Automated Manifest Update #2409

Merged
alexlebens merged 2 commits from auto/update-manifests into manifests 2025-12-12 01:28:41 +00:00
9 changed files with 199 additions and 49 deletions


@@ -1,22 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: hubble-relay-client-certs
namespace: kube-system
spec:
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: ca-issuer
secretName: hubble-relay-client-certs
commonName: "*.hubble-relay.cilium.io"
dnsNames:
- "*.hubble-relay.cilium.io"
duration: 8760h0m0s
privateKey:
rotationPolicy: Always
isCA: false
usages:
- signing
- key encipherment
- client auth


@@ -1,23 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: hubble-server-certs
namespace: kube-system
spec:
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: ca-issuer
secretName: hubble-server-certs
commonName: "*.default.hubble-grpc.cilium.io"
dnsNames:
- "*.default.hubble-grpc.cilium.io"
duration: 8760h0m0s
privateKey:
rotationPolicy: Always
isCA: false
usages:
- signing
- key encipherment
- server auth
- client auth


@@ -0,0 +1,71 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: hubble-generate-certs
namespace: kube-system
labels:
k8s-app: hubble-generate-certs
app.kubernetes.io/name: hubble-generate-certs
app.kubernetes.io/part-of: cilium
spec:
schedule: "0 0 1 */4 *"
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
metadata:
labels:
k8s-app: hubble-generate-certs
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: certgen
image: "quay.io/cilium/certgen:v0.2.4@sha256:de7b97b1d19a34b674d0c4bc1da4db999f04ae355923a9a994ac3a81e1a1b5ff"
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
command:
- "/usr/bin/cilium-certgen"
args:
- "--ca-generate=true"
- "--ca-reuse-secret"
- "--ca-secret-namespace=kube-system"
- "--ca-secret-name=cilium-ca"
- "--ca-common-name=Cilium CA"
env:
- name: CILIUM_CERTGEN_CONFIG
value: |
certs:
- name: hubble-server-certs
namespace: kube-system
commonName: "*.default.hubble-grpc.cilium.io"
hosts:
- "*.default.hubble-grpc.cilium.io"
usage:
- signing
- key encipherment
- server auth
- client auth
validity: 8760h
- name: hubble-relay-client-certs
namespace: kube-system
commonName: "*.hubble-relay.cilium.io"
hosts:
- "*.hubble-relay.cilium.io"
usage:
- signing
- key encipherment
- client auth
validity: 8760h
hostNetwork: false
serviceAccount: "hubble-generate-certs"
serviceAccountName: "hubble-generate-certs"
automountServiceAccountToken: true
restartPolicy: OnFailure
affinity:
ttlSecondsAfterFinished: 1800
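Review bot: The `certgen` container's `securityContext` drops all capabilities and blocks privilege escalation but sets neither `runAsNonRoot: true` nor `readOnlyRootFilesystem: true`, even though the pod mounts a service-account token (`automountServiceAccountToken: true`) for an account that, per the Role in this same change, can read and update the `cilium-ca` secret. Adding both fields under the container `securityContext` would narrow what a compromised certgen process can do; confirm first that the image runs as a non-root user and writes nothing to its root filesystem. The bare `affinity:` key parses as null and `serviceAccount` duplicates `serviceAccountName`, so both can be dropped. The Job section further down carries the identical pod template and the same applies there. If these files are rendered from an upstream chart, the change belongs in the chart values rather than in this file.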


@@ -0,0 +1,69 @@
apiVersion: batch/v1
kind: Job
metadata:
name: hubble-generate-certs
namespace: kube-system
labels:
k8s-app: hubble-generate-certs
app.kubernetes.io/name: hubble-generate-certs
app.kubernetes.io/part-of: cilium
annotations:
"helm.sh/hook": post-install,post-upgrade
spec:
template:
metadata:
labels:
k8s-app: hubble-generate-certs
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: certgen
image: "quay.io/cilium/certgen:v0.2.4@sha256:de7b97b1d19a34b674d0c4bc1da4db999f04ae355923a9a994ac3a81e1a1b5ff"
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
command:
- "/usr/bin/cilium-certgen"
args:
- "--ca-generate=true"
- "--ca-reuse-secret"
- "--ca-secret-namespace=kube-system"
- "--ca-secret-name=cilium-ca"
- "--ca-common-name=Cilium CA"
env:
- name: CILIUM_CERTGEN_CONFIG
value: |
certs:
- name: hubble-server-certs
namespace: kube-system
commonName: "*.default.hubble-grpc.cilium.io"
hosts:
- "*.default.hubble-grpc.cilium.io"
usage:
- signing
- key encipherment
- server auth
- client auth
validity: 8760h
- name: hubble-relay-client-certs
namespace: kube-system
commonName: "*.hubble-relay.cilium.io"
hosts:
- "*.hubble-relay.cilium.io"
usage:
- signing
- key encipherment
- client auth
validity: 8760h
hostNetwork: false
serviceAccount: "hubble-generate-certs"
serviceAccountName: "hubble-generate-certs"
automountServiceAccountToken: true
restartPolicy: OnFailure
affinity:
ttlSecondsAfterFinished: 1800
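Review bot: This Job relies on the `"helm.sh/hook": post-install,post-upgrade` annotation for its lifecycle, which only Helm, or an applier that translates Helm hooks, acts on. Applied as a plain manifest it is an ordinary Job: its pod template is immutable, so a later image or config change cannot be applied in place, and `ttlSecondsAfterFinished: 1800` deletes it half an hour after completion, after which a reconciling controller may recreate it and reissue the Hubble leaf certificates on every sync. Confirm how the deploying tool treats hook-annotated resources and record it above the annotation, e.g. `# run once per sync as a hook by <deploy tool>; not continuously reconciled`.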


@@ -0,0 +1,35 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: hubble-generate-certs
namespace: kube-system
labels:
app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- hubble-server-certs
- hubble-relay-client-certs
- hubble-relay-server-certs
- hubble-metrics-server-certs
- hubble-ui-client-certs
verbs:
- update
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- cilium-ca
verbs:
- get
- update
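Review bot: The second rule grants `update` on `hubble-relay-server-certs`, `hubble-metrics-server-certs` and `hubble-ui-client-certs`, but the `CILIUM_CERTGEN_CONFIG` in the CronJob and Job of this change only issues `hubble-server-certs` and `hubble-relay-client-certs`. Trimming `resourceNames` to the two secrets actually generated keeps the service account at least privilege; if the list is fixed by an upstream chart, a comment such as `# extra names cover optional Hubble components not enabled here` would explain the gap. The first rule's `create` on secrets cannot be narrowed by `resourceNames`, so it covers any secret name in `kube-system`. The `get` on `cilium-ca` presumably exposes the CA private key to anything running as this service account, so the binding should stay limited to the certgen ServiceAccount.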


@@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: hubble-generate-certs
namespace: kube-system
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: hubble-generate-certs
subjects:
- kind: ServiceAccount
name: "hubble-generate-certs"
namespace: kube-system


@@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: "hubble-generate-certs"
namespace: kube-system


@@ -13,7 +13,7 @@ spec:
runAsUser: 1000 runAsUser: 1000
fsGroup: 1000 fsGroup: 1000
kubernetesConfig: kubernetesConfig:
image: quay.io/opstree/redis:v8.0.3 image: quay.io/opstree/redis:v8.4.0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
resources: resources:
requests: requests:
@@ -29,4 +29,4 @@ spec:
storage: 1Gi storage: 1Gi
redisExporter: redisExporter:
enabled: true enabled: true
image: quay.io/opstree/redis-exporter:v1.48.0 image: quay.io/opstree/redis-exporter:v1.80.1


@@ -13,7 +13,7 @@ spec:
runAsUser: 1000 runAsUser: 1000
fsGroup: 1000 fsGroup: 1000
kubernetesConfig: kubernetesConfig:
image: quay.io/opstree/redis:v8.0.3 image: quay.io/opstree/redis:v8.4.0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
resources: resources:
requests: requests:
@@ -29,4 +29,4 @@ spec:
storage: 1Gi storage: 1Gi
redisExporter: redisExporter:
enabled: true enabled: true
image: quay.io/opstree/redis-exporter:v1.48.0 image: quay.io/opstree/redis-exporter:v1.80.1