init

talos-k8s-flux/clusters/t8s-demo/gotk-sync.yaml

@@ -0,0 +1,27 @@
+# This manifest was generated by flux. DO NOT EDIT.
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  ref:
+    branch: main
+  secretRef:
+    name: flux-system
+  url: https://git.realmanual.ru/pub/courses/talos-kurs.git
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  interval: 5m0s
+  path: clusters/t8s-demo
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system

talos-k8s-flux/clusters/t8s-demo/install/coroot.yaml

@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: coroot-operator
+  labels:
+    app.kubernetes.io/component: coroot
+    pod-security.kubernetes.io/enforce: privileged
+---
+
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: coroot-operator
+  namespace: flux-system
+spec:
+  interval: 1h
+  targetNamespace: coroot-operator
+  chart:
+    spec:
+      chart: coroot-operator
+      sourceRef:
+        kind: HelmRepository
+        name: coroot-repo
+        namespace: flux-system
+      interval: 60m
+---
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: coroot
+  labels:
+    app.kubernetes.io/component: coroot
+    pod-security.kubernetes.io/enforce: privileged
+---
+
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: coroot
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: coroot-operator
+  interval: 1h
+  targetNamespace: coroot
+  chart:
+    spec:
+      chart: coroot-ce
+      sourceRef:
+        kind: HelmRepository
+        name: coroot-repo
+        namespace: flux-system
+      interval: 60m
+  values:
+    clickhouse:
+      shards: 1
+      replicas: 1

talos-k8s-flux/clusters/t8s-demo/install/cpng.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cnpg-system
+  labels:
+    app.kubernetes.io/component: cnpg
+    pod-security.kubernetes.io/enforce: privileged
+---
+
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cnpg
+  namespace: flux-system
+spec:
+  interval: 1h
+  install:
+    createNamespace: true
+  targetNamespace: cnpg-system
+  chart:
+    spec:
+      chart: cloudnative-pg
+      version: 0.24.0
+      sourceRef:
+        kind: HelmRepository
+        name: cnpg-repo
+        namespace: flux-system
+      interval: 60m

talos-k8s-flux/clusters/t8s-demo/install/ingress-nginx.yaml

@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-nginx
+  labels:
+    app.kubernetes.io/component: ingress-nginx
+    pod-security.kubernetes.io/enforce: privileged
+---
+
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: ingress-nginx
+  namespace: flux-system
+spec:
+  interval: 1h
+  install:
+    createNamespace: true
+  targetNamespace: ingress-nginx
+  chart:
+    spec:
+      chart: ingress-nginx
+      version: 4.12.3
+      sourceRef:
+        kind: HelmRepository
+        name: ingress-nginx-repo
+        namespace: flux-system
+      interval: 60m
+  values:
+    controller:
+      ingressClassResource:
+        name: nginx
+        enabled: true
+        default: true
+      kind: DaemonSet
+      service:
+        type: NodePort
+      config:
+        allow-snippet-annotations: true
+        annotations-risk-level: Critical
+        enable-global-auth: true

talos-k8s-flux/clusters/t8s-demo/install/keycloak.yaml

@@ -0,0 +1,105 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keycloak
+  labels:
+    app.kubernetes.io/component: keycloak
+    pod-security.kubernetes.io/enforce: privileged
+---
+
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: keycloak
+  namespace: flux-system
+spec:
+  interval: 1h
+  targetNamespace: keycloak
+  chart:
+    spec:
+      chart: keycloak
+      version: 24.7.4
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami-repo
+        namespace: flux-system
+      interval: 60m
+  values:
+    ingress:
+      enabled: false
+      # hostname: key-dev.bildme.ru
+      # servicePort: http
+      # tls: true
+      # extraTls:
+      #   - hosts:
+      #       - key-dev.bildme.ru
+      #     secretName: tls-ingress
+    # tls:
+    #   enabled: true
+    #   existingSecret: "tls-ingress"
+
+    service:
+      type: NodePort
+      http:
+        enabled: true
+      ports:
+        http: 80
+        https: 443
+      nodePorts:
+        # http: "8080"
+        # https: "8494"
+        nodePortHttp: "32183"
+        nodePortHttps: "32184"
+
+    # extraVolumes: |
+    #   - name: theme
+    #     emptyDir: {}
+
+    # extraVolumeMounts:
+    #   - name: theme
+    #     mountPath: /opt/bitnami/keycloak/themes
+
+    # initContainers:
+    #   - name: theme-provider
+    #     image: hub.bildme.ru/img/keycloak-theme:0.0.2
+    #     imagePullPolicy: IfNotPresent
+    #     command:
+    #       - sh
+    #     args:
+    #       - -c
+    #       - |
+    #         echo "Copying theme..."
+    #         cp -R -keycloak-theme/* /theme
+    #     volumeMounts:
+    #       - name: theme
+    #         mountPath: /theme
+
+    metrics:
+      enabled: false
+      serviceMonitor:
+        enabled: true
+        labels:
+          app: kube-prometheus-stack
+          release: in-cluster-monitoring
+      prometheusRule:
+        enabled: false
+
+    postgresql:
+      enabled: true
+      storageClass: "nfs-client"
+
+    # externalDatabase:
+    #   host: "keycloak-test-db-rw"
+    #   port: 5432
+    #   user: keycloakdbadmin
+    #   database: keycloakinfradbtest
+    #   password: ""
+    #   existingSecret: "keycloak-test-db-app"
+    #   existingSecretHostKey: ""
+    #   existingSecretPortKey: ""
+    #   existingSecretUserKey: ""
+    #   existingSecretDatabaseKey: ""
+    #   existingSecretPasswordKey: ""
+    #   annotations: {}
+
+    # httpRelativePath: "/auth/"

