Add goaccess container

Makefile

@@ -1,9 +0,0 @@
-FOLDERS := infra/traefik infra/storage infra/monitoring infra/authelia apps/namesny-com apps/mlflow apps/gitea apps/code-server apps/dev-container
-
-all: $(FOLDERS)
-
-$(FOLDERS):
-	@echo "Deploying $@..."
-	cd $(CURDIR)/$@ && kustomize build --enable-helm --enable-alpha-plugins --enable-exec . | kubectl apply -f -
-
-.PHONY: deploy $(FOLDERS)

apps/code-server/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       initContainers:
       - name: init-chmod-data
-        image: busybox:1.36@sha256:34b191d63fbc93e25e275bfccf1b5365664e5ac28f06d974e8d50090fbb49f41
+        image: busybox:1.36
         imagePullPolicy: IfNotPresent
         command:
           - sh
@@ -30,7 +30,7 @@ spec:
         - name: data
           mountPath: /home/coder
       containers:
-      - image: codercom/code-server:4.89.1-ubuntu@sha256:d7faf97bc59933b398d5df5c5aec786637a9e40ae8c842bb8d23ca20e0946739
+      - image: codercom/code-server:4.20.0
         imagePullPolicy: IfNotPresent
         name: code-server
         args:

apps/dev-container/deployment.yaml

@@ -1,32 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: dev-container
-  namespace: dev
-  labels:
-    app: dev-container
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: dev-container
-  template:
-    metadata:
-      labels:
-        app: dev-container
-    spec:
-      securityContext:
-        fsGroup: 1000
-      containers:
-      - name: dev-container
-        image: git.namesny.com/mathis/dev-container:2024-04-25@sha256:54e0a338fec52e4f124bb8b9030892bbb85b61717f237107377a2ad1d1db567c
-        imagePullPolicy: Always
-        ports:
-        - containerPort: 7681
-        volumeMounts:
-        - name: projects
-          mountPath: /home/dev/projects
-      volumes:
-      - name: projects
-        persistentVolumeClaim:
-          claimName: dev-projects

apps/dev-container/ingress.yaml

@@ -1,16 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: dev-cnt-ingress
-  namespace: dev
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`dev.namesny.com`)
-    kind: Rule
-    middlewares:
-    - name: "auth-authelia@kubernetescrd"
-    services:
-    - name: dev-cnt-svc
-      port: 7681

apps/dev-container/kustomization.yaml

@@ -1,11 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: dev
-
-resources:
-- namespace.yaml
-- pvc.yaml
-- deployment.yaml
-- service.yaml
-- ingress.yaml
-

apps/dev-container/namespace.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: dev

apps/dev-container/pvc.yaml

@@ -1,12 +0,0 @@
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: dev-projects
-  namespace: dev
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 10Gi
-  storageClassName: retain-local-path

apps/dev-container/service.yaml

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: dev-cnt-svc
-  namespace: dev
-spec:
-  selector:
-    app: dev-container
-  type: ClusterIP
-  ports:
-  - protocol: TCP
-    port: 7681
-    targetPort: 7681

apps/gitea/gitea-values.yaml

@@ -5,10 +5,7 @@ postgresql-ha:
 postgresql:
   enabled: true
   image:
-    registry: docker.io
-    repository: bitnami/postgresql
-    tag: 15.3.0-debian-11-r24
-    digest: sha256:fff6086d557d962422c6d751b6723877642170bbcc25d6f23e5c2c2f079987d5
+    tag: 15.3.0-debian-11-r24 
   primary:
     persistence:
       storageClass: retain-local-path
@@ -36,7 +33,7 @@ gitea:
     cache:
       ADAPTER: memory
     queue:
-      TYPE: channel
+      TYPE: level
     server:
       BUILTIN_SSH_SERVER_USER: git
       ROOT_URL: https://git.namesny.com

apps/gitea/kustomization.yaml

@@ -7,7 +7,6 @@ resources:
 - gitea-ingress.yaml
 - runner-pvc.yaml
 - runner-deployment.yaml
-- ./restic
 
