migrate

clusters/cl01tl/helm/rook-ceph/Chart.lock

@@ -0,0 +1,12 @@
+dependencies:
+- name: rook-ceph
+  repository: https://charts.rook.io/release
+  version: v1.18.7
+- name: rook-ceph-cluster
+  repository: https://charts.rook.io/release
+  version: v1.18.7
+- name: cloudflared
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 1.23.0
+digest: sha256:af8dd1358e17c5b88a9ac10a9864b960da1cbdd7f6d0aa9bdadcb8d0a65c6d31
+generated: "2025-12-01T20:27:15.315208-06:00"

clusters/cl01tl/helm/rook-ceph/Chart.yaml

@@ -0,0 +1,29 @@
+apiVersion: v2
+name: rook-ceph
+version: 1.0.0
+description: Rook Ceph
+keywords:
+  - rook-ceph
+  - ceph
+  - storage
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/8592da1d-8168-4c6c-a3e4-106902fe878c
+sources:
+  - https://github.com/rook/rook
+  - https://quay.io/repository/ceph/ceph?tab=tags
+  - https://github.com/rook/rook/tree/master/deploy/charts
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: rook-ceph
+    version: v1.18.7
+    repository: https://charts.rook.io/release
+  - name: rook-ceph-cluster
+    version: v1.18.7
+    repository: https://charts.rook.io/release
+  - name: cloudflared
+    alias: cloudflared-rgw
+    repository: oci://harbor.alexlebens.net/helm-charts
+    version: 1.23.0
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ceph.png
+appVersion: v1.17.1

clusters/cl01tl/helm/rook-ceph/templates/external-secret.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: ceph-rgw-cloudflared-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: ceph-rgw-cloudflared-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: cf-tunnel-token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/tunnels/ceph-rgw
+        metadataPolicy: None
+        property: token

clusters/cl01tl/helm/rook-ceph/templates/http-route.yaml

@@ -0,0 +1,58 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-rook-ceph
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-rook-ceph
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - ceph.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: rook-ceph-mgr-dashboard
+          port: 7000
+          weight: 100
+
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-rook-ceph-rgw
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-rook-ceph-rgw
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - objects.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: rook-ceph-rgw-ceph-objectstore
+          port: 80
+          weight: 100

clusters/cl01tl/helm/rook-ceph/templates/namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: rook-ceph
+  labels:
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/rook-ceph/values.yaml

