEBUG
+            value: "true"
+          - name: DRONE_TRACE
+            value: "true"
         envFrom:
-        - secretRef:
-            name: application-secrets
-        - configMapRef:
-            name: application-config
+          - secretRef:
+              name: application-secrets
         volumeMounts:
-        - name: drone-data
-          mountPath: /data
+          - name: drone-data
+            mountPath: /data
   volumeClaimTemplates:
   - metadata:
       name: drone-data
@@ -78,21 +80,30 @@ spec:
         requests:
           storage: 8Gi
 ---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect
+spec:
+  redirectRegex:
+    regex: ^https://(.*)/register$
+    replacement: https://${1}/
+    permanent: false
+---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: drone
   annotations:
-    cert-manager.io/cluster-issuer: default
     external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
     kubernetes.io/ingress.class: traefik
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
+    traefik.ingress.kubernetes.io/router.middlewares: drone-redirect@kubernetescrd
 spec:
   tls:
     - hosts:
-        - "drone.k-space.ee"
-      secretName: drone-tls
+        - "*.k-space.ee"
   rules:
     - host: "drone.k-space.ee"
       http:

elastic-system/README.md

@@ -1,7 +1,7 @@
 # elastic-operator
 
 ```
-wget https://download.elastic.co/downloads/eck/2.2.0/crds.yaml
-wget https://download.elastic.co/downloads/eck/2.2.0/operator.yaml
+wget https://download.elastic.co/downloads/eck/2.4.0/crds.yaml
+wget https://download.elastic.co/downloads/eck/2.4.0/operator.yaml
 kubectl apply -n elastic-system -f application.yml -f crds.yaml -f operator.yaml
 ```

elastic-system/application.yml

@@ -1,15 +1,16 @@
+---
 apiVersion: beat.k8s.elastic.co/v1beta1
 kind: Beat
 metadata:
   name: filebeat
 spec:
   type: filebeat
-  version: 8.4.1
+  version: 8.4.3
   elasticsearchRef:
     name: elasticsearch
-  kibanaRef:
-    name: kibana
   config:
+    logging:
+      level: warning
     http:
       enabled: true
       port: 5066
@@ -24,50 +25,15 @@ spec:
               type: container
               paths:
               - /var/log/containers/*${data.kubernetes.container.id}.log
-    processors:
-      - drop_fields:
-          fields:
-            - stream
-            - target
-            - host
-          ignore_missing: true
-      - rename:
-          fields:
-            - from: "kubernetes.node.name"
-              to: "host"
-            - from: "kubernetes.pod.name"
-              to: "pod"
-            - from: "kubernetes.labels.app"
-              to: "app"
-            - from: "kubernetes.namespace"
-              to: "namespace"
-          ignore_missing: true
-      - drop_fields:
-          fields:
-            - input
-            - agent
-            - container
-            - ecs
-            - host
-            - kubernetes
-            - log
-            - "@metadata"
-          ignore_missing: true
-      - decode_json_fields:
-          fields:
-            - message
-          max_depth: 2
-          expand_keys: true
-          target: ""
-          add_error_key: true
   daemonSet:
     podTemplate:
+      metadata:
+        annotations:
+          co.elastic.logs/enabled: 'false'
       spec:
         serviceAccountName: filebeat
         automountServiceAccountToken: true
         terminationGracePeriodSeconds: 30
-        dnsPolicy: ClusterFirstWithHostNet
-        hostNetwork: true # Allows to provide richer host metadata
         containers:
         - name: filebeat
           securityContext:
@@ -84,6 +50,12 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
+          resources:
+            limits:
+              memory: 200Mi
+            requests:
+              cpu: 100m
+              memory: 100Mi
         - name: exporter
           image: sepa/beats-exporter
           args:
@@ -108,6 +80,104 @@ spec:
         - operator: "Exists"
           effect: "NoSchedule"
 ---
+apiVersion: beat.k8s.elastic.co/v1beta1
+kind: Beat
+metadata:
+  name: filebeat-syslog
+spec:
+  type: filebeat
+  version: 8.4.3
+  elasticsearchRef:
+    name: elasticsearch
+  config:
+    logging:
+      level: warning
+    http:
+      enabled: true
+      port: 5066
+    filebeat:
+      inputs:
+        - type: syslog
+          format: rfc5424
+          protocol.udp:
+            host: "0.0.0.0:1514"
+        - type: syslog
+          format: rfc5424
+          protocol.tcp:
+            host: "0.0.0.0:1514"
+  deployment:
+    replicas: 2
+    podTemplate:
+      metadata:
+        annotations:
+          co.elastic.logs/enabled: 'false'
+      spec:
+        terminationGracePeriodSeconds: 30
+        containers:
+        - name: filebeat
+          resources:
+            limits:
+              memory: 200Mi
+            requests:
+              cpu: 100m
+              memory: 100Mi
+          ports:
+            - containerPort: 1514
+              name: syslog
+              protocol: UDP
+          volumeMounts:
+            - name: filebeat-registry
+              mountPath: /usr/share/filebeat/data
+        - name: exporter
+          image: sepa/beats-exporter
+          args:
+            - -p=5066
+          ports:
+            - containerPort: 8080
+              name: exporter
+              protocol: TCP
+        volumes:
+          - name: filebeat-registry
+            emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: filebeat-syslog-udp
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: syslog.k-space.ee
+    metallb.universe.tf/allow-shared-ip: syslog.k-space.ee
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 172.20.51.4
+  ports:
+    - name: filebeat-syslog
+      port: 514
+      protocol: UDP
+      targetPort: 1514
+  selector:
+    beat.k8s.elastic.co/name: filebeat-syslog
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: filebeat-syslog-tcp
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: syslog.k-space.ee
+    metallb.universe.tf/allow-shared-ip: syslog.k-space.ee
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 172.20.51.4
+  ports:
+    - name: filebeat-syslog
+      port: 514
+      protocol: TCP
+      targetPort: 1514
+  selector:
+    beat.k8s.elastic.co/name: filebeat-syslog
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -148,12 +218,10 @@ kind: Elasticsearch
 metadata:
   name: elasticsearch
 spec:
-  version: 8.4.1
+  version: 8.4.3
   nodeSets:
   - name: default
-    count: 3
-    config:
-      node.store.allow_mmap: false
+    count: 1
     volumeClaimTemplates:
     - metadata:
         name: elasticsearch-data
@@ -163,7 +231,7 @@ spec:
         resources:
           requests:
             storage: 5Gi
-        storageClassName: local-path
+        storageClassName: longhorn
   http:
     tls:
       selfSignedCertificate:
@@ -174,8 +242,8 @@ kind: Kibana
 metadata:
   name: kibana
 spec:
-  version: 8.4.1
-  count: 2
+  version: 8.4.3
+  count: 1
   elasticsearchRef:
     name: elasticsearch
   http:
@@ -196,6 +264,23 @@ spec:
     entries:
     - key: elastic
       path: xpack.security.authc.providers.anonymous.anonymous1.credentials.password
+  podTemplate:
+    metadata:
+      annotations:
+        co.elastic.logs/enabled: 'false'
+    spec:
+      containers:
+        - name: kibana
+          readinessProbe:
+            httpGet:
+              path: /app/home
+              port: 5601
+              scheme: HTTP
+            initialDelaySeconds: 10
+            timeoutSeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -203,7 +288,6 @@ metadata:
   name: kibana
   annotations:
     kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
     traefik.ingress.kubernetes.io/router.tls: "true"
@@ -222,5 +306,26 @@ spec:
               number: 5601
   tls:
   - hosts:
-    - kibana.k-space.ee
-    secretName: kibana-tls
+    - "*.k-space.ee"
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: filebeat
+spec:
+  selector:
+    matchLabels:
+      beat.k8s.elastic.co/name: filebeat
+  podMetricsEndpoints:
+    - port: exporter
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: elasticsearch
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: elasticsearch-exporter
+  podMetricsEndpoints:
+    - port: exporter