 generators:
 - secret-generator.yaml
@@ -15,8 +14,15 @@ generators:
 helmCharts:
 - name: gitea
   releaseName: gitea
-  version: 10.2.0
+  version: 10.0.2
   repo: https://dl.gitea.io/charts/
   namespace: gitea
   valuesMerge: merge
   valuesFile: gitea-values.yaml
+- name: renovate
+  releaseName: renovate
+  version: 37.115.0
+  repo: https://docs.renovatebot.com/helm-charts
+  namespace: gitea
+  valuesFile: renovate-bot-values.yaml
+

apps/gitea/renovate-bot-secret.enc.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: renovate-bot-secret
+    namespace: gitea
+stringData:
+    RENOVATE_AUTODISCOVER: ENC[AES256_GCM,data:20/nNkA=,iv:o6OgPwx03/U7kHbO4WBh1HVLAdr8HBsWWGRlrIx3ZvE=,tag:7BpQuJpwI20Jqlf0zrVqBA==,type:str]
+    RENOVATE_ENDPOINT: ENC[AES256_GCM,data:PfAFF87I1COu9aGUf8uxPbzaUeyYvFpHmlK5DuP6,iv:JUgHIzaTSjCGpGucftT9AzFB7Gclwau8y9o2cbEJ2XU=,tag:52QvbgdaJRVTB5ARW0gn2Q==,type:str]
+    RENOVATE_GIT_AUTHOR: ENC[AES256_GCM,data:5tCkXdiheQkI293yf7Fh0Tb1kvWtDXHTIikP21IJQgFUyw==,iv:L1x3FDp6m/oJRq4Gcp3lusUF8Fufx+wWUVUQeYerDGk=,tag:h2XSao9P/wDHTpPRhEzVuQ==,type:str]
+    RENOVATE_PLATFORM: ENC[AES256_GCM,data:5bRuvgQ=,iv:m2RtjwWANMCNjXaEmzZc8QZKff5oxy+cVazmM0Qs6bE=,tag:Zp+2HLlEJgSZB0U2xRS2uw==,type:str]
+    RENOVATE_TOKEN: ENC[AES256_GCM,data:lPV9X8pZsSHzb7xFLuQ0Ixg5EaBgsuEmCFvXSkmxImUnImAKWINjBw==,iv:/hkxQNNqLcH/pbYs/Mn4P9FW1/DOIOKAUEjZNutoZok=,tag:Pd/NCxYZRJVaUiWT9FaMcA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0NWRIZnROK3dkY0xMa1ha
+            cXBINWpXU000YXQ5QW0zMjllRnlzOEJoRlVZClhCUWhqK0M4bTVqNjBFR05LU1NP
+            ejJaaHJSc003Q0V6UlpzWFdCTnd5RVEKLS0tIDllcVhFUE51Z1VsOGVJZ216TVdE
+            eVhjc2VlOVROOC9oakF3K29nODdEM0EKZkIo+FdHZAyQ9ogoK9994B0q5lkWWXOw
+            EgXamhJ800zjy9zFeO6bxPMsgPze1iNshhlV7HjT8uh+qs5laCqatg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-28T21:31:06Z"
+    mac: ENC[AES256_GCM,data:O/Vw1S40Dz0g6Fo9K87iCIFh3TSNW4/f+mWNnbjPpjehj1+JbOovpchjizI1c+OZ++/rqlow8Ib/yesMDdPd16ErkyHgINMBtLuqfUYJ1WSwg52Rp5zfZP7eSXHTeqcGuuASIfzEcclZ/5QIPeiSOJG5iSAl/MDeNte6/YwEqQo=,iv:lieOLB5tOP4XagOr+cRWQZQC00EHz9UUcx7e2uwUjpU=,tag:JJ4YgTKMCZtujAJfi+TcxA==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.8.1

apps/gitea/renovate-bot-values.yaml

@@ -0,0 +1,12 @@
+renovate:
+  config : |
+    {
+      "repositories": ["Cluster/k3s-configs", "Cluster/mlflow"]
+    }
+  persistence:
+    cache:
+      enabled: true
+      storageClass: retain-local-path
+existingSecret: renovate-bot-secret
+apiVersionOverrides:
+  cronjob: 'batch/v1'

