extern/christianlempa-boilerplates
1
0
Fork 0
mirror of https://github.com/ChristianLempa/boilerplates.git synced 2024-11-21 15:53:16 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #502 from ChristianLempa/456-enhance-kubernetes-templates

Browse Source 
Big update to Kubernetes and Helm templates
This commit is contained in:
Christian Lempa 2024-11-08 12:35:13 +01:00 committed by GitHub
commit 3a976e8612
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
53 changed files with 278 additions and 1435 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
helm/cert-manager/values.yaml Normal file
View File

@ -0,0 +1,19 @@
---
image:
repository: quay.io/jetstack/cert-manager-controller
tag: v1.16.0
webhook:
image:
repository: quay.io/jetstack/cert-manager-webhook
tag: v1.16.0
cainjector:
image:
repository: quay.io/jetstack/cert-manager-cainjector
tag: v1.16.0
crds:
enabled: true
extraArgs:
- --dns01-recursive-nameservers-only
- --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53

53
helm/longhorn/values.yaml Normal file
View File

@ -0,0 +1,53 @@
---
image:
longhorn:
engine:
repository: "longhornio/longhorn-engine"
tag: "v1.7.2"
manager:
repository: "longhornio/longhorn-manager"
tag: "v1.7.2"
ui:
repository: "longhornio/longhorn-ui"
tag: "v1.7.2"
instanceManager:
repository: "longhornio/longhorn-instance-manager"
tag: "v1.7.2"
shareManager:
repository: "longhornio/longhorn-share-manager"
tag: "v1.7.2"
backingImageManager:
repository: "longhornio/backing-image-manager"
tag: "v1.7.2"
supportBundleKit:
repository: "longhornio/support-bundle-kit"
tag: "v0.0.45"
csi:
attacher:
repository: "longhornio/csi-attacher"
tag: "v4.7.0"
provisioner:
repository: "longhornio/csi-provisioner"
tag: "v5.1.0"
nodeDriverRegistrar:
repository: "longhornio/csi-node-driver-registrar"
tag: "v2.12.0"
resizer:
repository: "longhornio/csi-resizer"
tag: "v1.12.0"
snapshotter:
repository: "longhornio/csi-snapshotter"
tag: "v8.1.0"
livenessProbe:
repository: "longhornio/livenessprobe"
tag: "v2.14.0"
# --> (Optional) Reduce the number of replicas of Longhorn UI
# longhornUI:
# replicas: 1
# <--
# --> (Optional) Change the default settings, like Backup Target here...
# defaultSettings:
# backupTarget: "your-backup-target" # <-- Replace with your backup target
# <--

27
helm/portainer/values.yaml Normal file
View File

@ -0,0 +1,27 @@
---
image:
repository: portainer/portainer-ce
tag: 2.22.0
pullPolicy: IfNotPresent
service:
type: ClusterIP
# --> (Optional) When you want to automatically create an Ingress
# ingress:
# enabled: true
# hosts:
# - host: "your-fqdn" # <-- Replace with your FQDN
# paths:
# - path: /
# port: "9000"
# tls:
# - secretName: portainer-certificate-secret
# hosts:
# - "your-fqdn" # <-- Replace with your FQDN
# <--
# --> (Optional) When using an existing PVC
# persistence:
# existingClaim: "portainer"
# <--

19
helm/traefik/values.yaml Normal file
View File

@ -0,0 +1,19 @@
image:
repository: traefik
version: v3.1.4
pullPolicy: IfNotPresent
# --> (Optional) Change log settings here...
# logs:
# general:
# level: ERROR
# access:
# enabled: false
# <--
# --> (Optional) Redirect HTTP to HTTPs by default
# ports:
# web:
# redirectTo:
# port: websecure
# <--

13
kubernetes/cert-manager/certificate.yaml.example Normal file
View File

@ -0,0 +1,13 @@
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: your-certificate # <-- Replace with your certificate name
namespace: your-namespace # <-- Replace with your namespace
spec:
secretName: your-secret # <-- Replace with your secret name
issuerRef:
name: clusterissuer # <-- Replace with your issuer name
kind: ClusterIssuer
dnsNames:
- your-hostname # <-- Replace with your hostname

9
kubernetes/cert-manager/clusterissuer-secret.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: v1
kind: Secret
metadata:
name: cloudflare-api-token-secret
namespace: cert-manager
type: Opaque
data:
api-token: your-api-token # <-- Replace with your Cloudflare API token

17
kubernetes/cert-manager/clusterissuer.yaml Normal file
View File

@ -0,0 +1,17 @@
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: cloudflare-clusterissuer
spec:
acme:
email: your-email@address # <-- Replace with your email address
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: cloudflare-clusterissuer-account-key
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-api-token-secret
key: api-token

