Kubernetes manifests of services running on k-space.ee domains (mirrored to https://gitlab.com/k-space/kube)
Go to file
2024-08-15 13:40:22 +03:00
argocd camtiler: disable, it broken 2024-08-03 09:03:14 +03:00
asterisk asterisk: update network policy 2023-10-09 13:45:23 +03:00
bind migrate workers to infra vlan, use bgp for calico, use calico for lb service annoucements 2024-08-14 18:16:21 +03:00
camtiler camtiler: unify to cam.k-space.ee 2024-08-03 06:04:27 +03:00
cert-manager bind, cert-manager: More updates 2024-08-14 10:07:26 +03:00
cnpg-system Upgrade CloudNativePG to 1.23.2 2024-07-26 17:35:42 +03:00
dragonfly-operator-system dragonfly-operator-system: Add grep example 2024-08-14 09:33:45 +03:00
elastic-system migrate workers to infra vlan, use bgp for calico, use calico for lb service annoucements 2024-08-14 18:16:21 +03:00
etherpad etherpad: Cleanup 2024-08-14 06:58:28 +03:00
freescout Move yamllint config to separate file 2024-08-14 10:30:08 +03:00
gitea migrate gitea to new passmower 2024-07-27 22:57:01 +03:00
grafana migrate grafana to new passmower and external db 2024-07-27 23:08:29 +03:00
hackerspace add goredirect service manifest 2024-08-15 11:11:20 +03:00
harbor fix/update harbor 2024-08-08 12:45:57 +03:00
kube-system kube-system: Remove noisy KubernetesJobSlowCompletion alert 2023-08-28 20:55:28 +03:00
kubernetes-dashboard migrate to new passmower 2024-07-27 03:17:24 +03:00
local-path-storage Initial commit 2022-08-25 11:22:50 +03:00
logging Updates and cleanups 2023-08-29 09:29:36 +03:00
logmower Remove more Mongoose 2024-08-14 11:02:45 +03:00
longhorn-system Move yamllint config to separate file 2024-08-14 10:30:08 +03:00
metallb-system migrate workers to infra vlan, use bgp for calico, use calico for lb service annoucements 2024-08-14 18:16:21 +03:00
minio-clusters use gcr mirror for images with full docker.io path 2024-04-28 05:01:02 +03:00
mongodb-operator mongodb: use mirror.gcr.io 2024-02-19 05:24:09 +02:00
monitoring migrate workers to infra vlan, use bgp for calico, use calico for lb service annoucements 2024-08-14 18:16:21 +03:00
mysql-clusters migrate to new passmower 2024-07-27 03:17:24 +03:00
nextcloud migrate to new passmower 2024-07-27 03:17:24 +03:00
nyancat nyancat: Move to internal IP 2023-05-18 22:54:50 +03:00
oidc-gateway auth migra: whoami 2024-08-03 06:04:27 +03:00
openebs remove rawfile-csi 2024-08-13 20:27:16 +03:00
opensearch-operator Add OpenSearch operator 2024-07-27 08:42:16 +03:00
passmower Move yamllint config to separate file 2024-08-14 10:30:08 +03:00
playground playground: Initial commit 2022-10-14 00:14:35 +03:00
postgres-clusters migrate to new passmower 2024-07-27 03:17:24 +03:00
prometheus-operator Update Prometheus operator 2024-07-25 19:17:24 +03:00
redis-clusters use gcr mirror for images with full docker.io path 2024-04-28 05:01:02 +03:00
reloader Initial commit 2022-08-25 11:22:50 +03:00
ripe87 ripe87: add ripe87.k-space.ee website 2023-11-19 16:45:51 +02:00
rosdump rosdump: Easier to navigate commit messages 2023-08-26 08:54:04 +03:00
shared mongoexpress: fix usage 2024-02-22 12:43:20 +02:00
signs Add redirects sign.k-space.ee, members.k-space.ee 2024-08-03 04:27:31 +03:00
tigera-operator migrate workers to infra vlan, use bgp for calico, use calico for lb service annoucements 2024-08-14 18:16:21 +03:00
traefik run traefik with 4 replicas 2024-08-15 12:43:08 +03:00
whoami auth migra: whoami 2024-08-03 06:04:27 +03:00
whoami-oidc debug 2024-02-12 09:29:00 +02:00
wiki migrate wiki to new passmower 2024-07-27 22:57:01 +03:00
wildduck wildduck: Limit CPU for Dragonfly 2024-08-15 10:58:34 +03:00
woodpecker argo config drift: woodpecker 2024-08-03 05:35:31 +03:00
.gitignore Add Ansible tasks to update authorized SSH keys 2024-07-19 14:08:51 +03:00
.yamllint Move yamllint config to separate file 2024-08-14 10:30:08 +03:00
cluster-role-bindings.yml Deprecate Authelia 2023-07-28 12:23:29 +03:00
CLUSTER.md argo: drone no longer exists 2024-08-03 06:04:27 +03:00
CONTRIBUTORS.md chore: add eaas as contributor 2024-07-30 14:15:13 +03:00
LICENSE.md Initial commit 2022-08-25 11:22:50 +03:00
README.md update readme about network 2024-08-15 13:40:22 +03:00
SLACK.md docs: Slack bots 2024-07-30 10:32:57 +03:00
storage-class.yaml Restore mongo storage class 2024-08-14 10:49:46 +03:00

