chore(deps): update postgresql docker tag to v15.5.28

Reviewed-on: #107

Makefile

@@ -0,0 +1,9 @@
+FOLDERS := infra/traefik infra/storage infra/monitoring infra/authelia apps/namesny-com apps/mlflow apps/gitea apps/code-server apps/dev-container
+
+all: $(FOLDERS)
+
+$(FOLDERS):
+	@echo "Deploying $@..."
+	cd $(CURDIR)/$@ && kustomize build --enable-helm --enable-alpha-plugins --enable-exec . | kubectl apply -f -
+
+.PHONY: deploy $(FOLDERS)

apps/code-server/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       initContainers:
       - name: init-chmod-data
-        image: busybox:1.36
+        image: busybox:1.36@sha256:34b191d63fbc93e25e275bfccf1b5365664e5ac28f06d974e8d50090fbb49f41
         imagePullPolicy: IfNotPresent
         command:
           - sh
@@ -30,7 +30,7 @@ spec:
         - name: data
           mountPath: /home/coder
       containers:
-      - image: codercom/code-server:4.20.0
+      - image: codercom/code-server:4.89.1-ubuntu@sha256:d7faf97bc59933b398d5df5c5aec786637a9e40ae8c842bb8d23ca20e0946739
         imagePullPolicy: IfNotPresent
         name: code-server
         args:

apps/dev-container/deployment.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dev-container
+  namespace: dev
+  labels:
+    app: dev-container
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: dev-container
+  template:
+    metadata:
+      labels:
+        app: dev-container
+    spec:
+      securityContext:
+        fsGroup: 1000
+      containers:
+      - name: dev-container
+        image: git.namesny.com/mathis/dev-container:2024-04-25@sha256:54e0a338fec52e4f124bb8b9030892bbb85b61717f237107377a2ad1d1db567c
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 7681
+        volumeMounts:
+        - name: projects
+          mountPath: /home/dev/projects
+      volumes:
+      - name: projects
+        persistentVolumeClaim:
+          claimName: dev-projects

apps/dev-container/ingress.yaml

@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: dev-cnt-ingress
+  namespace: dev
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`dev.namesny.com`)
+    kind: Rule
+    middlewares:
+    - name: "auth-authelia@kubernetescrd"
+    services:
+    - name: dev-cnt-svc
+      port: 7681

apps/dev-container/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: dev
+
+resources:
+- namespace.yaml
+- pvc.yaml
+- deployment.yaml
+- service.yaml
+- ingress.yaml
+

apps/dev-container/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dev

apps/dev-container/pvc.yaml

@@ -0,0 +1,12 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: dev-projects
+  namespace: dev
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: retain-local-path

apps/dev-container/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: dev-cnt-svc
+  namespace: dev
+spec:
+  selector:
+    app: dev-container
+  type: ClusterIP
+  ports:
+  - protocol: TCP
+    port: 7681
+    targetPort: 7681

apps/gitea/gitea-values.yaml

@@ -5,7 +5,10 @@ postgresql-ha:
 postgresql:
   enabled: true
   image:
-    tag: 15.3.0-debian-11-r24 
+    registry: docker.io
+    repository: bitnami/postgresql
+    tag: 15.3.0-debian-11-r24
+    digest: sha256:fff6086d557d962422c6d751b6723877642170bbcc25d6f23e5c2c2f079987d5
   primary:
     persistence:
       storageClass: retain-local-path
@@ -33,7 +36,7 @@ gitea:
     cache:
       ADAPTER: memory
     queue:
-      TYPE: level
+      TYPE: channel
     server:
       BUILTIN_SSH_SERVER_USER: git
       ROOT_URL: https://git.namesny.com

apps/gitea/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
 - gitea-ingress.yaml
 - runner-pvc.yaml
 - runner-deployment.yaml
+- ./restic
 