32
kubernetes/certmanager/README.md
View File

@ -1,32 +0,0 @@
# Kubernetes Cert-Manager Installation Guide
Here is the installation guide for Cert-Manager and the complete configuration.
## Deployment
### 1. Add the Helm Repository & Update
```bash
helm repo add jetstack https://charts.jetstack.io
helm repo update
```
### 2. Install Cert-Manager with Helm & CRDs
```bash
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true
```
## Configuration
Add your Issuer or ClusterIssuer Objects, Credentails and Certificates.
_For more info visit:_ [Official Cert-Manager Documentation](https://cert-manager.io/docs/)
## Best-Practices & Post-Installation
## Troubleshooting
You can troubleshoot issues and inspect log entries for the Certificate Objects with the `kubectl describe` command.
_For more info visit:_ [Official Cert-Manager Troubleshooting Guide](https://cert-manager.io/docs/faq/troubleshooting/)

516
kubernetes/certmanager/default-values.yml
View File

@ -1,516 +0,0 @@
# Default values for cert-manager.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
## Reference to one or more secrets to be used when pulling images
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
imagePullSecrets: []
# - name: "image-pull-secret"
# Optional priority class to be used for the cert-manager pods
priorityClassName: ""
rbac:
create: true
podSecurityPolicy:
enabled: false
useAppArmor: true
# Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose.
logLevel: 2
leaderElection:
# Override the namespace used to store the ConfigMap for leader election
namespace: "kube-system"
# The duration that non-leader candidates will wait after observing a
# leadership renewal until attempting to acquire leadership of a led but
# unrenewed leader slot. This is effectively the maximum duration that a
# leader can be stopped before it is replaced by another candidate.
# leaseDuration: 60s
# The interval between attempts by the acting master to renew a leadership
# slot before it stops leading. This must be less than or equal to the
# lease duration.
# renewDeadline: 40s
# The duration the clients should wait between attempting acquisition and
# renewal of a leadership.
# retryPeriod: 15s
installCRDs: false
replicaCount: 1
strategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
# Comma separated list of feature gates that should be enabled on the
# controller pod.
featureGates: ""
image:
repository: quay.io/jetstack/cert-manager-controller
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-controller
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
pullPolicy: IfNotPresent
# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer
# resources. By default, the same namespace as cert-manager is deployed within is
# used. This namespace will not be automatically created by the Helm chart.
clusterResourceNamespace: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# name: ""
# Optional additional annotations to add to the controller's ServiceAccount
# annotations: {}
# Automount API credentials for a Service Account.
automountServiceAccountToken: true
# Additional command line flags to pass to cert-manager controller binary.
# To see all available flags run docker run quay.io/jetstack/cert-manager-controller:<version> --help
extraArgs: []
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
# - --enable-certificate-owner-ref=true
# Use this flag to enabled or disable arbitrary controllers, for example, disable the CertificiateRequests approver
# - --controllers=*,-certificaterequests-approver
extraEnv: []
# - name: SOME_VAR
# value: 'some value'
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
# Pod Security Context
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
runAsNonRoot: true
# legacy securityContext parameter format: if enabled is set to true, only fsGroup and runAsUser are supported
# securityContext:
# enabled: false
# fsGroup: 1001
# runAsUser: 1001
# to support additional securityContext parameters, omit the `enabled` parameter and simply specify the parameters
# you want to set, e.g.
# securityContext:
# fsGroup: 1000
# runAsUser: 1000
# runAsNonRoot: true
# Container Security Context to be set on the controller component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
volumes: []
volumeMounts: []
# Optional additional annotations to add to the controller Deployment
# deploymentAnnotations: {}
# Optional additional annotations to add to the controller Pods
# podAnnotations: {}
podLabels: {}
# Optional annotations to add to the controller Service
# serviceAnnotations: {}
# Optional additional labels to add to the controller Service
# serviceLabels: {}
# Optional DNS settings, useful if you have a public and private DNS zone for
# the same domain on Route 53. What follows is an example of ensuring
# cert-manager can access an ingress or DNS TXT records at all times.
# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for
# the cluster to work.
# podDnsPolicy: "None"
# podDnsConfig:
# nameservers:
# - "1.1.1.1"
# - "8.8.8.8"
nodeSelector: {}
ingressShim: {}
# defaultIssuerName: ""
# defaultIssuerKind: ""
# defaultIssuerGroup: ""
prometheus:
enabled: true
servicemonitor:
enabled: false
prometheusInstance: default
targetPort: 9402
path: /metrics
interval: 60s
scrapeTimeout: 30s
labels: {}
honorLabels: false
# Use these variables to configure the HTTP_PROXY environment variables
# http_proxy: "http://proxy:8080"
# https_proxy: "https://proxy:8080"
# no_proxy: 127.0.0.1,localhost
# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
# for example:
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: foo.bar.com/role
# operator: In
# values:
# - master
affinity: {}
# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core
# for example:
# tolerations:
# - key: foo.bar.com/role
# operator: Equal
# value: master
# effect: NoSchedule
tolerations: []
webhook:
replicaCount: 1
timeoutSeconds: 10
# Used to configure options for the webhook pod.
# This allows setting options that'd usually be provided via flags.
# An APIVersion and Kind must be specified in your values.yaml file.
# Flags will override options that are set here.
config:
# apiVersion: webhook.config.cert-manager.io/v1alpha1
# kind: WebhookConfiguration
# The port that the webhook should listen on for requests.
# In GKE private clusters, by default kubernetes apiservers are allowed to
# talk to the cluster nodes only on 443 and 10250. so configuring
# securePort: 10250, will work out of the box without needing to add firewall
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000.
# This should be uncommented and set as a default by the chart once we graduate
# the apiVersion of WebhookConfiguration past v1alpha1.
# securePort: 10250
strategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
