steffen/kubedeploy-k3s
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' of https://github.com/illiumst/kubedeploy

Browse Source
This commit is contained in:
Steffen Illium 2024-05-06 07:43:23 +02:00
commit 0b38f69702
54 changed files with 1461 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
apps/emby/base/deployment.yaml Normal file
View File

@ -0,0 +1,68 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: emby
labels:
app: emby
namespace: emby
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: emby
template:
metadata:
labels:
app: emby
spec:
containers:
- name: emby
image: emby/embyserver:latest
ports:
- name: http
containerPort: 8100
- name: https
containerPort: 8101
- name: http-front
containerPort: 8102
- name: https-front
containerPort: 8103
volumeMounts:
- mountPath: /config
name: config
- mountPath: /mnt/share_movie
name: media
subPath: movie
- mountPath: /mnt/share_shows
name: media
subPath: tvshow
- mountPath: /mnt/share_anime
name: media
subPath: anime
- mountPath: /mnt/share_music
name: media
subPath: music
resources:
limits:
gpu.intel.com/i915: 1 # requesting 1 GPU
livenessProbe:
httpGet:
path: /web/index.html
port: 8100
timeoutSeconds: 30
readinessProbe:
httpGet:
path: /web/index.html
port: 8100
timeoutSeconds: 30
volumes:
- name: config
persistentVolumeClaim:
claimName: emby
readOnly: false
- name: media
nfs:
server: 192.168.178.4
path: /mnt/media

15
apps/emby/base/ingress.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: emby
namespace: emby
spec:
entryPoints:
- websecure-local
tls: {}
routes:
- match: Host(`emby.steffenillium.de`)
kind: Rule
services:
- name: emby
port: http

12
apps/emby/base/pvc.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: emby
spec:
storageClassName: "rook-cephfs"
volumeMode: Filesystem
accessModes:
- ReadWriteMany
resources:
requests:
storage: 30Gi

18
apps/emby/base/service.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: emby
namespace: emby
annotations:
metallb.universe.tf/loadBalancerIPs: 192.168.178.104
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
selector:
app: emby
sessionAffinity: None
type: LoadBalancer

10
apps/emby/kustomization.yaml Normal file
View File

@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: emby
resources:
- base/deployment.yaml
- base/ingress.yaml
- base/pvc.yaml
- base/service.yaml

0
apps/gitea/base/gitea-deployment.yaml → apps/gitea/base/deployment.yaml
View File

0
apps/gitea/base/gitea-ingress.yaml → apps/gitea/base/ingress.yaml
View File

0
apps/gitea/base/gitea-namespace.yaml → apps/gitea/base/namespace.yaml
View File

0
apps/gitea/base/gitea-data-pvc.yaml → apps/gitea/base/pvc.yaml
View File

0
apps/gitea/base/gitea-service.yaml → apps/gitea/base/service.yaml
View File

11
apps/gitea/kustomization.yaml
View File

@ -4,11 +4,10 @@ kind: Kustomization
namespace: gitea
resources:
- base/gitea-ingress.yaml
- base/gitea-service.yaml
- base/gitea-deployment.yaml
- base/gitea-data-pvc.yaml
- base/gitea-namespace.yaml
- base/ingress.yaml
- base/service.yaml
- base/deployment.yaml
- base/pvc.yaml
- base/namespace.yaml
components:
- ../../components/local-region-selector.yaml