 generators:
 - secret-generator.yaml
@@ -14,15 +15,8 @@ generators:
 helmCharts:
 - name: gitea
   releaseName: gitea
-  version: 10.0.2
+  version: 10.2.0
   repo: https://dl.gitea.io/charts/
   namespace: gitea
   valuesMerge: merge
   valuesFile: gitea-values.yaml
-- name: renovate
-  releaseName: renovate
-  version: 37.115.0
-  repo: https://docs.renovatebot.com/helm-charts
-  namespace: gitea
-  valuesFile: renovate-bot-values.yaml
-

apps/gitea/renovate-bot-secret.enc.yaml

@@ -1,31 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: renovate-bot-secret
-    namespace: gitea
-stringData:
-    RENOVATE_AUTODISCOVER: ENC[AES256_GCM,data:20/nNkA=,iv:o6OgPwx03/U7kHbO4WBh1HVLAdr8HBsWWGRlrIx3ZvE=,tag:7BpQuJpwI20Jqlf0zrVqBA==,type:str]
-    RENOVATE_ENDPOINT: ENC[AES256_GCM,data:PfAFF87I1COu9aGUf8uxPbzaUeyYvFpHmlK5DuP6,iv:JUgHIzaTSjCGpGucftT9AzFB7Gclwau8y9o2cbEJ2XU=,tag:52QvbgdaJRVTB5ARW0gn2Q==,type:str]
-    RENOVATE_GIT_AUTHOR: ENC[AES256_GCM,data:5tCkXdiheQkI293yf7Fh0Tb1kvWtDXHTIikP21IJQgFUyw==,iv:L1x3FDp6m/oJRq4Gcp3lusUF8Fufx+wWUVUQeYerDGk=,tag:h2XSao9P/wDHTpPRhEzVuQ==,type:str]
-    RENOVATE_PLATFORM: ENC[AES256_GCM,data:5bRuvgQ=,iv:m2RtjwWANMCNjXaEmzZc8QZKff5oxy+cVazmM0Qs6bE=,tag:Zp+2HLlEJgSZB0U2xRS2uw==,type:str]
-    RENOVATE_TOKEN: ENC[AES256_GCM,data:lPV9X8pZsSHzb7xFLuQ0Ixg5EaBgsuEmCFvXSkmxImUnImAKWINjBw==,iv:/hkxQNNqLcH/pbYs/Mn4P9FW1/DOIOKAUEjZNutoZok=,tag:Pd/NCxYZRJVaUiWT9FaMcA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0NWRIZnROK3dkY0xMa1ha
-            cXBINWpXU000YXQ5QW0zMjllRnlzOEJoRlVZClhCUWhqK0M4bTVqNjBFR05LU1NP
-            ejJaaHJSc003Q0V6UlpzWFdCTnd5RVEKLS0tIDllcVhFUE51Z1VsOGVJZ216TVdE
-            eVhjc2VlOVROOC9oakF3K29nODdEM0EKZkIo+FdHZAyQ9ogoK9994B0q5lkWWXOw
-            EgXamhJ800zjy9zFeO6bxPMsgPze1iNshhlV7HjT8uh+qs5laCqatg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-28T21:31:06Z"
-    mac: ENC[AES256_GCM,data:O/Vw1S40Dz0g6Fo9K87iCIFh3TSNW4/f+mWNnbjPpjehj1+JbOovpchjizI1c+OZ++/rqlow8Ib/yesMDdPd16ErkyHgINMBtLuqfUYJ1WSwg52Rp5zfZP7eSXHTeqcGuuASIfzEcclZ/5QIPeiSOJG5iSAl/MDeNte6/YwEqQo=,iv:lieOLB5tOP4XagOr+cRWQZQC00EHz9UUcx7e2uwUjpU=,tag:JJ4YgTKMCZtujAJfi+TcxA==,type:str]
-    pgp: []
-    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
-    version: 3.8.1

