infra
/
kubernetes
1
0
Fork 0
Code Pull Requests 4 Activity

Compare commits

base: infra:dbfde34e277bb8ed824d3aaad4d59193ad4129db
Branches Tags
infra:updatebot/authelia
infra:updatebot/paperless-ngx
infra:updatebot/firefly-iii
infra:updatebot/home-assistant
infra:master
infra:jenkins-buildroot
infra:xactmon-doc
infra:etcd
infra:dch-webhooks-secrets
...
compare: infra:9f78f01f14ec4feffb41f51601a4ab636da102ad
Branches Tags
infra:updatebot/authelia
infra:updatebot/paperless-ngx
infra:updatebot/firefly-iii
infra:updatebot/home-assistant
infra:master
infra:jenkins-buildroot
infra:xactmon-doc
infra:etcd
infra:dch-webhooks-secrets

25 Commits
dbfde34e27 ... 9f78f01f14

Author SHA1 Message Date
bot 9f78f01f14 authelia: Update to 4.39.9 2025-09-13 11:32:15 +00:00
Dustin 7158ff89df v-m/alerts: Ignore Restic alert for Purple Pi 
The Purple Pi is no more.  We want to keep it's backups around, though,
but we don't need alerts about them.
 2025-09-12 07:25:21 -05:00
Dustin 5869afa923 jenkins: Add PVC for airplaypi Buildroot job 
Buildroot jobs really benefit from having a persistent workspace volume
instead of an ephemeral one.  This way, only the packages, etc. that
have changed since the last build need to be built, instead of the whole
toolchain and operating system.
 2025-09-07 12:24:11 -05:00
Dustin 4c1992b3c9 v-m/vmagent: Start in parallel 
As with AlertManager, the point of having multiple replicas of `vmagent`
is so that one is always running, even if the other fails.  Thus, we
want to start the pods in parallel so that if the first one does not
come up, the second one at least has a chance.
 2025-09-07 10:49:22 -05:00
Dustin 25d34efb4c v-m/alertmanager: Bring up replicas in parallel 
If something prevents the first AlertManager instance from starting, we
don't want to wait forever for it before starting the second.  That
pretty much defeats the purpose of having two instances.  Fortunately,
we can configure Kubernetes to bring up both instances simultaneously by
setting the pod management policyo to `Parallel`.
 2025-09-07 10:42:50 -05:00
Dustin e605e3d1ea v-m/alertmanager: Migrate PVC to Synology 
We also don't need a 4 GB volume for AlertManager; even 500 MB is
way too big for the tiny amount of data it stores, but that's about the
smallest size a filesystem can be.
 2025-09-07 10:42:13 -05:00
Dustin ab38df1d9f Merge branch 'drop-certs' 2025-09-07 10:33:19 -05:00
Dustin a02dfa1dfc cert-manager: Decommission cert-exporter 
The `cert-exporter` is no longer needed.  All websites manage their own
certificates with _mod_md_ now, and all internal applications that use
the wildcard certificate fetch it directly from the Kubernetes Secret.
 2025-09-07 10:31:36 -05:00
Dustin b068a260e7 cert-manager: Drop HLC certificate 
This site now obtains its own certificate using Apache _mod_md_.
 2025-09-07 10:30:20 -05:00
Dustin 479a91ae79 Merge branch 'democratic-csi' 2025-09-07 10:25:14 -05:00
Dustin 87331b24b0 v-m/alerts: Ignore Restic alert for bw0 
_bw0.pyrocufflink.blue_ has been decommissioned since some time, so it
doesn't get backed up any more.  We want to keep its previous backups
around, though, in case we ever need to restore something.  This
triggers the "no recent backups" alert, since the last snapshot is over
a week old.  Let's ignore that hostname when generating this alert.
 2025-09-07 08:27:19 -05:00
Dustin 7ad8fff7c6 v-m/vmagent: Use ephemeral storage 
The `vmagent` needs a place to spool data it has not yet sent to
Victoria Metrics, but it doesn't really need to be persistent.  As long
as all of the `vmagent` nodes _and_ all of the `vminsert` nodes do not
go down simultaneously, there shouldn't be any data loss.  If they are
all down at the same time, there's probably something else going on and
lost metrics are the least concerning problem.
 2025-09-07 08:27:19 -05:00
Dustin ee88e5f1c9 dynk8s-provisioner: Remove PVC 
The _dynk8s-provisioner_ only needs writable storage to store copies of
the AWS SNS notifications it receives for debugging purposes.  We don't
need to keep these around indefinitely, so using ephemeral node-local
storage is sufficient.  I actually want to get rid of that "feature"
anyway...
 2025-09-07 08:27:19 -05:00
Dustin cbed5a8d13 jenkins: Drop Gentoo Portage distribution 
Now that Aimee OS is based on Buildroot instead of Gentoo, we don't need
to keep syncing and sharing the Gentoo repository.
 2025-09-07 08:27:19 -05:00
Dustin e63fd199ec firefly-iii: Prefer running on amd64 nodes 
Although Firefly III works on a Raspberry Pi, a few things are pretty
slow.  Notably, the search feature takes a really long time to return
any results, which is particularly annoying when trying to add a receipt
via the Receipts app.  Adding a node affinity rule to prefer running on
an x86_64 machine will ensure that it runs fast whenever possible, but
can fall back to running on a Rasperry Pi if necessary.
 2025-09-07 08:27:19 -05:00
Dustin 687775c595 invoice-ninja: Fix error in cron container 
The "cron" container has not been working correctly for some time.  No
background tasks are getting run, and this error is printed in the log
every minute:

> `Target class [db.schema] does not exist`

It turns out, this is because of the way the PHP `artisan` tool works.
It MUST be able to write to the code directory, apparently to build some
kind of cache.  There may be a way to cache the data ahead of time, but
I haven't found it yet.  For now, it seems the only way to make
Laravel-based applications run in a container is to make the container
filesystem mutable.
 2025-09-07 08:27:19 -05:00
Dustin 0a89502620 20125: Add Music Assistant 
Tabitha wants to see Music Assistant in the smart home status app,
mostly to use as a shortcut.
 2025-09-07 08:27:19 -05:00
Dustin 92cf0edc4b v-m/scrape: Scrape Music Assistant via Blackbox 
Music Assistant doesn't expose any metrics natively.  Since we really
only care about whether or not it's accessible, scraping it with the
blackbox exporter is fine.
 2025-09-07 08:27:19 -05:00
Dustin c011a99165 authelia: Allow from pyrocufflink.net 
In order to allow access to Authelia from outside the LAN, it needs to
be able to handle the _pyrocufflink.net_ domain in addition to
_pyrocufflink.blue_.  Originally, this was not possible, as Authelia
only supported a single cookie/domain.  Now that it supports multiple
cookies, we can expose both domains.