# Pod Security Context to be set on the webhook component Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
runAsNonRoot: true
# Container Security Context to be set on the webhook component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# Optional additional annotations to add to the webhook Deployment
# deploymentAnnotations: {}
# Optional additional annotations to add to the webhook Pods
# podAnnotations: {}
# Optional additional annotations to add to the webhook Service
# serviceAnnotations: {}
# Optional additional annotations to add to the webhook MutatingWebhookConfiguration
# mutatingWebhookConfigurationAnnotations: {}
# Optional additional annotations to add to the webhook ValidatingWebhookConfiguration
# validatingWebhookConfigurationAnnotations: {}
# Additional command line flags to pass to cert-manager webhook binary.
# To see all available flags run docker run quay.io/jetstack/cert-manager-webhook:<version> --help
extraArgs: []
# Path to a file containing a WebhookConfiguration object used to configure the webhook
# - --config=<path-to-config-file>
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
## Liveness and readiness probe values
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
nodeSelector: {}
affinity: {}
tolerations: []
# Optional additional labels to add to the Webhook Pods
podLabels: {}
# Optional additional labels to add to the Webhook Service
serviceLabels: {}
image:
repository: quay.io/jetstack/cert-manager-webhook
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-webhook
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
pullPolicy: IfNotPresent
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# name: ""
# Optional additional annotations to add to the controller's ServiceAccount
# annotations: {}
# Automount API credentials for a Service Account.
automountServiceAccountToken: true
# The port that the webhook should listen on for requests.
# In GKE private clusters, by default kubernetes apiservers are allowed to
# talk to the cluster nodes only on 443 and 10250. so configuring
# securePort: 10250, will work out of the box without needing to add firewall
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000
securePort: 10250
# Specifies if the webhook should be started in hostNetwork mode.
#
# Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
# CNI (such as calico), because control-plane managed by AWS cannot communicate
# with pods' IP CIDR and admission webhooks are not working
#
# Since the default port for the webhook conflicts with kubelet on the host
# network, `webhook.securePort` should be changed to an available port if
# running in hostNetwork mode.
hostNetwork: false
# Specifies how the service should be handled. Useful if you want to expose the
# webhook to outside of the cluster. In some cases, the control plane cannot
# reach internal services.
serviceType: ClusterIP
# loadBalancerIP:
# Overrides the mutating webhook and validating webhook so they reach the webhook
# service using the `url` field instead of a service.
url: {}
# host:
cainjector:
enabled: true
replicaCount: 1
strategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
# Pod Security Context to be set on the cainjector component Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
runAsNonRoot: true
# Container Security Context to be set on the cainjector component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# Optional additional annotations to add to the cainjector Deployment
# deploymentAnnotations: {}
# Optional additional annotations to add to the cainjector Pods
# podAnnotations: {}
# Additional command line flags to pass to cert-manager cainjector binary.
# To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector:<version> --help
extraArgs: []
# Enable profiling for cainjector
# - --enable-profiling=true
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
nodeSelector: {}
affinity: {}
tolerations: []
# Optional additional labels to add to the CA Injector Pods
podLabels: {}
image:
repository: quay.io/jetstack/cert-manager-cainjector
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-cainjector
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
pullPolicy: IfNotPresent
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# name: ""
# Optional additional annotations to add to the controller's ServiceAccount
# annotations: {}
# Automount API credentials for a Service Account.
automountServiceAccountToken: true
# This startupapicheck is a Helm post-install hook that waits for the webhook
# endpoints to become available.
# The check is implemented using a Kubernetes Job- if you are injecting mesh
# sidecar proxies into cert-manager pods, you probably want to ensure that they
# are not injected into this Job's pod. Otherwise the installation may time out
# due to the Job never being completed because the sidecar proxy does not exit.
# See https://github.com/jetstack/cert-manager/pull/4414 for context.
startupapicheck:
enabled: true
# Pod Security Context to be set on the startupapicheck component Pod
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
runAsNonRoot: true
# Timeout for 'kubectl check api' command
timeout: 1m
# Job backoffLimit
backoffLimit: 4
# Optional additional annotations to add to the startupapicheck Job
jobAnnotations:
helm.sh/hook: post-install
helm.sh/hook-weight: "1"
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
# Optional additional annotations to add to the startupapicheck Pods
# podAnnotations: {}
# Additional command line flags to pass to startupapicheck binary.
# To see all available flags run docker run quay.io/jetstack/cert-manager-ctl:<version> --help
extraArgs: []
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
nodeSelector: {}
affinity: {}
tolerations: []
# Optional additional labels to add to the startupapicheck Pods
podLabels: {}
image:
repository: quay.io/jetstack/cert-manager-ctl
# You can manage a registry with
# registry: quay.io
# repository: jetstack/cert-manager-ctl
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# tag: canary
# Setting a digest will override any tag
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
pullPolicy: IfNotPresent
rbac:
# annotations for the startup API Check job RBAC and PSP resources
annotations:
helm.sh/hook: post-install
helm.sh/hook-weight: "-5"
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# name: ""
# Optional additional annotations to add to the Job's ServiceAccount
annotations:
helm.sh/hook: post-install
helm.sh/hook-weight: "-5"
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
# Automount API credentials for a Service Account.
automountServiceAccountToken: true

