k-space/kube
12
1
Fork 3
Code Issues 62 Pull Requests 1 Wiki Activity

Compare commits

base: k-space:master
Branches Tags
k-space:master k-space:hackerspaceRefactor k-space:develop k-space:ingressroute k-space:alertmanager-config
..
compare: k-space:hackerspaceRefactor
Branches Tags
k-space:master k-space:hackerspaceRefactor k-space:develop k-space:ingressroute k-space:alertmanager-config

1 Commits
master ... hackerspac

Author SHA1 Message Date
rasmus
9ef252c8ec hackerspace kustomize 
+ move static env to dockerfile
+ doorboy-direct refactor
 2025-08-14 01:19:43 +03:00
36 changed files with 601 additions and 683 deletions
Expand all files Collapse all files

4
_disabled/freeswitch/application.yaml
View File

@@ -5,8 +5,8 @@ metadata:
namespace: freeswitch
annotations:
external-dns.alpha.kubernetes.io/hostname: freeswitch.k-space.ee
metallb.io/address-pool: eenet
metallb.io/ip-allocated-from-pool: eenet
metallb.universe.tf/address-pool: eenet
metallb.universe.tf/ip-allocated-from-pool: eenet
spec:
ports:
- name: sip-internal-udp

20
argocd/applications/unifi.yaml
View File

@@ -1,20 +0,0 @@
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: unifi
namespace: argocd
spec:
project: k-space.ee
source:
repoURL: 'git@git.k-space.ee:k-space/kube.git'
path: unifi
targetRevision: HEAD
destination:
server: 'https://kubernetes.default.svc'
namespace: unifi
syncPolicy:
automated:
prune: true
syncOptions:
- CreateNamespace=true

4
elastic-system/application.yml
View File

@@ -146,7 +146,7 @@ metadata:
name: filebeat-syslog-udp
annotations:
external-dns.alpha.kubernetes.io/hostname: syslog.k-space.ee
metallb.io/allow-shared-ip: syslog.k-space.ee
metallb.universe.tf/allow-shared-ip: syslog.k-space.ee
spec:
type: LoadBalancer
externalTrafficPolicy: Local
@@ -165,7 +165,7 @@ metadata:
name: filebeat-syslog-tcp
annotations:
external-dns.alpha.kubernetes.io/hostname: syslog.k-space.ee
metallb.io/allow-shared-ip: syslog.k-space.ee
metallb.universe.tf/allow-shared-ip: syslog.k-space.ee
spec:
type: LoadBalancer
externalTrafficPolicy: Local

4
frigate/README.md
View File

@@ -14,7 +14,3 @@ kustomize build . --enable-helm
- Amcrest 5MP Turret PoE Outdoor IP Camera with Mic/Audio, 98ft NightVision, 132° FOV, MicroSD (256GB) IP5M-T1179EW-AI-V3 white
Cameras are enumerated (with credentials) in secretspace.
## Coral setup
1. Map USB to VM (#TODO: blog post coming up for exact steps)
2. `k label no worker91.kube.k-space.ee coral.ai/tpu=Exists`

1
frigate/kustomization.yaml
View File

@@ -16,4 +16,5 @@ resources:
- ssh://git@git.k-space.ee/secretspace/kube/frigate # secrets (.env): go2rtc-config, frigate-mqtt-secret, frigate-rtsp-secret
- ./auth.yml
- ./rabbitmq.yml
- ./storage.yml
- ./transcode.yml

32
frigate/storage.yml Normal file
View File

@@ -0,0 +1,32 @@
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: frigate-storage
spec:
persistentVolumeReclaimPolicy: Retain
capacity:
storage: 1Ti
accessModes:
- ReadWriteMany
storageClassName: ""
nfs:
server: 172.21.0.7
path: /nas/k6/frigate
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: frigate-storage
spec:
volumeName: frigate-storage
storageClassName: ""
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Ti

13
frigate/transcode.yml
View File

@@ -29,6 +29,13 @@ spec:
values:
- go2rtc
topologyKey: "kubernetes.io/hostname"
nodeSelector:
dedicated: nvr
tolerations:
- key: dedicated
operator: Equal
value: nvr
effect: NoSchedule
containers:
- name: go2rtc
image: alexxit/go2rtc
@@ -43,9 +50,9 @@ spec:
- mountPath: /config/go2rtc.yaml
subPath: config.yml
name: config
# resources:
# limits:
# nvidia.com/gpu: 1
resources:
limits:
nvidia.com/gpu: 1
volumes:
- name: config
secret:

