alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 7 Actions 1 Activity

add services

Browse Source
This commit is contained in:
Alex Lebens
2025-02-17 15:56:09 -06:00
parent d2b6009a36
commit 8faacd7077
20 changed files with 6 additions and 267 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
clusters/cl01tl/services/descheduler/Chart.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: v2
name: descheduler
version: 1.0.0
description: descheduler
keywords:
- descheduler
- kube-scheduler
- kubernetes
home: https://wiki.alexlebens.dev/doc/descheduler-satPWfv7Km
sources:
- https://github.com/kubernetes-sigs/descheduler
- https://github.com/kubernetes-sigs/descheduler/tree/master/charts/descheduler
maintainers:
- name: alexlebens
dependencies:
- name: descheduler
version: 0.32.2
repository: https://kubernetes-sigs.github.io/descheduler/
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/kubernetes.png
appVersion: 0.31.0

70
clusters/cl01tl/services/descheduler/values.yaml Normal file
View File

@@ -0,0 +1,70 @@
descheduler:
kind: Deployment
resources:
requests:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
deschedulingInterval: 5m
replicas: 1
leaderElection:
enabled: false
command:
- "/bin/descheduler"
cmdOptions:
v: 3
deschedulerPolicyAPIVersion: "descheduler/v1alpha2"
deschedulerPolicy:
profiles:
- name: default
pluginConfig:
- name: DefaultEvictor
args:
ignorePvcPods: true
evictLocalStoragePods: false
evictDaemonSetPods: false
- name: RemoveDuplicates
- name: RemovePodsViolatingNodeAffinity
args:
nodeAffinityType:
- requiredDuringSchedulingIgnoredDuringExecution
- name: RemovePodsViolatingNodeTaints
- name: RemovePodsViolatingInterPodAntiAffinity
- name: RemovePodsViolatingTopologySpreadConstraint
- name: LowNodeUtilization
args:
thresholds:
cpu: 20
memory: 20
pods: 20
targetThresholds:
cpu: 60
memory: 60
pods: 60
plugins:
balance:
enabled:
- RemoveDuplicates
- RemovePodsViolatingTopologySpreadConstraint
- LowNodeUtilization
deschedule:
enabled:
- RemovePodsViolatingNodeTaints
- RemovePodsViolatingNodeAffinity
- RemovePodsViolatingInterPodAntiAffinity
rbac:
create: true
serviceAccount:
create: true
service:
enabled: true
serviceMonitor:
enabled: true

20
clusters/cl01tl/services/eraser/Chart.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: v2
name: eraser
version: 1.0.0
description: Eraser
keywords:
- eraser
- images
- kubernetes
home: https://wiki.alexlebens.dev/doc/eraser-XPOB4BLlm7
sources:
- https://github.com/eraser-dev/eraser
- https://github.com/eraser-dev/eraser/tree/main/charts/eraser
maintainers:
- name: alexlebens
dependencies:
- name: eraser
version: v1.3.1
repository: https://eraser-dev.github.io/eraser/charts
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/kubernetes.png
appVersion: v1.3.1

70
clusters/cl01tl/services/eraser/values.yaml Normal file
View File

@@ -0,0 +1,70 @@
eraser:
runtimeConfig:
apiVersion: eraser.sh/v1alpha3
kind: EraserConfig
manager:
runtime:
name: containerd
address: unix:///run/containerd/containerd.sock
logLevel: info
scheduling:
repeatInterval: 24h
beginImmediately: true
profile:
enabled: false
port: 6060
imageJob:
successRatio: 1.0
cleanup:
delayOnSuccess: 0s
delayOnFailure: 24h
nodeFilter:
type: exclude
selectors:
- eraser.sh/cleanup.filter
- kubernetes.io/os=windows
components:
collector:
enabled: true
request:
cpu: 10m
memory: 128Mi
scanner:
enabled: false
request:
cpu: 100m
memory: 128Mi
config: "" # |
# cacheDir: /var/lib/trivy
# dbRepo: ghcr.io/aquasecurity/trivy-db
# deleteFailedImages: true
# deleteEOLImages: true
# vulnerabilities:
# ignoreUnfixed: true
# types:
# - os
# - library
# securityChecks:
# - vuln
# severities:
# - CRITICAL
# - HIGH
# - MEDIUM
# - LOW
# ignoredStatuses:
# timeout:
# total: 23h
# perImage: 1h
remover:
request:
cpu: 10m
memory: 128Mi
deploy:
securityContext:
allowPrivilegeEscalation: false
resources:
requests:
cpu: 10m
memory: 30Mi
nodeSelector:
kubernetes.io/os: linux

