Added auto-proxy

Makefile

@@ -47,7 +47,19 @@ ci:
 
 .PHONY: release # Release the latest version of the application
 release:
-	@cd terraform && terraform apply -auto-approve
+	@cd terraform && terraform apply -auto-approve && \
+		kubectx admin@clusterfun-scaleway && \
+		cd ../tekton && \
+		kubectl apply -f ./1-Install/ && \
+		kubectl apply -f ./2-Setup/ && \
+		kubectl apply -f ./bindings/ && \
+		kubectl apply -f ./conditions/ && \
+		kubectl apply -f ./eventlisteners/ && \
+		kubectl apply -f ./pipelines/ && \
+		kubectl apply -f ./tasks/ && \
+		kubectl apply -f ./triggertemplates/ && \
+		cd ../manifests && \
+		kubectl apply -f ./
 
 .PHONY: help # Show this list of commands
 help:

manifests/11-year-anniversary/11-year-anniversary.yaml

@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: docker-config
+  namespace: anniversary
+  annotations:
+    kube-1password: i6ngbk5zf4k52xgwdwnfup5bby
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: .dockerconfigjson
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: e30=
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: anniversary
+  namespace: anniversary
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: anniversary
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: anniversary
+  namespace: anniversary
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: anniversary
+  template:
+    metadata:
+      labels:
+        app: anniversary
+    spec:
+      imagePullSecrets:
+        - name: docker-config
+      containers:
+      - name: web
+        image: docker.cluster.fun/private/11-year-anniversary:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 80
+          name: web
+        resources:
+          limits:
+            memory: 283Mi
+          requests:
+            memory: 283Mi
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: anniversary
+  namespace: anniversary
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - 11-year-anniversary.marcusnoble.co.uk
+    secretName: anniversary-ingress
+  rules:
+  - host: 11-year-anniversary.marcusnoble.co.uk
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: anniversary
+          servicePort: 80

manifests/_apps/11-year-anniversary.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: anniversary
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: anniversary
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/11-year-anniversary
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/_apps/auth-proxy.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: auth-proxy
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: cluster.fun
+  destination:
+    namespace: inlets
+    name: cluster-fun (scaleway)
+  source:
+    path: manifests/auth-proxy
+    repoURL: "https://git.cluster.fun/AverageMarcus/cluster.fun.git"
+    targetRevision: HEAD
+  syncPolicy:
+    # automated: {}
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    jsonPointers:
+    - /data

manifests/auth-proxy/auth-proxy.yaml

@@ -1,13 +1,8 @@
 apiVersion: v1
-kind: Namespace
-metadata:
-  name: cctv
----
-apiVersion: v1
 kind: Secret
 metadata:
-  name: cctv-auth
-  namespace: cctv
+  name: auth-proxy
+  namespace: inlets
   annotations:
     kube-1password: mr6spkkx7n3memkbute6ojaarm
     kube-1password/vault: Kubernetes
@@ -16,19 +11,19 @@ type: Opaque
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: cctv-auth
-  namespace: cctv
+  name: auth-proxy
+  namespace: inlets
   labels:
-    app: cctv-auth
+    app: auth-proxy
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: cctv-auth
+      app: auth-proxy
   template:
     metadata:
       labels:
-        app: cctv-auth
+        app: auth-proxy
     spec:
       containers:
       - args:
@@ -37,12 +32,12 @@ spec:
         - --provider-display-name=Auth0
         - --upstream=http://inlets.inlets.svc.cluster.local
         - --http-address=$(HOST_IP):8080
-        - --redirect-url=https://cctv.cluster.fun/oauth2/callback
         - --email-domain=*
         - --pass-basic-auth=false
         - --pass-access-token=false
         - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
-        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
+        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
+        - --cookie-expire=336h0m0s
         env:
         - name: HOST_IP
           valueFrom:
@@ -53,13 +48,13 @@ spec:
           valueFrom:
             secretKeyRef:
               key: username
-              name: cctv-auth
+              name: auth-proxy
         - name: OAUTH2_PROXY_CLIENT_SECRET
           valueFrom:
             secretKeyRef:
               key: password
-              name: cctv-auth
-        image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
+              name: auth-proxy
+        image: quay.io/oauth2-proxy/oauth2-proxy:v6.1.1
         name: oauth-proxy
         ports:
         - containerPort: 8080
@@ -73,10 +68,10 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: cctv-auth
-  namespace: cctv
+  name: auth-proxy
+  namespace: inlets
   labels:
-    app: cctv-auth
+    app: auth-proxy
 spec:
   ports:
   - name: http
@@ -84,31 +79,5 @@ spec:
     protocol: TCP
     targetPort: 8080
   selector:
-    app: cctv-auth
+    app: auth-proxy
   type: ClusterIP
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: cctv-auth
-  namespace: cctv
-  labels:
-    app: cctv-auth
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - cctv.cluster.fun
-    secretName: cctv-ingress
-  rules:
-  - host: cctv.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: cctv-auth
-          servicePort: 80

