From d2d8efc00fb040ab08262ffbb5ffbdc191c0b767 Mon Sep 17 00:00:00 2001 From: Vojtech Mares Date: Thu, 21 Nov 2024 20:50:06 +0100 Subject: [PATCH 01/10] refactor(cilium): disable envoy proxy (l7Proxy=false) --- CHANGELOG.md | 6 ++++++ apps/system/cilium.yaml | 3 +++ 2 files changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a3260fb..ca16833 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Changelog +## [0.3.0] - 2024-11-21 + +### Changed + +- Disable Cilium Envoy (`l7Proxy=false`) + ## [0.2.0] - 2024-11-20 ### Changed diff --git a/apps/system/cilium.yaml b/apps/system/cilium.yaml index a3194ee..dce9867 100644 --- a/apps/system/cilium.yaml +++ b/apps/system/cilium.yaml @@ -31,3 +31,6 @@ spec: kubeProxyReplacement: true k8sServiceHost: "172.16.1.1" # internal IP (Hetzner Cloud Network) k8sServicePort: "6443" + + # Disable Envoy proxy + l7Proxy: false From d3b40c4621f70d15291f227f2e8307f0d943c394 Mon Sep 17 00:00:00 2001 From: Vojtech Mares Date: Thu, 21 Nov 2024 21:27:57 +0100 Subject: [PATCH 02/10] feat(apps): add harbor --- apps/hq/harbor.yaml | 63 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 apps/hq/harbor.yaml diff --git a/apps/hq/harbor.yaml b/apps/hq/harbor.yaml new file mode 100644 index 0000000..a3e6ee9 --- /dev/null +++ b/apps/hq/harbor.yaml 
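Review bot: `l7Proxy: false` switches off more than the Envoy process: Cilium enforces the L7 parts of a CiliumNetworkPolicy (HTTP/Kafka rules) through that proxy and, as far as I recall the agent, DNS-aware `toFQDNs` rules depend on the same flag, so any policy carrying such rules silently stops being enforced at L7 rather than being rejected. The added comment `# Disable Envoy proxy` says what the line does but not why or at what cost; I would write it as `# Disable Envoy/L7 proxy: HTTP (and DNS-aware) policy rules are no longer enforced — no L7 policies are in use on this cluster`, assuming that is in fact the case. The enclosing mapping (presumably `valuesObject`) starts outside the hunk; the hunk appends at the end of the file.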
@@ -0,0 +1,63 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: mareshq-registry
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "50"
+spec:
+ project: hq
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ destination:
+ server: "https://kubernetes.default.svc"
+ namespace: hq-registry
+ source:
+ chart: harbor
+ repoURL: https://helm.goharbor.io
+ targetRevision: 1.16.0
+ helm:
+ releaseName: harbor
+ valuesObject:
+ externalURL: https://registry.marespkg.com
+ expose:
+ type: ingress
+ tls:
+ enabled: true
+ certSource: secret
+ secret:
+ secretName: registry-marespkg-com-ingress-tls
+ ingress:
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-dns-production
+ external-dns.alpha.kubernetes.io/hostname: registry.marespkg.com
+ external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+ hosts:
+ core: registry.marespkg.com
+ database:
+ type: external
+ external:
+ host: postgres-rw.postgres.svc
+ port: 5432
+ username: harbor
+ password: "YFC0tae.bpz2ncf!rye"
+ # existingSecret: harbor-user-credentials
+ coreDatabase: harbor
+ persistence:
+ enabled: false
+ imageChartStorage:
+ type: s3
+ s3:
+ region: us-east-1 # see: https://developers.cloudflare.com/r2/api/s3/api/#bucket-region
+ bucket: marespkg-registry-storage
+ regionendpoint: https://f24333bb3c47d6db753e57e2a0c90082.r2.cloudflarestorage.com
+ accesskey: "e9d400c4f63375cc94f6f125724f3aa6"
+ secretkey: "5e1da29e9ab131c1c312add4bda82a4bdb75c4afe0f69c40dd384c5f0a6f8120"
+
+ metrics:
+ enabled: false
From 2ae71fd3f5a0285f567550660fa5a5e38426e332 Mon Sep 17 00:00:00 2001
From: Vojtech Mares
Date: Fri, 22 Nov 2024 23:40:29 +0100
Subject: [PATCH 03/10] refactor(harbor): change ingress url to oci.marespkg.com
---
 apps/hq/harbor.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/apps/hq/harbor.yaml b/apps/hq/harbor.yaml
index a3e6ee9..aef47dd 100644
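Review bot: The new manifest commits live credentials in clear text — `password` under `database.external` and the R2 `accesskey`/`secretkey` under `imageChartStorage.s3` — both into git history and into the Argo CD Application object in the cluster, where anyone able to read Applications in the `argocd` namespace can see them. The commented-out `# existingSecret: harbor-user-credentials` line already names the chart's mechanism: move the database password into a Kubernetes Secret and set `existingSecret: harbor-user-credentials`, and do the same for the S3 credentials (the chart's `s3` block accepts an `existingSecret` as well, if I recall its values file correctly). Since these values are now in the history, treat them as exposed and rotate the Postgres password and the R2 token regardless of how the manifest is fixed. `persistence.enabled: false` combined with S3 storage also leaves jobservice and trivy on ephemeral volumes, which may be intended but deserves a one-line comment.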
--- a/apps/hq/harbor.yaml +++ b/apps/hq/harbor.yaml @@ -23,22 +23,22 @@ spec: helm: releaseName: harbor valuesObject: - externalURL: https://registry.marespkg.com + externalURL: https://oci.marespkg.com expose: type: ingress tls: enabled: true certSource: secret secret: - secretName: registry-marespkg-com-ingress-tls + secretName: oci-marespkg-com-ingress-tls ingress: className: nginx annotations: cert-manager.io/cluster-issuer: letsencrypt-dns-production - external-dns.alpha.kubernetes.io/hostname: registry.marespkg.com + external-dns.alpha.kubernetes.io/hostname: oci.marespkg.com external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" hosts: - core: registry.marespkg.com + core: oci.marespkg.com database: type: external external: From 77db56c406fb9f73b017b333a12254291dca3bfd Mon Sep 17 00:00:00 2001 From: Vojtech Mares Date: Fri, 22 Nov 2024 23:45:10 +0100 Subject: [PATCH 04/10] refactor(harbor): add nodeSelectors to all Harbor components --- apps/hq/harbor.yaml | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/apps/hq/harbor.yaml b/apps/hq/harbor.yaml index aef47dd..93dce97 100644 --- a/apps/hq/harbor.yaml +++ b/apps/hq/harbor.yaml @@ -58,6 +58,27 @@ spec: regionendpoint: https://f24333bb3c47d6db753e57e2a0c90082.r2.cloudflarestorage.com accesskey: "e9d400c4f63375cc94f6f125724f3aa6" secretkey: "5e1da29e9ab131c1c312add4bda82a4bdb75c4afe0f69c40dd384c5f0a6f8120" - metrics: enabled: false + nginx: + nodeSelector: + kubernetes.io/arch: amd64 + portal: + nodeSelector: + kubernetes.io/arch: amd64 + core: + nodeSelector: + kubernetes.io/arch: amd64 + jobservice: + nodeSelector: + kubernetes.io/arch: amd64 + registry: + nodeSelector: + kubernetes.io/arch: amd64 + trivy: + nodeSelector: + kubernetes.io/arch: amd64 + redis: + internal: + nodeSelector: + kubernetes.io/arch: amd64 From 1c513794723803a5fab4ae169dbec6c062e1875a Mon Sep 17 00:00:00 2001 
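Review bot: The seven identical `nodeSelector: kubernetes.io/arch: amd64` blocks added in PATCH 04 give no reason why every Harbor component is pinned to amd64; a reader cannot tell whether the cluster has arm64 nodes that the chart's images cannot run on or whether this is merely a scheduling preference. One comment above the first block would settle it, e.g. `# Pin all Harbor components to amd64 nodes — TODO: state the reason (image architecture / node pool)`. Judging by the counts in the hunk header, the change also appears to drop the blank line between `secretkey` and `metrics`, which looks unintentional. The enclosing `valuesObject` mapping starts outside the hunk.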
From: Vojtech Mares Date: Sat, 23 Nov 2024 09:14:19 +0100 Subject: [PATCH 05/10] chore(ingress-nginx): bump helm chart to 4.11.3 --- apps/system/ingress-nginx.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/system/ingress-nginx.yaml b/apps/system/ingress-nginx.yaml index af3af93..a5ab8da 100644 --- a/apps/system/ingress-nginx.yaml +++ b/apps/system/ingress-nginx.yaml @@ -19,7 +19,7 @@ spec: source: chart: ingress-nginx repoURL: https://kubernetes.github.io/ingress-nginx - targetRevision: 4.11.2 + targetRevision: 4.11.3 helm: releaseName: ingress-nginx valuesObject: From 5fe4a973645bc4c03fcca8b409ea6edd2a7d0290 Mon Sep 17 00:00:00 2001 From: Vojtech Mares Date: Sat, 23 Nov 2024 09:15:15 +0100 Subject: [PATCH 06/10] docs: bump changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ca16833..ae65704 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Changelog +## [0.4.0] - 2024-11-23 + +### Changed + +- Bump ingress-nginx Helm chart to version `4.11.3` + ## [0.3.0] - 2024-11-21 ### Changed From 03c5e3562e67c9c0fcffd54023e7756be5381e08 Mon Sep 17 00:00:00 2001 From: Vojtech Mares Date: Sat, 23 Nov 2024 09:19:33 +0100 Subject: [PATCH 07/10] feat(ingress-nginx): enable gzip and brotli compression --- CHANGELOG.md | 8 ++++++++ apps/system/ingress-nginx.yaml | 4 ++++ 2 files changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ae65704..964dd28 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,13 @@ # Changelog +## [0.5.0] - 2024-11-23 + +### Added + +- Enable gzip compression on Ingress-NGINX +- Enable brotli compression on Ingress-NGINX + - Set brotli level to `6` + ## [0.4.0] - 2024-11-23 ### Changed diff --git a/apps/system/ingress-nginx.yaml b/apps/system/ingress-nginx.yaml index a5ab8da..d0cd8ee 100644 --- a/apps/system/ingress-nginx.yaml +++ b/apps/system/ingress-nginx.yaml 
@@ -46,3 +46,7 @@ spec: use-proxy-protocol: "true" use-forwarded-headers: "true" enable-real-ip: "true" + use-gzip: "true" + enable-brotli: "true" + brotli-level: "6" + use-http2: "true" From 76d7aa4872b6f94beb46995258d883c6e9e13308 Mon Sep 17 00:00:00 2001 From: Vojtech Mares Date: Sat, 23 Nov 2024 09:39:23 +0100 Subject: [PATCH 08/10] docs(CHANGELOG.md): change versions and how things are versioned --- CHANGELOG.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 964dd28..477a3ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## [0.5.0] - 2024-11-23 +## [0.2.0] - 2024-11-23 ### Added @@ -8,19 +8,19 @@ - Enable brotli compression on Ingress-NGINX - Set brotli level to `6` -## [0.4.0] - 2024-11-23 +## [0.1.3] - 2024-11-23 ### Changed - Bump ingress-nginx Helm chart to version `4.11.3` -## [0.3.0] - 2024-11-21 +## [0.1.2] - 2024-11-21 ### Changed - Disable Cilium Envoy (`l7Proxy=false`) -## [0.2.0] - 2024-11-20 +## [0.1.1] - 2024-11-20 ### Changed From 5d848a9bb41467d1bf8fe0f84d38837d96d6f3aa Mon Sep 17 00:00:00 2001 From: Vojtech Mares Date: Sat, 23 Nov 2024 12:50:08 +0100 Subject: [PATCH 09/10] refactor(harbor): use oci.marespkg.com/library/trivy-db for trivy-db instead of ghcr.io --- apps/hq/harbor.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apps/hq/harbor.yaml b/apps/hq/harbor.yaml index 93dce97..9184dba 100644 --- a/apps/hq/harbor.yaml +++ b/apps/hq/harbor.yaml @@ -39,6 +39,10 @@ spec: external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" hosts: core: oci.marespkg.com + trivy: + extraEnvVars: + - name: SCANNER_TRIVY_DB_REPOSITORY + value: "oci.marespkg.com/library/trivy-db:2" database: type: external external: From 23250c339ec2b96f25e75972f7a7e12bb1be852f Mon Sep 17 00:00:00 2001 
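Review bot: Enabling `use-gzip` and `enable-brotli` at controller level compresses the TLS responses of every backend behind this ingress, which brings back the BREACH class of compression side-channel for any application that reflects request-controlled input in a response that also carries a secret such as a CSRF or session token. Unless every backend has been checked for that pattern, keep compression off globally or narrow it to static asset types via `gzip-types`/`brotli-types` (nginx compresses `text/html` regardless of that list), and document the decision in a comment above these keys. `use-http2: "true"` is added in the same hunk but is missing from the changelog entry in this commit, and is the controller's default anyway. The enclosing mapping (presumably `controller.config`) begins outside the hunk.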
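Review bot: PATCH 09 adds a second `trivy:` key to the same mapping that already holds the `trivy: nodeSelector:` block from PATCH 04 — indentation is lost in this rendering, but the sibling `database:` key that follows places it at `valuesObject` level — so the file now contains a duplicate mapping key. Most YAML loaders silently keep the last occurrence, so the `SCANNER_TRIVY_DB_REPOSITORY` setting introduced here is most likely discarded rather than applied (or the parse fails outright, depending on the loader). PATCH 10/10 in this series merges the two blocks; on its own this commit should not land, which matters for bisecting or cherry-picking. The enclosing `valuesObject` mapping begins outside the hunk.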
From: Vojtech Mares
Date: Sat, 23 Nov 2024 13:05:13 +0100
Subject: [PATCH 10/10] refactor(harbor): merge trivy sections
---
 apps/hq/harbor.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/apps/hq/harbor.yaml b/apps/hq/harbor.yaml
index 9184dba..2e332ce 100644
--- a/apps/hq/harbor.yaml
+++ b/apps/hq/harbor.yaml
@@ -39,10 +39,6 @@ spec:
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
 hosts:
 core: oci.marespkg.com
- trivy:
- extraEnvVars:
- - name: SCANNER_TRIVY_DB_REPOSITORY
- value: "oci.marespkg.com/library/trivy-db:2"
 database:
 type: external
 external:
@@ -82,6 +78,9 @@ spec:
 trivy:
 nodeSelector:
 kubernetes.io/arch: amd64
+ extraEnvVars:
+ - name: SCANNER_TRIVY_DB_REPOSITORY
+ value: "oci.marespkg.com/library/trivy-db:2"
 redis:
 internal:
 nodeSelector:
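Review bot: After the merge, Trivy fetches its vulnerability database from `oci.marespkg.com/library/trivy-db:2`, which is the same Harbor instance this Application deploys (its `externalURL` since PATCH 03), so scan quality now depends on whatever keeps `library/trivy-db` in sync with the upstream database. If that sync stops, scans keep succeeding against an increasingly stale DB with no visible error, so the sync job and the age of the mirrored tag deserve monitoring. The adapter is given no credentials in this hunk, so the `library` project presumably has to allow anonymous pull — worth confirming and stating. Add a comment above `extraEnvVars`, e.g. `# Trivy DB is mirrored from upstream into this Harbor; keep the replication current or scans run on stale data`. The `redis.internal` mapping continues outside the hunk.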