apps/gitea/restic/backup.sh

@@ -1,22 +0,0 @@
-#!/bin/sh
-
-# Set up colors
-GREEN='\033[0;32m'
-NC='\033[0m'
-
-echo -e "\n${GREEN}`date` - Starting backup...${NC}\n"
-
-restic unlock
-
-# Gitea
-echo -e "\n${GREEN}`date` - Backing up Gitea...${NC}\n"
-gitea=$(kubectl get deploy -n gitea -l app=gitea -o name --no-headers=true)
-kubectl scale -n gitea --replicas=0 $gitea
-restic backup /gitea
-restic backup /backup/postgres_backup.dump
-kubectl scale -n gitea --replicas=1 $gitea
-
-# Forget and prune
-echo -e "\n${GREEN}`date` - Running forget and prune...${NC}\n"
-restic forget --prune --keep-daily 7 --keep-weekly 2
-echo -e "\n${GREEN}`date` - Backup finished.${NC}\n"

apps/gitea/restic/cronjob.yaml

@@ -1,58 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: restic-backup-cronjob
-  namespace: gitea
-spec:
-  schedule: "0 3 * * *"  # Cron expression for running daily at 2 AM
-  jobTemplate:
-    spec:
-      template:
-        spec:
-
-          serviceAccountName: restic-sa
-          hostname: restic-cronjob
-
-          volumes:
-          - name: gitea-data
-            persistentVolumeClaim:
-              claimName: gitea-shared-storage
-          - name: restic-backup-vol
-            persistentVolumeClaim:
-              claimName: restic-backup-vol
-          - name: backup-script-vol
-            configMap:
-              name: restic-backup-script
-
-          initContainers:
-          - name: postgres-dump-init
-            image: bitnami/postgresql:16.3.0-debian-12-r17@sha256:5f5da81926e99bde90bd188bb43bf8de4bbcc1da45087e375631693e82d8b1c7
-            command: ["/bin/sh", "-c"]
-            args: ["pg_dump -h gitea-postgresql -p 5432 -U gitea gitea -Fc > /backup/postgres_backup.dump"]
-            env:
-            - name: PGPASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: gitea-postgresql
-                  key: password
-            volumeMounts:
-            - name: restic-backup-vol
-              mountPath: /backup
-
-          containers:
-          - name: restic-container
-            image: git.namesny.com/cluster/restic:latest@sha256:8efb9776d9b3250012d17bbfff865420e5ffa0688010d006448c4ff358b0ee32
-            imagePullPolicy: Always
-            command: ["/bin/sh", "/app/backup.sh"]
-            envFrom:
-            - secretRef:
-                name: restic-secret
-            volumeMounts:
-            - name: restic-backup-vol
-              mountPath: /backup
-            - name: gitea-data
-              mountPath: /gitea
-            - name: backup-script-vol
-              mountPath: /app
-
-          restartPolicy: OnFailure

apps/gitea/restic/debug-pod.yaml

@@ -1,28 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: restic-debug-pod
-  namespace: gitea
-spec:
-  serviceAccountName: restic-sa
-  volumes:
-  - name: restic-backup-vol
-    persistentVolumeClaim:
-      claimName: restic-backup-vol
-  - name: gitea-data
-    persistentVolumeClaim:
-      claimName: gitea-shared-storage
-  containers:
-  - name: restic-debug
-    image: git.namesny.com/cluster/restic:latest@sha256:8efb9776d9b3250012d17bbfff865420e5ffa0688010d006448c4ff358b0ee32
-    command: ["/bin/sh", "-c"]
-    args: ["sleep infinity"]
-    envFrom:
-    - secretRef:
-        name: restic-secret
-    volumeMounts:
-    - name: restic-backup-vol
-      mountPath: /backup
-    - name: gitea-data
-      mountPath: /gitea
-

apps/gitea/restic/kustomization.yaml

@@ -1,21 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: gitea
-
-resources:
-- service-account.yaml
-- role.yaml
-- role-binding.yaml
-- pvc.yaml
-- debug-pod.yaml
-- cronjob.yaml
-
-generators:
-- secret-generator.yaml
-
-configMapGenerator:
-- name: restic-backup-script
-  namespace: gitea
-  files:
-  - ./backup.sh
-