talos-k8s-flux/clusters/t8s-demo/install/kyverno.yaml

@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kyverno
+  labels:
+    app.kubernetes.io/component: kyverno
+    pod-security.kubernetes.io/enforce: privileged
+---
+
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: kyverno
+  namespace: flux-system
+spec:
+  interval: 1h
+  install:
+    createNamespace: true
+  targetNamespace: kyverno
+  chart:
+    spec:
+      chart: kyverno
+      version: 3.4.2
+      sourceRef:
+        kind: HelmRepository
+        name: kyverno-repo
+        namespace: flux-system
+  values:
+    installCRDs: true
+    admissionControler:
+      rbac:
+        clusterRole:
+          extraResources:
+            - apiGroups: [""]
+              resources: ["secrets"]
+              verbs: ["*"]
+    backgroundControler:
+      rbac:
+        clusterRole:
+          extraResources:
+            - apiGroups: [""]
+              resources: ["secrets"]
+              verbs: ["*"]
+---
+
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: kyverno-policies
+  namespace: flux-system
+spec:
+  interval: 5m
+  path: ../../soft/kyverno/
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+---

talos-k8s-flux/clusters/t8s-demo/install/loki.yaml

@@ -0,0 +1,121 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: loki
+  labels:
+    app.kubernetes.io/component: loki
+    pod-security.kubernetes.io/enforce: privileged
+---
+
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: loki
+  namespace: flux-system
+spec:
+  interval: 5m
+  dependsOn:
+    - name: monitoring
+  chart:
+    spec:
+      version: "6.x"
+      chart: loki
+      sourceRef:
+        kind: HelmRepository
+        name: grafana-charts
+      interval: 60m
+  targetNamespace: loki
+  values:
+    chunksCache:
+      enabled: false
+    resultsCache:
+      enabled: false
+    test:
+      enabled: false
+    # following https://github.com/fluxcd/flux2-monitoring-example/pull/23/files#diff-5e041afacf25eb055565b4a1c32d5b81201ddce29c84adf13a6ae88463e0832b
+    extraObjects:
+      - apiVersion: v1
+        kind: ConfigMap
+        metadata:
+          name: loki-datasource
+          labels:
+            app: loki
+            chart: loki
+            release: loki
+            grafana_datasource: "1"
+            app.kubernetes.io/part-of: kube-prometheus-stack
+        data:
+          loki-datasource.yaml: |-
+            apiVersion: 1
+            datasources:
+            - name: Loki
+              type: loki
+              access: proxy
+              url: http://loki:{{ .Values.loki.server.http_listen_port }}
+              version: 1
+              isDefault: true
+    loki:
+      auth_enabled: false
+      # serviceMonitor:
+      #   enabled: true
+      #   labels:
+      #     app.kubernetes.io/part-of: kube-prometheus-stack
+      limits_config:
+        allow_structured_metadata: true
+        retention_period: 24h
+        volume_enabled: true
+      # https://grafana.com/docs/loki/latest/setup/install/helm/install-monolithic/
+      commonConfig:
+        replication_factor: 1
+      schemaConfig:
+        configs:
+          - from: "2024-04-01"
+            store: tsdb
+            object_store: s3
+            schema: v13
+            index:
+              prefix: loki_index_
+              period: 24h
+      pattern_ingester:
+        enabled: true
+      ruler:
+        enable_api: true
+    minio:
+      enabled: true
+      persistence:
+        enabled: true
+        storageClass: nfs-client
+        size: 20Gi
+    lokiCanary:
+      enabled: false
+    deploymentMode: SingleBinary
+    singleBinary:
+      replicas: 1
+      persistence:
+        enabled: true
+        storageClass: nfs-client
+        size: 10Gi
+    backend:
+      replicas: 0
+    read:
+      replicas: 0
+    write:
+      replicas: 0
+    ingester:
+      replicas: 0
+    querier:
+      replicas: 0
+    queryFrontend:
+      replicas: 0
+    queryScheduler:
+      replicas: 0
+    distributor:
+      replicas: 0
+    compactor:
+      replicas: 0
+    indexGateway:
+      replicas: 0
+    bloomCompactor:
+      replicas: 0
+    bloomGateway:
+      replicas: 0

