a4d5f9fe03
...
916aa3df74
Author | SHA1 | Date | |
---|---|---|---|
916aa3df74
|
@@ -6,7 +6,7 @@ libation:
|
||||
suspend: false
|
||||
concurrencyPolicy: Forbid
|
||||
timeZone: US/Central
|
||||
schedule: "30 4 * * *"
|
||||
schedule: "0 * * * *"
|
||||
startingDeadlineSeconds: 90
|
||||
successfulJobsHistory: 3
|
||||
failedJobsHistory: 3
|
||||
|
@@ -75,7 +75,7 @@ roundcube:
|
||||
suspend: false
|
||||
concurrencyPolicy: Forbid
|
||||
timeZone: US/Central
|
||||
schedule: 30 4 * * *
|
||||
schedule: 0 4 * * *
|
||||
startingDeadlineSeconds: 90
|
||||
successfulJobsHistory: 3
|
||||
failedJobsHistory: 3
|
||||
|
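Review bot: Both `schedule` lines in the roundcube hunk are unquoted plain scalars (`schedule: 30 4 * * *` and `schedule: 0 4 * * *`), while the libation, kubernetes-cloudflare-ddns and etcd-backup values in this same compare quote theirs. A space-separated cron string with `*` happens to parse as a string today, but quoting it (`schedule: "0 4 * * *"`) removes any dependence on parser behaviour and keeps the chart values consistent across files. The rendered page dropped the +/- markers, so I cannot tell which of the two lines is the new side; whichever survives should be quoted.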
@@ -63,21 +63,12 @@ argo-cd:
|
||||
enabled: true
|
||||
server:
|
||||
replicas: 2
|
||||
extensions:
|
||||
enabled: true
|
||||
extensionList:
|
||||
- name: extension-trivy
|
||||
env:
|
||||
- name: EXTENSION_URL
|
||||
value: https://github.com/mziyabo/argocd-trivy-extension/releases/download/v0.2.0/extension-trivy.tar
|
||||
- name: EXTENSION_CHECKSUM_URL
|
||||
value: https://github.com/mziyabo/argocd-trivy-extension/releases/download/v0.2.0/extension-trivy_checksums.txt
|
||||
ingress:
|
||||
enabled: false
|
||||
metrics:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
ingress:
|
||||
enabled: false
|
||||
repoServer:
|
||||
replicas: 2
|
||||
extraContainers:
|
||||
|
@@ -189,3 +189,41 @@ spec:
|
||||
- ApplyOutOfSyncOnly=true
|
||||
- ServerSideApply=true
|
||||
- PruneLast=true
|
||||
|
||||
---
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: snapshot-controller
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: snapshot-controller
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/part-of: {{ .Release.Name }}
|
||||
finalizers:
|
||||
- resources-finalizer.argocd.argoproj.io
|
||||
spec:
|
||||
project: default
|
||||
source:
|
||||
repoURL: {{ .Values.git.repo }}
|
||||
targetRevision: {{ .Values.git.revision }}
|
||||
path: clusters/{{ .Values.cluster.name }}/standalone/snapshot-controller
|
||||
destination:
|
||||
name: in-cluster
|
||||
namespace: snapshot-controller
|
||||
revisionHistoryLimit: 3
|
||||
syncPolicy:
|
||||
automated:
|
||||
prune: true
|
||||
selfHeal: true
|
||||
retry:
|
||||
limit: 10
|
||||
backoff:
|
||||
duration: 1m
|
||||
factor: 2
|
||||
maxDuration: 16m
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
- ApplyOutOfSyncOnly=true
|
||||
- ServerSideApply=true
|
||||
- PruneLast=true
|
||||
|
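Review bot: The new `snapshot-controller` Application binds to `project: default`, which in Argo CD imposes no limit on source repositories, destination namespaces or cluster-scoped resource kinds, and it is combined with automated `prune: true` / `selfHeal: true`, so anything that lands in that path of the Git repo is applied with no project-level guardrail. A dedicated AppProject with `sourceRepos` limited to `{{ .Values.git.repo }}`, `destinations` limited to the `snapshot-controller` namespace, and an explicit `clusterResourceWhitelist` for the CRD kinds this chart presumably ships (VolumeSnapshot family — confirm against the chart) would keep the automated sync scoped to what this app needs. Separately, `targetRevision: {{ .Values.git.revision }}` is unquoted: a revision that is all digits (short SHA) or boolean-looking would be retyped by the YAML parser, so `targetRevision: "{{ .Values.git.revision }}"` is safer. The preceding Application's `syncOptions` at the top of the hunk belong to a definition that starts outside it.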
@@ -19,9 +19,6 @@ headlamp:
|
||||
- name: cert-manager
|
||||
source: https://artifacthub.io/packages/headlamp/headlamp-plugins/headlamp_cert-manager
|
||||
version: 0.1.0
|
||||
- name: trivy
|
||||
source: https://artifacthub.io/packages/headlamp/headlamp-trivy/headlamp_trivy
|
||||
version: 0.3.1
|
||||
installOptions:
|
||||
parallel: true
|
||||
maxConcurrent: 2
|
||||
|
@@ -8,7 +8,7 @@ kronic:
|
||||
adminUsername: kronic
|
||||
existingSecretName: kronic-config-secret
|
||||
env:
|
||||
KRONIC_ALLOW_NAMESPACES: "gitea,vault,talos,libation,kubernetes-cloudflare-ddns"
|
||||
KRONIC_ALLOW_NAMESPACES: "gitea vault talos libation kubernetes-cloudflare-ddns"
|
||||
ingress:
|
||||
enabled: false
|
||||
resources:
|
||||
|
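Review bot: `KRONIC_ALLOW_NAMESPACES` is the allow-list that gates which namespaces Kronic may manage, and the two lines in this hunk differ only in separator (comma vs. space); if the separator does not match what Kronic splits on, the entire value becomes a single nonexistent namespace name and the allow-list silently stops meaning anything. The rendered page dropped the +/- markers, so I cannot see which form is the new side; please confirm the expected format against Kronic's documentation for that variable (I believe it is comma-separated, but verify) rather than toggling between the two. A comment above the line, e.g. `# comma-separated list of namespaces Kronic may manage; format per the Kronic README`, would stop this from flip-flopping again.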
@@ -1,22 +0,0 @@
|
||||
apiVersion: v2
|
||||
name: trivy
|
||||
version: 1.0.0
|
||||
description: Trivy
|
||||
keywords:
|
||||
- trivy
|
||||
- vulnerability
|
||||
- monitoring
|
||||
- kubernetes
|
||||
home: https://wiki.alexlebens.dev/s/5cffa529-4c2e-4126-99eb-cc4aeb5a49b3
|
||||
sources:
|
||||
- https://github.com/aquasecurity/trivy
|
||||
- https://github.com/aquasecurity/trivy-operator
|
||||
- https://github.com/aquasecurity/trivy-operator/tree/main/deploy/helm
|
||||
maintainers:
|
||||
- name: alexlebens
|
||||
dependencies:
|
||||
- name: trivy-operator
|
||||
version: 0.28.1
|
||||
repository: https://aquasecurity.github.io/helm-charts/
|
||||
icon: https://raw.githubusercontent.com/aquasecurity/trivy/main/docs/imgs/logo.png
|
||||
appVersion: v0.26.1
|
@@ -1,113 +0,0 @@
|
||||
trivy-operator:
|
||||
targetWorkloads: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
|
||||
operator:
|
||||
replicas: 1
|
||||
vulnerabilityScannerEnabled: true
|
||||
sbomGenerationEnabled: false
|
||||
clusterSbomCacheEnabled: false
|
||||
configAuditScannerEnabled: false
|
||||
rbacAssessmentScannerEnabled: false
|
||||
infraAssessmentScannerEnabled: false
|
||||
clusterComplianceEnabled: false
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
trivy:
|
||||
createConfig: true
|
||||
image:
|
||||
registry: mirror.gcr.io
|
||||
repository: aquasec/trivy
|
||||
tag: 0.62.1
|
||||
storageClassEnabled: true
|
||||
storageClassName: ceph-block
|
||||
storageSize: "5Gi"
|
||||
registry:
|
||||
mirror:
|
||||
"registry-1.docker.io": proxy-registry-1.docker.io
|
||||
"quay.io": proxy-quay.io
|
||||
"registry.k8s.io": proxy-registry.k8s
|
||||
"gcr.io": proxy-gcr.io
|
||||
"ghcr.io": proxy-ghcr.io
|
||||
"hub.docker": proxy-hub.docker
|
||||
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
|
||||
slow: true
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128M
|
||||
supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
|
||||
server:
|
||||
resources:
|
||||
requests:
|
||||
cpu: 200m
|
||||
memory: 512Mi
|
||||
replicas: 1
|
||||
compliance:
|
||||
reportType: summary
|
||||
cron: 0 5 * * *
|
||||
specs:
|
||||
- k8s-cis-1.23
|
||||
- k8s-nsa-1.0
|
||||
- k8s-pss-baseline-0.1
|
||||
- k8s-pss-restricted-0.1
|
||||
volumeMounts:
|
||||
- mountPath: /tmp
|
||||
name: cache-policies
|
||||
readOnly: false
|
||||
volumes:
|
||||
- name: cache-policies
|
||||
emptyDir: {}
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
nodeCollector:
|
||||
volumeMounts:
|
||||
- name: var-lib-etcd
|
||||
mountPath: /var/lib/etcd
|
||||
readOnly: true
|
||||
- name: var-lib-kubelet
|
||||
mountPath: /var/lib/kubelet
|
||||
readOnly: true
|
||||
- name: var-lib-kube-scheduler
|
||||
mountPath: /var/lib/kube-scheduler
|
||||
readOnly: true
|
||||
- name: var-lib-kube-controller-manager
|
||||
mountPath: /var/lib/kube-controller-manager
|
||||
readOnly: true
|
||||
- name: etc-systemd
|
||||
mountPath: /etc/systemd
|
||||
readOnly: true
|
||||
- name: lib-systemd
|
||||
mountPath: /lib/systemd/
|
||||
readOnly: true
|
||||
- name: etc-kubernetes
|
||||
mountPath: /etc/kubernetes
|
||||
readOnly: true
|
||||
- name: etc-cni-netd
|
||||
mountPath: /etc/cni/net.d/
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: var-lib-etcd
|
||||
hostPath:
|
||||
path: /var/lib/etcd
|
||||
- name: var-lib-kubelet
|
||||
hostPath:
|
||||
path: /var/lib/kubelet
|
||||
- name: var-lib-kube-scheduler
|
||||
hostPath:
|
||||
path: /var/lib/kube-scheduler
|
||||
- name: var-lib-kube-controller-manager
|
||||
hostPath:
|
||||
path: /var/lib/kube-controller-manager
|
||||
- name: etc-systemd
|
||||
hostPath:
|
||||
path: /etc/systemd
|
||||
- name: lib-systemd
|
||||
hostPath:
|
||||
path: /lib/systemd
|
||||
- name: etc-kubernetes
|
||||
hostPath:
|
||||
path: /etc/kubernetes
|
||||
- name: etc-cni-netd
|
||||
hostPath:
|
||||
path: /etc/cni/net.d/
|
@@ -151,6 +151,80 @@ gitea:
|
||||
enabled: false
|
||||
mariadb:
|
||||
enabled: false
|
||||
# renovate:
|
||||
# global:
|
||||
# fullnameOverride: gitea-renovate
|
||||
# controllers:
|
||||
# renovate:
|
||||
# type: cronjob
|
||||
# cronjob:
|
||||
# suspend: false
|
||||
# concurrencyPolicy: Forbid
|
||||
# timeZone: US/Central
|
||||
# schedule: "0 4 * * *"
|
||||
# startingDeadlineSeconds: 90
|
||||
# successfulJobsHistory: 3
|
||||
# failedJobsHistory: 3
|
||||
# backoffLimit: 3
|
||||
# parallelism: 1
|
||||
# containers:
|
||||
# main:
|
||||
# image:
|
||||
# repository: renovate/renovate
|
||||
# tag: 40
|
||||
# pullPolicy: IfNotPresent
|
||||
# env:
|
||||
# - name: RENOVATE_PLATFORM
|
||||
# value: gitea
|
||||
# - name: RENOVATE_AUTODISCOVER
|
||||
# value: 'true'
|
||||
# - name: RENOVATE_ONBOARDING
|
||||
# value: 'true'
|
||||
# - name: RENOVATE_BASE_DIR
|
||||
# value: /tmp/renovate
|
||||
# - name: RENOVATE_PERSIST_REPO_DATA
|
||||
# value: true
|
||||
# - name: RENOVATE_REPOSITORY_CACHE
|
||||
# value: true
|
||||
# - name: RENOVATE_REDIS_URL
|
||||
# value: redis://gitea-renovate-valkey-primary.gitea:6379
|
||||
# - name: LOG_LEVEL
|
||||
# value: info
|
||||
# envFrom:
|
||||
# - secretRef:
|
||||
# name: gitea-renovate-secret
|
||||
# resources:
|
||||
# requests:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
# persistence:
|
||||
# base:
|
||||
# storageClass: ceph-block
|
||||
# accessMode: ReadWriteOnce
|
||||
# size: 5Gi
|
||||
# retain: true
|
||||
# advancedMounts:
|
||||
# renovate:
|
||||
# main:
|
||||
# - path: /tmp/renovate
|
||||
# readOnly: false
|
||||
# ssh:
|
||||
# enabled: true
|
||||
# type: secret
|
||||
# name: gitea-renovate-ssh-secret
|
||||
# advancedMounts:
|
||||
# renovate:
|
||||
# main:
|
||||
# - path: /home/ubuntu/.ssh
|
||||
# readOnly: true
|
||||
# mountPropagation: None
|
||||
# cache:
|
||||
# type: emptyDir
|
||||
# advancedMounts:
|
||||
# renovate:
|
||||
# main:
|
||||
# - path: /tmp/renovate/cache
|
||||
# readOnly: false
|
||||
backup:
|
||||
global:
|
||||
fullnameOverride: gitea-backup
|
||||
|
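Review bot: In the commented-out renovate block, `RENOVATE_PERSIST_REPO_DATA` and `RENOVATE_REPOSITORY_CACHE` use `value: true` while `RENOVATE_AUTODISCOVER` and `RENOVATE_ONBOARDING` use `value: 'true'`; a Kubernetes `EnvVar.value` must be a string, so the unquoted booleans will be rejected by the API server the moment this block is uncommented. Change both to `value: 'true'`. The block also points Renovate at `redis://gitea-renovate-valkey-primary.gitea:6379` with no credentials in the URL, so if that Valkey instance is not protected by auth or a NetworkPolicy, the repository cache is writable by anything in the cluster — worth confirming before enabling. As committed it is dead configuration; a one-line reason above `# renovate:` (e.g. `# disabled: pending <reason>`) tells the next reader whether it is parked or droppable.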
@@ -76,7 +76,7 @@ harbor:
|
||||
# interval: 24h
|
||||
# dryrun: false
|
||||
trivy:
|
||||
enabled: true
|
||||
enabled: false
|
||||
database:
|
||||
type: external
|
||||
external:
|
||||
|
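Review bot: Disabling Harbor's built-in Trivy scanner (`enabled: false` under `trivy:`) removes the only image vulnerability scanning still visible in this compare, since the trivy-operator chart and the Argo CD Trivy extension are deleted elsewhere in it. The rendered page dropped the +/- markers, so the direction of this flip is inferred from those deletions rather than seen; if `false` is indeed the new side, any Harbor project policy that blocks pulls of vulnerable images or relies on scan-on-push stops having effect. If scanning is intentionally moving elsewhere, a comment naming the replacement next to `trivy:` (e.g. `# image scanning moved to <X>`) would document that; otherwise consider leaving the scanner on.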
@@ -6,7 +6,7 @@ kubernetes-cloudflare-ddns:
|
||||
suspend: false
|
||||
concurrencyPolicy: Forbid
|
||||
timeZone: US/Central
|
||||
schedule: "30 4 * * *"
|
||||
schedule: "0 0 * * *"
|
||||
startingDeadlineSeconds: 90
|
||||
successfulJobsHistory: 3
|
||||
failedJobsHistory: 3
|
||||
|
@@ -13,7 +13,7 @@ etcd-backup:
|
||||
suspend: false
|
||||
concurrencyPolicy: Forbid
|
||||
timeZone: US/Central
|
||||
schedule: "0 2 * * *"
|
||||
schedule: "0 0 * * *"
|
||||
startingDeadlineSeconds: 90
|
||||
successfulJobsHistory: 3
|
||||
failedJobsHistory: 3
|
||||
|
20
clusters/cl01tl/standalone/snapshot-controller/Chart.yaml
Normal file
@@ -0,0 +1,20 @@
|
||||
apiVersion: v2
|
||||
name: snapshot-controller
|
||||
version: 1.0.0
|
||||
description: Snapshot Controller
|
||||
keywords:
|
||||
- snapshot-controller
|
||||
- storage
|
||||
- kubernetes
|
||||
home: https://wiki.alexlebens.dev/s/3057b7d3-4715-44ea-8617-5ef53657330b
|
||||
sources:
|
||||
- https://github.com/kubernetes-csi/external-snapshotter
|
||||
- https://github.com/piraeusdatastore/helm-charts/tree/main/charts/snapshot-controller
|
||||
maintainers:
|
||||
- name: alexlebens
|
||||
dependencies:
|
||||
- name: snapshot-controller
|
||||
version: 4.0.2
|
||||
repository: https://piraeus.io/helm-charts/
|
||||
icon: https://raw.githubusercontent.com/piraeusdatastore/piraeus/master/artwork/sandbox-artwork/icon/color.svg
|
||||
appVersion: "v8.2.1"
|
16
clusters/cl01tl/standalone/snapshot-controller/values.yaml
Normal file
@@ -0,0 +1,16 @@
|
||||
snapshot-controller:
|
||||
controller:
|
||||
replicaCount: 3
|
||||
args:
|
||||
leaderElection: true
|
||||
leaderElectionNamespace: snapshot-controller
|
||||
httpEndpoint: ":8080"
|
||||
image:
|
||||
repository: registry.k8s.io/sig-storage/snapshot-controller
|
||||
tag: ""
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 128Mi
|
||||
serviceMonitor:
|
||||
create: true
|
@@ -3,13 +3,10 @@ snapshot-controller:
|
||||
replicaCount: 3
|
||||
args:
|
||||
leaderElection: true
|
||||
leaderElectionNamespace: snapshot-controller
|
||||
leaderElectionNamespace: "$(NAMESPACE)"
|
||||
image:
|
||||
repository: registry.k8s.io/sig-storage/snapshot-controller
|
||||
tag: v8.2.1
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 128Mi
|
||||
serviceMonitor:
|
||||
create: true
|
||||
volumeSnapshotClasses: []
|
||||
|
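Review bot: `leaderElectionNamespace: "$(NAMESPACE)"` only expands if the chart renders this value into the container's `args` and the same container defines a `NAMESPACE` env var (downward API `fieldRef: metadata.namespace`); `$(VAR)` substitution is performed by the kubelet for `args`/`env` only, and a plain string elsewhere is passed through literally. If the piraeus chart does not define that variable, the controller tries to create its lease in a namespace literally named `$(NAMESPACE)`, which is not a valid name, and leader election across the 3 replicas fails. The rendered page dropped the +/- markers, so I cannot tell whether `"$(NAMESPACE)"` or `snapshot-controller` is the new side; verify the rendered Deployment, or use the concrete value (`leaderElectionNamespace: snapshot-controller`, matching the Application's destination namespace). Pinning `tag: v8.2.1` is good and agrees with the Chart.yaml `appVersion`.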