The main reason for doing this now is use Authelia's password reset
capability for Mom, since she didn't have a password for her Nextcloud
account that she's just begun using.
 2025-09-07 08:27:19 -05:00
Dustin 7c9737e092 kitchen: Update DTEX calendar URL 
I wrote a Thunderbird add-on for my work computer that periodically
exports my entire DTEX calendar to a file.  Unfortunately, the file it
creates is not directly usable by the kitchen screen server currently;
it seems to use a time zone identifier that `tzinfo` doesn't understand:

```
Error in background update:
Traceback (most recent call last):
  File "/usr/local/kitchen/lib64/python3.12/site-packages/kitchen/service/agenda.py", line 19, in _background_update
    await self._update()
  File "/usr/local/kitchen/lib64/python3.12/site-packages/kitchen/service/agenda.py", line 34, in _update
    calendar = await self.fetch_calendar(
               ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/kitchen/lib64/python3.12/site-packages/kitchen/service/caldav.py", line 39, in fetch_calendar
    return icalendar.Calendar.from_ical(r.text)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/kitchen/lib64/python3.12/site-packages/icalendar/cal.py", line 369, in from_ical
    _timezone_cache[component['TZID']] = component.to_tz()
                                         ^^^^^^^^^^^^^^^^^
  File "/usr/local/kitchen/lib64/python3.12/site-packages/icalendar/cal.py", line 659, in to_tz
    return cls()
           ^^^^^
  File "/usr/local/kitchen/lib64/python3.12/site-packages/pytz/tzinfo.py", line 190, in __init__
    self._transition_info[0])
    ~~~~~~~~~~~~~~~~~~~~~^^^
IndexError: list index out of range
```

It seems to work fine in Nextcloud, though, so the work-around is to
import it as a subscription in Nextcloud and then read it from there,
using Nextcloud as a sort of proxy.
 2025-09-07 08:27:19 -05:00
Dustin 28d6bdc3a9 kitchen: Pin to amd64 nodes 
There is not (currently) an aarch64 build of the kitchen screen server,
so we need to force the pod to run on a x86_64 node.  This seems a good
candidate for running on a Raspberry Pi, so I should go ahead and build
a multi-arch image.
 2025-09-07 08:27:19 -05:00
Dustin 67a1d8d0d5 democratic-csi: Enable volume resize 
_democratic-csi_ can also dynamically resize Synology iSCSI LUNs when
PVC resource requests increase.  This requires enabling the external
resizer in the controller pod and marking the StorageClass as supporting
resize.
 2025-09-06 23:49:53 -05:00
Dustin d909fc0566 democratic-csi: Enable volume snapshot support 
The _democratic-csi_ controller can create Synology LUN snapshots based
on VolumeSnapshot resources.  This feature can be used to e.g. create
data snapshots before upgrades, etc.
 2025-09-06 23:43:25 -05:00
Dustin f3798c49e3 democratic-csi: Initial deployment 
Deploying _democratic-csi_ to manage PersistentVolumeClaim resources,
mapping them to iSCSI volumes on the Synology.

Eventually, all Longhorn-managed PVCs will be replaced with Synology
iSCSI volumes.  Getting rid of Longhorn should free up a lot of
resources and remove a point of failure from the cluster.
 2025-09-06 22:57:05 -05:00
Dustin 2a0fdc07df cert-manager: Drop dustinandtabitha.com certificate 
This site now obtains its own certificate using Apache _mod_md_.
 2025-08-11 08:59:57 -05:00
32 changed files with 1027 additions and 371 deletions
Show Stats Expand all files Collapse all files

7
20125/config.yml
View File

@ -85,3 +85,10 @@ applications:
url: https://receipts.pyrocufflink.blue/static/icons/icon-512.png url: https://receipts.pyrocufflink.blue/static/icons/icon-512.png
alerts: alerts:
- instance: *url5 - instance: *url5
- name: Music Assistant
url: &url6 https://music.pyrocufflink.blue/
icon:
url: https://music.pyrocufflink.blue/apple-touch-icon.png
alerts:
- instance: *url6

16
argocd/applications/csi-synology.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: csi-synology
namespace: argocd
spec:
destination:
server: https://kubernetes.default.svc
project: default
source:
path: democratic-csi
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master
syncPolicy:
automated:
prune: true

6
authelia/authelia.yaml
View File

@ -127,9 +127,10 @@ spec:
tls: tls:
- hosts: - hosts:
- auth.pyrocufflink.blue - auth.pyrocufflink.blue
- auth.pyrocufflink.net
rules: rules:
- host: auth.pyrocufflink.blue - host: auth.pyrocufflink.blue
http: http: &http
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
@ -138,4 +139,5 @@ spec:
name: authelia name: authelia
port: port:
name: http name: http
- host: auth.pyrocufflink.net
http: *http

2
authelia/configuration.yml
View File

@ -189,6 +189,8 @@ session:
cookies: cookies:
- domain: pyrocufflink.blue - domain: pyrocufflink.blue
authelia_url: 'https://auth.pyrocufflink.blue' authelia_url: 'https://auth.pyrocufflink.blue'
- domain: pyrocufflink.net
authelia_url: 'https://auth.pyrocufflink.net'
server: server:
buffers: buffers:

2
authelia/kustomization.yaml
View File

@ -58,4 +58,4 @@ patches:
name: dch-root-ca name: dch-root-ca
images: images:
- name: ghcr.io/authelia/authelia - name: ghcr.io/authelia/authelia
newTag: 4.39.6 newTag: 4.39.9

17
cert-manager/cert-exporter.config.yml
View File

@ -1,17 +0,0 @@
git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
certs:
- name: pyrocufflink-cert
namespace: default
key: certificates/_.pyrocufflink.net.key
cert: certificates/_.pyrocufflink.net.crt
bundle: certificates/_.pyrocufflink.net.pem
- name: dustinandtabitha-cert
namespace: default
key: certificates/dustinandtabitha.com.key
cert: certificates/dustinandtabitha.com.crt
bundle: certificates/dustinandtabitha.com.pem
- name: hlc-cert
namespace: default
key: certificates/hatchlearningcenter.org.key
cert: certificates/hatchlearningcenter.org.crt
bundle: certificates/hatchlearningcenter.org.pem