talos-k8s-flux/clusters/t8s-demo/install/metrics-server.yaml

@@ -0,0 +1,22 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: metrics-server
+  namespace: flux-system
+spec:
+  interval: 1h
+  install:
+    createNamespace: true
+  targetNamespace: kube-system
+  chart:
+    spec:
+      chart: metrics-server
+      version: 3.12.2
+      sourceRef:
+        kind: HelmRepository
+        name: metrics-server-repo
+        namespace: flux-system
+      interval: 60m
+  values:
+    args:
+      - --kubelet-insecure-tls

talos-k8s-flux/clusters/t8s-demo/install/monitoring.yaml

@@ -0,0 +1,66 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  labels:
+    app.kubernetes.io/component: monitoring
+    pod-security.kubernetes.io/enforce: privileged
+---
+
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: monitoring
+  namespace: flux-system
+spec:
+  interval: 1h
+  chart:
+    spec:
+      chart: kube-prometheus-stack
+      version: 72.9.1
+      sourceRef:
+        kind: HelmRepository
+        name: monitoring-repo
+        namespace: flux-system
+  install:
+    crds: Create
+    timeout: 10m0s
+  upgrade:
+    crds: Create
+    timeout: 10m0s
+  targetNamespace: monitoring
+  driftDetection:
+    mode: enabled
+    ignore:
+      - paths: [ "/metadata/annotations/prometheus-operator-validated" ]
+        target:
+          kind: PrometheusRule
+  values:
+    alertmanager:
+      enabled: false
+    prometheus:
+      ingress:
+        enabled: false
+      prometheusSpec:
+        replicas: 1
+        retention: 24h
+        retentionSize: "18GB"
+        storageSpec:
+          volumeClaimTemplate:
+            spec:
+              storageClassName: nfs-client
+              resources:
+                requests:
+                  storage: 20Gi
+    grafana:
+      enabled: false
+    kubeControllerManager:
+      enabled: false
+    kubeEtcd:
+      enabled: false
+    kubeScheduler:
+      enabled: false
+    kubeProxy:
+      enabled: false
+    kubeApiServer:
+      enabled: false

talos-k8s-flux/clusters/t8s-demo/install/nfs-provisioner.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nfs-provisioner
+  labels:
+    app.kubernetes.io/component: nfs-provisioner
+    pod-security.kubernetes.io/enforce: privileged
+---
+
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: nfs-provisioner
+  namespace: flux-system
+spec:
+  interval: 1h
+  targetNamespace: nfs-provisioner
+  chart:
+    spec:
+      chart: nfs-subdir-external-provisioner
+      version: 4.0.18
+      sourceRef:
+        kind: HelmRepository
+        name: nfs-provisioner-repo
+        namespace: flux-system
+      interval: 60m
+  values:
+    nfs:
+      server: 192.168.23.5
+      path: /mnt/data
+      mountOptions:
+      volumeName: nfs-subdir-external-provisioner-root
+      reclaimPolicy: Retain
+    storageClass:
+      create: true
+      defaultClass: true
+      name: nfs-client
+      archiveOnDelete: false

talos-k8s-flux/clusters/t8s-demo/install/pgadmin.yaml

@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: pgadmin
+  labels:
+    app.kubernetes.io/component: pgadmin
+    pod-security.kubernetes.io/enforce: privileged
+---
+
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: pgadmin4
+  namespace: flux-system
+spec:
+  interval: 1h
+  targetNamespace: pgadmin
+  chart:
+    spec:
+      chart: pgadmin4
+      version: 1.47.0
+      sourceRef:
+        kind: HelmRepository
+        name: pgadmin-repo
+        namespace: flux-system
+      interval: 60m
+  values:
+    ingress:
+      enabled: false
+      # annotations: {}
+      # ingressClassName: "nginx"
+      # hosts:
+      #   - host: pgadmin-oat.bildme.ru
+      #     paths:
+      #       - path: /
+      #         pathType: Prefix
+      # tls:
+      # - secretName: tls-self
+      #   hosts:
+      #     - pgadmin-oat.bildme.ru
+
+    persistentVolume:
+      enabled: true
+      accessModes:
+        - ReadWriteOnce
+      size: 1Gi
+      storageClass: "nfs-client"

