chore(README): Update TODO list and general formatting

Tanguy Herbron 2024-01-14 00:47:09 +01:00
parent 46ba4ad3d5
commit 6d3c8f068b


@ -55,15 +55,14 @@
### Databases ### Databases
All services needing a database to function come with a sidecar pod running a crontab to automate individual database backups. // To complete
These backups are saved into a longhorn volume, to benefit from general snapshots later one.
Each sidecar pod can only mount the backup folder it has been linked with, and cannot see other services' backups.
### Additional data ### Additional data
All additional data needing to be backed up is mounted to a longhorn volume, to also benefit from scheduled backups. All additional data needing to be backed up is mounted to a longhorn volume, to also benefit from scheduled backups.
Example : Example :
``` ```
longhorn longhorn
└───backups └───backups
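Review bot: the Databases paragraph still carries an inline `// To complete` marker and the typo "later one" (should be "later on"); if this text survives the edit, either finish the sentence or move the reminder into the TODO list rather than leaving a code-style comment in rendered prose. The isolation claim "Each sidecar pod can only mount the backup folder it has been linked with, and cannot see other services' backups" is the security-relevant property of this design, so it is worth one sentence on how it is enforced (per-service volume or subPath in the sidecar's mount) so a reader can verify it rather than take it on trust.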
@ -74,13 +73,18 @@ longhorn
└───<backup_date>.sql └───<backup_date>.sql
│ ... │ ...
``` ```
## TODO ## TODO
- ~~Add AntiAffinities to `outsider` nodes~~ - ~~Add AntiAffinities to `outsider` nodes~~
- ~~Migrate Homeassistant to PostgreSQL instead of MariaDB~~ - ~~Migrate Homeassistant to PostgreSQL instead of MariaDB~~
- ~~Move Prometheus connection management to ServiceMonitors instead of ConfigMap~~ - ~~Move Prometheus connection management to ServiceMonitors instead of ConfigMap~~
- ~~Configure Alertmanager with basic webhook (discord)~~
- ~~Configure Prometheus alerts~~
- Schedule longhorn S3 backups - Schedule longhorn S3 backups
- Schedule CloudNativePG S3 backups - Schedule CloudNativePG S3 backups
- Restrict `metrics` endpoint on public services - ~~Restrict `metrics` endpoint on public services~~ See Gitea repository for example
- Move from NFS to S3 mounts for NAS volumes
- ~~Migrate Vaultwarden to PostgreSQL instead of MariaDB~~ - ~~Migrate Vaultwarden to PostgreSQL instead of MariaDB~~
- ~~Deploy PostgresQL cluster using operator for database HA and easy maintenance~~ - To be tested properly - ~~Deploy PostgresQL cluster using operator for database HA and easy maintenance~~ - To be tested properly
- Change host/deployment specific variables to use environment variables (using Kustomize) - Change host/deployment specific variables to use environment variables (using Kustomize)
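Review bot: the struck-through item "Restrict `metrics` endpoint on public services" points to "See Gitea repository for example" without saying which manifest implements the restriction; name the file or resource so the pattern can be found and reused, since an unrestricted `/metrics` on a public service is exactly the kind of exposure this list is tracking. Two smaller points in the same hunk: "~~Deploy PostgresQL cluster ...~~ - To be tested properly" is both done and not yet validated, which is ambiguous as a status, and the new item "Move from NFS to S3 mounts for NAS volumes" would benefit from a note on whether the S3 mounts are expected to preserve the per-service backup isolation described in the Databases section.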
@ -90,7 +94,7 @@ longhorn
- ~~Setup DB container sidecars for automated backups to Longhorn volume~~ - ~~Setup DB container sidecars for automated backups to Longhorn volume~~
- ~~Setup secrets configuration through CI/CD variable injection (using Kustomize)~~ Environment modified by SOPS implementation - ~~Setup secrets configuration through CI/CD variable injection (using Kustomize)~~ Environment modified by SOPS implementation
- Figure out SOPS secret injection for absent namespaces - Figure out SOPS secret injection for absent namespaces
- Explore permission issues when issuing OVH API keys (not working for wildcard and `beta.halia.dev` subdomain) - ~~Explore permission issues when issuing OVH API keys (not working for wildcard and `beta.halia.dev` subdomain)~~ Supposedly done
- Setup default users for deployments - Setup default users for deployments
- ~~Setup log and metric monitoring~~ - ~~Setup log and metric monitoring~~
- ~~Define namespaces through yaml files~~ - ~~Define namespaces through yaml files~~
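Review bot: striking through "Explore permission issues when issuing OVH API keys (not working for wildcard and `beta.halia.dev` subdomain)" with the qualifier "Supposedly done" records an unverified state; either confirm that wildcard and `beta.halia.dev` issuance now work and drop the qualifier, or leave the item open, because an API key whose permission scope is not understood is a credential-scoping problem rather than a cosmetic one.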
@ -103,25 +107,30 @@ longhorn
- Migrate ingresses to traefik kind instead of k8s kind - Migrate ingresses to traefik kind instead of k8s kind
## Notes ## Notes
### Cluster base setup ### Cluster base setup
Setup the cluster's backbone Setup the cluster's backbone
``` ```
make dev make dev
# Include SOPS master secret generation # Include SOPS master secret generation
kubectl create secret generic age-key --from-file=~/.sops/key.txt -n sops kubectl create secret generic age-key --from-file=~/.sops/key.txt -n sops
``` ```
NOTE: It might be required to update the metallb IP range as well as traefik LoadBalancerIPs NOTE: It might be required to update the metallb IP range as well as traefik LoadBalancerIPs
### Convert helm chart to k3s manifest ### Convert helm chart to k3s manifest
`helm template chart stable/chart --output-dir ./chart` `helm template chart stable/chart --output-dir ./chart`
### Gitlab backup process ### Gitlab backup process
Because gitlab does not offer the possibility to backup a container's data from an external container, a cronjob has been implemented in the custom image used for deployment. Because gitlab does not offer the possibility to backup a container's data from an external container, a cronjob has been implemented in the custom image used for deployment.
NOTE: This does not apply anymore, as a migration is planned to Gitea NOTE: This does not apply anymore, as a migration is planned to Gitea
### VPN configuration for Deluge ### VPN configuration for Deluge
~~Instead of adding an extra networking layer to the whole cluster, it seems like a better idea to just integrate a wireguard connection inside of the deluge image, and self-build everything within Gitlab registry. ~~Instead of adding an extra networking layer to the whole cluster, it seems like a better idea to just integrate a wireguard connection inside of the deluge image, and self-build everything within Gitlab registry.
This image could utilize kubernetes secrets, including a "torrent-vpn" secret produces by the initial wireguard configuration done via Ansible. This image could utilize kubernetes secrets, including a "torrent-vpn" secret produces by the initial wireguard configuration done via Ansible.
This ansible script could create one (or more) additional client(s) depending on the inventory configuration, and keep the "torrent-vpn" configuration file within a k3s formated file, inside of the auto-applied directory on CP.<br> This ansible script could create one (or more) additional client(s) depending on the inventory configuration, and keep the "torrent-vpn" configuration file within a k3s formated file, inside of the auto-applied directory on CP.<br>
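Review bot: the "Cluster base setup" block stores the SOPS age master key as a plain Kubernetes Secret (`kubectl create secret generic age-key --from-file=~/.sops/key.txt -n sops`), which is the single key that decrypts every secret in the private repository; add a line noting which RBAC subjects may read Secrets in the `sops` namespace, since anyone with `get secret` there can decrypt the whole repository. The same command is repeated under "Secret management" later in the file, so keep one canonical copy and reference it from the other. Minor: "formated" should be "formatted".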
@ -129,18 +138,22 @@ Cf : https://docs.k3s.io/advanced#auto-deploying-manifests~~
After furhter reflection, it doesn't make sense to have Deluge being part of the cluster. It will be moved to the NAS, as it can run only when the NAS is running. This will also ease the whole VPN configuration. After furhter reflection, it doesn't make sense to have Deluge being part of the cluster. It will be moved to the NAS, as it can run only when the NAS is running. This will also ease the whole VPN configuration.
### Development domains ### Development domains
To access a service publicly when developing, the domain name should be *.beta.halia.dev
To only expose a service internally, the domain name should be *.beta.entos To access a service publicly when developing, the domain name should be _.beta.halia.dev
To only expose a service internally, the domain name should be _.beta.entos
### Ingresses ### Ingresses
To split between external and internal services, two traefik ingresses are implemented through the `ingressclass` annotation. To split between external and internal services, two traefik ingresses are implemented through the `ingressclass` annotation.
`traefik-external` will only allow external access to a given service, while `traefik-internal` restrict to an internal only access. `traefik-external` will only allow external access to a given service, while `traefik-internal` restrict to an internal only access.
### Secret management ### Secret management
All secrets are encrypted using SOPS and stored in a private secret repository. All secrets are encrypted using SOPS and stored in a private secret repository.
Secrets are decrypted on the fly when applied to the kluster using the SOPS Operator. Secrets are decrypted on the fly when applied to the kluster using the SOPS Operator.
Inject the AGE key in the cluster to allow the operator to decrypt secrets : Inject the AGE key in the cluster to allow the operator to decrypt secrets :
``` ```
kubectl create secret generic age-key --from-file=<path_to_file> -n sops kubectl create secret generic age-key --from-file=<path_to_file> -n sops
``` ```
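Review bot: in "Development domains" the wildcard was rewritten from `*.beta.halia.dev` / `*.beta.entos` to `_.beta.halia.dev` / `_.beta.entos`, which looks like a markdown formatter treating the two asterisks as emphasis and normalising them to underscores; this changes the documented domain pattern, so put the patterns in backticks (`*.beta.halia.dev`) or escape the asterisk so the wildcard survives. Minor typos in the same hunk: "furhter" and "kluster".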