apps/gitea/restic/pvc.yaml

@@ -1,12 +0,0 @@
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: restic-backup-vol
-  namespace: gitea
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 5Gi
-  storageClassName: retain-local-path

apps/gitea/restic/role-binding.yaml

@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: restic-role-binding
-  namespace: gitea
-subjects:
-- kind: ServiceAccount
-  name: restic-sa
-  namespace: gitea
-roleRef:
-  kind: Role
-  name: restic-role
-  apiGroup: rbac.authorization.k8s.io

apps/gitea/restic/role.yaml

@@ -1,9 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: restic-role
-  namespace: gitea
-rules:
-- apiGroups: ["apps"]
-  resources: ["deployments", "deployments/scale"]
-  verbs: ["get", "list", "update", "patch"]

apps/gitea/restic/secret-generator.yaml

@@ -1,11 +0,0 @@
-apiVersion: viaduct.ai/v1
-kind: ksops
-metadata:
-  name: restic-secret-generator
-  annotations:
-    config.kubernetes.io/function: |
-        exec:
-          path: ksops
-files:
-- ./secret.enc.yaml
-

apps/gitea/restic/secret.enc.yaml

@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: restic-secret
-    namespace: gitea
-stringData:
-    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:IjDw3i+8BIvA816obn5BpQBTkzo=,iv:A/CrhyIm5kljCwvneQziux36O6+SWG5Z9mOlV+mRIXQ=,tag:XVh4X8Xf587nmbDCtgazAg==,type:str]
-    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:WdfHxdXnPOLvIOecN+WFONAEDr2Sc/r6bKQ/H9KS1BT2C9cj,iv:GCY6MaSEhu9WEsVA23hWN30Ix7x6dz/umNRsQ0jsb8I=,tag:8Qa0dvU3bq+J2S6trBDFDw==,type:str]
-    RESTIC_REPOSITORY: ENC[AES256_GCM,data:FZCqro3fpgQ7NJc+4ORVC2yWdqMNCLd4AjCwdolXgu5uJXq0IQ==,iv:nWttNrSvFpcj1HMOFwZNfJqVUy0esR7fVXlvidp3MlY=,tag:T0HzAZ/w83IFrvap8Gx3gg==,type:str]
-    RESTIC_PASSWORD: ENC[AES256_GCM,data:PjSE4FejVPW8e8e/PDtoSCsuskI=,iv:MTUMYim3obMHaYBEoEJBMEj9GMbaqdbdVV09o3ep/fw=,tag:pQ6vakVWHUdk4F/PwqpgAw==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RTlocERzUmtUdnhsNHJk
-            SkNXZFpVdmM5Y1hnQlQzcUg1OUxNYkRiaEFZCi82MW9TbkI2VCtjMDVKYTlWTVBs
-            QVZMekVoT1JSQWRZV3F3SHgxOGR3a2sKLS0tIGJCd21aY05jS0xva2RmclBlQWdl
-            UVZSNm9pRUM3YmFFSWl3NGNUdnZOOGsKIuepNrrdgoNoOMZQ77cIrtwPTL8acahG
-            paE+K2EKa8pqXnAVkxORTkUYRlorKRLjiyalxrDZYsMAbCSrrtfx/A==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-30T17:21:08Z"
-    mac: ENC[AES256_GCM,data:mR4vi8WLLiuUY5i7NgIYHfAZcBsQ3u2Cg9TtXcFtwtDAuyy9Xzx07yeR1HC0D+YhiAu+mYAJPmk6jHZsCE2OX26sLTyvEULqDQc71sCgM8dsyl50hoZ2BsbY7o6g8D9Yks+2szuKmlxZ0nN5aHxcf+67+gotzjlBfcmLx+E1TfA=,iv:+9Kv7ZwGoMU0QBTvCgq232nHo+tjoeHTJBdOuOiqpPk=,tag:9VrOFmUFbdiPKSWnt+8z7w==,type:str]
-    pgp: []
-    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
-    version: 3.8.1