apps/gitea/renovate-bot-values.yaml

@@ -1,12 +0,0 @@
-renovate:
-  config : |
-    {
-      "repositories": ["Cluster/k3s-configs", "Cluster/mlflow"]
-    }
-  persistence:
-    cache:
-      enabled: true
-      storageClass: retain-local-path
-existingSecret: renovate-bot-secret
-apiVersionOverrides:
-  cronjob: 'batch/v1'

apps/gitea/restic/backup.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Set up colors
+GREEN='\033[0;32m'
+NC='\033[0m'
+
+echo -e "\n${GREEN}`date` - Starting backup...${NC}\n"
+
+restic unlock
+
+# Gitea
+echo -e "\n${GREEN}`date` - Backing up Gitea...${NC}\n"
+gitea=$(kubectl get deploy -n gitea -l app=gitea -o name --no-headers=true)
+kubectl scale -n gitea --replicas=0 $gitea
+restic backup /gitea
+restic backup /backup/postgres_backup.dump
+kubectl scale -n gitea --replicas=1 $gitea
+
+# Forget and prune
+echo -e "\n${GREEN}`date` - Running forget and prune...${NC}\n"
+restic forget --prune --keep-daily 7 --keep-weekly 2
+echo -e "\n${GREEN}`date` - Backup finished.${NC}\n"

apps/gitea/restic/cronjob.yaml

@@ -0,0 +1,58 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: restic-backup-cronjob
+  namespace: gitea
+spec:
+  schedule: "0 3 * * *"  # Cron expression for running daily at 2 AM
+  jobTemplate:
+    spec:
+      template:
+        spec:
+
+          serviceAccountName: restic-sa
+          hostname: restic-cronjob
+
+          volumes:
+          - name: gitea-data
+            persistentVolumeClaim:
+              claimName: gitea-shared-storage
+          - name: restic-backup-vol
+            persistentVolumeClaim:
+              claimName: restic-backup-vol
+          - name: backup-script-vol
+            configMap:
+              name: restic-backup-script
+
+          initContainers:
+          - name: postgres-dump-init
+            image: bitnami/postgresql:16.3.0-debian-12-r17@sha256:5f5da81926e99bde90bd188bb43bf8de4bbcc1da45087e375631693e82d8b1c7
+            command: ["/bin/sh", "-c"]
+            args: ["pg_dump -h gitea-postgresql -p 5432 -U gitea gitea -Fc > /backup/postgres_backup.dump"]
+            env:
+            - name: PGPASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-postgresql
+                  key: password
+            volumeMounts:
+            - name: restic-backup-vol
+              mountPath: /backup
+
+          containers:
+          - name: restic-container
+            image: git.namesny.com/cluster/restic:latest@sha256:8efb9776d9b3250012d17bbfff865420e5ffa0688010d006448c4ff358b0ee32
+            imagePullPolicy: Always
+            command: ["/bin/sh", "/app/backup.sh"]
+            envFrom:
+            - secretRef:
+                name: restic-secret
+            volumeMounts:
+            - name: restic-backup-vol
+              mountPath: /backup
+            - name: gitea-data
+              mountPath: /gitea
+            - name: backup-script-vol
+              mountPath: /app
+
+          restartPolicy: OnFailure

apps/gitea/restic/debug-pod.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restic-debug-pod
+  namespace: gitea
+spec:
+  serviceAccountName: restic-sa
+  volumes:
+  - name: restic-backup-vol
+    persistentVolumeClaim:
+      claimName: restic-backup-vol
+  - name: gitea-data
+    persistentVolumeClaim:
+      claimName: gitea-shared-storage
+  containers:
+  - name: restic-debug
+    image: git.namesny.com/cluster/restic:latest@sha256:8efb9776d9b3250012d17bbfff865420e5ffa0688010d006448c4ff358b0ee32
+    command: ["/bin/sh", "-c"]
+    args: ["sleep infinity"]
+    envFrom:
+    - secretRef:
+        name: restic-secret
+    volumeMounts:
+    - name: restic-backup-vol
+      mountPath: /backup
+    - name: gitea-data
+      mountPath: /gitea
+