18
frigate/values.yaml
View File

@@ -125,16 +125,24 @@ ingress:
- "*.k-space.ee"
persistence:
config:
# WIP :)
enabled: false
storageClass: "null"
accessMode: ReadWriteOnce
size: 1000Mi
skipuninstall: false
media:
enabled: true
storageClass: "hdd-ceph"
size: 1Ti
existingClaim: "frigate-storage"
skipuninstall: true
# Force application to run on nvr node
nodeSelector:
coral.ai/tpu: Exists
dedicated: nvr
tolerations:
- key: coral.ai/tpu
- key: dedicated
operator: Equal
value: Exists
value: nvr
effect: NoSchedule

22
hackerspace/README.md
View File

@@ -1,8 +1,20 @@
## inventory.k-space.ee
Reads-writes to mongo.
## hackerspace / inventory
<!-- Referenced/linked by https://wiki.k-space.ee/en/hosting/doors -->
A component of inventory is 'doorboy' (https://wiki.k-space.ee/en/hosting/doors)
## k6.ee
## [doorboy-proxy](https://github.com/k-space/doorboy-proxy)
- Dispatches open events (from mongodb) to door controllers.
- Handles Slack open events (to mongodb).
- Forwards logs from door controllers to mongodb.
- Broadcasts mongodb logs to Slack.
See also:
- inventory-app door components
- https://wiki.k-space.ee/en/hosting/doors
## [inventory-app](https://github.com/k-space/inventory-app) (inventory.k-space.ee)
- Inventory
- Manages door keycards.
- Forwards door opens from website to mongodb (what are picked up by doorboy-proxy).
## [goredirect](https://github.com/k-space/goredirect) (k6.ee)
Reads from mongo, HTTP redirect to //inventory.k-space.ee/m/inventory/{uuid}/view

22
hackerspace/doorboy.yml → hackerspace/doorboy.yaml
View File

@@ -26,6 +26,7 @@ spec:
- doorboy-proxy
topologyKey: topology.kubernetes.io/zone
weight: 100
serviceAccountName: inventory-svcacc
containers:
- name: doorboy-proxy
image: harbor.k-space.ee/k-space/doorboy-proxy:latest
@@ -33,21 +34,14 @@ spec:
- secretRef:
name: inventory-mongodb
- secretRef:
name: doorboy-api
name: doorboy-godoor
- secretRef:
name: doorboy-slack
env:
- name: FLOOR_ACCESS_GROUP
value: 'k-space:floor'
- name: WORKSHOP_ACCESS_GROUP
value: 'k-space:workshop'
- name: CARD_URI
value: 'https://inventory.k-space.ee/cards'
- name: SWIPE_URI
value: 'https://inventory.k-space.ee/m/doorboy/swipe'
- name: INVENTORY_API_KEY
valueFrom:
secretKeyRef:
name: inventory-api-key
key: INVENTORY_API_KEY
- name: OIDC_USERS_NAMESPACE
value: passmower
- name: SLACK_CHANNEL_ID
value: CDL9H8Q9W
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true

47
hackerspace/inventory-extras.yaml
View File

@@ -1,37 +1,24 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: members-inventory-redirect
spec:
redirectRegex:
regex: ^https://members.k-space.ee/(.*)
replacement: https://inventory.k-space.ee/${1}
permanent: false
---
# Creates a dummy/stub in auth.k-space.ee user-facing service listing (otherwise only inventory.k-space.ee is listed).
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
kind: OIDCClient
metadata:
name: doorboy
name: inventory-app
spec:
displayName: Doorboy
uri: 'https://inventory.k-space.ee/m/doorboy'
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: members-inventory
spec:
entryPoints:
- websecure
routes:
- match: Host(`members.k-space.ee`)
kind: Rule
middlewares:
- name: members-inventory-redirect
services:
- kind: TraefikService
name: api@internal
uri: 'https://inventory.k-space.ee'
redirectUris:
- 'https://inventory.k-space.ee/login-callback'
grantTypes:
- 'authorization_code'
- 'refresh_token'
responseTypes:
- 'code'
availableScopes:
- 'openid'
- 'profile'
- 'groups'
- 'offline_access'
tokenEndpointAuthMethod: 'client_secret_basic'
pkce: false
---
apiVersion: codemowers.cloud/v1beta1
kind: MinioBucketClaim