39
apps/immich/base/immich-secret-sealed.yaml Normal file
View File

@ -0,0 +1,39 @@
{
"kind": "SealedSecret",
"apiVersion": "bitnami.com/v1alpha1",
"metadata": {
"name": "immich-secret",
"namespace": "immich",
"creationTimestamp": null,
"annotations": {
"sealedsecrets.bitnami.com/namespace-wide": "true"
}
},
"spec": {
"template": {
"metadata": {
"name": "immich-secret",
"namespace": "immich",
"creationTimestamp": null,
"annotations": {
"sealedsecrets.bitnami.com/namespace-wide": "true"
}
},
"type": "Opaque"
},
"encryptedData": {
"DB_DATABASE_NAME": "AgAMldRrZmNXJGz+PpBKygu6Got7SeZ+wZ74jjBE/c26GewW4/SAP3pP3adIfIngeftTIOKKxQhYMjN76hp7O3x5vweJygFRjvwECOyn1feE7vq6mVlAydUtP7XkwLKhZL0EfDh8giKIveWlBaYwTSI7tmHw/MSqLL0L7AlEvdE+uOrTPg1D3CFckGvT2TWe//DPnJ2RPpsJtGlwB9nIyAIHOZ+cjDYxo4Akv5u+l3pP2L+PnbhxhGB7nDvnXoX9jfjAjblfGQ8/oPDdv5pIWoBkuooHksy7GdNXGeoLRWX+XgdpTWpNRT2NX7eid4U3Oxmt4Kzb3LMCYiTn03nJF11r1RpOYBk43hdEfxUHDZ1EgiCDzL+gj7Bduoe1bhphXk0KBoKZM1EHU6XzvJ5lW915feg6/GdAji8OiMX8mRMEmAE2VVUf6SiESjgkEKOYDHa/2QyenEcwgbyg4gocWXvjhrYGwcZg9tu4gc0i+x52Ef19Z22IrGuV0N12Gib2uw3TpjrU50Kn2dIAskeR0C74AtCmjZd9srPTcIp6c76i0xhgMTjUYnETG54KCrxO6TVG7CYY/xpuK5Jgt9RYCTfcGoinjeOp1CLsk4a8a7J+hsEe6JGRETJRW4BLHi3UApT6xw1JH3WWovKdDOY3aHZ0J1t162G2FSNPdHQfkNGU/AC4zBxTzUDw1eVK2vZyC/0bgw4R2zY=",
"DB_HOSTNAME": "AgCXIiMfNMEOKik9Pe2I/x60hejjGHqPd4+W66dK1HDZhCZd/n8mcpo1R82fUsK49VeXtvuexFEE85EQ/Imt8htGquP6f17Vw4EuvZ38v8s/jk/LXOn9ymcsKX8EYY3ZLmiNLmDTNyKEcPe5dbV+Ew9qACKPy2nW0LT5W7HBpy+6GZqR39etpUv2URFwDFjfOS4A2jEWUDHVwJTe4n6/OvYGG3wL5xzjKSYgBTAollrVJlvIj6KXPsTFwrOv0YVaNbUPL348Qk3xZUnh0v7DcpLIXFJnqzPcwFgMII9zQafFTzvw7cTjIYMFGoDd70a2Ph6xO+yx3ouu92l45o1r7RJuW2ky5NfbsvBY19b11zdd7Htj76dIWdJcv6qNsekFDekCzJqUoZkGrlS3n4RItuqSyU6qcprEDVDI7ql4JUf6wQglWrTqBi0i1LWUNj6hqkdk/y3VUXtJulpHFATt5gbY/ciccL+zhi24pWRen/f2ffvVKdifkMMaVNQ/LNb3OyJ1o7sC7tpNS15LNNFGxMHEQRuQCG7GGZbjj+DyB1sPb+q1uGDoLaIacbD7ZPqK/HV1mvNhxBIaDo00mbXPjyLn7+Yr2Mj0DNcrJ1gXahWNnBRZd11afOPJjpgwP77jizJwqPsEvThMq+1PalLLcHGDMfDxwKglvF/Btug9YGxkFbB0WKM/puqVwDqNRABKAinZnI6oS5DD5SwME0hgYlX++oHEK0qKJmpWrgjCu6XN2jI=",
"DB_PASSWORD": "AgAQDNQJKJ++V2ArACIQ4m715W/7z5/7SMQwGJDVaXQfpb1hBmo3xkxiF5F2TV2ctPttcDsQJSjNaCDqnDXbU/DK4ubVDtevlZYQJs3XHthcMy7LIAO2Z86D8EkP0t7jDRxsgzguWpzfuDndcjgSV6EJWqxDig7I+86IcLv3wX3B05HL5HwHaLIXHsYNQUPxMWLjCeQHgPkLhc1lVwnVk4OEEz8lCcKIicxVXstSGgSg/HCl/Q2AKLm/izom0IX+AvAfiiL/2ERYmOZJjozgtHZlVFzcYIqqDKPSaIJhdnL0fEL8GLqfMUKB0Ot/mtyBN9f20rKIn1PkdS1EjkAGf87EaNlXR4DHTZoDLPffhfodyN2TOM8br6aV015rP/ESyGGIPO2BNCf75vHvr7A1OORAU9ZsfPbvPNQBsyIU+rybCpjMuRhu2KwlZppUhIfvS2PUWDtIJCyCDkgn/sqxFA8M/mTuaKICfLVstvg2fP/8Ys8dEpDOrQ1iR2qRqfQx/JMSAjwqa4Waj/6ZkEqkMPZD0gqowbgWz1vUs1P/s5m+7kYqYtItu50GbiMHpBIVOIFhH5fiFXxlyulQ2eGcggD3fCNysrIOckRmaK324wT3WpmuBM5kAofpRvLe9+8TE/HbjnzSWdmsFmHBnuvDQGRcqXh/g/LfjWTvLojoD1btxbKeUAIog3UvePtDlIMMogdFMnPAHF8CHQ==",
"DB_PORT": "AgBFokZN/g6CmG/J3hqnNZEr2HdjwuEv8RBuS/gcsvXgCjN8mXKIJutuF5dX1tlfdXJxlJ6bo7YSTgKl/VcwMO+RD9P4yqjVAumKu4qBrLG/sX0okg5jyRM0YozWG0ZrQ9KQRe/SCT28EEoZMJD8Plucxva5XobC9dACKqyyTkMV9GFGUWBg+mJsa/hwQU8L/rKFAuGICWDHW8Fz4BxG1RqIVaSWPVJCFWcKs0JkvpSF/KkqkyxN9jHRuSg/itdE+w093ZrGpyQzq3B6fXhFkQlMh57u48A9dTpQ5bk/ZTqhYUxem+sCVT+Vbbvif9Lp26DtA2Qdu+egz6PIHAGbRq12zX7x3qzwNCy2Za98HBywY4MJUNzXXhQVZ3gmePsNTeZHw3d/dACp56i1CE5tgK8XxuLGtRquPKoJGJysj5EeCcJNVJHWo8++sHmZzj0DevusjU6MU0DcRorcFpxZzeD6AsA+wfqZW3MvIuPEJQEy1ChAc1qDlCJbZ8wLjE7ymrGJcnJDABXWbsDRw16VdzkfDoSj/kBM9ZVg9hGh6v5SyAPPAEqRRNALjClvFLLz30riuxm8ZfwR7y5nlO1EG9yquKJ9XyoQls5FdvhDxtmGHod+tsjOIuHmsW9p7YOPyTso0ETEC8C9CrDPLLK69apfmlRMhpB5/AL2VAdZwzEA6kS9LBQHNPgfnOq+6mI5gGGDoAR9",
"DB_USERNAME": "AgAWJD75hjfjV+ehaS2WZVw66PdIg59otlZYLA/6+qWOCfkxaWN2Q/a+wneNI5ocZLpq9ifES09JOmbDKov1oFsD7bMc9kxrilCTN3qEEFRH/1OrVJlmdIbj9WNwtFEGzi00X0hUJoKCLbcuZQ5eqizCc6lBgi1Z5lWZppYYOVopXdxXfsOT55nlWqAHV7GrdzPLd8R/84zZzGM7dfjZl1Xum5+9e8UIZ7Zx5snrDJ7F3E0Mmvq0maC0xtANGT/KFh5ne343tGsTwEV1OpkYlcoxQNVKXrh4B+GAOLgLQxakIXXBnXXqG/5MuLAF9RdU3vCry4U7syWqYpB3xlH8Gxhnr301752Tovd0OF9lCYIlpYb5SWwNezkxvzhNkogQlfC5Rxa+MAzgwQKeB9J3mxxCxmFIvRhx48b1egi/av2DqPel2+gd/lp6ICXorWhZtBpOPmkrP/sU3E6Pvfa73GVAL3uZh3orZWtqYoViKghtPKGvprqZ3t2jlvoQsNmxd5K8j4TSGzyaXTO45KoFDZsVvsAKT0vEQbbUeSWF79VNRUKmA/DKkhKJzKfgwS2d/s84ync4FqgEk9+cwCH+pvgO/rKWjxXLPdoksAmZ7HEGjAYPhzeYHGpS+Yb548OsaU96kwgmZbVsom0OPXgbo3Aq8MHnX1g4pQeHaWqiEPn91MA+gY4NY0kl9cDcx1JNZf6csr6K+t5Rog==",
"HOST": "AgADOOOtKb0YtyiRsEZ172MNIcuzxqrxTMQ3nUVteWAi9WYduLUj6L/ByMW5df3lintbeB74XJalLafBwDj59olj6sdQl6kaWR6msyqgQIKQaDD9C7G+A26ntN7HF7Azl9W9mAWWFnc+wemB8l5vA4XCLtCOBJN1LhWJBlZauMmBAj5K4Q3aXew81iddOD2GpKnocWD+VIX2BltnLUPnIWp5DKJhqKZp00yYR1jOGkXU/ZxprCRrpZZ3kLObTA+qjz3RFuUXo8KGMlS+ZwMGrM43sCvcNnwj2snIxBvlFvrM9G2woOsRsjTwFFNUG36jTqoYF3xp62MPp5m4F82E9paWK49WdVCx6pIrtXq0gmCn4lMC8drGXXBBKumPMZPkJssAMR0MfKyTk+bQtoDSnMIHkierf9wRJoOeADHNCuaJFDZ/GSwzA7ge9PxxellRrtpfqKhTpTOifAZgm5UvKG+z6S7Qqjnmg2Y4dx6Uya9iQrdyG5Pn9vMXfSjOsFQUWzg5NLErcugvOT9oxtF3Gy8RPFsnWS1XY/fCMPK+TRVp9u9tbazgiTngaD8lVF2VB+2tUf+S84cWsyxHMShkIbNs0SsSTu8jWqYDNK7KhetEwXOS+d8tTDUc05Pji9hbE3b3LHGBTLudGnUcdftfLoxXstDdBRLtib380gzfszjoBHeaBqbdWTVLqxgmXG7qytK+z2shac4p",
