Kubernetes manifests of services running on k-space.ee domains
Go to file
2024-10-19 13:51:13 +03:00
argocd remove logmower 2024-09-08 23:54:32 +03:00
asterisk asterisk: update network policy 2024-09-29 19:05:42 +03:00
bind bind: Fix resource limits 2024-08-24 23:28:28 +03:00
camtiler camtiler: unify to cam.k-space.ee 2024-08-03 06:04:27 +03:00
cert-manager bind, cert-manager: More updates 2024-08-14 10:07:26 +03:00
cnpg-system Upgrade CloudNativePG to 1.23.2 2024-07-26 17:35:42 +03:00
default add netshoot container to debug network issues 2024-08-24 19:23:35 +03:00
dragonfly-operator-system dragonfly-operator-system: Add grep example 2024-08-14 09:33:45 +03:00
elastic-system migrate workers to infra vlan, use bgp for calico, use calico for lb service annoucements 2024-08-14 18:16:21 +03:00
etherpad etherpad: Cleanup 2024-08-14 06:58:28 +03:00
freescout freescout: Elaborate about mail sync 2024-08-24 15:49:05 +03:00
freeswitch freeswitch: fix network policy 2024-10-01 22:32:16 +03:00
frigate frigate: move storage to dedicated nfs share and offload transcoding to separate go2rtc deployment 2024-10-19 13:51:13 +03:00
gitea fix gitea oidc reg 2024-10-18 18:44:27 +03:00
grafana grafana: Specify OIDC scopes on Grafana side 2024-09-05 09:32:34 +03:00
hackerspace goredirect: add nopath env var 2024-09-13 21:54:49 +03:00
harbor expose harbor via traefik 2024-09-29 19:05:42 +03:00
kube-system kube-system: Remove noisy KubernetesJobSlowCompletion alert 2023-08-28 20:55:28 +03:00
kubernetes-dashboard migrate to new passmower 2024-07-27 03:17:24 +03:00
local-path-storage Initial commit 2022-08-25 11:22:50 +03:00
logging Updates and cleanups 2023-08-29 09:29:36 +03:00
longhorn-system Move yamllint config to separate file 2024-08-14 10:30:08 +03:00
metallb-system migrate workers to infra vlan, use bgp for calico, use calico for lb service annoucements 2024-08-14 18:16:21 +03:00
minio-clusters Add more revisionHistoryLimit: 1 defs 2024-08-20 12:25:15 +03:00
mongodb-operator mongodb: use mirror.gcr.io 2024-02-19 05:24:09 +02:00
monitoring monitoring: Temporarily disable monitoring of core switches 2024-10-15 10:07:28 +03:00
mysql-clusters migrate to new passmower 2024-07-27 03:17:24 +03:00
nextcloud nextcloud: Fix Dragonfly topology spread constraints 2024-08-25 00:02:51 +03:00
nyancat nyancat: Move to internal IP 2023-05-18 22:54:50 +03:00
openebs remove rawfile-csi 2024-08-13 20:27:16 +03:00
opensearch-operator Add OpenSearch operator 2024-07-27 08:42:16 +03:00
passmower update passmower config 2024-08-29 14:38:44 +03:00
playground playground: Initial commit 2022-10-14 00:14:35 +03:00
postgres-clusters Integrate dos4dev PR #29: postgres-cluster docs 2024-08-16 18:07:45 +03:00
prometheus-operator Update Prometheus operator 2024-07-25 19:17:24 +03:00
proxmox-csi add proxmox-nas storage class 2024-08-25 11:34:31 +03:00
redis-clusters use gcr mirror for images with full docker.io path 2024-04-28 05:01:02 +03:00
reloader Initial commit 2022-08-25 11:22:50 +03:00
ripe87 ripe87: add ripe87.k-space.ee website 2023-11-19 16:45:51 +02:00
rosdump fix rosdump scheduling 2024-10-18 18:45:42 +03:00
shared mongoexpress: fix usage 2024-02-22 12:43:20 +02:00
signs Add redirects sign.k-space.ee, members.k-space.ee 2024-08-03 04:27:31 +03:00
tigera-operator add and configure calico ippool 2024-09-04 23:12:35 +03:00
traefik Add more revisionHistoryLimit: 1 defs 2024-08-20 12:25:15 +03:00
whoami whoami: Set higher port 2024-08-25 00:25:49 +03:00
whoami-oidc debug 2024-02-12 09:29:00 +02:00
wiki migrate wiki to new passmower 2024-07-27 22:57:01 +03:00
wildduck wildduck: Restore MongoDB 2024-08-25 09:26:27 +03:00
woodpecker woodpecker: Use RWX 2024-08-15 22:23:45 +03:00
.gitignore Add Ansible tasks to update authorized SSH keys 2024-07-19 14:08:51 +03:00
.yamllint Move yamllint config to separate file 2024-08-14 10:30:08 +03:00
cluster-role-bindings.yml Deprecate Authelia 2023-07-28 12:23:29 +03:00
CLUSTER.md argo: drone no longer exists 2024-08-03 06:04:27 +03:00
CONTRIBUTORS.md chore: add eaas as contributor 2024-07-30 14:15:13 +03:00
LICENSE.md Initial commit 2022-08-25 11:22:50 +03:00
README.md update readme about network 2024-08-15 13:40:22 +03:00
SLACK.md docs: Slack bots 2024-07-30 10:32:57 +03:00
storage-class.yaml Update storage classes 2024-08-25 09:26:57 +03:00