apps/gitea/restic/kustomization.yaml

@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: gitea
+
+resources:
+- service-account.yaml
+- role.yaml
+- role-binding.yaml
+- pvc.yaml
+- debug-pod.yaml
+- cronjob.yaml
+
+generators:
+- secret-generator.yaml
+
+configMapGenerator:
+- name: restic-backup-script
+  namespace: gitea
+  files:
+  - ./backup.sh
+

apps/gitea/restic/pvc.yaml

@@ -0,0 +1,12 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: restic-backup-vol
+  namespace: gitea
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: retain-local-path

apps/gitea/restic/role-binding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: restic-role-binding
+  namespace: gitea
+subjects:
+- kind: ServiceAccount
+  name: restic-sa
+  namespace: gitea
+roleRef:
+  kind: Role
+  name: restic-role
+  apiGroup: rbac.authorization.k8s.io

apps/gitea/restic/role.yaml

@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: restic-role
+  namespace: gitea
+rules:
+- apiGroups: ["apps"]
+  resources: ["deployments", "deployments/scale"]
+  verbs: ["get", "list", "update", "patch"]

apps/gitea/restic/secret-generator.yaml

@@ -0,0 +1,11 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: restic-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+        exec:
+          path: ksops
+files:
+- ./secret.enc.yaml
+

apps/gitea/restic/secret.enc.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: restic-secret
+    namespace: gitea
+stringData:
+    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:IjDw3i+8BIvA816obn5BpQBTkzo=,iv:A/CrhyIm5kljCwvneQziux36O6+SWG5Z9mOlV+mRIXQ=,tag:XVh4X8Xf587nmbDCtgazAg==,type:str]
+    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:WdfHxdXnPOLvIOecN+WFONAEDr2Sc/r6bKQ/H9KS1BT2C9cj,iv:GCY6MaSEhu9WEsVA23hWN30Ix7x6dz/umNRsQ0jsb8I=,tag:8Qa0dvU3bq+J2S6trBDFDw==,type:str]
+    RESTIC_REPOSITORY: ENC[AES256_GCM,data:FZCqro3fpgQ7NJc+4ORVC2yWdqMNCLd4AjCwdolXgu5uJXq0IQ==,iv:nWttNrSvFpcj1HMOFwZNfJqVUy0esR7fVXlvidp3MlY=,tag:T0HzAZ/w83IFrvap8Gx3gg==,type:str]
+    RESTIC_PASSWORD: ENC[AES256_GCM,data:PjSE4FejVPW8e8e/PDtoSCsuskI=,iv:MTUMYim3obMHaYBEoEJBMEj9GMbaqdbdVV09o3ep/fw=,tag:pQ6vakVWHUdk4F/PwqpgAw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RTlocERzUmtUdnhsNHJk
+            SkNXZFpVdmM5Y1hnQlQzcUg1OUxNYkRiaEFZCi82MW9TbkI2VCtjMDVKYTlWTVBs
+            QVZMekVoT1JSQWRZV3F3SHgxOGR3a2sKLS0tIGJCd21aY05jS0xva2RmclBlQWdl
+            UVZSNm9pRUM3YmFFSWl3NGNUdnZOOGsKIuepNrrdgoNoOMZQ77cIrtwPTL8acahG
+            paE+K2EKa8pqXnAVkxORTkUYRlorKRLjiyalxrDZYsMAbCSrrtfx/A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-30T17:21:08Z"
+    mac: ENC[AES256_GCM,data:mR4vi8WLLiuUY5i7NgIYHfAZcBsQ3u2Cg9TtXcFtwtDAuyy9Xzx07yeR1HC0D+YhiAu+mYAJPmk6jHZsCE2OX26sLTyvEULqDQc71sCgM8dsyl50hoZ2BsbY7o6g8D9Yks+2szuKmlxZ0nN5aHxcf+67+gotzjlBfcmLx+E1TfA=,iv:+9Kv7ZwGoMU0QBTvCgq232nHo+tjoeHTJBdOuOiqpPk=,tag:9VrOFmUFbdiPKSWnt+8z7w==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.8.1