"MACHINE_LEARNING_PORT": "AgB6Q2YlX0QyBhurB8N5H088GeB2OQU3LVc6X9Df34Xglbqa52fDXsSEQLYNzlCNV/Tm58r2BIhuJyURxE3tlpxskBmU2uQtN6g1DJVdseYuf6kYU3nFpL4UKOKFLFZJ8+VjbVckCqR5Lb/M1mjGkiOdSy21Lhy2l+VNcrXYVdyXGfeV+SPantplAPUjSMCzOER+uvowFQhXVe5Cz+ZRm7pd61Gl331UU9JdcKeGnkb154rk+NK614sqZOu3ceFUk9CjlftL2HhlRQNTnHTJt3n0J9ks/8V3H7n2wDYccOQjVyaEwNUDSkBUFSUUaG9oOoRmeO8oralyuJBeZ2WYClNUB3V6bpG+xgDVERNhRMOls8/uWr2vwZycrDcvTbZ2AFad/iwaxupEYMklNS9ck9UxsrIKZan/sxK01ZZdOGjWmoUoPUdhfwcXmiGP67od/3aGiBc4ReEZID1l/4zWAD6j318DmRa1IQ9E7S5eEHYg7xFLeW8TgrJKpZG1ZtV6O5dT4aiw3cMqZuuyerRvBgQqdCe9i2iwdfBN1Y/lTETNRpHPiQhoZZeslA90R3dXtvZffGXxcqxx1N4z9n5CjitiFtaHmeBRPTiwas72eVhocRqhdoy7qKgqHo/4m6Ku9RhAMMLV5k+7mGqRhg1WJcKgip2xpMB9vP9R5AVH9d4NQn8De9CLZq9OWtKcnmnRahFtocM+",
"MICROSERVICES_PORT": "AgB3z7pO1R6yh9Dv+hPkiLDagSE3jhPZ6Pn7Bb9m+j440uu/6QttzqQcNGlCf1zhxShax9sx5PeSC8HPrLBHdg8WPUh9yr0kzVD+tSAoa/o+TkJXj3+n1OrqD56Q0L4y2+WmRgUD0pn4Lxgi1ZPRqvSS4siuzd5svGEslgweKCOI8aUTiZrgetRS/Smset8N+47CeypZ/HOz76EQpwid5JmkmOgI4f7DhgfcQV7hbiQwubKTnmcBcHy73U8qs7w+VHICGV1BRIxeityNIFCKlhhFzjbZFYJ7oWtqKDYaJySsPauH9TfbVkkUP7Epk3bVF7o4kYbGFbrKbJkQbc7jj/0I/+j0d/nD6QSl+sVfXcLxNuxupUeGdCSFZNEDJ5KYxFsHmWD5HJvg3G3efOmRmOuejS/SWJ2zlntFhr8iP/u+I7AkBkTFLUd3ZIwfETOPDhPc2Dw0Z2re0r1qEdY9aHuU7cxRzTMNDOqq7TOo1CnlGnzICmFQIdUuHBe4Pl/kEM+l890KY6tyKdGl18heJyG729oYfdgtMF76dpn5jAvgnUBj4qrgKedhM0KjhrZtUUbbkb/cDvY78wWrpvTxmxJ7DkdR1G5E5zUkAIniwNJSd9wd6+ZnFWzJxdy2F1n0jhOKavHMsB1udl/4uh4F0kwiKClWv6u/WthN8BKciyNnjSQHbzfCMqtfOLZfs0N1H1lmkgE6",
"REDIS_HOSTNAME": "AgAwZGG8kusJSnTpF3O/L2PeuvNsdP90AJrrx9JYZFQjkVpIGDYMWX5qdj62VklVJGEZBToVccDHP15CN1y+uO1vstYRaR612l5PiFyJ2jizOEyHA1wI4hcXQ/fHL/e9PjbI8OaLdoDR8skgWk5GseIijdXeQLNDZCnrmuOvQHMm6JO1/YnAr1Rprnf0WZTuRRg7WpfUjQDEl6vD1RS7goB83jqAR9plRX282swPBUQgK5YNwQzdAeXvgl/otyLdIw6OZkzmPOJMOS/tsZmXOiHs8Tyi/qXW7VI67blVqrw4ZUUzB+Kmnkk9MBvmIqvGBTgkdQuINTlDobRz3f205uT5f1bNVczyStcZH0sYFGgbSESGujj4K79SSwKRYfCpRv+7gsCrlLcJHvGmXfktl8GjoYobS8p/zWr+eDOl46ZnCJySSp7iG/x5JXNoD2LjWwxS9kvBL95PLDoLPNNsJGlVVHTNg8jsrHn5CDGNh5PrL7poXtmZm7zJx291tRhzHPdgKnecZatbdkak0I9c4gDw6xq7CbFKQqLOegeysmhiAoQjV8c0cd7j4a5TGl0BkVDBdkF6sTrptq/BLC1qnl1MiyaQMsSLom5d5+tc1uOj+pYQ+jmp17q7zQBFw6JeSDGV7Cuolhy1H5iHXBwVupvrRGnXbUWPyd/pgLAcCaeUGWeeyXv/rrTHtGLJIX8C2Z4tDJLuRzUDm4ewVGOyBBTo7zXNMwmegSapbCVu4+g=",
"REDIS_PORT": "AgAsxaqu13fPe4TMsscIALRcxNj5ezwaswLGbhizFoSkhgCP/hvoYkmuTmFBpaBrRHGcb+suXYx4o6RTT/eQC8oKQhjqvCncRkJ/pWvWu4ZnuB/19TDFCUc5LqYFyfo2LCXqHIskcX+pVZKRh52pCc15x8AsdmQ1oi/4cmvlov3sawchkIPOzq+NGq6ZGq9y97rbh2MTzaQUyz1lIVMNhz8XrtgF1OTM7iGo8d/8rBeVRxfeZozp5zToGRMNv3YlUy1I/bvHmX0J28AmohuyIB3JmlPI6XSJsE0XmDeb2HK+48onq1VyPHd22iboPBwaPi2N0D31hGBcwNJd8smivpdcUM4PCjyDAOCZumN6HsMpO+TfPOrtZFsouq0QTH/7WFWHCLklWpwKRbFSvvwsqzU2fs6sJevzTN5FPo4CwQKkqlxcLWGxgDkAew4288vIsy0Pp4nyiZ9m2219ct73jCS7OhVqaJD3KqiMYcCYpV1ltjmWyZNsgqJDRu7Pj9IAshq/28T7JN8PHj50MhKEZ8EHPtPI4diaqzuRoba8NkL4utDuOfGCMjlhEUpRDUhb9pyEwOLJcXMNAHx793tWCZ+h4QSUncr2o+K+Hh4MbStyYcKv4GZpbZ8WRx9J08XCct088DmH11oqEaomZs3H5HkRKdZDllgrctysRJFCW0YhxFVoB5wOObNOsnIPHgB+uMPA0gbr",
"SERVER_PORT": "AgAWxRUjZuFoKixJhAnsocNbkxWsXUiljPKabPcSEMPYk0JkvUbqdilBDj5plIaazLfNxcaKIaIIP9HNSXsACpz/E9zG/N/nXXGYDq0mnDGQgxEwIUixSMlzv73GBWn1IZB2MhaPkiLSTY6JKEDMKzj5bPRgHKxNbf9BWiDzKFYbdt6qOalJ4xTx0m7s2fwJoB3m5GYfRbcwTYvePqLJlr8ntuY4jFgEXd9DQRg/O77Dt3KWAsR08SRWA6qI2j3pWN3tzFdbLvRwsEHRqYZtM+UWQ742esdjU6Z2jG7KWNNb/PZxpICDYfTzdm3SxMhcriHnRd/WffHT5GbImuhCMnlL9skSMe2SIglPxk5F0n5LCDvUw1JEZTnxOsn0TE6vTrxZcYIZ5CsZzZR7oX1+dvWAU4QKgeq08GUo0Fjx+fm2E4lGqOmCQ1AYkqjfjokH1uw3J1m7vu8HiGuO/8ZX/DnUucQrRMcULmXpSp6OJwRidnFpeg+1TV/HcNldABqkQuCe4aEAvdoUU2r1OJPApSgNVAGE/vEFEnh5s8myASlIWjl+BLMOWqqzXtUScdHoJUwYNED/QQPIIIgTKu/3mYKu2XsBxruFY773LMA/rPWYt4RPsVxKruq2BDFpsbT9LbOOTd26H/Q+Xkq2sRb8UOwEfcoB/nVcrcDUlQ45QvMip+cjBMYXUu54vv3A78QFphJZD09F",
"TYPESENSE_API_KEY": "AgCNHh6Bs57I11mI3gNlkny1yxqzBzZ5PaftMnQstIBlzTw6hWuGLqFUdbtFjJ8XYYUCZQ7ubcxWMySyr4J9Xqeh6TTTLNv3rAFLoD1qL7o1xpkSqRJe2O2Q80wIYmFOtFKZMnzEJGrLjuDX1DJj1A2O2zI9sHR8hg85QrunvvSTQNz9zYlBLYy6Aa0MoNcZApXKLpLw7+s+oL9jN9BfG723nJhVilCi3z1dWs9Ydjyj0JK05C9VpJuC5tqmOH8TmrM178ZFdWcMBtS1db4T4hIlGehQPtCGyyy2kBjTPOsi9XbYUuq0N+4e/gPciogIibzsCdx8p307r8/aK6f00BGyrbA4YlGVJZYBbSBbgjqZospoWQ48CjnCxR7fYouZISLuXkdRlOsijD8YMosAeMF0cHPje+pw/h5UhDzPeqtLrB3Av34PDFij0brdMiEGOECdFyOUsMcoYzGjLz0b+SANGM9o/Gy2CJwREn2e9dvX8XzpZTbb/91SJZNli7nlFPAX8aENe9AbQpSwMvW38iAqQECtsYgXoR8821q/RG699YLRLKh3xxZZA5qkuE/fIKaq3p+cZuUT4CT/OUL9XQpNW63PiUML+TPN/mhtx+MCFcNuvdZG7kPAjPe0gu4BEMUrch//WxiudYrYpCM2aIuGzws8NeWv4nnc+tQTkxZgBmtgtCHLrTe8vsAtzwfYSW8IqJJn3YWeFcYQWarQs5wjiCNfrJSd6G5X"
}
}
}