manifests/base64/base64.yaml

@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: base64
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: base64
+  namespace: base64
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: base64
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: base64
+  namespace: base64
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: base64
+  template:
+    metadata:
+      labels:
+        app: base64
+    spec:
+      imagePullSecrets:
+        - name: docker-config
+      containers:
+      - name: web
+        image: docker.cluster.fun/averagemarcus/base64:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 80
+          name: web
+        resources:
+          limits:
+            memory: 10Mi
+          requests:
+            memory: 10Mi
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: base64
+  namespace: base64
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - base64.cluster.fun
+    secretName: base64-ingress
+  rules:
+  - host: base64.cluster.fun
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: base64
+          servicePort: 80

manifests/cctv/cctv.yaml

@@ -0,0 +1,25 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: cctv-auth
+  namespace: inlets
+  labels:
+    app: cctv-auth
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - cctv.cluster.fun
+    secretName: cctv-ingress
+  rules:
+  - host: cctv.cluster.fun
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: auth-proxy
+          servicePort: 80

manifests/code-server/code-server.yaml

@@ -0,0 +1,23 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: code
+  namespace: inlets
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - code.cluster.fun
+    secretName: code-ingress
+  rules:
+  - host: code.cluster.fun
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: auth-proxy
+          servicePort: 80

manifests/downloads/downloads.yaml

@@ -0,0 +1,25 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: downloads-auth
+  namespace: inlets
+  labels:
+    app: downloads-auth
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - downloads.cluster.fun
+    secretName: downloads-ingress
+  rules:
+  - host: downloads.cluster.fun
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: auth-proxy
+          servicePort: 80

manifests/feed-fetcher/feed-fetcher.yaml

@@ -0,0 +1,69 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: feed-fetcher
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: feed-fetcher
+  namespace: feed-fetcher
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: feed-fetcher
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: feed-fetcher
+  namespace: feed-fetcher
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: feed-fetcher
+  template:
+    metadata:
+      labels:
+        app: feed-fetcher
+    spec:
+      containers:
+      - name: web
+        image: docker.cluster.fun/averagemarcus/feed-fetcher:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8080
+          name: web
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: feed-fetcher
+  namespace: feed-fetcher
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - feed-fetcher.cluster.fun
+    secretName: feed-fetcher-ingress
+  rules:
+  - host: feed-fetcher.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: feed-fetcher
+            port:
+              number: 80
+

manifests/git-sync/git-sync.yaml

@@ -0,0 +1,94 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: git-sync
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-sync-github
+  namespace: git-sync
+  annotations:
+    kube-1password: cfo2ufhgem57clbscxetxgevue
+    kube-1password/vault: Kubernetes
+    kube-1password/password-key: token
+type: Opaque
+data:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-sync-gitea
+  namespace: git-sync
+  annotations:
+    kube-1password: b7kpdlcvt7y63bozu3i4j4lojm
+    kube-1password/vault: Kubernetes
+    kube-1password/password-key: token
+type: Opaque
+data:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-sync-gitlab
+  namespace: git-sync
+  annotations:
+    kube-1password: t47v3xdgadiifgoi4wmqibrlty
+    kube-1password/vault: Kubernetes
+    kube-1password/password-key: token
+type: Opaque
+data:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-sync-bitbucket
+  namespace: git-sync
+  annotations:
+    kube-1password: adrki45krr2tq34sug7dhdk5iy
+    kube-1password/vault: Kubernetes
+    kube-1password/password-key: token
+type: Opaque
+data:
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: git-sync
+  namespace: git-sync
+spec:
+  schedule: "0 */1 * * *"
+  concurrencyPolicy: Forbid
+  failedJobsHistoryLimit: 1
+  successfulJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      backoffLimit: 1
+      template:
+        spec:
+          containers:
+          - name: sync
+            image: docker.cluster.fun/averagemarcus/git-sync:latest
+            imagePullPolicy: Always
+            env:
+            - name: GITHUB_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: git-sync-github
+                  key: token
+            - name: GITEA_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: git-sync-gitea
+                  key: token
+            - name: GITLAB_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: git-sync-gitlab
+                  key: token
+            - name: BITBUCKET_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: git-sync-bitbucket
+                  key: token
+          restartPolicy: Never

manifests/gitea/gitea.yaml

@@ -47,7 +47,7 @@ spec:
     spec:
       containers:
       - name: git
-        image: gitea/gitea:1.11
+        image: gitea/gitea:1.12.3
         env:
         - name: APP_NAME
           value: "Git"

manifests/goplayground/goplayground.yaml

@@ -0,0 +1,66 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: goplayground
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: goplayground
+  namespace: goplayground
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: goplayground
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: goplayground
+  namespace: goplayground
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: goplayground
+  template:
+    metadata:
+      labels:
+        app: goplayground
+    spec:
+      containers:
+      - name: web
+        image: x1unix/go-playground:1.6.2
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 8000
+          name: web
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: goplayground
+  namespace: goplayground
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - go.cluster.fun
+    secretName: goplayground-ingress
+  rules:
+  - host: go.cluster.fun
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: goplayground
+          servicePort: 80
+

manifests/harbor_chart/harbor_chart.yaml

@@ -23,7 +23,7 @@ spec:
   chart:
     repository: https://helm.goharbor.io
     name: harbor
-    version: 1.3.2
+    version: 1.5.3
   maxHistory: 4
   skipCRDs: false
   valuesFrom:
@@ -33,6 +33,8 @@ spec:
       key: values.yaml
       optional: false
   values:
+    updateStrategy:
+      type: Recreate
     portal:
       resources:
         requests:
@@ -54,4 +56,3 @@ spec:
         resources:
           requests:
             memory: 64Mi
-