78
cert-manager/cert-exporter.yaml
View File

@ -1,78 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-exporter
namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-exporter
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
resourceNames:
- pyrocufflink-cert
- dustinandtabitha-cert
- hlc-cert
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-exporter
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-exporter
subjects:
- kind: ServiceAccount
name: cert-exporter
namespace: cert-manager
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: cert-exporter
namespace: cert-manager
spec:
timeZone: America/Chicago
schedule: '27 9,20 * * *'
jobTemplate: &jobtemplate
spec:
template:
spec:
containers:
- image: git.pyrocufflink.net/containerimages/cert-exporter
name: cert-exporter
volumeMounts:
- mountPath: /etc/cert-exporter/config.yml
name: config
subPath: config.yml
readOnly: true
- mountPath: /home/cert-exporter/.ssh/id_ed25519
name: sshkeys
subPath: cert-exporter.pem
readOnly: true
- mountPath: /etc/ssh/ssh_known_hosts
name: sshkeys
subPath: ssh_known_hosts
readOnly: true
securityContext:
fsGroup: 1000
serviceAccount: cert-exporter
volumes:
- name: config
configMap:
name: cert-exporter
- name: sshkeys
secret:
secretName: cert-exporter-sshkey
defaultMode: 00440
restartPolicy: Never

48
cert-manager/certificates.yaml
View File

@ -16,51 +16,3 @@ spec:
privateKey: privateKey:
algorithm: ECDSA algorithm: ECDSA
rotationPolicy: Always rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: dustinandtabitha-cert
spec:
secretName: dustinandtabitha-cert
dnsNames:
- dustinandtabitha.com
- '*.dustinandtabitha.com'
- dustinandtabitha.xyz
- '*.dustinandtabitha.xyz'
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: zerossl
privateKey:
algorithm: ECDSA
rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: hlc-cert
spec:
secretName: hlc-cert
dnsNames:
- hatchlearningcenter.org
- '*.hatchlearningcenter.org'
- hatchlearningcenter.com
- '*.hatchlearningcenter.com'
- hlckc.org
- '*.hlckc.org'
- hlckc.com
- '*.hlckc.com'
- hlcks.org
- '*.hlcks.org'
- hlcks.com
- '*.hlcks.com'
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: zerossl
privateKey:
algorithm: ECDSA
rotationPolicy: Always

2
cert-manager/jenkins.yaml
View File

@ -11,8 +11,6 @@ rules:
- get - get
resourceNames: resourceNames:
- pyrocufflink-cert - pyrocufflink-cert
- dustinandtabitha-cert
- hlc-cert
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1

15
cert-manager/kustomization.yaml
View File

@ -5,19 +5,10 @@ resources:
- https://github.com/cert-manager/cert-manager/releases/download/v1.16.4/cert-manager.yaml - https://github.com/cert-manager/cert-manager/releases/download/v1.16.4/cert-manager.yaml
- cluster-issuer.yaml - cluster-issuer.yaml
- certificates.yaml - certificates.yaml
- cert-exporter.yaml
- dch-ca-issuer.yaml - dch-ca-issuer.yaml
- secrets.yaml - secrets.yaml
- jenkins.yaml - jenkins.yaml
configMapGenerator:
- name: cert-exporter
namespace: cert-manager
files:
- config.yml=cert-exporter.config.yml
options:
disableNameSuffixHash: True
secretGenerator: secretGenerator:
- name: zerossl-eab - name: zerossl-eab
namespace: cert-manager namespace: cert-manager
@ -26,12 +17,6 @@ secretGenerator:
options: options:
disableNameSuffixHash: true disableNameSuffixHash: true
- name: cert-exporter-sshkey
namespace: cert-manager
files:
- cert-exporter.pem
- ssh_known_hosts
- name: cloudflare - name: cloudflare
namespace: cert-manager namespace: cert-manager
files: files:

2
democratic-csi/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
synology.password
synology-iscsi-chap.yaml

