feat(networking): move to gateway api #3543
Merged
Conversation
--- kubernetes/apps/monitoring/karma/app Kustomization: monitoring/karma HelmRelease: monitoring/karma
+++ kubernetes/apps/monitoring/karma/app Kustomization: monitoring/karma HelmRelease: monitoring/karma
@@ -70,22 +70,24 @@
strategy: RollingUpdate
defaultPodOptions:
securityContext:
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- ingress:
+ route:
app:
- className: internal
- hosts:
- - host: '{{ .Release.Name }}.ktwo.io'
- paths:
- - path: /
- service:
- identifier: app
- port: http
+ hostnames:
+ - '{{ .Release.Name }}.ktwo.io'
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: karma
+ port: 8080
service:
app:
controller: karma
ports:
http:
port: 8080
--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium HelmRelease: kube-system/cilium
+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium HelmRelease: kube-system/cilium
@@ -28,8 +28,8 @@
strategy: rollback
values:
operator:
tolerations: []
valuesFrom:
- kind: ConfigMap
- name: cilium-values-c4chgbmh9c
+ name: cilium-values-45cd27ft4h
--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium ConfigMap: kube-system/cilium-values-c4chgbmh9c
+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium ConfigMap: kube-system/cilium-values-c4chgbmh9c
@@ -1,95 +0,0 @@
----
-apiVersion: v1
-data:
- values.yaml: |
- ---
- autoDirectNodeRoutes: true
- bandwidthManager:
- enabled: true
- bbr: true
- bpf:
- datapathMode: netkit
- masquerade: true
- preallocateMaps: true
- tproxy: true
- bgpControlPlane:
- enabled: true
- cgroup:
- automount:
- enabled: false
- hostRoot: /sys/fs/cgroup
- cluster:
- id: 1
- name: main
- cni:
- exclusive: false
- dashboards:
- enabled: true
- enableIPv4BIGTCP: true
- endpointRoutes:
- enabled: true
- envoy:
- enabled: false
- hubble:
- enabled: false
- ipam:
- mode: kubernetes
- ipv4NativeRoutingCIDR: 10.244.0.0/16
- k8sServiceHost: 127.0.0.1
- k8sServicePort: 7445
- kubeProxyReplacement: true
- kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
- l2announcements:
- enabled: true
- loadBalancer:
- algorithm: maglev
- mode: dsr
- localRedirectPolicy: true
- operator:
- replicas: 2
- rollOutPods: true
- prometheus:
- enabled: true
- serviceMonitor:
- enabled: true
- dashboards:
- enabled: true
- prometheus:
- enabled: true
- serviceMonitor:
- enabled: true
- trustCRDsExist: true
- rollOutCiliumPods: true
- routingMode: native
- securityContext:
- capabilities:
- ciliumAgent:
- - CHOWN
- - KILL
- - NET_ADMIN
- - NET_RAW
- - IPC_LOCK
- - SYS_ADMIN
- - SYS_RESOURCE
- - PERFMON
- - BPF
- - DAC_OVERRIDE
- - FOWNER
- - SETGID
- - SETUID
- cleanCiliumState:
- - NET_ADMIN
- - SYS_ADMIN
- - SYS_RESOURCE
- tls:
- secretsNamespace:
- create: false
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: cilium
- kustomize.toolkit.fluxcd.io/name: cilium
- kustomize.toolkit.fluxcd.io/namespace: kube-system
- name: cilium-values-c4chgbmh9c
- namespace: kube-system
-
--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium ConfigMap: kube-system/cilium-values-45cd27ft4h
+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium ConfigMap: kube-system/cilium-values-45cd27ft4h
@@ -0,0 +1,95 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ autoDirectNodeRoutes: true
+ bandwidthManager:
+ enabled: true
+ bbr: true
+ bpf:
+ datapathMode: netkit
+ masquerade: true
+ preallocateMaps: true
+ tproxy: true
+ bgpControlPlane:
+ enabled: true
+ cgroup:
+ automount:
+ enabled: false
+ hostRoot: /sys/fs/cgroup
+ cluster:
+ id: 1
+ name: main
+ cni:
+ exclusive: false
+ dashboards:
+ enabled: true
+ enableIPv4BIGTCP: true
+ endpointRoutes:
+ enabled: true
+ envoy:
+ enabled: true
+ gatewayAPI:
+ enabled: true
+ enableAlpn: true
+ hubble:
+ enabled: false
+ ipam:
+ mode: kubernetes
+ ipv4NativeRoutingCIDR: 10.244.0.0/16
+ k8sServiceHost: 127.0.0.1
+ k8sServicePort: 7445
+ kubeProxyReplacement: true
+ kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
+ l2announcements:
+ enabled: true
+ loadBalancer:
+ algorithm: maglev
+ mode: dsr
+ localRedirectPolicy: true
+ operator:
+ replicas: 2
+ rollOutPods: true
+ prometheus:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ dashboards:
+ enabled: true
+ prometheus:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ trustCRDsExist: true
+ rollOutCiliumPods: true
+ routingMode: native
+ securityContext:
+ capabilities:
+ ciliumAgent:
+ - CHOWN
+ - KILL
+ - NET_ADMIN
+ - NET_RAW
+ - IPC_LOCK
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ - PERFMON
+ - BPF
+ - DAC_OVERRIDE
+ - FOWNER
+ - SETGID
+ - SETUID
+ cleanCiliumState:
+ - NET_ADMIN
+ - SYS_ADMIN
+ - SYS_RESOURCE
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: cilium
+ kustomize.toolkit.fluxcd.io/name: cilium
+ kustomize.toolkit.fluxcd.io/namespace: kube-system
+ name: cilium-values-45cd27ft4h
+ namespace: kube-system
+
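Review bot: the old values carried `tls.secretsNamespace.create: false` and the new ConfigMap drops that key, so the chart now creates the `cilium-secrets` Namespace (the new Namespace object further down in this diff) and, with `gatewayAPI.enabled: true`, the operator mirrors every TLS Secret a Gateway references into it. That namespace will hold a second copy of `ktwo-io-tls`, so it deserves the same RBAC scrutiny as `cert-manager`; call the dropped key out in the PR description, since it is easy to miss next to the `envoy` and `gatewayAPI` additions. `envoy.enabled: true` also moves the proxy out of the agent into the separate `cilium-envoy` DaemonSet (`external-envoy-proxy: 'true'` in the rendered cilium-config), which is the sensible choice for Gateway API.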
--- kubernetes/apps/monitoring/blackbox-exporter/app Kustomization: monitoring/blackbox-exporter HelmRelease: monitoring/blackbox-exporter
+++ kubernetes/apps/monitoring/blackbox-exporter/app Kustomization: monitoring/blackbox-exporter HelmRelease: monitoring/blackbox-exporter
@@ -42,20 +42,12 @@
tcp_connect:
prober: tcp
tcp:
preferred_ip_protocol: ipv4
timeout: 5s
fullnameOverride: blackbox-exporter
- ingress:
- className: internal
- enabled: true
- hosts:
- - host: blackbox-exporter.ktwo.io
- paths:
- - path: /
- pathType: Prefix
securityContext:
capabilities:
add:
- NET_RAW
serviceMonitor:
enabled: true
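Review bot: the `ingress:` block is removed here but, unlike the other HelmReleases in this PR, no `route:` block replaces it, so `blackbox-exporter.ktwo.io` stops being served once nginx-internal is deleted. If dropping the exposure is intentional (the prober only needs to be reachable by Prometheus in-cluster, and the `serviceMonitor` stays enabled) say so in the description; otherwise add the `route` like the others.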
--- kubernetes/apps/external-secrets/onepassword/app Kustomization: external-secrets/onepassword HelmRelease: external-secrets/onepassword
+++ kubernetes/apps/external-secrets/onepassword/app Kustomization: external-secrets/onepassword HelmRelease: external-secrets/onepassword
@@ -119,22 +119,12 @@
strategy: RollingUpdate
defaultPodOptions:
securityContext:
runAsGroup: 999
runAsNonRoot: true
runAsUser: 999
- ingress:
- app:
- className: internal
- hosts:
- - host: '{{ .Release.Name }}.ktwo.io'
- paths:
- - path: /
- service:
- identifier: app
- port: http
persistence:
config:
globalMounts:
- path: /config
type: emptyDir
service:
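Review bot: `onepassword.ktwo.io` is removed with no `route:` added between `persistence:` and `service:`, where the other charts in this PR place theirs. For the 1Password Connect API that is a welcome reduction of exposed surface as long as external-secrets reaches it through the in-cluster Service; confirm that this is the intent rather than an omission.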
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: networking/nginx-internal
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: networking/nginx-internal
@@ -1,27 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: cluster-apps
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: nginx-internal
- namespace: networking
-spec:
- commonMetadata:
- labels:
- app.kubernetes.io/name: nginx-internal
- dependsOn:
- - name: cert-manager-tls
- namespace: cert-manager
- interval: 1h
- path: ./kubernetes/apps/networking/nginx/internal
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- targetNamespace: networking
- timeout: 5m
- wait: true
-
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: kube-system/cilium-ingress
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: kube-system/cilium-ingress
@@ -0,0 +1,31 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster-apps
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cilium-ingress
+ namespace: kube-system
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: cilium-ingress
+ dependsOn:
+ - name: cert-manager-tls
+ namespace: cert-manager
+ - name: cilium
+ namespace: kube-system
+ - name: cilium-config
+ namespace: kube-system
+ interval: 1h
+ path: ./kubernetes/apps/kube-system/cilium/ingress
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ targetNamespace: kube-system
+ timeout: 5m
+ wait: true
+
--- kubernetes/apps/monitoring/grafana/app Kustomization: monitoring/grafana HelmRelease: monitoring/grafana
+++ kubernetes/apps/monitoring/grafana/app Kustomization: monitoring/grafana HelmRelease: monitoring/grafana
@@ -243,26 +243,30 @@
enabled: true
org_id: 1
org_name: Main Org.
org_role: Viewer
news:
news_feed_enabled: false
- ingress:
- enabled: true
- hosts:
- - '{{ .Release.Name }}.ktwo.io'
- ingressClassName: internal
persistence:
enabled: false
plugins:
- grafana-clock-panel
- grafana-piechart-panel
- grafana-worldmap-panel
- natel-discrete-panel
- pr0ps-trackmap-panel
- vonage-status-panel
+ route:
+ main:
+ enabled: true
+ hostnames:
+ - '{{ .Release.Name }}.ktwo.io'
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
serviceMonitor:
enabled: true
sidecar:
dashboards:
enabled: true
folderAnnotation: grafana_folder
--- kubernetes/apps/home/go2rtc/app Kustomization: home/go2rtc HelmRelease: home/go2rtc
+++ kubernetes/apps/home/go2rtc/app Kustomization: home/go2rtc HelmRelease: home/go2rtc
@@ -81,30 +81,32 @@
securityContext:
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
supplementalGroups:
- 44
- ingress:
- app:
- className: internal
- hosts:
- - host: '{{ .Release.Name }}.ktwo.io'
- paths:
- - path: /
- service:
- identifier: app
- port: http
persistence:
config:
globalMounts:
- path: /config/go2rtc.yaml
readOnly: true
subPath: go2rtc.yaml
name: go2rtc-configmap
type: configMap
+ route:
+ app:
+ hostnames:
+ - '{{ .Release.Name }}.ktwo.io'
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: go2rtc
+ port: 80
service:
app:
controller: go2rtc
ports:
http:
port: 80
--- kubernetes/apps/networking/external-dns/unifi Kustomization: networking/external-dns-unifi HelmRelease: networking/external-dns-unifi
+++ kubernetes/apps/networking/external-dns/unifi Kustomization: networking/external-dns-unifi HelmRelease: networking/external-dns-unifi
@@ -66,12 +66,12 @@
port: http-webhook
initialDelaySeconds: 10
timeoutSeconds: 5
serviceMonitor:
enabled: true
sources:
- - ingress
+ - gateway-httproute
- service
triggerLoopOnEvent: true
txtOwnerId: k8s
txtPrefix: k8s.
--- kubernetes/apps/rook-ceph/rook-ceph/cluster Kustomization: rook-ceph/rook-ceph-cluster HelmRelease: rook-ceph/rook-ceph-cluster
+++ kubernetes/apps/rook-ceph/rook-ceph/cluster Kustomization: rook-ceph/rook-ceph-cluster HelmRelease: rook-ceph/rook-ceph-cluster
@@ -84,18 +84,12 @@
storage:
devicePathFilter: /dev/disk/by-id/nvme-SAMSUNG_MZQL23T8HCLS-00A07_.*
useAllDevices: false
useAllNodes: true
cephFileSystems: []
cephObjectStores: []
- ingress:
- dashboard:
- host:
- name: rook.ktwo.io
- path: /
- ingressClassName: internal
monitoring:
createPrometheusRules: true
enabled: true
toolbox:
enabled: true
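Review bot: the Ceph dashboard host `rook.ktwo.io` is removed and no replacement route for it appears in this diff. The dashboard is an administrative UI, so losing the hostname is defensible, but state in the description whether access is now meant to go through a port-forward or a later HTTPRoute so the change is not mistaken for a regression.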
--- kubernetes/apps/databases/emqx/cluster Kustomization: databases/emqx-cluster Ingress: databases/emqx
+++ kubernetes/apps/databases/emqx/cluster Kustomization: databases/emqx-cluster Ingress: databases/emqx
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- labels:
- app.kubernetes.io/name: emqx-cluster
- kustomize.toolkit.fluxcd.io/name: emqx-cluster
- kustomize.toolkit.fluxcd.io/namespace: databases
- name: emqx
- namespace: databases
-spec:
- ingressClassName: internal
- rules:
- - host: emqx.ktwo.io
- http:
- paths:
- - backend:
- service:
- name: emqx-dashboard
- port:
- number: 18083
- path: /
- pathType: Prefix
-
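Review bot: this deletes the hand-written Ingress for `emqx.ktwo.io` (backend `emqx-dashboard`, port 18083) and no HTTPRoute replacement appears in the part of the diff shown. Because it is a raw resource rather than a chart value, the migration needs a new `HTTPRoute` object in `databases` with a parentRef to `kube-system/internal`; either add it or note that the EMQX dashboard is intentionally no longer exposed.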
--- kubernetes/apps/media/bazarr/app Kustomization: media/bazarr HelmRelease: media/bazarr
+++ kubernetes/apps/media/bazarr/app Kustomization: media/bazarr HelmRelease: media/bazarr
@@ -98,22 +98,12 @@
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
supplementalGroups:
- 65536
- ingress:
- app:
- className: internal
- hosts:
- - host: '{{ .Release.Name }}.ktwo.io'
- paths:
- - path: /
- service:
- identifier: app
- port: http
persistence:
add-ons:
type: emptyDir
config:
existingClaim: bazarr
config-cache:
@@ -133,12 +123,24 @@
globalMounts:
- readOnly: true
name: bazarr-scripts
type: configMap
tmp:
type: emptyDir
+ route:
+ app:
+ hostnames:
+ - '{{ .Release.Name }}.ktwo.io'
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: bazarr
+ port: 6767
service:
app:
controller: bazarr
ports:
http:
port: 6767
--- kubernetes/apps/media/qbittorrent/app Kustomization: media/qbittorrent HelmRelease: media/qbittorrent
+++ kubernetes/apps/media/qbittorrent/app Kustomization: media/qbittorrent HelmRelease: media/qbittorrent
@@ -79,40 +79,37 @@
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
supplementalGroups:
- 65536
- ingress:
- app:
- className: internal
- hosts:
- - host: '{{ .Release.Name }}.ktwo.io'
- paths:
- - path: /
- service:
- identifier: app
- port: http
- - host: qb.ktwo.io
- paths:
- - path: /
- service:
- identifier: app
- port: http
persistence:
config:
existingClaim: qbittorrent
media:
globalMounts:
- path: /media/downloads/torrents
subPath: downloads/torrents
path: /volume1/media
server: nas.internal
type: nfs
tmp:
type: emptyDir
+ route:
+ app:
+ hostnames:
+ - '{{ .Release.Name }}.ktwo.io'
+ - qb.ktwo.io
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: qbittorrent
+ port: 8080
service:
app:
controller: qbittorrent
nameOverride: qbittorrent
ports:
http:
--- kubernetes/apps/monitoring/kube-prometheus-stack/app Kustomization: monitoring/kube-prometheus-stack HelmRelease: monitoring/kube-prometheus-stack
+++ kubernetes/apps/monitoring/kube-prometheus-stack/app Kustomization: monitoring/kube-prometheus-stack HelmRelease: monitoring/kube-prometheus-stack
@@ -34,17 +34,21 @@
volumeClaimTemplate:
spec:
resources:
requests:
storage: 1Gi
storageClassName: ceph-block
- ingress:
- enabled: true
- hosts:
- - am.ktwo.io
- ingressClassName: internal
+ route:
+ main:
+ enabled: true
+ hostnames:
+ - am.ktwo.io
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
cleanPrometheusOperatorObjectNames: true
crds:
enabled: true
upgradeJob:
enabled: true
forceConflicts: true
@@ -71,17 +75,12 @@
service:
selector:
component: kube-apiserver
kubeProxy:
enabled: false
prometheus:
- ingress:
- enabled: true
- hosts:
- - prometheus.ktwo.io
- ingressClassName: internal
prometheusSpec:
enableAdminAPI: true
enableFeatures:
- memory-snapshot-on-shutdown
externalUrl: https://prometheus.ktwo.io
podMonitorSelectorNilUsesHelmValues: false
@@ -101,12 +100,21 @@
spec:
resources:
requests:
storage: 50Gi
storageClassName: ceph-block
walCompression: true
+ route:
+ main:
+ enabled: true
+ hostnames:
+ - prometheus.ktwo.io
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
prometheus-node-exporter:
fullnameOverride: node-exporter
prometheus:
monitor:
enabled: true
relabelings:
--- kubernetes/apps/media/sabnzbd/app Kustomization: media/sabnzbd HelmRelease: media/sabnzbd
+++ kubernetes/apps/media/sabnzbd/app Kustomization: media/sabnzbd HelmRelease: media/sabnzbd
@@ -86,40 +86,37 @@
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
supplementalGroups:
- 65536
- ingress:
- app:
- className: internal
- hosts:
- - host: '{{ .Release.Name }}.ktwo.io'
- paths:
- - path: /
- service:
- identifier: app
- port: http
- - host: sab.ktwo.io
- paths:
- - path: /
- service:
- identifier: app
- port: http
persistence:
config:
existingClaim: sabnzbd
media:
globalMounts:
- path: /media/downloads/nzbs
subPath: downloads/nzbs
path: /volume1/media
server: nas.internal
type: nfs
tmp:
type: emptyDir
+ route:
+ app:
+ hostnames:
+ - '{{ .Release.Name }}.ktwo.io'
+ - sab.ktwo.io
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: sabnzbd
+ port: 8080
service:
app:
controller: sabnzbd
ports:
http:
port: 8080
--- kubernetes/apps/media/tautulli/app Kustomization: media/tautulli HelmRelease: media/tautulli
+++ kubernetes/apps/media/tautulli/app Kustomization: media/tautulli HelmRelease: media/tautulli
@@ -71,22 +71,12 @@
securityContext:
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- ingress:
- app:
- className: internal
- hosts:
- - host: '{{ .Release.Name }}.ktwo.io'
- paths:
- - path: /
- service:
- identifier: app
- port: http
persistence:
config:
existingClaim: tautulli
config-cache:
existingClaim: tautulli-cache
globalMounts:
@@ -94,12 +84,24 @@
config-logs:
globalMounts:
- path: /config/logs
type: emptyDir
tmp:
type: emptyDir
+ route:
+ app:
+ hostnames:
+ - '{{ .Release.Name }}.ktwo.io'
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: tautulli
+ port: 8181
service:
app:
controller: tautulli
ports:
http:
port: 8181
--- kubernetes/apps/home/atuin/app Kustomization: home/atuin HelmRelease: home/atuin
+++ kubernetes/apps/home/atuin/app Kustomization: home/atuin HelmRelease: home/atuin
@@ -92,31 +92,28 @@
strategy: RollingUpdate
defaultPodOptions:
securityContext:
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- ingress:
- app:
- className: internal
- hosts:
- - host: '{{ .Release.Name }}.ktwo.io'
- paths:
- - path: /
- service:
- identifier: app
- port: http
- - host: sh.ktwo.io
- paths:
- - path: /
- service:
- identifier: app
- port: http
persistence:
config:
type: emptyDir
+ route:
+ app:
+ hostnames:
+ - '{{ .Release.Name }}.ktwo.io'
+ - sh.ktwo.io
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: atuin
+ port: 8080
service:
app:
controller: atuin
ports:
http:
port: 8080
--- kubernetes/apps/media/prowlarr/app Kustomization: media/prowlarr HelmRelease: media/prowlarr
+++ kubernetes/apps/media/prowlarr/app Kustomization: media/prowlarr HelmRelease: media/prowlarr
@@ -88,27 +88,29 @@
tag: 17
defaultPodOptions:
securityContext:
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- ingress:
- app:
- className: internal
- hosts:
- - host: '{{ .Release.Name }}.ktwo.io'
- paths:
- - path: /
- service:
- identifier: app
- port: http
persistence:
config:
type: emptyDir
tmp:
type: emptyDir
+ route:
+ app:
+ hostnames:
+ - '{{ .Release.Name }}.ktwo.io'
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: prowlarr
+ port: 9696
service:
app:
controller: prowlarr
ports:
http:
port: 9696
--- kubernetes/apps/home/home-assistant/app Kustomization: home/home-assistant HelmRelease: home/home-assistant
+++ kubernetes/apps/home/home-assistant/app Kustomization: home/home-assistant HelmRelease: home/home-assistant
@@ -58,28 +58,12 @@
securityContext:
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- ingress:
- app:
- className: internal
- hosts:
- - host: '{{ .Release.Name }}.ktwo.io'
- paths:
- - path: /
- service:
- identifier: app
- port: http
- - host: hass.ktwo.io
- paths:
- - path: /
- service:
- identifier: app
- port: http
persistence:
config:
existingClaim: home-assistant
config-logs:
globalMounts:
- path: /config/logs
@@ -87,12 +71,25 @@
config-tts:
globalMounts:
- path: /config/tts
type: emptyDir
tmp:
type: emptyDir
+ route:
+ app:
+ hostnames:
+ - '{{ .Release.Name }}.ktwo.io'
+ - hass.ktwo.io
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: home-assistant
+ port: 8123
service:
app:
controller: home-assistant
ports:
http:
port: 8123
--- kubernetes/apps/networking/nginx/internal Kustomization: networking/nginx-internal HelmRelease: networking/nginx-internal
+++ kubernetes/apps/networking/nginx/internal Kustomization: networking/nginx-internal HelmRelease: networking/nginx-internal
@@ -1,90 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: nginx-internal
- kustomize.toolkit.fluxcd.io/name: nginx-internal
- kustomize.toolkit.fluxcd.io/namespace: networking
- name: nginx-internal
- namespace: networking
-spec:
- chart:
- spec:
- chart: ingress-nginx
- sourceRef:
- kind: HelmRepository
- name: ingress-nginx
- namespace: flux-system
- version: 4.12.0
- install:
- remediation:
- retries: 3
- interval: 1h
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- values:
- controller:
- admissionWebhooks:
- objectSelector:
- matchExpressions:
- - key: ingress-class
- operator: In
- values:
- - internal
- config:
- allow-snippet-annotations: true
- annotations-risk-level: Critical
- client-body-buffer-size: 100M
- client-body-timeout: 120
- client-header-timeout: 120
- enable-brotli: true
- enable-ocsp: true
- enable-real-ip: true
- force-ssl-redirect: true
- hide-headers: Server,X-Powered-By
- hsts-max-age: 31449600
- keep-alive: 120
- keep-alive-requests: 10000
- log-format-escape-json: true
- log-format-upstream: |
- {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
- proxy-body-size: 0
- proxy-buffer-size: 16k
- ssl-early-data: true
- ssl-protocols: TLSv1.3 TLSv1.2
- extraArgs:
- default-ssl-certificate: cert-manager/ktwo-io-tls
- publish-status-address: internal.ktwo.io
- ingressClass: internal
- ingressClassResource:
- controllerValue: k8s.io/internal
- default: true
- name: internal
- metrics:
- enabled: true
- serviceMonitor:
- enabled: true
- namespace: networking
- namespaceSelector:
- any: true
- publishService:
- enabled: false
- replicaCount: 2
- resources:
- limits:
- memory: 512Mi
- requests:
- cpu: 100m
- service:
- annotations:
- external-dns.alpha.kubernetes.io/hostname: internal.ktwo.io
- lbipam.cilium.io/ips: 192.168.20.81, ::ffff:c0a8:1451
- terminationGracePeriodSeconds: 120
- defaultBackend:
- enabled: false
- fullnameOverride: nginx-internal
-
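Review bot: several hardening settings of the deleted controller have no visible counterpart on the new Gateway: `force-ssl-redirect: true`, `hsts-max-age: 31449600`, `hide-headers: Server,X-Powered-By` and `ssl-protocols: TLSv1.3 TLSv1.2`. The Gateway keeps a plain `HTTP` listener on port 80, so without an HTTPRoute on the `http` listener carrying a `RequestRedirect` filter to `https`, plain-HTTP requests to `*.ktwo.io` are no longer upgraded; HSTS and response-header stripping would need `ResponseHeaderModifier` filters or a CiliumEnvoyConfig. On the plus side, `allow-snippet-annotations: true` together with `annotations-risk-level: Critical` disappears, which removes a well-known route to arbitrary nginx configuration via annotations. The JSON `log-format-upstream` access log also goes away; check that Envoy's access log still covers whatever the dashboards or SIEM consumed from it.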
--- kubernetes/apps/home/zigbee2mqtt/app Kustomization: home/zigbee2mqtt HelmRelease: home/zigbee2mqtt
+++ kubernetes/apps/home/zigbee2mqtt/app Kustomization: home/zigbee2mqtt HelmRelease: home/zigbee2mqtt
@@ -84,35 +84,32 @@
securityContext:
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- ingress:
- app:
- className: internal
- hosts:
- - host: '{{ .Release.Name }}.ktwo.io'
- paths:
- - path: /
- service:
- identifier: app
- port: http
- - host: zigbee.ktwo.io
- paths:
- - path: /
- service:
- identifier: app
- port: http
persistence:
config:
existingClaim: zigbee2mqtt
config-logs:
globalMounts:
- path: /config/log
type: emptyDir
+ route:
+ app:
+ hostnames:
+ - '{{ .Release.Name }}.ktwo.io'
+ - zigbee.ktwo.io
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: zigbee2mqtt
+ port: 8080
service:
app:
controller: zigbee2mqtt
ports:
http:
port: 8080
--- kubernetes/apps/media/autobrr/app Kustomization: media/autobrr HelmRelease: media/autobrr
+++ kubernetes/apps/media/autobrr/app Kustomization: media/autobrr HelmRelease: media/autobrr
@@ -88,25 +88,27 @@
tag: 17
defaultPodOptions:
securityContext:
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
- ingress:
- app:
- className: internal
- hosts:
- - host: '{{ .Release.Name }}.ktwo.io'
- paths:
- - path: /
- service:
- identifier: app
- port: http
persistence:
tmp:
type: emptyDir
+ route:
+ app:
+ hostnames:
+ - '{{ .Release.Name }}.ktwo.io'
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: autobrr
+ port: 7474
service:
app:
controller: autobrr
ports:
http:
port: 7474
--- kubernetes/apps/media/radarr/app Kustomization: media/radarr HelmRelease: media/radarr
+++ kubernetes/apps/media/radarr/app Kustomization: media/radarr HelmRelease: media/radarr
@@ -92,22 +92,12 @@
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
supplementalGroups:
- 65536
- ingress:
- app:
- className: internal
- hosts:
- - host: '{{ .Release.Name }}.ktwo.io'
- paths:
- - path: /
- service:
- identifier: app
- port: http
persistence:
config:
existingClaim: radarr
config-logs:
globalMounts:
- path: /config/logs
@@ -115,12 +105,24 @@
media:
path: /volume1/media
server: nas.internal
type: nfs
tmp:
type: emptyDir
+ route:
+ app:
+ hostnames:
+ - '{{ .Release.Name }}.ktwo.io'
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: radarr
+ port: 7878
service:
app:
controller: radarr
ports:
http:
port: 7878
--- kubernetes/apps/media/sonarr/app Kustomization: media/sonarr HelmRelease: media/sonarr
+++ kubernetes/apps/media/sonarr/app Kustomization: media/sonarr HelmRelease: media/sonarr
@@ -92,22 +92,12 @@
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
supplementalGroups:
- 65536
- ingress:
- app:
- className: internal
- hosts:
- - host: '{{ .Release.Name }}.ktwo.io'
- paths:
- - path: /
- service:
- identifier: app
- port: http
persistence:
config:
existingClaim: sonarr
config-logs:
globalMounts:
- path: /config/logs
@@ -115,12 +105,24 @@
media:
path: /volume1/media
server: nas.internal
type: nfs
tmp:
type: emptyDir
+ route:
+ app:
+ hostnames:
+ - '{{ .Release.Name }}.ktwo.io'
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: sonarr
+ port: 8989
service:
app:
controller: sonarr
ports:
http:
port: 8989
--- kubernetes/apps/kube-system/cilium/ingress Kustomization: kube-system/cilium-ingress Gateway: kube-system/internal
+++ kubernetes/apps/kube-system/cilium/ingress Kustomization: kube-system/cilium-ingress Gateway: kube-system/internal
@@ -0,0 +1,45 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: internal.ktwo.io
+ labels:
+ app.kubernetes.io/name: cilium-ingress
+ kustomize.toolkit.fluxcd.io/name: cilium-ingress
+ kustomize.toolkit.fluxcd.io/namespace: kube-system
+ name: internal
+ namespace: kube-system
+spec:
+ addresses:
+ - type: IPAddress
+ value: 192.168.20.81
+ - type: IPAddress
+ value: ::ffff:c0a8:1451
+ - type: Hostname
+ value: internal.ktwo.io
+ gatewayClassName: cilium
+ infrastructure:
+ annotations:
+ lbipam.cilium.io/ips: 192.168.20.81, ::ffff:c0a8:1451
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ hostname: '*.ktwo.io'
+ name: http
+ port: 80
+ protocol: HTTP
+ - allowedRoutes:
+ namespaces:
+ from: All
+ hostname: '*.ktwo.io'
+ name: https
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - kind: Secret
+ name: ktwo-io-tls
+ namespace: cert-manager
+ |
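Review bot: `certificateRefs` points at `ktwo-io-tls` in `cert-manager` from a Gateway in `kube-system`, a cross-namespace reference; Gateway API requires a `ReferenceGrant` in `cert-manager` (from `Gateway` in `gateway.networking.k8s.io`, namespace `kube-system`, to `Secret`) or the `https` listener is rejected with `RefNotPermitted`. None appears in the part of the diff shown, so add it under `kubernetes/apps/kube-system/cilium/ingress` or confirm it already exists. Two smaller points: both listeners use `allowedRoutes.namespaces.from: All`, so any namespace can attach a route for `*.ktwo.io` (the same blast radius as the old cluster-wide default IngressClass, but `from: Selector` is available if you want to narrow it); and the `external-dns.alpha.kubernetes.io/hostname: internal.ktwo.io` annotation sits on the Gateway's own metadata rather than under `infrastructure.annotations`, so it is not propagated to the generated Service the way `lbipam.cilium.io/ips` is. With external-dns sources now `gateway-httproute` and `service`, verify that the `internal.ktwo.io` record, previously produced by the nginx Service annotation, is still created.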
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config
@@ -13,15 +13,26 @@
debug: 'false'
debug-verbose: ''
enable-policy: default
policy-cidr-match-mode: ''
prometheus-serve-addr: :9962
controller-group-metrics: write-cni-file sync-host-ips sync-lb-maps-with-k8s-services
- proxy-prometheus-port: '9964'
operator-prometheus-serve-addr: :9963
enable-metrics: 'true'
+ enable-envoy-config: 'true'
+ envoy-config-retry-interval: 15s
+ enable-gateway-api: 'true'
+ enable-gateway-api-secrets-sync: 'true'
+ enable-gateway-api-proxy-protocol: 'false'
+ enable-gateway-api-app-protocol: 'true'
+ enable-gateway-api-alpn: 'true'
+ gateway-api-xff-num-trusted-hops: '0'
+ gateway-api-service-externaltrafficpolicy: Cluster
+ gateway-api-secrets-namespace: cilium-secrets
+ gateway-api-hostnetwork-enabled: 'false'
+ gateway-api-hostnetwork-nodelabelselector: ''
enable-policy-secrets-sync: 'true'
policy-secrets-only-from-secrets-namespace: 'true'
policy-secrets-namespace: cilium-secrets
enable-ipv4: 'true'
enable-ipv6: 'false'
custom-cni-conf: 'false'
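Review bot: `gateway-api-xff-num-trusted-hops: '0'` is the right value for a gateway that is the first hop from the client: Envoy then uses the peer address and does not trust a client-supplied `X-Forwarded-For`, which keeps source IPs in access logs and any IP-based policy honest. Leave it at 0 unless a trusted proxy is placed in front of the Gateway. Note that `gateway-api-service-externaltrafficpolicy: Cluster` means client-IP preservation relies on Cilium's DSR load-balancer path rather than on `Local`; if logged source IPs turn out to be node addresses, that is the knob to revisit. `enable-gateway-api-secrets-sync: 'true'` with `gateway-api-secrets-namespace: cilium-secrets` is the pair of settings that copies Gateway TLS Secrets into `cilium-secrets`, so that namespace needs restrictive RBAC.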
@@ -137,13 +148,13 @@
proxy-initial-fetch-timeout: '30'
proxy-max-requests-per-connection: '0'
proxy-max-connection-duration-seconds: '0'
proxy-idle-timeout-seconds: '60'
proxy-max-concurrent-retries: '128'
http-retry-count: '3'
- external-envoy-proxy: 'false'
+ external-envoy-proxy: 'true'
envoy-base-id: '0'
envoy-access-log-buffer-size: '4096'
envoy-keep-cap-netbindservice: 'false'
max-connected-clusters: '255'
clustermesh-enable-endpoint-sync: 'false'
clustermesh-enable-mcs-api: 'false'
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator
+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator
@@ -67,12 +67,16 @@
- services
- endpoints
verbs:
- get
- list
- watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies
- ciliumclusterwidenetworkpolicies
verbs:
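Review bot: this grants `cilium-operator` `create`/`update`/`delete`/`patch` on `services` and `endpoints` cluster-wide (the resource list directly above the verbs). It is needed so the operator can materialise the LoadBalancer Service behind each Gateway, but it also means the operator's ServiceAccount token can now rewrite any Service in the cluster, which moves that SA firmly into the high-value tier. Worth an audit-log alert on Service writes by `system:serviceaccount:kube-system:cilium-operator` in namespaces other than `kube-system`.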
@@ -214,7 +218,40 @@
resources:
- leases
verbs:
- create
- get
- update
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gatewayclasses
+ - gateways
+ - tlsroutes
+ - httproutes
+ - grpcroutes
+ - referencegrants
+ - referencepolicies
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gatewayclasses/status
+ - gateways/status
+ - httproutes/status
+ - grpcroutes/status
+ - tlsroutes/status
+ verbs:
+ - update
+ - patch
+- apiGroups:
+ - multicluster.x-k8s.io
+ resources:
+ - serviceimports
+ verbs:
+ - get
+ - list
+ - watch
--- HelmRelease: kube-system/cilium Service: kube-system/cilium-agent
+++ HelmRelease: kube-system/cilium Service: kube-system/cilium-agent
@@ -15,11 +15,7 @@
k8s-app: cilium
ports:
- name: metrics
port: 9962
protocol: TCP
targetPort: prometheus
- - name: envoy-metrics
- port: 9964
- protocol: TCP
- targetPort: envoy-metrics
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium
+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium
@@ -16,13 +16,13 @@
rollingUpdate:
maxUnavailable: 2
type: RollingUpdate
template:
metadata:
annotations:
- cilium.io/cilium-configmap-checksum: f2a167ef83cff46d0df2b83ac3d04fcb23c13d6d0ed53efb3a42005d337fd8f4
+ cilium.io/cilium-configmap-checksum: 58495bf60150df9bc369c64c3070777892db955fe15ac897e8f0ff3b4f30e6d6
labels:
k8s-app: cilium
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
spec:
securityContext:
@@ -133,20 +133,12 @@
hostPort: 4244
protocol: TCP
- name: prometheus
containerPort: 9962
hostPort: 9962
protocol: TCP
- - name: envoy-metrics
- containerPort: 9964
- hostPort: 9964
- protocol: TCP
- - name: envoy-admin
- containerPort: 9901
- hostPort: 9901
- protocol: TCP
securityContext:
seLinuxOptions:
level: s0
type: spc_t
capabilities:
add:
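Review bot: dropping the `envoy-admin` host port 9901 (and `envoy-metrics` 9964) from the agent is a real hardening win: with the external Envoy the admin interface is reached over the unix socket `/var/run/cilium/envoy/sockets/admin.sock` (see `bootstrap-config.json` at the end of the diff) instead of a port bound on every node. Update any node firewall rules or monitoring keyed on 9901/9964, and make sure Envoy metrics have a new scrape target, since the `envoy-metrics` port is removed from the `cilium-agent` Service in this PR as well.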
@@ -164,12 +156,15 @@
- SETGID
- SETUID
drop:
- ALL
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
+ - name: envoy-sockets
+ mountPath: /var/run/cilium/envoy/sockets
+ readOnly: false
- mountPath: /host/proc/sys/net
name: host-proc-sys-net
- mountPath: /host/proc/sys/kernel
name: host-proc-sys-kernel
- name: bpf-maps
mountPath: /sys/fs/bpf
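Review bot: `envoy-sockets` is a read-write `hostPath` (declared `DirectoryOrCreate` in the volumes hunk below), so the proxy's xDS and admin sockets now live on the node filesystem under `/var/run/cilium/envoy/sockets` and their protection is that directory's ownership and mode on the host rather than Kubernetes RBAC. `readOnly: false` is unavoidable because the agent creates the sockets; add the directory to the node-hardening checklist so its permissions are verified alongside `/sys/fs/bpf` and `/run/xtables.lock`.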
@@ -417,12 +412,16 @@
hostPath:
path: /lib/modules
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
+ - name: envoy-sockets
+ hostPath:
+ path: /var/run/cilium/envoy/sockets
+ type: DirectoryOrCreate
- name: clustermesh-secrets
projected:
defaultMode: 256
sources:
- secret:
name: cilium-clustermesh
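Review bot: the `envoy-sockets` hostPath uses `type: DirectoryOrCreate`, so the kubelet creates `/var/run/cilium/envoy/sockets` with default permissions on first use and both the agent and the new cilium-envoy pod mount it read-write; because the Envoy admin socket is placed in that directory, any host process that can open that path can reach the admin interface, so the node filesystem permissions on it are now part of the trust boundary, not just the removed hostPort.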
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator
+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator
@@ -20,13 +20,13 @@
maxSurge: 25%
maxUnavailable: 50%
type: RollingUpdate
template:
metadata:
annotations:
- cilium.io/cilium-configmap-checksum: f2a167ef83cff46d0df2b83ac3d04fcb23c13d6d0ed53efb3a42005d337fd8f4
+ cilium.io/cilium-configmap-checksum: 58495bf60150df9bc369c64c3070777892db955fe15ac897e8f0ff3b4f30e6d6
labels:
io.cilium/app: operator
name: cilium-operator
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-operator
spec:
--- HelmRelease: kube-system/cilium Namespace: kube-system/cilium-secrets
+++ HelmRelease: kube-system/cilium Namespace: kube-system/cilium-secrets
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+
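Review bot: this namespace becomes the single place where Gateway listener TLS material is held for the agents (the operator Role added below is the only writer, the agent Role the only reader), so it deserves the same RBAC and admission restrictions as kube-system; anyone with secret read access in `cilium-secrets` holds every Gateway certificate at once.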
--- HelmRelease: kube-system/cilium ServiceAccount: kube-system/cilium-envoy
+++ HelmRelease: kube-system/cilium ServiceAccount: kube-system/cilium-envoy
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cilium-envoy
+ namespace: kube-system
+
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cilium-envoy-config
+ namespace: kube-system
+data:
+ bootstrap-config.json: |
+ {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.Ups
treamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http
2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"matc
h":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-health-listener"}]}}
+
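Review bot: the bootstrap binds the Prometheus metrics listener on `0.0.0.0:9964`, and since the cilium-envoy DaemonSet runs with `hostNetwork: true` that listener is reachable on every node address, not only the pod network; it routes just `/metrics` (rewritten to `/stats/prometheus` on the admin cluster) and the health listener stays on `127.0.0.1:9878`, but 9964 still warrants a node firewall or CiliumNetworkPolicy rule limiting it to the scraper. Note also that `internalAddressConfig.cidrRanges` treats all RFC1918 space as internal when Envoy sanitizes `x-envoy-*` headers, which is fine on a private LAN but should be revisited if this gateway ever fronts traffic from outside those ranges.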
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-gateway-secrets
+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-gateway-secrets
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-gateway-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-gateway-secrets
+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-gateway-secrets
@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-operator-gateway-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - update
+ - patch
+
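Review bot: the operator Role gets create/delete/update/patch on secrets in `cilium-secrets` with no get/list/watch, while the agent Role gets only get/list/watch; that writer/reader split is a sound least-privilege shape, with the caveat that `delete` plus `patch` here lets a compromised operator token swap the certificate every agent serves, so the operator pod's own hardening matters as much as this Role.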
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-gateway-secrets
+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-gateway-secrets
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-gateway-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-gateway-secrets
+subjects:
+- kind: ServiceAccount
+ name: cilium
+ namespace: kube-system
+
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-gateway-secrets
+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-gateway-secrets
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-operator-gateway-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-operator-gateway-secrets
+subjects:
+- kind: ServiceAccount
+ name: cilium-operator
+ namespace: kube-system
+
--- HelmRelease: kube-system/cilium Service: kube-system/cilium-envoy
+++ HelmRelease: kube-system/cilium Service: kube-system/cilium-envoy
@@ -0,0 +1,25 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: cilium-envoy
+ namespace: kube-system
+ annotations:
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '9964'
+ labels:
+ k8s-app: cilium-envoy
+ app.kubernetes.io/name: cilium-envoy
+ app.kubernetes.io/part-of: cilium
+ io.cilium/app: proxy
+spec:
+ clusterIP: None
+ type: ClusterIP
+ selector:
+ k8s-app: cilium-envoy
+ ports:
+ - name: envoy-metrics
+ port: 9964
+ protocol: TCP
+ targetPort: envoy-metrics
+
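Review bot: the new cilium-envoy Service relies on the `prometheus.io/scrape` and `prometheus.io/port` annotations; if this cluster discovers targets through ServiceMonitor/PodMonitor objects rather than annotation-based scraping, those annotations are inert and a monitor selecting `k8s-app: cilium-envoy` on port `envoy-metrics` is needed to replace the port that this PR removes from the cilium-agent Service.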
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy
+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy
@@ -0,0 +1,168 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: cilium-envoy
+ namespace: kube-system
+ labels:
+ k8s-app: cilium-envoy
+ app.kubernetes.io/part-of: cilium
+ app.kubernetes.io/name: cilium-envoy
+ name: cilium-envoy
+spec:
+ selector:
+ matchLabels:
+ k8s-app: cilium-envoy
+ updateStrategy:
+ rollingUpdate:
+ maxUnavailable: 2
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations: null
+ labels:
+ k8s-app: cilium-envoy
+ name: cilium-envoy
+ app.kubernetes.io/name: cilium-envoy
+ app.kubernetes.io/part-of: cilium
+ spec:
+ securityContext:
+ appArmorProfile:
+ type: Unconfined
+ containers:
+ - name: cilium-envoy
+ image: quay.io/cilium/cilium-envoy:v1.31.5-1739264036-958bef243c6c66fcfd73ca319f2eb49fff1eb2ae@sha256:fc708bd36973d306412b2e50c924cd8333de67e0167802c9b48506f9d772f521
+ imagePullPolicy: IfNotPresent
+ command:
+ - /usr/bin/cilium-envoy-starter
+ args:
+ - --
+ - -c /var/run/cilium/envoy/bootstrap-config.json
+ - --base-id 0
+ - --log-level info
+ startupProbe:
+ httpGet:
+ host: 127.0.0.1
+ path: /healthz
+ port: 9878
+ scheme: HTTP
+ failureThreshold: 105
+ periodSeconds: 2
+ successThreshold: 1
+ initialDelaySeconds: 5
+ livenessProbe:
+ httpGet:
+ host: 127.0.0.1
+ path: /healthz
+ port: 9878
+ scheme: HTTP
+ periodSeconds: 30
+ successThreshold: 1
+ failureThreshold: 10
+ timeoutSeconds: 5
+ readinessProbe:
+ httpGet:
+ host: 127.0.0.1
+ path: /healthz
+ port: 9878
+ scheme: HTTP
+ periodSeconds: 30
+ successThreshold: 1
+ failureThreshold: 3
+ timeoutSeconds: 5
+ env:
+ - name: K8S_NODE_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ - name: CILIUM_K8S_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: KUBERNETES_SERVICE_HOST
+ value: 127.0.0.1
+ - name: KUBERNETES_SERVICE_PORT
+ value: '7445'
+ ports:
+ - name: envoy-metrics
+ containerPort: 9964
+ hostPort: 9964
+ protocol: TCP
+ securityContext:
+ seLinuxOptions:
+ level: s0
+ type: spc_t
+ capabilities:
+ add:
+ - NET_ADMIN
+ - SYS_ADMIN
+ drop:
+ - ALL
+ terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - name: envoy-sockets
+ mountPath: /var/run/cilium/envoy/sockets
+ readOnly: false
+ - name: envoy-artifacts
+ mountPath: /var/run/cilium/envoy/artifacts
+ readOnly: true
+ - name: envoy-config
+ mountPath: /var/run/cilium/envoy/
+ readOnly: true
+ - name: bpf-maps
+ mountPath: /sys/fs/bpf
+ mountPropagation: HostToContainer
+ restartPolicy: Always
+ priorityClassName: system-node-critical
+ serviceAccountName: cilium-envoy
+ automountServiceAccountToken: true
+ terminationGracePeriodSeconds: 1
+ hostNetwork: true
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: cilium.io/no-schedule
+ operator: NotIn
+ values:
+ - 'true'
+ podAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ k8s-app: cilium
+ topologyKey: kubernetes.io/hostname
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ k8s-app: cilium-envoy
+ topologyKey: kubernetes.io/hostname
+ nodeSelector:
+ kubernetes.io/os: linux
+ tolerations:
+ - operator: Exists
+ volumes:
+ - name: envoy-sockets
+ hostPath:
+ path: /var/run/cilium/envoy/sockets
+ type: DirectoryOrCreate
+ - name: envoy-artifacts
+ hostPath:
+ path: /var/run/cilium/envoy/artifacts
+ type: DirectoryOrCreate
+ - name: envoy-config
+ configMap:
+ name: cilium-envoy-config
+ defaultMode: 256
+ items:
+ - key: bootstrap-config.json
+ path: bootstrap-config.json
+ - name: bpf-maps
+ hostPath:
+ path: /sys/fs/bpf
+ type: DirectoryOrCreate
+
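Review bot: `automountServiceAccountToken: true` is set on the cilium-envoy pod although no Role or ClusterRole binding for the `cilium-envoy` ServiceAccount appears anywhere in this diff; the proxy talks to the agent over the xDS unix socket, so unless the chart needs the token for something not shown here, set it to `false` rather than hand an unused API credential to a `hostNetwork` pod that runs with `NET_ADMIN`, `SYS_ADMIN`, `spc_t` and an `Unconfined` AppArmor profile. The `annotations: null` on the pod template is harmless but looks like a templating leftover.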
--- HelmRelease: media/bazarr Ingress: media/bazarr
+++ HelmRelease: media/bazarr Ingress: media/bazarr
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: bazarr
- labels:
- app.kubernetes.io/instance: bazarr
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: bazarr
- namespace: media
-spec:
- ingressClassName: internal
- rules:
- - host: bazarr.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: bazarr
- port:
- number: 6767
-
--- HelmRelease: media/bazarr HTTPRoute: media/bazarr-app
+++ HelmRelease: media/bazarr HTTPRoute: media/bazarr-app
@@ -0,0 +1,28 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: bazarr-app
+ labels:
+ app.kubernetes.io/instance: bazarr
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: bazarr
+ namespace: media
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - bazarr.ktwo.io
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: bazarr
+ namespace: media
+ port: 6767
+ weight: 1
+
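Review bot: this HTTPRoute attaches cross-namespace (a `media` route to the `internal` Gateway in `kube-system`), which only succeeds if that Gateway's `https` listener has `allowedRoutes.namespaces.from` set to `All` or a selector matching `media`; the Gateway itself is not in this diff, so please confirm, otherwise the route is rejected and `bazarr.ktwo.io` becomes unreachable. The rule carries no `matches`, which the Gateway API defaults to a `PathPrefix` of `/`, equivalent to the removed Ingress path; both points apply equally to every app-template route that follows (zigbee2mqtt, home-assistant, autobrr, sabnzbd, karma, radarr, qbittorrent, sonarr, atuin, go2rtc, prowlarr).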
--- HelmRelease: home/zigbee2mqtt Ingress: home/zigbee2mqtt
+++ HelmRelease: home/zigbee2mqtt Ingress: home/zigbee2mqtt
@@ -1,34 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: zigbee2mqtt
- labels:
- app.kubernetes.io/instance: zigbee2mqtt
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: zigbee2mqtt
- namespace: home
-spec:
- ingressClassName: internal
- rules:
- - host: zigbee2mqtt.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: zigbee2mqtt
- port:
- number: 8080
- - host: zigbee.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: zigbee2mqtt
- port:
- number: 8080
-
--- HelmRelease: home/zigbee2mqtt HTTPRoute: home/zigbee2mqtt-app
+++ HelmRelease: home/zigbee2mqtt HTTPRoute: home/zigbee2mqtt-app
@@ -0,0 +1,29 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: zigbee2mqtt-app
+ labels:
+ app.kubernetes.io/instance: zigbee2mqtt
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: zigbee2mqtt
+ namespace: home
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - zigbee2mqtt.ktwo.io
+ - zigbee.ktwo.io
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: zigbee2mqtt
+ namespace: home
+ port: 8080
+ weight: 1
+
--- HelmRelease: home/home-assistant Ingress: home/home-assistant
+++ HelmRelease: home/home-assistant Ingress: home/home-assistant
@@ -1,34 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: home-assistant
- labels:
- app.kubernetes.io/instance: home-assistant
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: home-assistant
- namespace: home
-spec:
- ingressClassName: internal
- rules:
- - host: home-assistant.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: home-assistant
- port:
- number: 8123
- - host: hass.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: home-assistant
- port:
- number: 8123
-
--- HelmRelease: home/home-assistant HTTPRoute: home/home-assistant-app
+++ HelmRelease: home/home-assistant HTTPRoute: home/home-assistant-app
@@ -0,0 +1,29 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: home-assistant-app
+ labels:
+ app.kubernetes.io/instance: home-assistant
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: home-assistant
+ namespace: home
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - home-assistant.ktwo.io
+ - hass.ktwo.io
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: home-assistant
+ namespace: home
+ port: 8123
+ weight: 1
+
--- HelmRelease: media/autobrr Ingress: media/autobrr
+++ HelmRelease: media/autobrr Ingress: media/autobrr
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: autobrr
- labels:
- app.kubernetes.io/instance: autobrr
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: autobrr
- namespace: media
-spec:
- ingressClassName: internal
- rules:
- - host: autobrr.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: autobrr
- port:
- number: 7474
-
--- HelmRelease: media/autobrr HTTPRoute: media/autobrr-app
+++ HelmRelease: media/autobrr HTTPRoute: media/autobrr-app
@@ -0,0 +1,28 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: autobrr-app
+ labels:
+ app.kubernetes.io/instance: autobrr
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: autobrr
+ namespace: media
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - autobrr.ktwo.io
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: autobrr
+ namespace: media
+ port: 7474
+ weight: 1
+
--- HelmRelease: media/sabnzbd Ingress: media/sabnzbd
+++ HelmRelease: media/sabnzbd Ingress: media/sabnzbd
@@ -1,34 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: sabnzbd
- labels:
- app.kubernetes.io/instance: sabnzbd
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: sabnzbd
- namespace: media
-spec:
- ingressClassName: internal
- rules:
- - host: sabnzbd.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: sabnzbd
- port:
- number: 8080
- - host: sab.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: sabnzbd
- port:
- number: 8080
-
--- HelmRelease: media/sabnzbd HTTPRoute: media/sabnzbd-app
+++ HelmRelease: media/sabnzbd HTTPRoute: media/sabnzbd-app
@@ -0,0 +1,29 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: sabnzbd-app
+ labels:
+ app.kubernetes.io/instance: sabnzbd
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: sabnzbd
+ namespace: media
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - sabnzbd.ktwo.io
+ - sab.ktwo.io
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: sabnzbd
+ namespace: media
+ port: 8080
+ weight: 1
+
--- HelmRelease: monitoring/karma Ingress: monitoring/karma
+++ HelmRelease: monitoring/karma Ingress: monitoring/karma
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: karma
- labels:
- app.kubernetes.io/instance: karma
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: karma
- namespace: monitoring
-spec:
- ingressClassName: internal
- rules:
- - host: karma.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: karma
- port:
- number: 8080
-
--- HelmRelease: monitoring/karma HTTPRoute: monitoring/karma-app
+++ HelmRelease: monitoring/karma HTTPRoute: monitoring/karma-app
@@ -0,0 +1,28 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: karma-app
+ labels:
+ app.kubernetes.io/instance: karma
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: karma
+ namespace: monitoring
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - karma.ktwo.io
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: karma
+ namespace: monitoring
+ port: 8080
+ weight: 1
+
--- HelmRelease: media/radarr Ingress: media/radarr
+++ HelmRelease: media/radarr Ingress: media/radarr
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: radarr
- labels:
- app.kubernetes.io/instance: radarr
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: radarr
- namespace: media
-spec:
- ingressClassName: internal
- rules:
- - host: radarr.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: radarr
- port:
- number: 7878
-
--- HelmRelease: media/radarr HTTPRoute: media/radarr-app
+++ HelmRelease: media/radarr HTTPRoute: media/radarr-app
@@ -0,0 +1,28 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: radarr-app
+ labels:
+ app.kubernetes.io/instance: radarr
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: radarr
+ namespace: media
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - radarr.ktwo.io
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: radarr
+ namespace: media
+ port: 7878
+ weight: 1
+
--- HelmRelease: media/qbittorrent Ingress: media/qbittorrent
+++ HelmRelease: media/qbittorrent Ingress: media/qbittorrent
@@ -1,34 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: qbittorrent
- labels:
- app.kubernetes.io/instance: qbittorrent
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: qbittorrent
- namespace: media
-spec:
- ingressClassName: internal
- rules:
- - host: qbittorrent.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: qbittorrent
- port:
- number: 8080
- - host: qb.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: qbittorrent
- port:
- number: 8080
-
--- HelmRelease: media/qbittorrent HTTPRoute: media/qbittorrent-app
+++ HelmRelease: media/qbittorrent HTTPRoute: media/qbittorrent-app
@@ -0,0 +1,29 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: qbittorrent-app
+ labels:
+ app.kubernetes.io/instance: qbittorrent
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: qbittorrent
+ namespace: media
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - qbittorrent.ktwo.io
+ - qb.ktwo.io
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: qbittorrent
+ namespace: media
+ port: 8080
+ weight: 1
+
--- HelmRelease: media/sonarr Ingress: media/sonarr
+++ HelmRelease: media/sonarr Ingress: media/sonarr
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: sonarr
- labels:
- app.kubernetes.io/instance: sonarr
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: sonarr
- namespace: media
-spec:
- ingressClassName: internal
- rules:
- - host: sonarr.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: sonarr
- port:
- number: 8989
-
--- HelmRelease: media/sonarr HTTPRoute: media/sonarr-app
+++ HelmRelease: media/sonarr HTTPRoute: media/sonarr-app
@@ -0,0 +1,28 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: sonarr-app
+ labels:
+ app.kubernetes.io/instance: sonarr
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: sonarr
+ namespace: media
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - sonarr.ktwo.io
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: sonarr
+ namespace: media
+ port: 8989
+ weight: 1
+
--- HelmRelease: external-secrets/onepassword Ingress: external-secrets/onepassword
+++ HelmRelease: external-secrets/onepassword Ingress: external-secrets/onepassword
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: onepassword
- labels:
- app.kubernetes.io/instance: onepassword
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: onepassword
- namespace: external-secrets
-spec:
- ingressClassName: internal
- rules:
- - host: onepassword.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: onepassword
- port:
- number: 80
-
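Review bot: the onepassword Ingress is deleted here but, unlike the other apps, no replacement HTTPRoute for `onepassword.ktwo.io` appears in this diff; if dropping the hostname for a secrets backend is intentional (less exposure is welcome there), a line in the PR description would help, otherwise the route is missing.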
--- HelmRelease: home/atuin Ingress: home/atuin
+++ HelmRelease: home/atuin Ingress: home/atuin
@@ -1,34 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: atuin
- labels:
- app.kubernetes.io/instance: atuin
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: atuin
- namespace: home
-spec:
- ingressClassName: internal
- rules:
- - host: atuin.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: atuin
- port:
- number: 8080
- - host: sh.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: atuin
- port:
- number: 8080
-
--- HelmRelease: home/atuin HTTPRoute: home/atuin-app
+++ HelmRelease: home/atuin HTTPRoute: home/atuin-app
@@ -0,0 +1,29 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: atuin-app
+ labels:
+ app.kubernetes.io/instance: atuin
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: atuin
+ namespace: home
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - atuin.ktwo.io
+ - sh.ktwo.io
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: atuin
+ namespace: home
+ port: 8080
+ weight: 1
+
--- HelmRelease: home/go2rtc Ingress: home/go2rtc
+++ HelmRelease: home/go2rtc Ingress: home/go2rtc
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: go2rtc
- labels:
- app.kubernetes.io/instance: go2rtc
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: go2rtc
- namespace: home
-spec:
- ingressClassName: internal
- rules:
- - host: go2rtc.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: go2rtc
- port:
- number: 80
-
--- HelmRelease: home/go2rtc HTTPRoute: home/go2rtc-app
+++ HelmRelease: home/go2rtc HTTPRoute: home/go2rtc-app
@@ -0,0 +1,28 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: go2rtc-app
+ labels:
+ app.kubernetes.io/instance: go2rtc
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: go2rtc
+ namespace: home
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - go2rtc.ktwo.io
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: go2rtc
+ namespace: home
+ port: 80
+ weight: 1
+
--- HelmRelease: media/prowlarr Ingress: media/prowlarr
+++ HelmRelease: media/prowlarr Ingress: media/prowlarr
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: prowlarr
- labels:
- app.kubernetes.io/instance: prowlarr
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: prowlarr
- namespace: media
-spec:
- ingressClassName: internal
- rules:
- - host: prowlarr.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: prowlarr
- port:
- number: 9696
-
--- HelmRelease: media/prowlarr HTTPRoute: media/prowlarr-app
+++ HelmRelease: media/prowlarr HTTPRoute: media/prowlarr-app
@@ -0,0 +1,28 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: prowlarr-app
+ labels:
+ app.kubernetes.io/instance: prowlarr
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: prowlarr
+ namespace: media
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - prowlarr.ktwo.io
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: prowlarr
+ namespace: media
+ port: 9696
+ weight: 1
+
--- HelmRelease: monitoring/blackbox-exporter Ingress: monitoring/blackbox-exporter
+++ HelmRelease: monitoring/blackbox-exporter Ingress: monitoring/blackbox-exporter
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: blackbox-exporter
- namespace: monitoring
- labels:
- app.kubernetes.io/name: prometheus-blackbox-exporter
- app.kubernetes.io/instance: blackbox-exporter
- app.kubernetes.io/managed-by: Helm
-spec:
- ingressClassName: internal
- rules:
- - host: blackbox-exporter.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: blackbox-exporter
- port:
- number: 9115
-
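Review bot: the blackbox-exporter Ingress for `blackbox-exporter.ktwo.io` is removed without an HTTPRoute added in this diff; confirm whether that UI is meant to go away or the route was missed.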
--- HelmRelease: networking/external-dns-unifi ClusterRole: networking/external-dns-unifi
+++ HelmRelease: networking/external-dns-unifi ClusterRole: networking/external-dns-unifi
@@ -30,15 +30,30 @@
- endpoints
verbs:
- get
- watch
- list
- apiGroups:
- - extensions
- - networking.k8s.io
+ - gateway.networking.k8s.io
resources:
- - ingresses
+ - gateways
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - ''
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - httproutes
verbs:
- get
- watch
- list
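Review bot: the ClusterRole drops `ingresses` under `extensions`/`networking.k8s.io` in favour of `gateways`, `namespaces` and `httproutes`, which matches the `--source` change, but any Ingress still present in the cluster (the nginx-internal controller objects at the tail of this diff suggest the ingress controller is not gone yet) becomes invisible to external-dns and its records are removed under `--policy=sync`; `grpcroutes`/`tlsroutes` are not granted, which is fine as long as `gateway-httproute` remains the only gateway source.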
--- HelmRelease: networking/external-dns-unifi Deployment: networking/external-dns-unifi
+++ HelmRelease: networking/external-dns-unifi Deployment: networking/external-dns-unifi
@@ -46,13 +46,13 @@
imagePullPolicy: IfNotPresent
args:
- --log-level=info
- --log-format=text
- --interval=1m
- --events
- - --source=ingress
+ - --source=gateway-httproute
- --source=service
- --policy=sync
- --registry=txt
- --txt-owner-id=k8s
- --txt-prefix=k8s.
- --domain-filter=ktwo.io
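Review bot: with `--source=gateway-httproute` external-dns takes each record's target from the parent Gateway's `status.addresses`, not from the route, so the `internal` Gateway must already publish an address in its status when this ships; if it does not, every `*.ktwo.io` name owned by the `k8s.` TXT registry is deleted under `--policy=sync` and nothing is recreated. Keeping `--source=ingress` alongside the new source for one rollout lets the records flip rather than flap.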
--- HelmRelease: rook-ceph/rook-ceph-cluster Ingress: rook-ceph/rook-ceph-dashboard
+++ HelmRelease: rook-ceph/rook-ceph-cluster Ingress: rook-ceph/rook-ceph-dashboard
@@ -1,20 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: rook-ceph-dashboard
- namespace: rook-ceph
-spec:
- rules:
- - host: rook.ktwo.io
- http:
- paths:
- - path: /
- backend:
- service:
- name: rook-ceph-mgr-dashboard
- port:
- name: http-dashboard
- pathType: Prefix
- ingressClassName: internal
-
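Review bot: same concern as the blackbox-exporter hunk: the `rook.ktwo.io` Ingress for `rook-ceph-mgr-dashboard` is removed and no HTTPRoute replaces it in this diff. If the Ceph dashboard should stay reachable, add an HTTPRoute on `internal`/`https` with backend `rook-ceph-mgr-dashboard` port `http-dashboard`; if the intent is to stop exposing the dashboard, that is a reasonable reduction of exposed surface, but it should be stated in the PR since the DNS record will disappear under the sync policy.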
--- HelmRelease: monitoring/grafana ConfigMap: monitoring/grafana
+++ HelmRelease: monitoring/grafana ConfigMap: monitoring/grafana
@@ -28,13 +28,13 @@
[paths]
data = /var/lib/grafana/
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[server]
- domain = grafana.ktwo.io
+ domain = ''
datasources.yaml: |
apiVersion: 1
datasources:
- access: proxy
jsonData:
implementation: prometheus
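Review bot: `domain = ''` is a regression, not a neutral side effect. Grafana's default `root_url` is `%(protocol)s://%(domain)s:%(http_port)s/`, so an empty domain yields a malformed public URL, which breaks OAuth/OIDC redirect URIs, links in notifications and invite mails, and cookie/redirect handling behind the proxy. The chart derives `[server] domain` from `ingress.hosts`, which is now empty; set `grafana.ini.server.domain: grafana.ktwo.io` (and ideally `root_url: https://grafana.ktwo.io/`) explicitly in the HelmRelease values so the move to HTTPRoute does not change what Grafana believes its origin is.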
--- HelmRelease: monitoring/grafana Ingress: monitoring/grafana
+++ HelmRelease: monitoring/grafana Ingress: monitoring/grafana
@@ -1,23 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: grafana
- namespace: monitoring
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
-spec:
- ingressClassName: internal
- rules:
- - host: grafana.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: grafana
- port:
- number: 80
-
--- HelmRelease: monitoring/grafana HTTPRoute: monitoring/grafana
+++ HelmRelease: monitoring/grafana HTTPRoute: monitoring/grafana
@@ -0,0 +1,26 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: grafana
+ namespace: monitoring
+ labels:
+ app: grafana-prometheus
+ app.kubernetes.io/name: grafana
+ app.kubernetes.io/instance: grafana
+spec:
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - grafana.ktwo.io
+ rules:
+ - backendRefs:
+ - name: grafana
+ port: 80
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
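Review bot: this route attaches from the `monitoring` namespace to listener `https` of Gateway `internal` in `kube-system`, so it is only Accepted if that listener's `allowedRoutes.namespaces` admits `monitoring` (`from: All` or a matching selector); a route rejected there fails closed and silently, so check `kubectl get httproute -n monitoring grafana -o jsonpath='{.status.parents}'` after deploy. Routing is otherwise equivalent to the removed Ingress: `PathPrefix /` matches the old `pathType: Prefix`, and `backendRefs` default to the route's own namespace, so `grafana:80` is the same target. The new `app: grafana-prometheus` label did not exist on the Ingress; harmless, but confirm it is intentional.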
--- HelmRelease: networking/nginx-internal PodDisruptionBudget: networking/nginx-internal-controller
+++ HelmRelease: networking/nginx-internal PodDisruptionBudget: networking/nginx-internal-controller
@@ -1,20 +0,0 @@
----
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller
- namespace: networking
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
- minAvailable: 1
-
--- HelmRelease: networking/nginx-internal ServiceAccount: networking/nginx-internal
+++ HelmRelease: networking/nginx-internal ServiceAccount: networking/nginx-internal
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal
- namespace: networking
-automountServiceAccountToken: true
-
--- HelmRelease: networking/nginx-internal ConfigMap: networking/nginx-internal-controller
+++ HelmRelease: networking/nginx-internal ConfigMap: networking/nginx-internal-controller
@@ -1,34 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller
- namespace: networking
-data:
- allow-snippet-annotations: 'true'
- annotations-risk-level: Critical
- client-body-buffer-size: 100M
- client-body-timeout: '120'
- client-header-timeout: '120'
- enable-brotli: 'true'
- enable-ocsp: 'true'
- enable-real-ip: 'true'
- force-ssl-redirect: 'true'
- hide-headers: Server,X-Powered-By
- hsts-max-age: '3.14496e+07'
- keep-alive: '120'
- keep-alive-requests: '10000'
- log-format-escape-json: 'true'
- log-format-upstream: |
- {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent"}
- proxy-body-size: '0'
- proxy-buffer-size: 16k
- ssl-early-data: 'true'
- ssl-protocols: TLSv1.3 TLSv1.2
-
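Review bot: this ConfigMap carried the edge hardening for the whole internal entrypoint, and nothing in the Gateway API objects in this diff replaces it: `force-ssl-redirect`, `hsts-max-age`, `hide-headers: Server,X-Powered-By`, `ssl-protocols: TLSv1.3 TLSv1.2`, `enable-ocsp` and the JSON `log-format-upstream` used for access logging. Under Gateway API these live in different places: HTTP-to-HTTPS redirect is an HTTPRoute on the `http` listener with a `RequestRedirect` filter (`scheme: https`, `statusCode: 301`), HSTS and header stripping are per-route `ResponseHeaderModifier` filters (`add` Strict-Transport-Security, `remove` Server and X-Powered-By), and minimum TLS version and access-log format are settings of the Gateway implementation (Cilium's Envoy) rather than of any route. Confirm each has a home before merging, or the migration quietly weakens the edge. On the positive side, dropping `allow-snippet-annotations: 'true'` together with `annotations-risk-level: Critical` removes the ability of any Ingress author to inject raw nginx configuration, which is a genuine reduction of attack surface.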
--- HelmRelease: networking/nginx-internal ClusterRole: networking/nginx-internal
+++ HelmRelease: networking/nginx-internal ClusterRole: networking/nginx-internal
@@ -1,82 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- name: nginx-internal
-rules:
-- apiGroups:
- - ''
- resources:
- - configmaps
- - endpoints
- - nodes
- - pods
- - secrets
- - namespaces
- verbs:
- - list
- - watch
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - nodes
- verbs:
- - get
-- apiGroups:
- - ''
- resources:
- - services
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses/status
- verbs:
- - update
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingressclasses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - list
- - watch
- - get
-
--- HelmRelease: networking/nginx-internal ClusterRoleBinding: networking/nginx-internal
+++ HelmRelease: networking/nginx-internal ClusterRoleBinding: networking/nginx-internal
@@ -1,19 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- name: nginx-internal
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: nginx-internal
-subjects:
-- kind: ServiceAccount
- name: nginx-internal
- namespace: networking
-
--- HelmRelease: networking/nginx-internal Role: networking/nginx-internal
+++ HelmRelease: networking/nginx-internal Role: networking/nginx-internal
@@ -1,91 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal
- namespace: networking
-rules:
-- apiGroups:
- - ''
- resources:
- - namespaces
- verbs:
- - get
-- apiGroups:
- - ''
- resources:
- - configmaps
- - pods
- - secrets
- - endpoints
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - services
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses/status
- verbs:
- - update
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingressclasses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- resourceNames:
- - nginx-internal-leader
- verbs:
- - get
- - update
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - create
-- apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - list
- - watch
- - get
-
--- HelmRelease: networking/nginx-internal RoleBinding: networking/nginx-internal
+++ HelmRelease: networking/nginx-internal RoleBinding: networking/nginx-internal
@@ -1,21 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal
- namespace: networking
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: nginx-internal
-subjects:
-- kind: ServiceAccount
- name: nginx-internal
- namespace: networking
-
--- HelmRelease: networking/nginx-internal Service: networking/nginx-internal-controller-metrics
+++ HelmRelease: networking/nginx-internal Service: networking/nginx-internal-controller-metrics
@@ -1,24 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller-metrics
- namespace: networking
-spec:
- type: ClusterIP
- ports:
- - name: metrics
- port: 10254
- protocol: TCP
- targetPort: metrics
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
-
--- HelmRelease: networking/nginx-internal Service: networking/nginx-internal-controller-admission
+++ HelmRelease: networking/nginx-internal Service: networking/nginx-internal-controller-admission
@@ -1,24 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller-admission
- namespace: networking
-spec:
- type: ClusterIP
- ports:
- - name: https-webhook
- port: 443
- targetPort: webhook
- appProtocol: https
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
-
--- HelmRelease: networking/nginx-internal Service: networking/nginx-internal-controller
+++ HelmRelease: networking/nginx-internal Service: networking/nginx-internal-controller
@@ -1,36 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- annotations:
- external-dns.alpha.kubernetes.io/hostname: internal.ktwo.io
- lbipam.cilium.io/ips: 192.168.20.81, ::ffff:c0a8:1451
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller
- namespace: networking
-spec:
- type: LoadBalancer
- ipFamilyPolicy: SingleStack
- ipFamilies:
- - IPv4
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: http
- appProtocol: http
- - name: https
- port: 443
- protocol: TCP
- targetPort: https
- appProtocol: https
- selector:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
-
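Review bot: this Service pinned the internal entrypoint to `192.168.20.81` via `lbipam.cilium.io/ips` and published `internal.ktwo.io` through `external-dns.alpha.kubernetes.io/hostname`; neither reappears on anything in this diff. The `internal` Gateway in `kube-system` must carry the equivalent (for example a fixed address via the Gateway's `spec.addresses` or the same `lbipam.cilium.io/ips` annotation on the Service Cilium generates for it), otherwise clients, firewall rules and any static DNS that reference `.81` break. The old Service was also `ipFamilyPolicy: SingleStack` IPv4 while the annotation listed an IPv4-mapped IPv6 address as well; decide explicitly which address families the Gateway should serve.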
--- HelmRelease: networking/nginx-internal Deployment: networking/nginx-internal-controller
+++ HelmRelease: networking/nginx-internal Deployment: networking/nginx-internal-controller
@@ -1,128 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: nginx-internal-controller
- namespace: networking
-spec:
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
- replicas: 2
- revisionHistoryLimit: 10
- minReadySeconds: 0
- template:
- metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- spec:
- dnsPolicy: ClusterFirst
- containers:
- - name: controller
- image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - /wait-shutdown
- args:
- - /nginx-ingress-controller
- - --election-id=nginx-internal-leader
- - --controller-class=k8s.io/internal
- - --ingress-class=internal
- - --configmap=$(POD_NAMESPACE)/nginx-internal-controller
- - --validating-webhook=:8443
- - --validating-webhook-certificate=/usr/local/certificates/cert
- - --validating-webhook-key=/usr/local/certificates/key
- - --enable-metrics=true
- - --default-ssl-certificate=cert-manager/ktwo-io-tls
- - --publish-status-address=internal.ktwo.io
- securityContext:
- runAsNonRoot: true
- runAsUser: 101
- runAsGroup: 82
- allowPrivilegeEscalation: false
- seccompProfile:
- type: RuntimeDefault
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- readOnlyRootFilesystem: false
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: LD_PRELOAD
- value: /usr/local/lib/libmimalloc.so
- livenessProbe:
- failureThreshold: 5
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- ports:
- - name: http
- containerPort: 80
- protocol: TCP
- - name: https
- containerPort: 443
- protocol: TCP
- - name: metrics
- containerPort: 10254
- protocol: TCP
- - name: webhook
- containerPort: 8443
- protocol: TCP
- volumeMounts:
- - name: webhook-cert
- mountPath: /usr/local/certificates/
- readOnly: true
- resources:
- limits:
- memory: 512Mi
- requests:
- cpu: 100m
- memory: 90Mi
- nodeSelector:
- kubernetes.io/os: linux
- serviceAccountName: nginx-internal
- terminationGracePeriodSeconds: 120
- volumes:
- - name: webhook-cert
- secret:
- secretName: nginx-internal-admission
-
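Review bot: two removed flags need a Gateway-side successor. `--default-ssl-certificate=cert-manager/ktwo-io-tls` was the default certificate for every host; the `https` listener on Gateway `internal` must reference the same secret via `tls.certificateRefs`, and because the secret lives in `cert-manager` while the Gateway is in `kube-system`, a `ReferenceGrant` in `cert-manager` allowing `Gateway` from `kube-system` to reference `Secret` is required or the listener never becomes Programmed. `--publish-status-address=internal.ktwo.io` also goes away: with `gateway-httproute` external-dns uses the Gateway's status address, so per-host CNAMEs to `internal.ktwo.io` become A records. The removed controller ran non-root with `drop: ALL` plus `NET_BIND_SERVICE` and a RuntimeDefault seccomp profile; verify the Cilium Envoy data plane that replaces it is deployed with at least equivalent restrictions.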
--- HelmRelease: networking/nginx-internal IngressClass: networking/internal
+++ HelmRelease: networking/nginx-internal IngressClass: networking/internal
@@ -1,16 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
- name: internal
- annotations:
- ingressclass.kubernetes.io/is-default-class: 'true'
-spec:
- controller: k8s.io/internal
-
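Review bot: removing the only `IngressClass`, and with it `ingressclass.kubernetes.io/is-default-class: 'true'`, means any `Ingress` that survives this migration (or is created later by a chart that still defaults to `ingress.enabled`) has no controller and sits unserved without any error. Before merging, run `kubectl get ingress -A` and confirm the list is empty, and consider an admission policy that rejects new `Ingress` objects so the gap surfaces at apply time rather than as a dead hostname.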
--- HelmRelease: networking/nginx-internal ServiceMonitor: networking/nginx-internal-controller
+++ HelmRelease: networking/nginx-internal ServiceMonitor: networking/nginx-internal-controller
@@ -1,24 +0,0 @@
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: nginx-internal-controller
- namespace: networking
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
-spec:
- namespaceSelector:
- any: true
- selector:
- matchLabels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/component: controller
- endpoints:
- - port: metrics
- interval: 30s
-
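Review bot: with the ServiceMonitor gone every `nginx_ingress_controller_*` series disappears, so any Grafana dashboard or PrometheusRule built on them (request rate, 4xx/5xx ratio, TLS handshake errors, upstream latency) goes blank or stops firing silently. Make sure the equivalent signal is scraped from the Cilium/Envoy side and that alert rules are rewritten against those metric names before the old ones vanish.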
--- HelmRelease: networking/nginx-internal ValidatingWebhookConfiguration: networking/nginx-internal-admission
+++ HelmRelease: networking/nginx-internal ValidatingWebhookConfiguration: networking/nginx-internal-admission
@@ -1,41 +0,0 @@
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- name: nginx-internal-admission
-webhooks:
-- name: validate.nginx.ingress.kubernetes.io
- matchPolicy: Equivalent
- rules:
- - apiGroups:
- - networking.k8s.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - ingresses
- failurePolicy: Fail
- sideEffects: None
- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: nginx-internal-controller-admission
- namespace: networking
- port: 443
- path: /networking/v1/ingresses
- objectSelector:
- matchExpressions:
- - key: ingress-class
- operator: In
- values:
- - internal
-
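Review bot: deleting the admission webhook (and the certgen Jobs and RBAC in the following hunks) is correct once the controller is gone, and it also retires a `failurePolicy: Fail` webhook on every `networking.k8s.io/v1` Ingress CREATE/UPDATE plus a ServiceAccount that could create and read `secrets` in `networking`. The one thing to watch is ordering during the rollout: if the `ValidatingWebhookConfiguration` outlives the `nginx-internal-controller-admission` Service, Ingress writes fail closed with `failed calling webhook` until it is removed. Uninstalling the HelmRelease as a unit, as this diff does, should avoid that, but check the events during the first reconcile.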
--- HelmRelease: networking/nginx-internal ServiceAccount: networking/nginx-internal-admission
+++ HelmRelease: networking/nginx-internal ServiceAccount: networking/nginx-internal-admission
@@ -1,17 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: nginx-internal-admission
- namespace: networking
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-automountServiceAccountToken: true
-
--- HelmRelease: networking/nginx-internal ClusterRole: networking/nginx-internal-admission
+++ HelmRelease: networking/nginx-internal ClusterRole: networking/nginx-internal-admission
@@ -1,23 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: nginx-internal-admission
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-rules:
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingwebhookconfigurations
- verbs:
- - get
- - update
-
--- HelmRelease: networking/nginx-internal ClusterRoleBinding: networking/nginx-internal-admission
+++ HelmRelease: networking/nginx-internal ClusterRoleBinding: networking/nginx-internal-admission
@@ -1,23 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: nginx-internal-admission
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: nginx-internal-admission
-subjects:
-- kind: ServiceAccount
- name: nginx-internal-admission
- namespace: networking
-
--- HelmRelease: networking/nginx-internal Role: networking/nginx-internal-admission
+++ HelmRelease: networking/nginx-internal Role: networking/nginx-internal-admission
@@ -1,24 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: nginx-internal-admission
- namespace: networking
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-rules:
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - get
- - create
-
--- HelmRelease: networking/nginx-internal RoleBinding: networking/nginx-internal-admission
+++ HelmRelease: networking/nginx-internal RoleBinding: networking/nginx-internal-admission
@@ -1,24 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: nginx-internal-admission
- namespace: networking
- annotations:
- helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: nginx-internal-admission
-subjects:
-- kind: ServiceAccount
- name: nginx-internal-admission
- namespace: networking
-
--- HelmRelease: networking/nginx-internal Job: networking/nginx-internal-admission-create
+++ HelmRelease: networking/nginx-internal Job: networking/nginx-internal-admission-create
@@ -1,56 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: nginx-internal-admission-create
- namespace: networking
- annotations:
- helm.sh/hook: pre-install,pre-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-spec:
- template:
- metadata:
- name: nginx-internal-admission-create
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- spec:
- containers:
- - name: create
- image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
- imagePullPolicy: IfNotPresent
- args:
- - create
- - --host=nginx-internal-controller-admission,nginx-internal-controller-admission.$(POD_NAMESPACE).svc
- - --namespace=$(POD_NAMESPACE)
- - --secret-name=nginx-internal-admission
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsGroup: 65532
- runAsNonRoot: true
- runAsUser: 65532
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
- serviceAccountName: nginx-internal-admission
- nodeSelector:
- kubernetes.io/os: linux
-
--- HelmRelease: networking/nginx-internal Job: networking/nginx-internal-admission-patch
+++ HelmRelease: networking/nginx-internal Job: networking/nginx-internal-admission-patch
@@ -1,58 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: nginx-internal-admission-patch
- namespace: networking
- annotations:
- helm.sh/hook: post-install,post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
-spec:
- template:
- metadata:
- name: nginx-internal-admission-patch
- labels:
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/instance: nginx-internal
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: admission-webhook
- spec:
- containers:
- - name: patch
- image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
- imagePullPolicy: IfNotPresent
- args:
- - patch
- - --webhook-name=nginx-internal-admission
- - --namespace=$(POD_NAMESPACE)
- - --patch-mutating=false
- - --secret-name=nginx-internal-admission
- - --patch-failure-policy=Fail
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsGroup: 65532
- runAsNonRoot: true
- runAsUser: 65532
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
- serviceAccountName: nginx-internal-admission
- nodeSelector:
- kubernetes.io/os: linux
-
--- HelmRelease: media/tautulli Ingress: media/tautulli
+++ HelmRelease: media/tautulli Ingress: media/tautulli
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: tautulli
- labels:
- app.kubernetes.io/instance: tautulli
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: tautulli
- namespace: media
-spec:
- ingressClassName: internal
- rules:
- - host: tautulli.ktwo.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: tautulli
- port:
- number: 8181
-
--- HelmRelease: media/tautulli HTTPRoute: media/tautulli-app
+++ HelmRelease: media/tautulli HTTPRoute: media/tautulli-app
@@ -0,0 +1,28 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: tautulli-app
+ labels:
+ app.kubernetes.io/instance: tautulli
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: tautulli
+ namespace: media
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - tautulli.ktwo.io
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: tautulli
+ namespace: media
+ port: 8181
+ weight: 1
+
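Review bot: this route uses `apiVersion: gateway.networking.k8s.io/v1alpha2` while the grafana, prometheus and alertmanager routes in this same diff use `gateway.networking.k8s.io/v1`. HTTPRoute graduated to `v1` and `v1alpha2` is deprecated, so this object will stop applying once the installed CRDs no longer serve that version; the tautulli chart's route template should emit `v1` (or the chart version should be bumped). The fully qualified `parentRefs`/`backendRefs` (`group`, `kind`, `namespace`, `weight: 1`) are equivalent to the defaults the other routes rely on, and the absent `matches` defaults to `PathPrefix /`, so the routing itself matches the removed Ingress.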
--- HelmRelease: monitoring/kube-prometheus-stack Ingress: monitoring/kube-prometheus-stack-alertmanager
+++ HelmRelease: monitoring/kube-prometheus-stack Ingress: monitoring/kube-prometheus-stack-alertmanager
@@ -1,27 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: kube-prometheus-stack-alertmanager
- namespace: monitoring
- labels:
- app: kube-prometheus-stack-alertmanager
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/instance: kube-prometheus-stack
- app.kubernetes.io/part-of: kube-prometheus-stack
- release: kube-prometheus-stack
- heritage: Helm
-spec:
- ingressClassName: internal
- rules:
- - host: am.ktwo.io
- http:
- paths:
- - path: /
- pathType: ImplementationSpecific
- backend:
- service:
- name: kube-prometheus-stack-alertmanager
- port:
- number: 9093
-
--- HelmRelease: monitoring/kube-prometheus-stack Ingress: monitoring/kube-prometheus-stack-prometheus
+++ HelmRelease: monitoring/kube-prometheus-stack Ingress: monitoring/kube-prometheus-stack-prometheus
@@ -1,27 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: kube-prometheus-stack-prometheus
- namespace: monitoring
- labels:
- app: kube-prometheus-stack-prometheus
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/instance: kube-prometheus-stack
- app.kubernetes.io/part-of: kube-prometheus-stack
- release: kube-prometheus-stack
- heritage: Helm
-spec:
- ingressClassName: internal
- rules:
- - host: prometheus.ktwo.io
- http:
- paths:
- - path: /
- pathType: ImplementationSpecific
- backend:
- service:
- name: kube-prometheus-stack-prometheus
- port:
- number: 9090
-
--- HelmRelease: monitoring/kube-prometheus-stack HTTPRoute: monitoring/kube-prometheus-stack-alertmanager
+++ HelmRelease: monitoring/kube-prometheus-stack HTTPRoute: monitoring/kube-prometheus-stack-alertmanager
@@ -0,0 +1,29 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: kube-prometheus-stack-alertmanager
+ namespace: monitoring
+ labels:
+ app: kube-prometheus-stack-alertmanager
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/instance: kube-prometheus-stack
+ app.kubernetes.io/part-of: kube-prometheus-stack
+ release: kube-prometheus-stack
+ heritage: Helm
+spec:
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - am.ktwo.io
+ rules:
+ - backendRefs:
+ - name: kube-prometheus-stack-alertmanager
+ port: 9093
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- HelmRelease: monitoring/kube-prometheus-stack HTTPRoute: monitoring/kube-prometheus-stack-prometheus
+++ HelmRelease: monitoring/kube-prometheus-stack HTTPRoute: monitoring/kube-prometheus-stack-prometheus
@@ -0,0 +1,29 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: kube-prometheus-stack-prometheus
+ namespace: monitoring
+ labels:
+ app: kube-prometheus-stack-prometheus
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/instance: kube-prometheus-stack
+ app.kubernetes.io/part-of: kube-prometheus-stack
+ release: kube-prometheus-stack
+ heritage: Helm
+spec:
+ parentRefs:
+ - name: internal
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - prometheus.ktwo.io
+ rules:
+ - backendRefs:
+ - name: kube-prometheus-stack-prometheus
+ port: 9090
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ |
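Review bot: both kube-prometheus-stack routes attach to `internal`/`https` just as the Ingresses attached to class `internal`, and `PathPrefix /` subsumes the old `ImplementationSpecific` `/` path, so behaviour is preserved. Worth stating in the PR: Prometheus and Alertmanager ship with no authentication, so the only access control on `prometheus.ktwo.io` and `am.ktwo.io` is reachability of the `internal` Gateway's address. Previously that was implied by the nginx `internal` controller's LB IP; after this change it depends on the Gateway's address allocation and the `https` listener's `allowedRoutes`, so confirm that Gateway is not published anywhere externally reachable.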
Labels: area/kubernetes (Changes made in the kubernetes directory), area/talos (Changes made in the talos directory)