apps/gitea/restic/service-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: restic-sa
+  namespace: gitea

apps/gitea/runner-deployment.yaml

@@ -24,9 +24,13 @@ spec:
           claimName: act-runner-vol
       securityContext:
         fsGroup: 1001
+      initContainers:
+      - name: wait-for-gitea
+        image: busybox:1.36@sha256:34b191d63fbc93e25e275bfccf1b5365664e5ac28f06d974e8d50090fbb49f41
+        command: ['sh', '-c', "until wget https://git.namesny.com 2>/dev/null; do echo waiting for gitea; sleep 2; done"]
       containers:
       - name: runner
-        image: gitea/act_runner:nightly-dind-rootless
+        image: gitea/act_runner:latest-dind-rootless@sha256:2f4c10a8354062ff3f8faa1df17006e650dcf21853a34713dfc2ed961f6ca50f
         imagePullPolicy: Always
         env:
         - name: DOCKER_HOST

apps/gitea/secret-generator.yaml

@@ -8,5 +8,5 @@ metadata:
           path: ksops
 files:
 - ./gitea-admin-secret.enc.yaml
-- ./renovate-bot-secret.enc.yaml
 - ./runner-secret.enc.yaml
+

apps/mlflow/kustomization.yaml

@@ -18,7 +18,7 @@ generators:
 helmCharts:
 - name: postgresql
   releaseName: postgresql
-  version: 13.2.24
+  version: 15.5.28
   repo: oci://registry-1.docker.io/bitnamicharts
   namespace: mlflow
   valuesInline:

apps/mlflow/minio-deployment.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: minio
-        image: quay.io/minio/minio:RELEASE.2023-12-09T18-17-51Z
+        image: minio/minio:latest@sha256:0bd79595dbcf155782860716abf4cf79d5ee32a9508b60fa1a88793bbe55b245
         command:
         - /bin/bash
         - -c

apps/mlflow/mlflow-deployment.yaml

@@ -17,7 +17,7 @@ spec:
       - name: gitea-regcred
       initContainers:
       - name: init-s3-bucket
-        image: minio/mc
+        image: minio/mc:latest@sha256:10fea08805ab76fe9b8ff0d3755db7af3f5a2468a60a48826bd21ec7c8b5000e
         command: ["/bin/sh", "-c"]
         args: 
         - until mc alias set mlflow-minio http://minio-svc.mlflow.svc.cluster.local:9000 $MINIO_ROOT_USER $MINIO_ROOT_PASSWORD; do sleep 5; done;
@@ -30,9 +30,18 @@ spec:
             name: minio-admin-secret
         - secretRef:
             name: minio-user-secret
+      - name: init-db-upgrade
+        image: git.namesny.com/cluster/mlflow:latest@sha256:9d935268bc318d6cadbfe8d480744ce898cdfb906be5ba7125ab87c555894798
+        envFrom:
+        - secretRef:
+            name: mlflow-secret
+        command: ["/bin/sh", "-c"]
+        args:
+          - mlflow db upgrade $MLFLOW_BACKEND_STORE_URI;
+            exit 0;
       containers:
       - name: mlflow
-        image: git.namesny.com/cluster/mlflow:2.9.1
+        image: git.namesny.com/cluster/mlflow:latest@sha256:9d935268bc318d6cadbfe8d480744ce898cdfb906be5ba7125ab87c555894798
         imagePullPolicy: Always
         args:
         - --host=0.0.0.0