35
hackerspace/inventory-redirects.yaml Normal file
View File

@@ -0,0 +1,35 @@
---
# Creates a dummy/stub in auth.k-space.ee user-facing service listing (otherwise only inventory.k-space.ee is listed).
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: doorboy
spec:
displayName: Doorboy
uri: 'https://inventory.k-space.ee/m/doorboy'
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: members-inventory-redirect
spec:
redirectRegex:
regex: ^https://members.k-space.ee/(.*)
replacement: https://inventory.k-space.ee/${1}
permanent: false
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: members-inventory
spec:
entryPoints:
- websecure
routes:
- match: Host(`members.k-space.ee`)
kind: Rule
middlewares:
- name: members-inventory-redirect
services:
- kind: TraefikService
name: api@internal

80
hackerspace/inventory.yaml
View File

@@ -20,36 +20,12 @@ spec:
- image: harbor.k-space.ee/k-space/inventory-app:latest
imagePullPolicy: Always
env:
- name: ENVIRONMENT_TYPE
value: PROD
- name: PYTHONUNBUFFERED
value: "1"
- name: INVENTORY_ASSETS_BASE_URL
value: https://external.minio-clusters.k-space.ee/hackerspace-701d9303-0f27-4829-a2be-b1084021ad91/
- name: MACADDRESS_OUTLINK_BASEURL
value: https://grafana.k-space.ee/d/ddwyidbtbc16oa/ip-usage?orgId=1&from=now-2y&to=now&timezone=browser&var-Filters=mac%7C%3D%7C
- name: OIDC_USERS_NAMESPACE
value: passmower
- name: SECRET_KEY
valueFrom:
secretKeyRef:
key: SECRET_KEY
name: inventory-secrets
- name: INVENTORY_API_KEY
valueFrom:
secretKeyRef:
key: INVENTORY_API_KEY
name: inventory-api-key
- name: SLACK_DOORLOG_CALLBACK
valueFrom:
secretKeyRef:
key: SLACK_DOORLOG_CALLBACK
name: slack-secrets
- name: SLACK_VERIFICATION_TOKEN
valueFrom:
secretKeyRef:
key: SLACK_VERIFICATION_TOKEN
name: slack-secrets
envFrom:
- secretRef:
name: miniobucket-inventory-external-owner-secrets
@@ -122,59 +98,3 @@ spec:
tls:
- hosts:
- "*.k-space.ee"
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
name: inventory-app
spec:
uri: 'https://inventory.k-space.ee'
redirectUris:
- 'https://inventory.k-space.ee/login-callback'
grantTypes:
- 'authorization_code'
- 'refresh_token'
responseTypes:
- 'code'
availableScopes:
- 'openid'
- 'profile'
- 'groups'
- 'offline_access'
tokenEndpointAuthMethod: 'client_secret_basic'
pkce: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: inventory-role
namespace: hackerspace
rules:
- verbs:
- get
- list
- watch
apiGroups:
- codemowers.cloud
resources:
- oidcusers
- oidcusers/status
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: inventory-roles
namespace: hackerspace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: inventory-role
subjects:
- kind: ServiceAccount
name: inventory-svcacc
namespace: hackerspace
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: inventory-svcacc

13
hackerspace/kustomization.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: hackerspace
resources:
- ssh://git@git.k-space.ee/secretspace/kube/hackerspace # secrets: inventory-mongodb, inventory-s3, doorboy-godoor, doorboy-slack
- ./doorboy.yaml
- ./svcacc.yaml
- ./inventory.yaml
- ./inventory-extras.yaml
- ./inventory-redirects.yaml
- ./goredirect.yaml

35
hackerspace/svcacc.yaml Normal file
View File

@@ -0,0 +1,35 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: inventory-role
namespace: hackerspace
rules:
- verbs:
- get
- list
- watch
apiGroups:
- codemowers.cloud
resources:
- oidcusers
- oidcusers/status
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: inventory-roles
namespace: hackerspace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: inventory-role
subjects:
- kind: ServiceAccount
name: inventory-svcacc
namespace: hackerspace
---
# used by inventory and doorboy
apiVersion: v1
kind: ServiceAccount
metadata:
name: inventory-svcacc