talos-k8s-flux/clusters/t8s-demo/install/piraeus.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: piraeus-cluster
+  namespace: flux-system
+spec:
+  interval: 5m
+  path: ../../soft/piraeus/
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system

talos-k8s-flux/clusters/t8s-demo/install/promtail.yaml

@@ -0,0 +1,28 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: promtail
+  namespace: flux-system
+spec:
+  interval: 5m
+  timeout: 1m
+  dependsOn:
+    - name: monitoring
+    - name: loki
+  chart:
+    spec:
+      version: "6.x"
+      chart: promtail
+      sourceRef:
+        kind: HelmRepository
+        name: grafana-charts
+      interval: 60m
+  targetNamespace: loki
+  values:
+    # https://grafana.com/docs/loki/latest/send-data/promtail/installation/
+    config:
+    # publish data to loki
+      clients:
+        - url: http://loki-loki-gateway/loki/api/v1/push
+          tenant_id: 1
+---

talos-k8s-flux/clusters/t8s-demo/install/redis.yaml

@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: redis
+  labels:
+    app.kubernetes.io/component: redis
+    pod-security.kubernetes.io/enforce: privileged
+---
+
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: redis
+  namespace: flux-system
+spec:
+  interval: 1h
+  targetNamespace: redis
+  chart:
+    spec:
+      chart: redis
+      version: 21.2.3
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami-repo
+        namespace: flux-system
+      interval: 60m
+  values:
+    global:
+      redis:
+        password: ""
+    auth:
+      enabled: false
+    master:
+      count: 1
+      persistence:
+        enabled: true
+        storageClass: "nfs-client"
+        size: 4Gi
+    replica:
+      replicaCount: 1
+      persistence:
+        enabled: true
+        storageClass: "nfs-client"
+        size: 4Gi
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+        additionalLabels:
+          prometheus: redis-cluster
+          app: kube-prometheus-stack
+          # release: in-cluster-monitoring
+      prometheusRule:
+        enabled: true
+        additionalLabels:
+          prometheus: redis-cluster
+          app: kube-prometheus-stack
+          # release: in-cluster-monitoring

talos-k8s-flux/clusters/t8s-demo/install/stakater.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: stakater
+  labels:
+    app.kubernetes.io/component: stakater
+    pod-security.kubernetes.io/enforce: privileged
+---
+
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: stakater
+  namespace: flux-system
+spec:
+  interval: 1h
+  targetNamespace: stakater
+  chart:
+    spec:
+      chart: reloader
+      sourceRef:
+        kind: HelmRepository
+        name: stakater-repo
+        namespace: flux-system
+      interval: 60m

talos-k8s-flux/clusters/t8s-demo/install/vswh.yaml

@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vswh
+  labels:
+    app.kubernetes.io/component: vswh
+    pod-security.kubernetes.io/enforce: privileged
+---
+
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: vault-secrets-webhook
+  namespace: flux-system
+spec:
+  interval: 10m
+  releaseName: vswh
+  chartRef:
+    kind: OCIRepository
+    name: vault-secrets-webhook
+    namespace: flux-system
+  targetNamespace: vswh
+  values:
+    # vaultEnv:
+    #   repository: hub.ntk.novotelecom.ru/img/vault-env
+    certificate:
+      certLifespan: 3650
+---
+
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: vault-operator-rbac
+  namespace: flux-system
+spec:
+  interval: 5m
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: vault-operator
+    namespace: flux-system
+  targetNamespace: vswh
+  path: ./deploy/rbac

talos-k8s-flux/clusters/t8s-demo/kustomization.yaml

@@ -0,0 +1,33 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gotk-components.yaml
+- gotk-sync.yaml
+- ../../soft/piraeus.yaml
+- ../../soft/cpng.yaml
+- ../../soft/ingress-nginx.yaml
+- ../../soft/metrics-server.yaml
+- ../../soft/nfs-provisioner.yaml
+- ../../soft/monitoring.yaml
+- ../../soft/kyverno.yaml
+- ../../soft/loki.yaml
+- ../../soft/vault-secrets-webhook.yaml
+- ../../soft/stakater.yaml
+- ../../soft/bitnami.yaml
+- ../../soft/pgadmin.yaml
+- ../../soft/coroot.yaml
+- install/piraeus.yaml
+# - install/nfs-provisioner.yaml
+- install/ingress-nginx.yaml
+- install/metrics-server.yaml
+# - install/monitoring.yaml
+# - install/loki.yaml
+# - install/promtail.yaml
+# - install/kyverno.yaml
+# - install/cpng.yaml
+# - install/vswh.yaml
+# - install/stakater.yaml
+# - install/keycloak.yaml
+# - install/redis.yaml
+# - install/pgadmin.yaml
+# - install/coroot.yaml