elastic-system/crds.yaml

@@ -3,12 +3,12 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.9.1
   creationTimestamp: null
   labels:
     app.kubernetes.io/instance: 'elastic-operator'
     app.kubernetes.io/name: 'eck-operator-crds'
-    app.kubernetes.io/version: '2.2.0'
+    app.kubernetes.io/version: '2.4.0'
   name: agents.agent.k8s.elastic.co
 spec:
   group: agent.k8s.elastic.co
@@ -203,7 +203,7 @@ spec:
                         description: Spec is the specification of the service.
                         properties:
                           allocateLoadBalancerNodePorts:
-                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type. This field is beta-level and is only honored by servers that enable the ServiceLBNodePortControl feature.
+                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type.
                             type: boolean
                           clusterIP:
                             description: 'clusterIP is the IP address of the service and is usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be blank) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above).  Valid values are "None", empty string (""), or a valid IP address. Setting this to "None" makes a "headless service" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required.  Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies'
@@ -246,7 +246,7 @@ spec:
                             description: loadBalancerClass is the class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix, e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load balancer implementation is used, today this is typically done through the cloud provider integration, but should apply for any default implementation. If set, it is assumed that a load balancer implementation is watching for Services with a matching class. Any default load balancer implementation (e.g. cloud providers) should ignore Services that set this field. This field can only be set when creating or updating a Service to type 'LoadBalancer'. Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.
                             type: string
                           loadBalancerIP:
-                            description: 'Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.'
+                            description: 'Only applies to Service Type: LoadBalancer. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature. Deprecated: This field was under-specified and its meaning varies across implementations, and it cannot support dual-stack. As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. This field may be removed in a future API version.'
                             type: string
                           loadBalancerSourceRanges:
                             description: 'If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/'
@@ -259,7 +259,7 @@ spec:
                               description: ServicePort contains information on service's port.
                               properties:
                                 appProtocol:
-                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
+                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
                                   type: string
                                 name:
                                   description: The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. Optional if only one ServicePort is defined on this service.
@@ -376,6 +376,13 @@ spec:
                 - standalone
                 - fleet
                 type: string
+              policyID:
+                description: PolicyID optionally determines into which Agent Policy this Agent will be enrolled. If left empty the default policy will be used.
+                type: string
+              revisionHistoryLimit:
+                description: RevisionHistoryLimit is the number of revisions to retain to allow rollback in the underlying DaemonSet or Deployment.
+                format: int32
+                type: integer
               secureSettings:
                 description: SecureSettings is a list of references to Kubernetes Secrets containing sensitive configuration options for the Agent. Secrets data can be then referenced in the Agent config using the Secret's keys or as specified in `Entries` field of each SecureSetting.
                 items:
@@ -448,24 +455,18 @@ spec:
     storage: true
     subresources:
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
 ---
 # Source: eck-operator-crds/templates/all-crds.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.9.1
   creationTimestamp: null
   labels:
     app.kubernetes.io/instance: 'elastic-operator'
     app.kubernetes.io/name: 'eck-operator-crds'
-    app.kubernetes.io/version: '2.2.0'
+    app.kubernetes.io/version: '2.4.0'
   name: apmservers.apm.k8s.elastic.co
 spec:
   group: apm.k8s.elastic.co
@@ -565,7 +566,7 @@ spec:
                         description: Spec is the specification of the service.
                         properties:
                           allocateLoadBalancerNodePorts:
-                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type. This field is beta-level and is only honored by servers that enable the ServiceLBNodePortControl feature.
+                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type.
                             type: boolean
                           clusterIP:
                             description: 'clusterIP is the IP address of the service and is usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be blank) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above).  Valid values are "None", empty string (""), or a valid IP address. Setting this to "None" makes a "headless service" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required.  Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies'
@@ -608,7 +609,7 @@ spec:
                             description: loadBalancerClass is the class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix, e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load balancer implementation is used, today this is typically done through the cloud provider integration, but should apply for any default implementation. If set, it is assumed that a load balancer implementation is watching for Services with a matching class. Any default load balancer implementation (e.g. cloud providers) should ignore Services that set this field. This field can only be set when creating or updating a Service to type 'LoadBalancer'. Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.
                             type: string
                           loadBalancerIP:
-                            description: 'Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.'
+                            description: 'Only applies to Service Type: LoadBalancer. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature. Deprecated: This field was under-specified and its meaning varies across implementations, and it cannot support dual-stack. As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. This field may be removed in a future API version.'
                             type: string
                           loadBalancerSourceRanges:
                             description: 'If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/'
@@ -621,7 +622,7 @@ spec:
                               description: ServicePort contains information on service's port.
                               properties:
                                 appProtocol:
-                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
+                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
                                   type: string
                                 name:
                                   description: The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. Optional if only one ServicePort is defined on this service.
@@ -736,6 +737,10 @@ spec:
                 description: PodTemplate provides customisation options (labels, annotations, affinity rules, resource requests, and so on) for the APM Server pods.
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              revisionHistoryLimit:
+                description: RevisionHistoryLimit is the number of revisions to retain to allow rollback in the underlying Deployment.
+                format: int32
+                type: integer
               secureSettings:
                 description: SecureSettings is a list of references to Kubernetes secrets containing sensitive configuration options for APM Server.
                 items:
@@ -792,6 +797,10 @@ spec:
               kibanaAssociationStatus:
                 description: KibanaAssociationStatus is the status of any auto-linking to Kibana.
                 type: string
+              observedGeneration:
+                description: ObservedGeneration represents the .metadata.generation that the status is based upon. It corresponds to the metadata generation, which is updated on mutation by the API Server. If the generation observed in status diverges from the generation in metadata, the APM Server controller has not yet processed the changes contained in the APM Server specification.
+                format: int64
+                type: integer
               secretTokenSecret:
                 description: SecretTokenSecretName is the name of the Secret that contains the secret token
                 type: string
@@ -895,7 +904,7 @@ spec:
                         description: Spec is the specification of the service.
                         properties:
                           allocateLoadBalancerNodePorts:
-                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type. This field is beta-level and is only honored by servers that enable the ServiceLBNodePortControl feature.
+                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type.
                             type: boolean
                           clusterIP:
                             description: 'clusterIP is the IP address of the service and is usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be blank) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above).  Valid values are "None", empty string (""), or a valid IP address. Setting this to "None" makes a "headless service" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required.  Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies'
@@ -938,7 +947,7 @@ spec:
                             description: loadBalancerClass is the class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix, e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load balancer implementation is used, today this is typically done through the cloud provider integration, but should apply for any default implementation. If set, it is assumed that a load balancer implementation is watching for Services with a matching class. Any default load balancer implementation (e.g. cloud providers) should ignore Services that set this field. This field can only be set when creating or updating a Service to type 'LoadBalancer'. Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.
                             type: string
                           loadBalancerIP:
-                            description: 'Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.'
+                            description: 'Only applies to Service Type: LoadBalancer. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature. Deprecated: This field was under-specified and its meaning varies across implementations, and it cannot support dual-stack. As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. This field may be removed in a future API version.'
                             type: string
                           loadBalancerSourceRanges:
                             description: 'If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/'
@@ -951,7 +960,7 @@ spec:
                               description: ServicePort contains information on service's port.
                               properties:
                                 appProtocol:
-                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
+                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
                                   type: string
                                 name:
                                   description: The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. Optional if only one ServicePort is defined on this service.
@@ -1112,24 +1121,18 @@ spec:
         type: object
     served: false
     storage: false
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
 ---
 # Source: eck-operator-crds/templates/all-crds.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.9.1
   creationTimestamp: null
   labels:
     app.kubernetes.io/instance: 'elastic-operator'
     app.kubernetes.io/name: 'eck-operator-crds'
-    app.kubernetes.io/version: '2.2.0'
+    app.kubernetes.io/version: '2.4.0'
   name: beats.beat.k8s.elastic.co
 spec:
   group: beat.k8s.elastic.co
@@ -1294,6 +1297,10 @@ spec:
                     description: ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of the referenced resource is used.
                     type: string
                 type: object
+              revisionHistoryLimit:
+                description: RevisionHistoryLimit is the number of revisions to retain to allow rollback in the underlying DaemonSet or Deployment.
+                format: int32
+                type: integer
               secureSettings:
                 description: SecureSettings is a list of references to Kubernetes Secrets containing sensitive configuration options for the Beat. Secrets data can be then referenced in the Beat config using the Secret's keys or as specified in `Entries` field of each SecureSetting.
                 items:
@@ -1353,6 +1360,10 @@ spec:
               kibanaAssociationStatus:
                 description: AssociationStatus is the status of an association resource.
                 type: string
+              observedGeneration:
+                description: ObservedGeneration represents the .metadata.generation that the status is based upon. It corresponds to the metadata generation, which is updated on mutation by the API Server. If the generation observed in status diverges from the generation in metadata, the Beats controller has not yet processed the changes contained in the Beats specification.
+                format: int64
+                type: integer
               version:
                 description: 'Version of the stack resource currently running. During version upgrades, multiple versions may run in parallel: this value specifies the lowest version currently running.'
                 type: string
@@ -1362,24 +1373,18 @@ spec:
     storage: true
     subresources:
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
 ---
 # Source: eck-operator-crds/templates/all-crds.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.9.1
   creationTimestamp: null
   labels:
     app.kubernetes.io/instance: 'elastic-operator'
     app.kubernetes.io/name: 'eck-operator-crds'
-    app.kubernetes.io/version: '2.2.0'
+    app.kubernetes.io/version: '2.4.0'
   name: elasticmapsservers.maps.k8s.elastic.co
 spec:
   group: maps.k8s.elastic.co
@@ -1486,7 +1491,7 @@ spec:
                         description: Spec is the specification of the service.
                         properties:
                           allocateLoadBalancerNodePorts:
-                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type. This field is beta-level and is only honored by servers that enable the ServiceLBNodePortControl feature.
+                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type.
                             type: boolean
                           clusterIP:
                             description: 'clusterIP is the IP address of the service and is usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be blank) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above).  Valid values are "None", empty string (""), or a valid IP address. Setting this to "None" makes a "headless service" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required.  Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies'
@@ -1529,7 +1534,7 @@ spec:
                             description: loadBalancerClass is the class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix, e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load balancer implementation is used, today this is typically done through the cloud provider integration, but should apply for any default implementation. If set, it is assumed that a load balancer implementation is watching for Services with a matching class. Any default load balancer implementation (e.g. cloud providers) should ignore Services that set this field. This field can only be set when creating or updating a Service to type 'LoadBalancer'. Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.
                             type: string
                           loadBalancerIP:
-                            description: 'Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.'
+                            description: 'Only applies to Service Type: LoadBalancer. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature. Deprecated: This field was under-specified and its meaning varies across implementations, and it cannot support dual-stack. As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. This field may be removed in a future API version.'
                             type: string
                           loadBalancerSourceRanges:
                             description: 'If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/'
@@ -1542,7 +1547,7 @@ spec:
                               description: ServicePort contains information on service's port.
                               properties:
                                 appProtocol:
-                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
+                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
                                   type: string
                                 name:
                                   description: The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. Optional if only one ServicePort is defined on this service.
@@ -1641,6 +1646,10 @@ spec:
                 description: PodTemplate provides customisation options (labels, annotations, affinity rules, resource requests, and so on) for the Elastic Maps Server pods
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              revisionHistoryLimit:
+                description: RevisionHistoryLimit is the number of revisions to retain to allow rollback in the underlying Deployment.
+                format: int32
+                type: integer
               serviceAccountName:
                 description: ServiceAccountName is used to check access from the current resource to a resource (for ex. Elasticsearch) in a different namespace. Can only be used if ECK is enforcing RBAC on references.
                 type: string
@@ -1667,6 +1676,10 @@ spec:
               health:
                 description: Health of the deployment.
                 type: string
+              observedGeneration:
+                description: ObservedGeneration is the most recent generation observed for this Elastic Maps Server. It corresponds to the metadata generation, which is updated on mutation by the API Server. If the generation observed in status diverges from the generation in metadata, the Elastic Maps controller has not yet processed the changes contained in the Elastic Maps specification.
+                format: int64
+                type: integer
               selector:
                 description: Selector is the label selector used to find all pods.
                 type: string
@@ -1683,24 +1696,18 @@ spec:
         specReplicasPath: .spec.count
         statusReplicasPath: .status.count
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
 ---
 # Source: eck-operator-crds/templates/all-crds.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.9.1
   creationTimestamp: null
   labels:
     app.kubernetes.io/instance: 'elastic-operator'
     app.kubernetes.io/name: 'eck-operator-crds'
-    app.kubernetes.io/version: '2.2.0'
+    app.kubernetes.io/version: '2.4.0'
   name: elasticsearches.elasticsearch.k8s.elastic.co
 spec:
   group: elasticsearch.k8s.elastic.co
@@ -1803,7 +1810,7 @@ spec:
                         description: Spec is the specification of the service.
                         properties:
                           allocateLoadBalancerNodePorts:
-                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type. This field is beta-level and is only honored by servers that enable the ServiceLBNodePortControl feature.
+                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type.
                             type: boolean
                           clusterIP:
                             description: 'clusterIP is the IP address of the service and is usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be blank) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above).  Valid values are "None", empty string (""), or a valid IP address. Setting this to "None" makes a "headless service" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required.  Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies'
@@ -1846,7 +1853,7 @@ spec:
                             description: loadBalancerClass is the class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix, e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load balancer implementation is used, today this is typically done through the cloud provider integration, but should apply for any default implementation. If set, it is assumed that a load balancer implementation is watching for Services with a matching class. Any default load balancer implementation (e.g. cloud providers) should ignore Services that set this field. This field can only be set when creating or updating a Service to type 'LoadBalancer'. Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.
                             type: string
                           loadBalancerIP:
-                            description: 'Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.'
+                            description: 'Only applies to Service Type: LoadBalancer. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature. Deprecated: This field was under-specified and its meaning varies across implementations, and it cannot support dual-stack. As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. This field may be removed in a future API version.'
                             type: string
                           loadBalancerSourceRanges:
                             description: 'If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/'
@@ -1859,7 +1866,7 @@ spec:
                               description: ServicePort contains information on service's port.
                               properties:
                                 appProtocol:
-                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
+                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
                                   type: string
                                 name:
                                   description: The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. Optional if only one ServicePort is defined on this service.
@@ -2058,15 +2065,15 @@ spec:
                                 type: string
                             type: object
                           spec:
-                            description: 'Spec defines the desired characteristics of a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims'
+                            description: 'spec defines the desired characteristics of a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims'
                             properties:
                               accessModes:
-                                description: 'AccessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1'
+                                description: 'accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1'
                                 items:
                                   type: string
                                 type: array
                               dataSource:
-                                description: 'This field can be used to specify either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. If the AnyVolumeDataSource feature gate is enabled, this field will always have the same contents as the DataSourceRef field.'
+                                description: 'dataSource field can be used to specify either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. If the AnyVolumeDataSource feature gate is enabled, this field will always have the same contents as the DataSourceRef field.'
                                 properties:
                                   apiGroup:
                                     description: APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.
@@ -2081,8 +2088,9 @@ spec:
                                 - kind
                                 - name
                                 type: object
+                                x-kubernetes-map-type: atomic
                               dataSourceRef:
-                                description: 'Specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any local object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the functionality of the DataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, both fields (DataSource and DataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. There are two important differences between DataSource and DataSourceRef: * While DataSource only allows two specific types of objects, DataSourceRef allows any non-core object, as well as PersistentVolumeClaim objects. * While DataSource ignores disallowed values (dropping them), DataSourceRef preserves all values, and generates an error if a disallowed value is specified. (Alpha) Using this field requires the AnyVolumeDataSource feature gate to be enabled.'
+                                description: 'dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any local object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the functionality of the DataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, both fields (DataSource and DataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. There are two important differences between DataSource and DataSourceRef: * While DataSource only allows two specific types of objects, DataSourceRef allows any non-core object, as well as PersistentVolumeClaim objects. * While DataSource ignores disallowed values (dropping them), DataSourceRef preserves all values, and generates an error if a disallowed value is specified. (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.'
                                 properties:
                                   apiGroup:
                                     description: APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.
@@ -2097,8 +2105,9 @@ spec:
                                 - kind
                                 - name
                                 type: object
+                                x-kubernetes-map-type: atomic
                               resources:
-                                description: 'Resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
+                                description: 'resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
                                 properties:
                                   limits:
                                     additionalProperties:
@@ -2120,7 +2129,7 @@ spec:
                                     type: object
                                 type: object
                               selector:
-                                description: A label query over volumes to consider for binding.
+                                description: selector is a label query over volumes to consider for binding.
                                 properties:
                                   matchExpressions:
                                     description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -2149,21 +2158,22 @@ spec:
                                     description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                     type: object
                                 type: object
+                                x-kubernetes-map-type: atomic
                               storageClassName:
-                                description: 'Name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1'
+                                description: 'storageClassName is the name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1'
                                 type: string
                               volumeMode:
                                 description: volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec.
                                 type: string
                               volumeName:
-                                description: VolumeName is the binding reference to the PersistentVolume backing this claim.
+                                description: volumeName is the binding reference to the PersistentVolume backing this claim.
                                 type: string
                             type: object
                           status:
-                            description: 'Status represents the current information/status of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims'
+                            description: 'status represents the current information/status of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims'
                             properties:
                               accessModes:
-                                description: 'AccessModes contains the actual access modes the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1'
+                                description: 'accessModes contains the actual access modes the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1'
                                 items:
                                   type: string
                                 type: array
@@ -2174,7 +2184,7 @@ spec:
                                   - type: string
                                   pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                                   x-kubernetes-int-or-string: true
-                                description: The storage resource within AllocatedResources tracks the capacity allocated to a PVC. It may be larger than the actual capacity when a volume expansion operation is requested. For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. If a volume expansion capacity request is lowered, allocatedResources is only lowered if there are no expansion operations in progress and if the actual volume capacity is equal or lower than the requested capacity. This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
+                                description: allocatedResources is the storage resource within AllocatedResources tracks the capacity allocated to a PVC. It may be larger than the actual capacity when a volume expansion operation is requested. For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. If a volume expansion capacity request is lowered, allocatedResources is only lowered if there are no expansion operations in progress and if the actual volume capacity is equal or lower than the requested capacity. This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
                                 type: object
                               capacity:
                                 additionalProperties:
@@ -2183,26 +2193,26 @@ spec:
                                   - type: string
                                   pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                                   x-kubernetes-int-or-string: true
-                                description: Represents the actual resources of the underlying volume.
+                                description: capacity represents the actual resources of the underlying volume.
                                 type: object
                               conditions:
-                                description: Current Condition of persistent volume claim. If underlying persistent volume is being resized then the Condition will be set to 'ResizeStarted'.
+                                description: conditions is the current Condition of persistent volume claim. If underlying persistent volume is being resized then the Condition will be set to 'ResizeStarted'.
                                 items:
                                   description: PersistentVolumeClaimCondition contails details about state of pvc
                                   properties:
                                     lastProbeTime:
-                                      description: Last time we probed the condition.
+                                      description: lastProbeTime is the time we probed the condition.
                                       format: date-time
                                       type: string
                                     lastTransitionTime:
-                                      description: Last time the condition transitioned from one status to another.
+                                      description: lastTransitionTime is the time the condition transitioned from one status to another.
                                       format: date-time
                                       type: string
                                     message:
-                                      description: Human-readable message indicating details about last transition.
+                                      description: message is the human-readable message indicating details about last transition.
                                       type: string
                                     reason:
-                                      description: Unique, this should be a short, machine understandable string that gives the reason for condition's last transition. If it reports "ResizeStarted" that means the underlying persistent volume is being resized.
+                                      description: reason is a unique, this should be a short, machine understandable string that gives the reason for condition's last transition. If it reports "ResizeStarted" that means the underlying persistent volume is being resized.
                                       type: string
                                     status:
                                       type: string
@@ -2215,10 +2225,10 @@ spec:
                                   type: object
                                 type: array
                               phase:
-                                description: Phase represents the current phase of PersistentVolumeClaim.
+                                description: phase represents the current phase of PersistentVolumeClaim.
                                 type: string
                               resizeStatus:
-                                description: ResizeStatus stores status of resize operation. ResizeStatus is not set by default but when expansion is complete resizeStatus is set to empty string by resize controller or kubelet. This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
+                                description: resizeStatus stores status of resize operation. ResizeStatus is not set by default but when expansion is complete resizeStatus is set to empty string by resize controller or kubelet. This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
                                 type: string
                             type: object
                         type: object
@@ -2267,7 +2277,7 @@ spec:
                         description: An eviction is allowed if at least "minAvailable" pods selected by "selector" will still be available after the eviction, i.e. even in the absence of the evicted pod.  So for example you can prevent all voluntary evictions by specifying "100%".
                         x-kubernetes-int-or-string: true
                       selector:
-                        description: Label query over pods whose evictions are managed by the disruption budget. A null selector selects no pods. An empty selector ({}) also selects no pods, which differs from standard behavior of selecting all pods. In policy/v1, an empty selector will select all pods in the namespace.
+                        description: Label query over pods whose evictions are managed by the disruption budget. A null selector will match no pods, while an empty ({}) selector will select all pods within the namespace.
                         properties:
                           matchExpressions:
                             description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -2296,6 +2306,7 @@ spec:
                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                             type: object
                         type: object
+                        x-kubernetes-map-type: atomic
                     type: object
                 type: object
               remoteClusters:
@@ -2324,6 +2335,10 @@ spec:
                   - name
                   type: object
                 type: array
+              revisionHistoryLimit:
+                description: RevisionHistoryLimit is the number of revisions to retain to allow rollback in the underlying StatefulSets.
+                format: int32
+                type: integer
               secureSettings:
                 description: SecureSettings is a list of references to Kubernetes secrets containing sensitive configuration options for Elasticsearch.
                 items:
@@ -2384,7 +2399,7 @@ spec:
                         description: Spec is the specification of the service.
                         properties:
                           allocateLoadBalancerNodePorts:
-                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type. This field is beta-level and is only honored by servers that enable the ServiceLBNodePortControl feature.
+                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type.
                             type: boolean
                           clusterIP:
                             description: 'clusterIP is the IP address of the service and is usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be blank) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above).  Valid values are "None", empty string (""), or a valid IP address. Setting this to "None" makes a "headless service" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required.  Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies'
@@ -2427,7 +2442,7 @@ spec:
                             description: loadBalancerClass is the class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix, e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load balancer implementation is used, today this is typically done through the cloud provider integration, but should apply for any default implementation. If set, it is assumed that a load balancer implementation is watching for Services with a matching class. Any default load balancer implementation (e.g. cloud providers) should ignore Services that set this field. This field can only be set when creating or updating a Service to type 'LoadBalancer'. Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.
                             type: string
                           loadBalancerIP:
-                            description: 'Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.'
+                            description: 'Only applies to Service Type: LoadBalancer. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature. Deprecated: This field was under-specified and its meaning varies across implementations, and it cannot support dual-stack. As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. This field may be removed in a future API version.'
                             type: string
                           loadBalancerSourceRanges:
                             description: 'If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/'
@@ -2440,7 +2455,7 @@ spec:
                               description: ServicePort contains information on service's port.
                               properties:
                                 appProtocol:
-                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
+                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
                                   type: string
                                 name:
                                   description: The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. Optional if only one ServicePort is defined on this service.
@@ -2764,7 +2779,7 @@ spec:
                         description: Spec is the specification of the service.
                         properties:
                           allocateLoadBalancerNodePorts:
-                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type. This field is beta-level and is only honored by servers that enable the ServiceLBNodePortControl feature.
+                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type.
                             type: boolean
                           clusterIP:
                             description: 'clusterIP is the IP address of the service and is usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be blank) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above).  Valid values are "None", empty string (""), or a valid IP address. Setting this to "None" makes a "headless service" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required.  Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies'
@@ -2807,7 +2822,7 @@ spec:
                             description: loadBalancerClass is the class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix, e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load balancer implementation is used, today this is typically done through the cloud provider integration, but should apply for any default implementation. If set, it is assumed that a load balancer implementation is watching for Services with a matching class. Any default load balancer implementation (e.g. cloud providers) should ignore Services that set this field. This field can only be set when creating or updating a Service to type 'LoadBalancer'. Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.
                             type: string
                           loadBalancerIP:
-                            description: 'Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.'
+                            description: 'Only applies to Service Type: LoadBalancer. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature. Deprecated: This field was under-specified and its meaning varies across implementations, and it cannot support dual-stack. As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. This field may be removed in a future API version.'
                             type: string
                           loadBalancerSourceRanges:
                             description: 'If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/'
@@ -2820,7 +2835,7 @@ spec:
                               description: ServicePort contains information on service's port.
                               properties:
                                 appProtocol:
-                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
+                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
                                   type: string
                                 name:
                                   description: The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. Optional if only one ServicePort is defined on this service.
@@ -2968,15 +2983,15 @@ spec:
                                 type: string
                             type: object
                           spec:
-                            description: 'Spec defines the desired characteristics of a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims'
+                            description: 'spec defines the desired characteristics of a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims'
                             properties:
                               accessModes:
-                                description: 'AccessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1'
+                                description: 'accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1'
                                 items:
                                   type: string
                                 type: array
                               dataSource:
-                                description: 'This field can be used to specify either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. If the AnyVolumeDataSource feature gate is enabled, this field will always have the same contents as the DataSourceRef field.'
+                                description: 'dataSource field can be used to specify either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. If the AnyVolumeDataSource feature gate is enabled, this field will always have the same contents as the DataSourceRef field.'
                                 properties:
                                   apiGroup:
                                     description: APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.
@@ -2991,8 +3006,9 @@ spec:
                                 - kind
                                 - name
                                 type: object
+                                x-kubernetes-map-type: atomic
                               dataSourceRef:
-                                description: 'Specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any local object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the functionality of the DataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, both fields (DataSource and DataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. There are two important differences between DataSource and DataSourceRef: * While DataSource only allows two specific types of objects, DataSourceRef allows any non-core object, as well as PersistentVolumeClaim objects. * While DataSource ignores disallowed values (dropping them), DataSourceRef preserves all values, and generates an error if a disallowed value is specified. (Alpha) Using this field requires the AnyVolumeDataSource feature gate to be enabled.'
+                                description: 'dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any local object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the functionality of the DataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, both fields (DataSource and DataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. There are two important differences between DataSource and DataSourceRef: * While DataSource only allows two specific types of objects, DataSourceRef allows any non-core object, as well as PersistentVolumeClaim objects. * While DataSource ignores disallowed values (dropping them), DataSourceRef preserves all values, and generates an error if a disallowed value is specified. (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.'
                                 properties:
                                   apiGroup:
                                     description: APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.
@@ -3007,8 +3023,9 @@ spec:
                                 - kind
                                 - name
                                 type: object
+                                x-kubernetes-map-type: atomic
                               resources:
-                                description: 'Resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
+                                description: 'resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
                                 properties:
                                   limits:
                                     additionalProperties:
@@ -3030,7 +3047,7 @@ spec:
                                     type: object
                                 type: object
                               selector:
-                                description: A label query over volumes to consider for binding.
+                                description: selector is a label query over volumes to consider for binding.
                                 properties:
                                   matchExpressions:
                                     description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -3059,21 +3076,22 @@ spec:
                                     description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                     type: object
                                 type: object
+                                x-kubernetes-map-type: atomic
                               storageClassName:
-                                description: 'Name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1'
+                                description: 'storageClassName is the name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1'
                                 type: string
                               volumeMode:
                                 description: volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec.
                                 type: string
                               volumeName:
-                                description: VolumeName is the binding reference to the PersistentVolume backing this claim.
+                                description: volumeName is the binding reference to the PersistentVolume backing this claim.
                                 type: string
                             type: object
                           status:
-                            description: 'Status represents the current information/status of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims'
+                            description: 'status represents the current information/status of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims'
                             properties:
                               accessModes:
-                                description: 'AccessModes contains the actual access modes the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1'
+                                description: 'accessModes contains the actual access modes the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1'
                                 items:
                                   type: string
                                 type: array
@@ -3084,7 +3102,7 @@ spec:
                                   - type: string
                                   pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                                   x-kubernetes-int-or-string: true
-                                description: The storage resource within AllocatedResources tracks the capacity allocated to a PVC. It may be larger than the actual capacity when a volume expansion operation is requested. For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. If a volume expansion capacity request is lowered, allocatedResources is only lowered if there are no expansion operations in progress and if the actual volume capacity is equal or lower than the requested capacity. This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
+                                description: allocatedResources is the storage resource within AllocatedResources tracks the capacity allocated to a PVC. It may be larger than the actual capacity when a volume expansion operation is requested. For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. If a volume expansion capacity request is lowered, allocatedResources is only lowered if there are no expansion operations in progress and if the actual volume capacity is equal or lower than the requested capacity. This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
                                 type: object
                               capacity:
                                 additionalProperties:
@@ -3093,26 +3111,26 @@ spec:
                                   - type: string
                                   pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                                   x-kubernetes-int-or-string: true
-                                description: Represents the actual resources of the underlying volume.
+                                description: capacity represents the actual resources of the underlying volume.
                                 type: object
                               conditions:
-                                description: Current Condition of persistent volume claim. If underlying persistent volume is being resized then the Condition will be set to 'ResizeStarted'.
+                                description: conditions is the current Condition of persistent volume claim. If underlying persistent volume is being resized then the Condition will be set to 'ResizeStarted'.
                                 items:
                                   description: PersistentVolumeClaimCondition contails details about state of pvc
                                   properties:
                                     lastProbeTime:
-                                      description: Last time we probed the condition.
+                                      description: lastProbeTime is the time we probed the condition.
                                       format: date-time
                                       type: string
                                     lastTransitionTime:
-                                      description: Last time the condition transitioned from one status to another.
+                                      description: lastTransitionTime is the time the condition transitioned from one status to another.
                                       format: date-time
                                       type: string
                                     message:
-                                      description: Human-readable message indicating details about last transition.
+                                      description: message is the human-readable message indicating details about last transition.
                                       type: string
                                     reason:
-                                      description: Unique, this should be a short, machine understandable string that gives the reason for condition's last transition. If it reports "ResizeStarted" that means the underlying persistent volume is being resized.
+                                      description: reason is a unique, this should be a short, machine understandable string that gives the reason for condition's last transition. If it reports "ResizeStarted" that means the underlying persistent volume is being resized.
                                       type: string
                                     status:
                                       type: string
@@ -3125,10 +3143,10 @@ spec:
                                   type: object
                                 type: array
                               phase:
-                                description: Phase represents the current phase of PersistentVolumeClaim.
+                                description: phase represents the current phase of PersistentVolumeClaim.
                                 type: string
                               resizeStatus:
-                                description: ResizeStatus stores status of resize operation. ResizeStatus is not set by default but when expansion is complete resizeStatus is set to empty string by resize controller or kubelet. This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
+                                description: resizeStatus stores status of resize operation. ResizeStatus is not set by default but when expansion is complete resizeStatus is set to empty string by resize controller or kubelet. This is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.
                                 type: string
                             type: object
                         type: object
@@ -3207,6 +3225,7 @@ spec:
                             description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                             type: object
                         type: object
+                        x-kubernetes-map-type: atomic
                     type: object
                 type: object
               secureSettings:
@@ -3283,24 +3302,18 @@ spec:
         type: object
     served: false
     storage: false
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
 ---
 # Source: eck-operator-crds/templates/all-crds.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.9.1
   creationTimestamp: null
   labels:
     app.kubernetes.io/instance: 'elastic-operator'
     app.kubernetes.io/name: 'eck-operator-crds'
-    app.kubernetes.io/version: '2.2.0'
+    app.kubernetes.io/version: '2.4.0'
   name: enterprisesearches.enterprisesearch.k8s.elastic.co
 spec:
   group: enterprisesearch.k8s.elastic.co
@@ -3407,7 +3420,7 @@ spec:
                         description: Spec is the specification of the service.
                         properties:
                           allocateLoadBalancerNodePorts:
-                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type. This field is beta-level and is only honored by servers that enable the ServiceLBNodePortControl feature.
+                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type.
                             type: boolean
                           clusterIP:
                             description: 'clusterIP is the IP address of the service and is usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be blank) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above).  Valid values are "None", empty string (""), or a valid IP address. Setting this to "None" makes a "headless service" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required.  Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies'
@@ -3450,7 +3463,7 @@ spec:
                             description: loadBalancerClass is the class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix, e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load balancer implementation is used, today this is typically done through the cloud provider integration, but should apply for any default implementation. If set, it is assumed that a load balancer implementation is watching for Services with a matching class. Any default load balancer implementation (e.g. cloud providers) should ignore Services that set this field. This field can only be set when creating or updating a Service to type 'LoadBalancer'. Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.
                             type: string
                           loadBalancerIP:
-                            description: 'Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.'
+                            description: 'Only applies to Service Type: LoadBalancer. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature. Deprecated: This field was under-specified and its meaning varies across implementations, and it cannot support dual-stack. As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. This field may be removed in a future API version.'
                             type: string
                           loadBalancerSourceRanges:
                             description: 'If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/'
@@ -3463,7 +3476,7 @@ spec:
                               description: ServicePort contains information on service's port.
                               properties:
                                 appProtocol:
-                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
+                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
                                   type: string
                                 name:
                                   description: The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. Optional if only one ServicePort is defined on this service.
@@ -3562,6 +3575,10 @@ spec:
                 description: PodTemplate provides customisation options (labels, annotations, affinity rules, resource requests, and so on) for the Enterprise Search pods.
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              revisionHistoryLimit:
+                description: RevisionHistoryLimit is the number of revisions to retain to allow rollback in the underlying Deployment.
+                format: int32
+                type: integer
               serviceAccountName:
                 description: ServiceAccountName is used to check access from the current resource to a resource (for ex. Elasticsearch) in a different namespace. Can only be used if ECK is enforcing RBAC on references.
                 type: string
@@ -3586,6 +3603,10 @@ spec:
               health:
                 description: Health of the deployment.
                 type: string
+              observedGeneration:
+                description: ObservedGeneration represents the .metadata.generation that the status is based upon. It corresponds to the metadata generation, which is updated on mutation by the API Server. If the generation observed in status diverges from the generation in metadata, the Enterprise Search controller has not yet processed the changes contained in the Enterprise Search specification.
+                format: int64
+                type: integer
               selector:
                 description: Selector is the label selector used to find all pods.
                 type: string
@@ -3697,7 +3718,7 @@ spec:
                         description: Spec is the specification of the service.
                         properties:
                           allocateLoadBalancerNodePorts:
-                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type. This field is beta-level and is only honored by servers that enable the ServiceLBNodePortControl feature.
+                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type.
                             type: boolean
                           clusterIP:
                             description: 'clusterIP is the IP address of the service and is usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be blank) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above).  Valid values are "None", empty string (""), or a valid IP address. Setting this to "None" makes a "headless service" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required.  Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies'
@@ -3740,7 +3761,7 @@ spec:
                             description: loadBalancerClass is the class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix, e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load balancer implementation is used, today this is typically done through the cloud provider integration, but should apply for any default implementation. If set, it is assumed that a load balancer implementation is watching for Services with a matching class. Any default load balancer implementation (e.g. cloud providers) should ignore Services that set this field. This field can only be set when creating or updating a Service to type 'LoadBalancer'. Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.
                             type: string
                           loadBalancerIP:
-                            description: 'Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.'
+                            description: 'Only applies to Service Type: LoadBalancer. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature. Deprecated: This field was under-specified and its meaning varies across implementations, and it cannot support dual-stack. As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. This field may be removed in a future API version.'
                             type: string
                           loadBalancerSourceRanges:
                             description: 'If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/'
@@ -3753,7 +3774,7 @@ spec:
                               description: ServicePort contains information on service's port.
                               properties:
                                 appProtocol:
-                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
+                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
                                   type: string
                                 name:
                                   description: The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. Optional if only one ServicePort is defined on this service.
@@ -3891,24 +3912,18 @@ spec:
     storage: false
     subresources:
       status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
 ---
 # Source: eck-operator-crds/templates/all-crds.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
+    controller-gen.kubebuilder.io/version: v0.9.1
   creationTimestamp: null
   labels:
     app.kubernetes.io/instance: 'elastic-operator'
     app.kubernetes.io/name: 'eck-operator-crds'
-    app.kubernetes.io/version: '2.2.0'
+    app.kubernetes.io/version: '2.4.0'
   name: kibanas.kibana.k8s.elastic.co
 spec:
   group: kibana.k8s.elastic.co
@@ -4024,7 +4039,7 @@ spec:
                         description: Spec is the specification of the service.
                         properties:
                           allocateLoadBalancerNodePorts:
-                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type. This field is beta-level and is only honored by servers that enable the ServiceLBNodePortControl feature.
+                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type.
                             type: boolean
                           clusterIP:
                             description: 'clusterIP is the IP address of the service and is usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be blank) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above).  Valid values are "None", empty string (""), or a valid IP address. Setting this to "None" makes a "headless service" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required.  Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies'
@@ -4067,7 +4082,7 @@ spec:
                             description: loadBalancerClass is the class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix, e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load balancer implementation is used, today this is typically done through the cloud provider integration, but should apply for any default implementation. If set, it is assumed that a load balancer implementation is watching for Services with a matching class. Any default load balancer implementation (e.g. cloud providers) should ignore Services that set this field. This field can only be set when creating or updating a Service to type 'LoadBalancer'. Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.
                             type: string
                           loadBalancerIP:
-                            description: 'Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.'
+                            description: 'Only applies to Service Type: LoadBalancer. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature. Deprecated: This field was under-specified and its meaning varies across implementations, and it cannot support dual-stack. As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. This field may be removed in a future API version.'
                             type: string
                           loadBalancerSourceRanges:
                             description: 'If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/'
@@ -4080,7 +4095,7 @@ spec:
                               description: ServicePort contains information on service's port.
                               properties:
                                 appProtocol:
-                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
+                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
                                   type: string
                                 name:
                                   description: The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. Optional if only one ServicePort is defined on this service.
@@ -4229,6 +4244,10 @@ spec:
                 description: PodTemplate provides customisation options (labels, annotations, affinity rules, resource requests, and so on) for the Kibana pods
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              revisionHistoryLimit:
+                description: RevisionHistoryLimit is the number of revisions to retain to allow rollback in the underlying Deployment.
+                format: int32
+                type: integer
               secureSettings:
                 description: SecureSettings is a list of references to Kubernetes secrets containing sensitive configuration options for Kibana.
                 items:
@@ -4395,7 +4414,7 @@ spec:
                         description: Spec is the specification of the service.
                         properties:
                           allocateLoadBalancerNodePorts:
-                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type. This field is beta-level and is only honored by servers that enable the ServiceLBNodePortControl feature.
+                            description: allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.  Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts.  If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type.
                             type: boolean
                           clusterIP:
                             description: 'clusterIP is the IP address of the service and is usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be blank) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above).  Valid values are "None", empty string (""), or a valid IP address. Setting this to "None" makes a "headless service" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required.  Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies'
@@ -4438,7 +4457,7 @@ spec:
                             description: loadBalancerClass is the class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix, e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load balancer implementation is used, today this is typically done through the cloud provider integration, but should apply for any default implementation. If set, it is assumed that a load balancer implementation is watching for Services with a matching class. Any default load balancer implementation (e.g. cloud providers) should ignore Services that set this field. This field can only be set when creating or updating a Service to type 'LoadBalancer'. Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.
                             type: string
                           loadBalancerIP:
-                            description: 'Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.'
+                            description: 'Only applies to Service Type: LoadBalancer. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature. Deprecated: This field was under-specified and its meaning varies across implementations, and it cannot support dual-stack. As of Kubernetes v1.24, users are encouraged to use implementation-specific annotations when available. This field may be removed in a future API version.'
                             type: string
                           loadBalancerSourceRanges:
                             description: 'If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/'
@@ -4451,7 +4470,7 @@ spec:
                               description: ServicePort contains information on service's port.
                               properties:
                                 appProtocol:
-                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
+                                  description: The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.
                                   type: string
                                 name:
                                   description: The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. Optional if only one ServicePort is defined on this service.
@@ -4606,10 +4625,4 @@ spec:
         type: object
     served: false
     storage: false
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
 