385
democratic-csi/democratic-csi.yaml Normal file
View File

@ -0,0 +1,385 @@
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: csi-synology-democratic-csi-node
namespace: democratic-csi
labels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: node
app.kubernetes.io/component: node-linux
spec:
selector:
matchLabels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: node
app.kubernetes.io/component: node-linux
template:
metadata:
labels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: node
app.kubernetes.io/component: node-linux
spec:
serviceAccount: csi-synology-democratic-csi-node-sa
priorityClassName: system-node-critical
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
hostAliases: []
hostIPC: true
hostPID: false
containers:
- name: csi-driver
image: docker.io/democraticcsi/democratic-csi:latest
args:
- --csi-version=1.5.0
- --csi-name=org.democratic-csi.iscsi-synology
- --driver-config-file=/config/driver-config-file.yaml
- --log-level=info
- --csi-mode=node
- --server-socket=/csi-data/csi.sock.internal
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- SYS_ADMIN
privileged: true
env:
- name: CSI_NODE_ID
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
terminationMessagePath: /tmp/termination-log
terminationMessagePolicy: File
livenessProbe:
failureThreshold: 3
exec:
command:
- bin/liveness-probe
- --csi-version=1.5.0
- --csi-address=/csi-data/csi.sock.internal
initialDelaySeconds: 10
timeoutSeconds: 15
periodSeconds: 60
volumeMounts:
- name: socket-dir
mountPath: /csi-data
- name: kubelet-dir
mountPath: /var/lib/kubelet
mountPropagation: Bidirectional
- name: iscsi-dir
mountPath: /etc/iscsi
mountPropagation: Bidirectional
- name: iscsi-info
mountPath: /var/lib/iscsi
mountPropagation: Bidirectional
- name: modules-dir
mountPath: /lib/modules
readOnly: true
- name: localtime
mountPath: /etc/localtime
readOnly: true
- name: udev-data
mountPath: /run/udev
- name: host-dir
mountPath: /host
mountPropagation: Bidirectional
- mountPath: /sys
name: sys-dir
- name: dev-dir
mountPath: /dev
- name: config
mountPath: /config
- name: csi-proxy
image: docker.io/democraticcsi/csi-grpc-proxy:v0.5.6
env:
- name: BIND_TO
value: unix:///csi-data/csi.sock
- name: PROXY_TO
value: unix:///csi-data/csi.sock.internal
volumeMounts:
- mountPath: /csi-data
name: socket-dir
- name: driver-registrar
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0
args:
- --v=5
- --csi-address=/csi-data/csi.sock
- --kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock
env:
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
livenessProbe:
exec:
command:
- /csi-node-driver-registrar
- --kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock
- --mode=kubelet-registration-probe
volumeMounts:
- mountPath: /csi-data
name: socket-dir
- name: registration-dir
mountPath: /registration
- name: kubelet-dir
mountPath: /var/lib/kubelet
- name: cleanup
image: docker.io/busybox:1.37.0
command:
- /bin/sh
args:
- -c
- |-
sleep infinity &
trap 'kill !$' INT TERM
wait
lifecycle:
preStop:
exec:
command:
- /bin/sh
- -c
- rm -rf /plugins/org.democratic-csi.iscsi-synology /registration/org.democratic-csi.iscsi-synology-reg.sock
volumeMounts:
- name: plugins-dir
mountPath: /plugins
- name: registration-dir
mountPath: /registration
volumes:
- name: socket-dir
hostPath:
path: /var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology
type: DirectoryOrCreate
- name: plugins-dir
hostPath:
path: /var/lib/kubelet/plugins
type: Directory
- name: registration-dir
hostPath:
path: /var/lib/kubelet/plugins_registry
type: Directory
- name: kubelet-dir
hostPath:
path: /var/lib/kubelet
type: Directory
- name: iscsi-dir
hostPath:
path: /etc/iscsi
type: Directory
- name: iscsi-info
hostPath:
path: /var/lib/iscsi
- name: dev-dir
hostPath:
path: /dev
type: Directory
- name: modules-dir
hostPath:
path: /lib/modules
- name: localtime
hostPath:
path: /etc/localtime
- name: udev-data
hostPath:
path: /run/udev
- name: sys-dir
hostPath:
path: /sys
type: Directory
- name: host-dir
hostPath:
path: /
type: Directory
- name: config
secret:
secretName: csi-synology-democratic-csi-driver-config
nodeSelector:
kubernetes.io/os: linux
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: csi-synology-democratic-csi-controller
namespace: democratic-csi
labels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: controller
app.kubernetes.io/component: controller-linux
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: controller
app.kubernetes.io/component: controller-linux
template:
metadata:
labels:
app.kubernetes.io/name: democratic-csi
app.kubernetes.io/csi-role: controller
app.kubernetes.io/component: controller-linux
spec:
serviceAccount: csi-synology-democratic-csi-controller-sa
priorityClassName: system-cluster-critical
hostNetwork: false
dnsPolicy: ClusterFirst
hostAliases: []
hostIPC: false
containers:
- name: external-attacher
image: registry.k8s.io/sig-storage/csi-attacher:v4.4.0
args:
- --v=5
- --leader-election
- --leader-election-namespace=democratic-csi
- --timeout=90s
- --worker-threads=10
- --csi-address=/csi-data/csi.sock
volumeMounts:
- mountPath: /csi-data
name: socket-dir
- name: external-provisioner
image: registry.k8s.io/sig-storage/csi-provisioner:v3.6.0
args:
- --v=5
- --leader-election
- --leader-election-namespace=democratic-csi
- --timeout=90s
- --worker-threads=10
- --extra-create-metadata
- --csi-address=/csi-data/csi.sock
volumeMounts:
- mountPath: /csi-data
name: socket-dir
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: external-resizer
image: "registry.k8s.io/sig-storage/csi-resizer:v1.9.0"
args:
- --v=5
- --leader-election
- --leader-election-namespace=democratic-csi
- --timeout=90s
- --workers=10
- --csi-address=/csi-data/csi.sock
volumeMounts:
- mountPath: /csi-data
name: socket-dir
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
# https://github.com/kubernetes-csi/external-snapshotter
# beware upgrading version:
# - https://github.com/rook/rook/issues/4178
# - https://github.com/kubernetes-csi/external-snapshotter/issues/147#issuecomment-513664310
- name: external-snapshotter
image: "registry.k8s.io/sig-storage/csi-snapshotter:v8.2.1"
args:
- --v=5
- --leader-election
- --leader-election-namespace=democratic-csi
- --timeout=90s
- --worker-threads=10
- --csi-address=/csi-data/csi.sock
volumeMounts:
- mountPath: /csi-data
name: socket-dir
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: csi-driver
image: docker.io/democraticcsi/democratic-csi:latest
args:
- --csi-version=1.5.0
- --csi-name=org.democratic-csi.iscsi-synology
- --driver-config-file=/config/driver-config-file.yaml
- --log-level=debug
- --csi-mode=controller
- --server-socket=/csi-data/csi.sock.internal
livenessProbe:
failureThreshold: 3
exec:
command:
- bin/liveness-probe
- --csi-version=1.5.0
- --csi-address=/csi-data/csi.sock.internal
initialDelaySeconds: 10
timeoutSeconds: 15
periodSeconds: 60
volumeMounts:
- name: socket-dir
mountPath: /csi-data
- name: config
mountPath: /config
- name: csi-proxy
image: docker.io/democraticcsi/csi-grpc-proxy:v0.5.6
env:
- name: BIND_TO
value: unix:///csi-data/csi.sock
- name: PROXY_TO
value: unix:///csi-data/csi.sock.internal
volumeMounts:
- mountPath: /csi-data
name: socket-dir
volumes:
- name: socket-dir
emptyDir: {}
- name: config
secret:
secretName: csi-synology-democratic-csi-driver-config
nodeSelector:
kubernetes.io/os: linux
---
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: org.democratic-csi.iscsi-synology
labels:
app.kubernetes.io/name: democratic-csi
spec:
attachRequired: true
podInfoOnMount: true

93
democratic-csi/driver-config-file.yaml Normal file
View File

@ -0,0 +1,93 @@
driver: synology-iscsi
httpConnection:
protocol: https
host: storage0.pyrocufflink.blue
port: 5001
username: democratic-csi
allowInsecure: true
# should be uniqe across all installs to the same nas
session: "democratic-csi"
serialize: true
# Choose the DSM volume this driver operates on. The default value is /volume1.
# synology:
# volume: /volume1
iscsi:
targetPortal: "server[:port]"
# for multipath
targetPortals: [] # [ "server[:port]", "server[:port]", ... ]
# leave empty to omit usage of -I with iscsiadm
interface: ""
# can be whatever you would like
baseiqn: "iqn.2000-01.com.synology:csi."
# MUST ensure uniqueness
# full iqn limit is 223 bytes, plan accordingly
namePrefix: ""
nameSuffix: ""
# documented below are several blocks
# pick the option appropriate for you based on what your backing fs is and desired features
# you do not need to alter dev_attribs under normal circumstances but they may be altered in advanced use-cases
# These options can also be configured per storage-class:
# See https://github.com/democratic-csi/democratic-csi/blob/master/docs/storage-class-parameters.md
lunTemplate:
# can be static value or handlebars template
#description: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}-{{ parameters.[csi.storage.k8s.io/pvc/name] }}"
# btrfs thin provisioning
type: "BLUN"
# tpws = Hardware-assisted zeroing
# caw = Hardware-assisted locking
# 3pc = Hardware-assisted data transfer
# tpu = Space reclamation
# can_snapshot = Snapshot
#dev_attribs:
#- dev_attrib: emulate_tpws
# enable: 1
#- dev_attrib: emulate_caw
# enable: 1
#- dev_attrib: emulate_3pc
# enable: 1
#- dev_attrib: emulate_tpu
# enable: 0
#- dev_attrib: can_snapshot
# enable: 1
# btfs thick provisioning
# only zeroing and locking supported
#type: "BLUN_THICK"
# tpws = Hardware-assisted zeroing
# caw = Hardware-assisted locking
#dev_attribs:
#- dev_attrib: emulate_tpws
# enable: 1
#- dev_attrib: emulate_caw
# enable: 1
# ext4 thinn provisioning UI sends everything with enabled=0
#type: "THIN"
# ext4 thin with advanced legacy features set
# can only alter tpu (all others are set as enabled=1)
#type: "ADV"
#dev_attribs:
#- dev_attrib: emulate_tpu
# enable: 1
# ext4 thick
# can only alter caw
#type: "FILE"
#dev_attribs:
#- dev_attrib: emulate_caw
# enable: 1
lunSnapshotTemplate:
is_locked: true
# https://kb.synology.com/en-me/DSM/tutorial/What_is_file_system_consistent_snapshot
is_app_consistent: true
targetTemplate:
auth_type: 0
max_sessions: 0