apps/gitea/restic/service-account.yaml

@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: restic-sa
-  namespace: gitea

apps/gitea/runner-deployment.yaml

@@ -24,13 +24,9 @@ spec:
           claimName: act-runner-vol
       securityContext:
         fsGroup: 1001
-      initContainers:
-      - name: wait-for-gitea
-        image: busybox:1.36@sha256:34b191d63fbc93e25e275bfccf1b5365664e5ac28f06d974e8d50090fbb49f41
-        command: ['sh', '-c', "until wget https://git.namesny.com 2>/dev/null; do echo waiting for gitea; sleep 2; done"]
       containers:
       - name: runner
-        image: gitea/act_runner:latest-dind-rootless@sha256:2f4c10a8354062ff3f8faa1df17006e650dcf21853a34713dfc2ed961f6ca50f
+        image: gitea/act_runner:nightly-dind-rootless
         imagePullPolicy: Always
         env:
         - name: DOCKER_HOST

apps/gitea/secret-generator.yaml

@@ -8,5 +8,5 @@ metadata:
           path: ksops
 files:
 - ./gitea-admin-secret.enc.yaml
+- ./renovate-bot-secret.enc.yaml
 - ./runner-secret.enc.yaml
-

apps/mlflow/kustomization.yaml

@@ -18,7 +18,7 @@ generators:
 helmCharts:
 - name: postgresql
   releaseName: postgresql
-  version: 15.5.28
+  version: 13.2.24
   repo: oci://registry-1.docker.io/bitnamicharts
   namespace: mlflow
   valuesInline:

apps/mlflow/minio-deployment.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: minio
-        image: minio/minio:latest@sha256:0bd79595dbcf155782860716abf4cf79d5ee32a9508b60fa1a88793bbe55b245
+        image: quay.io/minio/minio:RELEASE.2023-12-09T18-17-51Z
         command:
         - /bin/bash
         - -c

apps/mlflow/mlflow-deployment.yaml

@@ -17,7 +17,7 @@ spec:
       - name: gitea-regcred
       initContainers:
       - name: init-s3-bucket
-        image: minio/mc:latest@sha256:10fea08805ab76fe9b8ff0d3755db7af3f5a2468a60a48826bd21ec7c8b5000e
+        image: minio/mc
         command: ["/bin/sh", "-c"]
         args: 
         - until mc alias set mlflow-minio http://minio-svc.mlflow.svc.cluster.local:9000 $MINIO_ROOT_USER $MINIO_ROOT_PASSWORD; do sleep 5; done;
@@ -30,18 +30,9 @@ spec:
             name: minio-admin-secret
         - secretRef:
             name: minio-user-secret
-      - name: init-db-upgrade
-        image: git.namesny.com/cluster/mlflow:latest@sha256:9d935268bc318d6cadbfe8d480744ce898cdfb906be5ba7125ab87c555894798
-        envFrom:
-        - secretRef:
-            name: mlflow-secret
-        command: ["/bin/sh", "-c"]
-        args:
-          - mlflow db upgrade $MLFLOW_BACKEND_STORE_URI;
-            exit 0;
       containers:
       - name: mlflow
-        image: git.namesny.com/cluster/mlflow:latest@sha256:9d935268bc318d6cadbfe8d480744ce898cdfb906be5ba7125ab87c555894798
+        image: git.namesny.com/cluster/mlflow:2.9.1
         imagePullPolicy: Always
         args:
         - --host=0.0.0.0

apps/namesny-com/deployment.yaml

@@ -19,6 +19,17 @@ spec:
       - name: gitea-regcred
       containers:
       - name: namesny-com
-        image: git.namesny.com/mathis/namesny-com:2024-04-22@sha256:df51fff0dcc4e252b13f3c61debf2b3e2335e4c8e2d7441174457d9e7709a6ea
+        image: git.namesny.com/mathis/namesny-com:2023-12-28
         ports:
         - containerPort: 80
+        volumeMounts:
+        - name: access-logs
+          mountPath: /var/log/nginx/access.log
+      - name: goaccess
+        image: allinurl/goaccess
+        ports:
+        - containerPort: 7890
+        volumeMounts:
+        - name: access-logs
+          mountPath: /var/log/nginx/access.log
+          