apps/namesny-com/deployment.yaml

@@ -19,6 +19,6 @@ spec:
       - name: gitea-regcred
       containers:
       - name: namesny-com
-        image: git.namesny.com/mathis/namesny-com:2023-12-28
+        image: git.namesny.com/mathis/namesny-com:2024-04-22@sha256:df51fff0dcc4e252b13f3c61debf2b3e2335e4c8e2d7441174457d9e7709a6ea
         ports:
         - containerPort: 80

infra/authelia/kustomization.yaml

@@ -6,7 +6,6 @@ namespace: auth
 resources:
 - namespace.yaml
 - ingress.yaml
-- basic-auth-middleware.yaml
 - forward-auth-middleware.yaml
 
 generators:

infra/k9s/deployment.yaml

@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: k9s
+  namespace: k9s
+  labels:
+    app: k9s
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: k9s
+  template:
+    metadata:
+      labels:
+        app: k9s
+    spec:
+      serviceAccountName: k9s-sa
+      containers:
+      - name: k9s
+        image: ghcr.io/lordmathis/k9s-web:latest@sha256:6db8f8812fa09a93433682bb64a32c16ddf8286091f2886699dd4b84f875d150
+        ports:
+        - containerPort: 7681

infra/k9s/ingress.yaml

@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: k9s-ingress
+  namespace: k9s
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`k9s.namesny.com`)
+    kind: Rule
+    middlewares:
+    - name: "auth-authelia@kubernetescrd"
+    services:
+    - name: k9s-svc
+      port: 7681

infra/k9s/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: k9s
+
+resources:
+- namespace.yaml
+- rbac.yaml
+- deployment.yaml
+- service.yaml
+- ingress.yaml
+

infra/k9s/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: k9s

infra/k9s/rbac.yaml

@@ -0,0 +1,35 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: k9s-reader
+rules:
+  - apiGroups: [""]
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["batch"]
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: k9s
+subjects:
+  - kind: ServiceAccount
+    name: k9s-sa
+    namespace: k9s
+roleRef:
+  kind: ClusterRole
+  name: k9s-reader
+  apiGroup: rbac.authorization.k8s.io
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: k9s-sa
+  namespace: k9s

infra/k9s/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: k9s-svc
+  namespace: k9s
+spec:
+  selector:
+    app: k9s
+  type: ClusterIP
+  ports:
+  - protocol: TCP
+    port: 7681
+    targetPort: 7681

infra/monitoring/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generatorOptions:
+  disableNameSuffixHash: true
+namespace: monitoring
+resources:
+- namespace.yaml
+
+generators:
+- ./secret-generator.yaml
+
+helmCharts:
+- name: k8s-monitoring
+  releaseName: grafana-k8s-monitoring
+  version: 1.0.13
+  repo: https://grafana.github.io/helm-charts 
+  namespace: monitoring
+  valuesFile: values.yaml