32
democratic-csi/kustomization.yaml Normal file
View File

@ -0,0 +1,32 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: democratic-csi
labels:
- pairs:
app.kubernetes.io/instance: csi-synology
resources:
- namespace.yaml
- rbac.yaml
- democratic-csi.yaml
- secrets.yaml
- storageclass.yaml
patches:
- patch: |
kind: Deployment
apiVersion: apps/v1
metadata:
name: csi-synology-democratic-csi-controller
namespace: democratic-csi
spec:
template:
spec:
hostNetwork: true
images:
- name: docker.io/democraticcsi/democratic-csi
newName: ghcr.io/democratic-csi/democratic-csi
digest: sha256:da41c0c24cbcf67426519b48676175ab3a16e1d3e50847fa06152f5eddf834b1

4
democratic-csi/namespace.yaml Normal file
View File

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: democratic-csi

316
democratic-csi/rbac.yaml Normal file
View File

@ -0,0 +1,316 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: csi-synology-democratic-csi-controller-sa
namespace: democratic-csi
labels:
app.kubernetes.io/name: democratic-csi
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: csi-synology-democratic-csi-node-sa
namespace: democratic-csi
labels:
app.kubernetes.io/name: democratic-csi
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-synology-democratic-csi-controller-cr
labels:
app.kubernetes.io/name: democratic-csi
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- create
- apiGroups:
-
resources:
- persistentvolumes
verbs:
- create
- delete
- get
- list
- watch
- update
- patch
- apiGroups:
-
resources:
- secrets
verbs:
- get
- list
- apiGroups:
-
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
-
resources:
- persistentvolumeclaims
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
-
resources:
- persistentvolumeclaims/status
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
-
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments/status
verbs:
- patch
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch
- apiGroups:
- csi.storage.k8s.io
resources:
- csidrivers
verbs:
- get
- list
- watch
- update
- create
- apiGroups:
-
resources:
- events
verbs:
- list
- watch
- create
- update
- patch
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshotclasses
verbs:
- get
- list
- watch
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots/status
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshotcontents
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshotcontents/status
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- snapshot.storage.k8s.io
resources:
- volumesnapshots
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
- apiGroups:
- csi.storage.k8s.io
resources:
- csinodeinfos
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- watch
- list
- delete
- update
- create
- apiGroups:
- storage.k8s.io
resources:
- csistoragecapacities
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
-
resources:
- pods
verbs:
- get
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs:
- get
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-synology-democratic-csi-node-cr
labels:
app.kubernetes.io/name: democratic-csi
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- create
- apiGroups:
-
resources:
- nodes
verbs:
- get
- list
- watch
- update
- apiGroups:
-
resources:
- persistentvolumes
verbs:
- get
- list
- watch
- update
- apiGroups:
- storage.k8s.io
resources:
- volumeattachments
verbs:
- get
- list
- watch
- update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-synology-democratic-csi-controller-rb
labels:
app.kubernetes.io/name: democratic-csi
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: csi-synology-democratic-csi-controller-cr
subjects:
- kind: ServiceAccount
name: csi-synology-democratic-csi-controller-sa
namespace: democratic-csi
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-synology-democratic-csi-node-rb
labels:
app.kubernetes.io/name: democratic-csi
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: csi-synology-democratic-csi-node-cr
subjects:
- kind: ServiceAccount
name: csi-synology-democratic-csi-node-sa
namespace: democratic-csi