elastic-system/operator.yaml

@@ -14,7 +14,7 @@ metadata:
   namespace: elastic-system
   labels:
     control-plane: elastic-operator
-    app.kubernetes.io/version: "2.2.0"
+    app.kubernetes.io/version: "2.4.0"
 ---
 # Source: eck-operator/templates/webhook.yaml
 apiVersion: v1
@@ -24,7 +24,7 @@ metadata:
   namespace: elastic-system
   labels:
     control-plane: elastic-operator
-    app.kubernetes.io/version: "2.2.0"
+    app.kubernetes.io/version: "2.4.0"
 ---
 # Source: eck-operator/templates/configmap.yaml
 apiVersion: v1
@@ -34,7 +34,7 @@ metadata:
   namespace: elastic-system
   labels:
     control-plane: elastic-operator
-    app.kubernetes.io/version: "2.2.0"
+    app.kubernetes.io/version: "2.4.0"
 data:
   eck.yaml: |-
     log-verbosity: 0
@@ -54,6 +54,7 @@ data:
     validate-storage-class: true
     enable-webhook: true
     webhook-name: elastic-webhook.k8s.elastic.co
+    enable-leader-election: true
 ---
 # Source: eck-operator/templates/cluster-roles.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -62,7 +63,7 @@ metadata:
   name: elastic-operator
   labels:
     control-plane: elastic-operator
-    app.kubernetes.io/version: "2.2.0"
+    app.kubernetes.io/version: "2.4.0"
 rules:
 - apiGroups:
   - "authorization.k8s.io"
@@ -70,6 +71,22 @@ rules:
   - subjectaccessreviews
   verbs:
   - create
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  resourceNames:
+  - elastic-operator-leader
+  verbs:
+  - get
+  - watch
+  - update
 - apiGroups:
   - ""
   resources:
@@ -251,7 +268,7 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     control-plane: elastic-operator
-    app.kubernetes.io/version: "2.2.0"
+    app.kubernetes.io/version: "2.4.0"
 rules:
 - apiGroups: ["elasticsearch.k8s.elastic.co"]
   resources: ["elasticsearches"]
@@ -284,7 +301,7 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     control-plane: elastic-operator
-    app.kubernetes.io/version: "2.2.0"
+    app.kubernetes.io/version: "2.4.0"
 rules:
 - apiGroups: ["elasticsearch.k8s.elastic.co"]
   resources: ["elasticsearches"]
@@ -315,7 +332,7 @@ metadata:
   name: elastic-operator
   labels:
     control-plane: elastic-operator
-    app.kubernetes.io/version: "2.2.0"
+    app.kubernetes.io/version: "2.4.0"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -333,7 +350,7 @@ metadata:
   namespace: elastic-system
   labels:
     control-plane: elastic-operator
-    app.kubernetes.io/version: "2.2.0"
+    app.kubernetes.io/version: "2.4.0"
 spec:
   ports:
   - name: https
@@ -350,7 +367,7 @@ metadata:
   namespace: elastic-system
   labels:
     control-plane: elastic-operator
-    app.kubernetes.io/version: "2.2.0"
+    app.kubernetes.io/version: "2.4.0"
 spec:
   selector:
     matchLabels:
@@ -363,7 +380,7 @@ spec:
         # Rename the fields "error" to "error.message" and "source" to "event.source"
         # This is to avoid a conflict with the ECS "error" and "source" documents.
         "co.elastic.logs/raw": "[{\"type\":\"container\",\"json.keys_under_root\":true,\"paths\":[\"/var/log/containers/*${data.kubernetes.container.id}.log\"],\"processors\":[{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"error\",\"to\":\"_error\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_error\",\"to\":\"error.message\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"source\",\"to\":\"_source\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_source\",\"to\":\"event.source\"}]}}]}]"
-        "checksum/config": 302bbb79b6fb0ffa41fcc06e164252c7dad887cf4d8149c8e1e5203c7651277e
+        "checksum/config": a99a5f63f628a1ca8df440c12506cdfbf17827a1175dc5765b05f22f92b12b95
       labels:
         control-plane: elastic-operator
     spec:
@@ -372,7 +389,7 @@ spec:
       securityContext:
         runAsNonRoot: true
       containers:
-      - image: "docker.elastic.co/eck/eck-operator:2.2.0"
+      - image: "docker.elastic.co/eck/eck-operator:2.4.0"
         imagePullPolicy: IfNotPresent
         name: manager
         args:
@@ -423,7 +440,7 @@ metadata:
   name: elastic-webhook.k8s.elastic.co
   labels:
     control-plane: elastic-operator
-    app.kubernetes.io/version: "2.2.0"
+    app.kubernetes.io/version: "2.4.0"
 webhooks:
 - clientConfig:
     caBundle: Cg==

etherpad/README.md

@@ -1,12 +1,5 @@
 To apply changes:
 
 ```
-kubectl apply -n etherpad -f application.yml -f networkpolicy-base.yml
+kubectl apply -n etherpad -f application.yml
 ```
-
-Initialize MySQL secrets:
-
-```
-kubectl create secret generic -n etherpad mariadb-secrets \
-     --from-literal=MYSQL_ROOT_PASSWORD=$(cat /dev/urandom | base64 | head -c 30) \
-     --from-literal=MYSQL_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)

