feat: add coredns config

ci: deploy and validate coredns
2025-10-05 20:50:08 +02:00 · 2025-10-05 20:50:01 +02:00
10 changed files with 17 additions and 254 deletions
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -4,7 +4,6 @@ on:
  push:
    branches:
      - main
-  workflow_dispatch:

 jobs:
  check-changes:
@@ -12,30 +11,27 @@ jobs:
    outputs:
      node-labels: ${{ steps.filter.outputs.node-labels }}
      coredns: ${{ steps.filter.outputs.coredns }}
-      traefik: ${{ steps.filter.outputs.traefik }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0
-      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
-            node-labels:
+            k8s:
              - 'node-labels/**'
            coredns:
              - 'coredns/**'
-            traefik:
-              - 'traefik/**'

  deploy-node-labels:
    runs-on: ubuntu-latest
    needs: check-changes
-    if: ${{ needs.check-changes.outputs.node-labels == 'true' || github.event_name == 'workflow_dispatch' }}
+    if: ${{ needs.check-changes.outputs.node-labels == 'true' }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
+      - uses: actions/checkout@v5
+      - uses: azure/setup-kubectl@v4
+      - uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
@@ -46,79 +42,14 @@ jobs:
  deploy-coredns:
    runs-on: ubuntu-latest
    needs: check-changes
-    if: ${{ needs.check-changes.outputs.coredns == 'true' || github.event_name == 'workflow_dispatch' }}
+    if: ${{ needs.check-changes.outputs.coredns == 'true' }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
+      - uses: actions/checkout@v5
+      - uses: azure/setup-kubectl@v4
+      - uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Deploy
        run: |
          kubectl apply -n kube-system -f coredns
-      - name: Restart coredns
-        run: |
-          kubectl -n kube-system rollout restart deployment coredns
-
-  deploy-traefik:
-    runs-on: ubuntu-latest
-    needs: check-changes
-    if: ${{ needs.check-changes.outputs.traefik == 'true' || github.event_name == 'workflow_dispatch' }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
-        with:
-          method: kubeconfig
-          kubeconfig: ${{ secrets.KUBECONFIG }}
-      - name: Set ionos api credentials
-        uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218 # v5.0.1
-        with:
-          namespace: kube-system
-          secret-name: ionos-api-credentials
-          secret-type: generic
-          data: |
-            {
-              "apiKey": "${{ secrets.IONOS_API_KEY }}"
-            }
-      - name: Set admin basic auth credentials
-        uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218 # v5.0.1
-        with:
-          namespace: kube-system
-          secret-name: admin-basic-auth-credentials
-          secret-type: Opaque
-          data: |
-            {
-              "auth": "${{ secrets.ADMIN_BASIC_AUTH_CREDENTIALS }}"
-            }
-      - name: Deploy
-        uses: azure/k8s-deploy@c8cfec839dc09896b3b8cc40cd13d04792680771 # v5.1.0
-        with:
-          action: deploy
-          manifests: "traefik/"
-          strategy: basic
-          namespace: kube-system
-
-  deploy-docker-registry-secret:
-    runs-on: ubuntu-latest
-    needs: check-changes
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
-        with:
-          method: kubeconfig
-          kubeconfig: ${{ secrets.KUBECONFIG }}
-      - name: Set docker registry credentials
-        run: |
-          kubectl create secret docker-registry regcred-dockerhub \
-            --docker-server=https://index.docker.io/v1/ \
-            --docker-username="${{ secrets.DOCKER_USERNAME }}" \
-            --docker-password="${{ secrets.DOCKER_PASSWORD }}" \
-            --docker-email="${{ secrets.DOCKER_EMAIL }}" \
-            --namespace=default \
-            --dry-run=client -o yaml | kubectl apply -f -
-      - name: Configure image pull secret globally
-        run: |
-          kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "regcred-dockerhub"}]}'
--- a/.gitea/workflows/validate.yaml
+++ b/.gitea/workflows/validate.yaml
@@ -9,9 +9,9 @@ jobs:
  validate-node-lables:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
+      - uses: actions/checkout@v5
+      - uses: azure/setup-kubectl@v4
+      - uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
@@ -22,28 +22,12 @@ jobs:
  validate-coredns:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
+      - uses: actions/checkout@v5
+      - uses: azure/setup-kubectl@v4
+      - uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Validate
        run: |
          kubectl apply -n kube-system -f coredns
-
-  validate-traefik:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
-        with:
-          method: kubeconfig
-          kubeconfig: ${{ secrets.KUBECONFIG }}
-      - name: Validate
-        uses: azure/k8s-lint@6aefe5066f95e73d2b140d8835cc95583b886989 # v3.0.1
-        with:
-          namespace: kube-system
-          lintType: dryrun
-          manifests: "traefik/"
--- a/README.md
+++ b/README.md
@@ -18,8 +18,6 @@ All labels use the `de.t000-n.` prefix.