manifests/inlets/inlets.yaml

@@ -49,7 +49,7 @@ spec:
     spec:
       containers:
       - name: inlets
-        image: inlets/inlets:2.7.0
+        image: inlets/inlets:2.7.6
         imagePullPolicy: Always
         command: ["inlets"]
         args:
@@ -81,7 +81,7 @@ spec:
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
-  name: pyload
+  name: home-assistant
   namespace: inlets
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt
@@ -91,10 +91,50 @@ metadata:
 spec:
   tls:
   - hosts:
-    - pyload.cluster.fun
-    secretName: pyload-ingress
+    - home.cluster.fun
+    secretName: home-assistant-ingress
   rules:
-  - host: pyload.cluster.fun
+  - host: home.cluster.fun
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: inlets
+          servicePort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: downloads-rpc
+  namespace: inlets
+  labels:
+    app: inlets
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      protocol: TCP
+      targetPort: 8000
+  selector:
+    app: inlets
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: vpn-check
+  namespace: inlets
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - vpn-check.cluster.fun
+    secretName: vpn-check-ingress
+  rules:
+  - host: vpn-check.cluster.fun
     http:
       paths:
       - path: /

manifests/jackett/jackett.yaml

@@ -0,0 +1,25 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: jackett-auth
+  namespace: inlets
+  labels:
+    app: jackett-auth
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - jackett.cluster.fun
+    secretName: jackett-ingress
+  rules:
+  - host: jackett.cluster.fun
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: auth-proxy
+          servicePort: 80

manifests/kube-janitor/kube-janitor.yaml

@@ -88,7 +88,7 @@ spec:
           - --interval=15
           - --rules-file=/config/rules.yaml
           - --include-namespaces=tekton-pipelines
-          - --include-resources=pods
+          - --include-resources=pods,pipelineruns,taskruns
         resources:
           limits:
             memory: 100Mi

manifests/linx-server.yaml

@@ -1,114 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: linx-server
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: linx-server
-  namespace: linx-server
-data:
-  linx-server.conf: |-
-    sitename = share
-    maxsize = 524288000
-    maxexpiry = 0
-    selifpath = f
-    nologs = false
-    force-random-filename = false
-    s3-endpoint = https://s3.fr-par.scw.cloud
-    s3-region = fr-par
-    s3-bucket = cluster.fun-linx
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: linx-server-s3
-  namespace: linx-server
-  annotations:
-    kube-1password: d5dgclm3qrxd4fntivv26ec3ee
-    kube-1password/vault: Kubernetes
-type: Opaque
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: linx-server
-  namespace: linx-server
-spec:
-  type: ClusterIP
-  ports:
-  - port: 80
-    targetPort: web
-    name: web
-  selector:
-    app: linx-server
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: linx-server
-  namespace: linx-server
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      app: linx-server
-  template:
-    metadata:
-      labels:
-        app: linx-server
-    spec:
-      containers:
-      - name: web
-        image: andreimarcu/linx-server:version-2.3.5
-        imagePullPolicy: Always
-        args:
-          - -config
-          - /config/linx-server.conf
-        ports:
-        - containerPort: 8080
-          name: web
-        env:
-          - name: AWS_ACCESS_KEY_ID
-            valueFrom:
-              secretKeyRef:
-                name: linx-server-s3
-                key: username
-          - name: AWS_SECRET_ACCESS_KEY
-            valueFrom:
-              secretKeyRef:
-                name: linx-server-s3
-                key: password
-        volumeMounts:
-          - name: config
-            mountPath: /config
-      volumes:
-        - name: config
-          configMap:
-            name: linx-server
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: linx-server
-  namespace: linx-server
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - share.cluster.fun
-    secretName: linx-server-ingress
-  rules:
-  - host: share.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: linx-server
-          servicePort: 80