k-space.ee infrastructure

Kubernetes manifests, Ansible playbooks, and documentation for K-SPACE services.

Jump to docs: inventory-app / cameras / doors / list of apps // all infra / network / retro / non-infra

Tip: Search the repo for kind: xyz for examples.

Supporting services

  • Build Git repositories with Woodpecker.
  • Passmower: Authz with kind: OIDCClient (or kind: OIDCMiddlewareClient1).
  • Traefik2: Expose services with kind: Service + kind: Ingress (TLS and DNS included).

Additional

  • bind: Manage additional DNS records with kind: DNSEndpoint.
  • Prometheus: Collect metrics with kind: PodMonitor (alerts with kind: PrometheusRule).
  • Slack bots and Kubernetes CLUSTER.md itself.

Network

All nodes are in Infra VLAN 21. Routing is implemented with BGP, all nodes and the router make a full-mesh. Both Serice LB IPs and Pod IPs are advertised to the router. Router does NAT for outbound pod traffic. See the Calico installation for Kube side and Routing / BGP in the router. Static routes for 193.40.103.36/30 have been added in pve nodes to make them communicating with Passmower via Traefik more stable - otherwise packets coming back to the PVE are routed directly via VLAN 21 internal IPs by the worker nodes, breaking TCP.

Databases / -stores:

  • KeyDB: kind: KeydbClaim (replaces Redis3)
  • Dragonfly: kind: Dragonfly (replaces Redis3)
  • Longhorn: storageClassName: longhorn (filesystem storage)
  • Mongo4: kind: MongoDBCommunity (NAS* inventory-mongodb)
  • Minio S3: kind: MinioBucketClaim with class: dedicated (NAS*: class: external)
  • MariaDB*: search for mysql, mariadb5 (replaces MySQL)
  • Postgres*: hardcoded to harbor/application.yml

* External, hosted directly on nas.k-space.ee


This page is referenced by wiki front page as the technical documentation for infra.


  1. Applications should use OpenID Connect (kind: OIDCClient) for authentication, whereever possible. If not possible, use kind: OIDCMiddlewareClient client, which will provide authentication via a Traefik middleware (traefik.ingress.kubernetes.io/router.middlewares: passmower-proxmox@kubernetescrd). Sometimes you might use both for extra security. ↩︎

  2. No nginx annotations! Use kind: Ingress instead. IngressRoute is not used as it doesn't support external-dns out of the box. ↩︎

  3. Redis has been replaced as redis-operatori couldn't handle itself: didn't reconcile after reboots, master URI was empty, and clients complained about missing masters. ArgoCD still hosts its own Redis. ↩︎

  4. Mongo problems: Incompatible with rawfile csi (wiredtiger.wt corrupts), complicated resizing (PVCs from statefulset PVC template). ↩︎

  5. As of 2024-07-30 used by auth, authelia, bitwarden, etherpad, freescout, git, grafana, nextcloud, wiki, woodpecker ↩︎