2025-09-04 00:13:39 +02:00
parent bb76fc67dc
commit 0bbc20ca14
23 changed files with 610 additions and 0 deletions


@@ -35,6 +35,31 @@ data:
192.168.0.100 ceph.c2et.net
192.168.0.100 heimdall.c2et.net
# === dotcom ) ===
192.168.0.40 cockpit.c2et.com
192.168.0.40 git.c2et.com
192.168.0.40 harbor.c2et.com
192.168.0.40 wireguard.c2et.com
192.168.0.40 proxy.c2et.com
192.168.0.80 backend.apolo.c2et.com
192.168.0.80 portal.apolo.c2et.com
192.168.0.80 colossus.apolo.c2et.com
192.168.0.80 chat.apolo.c2et.com
192.168.0.80 muc.chat.apolo.c2et.com
192.168.0.81 streaming.apolo.c2et.com
192.168.0.81 meeting.apolo.c2et.com
# === dotnet ) ===
192.168.0.100 repo.c2et.net
192.168.0.100 git.c2et.net
192.168.0.100 wireguard.c2et.net
192.168.0.100 ceph.c2et.net
192.168.0.100 harbor.c2et.net
192.168.0.100 grafana.c2et.net
192.168.0.100 kubevirt.c2et.net
192.168.0.100 heimdall.c2et.net
192.168.0.100 argos.panel.c2et.net
192.168.0.100 vscode.c2et.net
fallthrough
}
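Review bot: The `.net` entries for ceph.c2et.net and heimdall.c2et.net now appear twice in the hosts block, once at the top of the hunk and again under the `# === dotnet ) ===` marker; the hosts plugin tolerates duplicates, but the list becomes harder to keep consistent, so drop the two leading copies unless something outside the hunk depends on them. The stray `)` in both section markers (`# === dotcom ) ===`, `# === dotnet ) ===`) reads as a typo; `# === dotcom ===` and `# === dotnet ===` would do. The enclosing `hosts` block starts before this hunk.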


@@ -8,3 +8,4 @@ resources:
- configmap-coredns.yaml
- deploy-coredns.yaml
- svc-coredns.yaml
- svc-coredns-admin.yaml


@@ -0,0 +1,19 @@
apiVersion: v1
kind: Service
metadata:
name: coredns-custom-admin
namespace: coredns
spec:
type: LoadBalancer
loadBalancerIP: 192.168.0.110
selector:
app: coredns-custom
ports:
- name: dns-udp
port: 53
targetPort: 53
protocol: UDP
- name: dns-tcp
port: 53
targetPort: 53
protocol: TCP
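Review bot: `coredns-custom-admin` publishes DNS on `loadBalancerIP: 192.168.0.110` to every client that can reach that address, with no `loadBalancerSourceRanges`, although the name suggests an administrative endpoint; if it is meant for a limited set of hosts, add `loadBalancerSourceRanges:` followed by `- <admin-cidr-placeholder>` under `spec`. Setting `externalTrafficPolicy: Local` would also let CoreDNS log the real client address instead of a node IP, provided the load-balancer implementation honours it, which is not visible here.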


@@ -33,3 +33,43 @@ data:
proxy_ssl_verify off;
}
}
gitdotcom.conf: |
server {
listen 3001;
server_name git.c2et.com;
location / {
proxy_pass https://192.168.0.40;
proxy_ssl_verify off;
}
}
harbordotcom.conf: |
server {
listen 85;
server_name harbor.c2et.com;
location / {
proxy_pass https://192.168.0.40;
proxy_ssl_verify off;
}
}
wireguarddotcom.conf: |
server {
listen 51821;
server_name wireguard.c2et.com;
location / {
proxy_pass https://192.168.0.40;
proxy_ssl_verify off;
}
}
cockpitdotcom.conf: |
server {
listen 9090;
server_name cockpit.c2et.com;
location / {
proxy_pass https://192.168.0.40;
proxy_ssl_verify off;
}
}
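Review bot: Every new server block proxies to `https://192.168.0.40` with `proxy_ssl_verify off;`, so the hop to the upstream is encrypted but never authenticated; if that host uses a private CA or self-signed certificate, pin it with `proxy_ssl_trusted_certificate /etc/nginx/<ca-bundle-placeholder>;` and switch to `proxy_ssl_verify on;`. All four blocks also target the same upstream on port 443 without `proxy_set_header Host $host;`, so if 192.168.0.40 distinguishes git, harbor, cockpit and wireguard by virtual host it will only ever see `Host: 192.168.0.40`, which is worth confirming. The blocks listen on 3001, 85, 51821 and 9090, while the Ingress resources added in this commit (external/ingress/cockpitdotcom.yaml, gitdotcom.yaml, harbordotcom.yaml, wireguarddotcom.yaml) send traffic to `external-router-svc` port 80; judging from the `.save` copy of this file, port 80 is `router.conf`'s `default_server`, so unless the Service remaps ports those hostnames would land on the firewall admin proxy. The enclosing `data:` map begins before this hunk.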

37
external/configmaps/configmap.yaml.save vendored Normal file

@@ -0,0 +1,37 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-router-config
namespace: external
data:
router.conf: |
server {
listen 80 default_server;
server_name admin.firewall.c2et.net;
location / {
proxy_pass https://192.168.0.1;
proxy_ssl_verify off;
}
}
powervault1.conf: |
server {
listen 80;
server_name admin.powervault1.c2et.net;
location / {
proxy_pass https://192.168.0.71;
proxy_ssl_verify off;
}
}
powervault2.conf: |
server {
listen 80;
server_name admin.powervault2.c2et.net;
location / {
proxy_pass https://192.168.0.74;
proxy_ssl_verify off;
}
}
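Review bot: `external/configmaps/configmap.yaml.save` looks like an editor backup of the real ConfigMap (same `nginx-router-config` name and namespace) rather than a manifest anyone applies, and committing it leaves a second copy that will drift from the one in use; the forge already flags it as vendored, which hides future diffs. Drop it from the commit and add `*.save` to `.gitignore` so the pattern does not recur.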

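--- /dev/null
+++ b/external/ingress/cockpitdotcom.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+name: cockpitdotcom-ingress
+namespace: external
+annotations:
+cert-manager.io/cluster-issuer: "letsencrypt-prod"
+nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+nginx.ingress.kubernetes.io/ssl-redirect: "true"
+nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+ingressClassName: nginx
+tls:
+- hosts:
+- cockpit.c2et.com
+secretName: cockpitdotcom-tls
+rules:
+- host: cockpit.c2et.com
+http:
+paths:
+- path: /
+pathType: Prefix
+backend:
+service:
+name: external-router-svc
+port:
+number: 80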
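Review bot: `cockpitdotcom-ingress` publishes the host's Cockpit console through the `nginx` ingress class with a `letsencrypt-prod` certificate and no client restriction, and the same shape is repeated in gitdotcom.yaml, harbordotcom.yaml and wireguarddotcom.yaml in this commit. For administrative surfaces such as Cockpit and the WireGuard UI an allowlist annotation, `nginx.ingress.kubernetes.io/whitelist-source-range: "<trusted-cidr-placeholder>"`, or an auth annotation in front of the login page keeps the TLS setup while limiting who can reach it; whether this ingress controller is internet-facing is not visible here, but a public ACME issuer suggests it is.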

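--- /dev/null
+++ b/external/ingress/gitdotcom.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+name: gitdotcom-ingress
+namespace: external
+annotations:
+cert-manager.io/cluster-issuer: "letsencrypt-prod"
+nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+nginx.ingress.kubernetes.io/ssl-redirect: "true"
+nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+ingressClassName: nginx
+tls:
+- hosts:
+- git.c2et.com
+secretName: gitdotcom-tls
+rules:
+- host: git.c2et.com
+http:
+paths:
+- path: /
+pathType: Prefix
+backend:
+service:
+name: external-router-svc
+port:
+number: 80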

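--- /dev/null
+++ b/external/ingress/harbordotcom.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+name: harbordotcom-ingress
+namespace: external
+annotations:
+cert-manager.io/cluster-issuer: "letsencrypt-prod"
+nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+nginx.ingress.kubernetes.io/ssl-redirect: "true"
+nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+ingressClassName: nginx
+tls:
+- hosts:
+- harbor.c2et.com
+secretName: harbordotcom-tls
+rules:
+- host: harbor.c2et.com
+http:
+paths:
+- path: /
+pathType: Prefix
+backend:
+service:
+name: external-router-svc
+port:
+number: 80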

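--- /dev/null
+++ b/external/ingress/wireguarddotcom.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+name: wireguarddotcom-ingress
+namespace: external
+annotations:
+cert-manager.io/cluster-issuer: "letsencrypt-prod"
+nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+nginx.ingress.kubernetes.io/ssl-redirect: "true"
+nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+ingressClassName: nginx
+tls:
+- hosts:
+- wireguard.c2et.com
+secretName: wireguarddotcom-tls
+rules:
+- host: wireguard.c2et.com
+http:
+paths:
+- path: /
+pathType: Prefix
+backend:
+service:
+name: external-router-svc
+port:
+number: 80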

28
grafana/kps-values.yaml Normal file

@@ -0,0 +1,28 @@
grafana:
enabled: true
service:
type: ClusterIP
ingress:
enabled: true
ingressClassName: nginx # <- tu IngressClass
hosts:
- grafana.c2et.net
tls:
- secretName: grafana-tls
hosts:
- grafana.c2et.net
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod # o el que uses
adminPassword: "Pozuelo12345" # vacío = autogenera; o pon tu contraseña si quieres
# puedes forzar la password así:
# admin:
# existingSecret: grafana-admin
# userKey: admin-user
# passwordKey: admin-password
prometheus:
ingress:
enabled: false # <- mantenlo interno (recomendado)
alertmanager:
ingress:
enabled: false # <- interno
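Review bot: `adminPassword` in the `grafana` stanza carries a plaintext Grafana admin password in a committed values file, while the comment block directly beneath it already sketches the supported alternative. Replace the line with `admin: {existingSecret: grafana-admin, userKey: admin-user, passwordKey: admin-password}` (or the block form the comments show) backed by a Secret that is not in git, and rotate the value, since it is now in the repository history. The inline comments are in Spanish; an English header such as `# Grafana exposed via nginx ingress; admin credentials come from a Secret, never from this file` would serve a wider set of readers.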


@@ -0,0 +1,56 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: repo-sources
namespace: repo
data:
sources.txt: |
repo-oss|http://download.opensuse.org/distribution/leap/15.6/repo/oss/|opensuse/leap/15.6/oss
repo-non-oss|http://download.opensuse.org/distribution/leap/15.6/repo/non-oss/|opensuse/leap/15.6/non-oss
update-oss|http://download.opensuse.org/update/leap/15.6/oss/|opensuse/leap/15.6/update/oss
update-non-oss|http://download.opensuse.org/update/leap/15.6/non-oss/|opensuse/leap/15.6/update/non-oss
update-sle|http://download.opensuse.org/update/leap/15.6/sle/|opensuse/leap/15.6/update/sle
backports|http://download.opensuse.org/update/leap/15.6/backports/|opensuse/leap/15.6/update/backports
openh264|http://codecs.opensuse.org/openh264/openSUSE_Leap/|opensuse/openh264
nvidia|https://download.nvidia.com/opensuse/leap/15.6/|thirdparty/nvidia/leap/15.6
k8s-stable|https://pkgs.k8s.io/core:/stable:/v1.33/rpm/|thirdparty/kubernetes/core/stable/v1.33/rpm
sync.sh: |
set -euo pipefail
SRC_LIST="/config/sources.txt"
DEST_ROOT="/mirror/repos"
mkdir -p "$DEST_ROOT"
command -v rsync >/dev/null 2>&1 || echo "Aviso: rsync no disponible; usaré wget para HTTP/HTTPS"
command -v wget >/dev/null 2>&1 || { echo "ERROR: wget requerido"; exit 1; }
while IFS='|' read -r NAME URL SUBDIR; do
[[ -z "${NAME:-}" || "${NAME:0:1}" == "#" ]] && continue
DEST="${DEST_ROOT}/${SUBDIR}"
mkdir -p "$DEST"
echo "==> Sync ${NAME} (${URL}) -> ${DEST}"
if [[ "$URL" == rsync://* ]]; then
rsync -aH --delete --partial --info=stats1,progress2 "${URL}" "${DEST}/"
else
TMP="${DEST}.tmp"
mkdir -p "$TMP"
wget -m -np -nH -e robots=off -P "$TMP" --no-verbose --show-progress "$URL"
shopt -s dotglob nullglob
SRC_CONTENT=("$TMP"/*)
if [[ ${#SRC_CONTENT[@]} -gt 0 ]]; then
rsync -a --delete "$TMP"/ "$DEST"/
fi
rm -rf "$TMP"
fi
chmod -R a+rX "$DEST"
done < "$SRC_LIST"
echo "Sync completado."
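Review bot: `sync.sh` relies on bash-only constructs (`[[ … ]]`, `${NAME:0:1}`, `shopt`, the `SRC_CONTENT=(…)` array) but has no shebang, and the CronJob in this commit executes it as `/config/sync.sh` from `sh -lc`; on alpine the fallback interpreter for a shebang-less file is busybox `sh`, where the array and `shopt` lines would most likely fail. Add `#!/usr/bin/env bash` as the first line of the script, or invoke it as `bash /config/sync.sh`. The openSUSE sources are mirrored over plain `http://`, so integrity of what lands in the mirror rests entirely on the repomd/RPM signatures that zypper verifies on the clients; that is acceptable only while those checks stay enabled, and the `https://` variants of the same mirrors would remove the dependency.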


@@ -0,0 +1,38 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: repo-sync
namespace: repo
spec:
schedule: "15 2 * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 2
failedJobsHistoryLimit: 2
jobTemplate:
spec:
template:
spec:
restartPolicy: OnFailure
containers:
- name: sync
image: alpine:latest
command: ["sh","-lc"]
args:
- |
set -e
apk add --no-cache rsync wget bash coreutils
chmod +x /config/sync.sh
/config/sync.sh
volumeMounts:
- name: repo-storage
mountPath: /mirror
- name: repo-config
mountPath: /config
volumes:
- name: repo-storage
persistentVolumeClaim:
claimName: repo-pvc
- name: repo-config
configMap:
name: repo-sources
defaultMode: 0755
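Review bot: The job runs `chmod +x /config/sync.sh` under `set -e` on a ConfigMap volume, which Kubernetes mounts read-only, so the command would most likely abort the job before any sync happens; `defaultMode: 0755` already makes the file executable, so drop the chmod line. `alpine:latest` plus `apk add` at every run means each night pulls an unpinned base image and fresh packages from the network; a fixed tag or digest (the kustomization's `images:` block can carry `digest:`) and a pre-built image with rsync, wget and bash would make runs reproducible and auditable. The container also has no `securityContext`, so it writes to the 2Ti mirror PVC as root; `runAsNonRoot: true` with a matching `fsGroup` would limit what a compromised mirror job can do, if the PVC permissions allow it.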


@@ -0,0 +1,59 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: repo-server
namespace: repo
spec:
replicas: 1
selector:
matchLabels:
app: repo-server
template:
metadata:
labels:
app: repo-server
spec:
initContainers:
- name: init-dirs
image: alpine:3.20
command: ["sh","-lc"]
args:
- |
mkdir -p /share/repos
chmod 755 /share /share/repos
volumeMounts:
- name: repo-storage
mountPath: /share
containers:
- name: httpd
image: httpd:2.4
ports:
- containerPort: 80
volumeMounts:
- name: repo-storage
mountPath: /usr/local/apache2/htdocs
subPath: repos
readinessProbe:
httpGet: { path: /, port: 80 }
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
httpGet: { path: /, port: 80 }
initialDelaySeconds: 15
periodSeconds: 20
- name: samba
image: dperson/samba
args: ["-p", "-s", "repos;/share/repos;yes;no"]
ports:
- containerPort: 445
securityContext:
runAsUser: 0
volumeMounts:
- name: repo-storage
mountPath: /share
volumes:
- name: repo-storage
persistentVolumeClaim:
claimName: repo-pvc
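Review bot: The samba sidecar is started with `-s "repos;/share/repos;yes;no"`; in the dperson/samba `-s` syntax as I recall it (confirm against the image's README) the third and fourth fields are browseable and read-only, so this share is browseable and writable with guest access at the image's default, and `service-samba.yaml` in this commit exposes it on 192.168.0.106:445 to the LAN. A package mirror should be read-only for clients, `"repos;/share/repos;yes;yes"`, or limited to named users rather than guests, otherwise anyone on the network can replace packages that zypper clients later install. The container additionally runs with `runAsUser: 0` and the Service has no `loadBalancerSourceRanges`; if writes are needed for administration, grant them to specific users and restrict the source ranges.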


@@ -0,0 +1,23 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: repo
namespace: repo
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
ingressClassName: nginx
tls:
- hosts: [ "repo.c2et.net" ]
secretName: repo-c2et-net-tls
rules:
- host: repo.c2et.net
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: repo-http
port:
number: 80

26
repo/kustomization.yaml Normal file

@@ -0,0 +1,26 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: repo
commonLabels:
app.kubernetes.io/name: repo-mirror
app.kubernetes.io/part-of: suse-repo
resources:
- namespace.yaml
- pvc.yaml
- configmap/repo-sources.yaml
- deployments/repo-server.yaml
- services/service-http.yaml
- services/service-samba.yaml
- ingress/ingress-repo.yaml
- cronjobs/repo-sync.yaml
images:
- name: httpd
newTag: "2.4"
- name: alpine
newTag: "latest"
- name: dperson/samba
newTag: "latest"
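Review bot: `images:` pins `alpine` and `dperson/samba` to `newTag: "latest"`, which pins nothing and lets every Job or Pod start pick up whatever was pushed last; use a fixed tag or, better, `digest: sha256:<digest-placeholder>` per image, and note the Deployment's init container already uses `alpine:3.20` while the CronJob uses `alpine:latest`, so the two would diverge anyway. `commonLabels` is deprecated in recent kustomize releases in favour of `labels:` with `includeSelectors: true`; a comment `# kustomize >= 5: prefer labels: with includeSelectors` or the new field itself would avoid the warning.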

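--- /dev/null
+++ b/repo/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+name: repo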

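--- /dev/null
+++ b/repo/pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: repo-pvc
+namespace: repo
+spec:
+accessModes:
+- ReadWriteMany
+resources:
+requests:
+storage: 2Ti
+storageClassName: sc-me5-site-a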

54
repo/readme.md Normal file

@@ -0,0 +1,54 @@
## Cómo usarlo (rápido)
1. Ajusta **dominio** en el Ingress y (si quieres) IP fija en el Service de Samba.
2. Revisa tamaño de **PVC**.
3. (Opcional) Cambia o amplía la lista en `sources.txt`. Si tienes un mirror con **rsync**, usa `rsync://...` en la URL para más eficiencia.
4. Aplica en orden:
```bash
kubectl apply -f repo/namespace.yaml
kubectl apply -f repo/pvc.yaml
kubectl apply -f repo/configmap/repo-sources.yaml
kubectl apply -f repo/deployments/repo-server.yaml
kubectl apply -f repo/services/service-http.yaml
kubectl apply -f repo/services/service-samba.yaml # o NodePort
kubectl apply -f repo/ingress/ingress-repo.yaml
kubectl apply -f repo/cronjobs/repo-sync.yaml
```
5. Lanza una sync inicial **ad hoc** (sin esperar al cron) creando un Job manual:
```bash
kubectl create job --from=cronjob/repo-sync repo-sync-now -n repo
kubectl logs -f job/repo-sync-now -n repo
```
---
## Configuración en los clientes SUSE
En tus servidores, añade repos apuntando a tu repo interno, por ejemplo:
```bash
# HTTP (recomendado)
sudo zypper ar -f http://repo.c2et.net/opensuse/leap/15.6/oss repo-oss-local
sudo zypper ar -f http://repo.c2et.net/opensuse/leap/15.6/non-oss repo-non-oss-local
sudo zypper ar -f http://repo.c2et.net/opensuse/leap/15.6/update/oss update-oss-local
sudo zypper ar -f http://repo.c2et.net/opensuse/leap/15.6/update/non-oss update-non-oss-local
sudo zypper ar -f http://repo.c2et.net/opensuse/leap/15.6/update/sle update-sle-local
sudo zypper ar -f http://repo.c2et.net/opensuse/leap/15.6/update/backports update-backports-local
sudo zypper ar -f http://repo.c2et.net/opensuse/openh264 openh264-local
# Terceros (si los espejas):
sudo zypper ar -f http://repo.c2et.net/thirdparty/nvidia/leap/15.6 nvidia-local
sudo zypper ar -f http://repo.c2et.net/thirdparty/kubernetes/core/stable/v1.33/rpm k8s-stable-local
```
> Truco: deja tus repos “externos” deshabilitados (`zypper mr -d <alias>`) y activa solo los “-local”. Así fuerzan el uso del mirror interno.
---
## Sugerencias y mejoras
* **Mejor rsync**: si eliges un mirror con `rsync://`, cambia las URLs de `download.opensuse.org` a ese mirror (ej. `rsync://<mirror>/opensuse/distribution/leap/15.6/repo/oss/`) para acelerar y reducir ancho de banda (usa `--delete`).
* **Throttle nocturno**: añade `--bwlimit=MB` a `rsync` si tu ventana noc


@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: repo-http
namespace: repo
spec:
type: ClusterIP
selector:
app: repo-server
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP


@@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: repo-samba
namespace: repo
spec:
type: LoadBalancer
loadBalancerIP: 192.168.0.106
selector:
app: repo-server
ports:
- name: samba
port: 445
targetPort: 445
protocol: TCP


@@ -0,0 +1,13 @@
apiVersion: velero.io/v1
kind: Schedule
metadata:
name: daily-gitea-a
namespace: minio-velero
spec:
schedule: "30 2 * * *" # Diario 02:30
template:
includedNamespaces:
- gitea
defaultVolumesToFsBackup: true
storageLocation: bsl-incluster-a
ttl: 720h
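Review bot: Both new schedules (`daily-gitea-a` here and `weekly-full-a` in the next file) write to `storageLocation: bsl-incluster-a`, and the name suggests a backup location hosted inside the same cluster in the `minio-velero` namespace; if so, a cluster-level failure or a compromised cluster admin takes the backups with it, so at least the weekly full set deserves a second, off-cluster location. `ttl: 720h` is 30 days for both sets; a `# 30 days` comment next to it would save the next reader the arithmetic. `defaultVolumesToFsBackup: true` makes the PV contents part of the backup, which is what a Gitea restore needs, and the `nodeAgent` block in this commit's values file suggests the node agent it depends on is enabled.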


@@ -0,0 +1,19 @@
apiVersion: velero.io/v1
kind: Schedule
metadata:
name: weekly-full-a
namespace: minio-velero
spec:
schedule: "0 3 * * 0" # Domingos 03:00
template:
includedNamespaces:
- apolo
- argos-core
- gitea
- guacamole
- harbor
- vscode
- wireguard
defaultVolumesToFsBackup: true
storageLocation: bsl-incluster-a
ttl: 720h


@@ -26,3 +26,22 @@ initContainers:
volumeMounts:
- name: plugins
mountPath: /target
metrics:
enabled: true
serviceMonitor:
enabled: true
namespace: minio-velero
interval: 30s
additionalLabels:
release: monitoring # <- MUY IMPORTANTE: debe coincidir con tu Prometheus
nodeAgent:
metrics:
enabled: true
podMonitor:
enabled: true
namespace: minio-velero
interval: 30s
additionalLabels:
release: monitoring # <- igual que arriba
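Review bot: The `release: monitoring` label under `serviceMonitor.additionalLabels` only has an effect if the kube-prometheus-stack release is actually named `monitoring`; nothing in this commit shows the release name, so confirm it against the Prometheus `serviceMonitorSelector` before relying on these metrics. The `nodeAgent.metrics.podMonitor` path and the `interval` key should also be checked against the chart's values.yaml — in the Velero chart versions I know, the node-agent PodMonitor toggle lives under `metrics.nodeAgentPodMonitor` and the scrape interval under `metrics.scrapeInterval`, and a misplaced key is silently ignored rather than rejected. The hunk's enclosing `initContainers` list starts before it.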