smig/k0s-cluster
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: added registry/certs

Browse source
This commit is contained in:
Smigz 2025-06-21 18:32:15 -04:00
parent 8d217e0778
commit 13aa1bc4a8
11 changed files with 369 additions and 39 deletions
Download patch file Download diff file Expand all files Collapse all files

183
k0sctl.yaml
View file

@ -5,12 +5,13 @@ metadata:
user: admin user: admin
spec: spec:
hosts: hosts:
- ssh: - role: controller
address: k1.lab.smig.tech openSSH:
user: smig user: smig
port: 22 port: 22
keyPath: ~/.ssh/id_ed25519 address: k1.lab.smig.tech
role: controller options:
StrictHostkeyChecking: false # -o StrictHostkeyChecking: no
installFlags: installFlags:
- --enable-metrics-scraper - --enable-metrics-scraper
files: files:
@ -18,16 +19,29 @@ spec:
src: manifests/prometheues-service-monitor.yaml src: manifests/prometheues-service-monitor.yaml
dstDir: /var/lib/k0s/manifests/prometheus/ dstDir: /var/lib/k0s/manifests/prometheus/
perm: 0644 perm: 0644
- name: weed-namespace
src: manifests/weed-namespace.yaml
dstDir: /var/lib/k0s/manifests/weed/
perm: 0644
- name: weed-cnpg-config
src: manifests/weed-pg.yaml
dstDir: /var/lib/k0s/manifests/weed/
perm: 0644
- name: weed-secret-config
src: manifests/weed-secret.yaml
dstDir: /var/lib/k0s/manifests/weed/
perm: 0644
- name: selinux-stuff - name: selinux-stuff
src: selinux.conf src: selinux.conf
dstDir: /etc/containerd.d dstDir: /etc/containerd.d
perm: 0644 perm: 0644
- ssh: - role: worker
openSSH:
address: k2.lab.smig.tech address: k2.lab.smig.tech
user: smig user: smig
port: 22 port: 22
keyPath: ~/.ssh/id_ed25519 options:
role: worker StrictHostkeyChecking: false # -o StrictHostkeyChecking: no
files: files:
- name: selinux-script - name: selinux-script
src: ./selinux-script.sh src: ./selinux-script.sh
@ -48,12 +62,12 @@ spec:
reset: reset:
after: after:
- rm /home/smig/k0s-selinux.log /home/smig/selinux-script.sh /home/smig/.k0s-selinuxsetup-complete - rm /home/smig/k0s-selinux.log /home/smig/selinux-script.sh /home/smig/.k0s-selinuxsetup-complete
- ssh: - role: worker
openSSH:
address: k3.lab.smig.tech address: k3.lab.smig.tech
user: smig user: smig
port: 22 options:
keyPath: ~/.ssh/id_ed25519 StrictHostkeyChecking: false # -o StrictHostkeyChecking: no
role: worker
files: files:
- name: selinux-script - name: selinux-script
src: ./selinux-script.sh src: ./selinux-script.sh
@ -74,12 +88,12 @@ spec:
reset: reset:
after: after:
- rm /home/smig/k0s-selinux.log /home/smig/selinux-script.sh /home/smig/.k0s-selinuxsetup-complete - rm /home/smig/k0s-selinux.log /home/smig/selinux-script.sh /home/smig/.k0s-selinuxsetup-complete
- ssh: - role: worker
openSSH:
address: k4.lab.smig.tech address: k4.lab.smig.tech
user: smig user: smig
port: 22 options:
keyPath: ~/.ssh/id_ed25519 StrictHostkeyChecking: false # -o StrictHostkeyChecking: no
role: worker
files: files:
- name: selinux-script - name: selinux-script
src: ./selinux-script.sh src: ./selinux-script.sh
@ -149,33 +163,107 @@ spec:
url: https://charts.jetstack.io url: https://charts.jetstack.io
- name: openebs-internal - name: openebs-internal
url: https://openebs.github.io/charts url: https://openebs.github.io/charts
- name: seaweedfs-operator - name: cloudnative-pg
url: https://seaweedfs.github.io/seaweedfs-operator/helm url: https://cloudnative-pg.github.io/charts