apps/namesny-com/goaccess-service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: namesny-com-svc
+  namespace: namesny-com
+spec:
+  selector:
+    app: namesny-com
+  type: ClusterIP
+  ports:
+  - protocol: TCP
+    port: 7890
+    targetPort: 7890

infra/authelia/kustomization.yaml

@@ -6,6 +6,7 @@ namespace: auth
 resources:
 - namespace.yaml
 - ingress.yaml
+- basic-auth-middleware.yaml
 - forward-auth-middleware.yaml
 
 generators:

infra/k9s/deployment.yaml

@@ -1,23 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: k9s
-  namespace: k9s
-  labels:
-    app: k9s
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: k9s
-  template:
-    metadata:
-      labels:
-        app: k9s
-    spec:
-      serviceAccountName: k9s-sa
-      containers:
-      - name: k9s
-        image: ghcr.io/lordmathis/k9s-web:latest@sha256:6db8f8812fa09a93433682bb64a32c16ddf8286091f2886699dd4b84f875d150
-        ports:
-        - containerPort: 7681

infra/k9s/ingress.yaml

@@ -1,16 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: k9s-ingress
-  namespace: k9s
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`k9s.namesny.com`)
-    kind: Rule
-    middlewares:
-    - name: "auth-authelia@kubernetescrd"
-    services:
-    - name: k9s-svc
-      port: 7681

infra/k9s/kustomization.yaml

@@ -1,11 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: k9s
-
-resources:
-- namespace.yaml
-- rbac.yaml
-- deployment.yaml
-- service.yaml
-- ingress.yaml
-

infra/k9s/namespace.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: k9s

infra/k9s/rbac.yaml

@@ -1,35 +0,0 @@
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: k9s-reader
-rules:
-  - apiGroups: [""]
-    resources: ["*"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["apps"]
-    resources: ["*"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["batch"]
-    resources: ["*"]
-    verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: k9s
-subjects:
-  - kind: ServiceAccount
-    name: k9s-sa
-    namespace: k9s
-roleRef:
-  kind: ClusterRole
-  name: k9s-reader
-  apiGroup: rbac.authorization.k8s.io
-
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: k9s-sa
-  namespace: k9s

infra/k9s/service.yaml

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: k9s-svc
-  namespace: k9s
-spec:
-  selector:
-    app: k9s
-  type: ClusterIP
-  ports:
-  - protocol: TCP
-    port: 7681
-    targetPort: 7681

infra/monitoring/kustomization.yaml

@@ -1,18 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-generatorOptions:
-  disableNameSuffixHash: true
-namespace: monitoring
-resources:
-- namespace.yaml
-
-generators:
-- ./secret-generator.yaml
-
-helmCharts:
-- name: k8s-monitoring
-  releaseName: grafana-k8s-monitoring
-  version: 1.0.13
-  repo: https://grafana.github.io/helm-charts 
-  namespace: monitoring
-  valuesFile: values.yaml