2
harbor-operator/values.yaml
View File

@@ -34,7 +34,7 @@ persistence:
jobservice:
jobLog:
existingClaim: ""
storageClass: "cephfs"
storageClass: "longhorn"
subPath: ""
accessMode: ReadWriteMany
size: 5Gi

0
kube-system/kube-state-metrics.yaml → kube-system/kube-state-metrics.yml
View File

8
kube-system/kustomization.yaml
View File

@@ -4,7 +4,7 @@ kind: Kustomization
namespace: kube-system
resources:
- ./descheduler.yaml
- ./kube-state-metrics.yaml
- ./metrics-server.yaml
# - ./nvidia-device-plugin.yml
- ./descheduler.yml
- ./kube-state-metrics.yml
- ./metrics-server.yml
- ./nvidia-device-plugin.yml

0
kube-system/metrics-server.yaml → kube-system/metrics-server.yml
View File

0
kube-system/nvidia-device-plugin.yaml → kube-system/nvidia-device-plugin.yml
View File

1
longhorn-system/.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
longhorn.yaml

41
longhorn-system/README.md Normal file
View File

@@ -0,0 +1,41 @@
# Longhorn distributed block storage system
## For users
You should really avoid using Longhorn as it has over time
[proven to be unreliable system](https://www.reddit.com/r/kubernetes/comments/1cbggo8/longhorn_is_unreliable/).
Prefer using remote databases in your application via
the Kubernetes operator pattern.
Use Longhorn for applications that need persistent storage, but are unable
to provide replication in the application layer:
* Applications that insist writing into filesystem
* Applications that serve Git repositories (eg Gitea)
* Applications that check out Git repositories (eg Woodpecker, Drone and CI systems)
* Applications that need to use SQLite
Instead of using built-in `longhorn` storage class, please add new storage class
with suitable replication, data locality parameters and reclaim policy
[here](https://git.k-space.ee/k-space/kube/src/branch/master/storage-class.yaml)
Longhorn backups are made once per day and it's configured to be uploaded to
the Minio S3 bucket hosted at nas.k-space.ee
## For administrators
Longhorn was last upgraded with following snippet:
```
wget https://raw.githubusercontent.com/longhorn/longhorn/v1.8.2/deploy/longhorn.yaml
patch -p0 < changes.diff
kubectl -n longhorn-system apply -f longhorn.yaml -f application-extras.yml -f backup.yaml
```
After initial deployment `dedicated=storage:NoSchedule` was specified
for `Kubernetes Taint Toleration` under `Setting -> General` on
[Longhorn Dashboard](https://longhorn.k-space.ee/).
Suitable nodes were tagged with `storage` and Longhorn scheduling was disabled on others.
This is to prevent scheduling Longhorn data on arbitrary Kubernetes nodes as
`storage[1-4].kube.k-space.ee` nodes are the ones which have additional 200G volume mounted at `/mnt/persistent/`

