2025-02-16 22:24:50 -06:00
parent 50811026a5
commit f9da7d31bd
23 changed files with 382 additions and 1118 deletions


@@ -16,13 +16,13 @@ dependencies:
- name: vault
version: 0.29.1
repository: https://helm.releases.hashicorp.com
- name: app-template
alias: snapshot
repository: https://bjw-s.github.io/helm-charts/
version: 3.6.1
- name: app-template
alias: unseal
repository: https://bjw-s.github.io/helm-charts/
version: 3.6.1
# - name: app-template
# alias: snapshot
# repository: https://bjw-s.github.io/helm-charts/
# version: 3.6.1
# - name: app-template
# alias: unseal
# repository: https://bjw-s.github.io/helm-charts/
# version: 3.6.1
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/vault.png
appVersion: 1.18.2
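Review bot: The eight `- name: app-template` / `alias: snapshot` / `alias: unseal` dependency lines and the `#`-prefixed duplicate of them directly below are identical apart from the comment marker, and the rendered page does not mark which copy is the side this commit keeps; whichever it is, a verbatim commented-out copy of a chart dependency is dead configuration that git history already preserves. If the two app-template subcharts are meant to stay available as a toggle, replace the commented block with a single comment stating why they are disabled, e.g. `# snapshot/unseal app-template subcharts disabled: <reason>`; otherwise delete it. Note that `helm dependency update` reads only uncommented entries, so the chart's Chart.lock (not shown here) has to be regenerated in the same change or the dependency digest check will fail on the next build.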


@@ -1,379 +1,379 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-snapshot-agent-token
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-snapshot-agent-token
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: snapshot
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: VAULT_APPROLE_ROLE_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/snapshot/approle
metadataPolicy: None
property: role-id
- secretKey: VAULT_APPROLE_SECRET_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/snapshot/approle
metadataPolicy: None
property: secret-id
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-snapshot-agent-token
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-snapshot-agent-token
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: snapshot
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: VAULT_APPROLE_ROLE_ID
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/snapshot/approle
# metadataPolicy: None
# property: role-id
# - secretKey: VAULT_APPROLE_SECRET_ID
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/snapshot/approle
# metadataPolicy: None
# property: secret-id
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-snapshot-s3
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-snapshot-s3
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: snapshot
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/vault-backup
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/vault-backup
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ENDPOINT_URL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/vault-backup
metadataPolicy: None
property: AWS_ENDPOINT_URL
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/vault-backup
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-snapshot-s3
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-snapshot-s3
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: snapshot
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: AWS_ACCESS_KEY_ID
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/vault-backup
# metadataPolicy: None
# property: AWS_ACCESS_KEY_ID
# - secretKey: AWS_DEFAULT_REGION
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/vault-backup
# metadataPolicy: None
# property: AWS_DEFAULT_REGION
# - secretKey: AWS_ENDPOINT_URL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/vault-backup
# metadataPolicy: None
# property: AWS_ENDPOINT_URL
# - secretKey: AWS_SECRET_ACCESS_KEY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/vault-backup
# metadataPolicy: None
# property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-unseal-config-1
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-unseal-key-1
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: unseal
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: ENVIRONMENT
- secretKey: CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: CHECK_INTERVAL
- secretKey: MAX_CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: MAX_CHECK_INTERVAL
- secretKey: NODES
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: NODES
- secretKey: TLS_SKIP_VERIFY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: TLS_SKIP_VERIFY
- secretKey: TOKENS
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: TOKENS
- secretKey: EMAIL_ENABLED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: EMAIL_ENABLED
- secretKey: NOTIFY_MAX_ELAPSED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: NOTIFY_MAX_ELAPSED
- secretKey: NOTIFY_QUEUE_DELAY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-1
metadataPolicy: None
property: NOTIFY_QUEUE_DELAY
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-unseal-config-1
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-unseal-key-1
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: unseal
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: ENVIRONMENT
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: ENVIRONMENT
# - secretKey: CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: CHECK_INTERVAL
# - secretKey: MAX_CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: MAX_CHECK_INTERVAL
# - secretKey: NODES
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: NODES
# - secretKey: TLS_SKIP_VERIFY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: TLS_SKIP_VERIFY
# - secretKey: TOKENS
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: TOKENS
# - secretKey: EMAIL_ENABLED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: EMAIL_ENABLED
# - secretKey: NOTIFY_MAX_ELAPSED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: NOTIFY_MAX_ELAPSED
# - secretKey: NOTIFY_QUEUE_DELAY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None
# property: NOTIFY_QUEUE_DELAY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-unseal-config-2
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-unseal-key-2
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: unseal
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: ENVIRONMENT
- secretKey: CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: CHECK_INTERVAL
- secretKey: MAX_CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: MAX_CHECK_INTERVAL
- secretKey: NODES
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: NODES
- secretKey: TLS_SKIP_VERIFY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: TLS_SKIP_VERIFY
- secretKey: TOKENS
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: TOKENS
- secretKey: EMAIL_ENABLED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: EMAIL_ENABLED
- secretKey: NOTIFY_MAX_ELAPSED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: NOTIFY_MAX_ELAPSED
- secretKey: NOTIFY_QUEUE_DELAY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-2
metadataPolicy: None
property: NOTIFY_QUEUE_DELAY
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-unseal-config-2
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-unseal-key-2
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: unseal
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: ENVIRONMENT
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: ENVIRONMENT
# - secretKey: CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: CHECK_INTERVAL
# - secretKey: MAX_CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: MAX_CHECK_INTERVAL
# - secretKey: NODES
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: NODES
# - secretKey: TLS_SKIP_VERIFY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: TLS_SKIP_VERIFY
# - secretKey: TOKENS
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: TOKENS
# - secretKey: EMAIL_ENABLED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: EMAIL_ENABLED
# - secretKey: NOTIFY_MAX_ELAPSED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: NOTIFY_MAX_ELAPSED
# - secretKey: NOTIFY_QUEUE_DELAY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None
# property: NOTIFY_QUEUE_DELAY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-unseal-config-3
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-unseal-config-3
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: unseal
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ENVIRONMENT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: ENVIRONMENT
- secretKey: CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: CHECK_INTERVAL
- secretKey: MAX_CHECK_INTERVAL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: MAX_CHECK_INTERVAL
- secretKey: NODES
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: NODES
- secretKey: TLS_SKIP_VERIFY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: TLS_SKIP_VERIFY
- secretKey: TOKENS
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: TOKENS
- secretKey: EMAIL_ENABLED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: EMAIL_ENABLED
- secretKey: NOTIFY_MAX_ELAPSED
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: NOTIFY_MAX_ELAPSED
- secretKey: NOTIFY_QUEUE_DELAY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/unseal/config-3
metadataPolicy: None
property: NOTIFY_QUEUE_DELAY
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-unseal-config-3
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-unseal-config-3
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: unseal
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: ENVIRONMENT
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: ENVIRONMENT
# - secretKey: CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: CHECK_INTERVAL
# - secretKey: MAX_CHECK_INTERVAL
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: MAX_CHECK_INTERVAL
# - secretKey: NODES
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: NODES
# - secretKey: TLS_SKIP_VERIFY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: TLS_SKIP_VERIFY
# - secretKey: TOKENS
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: TOKENS
# - secretKey: EMAIL_ENABLED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: EMAIL_ENABLED
# - secretKey: NOTIFY_MAX_ELAPSED
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: NOTIFY_MAX_ELAPSED
# - secretKey: NOTIFY_QUEUE_DELAY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None
# property: NOTIFY_QUEUE_DELAY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-token
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-token
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: token
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: token
- secretKey: unseal_key_1
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_1
- secretKey: unseal_key_2
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_2
- secretKey: unseal_key_3
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_3
- secretKey: unseal_key_4
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_4
- secretKey: unseal_key_5
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/token
metadataPolicy: None
property: unseal_key_5
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vault-token
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vault-token
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: token
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: token
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: token
# - secretKey: unseal_key_1
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_1
# - secretKey: unseal_key_2
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_2
# - secretKey: unseal_key_3
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_3
# - secretKey: unseal_key_4
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_4
# - secretKey: unseal_key_5
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/vault/token
# metadataPolicy: None
# property: unseal_key_5
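Review bot: The `vault-token` ExternalSecret (the document after the last `---`) pulls Vault's root `token` together with all five `unseal_key_*` properties into one Kubernetes Secret in the release namespace, so anyone who can read that Secret, or an etcd snapshot or backup containing it, can both unseal Vault and act as root; the Shamir threshold then protects nothing. The rendered page does not mark whether the plain or the `#`-prefixed copy is the side this commit keeps, but if the plain copy is live I would keep only the key shares the unseal job actually needs (the `vault-unseal-config-*` secrets already carry a `TOKENS` property, presumably for that purpose) and not persist the root token at all, since it is normally revoked after bootstrap. The unseal config secrets also source `TLS_SKIP_VERIFY` from Vault; if that value is true the unseal material is sent over an unverified TLS connection, so a comment pinning the expected value, e.g. `# TLS_SKIP_VERIFY must stay "false": unseal tokens are sent on this connection`, would make a wrong value in the store visible at review time. Smaller point: `vault-unseal-config-1` and `-2` carry the label `app.kubernetes.io/name: vault-unseal-key-N` while `-3` uses `vault-unseal-config-3`; use the metadata name for all three.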


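--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: v2
-name: generic-device-plugin
-version: 1.0.0
-description: Generic Device Plugin
-keywords:
-- generic-device-plugin
-- device
-- plugin
-home: https://wiki.alexlebens.dev/doc/generic-device-plugin-PdquJy1lGu
-sources:
-- https://github.com/squat/generic-device-plugin
-- https://github.com/alexlebens/helm-charts/tree/main/charts/generic-device-plugin
-maintainers:
-- name: alexlebens
-dependencies:
-- name: generic-device-plugin
-repository: http://alexlebens.github.io/helm-charts
-version: 0.1.6
-icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/kubernetes.png
-appVersion: 0.1.2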


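--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,13 +0,0 @@
-generic-device-plugin:
-image:
-repository: ghcr.io/squat/generic-device-plugin
-tag: latest@sha256:ba6f0b4cf6c858d6ad29ba4d32e4da11638abbc7d96436bf04f582a97b2b8821
-config:
-enabled: true
-data: |
-devices:
-- name: tun
-groups:
-- count: 1000
-paths:
-- path: /dev/net/tun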


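--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: v2
-name: intel-device-plugin
-version: 1.0.0
-description: Intel Device Plugin
-keywords:
-- intel-device-plugin
-- operator
-- gpu
-- kubernetes
-home: https://wiki.alexlebens.dev/doc/intel-device-plugin-WGuYx3UYE3
-sources:
-- https://github.com/intel/intel-device-plugins-for-kubernetes
-- https://github.com/intel/helm-charts/tree/main/charts/device-plugin-operator
-- https://github.com/intel/helm-charts/tree/main/charts/gpu-device-plugin
-maintainers:
-- name: alexlebens
-dependencies:
-- name: intel-device-plugins-operator
-version: 0.32.0
-repository: https://intel.github.io/helm-charts/
-- name: intel-device-plugins-gpu
-version: 0.32.0
-repository: https://intel.github.io/helm-charts/
-icon: https://avatars.githubusercontent.com/u/17888862?s=48&v=4
-appVersion: 0.31.1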


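--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,10 +0,0 @@
-intel-device-plugins-gpu:
-name: gpudeviceplugin
-resourceManager: false
-sharedDevNum: 5
-logLevel: 2
-enableMonitoring: true
-allocationPolicy: "none"
-nodeSelector:
-intel.feature.node.kubernetes.io/gpu: 'true'
-nodeFeatureRule: false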


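--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: v2
-name: node-feature-discovery
-version: 1.0.0
-description: Node Feature Discovery
-keywords:
-- node-feature-discovery
-- labels
-- kubernetes
-home: https://wiki.alexlebens.dev/doc/node-feature-discovery-ie3OiqJrjc
-sources:
-- https://github.com/kubernetes-sigs/node-feature-discovery
-maintainers:
-- name: alexlebens
-dependencies:
-- name: node-feature-discovery
-version: 0.17.1
-repository: https://kubernetes-sigs.github.io/node-feature-discovery/charts
-icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/kubernetes.png
-appVersion: 0.16.6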


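--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,244 +0,0 @@
-node-feature-discovery:
-enableNodeFeatureApi: true
-master:
-enable: true
-config: ### <NFD-MASTER-CONF-START-DO-NOT-REMOVE>
-# noPublish: false
-# autoDefaultNs: true
-# extraLabelNs: ["added.ns.io","added.kubernets.io","intel.com","devicetree.org"]
-# denyLabelNs: ["denied.ns.io","denied.kubernetes.io"]
-# resourceLabels: ["vendor-1.com/feature-1","vendor-2.io/feature-2"]
-# enableTaints: false
-# labelWhiteList: "foo"
-# resyncPeriod: "2h"
-# klog:
-# addDirHeader: false
-# alsologtostderr: false
-# logBacktraceAt:
-# logtostderr: true
-# skipHeaders: false
-# stderrthreshold: 2
-# v: 0
-# vmodule:
-## NOTE: the following options are not dynamically run-time configurable
-## and require a nfd-master restart to take effect after being changed
-# logDir:
-# logFile:
-# logFileMaxSize: 1800
-# skipLogHeaders: false
-# leaderElection:
-# leaseDuration: 15s
-# # this value has to be lower than leaseDuration and greater than retryPeriod*1.2
-# renewDeadline: 10s
-# # this value has to be greater than 0
-# retryPeriod: 2s
-# nfdApiParallelism: 10
-### <NFD-MASTER-CONF-END-DO-NOT-REMOVE>
-port: 8080
-metricsPort: 8081
-instance:
-featureApi:
-resyncPeriod:
-denyLabelNs: []
-extraLabelNs: []
-resourceLabels: []
-enableTaints: false
-crdController: null
-featureRulesController: null
-nfdApiParallelism: null
-deploymentAnnotations: {}
-replicaCount: 1
-podSecurityContext: {}
-# fsGroup: 2000
-securityContext:
-allowPrivilegeEscalation: false
-capabilities:
-drop: ["ALL"]
-readOnlyRootFilesystem: true
-runAsNonRoot: true
-# runAsUser: 1000
-serviceAccount:
-create: true
-name:
-rbac:
-create: true
-service:
-type: ClusterIP
-port: 8080
-resources:
-requests:
-cpu: 20m
-memory: 60Mi
-tolerations:
-- key: "node-role.kubernetes.io/control-plane"
-operator: "Equal"
-value: ""
-effect: "NoSchedule"
-affinity:
-nodeAffinity:
-preferredDuringSchedulingIgnoredDuringExecution:
-- weight: 1
-preference:
-matchExpressions:
-- key: "node-role.kubernetes.io/control-plane"
-operator: In
-values: [""]
-worker:
-enable: true
-config: ### <NFD-WORKER-CONF-START-DO-NOT-REMOVE>
-#core:
-# labelWhiteList:
-# noPublish: false
-# sleepInterval: 60s
-# featureSources: [all]
-# labelSources: [all]
-# klog:
-# addDirHeader: false
-# alsologtostderr: false
-# logBacktraceAt:
-# logtostderr: true
-# skipHeaders: false
-# stderrthreshold: 2
-# v: 0
-# vmodule:
-## NOTE: the following options are not dynamically run-time configurable
-## and require a nfd-worker restart to take effect after being changed
-# logDir:
-# logFile:
-# logFileMaxSize: 1800
-# skipLogHeaders: false
-sources:
-cpu:
-cpuid:
-attributeWhitelist:
-- "AVX512BW"
-- "AVX512CD"
-- "AVX512DQ"
-- "AVX512F"
-- "AVX512VL"
-kernel:
-configOpts:
-- "NO_HZ"
-- "X86"
-- "DMI"
-usb:
-deviceClassWhitelist:
-- "02"
-- "03"
-- "0e"
-- "ef"
-- "fe"
-- "ff"
-deviceLabelFields:
-- "vendor"
-- "device"
-- "class"
-pci:
-deviceClassWhitelist:
-- "0200"
-- "01"
-- "08"
-- "0300"
-- "0302"
-deviceLabelFields:
-- "vendor"
-- "device"
-- "class"
-custom:
-- # Intel integrated GPU
-name: "intel-gpu"
-labels:
-intel.feature.node.kubernetes.io/gpu: 'true'
-matchOn:
-- pciId:
-class: ["0300"]
-vendor: ["8086"]
-- # Google Coral USB Accelerator
-name: google.coral
-labels:
-google.feature.node.kubernetes.io/coral: "true"
-matchFeatures:
-- feature: usb.device
-matchExpressions:
-vendor: { op: In, value: ["1a6e", "18d1"] }
-- # Aeotec Z-Stick Gen5+
-name: aeotec.zwave
-labels:
-aeotec.feature.node.kubernetes.io/zwave: "true"
-matchFeatures:
-- feature: usb.device
-matchExpressions:
-class: { op: In, value: ["02"] }
-vendor: { op: In, value: ["0658"] }
-device: { op: In, value: ["0200"] }
-### <NFD-WORKER-CONF-END-DO-NOT-REMOVE>
-metricsPort: 8081
-podSecurityContext: {}
-# fsGroup: 2000
-securityContext:
-allowPrivilegeEscalation: false
-capabilities:
-drop: ["ALL"]
-readOnlyRootFilesystem: true
-runAsNonRoot: true
-# runAsUser: 1000
-serviceAccount:
-create: true
-name:
-rbac:
-create: true
-mountUsrSrc: false
-resources:
-requests:
-cpu: 20m
-memory: 60Mi
-topologyUpdater:
-config: ### <NFD-TOPOLOGY-UPDATER-CONF-START-DO-NOT-REMOVE>
-## key = node name, value = list of resources to be excluded.
-## use * to exclude from all nodes.
-## an example for how the exclude list should looks like
-#excludeList:
-# node1: [cpu]
-# node2: [memory, example/deviceA]
-# *: [hugepages-2Mi]
-### <NFD-TOPOLOGY-UPDATER-CONF-END-DO-NOT-REMOVE>
-enable: true
-createCRDs: true
-serviceAccount:
-create: true
-name:
-rbac:
-create: true
-metricsPort: 8081
-updateInterval: 60s
-watchNamespace: "*"
-kubeletStateDir: /var/lib/kubelet
-securityContext:
-allowPrivilegeEscalation: false
-capabilities:
-drop: ["ALL"]
-readOnlyRootFilesystem: true
-runAsUser: 0
-resources:
-requests:
-cpu: 20m
-memory: 60Mi
-gc:
-enable: true
-replicaCount: 1
-serviceAccount:
-create: true
-name:
-rbac:
-create: true
-interval: 1h
-resources:
-requests:
-cpu: 20m
-memory: 60Mi
-metricsPort: 8081
-tls:
-enable: false
-certManager: false
-prometheus:
-enable: false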


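--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: v2
-name: reloader
-version: 1.0.0
-description: Reloader
-keywords:
-- reloader
-- config-map
-- kubernetes
-home: https://wiki.alexlebens.dev/doc/reloader-4L6pr8JdPl
-sources:
-- https://github.com/stakater/Reloader
-- https://github.com/stakater/Reloader/blob/master/deployments/kubernetes/chart/reloader/Chart.yaml
-maintainers:
-- name: alexlebens
-dependencies:
-- name: reloader
-version: 1.2.1
-repository: https://stakater.github.io/stakater-charts
-icon: https://avatars.githubusercontent.com/u/15930712?s=48&v=4
-appVersion: 1.2.0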


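--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,5 +0,0 @@
-reloader:
-reloader:
-serviceMonitor:
-enabled: true
-namespace: reloader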


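--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v2
-name: cloudnative-pg
-version: 1.0.0
-description: Cloudnative PG
-keywords:
-- cloudnative-pg
-- operator
-- postgresql
-- kubernetes
-home: https://wiki.alexlebens.dev/doc/cloudnative-pg-87MyLNw4xG
-sources:
-- https://github.com/cloudnative-pg/cloudnative-pg
-- https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg
-maintainers:
-- name: alexlebens
-dependencies:
-- name: cloudnative-pg
-version: 0.23.0
-repository: https://cloudnative-pg.io/charts/
-icon: https://avatars.githubusercontent.com/u/100373852?s=48&v=4
-appVersion: 1.24.1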


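--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,4 +0,0 @@
-cloudnative-pg:
-replicaCount: 2
-monitoring:
-podMonitorEnabled: true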


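--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v2
-name: local-path-provisioner
-version: 1.0.0
-description: Local Path Provisioner
-keywords:
-- local-path-provisioner
-- storage
-- kubernetes
-home: https://wiki.alexlebens.dev/doc/local-path-provisioner-40NQQKSDVu
-sources:
-- https://github.com/rancher/local-path-provisioner
-- https://hub.docker.com/r/rancher/local-path-provisioner
-- https://github.com/containeroo/helm-charts/tree/master/charts/local-path-provisioner
-maintainers:
-- name: alexlebens
-dependencies:
-- name: local-path-provisioner
-version: 0.0.32
-repository: https://charts.containeroo.ch
-icon: https://avatars.githubusercontent.com/u/9343010?s=48&v=4
-appVersion: v0.0.30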


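--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,45 +0,0 @@
-local-path-provisioner:
-image:
-repository: rancher/local-path-provisioner
-tag: v0.0.31
-helperImage:
-repository: busybox
-tag: 1.37.0
-storageClass:
-create: true
-defaultClass: false
-defaultVolumeType: hostPath
-name: local-path
-reclaimPolicy: Delete
-volumeBindingMode: WaitForFirstConsumer
-nodePathMap:
-- node: talos-di4-2sr
-paths:
-- /var/local-path-provisioner
-- node: talos-iyl-d2a
-paths:
-- /var/local-path-provisioner
-- node: talos-2ok-0ky
-paths:
-- /var/local-path-provisioner
-affinity:
-nodeAffinity:
-requiredDuringSchedulingIgnoredDuringExecution:
-nodeSelectorTerms:
-- matchExpressions:
-- key: kubernetes.io/hostname
-operator: In
-values:
-- talos-di4-2sr
-- talos-iyl-d2a
-- talos-2ok-0ky
-configmap:
-name: local-path-config
-setup: |-
-#!/bin/sh
-set -eu
-mkdir -m 0777 -p "$VOL_DIR"
-teardown: |-
-#!/bin/sh
-set -eu
-rm -rf "$VOL_DIR"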


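--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v2
-name: minio-operator
-version: 1.0.0
-description: Minio Operator
-keywords:
-- minio-operator
-- minio
-- operator
-- storage
-- s3
-- kubernetes
-home: https://wiki.alexlebens.dev/doc/minio-operator-bEvMUpVreJ
-sources:
-- https://github.com/minio/operator
-- https://github.com/minio/operator/tree/master/helm/operator
-maintainers:
-- name: alexlebens
-dependencies:
-- name: operator
-version: 7.0.0
-repository: https://operator.min.io
-icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/minio.png
-appVersion: v6.0.4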


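--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,7 +0,0 @@
-operator:
-operator:
-env:
-- name: OPERATOR_STS_ENABLED
-value: "off"
-- name: MINIO_CONSOLE_TLS_ENABLE
-value: "off"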


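--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v2
-name: nfs-subdir-external-provisioner
-version: 1.0.0
-description: NFS Subdir External Provisioner
-keywords:
-- nfs-subdir-external-provisioner
-- nfs
-- storage
-- kubernetes
-home: https://wiki.alexlebens.dev/doc/nfs-z7rfU2dz5C
-sources:
-- https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner
-- https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner/tree/master/charts/nfs-subdir-external-provisioner
-maintainers:
-- name: alexlebens
-dependencies:
-- name: nfs-subdir-external-provisioner
-version: 4.0.18
-repository: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
-icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/kubernetes.png
-appVersion: 4.0.18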


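--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,8 +0,0 @@
-nfs-subdir-external-provisioner:
-nfs:
-server: 192.168.1.194
-path: /volume2/Talos
-mountOptions:
-- hard
-- vers=4
-- minorversion=1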


@@ -1,25 +0,0 @@
apiVersion: v2
name: rook-ceph
version: 1.0.0
description: Rook Ceph
keywords:
- rook-ceph
- ceph
- storage
- kubernetes
home: https://wiki.alexlebens.dev/doc/rook-ceph-C7G7SNuP5Z
sources:
- https://github.com/rook/rook
- https://quay.io/repository/ceph/ceph?tab=tags
- https://github.com/rook/rook/tree/master/deploy/charts
maintainers:
- name: alexlebens
dependencies:
- name: rook-ceph
version: v1.16.3
repository: https://charts.rook.io/release
- name: rook-ceph-cluster
version: v1.16.3
repository: https://charts.rook.io/release
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/rook.png
appVersion: v1.16.0


@@ -1,20 +0,0 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: ceph-block-delete
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: ext4
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering,exclusive-lock,object-map,fast-diff
imageFormat: "2"
pool: ceph-blockpool
reclaimPolicy: Delete
allowVolumeExpansion: true
volumeBindingMode: Immediate


@@ -1,146 +0,0 @@
rook-ceph:
crds:
enabled: true
csi:
enableMetadata: true
provisionerReplicas: 3
serviceMonitor:
enabled: true
enableDiscoveryDaemon: true
monitoring:
enabled: true
rook-ceph-cluster:
operatorNamespace: rook-ceph
toolbox:
enabled: true
monitoring:
enabled: true
createPrometheusRules: true
cephClusterSpec:
cephVersion:
# https://quay.io/repository/ceph/ceph?tab=tags
image: quay.io/ceph/ceph:v19.2.0-20240927
mon:
count: 3
mgr:
count: 1
modules:
- name: pg_autoscaler
enabled: true
- name: rook
enabled: true
dashboard:
enabled: true
ssl: false
network:
connections:
encryption:
enabled: true
compression:
enabled: true
requireMsgr2: true
placement:
all:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/rook-osd-node
operator: Exists
mon:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/rook-control-node
operator: Exists
- key: node-role.kubernetes.io/control-plane
operator: Exists
tolerations:
- key: node-role.kubernetes.io/rook-control-node
operator: Exists
- key: node-role.kubernetes.io/control-plane
operator: Exists
resources:
mgr:
limits:
cpu: 2000m
requests:
cpu: 100m
memory: 512Mi
mon:
limits:
cpu: 2000m
requests:
cpu: 200m
memory: 256Mi
osd:
limits:
cpu: 5000m
requests:
cpu: 100m
memory: 2Gi
prepareosd:
requests:
cpu: 100m
memory: 128Mi
storage:
useAllNodes: true
useAllDevices: true
deviceFilter: sda
config:
osdsPerDevice: "1"
csi:
readAffinity:
enabled: true
ingress:
dashboard:
ingressClassName: tailscale
host:
name: ceph-cl01tl
path: /
tls:
- secretName: ceph-cl01tl
hosts:
- ceph-cl01tl
rules:
- host: ceph-cl01tl
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: rook-ceph-mgr-dashboard
port:
name: http-dashboard
cephBlockPools:
- name: ceph-blockpool
spec:
failureDomain: host
replicated:
size: 3
enableRBDStats: false
storageClass:
enabled: true
name: ceph-block
isDefault: true
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: "Immediate"
parameters:
imageFormat: "2"
imageFeatures: layering,exclusive-lock,object-map,fast-diff
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: "{{ .Release.Namespace }}"
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: "{{ .Release.Namespace }}"
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: "{{ .Release.Namespace }}"
csi.storage.k8s.io/fstype: ext4
cephBlockPoolsVolumeSnapshotClass:
enabled: true
name: ceph-blockpool-snapshot
isDefault: false
deletionPolicy: Retain


@@ -1,22 +0,0 @@
apiVersion: v2
name: volsync
version: 1.0.0
description: Volsync
keywords:
- volsync
- backup
- storage
- s3
- kubernetes
home: https://wiki.alexlebens.dev/doc/volsync-iusm70xWOf
sources:
- https://github.com/backube/volsync
- https://github.com/backube/volsync/tree/main/helm/volsync
maintainers:
- name: alexlebens
dependencies:
- name: volsync
version: 0.11.0
repository: https://backube.github.io/helm-charts/
icon: https://raw.githubusercontent.com/backube/volsync/main/docs/media/volsync.svg?sanitize=true
appVersion: 0.11.1


@@ -1,17 +0,0 @@
volsync:
replicaCount: 3
manageCRDs: true
metrics:
disableAuth: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
resources:
limits:
cpu: 2000m
requests:
cpu: 10m
memory: 128Mi