infra/monitoring/loki-secret.enc.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: loki-secret
+    namespace: monitoring
+stringData:
+    host: ENC[AES256_GCM,data:rVMcsxS2yzOC+SeqPlVOVLlg/FviDoT79Z00NTi9nKHu,iv:vKZvn0b9lLMWsBbAvBIfAf/fkQ1KSIkXMJi4hTr+tHY=,tag:PIAZm1O/QbH6Ad3yMRmEvQ==,type:str]
+    username: ENC[AES256_GCM,data:HViufT0S,iv:g4LldPUsiALA6KUXn6xg1dxO1PaEx7PqKbpaTFbtcoQ=,tag:Asad1eWQKJOFCulm3xJBYg==,type:str]
+    password: ENC[AES256_GCM,data:KzafvYQ9hLeZcwTAJpE9z0ZDpGQL0lVMk7tSRKp6yQFZBl+u0V4u4leBtUDPm80605dP0BidHKL9MQ5c+2iayxjoBoBDDH6YDLjytN+2TnTU8fabY1wRYiAInOPxitcdoPLVzcw1/1DH9qiPJu7pdMWoz/JdM2PbHILW4G0uY/T9HERAwA28FX0R5sfQnfRPfaxSoea4HAMB2IG3lXn5wvwwsc2JZ+1KkInZ3XYg/vv0KwLD,iv:aWrgu6B2O9Is7tYqnSgTlz1fhYQEB5TIS4xl9PKoFwc=,tag:KLYaUsF6fDxHzXJdjnwHwQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcGE2VTZPcmpPQVNLbW5s
+            U3ZNaVZnMkRhOCtpYk1KdUpSalArRXI3VTFrClJORVVDRXBCM01lQVlnbjQ1RVhT
+            aFJEdk5oOHBVK1VJWTFwRXI5YXZmeUUKLS0tIEcwWmp5aHRDMHVrNFg0bnhVV2FI
+            UGpPaU54QjM4Y0pIQ0I3elVXakl0Uk0KXqd8LjaLjwzcgzi0WBAHBJLjNaP8yqKB
+            zQsrvGJvSIo3TdEVaRGvM9F/4nsLmQC6mYfENwtlyV4IWn0w8psMyw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-27T14:02:57Z"
+    mac: ENC[AES256_GCM,data:kkWKaG6+dobfZjr7xlKyJs5FOOSP8UXRci2wOhVKoa9BnWONdeKHIP8L4+xFvxXGs69EAUK0242ZM+cpPge8XtTFCbq9z+23OcFZej0nlO9yQxEOwTEE/zmOqnh8s3j3hmOUlyQPzgnLubbwiMEdhtHky/YdffziM8K1b+u4EPc=,iv:JpD6gj9vRp8Iap1+wH6zaewDUAubRJlUaicupoeVQkc=,tag:S+IG9K+wgkazgLi7tUIbSw==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.8.1

infra/monitoring/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring

infra/monitoring/prometheus-secret.enc.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: prometheus-secret
+    namespace: monitoring
+stringData:
+    host: ENC[AES256_GCM,data:2GDOS1737kJ2xTjloQolicFSyalglzI3qlUl2mZo1rIvYLwrHipetqjEkYHQSiA096jvtsU=,iv:bUfdSzfnEqXwv4eozpepwabPiSH792aW0GOtTChORKw=,tag:j8pPRVIvqLkjUBcMUV4poQ==,type:str]
+    username: ENC[AES256_GCM,data:0ZQu0t4iJw==,iv:stS/U68x0ZglXPAa3eICmzlEtCEd1nnO2B+hwPzOvHE=,tag:vWVe2D8cpL4BKn9odjP+ZQ==,type:str]
+    password: ENC[AES256_GCM,data:VuugS5hwdaFE81ig8INkvLzO0M/81cvSenMuEUeOgcDL9b1H58YT65WFu/ouO1cCd3hF6SWChcLmfw2Z9wCTqhDnUiQ/JnLOriBqDeQFBK9qY5rPnHX/efvXRcNfwNUoQqlPAjUfubyjduPmHxtYHw62Ov0KSo3sG9ExWdNWEVkTUgXp662Al6E24njxMTSFssy4zY75Cwz0a9Uw9ILPnLnRwe1XIPdXL9PhAzUEVuRWycqC,iv:BO9HdE+Ql1TQ1j+0MF0NdiW5DVTbShLEduEFbMMIR8U=,tag:GA/u1MBBJaaWFF93N0i37A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSdFhzSDEwdjZDVTRxN3Yx
+            OExHd3BYekx4TllPVi96c2JHamdQTlpaUHdrCi90dXBjaFBTSTA4c0JsbWt2WTBm
+            anB5NXkxeS9IbU9TT3dseGRjME1PeEUKLS0tIGhLUi9GQUNvczhId2k5RExNQ2lk
+            S3ZLUVNvd1BKWjZhRXVrR2NJV3FrMDAKxvoeNeR+mYBCEd4JtU+L52M0Lhj1W07H
+            UbD0+Bi8KTJWGWPVPm4prPA2jqk7zKhZ7BeSkZtwp1QQ+tVJF52fAA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-27T14:03:01Z"
+    mac: ENC[AES256_GCM,data:i02frS7UI//prqlbCnFF9D+mpcUnshgZ7YCeJwk5/SCZh9QJEDDAgANpz5V8rnp4v3NQlQt1mT6JWvi/N6MgfeePvwvNT85Hewo1iH2wPbyB4IMA2n4qJ8oK5lAYy/7WR/Cvi9LD/4FedTQ0xvNsj/GECwbI8YMmvUz3EUo3W3Y=,iv:ywp0ojCYd1rahm8Ltk821bLcofynCjv5mEv6QR9RDTs=,tag:UxKEpd09IB1H8GlZbXqhPw==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.8.1