infra/monitoring/loki-secret.enc.yaml

@@ -1,29 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: loki-secret
-    namespace: monitoring
-stringData:
-    host: ENC[AES256_GCM,data:rVMcsxS2yzOC+SeqPlVOVLlg/FviDoT79Z00NTi9nKHu,iv:vKZvn0b9lLMWsBbAvBIfAf/fkQ1KSIkXMJi4hTr+tHY=,tag:PIAZm1O/QbH6Ad3yMRmEvQ==,type:str]
-    username: ENC[AES256_GCM,data:HViufT0S,iv:g4LldPUsiALA6KUXn6xg1dxO1PaEx7PqKbpaTFbtcoQ=,tag:Asad1eWQKJOFCulm3xJBYg==,type:str]
-    password: ENC[AES256_GCM,data:KzafvYQ9hLeZcwTAJpE9z0ZDpGQL0lVMk7tSRKp6yQFZBl+u0V4u4leBtUDPm80605dP0BidHKL9MQ5c+2iayxjoBoBDDH6YDLjytN+2TnTU8fabY1wRYiAInOPxitcdoPLVzcw1/1DH9qiPJu7pdMWoz/JdM2PbHILW4G0uY/T9HERAwA28FX0R5sfQnfRPfaxSoea4HAMB2IG3lXn5wvwwsc2JZ+1KkInZ3XYg/vv0KwLD,iv:aWrgu6B2O9Is7tYqnSgTlz1fhYQEB5TIS4xl9PKoFwc=,tag:KLYaUsF6fDxHzXJdjnwHwQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcGE2VTZPcmpPQVNLbW5s
-            U3ZNaVZnMkRhOCtpYk1KdUpSalArRXI3VTFrClJORVVDRXBCM01lQVlnbjQ1RVhT
-            aFJEdk5oOHBVK1VJWTFwRXI5YXZmeUUKLS0tIEcwWmp5aHRDMHVrNFg0bnhVV2FI
-            UGpPaU54QjM4Y0pIQ0I3elVXakl0Uk0KXqd8LjaLjwzcgzi0WBAHBJLjNaP8yqKB
-            zQsrvGJvSIo3TdEVaRGvM9F/4nsLmQC6mYfENwtlyV4IWn0w8psMyw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-27T14:02:57Z"
-    mac: ENC[AES256_GCM,data:kkWKaG6+dobfZjr7xlKyJs5FOOSP8UXRci2wOhVKoa9BnWONdeKHIP8L4+xFvxXGs69EAUK0242ZM+cpPge8XtTFCbq9z+23OcFZej0nlO9yQxEOwTEE/zmOqnh8s3j3hmOUlyQPzgnLubbwiMEdhtHky/YdffziM8K1b+u4EPc=,iv:JpD6gj9vRp8Iap1+wH6zaewDUAubRJlUaicupoeVQkc=,tag:S+IG9K+wgkazgLi7tUIbSw==,type:str]
-    pgp: []
-    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
-    version: 3.8.1

infra/monitoring/namespace.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring

infra/monitoring/prometheus-secret.enc.yaml

@@ -1,29 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: prometheus-secret
-    namespace: monitoring
-stringData:
-    host: ENC[AES256_GCM,data:2GDOS1737kJ2xTjloQolicFSyalglzI3qlUl2mZo1rIvYLwrHipetqjEkYHQSiA096jvtsU=,iv:bUfdSzfnEqXwv4eozpepwabPiSH792aW0GOtTChORKw=,tag:j8pPRVIvqLkjUBcMUV4poQ==,type:str]
-    username: ENC[AES256_GCM,data:0ZQu0t4iJw==,iv:stS/U68x0ZglXPAa3eICmzlEtCEd1nnO2B+hwPzOvHE=,tag:vWVe2D8cpL4BKn9odjP+ZQ==,type:str]
-    password: ENC[AES256_GCM,data:VuugS5hwdaFE81ig8INkvLzO0M/81cvSenMuEUeOgcDL9b1H58YT65WFu/ouO1cCd3hF6SWChcLmfw2Z9wCTqhDnUiQ/JnLOriBqDeQFBK9qY5rPnHX/efvXRcNfwNUoQqlPAjUfubyjduPmHxtYHw62Ov0KSo3sG9ExWdNWEVkTUgXp662Al6E24njxMTSFssy4zY75Cwz0a9Uw9ILPnLnRwe1XIPdXL9PhAzUEVuRWycqC,iv:BO9HdE+Ql1TQ1j+0MF0NdiW5DVTbShLEduEFbMMIR8U=,tag:GA/u1MBBJaaWFF93N0i37A==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSdFhzSDEwdjZDVTRxN3Yx
-            OExHd3BYekx4TllPVi96c2JHamdQTlpaUHdrCi90dXBjaFBTSTA4c0JsbWt2WTBm
-            anB5NXkxeS9IbU9TT3dseGRjME1PeEUKLS0tIGhLUi9GQUNvczhId2k5RExNQ2lk
-            S3ZLUVNvd1BKWjZhRXVrR2NJV3FrMDAKxvoeNeR+mYBCEd4JtU+L52M0Lhj1W07H
-            UbD0+Bi8KTJWGWPVPm4prPA2jqk7zKhZ7BeSkZtwp1QQ+tVJF52fAA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-27T14:03:01Z"
-    mac: ENC[AES256_GCM,data:i02frS7UI//prqlbCnFF9D+mpcUnshgZ7YCeJwk5/SCZh9QJEDDAgANpz5V8rnp4v3NQlQt1mT6JWvi/N6MgfeePvwvNT85Hewo1iH2wPbyB4IMA2n4qJ8oK5lAYy/7WR/Cvi9LD/4FedTQ0xvNsj/GECwbI8YMmvUz3EUo3W3Y=,iv:ywp0ojCYd1rahm8Ltk821bLcofynCjv5mEv6QR9RDTs=,tag:UxKEpd09IB1H8GlZbXqhPw==,type:str]
-    pgp: []
-    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
-    version: 3.8.1