12
kubernetes/certmanager/templates/certificate.yaml
View File

@ -1,12 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: your-certificate
namespace: your-namespace
spec:
secretName: your-secret
issuerRef:
name: ssl-issuer
kind: ClusterIssuer
dnsNames:
- your-hostname

48
kubernetes/certmanager/templates/clusterissuer-acme.yml
View File

@ -1,48 +0,0 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: acme-issuer
spec:
acme:
# Configure your email here...
# ---
# email: your-email@address
# Configure your server here...
# ---
# Letsencrypt Production
# server: https://acme-v02.api.letsencrypt.org/directory
# - or -
# Letsencrypt Staging
# server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: example-issuer-account-key
solvers:
# Configure DNS or HTTP Challenge here...
# ---
# DNS Challenge:
# - dns01:
# Configure your DNS Provider here...
# ---
# cloudflare:
# email: your-email@address
# API Key:
# apiKeySecretRef:
# name: cloudflare-api-key-secret
# key: api-key
# - or -
# API Token:
# apiTokenSecretRef:
# name: cloudflare-api-token-secret
# key: api-token
# (Optional) Add DNS selectors
# ---
# selector:
# dnsZones:
# - 'your-domain'
# HTTP Challenge:
# - http01:
# ingress:
# class: traefik

6
kubernetes/certmanager/templates/clusterissuer-selfsigned.yml
View File

@ -1,6 +0,0 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}

51
kubernetes/certmanager/templates/issuer-acme.yml
View File

@ -1,51 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: acme-issuer
# (Optional) Metadata
# ---
# namespace: your-namespace
spec:
acme:
# Configure your email here...
# ---
# email: your-email@address
# Configure your server here...
# ---
# Letsencrypt Production
# server: https://acme-v02.api.letsencrypt.org/directory
# - or -
# Letsencrypt Staging
# server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: example-issuer-account-key
solvers:
# Configure DNS or HTTP Challenge here...
# ---
# DNS Challenge:
# - dns01:
# Configure your DNS Provider here...
# ---
# cloudflare:
# email: your-email@address
# API Key:
# apiKeySecretRef:
# name: cloudflare-api-key-secret
# key: api-key
# - or -
# API Token:
# apiTokenSecretRef:
# name: cloudflare-api-token-secret
# key: api-token
# (Optional) Add DNS selectors
# ---
# selector:
# dnsZones:
# - 'your-domain'
# HTTP Challenge:
# - http01:
# ingress:
# class: traefik

9
kubernetes/certmanager/templates/issuer-selfsigned.yml
View File

@ -1,9 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-issuer
# (Optional) Metadata
# ---
# namespace: your-namespace
spec:
selfSigned: {}

14
kubernetes/certmanager/templates/secret-cloudflare.yml
View File

@ -1,14 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: cloudflare-api-key-secret
namespace: cert-manager
type: Opaque
stringData:
# Configure your API Key or Credentials here...
# ---
# API Key:
# api-key: your-api-key
# - or -
# Token:
# api-token: your-api-token

13
kubernetes/longhorn/certificate.yaml Normal file
View File

@ -0,0 +1,13 @@
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: longhorn-certificate
namespace: longhorn-system
spec:
secretName: longhorn-certificate-secret
dnsNames:
- your-fqdn # <-- Replace with your FQDN
issuerRef:
name: cloudflare-clusterissuer
kind: ClusterIssuer

17
kubernetes/longhorn/ingressroute.yaml Normal file
View File

@ -0,0 +1,17 @@
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: longhorn-ingressroute
namespace: longhorn-system
spec:
entryPoints:
- websecure
routes:
- match: Host(`your-fqdn`) # <-- Replace with your FQDN
kind: Rule
services:
- name: longhorn-frontend
port: 80
tls:
secretName: longhorn-certificate-secret

28
kubernetes/nginx-http/nginx-http-cm.yml
View File

@ -1,28 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-http-cm
data:
# key: value
# file: |
# content
# ---
nginx.conf: |
user nginx;
worker_processes 1;
events {
worker_connections 10240;
}
http {
server {
listen 80;
server_name _;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
location /test {
return 401;
}
}
}