# - name: seaweedfs
# url: oci://git.thecodedom.com/smig/seaweedfs:4.0.392
charts: charts:
- name: seaweedfs-operator - name: seaweedfs
chartname: seaweedfs-operator/seaweedfs-operator namespace: weed
version: "0.0.2" chartname: oci://git.thecodedom.com/smig/seaweedfs
order: 2 order: 4
namespace: seaweefs-operator-system version: 4.0.392
timeout: 20m
values: | values: |
image: global:
registry: git.thecodedom.com logginglevel: 3
repository: smig/seaweedfs-operator master:
tag: 0.1.0 affinity: null
webhook: data:
enabled: false type: "persistentVolumeClaim"
storageClass: openebs-hostpath
size: 1Gi
logs:
type: "emptyDir"
nodeSelector: null
resources:
requests:
cpu: 100m
memory: 512Mi
limits:
cpu: 200m
memory: 1Gi
volume:
affinity: null
dataDirs:
- name: data
type: "persistentVolumeClaim"
storageClass: openebs-hostpath
size: 30Gi
maxVolumes: 0
nodeSelector: null
logs:
type: "emptyDir"
resources:
requests:
cpu: 200m
memory: 1Gi
limits:
cpu: 500m
memory: 2Gi
- name: openebs filer:
chartname: openebs-internal/openebs enabled: true
version: "3.9.0" affinity: null
namespace: openebs nodeSelector: null
order: 2 data:
values: | type: "persistentVolumeClaim"
localprovisioner: size: "1Gi"
hostpathClass: storageClass: "openebs-hostpath"
logs:
type: "emptyDir"
resources:
requests:
cpu: 100m
memory: 512Mi
limits:
cpu: 400m
memory: 1Gi
extraEnvironmentVars:
WEED_LEVELDB2_ENABLED: "false"
WEED_POSTGRES_ENABLED: "true"
WEED_POSTGRES_HOSTNAME: "weed-pg-rw.weed.svc.cluster.local"
WEED_POSTGRES_PORT: "5432"
WEED_POSTGRES_DATABASE: "weed"
secretExtraEnvironmentVars:
WEED_POSTGRES_USERNAME:
secretKeyRef:
name: weed-pg-secret
key: username
WEED_POSTGRES_PASSWORD:
secretKeyRef:
name: weed-pg-secret
key: password
s3:
enabled: true
enableAuth: true
existingConfigSecret: weed-creds
domainName: k0s-s3.lab.smig.tech
nodeSelector: null
httpsPort: null
logs:
type: "emptryDir"
ingress:
enabled: true enabled: true
isDefaultClass: false className: "cilium"
host: k0s-s3.lab.smig.tech
createBuckets:
- name: registry
anonymousRead: false
- name: prometheus - name: prometheus
chartName: prometheus/kube-prometheus-stack chartName: prometheus/kube-prometheus-stack
@ -208,7 +296,6 @@ spec:
grafana: grafana:
initChownData: initChownData:
enabled: false enabled: false
persistence: persistence:
enabled: true enabled: true
storageClassName: openebs-hostpath storageClassName: openebs-hostpath
@ -218,6 +305,13 @@ spec:
hosts: hosts:
- grafana-k0s.lab.smig.tech - grafana-k0s.lab.smig.tech
- name: cloudnative-pg
namespace: cnpg-system
version: 0.24.0
chartname: cloudnative-pg/cloudnative-pg
order: 2
- name: cert-manager - name: cert-manager
chartName: cert-manager/cert-manager chartName: cert-manager/cert-manager
version: "v1.17.2" version: "v1.17.2"
@ -227,11 +321,22 @@ spec:
crds: crds:
enabled: true enabled: true
- name: openebs
chartname: openebs-internal/openebs
version: "3.9.0"
namespace: openebs
order: 1
values: |
localprovisioner:
hostpathClass:
enabled: true
isDefaultClass: false
- name: cilium - name: cilium
chartName: cilium/cilium chartName: cilium/cilium
namespace: kube-system namespace: kube-system
version: "1.18.0-pre.3" version: "1.18.0-pre.3"
order: 1 order: 0
values: | values: |
hubble: hubble:
enabled: true enabled: true