manifests/loki_chart.yaml

@@ -1,175 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: logging
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: grafana-credentials
-  namespace: logging
-  annotations:
-    kube-1password: wpynfxkdipeeacyfxkvtdsuj54
-    kube-1password/vault: Kubernetes
-type: Opaque
----
-apiVersion: helm.fluxcd.io/v1
-kind: HelmRelease
-metadata:
-  name: loki
-  namespace: logging
-spec:
-  chart:
-    repository: https://grafana.github.io/loki/charts
-    name: loki-stack
-    version: 0.36.2
-  maxHistory: 4
-  skipCRDs: false
-  values:
-    fluent-bit:
-      enabled: "true"
-    promtail:
-      enabled: "true"
-    loki:
-      persistence:
-        enabled: "true"
-        size: 10Gi
-
----
-apiVersion: helm.fluxcd.io/v1
-kind: HelmRelease
-metadata:
-  name: grafana
-  namespace: logging
-spec:
-  chart:
-    repository: https://kubernetes-charts.storage.googleapis.com
-    name: grafana
-    version: 5.0.22
-  maxHistory: 4
-  skipCRDs: false
-  values:
-    image:
-      tag: 7.0.0
-    admin:
-      existingSecret: "grafana-credentials"
-      userKey: username
-      passwordKey: password
-    persistence:
-      enabled: "false"
-    datasources:
-      datasources.yaml:
-        apiVersion: 1
-        datasources:
-        - name: Loki
-          type: loki
-          url: http://logging-loki.logging:3100
-          access: proxy
-          jsonData:
-            maxLines: 1000
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: grafana-auth
-  namespace: logging
-  annotations:
-    kube-1password: mr6spkkx7n3memkbute6ojaarm
-    kube-1password/vault: Kubernetes
-type: Opaque
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: grafana-auth
-  namespace: logging
-  labels:
-    app: grafana-auth
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: grafana-auth
-  template:
-    metadata:
-      labels:
-        app: grafana-auth
-    spec:
-      containers:
-      - args:
-        - --cookie-secure=false
-        - --provider=oidc
-        - --provider-display-name=Auth0
-        - --upstream=http://logging-grafana.logging.svc.cluster.local
-        - --http-address=$(HOST_IP):8080
-        - --redirect-url=https://grafana.cluster.fun/oauth2/callback
-        - --email-domain=marcusnoble.co.uk
-        - --pass-basic-auth=false
-        - --pass-access-token=false
-        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
-        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQN
-        env:
-        - name: HOST_IP
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: status.podIP
-        - name: OAUTH2_PROXY_CLIENT_ID
-          valueFrom:
-            secretKeyRef:
-              key: username
-              name: grafana-auth
-        - name: OAUTH2_PROXY_CLIENT_SECRET
-          valueFrom:
-            secretKeyRef:
-              key: password
-              name: grafana-auth
-        image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
-        name: oauth-proxy
-        ports:
-        - containerPort: 8080
-          protocol: TCP
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: grafana-auth
-  namespace: logging
-  labels:
-    app: grafana-auth
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: grafana-auth
-  type: ClusterIP
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: grafana-auth
-  namespace: logging
-  labels:
-    app: grafana-auth
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - grafana.cluster.fun
-    secretName: grafana-ingress
-  rules:
-  - host: grafana.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: grafana-auth
-          servicePort: 80

manifests/matrix_chart/matrix_chart.yaml

@@ -21,13 +21,13 @@ spec:
       serverName: "matrix.cluster.fun"
       telemetry: false
       hostname: "matrix.cluster.fun"
-      presence: true
+      presence: "true"
       blockNonAdminInvites: false
-      search: true
+      enableSearch: "true"
       adminEmail: "matrix@marcusnoble.co.uk"
       uploads:
-        maxSize: 100M
-        maxPixels: 32M
+        maxSize: 500M
+        maxPixels: 64M
       federation:
         enabled: false
         allowPublicRooms: false
@@ -47,7 +47,7 @@ spec:
       urlPreviews:
         enabled: true
         rules:
-          maxSize: 4M
+          maxSize: 10M
           ip:
             blacklist:
               - '127.0.0.0/8'
@@ -74,7 +74,7 @@ spec:
     synapse:
       image:
         repository: "matrixdotorg/synapse"
-        tag: v1.12.4
+        tag: v1.16.1
         pullPolicy: IfNotPresent
       service:
         type: ClusterIP
@@ -111,7 +111,7 @@ spec:
       permalinkPrefix: "https://chat.cluster.fun"
       image:
         repository: "vectorim/riot-web"
-        tag: v1.6.0
+        tag: v1.7.18
         pullPolicy: IfNotPresent
       service:
         type: ClusterIP

manifests/nextcloud_chart/nextcloud_chart.yaml

@@ -23,9 +23,9 @@ metadata:
   namespace: nextcloud
 spec:
   chart:
-    repository: https://kubernetes-charts.storage.googleapis.com
+    repository: https://nextcloud.github.io/helm/
     name: nextcloud
-    version: 1.10.0
+    version: 2.5.5
   maxHistory: 5
   valuesFrom:
   - secretKeyRef:
@@ -35,7 +35,8 @@ spec:
       optional: false
   values:
     image:
-      tag: 18-apache
+      tag: 19.0.8-apache
+      pullPolicy: Always
     ingress:
       enabled: true
       annotations:

manifests/nodered/nodered.yaml

@@ -73,7 +73,7 @@ spec:
             mountPath: /data
       containers:
       - name: web
-        image: nodered/node-red:latest-12
+        image: nodered/node-red:1.1.3-12
         imagePullPolicy: Always
         ports:
         - containerPort: 1880