32
kubernetes/nginx-http/nginx-http-deploy.yml
View File

@ -1,32 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-http
spec:
replicas: 1
selector:
matchLabels:
app: nginx-http
template:
metadata:
labels:
app: nginx-http
spec:
containers:
- name: nginx-http
image: nginx:1.27.2
ports:
- name: web
containerPort: 80
volumeMounts:
- name: nginx-http-cm
mountPath: /etc/nginx
- name: nginx-http-vol
mountPath: /usr/share/nginx/html
volumes:
- name: nginx-http-cm
configMap:
name: nginx-http-cm
- name: nginx-http-vol
hostPath:
path: /var/nginxserver

15
kubernetes/nginx-http/nginx-http-svc.yml
View File

@ -1,15 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: nginx-http-svc
labels:
app: nginx-http
spec:
type: LoadBalancer
ports:
- port: 30080
targetPort: 80
protocol: TCP
name: http
selector:
app: nginx-http

3
kubernetes/portainer/README.md
View File

@ -1,3 +0,0 @@
# Kubernetes Portainer
You can add an additional description here.

13
kubernetes/portainer/certificate.yaml Normal file
View File

@ -0,0 +1,13 @@
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: portainer-ingressroute-certificate
namespace: portainer
spec:
secretName: portainer-certificate-secret
issuerRef:
name: cloudflare-clusterissuer
kind: ClusterIssuer
dnsNames:
- your-fqdn # <-- Replace with your FQDN

17
kubernetes/portainer/ingressroute.yaml Normal file
View File

@ -0,0 +1,17 @@
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: portainer-ingressroute
namespace: portainer
spec:
entryPoints:
- websecure
routes:
- match: Host(`your-fqdn`) # <-- Replace with your FQDN
kind: Rule
services:
- name: portainer
port: 9000
tls:
secretName: portainer-certificate-secret

17
kubernetes/portainer/templates/portainer-ingress.yml
View File

@ -1,17 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx
namespace: wp-clcreative
spec:
rules:
- host: portainer.your-domain.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: portainer
port:
number: 9000

1
kubernetes/portainer/values.yml
View File

@ -1 +0,0 @@

12
kubernetes/templates/certificate.yaml
View File

@ -1,12 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: your-certificate
namespace: your-namespace
spec:
secretName: your-secret
issuerRef:
name: ssl-issuer
kind: ClusterIssuer
dnsNames:
- your-hostname

33
kubernetes/templates/cm-and-secrets/mysql-deploy.yml
View File

@ -1,33 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: mysql
spec:
replicas: 1
selector:
matchLabels:
app: mysql
template:
metadata:
labels:
app: mysql
spec:
containers:
- image: mysql:5.7
name: mysql
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-secret
key: root-pass
ports:
- name: mysql
containerPort: 3306
# volumeMounts:
# - name: mysql-vol
# mountPath: /var/lib/mysql
# volumes:
# - name: mysql-vol
# hostPath:
# path: /var/mysql-data

7
kubernetes/templates/cm-and-secrets/mysql-secret.yml
View File

@ -1,7 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: mysql-secret
type: Opaque
stringData:
root-pass: test123

28
kubernetes/templates/cm-and-secrets/nginx-http-cm.yml
View File

@ -1,28 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-http-cm
data:
# key: value
# file: |
# content
# ---
nginx.conf: |
user nginx;
worker_processes 1;
events {
worker_connections 10240;
}
http {
server {
listen 80;
server_name _;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
location /test {
return 401;
}
}
}

32
kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml
View File

@ -1,32 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-http
spec:
replicas: 1
selector:
matchLabels:
app: nginx-http
template:
metadata:
labels:
app: nginx-http
spec:
containers:
- name: nginx-http
image: nginx
ports:
- name: web
containerPort: 80
volumeMounts:
- name: nginx-http-cm
mountPath: /etc/nginx
- name: nginx-http-vol
mountPath: /usr/share/nginx/html
volumes:
- name: nginx-http-cm
configMap:
name: nginx-http-cm
- name: nginx-http-vol
hostPath:
path: /var/nginxserver

15
kubernetes/templates/cm-and-secrets/nginx-http-svc.yml
View File

@ -1,15 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: nginx-http-svc
labels:
app: nginx-http
spec:
type: LoadBalancer
ports:
- port: 30080
targetPort: 80
protocol: TCP
name: http
selector:
app: nginx-http

27
kubernetes/templates/cm-and-secrets/nginx-https-cm.yml
View File

@ -1,27 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-https-cm
data:
nginx.conf: |
user nginx;
worker_processes 1;
events {
worker_connections 10240;
}
http {
server {
listen 80;
listen 443 ssl;
server_name _;
ssl_certificate /etc/nginx/ssl/server-cert.pem;
ssl_certificate_key /etc/nginx/ssl/server-key.pem;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
}

