diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
deleted file mode 100644
index 2c1deec..0000000
--- a/.github/workflows/deploy.yml
+++ /dev/null
@@ -1,71 +0,0 @@ -name: Deploy platform - -on: - push: - branches: [master] - -env: - PROJECT_NAME: 'platform' - -jobs: - packer: - name: Build snapshots with Packer - runs-on: ubuntu-latest - env: - PACKER_FILE: 'terraform/hcloud-microos-snapshots.pkr.hcl' - HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }} - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Setup Packer - uses: hashicorp/setup-packer@v3 - - - name: Get changed files - id: changed-files - uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c - with: - files: ${{ env.PACKER_FILE }} - - - name: Setup Packer - uses: hashicorp/setup-packer@v3 - - - name: Build snapshot - if: ${{ steps.changed-files.outputs.any_changed == 'true' }} - run: | - packer init "$PACKER_FILE" - packer build --force "$PACKER_FILE" - - terraform: - name: Deploy infrastructure with Terraform - runs-on: ubuntu-latest - needs: [packer] - concurrency: - group: 'terraform' - env: - TF_CLOUD_ORGANIZATION: ${{ github.repository_owner }} - TF_API_TOKEN: ${{ secrets.TF_API_TOKEN }} - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Upload Terraform configuration - uses: hashicorp/tfc-workflows-github/actions/upload-configuration@v1.3.2 - id: apply-upload - with: - workspace: ${{ env.PROJECT_NAME }} - directory: 'terraform' - - - name: Create Terraform run - uses: hashicorp/tfc-workflows-github/actions/create-run@v1.3.2 - id: apply-run - with: - workspace: ${{ env.PROJECT_NAME }} - configuration_version: ${{ steps.apply-upload.outputs.configuration_version_id }} - - - name: Apply Terraform changes - uses: hashicorp/tfc-workflows-github/actions/apply-run@v1.3.2 - if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable - with: - run: ${{ steps.apply-run.outputs.run_id }} - comment: 'Applying changes from GitHub Actions, commit ${{ github.sha }}' 
diff --git a/.github/workflows/trivy-iac-scan.yml b/.github/workflows/trivy-iac-scan.yml
deleted file mode 100644
index b52b19d..0000000
--- a/.github/workflows/trivy-iac-scan.yml
+++ /dev/null
@@ -1,28 +0,0 @@ -name: Trivy IaC Scan - -on: - push: - branches: [master] - -jobs: - trivy-iac-scan: - name: Trivy IaC Scan - runs-on: ubuntu-latest - permissions: - contents: read - security-events: write - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.30.0 - with: - scan-type: 'config' - format: 'sarif' - output: 'trivy-results.sarif' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif'
diff --git a/.gitignore b/.gitignore
index 8bdfa91..41aece8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
-.terraform.lock.hcl
-.terraform
+.terraform*
+terraform.tfvars
+terraform.tfstate*
diff --git a/manifests/applications/bakseter-net/deployment.yaml b/manifests/applications/bakseter-net/deployment.yaml
deleted file mode 100644
index 0e1c847..0000000
--- a/manifests/applications/bakseter-net/deployment.yaml
+++ /dev/null
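Review bot: The new `.terraform*` pattern in the `.gitignore` hunk still excludes `.terraform.lock.hcl`, so the provider versions and checksums recorded by `terraform init` are never committed and every checkout resolves providers afresh. Committing the lock file is the usual way to pin provider hashes; narrowing the pattern to `.terraform/`, or adding `!.terraform.lock.hcl` after it, keeps the working directory ignored while letting the lock file be tracked. The `terraform.tfvars` and `terraform.tfstate*` entries are worth keeping, since both commonly hold credentials.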
@@ -1,46 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - keel.sh/match-tag: 'true' - keel.sh/policy: force - keel.sh/trigger: poll - name: web - namespace: bakseter-net -spec: - replicas: 1 - revisionHistoryLimit: 1 - selector: - matchLabels: - app: web - template: - metadata: - labels: - app: web - spec: - containers: - - name: web - image: ghcr.io/bakseter/bakseter.net:latest - ports: - - containerPort: 8080 - volumeMounts: - - name: nginx-tmp - mountPath: /tmp/nginx - securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - volumes: - - name: nginx-tmp - emptyDir: {} - securityContext: - fsGroup: 1001 - runAsNonRoot: true - runAsGroup: 1001 - runAsUser: 1001 - seccompProfile: - type: RuntimeDefault - supplementalGroups: - - 1001 diff --git a/manifests/applications/bakseter-net/networkpolicy.yaml b/manifests/applications/bakseter-net/networkpolicy.yaml deleted file mode 100644 index 77bae3f..0000000 --- a/manifests/applications/bakseter-net/networkpolicy.yaml +++ /dev/null @@ -1,15 +0,0 @@ -kind: NetworkPolicy -apiVersion: networking.k8s.io/v1 -metadata: - name: web -spec: - podSelector: - matchLabels: - app: web - policyTypes: - - Ingress - - Egress - ingress: - - ports: - - protocol: TCP - port: 8080 diff --git a/manifests/applications/bakseter-net/verticalpodautoscaler.yaml b/manifests/applications/bakseter-net/verticalpodautoscaler.yaml deleted file mode 100644 index 9e29971..0000000 --- a/manifests/applications/bakseter-net/verticalpodautoscaler.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: web - namespace: bakseter-net -spec: - targetRef: - apiVersion: 'apps/v1' - kind: Deployment - name: web - updatePolicy: - updateMode: 'Auto' diff --git a/manifests/applications/five31/backend/configmap.yaml b/manifests/applications/five31/backend/configmap.yaml deleted file mode 100644 index 4a198e6..0000000 
--- a/manifests/applications/five31/backend/configmap.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -data: - DATABASE_URL: jdbc:postgresql://database.five31.svc.cluster.local:5432/postgres -kind: ConfigMap -metadata: - creationTimestamp: null - name: backend-config diff --git a/manifests/applications/five31/backend/deployment.yaml b/manifests/applications/five31/backend/deployment.yaml deleted file mode 100644 index db4dc65..0000000 --- a/manifests/applications/five31/backend/deployment.yaml +++ /dev/null @@ -1,54 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - keel.sh/match-tag: 'true' - keel.sh/policy: force - keel.sh/trigger: poll - name: backend - namespace: five31 -spec: - replicas: 1 - revisionHistoryLimit: 1 - selector: - matchLabels: - app: backend - template: - metadata: - labels: - app: backend - spec: - containers: - - name: backend - image: ghcr.io/bakseter/five31/backend:latest - envFrom: - - configMapRef: - name: backend-config - env: - - name: DATABASE_USERNAME - valueFrom: - configMapKeyRef: - key: POSTGRES_USER - name: database-config - - name: DATABASE_PASSWORD - valueFrom: - secretKeyRef: - key: POSTGRES_PASSWORD - name: database-secret - ports: - - containerPort: 8080 - securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - securityContext: - fsGroup: 1001 - runAsNonRoot: true - runAsGroup: 1001 - runAsUser: 1001 - seccompProfile: - type: RuntimeDefault - supplementalGroups: - - 1001 diff --git a/manifests/applications/five31/backend/service.yaml b/manifests/applications/five31/backend/service.yaml deleted file mode 100644 index 09faf23..0000000 --- a/manifests/applications/five31/backend/service.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: backend - namespace: five31 -spec: - ports: - - port: 80 - protocol: TCP - targetPort: 8080 - selector: - app: backend - type: ClusterIP 
diff --git a/manifests/applications/five31/backend/verticalpodautoscaler.yaml b/manifests/applications/five31/backend/verticalpodautoscaler.yaml deleted file mode 100644 index 3f8a75b..0000000 --- a/manifests/applications/five31/backend/verticalpodautoscaler.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: backend - namespace: five31 -spec: - targetRef: - apiVersion: 'apps/v1' - kind: Deployment - name: backend - updatePolicy: - updateMode: 'Auto' diff --git a/manifests/applications/five31/database-config.yaml b/manifests/applications/five31/database-config.yaml deleted file mode 100644 index bc61547..0000000 --- a/manifests/applications/five31/database-config.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: database-config - namespace: five31 -data: - PGDATA: /var/lib/postgresql/data/pgdata - POSTGRES_DB: postgres - POSTGRES_USER: postgres diff --git a/manifests/applications/five31/database-networkpolicy.yaml b/manifests/applications/five31/database-networkpolicy.yaml deleted file mode 100644 index 1998011..0000000 --- a/manifests/applications/five31/database-networkpolicy.yaml +++ /dev/null @@ -1,20 +0,0 @@ -kind: NetworkPolicy -apiVersion: networking.k8s.io/v1 -metadata: - name: database - namespace: five31 -spec: - podSelector: - matchLabels: - app: database - policyTypes: - - Ingress - - Egress - ingress: - - from: - - podSelector: - matchLabels: - app: backend - ports: - - protocol: TCP - port: 5432 diff --git a/manifests/applications/five31/database-persistentvolumeclaim.yaml b/manifests/applications/five31/database-persistentvolumeclaim.yaml deleted file mode 100644 index 90b92d9..0000000 --- a/manifests/applications/five31/database-persistentvolumeclaim.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: database - namespace: five31 -spec: - storageClassName: hcloud-volumes - volumeName: five31-database # <-- reference PV name - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi diff --git a/manifests/applications/five31/database-secret.yaml b/manifests/applications/five31/database-secret.yaml deleted file mode 100644 index f0a05c4..0000000 --- a/manifests/applications/five31/database-secret.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - creationTimestamp: null - name: database-secret - namespace: five31 -spec: - encryptedData: - POSTGRES_PASSWORD: AgAouUM1GeT60VUIhIp+l76F8UZwqvqORpKcg7Cdk0SxoBvofU5tnBIPvIbJO9pDep6uIFK80bwex8fQSJ/3P8/4eW8NPJ6tXvDNC1e0nS3fxrEW0mU0Xxdpzwe3BF1rSh9V0r9s4MxkhgLtHOk3M8E5pKyuUR7RxKolO39ndGEZECvXeYWqR82b9Z2cbFoLA6L5me6iovnqQSBkaVQ/HgJtZVgbpuX3mQ1loZSq7zck1yLPehVTyQm4zXFdhqJ/dLxUCl1CbQMJdVPxX7KSM8aaNp79e0Fu5N2llMCLkJnT9N0Q5EYw0bESITbjBjT5A7Zv+VO7JQU6/WQiHyl8UYTLuhsN/WEZ75ecj4dqzo7DgYEd71nfIutH5YUrSBFvCW/TTyLr28iSFlQzDyk0pDeswbkmnyjd3YQJm5dkziGrPg332Cj3gpb1qfkwUdeo9TYllt0RAYlVB62V24A9jxlvzRl5wj2arWOrAafsMWJk/OWQG3EYhvg+GmBgHZx+/wOICh/zbMHIBqdcEVOt3R239RTfIe9omeHe3jIixe2CUQI5GKrRJdSb/VsZegqXMFUTeDXwgb+Q8MQbF189Iti3DaJSv61c8J5WIkxm8Daaqpkg34ipGHtWfr3EmSli8NwCYLBG7Wt5qqzElRU2ASSv3/jjb7kcloAf5vvrCSfuTPPBVoBPOWQEktgwOYGAdUx66pTCkMgKiHOARo65/Dp42doT3MXPEJf1KIc0n/hFOQ== - template: - metadata: - creationTimestamp: null - name: database-secret - namespace: five31 diff --git a/manifests/applications/five31/database-service.yaml b/manifests/applications/five31/database-service.yaml deleted file mode 100644 index 8395735..0000000 --- a/manifests/applications/five31/database-service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: database - namespace: five31 -spec: - ports: - - port: 5432 - targetPort: 5432 - selector: - app: database - type: ClusterIP 
diff --git a/manifests/applications/five31/database-statefulset.yaml b/manifests/applications/five31/database-statefulset.yaml deleted file mode 100644 index 240105e..0000000 --- a/manifests/applications/five31/database-statefulset.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: database - namespace: five31 -spec: - replicas: 1 - selector: - matchLabels: - app: database - serviceName: database - template: - metadata: - labels: - app: database - spec: - containers: - - name: database - image: postgres:17-alpine - envFrom: - - configMapRef: - name: database-config - - secretRef: - name: database-secret - volumeMounts: - - mountPath: /var/lib/postgresql/data - mountPropagation: None - name: postgres-data - volumes: - - name: postgres-data - persistentVolumeClaim: - claimName: database - securityContext: - seccompProfile: - type: RuntimeDefault diff --git a/manifests/applications/five31/database-verticalpodautoscaler.yaml b/manifests/applications/five31/database-verticalpodautoscaler.yaml deleted file mode 100644 index 49f4b39..0000000 --- a/manifests/applications/five31/database-verticalpodautoscaler.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: database - namespace: five31 -spec: - targetRef: - apiVersion: 'apps/v1' - kind: StatefulSet - name: database - updatePolicy: - updateMode: 'Auto' diff --git a/manifests/applications/five31/frontend/configmap.yaml b/manifests/applications/five31/frontend/configmap.yaml deleted file mode 100644 index 3423c1a..0000000 --- a/manifests/applications/five31/frontend/configmap.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: frontend-config - namespace: five31 -data: - NEXT_PUBLIC_ENVIRONMENT: production - NEXT_PUBLIC_BACKEND_URL: https://api.five31.bakseter.net - NEXT_PUBLIC_BACKEND_API_VERSION: v2 - NEXTAUTH_URL: https://five31.bakseter.net 
diff --git a/manifests/applications/five31/frontend/deployment.yaml b/manifests/applications/five31/frontend/deployment.yaml deleted file mode 100644 index 6a30d0e..0000000 --- a/manifests/applications/five31/frontend/deployment.yaml +++ /dev/null @@ -1,45 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - keel.sh/match-tag: 'true' - keel.sh/policy: force - keel.sh/trigger: poll - name: frontend - namespace: five31 -spec: - replicas: 1 - revisionHistoryLimit: 1 - selector: - matchLabels: - app: frontend - template: - metadata: - labels: - app: frontend - spec: - containers: - - name: frontend - image: ghcr.io/bakseter/five31/frontend:latest - envFrom: - - configMapRef: - name: frontend-config - - secretRef: - name: frontend-secret - ports: - - containerPort: 3000 - securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - securityContext: - fsGroup: 1001 - runAsNonRoot: true - runAsGroup: 1001 - runAsUser: 1001 - seccompProfile: - type: RuntimeDefault - supplementalGroups: - - 1001 diff --git a/manifests/applications/five31/frontend/secret.yaml b/manifests/applications/five31/frontend/secret.yaml deleted file mode 100644 index d59e6b2..0000000 --- a/manifests/applications/five31/frontend/secret.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - name: frontend-secret - namespace: five31 -spec: - encryptedData: - AUTH_GOOGLE_ID: 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 - AUTH_GOOGLE_SECRET: AgAWrCCAysslEP5gy3qrccC5C3DVB4tLnCGxrauQcvHPFtIkJez671XWk1v5yXPZblgsQ5s2naOkB80confjoojguSbn1m16EMdFNGgO4JpqWS6gxKFbVhTS1kjse4vh4pHtTUW1M0XvWVa88TUs0zQ5k6D/QmgEr3U/zR31//Bgl7bjtGrSPoZRxEODQOA6z5fCyf/iS9CPuRCvJZPvvMItqC8NBCvmR1oOKn0ZYsv9QDqOJURftZ4amrKB0SCd0/iWr8/XQyEXoaSOzfWJhmN/U0q55NvHiLwASmSYE+3IOGSdytHsO9gZHTUVuRenLPYPV4e4s1bCOKobXMJOI/EdqWqRSCupKWlZ4RGKOa76gZ54ZgWm0RgL7/nsX7JnGVYUoLktFGP627mC95Rl1yqbsZyHCqDaCXX/mJWuXw/L+ZTxMSM0Q2V+706UMaLqCMtlp1NZj2WT91Mog3XOoVstJLPYAp/LVq+ED8M1+ttlwhQoJQvvry490Xg9z000aq27XSb3f3JmxtKpfjzgOu49+ryFRbziDQIjcaQM0PanCmOKjDqzDemi2DtS7XnAoHJi3WdvclU2C3e7kNamx6w/TREjBAzNjQ0DYSSqPEtZS3+EoBswJDHYo3JJXGyZn6iN0umsDMPAnNfsO4bdKMFwXkIL6ZJUGRn6g7GB6e3YL6dOWyoGBzVMnxCd/eIeT4kBFC76arZWLmCgDq/UMWew6Bs/AqcREqzv4jsu5bAZmcpvPA== - AUTH_SECRET: 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 - template: - metadata: - name: frontend-secret - namespace: five31 diff --git a/manifests/applications/five31/frontend/service.yaml b/manifests/applications/five31/frontend/service.yaml deleted file mode 100644 index febd91c..0000000 --- a/manifests/applications/five31/frontend/service.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: frontend - namespace: five31 -spec: - ports: - - port: 80 - protocol: TCP - targetPort: 3000 - selector: - app: frontend - type: ClusterIP diff --git a/manifests/applications/five31/frontend/verticalpodautoscaler.yaml b/manifests/applications/five31/frontend/verticalpodautoscaler.yaml deleted file mode 100644 index cc1fdc9..0000000 --- a/manifests/applications/five31/frontend/verticalpodautoscaler.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: frontend - namespace: five31 -spec: - targetRef: - apiVersion: 'apps/v1' - kind: Deployment - name: frontend - updatePolicy: - updateMode: 'Auto'
diff --git a/manifests/applications/five31/ingress.yaml b/manifests/applications/five31/ingress.yaml
deleted file mode 100644
index e1b143b..0000000
--- a/manifests/applications/five31/ingress.yaml
+++ /dev/null
@@ -1,35 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - cert-manager.io/cluster-issuer: letsencrypt - name: five31 - namespace: five31 -spec: - ingressClassName: traefik - rules: - - host: five31.bakseter.net - http: - paths: - - backend: - service: - name: frontend - port: - number: 80 - path: / - pathType: Prefix - - host: api.five31.bakseter.net - http: - paths: - - backend: - service: - name: backend - port: - number: 80 - path: / - pathType: Prefix - tls: - - hosts: - - five31.bakseter.net - - api.five31.bakseter.net - secretName: ingress-tls
diff --git a/manifests/applications/my-app/deployment.yaml b/manifests/applications/my-app/deployment.yaml
new file mode 100644
index 0000000..e972dc6
--- /dev/null
+++ b/manifests/applications/my-app/deployment.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: my-app
+ namespace: my-app
+ labels:
+ app: my-app
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: my-app
+ template:
+ metadata:
+ labels:
+ app: my-app
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/manifests/applications/bakseter-net/ingress.yaml b/manifests/applications/my-app/ingress.yaml
similarity index 69%
rename from manifests/applications/bakseter-net/ingress.yaml
rename to manifests/applications/my-app/ingress.yaml
index 7e13abf..56e288e 100644
--- a/manifests/applications/bakseter-net/ingress.yaml
+++ b/manifests/applications/my-app/ingress.yaml
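Review bot: The `nginx` container in the new `my-app/deployment.yaml` has no `securityContext` at pod or container level, whereas the application Deployments this commit deletes all set `runAsNonRoot: true`, `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `seccompProfile.type: RuntimeDefault`. The stock `nginx` image starts as root and binds port 80, so restoring that baseline most likely means an image that runs as a non-root user on a high port, a writable `emptyDir` for its temp files, and a matching `targetPort` in `my-app/service.yaml`. `image: nginx:latest` is also a mutable tag, so pin a version tag or digest to keep rollouts reproducible. No NetworkPolicy for the `my-app` namespace is visible in this diff, although the deleted applications shipped one.

```yaml
# … unchanged: metadata, replicas, selector, template labels …
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: nginx
          # needs an image that runs as a non-root user; pin a tag or digest
          image: nginxinc/nginx-unprivileged:<PINNED_TAG>
          ports:
            - containerPort: 8080
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
```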
@@ -1,24 +1,24 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: + name: my-app + namespace: my-app annotations: cert-manager.io/cluster-issuer: letsencrypt - name: web - namespace: bakseter-net spec: ingressClassName: traefik rules: - - host: bakseter.net + - host: my-app.computas.cloud http: paths: - backend: service: - name: web + name: my-app port: number: 80 path: / pathType: Prefix tls: - hosts: - - bakseter.net - secretName: ingress-tls + - my-app.computas.cloud + secretName: my-app-tls diff --git a/manifests/applications/bakseter-net/service.yaml b/manifests/applications/my-app/service.yaml similarity index 50% rename from manifests/applications/bakseter-net/service.yaml rename to manifests/applications/my-app/service.yaml index 0b83ac8..f14816b 100644 --- a/manifests/applications/bakseter-net/service.yaml +++ b/manifests/applications/my-app/service.yaml @@ -1,12 +1,14 @@ apiVersion: v1 kind: Service metadata: - name: web - namespace: bakseter-net + name: my-app + namespace: my-app + labels: + app: my-app spec: ports: - port: 80 - targetPort: 8080 + targetPort: 80 selector: - app: web + app: my-app type: ClusterIP diff --git a/manifests/applications/spenn/app-config.yaml b/manifests/applications/spenn/app-config.yaml deleted file mode 100644 index eb33c37..0000000 --- a/manifests/applications/spenn/app-config.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: app-config - namespace: spenn -data: - DATABASE_HOST: database.spenn.svc.cluster.local - HOST: https://spenn.bakseter.net - OAUTH2_USERINFO_ENDPOINT: https://auth.bakseter.net/oauth2/userinfo - GIN_MODE: release diff --git a/manifests/applications/spenn/app-deployment.yaml b/manifests/applications/spenn/app-deployment.yaml deleted file mode 100644 index f76855d..0000000 --- a/manifests/applications/spenn/app-deployment.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - keel.sh/match-tag: 'true' - keel.sh/policy: force - keel.sh/trigger: poll - name: app - namespace: spenn -spec: - replicas: 1 - revisionHistoryLimit: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - containers: - - name: app - image: ghcr.io/bakseter/spenn:latest - envFrom: - - configMapRef: - name: app-config - env: - - name: DATABASE_USERNAME - valueFrom: - configMapKeyRef: - key: POSTGRES_USER - name: database-config - - name: DATABASE_NAME - valueFrom: - configMapKeyRef: - key: POSTGRES_DB - name: database-config - - name: DATABASE_PASSWORD - valueFrom: - secretKeyRef: - key: POSTGRES_PASSWORD - name: database-secret - ports: - - containerPort: 8080 - securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - securityContext: - fsGroup: 1001 - runAsNonRoot: true - runAsGroup: 1001 - runAsUser: 1001 - seccompProfile: - type: RuntimeDefault - supplementalGroups: - - 1001 diff --git a/manifests/applications/spenn/app-service.yaml b/manifests/applications/spenn/app-service.yaml deleted file mode 100644 index b7b5404..0000000 --- a/manifests/applications/spenn/app-service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: app - namespace: spenn -spec: - ports: - - port: 80 - targetPort: 8080 - selector: - app: app - type: ClusterIP diff --git a/manifests/applications/spenn/app-verticalpodautoscaler.yaml b/manifests/applications/spenn/app-verticalpodautoscaler.yaml deleted file mode 100644 index 16d5671..0000000 --- a/manifests/applications/spenn/app-verticalpodautoscaler.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: app - namespace: spenn -spec: - targetRef: - apiVersion: 'apps/v1' - kind: Deployment - name: app - updatePolicy: - updateMode: 'Auto' 
diff --git a/manifests/applications/spenn/database-config.yaml b/manifests/applications/spenn/database-config.yaml deleted file mode 100644 index 20c53d0..0000000 --- a/manifests/applications/spenn/database-config.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: database-config - namespace: spenn -data: - PGDATA: /var/lib/postgresql/data/pgdata - POSTGRES_DB: postgres - POSTGRES_USER: postgres diff --git a/manifests/applications/spenn/database-networkpolicy.yaml b/manifests/applications/spenn/database-networkpolicy.yaml deleted file mode 100644 index ec21d14..0000000 --- a/manifests/applications/spenn/database-networkpolicy.yaml +++ /dev/null @@ -1,20 +0,0 @@ -kind: NetworkPolicy -apiVersion: networking.k8s.io/v1 -metadata: - name: database - namespace: spenn -spec: - podSelector: - matchLabels: - app: database - policyTypes: - - Ingress - - Egress - ingress: - - from: - - podSelector: - matchLabels: - app: app - ports: - - protocol: TCP - port: 5432 diff --git a/manifests/applications/spenn/database-persistentvolumeclaim.yaml b/manifests/applications/spenn/database-persistentvolumeclaim.yaml deleted file mode 100644 index 16e14ee..0000000 --- a/manifests/applications/spenn/database-persistentvolumeclaim.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: database - namespace: spenn -spec: - storageClassName: hcloud-volumes - volumeName: spenn-database # <-- reference PV name - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi diff --git a/manifests/applications/spenn/database-secret.yaml b/manifests/applications/spenn/database-secret.yaml deleted file mode 100644 index ca2a89f..0000000 --- a/manifests/applications/spenn/database-secret.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - name: database-secret - namespace: spenn -spec: - encryptedData: - POSTGRES_PASSWORD: AgBKSvDztdWOO7D3sAN0Za1ob0VoJCgcbmF2LhrK+q++TDKm87Qlw7LetYZrZ2FfqeXlLIZa3D62HXm8bInpWHY5J2ZxJE0V6gXt3fLiPOQGhj7v5NkZ0g+0kVZrv57KIuTil++vHLASYB0Agk+i8EYcsntIKvft1XkO3XhBgcl4mkx7QPw9tGweHCPc7n0qxjbJH2DyACAtEyCBglIq/63SjXINfBukEEu5M2qCq1ywesen9L9m8So+/w/psMs2u6D87TW5T76JiO/EGBZLaRq5n5LeeHnHV68kSu0yjnOHbiE2Yjr/iGR4XvxLjyhn3j82F+ShWv0lF0MqcEzcn64vXcYfLIypPA8EeEHDA4XLHUvb+7zedwFDqcfSeeh1QajaUJ6LmEAVuZrH6wjtZ/eMaiM3pIgQOX4DyPgmFNOtUI9QWDRjc22prsu4lZTHWicShux+c2/0oEtBNfXIYG/9lNWiGuHMl+Rigd6uSdxAOrGb8LytLv+orrxFk/RbZ99kap7lOIMwVlWgcZfKj4yvkAzZdEFBr+0yAqo7p1KsDTvXH6j+8tyJCuOzYvS2wa8+x5QqsylyJcT8pFnYMrXQCcJ4EKn9BYKCawpKpIL8Minp++Rz6xZmfUG+lExLK9FcX/IAe6huJe1vQR0v5CInv7KFfUrUS3l69we0s80/fPaf0xIDzSkCzJg1LSBXNHpwDfcl26zTrGUnGwlztF/eu8pO/M9ifLoj1TqCMB2mhA== - template: - metadata: - name: database-secret - namespace: spenn diff --git a/manifests/applications/spenn/database-service.yaml b/manifests/applications/spenn/database-service.yaml deleted file mode 100644 index 4b86a95..0000000 --- a/manifests/applications/spenn/database-service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: database - namespace: spenn -spec: - ports: - - port: 5432 - targetPort: 5432 - selector: - app: database - type: ClusterIP diff --git a/manifests/applications/spenn/database-statefulset.yaml b/manifests/applications/spenn/database-statefulset.yaml deleted file mode 100644 index f680b6e..0000000 --- a/manifests/applications/spenn/database-statefulset.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: database - namespace: spenn -spec: - replicas: 1 - selector: - matchLabels: - app: database - serviceName: database - template: - metadata: - labels: - app: database - spec: - containers: - - name: database - image: postgres:17-alpine - envFrom: - - configMapRef: - name: database-config - - secretRef: - name: database-secret - volumeMounts: - - mountPath: /var/lib/postgresql/data - mountPropagation: None - name: postgres-data - volumes: - - name: postgres-data - persistentVolumeClaim: - claimName: database - securityContext: - seccompProfile: - type: RuntimeDefault diff --git a/manifests/applications/spenn/database-verticalpodautoscaler.yaml b/manifests/applications/spenn/database-verticalpodautoscaler.yaml deleted file mode 100644 index 7b90b0f..0000000 --- a/manifests/applications/spenn/database-verticalpodautoscaler.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: database - namespace: spenn -spec: - targetRef: - apiVersion: 'apps/v1' - kind: StatefulSet - name: database - updatePolicy: - updateMode: 'Auto' diff --git a/manifests/applications/spenn/grafanadashboard.yaml b/manifests/applications/spenn/grafanadashboard.yaml deleted file mode 100644 index 1217e88..0000000 --- a/manifests/applications/spenn/grafanadashboard.yaml +++ /dev/null 
@@ -1,94 +0,0 @@ -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDashboard -metadata: - name: spenn -spec: - instanceSelector: - matchLabels: - dashboards: 'grafana' - resyncPeriod: 30s - allowCrossNamespaceImport: true - json: > - { - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { - "type": "grafana", - "uid": "-- Grafana --" - }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": true, - "fiscalYearStartMonth": 0, - "graphTooltip": 0, - "id": 1, - "links": [], - "panels": [ - { - "datasource": { - "type": "loki", - "uid": "59db3fa3-c853-4066-8a16-fdac73c460c3" - }, - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 12, - "x": 0, - "y": 0 - }, - "id": 1, - "options": { - "dedupStrategy": "none", - "enableLogDetails": true, - "prettifyLogMessage": false, - "showCommonLabels": false, - "showLabels": false, - "showTime": false, - "sortOrder": "Descending", - "wrapLogMessage": false - }, - "pluginVersion": "11.3.0", - "targets": [ - { - "datasource": { - "type": "loki", - "uid": "59db3fa3-c853-4066-8a16-fdac73c460c3" - }, - "editorMode": "builder", - "expr": "{container=\"app\"} |= ``", - "queryType": "range", - "refId": "A" - } - ], - "title": "Logs", - "type": "logs" - } - ], - "preload": false, - "schemaVersion": 40, - "tags": [], - "templating": { - "list": [] - }, - "time": { - "from": "now-6h", - "to": "now" - }, - "timepicker": {}, - "timezone": "browser", - "title": "Spenn", - "uid": "cej8956cfagaoc", - "version": 1, - "weekStart": "" - } diff --git a/manifests/applications/spenn/ingress.yaml b/manifests/applications/spenn/ingress.yaml deleted file mode 100644 index 2f47c90..0000000 --- a/manifests/applications/spenn/ingress.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - cert-manager.io/cluster-issuer: letsencrypt - traefik.ingress.kubernetes.io/router.middlewares: 'oauth2-proxy-forwardauth@kubernetescrd,oauth2-proxy-errors@kubernetescrd' - name: spenn - namespace: spenn -spec: - ingressClassName: traefik - rules: - - host: spenn.bakseter.net - http: - paths: - - backend: - service: - name: app - port: - number: 80 - path: / - pathType: Prefix - tls: - - hosts: - - spenn.bakseter.net - secretName: ingress-tls
diff --git a/manifests/cluster-addons/argocd/templates/certificate.yaml b/manifests/cluster-addons/argocd/templates/certificate.yaml
index 0cd8f26..b0fd033 100644
--- a/manifests/cluster-addons/argocd/templates/certificate.yaml
+++ b/manifests/cluster-addons/argocd/templates/certificate.yaml
@@ -6,7 +6,7 @@ metadata: spec: secretName: ingress-tls dnsNames: - - argocd.bakseter.net + - argocd.computas.cloud issuerRef: name: letsencrypt kind: ClusterIssuer
diff --git a/manifests/cluster-addons/argocd/templates/ingressroute.yaml b/manifests/cluster-addons/argocd/templates/ingressroute.yaml
index b18468a..2b3560f 100644
--- a/manifests/cluster-addons/argocd/templates/ingressroute.yaml
+++ b/manifests/cluster-addons/argocd/templates/ingressroute.yaml
@@ -8,16 +8,13 @@ spec: - websecure routes: - kind: Rule - match: Host(`argocd.bakseter.net`) + match: Host(`argocd.computas.cloud`) priority: 10 services: - name: argocd-server port: 80 - middlewares: - - name: forwardauth - namespace: oauth2-proxy - kind: Rule - match: Host(`argocd.bakseter.net`) && Header(`Content-Type`, `application/grpc`) + match: Host(`argocd.computas.cloud`) && Header(`Content-Type`, `application/grpc`) priority: 11 services: - name: argocd-server
diff --git a/manifests/cluster-addons/argocd/values.yaml b/manifests/cluster-addons/argocd/values.yaml
index 73fcd84..bcbf37b 100644
--- a/manifests/cluster-addons/argocd/values.yaml
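Review bot: The first route for `argocd.computas.cloud` in `ingressroute.yaml` no longer carries the `forwardauth` middleware from the `oauth2-proxy` namespace, so requests reach `argocd-server` without the proxy's authentication in front of them. The Argo CD login page and API therefore appear to be reachable by anyone who can resolve the host, protected only by whatever accounts Argo CD itself accepts. If the proxy is being retired on purpose, put another control on the route (an IP allow-list middleware, for instance) or configure SSO in Argo CD before the host is published. The IngressRoute spec begins above the hunk, so other routes or entry points may exist that are not visible here.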
+++ b/manifests/cluster-addons/argocd/values.yaml
@@ -1,45 +1,17 @@ argo-cd: global: - domain: argocd.bakseter.net - revisionHistoryLimit: 1 + domain: argocd.computas.cloud + networkPolicy: create: true configs: repositories: argocd: - url: https://github.com/bakseter/whpah - - cm: - admin.enabled: false - dex.config: | - connectors: - - type: authproxy - id: oauth2-proxy - name: Proxy - config: - userHeader: X-Auth-Request-Email - groupHeader: X-Auth-Request-Groups - - rbac: - scopes: '[groups, email]' - policy.default: '' - policy.csv: | - p, role:org-admin, *, get, *, allow - p, role:org-admin, applications, sync, *, allow - p, role:org-admin, applicationsets, sync, *, allow - g, andreas_tkd@hotmail.com, role:org-admin + url: https://github.com/baksetercx/whpah.git dex: - enabled: true + enabled: false params: server.insecure: true - - notifications: - enabled: false - - controller: - env: - - name: ARGOCD_APPLICATION_TREE_SHARD_SIZE - value: '50'
diff --git a/manifests/cluster-addons/cert-manager/templates/clusterissuer.yaml b/manifests/cluster-addons/cert-manager/templates/clusterissuer.yaml
index 0913f1b..ec943f5 100644
--- a/manifests/cluster-addons/cert-manager/templates/clusterissuer.yaml
+++ b/manifests/cluster-addons/cert-manager/templates/clusterissuer.yaml
@@ -4,7 +4,7 @@ metadata: name: letsencrypt spec: acme: - email: andreas_tkd@hotmail.com + email: andreas.salhus.bakseter@computas.com privateKeySecretRef: name: letsencrypt server: https://acme-v02.api.letsencrypt.org/directory
diff --git a/manifests/cluster-addons/keel/Chart.yaml b/manifests/cluster-addons/keel/Chart.yaml
deleted file mode 100644
index 6529911..0000000
--- a/manifests/cluster-addons/keel/Chart.yaml
+++ /dev/null
@@ -1,7 +0,0 @@ -apiVersion: v2 -name: keel-umbrella -version: 0.1.0 -dependencies: - - name: keel - version: 1.0.5 - repository: https://charts.keel.sh
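Review bot: Dropping the `cm` block in `argocd/values.yaml` removes `admin.enabled: false`, and the chart default leaves the built-in `admin` account enabled; with `dex.enabled: false` and the `rbac` block gone, that password-only account with full rights becomes the sole way to sign in. Keep `admin.enabled: false` under `configs.cm` once a named local account or an OIDC connector exists, and until then rotate the generated admin password and remove the initial-password secret. An explicit `policy.default: ''` under `configs.rbac` is also worth retaining so that a later chart default cannot silently grant a role to every authenticated user. `server.insecure: true` stays in place, so traffic between Traefik and `argocd-server` is plaintext inside the cluster.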
diff --git a/manifests/cluster-addons/keel/values.yaml b/manifests/cluster-addons/keel/values.yaml deleted file mode 100644 index 9488a2e..0000000 --- a/manifests/cluster-addons/keel/values.yaml +++ /dev/null @@ -1,14 +0,0 @@ -keel: - helmProvider: - enabled: false - - secret: - enabled: false - - nodeSelector: - kubernetes.io/arch: amd64 - - tolerations: - - key: 'node-role.kubernetes.io/control-plane' - operator: 'Exists' - effect: 'NoSchedule' diff --git a/manifests/cluster-addons/monitoring/Chart.yaml b/manifests/cluster-addons/monitoring/Chart.yaml deleted file mode 100644 index 1c78dbd..0000000 --- a/manifests/cluster-addons/monitoring/Chart.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v2 -name: monitoring-umbrella -version: 0.1.0 -dependencies: - - name: k8s-monitoring - version: 2.0.27 - repository: https://grafana.github.io/helm-charts - - name: loki - version: 6.29.0 - repository: https://grafana.github.io/helm-charts - - name: grafana-operator - version: 5.17.1 - repository: https://grafana.github.io/helm-charts diff --git a/manifests/cluster-addons/monitoring/templates/grafana-admin-secret.yaml b/manifests/cluster-addons/monitoring/templates/grafana-admin-secret.yaml deleted file mode 100644 index 0f70015..0000000 --- a/manifests/cluster-addons/monitoring/templates/grafana-admin-secret.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - name: grafana-admin-secret - namespace: monitoring -spec: - encryptedData: - admin-password: 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 - admin-user: 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 - template: - metadata: - name: grafana-admin-secret - namespace: monitoring diff --git a/manifests/cluster-addons/monitoring/templates/grafana.yaml b/manifests/cluster-addons/monitoring/templates/grafana.yaml deleted file mode 100644 index ca0aa69..0000000 --- a/manifests/cluster-addons/monitoring/templates/grafana.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -apiVersion: grafana.integreatly.org/v1beta1 -kind: Grafana -metadata: - name: grafana - labels: - dashboards: 'grafana' -spec: - ingress: - metadata: - annotations: - cert-manager.io/cluster-issuer: letsencrypt - traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forwardauth@kubernetescrd,oauth2-proxy-errors@kubernetescrd - spec: - ingressClassName: traefik - rules: - - host: grafana.bakseter.net - http: - paths: - - backend: - service: - name: grafana-service - port: - number: 3000 - path: / - pathType: Prefix - tls: - - hosts: - - grafana.bakseter.net - secretName: grafana-tls - deployment: - spec: - template: - spec: - containers: - - name: grafana - env: - - name: GF_SECURITY_ADMIN_USER - valueFrom: - secretKeyRef: - key: admin-user - name: grafana-admin-secret - - name: GF_SECURITY_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - key: admin-password - name: grafana-admin-secret - config: - log: - mode: 'console' - auth: - disable_login_form: 'false' diff --git a/manifests/cluster-addons/monitoring/templates/loki.yaml b/manifests/cluster-addons/monitoring/templates/loki.yaml deleted file mode 100644 index d1cedb1..0000000 --- a/manifests/cluster-addons/monitoring/templates/loki.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: grafana.integreatly.org/v1beta1 -kind: GrafanaDatasource -metadata: - name: loki -spec: - instanceSelector: - matchLabels: - dashboards: 'grafana' - allowCrossNamespaceImport: true - datasource: - name: loki - type: loki - access: proxy - basicAuth: false - url: http://monitoring-loki-gateway.monitoring.svc.cluster.local:80 - isDefault: false diff --git a/manifests/cluster-addons/monitoring/values.yaml b/manifests/cluster-addons/monitoring/values.yaml deleted file mode 100644 index 38105f1..0000000 --- a/manifests/cluster-addons/monitoring/values.yaml +++ /dev/null 
@@ -1,197 +0,0 @@ -k8s-monitoring: - cluster: - name: whpah - - destinations: - - name: loki - type: loki - url: http://monitoring-loki-gateway.monitoring.svc.cluster.local/loki/api/v1/push - - clusterEvents: - enabled: true - collector: alloy-logs - - nodeLogs: - enabled: false - - podLogs: - enabled: true - gatherMethod: kubernetesApi - collector: alloy-logs - namespaces: - - spenn - - five31 - - bakseter-net - labelsToKeep: - [ - 'app_kubernetes_io_name', - 'container', - 'instance', - 'job', - 'level', - 'namespace', - 'service_name', - 'service_namespace', - 'deployment_environment', - 'deployment_environment_name', - ] - structuredMetadata: - pod: pod # Set structured metadata "pod" from label "pod" - - # Collectors - alloy-singleton: - enabled: false - - alloy-metrics: - enabled: false - - alloy-logs: - enabled: true - # Required when using the Kubernetes API to pod logs - alloy: - mounts: - varlog: false - dockercontainers: false - clustering: - enabled: true - - alloy-profiles: - enabled: false - - alloy-receiver: - enabled: false - -loki: - loki: - auth_enabled: false - commonConfig: - replication_factor: 1 - schemaConfig: - configs: - - from: 2024-04-01 - store: tsdb - object_store: s3 - schema: v13 - index: - prefix: loki_index_ - period: 24h - ingester: - chunk_encoding: snappy - limits_config: - allow_structured_metadata: true - volume_enabled: true - ruler: - enable_api: true - querier: - # Default is 4, if you have enough memory and CPU you can increase, reduce if OOMing - max_concurrent: 2 - - minio: - enabled: true - - lokiCanary: - enabled: true - push: false - - resultsCache: - enabled: false - - deploymentMode: SingleBinary - singleBinary: - replicas: 1 - persistence: - enableStatefulSetAutoDeletePVC: true - enabled: true - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 50m - memory: 128Mi - extraEnv: - # Keep a little bit lower than memory limits - - name: GOMEMLIMIT - value: 400MiB - - chunksCache: - enabled: false - # 
default is 500MB, with limited memory keep this smaller - writebackSizeLimit: 10MB - - # Zero out replica counts of other deployment modes - backend: - replicas: 0 - read: - replicas: 0 - write: - replicas: 0 - - ingester: - replicas: 0 - querier: - replicas: 0 - queryFrontend: - replicas: 0 - queryScheduler: - replicas: 0 - distributor: - replicas: 0 - compactor: - replicas: 0 - indexGateway: - replicas: 0 - bloomCompactor: - replicas: 0 - bloomGateway: - replicas: 0 - -grafana: - # grafana.ini: - # auth.proxy: - # enabled: true - # header_name: X-Auth-Request-Email - # header_property: email - # auto_sign_up: true - # headers: Groups:X-Auth-Request-Groups - # enable_login_token: false - - persistence: - enabled: false - type: pvc - - admin: - existingSecret: grafana-admin-secret - userKey: admin-user - passwordKey: admin-password - - service: - enabled: true - type: ClusterIP - - ingress: - enabled: true - ingressClassName: traefik - annotations: - cert-manager.io/cluster-issuer: letsencrypt - traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forwardauth@kubernetescrd,oauth2-proxy-errors@kubernetescrd - hosts: - - grafana.bakseter.net - tls: - - secretName: grafana-tls - hosts: - - grafana.bakseter.net - - datasources: - datasources.yaml: - apiVersion: 1 - datasources: - - name: Loki - type: loki - access: proxy - orgId: 1 - url: http://monitoring-loki-gateway.monitoring.svc.cluster.local:80 - basicAuth: false - isDefault: false - version: 1 - editable: false diff --git a/manifests/cluster-addons/oauth2-proxy/Chart.yaml b/manifests/cluster-addons/oauth2-proxy/Chart.yaml deleted file mode 100644 index 33e910e..0000000 --- a/manifests/cluster-addons/oauth2-proxy/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -name: ouath2-proxy-umbrella -version: 0.1.0 -dependencies: - - name: oauth2-proxy - version: 7.12.13 - repository: https://oauth2-proxy.github.io/manifests 
diff --git a/manifests/cluster-addons/oauth2-proxy/templates/google-credentials.yaml b/manifests/cluster-addons/oauth2-proxy/templates/google-credentials.yaml deleted file mode 100644 index d900478..0000000 --- a/manifests/cluster-addons/oauth2-proxy/templates/google-credentials.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - name: google-credentials - namespace: oauth2-proxy -spec: - encryptedData: - client-id: 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 - client-secret: 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 - cookie-secret: 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 - template: - metadata: - name: google-credentials - namespace: oauth2-proxy - type: Opaque diff --git a/manifests/cluster-addons/oauth2-proxy/templates/middleware.yaml b/manifests/cluster-addons/oauth2-proxy/templates/middleware.yaml deleted file mode 100644 index 37c6a45..0000000 --- a/manifests/cluster-addons/oauth2-proxy/templates/middleware.yaml +++ /dev/null @@ -1,45 +0,0 @@ -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: headers - namespace: oauth2-proxy -spec: - headers: - sslRedirect: true - stsSeconds: 315360000 - browserXssFilter: true - contentTypeNosniff: true - forceSTSHeader: true - stsIncludeSubdomains: true - stsPreload: true - frameDeny: true ---- -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: forwardauth - namespace: oauth2-proxy -spec: - forwardAuth: - address: http://oauth2-proxy.oauth2-proxy.svc.cluster.local/oauth2 - trustForwardHeader: true - authResponseHeaders: - - X-Auth-Request-User - - X-Auth-Request-Email - - X-Auth-Request-Groups - - X-Auth-Request-Preferred-Username ---- -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: errors - namespace: oauth2-proxy -spec: - errors: - status: - - '401' - - '403' - service: - name: oauth2-proxy - port: 80 - query: '/oauth2/sign_in' 
diff --git a/manifests/cluster-addons/oauth2-proxy/values.yaml b/manifests/cluster-addons/oauth2-proxy/values.yaml deleted file mode 100644 index 370998f..0000000 --- a/manifests/cluster-addons/oauth2-proxy/values.yaml +++ /dev/null @@ -1,34 +0,0 @@ -oauth2-proxy: - config: - existingSecret: google-credentials - - extraArgs: - provider: google - oidc-issuer-url: https://accounts.google.com - http-address: 0.0.0.0:4180 - code-challenge-method: S256 - redirect-url: https://auth.bakseter.net/oauth2/callback - cookie-csrf-per-request: true - cookie-domain: .bakseter.net - whitelist-domain: .bakseter.net - silence-ping-logging: true - skip-provider-button: true - reverse-proxy: true - real-client-ip-header: X-Forwarded-For - upstream: static://200 - email-domain: '*' - set-xauthrequest: true - - revisionHistoryLimit: 1 - - ingress: - enabled: true - className: traefik - annotations: - cert-manager.io/cluster-issuer: letsencrypt - hosts: - - auth.bakseter.net - tls: - - hosts: - - auth.bakseter.net - secretName: ingress-tls diff --git a/manifests/cluster-addons/sealed-secrets/Chart.yaml b/manifests/cluster-addons/sealed-secrets/Chart.yaml deleted file mode 100644 index ff26429..0000000 --- a/manifests/cluster-addons/sealed-secrets/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -name: sealed-secrets-umbrella -version: 0.1.0 -dependencies: - - name: sealed-secrets - version: 2.17.2 - repository: https://bitnami-labs.github.io/sealed-secrets diff --git a/manifests/cluster-addons/sealed-secrets/values.yaml b/manifests/cluster-addons/sealed-secrets/values.yaml deleted file mode 100644 index 8680c46..0000000 --- a/manifests/cluster-addons/sealed-secrets/values.yaml +++ /dev/null @@ -1,2 +0,0 @@ -sealed-secrets: - revisionHistoryLimit: 1 diff --git a/manifests/cluster-addons/vertical-pod-autoscaler/vpa-tls-certs.yaml b/manifests/cluster-addons/vertical-pod-autoscaler/vpa-tls-certs.yaml deleted file mode 100644 index 65c1647..0000000 
--- a/manifests/cluster-addons/vertical-pod-autoscaler/vpa-tls-certs.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - name: vpa-tls-certs - namespace: kube-system -spec: - encryptedData: - caCert.pem: AgAfbg9y376GGjZ88xT4THxnCGIje1L97ZZTGSbdu5vKzOXqpR9KUpvnlXSy1Ps485iWDGuNXOeEIZP1yGhMH/hI+t93IugGSVfcoGo2WUQTm1XjkqUnEXuwFAz2U4tSRdv4mGkxESy5d6D30DWSVSG+fLFi3pZKZU3nX9qZ087PXlWm/c+YD+/2wYX6sYtBIrwlXzkxaySaGtEZL4qW7aK5BIWIu+AO0iZBkgZWt7wf1Em5k0GtHxBPfQhfNIfO1wjM1CcWDXmMzL356AT71FJ6e5FGZ/m1CPUikc2j3jdTw0DAsykI3vgtUN6B1F1nqX+7Ad/g4iBs4z2FJru9ES/HUYTsVzclLk+IKRX+O/H0yEft1UJ+ShG85+YbpssZ51tkObLTqltfBNZ0KtFioqWY8J1+QvOdI+EEqYh+PtqHGteUqD6aRV9BUQ87QugSTbLl7sHd0Y2IZ5j/ojGGiVDjzUkBtRJyaECm8XXCi+aSr7yK2tDxN9/0b20ZIUm6idzj8sGsECR3g67PvdosLn8tx6p95mKeScfe57wJsSo7rLbCUG6NhtqG7GjoKJGcEP7vDT9jRC8sIx0SD0cp4RjJWD4i1sNRe+IPA2KdTWBBFhmVVGbYo0n/RF0qkHM8/Seu2VJeTWQp61lbkHm8nfdzZobzY0lr+NmcLb9QBKrnbadxJyifRbV9wnrtvBtrHruuGkfMJxRALsYdgxzuc7i+Hm4ZrHyHyWhShzyqhc8GcZZbx60oj7Ir8fSu5hrt1gWAIfNwPR4/gTZsmtyf0JvgUusOn2WfQzmIxupd1+BnGuyUAlihtWZmIFNs2tGQlqsNUAjdjW8lE66yAMSlpggknU1sn2CPb8h2p6yo97jim6q7zYPhq1Cf1ulpBr9f2ezmI/2jpCvqKNJMfp1gYwfjGqBCEPussZgZK8mx+5eWDbP2wg2m6IK/rUblHpzBga7HHflVugLKD1OCX84wmtrutFXSz/MZ+Do7iWzjkbLqHEIoFeTcDqjCPcPGkjF/tkcIEKiaGnMQXOjXN+euJj/DdIr1qRmSisz5FfX74ATfe3wx5zXB5bFYZpsoE48JCrL8S9FLDHunD+fvcJNHP9qB47WuMyEaZGwKpKGgKG7we/CzFu5nPHUssZQhHWotIB85Rti1mvojJ8ygLbO3xiFZcaVu3urjvnKBeEKOfc4QU9iurc9HjNJlPl3Z1gBNpptTqsi9j4Al7Te38qDINRuE0jDs3KgpF+24WeOUeMNkgokeFNeLBUdAUDM53rsA03UJY/8HLtROgQSrtpUTZ4i9QnNv3ztxdES2gtg/dMIrWbunIM6zQKDI//2KUO60KOm0/2OiN+5bRfshD3Ei3elXyJipjso1BJHtXALbiA16K4wAB2+t4oSIzpxH2D1e4g68lDrsWTnkm+JC6kmdZCAnycSXRNG3P+wMtYJqMfbbQ3aUp+HZblvmEWr5TejM9LHNGt4OsJpKlff3rfG2HBknN1C710SNjz4SFs2bDA4SmV/D7vfZ0wUGjY7pmxYT0LU+ftsyhTeEkJR2U7/7UeAFsDBG0/nGVA7oGsjSXNwS39UVmLSYYKtFruf3ByMPWsb2p63xGdClIQezEIisEc0kdlPKyNSdPhqgid4rwR3LVKlPCKvQ0IuQHmAagc1uO9AA23xQAJShVwdKmcmghV3q9/7V3P7E72Gob+TD+8/nN2fyLfYUrxYMexuirzNou5vYXEt4uAZNGKAsV/3CKk24YqQyagGl6o1oCd+cM0fDcEt0wqfKHBxAzV1fmcPp7wJJMliUZdii/g+R8AxQYpOOArWVIfXAN7h2zTvkM
Aul0EH/y3WQ00XQt7lW6famajRkqDDj+l8hArjX7Ap5+XVbMXABWI2Mh2R0Tf2b2ZI2MdZQkIOPpRi3lQD4tRj5KN+MEt5cX1T06D567XT5Gh3+2BGKCxn+YVhVGOEWMZt/j8QrasCwAJreUrCX72E+9NYmenYnNwwJ553aZ7wHcJ4Ka6yufzc/NzpsYLEYcPJPhhFxamZRsW9amC3MY0GVFhvyg6mkgY4zgKNcpHXIuM6kcFyqALh+21L4Le2Atv9albipeGKFGjGJ6UkMSheBly8fJVmanNYj7fOSWg+DgKzv0d12M1QuzjtptHKXPi0uYjp4BBm6RYaCF0HYGIOLq9RVpmRxDll89bCY+CB1BUlmdjqbhK+MK6Vi+V75UGjkiqJUJPWvCUdA/rrkLOPM6ECgYE61BNZasZbuMivNImPh - caKey.pem: 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 - serverCert.pem: 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 - serverKey.pem: 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 - template: - metadata: - name: vpa-tls-certs - namespace: kube-system diff --git a/manifests/cluster-addons/vertical-pod-autoscaler/vpa.yaml b/manifests/cluster-addons/vertical-pod-autoscaler/vpa.yaml deleted file mode 100644 index 94669cf..0000000 --- a/manifests/cluster-addons/vertical-pod-autoscaler/vpa.yaml +++ /dev/null 
@@ -1,1441 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes/kubernetes/pull/63797 - controller-gen.kubebuilder.io/version: v0.16.5 - name: verticalpodautoscalercheckpoints.autoscaling.k8s.io -spec: - group: autoscaling.k8s.io - names: - kind: VerticalPodAutoscalerCheckpoint - listKind: VerticalPodAutoscalerCheckpointList - plural: verticalpodautoscalercheckpoints - shortNames: - - vpacheckpoint - singular: verticalpodautoscalercheckpoint - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - VerticalPodAutoscalerCheckpoint is the checkpoint of the internal state of VPA that - is used for recovery after recommender's restart. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Specification of the checkpoint. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. - properties: - containerName: - description: Name of the checkpointed container. - type: string - vpaObjectName: - description: - Name of the VPA object that stored VerticalPodAutoscalerCheckpoint - object. - type: string - type: object - status: - description: Data of the checkpoint. 
- properties: - cpuHistogram: - description: Checkpoint of histogram for consumption of CPU. - properties: - bucketWeights: - description: Map from bucket index to bucket weight. - type: object - x-kubernetes-preserve-unknown-fields: true - referenceTimestamp: - description: - Reference timestamp for samples collected within - this histogram. - format: date-time - nullable: true - type: string - totalWeight: - description: - Sum of samples to be used as denominator for weights - from BucketWeights. - type: number - type: object - firstSampleStart: - description: Timestamp of the fist sample from the histograms. - format: date-time - nullable: true - type: string - lastSampleStart: - description: Timestamp of the last sample from the histograms. - format: date-time - nullable: true - type: string - lastUpdateTime: - description: The time when the status was last refreshed. - format: date-time - nullable: true - type: string - memoryHistogram: - description: Checkpoint of histogram for consumption of memory. - properties: - bucketWeights: - description: Map from bucket index to bucket weight. - type: object - x-kubernetes-preserve-unknown-fields: true - referenceTimestamp: - description: - Reference timestamp for samples collected within - this histogram. - format: date-time - nullable: true - type: string - totalWeight: - description: - Sum of samples to be used as denominator for weights - from BucketWeights. - type: number - type: object - totalSamplesCount: - description: Total number of samples in the histograms. - type: integer - version: - description: Version of the format of the stored data. - type: string - type: object - type: object - served: true - storage: true - - name: v1beta2 - schema: - openAPIV3Schema: - description: |- - VerticalPodAutoscalerCheckpoint is the checkpoint of the internal state of VPA that - is used for recovery after recommender's restart. 
- properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Specification of the checkpoint. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. - properties: - containerName: - description: Name of the checkpointed container. - type: string - vpaObjectName: - description: - Name of the VPA object that stored VerticalPodAutoscalerCheckpoint - object. - type: string - type: object - status: - description: Data of the checkpoint. - properties: - cpuHistogram: - description: Checkpoint of histogram for consumption of CPU. - properties: - bucketWeights: - description: Map from bucket index to bucket weight. - type: object - x-kubernetes-preserve-unknown-fields: true - referenceTimestamp: - description: - Reference timestamp for samples collected within - this histogram. - format: date-time - nullable: true - type: string - totalWeight: - description: - Sum of samples to be used as denominator for weights - from BucketWeights. - type: number - type: object - firstSampleStart: - description: Timestamp of the fist sample from the histograms. - format: date-time - nullable: true - type: string - lastSampleStart: - description: Timestamp of the last sample from the histograms. 
- format: date-time - nullable: true - type: string - lastUpdateTime: - description: The time when the status was last refreshed. - format: date-time - nullable: true - type: string - memoryHistogram: - description: Checkpoint of histogram for consumption of memory. - properties: - bucketWeights: - description: Map from bucket index to bucket weight. - type: object - x-kubernetes-preserve-unknown-fields: true - referenceTimestamp: - description: - Reference timestamp for samples collected within - this histogram. - format: date-time - nullable: true - type: string - totalWeight: - description: - Sum of samples to be used as denominator for weights - from BucketWeights. - type: number - type: object - totalSamplesCount: - description: Total number of samples in the histograms. - type: integer - version: - description: Version of the format of the stored data. - type: string - type: object - type: object - served: false - storage: false ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes/kubernetes/pull/63797 - controller-gen.kubebuilder.io/version: v0.16.5 - name: verticalpodautoscalers.autoscaling.k8s.io -spec: - group: autoscaling.k8s.io - names: - kind: VerticalPodAutoscaler - listKind: VerticalPodAutoscalerList - plural: verticalpodautoscalers - shortNames: - - vpa - singular: verticalpodautoscaler - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.updatePolicy.updateMode - name: Mode - type: string - - jsonPath: .status.recommendation.containerRecommendations[0].target.cpu - name: CPU - type: string - - jsonPath: .status.recommendation.containerRecommendations[0].target.memory - name: Mem - type: string - - jsonPath: .status.conditions[?(@.type=='RecommendationProvided')].status - name: Provided - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - 
description: |- - VerticalPodAutoscaler is the configuration for a vertical pod - autoscaler, which automatically manages pod resources based on historical and - real time resource utilization. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Specification of the behavior of the autoscaler. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. - properties: - recommenders: - description: |- - Recommender responsible for generating recommendation for this object. - List should be empty (then the default recommender will generate the - recommendation) or contain exactly one recommender. - items: - description: |- - VerticalPodAutoscalerRecommenderSelector points to a specific Vertical Pod Autoscaler recommender. - In the future it might pass parameters to the recommender. - properties: - name: - description: - Name of the recommender responsible for generating - recommendation for this object. - type: string - required: - - name - type: object - type: array - resourcePolicy: - description: |- - Controls how the autoscaler computes recommended resources. - The resource policy may be used to set constraints on the recommendations - for individual containers. 
- If any individual containers need to be excluded from getting the VPA recommendations, then - it must be disabled explicitly by setting mode to "Off" under containerPolicies. - If not specified, the autoscaler computes recommended resources for all containers in the pod, - without additional constraints. - properties: - containerPolicies: - description: Per-container resource policies. - items: - description: |- - ContainerResourcePolicy controls how autoscaler computes the recommended - resources for a specific container. - properties: - containerName: - description: |- - Name of the container or DefaultContainerResourcePolicy, in which - case the policy is used by the containers that don't have their own - policy specified. - type: string - controlledResources: - description: |- - Specifies the type of recommendations that will be computed - (and possibly applied) by VPA. - If not specified, the default of [ResourceCPU, ResourceMemory] will be used. - items: - description: - ResourceName is the name identifying various - resources in a ResourceList. - type: string - type: array - controlledValues: - description: |- - Specifies which resource values should be controlled. - The default is "RequestsAndLimits". - enum: - - RequestsAndLimits - - RequestsOnly - type: string - maxAllowed: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Specifies the maximum amount of resources that will be recommended - for the container. The default is no maximum. 
- type: object - minAllowed: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Specifies the minimal amount of resources that will be recommended - for the container. The default is no minimum. - type: object - mode: - description: - Whether autoscaler is enabled for the container. - The default is "Auto". - enum: - - Auto - - 'Off' - type: string - type: object - type: array - type: object - targetRef: - description: |- - TargetRef points to the controller managing the set of pods for the - autoscaler to control - e.g. Deployment, StatefulSet. VerticalPodAutoscaler - can be targeted at controller implementing scale subresource (the pod set is - retrieved from the controller's ScaleStatus) or some well known controllers - (e.g. for DaemonSet the pod set is read from the controller's spec). - If VerticalPodAutoscaler cannot use specified target it will report - ConfigUnsupported condition. - Note that VerticalPodAutoscaler does not require full implementation - of scale subresource - it will not use it to modify the replica count. - The only thing retrieved is a label selector matching pods grouped by - the target resource. - properties: - apiVersion: - description: apiVersion is the API version of the referent - type: string - kind: - description: 'kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - updatePolicy: - description: |- - Describes the rules on how changes are applied to the pods. 
- If not specified, all fields in the `PodUpdatePolicy` are set to their - default values. - properties: - evictionRequirements: - description: |- - EvictionRequirements is a list of EvictionRequirements that need to - evaluate to true in order for a Pod to be evicted. If more than one - EvictionRequirement is specified, all of them need to be fulfilled to allow eviction. - items: - description: |- - EvictionRequirement defines a single condition which needs to be true in - order to evict a Pod - properties: - changeRequirement: - description: - EvictionChangeRequirement refers to the relationship - between the new target recommendation for a Pod and its - current requests, what kind of change is necessary for - the Pod to be evicted - enum: - - TargetHigherThanRequests - - TargetLowerThanRequests - type: string - resources: - description: |- - Resources is a list of one or more resources that the condition applies - to. If more than one resource is given, the EvictionRequirement is fulfilled - if at least one resource meets `changeRequirement`. - items: - description: - ResourceName is the name identifying various - resources in a ResourceList. - type: string - type: array - required: - - changeRequirement - - resources - type: object - type: array - minReplicas: - description: |- - Minimal number of replicas which need to be alive for Updater to attempt - pod eviction (pending other checks like PDB). Only positive values are - allowed. Overrides global '--min-replicas' flag. - format: int32 - type: integer - updateMode: - description: |- - Controls when autoscaler applies changes to the pod resources. - The default is 'Auto'. - enum: - - 'Off' - - Initial - - Recreate - - Auto - type: string - type: object - required: - - targetRef - type: object - status: - description: Current information about the autoscaler. 
- properties: - conditions: - description: |- - Conditions is the set of conditions required for this autoscaler to scale its target, - and indicates whether or not those conditions are met. - items: - description: |- - VerticalPodAutoscalerCondition describes the state of - a VerticalPodAutoscaler at a certain point. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from - one status to another - format: date-time - type: string - message: - description: |- - message is a human-readable explanation containing details about - the transition - type: string - reason: - description: reason is the reason for the condition's last transition. - type: string - status: - description: - status is the status of the condition (True, False, - Unknown) - type: string - type: - description: type describes the current condition - type: string - required: - - status - - type - type: object - type: array - recommendation: - description: |- - The most recently computed amount of resources recommended by the - autoscaler for the controlled pods. - properties: - containerRecommendations: - description: - Resources recommended by the autoscaler for each - container. - items: - description: |- - RecommendedContainerResources is the recommendation of resources computed by - autoscaler for a specific container. Respects the container resource policy - if present in the spec. In particular the recommendation is not produced for - containers with `ContainerScalingMode` set to 'Off'. - properties: - containerName: - description: Name of the container. - type: string - lowerBound: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Minimum recommended amount of resources. Observes ContainerResourcePolicy. 
- This amount is not guaranteed to be sufficient for the application to operate in a stable way, however - running with less resources is likely to have significant impact on performance/availability. - type: object - target: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Recommended amount of resources. Observes ContainerResourcePolicy. - type: object - uncappedTarget: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - The most recent recommended resources target computed by the autoscaler - for the controlled pods, based only on actual resource usage, not taking - into account the ContainerResourcePolicy. - May differ from the Recommendation if the actual resource usage causes - the target to violate the ContainerResourcePolicy (lower than MinAllowed - or higher that MaxAllowed). - Used only as status indication, will not affect actual resource assignment. - type: object - upperBound: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Maximum recommended amount of resources. Observes ContainerResourcePolicy. - Any resources allocated beyond this value are likely wasted. This value may be larger than the maximum - amount of application is actually capable of consuming. 
- type: object - required: - - target - type: object - type: array - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - deprecated: true - deprecationWarning: autoscaling.k8s.io/v1beta2 API is deprecated - name: v1beta2 - schema: - openAPIV3Schema: - description: |- - VerticalPodAutoscaler is the configuration for a vertical pod - autoscaler, which automatically manages pod resources based on historical and - real time resource utilization. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: |- - Specification of the behavior of the autoscaler. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. - properties: - resourcePolicy: - description: |- - Controls how the autoscaler computes recommended resources. - The resource policy may be used to set constraints on the recommendations - for individual containers. If not specified, the autoscaler computes recommended - resources for all containers in the pod, without additional constraints. - properties: - containerPolicies: - description: Per-container resource policies. 
- items: - description: |- - ContainerResourcePolicy controls how autoscaler computes the recommended - resources for a specific container. - properties: - containerName: - description: |- - Name of the container or DefaultContainerResourcePolicy, in which - case the policy is used by the containers that don't have their own - policy specified. - type: string - maxAllowed: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Specifies the maximum amount of resources that will be recommended - for the container. The default is no maximum. - type: object - minAllowed: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Specifies the minimal amount of resources that will be recommended - for the container. The default is no minimum. - type: object - mode: - description: - Whether autoscaler is enabled for the container. - The default is "Auto". - enum: - - Auto - - 'Off' - type: string - type: object - type: array - type: object - targetRef: - description: |- - TargetRef points to the controller managing the set of pods for the - autoscaler to control - e.g. Deployment, StatefulSet. VerticalPodAutoscaler - can be targeted at controller implementing scale subresource (the pod set is - retrieved from the controller's ScaleStatus) or some well known controllers - (e.g. for DaemonSet the pod set is read from the controller's spec). - If VerticalPodAutoscaler cannot use specified target it will report - ConfigUnsupported condition. - Note that VerticalPodAutoscaler does not require full implementation - of scale subresource - it will not use it to modify the replica count. 
- The only thing retrieved is a label selector matching pods grouped by - the target resource. - properties: - apiVersion: - description: apiVersion is the API version of the referent - type: string - kind: - description: 'kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - updatePolicy: - description: |- - Describes the rules on how changes are applied to the pods. - If not specified, all fields in the `PodUpdatePolicy` are set to their - default values. - properties: - updateMode: - description: |- - Controls when autoscaler applies changes to the pod resources. - The default is 'Auto'. - enum: - - 'Off' - - Initial - - Recreate - - Auto - type: string - type: object - required: - - targetRef - type: object - status: - description: Current information about the autoscaler. - properties: - conditions: - description: |- - Conditions is the set of conditions required for this autoscaler to scale its target, - and indicates whether or not those conditions are met. - items: - description: |- - VerticalPodAutoscalerCondition describes the state of - a VerticalPodAutoscaler at a certain point. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from - one status to another - format: date-time - type: string - message: - description: |- - message is a human-readable explanation containing details about - the transition - type: string - reason: - description: reason is the reason for the condition's last transition. 
- type: string - status: - description: - status is the status of the condition (True, False, - Unknown) - type: string - type: - description: type describes the current condition - type: string - required: - - status - - type - type: object - type: array - recommendation: - description: |- - The most recently computed amount of resources recommended by the - autoscaler for the controlled pods. - properties: - containerRecommendations: - description: - Resources recommended by the autoscaler for each - container. - items: - description: |- - RecommendedContainerResources is the recommendation of resources computed by - autoscaler for a specific container. Respects the container resource policy - if present in the spec. In particular the recommendation is not produced for - containers with `ContainerScalingMode` set to 'Off'. - properties: - containerName: - description: Name of the container. - type: string - lowerBound: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Minimum recommended amount of resources. Observes ContainerResourcePolicy. - This amount is not guaranteed to be sufficient for the application to operate in a stable way, however - running with less resources is likely to have significant impact on performance/availability. - type: object - target: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Recommended amount of resources. Observes ContainerResourcePolicy. 
- type: object - uncappedTarget: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - The most recent recommended resources target computed by the autoscaler - for the controlled pods, based only on actual resource usage, not taking - into account the ContainerResourcePolicy. - May differ from the Recommendation if the actual resource usage causes - the target to violate the ContainerResourcePolicy (lower than MinAllowed - or higher that MaxAllowed). - Used only as status indication, will not affect actual resource assignment. - type: object - upperBound: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Maximum recommended amount of resources. Observes ContainerResourcePolicy. - Any resources allocated beyond this value are likely wasted. This value may be larger than the maximum - amount of application is actually capable of consuming. 
- type: object - required: - - target - type: object - type: array - type: object - type: object - required: - - spec - type: object - served: false - storage: false - subresources: - status: {} - ---- - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:metrics-reader -rules: - - apiGroups: - - 'metrics.k8s.io' - resources: - - pods - verbs: - - get - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:vpa-actor -rules: - - apiGroups: - - '' - resources: - - pods - - nodes - - limitranges - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - events - verbs: - - get - - list - - watch - - create - - apiGroups: - - 'poc.autoscaling.k8s.io' - resources: - - verticalpodautoscalers - verbs: - - get - - list - - watch - - apiGroups: - - 'autoscaling.k8s.io' - resources: - - verticalpodautoscalers - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:vpa-status-actor -rules: - - apiGroups: - - 'autoscaling.k8s.io' - resources: - - verticalpodautoscalers/status - verbs: - - get - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:vpa-checkpoint-actor -rules: - - apiGroups: - - 'poc.autoscaling.k8s.io' - resources: - - verticalpodautoscalercheckpoints - verbs: - - get - - list - - watch - - create - - patch - - delete - - apiGroups: - - 'autoscaling.k8s.io' - resources: - - verticalpodautoscalercheckpoints - verbs: - - get - - list - - watch - - create - - patch - - delete - - apiGroups: - - '' - resources: - - namespaces - verbs: - - get - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:evictioner -rules: - - apiGroups: - - 'apps' - - 'extensions' - resources: - - replicasets - verbs: - - get - - apiGroups: - - '' - resources: - - pods/eviction - verbs: - - create ---- -apiVersion: 
rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system:metrics-reader -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:metrics-reader -subjects: - - kind: ServiceAccount - name: vpa-recommender - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system:vpa-actor -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:vpa-actor -subjects: - - kind: ServiceAccount - name: vpa-recommender - namespace: kube-system - - kind: ServiceAccount - name: vpa-updater - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system:vpa-status-actor -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:vpa-status-actor -subjects: - - kind: ServiceAccount - name: vpa-recommender - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system:vpa-checkpoint-actor -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:vpa-checkpoint-actor -subjects: - - kind: ServiceAccount - name: vpa-recommender - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:vpa-target-reader -rules: - - apiGroups: - - '*' - resources: - - '*/scale' - verbs: - - get - - watch - - apiGroups: - - '' - resources: - - replicationcontrollers - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - daemonsets - - deployments - - replicasets - - statefulsets - verbs: - - get - - list - - watch - - apiGroups: - - batch - resources: - - jobs - - cronjobs - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system:vpa-target-reader-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:vpa-target-reader 
-subjects: - - kind: ServiceAccount - name: vpa-recommender - namespace: kube-system - - kind: ServiceAccount - name: vpa-admission-controller - namespace: kube-system - - kind: ServiceAccount - name: vpa-updater - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system:vpa-evictioner-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:evictioner -subjects: - - kind: ServiceAccount - name: vpa-updater - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vpa-admission-controller - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vpa-recommender - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: vpa-updater - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:vpa-admission-controller -rules: - - apiGroups: - - '' - resources: - - pods - - configmaps - - nodes - - limitranges - verbs: - - get - - list - - watch - - apiGroups: - - 'admissionregistration.k8s.io' - resources: - - mutatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - apiGroups: - - 'poc.autoscaling.k8s.io' - resources: - - verticalpodautoscalers - verbs: - - get - - list - - watch - - apiGroups: - - 'autoscaling.k8s.io' - resources: - - verticalpodautoscalers - verbs: - - get - - list - - watch - - apiGroups: - - 'coordination.k8s.io' - resources: - - leases - verbs: - - create - - update - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system:vpa-admission-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:vpa-admission-controller -subjects: - - kind: ServiceAccount - name: vpa-admission-controller - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: 
ClusterRole -metadata: - name: system:vpa-status-reader -rules: - - apiGroups: - - 'coordination.k8s.io' - resources: - - leases - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system:vpa-status-reader-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:vpa-status-reader -subjects: - - kind: ServiceAccount - name: vpa-updater - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: system:leader-locking-vpa-updater - namespace: kube-system -rules: - - apiGroups: - - 'coordination.k8s.io' - resources: - - leases - verbs: - - create - - apiGroups: - - 'coordination.k8s.io' - resourceNames: - - vpa-updater - resources: - - leases - verbs: - - get - - watch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: system:leader-locking-vpa-updater - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: system:leader-locking-vpa-updater -subjects: - - kind: ServiceAccount - name: vpa-updater - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: system:leader-locking-vpa-recommender - namespace: kube-system -rules: - - apiGroups: - - 'coordination.k8s.io' - resources: - - leases - verbs: - - create - - apiGroups: - - 'coordination.k8s.io' - resourceNames: - # TODO: Clean vpa-recommender up once vpa-recommender-lease is used everywhere. See https://github.com/kubernetes/autoscaler/issues/7461. 
- - vpa-recommender - - vpa-recommender-lease - resources: - - leases - verbs: - - get - - watch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: system:leader-locking-vpa-recommender - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: system:leader-locking-vpa-recommender -subjects: - - kind: ServiceAccount - name: vpa-recommender - namespace: kube-system - ---- - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vpa-updater - namespace: kube-system -spec: - replicas: 1 - selector: - matchLabels: - app: vpa-updater - template: - metadata: - labels: - app: vpa-updater - spec: - serviceAccountName: vpa-updater - securityContext: - runAsNonRoot: true - runAsUser: 65534 # nobody - containers: - - name: updater - args: - - '--min-replicas=1' - image: registry.k8s.io/autoscaling/vpa-updater:1.3.0 - imagePullPolicy: IfNotPresent - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: - limits: - cpu: 200m - memory: 1000Mi - requests: - cpu: 50m - memory: 500Mi - ports: - - name: prometheus - containerPort: 8943 - ---- - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vpa-recommender - namespace: kube-system -spec: - replicas: 1 - selector: - matchLabels: - app: vpa-recommender - template: - metadata: - labels: - app: vpa-recommender - spec: - serviceAccountName: vpa-recommender - securityContext: - runAsNonRoot: true - runAsUser: 65534 # nobody - containers: - - name: recommender - image: registry.k8s.io/autoscaling/vpa-recommender:1.3.0 - imagePullPolicy: IfNotPresent - resources: - limits: - cpu: 200m - memory: 1000Mi - requests: - cpu: 50m - memory: 500Mi - ports: - - name: prometheus - containerPort: 8942 - ---- - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vpa-admission-controller - namespace: kube-system -spec: - replicas: 1 - selector: - matchLabels: - app: vpa-admission-controller - 
template: - metadata: - labels: - app: vpa-admission-controller - spec: - serviceAccountName: vpa-admission-controller - securityContext: - runAsNonRoot: true - runAsUser: 65534 # nobody - containers: - - name: admission-controller - image: registry.k8s.io/autoscaling/vpa-admission-controller:1.3.0 - imagePullPolicy: IfNotPresent - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - args: ['--v=4', '--stderrthreshold=info', '--reload-cert'] - volumeMounts: - - name: tls-certs - mountPath: '/etc/tls-certs' - readOnly: true - resources: - limits: - cpu: 200m - memory: 500Mi - requests: - cpu: 50m - memory: 200Mi - ports: - - containerPort: 8000 - - name: prometheus - containerPort: 8944 - volumes: - - name: tls-certs - secret: - secretName: vpa-tls-certs ---- -apiVersion: v1 -kind: Service -metadata: - name: vpa-webhook - namespace: kube-system -spec: - ports: - - port: 443 - targetPort: 8000 - selector: - app: vpa-admission-controller - ---- - diff --git a/scripts/clean.sh b/scripts/clean.sh index f0c4878..99e33ad 100755 --- a/scripts/clean.sh +++ b/scripts/clean.sh @@ -1,14 +1,15 @@ #!/bin/bash -rm -rf manifests/applications/* -rm -rf manifests/cluster-addons/monitoring -rm -rf manifests/cluster-addons/oauth2-proxy -rm -rf manifests/cluster-addons/vertical-pod-autoscaler +main() { + rm -rf manifests/applications/* + rm -rf manifests/cluster-addons/monitoring + rm -rf manifests/cluster-addons/oauth2-proxy + rm -rf manifests/cluster-addons/vertical-pod-autoscaler -# Get email from user -read -r -p "Enter your email address (used for cert-manager): " email + # Get email from user + read -r -p "Enter your email address (used for cert-manager): " email -cat < manifests/cluster-addons/cert-manager/templates/clusterissuer.yaml + cat < manifests/cluster-addons/cert-manager/templates/clusterissuer.yaml apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: 
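Review bot: The four `rm -rf` calls that now open `main` use paths relative to the current directory, so the script deletes whatever `manifests/...` resolves to from wherever it is invoked, and nothing stops it from continuing after a failed step. Wrapping the body in `main` is a good moment to pin the working directory and fail fast: add `set -euo pipefail` under the shebang and `cd "$(dirname "${BASH_SOURCE[0]}")/.." || exit 1` as the first line of `main`. `main` continues past this hunk, so check that the later heredoc writes also expect the repository root.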
@@ -25,10 +26,10 @@ spec: ingressClassName: traefik EOF -read -r -p "What is the domain name for your cluster? (e.g. example.com, used for Argo CD): " domain_name -read -r -p "What is your GitHub repository name? (e.g. my-org/my-repo, used for Argo CD): " repo_name + read -r -p "What is the domain name for your cluster? (e.g. example.com, used for Argo CD): " domain_name + read -r -p "What is your GitHub repository name? (e.g. my-org/my-repo, used for Argo CD): " repo_name -cat < terraform/extra-manifests/helm-chart.yaml.tpl + cat < terraform/extra-manifests/helm-chart.yaml.tpl apiVersion: helm.cattle.io/v1 kind: HelmChart metadata: @@ -54,7 +55,7 @@ spec: enabled: false EOF -cat < manifests/cluster-addons/argocd/values.yaml + cat < manifests/cluster-addons/argocd/values.yaml argo-cd: global: domain: argocd.$domain_name @@ -71,7 +72,7 @@ argo-cd: enabled: false EOF -cat < terraform/extra-manifests/applicationset.yaml.tpl + cat < terraform/extra-manifests/applicationset.yaml.tpl apiVersion: argoproj.io/v1alpha1 kind: ApplicationSet metadata: @@ -110,7 +111,7 @@ spec: - ServerSideApply=true EOF -cat < manifests/cluster-addons/argocd/templates/certificate.yaml + cat < manifests/cluster-addons/argocd/templates/certificate.yaml apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -125,7 +126,7 @@ spec: kind: ClusterIssuer EOF -cat < manifests/cluster-addons/argocd/templates/ingressroute.yaml + cat < manifests/cluster-addons/argocd/templates/ingressroute.yaml apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: @@ -154,3 +155,6 @@ spec: tls: secretName: ingress-tls EOF +} + +main diff --git a/scripts/packer.sh b/scripts/packer.sh new file mode 100755 index 0000000..5dbcc21 --- /dev/null +++ b/scripts/packer.sh 
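Review bot: The answers read into `domain_name` and `repo_name` in the `@@ -25,10 +26,10 @@` hunk are written unchecked into YAML by the later heredocs (for example `domain: argocd.$domain_name` in the `values.yaml` hunk), so an answer containing a space, colon, quote or `#` yields a manifest that parses differently from what was intended. Validate each value before the first write, e.g. `[[ "$domain_name" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "invalid domain name" >&2; exit 1; }`, with an equivalent `owner/repo` pattern for `repo_name`; `email`, read in the first hunk, needs the same check. The heredoc bodies and `EOF` terminators presumably stay at column 0 inside the now-indented `main`, so a one-line comment such as `# heredoc body and EOF must stay unindented` would keep a later re-indent from breaking them.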
@@ -0,0 +1,16 @@ +#!/bin/bash + +main() { + local packer_file + packer_file='terraform/hcloud-microos-snapshots.pkr.hcl' + + if [[ -z "$HCLOUD_TOKEN" ]]; then + echo "HCLOUD_TOKEN is not set. Please get and API token with read/write access and set it in your environment, e.g. 'export HCLOUD_TOKEN=your_token_here'." + exit 1 + fi + + packer init "$packer_file" + packer build "$packer_file" +} + +main diff --git a/terraform/extra-manifests/applications.yaml.tpl b/terraform/extra-manifests/applications.yaml.tpl index a7a2315..afc8396 100644 --- a/terraform/extra-manifests/applications.yaml.tpl +++ b/terraform/extra-manifests/applications.yaml.tpl @@ -8,7 +8,7 @@ spec: goTemplateOptions: ['missingkey=error'] generators: - git: - repoURL: https://github.com/bakseter/whpah + repoURL: https://github.com/baksetercx/whpah revision: HEAD directories: - path: manifests/applications/** @@ -20,18 +20,15 @@ spec: spec: project: default source: - repoURL: https://github.com/bakseter/whpah + repoURL: https://github.com/baksetercx/whpah targetRevision: HEAD path: '{{.path.path}}' - directory: - recurse: true destination: server: https://kubernetes.default.svc namespace: '{{.path.basename}}' syncPolicy: automated: selfHeal: true - prune: true syncOptions: - CreateNamespace=true - ServerSideApply=true diff --git a/terraform/extra-manifests/applicationset.yaml.tpl b/terraform/extra-manifests/applicationset.yaml.tpl new file mode 100644 index 0000000..6da49de --- /dev/null +++ b/terraform/extra-manifests/applicationset.yaml.tpl 
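Review bot: The hint printed when `HCLOUD_TOKEN` is unset tells the user to run `export HCLOUD_TOKEN=your_token_here`, which leaves a read/write API token in shell history. Suggesting a silent prompt such as `read -rs HCLOUD_TOKEN && export HCLOUD_TOKEN`, or loading the token from a secrets manager, avoids that. The message should go to stderr (`>&2`), and "get and API token" should read "get an API token". `packer_file` is a relative path, so the script only works from the repository root; `cd "$(dirname "${BASH_SOURCE[0]}")/.." || exit 1` at the top of `main` removes that dependency.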
@@ -0,0 +1,36 @@ +apiVersion: argoproj.io/v1alpha1 +kind: ApplicationSet +metadata: + name: root + namespace: argocd +spec: + goTemplate: true + goTemplateOptions: ['missingkey=error'] + generators: + - git: + repoURL: https://github.com/baksetercx/whpah.git + revision: HEAD + directories: + - path: manifests/applications/** + - path: manifests/cluster-addons/** + template: + metadata: + name: '{{.path.basename}}' + labels: + bakseter.net/type: '{{trimSuffix "s" (index .path.segments 1)}}' + spec: + project: default + sources: + - repoURL: https://github.com/baksetercx/whpah.git + targetRevision: HEAD + path: '{{.path.path}}' + destination: + server: https://kubernetes.default.svc + namespace: '{{.path.basename}}' + syncPolicy: + automated: + selfHeal: true + prune: true + syncOptions: + - CreateNamespace=true + - ServerSideApply=true diff --git a/terraform/extra-manifests/cluster-addons.yaml.tpl b/terraform/extra-manifests/cluster-addons.yaml.tpl index ff4893d..b204a2b 100644 --- a/terraform/extra-manifests/cluster-addons.yaml.tpl +++ b/terraform/extra-manifests/cluster-addons.yaml.tpl @@ -8,7 +8,7 @@ spec: goTemplateOptions: ['missingkey=error'] generators: - git: - repoURL: https://github.com/bakseter/whpah + repoURL: https://github.com/baksetercx/whpah revision: HEAD directories: - path: manifests/cluster-addons/** @@ -20,7 +20,7 @@ spec: spec: project: default source: - repoURL: https://github.com/bakseter/whpah + repoURL: https://github.com/baksetercx/whpah targetRevision: HEAD path: '{{.path.path}}' destination: diff --git a/terraform/extra-manifests/helm-chart.yaml.tpl b/terraform/extra-manifests/helm-chart.yaml.tpl index 39e41eb..da24aac 100644 --- a/terraform/extra-manifests/helm-chart.yaml.tpl +++ b/terraform/extra-manifests/helm-chart.yaml.tpl @@ -9,7 +9,7 @@ spec: targetNamespace: argocd valuesContent: |- global: - domain: argocd.bakseter.net + domain: argocd.computas.cloud networkPolicy: create: true 
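Review bot: The template pins every generated Application to `project: default` and tracks `HEAD` with `automated` sync, `selfHeal` and `prune: true`. Any directory that appears under `manifests/applications/**` or `manifests/cluster-addons/**` on the default branch is therefore applied, and removed resources deleted, with whatever the default project permits. Consider a dedicated AppProject for the `applications` path that restricts `sourceRepos`, `destinations` and cluster-scoped resource kinds, selected in the template from `index .path.segments 1` the same way the `bakseter.net/type` label is. If this ApplicationSet is deployed alongside `applications.yaml.tpl` and `cluster-addons.yaml.tpl`, which scan the same directories, check that they do not generate Applications with the same names. A leading comment explaining the `trimSuffix "s" (index .path.segments 1)` label would also help the next reader.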
@@ -17,7 +17,7 @@ spec: configs: repositories: argocd: - url: https://github.com/bakseter/whpah + url: https://github.com/baksetercx/whpah.git dex: enabled: false diff --git a/terraform/extra-manifests/kustomization.yaml.tpl b/terraform/extra-manifests/kustomization.yaml.tpl index c1cc669..89f9851 100644 --- a/terraform/extra-manifests/kustomization.yaml.tpl +++ b/terraform/extra-manifests/kustomization.yaml.tpl @@ -3,5 +3,5 @@ kind: Kustomization resources: - namespace.yaml - helm-chart.yaml - - applications.yaml - cluster-addons.yaml + - applications.yaml diff --git a/terraform/versions.tf b/terraform/versions.tf index 23cb660..36b7fd5 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf @@ -1,12 +1,4 @@ terraform { - cloud { - organization = "bakseter" - - workspaces { - name = "platform" - } - } - required_providers { hcloud = { source = "hetznercloud/hcloud"