diff --git a/apps/base/futureporn/ipfs-pod.yaml b/apps/base/futureporn/ipfs-pod.yaml
new file mode 100644
index 0000000..078b441
--- /dev/null
+++ b/apps/base/futureporn/ipfs-pod.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: ipfs-pod
+ namespace: default
+ labels:
+ app.kubernetes.io/name: ipfs
+spec:
+ containers:
+ - name: ipfs
+ image: ipfs/kubo
+ ports:
+ - containerPort: 5001
+ - containerPort: 8080
+ volumeMounts:
+ - name: ipfs-pvc
+ mountPath: /data/ipfs
+ restartPolicy: OnFailure
+ volumes:
+ - name: ipfs-pvc
+ persistentVolumeClaim:
+ claimName: ipfs-pvc
diff --git a/apps/base/futureporn/ipfs-pvc.yaml b/apps/base/futureporn/ipfs-pvc.yaml
new file mode 100644
index 0000000..616fb97
--- /dev/null
+++ b/apps/base/futureporn/ipfs-pvc.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: ipfs-pvc
+ namespace: default
+ annotations:
+ meta.helm.sh/release-name: fp
+ meta.helm.sh/release-namespace: default
+ labels:
+ app.kubernetes.io/managed-by: {{ .Values.managedBy }}
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 40Gi
+ storageClassName: {{ .Values.storageClassName }}
+
diff --git a/apps/base/futureporn/ipfs-service.yaml b/apps/base/futureporn/ipfs-service.yaml
new file mode 100644
index 0000000..c43bc44
--- /dev/null
+++ b/apps/base/futureporn/ipfs-service.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: ipfs-service
+ namespace: default
+ annotations:
+ meta.helm.sh/release-name: fp
+ meta.helm.sh/release-namespace: default
+ labels:
+ app.kubernetes.io/managed-by: {{ .Values.managedBy }}
+spec:
+ selector:
+ app.kubernetes.io/name: ipfs
+ ports:
+ - name: gateway
+ protocol: TCP
+ port: 8080
+ targetPort: 8080
+ - name: api
+ protocol: TCP
+ port: 5001
+ targetPort: 5001
+
diff --git a/apps/base/futureporn/kustomization.yaml b/apps/base/futureporn/kustomization.yaml
new file mode 100644
index 0000000..1da3702
--- /dev/null
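Review bot: `restartPolicy: OnFailure` on a standalone Pod means the Kubo daemon is not restarted if it ever exits cleanly, and a bare Pod is never rescheduled when its node goes away, so the IPFS node that link2cid depends on has no availability guarantee. Changing to `restartPolicy: Always` fixes the first problem; moving the spec into a single-replica StatefulSet (the PVC is ReadWriteOnce) fixes both. `image: ipfs/kubo` carries no tag, so every pod start may pull a different release; pin it, e.g. `image: ipfs/kubo:<PINNED_VERSION>`. The container also sets no `securityContext` and no resource requests/limits, unlike the link2cid and external-dns Deployments elsewhere in this commit.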
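Review bot: `app.kubernetes.io/managed-by: {{ .Values.managedBy }}` and `storageClassName: {{ .Values.storageClassName }}` are Go-template expressions inside a directory that apps/base/futureporn/kustomization.yaml treats as plain Kustomize resources, and a bare `{{` at the start of a value is read by YAML as a flow mapping rather than a string, so this file is neither valid as a manifest nor rendered by anything in this commit. If a Helm chart is intended, quote the values (`storageClassName: "{{ .Values.storageClassName }}"`) and move the files under a chart's templates/ directory; if Kustomize is intended, replace them with literal values and drop the `meta.helm.sh/*` annotations, which only make sense on Helm-owned objects. The same expressions appear in ipfs-service.yaml below and in the PersistentVolumeClaim and Deployment in link2cid.yaml.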
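Review bot: The Service publishes port 5001, the Kubo RPC API, to every workload in the cluster alongside the public-facing gateway on 8080; the RPC API performs no authentication of its own unless explicitly configured and allows reconfiguring and controlling the node, so it should be reachable only by its one consumer. Nothing in this commit scopes that access, and link2cid (selector `app: link2cid` in link2cid.yaml) is the only client shown. A NetworkPolicy on the ipfs pod that admits 5001 only from link2cid pods while leaving 8080 open, sketched below, closes the API to the rest of the cluster; it takes effect only with a CNI that enforces NetworkPolicy, which is worth confirming on the target clusters.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ipfs-api-from-link2cid
  namespace: default
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ipfs
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: link2cid
      ports:
        - protocol: TCP
          port: 5001
    - ports:
        - protocol: TCP
          port: 8080
```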
+++ b/apps/base/futureporn/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+ - link2cid.yaml
\ No newline at end of file
diff --git a/apps/base/futureporn/link2cid.yaml b/apps/base/futureporn/link2cid.yaml
new file mode 100644
index 0000000..2fe8609
--- /dev/null
+++ b/apps/base/futureporn/link2cid.yaml
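Review bot: `resources:` lists only link2cid.yaml, so ipfs-pod.yaml, ipfs-pvc.yaml, ipfs-service.yaml and windmill-ingress.yaml added to this same directory are never applied, while link2cid's Deployment points `IPFS_URL` at `http://ipfs-service:5001`, a Service that will then not exist. If the omission is deliberate because those files contain Helm template expressions, a comment saying so would help the next reader; otherwise add `- ipfs-pod.yaml`, `- ipfs-pvc.yaml`, `- ipfs-service.yaml` (and `- windmill-ingress.yaml`). Note that link2cid.yaml itself also contains `{{ .Values... }}` expressions, so `kustomize build` of this base will most likely fail either way until those are resolved.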
@@ -0,0 +1,110 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: link2cid
+ namespace: default
+spec:
+ selector:
+ app: link2cid
+ ports:
+ - name: http
+ protocol: TCP
+ port: 80
+ targetPort: 3939
+ - name: https
+ protocol: TCP
+ port: 443
+ targetPort: 3939
+
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: link2cid
+ namespace: default
+spec:
+ selector:
+ matchLabels:
+ app: link2cid
+ template:
+ metadata:
+ labels:
+ app: link2cid
+ spec:
+ containers:
+ - image: {{ .Values.link2cid.containerName }}
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "250m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+ name: link2cid
+ ports:
+ - containerPort: 3939
+ env:
+ - name: IPFS_URL
+ value: http://ipfs-service:5001
+ - name: PORT
+ value: '3939'
+ - name: API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: link2cid
+ key: apiKey
+
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: link2cid
+ namespace: default
+ annotations:
+ meta.helm.sh/release-name: fp
+ meta.helm.sh/release-namespace: default
+ labels:
+ app.kubernetes.io/managed-by: {{ .Values.managedBy }}
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 40Gi
+ storageClassName: {{ .Values.storageClassName }}
+
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: link2cid-ingress
+ namespace: default
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+ ingressClassName: nginx
+ secretTemplate:
+ annotations:
+ reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+ reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ""
+ tls:
+ - hosts:
+ - link2cid.sbtp.xyz
+ secretName: link2cid-tls
+ rules:
+ - host: link2cid.sbtp.xyz
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: link2cid
+ port:
+ number: 80
+
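Review bot: `secretTemplate:` is not a field of `Ingress.spec` (it belongs to cert-manager's Certificate resource), so the API server drops it and the reflector annotations are never applied to `link2cid-tls`; if reflection is really wanted, declare a `Certificate` with `secretTemplate.metadata.annotations`, and note that, as I read reflector's documentation, an empty `reflection-allowed-namespaces` permits copying the TLS private key into every namespace, so list the intended namespaces explicitly. The `link2cid` PersistentVolumeClaim (40Gi) is never referenced by the Deployment's `volumes`, so it only allocates block storage. The Deployment image comes from `.Values.link2cid.containerName`, which values-prod.yaml sets to a `:latest` tag, and the container has no `securityContext` or probes; pin a digest and add at least `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and a readiness probe on 3939. `kubernetes.io/ingress.class: "nginx"` duplicates `ingressClassName: nginx`; the annotation is deprecated and can be dropped.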
diff --git a/apps/base/futureporn/values-dev.yaml b/apps/base/futureporn/values-dev.yaml
new file mode 100644
index 0000000..40c9cc4
--- /dev/null
+++ b/apps/base/futureporn/values-dev.yaml
@@ -0,0 +1,12 @@
+# storageClassName: csi-hostpath-sc # used by minikube
+storageClassName: standard # used by Kind
+link2cid:
+ containerName: fp/link2cid
+next:
+ containerName: fp/next
+strapi:
+ containerName: fp/strapi
+ port: 1337
+ url: http://localhost:1337
+managedBy: Dildo
+adminEmail: cj@futureporn.net
\ No newline at end of file
diff --git a/apps/base/futureporn/values-prod.yaml b/apps/base/futureporn/values-prod.yaml
new file mode 100644
index 0000000..a1f01e6
--- /dev/null
+++ b/apps/base/futureporn/values-prod.yaml
@@ -0,0 +1,14 @@
+storageClassName: vultr-block-storage-hdd
+link2cid:
+ containerName: gitea.futureporn.net/futureporn/link2cid:latest
+next:
+ containerName: sjc.vultrcr.com/fpcontainers/next
+strapi:
+ containerName: sjc.vultrcr.com/fpcontainers/strapi
+ port: 1337
+ url: https://portal.futureporn.net
+managedBy: Helm
+adminEmail: cj@futureporn.net
+extraArgs:
+ - --dns01-recursive-nameservers-only
+ - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
\ No newline at end of file
diff --git a/apps/base/futureporn/windmill-ingress.yaml b/apps/base/futureporn/windmill-ingress.yaml
new file mode 100644
index 0000000..77a6130
--- /dev/null
+++ b/apps/base/futureporn/windmill-ingress.yaml
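Review bot: `containerName: gitea.futureporn.net/futureporn/link2cid:latest` pins the production image to a mutable tag, and `sjc.vultrcr.com/fpcontainers/next` / `sjc.vultrcr.com/fpcontainers/strapi` carry no tag at all, so a Flux reconcile is not reproducible and whatever was last pushed to the registry, broken or tampered with, is what the next pod restart runs. Pin production images by tag plus digest, e.g. `containerName: gitea.futureporn.net/futureporn/link2cid:<TAG>@sha256:<DIGEST>`. `extraArgs` with the `--dns01-recursive-nameservers*` flags is a cert-manager controller setting, but nothing in this commit reads it from this values file; confirm that the cert-manager HelmRelease (renamed into infrastructure/controllers, not shown here) actually consumes it, otherwise these are dead configuration.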
@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: windmill-ingress
+ namespace: default
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-staging"
+ nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+ # If you encounter a redirect loop or are getting a 307 response code
+ # then you need to force the nginx ingress to connect to the backend using HTTPS.
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: windmill2.sbtp.xyz
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: windmmill-app
+ port:
+ name: https
+ tls:
+ - hosts:
+ - windmill2.sbtp.xyz
+ secretName: windmill-tls
\ No newline at end of file
diff --git a/apps/base/windmill/kustomization.yaml b/apps/base/windmill/kustomization.yaml
new file mode 100644
index 0000000..f699445
--- /dev/null
+++ b/apps/base/windmill/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: windmill
+resources:
+ - windmill.yaml
\ No newline at end of file
diff --git a/clusters/prod/windmill.yaml b/apps/base/windmill/windmill.yaml
similarity index 100%
rename from clusters/prod/windmill.yaml
rename to apps/base/windmill/windmill.yaml
diff --git a/apps/production/fp-values.yaml b/apps/production/fp-values.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/apps/production/kustomization.yaml b/apps/production/kustomization.yaml
new file mode 100644
index 0000000..a4c7973
--- /dev/null
+++ b/apps/production/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../base/futureporn
+patches:
+ - path: futureporn-values.yaml
+ target:
+ kind: HelmRelease
\ No newline at end of file
diff --git a/apps/staging/futureporn-values.yaml b/apps/staging/futureporn-values.yaml
new file mode 100644
index 0000000..e69de29
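Review bot: The backend `name: windmmill-app` has three m's, which looks like a typo for a `windmill-app` Service and would leave this Ingress answering 503 from the default backend. The Ingress also sits in `namespace: default` while apps/base/windmill/kustomization.yaml puts the windmill resources in `namespace: windmill`; Ingress backends must live in the Ingress's own namespace, so if the Service is in `windmill` this object cannot route to it regardless of the name. Finally, `ssl-passthrough: "true"` makes nginx hand the raw TLS stream to the backend, so the certificate cert-manager issues into `windmill-tls` via the `tls:` block is never served, and passthrough only works when the controller runs with `--enable-ssl-passthrough`, which the ingress-nginx HelmRelease values in this commit do not set. Choose one model: terminate at nginx (drop the passthrough annotation, keep `backend-protocol: "HTTPS"`) or pass through (drop `tls:` and the issuer annotation, and enable the controller flag).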
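Review bot: `path: futureporn-values.yaml` names a file this commit does not create in apps/production (it adds an empty `apps/production/fp-values.yaml` instead, and the `futureporn-values.yaml` it does add is under apps/staging), so `kustomize build` of this overlay fails on a missing patch file and the `apps` Flux Kustomization in clusters/production/apps.yaml can never reconcile. The patch also targets `kind: HelmRelease`, but ../base/futureporn contains no HelmRelease, so even with the file present the patch would match nothing. Either point at the file that exists, `- path: fp-values.yaml`, and give it content, or remove the `patches:` block until a HelmRelease exists in the base.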
diff --git a/apps/staging/kustomization.yaml b/apps/staging/kustomization.yaml
new file mode 100644
index 0000000..851e3f2
--- /dev/null
+++ b/apps/staging/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../base/futureporn
\ No newline at end of file
diff --git a/clusters/prod/fp.yaml b/clusters/prod/fp.yaml
deleted file mode 100644
index 7512075..0000000
--- a/clusters/prod/fp.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
- name: fp
- namespace: default
-spec:
- dependsOn: cert-manager
- interval: 1m
- url: https://gitea.futureporn.net/futureporn/fp.git
- ref:
- branch: main
- ignore: |
- # exclude all
- /*
- # include charts directory
- !/charts/
\ No newline at end of file
diff --git a/clusters/prod/podinfo-source.yaml b/clusters/prod/podinfo-source.yaml
deleted file mode 100644
index 2804838..0000000
--- a/clusters/prod/podinfo-source.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
- name: podinfo
- namespace: flux-system
-spec:
- dependsOn: cert-manager
- interval: 10m0s
- ref:
- branch: master
- url: https://github.com/stefanprodan/podinfo
diff --git a/clusters/prod/podinfo-kustomization.yaml b/clusters/production/apps.yaml
similarity index 55%
rename from clusters/prod/podinfo-kustomization.yaml
rename to clusters/production/apps.yaml
index 07e30d6..3312de9 100644
--- a/clusters/prod/podinfo-kustomization.yaml
+++ b/clusters/production/apps.yaml
@@ -2,16 +2,16 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
- name: podinfo
+ name: apps
 namespace: flux-system
 spec:
- interval: 30m0s
- path: ./kustomize
- prune: true
- retryInterval: 2m0s
+ interval: 10m0s
+ dependsOn:
+ - name: infra-configs
 sourceRef:
 kind: GitRepository
- name: podinfo
- targetNamespace: default
- timeout: 3m0s
+ name: flux-system
+ path: ./apps/production
+ prune: true
 wait: true
+ timeout: 5m0s
\ No newline at end of file
diff --git a/clusters/prod/flux-system/gotk-components.yaml b/clusters/production/flux-system/gotk-components.yaml
similarity index 100%
rename from clusters/prod/flux-system/gotk-components.yaml
rename to clusters/production/flux-system/gotk-components.yaml
diff --git a/clusters/prod/flux-system/gotk-sync.yaml b/clusters/production/flux-system/gotk-sync.yaml
similarity index 100%
rename from clusters/prod/flux-system/gotk-sync.yaml
rename to clusters/production/flux-system/gotk-sync.yaml
diff --git a/clusters/prod/flux-system/kustomization.yaml b/clusters/production/flux-system/kustomization.yaml
similarity index 100%
rename from clusters/prod/flux-system/kustomization.yaml
rename to clusters/production/flux-system/kustomization.yaml
diff --git a/clusters/production/infrastructure.yaml b/clusters/production/infrastructure.yaml
new file mode 100644
index 0000000..4199d88
--- /dev/null
+++ b/clusters/production/infrastructure.yaml
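Review bot: The rewrite drops `retryInterval` without replacing it, so with `wait: true` a failed apply of ./apps/production is retried only at `interval: 10m0s` (Flux defaults retryInterval to interval), whereas the infra Kustomizations in clusters/production/infrastructure.yaml set `retryInterval: 1m`; adding `retryInterval: 1m` here keeps the two consistent and shortens recovery after a transient failure. That matters immediately, because apps/production/kustomization.yaml in this commit references a patch file that does not exist there, so this Kustomization will sit in a failed state as soon as it is applied.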
@@ -0,0 +1,33 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-controllers
+ namespace: flux-system
+spec:
+ interval: 1h
+ retryInterval: 1m
+ timeout: 5m
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ path: ./infrastructure/controllers
+ prune: true
+ wait: true
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: infra-configs
+ namespace: flux-system
+spec:
+ dependsOn:
+ - name: infra-controllers
+ interval: 1h
+ retryInterval: 1m
+ timeout: 5m
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ path: ./infrastructure/configs
+ prune: true
diff --git a/infrastructure/configs/cluster-issuers.yaml b/infrastructure/configs/cluster-issuers.yaml
new file mode 100644
index 0000000..ec4cc4e
--- /dev/null
+++ b/infrastructure/configs/cluster-issuers.yaml
@@ -0,0 +1,45 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ # server: https://acme-staging-v02.api.letsencrypt.org/directory
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: cj@futureporn.net
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ solvers:
+ - dns01:
+ webhook:
+ groupName: acme.vultr.com
+ solverName: vultr
+ config:
+ apiKeySecretRef:
+ key: apiKey
+ name: vultr
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ # You must replace this email address with your own.
+ # Let's Encrypt will use this to contact you about expiring
+ # certificates, and issues related to your account.
+ email: cj@futureporn.net
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ # Secret resource that will be used to store the account's private key.
+ name: letsencrypt-staging
+ solvers:
+ - dns01:
+ webhook:
+ groupName: acme.vultr.com
+ solverName: vultr
+ config:
+ apiKeySecretRef:
+ key: apiKey
+ name: vultr-credentials
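Review bot: `infra-configs` has no `wait: true`, unlike `infra-controllers` above it, so it reports Ready as soon as the ClusterIssuers are applied rather than when they become Ready; `apps` (clusters/production/apps.yaml) depends on it and can start requesting Ingress certificates before the ACME accounts are registered, producing transient issuance failures. Adding `wait: true` under the second `spec:` makes the dependency chain meaningful and matches the first Kustomization.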
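Review bot: The two issuers reference different credential Secrets for the same Vultr webhook, `name: vultr` for letsencrypt-prod and `name: vultr-credentials` for letsencrypt-staging, while roles.yaml and external-dns.yaml elsewhere in this commit only ever use `vultr`; one of these is probably a typo and the staging issuer will fail with a missing-secret error. Pick one name (most likely `name: vultr`) in both `apiKeySecretRef` blocks, and add a comment that the Secret must exist in the cert-manager namespace, since that is where roles.yaml grants the webhook read access. The `# You must replace this email address with your own.` tutorial boilerplate can be dropped now that a real address is set.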
diff --git a/infrastructure/configs/kustomization.yaml b/infrastructure/configs/kustomization.yaml
new file mode 100644
index 0000000..3c10646
--- /dev/null
+++ b/infrastructure/configs/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - cluster-issuers.yaml
\ No newline at end of file
diff --git a/clusters/prod/cert-manager-webhook-vultr.yaml b/infrastructure/controllers/cert-manager-webhook-vultr.yaml
similarity index 100%
rename from clusters/prod/cert-manager-webhook-vultr.yaml
rename to infrastructure/controllers/cert-manager-webhook-vultr.yaml
diff --git a/clusters/prod/cert-manager.yaml b/infrastructure/controllers/cert-manager.yaml
similarity index 100%
rename from clusters/prod/cert-manager.yaml
rename to infrastructure/controllers/cert-manager.yaml
diff --git a/infrastructure/controllers/external-dns.yaml b/infrastructure/controllers/external-dns.yaml
new file mode 100644
index 0000000..7b4f223
--- /dev/null
+++ b/infrastructure/controllers/external-dns.yaml
@@ -0,0 +1,69 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: external-dns
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: external-dns
+rules:
+- apiGroups: [""]
+ resources: ["services","endpoints","pods"]
+ verbs: ["get","watch","list"]
+- apiGroups: ["extensions","networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get","watch","list"]
+- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: external-dns-viewer
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: external-dns
+subjects:
+- kind: ServiceAccount
+ name: external-dns
+ namespace: default
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: external-dns
+spec:
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app: external-dns
+ template:
+ metadata:
+ labels:
+ app: external-dns
+ spec:
+ serviceAccountName: external-dns
+ containers:
+ - name: external-dns
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "250m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+ image: registry.k8s.io/external-dns/external-dns:v0.14.1
+ args:
+ - --source=ingress
+ - --domain-filter=sbtp.xyz
+ - --provider=vultr
+ env:
+ - name: VULTR_API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: vultr
+ key: apiKey
diff --git a/infrastructure/controllers/ingress-nginx.yaml b/infrastructure/controllers/ingress-nginx.yaml
new file mode 100644
index 0000000..2b4fefe
--- /dev/null
+++ b/infrastructure/controllers/ingress-nginx.yaml
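Review bot: `--txt-owner-id` is not set, so this external-dns instance runs with the default owner id and, under its default `sync` policy, treats records created by any other external-dns pointed at sbtp.xyz (for example one in the staging cluster this repository also lays out) as its own to overwrite or delete; give each cluster a distinct `- --txt-owner-id=<CLUSTER_NAME>` and consider `- --policy=upsert-only` until ownership is sorted out. The ServiceAccount and Deployment carry no `namespace:` while the ClusterRoleBinding subject is hard-coded to `namespace: default`; if the infra-controllers Kustomization ever gains a `targetNamespace`, the binding silently stops matching, so set `namespace: default` explicitly on all four objects. The container also has no `securityContext`; I believe the upstream chart ships with `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`, which would be appropriate here too.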
@@ -0,0 +1,39 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ingress-nginx
+ labels:
+ toolkit.fluxcd.io/tenant: sre-team
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: ingress-nginx
+ namespace: ingress-nginx
+spec:
+ interval: 24h
+ url: https://kubernetes.github.io/ingress-nginx
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: ingress-nginx
+ namespace: ingress-nginx
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: ingress-nginx
+ version: "*"
+ sourceRef:
+ kind: HelmRepository
+ name: ingress-nginx
+ namespace: ingress-nginx
+ interval: 12h
+ values:
+ controller:
+ service:
+ type: "NodePort"
+ admissionWebhooks:
+ enabled: false
\ No newline at end of file
diff --git a/infrastructure/controllers/kustomization.yaml b/infrastructure/controllers/kustomization.yaml
new file mode 100644
index 0000000..46b141f
--- /dev/null
+++ b/infrastructure/controllers/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - cert-manager.yaml
+ - ingress-nginx.yaml
\ No newline at end of file
diff --git a/infrastructure/controllers/roles.yaml b/infrastructure/controllers/roles.yaml
new file mode 100644
index 0000000..69a432d
--- /dev/null
+++ b/infrastructure/controllers/roles.yaml
@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cert-manager-webhook-vultr-secret-reader
+ namespace: cert-manager
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cert-manager-webhook-vultr-secret-reader-binding
+ namespace: cert-manager
+subjects:
+- kind: ServiceAccount
+ name: cert-manager-webhook-vultr
+ namespace: cert-manager
+roleRef:
+ kind: Role
+ name: cert-manager-webhook-vultr-secret-reader
+ apiGroup: rbac.authorization.k8s.io
+
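Review bot: `admissionWebhooks: enabled: false` removes the validating webhook that rejects Ingress objects whose annotations would produce an invalid or unsafe nginx configuration, so a single bad Ingress in any namespace can break routing for every host the controller serves; unless there is a concrete reason (for example a Kind cluster where the webhook certificate job is a problem), leave it enabled, and say why in a comment if it must stay off. `version: "*"` lets Flux upgrade across major chart releases on every `interval: 12h` check without review; constrain it to a semver range, e.g. `version: "<MAJOR>.x"`. Note that windmill-ingress.yaml relies on `ssl-passthrough`, which does nothing unless these values also set `controller.extraArgs.enable-ssl-passthrough: "true"`.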
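Review bot: `resources:` lists only cert-manager.yaml and ingress-nginx.yaml, so external-dns.yaml, roles.yaml and the renamed cert-manager-webhook-vultr.yaml in the same directory are never applied, yet infrastructure/configs/cluster-issuers.yaml configures `solverName: vultr` webhook solvers that need that webhook running and the Role from roles.yaml to read its API key. Unless these are deliberately parked, add `- cert-manager-webhook-vultr.yaml`, `- external-dns.yaml` and `- roles.yaml`; if they are parked, a comment saying so would stop the next reader from chasing a missing solver.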
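Review bot: The Role grants `get`, `watch`, `list` on every Secret in the cert-manager namespace, which covers the ACME account keys (`letsencrypt-prod`, `letsencrypt-staging`) and any issued certificates stored there, while the webhook only needs the Vultr API key Secret. Scope it with `resourceNames` to the Secret(s) named in cluster-issuers.yaml, e.g. `resourceNames: ["vultr"]` (add `vultr-credentials` if the staging issuer keeps that name), and keep only the verbs the webhook actually issues, typically `verbs: ["get"]`, because `list` and `watch` are not narrowed by `resourceNames` unless the request carries a `metadata.name` field selector. A comment above `rules:` naming the Secret and the reason for the Role would also help, since the webhook Deployment itself is in a renamed file not shown here.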