68
kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml
View File

@ -1,68 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-https
spec:
replicas: 1
selector:
matchLabels:
app: nginx-https
template:
metadata:
labels:
app: nginx-https
spec:
containers:
- name: nginx-https
image: nginx
ports:
- name: web
containerPort: 80
- name: secureweb
containerPort: 443
volumeMounts:
- name: nginx-https-cm
mountPath: /etc/nginx
- name: nginx-https-secret
mountPath: /etc/nginx/ssl
readOnly: true
- name: nginx-https-vol
mountPath: /usr/share/nginx/html
volumes:
- name: nginx-https-cm
configMap:
name: nginx-https-cm
- name: nginx-https-secret
secret:
secretName: nginx-https-secret
- name: nginx-https-vol
hostPath:
path: /var/nginxserver
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-https-cm
data:
nginx.conf: |
user nginx;
worker_processes 1;
events {
worker_connections 10240;
}
http {
server {
listen 80;
listen 443 ssl;
server_name _;
ssl_certificate /etc/nginx/ssl/server-cert.pem;
ssl_certificate_key /etc/nginx/ssl/server-key.pem;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
}

12
kubernetes/templates/cm-and-secrets/nginx-https-secret-blank.yml
View File

@ -1,12 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: nginx-https-secret
type: Opaque
stringData:
server-cert.pem: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
server-key.pem: |

19
kubernetes/templates/cm-and-secrets/nginx-https-svc.yml
View File

@ -1,19 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: nginx-https-svc
labels:
app: nginx-https
spec:
type: LoadBalancer
ports:
- port: 31080
targetPort: 80
protocol: TCP
name: http
- port: 31443
targetPort: 443
protocol: TCP
name: https
selector:
app: nginx-https

41
kubernetes/templates/deployment.yaml
View File

@ -1,41 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: appname # Name of the deployment
namespace: namespace # Name of the namespace
labels:
app: appname # Name of your application
spec:
selector:
matchLabels:
app: appname # Name of your application
replicas: 1 # Number of replicas
template:
metadata:
labels:
app: appname # Name of your application
spec:
containers:
# Containers are the individual pieces of your application that you want
# to run.
- name: helloworld # Name of the container
image: helloworld:latest # The image you want to run
# resources:
# limits:
# memory: 512Mi
# cpu: "1"
# requests:
# memory: 256Mi
# cpu: "0.2"
ports:
# Ports are the ports that your application uses.
- containerPort: 8080 # The port that your application uses
volumeMounts:
# VolumeMounts are the volumes that your application uses.
- mountPath: /var/www/html # The path that your application uses
name: vol0 # Name of the volume
volumes:
# Volumes are the persistent storage that your application uses.
- name: vol0 # Name of the volume
persistentVolumeClaim:
claimName: pvc0 # Name of the persistent volume claim

18
kubernetes/templates/ingress.yaml
View File

@ -1,18 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress # Name of the ingress object
namespace: namespace # Name of the namespace
spec:
rules:
- host: "your-hostname.com" # Your hostname
http:
paths:
# Path-based routing settings:
- path: /
pathType: Prefix
backend:
service:
name: your-service-name # The name of the service
port:
number: 80 # Service Portnumber

4
kubernetes/templates/namespace.yml
View File

@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: your-namespace

29
kubernetes/templates/persistentvolumeclaim.yaml
View File

@ -1,29 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc0
namespace: namespace
labels:
app: namespace
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
# ---
# Digital Ocean
# storageClassName: do-block-storage
# ---
# AWS
# storageClassName: aws-ebs
# ---
# Azure
# storageClassName: azure-disk
# ---
# GCE PD
# storageClassName: gce-pd
# ---
# CIVO
# storageClassName: civo-volume
# ---

11
kubernetes/templates/pv-and-pvc/civo-pvc.yml
View File

@ -1,11 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: civo
spec:
accessModes:
- ReadWriteOnce
storageClassName: civo-volume
resources:
requests:
storage: 1Gi

27
kubernetes/templates/pv-and-pvc/civo-web.yml
View File

@ -1,27 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: civo-web
spec:
replicas: 1
selector:
matchLabels:
app: civo-web
template:
metadata:
labels:
app: civo-web
spec:
containers:
- name: civo-web
image: nginx
ports:
- name: web
containerPort: 80
volumeMounts:
- name: civo
mountPath: /usr/share/nginx/html
volumes:
- name: civo
persistentVolumeClaim:
claimName: civo

27
kubernetes/templates/pv-and-pvc/local-web.yml
View File

@ -1,27 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: local-web
spec:
replicas: 1
selector:
matchLabels:
app: local-web
template:
metadata:
labels:
app: local-web
spec:
containers:
- name: local-web
image: nginx
ports:
- name: web
containerPort: 80
volumeMounts:
- name: local
mountPath: /usr/share/nginx/html
volumes:
- name: local
hostPath:
path: /var/nginxserver

13
kubernetes/templates/pv-and-pvc/nfs-pv.yml
View File

@ -1,13 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: nfs
spec:
capacity:
storage: 500Mi
accessModes:
- ReadWriteMany
storageClassName: nfs
nfs:
server: 192.168.1.7
path: "/srv/nfs"