19
manifests/cluster-issuer.yaml Normal file
View file

@ -0,0 +1,19 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: smigtech-issuer
spec:
ca:
secretName: smigtech-ca
---
apiVersion: v1
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUYzVENDQThXZ0F3SUJBZ0lVSlN6ek1PNk5WcnR1QmE0dkJGdHVYU1BQcnlZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2ZqRUxNQWtHQTFVRUJoTUNWVk14RVRBUEJnTlZCQWdNQ0ZacGNtZHBibWxoTVJBd0RnWURWUVFIREFkRwpZV2x5Wm1GNE1SRXdEd1lEVlFRS0RBaFRiV2xuZEdWamFERVZNQk1HQTFVRUN3d01UR0ZpTFZOdGFXZDBaV05vCk1TQXdIZ1lEVlFRRERCZHdlRzE0TFdOaE1ERXViR0ZpTG5OdGFXY3VkR1ZqYURBZUZ3MHlNakV5TVRneU1EQXoKTXpaYUZ3MHpNakV5TVRVeU1EQXpNelphTUg0eEN6QUpCZ05WQkFZVEFsVlRNUkV3RHdZRFZRUUlEQWhXYVhKbgphVzVwWVRFUU1BNEdBMVVFQnd3SFJtRnBjbVpoZURFUk1BOEdBMVVFQ2d3SVUyMXBaM1JsWTJneEZUQVRCZ05WCkJBc01ERXhoWWkxVGJXbG5kR1ZqYURFZ01CNEdBMVVFQXd3WGNIaHRlQzFqWVRBeExteGhZaTV6YldsbkxuUmwKWTJnd2dnSWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUNEd0F3Z2dJS0FvSUNBUURDMUpGSkRtbkFxNmxPUkd3aApEd1RrOXZKQ1YvQWx4KzZFN091MDFnbHRwamRNTG9rVXV1UnA5YnlXTkJicmNHS3h4SWEyZ05YTktCcWdoYmowCkFOZzMxNGFvdlNUaEplMUh4Mk5TeUhUQ1JBUVZDTFpMY0c5MjVGa1drVUl4STZ0Ym04VW82LzBWbUZ3RVJtTVkKZWRFZ2ZEdERBMG9sbVJuQUVXYzRlaWV3SWd6MUdxK2lGSi92WjQ3SjhWbFpiTVJBdnZFL0tHVE5sR2psOHZabAo4ZWU4WjRLL01LUExBNHYwK0trSE1MTUgyV2lGUXY5UlY0OW9yVldzUUNLL1M4L2dOK1l0ZU9SNnlNTjhTL1g2CjV2N1dSTXR4UVZMVUMrdGdTWmNYMURJWm5zVXFBcVo3YTJja1ptY0pBWkFKVnRoUHVEcStybFZ6ZWRZbHhadEkKOTFqTU9GUGxpaUhkY0ZSRG5FYVprVWdqYmJtWVRROVhFMkV6OGhFNnBLVlF4NkROVU1Ed0ZJa1JJQTBiMy9tNgpxQ3VKRldmWnloUU42R3J2UEtYT08zWnNtRldJWk5RT1ErZFN2N2Iya0k0Yk9FT01oWmpZck1KT2V6V2VCZkN6CjZMOXZyQjBzb3ZRZUF3eGhmRFMyTjlpTlNBNHp4UWhGeUNVZTJDbjViVmY3bDZzUmpSZzFZekZQbXVleVFyTC8KaWpYM2VrWEFmWkdDS0pzVVVWTHJBNitUbkc4RGFYU2xHS214QWdpUlA4Q0E5djEwZWJURGxBOHdGVVJ2ZGk5aQppQW9pQVFraVI1Ylp4NEdkQjhpOGtreW1FdEF6eWVScnVPTWhiTGxDMmpuMDZyUFRCL3VlYU5PYlR2UEpuS3lsClRMUjFYczc3Yzd4OU5kUEhJYnF5QU4vRjR3