@@ -0,0 +1,198 @@
+rook-ceph:
+  crds:
+    enabled: true
+  csi:
+    rookUseCsiOperator: true
+    cephFSKernelMountOptions: "ms_mode=secure"
+    enableMetadata: true
+    provisionerReplicas: 3
+    serviceMonitor:
+      enabled: true
+  enableDiscoveryDaemon: true
+  monitoring:
+    enabled: true
+
+rook-ceph-cluster:
+  toolbox:
+    enabled: true
+  monitoring:
+    enabled: true
+    createPrometheusRules: true
+    prometheusRuleOverrides:
+      CephNodeDiskspaceWarning:
+        disabled: true
+  cephImage:
+    # https://quay.io/repository/ceph/ceph?tab=tags
+    repository: quay.io/ceph/ceph
+    tag: v19.2.3-20250717
+  cephClusterSpec:
+    mgr:
+      count: 1
+      modules:
+        - name: pg_autoscaler
+          enabled: true
+        - name: rook
+          enabled: true
+    dashboard:
+      enabled: true
+      ssl: false
+    network:
+      connections:
+        encryption:
+          enabled: true
+        compression:
+          enabled: true
+        requireMsgr2: true
+    placement:
+      all:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: node-role.kubernetes.io/rook-osd-node
+                    operator: Exists
+      mon:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: node-role.kubernetes.io/rook-mon-node
+                    operator: Exists
+                  - key: node-role.kubernetes.io/control-plane
+                    operator: Exists
+        tolerations:
+          - key: node-role.kubernetes.io/rook-mon-node
+            operator: Exists
+          - key: node-role.kubernetes.io/control-plane
+            operator: Exists
+    resources:
+      mgr:
+        requests:
+          cpu: 100m
+          memory: 512Mi
+      mon:
+        requests:
+          cpu: 200m
+          memory: 256Mi
+      osd:
+        requests:
+          cpu: 100m
+          memory: 2Gi
+      prepareosd:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+    storage:
+      deviceFilter: sda
+      config:
+        osdsPerDevice: "1"
+    csi:
+      readAffinity:
+        enabled: true
+  cephBlockPools:
+    - name: ceph-blockpool
+      spec:
+        failureDomain: host
+        replicated:
+          size: 3
+        enableRBDStats: false
+      storageClass:
+        enabled: true
+        name: ceph-block
+        isDefault: true
+        reclaimPolicy: Delete
+        allowVolumeExpansion: true
+        volumeBindingMode: "Immediate"
+        parameters:
+          imageFormat: "2"
+          imageFeatures: layering,exclusive-lock,object-map,fast-diff
+          csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
+          csi.storage.k8s.io/provisioner-secret-namespace: "{{ .Release.Namespace }}"
+          csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
+          csi.storage.k8s.io/controller-expand-secret-namespace: "{{ .Release.Namespace }}"
+          csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
+          csi.storage.k8s.io/node-stage-secret-namespace: "{{ .Release.Namespace }}"
+          csi.storage.k8s.io/fstype: ext4
+  cephFileSystems:
+    - name: ceph-filesystem
+      spec:
+        metadataPool:
+          replicated:
+            size: 3
+        dataPools:
+          - failureDomain: host
+            replicated:
+              size: 3
+            name: data0
+        metadataServer:
+          activeCount: 1
+          activeStandby: true
+          resources:
+            requests:
+              cpu: "1000m"
+              memory: "4Gi"
+          priorityClassName: system-cluster-critical
+      storageClass:
+        enabled: true
+        isDefault: false
+        name: ceph-filesystem
+        pool: data0
+        reclaimPolicy: Delete
+        allowVolumeExpansion: true
+        volumeBindingMode: "Immediate"
+        parameters:
+          csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
+          csi.storage.k8s.io/provisioner-secret-namespace: "{{ .Release.Namespace }}"
+          csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
+          csi.storage.k8s.io/controller-expand-secret-namespace: "{{ .Release.Namespace }}"
+          csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
+          csi.storage.k8s.io/node-stage-secret-namespace: "{{ .Release.Namespace }}"
+          csi.storage.k8s.io/fstype: ext4
+  cephFileSystemVolumeSnapshotClass:
+    enabled: true
+    name: ceph-filesystem
+    isDefault: false
+    deletionPolicy: Delete
+  cephBlockPoolsVolumeSnapshotClass:
+    enabled: true
+    name: ceph-blockpool-snapshot
+    isDefault: true
+    deletionPolicy: Delete
+  cephObjectStores:
+    - name: ceph-objectstore
+      spec:
+        metadataPool:
+          failureDomain: host
+          replicated:
+            size: 3
+        dataPool:
+          failureDomain: host
+          erasureCoded:
+            dataChunks: 2
+            codingChunks: 1
+          parameters:
+            bulk: "true"
+        preservePoolsOnDelete: true
+        gateway:
+          port: 80
+          resources:
+            requests:
+              cpu: "1000m"
+              memory: "1Gi"
+          instances: 1
+          priorityClassName: system-cluster-critical
+        hosting:
+          dnsNames:
+            - objects.alexlebens.dev
+            - objects.alexlebens.net
+      storageClass:
+        enabled: true
+        name: ceph-bucket
+        reclaimPolicy: Delete
+        volumeBindingMode: "Immediate"
+        parameters:
+          region: us-east-1
+
+cloudflared-rgw:
+  existingSecretName: ceph-rgw-cloudflared-secret
+  name: cloudflared-rgw