etherpad/application.yml

@@ -1,4 +1,12 @@
 ---
+apiVersion: codemowers.io/v1alpha1
+kind: OIDCGWMiddlewareClient
+metadata:
+  name: sso
+spec:
+  displayName: Etherpad
+  uri: 'https://pad.k-space.ee/'
+---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -32,6 +40,8 @@ spec:
           ports:
             - containerPort: 9001
           env:
+            - name: MINIFY
+              value: 'false'
             - name: DB_TYPE
               value: mysql
             - name: DB_HOST
@@ -79,7 +89,6 @@ metadata:
   namespace: etherpad
   annotations:
     kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
     external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
@@ -97,8 +106,7 @@ spec:
               number: 9001
   tls:
   - hosts:
-    - pad.k-space.ee
-    secretName: pad-tls
+    - "*.k-space.ee"
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -110,97 +118,20 @@ spec:
     matchLabels:
       app: etherpad
   policyTypes:
-  - Ingress
-  - Egress
+    - Ingress
+    - Egress
   ingress:
     - from:
         - namespaceSelector:
             matchLabels:
               kubernetes.io/metadata.name: traefik
       ports:
-        - protocol: TCP
-          port: 9001
+        - port: 9001
+          protocol: TCP
   egress:
-    - to:
+    - ports:
+        - port: 3306
+          protocol: TCP
+      to:
         - ipBlock:
             cidr: 172.20.36.1/32
-      ports:
-        - protocol: TCP
-          port: 3306
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: mysql-operator
-spec:
-  podSelector:
-    matchLabels:
-      app: etherpad
-  policyTypes:
-  - Ingress
-  - Egress
-  ingress:
-    - # TODO: Not sure why mysql-operator needs to be able to connect
-      from:
-        - namespaceSelector:
-           matchExpressions:
-             - key: kubernetes.io/metadata.name
-               operator: In
-               values:
-                 - mysql-operator
-      ports:
-        - protocol: TCP
-          port: 3306
-    - # Allow connecting from other MySQL pods in same namespace
-      from:
-        - podSelector:
-            matchLabels:
-              app.kubernetes.io/managed-by: mysql-operator
-      ports:
-        - protocol: TCP
-          port: 3306
-  egress:
-    - # Allow connecting to other MySQL pods in same namespace
-      to:
-        - podSelector:
-            matchLabels:
-              app.kubernetes.io/managed-by: mysql-operator
-      ports:
-        - protocol: TCP
-          port: 3306
----
-apiVersion: mysql.oracle.com/v2
-kind: InnoDBCluster
-metadata:
-  name: mysql-cluster
-spec:
-  secretName: mysql-secrets
-  instances: 3
-  router:
-    instances: 1
-  tlsUseSelfSigned: true
-  datadirVolumeClaimTemplate:
-    storageClassName: local-path
-    accessModes:
-      - ReadWriteOnce
-    resources:
-      requests:
-        storage: "10Gi"
-  podSpec:
-    affinity:
-      podAntiAffinity:
-        requiredDuringSchedulingIgnoredDuringExecution:
-          - labelSelector:
-              matchExpressions:
-                - key: app.kubernetes.io/managed-by
-                  operator: In
-                  values:
-                    - mysql-operator
-            topologyKey: kubernetes.io/hostname
-    nodeSelector:
-      dedicated: storage
-    tolerations:
-      - key: dedicated
-        operator: Equal
-        value: storage
-        effect: NoSchedule

external-dns/README.md

@@ -1,15 +0,0 @@
-Before applying replace the secret with the actual one.
-
-For debugging add `- --log-level=debug`:
-
-
-```
-kubectl apply -n external-dns -f external-dns.yml
-```
-
-Insert TSIG secret:
-
-```
- kubectl -n external-dns create secret generic tsig-secret \
-    --from-literal=TSIG_SECRET=<secret>
-```

external-dns/application.yml

@@ -1,84 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: external-dns
-  namespace: external-dns
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - services
-  - endpoints
-  - pods
-  - nodes
-  verbs:
-  - get
-  - watch
-  - list
-- apiGroups:
-  - extensions
-  - networking.k8s.io
-  resources:
-  - ingresses
-  verbs:
-  - get
-  - list
-  - watch
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: external-dns
-  namespace: external-dns
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: external-dns-viewer
-  namespace: external-dns
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: external-dns
-subjects:
-- kind: ServiceAccount
-  name: external-dns
-  namespace: external-dns
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: external-dns
-  namespace: external-dns
-spec:
-  revisionHistoryLimit: 0
-  selector:
-    matchLabels:
-      app: external-dns
-  template:
-    metadata:
-      labels:
-        app: external-dns
-    spec:
-      serviceAccountName: external-dns
-      containers:
-      - name: external-dns
-        image: k8s.gcr.io/external-dns/external-dns:v0.10.2
-        envFrom:
-        - secretRef:
-            name: tsig-secret
-        args:
-        - --registry=txt
-        - --txt-prefix=external-dns-
-        - --txt-owner-id=k8s
-        - --provider=rfc2136
-        - --source=ingress
-        - --source=service
-        - --domain-filter=k-space.ee
-        - --rfc2136-host=193.40.103.2
-        - --rfc2136-port=53
-        - --rfc2136-zone=k-space.ee
-        - --rfc2136-tsig-keyname=acme
-        - --rfc2136-tsig-secret-alg=hmac-sha512
-        - --rfc2136-tsig-secret=$(TSIG_SECRET)
-        # https://github.com/kubernetes-sigs/external-dns/issues/2446

freescout/README.md

@@ -0,0 +1,9 @@
+# Freescout
+
+This application is managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/freescout)
+
+Should ArgoCD be down manifests here can be applied with:
+
+```
+kubectl apply -n freescout -f application.yaml
+```

freescout/application.yml

@@ -1,4 +1,217 @@
 ---
+apiVersion: codemowers.io/v1alpha1
+kind: OIDCGWMiddlewareClient
+metadata:
+  name: freescout
+spec:
+  displayName: Freescout Middleware
+  uri: 'https://freescout.k-space.ee'
+  allowedGroups:
+    - k-space:floor
+  headerMapping:
+    email: Remote-Email
+    groups: Remote-Groups
+    name: Remote-Name
+    user: Remote-User
+---
+apiVersion: codemowers.io/v1alpha1
+kind: OIDCGWClient
+metadata:
+  name: freescout
+spec:
+  displayName: Freescout
+  uri: https://freescout.k-space.ee
+  redirectUris:
+    - https://freescout.k-space.ee/oauth_callback
+  allowedGroups:
+    - k-space:floor
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  availableScopes:
+    - openid
+    - profile
+  pkce: false
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: oidc-gateway
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+    traefik.ingress.kubernetes.io/router.middlewares: freescout-freescout@kubernetescrd
+spec:
+  rules:
+    - host: freescout.k-space.ee
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: freescout
+                port:
+                  number: 80
+  tls:
+    - hosts:
+        - "*.k-space.ee"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: freescout
+spec:
+  type: ClusterIP
+  selector:
+    app: freescout
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8080
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: freescout
+  labels:
+    app: freescout
+spec:
+  selector:
+    matchLabels:
+      app: freescout
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: freescout
+    spec:
+      containers:
+        - name: freescout
+          image: harbor.k-space.ee/k-space/freescout@sha256:de1a6c8bd1f285f6f6c61aa48921a884fe7a1496655b31c9536805397c01ee58
+          ports:
+            - containerPort: 8080
+          env:
+            - name: DISPLAY_ERRORS
+              value: 'true'
+            - name: SITE_URL
+              value: 'https://freescout.k-space.ee'
+            - name: APP_URL
+              value: 'https://freescout.k-space.ee'
+            - name: DB_HOST
+              value: mariadb.infra.k-space.ee
+            - name: DB_PORT
+              value: "3306"
+            - name: DB_DATABASE
+              value: kspace_freescout
+            - name: DB_USERNAME
+              value: kspace_freescout
+            - name: ADMIN_EMAIL
+              value: lauri@k-space.ee
+            - name: ADMIN_PASS
+              value: Salakala1!
+            - name: TIMEZONE
+              value: Europe/Tallinn
+            - name: FREESCOUT_ATTACHMENTS_DRIVER
+              value: s3
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: freescout-secrets
+                  key: DB_PASS
+            - name: AWS_USE_PATH_STYLE_ENDPOINT
+              value: "true"
+            - name: AWS_BUCKET
+              valueFrom:
+                secretKeyRef:
+                  name: miniobucket-attachments-owner-secrets
+                  key: BUCKET_NAME
+            - name: APP_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: freescout-app
+                  key: APP_KEY
+          envFrom:
+            - secretRef:
+                name: miniobucket-attachments-owner-secrets
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: freescout-cron
+spec:
+  schedule: "0,30 * * * *" # Should be every minute in theory, keeps hanging
+  jobTemplate:
+    spec:
+      activeDeadlineSeconds: 1800 # this is unholy https://github.com/freescout-helpdesk/freescout/blob/dist/app/Console/Kernel.php
+      ttlSecondsAfterFinished: 100
+      template:
+        spec:
+          containers:
+            - name: freescout-cron
+              image: harbor.k-space.ee/k-space/freescout@sha256:de1a6c8bd1f285f6f6c61aa48921a884fe7a1496655b31c9536805397c01ee58
+              imagePullPolicy: Always
+              command:
+                - php
+                - artisan
+                - schedule:run
+              env:
+                - name: DISPLAY_ERRORS
+                  value: 'true'
+                - name: SITE_URL
+                  value: 'https://freescout.k-space.ee'
+                - name: APP_URL
+                  value: 'https://freescout.k-space.ee'
+                - name: DB_HOST
+                  value: mariadb.infra.k-space.ee
+                - name: DB_PORT
+                  value: "3306"
+                - name: DB_DATABASE
+                  value: kspace_freescout
+                - name: DB_USERNAME
+                  value: kspace_freescout
+                - name: ADMIN_EMAIL
+                  value: lauri@k-space.ee
+                - name: ADMIN_PASS
+                  value: Salakala1!
+                - name: TIMEZONE
+                  value: Europe/Tallinn
+                - name: FREESCOUT_ATTACHMENTS_DRIVER
+                  value: s3
+                - name: DB_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: freescout-secrets
+                      key: DB_PASS
+                - name: AWS_USE_PATH_STYLE_ENDPOINT
+                  value: "true"
+                - name: AWS_BUCKET
+                  valueFrom:
+                    secretKeyRef:
+                      name: miniobucket-attachments-owner-secrets
+                      key: BUCKET_NAME
+                - name: APP_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: freescout-app
+                      key: APP_KEY
+              envFrom:
+                - secretRef:
+                    name: miniobucket-attachments-owner-secrets
+          restartPolicy: Never
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: MinioBucketClaim
+metadata:
+  name: attachments
+spec:
+  capacity: 10Gi
+  class: external
+---
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:

freescout/reset-oidc-config.yaml

@@ -0,0 +1,50 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: reset-oidc-config
+spec:
+  template:
+    spec:
+      volumes:
+        - name: tmp
+          emptyDir: {}
+      initContainers:
+        - name: jq
+          image: alpine/k8s:1.24.16@sha256:06f8942d87fa17b40795bb9a8eff029a9be3fc3c9bcc13d62071de4cc3324153
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp
+          envFrom:
+            - secretRef:
+                name: oidc-client-freescout-owner-secrets
+          command:
+            - /bin/bash
+            - -c
+            - rm -fv /tmp/update.sql;
+              jq '{"name":"oauth.client_id","value":$ENV.OIDC_CLIENT_ID} | "UPDATE options SET value=\(.value|tostring|@sh) WHERE name=\(.name|tostring|@sh) LIMIT 1;"' -n -r >> /tmp/update.sql;
+              jq '{"name":"oauth.client_secret","value":$ENV.OIDC_CLIENT_SECRET} | "UPDATE options SET value=\(.value|tostring|@sh) WHERE name=\(.name|tostring|@sh) LIMIT 1;"' -n -r >> /tmp/update.sql;
+              jq '{"name":"oauth.auth_url","value":$ENV.OIDC_GATEWAY_AUTH_URI} | "UPDATE options SET value=\(.value + "?scope=openid+profile" |tostring|@sh) WHERE name=\(.name|tostring|@sh) LIMIT 1;"' -n -r >> /tmp/update.sql;
+              jq '{"name":"oauth.token_url","value":$ENV.OIDC_GATEWAY_TOKEN_URI} | "UPDATE options SET value=\(.value|tostring|@sh) WHERE name=\(.name|tostring|@sh) LIMIT 1;"' -n -r >> /tmp/update.sql;
+              jq '{"name":"oauth.user_url","value":$ENV.OIDC_GATEWAY_USERINFO_URI} | "UPDATE options SET value=\(.value|tostring|@sh) WHERE name=\(.name|tostring|@sh) LIMIT 1;"' -n -r >> /tmp/update.sql;
+              cat /tmp/update.sql
+      containers:
+        - name: mysql
+          image: mysql
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp
+          env:
+            - name: MYSQL_PWD
+              valueFrom:
+                secretKeyRef:
+                  name: freescout-secrets
+                  key: DB_PASS
+          command:
+            - /bin/bash
+            - -c
+            - mysql -u kspace_freescout kspace_freescout -h 172.20.36.1 -p${MYSQL_PWD} < /tmp/update.sql
+      restartPolicy: OnFailure
+  backoffLimit: 4

gitea/README.md

@@ -0,0 +1,9 @@
+# Gitea
+
+This application is managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/gitea)
+
+Should ArgoCD be down manifests here can be applied with:
+
+```
+kubectl apply -n gitea -f application.yaml
+```

gitea/application.yaml

@@ -0,0 +1,240 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitea
+  namespace: gitea
+spec:
+  dnsNames:
+    - git.k-space.ee
+  issuerRef:
+    kind: ClusterIssuer
+    name: default
+  secretName: git-tls
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+  name: gitea-security-secret-key
+spec:
+  size: 32
+  mapping:
+    - key: secret
+      value: "%(plaintext)s"
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+  name: gitea-security-internal-token
+spec:
+  size: 32
+  mapping:
+    - key: secret
+      value: "%(plaintext)s"
+---
+apiVersion: codemowers.io/v1alpha1
+kind: OIDCGWClient
+metadata:
+  name: gitea
+spec:
+  displayName: Gitea
+  uri: https://git.k-space.ee/user/oauth2/OpenID
+  redirectUris:
+    - https://git.k-space.ee/user/oauth2/OpenID/callback
+  allowedGroups:
+    - k-space:floor
+    - k-space:friends
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  availableScopes:
+    - openid
+    - profile
+  pkce: false
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: gitea
+  labels:
+    app.kubernetes.io/name: gitea
+spec:
+  revisionHistoryLimit: 0
+  serviceName: gitea
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: gitea
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: gitea
+    spec:
+      enableServiceLinks: false
+      securityContext:
+        fsGroup: 1000
+        runAsUser: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
+      containers:
+        - name: gitea
+          image: gitea/gitea:1.21.5-rootless
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: true
+          env:
+            - name: GITEA__REPOSITORY__DISABLED_REPO_UNITS
+              value: repo.releases,repo.wiki
+            - name: GITEA__ADMIN__DISABLE_REGULAR_ORG_CREATION
+              value: "true"
+            - name: GITEA__SERVER__SSH_SERVER_HOST_KEYS
+              value: ssh/gitea.rsa,ssh/gitea.ecdsa,ssh/gitea.ed25519
+            - name: GITEA__SERVER__START_SSH_SERVER
+              value: "true"
+            - name: GITEA__SERVER__CERT_FILE
+              value: "/cert/tls.crt"
+            - name: GITEA__SERVER__KEY_FILE
+              value: "/cert/tls.key"
+            - name: GITEA__SERVER__SSH_PORT
+              value: "22"
+            - name: GITEA__SERVER__PROTOCOL
+              value: https
+            - name: GITEA__SERVER__REDIRECT_OTHER_PORT
+              value: "true"
+            - name: GITEA__SERVER__PORT_TO_REDIRECT
+              value: "8080"
+            - name: GITEA__SERVER__DOMAIN
+              value: git.k-space.ee
+            - name: GITEA__SERVER__SSH_DOMAIN
+              value: git.k-space.ee
+            - name: GITEA__SERVER__HTTP_ADDR
+              value: 0.0.0.0
+            - name: GITEA__SERVER__ROOT_URL
+              value: https://git.k-space.ee
+            - name: GITEA__SSH.MINIMUM_KEY_SIZES__DSA
+              value: "-1"
+            - name: GITEA__DATABASE__DB_TYPE
+              value: mysql
+            - name: GITEA__DATABASE__HOST
+              value: mariadb.infra.k-space.ee:3306
+            - name: GITEA__DATABASE__NAME
+              value: kspace_git
+            - name: GITEA__DATABASE__USER
+              value: kspace_git
+            - name: GITEA__DATABASE__SSL_MODE
+              value: disable
+            - name: GITEA__DATABASE__LOG_SQL
+              value: "false"
+            - name: GITEA__SECURITY__INSTALL_LOCK
+              value: "true"
+            - name: GITEA__SERVICE__REGISTER_EMAIL_CONFIRM
+              value: "true"
+            - name: GITEA__SERVICE__DISABLE_REGISTRATION
+              value: "true"
+            - name: GITEA__SERVICE__ENABLE_NOTIFY_MAIL
+              value: "true"
+            - name: GITEA__MAILER__ENABLED
+              value: "true"
+            - name: GITEA__MAILER__SMTP_ADDR
+              value: mail.k-space.ee
+            - name: GITEA__MAILER__SMTP_PORT
+              value: "465"
+            - name: GITEA__MAILER__FROM
+              value: Gitea <git@k-space.ee>
+            - name: GITEA__MAILER__USER
+              value: git
+            - name: GITEA__MAILER__USE_PLAIN_TEXT
+              value: "false"
+            - name: GITEA__SESSION__PROVIDER
+              value: file
+            - name: GITEA__SESSION__COOKIE_SECURE
+              value: "true"
+            - name: GITEA__CRON__ENABLED
+              value: "true"
+            - name: GITEA__OAUTH2_CLIENT__ENABLE_AUTO_REGISTRATION
+              value: "true"
+            - name: GITEA__DATABASE__PASSWD
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-secrets
+                  key: GITEA__DATABASE__PASSWD
+            - name: GITEA__MAILER__PASSWD
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-secrets
+                  key: GITEA__MAILER__PASSWD
+            - name: GITEA__OAUTH2__JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-secrets
+                  key: GITEA__OAUTH2__JWT_SECRET
+            - name: GITEA__SECURITY__INTERNAL_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-security-internal-token
+                  key: secret
+            - name: GITEA__SECURITY__SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-security-secret-key
+                  key: secret
+          ports:
+            - containerPort: 8080
+              name: http
+            - containerPort: 3000
+              name: https
+            - containerPort: 2222
+              name: ssh
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp
+            - mountPath: /etc/gitea
+              name: etc
+            - mountPath: /cert
+              name: cert
+            - mountPath: /var/lib/gitea
+              name: data
+      volumes:
+        - name: tmp
+          emptyDir: {}
+        - name: etc
+          emptyDir: {}
+        - name: cert
+          secret:
+            secretName: git-tls
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        storageClassName: gitea
+        resources:
+          requests:
+            storage: 10Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea
+  namespace: gitea
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: git.k-space.ee
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  selector:
+    app.kubernetes.io/name: gitea
+  ports:
+  - port: 22
+    name: ssh
+    targetPort: 2222
+  - port: 80
+    name: http
+    targetPort: 8080
+  - port: 443
+    name: https
+    targetPort: 3000
+  sessionAffinity: ClientIP