138
longhorn-system/application-extras.yml Normal file
View File

@@ -0,0 +1,138 @@
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: ui
spec:
displayName: Longhorn
uri: 'https://longhorn.k-space.ee'
allowedGroups:
- k-space:kubernetes:admins
headerMapping:
email: Remote-Email
groups: Remote-Groups
name: Remote-Name
user: Remote-Username
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: longhorn-dashboard
namespace: longhorn-system
annotations:
kubernetes.io/ingress.class: traefik
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-ui@kubernetescrd
spec:
rules:
- host: longhorn.k-space.ee
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: longhorn-frontend
port:
number: 80
tls:
- hosts:
- "*.k-space.ee"
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: manager
spec:
selector: {}
podMetricsEndpoints:
- port: manager
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: longhorn
spec:
# Copied from https://longhorn.io/docs/1.2.4/monitoring/alert-rules-example/
groups:
- name: longhorn
rules:
- alert: LonghornVolumeActualSpaceUsedWarning
annotations:
description: The accumulated snapshots for volume use up more space than the volume's capacity
summary: The actual used space of Longhorn volume is twice the size of the volume capacity.
expr: longhorn_volume_actual_size_bytes > longhorn_volume_capacity_bytes * 2
for: 5m
labels:
issue: The actual used space of Longhorn volume {{$labels.volume}} on {{$labels.node}} is high.
severity: warning
- alert: LonghornVolumeStatusCritical
annotations:
description: Longhorn volume {{$labels.volume}} on {{$labels.node}} is Fault for
more than 2 minutes.
summary: Longhorn volume {{$labels.volume}} is Fault
expr: longhorn_volume_robustness == 3
for: 5m
labels:
issue: Longhorn volume {{$labels.volume}} is Fault.
severity: critical
- alert: LonghornVolumeStatusWarning
annotations:
description: Longhorn volume {{$labels.volume}} on {{$labels.node}} is Degraded for
more than 5 minutes.
summary: Longhorn volume {{$labels.volume}} is Degraded
expr: longhorn_volume_robustness == 2
for: 5m
labels:
issue: Longhorn volume {{$labels.volume}} is Degraded.
severity: warning
- alert: LonghornNodeStorageWarning
annotations:
description: The used storage of node {{$labels.node}} is at {{$value}}% capacity for
more than 5 minutes.
summary: The used storage of node is over 70% of the capacity.
expr: (longhorn_node_storage_usage_bytes / longhorn_node_storage_capacity_bytes) * 100 > 70
for: 5m
labels:
issue: The used storage of node {{$labels.node}} is high.
severity: warning
- alert: LonghornDiskStorageWarning
annotations:
description: The used storage of disk {{$labels.disk}} on node {{$labels.node}} is at {{$value}}% capacity for
more than 5 minutes.
summary: The used storage of disk is over 70% of the capacity.
expr: (longhorn_disk_usage_bytes / longhorn_disk_capacity_bytes) * 100 > 70
for: 5m
labels:
issue: The used storage of disk {{$labels.disk}} on node {{$labels.node}} is high.
severity: warning
- alert: LonghornNodeDown
annotations:
description: There are {{$value}} Longhorn nodes which have been offline for more than 5 minutes.
summary: Longhorn nodes is offline
expr: (avg(longhorn_node_count_total) or on() vector(0)) - (count(longhorn_node_status{condition="ready"} == 1) or on() vector(0)) > 0
for: 5m
labels:
issue: There are {{$value}} Longhorn nodes are offline
severity: critical
- alert: LonghornIntanceManagerCPUUsageWarning
annotations:
description: Longhorn instance manager {{$labels.instance_manager}} on {{$labels.node}} has CPU Usage / CPU request is {{$value}}% for
more than 5 minutes.
summary: Longhorn instance manager {{$labels.instance_manager}} on {{$labels.node}} has CPU Usage / CPU request is over 300%.
expr: (longhorn_instance_manager_cpu_usage_millicpu/longhorn_instance_manager_cpu_requests_millicpu) * 100 > 300
for: 5m
labels:
issue: Longhorn instance manager {{$labels.instance_manager}} on {{$labels.node}} consumes 3 times the CPU request.
severity: warning
- alert: LonghornNodeCPUUsageWarning
annotations:
description: Longhorn node {{$labels.node}} has CPU Usage / CPU capacity is {{$value}}% for
more than 5 minutes.
summary: Longhorn node {{$labels.node}} experiences high CPU pressure for more than 5m.
expr: (longhorn_node_cpu_usage_millicpu / longhorn_node_cpu_capacity_millicpu) * 100 > 90
for: 5m
labels:
issue: Longhorn node {{$labels.node}} experiences high CPU pressure.
severity: warning

46
longhorn-system/backup.yaml Normal file
View File

@@ -0,0 +1,46 @@
---
apiVersion: codemowers.cloud/v1beta1
kind: MinioBucketClaim
metadata:
name: backup
spec:
capacity: 1Ti
class: external
---
apiVersion: longhorn.io/v1beta2
kind: Setting
metadata:
name: backup-target
namespace: longhorn-system
value: 's3://longhorn-system-a4b235c5-7919-4cb0-9949-259e60c579f1@us-east1/'
---
apiVersion: longhorn.io/v1beta2
kind: Setting
metadata:
name: backup-target-credential-secret
namespace: longhorn-system
value: 'miniobucket-backup-owner-secrets'
---
apiVersion: longhorn.io/v1beta1
kind: RecurringJob
metadata:
name: backup
namespace: longhorn-system
spec:
cron: "0 2 * * *"
task: backup
groups:
- default
retain: 1
concurrency: 4
---
apiVersion: longhorn.io/v1beta1
kind: RecurringJob
metadata:
name: trim
namespace: longhorn-system
spec:
cron: "0 * * * *"
task: trim
groups:
- default

