diff --git a/namespaces/monitoring/diun/extra/clusterrole.yaml b/namespaces/monitoring/diun/extra/clusterrole.yaml
new file mode 100644
index 0000000..9906fee
--- /dev/null
+++ b/namespaces/monitoring/diun/extra/clusterrole.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: diun
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - watch
+ - list
diff --git a/namespaces/monitoring/diun/extra/clusterrolebinding.yaml b/namespaces/monitoring/diun/extra/clusterrolebinding.yaml
new file mode 100644
index 0000000..66162f0
--- /dev/null
+++ b/namespaces/monitoring/diun/extra/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: diun
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: diun
+subjects:
+ - kind: ServiceAccount
+ name: diun
+ namespace: monitoring
diff --git a/namespaces/monitoring/diun/extra/serviceaccount.yaml b/namespaces/monitoring/diun/extra/serviceaccount.yaml
new file mode 100644
index 0000000..4128ca4
--- /dev/null
+++ b/namespaces/monitoring/diun/extra/serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: diun
diff --git a/namespaces/monitoring/diun/kustomization.yaml b/namespaces/monitoring/diun/kustomization.yaml
new file mode 100644
index 0000000..462e656
--- /dev/null
+++ b/namespaces/monitoring/diun/kustomization.yaml
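Review bot: The ClusterRole grants get/list/watch on pods in every namespace, while the diun kustomization in this same commit restricts the provider to an explicit list (`DIUN_PROVIDERS_KUBERNETES_NAMESPACES=ai,apps,auth,core,homelab,monitoring`), so the grant is broader than its consumer; if cluster scope is kept for convenience, record that above `rules:` with `# Cluster-wide read on pods; the watched namespace list lives in DIUN_PROVIDERS_KUBERNETES_NAMESPACES` so the two stay in step when the list changes. A second point applies to this file, clusterrolebinding.yaml and serviceaccount.yaml together: the kustomization sets `namePrefix: diun-`, and if that prefix is applied to these extra resources as I would expect, the objects are rendered as `diun-diun`; naming them like the base resources (`name: sa`, `name: role`, with the roleRef and subject in the binding updated to match) would yield `diun-sa`/`diun-role` and follow the `app`/`pvc`/`config` convention already used here. Both points are inferred from the kustomization in this commit rather than from rendered output.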
@@ -0,0 +1,92 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+ - |-
+ apiVersion: builtin
+ kind: NamespaceTransformer
+ metadata:
+ name: notImportantHere
+ namespace: monitoring
+ unsetOnly: true
+
+namePrefix: diun-
+resources:
+ - ../../../kustomize/noservice/
+ - extra/serviceaccount.yaml
+ - extra/clusterrole.yaml
+ - extra/clusterrolebinding.yaml
+
+replacements:
+ - source:
+ kind: Deployment
+ name: app
+ fieldPath: metadata.labels.[app.kubernetes.io/appName]
+ targets:
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "-"
+ index: 0
+ fieldPaths:
+ - spec.managedSecretReference.secretName
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "/"
+ index: 2
+ fieldPaths:
+ - spec.authentication.universalAuth.secretsScope.secretsPath
+ - source:
+ kind: Deployment
+ name: app
+ fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
+ targets:
+ - select:
+ kind: InfisicalSecret
+ fieldPaths:
+ - spec.managedSecretReference.secretNamespace
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "/"
+ index: 1
+ fieldPaths:
+ - spec.authentication.universalAuth.secretsScope.secretsPath
+
+patches:
+ - path: patches/deployment.yaml
+ target:
+ kind: Deployment
+ name: app
+ - path: patches/pvc.yaml
+ target:
+ kind: PersistentVolumeClaim
+ name: pvc
+
+labels:
+ - includeSelectors: true
+ pairs:
+ app.kubernetes.io/appName: diun
+ - pairs:
+ app.kubernetes.io/appNamespace: monitoring
+
+configMapGenerator:
+ - name: config
+ literals:
+ - TZ=America/New_York
+ - DIUN_DEFAULTS_MAXTAGS=10
+ # Watch setup
+ - DIUN_WATCH_WORKERS=10
+ - DIUN_WATCH_JITTER=30s
+ - DIUN_WATCH_SCHEDULE=0 */6 * * *
+ - DIUN_WATCH_FIRSTCHECKNOTIF=true
+ # Diun k8s provider
+ - DIUN_PROVIDERS_KUBERNETES=true
+ - DIUN_PROVIDERS_KUBERNETES_NAMESPACES=ai,apps,auth,core,homelab,monitoring
+ - DIUN_PROVIDERS_KUBERNETES_WATCHBYDEFAULT=true
+ # # Notifications to self-hosted healthcheck.io
+ # - 
DIUN_WATCH_HEALTHCHECKS_BASEURL=https://health.leechpepin.com
+ # - DIUN_WATCH_HEALTHCHECKS_UUID=
+ # Ntfy
+ - DIUN_NOTIF_NTFY_ENDPOINT=https://ntfy.leechpepin.com
diff --git a/namespaces/monitoring/diun/patches/deployment.yaml b/namespaces/monitoring/diun/patches/deployment.yaml
new file mode 100644
index 0000000..9ff3d1c
--- /dev/null
+++ b/namespaces/monitoring/diun/patches/deployment.yaml
@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: app
+spec:
+ template:
+ spec:
+ tolerations:
+ - key: "public"
+ operator: "Equal"
+ value: "true"
+ effect: "NoSchedule"
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ preference:
+ matchExpressions:
+ - key: public
+ operator: In
+ values:
+ - "true"
+ serviceAccountName: diun
+ containers:
+ - name: diun
+ image: crazymax/diun:latest
+ imagePullPolicy: Always
+ args: ["serve"]
+ envFrom:
+ - configMapRef:
+ name: diun-config
+ env:
+ - name: DIUN_NOTIF_NTFY_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: diun-secrets
+ key: DIUN_NTFY_TOKEN
+ - name: DIUN_NOTIF_NTFY_TOPIC
+ valueFrom:
+ secretKeyRef:
+ name: diun-secrets
+ key: DIUN_NTFY_TOPIC
+ volumeMounts:
+ - mountPath: "/data"
+ name: diun-data
+ subPath: data
+ restartPolicy: Always
+ volumes:
+ # Set up a data directory for diun
+ # For production usage, you should consider using PV/PVC instead(or simply using storage like NAS)
+ # For more details, please see https://kubernetes.io/docs/concepts/storage/volumes/
+ - name: diun-data
+ persistentVolumeClaim:
+ claimName: diun-pvc
diff --git a/namespaces/monitoring/diun/patches/pvc.yaml b/namespaces/monitoring/diun/patches/pvc.yaml
new file mode 100644
index 0000000..8985946
--- /dev/null
+++ b/namespaces/monitoring/diun/patches/pvc.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: pvc
+spec:
+ storageClassName: longhorn-public
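Review bot: The two commented healthchecks literals at the end of the generator are left in as dead configuration with a doubled `# #` marker and an empty `DIUN_WATCH_HEALTHCHECKS_UUID=` value, which would ship an empty UUID if someone simply uncomments them; either drop the pair or replace them with one comment such as `# healthchecks.io ping (DIUN_WATCH_HEALTHCHECKS_BASEURL/_UUID) not configured; the UUID must be filled in before enabling`. The `DIUN_WATCH_SCHEDULE=0 */6 * * *` literal is parsed as a plain string only because the scalar does not start with `*`; quoting it as `- "DIUN_WATCH_SCHEDULE=0 */6 * * *"` makes that explicit and survives a reformat that might move the `*`. `DIUN_NOTIF_NTFY_ENDPOINT` here and `NTFY_BASE_URL` in the sibling ntfy kustomization repeat the same host by hand, so a one-line comment on this literal that it must match the ntfy base URL would help the next edit.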
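Review bot: The container runs `crazymax/diun:latest` with `imagePullPolicy: Always`, so any pod restart may silently pull a different build and the rendered manifest no longer records which version is deployed; the sibling ntfy patch pins `binwiederhier/ntfy:v2.11.0 # set deployed version`, and the same `image: crazymax/diun:<pinned tag> # set deployed version` here would give the tool that watches for image updates a fixed baseline of its own. The three-line comment under `volumes:` still says to "consider using PV/PVC instead" although the volume below it already is a `persistentVolumeClaim`; replace it with `# diun persistent state under /data, backed by the diun-pvc claim` or drop it. Unlike the ntfy patch this pod also has no `resources` block and no `securityContext`, which matters more here because the pod carries a ServiceAccount token with cluster-wide pod read; `runAsNonRoot: true` and `allowPrivilegeEscalation: false`, if the image supports running unprivileged, are worth checking.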
diff --git a/namespaces/monitoring/ntfy/kustomization.yaml b/namespaces/monitoring/ntfy/kustomization.yaml
new file mode 100644
index 0000000..f6a1e35
--- /dev/null
+++ b/namespaces/monitoring/ntfy/kustomization.yaml
@@ -0,0 +1,108 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+ - |-
+ apiVersion: builtin
+ kind: NamespaceTransformer
+ metadata:
+ name: notImportantHere
+ namespace: monitoring
+ unsetOnly: true
+
+namePrefix: ntfy-
+resources:
+ - ../../../kustomize/deployment/
+
+replacements:
+ - source:
+ kind: Service
+ name: svc
+ targets:
+ - select:
+ kind: HTTPRoute
+ options:
+ create: true
+ fieldPaths:
+ - spec.rules.0.backendRefs.0.name
+ - source:
+ kind: Deployment
+ name: app
+ fieldPath: metadata.labels.[app.kubernetes.io/appName]
+ targets:
+ - select:
+ kind: HTTPRoute
+ options:
+ create: true
+ delimiter: "."
+ index: 0
+ fieldPaths:
+ - spec.hostnames.0
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "-"
+ index: 0
+ fieldPaths:
+ - spec.managedSecretReference.secretName
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "/"
+ index: 2
+ fieldPaths:
+ - spec.authentication.universalAuth.secretsScope.secretsPath
+ - select:
+ kind: Service
+ fieldPaths:
+ - spec.ports.0.name
+ - spec.ports.0.targetPort
+ - source:
+ kind: Deployment
+ name: app
+ fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
+ targets:
+ - select:
+ kind: InfisicalSecret
+ fieldPaths:
+ - spec.managedSecretReference.secretNamespace
+ - select:
+ kind: InfisicalSecret
+ options:
+ delimiter: "/"
+ index: 1
+ fieldPaths:
+ - spec.authentication.universalAuth.secretsScope.secretsPath
+
+patches:
+ - path: patches/deployment.yaml
+ target:
+ kind: Deployment
+ name: app
+ - path: patches/pvc.yaml
+ target:
+ kind: PersistentVolumeClaim
+ name: pvc
+
+labels:
+ - includeSelectors: true
+ pairs:
+ app.kubernetes.io/appName: ntfy
+ - pairs:
+ app.kubernetes.io/appNamespace: monitoring
+
+configMapGenerator:
+ - name: config
+ literals:
+ - TZ=America/New_York
+ - NTFY_BASE_URL=https://ntfy.leechpepin.com
+ - NTFY_CACHE_FILE=/var/cache/ntfy/cache.db
+ - NTFY_ATTACHMENT_CACHE_DIR=/var/cache/ntfy/attachments
+ - 
NTFY_AUTH_FILE=/var/cache/ntfy/auth.db
+ - NTFY_AUTH_DEFAULT_ACCESS=deny-all
+ - NTFY_BEHIND_PROXY=true
+ - NTFY_ENABLE_LOGIN=true
+ - NTFY_WEB_PUSH_FILE=/var/cache/ntfy/webpush.db
+ - NTFY_WEB_PUSH_PUBLIC_KEY=BMsh_qTqBI5D9BNPgXBLUsKd5O9PBycfkEyk5ikLx2KAgIxxXfPe8r_cjDPkaU-eMF2sptm6p__bvht70qcuu3
+ - NTFY_WEB_PUSH_EMAIL_ADDRESS=homelab@leechpepin.com
+ # - NTFY_WEB_ROOT=disable
diff --git a/namespaces/monitoring/ntfy/patches/deployment.yaml b/namespaces/monitoring/ntfy/patches/deployment.yaml
new file mode 100644
index 0000000..4c3b8ec
--- /dev/null
+++ b/namespaces/monitoring/ntfy/patches/deployment.yaml
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: app
+spec:
+ template:
+ spec:
+ tolerations:
+ - key: "public"
+ operator: "Equal"
+ value: "true"
+ effect: "NoSchedule"
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ preference:
+ matchExpressions:
+ - key: public
+ operator: In
+ values:
+ - "true"
+ containers:
+ - name: ntfy
+ image: binwiederhier/ntfy:v2.11.0 # set deployed version
+ args: ["serve"]
+ ports:
+ - containerPort: 80
+ name: ntfy
+ resources:
+ limits:
+ memory: 300Mi
+ cpu: 200m
+ requests:
+ cpu: 150m
+ memory: 150Mi
+ volumeMounts:
+ - mountPath: /var/cache/ntfy
+ name: ntfy-data
+ subPath: "data"
+ envFrom:
+ - configMapRef:
+ name: ntfy-config
+ env:
+ - name: NTFY_WEB_PUSH_PRIVATE_KEY
+ valueFrom:
+ secretKeyRef:
+ name: ntfy-secrets
+ key: VAPID_PRIVATE_KEY
+ optional: false
+ livenessProbe:
+ httpGet:
+ path: /v1/health
+ port: ntfy
+ readinessProbe:
+ httpGet:
+ path: /v1/health
+ port: ntfy
+ startupProbe:
+ httpGet:
+ path: /v1/health
+ port: ntfy
+ volumes:
+ - name: ntfy-data
+ persistentVolumeClaim:
+ claimName: ntfy-pvc
diff --git a/namespaces/monitoring/ntfy/patches/pvc.yaml b/namespaces/monitoring/ntfy/patches/pvc.yaml
new file mode 100644
index 0000000..8985946
--- /dev/null
+++ b/namespaces/monitoring/ntfy/patches/pvc.yaml
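Review bot: `NTFY_BASE_URL=https://ntfy.leechpepin.com` is written by hand while the HTTPRoute hostname is derived from the appName label through the replacement on `spec.hostnames.0`, so a change to the base HTTPRoute's domain will move the route but leave the URL ntfy advertises to its clients pointing at the old name; a comment such as `# must match the HTTPRoute hostname produced by the appName replacement above` on that literal records the coupling. `NTFY_BEHIND_PROXY=true` tells ntfy, as I read it, to trust the forwarded client address for rate limiting, which is only correct when the gateway in front of it sets that header and is the only path to the pod, so a one-line comment naming that assumption belongs next to it. The trailing `# - NTFY_WEB_ROOT=disable` is dead configuration and should either go or say why it is kept.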
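Review bot: The pod sets no `securityContext`, so the container runs with whatever the image defaults to, even though the only state it writes is the `/var/cache/ntfy` mount on its own volume; `readOnlyRootFilesystem: true` with `allowPrivilegeEscalation: false` is cheap hardening for a service exposed through an HTTPRoute, and `runAsNonRoot: true` as well if the image can bind `containerPort: 80` unprivileged (otherwise the listen port would have to move via `NTFY_LISTEN_HTTP`). The three probes share one `httpGet` on `/v1/health` with no `periodSeconds` or `failureThreshold`, so a slow first start on a cold `longhorn-public` volume gets only the default startup budget; a comment stating the accepted start-up window, or an explicit `failureThreshold` on the startupProbe, would make the intent visible. `subPath: "data"` is quoted here while the diun patch writes `subPath: data`; pick one style across the two patches.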
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: pvc
+spec:
+ storageClassName: longhorn-public