15
apps/immich/base/ingress.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: immich
namespace: immich
spec:
entryPoints:
- websecure-local
tls: {}
routes:
- match: Host(`photos.steffenillium.de`)
kind: Rule
services:
- name: server
port: server

6
apps/immich/base/kustomization.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ingress.yaml
- pvc.yaml
- immich-secret-sealed.yaml

27
apps/immich/base/pvc.yaml Normal file
View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app: pgdata
name: pgdata
spec:
storageClassName: rook-cephfs
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app: model-cache
name: model-cache
spec:
storageClassName: rook-cephfs
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi

38
apps/immich/deployment/database.yaml Normal file
View File

@ -0,0 +1,38 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: database
name: database
spec:
replicas: 1
selector:
matchLabels:
app: database
strategy:
type: Recreate
template:
metadata:
labels:
app: database
spec:
containers:
- image: registry.hub.docker.com/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
name: immich-postgres
envFrom:
- secretRef:
name: immich-secret
resources: {}
volumeMounts:
- mountPath: /var/lib/postgresql/data
name: pgdata
ports:
- name: http
containerPort: 5432
hostPort: 5432
protocol: TCP
restartPolicy: Always
volumes:
- name: pgdata
persistentVolumeClaim:
claimName: pgdata

6
apps/immich/deployment/kustomization.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- database.yaml
- redis.yaml
- server.yaml

35
apps/immich/deployment/machine-learning.yaml Normal file
View File

@ -0,0 +1,35 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: immich-machine-learning
name: immich-machine-learning
spec:
replicas: 1
selector:
matchLabels:
app: immich-machine-learning
strategy:
type: Recreate
template:
metadata:
labels:
app: immich-machine-learning
spec:
containers:
- image: ghcr.io/immich-app/immich-machine-learning:release
name: immich-machine-learning
resources: {}
ports:
- name: http
containerPort: 3003
hostPort: 3003
protocol: TCP
volumeMounts:
- mountPath: /cache
name: model-cache
restartPolicy: Always
volumes:
- name: model-cache
persistentVolumeClaim:
claimName: model-cache

27
apps/immich/deployment/redis.yaml Normal file
View File

@ -0,0 +1,27 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: redis
name: redis
spec:
replicas: 1
selector:
matchLabels:
app: redis
strategy: {}
template:
metadata:
labels:
app: redis
spec:
containers:
- image: registry.hub.docker.com/library/redis:6.2-alpine@sha256:84882e87b54734154586e5f8abd4dce69fe7311315e2fc6d67c29614c8de2672
name: immich-redis
resources: {}
ports:
- name: http
containerPort: 6379
hostPort: 6379
protocol: TCP
restartPolicy: Always

67
apps/immich/deployment/server.yaml Normal file
View File

@ -0,0 +1,67 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: server
name: server
spec:
replicas: 1
selector:
matchLabels:
app: server
strategy:
type: Recreate
template:
metadata:
labels:
app: server
spec:
containers:
- args:
- start.sh
- microservices
envFrom:
- secretRef:
name: immich-secret
image: ghcr.io/immich-app/immich-server:release
name: microservices
ports:
- name: microservices
containerPort: 3002
hostPort: 3002
protocol: TCP
resources: {}
volumeMounts:
- mountPath: /usr/src/app/upload
name: photos
subPath: upload
- mountPath: /usr/src/app/external
name: photos
- args:
- start.sh
- immich
envFrom:
- secretRef:
name: immich-secret
image: ghcr.io/immich-app/immich-server:release
name: server
ports:
- name: server
containerPort: 3001
hostPort: 3001
protocol: TCP
resources: {}
volumeMounts:
- mountPath: /usr/src/app/upload
name: photos
subPath: upload
- mountPath: /usr/src/app/external
name: photos
readOnly: true
restartPolicy: Always
volumes:
- name: photos
nfs:
server: 192.168.178.4
path: /mnt/photos
readOnly: false

9
apps/immich/kustomization.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: immich
resources:
- deployment
- base
- service

