From 13aa1bc4a898355571b910b1987851f2e0b82acc Mon Sep 17 00:00:00 2001 From: Mike Smith <89040888+smiggiddy@users.noreply.github.com> Date: Sat, 21 Jun 2025 18:32:15 -0400 Subject: [PATCH] feat: added registry/certs --- k0sctl.yaml | 183 +++++++++++++++----- manifests/cluster-issuer.yaml | 19 ++ manifests/registry/registry-configmap.yaml | 32 ++++ manifests/registry/registry-deployment.yaml | 50 ++++++ manifests/registry/registry-ingress.yaml | 27 +++ manifests/registry/registry-namespace.yaml | 7 + manifests/registry/registry-secret.yaml | 8 + manifests/registry/registry-service.yaml | 18 ++ manifests/weed-namespace.yaml | 7 + manifests/weed-pg.yaml | 32 ++++ manifests/weed-secret.yaml | 25 +++ 11 files changed, 369 insertions(+), 39 deletions(-) create mode 100644 manifests/cluster-issuer.yaml create mode 100644 manifests/registry/registry-configmap.yaml create mode 100644 manifests/registry/registry-deployment.yaml create mode 100644 manifests/registry/registry-ingress.yaml create mode 100644 manifests/registry/registry-namespace.yaml create mode 100644 manifests/registry/registry-secret.yaml create mode 100644 manifests/registry/registry-service.yaml create mode 100644 manifests/weed-namespace.yaml create mode 100644 manifests/weed-pg.yaml create mode 100644 manifests/weed-secret.yaml diff --git a/k0sctl.yaml b/k0sctl.yaml index d61848d..ff6f54e 100644 --- a/k0sctl.yaml +++ b/k0sctl.yaml @@ -5,12 +5,13 @@ metadata: user: admin spec: hosts: - - ssh: - address: k1.lab.smig.tech + - role: controller + openSSH: user: smig port: 22 - keyPath: ~/.ssh/id_ed25519 - role: controller + address: k1.lab.smig.tech + options: + StrictHostkeyChecking: false # -o StrictHostkeyChecking: no installFlags: - --enable-metrics-scraper files: 
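Review bot: `StrictHostkeyChecking: false` on the k1 controller entry makes the ssh client accept whatever host key answers for k1.lab.smig.tech, so the session that uploads the manifests (including the secret manifests added in the next hunk) is no longer protected against a spoofed or re-imaged host. The same option is added to the k2, k3 and k4 worker entries in the following hunks. I would drop the `options:` block and pin the four host keys in `known_hosts` before running k0sctl. If trust on first contact is acceptable in the lab, `StrictHostkeyChecking: accept-new` at least refuses a changed key, assuming k0sctl passes string values through to `-o` unchanged. The host entry continues outside this hunk.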
@@ -18,16 +19,29 @@ spec: src: manifests/prometheues-service-monitor.yaml dstDir: /var/lib/k0s/manifests/prometheus/ perm: 0644 + - name: weed-namespace + src: manifests/weed-namespace.yaml + dstDir: /var/lib/k0s/manifests/weed/ + perm: 0644 + - name: weed-cnpg-config + src: manifests/weed-pg.yaml + dstDir: /var/lib/k0s/manifests/weed/ + perm: 0644 + - name: weed-secret-config + src: manifests/weed-secret.yaml + dstDir: /var/lib/k0s/manifests/weed/ + perm: 0644 - name: selinux-stuff src: selinux.conf dstDir: /etc/containerd.d perm: 0644 - - ssh: + - role: worker + openSSH: address: k2.lab.smig.tech user: smig port: 22 - keyPath: ~/.ssh/id_ed25519 - role: worker + options: + StrictHostkeyChecking: false # -o StrictHostkeyChecking: no files: - name: selinux-script src: ./selinux-script.sh @@ -48,12 +62,12 @@ spec: reset: after: - rm /home/smig/k0s-selinux.log /home/smig/selinux-script.sh /home/smig/.k0s-selinuxsetup-complete - - ssh: + - role: worker + openSSH: address: k3.lab.smig.tech user: smig - port: 22 - keyPath: ~/.ssh/id_ed25519 - role: worker + options: + StrictHostkeyChecking: false # -o StrictHostkeyChecking: no files: - name: selinux-script src: ./selinux-script.sh @@ -74,12 +88,12 @@ spec: reset: after: - rm /home/smig/k0s-selinux.log /home/smig/selinux-script.sh /home/smig/.k0s-selinuxsetup-complete - - ssh: + - role: worker + openSSH: address: k4.lab.smig.tech user: smig - port: 22 - keyPath: ~/.ssh/id_ed25519 - role: worker + options: + StrictHostkeyChecking: false # -o StrictHostkeyChecking: no files: - name: selinux-script src: ./selinux-script.sh 
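Review bot: The new `weed-secret-config` entry in the controller's `files:` list (hunk at -18,16) uploads manifests/weed-secret.yaml to /var/lib/k0s/manifests/weed/ with `perm: 0644`, which leaves the database password and S3 keys in that file readable by every local account on the controller. `perm: 0600` on that entry would limit it to the owning user, presumably root since the k0s process reads that directory; confirm the owner k0sctl assigns. The `weed-namespace` and `weed-cnpg-config` entries carry no credentials and can stay as they are.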
@@ -149,33 +163,107 @@ spec: url: https://charts.jetstack.io - name: openebs-internal url: https://openebs.github.io/charts - - name: seaweedfs-operator - url: https://seaweedfs.github.io/seaweedfs-operator/helm + - name: cloudnative-pg + url: https://cloudnative-pg.github.io/charts + # - name: seaweedfs + # url: oci://git.thecodedom.com/smig/seaweedfs:4.0.392 charts: - - name: seaweedfs-operator - chartname: seaweedfs-operator/seaweedfs-operator - version: "0.0.2" - order: 2 - namespace: seaweefs-operator-system + - name: seaweedfs + namespace: weed + chartname: oci://git.thecodedom.com/smig/seaweedfs + order: 4 + version: 4.0.392 + timeout: 20m values: | - image: - registry: git.thecodedom.com - repository: smig/seaweedfs-operator - tag: 0.1.0 - webhook: - enabled: false + global: + logginglevel: 3 + master: + affinity: null + data: + type: "persistentVolumeClaim" + storageClass: openebs-hostpath + size: 1Gi + logs: + type: "emptyDir" + nodeSelector: null + resources: + requests: + cpu: 100m + memory: 512Mi + limits: + cpu: 200m + memory: 1Gi + volume: + affinity: null + dataDirs: + - name: data + type: "persistentVolumeClaim" + storageClass: openebs-hostpath + size: 30Gi + maxVolumes: 0 + nodeSelector: null + logs: + type: "emptyDir" + resources: + requests: + cpu: 200m + memory: 1Gi + limits: + cpu: 500m + memory: 2Gi - - name: openebs - chartname: openebs-internal/openebs - version: "3.9.0" - namespace: openebs - order: 2 - values: | - localprovisioner: - hostpathClass: + filer: + enabled: true + affinity: null + nodeSelector: null + data: + type: "persistentVolumeClaim" + size: "1Gi" + storageClass: "openebs-hostpath" + logs: + type: "emptyDir" + resources: + requests: + cpu: 100m + memory: 512Mi + limits: + cpu: 400m + memory: 1Gi + extraEnvironmentVars: + WEED_LEVELDB2_ENABLED: "false" + WEED_POSTGRES_ENABLED: "true" + WEED_POSTGRES_HOSTNAME: "weed-pg-rw.weed.svc.cluster.local" + WEED_POSTGRES_PORT: "5432" + WEED_POSTGRES_DATABASE: "weed" + + 
secretExtraEnvironmentVars: + WEED_POSTGRES_USERNAME: + secretKeyRef: + name: weed-pg-secret + key: username + WEED_POSTGRES_PASSWORD: + secretKeyRef: + name: weed-pg-secret + key: password + + s3: + enabled: true + enableAuth: true + existingConfigSecret: weed-creds + domainName: k0s-s3.lab.smig.tech + nodeSelector: null + httpsPort: null + logs: + type: "emptryDir" + ingress: enabled: true - isDefaultClass: false + className: "cilium" + host: k0s-s3.lab.smig.tech + createBuckets: + - name: registry + anonymousRead: false + - name: prometheus chartName: prometheus/kube-prometheus-stack @@ -208,7 +296,6 @@ spec: grafana: initChownData: enabled: false - persistence: enabled: true storageClassName: openebs-hostpath @@ -218,6 +305,13 @@ spec: hosts: - grafana-k0s.lab.smig.tech + + - name: cloudnative-pg + namespace: cnpg-system + version: 0.24.0 + chartname: cloudnative-pg/cloudnative-pg + order: 2 + - name: cert-manager chartName: cert-manager/cert-manager version: "v1.17.2" @@ -227,11 +321,22 @@ spec: crds: enabled: true + - name: openebs + chartname: openebs-internal/openebs + version: "3.9.0" + namespace: openebs + order: 1 + values: | + localprovisioner: + hostpathClass: + enabled: true + isDefaultClass: false + - name: cilium chartName: cilium/cilium namespace: kube-system version: "1.18.0-pre.3" - order: 1 + order: 0 values: | hubble: enabled: true diff --git a/manifests/cluster-issuer.yaml b/manifests/cluster-issuer.yaml new file mode 100644 index 0000000..f07bcad --- /dev/null +++ b/manifests/cluster-issuer.yaml @@ -0,0 +1,19 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: smigtech-issuer +spec: + ca: + secretName: smigtech-ca + +--- +apiVersion: v1 +data: + tls.crt: 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 + tls.key: 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 +kind: Secret +metadata: + name: smigtech-ca + namespace: cert-manager +type: kubernetes.io/tls + 
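Review bot: Under `s3:` in the seaweedfs values the log volume is declared as `type: "emptryDir"`, while the master, volume and filer sections of the same block use `type: "emptyDir"`. The misspelt value will most likely not match what the chart expects, so the s3 pod may get a different log volume than intended or fail to render. It should read `type: "emptyDir"`. Separately, `version: 4.0.392` here and `version: 0.24.0` on the cloudnative-pg chart are unquoted while the neighbouring charts quote theirs; quoting them keeps the file consistent.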
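Review bot: manifests/cluster-issuer.yaml commits the `smigtech-ca` Secret with `tls.key` under `data:`, and base64 is an encoding, not protection. Anyone who can read the repository or its history could then sign certificates that every client trusting this CA will accept (the value itself is elided on this page, so this assumes it is the real key). The same pattern recurs in this commit in manifests/registry/registry-secret.yaml (htpasswd hash), manifests/registry/registry-configmap.yaml (S3 keys) and manifests/weed-secret.yaml (database and S3 credentials). I would keep only the `ClusterIssuer` document in this file, create the referenced Secrets out of band or through an encrypted-secrets workflow, and treat the CA key and the listed credentials as exposed, i.e. rotate them.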
diff --git a/manifests/registry/registry-configmap.yaml b/manifests/registry/registry-configmap.yaml
new file mode 100644
index 0000000..3b1dd90
--- /dev/null
+++ b/manifests/registry/registry-configmap.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+data:
+ config.yml: |
+ version: 0.1
+ log:
+ fields:
+ service: registry
+ storage:
+ s3:
+ accesskey: registry
+ secretkey: registry123
+ region: deeznuts
+ regionendpoint: http://seaweedfs-s3.weed.svc.cluster.local:8333
+ forcepathstyle: true
+ bucket: registry
+ delete:
+ enabled: true
+ redirect:
+ disable: true
+ tag:
+ concurrencylimit: 8
+ auth:
+ htpasswd:
+ realm: deeznuts-realm
+ path: /etc/distribution/passwd
+ http:
+ addr: :5000
+kind: ConfigMap
+metadata:
+ creationTimestamp: null
+ name: registry-cm
+ namespace: production-system
diff --git a/manifests/registry/registry-deployment.yaml b/manifests/registry/registry-deployment.yaml
new file mode 100644
index 0000000..47d93f1
--- /dev/null
+++ b/manifests/registry/registry-deployment.yaml
@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ creationTimestamp: null
+ labels:
+ app: registry-deploy
+ name: registry-deploy
+ namespace: production-system
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: registry-deploy
+ strategy: {}
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: registry-deploy
+ spec:
+ containers:
+ - image: registry:3.0.0
+ name: registry
+ ports:
+ - containerPort: 5000
+ env:
+ - name: OTEL_TRACES_EXPORTER
+ value: "none"
+ resources:
+ limits:
+ memory: "500Mi"
+ cpu: "200m"
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+
+ volumeMounts:
+ - name: registry-setup
+ mountPath: /etc/distribution
+ readOnly: true
+ volumes:
+ - name: registry-setup
+ projected:
+ sources:
+ - secret:
+ name: registry-credentials
+ - configMap:
+ name: registry-cm
+
+status: {}
diff --git a/manifests/registry/registry-ingress.yaml b/manifests/registry/registry-ingress.yaml
new file mode 100644
index 0000000..2bfaed5
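Review bot: In manifests/registry/registry-configmap.yaml, `accesskey` and `secretkey` sit inside `config.yml` in a ConfigMap, so they are visible to any subject allowed to read ConfigMaps in `production-system` and are not covered by the access restrictions or encryption at rest that may apply to Secrets. The distribution registry accepts configuration overrides from environment variables, so both keys can be removed from `config.yml` and supplied as `REGISTRY_STORAGE_S3_ACCESSKEY` and `REGISTRY_STORAGE_S3_SECRETKEY` through `secretKeyRef` entries in the Deployment. `regionendpoint` also uses `http://`, so image data travels unencrypted between the registry and SeaweedFS; if that is intended for in-cluster traffic, a comment saying so would help.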
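Review bot: The `registry` container in manifests/registry/registry-deployment.yaml has no `securityContext`, so it runs with the image's default user, the runtime's default capability set and privilege escalation allowed, although it only listens on port 5000 and reads a read-only config mount. I would add a container-level `securityContext` that disables privilege escalation and drops all capabilities, as sketched below; `runAsNonRoot: true` is worth adding as well once the user the image runs as has been checked. `image: registry:3.0.0` is a mutable tag, so pinning it by digest would make the deployed image reproducible.

```yaml
        - image: registry:3.0.0
          name: registry
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # … unchanged: ports, env, resources, volumeMounts …
```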
--- /dev/null
+++ b/manifests/registry/registry-ingress.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ creationTimestamp: null
+ name: registry-ingress
+ namespace: production-system
+ annotations:
+ cert-manager.io/cluster-issuer: smigtech-issuer
+spec:
+ ingressClassName: cilium
+ rules:
+ - host: images.lab.smig.tech
+ http:
+ paths:
+ - backend:
+ service:
+ name: registry-service
+ port:
+ number: 5000
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - images.lab.smig.tech
+ secretName: registry-tls
+status:
+ loadBalancer: {}
diff --git a/manifests/registry/registry-namespace.yaml b/manifests/registry/registry-namespace.yaml
new file mode 100644
index 0000000..ca16393
--- /dev/null
+++ b/manifests/registry/registry-namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ creationTimestamp: null
+ name: production-system
+spec: {}
+status: {}
diff --git a/manifests/registry/registry-secret.yaml b/manifests/registry/registry-secret.yaml
new file mode 100644
index 0000000..dbd7edd
--- /dev/null
+++ b/manifests/registry/registry-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ passwd: c21pZ3o6JDJ5JDEwJGtiOGRzMkZrMUNXMGgvOGhNYjlVMnUudy5WRlpjSk1velA3dXp2djRibU1EQ2d4MkpBcWo2
+kind: Secret
+metadata:
+ creationTimestamp: null
+ name: registry-credentials
+ namespace: production-system
diff --git a/manifests/registry/registry-service.yaml b/manifests/registry/registry-service.yaml
new file mode 100644
index 0000000..ca95b9b
--- /dev/null
+++ b/manifests/registry/registry-service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ creationTimestamp: null
+ labels:
+ app: registry-deploy
+ name: registry-service
+ namespace: production-system
+spec:
+ ports:
+ - port: 5000
+ protocol: TCP
+ targetPort: 5000
+ selector:
+ app: registry-deploy
+ type: ClusterIP
+status:
+ loadBalancer: {}
diff --git a/manifests/weed-namespace.yaml b/manifests/weed-namespace.yaml
new file mode 100644
index 0000000..a3251a0
--- /dev/null
+++ b/manifests/weed-namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ creationTimestamp: null
+ name: weed
+spec: {}
+status: {}
diff --git a/manifests/weed-pg.yaml b/manifests/weed-pg.yaml
new file mode 100644
index 0000000..2504a35
--- /dev/null
+++ b/manifests/weed-pg.yaml
@@ -0,0 +1,32 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: weed-pg
+ namespace: weed
+spec:
+ instances: 2
+ bootstrap:
+ initdb:
+ database: weed
+ owner: weed
+ secret:
+ name: weed-pg-secret
+ postInitApplicationSQL:
+ - |
+ CREATE TABLE IF NOT EXISTS filemeta (
+ dirhash BIGINT NOT NULL,
+ name VARCHAR(766) NOT NULL,
+ directory TEXT NOT NULL,
+ meta BYTEA,
+ PRIMARY KEY (dirhash, name)
+ );
+ - ALTER TABLE filemeta OWNER to weed;
+
+ storage:
+ size: 4Gi
+ storageClass: openebs-hostpath
+
+
+
+
+
diff --git a/manifests/weed-secret.yaml b/manifests/weed-secret.yaml
new file mode 100644
index 0000000..48899d2
--- /dev/null
+++ b/manifests/weed-secret.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+data:
+stringData:
+ username: weed
+ password: weed-database
+kind: Secret
+metadata:
+ name: weed-pg-secret
+ namespace: weed
+type: kubernetes.io/basic-auth
+
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: weed-creds
+ namespace: weed
+ labels:
+ app.kubernetes.io/name: seaweedfs
+ app.kubernetes.io/component: s3
+stringData:
+ # this key must be an inline json config file
+ seaweedfs_s3_config: '{"identities":[{"actions":["Admin","Read","Write","List","Tagging"],"credentials":[{"accessKey":"smigz","secretKey":"smigtechlab"}],"name":"anvAdmin"},{"actions":["Read"],"credentials":[{"accessKey":"weed-ro","secretKey":"readonlyweed"}],"name":"anvReadOnly"},{"actions":["Read:registry","Write:registry","List:registry","Tagging:registry","Admin:registry"],"credentials":[{"accessKey":"registry","secretKey":"registry123"}],"name":"registry"}]}'
+
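Review bot: The credential values in both Secrets are short, human-chosen strings committed in clear text, and the S3 gateway they protect is published through the ingress host k0s-s3.lab.smig.tech configured in k0sctl.yaml, so they should be replaced with randomly generated values supplied from outside the repository. The `registry` identity is also granted `Admin:registry`, although the bucket is created by the chart's `createBuckets`; dropping that action, if SeaweedFS still permits the registry's deletes without it, would narrow what that key can do. The first document has a bare `data:` key next to `stringData:`; it parses as null and can be deleted.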