manifests/outline/outline.yaml

@@ -0,0 +1,124 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: outline
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: outline
+  namespace: outline
+  annotations:
+    kube-1password: maouivotrbgydslnsukbjrwgja
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: .env
+type: Opaque
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: outline
+  namespace: outline
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: outline
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: outline
+  namespace: outline
+spec:
+  selector:
+    matchLabels:
+      app: outline
+  serviceName: outline
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: outline
+    spec:
+      containers:
+      - name: postgres
+        image: postgres:9-alpine
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 5432
+          name: db
+        env:
+        - name: POSTGRES_USER
+          value: user
+        - name: POSTGRES_PASSWORD
+          value: pass
+        - name: POSTGRES_DB
+          value: outline
+        - name: PGDATA
+          value: /var/lib/postgresql/data/outline
+        volumeMounts:
+        - name: data
+          mountPath: /var/lib/postgresql/data
+      - name: redis
+        image: redis:6
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 6379
+          name: redis
+      - name: outline
+        image: docker.cluster.fun/averagemarcus/outline:latest
+        imagePullPolicy: Always
+        command:
+          - sh
+          - -c
+          - |
+            sleep 10 && yarn sequelize db:migrate && yarn build && yarn start
+        ports:
+        - containerPort: 3000
+          name: web
+        volumeMounts:
+          - mountPath: /opt/outline/.env
+            subPath: .env
+            name: outline-env
+            readOnly: true
+      volumes:
+        - name: outline-env
+          secret:
+            secretName: outline
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 5Gi
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: outline
+  namespace: outline
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - outline.cluster.fun
+    secretName: outline-ingress
+  rules:
+  - host: outline.cluster.fun
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: outline
+          servicePort: 80

manifests/paradoxfox/paradoxfox.yaml

@@ -0,0 +1,128 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: paradoxfox
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: docker-config
+  namespace: paradoxfox
+  annotations:
+    kube-1password: i6ngbk5zf4k52xgwdwnfup5bby
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: .dockerconfigjson
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: e30=
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: etsy-token
+  namespace: paradoxfox
+  annotations:
+    kube-1password: akkchysgrvhawconx63plt3xgy
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: password
+stringData:
+  password: ""
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: paradoxfox
+  namespace: paradoxfox
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: 443
+    name: web
+  selector:
+    app: paradoxfox
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: paradoxfox
+  namespace: paradoxfox
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: paradoxfox
+  template:
+    metadata:
+      labels:
+        app: paradoxfox
+    spec:
+      imagePullSecrets:
+        - name: docker-config
+      containers:
+      - name: web
+        image: docker.cluster.fun/private/paradoxfox:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 443
+          name: web
+        env:
+          - name: ETSY_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: etsy-token
+                key: password
+        resources:
+          limits:
+            memory: 200Mi
+          requests:
+            memory: 200Mi
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: paradoxfox
+  namespace: paradoxfox
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - paradoxfox.space
+    secretName: paradoxfox-ingress
+  rules:
+  - host: paradoxfox.space
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: paradoxfox
+          servicePort: 80
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: paradoxfox-www
+  namespace: paradoxfox
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - www.paradoxfox.space
+    secretName: paradoxfox-www-ingress
+  rules:
+  - host: www.paradoxfox.space
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: paradoxfox
+          servicePort: 80

manifests/printer/printer.yaml

@@ -0,0 +1,26 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: printer-auth
+  namespace: inlets
+  labels:
+    app: printer-auth
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - printer.cluster.fun
+    secretName: printer-ingress
+  rules:
+  - host: printer.cluster.fun
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: auth-proxy
+          servicePort: 80
+

manifests/radarr/radarr.yaml

@@ -0,0 +1,25 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: radarr
+  namespace: inlets
+  labels:
+    app: radarr
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - radarr.cluster.fun
+    secretName: radarr-ingress
+  rules:
+  - host: radarr.cluster.fun
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: auth-proxy
+          servicePort: 80

manifests/rss.yaml

@@ -1,105 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: rss
----
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: rss
-  namespace: rss
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: rss
-  namespace: rss
-spec:
-  type: ClusterIP
-  ports:
-  - port: 80
-    targetPort: 8080
-    name: web
-  selector:
-    app: rss
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: rss
-  namespace: rss
-  labels:
-    app: rss
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: rss
-  template:
-    metadata:
-      labels:
-        app: rss
-    spec:
-      securityContext:
-        fsGroup: 1000
-      dnsConfig:
-        options:
-          - name: ndots
-            value: "2"
-      containers:
-      - name: web
-        image: mdswanson/stringer
-        env:
-        - name: SECRET_TOKEN
-          value: inward-popcorn-decamp-epsilon
-        - name: PORT
-          value: "8080"
-        - name: DATABASE_URL
-          value: sqlite3:/data/stringer.db
-        ports:
-        - containerPort: 8080
-          name: web
-        resources:
-          limits:
-            memory: 308Mi
-          requests:
-            memory: 308Mi
-        volumeMounts:
-          - mountPath: /data
-            name: storage
-      volumes:
-      - name: storage
-        persistentVolumeClaim:
-          claimName: rss
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: rss
-  namespace: rss
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
-    traefik.ingress.kubernetes.io/redirect-entry-point: https
-    traefik.ingress.kubernetes.io/redirect-permanent: "true"
-spec:
-  tls:
-  - hosts:
-    - rss.cluster.fun
-    secretName: rss-ingress
-  rules:
-  - host: rss.cluster.fun
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: rss
-          servicePort: 80
-
----