grafana/README.md

@@ -0,0 +1,15 @@
+# Grafana
+
+This application is managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/grafana)
+
+Should ArgoCD be down manifests here can be applied with:
+
+```
+kubectl create namespace grafana
+kubectl apply -n grafana -f application.yml
+```
+
+## Grafana post deployment steps
+
+* Configure Prometheus datasource with URL set to
+  `http://prometheus-operated.monitoring.svc.cluster.local:9090`

grafana/application.yml

@@ -0,0 +1,195 @@
+---
+apiVersion: codemowers.io/v1alpha1
+kind: OIDCGWClient
+metadata:
+  name: grafana
+spec:
+  displayName: Grafana
+  uri: https://grafana.k-space.ee/login/generic_oauth
+  redirectUris:
+    - https://grafana.k-space.ee/login/generic_oauth
+  allowedGroups:
+    - k-space:floor
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  availableScopes:
+    - openid
+    - profile
+  tokenEndpointAuthMethod: none
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-config
+data:
+  grafana.ini: |
+    [log]
+    level = warn
+    [server]
+    domain = grafana.k-space.ee
+    root_url = https://%(domain)s/
+    [auth.generic_oauth]
+    name = OAuth
+    icon = signin
+    enabled = true
+    empty_scopes = false
+    allow_sign_up = true
+    use_pkce = true
+    role_attribute_path = contains(groups[*], 'github.com:codemowers') && 'Admin' || 'Viewer'
+    [security]
+    disable_initial_admin_creation = true
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app: grafana
+  name: grafana
+spec:
+  revisionHistoryLimit: 0
+  serviceName: grafana
+  selector:
+    matchLabels:
+      app: grafana
+  template:
+    metadata:
+      labels:
+        app: grafana
+    spec:
+      securityContext:
+        fsGroup: 472
+      containers:
+        - name: grafana
+          image: grafana/grafana:8.5.24
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 472
+          env:
+            - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-grafana-owner-secrets
+                  key: OIDC_GATEWAY_URI
+            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-grafana-owner-secrets
+                  key: OIDC_CLIENT_ID
+            - name: GF_AUTH_GENERIC_OAUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-grafana-owner-secrets
+                  key: OIDC_CLIENT_SECRET
+            - name: GF_AUTH_GENERIC_OAUTH_SCOPES
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-grafana-owner-secrets
+                  key: OIDC_AVAILABLE_SCOPES
+            - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-grafana-owner-secrets
+                  key: OIDC_GATEWAY_AUTH_URI
+            - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-grafana-owner-secrets
+                  key: OIDC_GATEWAY_TOKEN_URI
+            - name: GF_AUTH_GENERIC_OAUTH_API_URL
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-grafana-owner-secrets
+                  key: OIDC_GATEWAY_USERINFO_URI
+          ports:
+            - containerPort: 3000
+              name: http-grafana
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /robots.txt
+              port: 3000
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 30
+            successThreshold: 1
+            timeoutSeconds: 2
+          livenessProbe:
+            failureThreshold: 3
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: 3000
+            timeoutSeconds: 1
+          resources:
+            requests:
+              cpu: 250m
+              memory: 750Mi
+          volumeMounts:
+            - mountPath: /var/lib/grafana
+              name: grafana-data
+            - mountPath: /etc/grafana
+              name: grafana-config
+      volumes:
+        - name: grafana-config
+          configMap:
+            name: grafana-config
+  volumeClaimTemplates:
+    - metadata:
+        name: grafana-data
+      spec:
+        storageClassName: longhorn
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: grafana
+spec:
+  ports:
+    - port: 80
+      protocol: TCP
+      targetPort: http-grafana
+  selector:
+    app: grafana
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grafana
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+spec:
+  rules:
+  - host: grafana.k-space.ee
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: grafana
+            port:
+              number: 80
+  tls:
+  - hosts:
+    - "*.k-space.ee"
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: MysqlDatabaseClaim
+metadata:
+  name: grafana
+spec:
+  capacity: 1Gi
+  class: shared

hackerspace/goredirect.yaml

@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: goredirect
+  namespace: hackerspace
+spec:
+  replicas: 2
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: goredirect
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: goredirect
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - podAffinityTerm:
+                labelSelector:
+                  matchExpressions:
+                  - key: app.kubernetes.io/name
+                    operator: In
+                    values:
+                    - goredirect
+                topologyKey: topology.kubernetes.io/zone
+              weight: 100
+      containers:
+        - image: harbor.k-space.ee/k-space/goredirect:latest
+          imagePullPolicy: Always 
+          env:
+            - name: GOREDIRECT_NOT_FOUND
+              value: https://inventory.k-space.ee/m/inventory/add-slug/%s
+            - name: GOREDIRECT_FOUND
+              value: https://inventory.k-space.ee/m/inventory/%s/view
+            - name: MONGO_URI
+              valueFrom:
+                secretKeyRef:
+                  key: connectionString.standard
+                  name: inventory-mongodb-application-readwrite
+          name: goredirect
+          ports:
+            - containerPort: 8080
+              name: http
+              protocol: TCP
+          resources:
+            limits:
+              cpu: "1"
+              memory: 500Mi
+            requests:
+              cpu: 100m
+              memory: 200Mi
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000

hackerspace/inventory.yaml

@@ -0,0 +1,200 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: inventory
+  namespace: hackerspace
+spec:
+  replicas: 1
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: inventory
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: inventory
+    spec:
+      containers:
+      - image: harbor.k-space.ee/k-space/inventory-app:latest
+        imagePullPolicy: Always
+        env:
+        - name: ENVIRONMENT_TYPE
+          value: PROD
+        - name: PYTHONUNBUFFERED
+          value: "1"
+        - name: MEMBERS_HOST
+          value: https://members.k-space.ee
+        - name: INVENTORY_ASSETS_BASE_URL
+          value: https://minio-cluster-shared.k-space.ee/inventory-5b342be1-60a1-4290-8061-e0b8fc17d40d/
+        - name: OIDC_USERS_NAMESPACE
+          value: oidc-gateway
+        - name: MONGO_URI
+          valueFrom:
+            secretKeyRef:
+              key: connectionString.standard
+              name: inventory-mongodb-application-readwrite
+        - name: SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              key: SECRET_KEY
+              name: inventory-secrets
+        - name: INVENTORY_API_KEY
+          valueFrom:
+            secretKeyRef:
+              key: INVENTORY_API_KEY
+              name: inventory-api-key
+        - name: SLACK_DOORLOG_CALLBACK
+          valueFrom:
+            secretKeyRef:
+              key: SLACK_DOORLOG_CALLBACK
+              name: slack-secrets
+        - name: SLACK_VERIFICATION_TOKEN
+          valueFrom:
+            secretKeyRef:
+              key: SLACK_VERIFICATION_TOKEN
+              name: slack-secrets
+        envFrom:
+        - secretRef:
+            name: miniobucket-inventory-owner-secrets
+        - secretRef:
+            name: oidc-client-inventory-app-owner-secrets
+        name: inventory
+        ports:
+        - containerPort: 5000
+          name: http
+          protocol: TCP
+        resources:
+          limits:
+            cpu: "1"
+            memory: 500Mi
+          requests:
+            cpu: 100m
+            memory: 200Mi
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 1000
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmp
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      serviceAccount: inventory
+      serviceAccountName: inventory
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: tmp
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+  name: inventory-mongodb-readwrite-password
+spec:
+  size: 32
+  mapping:
+    - key: password
+      value: "%(plaintext)s"
+---
+apiVersion: mongodbcommunity.mongodb.com/v1
+kind: MongoDBCommunity
+metadata:
+  name: inventory-mongodb
+spec:
+  agent:
+    logLevel: ERROR
+    maxLogFileDurationHours: 1
+  additionalMongodConfig:
+    systemLog:
+      quiet: true
+  members: 3
+  type: ReplicaSet
+  version: "6.0.3"
+  security:
+    authentication:
+      modes: ["SCRAM"]
+  users:
+    - name: readwrite
+      db: application
+      passwordSecretRef:
+        name: inventory-mongodb-readwrite-password
+      roles:
+        - name: readWrite
+          db: application
+      scramCredentialsSecretName: inventory-mongodb-readwrite
+  statefulSet:
+    spec:
+      logLevel: WARN
+      template:
+        spec:
+          containers:
+            - name: mongod
+              resources:
+                requests:
+                  cpu: 100m
+                  memory: 1Gi
+                limits:
+                  cpu: 4000m
+                  memory: 1Gi
+              volumeMounts:
+                - name: journal-volume
+                  mountPath: /data/journal
+            - name: mongodb-agent
+              resources:
+                requests:
+                  cpu: 1m
+                  memory: 100Mi
+                limits: {}
+          affinity:
+            podAntiAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+                - labelSelector:
+                    matchExpressions:
+                      - key: app
+                        operator: In
+                        values:
+                          - inventory-mongodb-svc
+                  topologyKey: kubernetes.io/hostname
+          nodeSelector:
+            dedicated: monitoring
+          tolerations:
+            - key: dedicated
+              operator: Equal
+              value: monitoring
+              effect: NoSchedule
+      volumeClaimTemplates:
+        - metadata:
+            name: logs-volume
+            labels:
+              usecase: logs
+          spec:
+            storageClassName: mongo
+            accessModes:
+            - ReadWriteOnce
+            resources:
+              requests:
+                storage: 100Mi
+        - metadata:
+            name: journal-volume
+            labels:
+              usecase: journal
+          spec:
+            storageClassName: mongo
+            accessModes:
+            - ReadWriteOnce
+            resources:
+              requests:
+                storage: 512Mi
+        - metadata:
+            name: data-volume
+            labels:
+              usecase: data
+          spec:
+            storageClassName: mongo
+            accessModes:
+            - ReadWriteOnce
+            resources:
+              requests:
+                storage: 10Gi

harbor/application.yml

@@ -35,7 +35,7 @@ data:
   TRIVY_ADAPTER_URL: "http://harbor-trivy:8080"
   REGISTRY_STORAGE_PROVIDER_NAME: "filesystem"
   WITH_CHARTMUSEUM: "false"
-  LOG_LEVEL: "info"
+  LOG_LEVEL: "warning"
   CONFIG_PATH: "/etc/core/app.conf"
   CHART_CACHE_DRIVER: "redis"
   _REDIS_URL_CORE: "redis://harbor-redis:6379/0?idle_timeout_seconds=30"
@@ -396,8 +396,7 @@ spec:
       terminationGracePeriodSeconds: 120
       containers:
       - name: core
-        image: goharbor/harbor-core:v2.4.2
-        imagePullPolicy: IfNotPresent
+        image: mirror.gcr.io/goharbor/harbor-core:v2.4.2
         startupProbe:
           httpGet:
             path: /api/v2.0/ping
@@ -406,16 +405,9 @@ spec:
           failureThreshold: 360
           initialDelaySeconds: 10
           periodSeconds: 10
-        livenessProbe:
-          httpGet:
-            path: /api/v2.0/ping
-            scheme: HTTP
-            port: 8080
-          failureThreshold: 2
-          periodSeconds: 10
         readinessProbe:
           httpGet:
-            path: /api/v2.0/ping
+            path: /api/v2.0/projects
             scheme: HTTP
             port: 8080
           failureThreshold: 2
@@ -472,6 +464,13 @@ spec:
         secret:
       - name: psc
         emptyDir: {}
+      nodeSelector:
+        dedicated: storage
+      tolerations:
+      - key: dedicated
+        operator: Equal
+        value: storage
+        effect: NoSchedule
 ---
 # Source: harbor/templates/jobservice/jobservice-dpl.yaml
 apiVersion: apps/v1
@@ -501,15 +500,7 @@ spec:
       terminationGracePeriodSeconds: 120
       containers:
       - name: jobservice
-        image: goharbor/harbor-jobservice:v2.4.2
-        imagePullPolicy: IfNotPresent
-        livenessProbe:
-          httpGet:
-            path: /api/v1/stats
-            scheme: HTTP
-            port: 8080
-          initialDelaySeconds: 300
-          periodSeconds: 10
+        image: mirror.gcr.io/goharbor/harbor-jobservice:v2.4.2
         readinessProbe:
           httpGet:
             path: /api/v1/stats
@@ -544,6 +535,13 @@ spec:
       - name: job-logs
         persistentVolumeClaim:
           claimName: harbor-jobservice
+      nodeSelector:
+        dedicated: storage
+      tolerations:
+      - key: dedicated
+        operator: Equal
+        value: storage
+        effect: NoSchedule
 ---
 # Source: harbor/templates/portal/deployment.yaml
 apiVersion: apps/v1
@@ -573,15 +571,7 @@ spec:
       automountServiceAccountToken: false
       containers:
       - name: portal
-        image: goharbor/harbor-portal:v2.4.2
-        imagePullPolicy: IfNotPresent
-        livenessProbe:
-          httpGet:
-            path: /
-            scheme: HTTP
-            port: 8080
-          initialDelaySeconds: 300
-          periodSeconds: 10
+        image: mirror.gcr.io/goharbor/harbor-portal:v2.4.2
         readinessProbe:
           httpGet:
             path: /
@@ -599,6 +589,13 @@ spec:
       - name: portal-config
         configMap:
           name: "harbor-portal"
+      nodeSelector:
+        dedicated: storage
+      tolerations:
+      - key: dedicated
+        operator: Equal
+        value: storage
+        effect: NoSchedule
 ---
 # Source: harbor/templates/registry/registry-dpl.yaml
 apiVersion: apps/v1
@@ -628,15 +625,7 @@ spec:
       terminationGracePeriodSeconds: 120
       containers:
       - name: registry
-        image: goharbor/registry-photon:v2.4.2
-        imagePullPolicy: IfNotPresent
-        livenessProbe:
-          httpGet:
-            path: /
-            scheme: HTTP
-            port: 5000
-          initialDelaySeconds: 300
-          periodSeconds: 10
+        image: mirror.gcr.io/goharbor/registry-photon:v2.4.2
         readinessProbe:
           httpGet:
             path: /
@@ -663,15 +652,7 @@ spec:
           mountPath: /etc/registry/config.yml
           subPath: config.yml
       - name: registryctl
-        image: goharbor/harbor-registryctl:v2.4.2
-        imagePullPolicy: IfNotPresent
-        livenessProbe:
-          httpGet:
-            path: /api/health
-            scheme: HTTP
-            port: 8080
-          initialDelaySeconds: 300
-          periodSeconds: 10
+        image: mirror.gcr.io/goharbor/harbor-registryctl:v2.4.2
         readinessProbe:
           httpGet:
             path: /api/health
@@ -722,6 +703,13 @@ spec:
       - name: registry-data
         persistentVolumeClaim:
           claimName: harbor-registry
+      nodeSelector:
+        dedicated: storage
+      tolerations:
+      - key: dedicated
+        operator: Equal
+        value: storage
+        effect: NoSchedule
 ---
 # Source: harbor/templates/database/database-ss.yaml
 apiVersion: apps/v1
@@ -755,8 +743,7 @@ spec:
       # for more detail.
       # we may remove it after several releases
       - name: "data-migrator"
-        image: goharbor/harbor-db:v2.4.2
-        imagePullPolicy: IfNotPresent
+        image: mirror.gcr.io/goharbor/harbor-db:v2.4.2
         command: ["/bin/sh"]
         args: ["-c", "[ -e /var/lib/postgresql/data/postgresql.conf ] && [ ! -d /var/lib/postgresql/data/pgdata ] && mkdir -m 0700 /var/lib/postgresql/data/pgdata && mv /var/lib/postgresql/data/* /var/lib/postgresql/data/pgdata/ || true"]
         volumeMounts:
@@ -768,8 +755,7 @@ spec:
       # use this init container to correct the permission
       # as "fsGroup" applied before the init container running, the container has enough permission to execute the command
       - name: "data-permissions-ensurer"
-        image: goharbor/harbor-db:v2.4.2
-        imagePullPolicy: IfNotPresent
+        image: mirror.gcr.io/goharbor/harbor-db:v2.4.2
         command: ["/bin/sh"]
         args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"]
         volumeMounts:
@@ -778,14 +764,7 @@ spec:
             subPath: 
       containers:
       - name: database
-        image: goharbor/harbor-db:v2.4.2
-        imagePullPolicy: IfNotPresent
-        livenessProbe:
-          exec:
-            command:
-            - /docker-healthcheck.sh
-          initialDelaySeconds: 300
-          periodSeconds: 10
+        image: mirror.gcr.io/goharbor/harbor-db:v2.4.2
         readinessProbe:
           exec:
             command:
@@ -811,6 +790,13 @@ spec:
         emptyDir:
           medium: Memory
           sizeLimit: 512Mi
+      nodeSelector:
+        dedicated: storage
+      tolerations:
+      - key: dedicated
+        operator: Equal
+        value: storage
+        effect: NoSchedule
   volumeClaimTemplates:
   - metadata:
       name: "database-data"
@@ -852,13 +838,7 @@ spec:
       terminationGracePeriodSeconds: 120
       containers:
       - name: redis
-        image: goharbor/redis-photon:v2.4.2
-        imagePullPolicy: IfNotPresent
-        livenessProbe:
-          tcpSocket:
-            port: 6379
-          initialDelaySeconds: 300
-          periodSeconds: 10
+        image: mirror.gcr.io/goharbor/redis-photon:v2.4.2
         readinessProbe:
           tcpSocket:
             port: 6379
@@ -868,6 +848,13 @@ spec:
         - name: data
           mountPath: /var/lib/redis
           subPath: 
+      nodeSelector:
+        dedicated: storage
+      tolerations:
+      - key: dedicated
+        operator: Equal
+        value: storage
+        effect: NoSchedule
   volumeClaimTemplates:
   - metadata:
       name: data
@@ -908,7 +895,7 @@ spec:
       automountServiceAccountToken: false
       containers:
         - name: trivy
-          image: goharbor/trivy-adapter-photon:v2.4.2
+          image: mirror.gcr.io/goharbor/trivy-adapter-photon:v2.4.2
           imagePullPolicy: IfNotPresent
           securityContext:
             privileged: false
@@ -970,15 +957,6 @@ spec:
             mountPath: /home/scanner/.cache
             subPath: 
             readOnly: false
-          livenessProbe:
-            httpGet:
-              scheme: HTTP
-              path: /probe/healthy
-              port: api-server
-            initialDelaySeconds: 5
-            periodSeconds: 10
-            successThreshold: 1
-            failureThreshold: 10
           readinessProbe:
             httpGet:
               scheme: HTTP
@@ -995,6 +973,13 @@ spec:
             requests:
               cpu: 200m
               memory: 512Mi
+      nodeSelector:
+        dedicated: storage
+      tolerations:
+      - key: dedicated
+        operator: Equal
+        value: storage
+        effect: NoSchedule
   volumeClaimTemplates:
   - metadata:
       name: data
@@ -1016,7 +1001,6 @@ metadata:
   labels:
     app: harbor
   annotations:
-    cert-manager.io/cluster-issuer: default
     external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
     ingress.kubernetes.io/proxy-body-size: "0"
     ingress.kubernetes.io/ssl-redirect: "true"
@@ -1027,9 +1011,8 @@ metadata:
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
   tls:
-  - secretName: harbor-tls
-    hosts:
-    - harbor.k-space.ee
+  - hosts:
+    - "*.k-space.ee"
   rules:
   - http:
       paths:

inventory.yml

@@ -0,0 +1,38 @@
+all:
+  children:
+    bind:
+      hosts:
+        ns1.k-space.ee:
+    kubernetes:
+      children:
+        masters:
+          hosts:
+            master1.kube.k-space.ee:
+            master2.kube.k-space.ee:
+            master3.kube.k-space.ee:
+        kubelets:
+          children:
+            mon:
+              hosts:
+                mon1.kube.k-space.ee:
+                mon2.kube.k-space.ee:
+                mon3.kube.k-space.ee:
+            storage:
+              hosts:
+                storage1.kube.k-space.ee:
+                storage2.kube.k-space.ee:
+                storage3.kube.k-space.ee:
+                storage4.kube.k-space.ee:
+            workers:
+              hosts:
+                worker1.kube.k-space.ee:
+                worker2.kube.k-space.ee:
+                worker3.kube.k-space.ee:
+                worker4.kube.k-space.ee:
+                worker9.kube.k-space.ee:
+    doors:
+      hosts:
+        100.102.3.1:
+        100.102.3.2:
+        100.102.3.3:
+        100.102.3.4:

keel/README.md

@@ -1,10 +0,0 @@
-To generate secrets and to deploy:
-
-```
-kubectl create secret generic -n $(basename $(pwd)) application-secrets \
-    --from-literal=BASIC_AUTH_PASSWORD=$(cat /dev/urandom | base64 | head -c 30) \
-    --from-literal=MAIL_SMTP_PASS=... \
-    --from-literal=SLACK_TOKEN=...
-kubectl apply -n keel -f application.yml
-kubectl -n keel rollout restart deployment.apps/keel
-```

keel/application.yml

@@ -1,176 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: keel
-  namespace: keel
-  labels:
-    app: keel
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: keel
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - namespaces
-    verbs:
-      - watch
-      - list
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - get
-      - watch
-      - list
-  - apiGroups:
-      - ""
-      - extensions
-      - apps
-      - batch
-    resources:
-      - pods
-      - replicasets
-      - replicationcontrollers
-      - statefulsets
-      - deployments
-      - daemonsets
-      - jobs
-      - cronjobs
-    verbs:
-      - get
-      - delete # required to delete pods during force upgrade of the same tag
-      - watch
-      - list
-      - update
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-      - pods/portforward
-    verbs:
-      - get
-      - create
-      - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: keel
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: keel
-subjects:
-  - kind: ServiceAccount
-    name: keel
-    namespace: keel
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: keel
-  namespace: keel
-  labels:
-    app: keel
-spec:
-  type: ClusterIP
-  ports:
-    - port: 9300
-      targetPort: 9300
-      protocol: TCP
-      name: keel
-  selector:
-    app: keel
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: keel
-  labels:
-    app: keel
-  annotations:
-    keel.sh/policy: force
-    keel.sh/trigger: poll
-    keel.sh/pollSchedule: "@midnight"
-spec:
-  replicas: 1
-  serviceName: keel
-  selector:
-    matchLabels:
-      app: keel
-  template:
-    metadata:
-      labels:
-        app: keel
-    spec:
-      serviceAccountName: keel
-      containers:
-        - name: keel
-          image: keelhq/keel:latest
-          imagePullPolicy: Always
-          command: ["/bin/keel"]
-          volumeMounts:
-          env:
-            - name: NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: POLL
-              value: "true"
-            - name: HELM_PROVIDER
-              value: "false"
-            - name: TILLER_NAMESPACE
-              value: "kube-system"
-            - name: TILLER_ADDRESS
-              value: "tiller-deploy:44134"
-            - name: NOTIFICATION_LEVEL
-              value: "info"
-            - name: BASIC_AUTH_USER
-              value: admin
-            - name: SLACK_CHANNELS
-              value: kube-prod
-            - name: SLACK_BOT_NAME
-              value: keel.k-space.ee
-          envFrom:
-            - secretRef:
-                name: application-secrets
-          ports:
-            - containerPort: 9300
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 9300
-            initialDelaySeconds: 30
-            timeoutSeconds: 10
-          readinessProbe:
-            httpGet:
-              path: /healthz
-              port: 9300
-            initialDelaySeconds: 30
-            timeoutSeconds: 10
-          resources:
-            limits:
-              cpu: 100m
-              memory: 128Mi
-            requests:
-              cpu: 50m
-              memory: 64Mi
-
-          volumeMounts:
-          - name: keel-data
-            mountPath: /data
-  volumeClaimTemplates:
-  - metadata:
-      name: keel-data
-    spec:
-      storageClassName: longhorn
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 2Gi

kube-system/descheduler.yaml

@@ -0,0 +1,165 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: descheduler
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: descheduler
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: descheduler
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: descheduler
+data:
+  policy.yaml: |
+    apiVersion: "descheduler/v1alpha1"
+    kind: "DeschedulerPolicy"
+    strategies:
+      LowNodeUtilization:
+        enabled: true
+        params:
+          nodeResourceUtilizationThresholds:
+            targetThresholds:
+              cpu: 50
+              memory: 50
+              pods: 50
+            thresholds:
+              cpu: 20
+              memory: 20
+              pods: 20
+      RemoveDuplicates:
+        enabled: true
+      RemovePodsHavingTooManyRestarts:
+        enabled: true
+        params:
+          podsHavingTooManyRestarts:
+            includingInitContainers: true
+            podRestartThreshold: 100
+      RemovePodsViolatingInterPodAntiAffinity:
+        enabled: true
+      RemovePodsViolatingNodeAffinity:
+        enabled: true
+        params:
+          nodeAffinityType:
+          - requiredDuringSchedulingIgnoredDuringExecution
+      RemovePodsViolatingNodeTaints:
+        enabled: true
+      RemovePodsViolatingTopologySpreadConstraint:
+        enabled: true
+        params:
+          includeSoftConstraints: false
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: descheduler
+  labels:
+    app.kubernetes.io/name: descheduler
+rules:
+- apiGroups: ["events.k8s.io"]
+  resources: ["events"]
+  verbs: ["create", "update"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "watch", "list", "delete"]
+- apiGroups: [""]
+  resources: ["pods/eviction"]
+  verbs: ["create"]
+- apiGroups: ["scheduling.k8s.io"]
+  resources: ["priorityclasses"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["create", "update"]
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  resourceNames: ["descheduler"]
+  verbs: ["get", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: descheduler
+  labels:
+    app.kubernetes.io/name: descheduler
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: descheduler
+subjects:
+  - kind: ServiceAccount
+    name: descheduler
+    namespace: kube-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: descheduler
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: descheduler
+spec:
+  replicas: 2
+  selector:
+    matchLabels: &selectorLabels
+      app.kubernetes.io/name: descheduler
+  template:
+    metadata:
+      labels: *selectorLabels
+    spec:
+      priorityClassName: system-cluster-critical
+      serviceAccountName: descheduler
+      containers:
+        - name: descheduler
+          image: "k8s.gcr.io/descheduler/descheduler:v0.25.1"
+          imagePullPolicy: IfNotPresent
+          command:
+            - "/bin/descheduler"
+          args:
+            - "--policy-config-file"
+            - "/policy-dir/policy.yaml"
+            - "--descheduling-interval"
+            - 5m
+            - "--v"
+            - "3"
+            - --leader-elect=true
+          ports:
+            - containerPort: 10258
+              protocol: TCP
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz
+              port: 10258
+              scheme: HTTPS
+            initialDelaySeconds: 3
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: 500m
+              memory: 256Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+          volumeMounts:
+            - mountPath: /policy-dir
+              name: policy-volume
+      volumes:
+        - name: policy-volume
+          configMap:
+            name: descheduler

kube-system/kube-state-metrics.yml

@@ -159,7 +159,9 @@ spec:
     spec:
       automountServiceAccountToken: true
       containers:
-      - image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.6.0
+      - image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.9.2
+        args:
+          - --metric-labels-allowlist=pods=[*]
         livenessProbe:
           httpGet:
             path: /healthz
@@ -219,3 +221,252 @@ spec:
   selector:
     matchLabels:
       app.kubernetes.io/name: kube-state-metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: kube-state-metrics
+spec:
+  groups:
+    - name: kube-state-metrics
+      rules:
+        - alert: KubernetesNodeReady
+          expr: kube_node_status_condition{condition="Ready",status="true"} == 0
+          for: 10m
+          labels:
+            severity: critical
+          annotations:
+            summary: Kubernetes Node ready (instance {{ $labels.instance }})
+            description: "Node {{ $labels.node }} has been unready for a long time\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesMemoryPressure
+          expr: kube_node_status_condition{condition="MemoryPressure",status="true"} == 1
+          for: 2m
+          labels:
+            severity: critical
+          annotations:
+            summary: Kubernetes memory pressure (instance {{ $labels.instance }})
+            description: "{{ $labels.node }} has MemoryPressure condition\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesDiskPressure
+          expr: kube_node_status_condition{condition="DiskPressure",status="true"} == 1
+          for: 2m
+          labels:
+            severity: critical
+          annotations:
+            summary: Kubernetes disk pressure (instance {{ $labels.instance }})
+            description: "{{ $labels.node }} has DiskPressure condition\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesOutOfDisk
+          expr: kube_node_status_condition{condition="OutOfDisk",status="true"} == 1
+          for: 2m
+          labels:
+            severity: critical
+          annotations:
+            summary: Kubernetes out of disk (instance {{ $labels.instance }})
+            description: "{{ $labels.node }} has OutOfDisk condition\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesOutOfCapacity
+          expr: sum by (node) ((kube_pod_status_phase{phase="Running"} == 1) + on(uid) group_left(node) (0 * kube_pod_info{pod_template_hash=""})) / sum by (node) (kube_node_status_allocatable{resource="pods"}) * 100 > 90
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: Kubernetes out of capacity (instance {{ $labels.instance }})
+            description: "{{ $labels.node }} is out of capacity\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesContainerOomKiller
+          expr: (kube_pod_container_status_restarts_total - kube_pod_container_status_restarts_total offset 10m >= 1) and ignoring (reason) min_over_time(kube_pod_container_status_last_terminated_reason{reason="OOMKilled"}[10m]) == 1
+          for: 0m
+          labels:
+            severity: warning
+          annotations:
+            summary: Kubernetes container oom killer (instance {{ $labels.instance }})
+            description: "Container {{ $labels.container }} in pod {{ $labels.namespace }}/{{ $labels.pod }} has been OOMKilled {{ $value }} times in the last 10 minutes.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesJobFailed
+          expr: kube_job_status_failed > 0
+          for: 0m
+          labels:
+            severity: warning
+          annotations:
+            summary: Kubernetes Job failed (instance {{ $labels.instance }})
+            description: "Job {{$labels.namespace}}/{{$labels.exported_job}} failed to complete\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesCronjobSuspended
+          expr: kube_cronjob_spec_suspend != 0
+          for: 0m
+          labels:
+            severity: warning
+          annotations:
+            summary: Kubernetes CronJob suspended (instance {{ $labels.instance }})
+            description: "CronJob {{ $labels.namespace }}/{{ $labels.cronjob }} is suspended\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesPersistentvolumeclaimPending
+          expr: kube_persistentvolumeclaim_status_phase{phase="Pending"} == 1
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: Kubernetes PersistentVolumeClaim pending (instance {{ $labels.instance }})
+            description: "PersistentVolumeClaim {{ $labels.namespace }}/{{ $labels.persistentvolumeclaim }} is pending\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesVolumeOutOfDiskSpace
+          expr: kubelet_volume_stats_available_bytes / kubelet_volume_stats_capacity_bytes * 100 < 10
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: Kubernetes Volume out of disk space (instance {{ $labels.instance }})
+            description: "Volume is almost full (< 10% left)\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesPersistentvolumeError
+          expr: kube_persistentvolume_status_phase{phase=~"Failed|Pending", job="kube-state-metrics"} > 0
+          for: 0m
+          labels:
+            severity: critical
+          annotations:
+            summary: Kubernetes PersistentVolume error (instance {{ $labels.instance }})
+            description: "Persistent volume is in bad state\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesStatefulsetDown
+          expr: (kube_statefulset_status_replicas_ready / kube_statefulset_status_replicas_current) != 1
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: Kubernetes StatefulSet down (instance {{ $labels.instance }})
+            description: "A StatefulSet went down\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesHpaScalingAbility
+          expr: kube_horizontalpodautoscaler_status_condition{status="false", condition="AbleToScale"} == 1
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: Kubernetes HPA scaling ability (instance {{ $labels.instance }})
+            description: "Pod is unable to scale\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesHpaMetricAvailability
+          expr: kube_horizontalpodautoscaler_status_condition{status="false", condition="ScalingActive"} == 1
+          for: 0m
+          labels:
+            severity: warning
+          annotations:
+            summary: Kubernetes HPA metric availability (instance {{ $labels.instance }})
+            description: "HPA is not able to collect metrics\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesHpaScaleCapability
+          expr: kube_horizontalpodautoscaler_status_desired_replicas >= kube_horizontalpodautoscaler_spec_max_replicas
+          for: 2m
+          labels:
+            severity: info
+          annotations:
+            summary: Kubernetes HPA scale capability (instance {{ $labels.instance }})
+            description: "The maximum number of desired Pods has been hit\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesPodNotHealthy
+          expr: min_over_time(sum by (namespace, pod) (kube_pod_status_phase{phase=~"Pending|Unknown|Failed"})[15m:1m]) > 0
+          for: 0m
+          labels:
+            severity: critical
+          annotations:
+            summary: Kubernetes Pod not healthy (instance {{ $labels.instance }})
+            description: "Pod has been in a non-ready state for longer than 15 minutes.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesPodCrashLooping
+          expr: increase(kube_pod_container_status_restarts_total[1m]) > 3
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: Kubernetes pod crash looping (instance {{ $labels.instance }})
+            description: "Pod {{ $labels.pod }} is crash looping\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesReplicassetMismatch
+          expr: kube_replicaset_spec_replicas != kube_replicaset_status_ready_replicas
+          for: 10m
+          labels:
+            severity: warning
+          annotations:
+            summary: Kubernetes ReplicasSet mismatch (instance {{ $labels.instance }})
+            description: "Deployment Replicas mismatch\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesDeploymentReplicasMismatch
+          expr: kube_deployment_spec_replicas != kube_deployment_status_replicas_available
+          for: 10m
+          labels:
+            severity: warning
+          annotations:
+            summary: Kubernetes Deployment replicas mismatch (instance {{ $labels.instance }})
+            description: "Deployment Replicas mismatch\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesStatefulsetReplicasMismatch
+          expr: kube_statefulset_status_replicas_ready != kube_statefulset_status_replicas
+          for: 10m
+          labels:
+            severity: warning
+          annotations:
+            summary: Kubernetes StatefulSet replicas mismatch (instance {{ $labels.instance }})
+            description: "A StatefulSet does not match the expected number of replicas.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesDeploymentGenerationMismatch
+          expr: kube_deployment_status_observed_generation != kube_deployment_metadata_generation
+          for: 10m
+          labels:
+            severity: critical
+          annotations:
+            summary: Kubernetes Deployment generation mismatch (instance {{ $labels.instance }})
+            description: "A Deployment has failed but has not been rolled back.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesStatefulsetGenerationMismatch
+          expr: kube_statefulset_status_observed_generation != kube_statefulset_metadata_generation
+          for: 10m
+          labels:
+            severity: critical
+          annotations:
+            summary: Kubernetes StatefulSet generation mismatch (instance {{ $labels.instance }})
+            description: "A StatefulSet has failed but has not been rolled back.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesStatefulsetUpdateNotRolledOut
+          expr: max without (revision) (kube_statefulset_status_current_revision unless kube_statefulset_status_update_revision) * (kube_statefulset_replicas != kube_statefulset_status_replicas_updated)
+          for: 10m
+          labels:
+            severity: warning
+          annotations:
+            summary: Kubernetes StatefulSet update not rolled out (instance {{ $labels.instance }})
+            description: "StatefulSet update has not been rolled out.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesDaemonsetRolloutStuck
+          expr: kube_daemonset_status_number_ready / kube_daemonset_status_desired_number_scheduled * 100 < 100 or kube_daemonset_status_desired_number_scheduled - kube_daemonset_status_current_number_scheduled > 0
+          for: 10m
+          labels:
+            severity: warning
+          annotations:
+            summary: Kubernetes DaemonSet rollout stuck (instance {{ $labels.instance }})
+            description: "Some Pods of DaemonSet are not scheduled or not ready\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesDaemonsetMisscheduled
+          expr: sum by (namespace, daemonset) (kube_daemonset_status_number_misscheduled) > 0
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: Kubernetes DaemonSet misscheduled (instance {{ $labels.instance }})
+            description: "Some DaemonSet Pods are running where they are not supposed to run\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesApiServerErrors
+          expr: sum(rate(apiserver_request_total{job="apiserver",code=~"^(?:5..)$"}[1m])) / sum(rate(apiserver_request_total{job="apiserver"}[1m])) * 100 > 3
+          for: 2m
+          labels:
+            severity: critical
+          annotations:
+            summary: Kubernetes API server errors (instance {{ $labels.instance }})
+            description: "Kubernetes API server is experiencing high error rate\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesApiClientErrors
+          expr: (sum(rate(rest_client_requests_total{code=~"(4|5).."}[1m])) by (instance, job) / sum(rate(rest_client_requests_total[1m])) by (instance, job)) * 100 > 1
+          for: 2m
+          labels:
+            severity: critical
+          annotations:
+            summary: Kubernetes API client errors (instance {{ $labels.instance }})
+            description: "Kubernetes API client is experiencing high error rate\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesClientCertificateExpiresNextWeek
+          expr: apiserver_client_certificate_expiration_seconds_count{job="apiserver"} > 0 and histogram_quantile(0.01, sum by (job, le) (rate(apiserver_client_certificate_expiration_seconds_bucket{job="apiserver"}[5m]))) < 7*24*60*60
+          for: 0m
+          labels:
+            severity: warning
+          annotations:
+            summary: Kubernetes client certificate expires next week (instance {{ $labels.instance }})
+            description: "A client certificate used to authenticate to the apiserver is expiring next week.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesClientCertificateExpiresSoon
+          expr: apiserver_client_certificate_expiration_seconds_count{job="apiserver"} > 0 and histogram_quantile(0.01, sum by (job, le) (rate(apiserver_client_certificate_expiration_seconds_bucket{job="apiserver"}[5m]))) < 24*60*60
+          for: 0m
+          labels:
+            severity: critical
+          annotations:
+            summary: Kubernetes client certificate expires soon (instance {{ $labels.instance }})
+            description: "A client certificate used to authenticate to the apiserver is expiring in less than 24.0 hours.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+        - alert: KubernetesApiServerLatency
+          expr: histogram_quantile(0.99, sum(rate(apiserver_request_latencies_bucket{subresource!="log",verb!~"^(?:CONNECT|WATCHLIST|WATCH|PROXY)$"} [10m])) WITHOUT (instance, resource)) / 1e+06 > 1
+          for: 2m
+          labels:
+            severity: warning
+          annotations:
+            summary: Kubernetes API server latency (instance {{ $labels.instance }})
+            description: "Kubernetes API server has a 99th percentile latency of {{ $value }} seconds for {{ $labels.verb }} {{ $labels.resource }}.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"