SURBUUFCbzFNd1VUQWRCZ05WSFE0RUZnUVVJVHk4aGVNZXpnTlAKR2FUWTVsREc0UXBNajNRd0h3WURWUjBqQkJnd0ZvQVVJVHk4aGVNZXpnTlBHYVRZNWxERzRRcE1qM1F3RHdZRApWUjBUQVFIL0JBVXdBd0VCL3pBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQWdFQXNCTXJ0cFo0b21saWVaYm1mSmJHClU5dnRVbXFBT3V2bTQ2ajVJNGxXK3dCRmhVRmY2dlBuTUNIVjY1N1NiWUZEa3A3MXJOdXg1elBHRGlTYXhnR2gKR2w3WTlia1dHcEkrcXhnM1lnbTE3Y1AyMkd1UWJhRFhiTTU5N2k4WWtEakhqZVl4cGhPWEpYZkR6VzQ4dEQ1Qgo2cmRWcnc5MDNKc25CYmMvUWpHVUl1SU9lM3NFMW1veHVqcHdYdzZLSW0vemhXRnhXWkt3RzNuOGJvUllSUUxnCitKRkMyMnFaSVJsbkduSkQ5d1EwRmQ1QTZGRWJUOStsM09iMDQ2N25pMWZnK1ZQVjVtTVV0SjkwYmViQnd3S3oKRTdnYmdGQ2pPS2RRSU5lNmJwcXBZbmkyTHBiV01vZWJYWFFiRzVTRzkxOTZaR2FMdmpWOCtEMjMwclROV2xYcgpQVlpGUlg4VzZJRDN5c1hJMkovNHREd3duempNQXZQd0dUaytSMHhOQXpzZlAvMWJ4QUV2VmNid1VJUmhCTHAwCkU2K0NRTFg3NnNRRy9GUVhEVDNmTHZwSnhlYytiSk9iditBUnFWZVQ4cTdkYXRLYVpMS0RCSUhXWGFYV2xJVlIKQ3BVVGVRNmt3NlpJUE5kSkZndm01elRCbXR6aHcyRXFpVzR2dWNDTVBHV1hiUmk0RTd0V3R6dE52QlFCMGRNMwo5V3ZlZ1E4Y2ZaZGdRTmcrYnFkQVdHN0czb3pkcVkxbThyVWt6VllRY3Q3UGpsYTFEcjNIREpwY0pUZVhxSmVWCkh4WmswNm9QQk1TM3JITCtjUXd3OGhXSEtlODFPcWhEV1hQN0hPQ015TzNEbG84ampaZGRMenBtSEYvbWhUMS8KS1hEQ3NuWUFFdE80bTRoM25YZzREbWs9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpSQUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1M0d2dna3FBZ0VBQW9JQ0FRREMxSkZKRG1uQXE2bE8KUkd3aER3VGs5dkpDVi9BbHgrNkU3T3UwMWdsdHBqZE1Mb2tVdXVScDlieVdOQmJyY0dLeHhJYTJnTlhOS0JxZwpoYmowQU5nMzE0YW92U1RoSmUxSHgyTlN5SFRDUkFRVkNMWkxjRzkyNUZrV2tVSXhJNnRibThVbzYvMFZtRndFClJtTVllZEVnZkR0REEwb2xtUm5BRVdjNGVpZXdJZ3oxR3EraUZKL3ZaNDdKOFZsWmJNUkF2dkUvS0dUTmxHamwKOHZabDhlZThaNEsvTUtQTEE0djArS2tITUxNSDJXaUZRdjlSVjQ5b3JWV3NRQ0svUzgvZ04rWXRlT1I2eU1OOApTL1g2NXY3V1JNdHhRVkxVQyt0Z1NaY1gxRElabnNVcUFxWjdhMmNrWm1jSkFaQUpWdGhQdURxK3JsVnplZFlsCnhadEk5MWpNT0ZQbGlpSGRjRlJEbkVhWmtVZ2piYm1ZVFE5WEUyRXo4aEU2cEtWUXg2RE5VTUR3RklrUklBMGIKMy9tNnFDdUpGV2ZaeWhRTjZHcnZQS1hPTzNac21GV0laTlFPUStkU3Y3YjJrSTRiT0VPTWhaallyTUpPZXpXZQpCZkN6Nkw5dnJCMHNvdlFlQXd4aGZEUzJOOWlOU0E0enhRaEZ5Q1VlMkNuNWJWZjdsNnNSalJnMVl6RlBtdWV5ClFyTC9palgzZWtYQWZaR0NLSnNVVVZMckE2K1RuRzhEYVhTbEdLbXhBZ2lSUDhDQTl2MTBlYlREbEE4d0ZVUnYKZGk5aWlBb2lBUWtpUjViWng0R2RCOGk4a2t5bUV0QXp5ZVJydU9NaGJMbEMyam4wNnJQVEIvdWVhTk9iVHZQSgpuS3lsVExSMVhzNzdjN3g5TmRQSElicXlBTi9GNHdJREFRQUJBb0lDQVFDeFoxTS9mWk5IOEVkQzBFVFJPVmJRCmtoZjMxeEVCcGZLSE1TQlRVbzNWUFFPZko4U0Vqc1VMd3NuTXozT0xRSk50b1RDMUg4ME9lUlQ5MDZXYzhPUHcKdlJ5TnEyVFlhbXVMNzM5K1VxOFdjVTV5UkxPUkw3a2ZQai9zcjZuaENzU3Vyc0V4U09qemIvOWhtU0lFbUcrWApMK2ZhVmpWKzFOREF0bGdSOGhFUGJZSDA4UzY1M0NQaG41OUNQTFNLRytMN3ZhSDRTM1MyU1F2WFRvdVVPbGd6Cmt1Rlg3QmRJOVZyTVhsdXpBMklScEtKcXJaM0VXSUZwNUdOZGJDejNtVFdZeWUyYXZEajNvTFY0Q2NiYWh0bkgKQzI5Z0dnWXN0UW5IYkZyYlJNbTEwSDloaUhaRmJYL0dna1FSekUxMlk1Q2x6bkFYVHJEYWJEZFZ2NEJ0U1dTZApRR2taUUcxMllFMHcySE1LZUFWcU93UFl3bXowR0RZdlFvaGJpcExoOUg0eDBnOE8veUhOWnEwNjNEV1dRaDU0CnJ3Q0FLbVRkNitFdFBNU0RidG9SbFZjQlg1ODUzSWUzLyswVkJaeTBTM01zTnZXclRIUnJPNS96a2ZUbGhHNGwKVEtUakN5MU5QZXFwZzVqbEsydW1wazlrUVFOTkhaRzFtS3VYWlMyM1lhMVZYMGtDcGtMZjlRMkorb08xN1dISQpRQ1VhSy9aQm9rb0JWaGFCU2lzMEFkbnlzTXBiblBIeHd2dWlsaDdTQzdGWjFSSDNsakxiOFV0SVBOTFd2aFBsCk0xamNGNUk3MHYvTys1SHBsMUY2b3hzZm9yYy8zSnFjOHVKSS9GRUZSZjBkT0dQbEFpS2t5MUZVUDJ6Rm1Rb1EKc0pkSTc5bjVZU01NeWQrUnVxajU0UUtDQVFFQThCZVEyQW5DWkQrQlRrWFpXQUlvVDFjaWFHZDdvR05mTHFUQgpDb0VMR0h4NFFvSklVSHlGTmJZdHpBUWxudVNzSVd5T0w2MzhHUytIdndDcmQ4eWdzOHFkcmM5TTd3ZHc0Q1FUCmI2UEJHN2tHWDdtT2c1bjZKREVScXRWMzlIaE8weUhjQ1V2eFE2RWNJWi9WZlRDTzdoVmRKYjJVam4rNHdYSjIKUkcxdnhaUjN6ZWx6dDRnM1NGU1k0YVcwSTlJdGFyVEE1Tm1Sd1F6ZFR6TDQ0WFhKcmRKOXFhWHFCWnEvNVdlSQoxV2JJZ2dzYjBqTkcwbEIzY2k0eTgxTFNCMlNmb2VLWklXYTNCa2Z2SVJYQ3p2UjdTdmFTTUtRZVdhdm1NK0E2Clhia1lGRUpDSGRvWFNWZ0JpeEdCZllEVkFiS1l2eVMwNnJ3MXNqMTVpWEVDUHdDeDh3S0NBUUVBejcxR0gvb2IKY1dCTGhOREYzNDRJZDQ3NlVrT1MvdzBvS3p5Ym9sdjh1V0dibm9LcjZMYzJ1bzAzWjBXSDlqMUh3YnFaTzlHdQpNZG9yTnE2N1FHeWtXdkVEZE5YdHg4QmFnY2RxMVJqTGZqUDdIc09zcWozd1pMKzdxMnliZXZwY2xNTktRRHBtCkRqemkrZ1hNTll1cXdqRFdHdy9LbG0vOUlFUHUrR3NaYktWcVlSdVNoZm5MdGFCWW9pMmtqbjlTejNUaGk2Wk8KRmNodU02azJhY2Q2c1dxSHBwcXBsMytJR0dYQnY3ZkNRTFR4VWxTa1kvbHcybnMrZ1dwaHlCTXhQRlp6dTJ4KwpOZEo2SjV3djNjaGtKSXNJWVpHWDZ4Q0huVklUMzVxNmJhWHZzcVVWcDZlSXFuQ2hsSWFTSEpWWWQxS3ZzV2RlCmVSMFdnUmMrUjZDb1VRS0NBUUVBbStKQkdmT2tNaUNGWFFPKzdRUmhsYm4yVGlFNlJGV2d2QkVlZ1NwdHdOVTMKNDc3aEl0am1TSXhqU2I0N2l1SGYzTWUxdmNGU0dDd2pEK0ZvY3h6NkRpSDBwS0FlekdkaFl6WXBKR2dHL20vdwpjb0J3eG9OWHhOM1RJYjc5NWsyaXFEU292NlIrSGpIaHFQYzB6dGFUUm9PNmVjR1FUY0VoZlFCTFIzeGlnTDgzCjFncklKaGFjQml0Zkk4ckpuaVJkZHBXclZDcnJGcE82c1N4Z0tVcW55bU1MVWZXMmJ6TWRldDN4R3RWa1JBTGcKYW1iK2laalRKT0JZRm1Ia21nWThHd2liOGZMVnpJOHg5S0pEWE1taHIzZE9UYVNSVEJsdkdxbHdXOS9NZ1lMUAptTUE4TkZPZWxPT2wxbzJxUHpMdE45V21YVzRiMHdGVkF1YkwxWW9tL3dLQ0FRQk5wcEU4eUs5VFhNdzl0QkFTCnRUT2pCUlc2aERuQkRuanlXSEJRYXhQM2MyM0kvVTBtNnIwUlZGSGVUMVk0QzhYenV6MGw2QVcxNnJmMmM2L1kKc0FOclh1V00yWjVNNlRDcmpBLzU0WS9HOThVcFJia1gxWmt5LzV3MXdwNEhoT2Z3VDJORXlNOTNDUGxLdmJvTQpWYzJaVXNubFNhelBPTU1rT1dCdENSTnkwZzRHaUZqbnJXeWcwblB2QXlLY2hTaytGSkZ1TXRiRE82MDlzRVYvCm1xblpBVm45UTVpYTRYZk1ydFNTUml6ZEpRV0RZZElrOEl0bmoyUFkyaHY4dm5mTDl3REJrUmRJSlFtMkhxS2gKd3hMenVlaURGL255U3JaMmJzU3c4MVEyUWkxcjJGdFUxTUczKyt2WjZjZFoyZFU4blBMQlhFTXJBRjEyR1dzVgpPUTlSQW9JQkFRRGd0WGlVNkxSeFAyWG1aczQvWWVLY1V1VDBGRnJyVTJhTUhZREJGTGVBWFBWa1VCSHU0R3JQCmhnT0NtYllsbDh3MVdBY2IrNmp1aXZEcVdyRkVXdDdURVFUOGIxd0RHaC8vQVVTb1VsTGVWNy9NZDhVVS9obXoKN2RiL29kNDRBR0hvUm9XOFJUTnNaWGh3SHd3Z0w2N0FvVzQ0dUdaSS9nSlpBc1BNdS9YYzJQeWE0dmQ3YXVKOQp4cmxwRUduNkp5bVRYK3J2NnNIUkE0N0VTVEdpWHdrVkpuNENJRjlSc1VjRG51Zllpajhka2RMcDVsRGVHc21QCmNLYThVMVNrd2VzYVoxMDRtVHV5bk40Ykk3cWpUSERyQXNLbDJVS3pUTGdzcUZYc1NtcFFJUWVWcUd4T045Q0gKeTE2S052MjRrT3hiU2NyRjJ2aEt1bG5VTEUvK1g1N3EKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
kind: Secret
metadata:
name: smigtech-ca
namespace: cert-manager
type: kubernetes.io/tls