21
clusters/cl01tl/services/spegel/Chart.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: v2
name: spegel
version: 1.0.0
description: Spegel
keywords:
- spegel
- image
- cache
- kubernetes
home: https://wiki.alexlebens.dev/doc/spegel-sGOCkqO5Gu
sources:
- https://github.com/spegel-org/spegel
- https://github.com/spegel-org/spegel/tree/main/charts/spegel
maintainers:
- name: alexlebens
dependencies:
- name: spegel
version: v0.0.30
repository: oci://ghcr.io/spegel-org/helm-charts
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/kubernetes.png
appVersion: v0.0.27

6
clusters/cl01tl/services/spegel/templates/namespace.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: spegel
labels:
pod-security.kubernetes.io/enforce: privileged

41
clusters/cl01tl/services/spegel/values.yaml Normal file
View File

@@ -0,0 +1,41 @@
spegel:
service:
registry:
port: 5000
nodePort: 30021
hostPort: 30020
topologyAwareHintsEnabled: true
router:
port: 5001
metrics:
port: 9090
resources:
requests:
cpu: 10m
memory: 64Mi
nodeSelector:
kubernetes.io/os: linux
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
serviceMonitor:
enabled: true
priorityClassName: system-node-critical
spegel:
logLevel: "INFO"
registries:
- https://cgr.dev
- https://docker.io
- https://ghcr.io
- https://quay.io
- https://mcr.microsoft.com
- https://public.ecr.aws
- https://gcr.io
- https://registry.k8s.io
- https://k8s.gcr.io
- https://lscr.io
containerdRegistryConfigPath: /etc/cri/conf.d/hosts

23
clusters/cl01tl/services/tailscale-operator/Chart.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: v2
name: tailscale-operator
version: 1.0.0
description: Tailscale Operator
keywords:
- tailscale-operator
- tailscale
- wireguard
- vpn
- kubernetes
home: https://wiki.alexlebens.dev/doc/tailscale-operator-u9TCoCqP12
sources:
- https://github.com/tailscale/tailscale/tree/main/cmd/k8s-operator/deploy
- https://hub.docker.com/r/tailscale/k8s-operator
- https://github.com/tailscale/tailscale/tree/main/cmd/k8s-operator/deploy/chart
maintainers:
- name: alexlebens
dependencies:
- name: tailscale-operator
version: 1.80.0
repository: https://pkgs.tailscale.com/helmcharts
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/tailscale.png
appVersion: v1.80.0

19
clusters/cl01tl/services/tailscale-operator/templates/connector.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: tailscale.com/v1alpha1
kind: Connector
metadata:
name: subnet-router-local
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: subnet-router-local
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: tailscale
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
hostname: subnet-router-local-cl01tl
proxyClass: default
subnetRouter:
advertiseRoutes:
- 192.168.1.0/24
- 10.230.0.0/24
- 10.232.0.0/22

16
clusters/cl01tl/services/tailscale-operator/templates/dns-config.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: tailscale.com/v1alpha1
kind: DNSConfig
metadata:
name: ts-dns
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: ts-dns
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: tailscale
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
nameserver:
image:
repo: tailscale/k8s-nameserver
tag: unstable-v1.81.44

30
clusters/cl01tl/services/tailscale-operator/templates/external-secrets.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: operator-oauth
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: operator-oauth
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: client_id
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tailscale/k8s-operator
metadataPolicy: None
property: clientId
- secretKey: client_secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tailscale/k8s-operator
metadataPolicy: None
property: clientSecret