53
longhorn-system/changes.diff Normal file
View File

@@ -0,0 +1,53 @@
--- longhorn.yaml 2024-07-07 14:16:47.953593433 +0300
+++ longhorn.modded 2024-07-07 14:18:51.103452617 +0300
@@ -86,14 +86,14 @@
storageclass.kubernetes.io/is-default-class: "true"
provisioner: driver.longhorn.io
allowVolumeExpansion: true
- reclaimPolicy: "Delete"
+ reclaimPolicy: "Retain"
volumeBindingMode: Immediate
parameters:
- numberOfReplicas: "3"
+ numberOfReplicas: "2"
staleReplicaTimeout: "30"
fromBackup: ""
- fsType: "ext4"
- dataLocality: "disabled"
+ fsType: "xfs"
+ dataLocality: "best-effort"
unmapMarkSnapChainRemoved: "ignored"
---
# Source: longhorn/templates/crds.yaml
@@ -4379,6 +4379,15 @@
app.kubernetes.io/version: v1.6.2
app: longhorn-manager
spec:
+ tolerations:
+ - key: dedicated
+ operator: Equal
+ value: nvr
+ effect: NoSchedule
+ - key: arch
+ operator: Equal
+ value: arm64
+ effect: NoSchedule
containers:
- name: longhorn-manager
image: longhornio/longhorn-manager:v1.6.2
@@ -4484,6 +4493,15 @@
app.kubernetes.io/version: v1.6.2
app: longhorn-driver-deployer
spec:
+ tolerations:
+ - key: dedicated
+ operator: Equal
+ value: nvr
+ effect: NoSchedule
+ - key: arch
+ operator: Equal
+ value: arm64
+ effect: NoSchedule
initContainers:
- name: wait-longhorn-manager
image: longhornio/longhorn-manager:v1.6.2

9
metallb-system/application-extras.yaml
View File

@@ -40,15 +40,6 @@ spec:
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: unifi
namespace: metallb-system
spec:
addresses:
- 172.21.102.0/24
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: bind-secondary-external
namespace: metallb-system

10
monitoring/node-exporter.yaml
View File

@@ -8,11 +8,11 @@ spec:
targets:
staticConfig:
static:
- pve90.proxmox.infra.k-space.ee:9100
- pve91.proxmox.infra.k-space.ee:9100
- pve92.proxmox.infra.k-space.ee:9100
- pve93.proxmox.infra.k-space.ee:9100
- pbs.infra.k-space.ee:9100
- nas.mgmt.k-space.ee:9100
- pve1.proxmox.infra.k-space.ee:9100
- pve2.proxmox.infra.k-space.ee:9100
- pve8.proxmox.infra.k-space.ee:9100
- pve9.proxmox.infra.k-space.ee:9100
relabelingConfigs:
- sourceLabels: [__param_target]
targetLabel: instance

22
monitoring/pbs.yaml
View File

@@ -1,22 +0,0 @@
---
apiVersion: monitoring.coreos.com/v1
kind: Probe
metadata:
name: pbs-proxmox
spec:
scrapeTimeout: 30s
targets:
staticConfig:
static:
- pbs.infra.k-space.ee:10019
relabelingConfigs:
- sourceLabels: [__param_target]
targetLabel: instance
- sourceLabels: [__param_target]
targetLabel: __address__
prober:
url: localhost
path: /metrics
metricRelabelings:
- sourceLabels: [__address__]
targetLabel: target

2
nyancat/application.yaml
View File

@@ -36,7 +36,7 @@ metadata:
name: nyancat
namespace: nyancat
annotations:
metallb.io/address-pool: zoo
metallb.universe.tf/address-pool: zoo
external-dns.alpha.kubernetes.io/hostname: nyancat.k-space.ee
spec:
type: LoadBalancer

