Merge pull request 'Automated Manifest Update' (#6271) from auto/update-manifests into manifests

Reviewed-on: #6271
This commit was merged in pull request #6271.
2026-04-26 17:47:54 +00:00
15 changed files with 105 additions and 162 deletions


@@ -55,7 +55,7 @@ spec:
secretKeyRef:
key: ntfy-url
name: audiobookshelf-config-apprise
image: ghcr.io/caronc/apprise:v1.3.3@sha256:4bfeac268ba87b8e08e308c9aa0182fe99e9501ec464027afc333d1634e65977
image: ghcr.io/caronc/apprise:v1.4.0@sha256:9d97a6b9b42cf6afdf3b5466dbed2a59cd42a4bb777ec6aa57b5f2ee623569eb
name: apprise-api
- env:
- name: TZ


@@ -1,14 +1,15 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: rclone-directus-assets
name: directus-directus-assets-rclone
labels:
app.kubernetes.io/controller: directus-assets
app.kubernetes.io/instance: rclone
app.kubernetes.io/controller: main
app.kubernetes.io/instance: directus
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: rclone
helm.sh/chart: rclone-4.6.2
namespace: rclone
app.kubernetes.io/name: directus-assets-rclone
app.kubernetes.io/version: v1.73.5
helm.sh/chart: rclone-directus-assets-remote-0.2.0
namespace: directus
spec:
suspend: false
concurrencyPolicy: Forbid
@@ -24,9 +25,9 @@ spec:
template:
metadata:
labels:
app.kubernetes.io/controller: directus-assets
app.kubernetes.io/instance: rclone
app.kubernetes.io/name: rclone
app.kubernetes.io/controller: main
app.kubernetes.io/instance: directus
app.kubernetes.io/name: directus-assets-rclone
spec:
enableServiceLinks: false
serviceAccountName: default
@@ -56,22 +57,22 @@ spec:
valueFrom:
secretKeyRef:
key: ACCESS_KEY_ID
name: garage-directus-secret
name: directus-assets-rclone-source-config
- name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
key: ACCESS_SECRET_KEY
name: garage-directus-secret
name: directus-assets-rclone-source-config
- name: RCLONE_CONFIG_SRC_REGION
valueFrom:
secretKeyRef:
key: ACCESS_REGION
name: garage-directus-secret
name: directus-assets-rclone-source-config
- name: RCLONE_CONFIG_SRC_ENDPOINT
valueFrom:
secretKeyRef:
key: SRC_ENDPOINT
name: garage-directus-secret
name: directus-assets-rclone-source-config
- name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
value: "true"
- name: RCLONE_CONFIG_DEST_TYPE
@@ -84,23 +85,24 @@ spec:
valueFrom:
secretKeyRef:
key: ACCESS_KEY_ID
name: garage-directus-secret
name: directus-assets-rclone-destination-config
- name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
key: ACCESS_SECRET_KEY
name: garage-directus-secret
name: directus-assets-rclone-destination-config
- name: RCLONE_CONFIG_DEST_REGION
valueFrom:
secretKeyRef:
key: ACCESS_REGION
name: garage-directus-secret
name: directus-assets-rclone-destination-config
- name: RCLONE_CONFIG_DEST_ENDPOINT
valueFrom:
secretKeyRef:
key: DEST_ENDPOINT
name: garage-directus-secret
- name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE
name: directus-assets-rclone-destination-config
- name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
value: "true"
image: rclone/rclone:1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
imagePullPolicy: IfNotPresent
name: sync
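Review bot: The last env entry in the final hunk is renamed from `RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE` to `RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE`, which no longer follows the `RCLONE_CONFIG_<REMOTE>_...` naming every other variable in this container uses and looks like a templating slip. As written, the DEST remote has no counterpart to `RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE`, and the new name presumably attaches to the SRC remote instead, so the two remotes may end up addressed differently. I would restore `- name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE` with `value: "true"`, in the chart template if these manifests are rendered from one. The container spec continues outside the hunk.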


@@ -0,0 +1,33 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-assets-rclone-destination-config
namespace: directus
labels:
helm.sh/chart: rclone-directus-assets-remote-0.2.0
app.kubernetes.io/instance: directus
app.kubernetes.io/part-of: directus
app.kubernetes.io/version: "0.2.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: directus-assets-rclone-destination-config
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
key: /garage/home-infra/directus-assets
property: ACCESS_KEY_ID
- secretKey: ACCESS_SECRET_KEY
remoteRef:
key: /garage/home-infra/directus-assets
property: ACCESS_KEY_ID
- secretKey: ACCESS_REGION
remoteRef:
key: /garage/home-infra/directus-assets
property: ACCESS_KEY_ID
- secretKey: DEST_ENDPOINT
remoteRef:
key: /garage/config
property: ENDPOINT_REMOTE
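Review bot: In this new ExternalSecret the `ACCESS_SECRET_KEY` and `ACCESS_REGION` entries both read `property: ACCESS_KEY_ID`, so all three destination credentials resolve to the access key ID. The source-config ExternalSecret changed in this same commit maps them to `property: ACCESS_SECRET_KEY` and `property: ACCESS_REGION`, which is what these two lines should read. Besides breaking authentication for the DEST remote, the copy-paste puts the key ID into the field the CronJob consumes as `RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY`. Since the manifests appear to be rendered from a Helm chart, the fix belongs in the chart template.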


@@ -1,12 +1,15 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: garage-directus-secret
namespace: rclone
name: directus-assets-rclone-source-config
namespace: directus
labels:
app.kubernetes.io/name: garage-directus-secret
app.kubernetes.io/instance: rclone
app.kubernetes.io/part-of: rclone
helm.sh/chart: rclone-directus-assets-remote-0.2.0
app.kubernetes.io/instance: directus
app.kubernetes.io/part-of: directus
app.kubernetes.io/version: "0.2.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: directus-assets-rclone-source-config
spec:
secretStoreRef:
kind: ClusterSecretStore
@@ -16,19 +19,15 @@ spec:
remoteRef:
key: /garage/home-infra/directus-assets
property: ACCESS_KEY_ID
- secretKey: ACCESS_REGION
remoteRef:
key: /garage/home-infra/directus-assets
property: ACCESS_REGION
- secretKey: ACCESS_SECRET_KEY
remoteRef:
key: /garage/home-infra/directus-assets
property: ACCESS_SECRET_KEY
- secretKey: ACCESS_REGION
remoteRef:
key: /garage/home-infra/directus-assets
property: ACCESS_REGION
- secretKey: SRC_ENDPOINT
remoteRef:
key: /garage/config
property: ENDPOINT_LOCAL
- secretKey: DEST_ENDPOINT
remoteRef:
key: /garage/config
property: ENDPOINT_REMOTE


@@ -50,24 +50,24 @@ spec:
valueFrom:
secretKeyRef:
key: navidrome-user
name: music-grabber-config-secret
name: music-grabber-config
- name: NAVIDROME_PASS
valueFrom:
secretKeyRef:
key: navidrome-password
name: music-grabber-config-secret
name: music-grabber-config
- name: SLSKD_URL
value: http://slskd.slskd:5030
- name: SLSKD_USER
valueFrom:
secretKeyRef:
key: slskd-user
name: music-grabber-config-secret
name: music-grabber-config
- name: SLSKD_PASS
valueFrom:
secretKeyRef:
key: slskd-password
name: music-grabber-config-secret
name: music-grabber-config
- name: SLSKD_DOWNLOADS_PATH
value: /mnt/store/slskd/Downloads
image: g33kphr33k/musicgrabber:2.6.6@sha256:dad8dec4e32671ef7326d31f58ea626fa4622571e65c6bb34459bc2648f1fead


@@ -72,7 +72,7 @@ spec:
secretKeyRef:
key: ntfy-url
name: qbit-manage-config
image: ghcr.io/caronc/apprise:v1.3.3@sha256:4bfeac268ba87b8e08e308c9aa0182fe99e9501ec464027afc333d1634e65977
image: ghcr.io/caronc/apprise:v1.4.0@sha256:9d97a6b9b42cf6afdf3b5466dbed2a59cd42a4bb777ec6aa57b5f2ee623569eb
name: apprise-api
- env:
- name: TZ


@@ -29,7 +29,7 @@ spec:
app.kubernetes.io/name: talos
spec:
enableServiceLinks: false
serviceAccountName: default
serviceAccountName: talos-defrag
automountServiceAccountToken: true
hostIPC: false
hostNetwork: false
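Review bot: `serviceAccountName: talos-defrag` names a ServiceAccount that this commit does not create: the ServiceAccount manifests added here are called `etcd-defrag` and `talos`, and `talos-backup` is deleted. The same line changes in the next two file sections, and the SecretProviderClass switch to `roleName: talos-defrag` relies on the same name being bound on the OpenBao side. Unless `talos-defrag` already exists in the workload's namespace, these pods will not be created. With `automountServiceAccountToken: true` it is also worth confirming which identity and RBAC the job actually runs with. The pod spec continues outside the hunk.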


@@ -29,7 +29,7 @@ spec:
app.kubernetes.io/name: talos
spec:
enableServiceLinks: false
serviceAccountName: default
serviceAccountName: talos-defrag
automountServiceAccountToken: true
hostIPC: false
hostNetwork: false


@@ -29,7 +29,7 @@ spec:
app.kubernetes.io/name: talos
spec:
enableServiceLinks: false
serviceAccountName: default
serviceAccountName: talos-defrag
automountServiceAccountToken: true
hostIPC: false
hostNetwork: false


@@ -11,7 +11,7 @@ spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: talos-backup
roleName: talos-defrag
objects: |
- objectName: config
fileName: config


@@ -0,0 +1,10 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: etcd-defrag
labels:
app.kubernetes.io/instance: talos
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: talos
helm.sh/chart: etcd-defrag-4.6.2
namespace: talos


@@ -1,9 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: talos-backup
namespace: talos
labels:
app.kubernetes.io/name: talos-backup
app.kubernetes.io/instance: talos
app.kubernetes.io/part-of: talos


@@ -0,0 +1,10 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: talos
labels:
app.kubernetes.io/instance: talos
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: talos
helm.sh/chart: etcd-backup-4.6.2
namespace: talos


@@ -12,75 +12,3 @@ data:
echo " ";
echo ">> Running S3 backup for Vault snapshot";
OUTPUT=$(s3cmd sync --no-check-certificate -v /opt/backup/* "${BUCKET}/cl01tl/cl01tl-vault-snapshots/" 2>&1)
STATUS=$?
if [ $STATUS -ne 0 ]; then
if echo "$OUTPUT" | grep -q "403 Forbidden"; then
MESSAGE="403 Authentication Error: Your keys are wrong or you don't have permission"
elif echo "$OUTPUT" | grep -q "404 Not Found"; then
MESSAGE="404 Error: The bucket or folder does not exist"
elif echo "$OUTPUT" | grep -q "Connection refused"; then
MESSAGE="Network Error: Cannot reach the S3 endpoint"
else
MESSAGE="Unknown Error"
echo " ";
echo ">> Unknown Error, output:"
echo " "
echo "$OUTPUT"
fi
MAX_RETRIES=5
SUCCESS=false
echo " "
echo ">> Sending message to ntfy using curl ..."
echo " "
echo ">> Verifying required commands ..."
for i in $(seq 1 "$MAX_RETRIES"); do
if apk update 2>&1 >/dev/null; then
echo ">> Attempt $i: Repositories are reachable";
SUCCESS=true;
break;
else
echo ">> Attempt $i: Connection failed, retrying in 5 seconds ...";
sleep 5;
fi;
done;
if [ "$SUCCESS" = false ]; then
echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ...";
exit 1;
fi
if ! command -v curl 2>&1 >/dev/null; then
echo ">> Command curl could not be found, installing";
apk add --no-cache -q curl;
if [ $? -eq 0 ]; then
echo ">> Installation successful";
else
echo ">> Installation failed with exit code $?";
exit 1;
fi;
fi;
echo " "
echo ">> Sending to NTFY ..."
echo ">> Message: $MESSAGE"
HTTP_STATUS=$(curl \
--silent \
--write-out '%{http_code}' \
-H "Authorization: Bearer ${NTFY_TOKEN}" \
-H "X-Priority: 5" \
-H "X-Tags: warning" \
-H "X-Title: Vault Backup Failed for ${TARGET}" \
-d "$MESSAGE" \
${NTFY_ENDPOINT}/${NTFY_TOPIC}
)
echo ">> HTTP Status Code: $HTTP_STATUS"
else
echo " ";
echo ">> S3 Sync succeeded"
fi
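Review bot: With the error handling removed, the retained `OUTPUT=$(s3cmd sync ... 2>&1)` line still captures everything s3cmd prints into a variable that, going by the hunk counts, nothing reads any more, so a failed upload of the Vault snapshot leaves no trace in the job log and no longer raises an ntfy alert. If dropping the notification is intended, run the command without the capture, or follow it with `echo "$OUTPUT"` and an explicit non-zero `exit` on failure, so a broken backup stays visible. Separately, `--no-check-certificate` on that same line uploads the snapshot without verifying the S3 endpoint's TLS certificate; confirm that this is still required. The script starts outside the hunk.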


@@ -10,56 +10,26 @@ metadata:
data:
snapshot.sh: |
DATE=$(date +"%Y%m%d-%H-%M")
MAX_RETRIES=5
SUCCESS=false
echo " "
echo ">> Running Vault Snapshot Script ..."
echo " "
echo ">> Verifying required commands ..."
echo " "
echo ">> Fetching Vault token ..."
export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID)
for i in $(seq 1 "$MAX_RETRIES"); do
if apk update 2>&1 >/dev/null; then
echo ">> Attempt $i: Repositories are reachable";
SUCCESS=true;
break;
else
echo ">> Attempt $i: Connection failed, retrying in 5 seconds ...";
sleep 5;
fi;
done;
if [ "$SUCCESS" = false ]; then
echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ...";
exit 1;
if [ -z "$VAULT_TOKEN" ]; then
echo ">> ERROR: Failed to fetch Vault token! Exiting..."
exit 1
fi
echo " "
if ! command -v jq 2>&1 >/dev/null; then
echo ">> Command jq could not be found, installing";
apk add --no-cache -q jq;
if [ $? -eq 0 ]; then
echo ">> Installation successful";
else
echo ">> Installation failed with exit code $?";
exit 1;
fi;
fi;
echo " ";
echo ">> Fetching Vault token ...";
export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
echo " ";
echo ">> Taking Vault snapsot ...";
echo ">> Taking Vault snapshot ..."
vault operator raft snapshot save /opt/backup/vault-snapshot-$DATE.snap
echo " ";
echo ">> Setting ownership of Vault snapsot ...";
echo " "
echo ">> Setting ownership of Vault snapshot ..."
chown 100:1000 /opt/backup/vault-snapshot-$DATE.snap
echo " ";
echo ">> Completed Vault snapshot";
echo " "
echo ">> Completed Vault snapshot"
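Review bot: The new `-z "$VAULT_TOKEN"` guard covers the login, but the exit status of `vault operator raft snapshot save` is still unchecked, so the script goes on to `chown` and prints "Completed Vault snapshot" even when no snapshot was written. Appending `|| { echo ">> ERROR: Vault snapshot failed"; exit 1; }` to that line, and quoting the path as `"/opt/backup/vault-snapshot-$DATE.snap"`, would make a failed backup fail the job. The login line also passes `secret_id=$VAULT_APPROLE_SECRET_ID` unquoted on the command line, where it can be read from the process list inside the container. Quote both variables and check whether the secret can be supplied without appearing in argv.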