Merge branch 'main' into cloudflared-rolling-strategy

dark-vex · Sep 10, 2024 · 3ef17a1 · 3ef17a1
2 parents 24e527a + 141825f
commit 3ef17a1
Show file tree

Hide file tree

Showing 6 changed files with 94 additions and 59 deletions.
diff --git a/clusters/kubenuc/apps/harbor/manifests/release.yml b/clusters/kubenuc/apps/harbor/manifests/release.yml
@@ -26,6 +26,8 @@ spec:
     remediation:
       retries: 6
   values:
+    updateStrategy:
+      type: Recreate
     externalURL: https://harbor.ddlns.net
     core:
      replicas: 3
@@ -48,7 +50,7 @@ spec:
           topologyKey: topology.kubernetes.io/zone
           whenUnsatisfiable: DoNotSchedule
     metrics:
-      enabled: "true"
+      enabled: true
     # registry:
       # podAnnotations:
       #   prometheus.io/scrape: "true"
@@ -65,7 +67,7 @@ spec:
         hosts:
           core: "harbor.ddlns.net"
       tls:
-        enabled: "true"
+        enabled: true
         secretName: "harbor-ingress-certificate"
       type: ingress
     database:
@@ -93,3 +95,34 @@ spec:
       persistentVolumeClaim:
         redis:
           storageClass: longhorn
+  ##postRenderers:
+  ##  - kustomize:
+  ##      patches:
+  ##        - patch: |
+  ##            - op: replace
+  ##              path: /spec/strategy/rollingUpdate/maxSurge
+  ##              value: 1
+  ##          target:
+  ##            kind: Deployment
+  ##            name: harbor-core
+  ##        - patch: |
+  ##            - op: replace
+  ##              path: /spec/strategy/rollingUpdate/maxUnavailable
+  ##              value: 1
+  ##          target:
+  ##            kind: Deployment
+  ##            name: harbor-core
+  ##        - patch: |
+  ##            - op: replace
+  ##              path: /spec/strategy/rollingUpdate/maxSurge
+  ##              value: 1
+  ##          target:
+  ##            kind: Deployment
+  ##            name: harbor-portal
+  ##        - patch: |
+  ##            - op: replace
+  ##              path: /spec/strategy/rollingUpdate/maxUnavailable
+  ##              value: 1
+  ##          target:
+  ##            kind: Deployment
+  ##            name: harbor-portal
diff --git a/clusters/kubenuc/apps/minio/manifests/release.yml b/clusters/kubenuc/apps/minio/manifests/release.yml
@@ -10,7 +10,7 @@ spec:
   chart:
     spec:
       chart: operator
-      version: "5.0.11"
+      version: "6.0.2"
       sourceRef:
         kind: HelmRepository
         name: minio-operator
@@ -43,7 +43,7 @@ spec:
   chart:
     spec:
       chart: tenant
-      version: "5.0.11"
+      version: "6.0.2"
       sourceRef:
         kind: HelmRepository
         name: minio-operator
@@ -71,9 +71,25 @@ spec:
         host: nx.minio.ddlns.net
         path: /
         pathType: Prefix
+        annotations:
+          cert-manager.io/cluster-issuer: "letsencrypt"
+          nginx.ingress.kubernetes.io/ssl-redirect: "true"
+          nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+        tls:
+          - secretName: api-minio-tls
+            hosts:
+              - nx.minio.ddlns.net
       console:
         enabled: true
         ingressClassName: "nginx"
         host: nx.minio-console.ddlns.net
         path: /
         pathType: Prefix
+        annotations:
+          cert-manager.io/cluster-issuer: "letsencrypt"
+          nginx.ingress.kubernetes.io/ssl-redirect: "true"
+          nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+        tls:
+          - secretName: console-minio-tls
+            hosts:
+              - nx.minio-console.ddlns.net
diff --git a/clusters/kubenuc/apps/nextcloud/manifests/release.yml b/clusters/kubenuc/apps/nextcloud/manifests/release.yml
@@ -45,54 +45,15 @@ spec:
       tls:
         - secretName: nx-fastnet-tls
           hosts:
-            - nx.fastnetserv.cloud
+            - cloud.ddlns.net
     nextcloud:
-      host: nx.fastnetserv.cloud
+      host: cloud.ddlns.net
       ## Use an existing secret
       existingSecret:
         enabled: true
         secretName: nextcloud
         usernameKey: nextcloud-username
         passwordKey: nextcloud-password
-      configs:
-        reverse-proxy.config.php: |-
-          <?php
-          $overwriteHost = getenv('OVERWRITEHOST');
-          if ($overwriteHost) {
-            $CONFIG['overwritehost'] = $overwriteHost;
-          }
-
-          $overwriteProtocol = getenv('OVERWRITEPROTOCOL');
-          if ($overwriteProtocol) {
-            $CONFIG['overwriteprotocol'] = $overwriteProtocol;
-          }
-
-          $overwriteCliUrl = getenv('OVERWRITECLIURL');
-          if ($overwriteCliUrl) {
-            $CONFIG['overwrite.cli.url'] = $overwriteCliUrl;
-          }
-
-          $overwriteWebRoot = getenv('OVERWRITEWEBROOT');
-          if ($overwriteWebRoot) {
-            $CONFIG['overwritewebroot'] = $overwriteWebRoot;
-          }
-
-          $overwriteCondAddr = getenv('OVERWRITECONDADDR');
-          if ($overwriteCondAddr) {
-            $CONFIG['overwritecondaddr'] = $overwriteCondAddr;
-          }
-
-          $trustedProxies = getenv('TRUSTED_PROXIES');
-          if ($trustedProxies) {
-            $CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
-          }
-          $CONFIG = array (
-            'overwriteprotocol' => 'https',
-            'trusted_proxies'   => ['10.10.8.20'],
-            'default_phone_region' => 'IT',
-            'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
-            'maintenance_window_start' => 1,
-          );
     resources:
       requests:
         cpu: 300m