manifests/rss/rss.yaml

@@ -1,44 +1,76 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: downloads
+  name: rss
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: rss-db
+  namespace: rss
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: downloads-auth
-  namespace: downloads
+  name: rss-auth
+  namespace: rss
   annotations:
     kube-1password: mr6spkkx7n3memkbute6ojaarm
     kube-1password/vault: Kubernetes
 type: Opaque
 ---
+apiVersion: v1
+kind: Service
+metadata:
+  name: rss-new
+  namespace: rss
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: 8000
+    name: web
+  selector:
+    app: rss
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: downloads-auth
-  namespace: downloads
+  name: rss
+  namespace: rss
   labels:
-    app: downloads-auth
+    app: rss
 spec:
   replicas: 1
+  strategy:
+    type: Recreate
   selector:
     matchLabels:
-      app: downloads-auth
+      app: rss
   template:
     metadata:
       labels:
-        app: downloads-auth
+        app: rss
     spec:
+      dnsConfig:
+        options:
+          - name: ndots
+            value: "2"
       containers:
       - args:
         - --cookie-secure=false
         - --provider=oidc
         - --provider-display-name=Auth0
-        - --upstream=http://inlets.inlets.svc.cluster.local
-        - --http-address=$(HOST_IP):8080
-        - --redirect-url=https://downloads.cluster.fun/oauth2/callback
-        - --email-domain=*
+        - --upstream=http://localhost:8080
+        - --http-address=$(HOST_IP):8000
+        - --redirect-url=https://rss.cluster.fun/oauth2/callback
+        - --email-domain=marcusnoble.co.uk
         - --pass-basic-auth=false
         - --pass-access-token=false
         - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
@@ -53,47 +85,50 @@ spec:
           valueFrom:
             secretKeyRef:
               key: username
-              name: downloads-auth
+              name: rss-auth
         - name: OAUTH2_PROXY_CLIENT_SECRET
           valueFrom:
             secretKeyRef:
               key: password
-              name: downloads-auth
+              name: rss-auth
         image: quay.io/oauth2-proxy/oauth2-proxy:v5.1.1
         name: oauth-proxy
         ports:
-        - containerPort: 8080
+        - containerPort: 8000
           protocol: TCP
         resources:
           limits:
-            memory: 250Mi
+            memory: 125Mi
           requests:
-            memory: 250Mi
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: downloads-auth
-  namespace: downloads
-  labels:
-    app: downloads-auth
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: 8080
-  selector:
-    app: downloads-auth
-  type: ClusterIP
+            memory: 125Mi
+      - name: web
+        image: docker.cluster.fun/averagemarcus/gopherss:latest
+        env:
+        - name: PORT
+          value: "8080"
+        - name: DB_PATH
+          value: /data/feeds.db
+        ports:
+        - containerPort: 8080
+          name: web
+        resources:
+          limits:
+            memory: 308Mi
+          requests:
+            memory: 308Mi
+        volumeMounts:
+          - mountPath: /data
+            name: storage
+      volumes:
+      - name: storage
+        persistentVolumeClaim:
+          claimName: rss-db
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
-  name: downloads-auth
-  namespace: downloads
-  labels:
-    app: downloads-auth
+  name: rss
+  namespace: rss
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt
     traefik.ingress.kubernetes.io/frontend-entry-points: http,https
@@ -102,14 +137,15 @@ metadata:
 spec:
   tls:
   - hosts:
-    - downloads.cluster.fun
-    secretName: downloads-ingress
+    - rss.cluster.fun
+    secretName: rss-ingress
   rules:
-  - host: downloads.cluster.fun
+  - host: rss.cluster.fun
     http:
       paths:
       - path: /
         backend:
-          serviceName: downloads-auth
+          serviceName: rss-new
           servicePort: 80
 
+---

manifests/sonarr/sonarr.yaml

@@ -0,0 +1,25 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: sonarr
+  namespace: inlets
+  labels:
+    app: sonarr
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - sonarr.cluster.fun
+    secretName: sonarr-ingress
+  rules:
+  - host: sonarr.cluster.fun
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: auth-proxy
+          servicePort: 80

manifests/svg-to-dxf/svg-to-dxf.yaml

@@ -0,0 +1,68 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: svg-to-dxf
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: svg-to-dxf
+  namespace: svg-to-dxf
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: svg-to-dxf
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: svg-to-dxf
+  namespace: svg-to-dxf
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: svg-to-dxf
+  template:
+    metadata:
+      labels:
+        app: svg-to-dxf
+    spec:
+      containers:
+      - name: web
+        image: docker.cluster.fun/averagemarcus/svg-to-dxf:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8080
+          name: web
+        resources:
+          requests:
+            memory: 100Mi
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: svg-to-dxf
+  namespace: svg-to-dxf
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - svg-to-dxf.cluster.fun
+    secretName: svg-to-dxf-ingress
+  rules:
+  - host: svg-to-dxf.cluster.fun
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: svg-to-dxf
+          servicePort: 80

manifests/talks/talks.yaml

@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: talks
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: talks
+  namespace: talks
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: talks
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: talks
+  namespace: talks
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: talks
+  template:
+    metadata:
+      labels:
+        app: talks
+    spec:
+      containers:
+      - name: web
+        image: docker.cluster.fun/averagemarcus/talks:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 80
+          name: web
+        resources:
+          limits:
+            memory: 100Mi
+          requests:
+            memory: 100Mi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: talks
+  namespace: talks
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - talks.marcusnoble.co.uk
+    secretName: talks-ingress
+  rules:
+  - host: talks.marcusnoble.co.uk
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: talks
+            port:
+              number: 80
+

