diff --git a/README.md b/README.md index 2e20a12..67b9b2c 100644 --- a/README.md +++ b/README.md @@ -55,15 +55,14 @@ ### Databases -All services needing a database to function come with a sidecar pod running a crontab to automate individual database backups. -These backups are saved into a longhorn volume, to benefit from general snapshots later one. -Each sidecar pod can only mount the backup folder it has been linked with, and cannot see other services' backups. +// To complete ### Additional data All additional data needing to be backed up is mounted to a longhorn volume, to also benefit from scheduled backups. Example : + ``` longhorn └───backups @@ -74,13 +73,18 @@ longhorn └───.sql │ ... ``` + ## TODO + - ~~Add AntiAffinities to `outsider` nodes~~ - ~~Migrate Homeassistant to PostgreSQL instead of MariaDB~~ - ~~Move Prometheus connection management to ServiceMonitors instead of ConfigMap~~ +- ~~Configure Alertmanager with basic webhook (discord)~~ +- ~~Configure Prometheus alerts~~ - Schedule longhorn S3 backups - Schedule CloudNativePG S3 backups -- Restrict `metrics` endpoint on public services +- ~~Restrict `metrics` endpoint on public services~~ See Gitea repository for example +- Move from NFS to S3 mounts for NAS volumes - ~~Migrate Vaultwarden to PostgreSQL instead of MariaDB~~ - ~~Deploy PostgresQL cluster using operator for database HA and easy maintenance~~ - To be tested properly - Change host/deployment specific variables to use environment variables (using Kustomize) @@ -90,7 +94,7 @@ longhorn - ~~Setup DB container sidecars for automated backups to Longhorn volume~~ - ~~Setup secrets configuration through CI/CD variable injection (using Kustomize)~~ Environment modified by SOPS implementation - Figure out SOPS secret injection for absent namespaces -- Explore permission issues when issuing OVH API keys (not working for wildcard and `beta.halia.dev` subdomain) +- ~~Explore permission issues when issuing OVH API keys (not working for wildcard and `beta.halia.dev` subdomain)~~ Supposedly done - Setup default users for deployments - ~~Setup log and metric monitoring~~ - ~~Define namespaces through yaml files~~ @@ -103,25 +107,30 @@ longhorn - Migrate ingresses to traefik kind instead of k8s kind ## Notes + ### Cluster base setup + Setup the cluster's backbone + ``` make dev # Include SOPS master secret generation kubectl create secret generic age-key --from-file=~/.sops/key.txt -n sops ``` - NOTE: It might be required to update the metallb IP range as well as traefik LoadBalancerIPs ### Convert helm chart to k3s manifest + `helm template chart stable/chart --output-dir ./chart` ### Gitlab backup process + Because gitlab does not offer the possibility to backup a container's data from an external container, a cronjob has been implemented in the custom image used for deployment. NOTE: This does not apply anymore, as a migration is planned to Gitea ### VPN configuration for Deluge + ~~Instead of adding an extra networking layer to the whole cluster, it seems like a better idea to just integrate a wireguard connection inside of the deluge image, and self-build everything within Gitlab registry. This image could utilize kubernetes secrets, including a "torrent-vpn" secret produces by the initial wireguard configuration done via Ansible. This ansible script could create one (or more) additional client(s) depending on the inventory configuration, and keep the "torrent-vpn" configuration file within a k3s formated file, inside of the auto-applied directory on CP.
@@ -129,18 +138,22 @@ Cf : https://docs.k3s.io/advanced#auto-deploying-manifests~~ After furhter reflection, it doesn't make sense to have Deluge being part of the cluster. It will be moved to the NAS, as it can run only when the NAS is running. This will also ease the whole VPN configuration. ### Development domains -To access a service publicly when developing, the domain name should be *.beta.halia.dev -To only expose a service internally, the domain name should be *.beta.entos + +To access a service publicly when developing, the domain name should be _.beta.halia.dev +To only expose a service internally, the domain name should be _.beta.entos ### Ingresses + To split between external and internal services, two traefik ingresses are implemented through the `ingressclass` annotation. `traefik-external` will only allow external access to a given service, while `traefik-internal` restrict to an internal only access. ### Secret management + All secrets are encrypted using SOPS and stored in a private secret repository. Secrets are decrypted on the fly when applied to the kluster using the SOPS Operator. Inject the AGE key in the cluster to allow the operator to decrypt secrets : + ``` kubectl create secret generic age-key --from-file= -n sops ```