73
democratic-csi/secrets.yaml Normal file
View File

@ -0,0 +1,73 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: csi-synology-democratic-csi-driver-config
namespace: democratic-csi
labels: &labels
app.kubernetes.io/name: synology-iscsi-driver-config
app.kubernetes.io/component: democratic-csi
app.kubernetes.io/part-of: democratic-csi
spec:
encryptedData:
synology.password: AgC6Ai4YXYUZZ0ve8MwzeWFb5QzLbCunHOhjela/TGCzPr48evXbj6wKKVIailXS2cpD948wQ9tEX5bK3ojlMIuuzjbux0ATpTuSN81JQPbvArINp9kYu/QK2Eg46tEk6f5W1VFVC2yYQySC9+7NLJRg8qk8gGUGUMt11mRcsyJ6iBnzEt+5xwK+adQB0/pHJPGGKKcOJY9ZUCdl+Q930ZvnSvrdZNcFKH1meFww7ujQ0NBV8ABpcJwEjJhfFi3tMBKpIPrYGsSVEmHYciwK2YLyeJ/Ao7GBIBKX5lIQl0aTi40oIsc3BV2ZTmM1a2ZuuQWg33+9/r3FaU6ZdYL84B9S+W6IG893yFH+22fcArxCzjVnb8oftzrl2J/M3UZhtL4vYakHjEVMqCm2hzHjGCAadXD1cs6xiqcl4mA40KbaEojxodZJyzlNBbTi4ZN4cIaIFO8FNYnewSXtYZBIUzgdNe65k9orpmaV+qpK4Q8Cd3uZg4RQwiygBPQE9BGSJ7cBc/dCqxevuZB1F1yOetpPlQgyIN6gixt6xzefPp0VWY1I1TI3kjLSRiRGWUK1NIL4J3TIdcBsuO8OXWh0D2c+n4/dIPX9peCN8COKXMwjBm9AHDZ1ImlnVZrAxzYCTPxtGRtJVp/4pW6aDWXCA7UWPdKroipw9FUAK64knqMoV7QS7c6Kw7cz2ajvAV84O/jNkRc7L20J35z30rSncH7l1/JV0XPOZh0XWE5068TQKQ==
template:
metadata:
name: csi-synology-democratic-csi-driver-config
namespace: democratic-csi
data:
driver-config-file.yaml: |
driver: synology-iscsi
httpConnection:
protocol: https
host: storage0.pyrocufflink.blue
port: 5001
username: democratic-csi
password: {{ index . "synology.password" }}
allowInsecure: true
session: democratic-csi
serialize: true
iscsi:
targetPortal: '[fd68:c2d2:500e:3ea3:8d42:e33e:264b:7c30]:3260'
baseiqn: iqn.2000-01.com.synology:csi.
lunTemplate:
type: BLUN
targetTemplate:
auth_type: 2 # 0: None; 1: CHAP; 2: Mutual CHAP
max_sessions: 0 # 0: Unlimited
chap: true
mutual_chap: true
lunSnapshotTemplate:
is_app_consistent: true
is_locked: true
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: synology-iscsi-provisioner
namespace: democratic-csi
spec:
encryptedData:
targetTemplate: AgDWYcaVFVlqHO1XCH0d0Okz2RHt1R1pc2ygTtP4ZYuc44IdfERzgGh9CWNbjY+Qf5K7kF4TOIwgRs1MLumaUg637VO7SYCl1kwWV6pZ/g4bLX1FGTl+XFIAH53EKxDD5nC9fl3VG46IA+dYBPoWFb0UYoI09eWHUg7vTRk1/0MTu19UPkc6VafhFXTfVNiUykF+264Ck3I9i9hMk3Buf9+E4qLHeyyfpMob7IRpdkz+ONYYrxHOGrwDgqFwcyiyliIYWjmOh/FV6kolffeNgSkXpWNNrLQOkkSOwUF6DalKiZd16nzLrvzKFWuDcdcRqxBBKaMUF/JK4BAkfi+MNRTaceCmoSkS21gVLbATb0L3Z7JaifdqRInPNMbkFYs+wILkozyJX0JANg4kuMBCW8GfPEMj9ck21dyeR+ucXcIc67GYS7L92d/ITZd2SWT6a6LRT1vBvroE8ybVf+3oOPUOtaSiZsZpNan2DO4kk/1ZD6clBvn5Cz0BqbVQxwwPSuGkvFXNpDX+xliN+QkohnWDQKi4cMvUqVUG7MyfbaCiGyXcH7enYxccBvIVVy6rXWXDtkzP4B30KeO7rfz0eDn7f+zYZPpwFE6TIorCNe+5zNC0uDwMKf7Csz3x78ZxXtYpdPpFpnboP5zWXhKZY4EfgiyV1HDoSAkzfC4zQV26DnH1nfN9OjYwNUdc75tw7VYuSWS8cEH71E9DdvcJv1XL0f7D5uV5RlGQP3sonWhFi73dLuqCNNwHtEOIV3XxJvN/gaoDRvQQMTosWK5pOs3CpiBGq+EYoM5KWZZhp29axSQ3NRefGoLwOsbeEg==
template:
metadata:
name: synology-iscsi-provisioner
namespace: democratic-csi
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: synology-iscsi-chap
namespace: democratic-csi
spec:
encryptedData:
node-db.node.session.auth.password: AgC2kAta4SiM1EcDAVdenwtKLGTrDJte1qSK3W8WO80zKycj54KBlWMvCLzala70/e1e26iRUWotgwUrrPQpYoAspR9kHIaGFccZvVh+JWJY1OIfCryvumN8jGk0ynN5IMo/ZTFTEE76XrEckvnRrZIcqb9K1RlpS5jRPA8vXDGBofXG4in/scZ08SNIsrELfcKvIsSZsYQF6aY3cQ+rcqePJBBG+5hDsu6qsBoib1tsfe2DoCZ2bYRu5BJFD6CneUTCcVvoBBYmMX+nS2Cvfz8OK+5H42q0W3Gzg6VJYrTsQ1PN5LLg5+xk6ENovw/PtohiwvP6RV9I2r6ev+RrrlWUPlC7XOD0qm2nUeG8D8J+9aP2prQ9zFgpuIZ//gIKKvMSsSJRZvSkbjJ6nrC9ViVmaC65dx89bYjr5vB+7Dm5ytQ6ars5rEpEexiPgGiobnCosn0wwMN1WP97VcpW8udqsticLSBFtANUUtnW2yZMRuVh7a2MutnlUXgODG+ZgkNaZE0cELfOynkhaf10aByuXIN1NX9VIdzfIbdZaIKvr0xKQSdKnbszoHQNOZieE4mXZ/w0BiiDilvyqtLP+3Maa+mFIjoo17zlf8PJD1dEUFckNUBJifVIV6vOHCKXO565IxyE9nNokXR7xkd6XEd3qefoV+9IpOt0NEkHehbSZzUy3JpyNbicdF1WyXb/uY9riacLptssZ4LF8eQ=
node-db.node.session.auth.password_in: AgCMw56LgARt7/dn2WhebQIv+uNLkGUxBkgbYOw+Po9eqgk622F7Y6pVWRAwicdPBM2cjnSrGjPO7nzgXhD0GIbW44WyvwM2w+n5klWmSC9prK+Orup3TMty2hKnSMLOR3rIfpUiRJ0NFvGkTvPzQ/ZDX3O4c88oG6UGVG3B4bQu6Kn5GJ5is2XAnh2dipBx18kLpEmL3hMMqpAy2x0qyf8vJxy39ZvAntk69ziliumqpxePecvbLPkkh2A1jwZR0guBDvBiksvoOyh+P7hTxj3ioVC3HZ4+i52tuvfqugo+INqKJfr15k6fA2cTFEHJ8kwkPtFQCA3bbvRAbcjl0malOIqBFBFwbJYvcauXZGP9m1uoMRni3FHn+1YkBdsvSnw66aYHc4gjN8VrLSziYH72TH8XJ6jEikeK5+nCN2+uhC+AetEUFcLCNM7sKXlS7pzIOQiZ3oB7FcQrsSUkt1Zjax5F6i0reRTdZd/qPLvt65NFwjG/a3yMLf141aHSRog+HGugm4/1A2USGmURmwGSVwAjfrK7b/dj3tMOG8BI4vVJ0UCyw65v0R9h4VEORyr4sXTgNx2+5HewEskDt3LyMzmw4Y6Sw2ftZmQxNEsSy+8BEF4zZj6foIAGuLShjI+4BR9aGnX4maL7IjR6cmj6qwinybfFYAMSx23Icw/aXUBgJ6Slgnd6l96g2RWcNGDxWM8Wq6p2W9VHvDY=
node-db.node.session.auth.username: AgBXplj0SXTinhqbpu5SvYJheYt9G4YNGE99UIi2F0n5QrCI7zvuuSQvA8EKCS5LQni+Og/wToJs1wLeUX4OstlQd3OvkpFDD+jrPVUDv04tlSeNJmaMrQe1pNk04GiLJKeDRRkG+9eTYSIKMsDLroofjHgiRH5wsBh0ncWDW1v5cNlpgq3EzgEQiKnL5zIPIXlHKkadZ9cvebtGoW7mGEnPI/QSnurhVfzEWCXCilxvyNDnBNIKK1rf79eDg1+ZecA0bvE2d7d1cfLhKG+Hd7JcRI0fxii+u1KTCBqbl6goCiCUi5KBfCMP45m7DTyMMPNSfsx9WVjR3ueEXucRGIfhTrV5Zo5Y+WY2c4MoW9XDw0JG/zzHJAOzd9CYk2b6EgEhJLXyHdhNp3JfN4lBpbM6r8RIoQTRImLH0BxytIXQ8kzMtJdkYt2rjV4ZR/fQB9UzGYBtLgWTrNbA+PgEBDB5nlVzbCXZ6uxfRadc2jv2fjGvzidIsfFOicrxWTQtnwSqbs8XAOydHU3Kk7Hrv8k22uaFETcz/tZI619wQL63SmA2igM0fBZcuc64Lx6wmzQBFA9CNKVuPHKFdPXM3s4GzrLqKMskAmDpYvtSlvSqsE2nv6sObS8Iyzm4o69V9+ma2LGD5bl6i7L2wiLlgvc8Ef+YviVzn8lVYqdKCce6F/5TQKNzvbdnJ0bJn6Q01CVHlYqbnyworsmf
node-db.node.session.auth.username_in: AgCT8KR/4GNoDa/TIv6YykoDaGKIP5yXkC/krWFYU5lBMSc3DreECmmow88/5xB4v+5dVt9eE7bJkgPqsUVNXlzDXpSSB/TS2iM/3sAd4ZHzZroTLIf+0QnDC2ZrybokcdmCjkFUgnDzJ9Vs+GqjUjL97LHPbTMc8ONwgiy6YmKLpc11V+JxWqSsKwGPM9ObdmI9rh/IZa19sksh86va3oqjDfElXEwKFkztV1f/NHCsWsuuov/Ku6Lisk5X0JIMKPTUUza0q3tZlJ/NotxNydHef+PA9R648XURQs/xp/hzrdttuMzxo7gT0YEsr8y9h7xlTPlR8we7/igjUMmS+ORRafg5m6PpHWanDxtHafhw9wfmvh0wEgXjC8Sz6Ub3Q9idBlHock60h+uyfsdlP3A2qMjdUXr0dFNBwXcGTaM/n5T18gO05/JSUv7CEdiuSlMnPjYzChAHDSCzxblk8CRDTcSjsSMvVBPjr5L+KQqGj3f6mm3lQnPwzXprS0//SsehRReAvbX5eGfd8Bu8nhRRtgEXvLqQdC7WxbWe0QjwB5ZRHt/4v5N1K8TXo8h6iZ6fcEtTfloMH07TitdwdYQm4uG7dfA7PA9KuqDs+R+phGFGWuzq1cMtp+hOJ6XpFgGyVhYAL/lyl3DddT1o9o7UhDCi4w7nSyxVamwyaGuUsF3lX2TyGVPjdGN1D5dlhRJ8YSPMDWOrZw==
template:
metadata:
name: synology-iscsi-chap
namespace: democratic-csi

