Merge remote-tracking branch 'upstream/main' into main

Author: mrnicegyu11

charts/Makefile

@@ -27,9 +27,9 @@ helmfile-lint: .check-helmfile-installed helmfile.yaml ## Lints the helmfile
 .helmfile-local-post-install: ## Post install steps for local helmfile deployment
 	@$(MAKE) -s configure-local-hosts
 	@echo "";
-	@echo "Cluster has been deployed locally: http://$(MACHINE_FQDN)";
+	@echo "Cluster has been deployed locally: https://$(MACHINE_FQDN)";
 	@echo "    For secure connections self-signed certificates are used.";
-	@echo "
+	@echo "";
 
 .PHONY: helmfile-apply
 helmfile-apply: .check-helmfile-installed helmfile.yaml ## Applies the helmfile configuration
@@ -41,7 +41,7 @@ helmfile-apply: .check-helmfile-installed helmfile.yaml ## Applies the helmfile
 	fi
 
 .PHONY: helmfile-sync
-helmfile-sync: .check-helmfile-installed helmfile.yaml ## Syncs the helmfile configuration
+helmfile-sync: .check-helmfile-installed helmfile.yaml ## Syncs the helmfile configuration (use `helmfile-apply` to deploy the app)
 	set -a; source $(REPO_CONFIG_LOCATION); set +a; \
 	helmfile -f $(REPO_BASE_DIR)/charts/helmfile.yaml sync
 
@@ -64,3 +64,10 @@ helmfile-diff: .check-helmfile-installed helmfile.yaml ## Shows the differences
 helmfile-delete: .check-helmfile-installed helmfile.yaml ## Deletes the helmfile configuration
 	@set -a; source $(REPO_CONFIG_LOCATION); set +a; \
 	helmfile -f $(REPO_BASE_DIR)/charts/helmfile.yaml delete
+
+.PHONY: up
+up: helmfile-apply ## Start the stack
+
+.PHONY: leave
+leave: ## Leaves kind cluster
+	kind delete clusters kind

charts/adminer/values.yaml.gotmpl

@@ -49,6 +49,7 @@ ingress:
   enabled: true
   className: ""
   annotations:
+    namespace: {{ .Release.Namespace }}
     cert-manager.io/cluster-issuer: "cert-issuer"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
   tls:

charts/cert-manager/values.selfsigned.yaml.gotmpl

@@ -22,6 +22,12 @@ extraObjects:
       "helm.sh/hook": post-install,post-upgrade
       "helm.sh/hook-weight": "1"
   spec:
+    secretTemplate:
+      annotations:
+        reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+        reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: ""  # Control destination namespaces: emptystring means all
+        reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" # Auto create reflection for matching namespaces
+        reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "" # Control auto-reflection namespaces
     isCA: true
     commonName: local-ca
     subject:

charts/portainer/values.yaml.gotmpl

@@ -0,0 +1,68 @@
+# Default values for adminer.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: portainer/portainer-ce
+  pullPolicy: IfNotPresent
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: portainer-sa-clusteradmin
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext:
+  {}
+
+securityContext:
+  {}
+
+service:
+  type: "ClusterIP"
+  port: 9000
+
+ingress:
+  enabled: true
+  className: ""
+  annotations:
+    namespace: {{ .Release.Namespace }}
+    cert-manager.io/cluster-issuer: "cert-issuer"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.middlewares: traefik-traefik-basic-auth@kubernetescrd,traefik-portainer-strip-prefix@kubernetescrd  # namespace + middleware name
+  tls:
+    - hosts:
+        - {{ requiredEnv "K8S_MONITORING_FQDN" }}
+      secretName: monitoring-tls
+  hosts:
+    - host: {{ requiredEnv "K8S_MONITORING_FQDN" }}
+      paths:
+        - path: /portainer
+          pathType: Prefix
+          backend:
+            service:
+              name: portainer
+              port:
+                number: 9000
+
+
+resources:
+  limits:
+    cpu: 2
+    memory: 1024Mi
+  requests:
+    cpu: 0.1
+    memory: 128Mi
+
+nodeSelector:
+  ops: "true"

