From 246da87bdae152e74a5f0ba66464afc9dad7f040 Mon Sep 17 00:00:00 2001
From: Mathis
Date: Tue, 28 Nov 2023 21:18:02 +0000
Subject: [PATCH] storage: Add local path provisioner
---
storage/kustomization.yaml | 7 ++++
storage/local-path-cm.yaml | 42 ++++++++++++++++++++++
storage/storage-class.yaml | 7 ++++
traefik/kustomization.yaml | 17 +++++++++
traefik/secret-generator.yaml | 16 +++++++++
traefik/secret.enc.env | 8 +++++
traefik/values.yaml | 67 +++++++++++++++++++++++++++++++++++
7 files changed, 164 insertions(+)
create mode 100755 storage/kustomization.yaml
create mode 100755 storage/local-path-cm.yaml
create mode 100755 storage/storage-class.yaml
create mode 100755 traefik/kustomization.yaml
create mode 100644 traefik/secret-generator.yaml
create mode 100644 traefik/secret.enc.env
create mode 100755 traefik/values.yaml
diff --git a/storage/kustomization.yaml b/storage/kustomization.yaml
new file mode 100755
index 0000000..50c3af2
--- /dev/null
+++ b/storage/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+
+resources:
+ - local-path-cm.yaml
+ - storage-class.yaml
diff --git a/storage/local-path-cm.yaml b/storage/local-path-cm.yaml
new file mode 100755
index 0000000..3e20e59
--- /dev/null
+++ b/storage/local-path-cm.yaml
@@ -0,0 +1,42 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: local-path-config
+ namespace: kube-system
+data:
+ config.json: |-
+ {
+ "nodePathMap": [
+ {
+ "node": "DEFAULT_PATH_FOR_NON_LISTED_NODES",
+ "paths": [
+ "/mnt/data"
+ ]
+ }
+ ],
+ "setupCommand": "/manager",
+ "teardownCommand": "/manager"
+ }
+ setup: |-
+ #!/bin/sh
+ set -eu
+ mkdir -m 0777 -p "$VOL_DIR"
+ teardown: |-
+ #!/bin/sh
+ set -eu
+ rm -rf "$VOL_DIR"
+ helperPod.yaml: |-
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: helper-pod
+ spec:
+ priorityClassName: system-node-critical
+ tolerations:
+ - key: node.kubernetes.io/disk-pressure
+ operator: Exists
+ effect: NoSchedule
+ containers:
+ - name: helper-pod
+ image: busybox
+
diff --git a/storage/storage-class.yaml b/storage/storage-class.yaml
new file mode 100755
index 0000000..fd0c742
--- /dev/null
+++ b/storage/storage-class.yaml
@@ -0,0 +1,7 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: retain-local-path
+provisioner: rancher.io/local-path
+volumeBindingMode: WaitForFirstConsumer
+reclaimPolicy: Retain
diff --git a/traefik/kustomization.yaml b/traefik/kustomization.yaml
new file mode 100755
index 0000000..0df436b
--- /dev/null
+++ b/traefik/kustomization.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+
+generators:
+- ./secret-generator.yaml
+
+
+helmCharts:
+ - name: traefik
+ releaseName: traefik
+ version: 25.0.0
+ repo: https://helm.traefik.io/traefik
+ namespace: kube-system
+ includeCRDs: true
+ valuesFile: values.yaml
+
diff --git a/traefik/secret-generator.yaml b/traefik/secret-generator.yaml
new file mode 100644
index 0000000..b9edf1e
--- /dev/null
+++ b/traefik/secret-generator.yaml
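Review bot: The helper pod at the end of the `helperPod.yaml` block pulls `image: busybox` with no tag or digest, so the node-side setup and teardown scripts run whatever the mutable default tag resolves to at pull time; pin it, e.g. `image: busybox:<pinned-tag>@sha256:<digest>` (placeholder values). The `setup` script creates each volume directory with `mkdir -m 0777`, which leaves the backing directory under `/mnt/data` world-writable on the host; this appears to match the provisioner's upstream example, but a comment above `setup:` stating that the mode is intentional would keep the next reader from either tightening it blindly or overlooking it. The `tolerations`/`priorityClassName` settings let the helper run even on a disk-pressure node, which is reasonable for teardown and worth a one-line comment as well.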
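Review bot: Sequence indentation is inconsistent within this file: `generators:` lists `- ./secret-generator.yaml` flush with the key while `helmCharts:` indents its entry, and two blank lines separate the stanzas; use one form throughout (the storage kustomization in this patch uses the indented style) and a single blank line. Deploying the ingress controller and its Cloudflare credential into `kube-system` means anything with secret read access in that namespace can reach `traefik-cf-secret`; if a dedicated namespace is an option, both the Kustomization `namespace:` and the chart's `namespace:` would need to change together with the generator's `namespace`.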
@@ -0,0 +1,16 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: authelia-secret-generator
+ annotations:
+ config.kubernetes.io/function: |
+ exec:
+ path: ksops
+secretFrom:
+- metadata:
+ name: traefik-cf-secret
+ namespace: kube-system
+ annotations:
+ kustomize.config.k8s.io/needs-hash: "false"
+ envs:
+ - ./secret.enc.env
diff --git a/traefik/secret.enc.env b/traefik/secret.enc.env
new file mode 100644
index 0000000..7096843
--- /dev/null
+++ b/traefik/secret.enc.env
@@ -0,0 +1,8 @@
+CF_DNS_API_TOKEN=ENC[AES256_GCM,data:pgwhUhsLXCc4dtXtdPYlhhQ66H8ur7Nj+PWsWaFFtdUtvL5BR2LBLA==,iv:ngsYYLF1ByRsMaYsLcDnGtIRN5+m19LN75o8XV8nWRQ=,tag:ui60I/hhLTJbuRCgRlVYOg==,type:str]
+CF_API_EMAIL=ENC[AES256_GCM,data:VhQlU6MsfhjEjvuRJXSt4mk=,iv:Inv+pthRc8PaAYT48I05ImF1JJtYwqWB2g57kH0UyI4=,tag:0zrcVQJMTdUE6rW9QZweWg==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzK2EraFF2aURMMnFRZjF5\nS3FDZHRwNldBbldyMTlCZ0d3MmowK29qMzJvCk9KL01CZERTL0haZFRBci9MazNy\naTlNQTk2Yk9TWSs2QUdRNlJweTNMTm8KLS0tIG13OWFBUi92UG54a1FobUdmQkhh\nZCtzZHFtSlhnSUFobU1DeTR2Qy9ib2sKcNKGJLPhJkZ5h3FMYi4oxMatlhgpfXws\nWI9h6x4aTJAvQXUHWQXieA4SlCE6vO1pesLDuoNdsyPZIQaW6i6+Fw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
+sops_lastmodified=2023-11-28T21:12:41Z
+sops_mac=ENC[AES256_GCM,data:G9f/oSqe+ewSY7F72//Q3vNbBN5C9+mTTF/Vxwd22sc32rpgB2Zv2xbofb/yMcBZnTHBjYsW3pDKYvKC134BOezdQs7HoC5QcQ1O4OfSIV26uuXqHz2JZfHadrhkSjT1zLSV4NakAEsAj9U2XlepYWRtmGhUW5ElxCkocgHR+KI=,iv:CwgkHxqUGB/vjQePH3tI+Q5cBkkSwgJnrfE9dhaxTWs=,tag:pCBDRFtdbnUqb25czJKj5A==,type:str]
+sops_unencrypted_regex=^(apiVersion|metadata|kind|type)$
+sops_version=3.8.1
diff --git a/traefik/values.yaml b/traefik/values.yaml
new file mode 100755
index 0000000..05d96cf
--- /dev/null
+++ b/traefik/values.yaml
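Review bot: `metadata.name: authelia-secret-generator` does not match what this generator produces, the `traefik-cf-secret` Secret holding Traefik's Cloudflare credentials; it reads like a leftover from an Authelia ksops file and should be `name: traefik-secret-generator`. The `kustomize.config.k8s.io/needs-hash: "false"` annotation keeps the Secret name stable so the `envFrom` reference in values.yaml resolves, but it also means a rotated `CF_DNS_API_TOKEN` will not trigger a Traefik rollout on its own; a comment above that annotation recording the trade-off (`# no hash suffix: name is referenced verbatim by envFrom; rotate = restart traefik`) would save the next person from discovering it the hard way.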
@@ -0,0 +1,67 @@
+
+deployment:
+ initContainers:
+ - name: volume-permissions
+ image: busybox:latest
+ command: ["sh", "-c", "rm /data/acme.json; touch /data/acme.json; chown 65532:65532 /data/acme.json; chmod -v 600 /data/acme.json; chown -R 65532:65532 /var/log/traefik"]
+ securityContext:
+ runAsNonRoot: false
+ runAsGroup: 0
+ runAsUser: 0
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ - name: access-log
+ mountPath: /var/log/traefik
+ additionalVolumes:
+ - name: access-log
+ hostPath:
+ path: /var/log/traefik/
+certResolvers:
+ letsencrypt:
+ email: namesny.matus@gmail.com
+ dnsChallenge:
+ provider: cloudflare
+ delayBeforeCheck: 30
+ resolvers:
+ - 1.1.1.1
+ - 8.8.8.8
+ storage: /data/acme.json
+envFrom:
+- secretRef:
+ name: traefik-cf-secret
+additionalVolumeMounts:
+- name: access-log
+ mountPath: /var/log/traefik/
+logs:
+ access:
+ enabled: true
+ filePath: /var/log/traefik/access.log
+ingressRoute:
+ dashboard:
+ enabled: true
+ matchRule: Host(`traefik.namesny.com`)
+ entryPoints: ["websecure"]
+ middlewares:
+ - name: "auth-authelia@kubernetescrd"
+providers:
+ kubernetesCRD:
+ allowCrossNamespace: true
+persistence:
+ enabled: true
+ storageClass: retain-local-path
+ports:
+ websecure:
+ tls:
+ enabled: true
+ certResolver: letsencrypt
+ domains:
+ - main: namesny.com
+ sans:
+ - "*.namesny.com"
+ web:
+ redirectTo:
+ port: websecure
+service:
+ spec:
+ externalTrafficPolicy: Local
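Review bot: The `volume-permissions` init container runs `rm /data/acme.json` on every pod start, which deletes the ACME account key and issued certificates that `persistence` with `retain-local-path` exists to keep, so each restart re-issues certificates and counts against Let's Encrypt rate limits; unless a deliberate reset is intended, drop the `rm` and keep only the permission fix: `command: ["sh", "-c", "touch /data/acme.json; chown 65532:65532 /data/acme.json; chmod 600 /data/acme.json; chown -R 65532:65532 /var/log/traefik"]`. That container also pulls `image: busybox:latest` and runs as root with write access to the host path `/var/log/traefik/`, so pinning it to a tag and digest (`busybox:<pinned-tag>@sha256:<digest>`, placeholder values) bounds what a mutable tag can do on the node. `allowCrossNamespace: true` lets an IngressRoute in any namespace reference middlewares and services in other namespaces, including the `auth-authelia` middleware that guards the dashboard; a comment above it naming the cross-namespace references that actually need it would document the choice, and if none are needed it can be left at the chart default.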