kube-system/metrics-server.yml

@@ -0,0 +1,197 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: metrics-server
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: system:aggregated-metrics-reader
+rules:
+- apiGroups:
+  - metrics.k8s.io
+  resources:
+  - pods
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: system:metrics-server
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes/metrics
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server-auth-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: system:metrics-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:metrics-server
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server
+  namespace: kube-system
+spec:
+  ports:
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    k8s-app: metrics-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: metrics-server
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      k8s-app: metrics-server
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+  template:
+    metadata:
+      labels:
+        k8s-app: metrics-server
+    spec:
+      containers:
+      - args:
+        - --cert-dir=/tmp
+        - --secure-port=4443
+        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+        - --kubelet-use-node-status-port
+        - --kubelet-insecure-tls
+        - --metric-resolution=15s
+        image: k8s.gcr.io/metrics-server/metrics-server:v0.6.1
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /livez
+            port: https
+            scheme: HTTPS
+          periodSeconds: 10
+        name: metrics-server
+        ports:
+        - containerPort: 4443
+          name: https
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /readyz
+            port: https
+            scheme: HTTPS
+          initialDelaySeconds: 20
+          periodSeconds: 10
+        resources:
+          requests:
+            cpu: 100m
+            memory: 200Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 1000
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmp-dir
+      nodeSelector:
+        kubernetes.io/os: linux
+      priorityClassName: system-cluster-critical
+      serviceAccountName: metrics-server
+      volumes:
+      - emptyDir: {}
+        name: tmp-dir
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  labels:
+    k8s-app: metrics-server
+  name: v1beta1.metrics.k8s.io
+spec:
+  group: metrics.k8s.io
+  groupPriorityMinimum: 100
+  insecureSkipTLSVerify: true
+  service:
+    name: metrics-server
+    namespace: kube-system
+  version: v1beta1
+  versionPriority: 100

kubernetes-dashboard/application.yml

@@ -269,7 +269,6 @@ metadata:
     certManager: "true"
     rewriteTarget: "true"
   annotations:
-    cert-manager.io/cluster-issuer: default
     external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
     kubernetes.io/ingress.class: traefik
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -289,5 +288,4 @@ spec:
                   number: 80
   tls:
     - hosts:
-      - dashboard.k-space.ee
-      secretName: dashboard-tls
+      - "*.k-space.ee"

logging/README.md

@@ -1,5 +1,7 @@
 # Logging infrastructure
 
+Note: This is deprecated since we moved to [Logmower stack](https://github.com/logmower)
+
 ## Background
 
 Fluent Bit picks up the logs from Kubernetes workers and sends them to Graylog
@@ -14,7 +16,7 @@ To deploy:
 
 ```
 kubectl create namespace logging
-kubectl apply -n logging -f mongodb-support.yml -f application.yml -f filebeat.yml -f networkpolicy-base.yml
+kubectl apply -n logging -f zinc.yml -f application.yml -f filebeat.yml -f networkpolicy-base.yml
 kubectl rollout restart -n logging daemonset.apps/filebeat
 ```
 

logging/application.yml

@@ -1,452 +0,0 @@
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: elasticsearch
-  labels:
-    app: elasticsearch
-spec:
-  serviceName: elasticsearch
-  revisionHistoryLimit: 0
-  replicas: 1
-  selector:
-    matchLabels:
-      app: elasticsearch
-  template:
-    metadata:
-      labels:
-        app: elasticsearch
-    spec:
-      securityContext:
-        fsGroup: 1000
-      containers:
-        - name: elasticsearch
-          image: elasticsearch:7.17.3
-          securityContext:
-            runAsNonRoot: true
-            runAsUser: 1000
-          env:
-            - name: discovery.type
-              value: single-node
-            - name: xpack.security.enabled
-              value: "false"
-          ports:
-            - containerPort: 9200
-          readinessProbe:
-            httpGet:
-              path: /_cluster/health
-              port: 9200
-            initialDelaySeconds: 5
-            periodSeconds: 10
-            failureThreshold: 3
-            successThreshold: 1
-            timeoutSeconds: 5
-          resources:
-            limits:
-              memory: "2147483648"
-          volumeMounts:
-          - name: elasticsearch-data
-            mountPath: /usr/share/elasticsearch/data
-          - name: elasticsearch-tmp
-            mountPath: /tmp/
-      volumes:
-      - emptyDir: {}
-        name: elasticsearch-keystore
-      - emptyDir: {}
-        name: elasticsearch-tmp
-      - emptyDir: {}
-        name: elasticsearch-logs
-  volumeClaimTemplates:
-    - metadata:
-        name: elasticsearch-data
-      spec:
-        accessModes:
-          - "ReadWriteOnce"
-        resources:
-          requests:
-            storage: "10Gi"
-        storageClassName: longhorn
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: elasticsearch
-  labels:
-    app: elasticsearch
-spec:
-  ports:
-  - name: api
-    port: 80
-    targetPort: 9200
-  selector:
-    app: elasticsearch
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: graylog-gelf-tcp
-  labels:
-    app: graylog
-spec:
-  ports:
-    - name: graylog-gelf-tcp
-      port: 12201
-      protocol: TCP
-      targetPort: 12201
-  selector:
-    app: graylog
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: graylog-logstash
-  labels:
-    app: graylog
-spec:
-  ports:
-    - name: graylog-logstash
-      port: 5044
-      protocol: TCP
-  selector:
-    app: graylog
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: graylog-syslog-tcp
-  labels:
-    app: graylog
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: syslog.k-space.ee
-    metallb.universe.tf/allow-shared-ip: syslog.k-space.ee
-spec:
-  type: LoadBalancer
-  externalTrafficPolicy: Local
-  loadBalancerIP: 172.20.51.4
-  ports:
-    - name: graylog-syslog
-      port: 514
-      protocol: TCP
-  selector:
-    app: graylog
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: graylog-syslog-udp
-  labels:
-    app: graylog
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: syslog.k-space.ee
-    metallb.universe.tf/allow-shared-ip: syslog.k-space.ee
-spec:
-  type: LoadBalancer
-  externalTrafficPolicy: Local
-  loadBalancerIP: 172.20.51.4
-  ports:
-    - name: graylog-syslog
-      port: 514
-      protocol: UDP
-  selector:
-    app: graylog
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: graylog
-  labels:
-    app: graylog
-spec:
-  ports:
-    - name: graylog
-      port: 9000
-      protocol: TCP
-  selector:
-    app: graylog
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: graylog
-  labels:
-    app: graylog
-  annotations:
-    keel.sh/policy: minor
-    keel.sh/trigger: poll
-    keel.sh/pollSchedule: "@midnight"
-spec:
-  serviceName: graylog
-  revisionHistoryLimit: 0
-  replicas: 1
-  selector:
-    matchLabels:
-      app: graylog
-  template:
-    metadata:
-      labels:
-        app: graylog
-      annotations:
-        prometheus.io/port: "9833"
-        prometheus.io/scrape: "true"
-    spec:
-      securityContext:
-        fsGroup: 1100
-      volumes:
-        - name: graylog-config
-          downwardAPI:
-            items:
-              - path: id
-                fieldRef:
-                  fieldPath: metadata.name
-      containers:
-        - name: graylog
-          image: graylog/graylog:4.3
-          env:
-            - name: GRAYLOG_MONGODB_URI
-              valueFrom:
-                secretKeyRef:
-                  name: mongodb-application-readwrite
-                  key: connectionString.standard
-            - name: GRAYLOG_PROMETHEUS_EXPORTER_ENABLED
-              value: "true"
-            - name: GRAYLOG_PROMETHEUS_EXPORTER_BIND_ADDRESS
-              value: "0.0.0.0:9833"
-            - name: GRAYLOG_NODE_ID_FILE
-              value: /config/id
-            - name: GRAYLOG_HTTP_EXTERNAL_URI
-              value: "https://graylog.k-space.ee/"
-            - name: GRAYLOG_TRUSTED_PROXIES
-              value: "0.0.0.0/0"
-            - name: GRAYLOG_ELASTICSEARCH_HOSTS
-              value: "http://elasticsearch"
-            - name: GRAYLOG_MESSAGE_JOURNAL_ENABLED
-              value: "false"
-            - name: GRAYLOG_ROTATION_STRATEGY
-              value: "size"
-            - name: GRAYLOG_ELASTICSEARCH_MAX_SIZE_PER_INDEX
-              value: "268435456"
-            - name: GRAYLOG_ELASTICSEARCH_MAX_NUMBER_OF_INDICES
-              value: "16"
-          envFrom:
-            - secretRef:
-                name: graylog-secrets
-          securityContext:
-            runAsNonRoot: true
-            runAsUser: 1100
-          ports:
-            - containerPort: 9000
-              name: graylog
-            - containerPort: 9833
-              name: graylog-metrics
-          livenessProbe:
-            httpGet:
-              path: /api/system/lbstatus
-              port: 9000
-            initialDelaySeconds: 5
-            periodSeconds: 30
-            failureThreshold: 3
-            successThreshold: 1
-            timeoutSeconds: 5
-          readinessProbe:
-            httpGet:
-              path: /api/system/lbstatus
-              port: 9000
-            initialDelaySeconds: 5
-            periodSeconds: 10
-            failureThreshold: 3
-            successThreshold: 1
-            timeoutSeconds: 5
-          volumeMounts:
-            - name: graylog-config
-              mountPath: /config
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: graylog
-  annotations:
-    cert-manager.io/cluster-issuer: default
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
-    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
-    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
-spec:
-  rules:
-  - host: graylog.k-space.ee
-    http:
-      paths:
-      - pathType: Prefix
-        path: "/"
-        backend:
-          service:
-            name: graylog
-            port:
-              number: 9000
-  tls:
-  - hosts:
-    - graylog.k-space.ee
-    secretName: graylog-tls
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: graylog
-spec:
-  podSelector:
-    matchLabels:
-      app: graylog
-  policyTypes:
-  - Ingress
-  - Egress
-  egress:
-  - to:
-    - podSelector:
-        matchLabels:
-          app: elasticsearch
-    ports:
-    - port: 9200
-  - to:
-    - podSelector:
-        matchLabels:
-          app: mongodb-svc
-    ports:
-    - port: 27017
-  ingress:
-  - from:
-    - ipBlock:
-        cidr: 172.23.0.0/16
-    - ipBlock:
-        cidr: 172.21.0.0/16
-    - ipBlock:
-        cidr: 100.102.0.0/16
-    ports:
-    - protocol: UDP
-      port: 514
-    - protocol: TCP
-      port: 514
-  - from:
-    - podSelector:
-        matchLabels:
-          app: filebeat
-    ports:
-    - protocol: TCP
-      port: 5044
-  - from:
-    - namespaceSelector:
-        matchLabels:
-          kubernetes.io/metadata.name: monitoring
-      podSelector:
-        matchLabels:
-          app: prometheus
-    ports:
-    - port: 9833
-  - from:
-    - namespaceSelector:
-        matchLabels:
-          kubernetes.io/metadata.name: traefik
-      podSelector:
-        matchLabels:
-          app.kubernetes.io/name: traefik
-    ports:
-    - protocol: TCP
-      port: 9000
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: elasticsearch
-spec:
-  podSelector:
-    matchLabels:
-      app: elasticsearch
-  policyTypes:
-  - Ingress
-  - Egress
-  ingress:
-  - from:
-    - podSelector:
-        matchLabels:
-          app: graylog
-  - from:
-    - namespaceSelector:
-        matchLabels:
-          kubernetes.io/metadata.name: monitoring
-      podSelector:
-        matchLabels:
-          app: grafana
-  egress:
-  - to:
-    - ipBlock:
-        # geoip.elastic.co updates
-        cidr: 0.0.0.0/0
-    ports:
-    - port: 443
----
-apiVersion: mongodbcommunity.mongodb.com/v1
-kind: MongoDBCommunity
-metadata:
-  name: mongodb
-spec:
-  members: 3
-  type: ReplicaSet
-  version: "5.0.9"
-  security:
-    authentication:
-      modes: ["SCRAM"]
-  users:
-    - name: readwrite
-      db: application
-      passwordSecretRef:
-        name: mongodb-application-readwrite-password
-      roles:
-        - name: readWrite
-          db: application
-      scramCredentialsSecretName: mongodb-application-readwrite
-    - name: readonly
-      db: application
-      passwordSecretRef:
-        name: mongodb-application-readonly-password
-      roles:
-        - name: readOnly
-          db: application
-      scramCredentialsSecretName: mongodb-application-readonly
-  statefulSet:
-    spec:
-      template:
-        spec:
-          affinity:
-            podAntiAffinity:
-              requiredDuringSchedulingIgnoredDuringExecution:
-                - labelSelector:
-                    matchExpressions:
-                      - key: app
-                        operator: In
-                        values:
-                          - mongodb-svc
-                  topologyKey: kubernetes.io/hostname
-          nodeSelector:
-            dedicated: storage
-          tolerations:
-            - key: dedicated
-              operator: Equal
-              value: storage
-              effect: NoSchedule
-      volumeClaimTemplates:
-        - metadata:
-            name: logs-volume
-          spec:
-            storageClassName: local-path
-            accessModes:
-            - ReadWriteOnce
-            resources:
-              requests:
-                storage: 512Mi
-        - metadata:
-            name: data-volume
-          spec:
-            storageClassName: local-path
-            accessModes:
-            - ReadWriteOnce
-            resources:
-              requests:
-                storage: 2Gi