13
apps/immich/service/database.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: database
name: database
spec:
ports:
- name: "http"
port: 5432
targetPort: http
selector:
app: database

6
apps/immich/service/kustomization.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- database.yaml
- redis.yaml
- server.yaml

13
apps/immich/service/machine-learning.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: machine-learning
name: machine-learning
spec:
ports:
- name: "http"
port: 3003
targetPort: http
selector:
app: machine-learning

13
apps/immich/service/redis.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: redis
name: redis
spec:
ports:
- name: "http"
port: 6379
targetPort: http
selector:
app: redis

16
apps/immich/service/server.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: server
name: server
spec:
ports:
- name: "server"
port: 3001
targetPort: server
- name: "microservices"
port: 3002
targetPort: microservices
selector:
app: server

25
apps/nextcloud/base/nextcloud.yaml → apps/nextcloud/base/deployment.yaml
View File

@ -18,11 +18,13 @@ spec:
spec:
containers:
- name: cron
image: nextcloud
image: nextcloud:latest
volumeMounts:
- mountPath: /var/www/html
name: nextcloud-pvc
name: nextcloud
subPath: html
- mountPath: /var/www/html/data
name: nextcloud-data
command: [ "/cron.sh" ]
resources: {}
- image: mariadb
@ -59,7 +61,7 @@ spec:
protocol: TCP
volumeMounts:
- mountPath: /var/lib/mysql
name: nextcloud-pvc
name: nextcloud
subPath: db-storage
- image: redis:alpine
name: redis
@ -98,15 +100,20 @@ spec:
resources: {}
volumeMounts:
- mountPath: /var/www/html
name: nextcloud-pvc
name: nextcloud
subPath: html
- mountPath: /var/www/html/data
name: nextcloud-pvc
subPath: data
name: nextcloud-data
restartPolicy: Always
volumes:
- name: nextcloud-pvc
- name: nextcloud
persistentVolumeClaim:
claimName: nextcloud
- name: nextcloud-data
nfs:
server: 192.168.178.4
path: /mnt/storage/service/nextcloud
readOnly: false
path: /mnt/storage/service/nextcloud/data
readOnly: false

3
apps/nextcloud/base/kustomization.yaml
View File

@ -4,7 +4,8 @@ kind: Kustomization
namespace: nextcloud
resources:
- nextcloud.yaml
- deployment.yaml
- pvc.yaml
- service.yaml
- ingress.yaml
- middleware.yaml

12
apps/nextcloud/base/pvc.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud
spec:
storageClassName: "rook-cephfs"
volumeMode: Filesystem
accessModes:
- ReadWriteMany
resources:
requests:
storage: 40Gi

16
apps/paperless/base/paperless.yaml → apps/paperless/base/deployment.yaml
View File

@ -25,7 +25,7 @@ spec:
memory: "1Gi"
volumeMounts:
- mountPath: /var/lib/postgresql/data
name: paperless-pvc
name: paperless
subPath: pgdata
ports:
- containerPort: 5432
@ -52,13 +52,12 @@ spec:
resources: {}
volumeMounts:
- mountPath: /usr/src/paperless/data
name: paperless-pvc
name: paperless
subPath: app
- mountPath: /usr/src/paperless/media
name: paperless-pvc
subPath: media
name: paperless-media
- mountPath: /usr/src/paperless/consume
name: paperless-pvc
name: paperless
subPath: consume
env:
- name: DEBUG
@ -103,8 +102,11 @@ spec:
memory: "1Gi"
restartPolicy: Always
volumes:
- name: paperless-pvc
- name: paperless
persistentVolumeClaim:
claimName: paperless
- name: paperless-media
nfs:
server: 192.168.178.4
path: /mnt/storage/service/paperless
path: /mnt/storage/service/paperless/media
readOnly: false

12
apps/paperless/base/pvc.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: paperless
spec:
storageClassName: "rook-cephfs"
volumeMode: Filesystem
accessModes:
- ReadWriteMany
resources:
requests:
storage: 20Gi

3
apps/paperless/kustomization.yaml
View File

@ -4,10 +4,11 @@ kind: Kustomization
namespace: paperless
resources:
- base/pvc.yaml
- base/paperless-secret-sealed.yaml
- base/paperless-ingress.yaml
- base/paperless-service.yaml
- base/paperless.yaml
- base/deployment.yaml
- base/paperless-namespace.yaml
components:

0
apps/vaultwarden/base/vaultwarden-deployment.yaml → apps/vaultwarden/base/deployment.yaml
View File

0
apps/vaultwarden/base/vaultwarden-ingress.yaml → apps/vaultwarden/base/ingress.yaml
View File

0
apps/vaultwarden/base/vaultwarden-namespace.yaml → apps/vaultwarden/base/namespace.yaml
View File

12
apps/vaultwarden/base/pvc.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vaultwarden
spec:
storageClassName: "rook-cephfs"
volumeMode: Filesystem
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi

0
apps/vaultwarden/base/vaultwarden-secret-sealed.yaml → apps/vaultwarden/base/secret-sealed.yaml
View File

0
apps/vaultwarden/base/vaultwarden-service.yaml → apps/vaultwarden/base/service.yaml
View File

44
apps/vaultwarden/base/vaultwarden-data-pvc.yaml
View File

@ -1,44 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: vaultwarden
spec:
accessModes:
- ReadWriteMany
capacity:
storage: 20Gi
csi:
driver: cephfs.csi.ceph.com
nodeStageSecretRef:
# node stage secret name
name: csi-cephfs-secret
# node stage secret namespace where above secret is created
namespace: default
volumeAttributes:
# optional file system to be mounted
"fsName": "myfs"
# Required options from storageclass parameters need to be added in volumeAttributes
"clusterID": "99c133b4-bd71-4eb9-9c00-ced76abf2a40"
# "staticVolume": "true"
"rootPath": /volumes/csi/vaultwarden/aa82dc92-5ed0-4d99-b156-670f51b05a6b
# volumeHandle can be anything, need not to be same
# as PV name or volume name. keeping same for brevity
volumeHandle: vaultwarden
persistentVolumeReclaimPolicy: Retain
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app: vaultwarden
name: vaultwarden
spec:
storageClassName: ""
volumeMode: Filesystem
accessModes:
- ReadWriteMany
resources:
requests:
storage: 20Gi
volumeName: vaultwarden

12
apps/vaultwarden/kustomization.yaml
View File

@ -4,12 +4,12 @@ kind: Kustomization
namespace: vaultwarden
resources:
- base/vaultwarden-ingress.yaml
- base/vaultwarden-data-pvc.yaml
- base/vaultwarden-deployment.yaml
- base/vaultwarden-namespace.yaml
- base/vaultwarden-secret-sealed.yaml
- base/vaultwarden-service.yaml
- base/ingress.yaml
- base/pvc.yaml
- base/deployment.yaml
- base/namespace.yaml
- base/secret-sealed.yaml
- base/service.yaml
components:
- ../../components/local-region-selector.yaml

