diff --git a/k8s-peterg/argo-workflows/kustomization.yaml b/k8s-peterg/argo-workflows/kustomization.yaml
new file mode 100644
index 0000000..7451e9a
--- /dev/null
+++ b/k8s-peterg/argo-workflows/kustomization.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespace.yaml
+ - secrets.yaml
+
+helmCharts:
+ - name: argo-workflows
+ repo: https://argoproj.github.io/argo-helm
+ namespace: argo-workflows
+ releaseName: argo-workflows
+ version: 1.0.7
+ valuesFile: values.yaml
diff --git a/k8s-peterg/argo-workflows/namespace.yaml b/k8s-peterg/argo-workflows/namespace.yaml
new file mode 100644
index 0000000..67653ed
--- /dev/null
+++ b/k8s-peterg/argo-workflows/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: argo-workflows
diff --git a/k8s-peterg/argo-workflows/secrets.yaml b/k8s-peterg/argo-workflows/secrets.yaml
new file mode 100644
index 0000000..7838756
--- /dev/null
+++ b/k8s-peterg/argo-workflows/secrets.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: argo-workflows-sso
+ namespace: argo-workflows
+spec:
+ secretStoreRef:
+ name: vault-wheatley
+ kind: ClusterSecretStore
+ target:
+ name: argo-workflows-sso
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/part-of: argo-workflows
+ data:
+ - secretKey: client-id
+ remoteRef:
+ key: secrets/managed/argo-workflows/authentik-sso
+ property: client-id
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
+ - secretKey: client-secret
+ remoteRef:
+ key: secrets/managed/argo-workflows/authentik-sso
+ property: client-secret
+ conversionStrategy: Default
+ decodingStrategy: None
+ metadataPolicy: None
diff --git a/k8s-peterg/argo-workflows/values.yaml b/k8s-peterg/argo-workflows/values.yaml
new file mode 100644
index 0000000..26b8dcf
--- /dev/null
+++ b/k8s-peterg/argo-workflows/values.yaml
@@ -0,0 +1,313 @@ +## Custom resource configuration +crds: + # -- Install and upgrade CRDs + install: true + # -- Keep CRDs on chart uninstall + keep: true + # -- Use full CRDs with complete OpenAPI schemas. When false, uses minified CRDs with x-kubernetes-preserve-unknown-fields. + # Full CRDs are very large and are installed via a pre-install/pre-upgrade hook Job that uses server-side apply. + full: true + +# -- Create ClusterRoles that extend existing ClusterRoles to interact with Argo Workflows CRDs. +## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles +createAggregateRoles: true + +# -- Restrict Argo to operate only in a single namespace (the namespace of the +# Helm release) by apply Roles and RoleBindings instead of the Cluster +# equivalents, and start workflow-controller with the --namespaced flag. Use it +# in clusters with strict access policy. +singleNamespace: false + +workflow: + serviceAccount: + # -- Specifies whether a service account should be created + create: false + # -- Labels applied to created service account + labels: {} + # -- Annotations applied to created service account + annotations: {} + # -- Service account which is used to run workflows + name: "argo-workflow" + # -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets` + pullSecrets: [] + rbac: + # -- Adds Role and RoleBinding for the above specified service account to be able to run workflows. + # A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below) + create: true + # -- Allows permissions for the Argo Agent. Only required if using http/plugin templates + agentPermissions: false + # -- Allows permissions for the Argo Artifact GC pod. 
Only required if using artifact gc + artifactGC: false + # -- Extra service accounts to be added to the RoleBinding + serviceAccounts: [] + # - name: my-service-account + # namespace: my-namespace + # -- Additional rules for the service account that runs the workflows. + rules: [] + +controller: + rbac: + # -- Adds Role and RoleBinding for the controller. + create: true + # -- Allows controller to get, list, and watch certain k8s secrets + secretWhitelist: [] + # -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty. + accessAllSecrets: false + # -- Allows controller to create and update ConfigMaps. Enables memoization feature + writeConfigMaps: false + + configMap: + # -- Create a ConfigMap for the controller + create: true + # -- ConfigMap name + name: "" + # -- ConfigMap annotations + annotations: {} + + # -- enable Workflow Archive to store the status of workflows. Postgres and MySQL (>= 5.7.8) are available. + ## Ref: https://argo-workflows.readthedocs.io/en/stable/workflow-archive/ + persistence: {} + # connectionPool: + # maxIdleConns: 100 + # maxOpenConns: 0 + # # save the entire workflow into etcd and DB + # nodeStatusOffLoad: false + # # enable archiving of old workflows + # archive: false + # postgresql: + # host: localhost + # port: 5432 + # database: postgres + # tableName: argo_workflows + # # the database secrets must be in the same namespace of the controller + # userNameSecret: + # name: argo-postgres-config + # key: username + # passwordSecret: + # name: argo-postgres-config + # key: password + # ssl: true + # # sslMode must be one of: disable, require, verify-ca, verify-full + # # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq + # sslMode: require + # mysql: + # host: localhost + # port: 3306 + # database: argo + # tableName: argo_workflows + # userNameSecret: + # name: argo-mysql-config + # key: username + # passwordSecret: + # name: 
argo-mysql-config + # key: password + + # -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level. + # Only valid for 2.7+ + ## See more: https://argo-workflows.readthedocs.io/en/stable/default-workflow-specs/ + workflowDefaults: {} + # spec: + # ttlStrategy: + # secondsAfterCompletion: 86400 + # # Ref: https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/ + # artifactRepositoryRef: + # configMap: my-artifact-repository # default is "artifact-repositories" + # key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map. + + serviceAccount: + # -- Create a service account for the controller + create: true + # -- Service account name + name: "" + # -- Labels applied to created service account + labels: {} + # -- Annotations applied to created service account + annotations: {} + + # -- Workflow controller name string + name: workflow-controller + + # -- Specify all namespaces where this workflow controller instance will manage + # workflows. This controls where the service account and RBAC resources will + # be created. Only valid when singleNamespace is false. + workflowNamespaces: + - default + + logging: + # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`) + level: info + # -- Set the glog logging level + globallevel: "0" + # -- Set the logging format (one of: `text`, `json`) + format: "text" + +server: + # -- Deploy the Argo Server + enabled: true + # -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /. 
+ ## only updates base url of resources on client side, + ## it's expected that a proxy server rewrites the request URL and gets rid of this prefix + ## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190 + baseHref: / + image: + # -- Registry to use for the server + registry: quay.io + # -- Repository to use for the server + repository: argoproj/argocli + # -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`. + tag: "" + rbac: + # -- Adds Role and RoleBinding for the server. + create: true + # -- Servers container-level security context + serviceAccount: + # -- Create a service account for the server + create: true + # -- Service account name + name: "" + # -- Labels applied to created service account + labels: {} + # -- Annotations applied to created service account + annotations: {} + + # -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well. + ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/ + authModes: + - sso + + ## Ingress configuration. 
+ # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ + ingress: + # -- Enable an ingress resource + enabled: false + + # Gateway API HTTPRoute configuration + # NOTE: Gateway API support is in EXPERIMENTAL status + # Support depends on your Gateway controller implementation + # Some controllers may require additional configuration (e.g., BackendTLSPolicy for HTTPS backends) + # Refer to https://gateway-api.sigs.k8s.io/implementations/ for controller-specific details + httproute: + # -- Enable HTTPRoute resource for Argo Workflows server (Gateway API) + enabled: true + # -- Additional HTTPRoute labels + labels: {} + # -- Additional HTTPRoute annotations + annotations: {} + # -- Gateway API parentRefs for the HTTPRoute + ## Must reference an existing Gateway + # @default -- `[]` (See [values.yaml]) + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: internal + namespace: kube-system + sectionName: https + # -- List of hostnames for the HTTPRoute + # @default -- `[]` (See [values.yaml]) + hostnames: + - "workflows.peterg.nl" + # @default -- `[]` (See [values.yaml]) + rules: + - matches: + - path: + type: PathPrefix + value: / + # filters: [] + # - type: RequestHeaderModifier + # requestHeaderModifier: + # add: + # - name: X-Custom-Header + # value: custom-value + + # Gateway API BackendTLSPolicy configuration + # NOTE: BackendTLSPolicy support is in EXPERIMENTAL status + # Required for HTTPS backends when using Gateway API + # Not all Gateway controllers support this resource (e.g., Cilium does not support it yet) + backendTLSPolicy: + # -- Enable BackendTLSPolicy resource for Argo Workflows server (Gateway API) + enabled: false + # -- Additional BackendTLSPolicy labels + labels: {} + # -- Additional BackendTLSPolicy annotations + annotations: {} + # -- Target references for the BackendTLSPolicy + # @default -- `[]` (See [values.yaml]) + targetRefs: [] + # - group: "" + # kind: Service + # name: argo-workflows-server + # 
sectionName: https + # -- TLS validation configuration + # @default -- `{}` (See [values.yaml]) + validation: {} + # hostname: argo-workflows-server.argo.svc.cluster.local + # caCertificateRefs: + # - name: example-ca-cert + # group: "" + # kind: ConfigMap + # wellKnownCACertificates: System + + clusterWorkflowTemplates: + # -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates. + enabled: true + # -- Give the server permissions to edit ClusterWorkflowTemplates. + enableEditing: true + + # SSO configuration when SSO is specified as a server auth mode. + sso: + enabled: true + issuer: https://auth.peterg.nl/application/o/argo-workflows/ + clientId: + name: argo-workflows-sso + key: client-id + clientSecret: + name: argo-workflows-sso + key: client-secret + redirectUrl: https://workflows.peterg.nl/oauth2/callback + scopes: + - groups + rbac: + enabled: true + +# -- Array of extra K8s manifests to deploy +extraObjects: + - apiVersion: v1 + kind: ServiceAccount + metadata: + name: admin-user + namespace: argo-workflows + annotations: + workflows.argoproj.io/rbac-rule: "'ArgoCD Admins' in groups" + workflows.argoproj.io/rbac-rule-precedence: "1" + - apiVersion: v1 + kind: ServiceAccount + metadata: + name: read-only + namespace: argo-workflows + annotations: + workflows.argoproj.io/rbac-rule: "true" + workflows.argoproj.io/rbac-rule-precedence: "0" + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: argo-workflows-admin-user + subjects: + - kind: ServiceAccount + name: admin-user + namespace: argo-workflows + roleRef: + kind: ClusterRole + name: argo-workflows-admin + apiGroup: rbac.authorization.k8s.io + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: argo-workflows-read-only + subjects: + - kind: ServiceAccount + name: read-only + namespace: argo-workflows + roleRef: + kind: ClusterRole + name: argo-workflows-view + apiGroup: rbac.authorization.k8s.io 
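Review bot: The `read-only` ServiceAccount in `extraObjects` carries `workflows.argoproj.io/rbac-rule: "true"` and is bound cluster-wide to `argo-workflows-view` through a ClusterRoleBinding, so with `server.sso.rbac.enabled: true` every identity the issuer authenticates — not only members of a group — can read workflows in all namespaces; whether that is acceptable depends on how tightly the IdP application gates who may log in, which this hunk cannot show. Add a comment on that entry so the choice is explicit: `# catch-all SSO mapping: any user the IdP lets in gets cluster-wide read access to workflows`. `workflow.serviceAccount.create: false` with `name: "argo-workflow"` and `controller.workflowNamespaces: [default]` means the workflow runner SA must already exist in `default`, and nothing in this commit creates it, so a comment naming where it comes from would help the next reader. The ClusterRole names `argo-workflows-admin` and `argo-workflows-view` look like the chart's aggregate roles from `createAggregateRoles: true`, but a ClusterRoleBinding to a role that does not exist applies without error and grants nothing, so confirm the names against the rendered chart output.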
diff --git a/k8s-peterg/argocd/applications-peterg.yaml b/k8s-peterg/argocd/applications-peterg.yaml
index 915b119..26d36ff 100644
--- a/k8s-peterg/argocd/applications-peterg.yaml
+++ b/k8s-peterg/argocd/applications-peterg.yaml
@@ -78,3 +78,24 @@ spec:
 selfHeal: true
 syncOptions:
 - ServerSideApply=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: argo-workflows
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://code.peterg.nl/wheatley/kubernetes.git
+ path: k8s-peterg/argo-workflows
+ targetRevision: HEAD
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argo-workflows
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - ServerSideApply=true
diff --git a/k8s-peterg/argocd/oidc.yaml b/k8s-peterg/argocd/oidc.yaml
index b45056e..c587b7e 100644
--- a/k8s-peterg/argocd/oidc.yaml
+++ b/k8s-peterg/argocd/oidc.yaml
@@ -27,3 +27,28 @@ spec:
 remoteRef:
 key: secrets/managed/argocd/authentik-oidc-credentials
 property: clientSecret
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: argo-workflows-sso
+ namespace: argocd
+spec:
+ secretStoreRef:
+ name: vault-wheatley
+ kind: ClusterSecretStore
+ target:
+ name: argo-workflows-sso
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/part-of: argo-workflows
+ data:
+ - secretKey: client-id
+ remoteRef:
+ key: secrets/managed/argo-workflows/dex-sso
+ property: client-id
+ - secretKey: client-secret
+ remoteRef:
+ key: secrets/managed/argo-workflows/dex-sso
+ property: client-secret
diff --git a/k8s-peterg/external-secrets-operator/kustomization.yaml b/k8s-peterg/external-secrets-operator/kustomization.yaml
index bf9ffc9..91ef006 100644
--- a/k8s-peterg/external-secrets-operator/kustomization.yaml
+++ b/k8s-peterg/external-secrets-operator/kustomization.yaml
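Review bot: The second `argo-workflows-sso` ExternalSecret, added to `k8s-peterg/argocd/oidc.yaml` in namespace `argocd`, pulls from `secrets/managed/argo-workflows/dex-sso`, while the one in `k8s-peterg/argo-workflows/secrets.yaml` in this same commit pulls from `secrets/managed/argo-workflows/authentik-sso`, and the Argo Workflows server (`server.sso.clientId`/`clientSecret` in values.yaml) reads `argo-workflows-sso` from its own namespace, `argo-workflows`. Nothing in this diff consumes the `argocd` copy, so it looks like a leftover from a Dex-based attempt; if so, drop it rather than keep a second client credential synced into a namespace that does not need it, and if it is intentional, add a comment naming the consumer, e.g. `# consumed by: <component> — not used by the argo-workflows server`. It also omits the `conversionStrategy`/`decodingStrategy`/`metadataPolicy` fields the sibling manifest spells out, which is harmless but inconsistent.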
@@ -12,4 +12,4 @@ helmCharts:
 repo: https://charts.external-secrets.io
 namespace: external-secrets
 releaseName: external-secrets
- version: 2.1.0
+ version: 2.3.0
diff --git a/k8s-peterg/vault-wheatley-approle.yaml b/k8s-peterg/vault-wheatley-approle.yaml
new file mode 100644
index 0000000..f116d9d
--- /dev/null
+++ b/k8s-peterg/vault-wheatley-approle.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+ approle_id: MDE5YTdjOWQtMTYxOC0yZjg0LWE2NzUtOWQ5NmVkZWFiNzEyCg==
+ approle_secret: ZDZkOWU0MmUtZmVhNi05MGIzLWNlODktYzJlY2E2YWIxMjc3Cg==
+kind: Secret
+metadata:
+ name: vault-wheatley-approle
+ namespace: external-secrets
+type: Opaque
diff --git a/k8s-wheatley/cloudnative-pg/kustomization.yaml b/k8s-wheatley/cloudnative-pg/kustomization.yaml
index 5d961e4..7f720ec 100644
--- a/k8s-wheatley/cloudnative-pg/kustomization.yaml
+++ b/k8s-wheatley/cloudnative-pg/kustomization.yaml
@@ -11,5 +11,5 @@ helmCharts:
 repo: https://cloudnative-pg.github.io/charts
 namespace: cnpg-system
 releaseName: cloudnative-pg
- version: 0.27.1
+ version: 0.28.0
 valuesFile: values.yaml
diff --git a/k8s-wheatley/external-secrets-operator/kustomization.yaml b/k8s-wheatley/external-secrets-operator/kustomization.yaml
index bf9ffc9..91ef006 100644
--- a/k8s-wheatley/external-secrets-operator/kustomization.yaml
+++ b/k8s-wheatley/external-secrets-operator/kustomization.yaml
@@ -12,4 +12,4 @@ helmCharts:
 repo: https://charts.external-secrets.io
 namespace: external-secrets
 releaseName: external-secrets
- version: 2.1.0
+ version: 2.3.0
diff --git a/k8s-wheatley/plex/kustomization.yaml b/k8s-wheatley/plex/kustomization.yaml
index eb8b1eb..7676da5 100644
--- a/k8s-wheatley/plex/kustomization.yaml
+++ b/k8s-wheatley/plex/kustomization.yaml
@@ -14,4 +14,4 @@ resources:
 images:
 - name: plexinc/pms-docker
- newTag: 1.43.0.10492-121068a07@sha256:1131c4cd21fa22f8196f749f1dbb69af306776c3c83c7f5b061e51dc49bcff7f
+ newTag: 1.43.1.10611-1e34174b1@sha256:8b5bcdf7b506fe051aa1a0a0d464efdb3ad8c0fb1f8a4dfb27a8c489b609920c
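Review bot: `k8s-peterg/vault-wheatley-approle.yaml` commits a plain `kind: Secret` whose `approle_id` and `approle_secret` are only base64-encoded, so the Vault AppRole credentials that bootstrap the `vault-wheatley` ClusterSecretStore are readable to anyone with repository access and will stay in git history even after the file is removed; the rest of this commit already sources secrets through ExternalSecret, so this bootstrap secret should be applied out of band or stored encrypted (SOPS, a sealed secret), and the exposed secret ID should be rotated. Both values also end in `Cg==`, which decodes to a trailing newline — the usual result of piping `echo` without `-n` into `base64` — so the decoded role ID and secret ID carry a `\n` that Vault will not accept; when regenerating, encode with `printf '%s' … | base64` or use `stringData:` and let the API server encode. The file additionally lacks the `---` document start every other manifest in this commit uses.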
diff --git a/k8s-wheatley/prowlarr/kustomization.yaml b/k8s-wheatley/prowlarr/kustomization.yaml
index 71d1948..c9a7a47 100644
--- a/k8s-wheatley/prowlarr/kustomization.yaml
+++ b/k8s-wheatley/prowlarr/kustomization.yaml
@@ -16,4 +16,4 @@ images:
 - name: flaresolverr/flaresolverr
 newTag: v3.4.6@sha256:7962759d99d7e125e108e0f5e7f3cdbcd36161776d058d1d9b7153b92ef1af9e
 - name: linuxserver/prowlarr
- newTag: 2.3.0@sha256:9ef5d8bf832edcacb6082f9262cb36087854e78eb7b1c3e1d4375056055b2d82
+ newTag: 2.3.5@sha256:35f48abb3e976fcf077fae756866c582e4a90f8b24810ae4067b3558f7cdbbdf
diff --git a/k8s-wheatley/qbittorrent/deployments.yaml b/k8s-wheatley/qbittorrent/deployments.yaml
index 939dd66..0e1600b 100644
--- a/k8s-wheatley/qbittorrent/deployments.yaml
+++ b/k8s-wheatley/qbittorrent/deployments.yaml
@@ -36,6 +36,15 @@ spec:
 - name: gluetun-tmp
 mountPath: /tmp/gluetun
 restartPolicy: Always
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ [
+ "/bin/sh",
+ "-c",
+ "(ip rule del table 51820; ip -6 rule del table 51820) || true",
+ ]
 readinessProbe:
 exec:
 command:
diff --git a/k8s-wheatley/radarr/kustomization.yaml b/k8s-wheatley/radarr/kustomization.yaml
index 25417d3..dcb0205 100644
--- a/k8s-wheatley/radarr/kustomization.yaml
+++ b/k8s-wheatley/radarr/kustomization.yaml
@@ -14,4 +14,4 @@ resources:
 images:
 - name: linuxserver/radarr
- newTag: 6.0.4@sha256:ca43905eaf2dd11425efdcfe184892e43806b1ae0a830440c825cecbc2629cfb
+ newTag: 6.1.1@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7
diff --git a/k8s-wheatley/sonarr/kustomization.yaml b/k8s-wheatley/sonarr/kustomization.yaml
index 8ea7bb6..eed76a3 100644
--- a/k8s-wheatley/sonarr/kustomization.yaml
+++ b/k8s-wheatley/sonarr/kustomization.yaml
@@ -14,4 +14,4 @@ resources:
 images:
 - name: linuxserver/sonarr
- newTag: 4.0.16@sha256:21c1c3d52248589bb064f5adafec18cad45812d7a01d317472955eef051e619b
+ newTag: 4.0.17@sha256:6854df9de20b8c82e1982604f39473d64dbb4c4584b1013f18f9ade1ee92af13
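Review bot: The new `postStart` hook in `k8s-wheatley/qbittorrent/deployments.yaml` runs `ip rule del table 51820` with no ordering guarantee against the container's own entrypoint — Kubernetes starts the hook concurrently with the process — so on a fresh start it can race the VPN setup in the container that mounts `gluetun-tmp` and delete the policy rule the tunnel has just installed, and `|| true` hides every outcome. If the intent is to clear stale rules that survive in the pod network namespace across container restarts (what the 51820 table suggests, but this hunk cannot confirm), the cleanup belongs before the main process — a wrapper `command:` or an init container sharing the netns — and the hook should carry a comment stating why it exists, e.g. `# clear policy rules left over from a previous container instance in this pod netns`; note that `ip rule` only succeeds if the container already holds `NET_ADMIN`, which is set outside this hunk. Style-wise, the flow-style `command:` list spread over five lines reads worse than either one line, `command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]`, or a block sequence with one `- ` item per line. The enclosing container spec starts above this hunk.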
diff --git a/kustomize-bases/alloy/kustomization.yaml b/kustomize-bases/alloy/kustomization.yaml
index f186140..69e9687 100644
--- a/kustomize-bases/alloy/kustomization.yaml
+++ b/kustomize-bases/alloy/kustomization.yaml
@@ -9,14 +9,14 @@ resources:
 helmCharts:
 - name: alloy
 repo: https://grafana.github.io/helm-charts
- version: "1.6.2"
+ version: "1.7.0"
 releaseName: alloy
 valuesFile: values.yaml
 - name: kube-state-metrics
 repo: https://prometheus-community.github.io/helm-charts
- version: "7.2.1"
+ version: "7.2.2"
 releaseName: kube-state-metrics
 - name: prometheus-operator-crds
 repo: https://prometheus-community.github.io/helm-charts
- version: "27.0.0"
+ version: "28.0.1"
 releaseName: prometheus-operator-crds
diff --git a/kustomize-bases/alloy/values.yaml b/kustomize-bases/alloy/values.yaml
index fd88ceb..8f2540b 100644
--- a/kustomize-bases/alloy/values.yaml
+++ b/kustomize-bases/alloy/values.yaml
@@ -127,7 +127,7 @@ configReloader:
 # -- Repository to get config reloader image from.
 repository: prometheus-operator/prometheus-config-reloader
 # -- Tag of image to use for config reloading.
- tag: v0.89.0@sha256:cb4ac6a56555bef0e202bec11e367dfe07ffb241cf4d30566b12b864692607a8
+ tag: v0.90.1@sha256:693faa0b87243cddca2cffb13586e4e2778b0cdf319cb2e601ba7af3fd19ef7d
 # -- SHA256 digest of image to use for config reloading (either in format "sha256:XYZ" or "XYZ"). When set, will override `configReloader.image.tag`
 digest: ""
 # -- Override the args passed to the container.
diff --git a/kustomize-bases/cilium/kustomization.yaml b/kustomize-bases/cilium/kustomization.yaml
index 4cccdf0..37b61c4 100644
--- a/kustomize-bases/cilium/kustomization.yaml
+++ b/kustomize-bases/cilium/kustomization.yaml
@@ -13,5 +13,5 @@ helmCharts:
 repo: https://helm.cilium.io
 namespace: kube-system
 releaseName: cilium
- version: 1.18.6
+ version: 1.19.3
 valuesFile: values.yaml