diff --git a/clusters/kubenuc/apps/sso/manifests/release.yml b/clusters/kubenuc/apps/sso/manifests/release.yml
@@ -10,7 +10,7 @@ spec:
   chart:
     spec:
       chart: authentik
-      version: "2024.6.0"
+      version: "2024.6.4"
       sourceRef:
         kind: HelmRepository
         name: goauthentik-chart
@@ -132,7 +132,6 @@ spec:
 
     redis:
       enabled: true
-      architecture: replication
       global:
         storageClass: "longhorn"
 

diff --git a/clusters/kubenuc/apps/sysdig-agent/manifests/release.yml b/clusters/kubenuc/apps/sysdig-agent/manifests/release.yml
@@ -26,10 +26,10 @@ spec:
       sysdig:
         region: "eu1"
       kspm:
-        deploy: true
+        deploy: false
 
-    kspmCollector:
-      enabled: false
+    #kspmCollector:
+    #  enabled: false
 
     admissionController:
       enabled: false
@@ -44,6 +44,13 @@ spec:
           memory: 2Gi
       sysdig:
         settings:
+          sysdig_api_endpoint: eu1.app.sysdig.com
+          host_scanner:
+            enabled: true
+          kspm_analyzer:
+            enabled: true
+          rapid_response:
+            enabled: true
           #feature:
           #  mode: secure_light
           #secure_audit_streams:
@@ -59,17 +66,31 @@ spec:
             file_priority: warning
             console_priority: warning
             event_priority: warning
-            file_priority_by_component:
-              - "cm_socket_endpoint: debug"
-              - "endpoint: debug: debug"
-              - "conn_mgr: debug: debug"
-              - "connection_manager: debug"
-              - "cm_collector_endpoint: debug"
+            #file_priority_by_component:
+            #  - "cm_socket_endpoint: debug"
+            #  - "endpoint: debug: debug"
+            #  - "conn_mgr: debug: debug"
+            #  - "connection_manager: debug"
+            #  - "cm_collector_endpoint: debug"
           prometheus:
             enabled: true
             prom_service_discovery: true
           jmx:
             enabled: false
+            extraVolumes:
+        volumes:
+        - name: root-vol
+          hostPath:
+            path: /
+        - name: tmp-vol
+          hostPath:
+            path: /tmp
+        mounts:
+        - mountPath: /host
+          name: root-vol
+          readOnly: true
+        - mountPath: /host/tmp
+          name: tmp-vol
 
       prometheus:
         file: true
@@ -93,6 +114,8 @@ spec:
 
     clusterShield:
       enabled: true
+      image:
+        tag: int-f1e1b1d7
       cluster_shield:
         features:
           admission_control:
@@ -105,6 +128,7 @@ spec:
             enabled: true
 
     nodeAnalyzer:
+      enabled: false
       nodeAnalyzer:
         imageAnalyzer:
           deploy: false
@@ -134,4 +158,4 @@ spec:
           newEngineOnly: true
 
     rapidResponse:
-      enabled: true
+      enabled: false
diff --git a/clusters/kubenuc/apps/system-upgrade-controller/manifests/plan.yml b/clusters/kubenuc/apps/system-upgrade-controller/manifests/plan.yml
@@ -7,6 +7,8 @@ metadata:
 spec:
   concurrency: 1
   cordon: true
+  tolerations:
+  - {key: node-role.kubernetes.io/control-plane, effect: NoSchedule, operator: Exists}
   nodeSelector:
     matchExpressions:
     - key: node-role.kubernetes.io/control-plane
@@ -16,7 +18,7 @@ spec:
   serviceAccountName: system-upgrade
   upgrade:
     image: rancher/k3s-upgrade
-  version: v1.28.10+k3s1
+  version: v1.28.13+k3s1
   channel: https://update.k3s.io/v1-release/channels/v1.28
 ---
 # Agent plan
@@ -40,5 +42,5 @@ spec:
   serviceAccountName: system-upgrade
   upgrade:
     image: rancher/k3s-upgrade
-  version: v1.28.10+k3s1
+  version: v1.28.13+k3s1
   channel: https://update.k3s.io/v1-release/channels/v1.28