9
infrastructure/00-default-setup.sh
View File

@ -6,3 +6,12 @@ kubectl apply -k ./01-metallb
# Install argoCD for deployment and secret management
kubectl apply -k ./02-argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj-labs/argocd-image-updater/stable/manifests/install.yaml
# Start NFD - if your cluster doesn't have NFD installed yet
kubectl apply -k 'https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd?ref=v0.29.0'
# Create NodeFeatureRules for detecting GPUs on nodes
kubectl apply -k 'https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/nfd/overlays/node-feature-rules?ref=v0.29.0'
# Create GPU plugin daemonset
kubectl apply -k 'https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/gpu_plugin/overlays/nfd_labeled_nodes?ref=v0.29.0'

13
infrastructure/02-argocd/patches/argocd-server-service.yaml
View File

@ -5,4 +5,17 @@ metadata:
spec:
type: LoadBalancer
loadBalancerIP: 192.168.178.103
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
- name: https
port: 443
protocol: TCP
targetPort: 8080
- name: metrics
port: 8083
protocol: TCP
targetPort: 8083

16
infrastructure/03-traefik/base/deployment.yaml
View File

@ -133,23 +133,17 @@ spec:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /certs
name: traefik-pvc
name: traefik
subPath: certs
- mountPath: /data
name: traefik-pvc
name: traefik
subPath: data
- mountPath: /tmp
name: traefik-pvc
name: traefik
subPath: tmp
securityContext:
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
serviceAccountName: traefik
terminationGracePeriodSeconds: 60
volumes:
- name: traefik-pvc
- name: traefik
persistentVolumeClaim:
claimName: traefik-pvc
claimName: traefik

10
infrastructure/03-traefik/base/pvc.yaml
View File

@ -1,12 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: traefik-pvc
namespace: traefik
name: traefik
spec:
storageClassName: "rook-cephfs"
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
storageClassName: local-path
- ReadWriteMany
resources:
requests:
storage: 1Gi
storage: 500Mi

3
infrastructure/03-traefik/foreign/immich/ingress.yaml
View File

@ -9,9 +9,8 @@ spec:
- websecure-front
tls: {}
routes:
- match: Host(`photos.steffenillium.de`) || Host(`immich.steffenillium.de`)
- match: Host(`photos.steffenillium.de`)
kind: Rule
services:
- name: immich
port: http

4
infrastructure/04-rook-ceph/nfs/nfs-service.yaml
View File

@ -3,8 +3,10 @@ kind: Service
metadata:
name: rook-ceph-nfs-load-balancer
namespace: rook-ceph
annotations:
metallb.universe.tf/loadBalancerIPs: 192.168.178.100
spec:
ports:
ports:
- name: nfs
port: 2049
type: LoadBalancer

53
infrastructure/07-prometheus/grafana/deployment.yaml Normal file
View File

@ -0,0 +1,53 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: grafana
name: grafana
spec:
selector:
matchLabels:
app: grafana
template:
metadata:
labels:
app: grafana
spec:
securityContext:
fsGroup: 472
supplementalGroups:
- 0
containers:
- name: grafana
image: grafana/grafana:latest
imagePullPolicy: IfNotPresent
ports:
- containerPort: 3000
name: http
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /robots.txt
port: 3000
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 2
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
tcpSocket:
port: 3000
timeoutSeconds: 1
resources: {}
volumeMounts:
- mountPath: /var/lib/grafana
name: grafana
volumes:
- name: grafana
persistentVolumeClaim:
claimName: grafana

14
infrastructure/07-prometheus/grafana/ingress.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: grafana
spec:
entryPoints:
- websecure-local
tls: {}
routes:
- match: Host(`grafana.steffenillium.de`)
kind: Rule
services:
- name: grafana
port: http

10
infrastructure/07-prometheus/grafana/kustomization.yaml Normal file
View File

@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ingress.yaml
- deployment.yaml
- pvc.yaml
- service.yaml

12
infrastructure/07-prometheus/grafana/pvc.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: grafana
spec:
storageClassName: "rook-cephfs"
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

14
infrastructure/07-prometheus/grafana/service.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: grafana
spec:
ports:
- port: 3000
protocol: TCP
targetPort: http
name: http
selector:
app: grafana
sessionAffinity: None
type: ClusterIP

14
infrastructure/07-prometheus/ingress.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: prometheus-server
spec:
entryPoints:
- websecure-local
tls: {}
routes:
- match: Host(`prometheus.steffenillium.de`)
kind: Rule
services:
- name: prometheus-server
port: http

16
infrastructure/07-prometheus/kustomization.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- grafana
- ingress.yaml
helmCharts:
- name: prometheus
includeCRDs: true
version: 25.20.1
releaseName: "prometheus"
repo: https://prometheus-community.github.io/helm-charts
valuesFile: values.yaml