236
rook-ceph/storage-classes.yaml
View File

@@ -1,236 +0,0 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: mongo
annotations:
kubernetes.io/description: |
Storage class for Mongo and similar applications that
implement high availability in application layer.
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-nvme
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: prometheus
annotations:
kubernetes.io/description: |
Storage class for Prometheus and similar applications that
implement high availability in application layer.
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-nvme
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: woodpecker
annotations:
kubernetes.io/description: |
Storage class for Drone, Woodpecker and similar application
pipeline runs where Git repos are checked out to.
This storage class uses XFS, has no block level redundancy and it's
deleted as soon as the pod exits.
reclaimPolicy: Delete
volumeBindingMode: Immediate
allowVolumeExpansion: true
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-nvme
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: gitea
annotations:
kubernetes.io/description: |
Storage class for Gitea and similar applications needing
block device level replication with 3 replicas using XFS filesystem and
best effort data locality.
provisioner: rook-ceph.rbd.csi.ceph.com
reclaimPolicy: Retain
volumeBindingMode: Immediate
allowVolumeExpansion: true
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-nvme
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: nextcloud
annotations:
kubernetes.io/description: |
Storage class for Nextcloud needing
block device level replication with 3 replicas using XFS filesystem and
best effort data locality.
provisioner: rook-ceph.rbd.csi.ceph.com
reclaimPolicy: Retain
volumeBindingMode: Immediate
allowVolumeExpansion: true
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-nvme
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: rabbitmq
annotations:
kubernetes.io/description: |
Storage class for RabbitMQ and similar applications
deployed in highly available fashion utilizing application level
replication needing persistent volume.
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-nvme
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: unifi
annotations:
kubernetes.io/description: |
Storage class for Unifi and similar applications
deployed in highly available fashion utilizing application level
replication needing persistent volume.
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-nvme
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: hdd-ceph
annotations:
kubernetes.io/description: |
Generic HDD storage on CEPH.
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-hdd
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: "null"
annotations:
kubernetes.io/description: |
Storage class for applications insisting on having a PV, but actually do
not and for data that can be discarded immediately
provisioner: rancher.io/local-path
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs
provisioner: rook-ceph.cephfs.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
fsName: ks-fs
pool: ks-fs_data
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: Immediate

125
storage-class.yaml Normal file
View File

@@ -0,0 +1,125 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: mongo
annotations:
kubernetes.io/description: |
Storage class for Mongo and similar applications that
implement high availability in application layer.
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-nvme
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: prometheus
annotations:
kubernetes.io/description: |
Storage class for Prometheus and similar applications that
implement high availability in application layer.
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-nvme
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: woodpecker
annotations:
kubernetes.io/description: |
Storage class for Drone, Woodpecker and similar application
pipeline runs where Git repos are checked out to.
This storage class uses XFS, has no block level redundancy and it's
deleted as soon as the pod exits.
provisioner: driver.longhorn.io
reclaimPolicy: Delete
volumeBindingMode: Immediate
allowVolumeExpansion: true
parameters:
dataLocality: best-effort
numberOfReplicas: "1"
fsType: "xfs"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: gitea
annotations:
kubernetes.io/description: |
Storage class for Gitea and similar applications needing
block device level replication with 3 replicas using XFS filesystem and
best effort data locality.
provisioner: driver.longhorn.io
reclaimPolicy: Retain
volumeBindingMode: Immediate
allowVolumeExpansion: true
parameters:
dataLocality: best-effort
numberOfReplicas: "3"
fsType: "xfs"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: rabbitmq
annotations:
kubernetes.io/description: |
Storage class for RabbitMQ and similar applications
deployed in highly available fashion utilizing application level
replication needing persistent volume.
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-nvme
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: "null"
annotations:
kubernetes.io/description: |
Storage class for applications insisting on having a PV, but actually do
not and for data that can be discarded immediately
provisioner: rancher.io/local-path
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer

1
tigera-operator/custom-resources.yaml
View File

@@ -199,7 +199,6 @@ spec:
- cidr: 172.21.53.1/32
- cidr: 172.21.53.2/32
- cidr: 172.21.53.3/32
- cidr: 172.21.102.1/32
- cidr: 193.40.103.36/32
- cidr: 193.40.103.37/32
- cidr: 193.40.103.38/32

9
unifi/kustomization.yaml
View File

@@ -1,9 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: &ns unifi
resources:
- ssh://git@git.k-space.ee/secretspace/kube/unifi # secrets: unifi, unifi-mongo
- unifi-mongo.yaml
- unifi.yaml

