
feat: refactor network folder #3519

Closed · wants to merge 1 commit

Conversation

joryirving
Owner

No description provided.

smurf-bot bot added the labels area/kubernetes (Changes made in the kubernetes directory) and cluster/main on Jan 13, 2025

smurf-bot bot commented Jan 13, 2025

--- kubernetes/main/apps/network/echo-server/app Kustomization: flux-system/echo-server HelmRelease: network/echo-server

+++ kubernetes/main/apps/network/echo-server/app Kustomization: flux-system/echo-server HelmRelease: network/echo-server

@@ -1,119 +0,0 @@

----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  labels:
-    app.kubernetes.io/name: echo-server
-    kustomize.toolkit.fluxcd.io/name: echo-server
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: echo-server
-  namespace: network
-spec:
-  chart:
-    spec:
-      chart: app-template
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-      version: 3.6.1
-  install:
-    remediation:
-      retries: 3
-  interval: 30m
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-      strategy: rollback
-  values:
-    controllers:
-      echo-server:
-        containers:
-          app:
-            env:
-              HTTP_PORT: 8080
-              LOG_IGNORE_PATH: /healthz
-              LOG_WITHOUT_NEWLINE: true
-              PROMETHEUS_ENABLED: true
-            image:
-              repository: ghcr.io/mendhak/http-https-echo
-              tag: 35
-            probes:
-              liveness:
-                custom: true
-                enabled: true
-                spec:
-                  failureThreshold: 3
-                  httpGet:
-                    path: /healthz
-                    port: 8080
-                  initialDelaySeconds: 0
-                  periodSeconds: 10
-                  timeoutSeconds: 1
-              readiness:
-                custom: true
-                enabled: true
-                spec:
-                  failureThreshold: 3
-                  httpGet:
-                    path: /healthz
-                    port: 8080
-                  initialDelaySeconds: 0
-                  periodSeconds: 10
-                  timeoutSeconds: 1
-            resources:
-              limits:
-                memory: 64Mi
-              requests:
-                cpu: 10m
-            securityContext:
-              allowPrivilegeEscalation: false
-              capabilities:
-                drop:
-                - ALL
-              readOnlyRootFilesystem: true
-              seccompProfile:
-                type: RuntimeDefault
-        strategy: RollingUpdate
-    defaultPodOptions:
-      securityContext:
-        fsGroupChangePolicy: OnRootMismatch
-        runAsGroup: 100
-        runAsNonRoot: true
-        runAsUser: 1000
-        seccompProfile:
-          type: RuntimeDefault
-      topologySpreadConstraints:
-      - labelSelector:
-          matchLabels:
-            app.kubernetes.io/name: echo-server
-        maxSkew: 1
-        topologyKey: kubernetes.io/hostname
-        whenUnsatisfiable: DoNotSchedule
-    ingress:
-      app:
-        className: external
-        hosts:
-        - host: '{{ .Release.Name }}...PLACEHOLDER_SECRET_DOMAIN..'
-          paths:
-          - path: /
-            service:
-              identifier: app
-              port: http
-    service:
-      app:
-        controller: echo-server
-        ports:
-          http:
-            port: 8080
-    serviceMonitor:
-      app:
-        endpoints:
-        - interval: 1m
-          path: /metrics
-          port: http
-          scheme: http
-          scrapeTimeout: 10s
-        serviceName: echo-server
-
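Review bot: this deletion is one half of a rename, and the matching addition under kubernetes/main/apps/network/external/echo-server/app at the end of this output matches it line for line as far as the serviceMonitor endpoints, so the move introduces no configuration drift. Worth preserving as-is in the moved copy: the container-level securityContext (`allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `readOnlyRootFilesystem: true`), which is the strictest container hardening in this diff.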
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/cloudflared

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/cloudflared

@@ -15,13 +15,13 @@

     provider: sops
     secretRef:
       name: sops-age
   dependsOn:
   - name: external-secrets-stores
   interval: 30m
-  path: ./kubernetes/main/apps/network/cloudflared/app
+  path: ./kubernetes/main/apps/network/external/cloudflared/app
   postBuild:
     substituteFrom:
     - kind: ConfigMap
       name: cluster-settings
       optional: true
     - kind: ConfigMap
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/echo-server

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/echo-server

@@ -13,13 +13,13 @@

       app.kubernetes.io/name: echo-server
   decryption:
     provider: sops
     secretRef:
       name: sops-age
   interval: 30m
-  path: ./kubernetes/main/apps/network/echo-server/app
+  path: ./kubernetes/main/apps/network/external/echo-server/app
   postBuild:
     substituteFrom:
     - kind: ConfigMap
       name: cluster-settings
       optional: true
     - kind: ConfigMap
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-dns-cloudflare

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-dns-cloudflare

@@ -15,13 +15,13 @@

     provider: sops
     secretRef:
       name: sops-age
   dependsOn:
   - name: external-secrets-stores
   interval: 30m
-  path: ./kubernetes/main/apps/network/external-dns/cloudflare
+  path: ./kubernetes/main/apps/network/external/external-dns-cloudflare/app
   postBuild:
     substituteFrom:
     - kind: ConfigMap
       name: cluster-settings
       optional: true
     - kind: ConfigMap
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-dns-unifi

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/external-dns-unifi

@@ -15,13 +15,13 @@

     provider: sops
     secretRef:
       name: sops-age
   dependsOn:
   - name: external-secrets-stores
   interval: 30m
-  path: ./kubernetes/main/apps/network/external-dns/unifi
+  path: ./kubernetes/main/apps/network/internal/external-dns-unifi/app
   postBuild:
     substituteFrom:
     - kind: ConfigMap
       name: cluster-settings
       optional: true
     - kind: ConfigMap
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-certificates

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-certificates

@@ -16,13 +16,13 @@

     secretRef:
       name: sops-age
   dependsOn:
   - name: cert-manager-issuers
   - name: external-secrets-stores
   interval: 30m
-  path: ./kubernetes/main/apps/network/nginx/certificates
+  path: ./kubernetes/main/apps/network/external/nginx-certificates/app
   postBuild:
     substituteFrom:
     - kind: ConfigMap
       name: cluster-settings
       optional: true
     - kind: ConfigMap
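Review bot: the new path files nginx-certificates under network/external/, but the Certificate it produces is consumed by both controllers: nginx-internal and nginx-external each carry `- name: nginx-certificates` in dependsOn and both set `default-ssl-certificate: network/..PLACEHOLDER_SECRET_DOMAIN..-tls`. A neutral location (directly under network/, beside internal/ and external/) would keep the folder layout from suggesting the wildcard certificate is external-only.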
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-external

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-external

@@ -16,13 +16,13 @@

     secretRef:
       name: sops-age
   dependsOn:
   - name: external-secrets-stores
   - name: nginx-certificates
   interval: 30m
-  path: ./kubernetes/main/apps/network/nginx/external
+  path: ./kubernetes/main/apps/network/external/nginx-ingress/app
   postBuild:
     substituteFrom:
     - kind: ConfigMap
       name: cluster-settings
       optional: true
     - kind: ConfigMap
--- kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-internal

+++ kubernetes/main/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/nginx-internal

@@ -16,13 +16,13 @@

     secretRef:
       name: sops-age
   dependsOn:
   - name: external-secrets-stores
   - name: nginx-certificates
   interval: 30m
-  path: ./kubernetes/main/apps/network/nginx/internal
+  path: ./kubernetes/main/apps/network/internal/nginx-ingress/app
   postBuild:
     substituteFrom:
     - kind: ConfigMap
       name: cluster-settings
       optional: true
     - kind: ConfigMap
--- kubernetes/main/apps/network/nginx/certificates Kustomization: flux-system/nginx-certificates Certificate: network/..PLACEHOLDER_SECRET_DOMAIN..

+++ kubernetes/main/apps/network/nginx/certificates Kustomization: flux-system/nginx-certificates Certificate: network/..PLACEHOLDER_SECRET_DOMAIN..

@@ -1,20 +0,0 @@

----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  labels:
-    app.kubernetes.io/name: nginx-certificates
-    kustomize.toolkit.fluxcd.io/name: nginx-certificates
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: ..PLACEHOLDER_SECRET_DOMAIN..
-  namespace: network
-spec:
-  commonName: ..PLACEHOLDER_SECRET_DOMAIN..
-  dnsNames:
-  - ..PLACEHOLDER_SECRET_DOMAIN..
-  - '*...PLACEHOLDER_SECRET_DOMAIN..'
-  issuerRef:
-    kind: ClusterIssuer
-    name: letsencrypt-production
-  secretName: ..PLACEHOLDER_SECRET_DOMAIN..-tls
-
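Review bot: no addition re-creating this Certificate under the new nginx-certificates/app path appears in the portion of the diff shown, while both ingress controllers keep `default-ssl-certificate: network/..PLACEHOLDER_SECRET_DOMAIN..-tls`. Confirm the moved copy is rendered with the same `secretName` and the same `dnsNames` (apex plus `*.` wildcard); if the secret name changes, ingress-nginx falls back to its built-in fake certificate for every host that has no per-Ingress TLS secret, which with `--ignore-ingress-tls-spec` on both external-dns instances is all of them.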
--- kubernetes/main/apps/network/nginx/certificates Kustomization: flux-system/nginx-certificates PushSecret: network/main-cluster-tls

+++ kubernetes/main/apps/network/nginx/certificates Kustomization: flux-system/nginx-certificates PushSecret: network/main-cluster-tls

@@ -1,34 +0,0 @@

----
-apiVersion: external-secrets.io/v1alpha1
-kind: PushSecret
-metadata:
-  labels:
-    app.kubernetes.io/name: nginx-certificates
-    kustomize.toolkit.fluxcd.io/name: nginx-certificates
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: main-cluster-tls
-  namespace: network
-spec:
-  data:
-  - match:
-      remoteRef:
-        property: tls.crt
-        remoteKey: main-cluster-tls
-      secretKey: tls.crt
-  - match:
-      remoteRef:
-        property: tls.key
-        remoteKey: main-cluster-tls
-      secretKey: tls.key
-  secretStoreRefs:
-  - kind: ClusterSecretStore
-    name: onepassword-connect
-  selector:
-    secret:
-      name: ..PLACEHOLDER_SECRET_DOMAIN..-tls
-  template:
-    data:
-      tls.crt: '{{ index . "tls.crt" | b64enc }}'
-      tls.key: '{{ index . "tls.key" | b64enc }}'
-    engineVersion: v2
-
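Review bot: this PushSecret copies the wildcard certificate's private key (`tls.key`) to the onepassword-connect ClusterSecretStore, so when it is re-created under the new path `selector.secret.name` must stay aligned with the Certificate's `secretName` (`..PLACEHOLDER_SECRET_DOMAIN..-tls`); otherwise the push fails and whatever consumes `main-cluster-tls` in 1Password keeps a stale key past the next renewal. Minor: this resource uses `external-secrets.io/v1alpha1` while the ExternalSecrets below use `v1beta1`; the move is a good moment to align them.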
--- kubernetes/main/apps/network/external-dns/unifi Kustomization: flux-system/external-dns-unifi ExternalSecret: network/external-dns-unifi

+++ kubernetes/main/apps/network/external-dns/unifi Kustomization: flux-system/external-dns-unifi ExternalSecret: network/external-dns-unifi

@@ -1,24 +0,0 @@

----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  labels:
-    app.kubernetes.io/name: external-dns-unifi
-    kustomize.toolkit.fluxcd.io/name: external-dns-unifi
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: external-dns-unifi
-  namespace: network
-spec:
-  dataFrom:
-  - extract:
-      key: unifi
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: onepassword-connect
-  target:
-    name: external-dns-unifi
-    template:
-      data:
-        EXTERNAL_DNS_UNIFI_API_KEY: '{{ .EXTERNAL_DNS_UNIFI_API_KEY }}'
-      engineVersion: v2
-
--- kubernetes/main/apps/network/external-dns/unifi Kustomization: flux-system/external-dns-unifi HelmRelease: network/external-dns-unifi

+++ kubernetes/main/apps/network/external-dns/unifi Kustomization: flux-system/external-dns-unifi HelmRelease: network/external-dns-unifi

@@ -1,72 +0,0 @@

----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  labels:
-    app.kubernetes.io/name: external-dns-unifi
-    kustomize.toolkit.fluxcd.io/name: external-dns-unifi
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: external-dns-unifi
-  namespace: network
-spec:
-  chart:
-    spec:
-      chart: external-dns
-      sourceRef:
-        kind: HelmRepository
-        name: external-dns
-        namespace: flux-system
-      version: 1.15.0
-  install:
-    remediation:
-      retries: 3
-  interval: 30m
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-      strategy: rollback
-  values:
-    domainFilters:
-    - ..PLACEHOLDER_SECRET_DOMAIN..
-    extraArgs:
-    - --ignore-ingress-tls-spec
-    fullnameOverride: external-dns-unifi
-    podAnnotations:
-      secret.reloader.stakater.com/reload: external-dns-unifi
-    policy: sync
-    provider:
-      name: webhook
-      webhook:
-        env:
-        - name: UNIFI_HOST
-          value: https://192.168.1.1
-        - name: UNIFI_API_KEY
-          valueFrom:
-            secretKeyRef:
-              key: EXTERNAL_DNS_UNIFI_API_KEY
-              name: external-dns-unifi
-        image:
-          repository: ghcr.io/kashalls/external-dns-unifi-webhook
-          tag: v0.4.0@sha256:f71f9e64f723a1af77e9ecdcbaef2db2095721d33b385baee1848d0bf09d44e7
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: http-webhook
-          initialDelaySeconds: 10
-          timeoutSeconds: 5
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: http-webhook
-          initialDelaySeconds: 10
-          timeoutSeconds: 5
-    serviceMonitor:
-      enabled: true
-    sources:
-    - ingress
-    - service
-    triggerLoopOnEvent: true
-    txtOwnerId: main
-    txtPrefix: k8s.main.
-
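Review bot: `UNIFI_HOST: https://192.168.1.1` is the only site-specific value in this file that is not routed through `..PLACEHOLDER_...` substitution from cluster-settings (the domain filter and the API key both are). When the file moves under internal/, consider substituting it as well so the controller address is defined in one place. The digest-pinned webhook image (`v0.4.0@sha256:...`) is the right pattern and should be kept in the moved copy.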
--- kubernetes/main/apps/network/external-dns/cloudflare Kustomization: flux-system/external-dns-cloudflare ExternalSecret: network/external-dns-secret

+++ kubernetes/main/apps/network/external-dns/cloudflare Kustomization: flux-system/external-dns-cloudflare ExternalSecret: network/external-dns-secret

@@ -1,24 +0,0 @@

----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  labels:
-    app.kubernetes.io/name: external-dns-cloudflare
-    kustomize.toolkit.fluxcd.io/name: external-dns-cloudflare
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: external-dns-secret
-  namespace: network
-spec:
-  dataFrom:
-  - extract:
-      key: cloudflare
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: onepassword-connect
-  target:
-    name: external-dns-secret
-    template:
-      data:
-        api-token: '{{ .CLOUDFLARE_API_KEY }}'
-      engineVersion: v2
-
--- kubernetes/main/apps/network/external-dns/cloudflare Kustomization: flux-system/external-dns-cloudflare HelmRelease: network/external-dns

+++ kubernetes/main/apps/network/external-dns/cloudflare Kustomization: flux-system/external-dns-cloudflare HelmRelease: network/external-dns

@@ -1,61 +0,0 @@

----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  labels:
-    app.kubernetes.io/name: external-dns-cloudflare
-    kustomize.toolkit.fluxcd.io/name: external-dns-cloudflare
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: external-dns
-  namespace: network
-spec:
-  chart:
-    spec:
-      chart: external-dns
-      sourceRef:
-        kind: HelmRepository
-        name: external-dns
-        namespace: flux-system
-      version: 1.15.0
-  install:
-    crds: CreateReplace
-    remediation:
-      retries: 3
-  interval: 30m
-  upgrade:
-    cleanupOnFail: true
-    crds: CreateReplace
-    remediation:
-      retries: 3
-      strategy: rollback
-  values:
-    domainFilters:
-    - ..PLACEHOLDER_SECRET_DOMAIN..
-    env:
-    - name: CF_API_TOKEN
-      valueFrom:
-        secretKeyRef:
-          key: api-token
-          name: external-dns-secret
-    extraArgs:
-    - --cloudflare-dns-records-per-page=1000
-    - --cloudflare-proxied
-    - --crd-source-apiversion=externaldns.k8s.io/v1alpha1
-    - --crd-source-kind=DNSEndpoint
-    - --ignore-ingress-tls-spec
-    - --ingress-class=external
-    fullnameOverride: external-dns
-    podAnnotations:
-      secret.reloader.stakater.com/reload: external-dns-secret
-    policy: sync
-    provider:
-      name: cloudflare
-    serviceMonitor:
-      enabled: true
-    sources:
-    - crd
-    - ingress
-    triggerLoopOnEvent: true
-    txtOwnerId: main
-    txtPrefix: k8s.main.
-
--- kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared DNSEndpoint: network/cloudflared

+++ kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared DNSEndpoint: network/cloudflared

@@ -1,17 +0,0 @@

----
-apiVersion: externaldns.k8s.io/v1alpha1
-kind: DNSEndpoint
-metadata:
-  labels:
-    app.kubernetes.io/name: cloudflared
-    kustomize.toolkit.fluxcd.io/name: cloudflared
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: cloudflared
-  namespace: network
-spec:
-  endpoints:
-  - dnsName: external...PLACEHOLDER_SECRET_DOMAIN..
-    recordType: CNAME
-    targets:
-    - ..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID...cfargotunnel.com
-
--- kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared ExternalSecret: network/cloudflared-secret

+++ kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared ExternalSecret: network/cloudflared-secret

@@ -1,29 +0,0 @@

----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  labels:
-    app.kubernetes.io/name: cloudflared
-    kustomize.toolkit.fluxcd.io/name: cloudflared
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: cloudflared-secret
-  namespace: network
-spec:
-  dataFrom:
-  - extract:
-      key: cloudflare
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: onepassword-connect
-  target:
-    name: cloudflared-secret
-    template:
-      data:
-        credentials.json: |
-          {
-            "AccountTag": "{{ .CLOUDFLARE_ACCOUNT_TAG }}",
-            "TunnelSecret": "{{ .CLOUDFLARE_TUNNEL_SECRET }}",
-            "TunnelID": "..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID.."
-          }
-      engineVersion: v2
-
--- kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared HelmRelease: network/cloudflared

+++ kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared HelmRelease: network/cloudflared

@@ -1,131 +0,0 @@

----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  labels:
-    app.kubernetes.io/name: cloudflared
-    kustomize.toolkit.fluxcd.io/name: cloudflared
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: cloudflared
-  namespace: network
-spec:
-  chart:
-    spec:
-      chart: app-template
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-      version: 3.6.1
-  dependsOn:
-  - name: nginx-external
-    namespace: network
-  install:
-    remediation:
-      retries: 3
-  interval: 30m
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-      strategy: rollback
-  values:
-    controllers:
-      cloudflared:
-        annotations:
-          reloader.stakater.com/auto: 'true'
-        containers:
-          app:
-            args:
-            - tunnel
-            - --config
-            - /etc/cloudflared/config/config.yaml
-            - run
-            - ..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID..
-            env:
-              NO_AUTOUPDATE: true
-              TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json
-              TUNNEL_METRICS: 0.0.0.0:8080
-              TUNNEL_ORIGIN_ENABLE_HTTP2: true
-              TUNNEL_POST_QUANTUM: true
-              TUNNEL_TRANSPORT_PROTOCOL: quic
-            image:
-              repository: docker.io/cloudflare/cloudflared
-              tag: 2025.1.0@sha256:3247f3ef49eda23244b8aa5583f82b7c3880b0d057e1172d0e818f5e678d9f27
-            probes:
-              liveness:
-                custom: true
-                enabled: true
-                spec:
-                  failureThreshold: 3
-                  httpGet:
-                    path: /ready
-                    port: 8080
-                  initialDelaySeconds: 0
-                  periodSeconds: 10
-                  timeoutSeconds: 1
-              readiness:
-                custom: true
-                enabled: true
-                spec:
-                  failureThreshold: 3
-                  httpGet:
-                    path: /ready
-                    port: 8080
-                  initialDelaySeconds: 0
-                  periodSeconds: 10
-                  timeoutSeconds: 1
-            resources:
-              limits:
-                memory: 256M
-              requests:
-                cpu: 5m
-                memory: 128M
-        replicas: 2
-        strategy: RollingUpdate
-    defaultPodOptions:
-      securityContext:
-        fsGroupChangePolicy: OnRootMismatch
-        runAsGroup: 100
-        runAsNonRoot: true
-        runAsUser: 1000
-        seccompProfile:
-          type: RuntimeDefault
-      topologySpreadConstraints:
-      - labelSelector:
-          matchLabels:
-            app.kubernetes.io/name: cloudflared
-        maxSkew: 1
-        topologyKey: kubernetes.io/hostname
-        whenUnsatisfiable: DoNotSchedule
-    persistence:
-      config:
-        globalMounts:
-        - path: /etc/cloudflared/config/config.yaml
-          readOnly: true
-          subPath: config.yaml
-        name: cloudflared-configmap
-        type: configMap
-      creds:
-        globalMounts:
-        - path: /etc/cloudflared/creds/credentials.json
-          readOnly: true
-          subPath: credentials.json
-        name: cloudflared-secret
-        type: secret
-    service:
-      app:
-        controller: cloudflared
-        ports:
-          http:
-            port: 8080
-    serviceMonitor:
-      app:
-        endpoints:
-        - interval: 1m
-          path: /metrics
-          port: http
-          scheme: http
-          scrapeTimeout: 10s
-        serviceName: cloudflared
-
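Review bot: the `app` container here has no container-level securityContext, whereas echo-server in this same PR sets `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `readOnlyRootFilesystem: true` on top of the identical pod-level runAsNonRoot settings. Since the file is being moved anyway, adding the same block to the cloudflared container brings the internet-facing tunnel pod to the same baseline; its only mounts (`config.yaml` and `credentials.json`) are already `readOnly: true`, so a read-only root filesystem should not break it.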
--- kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared ConfigMap: network/cloudflared-configmap

+++ kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared ConfigMap: network/cloudflared-configmap

@@ -1,23 +0,0 @@

----
-apiVersion: v1
-data:
-  config.yaml: |
-    ---
-    originRequest:
-      originServerName: external...PLACEHOLDER_SECRET_DOMAIN..
-
-    ingress:
-      - hostname: ..PLACEHOLDER_SECRET_DOMAIN..
-        service: https://nginx-external-controller.network.svc.cluster.local:443
-      - hostname: "*...PLACEHOLDER_SECRET_DOMAIN.."
-        service: https://nginx-external-controller.network.svc.cluster.local:443
-      - service: http_status:404
-kind: ConfigMap
-metadata:
-  labels:
-    app.kubernetes.io/name: cloudflared
-    kustomize.toolkit.fluxcd.io/name: cloudflared
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: cloudflared-configmap
-  namespace: network
-
--- kubernetes/main/apps/network/nginx/internal Kustomization: flux-system/nginx-internal HelmRelease: network/nginx-internal

+++ kubernetes/main/apps/network/nginx/internal Kustomization: flux-system/nginx-internal HelmRelease: network/nginx-internal

@@ -1,99 +0,0 @@

----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  labels:
-    app.kubernetes.io/name: nginx-internal
-    kustomize.toolkit.fluxcd.io/name: nginx-internal
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: nginx-internal
-  namespace: network
-spec:
-  chart:
-    spec:
-      chart: ingress-nginx
-      sourceRef:
-        kind: HelmRepository
-        name: ingress-nginx
-        namespace: flux-system
-      version: 4.12.0
-  install:
-    remediation:
-      retries: 3
-  interval: 30m
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-      strategy: rollback
-  values:
-    controller:
-      admissionWebhooks:
-        objectSelector:
-          matchExpressions:
-          - key: ingress-class
-            operator: In
-            values:
-            - internal
-      config:
-        allow-snippet-annotations: true
-        annotations-risk-level: Critical
-        block-user-agents: GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*
-        client-body-buffer-size: 100M
-        client-body-timeout: 120
-        client-header-timeout: 120
-        enable-brotli: 'true'
-        enable-ocsp: 'true'
-        enable-real-ip: 'true'
-        force-ssl-redirect: 'true'
-        hide-headers: Server,X-Powered-By
-        hsts-max-age: 31449600
-        keep-alive: 120
-        keep-alive-requests: 10000
-        log-format-escape-json: 'true'
-        log-format-upstream: |
-          {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
-        proxy-body-size: 0
-        proxy-buffer-size: 16k
-        ssl-protocols: TLSv1.3 TLSv1.2
-        use-forwarded-headers: 'true'
-      extraArgs:
-        default-ssl-certificate: network/..PLACEHOLDER_SECRET_DOMAIN..-tls
-        publish-status-address: internal...PLACEHOLDER_SECRET_DOMAIN..
-      ingressClassResource:
-        controllerValue: k8s.io/internal
-        default: true
-        name: internal
-      metrics:
-        enabled: true
-        serviceMonitor:
-          enabled: true
-          namespaceSelector:
-            any: true
-      publishService:
-        enabled: false
-      replicaCount: 2
-      resources:
-        limits:
-          memory: 500Mi
-        requests:
-          cpu: 100m
-      service:
-        annotations:
-          external-dns.alpha.kubernetes.io/hostname: internal...PLACEHOLDER_SECRET_DOMAIN..
-          lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_INTERNAL..
-        externalTrafficPolicy: Cluster
-      terminationGracePeriodSeconds: 120
-      topologySpreadConstraints:
-      - labelSelector:
-          matchLabels:
-            app.kubernetes.io/component: controller
-            app.kubernetes.io/instance: nginx-internal
-            app.kubernetes.io/name: ingress-nginx
-        maxSkew: 1
-        topologyKey: kubernetes.io/hostname
-        whenUnsatisfiable: DoNotSchedule
-    defaultBackend:
-      enabled: false
-    fullnameOverride: nginx-internal
-
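Review bot: `log-format-upstream` records `"remote_addr": "$proxy_protocol_addr"`, but neither this config nor the service enables proxy protocol (no `use-proxy-protocol` key, no proxy-protocol annotation), so that field will be empty in every access log line; the same format is reused in nginx-external below. For client attribution in the JSON logs use `$remote_addr`, which with `enable-real-ip` and `use-forwarded-headers` already on holds the forwarded client address, or enable proxy protocol end to end before keeping `$proxy_protocol_addr`.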
--- kubernetes/main/apps/network/nginx/external Kustomization: flux-system/nginx-external HelmRelease: network/nginx-external

+++ kubernetes/main/apps/network/nginx/external Kustomization: flux-system/nginx-external HelmRelease: network/nginx-external

@@ -1,98 +0,0 @@

----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  labels:
-    app.kubernetes.io/name: nginx-external
-    kustomize.toolkit.fluxcd.io/name: nginx-external
-    kustomize.toolkit.fluxcd.io/namespace: flux-system
-  name: nginx-external
-  namespace: network
-spec:
-  chart:
-    spec:
-      chart: ingress-nginx
-      sourceRef:
-        kind: HelmRepository
-        name: ingress-nginx
-        namespace: flux-system
-      version: 4.12.0
-  install:
-    remediation:
-      retries: 3
-  interval: 30m
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-      strategy: rollback
-  values:
-    controller:
-      admissionWebhooks:
-        objectSelector:
-          matchExpressions:
-          - key: ingress-class
-            operator: In
-            values:
-            - external
-      config:
-        allow-snippet-annotations: true
-        annotations-risk-level: Critical
-        block-user-agents: GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*
-        client-body-buffer-size: 100M
-        client-body-timeout: 120
-        client-header-timeout: 120
-        enable-brotli: 'true'
-        enable-ocsp: 'true'
-        enable-real-ip: 'true'
-        force-ssl-redirect: 'true'
-        hide-headers: Server,X-Powered-By
-        hsts-max-age: 31449600
-        keep-alive: 120
-        keep-alive-requests: 10000
-        log-format-escape-json: 'true'
-        log-format-upstream: |
-          {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
-        proxy-body-size: 0
-        proxy-buffer-size: 16k
-        ssl-protocols: TLSv1.3 TLSv1.2
-        use-forwarded-headers: 'true'
-      extraArgs:
-        default-ssl-certificate: network/..PLACEHOLDER_SECRET_DOMAIN..-tls
-        publish-status-address: external...PLACEHOLDER_SECRET_DOMAIN..
-      ingressClassResource:
-        controllerValue: k8s.io/external
-        default: false
-        name: external
-      metrics:
-        enabled: true
-        serviceMonitor:
-          enabled: true
-          namespaceSelector:
-            any: true
-      publishService:
-        enabled: false
-      replicaCount: 2
-      resources:
-        limits:
-          memory: 500Mi
-        requests:
-          cpu: 100m
-      service:
-        annotations:
-          external-dns.alpha.kubernetes.io/hostname: external...PLACEHOLDER_SECRET_DOMAIN..
-          lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_EXTERNAL..
-      terminationGracePeriodSeconds: 120
-      topologySpreadConstraints:
-      - labelSelector:
-          matchLabels:
-            app.kubernetes.io/component: controller
-            app.kubernetes.io/instance: nginx-external
-            app.kubernetes.io/name: ingress-nginx
-        maxSkew: 1
-        topologyKey: kubernetes.io/hostname
-        whenUnsatisfiable: DoNotSchedule
-    defaultBackend:
-      enabled: false
-    fullnameOverride: nginx-external
-
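Review bot: `allow-snippet-annotations: true` combined with `annotations-risk-level: Critical` lets any Ingress admitted to the `external` class inject raw nginx configuration through annotations, which on the internet-facing controller widens what a compromised tenant namespace can do; if no Ingress in the repo actually uses a snippet annotation, set `allow-snippet-annotations: false` and drop the risk level to the chart default (the same two keys appear in nginx-internal above). Related: this controller is reachable both through cloudflared and directly on `..PLACEHOLDER_SVC_NGINX_EXTERNAL..`, so with `use-forwarded-headers: 'true'` a direct client can supply its own X-Forwarded-For unless `proxy-real-ip-cidr` is restricted to the tunnel pods' addresses.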
--- kubernetes/main/apps/network/external/echo-server/app Kustomization: flux-system/echo-server HelmRelease: network/echo-server

+++ kubernetes/main/apps/network/external/echo-server/app Kustomization: flux-system/echo-server HelmRelease: network/echo-server

@@ -0,0 +1,119 @@

+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  labels:
+    app.kubernetes.io/name: echo-server
+    kustomize.toolkit.fluxcd.io/name: echo-server
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: echo-server
+  namespace: network
+spec:
+  chart:
+    spec:
+      chart: app-template
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+      version: 3.6.1
+  install:
+    remediation:
+      retries: 3
+  interval: 30m
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+      strategy: rollback
+  values:
+    controllers:
+      echo-server:
+        containers:
+          app:
+            env:
+              HTTP_PORT: 8080
+              LOG_IGNORE_PATH: /healthz
+              LOG_WITHOUT_NEWLINE: true
+              PROMETHEUS_ENABLED: true
+            image:
+              repository: ghcr.io/mendhak/http-https-echo
+              tag: 35
+            probes:
+              liveness:
+                custom: true
+                enabled: true
+                spec:
+                  failureThreshold: 3
+                  httpGet:
+                    path: /healthz
+                    port: 8080
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+              readiness:
+                custom: true
+                enabled: true
+                spec:
+                  failureThreshold: 3
+                  httpGet:
+                    path: /healthz
+                    port: 8080
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+            resources:
+              limits:
+                memory: 64Mi
+              requests:
+                cpu: 10m
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              readOnlyRootFilesystem: true
+              seccompProfile:
+                type: RuntimeDefault
+        strategy: RollingUpdate
+    defaultPodOptions:
+      securityContext:
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 100
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: echo-server
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
+    ingress:
+      app:
+        className: external
+        hosts:
+        - host: '{{ .Release.Name }}...PLACEHOLDER_SECRET_DOMAIN..'
+          paths:
+          - path: /
+            service:
+              identifier: app
+              port: http
+    service:
+      app:
+        controller: echo-server
+        ports:
+          http:
+            port: 8080
+    serviceMonitor:
+      app:
+        endpoints:
+        - interval: 1m
+          path: /metrics
+          port: http
+          scheme: http
+          scrapeTimeout: 10s
+        serviceName: echo-server
+
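Review bot: the `ingress.app` block publishes echo-server on `className: external` but sets no `labels`, so the rendered Ingress carries no `ingress-class` label and falls outside the nginx-external `admissionWebhooks.objectSelector` (which only matches `ingress-class: external`); it is therefore never validated by the admission webhook. Either add `labels: {ingress-class: external}` under `ingress.app` or drop the selector so every Ingress of the class is checked. Separately, http-https-echo reflects every request header (forwarded-for chains, internal hostnames, request ids) back to the caller; that is handy for verifying routing but is an information leak on the Internet-facing class, so once the tunnel is confirmed working consider moving it to `className: internal` or putting auth in front of it.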
--- kubernetes/main/apps/network/external/external-dns-cloudflare/app Kustomization: flux-system/external-dns-cloudflare ExternalSecret: network/external-dns-secret

+++ kubernetes/main/apps/network/external/external-dns-cloudflare/app Kustomization: flux-system/external-dns-cloudflare ExternalSecret: network/external-dns-secret

@@ -0,0 +1,24 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: external-dns-cloudflare
+    kustomize.toolkit.fluxcd.io/name: external-dns-cloudflare
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: external-dns-secret
+  namespace: network
+spec:
+  dataFrom:
+  - extract:
+      key: cloudflare
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: external-dns-secret
+    template:
+      data:
+        api-token: '{{ .CLOUDFLARE_API_KEY }}'
+      engineVersion: v2
+
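Review bot: the template maps the vault field `CLOUDFLARE_API_KEY` to `api-token`, which the HelmRelease then injects as `CF_API_TOKEN`; external-dns's Cloudflare provider treats `CF_API_TOKEN` as a scoped API token, whereas a Global API Key has to be passed as `CF_API_KEY` together with `CF_API_EMAIL`. Confirm the 1Password field really holds a token scoped to DNS edit on the filtered zone, and consider renaming the field to `CLOUDFLARE_API_TOKEN` so the intent is visible; a global key here would hand the DNS controller full-account rights.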
--- kubernetes/main/apps/network/external/external-dns-cloudflare/app Kustomization: flux-system/external-dns-cloudflare HelmRelease: network/external-dns

+++ kubernetes/main/apps/network/external/external-dns-cloudflare/app Kustomization: flux-system/external-dns-cloudflare HelmRelease: network/external-dns

@@ -0,0 +1,61 @@

+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  labels:
+    app.kubernetes.io/name: external-dns-cloudflare
+    kustomize.toolkit.fluxcd.io/name: external-dns-cloudflare
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: external-dns
+  namespace: network
+spec:
+  chart:
+    spec:
+      chart: external-dns
+      sourceRef:
+        kind: HelmRepository
+        name: external-dns
+        namespace: flux-system
+      version: 1.15.0
+  install:
+    crds: CreateReplace
+    remediation:
+      retries: 3
+  interval: 30m
+  upgrade:
+    cleanupOnFail: true
+    crds: CreateReplace
+    remediation:
+      retries: 3
+      strategy: rollback
+  values:
+    domainFilters:
+    - ..PLACEHOLDER_SECRET_DOMAIN..
+    env:
+    - name: CF_API_TOKEN
+      valueFrom:
+        secretKeyRef:
+          key: api-token
+          name: external-dns-secret
+    extraArgs:
+    - --cloudflare-dns-records-per-page=1000
+    - --cloudflare-proxied
+    - --crd-source-apiversion=externaldns.k8s.io/v1alpha1
+    - --crd-source-kind=DNSEndpoint
+    - --ignore-ingress-tls-spec
+    - --ingress-class=external
+    fullnameOverride: external-dns
+    podAnnotations:
+      secret.reloader.stakater.com/reload: external-dns-secret
+    policy: sync
+    provider:
+      name: cloudflare
+    serviceMonitor:
+      enabled: true
+    sources:
+    - crd
+    - ingress
+    triggerLoopOnEvent: true
+    txtOwnerId: main
+    txtPrefix: k8s.main.
+
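Review bot: `policy: sync` together with a `domainFilters` entry covering the whole zone means this controller deletes any record under the domain whose `k8s.main.` ownership TXT it recognises, and `--cloudflare-proxied` applies the proxy to every record it creates, ingress hosts included. Both are reasonable choices but deserve a comment in the values, and the `--ingress-class=external` filter is the only thing keeping an internal-class Ingress out of the public zone, so keep it in lockstep with the `sources` list (`crd`, `ingress`) and the `--crd-source-*` arguments.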
--- kubernetes/main/apps/network/external/cloudflared/app Kustomization: flux-system/cloudflared DNSEndpoint: network/cloudflared

+++ kubernetes/main/apps/network/external/cloudflared/app Kustomization: flux-system/cloudflared DNSEndpoint: network/cloudflared

@@ -0,0 +1,17 @@

+---
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  labels:
+    app.kubernetes.io/name: cloudflared
+    kustomize.toolkit.fluxcd.io/name: cloudflared
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: cloudflared
+  namespace: network
+spec:
+  endpoints:
+  - dnsName: external...PLACEHOLDER_SECRET_DOMAIN..
+    recordType: CNAME
+    targets:
+    - ..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID...cfargotunnel.com
+
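Review bot: the hostname `external...PLACEHOLDER_SECRET_DOMAIN..` is declared twice in this PR with different targets: here as a Cloudflare CNAME to the tunnel, and on the nginx-external Service (`external-dns.alpha.kubernetes.io/hostname`) which the UniFi instance publishes from its `service` source to the LoadBalancer address. If that is the intended split-horizon setup (public resolves to the tunnel, LAN resolves to the Cilium LB IP) say so in a comment next to one of them, because it otherwise reads as a conflict. The `..cfargotunnel.com` target only works as a proxied record, which the `--cloudflare-proxied` flag on external-dns guarantees.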
--- kubernetes/main/apps/network/external/cloudflared/app Kustomization: flux-system/cloudflared ExternalSecret: network/cloudflared-secret

+++ kubernetes/main/apps/network/external/cloudflared/app Kustomization: flux-system/cloudflared ExternalSecret: network/cloudflared-secret

@@ -0,0 +1,29 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: cloudflared
+    kustomize.toolkit.fluxcd.io/name: cloudflared
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: cloudflared-secret
+  namespace: network
+spec:
+  dataFrom:
+  - extract:
+      key: cloudflare
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: cloudflared-secret
+    template:
+      data:
+        credentials.json: |
+          {
+            "AccountTag": "{{ .CLOUDFLARE_ACCOUNT_TAG }}",
+            "TunnelSecret": "{{ .CLOUDFLARE_TUNNEL_SECRET }}",
+            "TunnelID": "..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID.."
+          }
+      engineVersion: v2
+
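Review bot: `credentials.json` is built by interpolating `CLOUDFLARE_ACCOUNT_TAG` and `CLOUDFLARE_TUNNEL_SECRET` into a hand-written JSON literal, so a quote or backslash in either value would yield a file cloudflared rejects at startup; piping each value through `toJson` (for example `"TunnelSecret": {{ .CLOUDFLARE_TUNNEL_SECRET | toJson }}`) keeps the output valid regardless of content. Note also that this reads the same `cloudflare` vault item as the external-dns ExternalSecret above, so rotation of the tunnel secret and of the DNS token are coupled to one item.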
--- kubernetes/main/apps/network/external/cloudflared/app Kustomization: flux-system/cloudflared HelmRelease: network/cloudflared

+++ kubernetes/main/apps/network/external/cloudflared/app Kustomization: flux-system/cloudflared HelmRelease: network/cloudflared

@@ -0,0 +1,131 @@

+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  labels:
+    app.kubernetes.io/name: cloudflared
+    kustomize.toolkit.fluxcd.io/name: cloudflared
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: cloudflared
+  namespace: network
+spec:
+  chart:
+    spec:
+      chart: app-template
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+      version: 3.6.1
+  dependsOn:
+  - name: nginx-external
+    namespace: network
+  install:
+    remediation:
+      retries: 3
+  interval: 30m
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+      strategy: rollback
+  values:
+    controllers:
+      cloudflared:
+        annotations:
+          reloader.stakater.com/auto: 'true'
+        containers:
+          app:
+            args:
+            - tunnel
+            - --config
+            - /etc/cloudflared/config/config.yaml
+            - run
+            - ..PLACEHOLDER_CLOUDFLARE_TUNNEL_ID..
+            env:
+              NO_AUTOUPDATE: true
+              TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json
+              TUNNEL_METRICS: 0.0.0.0:8080
+              TUNNEL_ORIGIN_ENABLE_HTTP2: true
+              TUNNEL_POST_QUANTUM: true
+              TUNNEL_TRANSPORT_PROTOCOL: quic
+            image:
+              repository: docker.io/cloudflare/cloudflared
+              tag: 2025.1.0@sha256:3247f3ef49eda23244b8aa5583f82b7c3880b0d057e1172d0e818f5e678d9f27
+            probes:
+              liveness:
+                custom: true
+                enabled: true
+                spec:
+                  failureThreshold: 3
+                  httpGet:
+                    path: /ready
+                    port: 8080
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+              readiness:
+                custom: true
+                enabled: true
+                spec:
+                  failureThreshold: 3
+                  httpGet:
+                    path: /ready
+                    port: 8080
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+            resources:
+              limits:
+                memory: 256M
+              requests:
+                cpu: 5m
+                memory: 128M
+        replicas: 2
+        strategy: RollingUpdate
+    defaultPodOptions:
+      securityContext:
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 100
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: cloudflared
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
+    persistence:
+      config:
+        globalMounts:
+        - path: /etc/cloudflared/config/config.yaml
+          readOnly: true
+          subPath: config.yaml
+        name: cloudflared-configmap
+        type: configMap
+      creds:
+        globalMounts:
+        - path: /etc/cloudflared/creds/credentials.json
+          readOnly: true
+          subPath: credentials.json
+        name: cloudflared-secret
+        type: secret
+    service:
+      app:
+        controller: cloudflared
+        ports:
+          http:
+            port: 8080
+    serviceMonitor:
+      app:
+        endpoints:
+        - interval: 1m
+          path: /metrics
+          port: http
+          scheme: http
+          scrapeTimeout: 10s
+        serviceName: cloudflared
+
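Review bot: unlike echo-server above, the `app` container here sets no container-level `securityContext`, so it runs without `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` or `readOnlyRootFilesystem: true`; the pod-level `runAsNonRoot` and seccomp settings do not cover those. cloudflared needs none of those privileges (it only reads the two read-only mounts and opens outbound QUIC), so add the same block echo-server uses. Pinning the image by digest, `NO_AUTOUPDATE: true`, two replicas spread by hostname and `dependsOn: nginx-external` (the tunnel's only origin) are all correct.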
--- kubernetes/main/apps/network/external/cloudflared/app Kustomization: flux-system/cloudflared ConfigMap: network/cloudflared-configmap

+++ kubernetes/main/apps/network/external/cloudflared/app Kustomization: flux-system/cloudflared ConfigMap: network/cloudflared-configmap

@@ -0,0 +1,23 @@

+---
+apiVersion: v1
+data:
+  config.yaml: |
+    ---
+    originRequest:
+      originServerName: external...PLACEHOLDER_SECRET_DOMAIN..
+
+    ingress:
+      - hostname: ..PLACEHOLDER_SECRET_DOMAIN..
+        service: https://nginx-external-controller.network.svc.cluster.local:443
+      - hostname: "*...PLACEHOLDER_SECRET_DOMAIN.."
+        service: https://nginx-external-controller.network.svc.cluster.local:443
+      - service: http_status:404
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/name: cloudflared
+    kustomize.toolkit.fluxcd.io/name: cloudflared
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: cloudflared-configmap
+  namespace: network
+
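Review bot: the ingress rules forward to `https://nginx-external-controller.network.svc.cluster.local:443` with `originServerName: external...PLACEHOLDER_SECRET_DOMAIN..`; no `noTLSVerify` is set, so cloudflared verifies the origin certificate against that SNI name, which only works because nginx-external serves the wildcard default certificate from `nginx-certificates` for every host. That dependency is worth a one-line comment here, so a later change to `default-ssl-certificate` or to the Certificate's `dnsNames` does not silently break the tunnel. The `http_status:404` catch-all is correct and must stay last.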
--- kubernetes/main/apps/network/external/nginx-certificates/app Kustomization: flux-system/nginx-certificates Certificate: network/..PLACEHOLDER_SECRET_DOMAIN..

+++ kubernetes/main/apps/network/external/nginx-certificates/app Kustomization: flux-system/nginx-certificates Certificate: network/..PLACEHOLDER_SECRET_DOMAIN..

@@ -0,0 +1,20 @@

+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app.kubernetes.io/name: nginx-certificates
+    kustomize.toolkit.fluxcd.io/name: nginx-certificates
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: ..PLACEHOLDER_SECRET_DOMAIN..
+  namespace: network
+spec:
+  commonName: ..PLACEHOLDER_SECRET_DOMAIN..
+  dnsNames:
+  - ..PLACEHOLDER_SECRET_DOMAIN..
+  - '*...PLACEHOLDER_SECRET_DOMAIN..'
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt-production
+  secretName: ..PLACEHOLDER_SECRET_DOMAIN..-tls
+
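Review bot: no `privateKey.rotationPolicy` is set, so cert-manager reuses the same private key on every renewal (the default is `Never`); since this key is also copied out of the cluster by the PushSecret below, set `privateKey: {rotationPolicy: Always}` so each renewal gets a fresh key and any leaked copy ages out. Wildcard plus apex on the `letsencrypt-production` ClusterIssuer requires a DNS-01 solver, which is consistent with the Cloudflare token used elsewhere in this PR.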
--- kubernetes/main/apps/network/external/nginx-certificates/app Kustomization: flux-system/nginx-certificates PushSecret: network/main-cluster-tls

+++ kubernetes/main/apps/network/external/nginx-certificates/app Kustomization: flux-system/nginx-certificates PushSecret: network/main-cluster-tls

@@ -0,0 +1,34 @@

+---
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: nginx-certificates
+    kustomize.toolkit.fluxcd.io/name: nginx-certificates
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: main-cluster-tls
+  namespace: network
+spec:
+  data:
+  - match:
+      remoteRef:
+        property: tls.crt
+        remoteKey: main-cluster-tls
+      secretKey: tls.crt
+  - match:
+      remoteRef:
+        property: tls.key
+        remoteKey: main-cluster-tls
+      secretKey: tls.key
+  secretStoreRefs:
+  - kind: ClusterSecretStore
+    name: onepassword-connect
+  selector:
+    secret:
+      name: ..PLACEHOLDER_SECRET_DOMAIN..-tls
+  template:
+    data:
+      tls.crt: '{{ index . "tls.crt" | b64enc }}'
+      tls.key: '{{ index . "tls.key" | b64enc }}'
+    engineVersion: v2
+
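Review bot: this pushes both `tls.crt` and `tls.key` into the `main-cluster-tls` item, so the private key for the whole wildcard domain now lives in 1Password and is readable by anything that holds the `onepassword-connect` credentials; confirm that item sits in a vault restricted to the Connect token and document which other cluster consumes it. The template wraps each value in `b64enc`, so the remote item stores base64 text rather than PEM and every consuming ExternalSecret has to apply `b64dec`; that contract belongs in a comment. `apiVersion: external-secrets.io/v1alpha1` is the served version for PushSecret, so the mismatch with the `v1beta1` ExternalSecrets is expected.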
--- kubernetes/main/apps/network/internal/external-dns-unifi/app Kustomization: flux-system/external-dns-unifi ExternalSecret: network/external-dns-unifi

+++ kubernetes/main/apps/network/internal/external-dns-unifi/app Kustomization: flux-system/external-dns-unifi ExternalSecret: network/external-dns-unifi

@@ -0,0 +1,24 @@

+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: external-dns-unifi
+    kustomize.toolkit.fluxcd.io/name: external-dns-unifi
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: external-dns-unifi
+  namespace: network
+spec:
+  dataFrom:
+  - extract:
+      key: unifi
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: external-dns-unifi
+    template:
+      data:
+        EXTERNAL_DNS_UNIFI_API_KEY: '{{ .EXTERNAL_DNS_UNIFI_API_KEY }}'
+      engineVersion: v2
+
--- kubernetes/main/apps/network/internal/external-dns-unifi/app Kustomization: flux-system/external-dns-unifi HelmRelease: network/external-dns-unifi

+++ kubernetes/main/apps/network/internal/external-dns-unifi/app Kustomization: flux-system/external-dns-unifi HelmRelease: network/external-dns-unifi

@@ -0,0 +1,72 @@

+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  labels:
+    app.kubernetes.io/name: external-dns-unifi
+    kustomize.toolkit.fluxcd.io/name: external-dns-unifi
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: external-dns-unifi
+  namespace: network
+spec:
+  chart:
+    spec:
+      chart: external-dns
+      sourceRef:
+        kind: HelmRepository
+        name: external-dns
+        namespace: flux-system
+      version: 1.15.0
+  install:
+    remediation:
+      retries: 3
+  interval: 30m
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+      strategy: rollback
+  values:
+    domainFilters:
+    - ..PLACEHOLDER_SECRET_DOMAIN..
+    extraArgs:
+    - --ignore-ingress-tls-spec
+    fullnameOverride: external-dns-unifi
+    podAnnotations:
+      secret.reloader.stakater.com/reload: external-dns-unifi
+    policy: sync
+    provider:
+      name: webhook
+      webhook:
+        env:
+        - name: UNIFI_HOST
+          value: https://192.168.1.1
+        - name: UNIFI_API_KEY
+          valueFrom:
+            secretKeyRef:
+              key: EXTERNAL_DNS_UNIFI_API_KEY
+              name: external-dns-unifi
+        image:
+          repository: ghcr.io/kashalls/external-dns-unifi-webhook
+          tag: v0.4.0@sha256:f71f9e64f723a1af77e9ecdcbaef2db2095721d33b385baee1848d0bf09d44e7
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: http-webhook
+          initialDelaySeconds: 10
+          timeoutSeconds: 5
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: http-webhook
+          initialDelaySeconds: 10
+          timeoutSeconds: 5
+    serviceMonitor:
+      enabled: true
+    sources:
+    - ingress
+    - service
+    triggerLoopOnEvent: true
+    txtOwnerId: main
+    txtPrefix: k8s.main.
+
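Review bot: this instance has no `--ingress-class` filter (the Cloudflare instance uses `--ingress-class=external`), so with `sources: [ingress, service]` it publishes LAN records for Ingresses of both classes; that is the right behaviour for split-horizon DNS but is not obvious, so document it next to `sources`. The `provider.webhook` sidecar talks to `https://192.168.1.1`, so confirm how it validates the gateway's certificate, since UniFi gateways commonly present self-signed ones; a failure there surfaces only as `/readyz` probe failures. The sidecar also sets no `resources` or `securityContext`; add at least `allowPrivilegeEscalation: false` and dropped capabilities there too.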
--- kubernetes/main/apps/network/internal/nginx-ingress/app Kustomization: flux-system/nginx-internal HelmRelease: network/nginx-internal

+++ kubernetes/main/apps/network/internal/nginx-ingress/app Kustomization: flux-system/nginx-internal HelmRelease: network/nginx-internal

@@ -0,0 +1,99 @@

+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  labels:
+    app.kubernetes.io/name: nginx-internal
+    kustomize.toolkit.fluxcd.io/name: nginx-internal
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: nginx-internal
+  namespace: network
+spec:
+  chart:
+    spec:
+      chart: ingress-nginx
+      sourceRef:
+        kind: HelmRepository
+        name: ingress-nginx
+        namespace: flux-system
+      version: 4.12.0
+  install:
+    remediation:
+      retries: 3
+  interval: 30m
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+      strategy: rollback
+  values:
+    controller:
+      admissionWebhooks:
+        objectSelector:
+          matchExpressions:
+          - key: ingress-class
+            operator: In
+            values:
+            - internal
+      config:
+        allow-snippet-annotations: true
+        annotations-risk-level: Critical
+        block-user-agents: GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*
+        client-body-buffer-size: 100M
+        client-body-timeout: 120
+        client-header-timeout: 120
+        enable-brotli: 'true'
+        enable-ocsp: 'true'
+        enable-real-ip: 'true'
+        force-ssl-redirect: 'true'
+        hide-headers: Server,X-Powered-By
+        hsts-max-age: 31449600
+        keep-alive: 120
+        keep-alive-requests: 10000
+        log-format-escape-json: 'true'
+        log-format-upstream: |
+          {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
+        proxy-body-size: 0
+        proxy-buffer-size: 16k
+        ssl-protocols: TLSv1.3 TLSv1.2
+        use-forwarded-headers: 'true'
+      extraArgs:
+        default-ssl-certificate: network/..PLACEHOLDER_SECRET_DOMAIN..-tls
+        publish-status-address: internal...PLACEHOLDER_SECRET_DOMAIN..
+      ingressClassResource:
+        controllerValue: k8s.io/internal
+        default: true
+        name: internal
+      metrics:
+        enabled: true
+        serviceMonitor:
+          enabled: true
+          namespaceSelector:
+            any: true
+      publishService:
+        enabled: false
+      replicaCount: 2
+      resources:
+        limits:
+          memory: 500Mi
+        requests:
+          cpu: 100m
+      service:
+        annotations:
+          external-dns.alpha.kubernetes.io/hostname: internal...PLACEHOLDER_SECRET_DOMAIN..
+          lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_INTERNAL..
+        externalTrafficPolicy: Cluster
+      terminationGracePeriodSeconds: 120
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/component: controller
+            app.kubernetes.io/instance: nginx-internal
+            app.kubernetes.io/name: ingress-nginx
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
+    defaultBackend:
+      enabled: false
+    fullnameOverride: nginx-internal
+
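Review bot: `allow-snippet-annotations: true` together with `annotations-risk-level: Critical` lets anyone who can create an Ingress in any namespace inject raw nginx configuration into this controller, and the `admissionWebhooks.objectSelector` narrows validation to Ingresses labelled `ingress-class: internal`, so an Ingress that selects the class via `className` but lacks that label is not validated at all. For a single-tenant cluster that may be acceptable, but drop `annotations-risk-level` to `High` (the controller 1.12 default) unless a specific snippet needs `Critical`, and either label every Ingress or remove the selector. Second, `log-format-upstream` records `remote_addr` as `$proxy_protocol_addr` while `use-proxy-protocol` is not enabled, so that field will always be empty; use `$remote_addr` (with `enable-real-ip` it already reflects the forwarded client) or turn proxy protocol on. Finally, `hsts-max-age: 31449600` is 364 days; `31536000` (one year) is the usual HSTS baseline.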
--- kubernetes/main/apps/network/external/nginx-ingress/app Kustomization: flux-system/nginx-external HelmRelease: network/nginx-external

+++ kubernetes/main/apps/network/external/nginx-ingress/app Kustomization: flux-system/nginx-external HelmRelease: network/nginx-external

@@ -0,0 +1,98 @@

+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  labels:
+    app.kubernetes.io/name: nginx-external
+    kustomize.toolkit.fluxcd.io/name: nginx-external
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: nginx-external
+  namespace: network
+spec:
+  chart:
+    spec:
+      chart: ingress-nginx
+      sourceRef:
+        kind: HelmRepository
+        name: ingress-nginx
+        namespace: flux-system
+      version: 4.12.0
+  install:
+    remediation:
+      retries: 3
+  interval: 30m
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+      strategy: rollback
+  values:
+    controller:
+      admissionWebhooks:
+        objectSelector:
+          matchExpressions:
+          - key: ingress-class
+            operator: In
+            values:
+            - external
+      config:
+        allow-snippet-annotations: true
+        annotations-risk-level: Critical
+        block-user-agents: GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*
+        client-body-buffer-size: 100M
+        client-body-timeout: 120
+        client-header-timeout: 120
+        enable-brotli: 'true'
+        enable-ocsp: 'true'
+        enable-real-ip: 'true'
+        force-ssl-redirect: 'true'
+        hide-headers: Server,X-Powered-By
+        hsts-max-age: 31449600
+        keep-alive: 120
+        keep-alive-requests: 10000
+        log-format-escape-json: 'true'
+        log-format-upstream: |
+          {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
+        proxy-body-size: 0
+        proxy-buffer-size: 16k
+        ssl-protocols: TLSv1.3 TLSv1.2
+        use-forwarded-headers: 'true'
+      extraArgs:
+        default-ssl-certificate: network/..PLACEHOLDER_SECRET_DOMAIN..-tls
+        publish-status-address: external...PLACEHOLDER_SECRET_DOMAIN..
+      ingressClassResource:
+        controllerValue: k8s.io/external
+        default: false
+        name: external
+      metrics:
+        enabled: true
+        serviceMonitor:
+          enabled: true
+          namespaceSelector:
+            any: true
+      publishService:
+        enabled: false
+      replicaCount: 2
+      resources:
+        limits:
+          memory: 500Mi
+        requests:
+          cpu: 100m
+      service:
+        annotations:
+          external-dns.alpha.kubernetes.io/hostname: external...PLACEHOLDER_SECRET_DOMAIN..
+          lbipam.cilium.io/ips: ..PLACEHOLDER_SVC_NGINX_EXTERNAL..
+      terminationGracePeriodSeconds: 120
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/component: controller
+            app.kubernetes.io/instance: nginx-external
+            app.kubernetes.io/name: ingress-nginx
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
+    defaultBackend:
+      enabled: false
+    fullnameOverride: nginx-external
+
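Review bot: `use-forwarded-headers: 'true'` and `enable-real-ip: 'true'` are set without a `proxy-real-ip-cidr`, so the controller trusts `X-Forwarded-For` from any source; that is fine for traffic arriving via cloudflared (Cloudflare sets the chain), but this Service also gets a LAN address through `lbipam.cilium.io/ips`, so a client reaching it directly can forge its apparent client IP in the logs and in anything keyed on `$remote_addr`. Restrict `proxy-real-ip-cidr` to the addresses the cloudflared replicas connect from, and set `externalTrafficPolicy` explicitly as the internal release does. The snippet/`annotations-risk-level: Critical`, webhook `objectSelector` and `$proxy_protocol_addr` points raised on nginx-internal apply verbatim here and matter more on the class that is reachable from the Internet.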

@joryirving joryirving force-pushed the main branch 12 times, most recently from f175dd2 to 1ca0238 Compare January 15, 2025 20:16
@joryirving joryirving closed this Jan 15, 2025
@joryirving joryirving deleted the feat/refactor-network branch January 15, 2025 20:43