32
manifests/registry/registry-configmap.yaml Normal file
View file

@ -0,0 +1,32 @@
apiVersion: v1
data:
config.yml: |
version: 0.1
log:
fields:
service: registry
storage:
s3:
accesskey: registry
secretkey: registry123
region: deeznuts
regionendpoint: http://seaweedfs-s3.weed.svc.cluster.local:8333
forcepathstyle: true
bucket: registry
delete:
enabled: true
redirect:
disable: true
tag:
concurrencylimit: 8
auth:
htpasswd:
realm: deeznuts-realm
path: /etc/distribution/passwd
http:
addr: :5000
kind: ConfigMap
metadata:
creationTimestamp: null
name: registry-cm
namespace: production-system

50
manifests/registry/registry-deployment.yaml Normal file
View file

@ -0,0 +1,50 @@
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
labels:
app: registry-deploy
name: registry-deploy
namespace: production-system
spec:
replicas: 1
selector:
matchLabels:
app: registry-deploy
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
app: registry-deploy
spec:
containers:
- image: registry:3.0.0
name: registry
ports:
- containerPort: 5000
env:
- name: OTEL_TRACES_EXPORTER
value: "none"
resources:
limits:
memory: "500Mi"
cpu: "200m"
requests:
memory: "128Mi"
cpu: "100m"
volumeMounts:
- name: registry-setup
mountPath: /etc/distribution
readOnly: true
volumes:
- name: registry-setup
projected:
sources:
- secret:
name: registry-credentials
- configMap:
name: registry-cm
status: {}

27
manifests/registry/registry-ingress.yaml Normal file
View file

@ -0,0 +1,27 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
creationTimestamp: null
name: registry-ingress
namespace: production-system
annotations:
cert-manager.io/cluster-issuer: smigtech-issuer
spec:
ingressClassName: cilium
rules:
- host: images.lab.smig.tech
http:
paths:
- backend:
service:
name: registry-service
port:
number: 5000
path: /
pathType: Prefix
tls:
- hosts:
- images.lab.smig.tech
secretName: registry-tls
status:
loadBalancer: {}

7
manifests/registry/registry-namespace.yaml Normal file
View file

@ -0,0 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
creationTimestamp: null
name: production-system
spec: {}
status: {}

8
manifests/registry/registry-secret.yaml Normal file
View file

@ -0,0 +1,8 @@
apiVersion: v1
data:
passwd: c21pZ3o6JDJ5JDEwJGtiOGRzMkZrMUNXMGgvOGhNYjlVMnUudy5WRlpjSk1velA3dXp2djRibU1EQ2d4MkpBcWo2
kind: Secret
metadata:
creationTimestamp: null
name: registry-credentials
namespace: production-system

18
manifests/registry/registry-service.yaml Normal file
View file

@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
app: registry-deploy
name: registry-service
namespace: production-system
spec:
ports:
- port: 5000
protocol: TCP
targetPort: 5000
selector:
app: registry-deploy
type: ClusterIP
status:
loadBalancer: {}

7
manifests/weed-namespace.yaml Normal file
View file

@ -0,0 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
creationTimestamp: null
name: weed
spec: {}
status: {}

32
manifests/weed-pg.yaml Normal file
View file

@ -0,0 +1,32 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: weed-pg
namespace: weed
spec:
instances: 2
bootstrap:
initdb:
database: weed
owner: weed
secret:
name: weed-pg-secret
postInitApplicationSQL:
- |
CREATE TABLE IF NOT EXISTS filemeta (
dirhash BIGINT NOT NULL,
name VARCHAR(766) NOT NULL,
directory TEXT NOT NULL,
meta BYTEA,
PRIMARY KEY (dirhash, name)
);
- ALTER TABLE filemeta OWNER to weed;
storage:
size: 4Gi
storageClass: openebs-hostpath

25
manifests/weed-secret.yaml Normal file
View file

@ -0,0 +1,25 @@
apiVersion: v1
data:
stringData:
username: weed
password: weed-database
kind: Secret
metadata:
name: weed-pg-secret
namespace: weed
type: kubernetes.io/basic-auth
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: weed-creds
namespace: weed
labels:
app.kubernetes.io/name: seaweedfs
app.kubernetes.io/component: s3
stringData:
# this key must be an inline json config file
seaweedfs_s3_config: '{"identities":[{"actions":["Admin","Read","Write","List","Tagging"],"credentials":[{"accessKey":"smigz","secretKey":"smigtechlab"}],"name":"anvAdmin"},{"actions":["Read"],"credentials":[{"accessKey":"weed-ro","secretKey":"readonlyweed"}],"name":"anvReadOnly"},{"actions":["Read:registry","Write:registry","List:registry","Tagging:registry","Admin:registry"],"credentials":[{"accessKey":"registry","secretKey":"registry123"}],"name":"registry"}]}'