charts/traefik/values.insecure.yaml.gotmpl

@@ -3,11 +3,12 @@ extraObjects:
   kind: Service
   metadata:
     name: traefik-api
+    namespace: {{.Release.Namespace}}
   spec:
     type: ClusterIP
     selector:
       app.kubernetes.io/name: traefik
-      app.kubernetes.io/instance: traefik-default
+      app.kubernetes.io/instance: {{.Release.Namespace}}-traefik
     ports:
     - port: 8080
       name: traefik
@@ -17,7 +18,7 @@ extraObjects:
   kind: Secret
   metadata:
     name: traefik-authorized-users
-    namespace: default
+    namespace: {{.Release.Namespace}}
   data:
     users: |2
       {{ requiredEnv "TRAEFIK_K8S_AUTHORIZED_USER" }}
@@ -28,20 +29,31 @@ extraObjects:
   spec:
     basicAuth:
       secret: traefik-authorized-users  # https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
+- apiVersion: traefik.io/v1alpha1
+  kind: Middleware
+  metadata:
+    name: portainer-strip-prefix
+    namespace: {{.Release.Namespace}}
+  spec:
+    stripPrefix:
+      prefixes:
+      - /portainer
 - apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: traefik-dashboard
+    namespace: {{.Release.Namespace}}
     annotations:
       traefik.ingress.kubernetes.io/router.entrypoints: web,websecure  # allow http(s) for local deployment
-      traefik.ingress.kubernetes.io/router.middlewares: default-traefik-basic-auth@kubernetescrd  # namespace + middleware name
+      traefik.ingress.kubernetes.io/router.middlewares: {{.Release.Namespace}}-traefik-basic-auth@kubernetescrd  # namespace + middleware name
+      cert-manager.io/cluster-issuer: "cert-issuer"
   spec:
     tls:
-    - hosts:
-        - k8s.monitoring.{{ requiredEnv "MACHINE_FQDN" }}
-      secretName: monitoring-tls
+      - hosts:
+          - {{ requiredEnv "K8S_MONITORING_FQDN" }}
+        secretName: monitoring-tls
     rules:
-    - host: k8s.monitoring.{{ requiredEnv "MACHINE_FQDN" }}
+    - host: {{ requiredEnv "K8S_MONITORING_FQDN" }}
       http:
         paths:
         - path: /dashboard
@@ -51,7 +63,7 @@ extraObjects:
               name: traefik-api
               port:
                 name: traefik
-    - host: k8s.monitoring.{{ requiredEnv "MACHINE_FQDN" }}
+    - host: {{ requiredEnv "K8S_MONITORING_FQDN" }}
       http:
         paths:
         - path: /api

charts/traefik/values.secure.yaml.gotmpl

@@ -10,11 +10,12 @@ extraObjects:
   kind: Service
   metadata:
     name: traefik-api
+    namespace: {{.Release.Namespace}}
   spec:
     type: ClusterIP
     selector:
       app.kubernetes.io/name: traefik
-      app.kubernetes.io/instance: traefik-default
+      app.kubernetes.io/instance: {{.Release.Namespace}}-traefik
     ports:
     - port: 8080
       name: traefik
@@ -25,7 +26,7 @@ extraObjects:
   kind: Secret
   metadata:
     name: traefik-authorized-users
-    namespace: default
+    namespace: {{.Release.Namespace}}
   data:
     users: |2
       {{ requiredEnv "TRAEFIK_K8S_AUTHORIZED_USER" }}
@@ -34,10 +35,19 @@ extraObjects:
   kind: Middleware
   metadata:
     name: traefik-basic-auth
+    namespace: {{.Release.Namespace}}
   spec:
     basicAuth:
       secret: traefik-authorized-users  # https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
-
+- apiVersion: traefik.io/v1alpha1
+  kind: Middleware
+  metadata:
+    name: portainer-strip-prefix
+    namespace: {{.Release.Namespace}}
+  spec:
+    stripPrefix:
+      prefixes:
+      - /portainer
 - apiVersion: traefik.io/v1alpha1
   kind: Middleware
   metadata:
@@ -53,9 +63,11 @@ extraObjects:
   kind: Ingress
   metadata:
     name: traefik-dashboard
+    namespace: {{.Release.Namespace}}
     annotations:
       traefik.ingress.kubernetes.io/router.entrypoints: websecure
-      traefik.ingress.kubernetes.io/router.middlewares: default-traefik-basic-auth@kubernetescrd
+      traefik.ingress.kubernetes.io/router.middlewares: {{.Release.Namespace}}-traefik-basic-auth@kubernetescrd # namespace + middleware name
+      cert-manager.io/cluster-issuer: "cert-issuer"
   spec:
     tls:
     - hosts:

charts/traefik/values.webinternal.yaml.gotmpl

@@ -9,4 +9,4 @@ ports:
     http3:
       enabled: false
     middlewares:
-      - default-internal-ipallowlist@kubernetescrd
+      - {{.Release.Namespace}}-internal-ipallowlist@kubernetescrd

scripts/kind_config.yaml

@@ -10,3 +10,6 @@ nodes:
         hostPort: 443
       - containerPort: 32443
         hostPort: 8443  ## handle traefik [interal] http --> https redirect
+    labels:
+      ops: "true"
+      simcore: "true"