 - `drive.mnt-{name}`: Indicates a mounted drive under `/mnt/{name}`
  - Example: `drive.mnt-syncthing` → `/mnt/syncthing` is mounted
- `service.vol-{name}`: Indicates a local volume under `/opt/svc/{name}
-  - Example: `service.vol-jallyfin` -> `/opt/svc/jellyfin` is available on host

 ### System Configuration Labels

--- a/node-labels/14_labels_k3sh3.yaml
+++ b/node-labels/14_labels_k3sh3.yaml
@@ -5,4 +5,3 @@ metadata:
  labels:
    de.t000-n.net.class: "medium"
    de.t000-n.net.bw: "2.5g"
-    de.t000-n.service.vol-jellyfin: ""
--- a/renovate.json
+++ b/renovate.json
@@ -1,19 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "local>t.behrendt/renovate-configs:common",
-    "local>t.behrendt/renovate-configs:k8s",
-    "local>t.behrendt/renovate-configs:action",
-    "local>t.behrendt/renovate-configs:helm"
-  ],
-  "kubernetes": {
-    "managerFilePatterns": [
-      "/^node-labels/.*\\.yaml$/",
-      "/^coredns/.*\\.yaml$/",
-      "/^traefik/.*\\.yaml$/"
-    ]
-  },
-  "helm-values": {
-    "managerFilePatterns": ["/(^|/)crowdsec/values.ya?ml$/"]
-  }
-}
--- a/traefik/middleware-adminbasicauth.yaml
+++ b/traefik/middleware-adminbasicauth.yaml
@@ -1,8 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: adminbasicauth
-  namespace: kube-system
-spec:
-  basicAuth:
-    secret: admin-basic-auth-credentials
--- a/traefik/middleware-crowdsec-bouncher.yaml
+++ b/traefik/middleware-crowdsec-bouncher.yaml
@@ -1,13 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-    name: crowdsec-bouncer
-    namespace: kube-system
-spec:
-    plugin:
-        crowdsec-bouncer-traefik-plugin:
-            Enabled: true
-            CrowdsecMode: live
-            CrowdsecLapiUrl: "http://crowdsec-service.kube-system.svc.cluster.local:8080"
-            CrowdsecLapiKey: "${CROWDSEC_BOUNCER_API_KEY}"
-            UpdateIntervalSeconds: 10
--- a/traefik/middleware-local-ip-filter.yaml
+++ b/traefik/middleware-local-ip-filter.yaml
@@ -1,11 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: localipfilter
-  namespace: kube-system
-spec:
-  ipWhiteList:
-    sourceRange:
-      - 192.168.0.0/24
-      - 172.16.0.0/16
-      - 10.0.0.0/8
--- a/traefik/pvc.yaml
+++ b/traefik/pvc.yaml
@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: pv-traefik-hostpath-static
-spec:
-  capacity:
-    storage: 10Gi
-  accessModes:
-    - ReadWriteOnce
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: traefik-certificates
-  local:
-    path: /mnt/longhorn1/svc/kube-system/main/traefik/data
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-        - matchExpressions:
-            - key: kubernetes.io/hostname
-              operator: In
-              values:
-                - k3sh0
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: pvc-traefik
-  namespace: kube-system
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: traefik-certificates
-  resources:
-    requests:
-      storage: 10Gi
--- a/traefik/traefik-config.yaml
+++ b/traefik/traefik-config.yaml
@@ -1,64 +0,0 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChartConfig
-metadata:
-  name: traefik
-  namespace: kube-system
-spec:
-  valuesContent: |-
-    nodeSelector:
-      kubernetes.io/hostname: k3sh0
-    providers:
-      kubernetesCRD:
-        allowCrossNamespace: true
-    certResolvers:
-      letsencrypt:
-        email: admin@t00n.de
-        dnsChallenge:
-          provider: ionos
-          delayBeforeCheck: 60
-          resolvers:
-            - 1.1.1.1
-        storage: /data/acme-ionos.json
-    ingressRoute:
-      dashboard:
-         enabled: true
-         matchRule: Host(`traefik.monitor.k8s.t000-n.de`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
-         middlewares:
-           - name: localipfilter
-         entryPoints: ["websecure"]
-    env:
-      - name: IONOS_API_KEY
-        valueFrom:
-          secretKeyRef:
-            key: apiKey
-            name: ionos-api-credentials
-    ports:
-      web:
-        port: 8000
-        expose: true
-        exposedPort: 80
-        nodePort: 32080
-      websecure:
-        port: 8443
-        expose: true
-        exposedPort: 443
-        nodePort: 32443
-        tls:
-          enabled: true
-          certResolver: "letsencrypt"
-    service:
-      enabled: true
-      single: true
-      type: LoadBalancer
-      spec:
-        externalTrafficPolicy: Local
-      externalIPs:
-        - 192.168.0.50
-        - 192.168.0.51
-        - 192.168.0.52
-        - 192.168.0.53
-    persistence:
-      enabled: true
-      name: data
-      existingClaim: pvc-traefik
-      path: /data
Author	SHA1	Message	Date
Timo Behrendt	0a1e5d1411	feat: add coredns config All checks were successful Validate / validate-node-lables (push) Successful in 7s Details Validate / validate-coredns (push) Successful in 21s Details	2025-10-05 20:50:08 +02:00
Timo Behrendt	56571771e8	ci: deploy and validate coredns	2025-10-05 20:50:01 +02:00