26
clusters/cl01tl/services/tailscale-operator/templates/proxy-class.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: tailscale.com/v1alpha1
kind: ProxyClass
metadata:
name: default
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: default
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: proxy
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
metrics:
enable: true
serviceMonitor:
enable: true
statefulSet:
pod:
tailscaleContainer:
resources:
limits:
squat.ai/tun: "1"
tailscaleInitContainer:
resources:
limits:
squat.ai/tun: "1"

21
clusters/cl01tl/services/tailscale-operator/values.yaml Normal file
View File

@@ -0,0 +1,21 @@
tailscale-operator:
oauth: {}
installCRDs: true
operatorConfig:
defaultTags:
- "tag:k8s-operator"
logging: info
hostname: tailscale-operator-cl01tl
nodeSelector:
kubernetes.io/os: linux
operatorConfig:
securityContext:
capabilities:
add:
- NET_ADMIN
proxyConfig:
defaultTags: "tag:k8s"
firewallMode: auto
defaultProxyClass: "default"
apiServerProxyConfig:
mode: "false"

21
clusters/cl01tl/services/traefik/Chart.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: v2
name: traefik
version: 1.0.0
description: Traefik
keywords:
- traefik
- reverse-proxy
- tls
- kubernetes
home: https://wiki.alexlebens.dev/doc/traefik-nMRQxYCVUF
sources:
- https://github.com/traefik/traefik
- https://github.com/traefik/traefik-helm-chart
maintainers:
- name: alexlebens
dependencies:
- name: traefik
version: 34.2.0
repository: https://traefik.github.io/charts
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/traefik.png
appVersion: v3.2.3

19
clusters/cl01tl/services/traefik/templates/certificate.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: traefik-certificate
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretName: traefik-secret-tls
dnsNames:
- "alexlebens.net"
- "*.alexlebens.net"
issuerRef:
name: letsencrypt-issuer
kind: ClusterIssuer

88
clusters/cl01tl/services/traefik/values.yaml Normal file
View File

@@ -0,0 +1,88 @@
traefik:
deployment:
kind: DaemonSet
ingressClass:
enabled: true
isDefaultClass: true
ingressRoute:
dashboard:
enabled: true
matchRule: (Host(`traefik-cl01tl.alexlebens.net`) && (PathPrefix(`/api/`) || PathPrefix(`/dashboard/`)))
entryPoints: ["websecure"]
providers:
kubernetesCRD:
allowCrossNamespace: true
allowEmptyServices: true
kubernetesIngress:
allowEmptyServices: true
publishedService:
enabled: true
metrics:
prometheus:
service:
enabled: true
disableAPICheck:
serviceMonitor:
enabled: true
prometheusRule:
enabled: false
globalArguments: []
ports:
web:
expose:
default: true
exposedPort: 80
redirections:
entryPoint:
to: websecure
scheme: https
permanent: true
forwardedHeaders:
trustedIPs:
- 10.0.0.0/8
- 172.16.0.0/16
- 192.168.0.0/16
- fc00::/7
insecure: false
proxyProtocol:
trustedIPs:
- 10.0.0.0/8
- 172.16.0.0/16
- 192.168.0.0/16
- fc00::/7
insecure: false
websecure:
port: 8443
expose:
default: true
exposedPort: 443
forwardedHeaders:
trustedIPs:
- 10.0.0.0/8
- 172.16.0.0/16
- 192.168.0.0/16
- fc00::/7
insecure: false
proxyProtocol:
trustedIPs:
- 10.0.0.0/8
- 172.16.0.0/16
- 192.168.0.0/16
- fc00::/7
insecure: false
tls:
enabled: true
metrics:
expose:
default: false
tlsStore:
default:
defaultCertificate:
secretName: traefik-secret-tls
service:
enabled: true
type: LoadBalancer
externalIPs:
- 192.168.1.17
- 192.168.1.16
- 192.168.1.15