11
kubernetes/templates/pv-and-pvc/nfs-pvc.yml
View File

@ -1,11 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nfs
spec:
accessModes:
- ReadWriteMany
storageClassName: nfs
resources:
requests:
storage: 100Mi

27
kubernetes/templates/pv-and-pvc/nfs-web.yml
View File

@ -1,27 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nfs-web
spec:
replicas: 1
selector:
matchLabels:
app: nfs-web
template:
metadata:
labels:
app: nfs-web
spec:
containers:
- name: nfs-web
image: nginx
ports:
- name: web
containerPort: 80
volumeMounts:
- name: nfs
mountPath: /usr/share/nginx/html
volumes:
- name: nfs
persistentVolumeClaim:
claimName: nfs

32
kubernetes/templates/service.yaml
View File

@ -1,32 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: servicename
namespace: namespace
spec:
selector:
app: appname
# ---
# type: ClusterIP
# ClusterIP means this service can be accessed by any pod in the cluster
# ports:
# - name: http
# port: 8080
# targetPort: 80
# protocol: TCP # optional protocol
# ---
# type: NodePort
# NodePort means this service is only accessible by pods in the same namespace
# ports:
# - name: http
# port: 80
# nodePort: 30001
# protocol: TCP # optional protocol
# ---
# type: LoadBalancer
# LoadBalancer means this service is load-balanced across all nodes in the cluster
# ports:
# - name: http
# port: 80
# targetPort: 30001
# protocol: TCP # optional protocol

5
kubernetes/traefik/README.md
View File

@ -1,5 +0,0 @@
# Kubernetes Traefik Helm Deployment
This Deployment uses the official Helm Chart from [traefik](https://github.com/traefik/traefik-helm-chart) repository.
These are templates to modify the deployment.

19
kubernetes/traefik/ingressroute.yaml.example Normal file
View File

@ -0,0 +1,19 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: your-ingressroute # <-- Replace with your IngressRoute name
namespace: your-namespace # <-- Replace with your namespace
spec:
entryPoints:
- web
- websecure
routes:
- match: Host(`your-fqdn`) # <-- Replace with your FQDN
kind: Rule
services:
- name: your-service # <-- Replace with your service name
port: 80
# --> (Optional) Add certificate secret
# tls:
# secretName: your-certificate-secret
# <--

19
kubernetes/traefik/ingressroutetcp.yaml.example Normal file
View File

@ -0,0 +1,19 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: your-ingressroutetcp # <-- Replace with your IngressRouteTCP name
namespace: your-namespace # <-- Replace with your namespace
spec:
entryPoints:
- web
- websecure
routes:
- match: HostSNI(`your-sni`) # <-- Replace with your SNI
priority: 10 # <-- (Optional) change rule priority
services:
- name: your-service # <-- Replace with your service name
port: 80
# --> (Optional) Enable TLS Passthrough
# tls:
# passthrough: true
# <--

35
kubernetes/traefik/templates/ingress.yml
View File

@ -1,35 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wp-clcreative
namespace: wp-clcreative
annotations:
# (Optional): Annotations for the Ingress Controller
# -- ingress class is needed when traefik is not the default
# kubernetes.io/ingress.class: traefik
# ---
# -- entrypoint and tls configurations
# traefik.ingress.kubernetes.io/router.entrypoints: web, websecure
# traefik.ingress.kubernetes.io/router.tls: "true"
# ---
# -- optional middlewares
# traefik.ingress.kubernetes.io/router.middlewares:your-middleware@kubernetescrd
# ---
spec:
rules:
- host: "your-hostname"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: your-service-name
port:
number: 80
# (Optional) TLS settings
# tls:
# - hosts:
# - your-hostname.com # Your hostname
# secretName: your-secret # Your TLS Secret
# ---

21
kubernetes/traefik/templates/ingressroutetcp.yml
View File

@ -1,21 +0,0 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: ingressroutetcp
# (Optional) Namespace
# namespace: your-namespace
# ---
spec:
entryPoints:
- web
- websecure
routes:
- match: HostSNI(`your-hostname-sni`)
priority: 10
services:
- name: your-service
port: 80
# (Optional) TLS Passthrough
# tls:
# passthrough: true
# ---