manifests/til/til.yaml

@@ -0,0 +1,71 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: til
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: til
+  namespace: til
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: web
+    name: web
+  selector:
+    app: til
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: til
+  namespace: til
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: til
+  template:
+    metadata:
+      labels:
+        app: til
+    spec:
+      containers:
+      - name: web
+        image: docker.cluster.fun/averagemarcus/til:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 80
+          name: web
+        resources:
+          limits:
+            memory: 100Mi
+          requests:
+            memory: 100Mi
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: til
+  namespace: til
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - til.marcusnoble.co.uk
+    secretName: til-ingress
+  rules:
+  - host: til.marcusnoble.co.uk
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: til
+          servicePort: 80
+

manifests/traefik-lb/traefik-lb.yaml

@@ -46,7 +46,7 @@ spec:
         - --defaultentrypoints=http,https
         - --entrypoints=Name:https Address::443 TLS
         - --entrypoints=Name:http Address::80
-        - --accesslog
+        - --accesslog=true
         - --accesslog.format=json
         image: docker.io/traefik:1.7
         imagePullPolicy: IfNotPresent

manifests/transmission/transmission.yaml

@@ -0,0 +1,25 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: transmission
+  namespace: inlets
+  labels:
+    app: transmission
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - transmission.cluster.fun
+    secretName: transmission-ingress
+  rules:
+  - host: transmission.cluster.fun
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: auth-proxy
+          servicePort: 80

manifests/tweetsvg/tweetsvg.yaml

@@ -0,0 +1,96 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tweetsvg
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tweetsvg
+  namespace: tweetsvg
+  annotations:
+    kube-1password: dmjtjxrcpqtmeddq5x7zikj37i
+    kube-1password/vault: Kubernetes
+    kube-1password/secret-text-key: .env
+type: Opaque
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tweetsvg
+  namespace: tweetsvg
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: 8080
+    name: web
+  selector:
+    app: tweetsvg
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tweetsvg
+  namespace: tweetsvg
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: tweetsvg
+  template:
+    metadata:
+      labels:
+        app: tweetsvg
+    spec:
+      containers:
+      - name: web
+        image: docker.cluster.fun/averagemarcus/tweetsvg:latest
+        imagePullPolicy: Always
+        # env:
+        # - name: DOTENV_DIR
+        #   value: /config/
+        ports:
+        - containerPort: 8080
+          name: web
+        resources:
+          limits:
+            memory: 100Mi
+          requests:
+            memory: 100Mi
+        volumeMounts:
+          - name: dotenv
+            mountPath: /app/.env
+            subPath: .env
+      volumes:
+      - name: dotenv
+        secret:
+          secretName: tweetsvg
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: tweetsvg
+  namespace: tweetsvg
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - tweet.cluster.fun
+    secretName: tweetsvg-ingress
+  rules:
+  - host: tweet.cluster.fun
+    http:
+      paths:
+      - path: /
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: tweetsvg
+            port:
+              number: 80
+

manifests/twitter-profile-pic/twitter-profile-pic.yaml

@@ -111,3 +111,28 @@ spec:
         backend:
           serviceName: twitter-profile-pic
           servicePort: 80
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: twitter-profile-pic-cluster-fun
+  namespace: twitter-profile-pic
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/frontend-entry-points: http,https
+    traefik.ingress.kubernetes.io/redirect-entry-point: https
+    traefik.ingress.kubernetes.io/redirect-permanent: "true"
+spec:
+  tls:
+  - hosts:
+    - twitter-profile-pic.cluster.fun
+    secretName: twitter-profile-pic-cluster-fun-ingress
+  rules:
+  - host: twitter-profile-pic.cluster.fun
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: twitter-profile-pic
+          servicePort: 80

tekton/tasks/docker-build-and-publish.yaml

@@ -8,17 +8,13 @@ spec:
   - name: DOCKERFILE
     type: string
     description: The path to the dockerfile to build
-    default: /Dockerfile
+    default: Dockerfile
   - name: CONTEXT
     type: string
     description: The build context used by Docker.
-    default: ./
+    default: .
   - name: IMAGE
     type: string
-    description: Name (reference) of the image to build.
-  - name: EXTRA_ARGS
-    type: string
-    default: ""
   resources:
     inputs:
     - name: src
@@ -29,24 +25,35 @@ spec:
   steps:
   - name: build-and-push
     workingDir: /workspace/src
-    image: gcr.io/kaniko-project/executor:latest
+    image: moby/buildkit:latest
     env:
     - name: DOCKER_CONFIG
-      value: /kaniko/.docker
+      value: /root/.docker
     command:
-    - /kaniko/executor
-    - $(params.EXTRA_ARGS)
-    - --dockerfile=/workspace/src/$(params.DOCKERFILE)
-    - --context=/workspace/src/$(params.CONTEXT)
-    - --destination=$(params.IMAGE)
-    - --oci-layout-path=/workspace/src/image-digest
-    - --digest-file=/tekton/results/IMAGE_DIGEST
-    - --cache=true
+      - sh
+      - -c
+      - |
+        PLATFORMS=$(grep 'PLATFORMS ?= ' Makefile | sed -E 's/^PLATFORMS \?= (.+)$/\1/')
+        if [ -z $PLATFORMS ]; then
+          PLATFORMS=linux/amd64
+        fi
+
+        buildctl-daemonless.sh --debug \
+          build \
+          --progress=plain \
+          --frontend=dockerfile.v0 \
+          --opt filename=$(params.DOCKERFILE) \
+          --opt platform=${PLATFORMS} \
+          --local context=$(params.CONTEXT) \
+          --local dockerfile=. \
+          --output type=image,name=$(params.IMAGE),push=true \
+          --export-cache type=inline \
+          --import-cache type=registry,ref=$(params.IMAGE)
     securityContext:
-      runAsUser: 0
+      privileged: true
     volumeMounts:
       - name: docker-config
-        mountPath: /kaniko/.docker/config.json
+        mountPath: /root/.docker/config.json
         subPath: config.json
   volumes:
     - name: docker-config

