diff --git a/namespaces/core/secrets.yaml b/namespaces/core/core-secrets.yaml
similarity index 87%
rename from namespaces/core/secrets.yaml
rename to namespaces/core/core-secrets.yaml
index 8e9bca6..7d4f268 100644
--- a/namespaces/core/secrets.yaml
+++ b/namespaces/core/core-secrets.yaml
@@ -1,7 +1,7 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
- name: core-postgres-secrets
+ name: core-secrets
namespace: infisical
labels:
label-to-be-passed-to-managed-secret: homelab
@@ -16,12 +16,12 @@ spec:
secretsScope:
projectSlug: homelab-n-f-yj
envSlug: prod
- secretsPath: "/core/postgres" # Root is "/"
+ secretsPath: "/core" # Root is "/"
recursive: true # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
credentialsRef:
secretName: universal-auth-credentials
secretNamespace: infisical
managedSecretReference:
- secretName: postgres-secrets
+ secretName: core-secrets
secretNamespace: core
creationPolicy: "Orphan" ## Owner | Orphan
diff --git a/namespaces/core/kustomization.yaml b/namespaces/core/kustomization.yaml
index 4530ed9..2f546c8 100644
--- a/namespaces/core/kustomization.yaml
+++ b/namespaces/core/kustomization.yaml
@@ -3,7 +3,10 @@ kind: Kustomization resources: - namespace.yaml + - core-secrets.yaml - postgres/ - redis/ - tika/ - gotenburg/ + - pgdump/ + - minio/
diff --git a/namespaces/core/minio/extras/server-route.yaml b/namespaces/core/minio/extras/server-route.yaml
new file mode 100644
index 0000000..c50a0c6
--- /dev/null
+++ b/namespaces/core/minio/extras/server-route.yaml
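Review bot: Widening `secretsPath` from `/core/postgres` to `/core` with `recursive: true` folds every secret under `/core` into the single managed Secret `core-secrets` in the `core` namespace, so any pod there that can read that one Secret gets the Postgres credentials plus whatever else lives under `/core` (the same commit adds `pgdump/` and `minio/`, so presumably theirs too). A Kubernetes Secret is a flat key/value map, so the same key name in two subfolders can only end up as one value, and nothing here would warn about the collision. The MinIO StatefulSet patch in this commit still reads `secretKeyRef.name: minio-secrets` with `optional: false`, so either the shared base still emits a per-app InfisicalSecret or that pod will not start — worth confirming. If the aggregation is intentional, say so above the path, e.g. `# One Secret for all of /core; split per app if RBAC separation between core workloads matters`.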
@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: server-route
+spec:
+ parentRefs:
+ - name: homelab-gateway
+ sectionName: minio
+ kind: Gateway
+ namespace: homelab
+ hostnames:
+ - minio.leechpepin.com
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: minio-server-svc
+ port: 9000
diff --git a/namespaces/core/minio/extras/server-svc.yaml b/namespaces/core/minio/extras/server-svc.yaml
new file mode 100644
index 0000000..cd79858
--- /dev/null
+++ b/namespaces/core/minio/extras/server-svc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: server-svc
+spec:
+ type: ClusterIP
+ ports:
+ - port: 9000
+ name: minio
+ targetPort: minio
+ protocol: TCP
diff --git a/namespaces/core/minio/kustomization.yaml b/namespaces/core/minio/kustomization.yaml
new file mode 100644
index 0000000..a21583f
--- /dev/null
+++ b/namespaces/core/minio/kustomization.yaml
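Review bot: `backendRefs[0].name: minio-server-svc` hard-codes the post-`namePrefix` name of the Service defined next door as `server-svc`, and the hostname `minio.leechpepin.com` is likewise literal while the kustomization derives hostnames for the base `http`/`https` routes by replacement; both will silently drift if `namePrefix: minio-` or the domain changes, and as far as I know kustomize's built-in name-reference fixups do not cover HTTPRoute backendRefs, so nothing catches it at build time. Add `# pre-prefixed on purpose: kustomize does not rewrite HTTPRoute backendRefs — keep in sync with namePrefix in ../kustomization.yaml` above the ref. Attaching to the `minio` listener also depends on the `core` namespace carrying `homelab-access: "true"` (its `namespace.yaml` is not in this diff), and `PathPrefix /` publishes the whole S3 API, including admin endpoints, behind root credentials — fine for a homelab, but a one-line comment noting that TLS ends at the gateway and the 9000 hop is plaintext in-cluster would save the next reader an assumption.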
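Review bot: The Service has no `selector`, so on its own it would create no Endpoints and the HTTPRoute would have nothing to send to; it only works because `../kustomization.yaml` adds `app.kubernetes.io/appName: minio` with `includeSelectors: true`, which is invisible from this file. Document the dependency so nobody "fixes" it by hand: `# selector is injected by the labels transformer in ../kustomization.yaml (includeSelectors: true)` under `spec:`. Because that injected label is the only selector, any other pod in `core` carrying `app.kubernetes.io/appName: minio` becomes an S3 backend — keep that label unique to this StatefulSet.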
@@ -0,0 +1,139 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+ - |-
+ apiVersion: builtin
+ kind: NamespaceTransformer
+ metadata:
+ name: notImportantHere
+ namespace: core
+ unsetOnly: true
+
+namePrefix: minio-
+resources:
+ - ../../../kustomize/statefulset/
+ - extras/server-svc.yaml
+ - extras/server-route.yaml
+
+labels:
+ - includeSelectors: true
+ pairs:
+ app.kubernetes.io/appName: minio
+ - pairs:
+ app.kubernetes.io/appNamespace: core
+
+patches:
+ - path: patches/statefulset.yaml
+ target:
+ kind: StatefulSet
+ name: ss
+
+replacements:
+ - source:
+ kind: StatefulSet
+ name: ss
+ fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
+ targets:
+ - select:
+ kind: InfisicalSecret
+ fieldPaths:
+ - spec.managedSecretReference.secretNamespace
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "/"
+ index: 1
+ fieldPaths:
+ - spec.authentication.universalAuth.secretsScope.secretsPath
+ - source:
+ kind: StatefulSet
+ name: ss
+ fieldPath: metadata.labels.[app.kubernetes.io/appName]
+ targets:
+ - select:
+ kind: StatefulSet
+ options:
+ delimiter: "-"
+ index: 0
+ fieldPaths:
+ - spec.volumeClaimTemplates.0.metadata.annotations.name
+ - spec.volumeClaimTemplates.0.metadata.name
+ - spec.serviceName
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "-"
+ index: 0
+ fieldPaths:
+ - spec.managedSecretReference.secretName
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "/"
+ index: 2
+ fieldPaths:
+ - spec.authentication.universalAuth.secretsScope.secretsPath
+ - select:
+ kind: HTTPRoute
+ name: https
+ options:
+ create: true
+ delimiter: "."
+ index: 0
+ fieldPaths:
+ - spec.hostnames.0
+ - select:
+ kind: HTTPRoute
+ name: http
+ options:
+ create: true
+ delimiter: "."
+ index: 0
+ fieldPaths:
+ - spec.hostnames.0
+ - source:
+ kind: StatefulSet
+ name: ss
+ fieldPath: spec.template.spec.containers.0.ports.0.name
+ targets:
+ - select:
+ kind: Service
+ name: svc
+ fieldPaths:
+ - spec.ports.0.name
+ - spec.ports.0.targetPort
+ - source:
+ kind: Service
+ name: svc
+ targets:
+ - select:
+ kind: HTTPRoute
+ name: http
+ fieldPaths:
+ - spec.rules.0.backendRefs.0.name
+ - select:
+ kind: HTTPRoute
+ name: https
+ fieldPaths:
+ - spec.rules.0.backendRefs.0.name
+ - source:
+ kind: StatefulSet
+ name: ss
+ fieldPath: spec.template.spec.containers.0.ports.0.containerPort
+ targets:
+ - select:
+ kind: Service
+ name: svc
+ fieldPaths:
+ - spec.ports.0.port
+ - select:
+ kind: HTTPRoute
+ name: http
+ fieldPaths:
+ - spec.rules.0.backendRefs.0.port
+ - select:
+ kind: HTTPRoute
+ name: https
+ fieldPaths:
+ - spec.rules.0.backendRefs.0.port
diff --git a/namespaces/core/minio/patches/statefulset.yaml b/namespaces/core/minio/patches/statefulset.yaml
new file mode 100644
index 0000000..7aa4fac
--- /dev/null
+++ b/namespaces/core/minio/patches/statefulset.yaml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: app
+spec:
+ template:
+ spec:
+ restartPolicy: Always
+ containers:
+ - name: minio
+ image: quay.io/minio/minio:latest
+ command:
+ - /bin/bash
+ - -c
+ args:
+ - minio server /data --console-address ":80"
+ env:
+ - name: MINIO_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: minio-secrets
+ key: ROOT_PASSWORD
+ optional: false
+ - name: MINIO_ROOT_USER
+ value: minio
+ volumeMounts:
+ - mountPath: /data
+ name: minio-data
+ subPath: "data"
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ name: console
+ - containerPort: 9000
+ protocol: TCP
+ name: minio
+ volumes:
+ - name: minio-data
+ hostPath:
+ path: /data/minio
+ type: DirectoryOrCreate
diff --git a/namespaces/homelab/gateway.yaml b/namespaces/homelab/gateway.yaml
index 1eb8e55..26b1d73 100644
--- a/namespaces/homelab/gateway.yaml
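Review bot: The last `replacements` entry copies `containers.0.ports.0.containerPort` (and the entry before it `ports.0.name`) into the base Service `svc` and both base HTTPRoutes, and in `patches/statefulset.yaml` `ports[0]` is the web console on `:80`, not the S3 port — so whatever the base `http`/`https` routes publish under `minio.<domain>` is the admin console, which accepts the root credentials, purely because of list order in another file. Swapping the two `ports` entries in the patch would flip what gets exposed with no error, so record the contract here: `# containers[0].ports[0] in patches/statefulset.yaml is what the base Service/HTTPRoutes publish (currently the console; the S3 API is served by extras/server-svc.yaml)`. If the base `http` route is a plaintext listener (not visible here), console logins would travel unencrypted unless it redirects to `https` — worth checking. The InfisicalSecret-targeted replacements select by `kind` only; if the shared base ever ships more than one InfisicalSecret, all of them will have their `secretsPath` and `secretName` rewritten.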
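Review bot: `image: quay.io/minio/minio:latest` means every pod restart (and `restartPolicy: Always` guarantees there will be some) may pull a different build, so there is no reproducible version, nothing to roll back to, and a breaking or compromised upstream push lands in the cluster unreviewed — pin a `RELEASE.*` tag, ideally with an `@sha256:` digest, and let your update tooling bump it by PR. `--console-address ":80"` is a privileged port, which only works if the process runs as root, and nothing here sets a `securityContext`; combined with `hostPath: /data/minio`, a MinIO compromise is a root-owned foothold on the node's filesystem, and the hostPath also pins data to whichever node first created the directory while the patch adds no node affinity. Moving the console to an unprivileged port such as 9001 (the one MinIO's own docs use) lets you add `runAsNonRoot`, `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`, and the `volumeClaimTemplates` this kustomization's replacements already rewrite suggest the base StatefulSet offers a PVC that could replace the hostPath (a non-root UID then needs `fsGroup` on that PVC to write). Also `command: [/bin/bash, -c]` makes bash PID 1, so the pod's SIGTERM never reaches minio and shutdown waits out the grace period; `exec minio server …` fixes that.
```yaml
      containers:
        - name: minio
          # pin a release (add @sha256:<digest> once chosen); :latest is unreviewable in GitOps
          image: quay.io/minio/minio:RELEASE.<pinned>
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          command:
            - /bin/bash
            - -c
          args:
            # exec so minio is PID 1; 9001 is unprivileged so root is not required
            - exec minio server /data --console-address ":9001"
          # … unchanged: env, volumeMounts …
          ports:
            - containerPort: 9001
              protocol: TCP
              name: console
            # … unchanged: minio port 9000 …
      # … unchanged: volumes (consider the base PVC instead of hostPath) …
```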
+++ b/namespaces/homelab/gateway.yaml
@@ -71,3 +71,17 @@ spec:
name: forgejo-ssh
port: 2222
protocol: TCP
+ - allowedRoutes:
+ namespaces:
+ from: Selector
+ selector:
+ matchLabels:
+ homelab-access: "true"
+ name: minio
+ port: 9000
+ protocol: HTTPS
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - kind: Secret
+ name: wildcard-leechpepin-tls
diff --git a/namespaces/longhorn/longhorn/extras/longhorn-backupjob.yaml b/namespaces/longhorn/longhorn/extras/longhorn-backupjob.yaml
new file mode 100644
index 0000000..3ddbd33
--- /dev/null
+++ b/namespaces/longhorn/longhorn/extras/longhorn-backupjob.yaml
@@ -0,0 +1,13 @@
+apiVersion: longhorn.io/v1beta1
+kind: RecurringJob
+metadata:
+ name: daily-backup
+spec:
+ cron: "0 23 * * *" # Daily at 11pm
+ task: "backup"
+ groups:
+ - default
+ retain: 3 # Keep last 7 backups
+ concurrency: 2
+ labels:
+ type: scheduled-backup
diff --git a/namespaces/longhorn/longhorn/extras/longhorn-private-storageclass.yaml b/namespaces/longhorn/longhorn/extras/longhorn-private-storageclass.yaml
index 875fe13..363639e 100644
--- a/namespaces/longhorn/longhorn/extras/longhorn-private-storageclass.yaml
+++ b/namespaces/longhorn/longhorn/extras/longhorn-private-storageclass.yaml
@@ -10,3 +10,4 @@ parameters:
dataLocality: "best-effort"
diskSelector: "private"
nodeSelector: "private"
+ # recurringJobSelector: '[{"name":"backup-all-volumes","isGroup":true}]'
diff --git a/namespaces/longhorn/longhorn/extras/longhorn-public-storageclass.yaml b/namespaces/longhorn/longhorn/extras/longhorn-public-storageclass.yaml
index 2a0b588..ce27fe2 100644
--- a/namespaces/longhorn/longhorn/extras/longhorn-public-storageclass.yaml
+++ b/namespaces/longhorn/longhorn/extras/longhorn-public-storageclass.yaml
@@ -9,3 +9,4 @@ parameters:
numberOfReplicas: "2"
dataLocality: "best-effort"
diskSelector: "public"
+ # recurringJobSelector: '[{"name":"backup-all-volumes","isGroup":true}]'
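Review bot: The new `minio` listener sets no `hostname`, so the only thing gating attachment is the namespace selector — any namespace labelled `homelab-access: "true"` can bind a route for any name on this port, including claiming `minio.leechpepin.com` or another name the wildcard cert covers. Since this listener exists for one backend, pin it: add `hostname: minio.leechpepin.com` beside `name: minio`, which also keeps the wildcard certificate from being presented for arbitrary SNI on 9000. `mode: Terminate` means TLS ends here and the hop to `minio-server-svc:9000` is plaintext in-cluster — fine, but worth a comment so nobody assumes end-to-end TLS to the bucket. The enclosing `listeners:` list starts outside this hunk.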
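Review bot: `retain: 3 # Keep last 7 backups` — value and comment disagree, and for a backup policy that is exactly the kind of ambiguity discovered during a restore; settle it one way (`retain: 7`) or the other (`# Keep last 3 backups`). `apiVersion: longhorn.io/v1beta1` is, as far as I recall, the deprecated version of this CRD; if the installed Longhorn is recent, `longhorn.io/v1beta2` is what it serves — check with `kubectl api-resources`. Nothing in this diff configures Longhorn's backup target or its credential secret, so until those point at the `longhorn-minio-secrets` Secret created alongside, the job will fire and fail; the cron also runs in longhorn-manager's timezone (UTC unless configured), which `# Daily at 11pm` does not say.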
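Review bot: The commented-out `recurringJobSelector` names a group `backup-all-volumes`, but the RecurringJob added in this commit is `daily-backup` in group `default`, so whoever uncomments this binds volumes to a group with no job behind it. Either change the placeholder to `'[{"name":"default","isGroup":true}]'` or drop the dead line; the identical line is added to the public StorageClass below. As I recall, Longhorn applies `default`-group jobs to volumes that have no recurring-job labels at all, so the new job may already cover these volumes without any selector — verify in the Longhorn UI before adding one.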
diff --git a/namespaces/longhorn/longhorn/extras/longhorn-secret.yaml b/namespaces/longhorn/longhorn/extras/longhorn-secret.yaml
new file mode 100644
index 0000000..65aba66
--- /dev/null
+++ b/namespaces/longhorn/longhorn/extras/longhorn-secret.yaml
@@ -0,0 +1,27 @@
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+ name: longhorn-minio-secrets
+ namespace: infisical
+ labels:
+ label-to-be-passed-to-managed-secret: homelab
+ annotations:
+ example.com/annotation-to-be-passed-to-managed-secret: "homelab"
+spec:
+ hostAPI: https://app.infisical.com/api
+ resyncInterval: 10
+ authentication:
+ # Universal Auth
+ universalAuth:
+ secretsScope:
+ projectSlug: homelab-n-f-yj
+ envSlug: prod
+ secretsPath: "/longhorn/longhorn" # Root is "/"
+ recursive: true # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
+ credentialsRef:
+ secretName: universal-auth-credentials
+ secretNamespace: infisical
+ managedSecretReference:
+ secretName: longhorn-minio-secrets
+ secretNamespace: longhorn
+ creationPolicy: "Orphan" ## Owner | Orphan
diff --git a/namespaces/longhorn/longhorn/kustomization.yaml b/namespaces/longhorn/longhorn/kustomization.yaml
index 9174371..cdcf42e 100644
--- a/namespaces/longhorn/longhorn/kustomization.yaml
+++ b/namespaces/longhorn/longhorn/kustomization.yaml
@@ -15,6 +15,8 @@ resources: - ../../../kustomize/helmchart - extras/longhorn-public-storageclass.yaml - extras/longhorn-private-storageclass.yaml + - extras/longhorn-secret.yaml + - extras/longhorn-backupjob.yaml patches: - path: patches/chart.yaml
diff --git a/namespaces/traefik/traefik/patches/chart.yaml b/namespaces/traefik/traefik/patches/chart.yaml
index 6b04c71..6ecd916 100644
--- a/namespaces/traefik/traefik/patches/chart.yaml
+++ b/namespaces/traefik/traefik/patches/chart.yaml
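Review bot: `resyncInterval: 10` polls `app.infisical.com` for these credentials every ten seconds (the field is in seconds, as far as I know) — for backup-target keys that change almost never, that is needless authenticated traffic and audit-log noise; something in the hundreds is more proportionate. `creationPolicy: "Orphan"` means `longhorn-minio-secrets` in the `longhorn` namespace survives deletion of this InfisicalSecret, so the MinIO access keys outlive the object that manages them; if that is deliberate (e.g. to ride out an operator outage), replace the bare `## Owner | Orphan` with the reason. The `example.com/annotation-to-be-passed-to-managed-secret` annotation is left over from the Infisical example and carries no meaning here — drop it. Longhorn's S3 backup-target secret has to expose `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_ENDPOINTS`, so the secrets under `/longhorn/longhorn` must be named exactly that; not checkable from this diff, but worth a comment on `secretsPath`.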
@@ -34,6 +34,11 @@ spec:
default: true
port: 2222
exposedPort: 2222
+ minio:
+ expose:
+ default: true
+ port: 9000
+ exposedPort: 9000
service:
annotations:
svccontroller.k3s.cattle.io/tolerations: |
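Review bot: `exposedPort: 9000` with `expose.default: true` publishes a third listening port on the Traefik Service, and with k3s servicelb (the `svccontroller.k3s.cattle.io/tolerations` annotation just below suggests it is in use) that means 9000 opens on every node alongside 80/443/2222 — make sure the host firewall or upstream router only forwards it where the S3 API is actually meant to be reachable. TLS for this port is terminated by the `minio` Gateway listener added in the same commit, not by a `tls` block here; a comment such as `# TLS terminated by the homelab-gateway minio listener` stops someone later adding a conflicting `http.tls` or redirection on this entrypoint.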