20
democratic-csi/storageclass.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: synology-iscsi
allowVolumeExpansion: true
provisioner: org.democratic-csi.iscsi-synology
parameters:
fsType: xfs
csi.storage.k8s.io/provisioner-secret-name: synology-iscsi-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: democratic-csi
csi.storage.k8s.io/node-stage-secret-name: synology-iscsi-chap
csi.storage.k8s.io/node-stage-secret-namespace: democratic-csi
---
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
name: synology-iscsi
driver: org.democratic-csi.iscsi-synology
deletionPolicy: Delete

20
dynk8s-provisioner/dynk8s-provisioner.yaml
View File

@ -1,20 +1,3 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: dynk8s-provisioner-pvc
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner-pvc
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: dynk8s-provisioner
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
@ -70,8 +53,7 @@ spec:
serviceAccountName: dynk8s-provisioner serviceAccountName: dynk8s-provisioner
volumes: volumes:
- name: dynk8s-provisioner - name: dynk8s-provisioner
persistentVolumeClaim: emptyDir: {}
claimName: dynk8s-provisioner-pvc
--- ---
apiVersion: v1 apiVersion: v1

10
firefly-iii/kustomization.yaml
View File

@ -36,6 +36,16 @@ patches:
spec: spec:
template: template:
spec: spec:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
preference:
matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
containers: containers:
- name: firefly-iii - name: firefly-iii
volumeMounts: volumeMounts:

2
invoice-ninja/invoice-ninja.yaml
View File

@ -154,8 +154,6 @@ spec:
while sleep 60; do php artisan schedule:run; done while sleep 60; do php artisan schedule:run; done
env: *env env: *env
envFrom: *envFrom envFrom: *envFrom
securityContext:
readOnlyRootFilesystem: true
volumeMounts: *mounts volumeMounts: *mounts
enableServiceLinks: false enableServiceLinks: false
affinity: affinity:

170
jenkins/gentoo-storage.yaml
View File

@ -1,170 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: portage
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: portage
app.kubernetes.io/component: gentoo
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 4Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: binpkgs
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: binpkgs
app.kubernetes.io/component: gentoo
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: gentoo-dist
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: gentoo-dist
app.kubernetes.io/component: gentoo
data:
rsyncd.conf: |+
[gentoo-portage]
path = /var/db/repos/gentoo
[binpkgs]
path = /var/cache/binpkgs
---
apiVersion: v1
kind: Service
metadata:
name: gentoo-dist
namespace: jenkins-jobs
spec:
selector:
app.kubernetes.io/name: gentoo-dist
app.kubernetes.io/component: gentoo
ports:
- name: rsync
port: 873
targetPort: rsync
type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gentoo-dist
namespace: jenkins-jobs
labels: &labels
app.kubernetes.io/name: gentoo-dist
app.kubernetes.io/component: gentoo
spec:
selector:
matchLabels: *labels
template:
metadata:
labels: *labels
spec:
containers:
- name: rsync
image: docker.io/gentoo/stage3
command:
- /usr/bin/rsync
- --daemon
- --no-detach
- --port=8873
- --log-file=/dev/stderr
ports:
- name: rsync
containerPort: 8873
securityContext:
readOnlyRootFilesystem: true
runAsUser: 250
runAsGroup: 250
volumeMounts:
- mountPath: /etc/rsyncd.conf
name: config
subPath: rsyncd.conf
- mountPath: /var/db/repos/gentoo
name: portage
- mountPath: /var/cache/binpkgs
name: binpkgs
volumes:
- name: binpkgs
persistentVolumeClaim:
claimName: binpkgs
- name: config
configMap:
name: gentoo-dist
- name: portage
persistentVolumeClaim:
claimName: portage
---
apiVersion: batch/v1
kind: Job
metadata:
name: emerge-webrsync
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: emerge-webrsync
app.kubernetes.io/component: gentoo
spec:
template:
spec:
containers:
- name: sync
image: docker.io/gentoo/stage3
command:
- emerge-webrsync
volumeMounts:
- mountPath: /var/db/repos/gentoo
name: portage
restartPolicy: OnFailure
volumes:
- name: portage
persistentVolumeClaim:
claimName: portage
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: sync-portage
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: sync-portage
app.kubernetes.io/component: gentoo
spec:
schedule: 4 19 * * *
jobTemplate:
spec:
template:
spec:
containers:
- name: sync
image: docker.io/gentoo/stage3
command:
- emaint
- sync
volumeMounts:
- mountPath: /var/db/repos/gentoo
name: portage
restartPolicy: OnFailure
volumes:
- name: portage
persistentVolumeClaim:
claimName: portage

2
jenkins/kustomization.yaml
View File

@ -9,8 +9,8 @@ resources:
- jenkins.yaml - jenkins.yaml
- secrets.yaml - secrets.yaml
- iscsi.yaml - iscsi.yaml
- gentoo-storage.yaml
- ssh-host-keys - ssh-host-keys
- workspace-volume.yaml
patches: patches:
- patch: | - patch: |

15
jenkins/workspace-volume.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: buildroot-airplaypi
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: buildroot-airplaypi
app.kubernetes.io/component: jenkins
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100Gi
storageClassName: synology-iscsi

2
kitchen/kitchen.yaml
View File

@ -49,6 +49,8 @@ spec:
mountPath: /kitchen.yaml mountPath: /kitchen.yaml
subPath: config.yaml subPath: config.yaml
readOnly: true readOnly: true
nodeSelector:
kubernetes.io/arch: amd64
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
runAsUser: 17402 runAsUser: 17402

3
kitchen/secrets.yaml
View File

@ -48,8 +48,9 @@ spec:
calendar_url: >- calendar_url: >-
https://nextcloud.pyrocufflink.net/remote.php/dav/calendars/B53DE34E-D21F-46AA-B0F4-1EC0933AE220/projects_shared_by_332E433E-43B2-4E3D-A0A0-EB264C624707/ https://nextcloud.pyrocufflink.net/remote.php/dav/calendars/B53DE34E-D21F-46AA-B0F4-1EC0933AE220/projects_shared_by_332E433E-43B2-4E3D-A0A0-EB264C624707/
dtex: &dtex dtex: &dtex
<<: *credentials
calendar_url: >- calendar_url: >-
https://outlook.office365.com/owa/calendar/0f775a4f7bba4abe91d2684668b0b04f@dtexsystems.com/5f42742af8ae4f8daaa810e1efca6e9e8531195936760897056/S-1-8-960331003-2552388381-4206165038-1812416686/reachcalendar.ics https://nextcloud.pyrocufflink.net/remote.php/dav/calendars/B53DE34E-D21F-46AA-B0F4-1EC0933AE220/pyrocufflinknet-1/?export
agenda: agenda:
calendars: calendars:

8
snapshot-controller/kustomization.yaml Normal file
View File

@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
resources:
- https://github.com/kubernetes-csi/external-snapshotter//client/config/crd?ref=v8.3.0
- https://github.com/kubernetes-csi/external-snapshotter//deploy/kubernetes/snapshot-controller?ref=v8.3.0

3
victoria-metrics/alertmanager.yaml
View File

@ -70,6 +70,7 @@ spec:
- name: config - name: config
configMap: configMap:
name: alertmanager name: alertmanager
podManagementPolicy: Parallel
volumeClaimTemplates: volumeClaimTemplates:
- apiVersion: v1 - apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
@ -83,4 +84,4 @@ spec:
- ReadWriteOnce - ReadWriteOnce
resources: resources:
requests: requests:
storage: 4G storage: 500M

2
victoria-metrics/alerts.yml
View File

@ -246,7 +246,9 @@ groups:
- alert: Last Backup Age - alert: Last Backup Age
expr: >- expr: >-
time() - restic_backup_timestamp{ time() - restic_backup_timestamp{
client_hostname!="bw0.pyrocufflink.blue",
client_hostname!="luma.pyrocufflink.blue", client_hostname!="luma.pyrocufflink.blue",
client_hostname!="purplepi.hatch",
client_hostname!="toad.pyrocufflink.blue", client_hostname!="toad.pyrocufflink.blue",
}> 604800 }> 604800
annotations: annotations:

10
victoria-metrics/kustomization.yaml
View File

@ -216,6 +216,16 @@ patches:
- --cluster.peer=alertmanager-0.alertmanager:9094 - --cluster.peer=alertmanager-0.alertmanager:9094
- --cluster.peer=alertmanager-1.alertmanager:9094 - --cluster.peer=alertmanager-1.alertmanager:9094
- patch: |
- op: add
path: /spec/volumeClaimTemplates/0/spec/storageClassName
value: synology-iscsi
target:
group: apps
version: v1
kind: StatefulSet
name: alertmanager
- patch: | - patch: |
- op: add - op: add
path: /spec/volumeClaimTemplates/0/spec/storageClassName path: /spec/volumeClaimTemplates/0/spec/storageClassName

16
victoria-metrics/scrape.yml
View File

@ -522,3 +522,19 @@ scrape_configs:
target_label: instance target_label: instance
- target_label: __address__ - target_label: __address__
replacement: blackbox-exporter:9115 replacement: blackbox-exporter:9115
- job_name: music-assistant
metrics_path: /probe
params:
module:
- http
static_configs:
- targets:
- music.pyrocufflink.blue
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: blackbox-exporter:9115

17
victoria-metrics/vmagent.yaml
View File

@ -136,17 +136,6 @@ spec:
- name: config - name: config
configMap: configMap:
name: vmagent name: vmagent
volumeClaimTemplates: - name: tmpdata
- apiVersion: v1 emptyDir: {}
kind: PersistentVolumeClaim podManagementPolicy: Parallel
metadata:
name: tmpdata
labels:
app.kubernetes.io/name: vmagent
app.kubernetes.io/component: vmagent
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 4G