infra/monitoring/secret-generator.yaml

@@ -0,0 +1,11 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: monitoring-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+        exec:
+          path: ksops
+files:
+- ./loki-secret.enc.yaml
+- ./prometheus-secret.enc.yaml

infra/monitoring/values.yaml

@@ -0,0 +1,44 @@
+cluster:
+  name: auberon
+externalServices:
+  prometheus:
+    secret:
+      create: false
+      name: prometheus-secret
+      namespace: monitoring
+  loki:
+    secret:
+      create: false
+      name: loki-secret
+      namespace: monitoring
+metrics:
+  enabled: true
+  cost:
+    enabled: false
+  node-exporter:
+    enabled: true
+logs:
+  enabled: true
+  pod_logs:
+    enabled: true
+  cluster_events:
+    enabled: true
+traces:
+  enabled: false
+receivers:
+  grpc:
+    enabled: false
+  http:
+    enabled: false
+  zipkin:
+    enabled: false
+opencost:
+  enabled: false
+kube-state-metrics:
+  enabled: true
+prometheus-node-exporter:
+  enabled: true
+prometheus-operator-crds:
+  enabled: true
+alloy: {}
+alloy-logs: {}

infra/storage/local-path-cm.yaml

@@ -38,5 +38,5 @@ data:
               effect: NoSchedule
           containers:
           - name: helper-pod
-            image: busybox
+            image: busybox:1.36@sha256:34b191d63fbc93e25e275bfccf1b5365664e5ac28f06d974e8d50090fbb49f41
 

infra/traefik/kustomization.yaml

@@ -9,7 +9,7 @@ generators:
 helmCharts:
   - name: traefik
     releaseName: traefik
-    version: 26.0.0
+    version: 28.2.0
     repo: https://helm.traefik.io/traefik
     namespace: kube-system
     includeCRDs: true

infra/traefik/values.yaml

@@ -1,9 +1,8 @@
-
 deployment:
   initContainers:
   - name: volume-permissions
-    image: busybox:latest
+    image: busybox:1.36@sha256:34b191d63fbc93e25e275bfccf1b5365664e5ac28f06d974e8d50090fbb49f41
-    command: ["sh", "-c", "rm /data/acme.json; touch /data/acme.json; chown 65532:65532 /data/acme.json; chmod -v 600 /data/acme.json; chown -R 65532:65532 /var/log/traefik"]
+    command: ["sh", "-c", "touch /data/acme.json; chown 65532:65532 /data/acme.json; chmod -v 600 /data/acme.json; chown -R 65532:65532 /var/log/traefik"]
     securityContext:
       runAsNonRoot: false
       runAsGroup: 0

renovate.json

@@ -1,10 +1,21 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:base"
+    "config:best-practices"
   ],
-  "separateMinorPatch": true,
+  "platformAutomerge": false,
+  "ignoreTests": true,
+  "separateMinorPatch": false,
   "patch": {
-    "enabled": false
+    "automerge": true
+  },
+  "pin": {
+    "automerge": true
+  },
+  "digest": {
+    "automerge": true
+  },
+  "kubernetes": {
+    "fileMatch": ["\\.yaml$"]
   }
 }