(fleet/netbox) Deploy netbox on Kueyen

fleet/lib/netbox/README.md

@@ -0,0 +1,59 @@
+# NetBox Kubernetes Deployment
+
+## Overview
+
+NetBox is an Infrastructure Resource Modeling (IRM) application designed to empower network automation. This deployment provides a production-ready NetBox instance on Kubernetes using Helm charts and Fleet configuration management.
+
+## Architecture
+
+- **Chart**: netbox v6.1.5 from <https://charts.netbox.oss.netboxlabs.com/>
+- **Namespace**: netbox
+- **Components**: Web application, worker processes, PostgreSQL database, Valkey cache
+- **Ingress**: NGINX with Let's Encrypt TLS certificates
+
+## Configuration
+
+### Core Settings
+
+- **Timezone**: America/Santiago
+- **Superuser**: <[email protected]>
+- **Change Log Retention**: 90 days
+- **Job Retention**: 90 days
+- **GraphQL**: Enabled
+- **Login Required**: False
+
+### Security
+
+- Non-root container execution (UID/GID: 1000)
+- Read-only root filesystem
+- Dropped capabilities
+- Runtime security profile enabled
+- External secret management via Kubernetes secrets
+
+### Storage
+
+- **Persistence**: Disabled (ephemeral storage)
+- **PostgreSQL**: 20Gi persistent storage (rook-ceph-block)
+- **Media/Reports/Scripts**: Stored in ephemeral volumes
+
+### Resources
+
+| Component | CPU Request | Memory Request | CPU Limit | Memory Limit |
+|-----------|-------------|----------------|-----------|--------------|
+| NetBox    | 500m        | 1Gi            | 1000m     | 2Gi          |
+| Worker    | 500m        | 1Gi            | 1000m     | 2Gi          |
+| PostgreSQL| 250m        | 512Mi          | 500m      | 1Gi          |
+
+## Access
+
+NetBox is accessible via dynamically generated hostnames based on cluster configuration:
+
+```bash
+https://netbox.{cluster-name}.{site}.lsst.org
+```
+
+## Maintenance
+
+- **Housekeeping**: Daily automated cleanup (00:00 UTC)
+- **Job History**: 5 successful/failed jobs retained
+- **Monitoring**: Available via cluster monitoring stack

fleet/lib/netbox/base/externalsecret-netbox-keycloak.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: netbox-keycloak
+  namespace: netbox
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: netbox-keycloak
+    creationPolicy: Owner
+  data:
+    - secretKey: SOCIAL_AUTH_KEYCLOAK_KEY
+      remoteRef:
+        key: &item netbox-keycloak-sso
+        property: client-id
+    - secretKey: SOCIAL_AUTH_KEYCLOAK_SECRET
+      remoteRef:
+        key: *item
+        property: client-secret

fleet/lib/netbox/base/externalsecret-netbox-postgresql.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: netbox-postgresql
+  namespace: netbox
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: netbox-postgresql
+    creationPolicy: Owner
+  data:
+    - secretKey: password
+      remoteRef:
+        key: &item netbox-postgresql
+        property: password
+    - secretKey: postgres-password
+      remoteRef:
+        key: *item
+        property: postgres-password

fleet/lib/netbox/base/externalsecret-netbox-secrets.yaml

@@ -0,0 +1,33 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: netbox-secrets
+  namespace: netbox
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: netbox-secrets
+    creationPolicy: Owner
+  data:
+    - secretKey: username
+      remoteRef:
+        key: &item netbox-secrets
+        property: username
+    - secretKey: password
+      remoteRef:
+        key: *item
+        property: password
+    - secretKey: email
+      remoteRef:
+        key: *item
+        property: email
+    - secretKey: api_token
+      remoteRef:
+        key: *item
+        property: apiToken
+    - secretKey: secret-key
+      remoteRef:
+        key: *item
+        property: secretKey

fleet/lib/netbox/base/externalsecret-netbox-valkey.yaml

@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: netbox-valkey
+  namespace: netbox
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: netbox-valkey
+    creationPolicy: Owner
+  data:
+    - secretKey: valkey-password
+      remoteRef:
+        key: &item netbox-valkey
+        property: password

fleet/lib/netbox/base/kustomization.yaml

@@ -0,0 +1,12 @@
+---
+resources:
+  - externalsecret-netbox-secrets.yaml
+  - externalsecret-netbox-valkey.yaml
+  - externalsecret-netbox-postgresql.yaml
+  - externalsecret-netbox-keycloak.yaml
+
+patches:
+  - path: netbox-plugin-init-patch.yaml
+    target:
+      kind: Deployment
+      name: netbox

fleet/lib/netbox/base/netbox-plugin-init-patch.yaml

@@ -0,0 +1,51 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: netbox
+spec:
+  template:
+    spec:
+      # Add shared volume for plugins
+      volumes:
+        - name: plugins-volume
+          emptyDir: {}
+      # Init container to install slurpit_netbox plugin
+      initContainers:
+        - name: install-plugins
+          image: python:3.11-slim
+          command:
+            - /bin/bash
+            - -c
+            - |
+              set -e
+              echo "Installing slurpit_netbox plugin..."
+
+              # Install pip if not available
+              python -m ensurepip --upgrade
+
+              # Install the slurpit_netbox plugin to shared volume
+              pip install --target /opt/plugins slurpit_netbox
+
+              echo "Plugin installation completed"
+              ls -la /opt/plugins/
+          volumeMounts:
+            - name: plugins-volume
+              mountPath: /opt/plugins
+          resources:
+            requests:
+              cpu: 100m
+              memory: 256Mi
+            limits:
+              cpu: 500m
+              memory: 512Mi
+      containers:
+        - name: netbox
+          # Mount the plugins volume
+          volumeMounts:
+            - name: plugins-volume
+              mountPath: /opt/netbox/plugins
+          # Update PYTHONPATH to include plugins directory
+          env:
+            - name: PYTHONPATH
+              value: "/opt/netbox/plugins:/opt/netbox"

fleet/lib/netbox/fleet.yaml

@@ -0,0 +1,17 @@
+---
+defaultNamespace: &name netbox
+labels:
+  bundle: *name
+namespaceLabels:
+  lsst.io/discover: "true"
+kustomize:
+  dir: base
+helm:
+  chart: &chart netbox
+  releaseName: *chart
+  repo: https://charts.netbox.oss.netboxlabs.com/
+  version: 6.1.5
+  timeoutSeconds: 600
+  waitForJobs: true
+  valuesFiles:
+    - values.yaml