763
infrastructure/07-prometheus/values.yaml Normal file
View File

@ -0,0 +1,763 @@
## env sets environment variables to pass to the container. Can be set as name/value pairs,
## read from secrets or configmaps.
env: []
# - name: SOMEVAR
# value: somevalue
# - name: PASSWORD
# valueFrom:
# secretKeyRef:
# name: mysecret
# key: password
# optional: false
prometheus:
enabled: true
## configmap-reload container name
##
name: configmap-reload
## configmap-reload container image
##
image:
repository: quay.io/prometheus-operator/prometheus-config-reloader
# When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value).
digest: "latest"
pullPolicy: IfNotPresent
server:
name: server
# sidecarContainers - add more containers to prometheus server
# Key/Value where Key is the sidecar `- name: <Key>`
# Example:
# sidecarContainers:
# oauth-proxy:
# image: quay.io/oauth2-proxy/oauth2-proxy:v7.1.2
# args:
# - --upstream=http://127.0.0.1:9090
# - --http-address=0.0.0.0:8081
# - ...
# ports:
# - containerPort: 8081
# name: oauth-proxy
# protocol: TCP
# resources: {}
sidecarContainers: {}
## Prometheus server container image
##
image:
repository: quay.io/prometheus/prometheus
# When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value).
digest: "latest"
pullPolicy: IfNotPresent
## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug
## so that the various internal URLs are still able to access as they are in the default case.
## (Optional)
prefixURL: "prom.steffenillium.de"
## External URL which can access prometheus
## Maybe same with Ingress host name
baseURL: "metrics.steffenillium.de"
## Additional server container environment variables
##
## You specify this manually like you would a raw deployment manifest.
## This means you can bind in environment variables from secrets.
##
## e.g. static environment variable:
## - name: DEMO_GREETING
## value: "Hello from the environment"
##
## e.g. secret environment variable:
## - name: USERNAME
## valueFrom:
## secretKeyRef:
## name: mysecret
## key: username
env: []
extraFlags:
- web.enable-lifecycle
## web.enable-admin-api flag controls access to the administrative HTTP API which includes functionality such as
## deleting time series. This is disabled by default.
# - web.enable-admin-api
##
## storage.tsdb.no-lockfile flag controls BD locking
# - storage.tsdb.no-lockfile
##
## storage.tsdb.wal-compression flag enables compression of the write-ahead log (WAL)
# - storage.tsdb.wal-compression
## Path to a configuration file on prometheus server container FS
configPath: /etc/config/prometheus.yml
global:
scrape_interval: 1m
scrape_timeout: 10s
evaluation_interval: 1m
ingress:
## If true, Prometheus server Ingress will be created
##
enabled: false
## Server Deployment Strategy type
strategy:
type: Recreate
persistentVolume:
## If true, Prometheus server will create/use a Persistent Volume Claim
## If false, use emptyDir
##
enabled: true
## If set it will override the name of the created persistent volume claim
## generated by the stateful set.
##
statefulSetNameOverride: ""
## Prometheus server data Persistent Volume access modes
## Must match those of existing PV or dynamic provisioner
## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
accessModes:
- ReadWriteMany
## Prometheus server data Persistent Volume labels
##
labels: {}
## Prometheus server data Persistent Volume annotations
##
annotations: {}
## Prometheus server data Persistent Volume existing claim name
## Requires server.persistentVolume.enabled: true
## If defined, PVC must be created manually before volume will be bound
existingClaim: ""
## Prometheus server data Persistent Volume mount root path
##
mountPath: /data
## Prometheus server data Persistent Volume size
##
size: 8Gi
## Prometheus server data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
storageClass: "rook-cephfs"
## Prometheus server data Persistent Volume Binding Mode
## If defined, volumeBindingMode: <volumeBindingMode>
## If undefined (the default) or set to null, no volumeBindingMode spec is
## set, choosing the default mode.
##
volumeBindingMode: "Filesystem"
## Subdirectory of Prometheus server data Persistent Volume to mount
## Useful if the volume's root directory is not empty
##
subPath: ""
statefulSet:
## If true, use a statefulset instead of a deployment for pod management.
## This allows to scale replicas to more than 1 pod
##
enabled: false
## Security context to be added to server pods
##
securityContext:
runAsUser: 65534
runAsNonRoot: true
runAsGroup: 65534
fsGroup: 65534
service:
## If false, no Service will be created for the Prometheus server
##
enabled: true
type: ClusterIP
## Enable gRPC port on service to allow auto discovery with thanos-querier
gRPC:
enabled: true
servicePort: 10901
# nodePort: 10901
## Prometheus server pod termination grace period
##
terminationGracePeriodSeconds: 300
## Prometheus data retention period (default if not specified is 15 days)
##
retention: "90d"
## Prometheus' data retention size. Supported units: B, KB, MB, GB, TB, PB, EB.
##
retentionSize: "5GB"
## Prometheus server ConfigMap entries for rule files (allow prometheus labels interpolation)
ruleFiles: {}
## Prometheus server ConfigMap entries for scrape_config_files
## (allows scrape configs defined in additional files)
##
scrapeConfigFiles: []
## Prometheus server ConfigMap entries
##
serverFiles:
## Alerts configuration
## Ref: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/
alerting_rules.yml: {}
# groups:
# - name: Instances
# rules:
# - alert: InstanceDown
# expr: up == 0
# for: 5m
# labels:
# severity: page
# annotations:
# description: '{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes.'
# summary: 'Instance {{ $labels.instance }} down'
## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use alerting_rules.yml
alerts: {}
## Records configuration
## Ref: https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/
recording_rules.yml: {}
## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use recording_rules.yml
rules: {}
prometheus.yml:
rule_files:
- /etc/config/recording_rules.yml
- /etc/config/alerting_rules.yml
## Below two files are DEPRECATED will be removed from this default values file
- /etc/config/rules
- /etc/config/alerts
scrape_configs:
- job_name: prometheus
static_configs:
- targets:
- localhost:9090
# A scrape configuration for running Prometheus on a Kubernetes cluster.
# This uses separate scrape configs for cluster components (i.e. API server, node)
# and services to allow each to use different authentication configs.
#
# Kubernetes labels will be added as Prometheus labels on metrics via the
# `labelmap` relabeling action.
# Scrape config for API servers.
#
# Kubernetes exposes API servers as endpoints to the default/kubernetes
# service so this uses `endpoints` role and uses relabelling to only keep
# the endpoints associated with the default/kubernetes service using the
# default named port `https`. This works for single API server deployments as
# well as HA API server deployments.
- job_name: 'kubernetes-apiservers'
kubernetes_sd_configs:
- role: endpoints
# Default to scraping over https. If required, just disable this or change to
# `http`.
scheme: https
# This TLS & bearer token file config is used to connect to the actual scrape
# endpoints for cluster components. This is separate to discovery auth
# configuration because discovery & scraping are two separate concerns in
# Prometheus. The discovery auth config is automatic if Prometheus runs inside
# the cluster. Otherwise, more config options have to be provided within the
# <kubernetes_sd_config>.
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# If your node certificates are self-signed or use a different CA to the
# master CA, then disable certificate verification below. Note that
# certificate verification is an integral part of a secure infrastructure
# so this should only be disabled in a controlled environment. You can
# disable certificate verification by uncommenting the line below.
#
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
# Keep only the default/kubernetes service endpoints for the https port. This
# will add targets for each API server which Kubernetes adds an endpoint to
# the default/kubernetes service.
relabel_configs:
- source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep
regex: default;kubernetes;https
- job_name: 'kubernetes-nodes'
# Default to scraping over https. If required, just disable this or change to
# `http`.
scheme: https
# This TLS & bearer token file config is used to connect to the actual scrape
# endpoints for cluster components. This is separate to discovery auth
# configuration because discovery & scraping are two separate concerns in
# Prometheus. The discovery auth config is automatic if Prometheus runs inside
# the cluster. Otherwise, more config options have to be provided within the
# <kubernetes_sd_config>.
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# If your node certificates are self-signed or use a different CA to the
# master CA, then disable certificate verification below. Note that
# certificate verification is an integral part of a secure infrastructure
# so this should only be disabled in a controlled environment. You can
# disable certificate verification by uncommenting the line below.
#
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/$1/proxy/metrics
- job_name: 'kubernetes-nodes-cadvisor'
# Default to scraping over https. If required, just disable this or change to
# `http`.
scheme: https
# This TLS & bearer token file config is used to connect to the actual scrape
# endpoints for cluster components. This is separate to discovery auth
# configuration because discovery & scraping are two separate concerns in
# Prometheus. The discovery auth config is automatic if Prometheus runs inside
# the cluster. Otherwise, more config options have to be provided within the
# <kubernetes_sd_config>.
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# If your node certificates are self-signed or use a different CA to the