logging/filebeat.yml

@@ -6,18 +6,15 @@ metadata:
   namespace: logging
 data:
   filebeat.yml: |-
+    logging:
+      level: warning
+    setup:
+      ilm:
+        enabled: false
+      template:
+        name: filebeat
+        pattern: filebeat-*
     http.enabled: true
-    filebeat.inputs:
-    - type: container
-      paths:
-        - /var/log/containers/*.log
-      processors:
-        - add_kubernetes_metadata:
-            in_cluster: true
-            host: ${NODE_NAME}
-            matchers:
-            - logs_path:
-                logs_path: "/var/log/containers/"
     filebeat.autodiscover:
       providers:
         - type: kubernetes
@@ -27,50 +24,24 @@ data:
             type: container
             paths:
               - /var/log/containers/*${data.kubernetes.container.id}.log
-    processors:
-      - add_host_metadata:
-      - drop_fields:
-          fields:
-            - stream
-          ignore_missing: true
-      - rename:
-          fields:
-            - from: "kubernetes.node.name"
-              to: "source"
-            - from: "kubernetes.pod.name"
-              to: "pod"
-            - from: "stream"
-              to: "stream"
-            - from: "kubernetes.labels.app"
-              to: "app"
-            - from: "kubernetes.namespace"
-              to: "namespace"
-          ignore_missing: true
-      - drop_fields:
-          fields:
-            - agent
-            - container
-            - ecs
-            - host
-            - kubernetes
-            - log
-            - "@metadata"
-          ignore_missing: true
-    output.logstash:
-      hosts: ["graylog-logstash:5044"]
-    #output.console:
-    #  pretty: true
+    output:
+      elasticsearch:
+        hosts:
+          - http://zinc:4080
+        path: "/es/"
+        index: "filebeat-%{+yyyy.MM.dd}"
+        username: "${ZINC_FIRST_ADMIN_USER}"
+        password: "${ZINC_FIRST_ADMIN_PASSWORD}"
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: filebeat
-  namespace: logging
 spec:
   updateStrategy:
     type: RollingUpdate
     rollingUpdate:
-      maxUnavailable: 100%
+      maxUnavailable: 50%
   selector:
     matchLabels:
       app: filebeat
@@ -78,72 +49,86 @@ spec:
     metadata:
       labels:
         app: filebeat
+      annotations:
+        co.elastic.logs/json.keys_under_root: "true"
     spec:
       serviceAccountName: filebeat
       containers:
-      - name: filebeat
-        image: docker.elastic.co/beats/filebeat:7.17.6
-        args:
-         - -c
-         - /etc/filebeat.yml
-         - -e
-        securityContext:
-          runAsUser: 0
-        env:
-        - name: NODE_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: spec.nodeName
-        ports:
-          - containerPort: 5066
-        resources:
-          limits:
-            memory: 200Mi
-          requests:
-            cpu: 100m
-            memory: 100Mi
-        volumeMounts:
-        - name: filebeat-config
-          mountPath: /etc/filebeat.yml
-          readOnly: true
-          subPath: filebeat.yml
-        - name: data
-          mountPath: /usr/share/filebeat/data
-        - name: varlibdockercontainers
-          mountPath: /var/lib/docker/containers
-          readOnly: true
-        - name: varlog
-          mountPath: /var/log
-          readOnly: true
+        - name: filebeat
+          image: docker.elastic.co/beats/filebeat:8.4.1
+          args:
+            - -c
+            - /etc/filebeat.yml
+            - -e
+          securityContext:
+            runAsUser: 0
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: ZINC_FIRST_ADMIN_USER
+              value: admin
+            - name: ZINC_FIRST_ADMIN_PASSWORD
+              value: salakala
+          ports:
+            - containerPort: 5066
+          resources:
+            limits:
+              memory: 200Mi
+            requests:
+              cpu: 100m
+              memory: 100Mi
+          volumeMounts:
+            - name: filebeat-config
+              mountPath: /etc/filebeat.yml
+              readOnly: true
+              subPath: filebeat.yml
+            - name: data
+              mountPath: /usr/share/filebeat/data
+            - name: varlibdockercontainers
+              mountPath: /var/lib/docker/containers
+              readOnly: true
+            - name: varlog
+              mountPath: /var/log
+              readOnly: true
+        - name: exporter
+          image: sepa/beats-exporter
+          args:
+            - -p=5066
+          ports:
+            - containerPort: 8080
+              name: exporter
+              protocol: TCP
       volumes:
-      - name: filebeat-config
-        configMap:
-          defaultMode: 0600
-          name: filebeat-config
-      - name: varlibdockercontainers
-        hostPath:
-          path: /var/lib/docker/containers
-      - name: varlog
-        hostPath:
-          path: /var/log
-      - name: data
-        hostPath:
-          path: /var/lib/filebeat-data
-          type: DirectoryOrCreate
+        - name: filebeat-config
+          configMap:
+            defaultMode: 0600
+            name: filebeat-config
+        - name: varlibdockercontainers
+          hostPath:
+            path: /var/lib/docker/containers
+        - name: varlog
+          hostPath:
+            path: /var/log
+        - name: data
+          hostPath:
+            path: /var/lib/filebeat-data
+            type: DirectoryOrCreate
       tolerations:
-      - operator: "Exists"
-        effect: "NoExecute"
-      - operator: "Exists"
-        effect: "NoSchedule"
+        - operator: "Exists"
+          effect: "NoExecute"
+        - operator: "Exists"
+          effect: "NoSchedule"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: logging-filebeat
 subjects:
-- kind: ServiceAccount
-  name: filebeat
-  namespace: logging
+  - kind: ServiceAccount
+    name: filebeat
+    namespace: logging
 roleRef:
   kind: ClusterRole
   name: filebeat
@@ -166,13 +151,35 @@ spec:
     matchLabels:
       app: filebeat
   policyTypes:
-  - Ingress
-  - Egress
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: prometheus-operator
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: prometheus
+      ports:
+        - protocol: TCP
+          port: 8080
   egress:
-  - to:
-    - podSelector:
-        matchLabels:
-          app: graylog
-    ports:
-    - protocol: TCP
-      port: 5044
+    - to:
+        - podSelector:
+            matchLabels:
+              app: zinc
+      ports:
+        - protocol: TCP
+          port: 4080
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: filebeat
+spec:
+  selector:
+    matchLabels:
+      app: filebeat
+  podMetricsEndpoints:
+    - port: exporter

logging/zinc.yml

@@ -0,0 +1,122 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: zinc
+spec:
+  clusterIP: None
+  selector:
+    app: zinc
+  ports:
+  - name: http
+    port: 4080
+    targetPort: 4080
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: zinc
+spec:
+  serviceName: zinc
+  replicas: 1
+  selector:
+    matchLabels:
+      app: zinc
+  template:
+    metadata:
+      labels:
+        app: zinc
+    spec:
+      securityContext:
+        fsGroup: 2000
+        runAsUser: 10000
+        runAsGroup: 3000
+        runAsNonRoot: true
+      containers:
+        - name: zinc
+          image: public.ecr.aws/zinclabs/zinc:latest
+          env:
+            - name: GIN_MODE
+              value: release
+            - name: ZINC_FIRST_ADMIN_USER
+              value: admin
+            - name: ZINC_FIRST_ADMIN_PASSWORD
+              value: salakala
+            - name: ZINC_DATA_PATH
+              value: /data
+          imagePullPolicy: Always
+          resources:
+            limits:
+              cpu: "4"
+              memory: 4Gi
+            requests:
+              cpu: 32m
+              memory: 50Mi
+          ports:
+            - containerPort: 4080
+              name: http
+          volumeMounts:
+          - name: data
+            mountPath: /data
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes:
+        - ReadWriteOnce
+      storageClassName: longhorn
+      resources:
+        requests:
+          storage: 20Gi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: zinc
+  annotations:
+    cert-manager.io/cluster-issuer: default
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
+spec:
+  rules:
+  - host: zinc.k-space.ee
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: zinc
+            port:
+              number: 4080
+  tls:
+  - hosts:
+    - zinc.k-space.ee
+    secretName: zinc-tls
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: zinc
+spec:
+  podSelector:
+    matchLabels:
+      app: zinc
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: filebeat
+    ports:
+    - protocol: TCP
+      port: 4080
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: traefik
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: traefik

logmower/application.yml

@@ -0,0 +1,512 @@
+---
+apiVersion: codemowers.io/v1alpha1
+kind: OIDCGWMiddlewareClient
+metadata:
+  name: frontend
+spec:
+  displayName: Kubernetes pod log aggregator
+  uri: 'https://log.k-space.ee'
+  allowedGroups:
+    - k-space:kubernetes:developers
+    - k-space:kubernetes:admins
+  headerMapping:
+    email: Remote-Email
+    groups: Remote-Groups
+    name: Remote-Name
+    user: Remote-Username
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+  name: logmower-readwrite-password
+spec:
+  size: 32
+  mapping:
+    - key: password
+      value: "%(plaintext)s"
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+  name: logmower-readonly-password
+spec:
+  size: 32
+  mapping:
+    - key: password
+      value: "%(plaintext)s"
+---
+apiVersion: mongodbcommunity.mongodb.com/v1
+kind: MongoDBCommunity
+metadata:
+  name: logmower-mongodb
+spec:
+  agent:
+    logLevel: ERROR
+    maxLogFileDurationHours: 1
+  additionalMongodConfig:
+    systemLog:
+      quiet: true
+  members: 2
+  arbiters: 1
+  type: ReplicaSet
+  version: "6.0.3"
+  security:
+    authentication:
+      modes: ["SCRAM"]
+  users:
+    - name: readwrite
+      db: application
+      passwordSecretRef:
+        name: logmower-readwrite-password
+      roles:
+        - name: readWrite
+          db: application
+      scramCredentialsSecretName: logmower-readwrite
+    - name: readonly
+      db: application
+      passwordSecretRef:
+        name: logmower-readonly-password
+      roles:
+        - name: read
+          db: application
+      scramCredentialsSecretName: logmower-readonly
+  statefulSet:
+    spec:
+      logLevel: WARN
+      template:
+        spec:
+          containers:
+            - name: mongod
+              resources:
+                requests:
+                  cpu: 100m
+                  memory: 1Gi
+                limits:
+                  cpu: 4000m
+                  memory: 1Gi
+              volumeMounts:
+                - name: journal-volume
+                  mountPath: /data/journal
+            - name: mongodb-agent
+              resources:
+                requests:
+                  cpu: 1m
+                  memory: 100Mi
+                limits: {}
+          affinity:
+            podAntiAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+                - labelSelector:
+                    matchExpressions:
+                      - key: app
+                        operator: In
+                        values:
+                          - logmower-mongodb-svc
+                  topologyKey: kubernetes.io/hostname
+          nodeSelector:
+            dedicated: monitoring
+          tolerations:
+            - key: dedicated
+              operator: Equal
+              value: monitoring
+              effect: NoSchedule
+      volumeClaimTemplates:
+        - metadata:
+            name: logs-volume
+            labels:
+              usecase: logs
+          spec:
+            storageClassName: mongo
+            accessModes:
+            - ReadWriteOnce
+            resources:
+              requests:
+                storage: 100Mi
+        - metadata:
+            name: journal-volume
+            labels:
+              usecase: journal
+          spec:
+            storageClassName: mongo
+            accessModes:
+            - ReadWriteOnce
+            resources:
+              requests:
+                storage: 512Mi
+        - metadata:
+            name: data-volume
+            labels:
+              usecase: data
+          spec:
+            storageClassName: mongo
+            accessModes:
+            - ReadWriteOnce
+            resources:
+              requests:
+                storage: 10Gi
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: logmower-shipper
+spec:
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 50%
+  selector:
+    matchLabels:
+      app: logmower-shipper
+  template:
+    metadata:
+      labels:
+        app: logmower-shipper
+    spec:
+      serviceAccountName: logmower-shipper
+      containers:
+        - name: logmower-shipper
+          image: logmower/shipper:latest
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: MONGO_URI
+              valueFrom:
+                secretKeyRef:
+                  name: logmower-mongodb-application-readwrite
+                  key: connectionString.standard
+          ports:
+            - containerPort: 8000
+              name: metrics
+          securityContext:
+            readOnlyRootFilesystem: true
+          command:
+            - /app/log_shipper.py
+            - --parse-json
+            - --normalize-log-level
+            - --stream-to-log-level
+            - --merge-top-level
+            - --max-collection-size
+            - "10000000000"
+          resources:
+            limits:
+              memory: 200Mi
+            requests:
+              cpu: 100m
+              memory: 100Mi
+          volumeMounts:
+            - name: etcmachineid
+              mountPath: /etc/machine-id
+              readOnly: true
+            - name: varlog
+              mountPath: /var/log
+              readOnly: true
+      volumes:
+        - name: etcmachineid
+          hostPath:
+            path: /etc/machine-id
+        - name: varlog
+          hostPath:
+            path: /var/log
+      tolerations:
+        - operator: "Exists"
+          effect: "NoSchedule"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: logging-logmower-shipper
+subjects:
+  - kind: ServiceAccount
+    name: logmower-shipper
+    namespace: logmower
+roleRef:
+  kind: ClusterRole
+  name: filebeat
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: logmower-shipper
+  labels:
+    app: logmower-shipper
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: logmower-shipper
+spec:
+  podSelector:
+    matchLabels:
+      app: logmower-shipper
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: prometheus
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app: logmower-mongodb-svc
+      ports:
+        - port: 27017
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: logmower-eventsource
+spec:
+  podSelector:
+    matchLabels:
+      app: logmower-eventsource
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app: logmower-mongodb-svc
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: logmower-frontend
+spec:
+  podSelector:
+    matchLabels:
+      app: logmower-frontend
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: logmower-shipper
+spec:
+  selector:
+    matchLabels:
+      app: logmower-shipper
+  podMetricsEndpoints:
+    - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: logmower-shipper
+spec:
+  groups:
+    - name: logmower-shipper
+      rules:
+        - alert: LogmowerSingleInsertionErrors
+          annotations:
+            summary: Logmower shipper is having issues submitting log records
+              to database
+          expr: rate(logmower_insertion_error_count_total[30m]) > 0
+          for: 0m
+          labels:
+            severity: warning
+        - alert: LogmowerBulkInsertionErrors
+          annotations:
+            summary: Logmower shipper is having issues submitting log records
+              to database
+          expr: rate(logmower_bulk_insertion_error_count_total[30m]) > 0
+          for: 0m
+          labels:
+            severity: warning
+        - alert: LogmowerHighDatabaseLatency
+          annotations:
+            summary: Database operations are slow
+          expr: histogram_quantile(0.95, logmower_database_operation_latency_bucket) > 10
+          for: 1m
+          labels:
+            severity: warning
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: logmower
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    cert-manager.io/cluster-issuer: default
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.middlewares: logmower-frontend@kubernetescrd
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+spec:
+  rules:
+  - host: log.k-space.ee
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/events"
+        backend:
+          service:
+            name: logmower-eventsource
+            port:
+              number: 3002
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: logmower-frontend
+            port:
+              number: 8080
+  tls:
+  - hosts:
+    - "*.k-space.ee"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: logmower-eventsource
+spec:
+  type: ClusterIP
+  selector:
+    app: logmower-eventsource
+  ports:
+    - protocol: TCP
+      port: 3002
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: logmower-frontend
+spec:
+  type: ClusterIP
+  selector:
+    app: logmower-frontend
+  ports:
+    - protocol: TCP
+      port: 8080
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: logmower-frontend
+spec:
+  selector:
+    matchLabels:
+      app: logmower-frontend
+  template:
+    metadata:
+      labels:
+        app: logmower-frontend
+    spec:
+      containers:
+        - name: logmower-frontend
+          image: logmower/frontend:latest
+          ports:
+          - containerPort: 8080
+            name: http
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+          resources:
+            limits:
+              memory: 50Mi
+            requests:
+              cpu: 1m
+              memory: 20Mi
+          volumeMounts:
+          - name : nginx-cache
+            mountPath: /var/cache/nginx/
+          - name : nginx-config
+            mountPath: /var/config/nginx/
+          - name: var-run
+            mountPath: /var/run/
+      volumes:
+      - emptyDir: {}
+        name: nginx-cache
+      - emptyDir: {}
+        name: nginx-config
+      - emptyDir: {}
+        name: var-run
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: logmower-eventsource
+spec:
+  selector:
+    matchLabels:
+      app: logmower-eventsource
+  template:
+    metadata:
+      labels:
+        app: logmower-eventsource
+    spec:
+      containers:
+        - name: logmower-eventsource
+          image: logmower/eventsource:latest
+          ports:
+            - containerPort: 3002
+              name: nodejs
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+          resources:
+            limits:
+              cpu: 500m
+              memory: 200Mi
+            requests:
+              cpu: 10m
+              memory: 100Mi
+          env:
+            - name: MONGODB_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: logmower-mongodb-application-readonly
+                  key: connectionString.standard
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: logmower-mongodb
+spec:
+  podSelector:
+    matchLabels:
+      app: logmower-mongodb-svc
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+    - from:
+      - podSelector: {}
+      ports:
+      - port: 27017
+  egress:
+    - to:
+      - podSelector:
+          matchLabels:
+            app: logmower-mongodb-svc
+      ports:
+      - port: 27017

logmower/mongodb-support.yml

@@ -0,0 +1 @@
+../mongodb-operator/mongodb-support.yml

logmower/mongoexpress.yml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: logmower-mongoexpress
+spec:
+  revisionHistoryLimit: 0
+  replicas: 1
+  selector:
+    matchLabels:
+      app: logmower-mongoexpress
+  template:
+    metadata:
+      labels:
+        app: logmower-mongoexpress
+    spec:
+      containers:
+        - name: mongoexpress
+          image: mongo-express
+          ports:
+           - name: mongoexpress
+             containerPort: 8081
+          env:
+            - name: ME_CONFIG_MONGODB_URL
+              valueFrom:
+                secretKeyRef:
+                  name: logmower-mongodb-application-readonly
+                  key: connectionString.standard
+            - name: ME_CONFIG_MONGODB_ENABLE_ADMIN
+              value: "true"
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: logmower-mongoexpress
+spec:
+  podSelector:
+    matchLabels:
+      app: logmower-mongoexpress
+  policyTypes:
+  - Egress
+  egress:
+    - to:
+      - podSelector:
+          matchLabels:
+            app: logmower-mongodb-svc
+      ports:
+      - port: 27017