97
kubernetes/traefik/values.yml
View File

@ -1,97 +0,0 @@
additionalArguments:
# Configure your CertificateResolver here...
#
# HTTP Challenge
# ---
# Generic Example:
# - --certificatesresolvers.generic.acme.email=your-email@example.com
# - --certificatesresolvers.generic.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
# - --certificatesresolvers.generic.acme.httpChallenge.entryPoint=web
# - --certificatesresolvers.generic.acme.storage=/ssl-certs/acme-generic.json
#
# Prod / Staging Example:
# - --certificatesresolvers.staging.acme.email=your-email@example.com
# - --certificatesresolvers.staging.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
# - --certificatesresolvers.staging.acme.httpChallenge.entryPoint=web
# - --certificatesresolvers.staging.acme.storage=/ssl-certs/acme-staging.json
# - --certificatesresolvers.production.acme.email=your-email@example.com
# - --certificatesresolvers.production.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
# - --certificatesresolvers.production.acme.httpChallenge.entryPoint=web
# - --certificatesresolvers.production.acme.storage=/ssl-certs/acme-production.json
#
# DNS Challenge
# ---
# Cloudflare Example:
# - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
# - --certificatesresolvers.cloudflare.acme.email=your-email@example.com
# - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1
# - --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json
#
# Generic (replace with your DNS provider):
# - --certificatesresolvers.generic.acme.dnschallenge.provider=generic
# - --certificatesresolvers.generic.acme.email=your-email@example.com
# - --certificatesresolvers.generic.acme.storage=/ssl-certs/acme-generic.json
logs:
# Configure log settings here...
general:
level: ERROR
ports:
# Configure your entrypoints here...
web:
# (optional) Permanent Redirect to HTTPS
# redirectTo:
# port: websecure
websecure:
tls:
enabled: true
# (optional) Set a Default CertResolver
# certResolver: cloudflare
env:
# Set your environment variables here...
#
# DNS Challenge Credentials
# ---
# Cloudflare Example:
# - name: CF_API_EMAIL
# valueFrom:
# secretKeyRef:
# key: email
# name: cloudflare-credentials
# - name: CF_API_KEY
# valueFrom:
# secretKeyRef:
# key: apiKey
# name: cloudflare-credentials
# Disable Dashboard
ingressRoute:
dashboard:
enabled: false
# Persistent Storage
persistence:
enabled: true
name: ssl-certs
size: 1Gi
path: /ssl-certs
deployment:
initContainers:
# The "volume-permissions" init container is required if you run into permission issues.
# Related issue: https://github.com/containous/traefik/issues/6972
- name: volume-permissions
image: busybox:1.37.0
command: ["sh", "-c", "chmod -Rv 600 /ssl-certs/*"]
volumeMounts:
- name: ssl-certs
mountPath: /ssl-certs
# Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
ingressClass:
enabled: true
isDefaultClass: true

23
renovate.json
View File

@ -110,6 +110,29 @@
"allowedVersions": "!/^v?2\\.19\\.10$/"
}
],
"customManagers": [
{
"customType": "regex",
"description": "Update Longhorn images in Helm",
"fileMatch": ["(^|/)helm/longhorn/.+\\.yaml$"],
"matchStrings": [
"engine:\\s*repository:\\s*\"?(?<depName>[^\"]+)\"?\\s*tag:\\s*\"?(?<currentValue>[^\"]+)\"?",
"manager:\\s*repository:\\s*\"?(?<depName>[^\"]+)\"?\\s*tag:\\s*\"?(?<currentValue>[^\"]+)\"?",
"ui:\\s*repository:\\s*\"?(?<depName>[^\"]+)\"?\\s*tag:\\s*\"?(?<currentValue>[^\"]+)\"?",
"instanceManager:\\s*repository:\\s*\"?(?<depName>[^\"]+)\"?\\s*tag:\\s*\"?(?<currentValue>[^\"]+)\"?",
"shareManager:\\s*repository:\\s*\"?(?<depName>[^\"]+)\"?\\s*tag:\\s*\"?(?<currentValue>[^\"]+)\"?",
"backingImageManager:\\s*repository:\\s*\"?(?<depName>[^\"]+)\"?\\s*tag:\\s*\"?(?<currentValue>[^\"]+)\"?",
"supportBundleKit:\\s*repository:\\s*\"?(?<depName>[^\"]+)\"?\\s*tag:\\s*\"?(?<currentValue>[^\"]+)\"?",
"attacher:\\s*repository:\\s*\"?(?<depName>[^\"]+)\"?\\s*tag:\\s*\"?(?<currentValue>[^\"]+)\"?",
"provisioner:\\s*repository:\\s*\"?(?<depName>[^\"]+)\"?\\s*tag:\\s*\"?(?<currentValue>[^\"]+)\"?",
"nodeDriverRegistrar:\\s*repository:\\s*\"?(?<depName>[^\"]+)\"?\\s*tag:\\s*\"?(?<currentValue>[^\"]+)\"?",
"resizer:\\s*repository:\\s*\"?(?<depName>[^\"]+)\"?\\s*tag:\\s*\"?(?<currentValue>[^\"]+)\"?",
"snapshotter:\\s*repository:\\s*\"?(?<depName>[^\"]+)\"?\\s*tag:\\s*\"?(?<currentValue>[^\"]+)\"?",
"livenessProbe:\\s*repository:\\s*\"?(?<depName>[^\"]+)\"?\\s*tag:\\s*\"?(?<currentValue>[^\"]+)\"?"
],
"datasourceTemplate": "docker"
}
],
"separateMinorPatch": true,
"stopUpdatingLabel": "renovate/stop_updating"
}