# master CA, then disable certificate verification below. Note that
# certificate verification is an integral part of a secure infrastructure
# so this should only be disabled in a controlled environment. You can
# disable certificate verification by uncommenting the line below.
#
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
# This configuration will work only on kubelet 1.7.3+
# As the scrape endpoints for cAdvisor have changed
# if you are using older version you need to change the replacement to
# replacement: /api/v1/nodes/$1:4194/proxy/metrics
# more info here https://github.com/coreos/prometheus-operator/issues/633
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
# Metric relabel configs to apply to samples before ingestion.
# [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
# metric_relabel_configs:
# - action: labeldrop
# regex: (kubernetes_io_hostname|failure_domain_beta_kubernetes_io_region|beta_kubernetes_io_os|beta_kubernetes_io_arch|beta_kubernetes_io_instance_type|failure_domain_beta_kubernetes_io_zone)
# Scrape config for service endpoints.
#
# The relabeling allows the actual service scrape endpoint to be configured
# via the following annotations:
#
# * `prometheus.io/scrape`: Only scrape services that have a value of
# `true`, except if `prometheus.io/scrape-slow` is set to `true` as well.
# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
# to set this to `https` & most likely set the `tls_config` of the scrape config.
# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
# * `prometheus.io/port`: If the metrics are exposed on a different port to the
# service then set this appropriately.
# * `prometheus.io/param_<parameter>`: If the metrics endpoint uses parameters
# then you can set any parameter
- job_name: 'kubernetes-service-endpoints'
honor_labels: true
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow]
action: drop
regex: true
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
action: replace
target_label: __scheme__
regex: (https?)
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
action: replace
target_label: __address__
regex: (.+?)(?::\d+)?;(\d+)
replacement: $1:$2
- action: labelmap
regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+)
replacement: __param_$1
- action: labelmap
regex: __meta_kubernetes_service_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_service_name]
action: replace
target_label: service
- source_labels: [__meta_kubernetes_pod_node_name]
action: replace
target_label: node
# Scrape config for slow service endpoints; same as above, but with a larger
# timeout and a larger interval
#
# The relabeling allows the actual service scrape endpoint to be configured
# via the following annotations:
#
# * `prometheus.io/scrape-slow`: Only scrape services that have a value of `true`
# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
# to set this to `https` & most likely set the `tls_config` of the scrape config.
# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
# * `prometheus.io/port`: If the metrics are exposed on a different port to the
# service then set this appropriately.
# * `prometheus.io/param_<parameter>`: If the metrics endpoint uses parameters
# then you can set any parameter
- job_name: 'kubernetes-service-endpoints-slow'
honor_labels: true
scrape_interval: 5m
scrape_timeout: 30s
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow]
action: keep
regex: true
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
action: replace
target_label: __scheme__
regex: (https?)
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
action: replace
target_label: __address__
regex: (.+?)(?::\d+)?;(\d+)
replacement: $1:$2
- action: labelmap
regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+)
replacement: __param_$1
- action: labelmap
regex: __meta_kubernetes_service_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_service_name]
action: replace
target_label: service
- source_labels: [__meta_kubernetes_pod_node_name]
action: replace
target_label: node
- job_name: 'prometheus-pushgateway'
honor_labels: true
kubernetes_sd_configs:
- role: service
relabel_configs:
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe]
action: keep
regex: pushgateway
# Example scrape config for probing services via the Blackbox Exporter.
#
# The relabeling allows the actual service scrape endpoint to be configured
# via the following annotations:
#
# * `prometheus.io/probe`: Only probe services that have a value of `true`
- job_name: 'kubernetes-services'
honor_labels: true
metrics_path: /probe
params:
module: [http_2xx]
kubernetes_sd_configs:
- role: service
relabel_configs:
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe]
action: keep
regex: true
- source_labels: [__address__]
target_label: __param_target
- target_label: __address__
replacement: blackbox
- source_labels: [__param_target]
target_label: instance
- action: labelmap
regex: __meta_kubernetes_service_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
target_label: namespace
- source_labels: [__meta_kubernetes_service_name]
target_label: service
# Example scrape config for pods
#
# The relabeling allows the actual pod scrape endpoint to be configured via the
# following annotations:
#
# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`,
# except if `prometheus.io/scrape-slow` is set to `true` as well.
# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
# to set this to `https` & most likely set the `tls_config` of the scrape config.
# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`.
- job_name: 'kubernetes-pods'
honor_labels: true
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow]
action: drop
regex: true
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
action: replace
regex: (https?)
target_label: __scheme__
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip]
action: replace
regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4})
replacement: '[$2]:$1'
target_label: __address__
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip]
action: replace
regex: (\d+);((([0-9]+?)(\.|$)){4})
replacement: $2:$1
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+)
replacement: __param_$1
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod
- source_labels: [__meta_kubernetes_pod_phase]
regex: Pending|Succeeded|Failed|Completed
action: drop
- source_labels: [__meta_kubernetes_pod_node_name]
action: replace
target_label: node
# Example Scrape config for pods which should be scraped slower. An useful example
# would be stackriver-exporter which queries an API on every scrape of the pod
#
# The relabeling allows the actual pod scrape endpoint to be configured via the
# following annotations:
#
# * `prometheus.io/scrape-slow`: Only scrape pods that have a value of `true`
# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
# to set this to `https` & most likely set the `tls_config` of the scrape config.
# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`.
- job_name: 'kubernetes-pods-slow'
honor_labels: true
scrape_interval: 5m
scrape_timeout: 30s
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow]
action: keep
regex: true
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
action: replace
regex: (https?)
target_label: __scheme__
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip]
action: replace
regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4})
replacement: '[$2]:$1'
target_label: __address__
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip]
action: replace
regex: (\d+);((([0-9]+?)(\.|$)){4})
replacement: $2:$1
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+)
replacement: __param_$1
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: pod
- source_labels: [__meta_kubernetes_pod_phase]
regex: Pending|Succeeded|Failed|Completed
action: drop
- source_labels: [__meta_kubernetes_pod_node_name]
action: replace
target_label: node
# adds additional scrape configs to prometheus.yml
# must be a string so you have to add a | after extraScrapeConfigs:
# example adds prometheus-blackbox-exporter scrape config
extraScrapeConfigs: ""
# - job_name: 'prometheus-blackbox-exporter'
# metrics_path: /probe
# params:
# module: [http_2xx]
# static_configs:
# - targets:
# - https://example.com
# relabel_configs:
# - source_labels: [__address__]
# target_label: __param_target
# - source_labels: [__param_target]
# target_label: instance
# - target_label: __address__
# replacement: prometheus-blackbox-exporter:9115
# Adds option to add alert_relabel_configs to avoid duplicate alerts in alertmanager
# useful in H/A prometheus with different external labels but the same alerts
alertRelabelConfigs: {}
# alert_relabel_configs:
# - source_labels: [dc]
# regex: (.+)\d+
# target_label: dc
networkPolicy:
## Enable creation of NetworkPolicy resources.
##
enabled: false
# Force namespace of namespaced resources
forceNamespace: ""
# Extra manifests to deploy as an array
extraManifests: []
# - |
# apiVersion: v1
# kind: ConfigMap
# metadata:
# labels:
# name: prometheus-extra
# data:
# extra-data: "value"
# Configuration of subcharts defined in Chart.yaml
## alertmanager sub-chart configurable values
## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/alertmanager
##
alertmanager:
## If false, alertmanager will not be installed
##
enabled: false
persistence:
size: 2Gi
podSecurityContext:
runAsUser: 65534
runAsNonRoot: true
runAsGroup: 65534
fsGroup: 65534
## kube-state-metrics sub-chart configurable values
## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics
##
kube-state-metrics:
## If false, kube-state-metrics sub-chart will not be installed
##
enabled: true
## prometheus-node-exporter sub-chart configurable values
## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-node-exporter
##
prometheus-node-exporter:
## If false, node-exporter will not be installed
##
enabled: true
rbac:
pspEnabled: false
containerSecurityContext:
allowPrivilegeEscalation: false
## prometheus-pushgateway sub-chart configurable values
## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-pushgateway
##
prometheus-pushgateway:
## If false, pushgateway will not be installed
##
enabled: true
# Optional service annotations
serviceAnnotations:
prometheus.io/probe: pushgateway