infra/monitoring/secret-generator.yaml

@@ -1,11 +0,0 @@
-apiVersion: viaduct.ai/v1
-kind: ksops
-metadata:
-  name: monitoring-secret-generator
-  annotations:
-    config.kubernetes.io/function: |
-        exec:
-          path: ksops
-files:
-- ./loki-secret.enc.yaml
-- ./prometheus-secret.enc.yaml

infra/monitoring/values.yaml

@@ -1,44 +0,0 @@
-cluster:
-  name: auberon
-externalServices:
-  prometheus:
-    secret:
-      create: false
-      name: prometheus-secret
-      namespace: monitoring
-  loki:
-    secret:
-      create: false
-      name: loki-secret
-      namespace: monitoring
-metrics:
-  enabled: true
-  cost:
-    enabled: false
-  node-exporter:
-    enabled: true
-logs:
-  enabled: true
-  pod_logs:
-    enabled: true
-  cluster_events:
-    enabled: true
-traces:
-  enabled: false
-receivers:
-  grpc:
-    enabled: false
-  http:
-    enabled: false
-  zipkin:
-    enabled: false
-opencost:
-  enabled: false
-kube-state-metrics:
-  enabled: true
-prometheus-node-exporter:
-  enabled: true
-prometheus-operator-crds:
-  enabled: true
-alloy: {}
-alloy-logs: {}

infra/storage/local-path-cm.yaml

@@ -38,5 +38,5 @@ data:
               effect: NoSchedule
           containers:
           - name: helper-pod
-            image: busybox:1.36@sha256:34b191d63fbc93e25e275bfccf1b5365664e5ac28f06d974e8d50090fbb49f41
+            image: busybox
 

infra/traefik/kustomization.yaml

@@ -9,7 +9,7 @@ generators:
 helmCharts:
   - name: traefik
     releaseName: traefik
-    version: 28.2.0
+    version: 26.0.0
     repo: https://helm.traefik.io/traefik
     namespace: kube-system
     includeCRDs: true

infra/traefik/values.yaml

@@ -1,8 +1,9 @@
+
 deployment:
   initContainers:
   - name: volume-permissions
-    image: busybox:1.36@sha256:34b191d63fbc93e25e275bfccf1b5365664e5ac28f06d974e8d50090fbb49f41
-    command: ["sh", "-c", "touch /data/acme.json; chown 65532:65532 /data/acme.json; chmod -v 600 /data/acme.json; chown -R 65532:65532 /var/log/traefik"]
+    image: busybox:latest
+    command: ["sh", "-c", "rm /data/acme.json; touch /data/acme.json; chown 65532:65532 /data/acme.json; chmod -v 600 /data/acme.json; chown -R 65532:65532 /var/log/traefik"]
     securityContext:
       runAsNonRoot: false
       runAsGroup: 0

renovate.json

@@ -1,21 +1,10 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:best-practices"
+    "config:base"
   ],
-  "platformAutomerge": false,
-  "ignoreTests": true,
-  "separateMinorPatch": false,
+  "separateMinorPatch": true,
   "patch": {
-    "automerge": true
-  },
-  "pin": {
-    "automerge": true
-  },
-  "digest": {
-    "automerge": true
-  },
-  "kubernetes": {
-    "fileMatch": ["\\.yaml$"]
+    "enabled": false
   }
 }