53
unifi/unifi-mongo.yaml
View File

@@ -1,53 +0,0 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: unifi-db
namespace: unifi
spec:
selector:
matchLabels:
app: unifi-db
replicas: 1
minReadySeconds: 10
template:
metadata:
labels:
app: unifi-db
spec:
terminationGracePeriodSeconds: 10
containers:
- name: mongodb
image: mongo:8
ports:
- containerPort: 27017
name: mongo
envFrom:
- secretRef:
name: unifi-mongo
volumeMounts:
- name: data
mountPath: /data/db
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes: [ "ReadWriteOnce" ]
storageClassName: unifi
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: Service
metadata:
name: unifi-db
namespace: unifi
spec:
ports:
- port: 27017
name: mongo
targetPort: 27017
selector:
app: unifi-db
type: ClusterIP

176
unifi/unifi.yaml
View File

@@ -1,176 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: unifi-app
namespace: unifi
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: unifi
---
kind: StatefulSet
apiVersion: apps/v1
metadata:
name: unifi
namespace: unifi
spec:
serviceName: "unifi"
replicas: 1
selector:
matchLabels:
name: unifi
template:
metadata:
name: unifi
labels:
name: unifi
spec:
containers:
- name: unifi
image: lscr.io/linuxserver/unifi-network-application:latest
env:
- name: PUID
value: '1000'
- name: GUID
value: '1000'
- name: TZ
value: Etc/UTC
envFrom:
- secretRef:
name: unifi
ports:
- containerPort: 3478
protocol: UDP
- containerPort: 10001
protocol: UDP
- containerPort: 8080
protocol: TCP
- containerPort: 8443
protocol: TCP
- containerPort: 1900
protocol: UDP
- containerPort: 8843
protocol: TCP
- containerPort: 8880
protocol: TCP
- containerPort: 6789
protocol: TCP
- containerPort: 5514
protocol: UDP
volumeMounts:
- name: unifi-persistent-storage
mountPath: /config
volumes:
- name: unifi-persistent-storage
persistentVolumeClaim:
claimName: unifi-app
---
kind: Service
apiVersion: v1
metadata:
name: lb-unifi
namespace: unifi
annotations:
metallb.io/allow-shared-ip: 'true'
traefik.ingress.kubernetes.io/service.serverstransport: unifi-unifi@kubernetescrd
spec:
type: LoadBalancer
externalTrafficPolicy: Local
loadBalancerIP: 172.21.102.1
selector:
name: unifi
ports:
- name: '8080'
protocol: TCP
port: 8080
targetPort: 8080
- name: '8443'
protocol: TCP
port: 8443
targetPort: 8443
- name: '1900'
protocol: TCP
port: 1900
targetPort: 1900
- name: '8843'
protocol: TCP
port: 8843
targetPort: 8843
- name: '8880'
protocol: TCP
port: 8880
targetPort: 8880
- name: '6789'
protocol: TCP
port: 6789
targetPort: 6789
---
kind: Service
apiVersion: v1
metadata:
name: lb-unifi-udp
namespace: unifi
annotations:
metallb.io/allow-shared-ip: 'true'
spec:
type: LoadBalancer
externalTrafficPolicy: Local
loadBalancerIP: 172.21.102.1
selector:
name: unifi
ports:
- name: '3478'
protocol: UDP
port: 3478
targetPort: 3478
- name: '10001'
protocol: UDP
port: 10001
targetPort: 10001
- name: '5514'
protocol: UDP
port: 5514
targetPort: 5514
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
name: unifi
namespace: unifi
spec:
insecureSkipVerify: true
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: unifi
namespace: unifi
annotations:
traefik.ingress.kubernetes.io/router.tls: "true"
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
rules:
- host: "unifi.k-space.ee"
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: lb-unifi
port:
number: 8443
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: unifi
namespace: unifi
spec:
uri: 'https://unifi.k-space.ee/'

2
wildduck/loadbalancer.yaml
View File

@@ -5,7 +5,7 @@ metadata:
name: wildduck
annotations:
external-dns.alpha.kubernetes.io/hostname: mail.k-space.ee
metallb.io/address-pool: wildduck
metallb.universe.tf/address-pool: wildduck
spec:
loadBalancerIP: 193.40.103.25
type: LoadBalancer