terraform/bucket.tf

@@ -7,11 +7,11 @@ output "bucket_id" {
   value = scaleway_object_bucket.kubernetes.id
 }
 
-resource "scaleway_object_bucket" "linx" {
-  name = "cluster.fun-linx"
+resource "scaleway_object_bucket" "outline" {
+  name = "cluster.fun-outline"
   acl  = "private"
 }
 
-output "linx-bucket_id" {
-  value = scaleway_object_bucket.linx.id
+output "outline-bucket_id" {
+  value = scaleway_object_bucket.outline.id
 }

terraform/kubernetes-charts.tf

@@ -1,30 +1,9 @@
-provider "helm" {
-  kubernetes {
-    load_config_file = false
-    host             = scaleway_k8s_cluster_beta.k8s-cluster.kubeconfig[0].host
-    token            = scaleway_k8s_cluster_beta.k8s-cluster.kubeconfig[0].token
-    cluster_ca_certificate = base64decode(
-      scaleway_k8s_cluster_beta.k8s-cluster.kubeconfig[0].cluster_ca_certificate
-    )
-  }
-}
-
-data "helm_repository" "stable" {
-  name = "stable"
-  url  = "https://kubernetes-charts.storage.googleapis.com"
-}
-
-data "helm_repository" "fluxcd" {
-  name = "fluxcd"
-  url  = "https://charts.fluxcd.io"
-}
-
 resource "helm_release" "helm-operator" {
   name       = "helm-operator"
-  repository = data.helm_repository.fluxcd.metadata[0].name
+  repository = "https://charts.fluxcd.io"
   chart      = "helm-operator"
 
-  max_history = 4
+  max_history = 3
 
   set {
     name  = "helm.versions"

terraform/kubernetes-cluster.tf

@@ -1,7 +1,7 @@
 resource "scaleway_k8s_cluster_beta" "k8s-cluster" {
   name             = "cluster-fun"
   description      = ""
-  version          = "1.18.3"
+  version          = "1.20"
   cni              = "weave"
   enable_dashboard = false
   ingress          = "traefik"

terraform/kubernetes-manifests.tf

@@ -1,31 +0,0 @@
-provider "kubectl" {
-  load_config_file = false
-  host             = scaleway_k8s_cluster_beta.k8s-cluster.kubeconfig[0].host
-  token            = scaleway_k8s_cluster_beta.k8s-cluster.kubeconfig[0].token
-  cluster_ca_certificate = base64decode(
-    scaleway_k8s_cluster_beta.k8s-cluster.kubeconfig[0].cluster_ca_certificate
-  )
-}
-
-resource "kubectl_manifest" "manifests" {
-  for_each  = fileset(path.module, "../manifests/*")
-  yaml_body = file(each.key)
-}
-
-
-resource "kubectl_manifest" "tekton-install" {
-  for_each  = fileset(path.module, "../tekton/1-Install/*")
-  yaml_body = file(each.key)
-}
-
-resource "kubectl_manifest" "tekton-setup" {
-  for_each  = fileset(path.module, "../tekton/2-Setup/*")
-  yaml_body = file(each.key)
-}
-
-
-resource "kubectl_manifest" "tekton" {
-  for_each  = fileset(path.module, "../tekton/{bindings,conditions,eventlisteners,pipelines,tasks,triggertemplates}/*")
-  yaml_body = file(each.key)
-}
-

terraform/provider.tf

@@ -3,3 +3,14 @@ provider "scaleway" {
   region          = "fr-par"
   organization_id = "5c1e5e2a-a6cd-4eb3-907f-2a83a29668fc"
 }
+
+provider "helm" {
+  kubernetes {
+    load_config_file = false
+    host             = scaleway_k8s_cluster_beta.k8s-cluster.kubeconfig[0].host
+    token            = scaleway_k8s_cluster_beta.k8s-cluster.kubeconfig[0].token
+    cluster_ca_certificate = base64decode(
+      scaleway_k8s_cluster_beta.k8s-cluster.kubeconfig[0].cluster_ca_certificate
+    )
+  }
+}

terraform/versions.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    helm = {
+      source  = "hashicorp/helm"
+      version = "1.3.2"
+    }
+    scaleway = {
+      source  = "scaleway/scaleway"
+      version = "1.17.2"
+    }
+  }
+  required_version = ">= 0.13"
+}