(fleet/netbox) Deploy netbox on Kueyen

Author: gseriche

fleet/lib/netbox/externalsecret-netbox-secrets.yaml

@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: netbox-secrets
+  namespace: netbox
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: netbox-secrets
+    creationPolicy: Owner
+  data:
+    - secretKey: username
+      remoteRef:
+        key: &item netbox-secrets
+        property: username
+    - secretKey: password
+      remoteRef:
+        key: *item
+        property: password
+    - secretKey: email
+      remoteRef:
+        key: *item
+        property: email
+    - secretKey: api_token
+      remoteRef:
+        key: *item
+        property: apiToken

fleet/lib/netbox/externalsecret-netbox-valkey.yaml

@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: netbox-secrets
+  namespace: netbox
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: netbox-valkey
+    creationPolicy: Owner
+  data:
+    - secretKey: valkey-password
+      remoteRef:
+        key: &item netbox-valkey
+        property: password

fleet/lib/netbox/fleet.yaml

@@ -0,0 +1,15 @@
+---
+defaultNamespace: &name netbox
+labels:
+  bundle: *name
+namespaceLabels:
+  lsst.io/discover: "true"
+helm:
+  chart: &chart netbox
+  releaseName: *chart
+  repo: https://charts.netbox.oss.netboxlabs.com/
+  version: 6.1.5
+  timeoutSeconds: 600
+  waitForJobs: true
+  valuesFiles:
+    - values.yaml

fleet/lib/netbox/values.yaml

@@ -0,0 +1,168 @@
+nameOverride: netbox
+clusterDomain: cluster.local
+
+superuser:
+  name: admin
+  email: [email protected]
+  existingSecret: netbox-secrets
+
+
+allowedHosts:
+  - netbox.${ get .ClusterLabels "management.cattle.io/cluster-display-name" }.${ .ClusterLabels.site }.lsst.org
+
+allowedHostsIncludesPodIP: false
+
+admins:
+  - [Admin User, [email protected]]
+
+allowTokenRetrieval: false
+
+changelogRetention: 90
+
+debug: false
+
+enforceGlobalUnique: true
+
+graphQlEnabled: true
+
+internalIPs: [127.0.0.1]
+
+jobRetention: 90
+
+loginRequired: false
+
+loginTimeout: 1209600
+
+maxPageSize: 1000
+
+paginateCount: 50
+
+secretKey: ZspyW4PeL9Nbo4rRznuNDKRUBJNGBbzwnidraj4m3mobekEbefPALeQjXKVz
+
+timeZone: America/Santiago
+
+replicaCount: 1
+
+persistence:
+  enabled: true
+  storageClass: rook-ceph-block  # Ajusta según tu proveedor de almacenamiento
+  accessMode: ReadWriteOnce
+  size: 10Gi
+  annotations: {}
+
+reportsPersistence:
+  enabled: true
+  storageClass: rook-ceph-block
+  accessMode: ReadWriteOnce
+  size: 1Gi
+  annotations: {}
+
+scriptsPersistence:
+  enabled: true
+  storageClass: rook-ceph-block
+  accessMode: ReadWriteOnce
+  size: 1Gi
+  annotations: {}
+
+resourcesPreset: medium
+resources:
+  requests:
+    cpu: 500m
+    memory: 1Gi
+  limits:
+    cpu: 1000m
+    memory: 2Gi
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: Always
+
+securityContext:
+  enabled: true
+  runAsUser: 1000
+  runAsGroup: 1000
+  runAsNonRoot: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop: [ALL]
+  seccompProfile:
+    type: RuntimeDefault
+
+## @section Traffic Exposure Parameters
+
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    nginx.ingress.kubernetes.io/client-body-buffer-size: 10m
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
+  hosts:
+    - host: netbox.${ get .ClusterLabels "management.cattle.io/cluster-display-name" }.${ .ClusterLabels.site }.lsst.org
+      paths:
+        - /
+  tls:
+    - secretName: netbox-tls
+      hosts:
+        - netbox.${ get .ClusterLabels "management.cattle.io/cluster-display-name" }.${ .ClusterLabels.site }.lsst.org
+
+valkey:
+  enabled: true
+  auth:
+    existingSecret: netbox-valkey
+    existingSecretPasswordKey: valkey-password
+
+## @section Worker for Netbox parameters
+
+worker:
+  enabled: true
+  replicaCount: 1
+  resourcesPreset: medium
+  resources:
+    requests:
+      cpu: 500m
+      memory: 1Gi
+    limits:
+      cpu: 1000m
+      memory: 2Gi
+  podSecurityContext:
+    enabled: true
+    fsGroup: 1000
+    fsGroupChangePolicy: Always
+  securityContext:
+    enabled: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
+    privileged: false
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: [ALL]
+    seccompProfile:
+      type: RuntimeDefault
+
+## @section Cron housekeeping job parameters
+
+housekeeping:
+  enabled: true
+  schedule: 0 0 * * *
+  successfulJobsHistoryLimit: 5
+  failedJobsHistoryLimit: 5
+  resourcesPreset: medium
+  resources:
+    requests:
+      cpu: 500m
+      memory: 1Gi
+    limits:
+      cpu: 1000m
+      memory: 2Gi
+
+extraEnvs:
+  - name: DB_WAIT_DEBUG
+    value: "1"

fleet/s/dev/c/kueyen/netbox

@@ -0,0 +1 @@
+../../../../lib/netbox