k-space.ee infrastructure

Kubernetes manifests, Ansible playbooks, and documentation for K-SPACE services.

Jump to docs: inventory-app / cameras / doors / list of apps // all infra / network / retro / non-infra

Tip: Search the repo for kind: xyz for examples.

Supporting services

  • Build Git repositories with Woodpecker.
  • Passmower: Authz with kind: OIDCClient (or kind: OIDCMiddlewareClient1).
  • Traefik2: Expose services with kind: Service + kind: Ingress (TLS and DNS included).

Additional

  • bind: Manage additional DNS records with kind: DNSEndpoint.
  • Prometheus: Collect metrics with kind: PodMonitor (alerts with kind: PrometheusRule).
  • Slack bots and Kubernetes CLUSTER.md itself.

Network

All nodes are in Infra VLAN 21. Routing is implemented with BGP, all nodes and the router make a full-mesh. Both Serice LB IPs and Pod IPs are advertised to the router. Router does NAT for outbound pod traffic. See the Calico installation for Kube side and Routing / BGP in the router. Static routes for 193.40.103.36/30 have been added in pve nodes to make them communicating with Passmower via Traefik more stable - otherwise packets coming back to the PVE are routed directly via VLAN 21 internal IPs by the worker nodes, breaking TCP.

Databases / -stores:

  • KeyDB: kind: KeydbClaim (replaces Redis3)
  • Dragonfly: kind: Dragonfly (replaces Redis3)
  • Longhorn: storageClassName: longhorn (filesystem storage)
  • Mongo4: kind: MongoDBCommunity (NAS* inventory-mongodb)
  • Minio S3: kind: MinioBucketClaim with class: dedicated (NAS*: class: external)
  • MariaDB*: search for mysql, mariadb5 (replaces MySQL)
  • Postgres*: hardcoded to harbor/application.yml

* External, hosted directly on nas.k-space.ee


This page is referenced by wiki front page as the technical documentation for infra.


  1. Applications should use OpenID Connect (kind: OIDCClient) for authentication, whereever possible. If not possible, use kind: OIDCMiddlewareClient client, which will provide authentication via a Traefik middleware (traefik.ingress.kubernetes.io/router.middlewares: passmower-proxmox@kubernetescrd). Sometimes you might use both for extra security. ↩︎

  2. No nginx annotations! Use kind: Ingress instead. IngressRoute is not used as it doesn't support external-dns out of the box. ↩︎

  3. Redis has been replaced as redis-operatori couldn't handle itself: didn't reconcile after reboots, master URI was empty, and clients complained about missing masters. ArgoCD still hosts its own Redis. ↩︎

  4. Mongo problems: Incompatible with rawfile csi (wiredtiger.wt corrupts), complicated resizing (PVCs from statefulset PVC template). ↩︎

  5. As of 2024-07-30 used by auth, authelia, bitwarden, etherpad, freescout, git, grafana, nextcloud, wiki, woodpecker ↩︎