feat: add coredns config

ci: deploy and validate coredns
2025-10-05 20:50:08 +02:00 · 2025-10-05 20:50:01 +02:00
10 changed files with 17 additions and 254 deletions
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -4,7 +4,6 @@ on:
  push:
    branches:
      - main
  workflow_dispatch:
 jobs:
  check-changes:
@@ -12,30 +11,27 @@ jobs:
    outputs:
      node-labels: ${{ steps.filter.outputs.node-labels }}
      coredns: ${{ steps.filter.outputs.coredns }}
      traefik: ${{ steps.filter.outputs.traefik }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0
-      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
-            node-labels:
+            k8s:
              - 'node-labels/**'
            coredns:
              - 'coredns/**'
            traefik:
              - 'traefik/**'
  deploy-node-labels:
    runs-on: ubuntu-latest
    needs: check-changes
-    if: ${{ needs.check-changes.outputs.node-labels == 'true' || github.event_name == 'workflow_dispatch' }}
+    if: ${{ needs.check-changes.outputs.node-labels == 'true' }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v5
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
+      - uses: azure/setup-kubectl@v4
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
+      - uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
@@ -46,79 +42,14 @@ jobs:
  deploy-coredns:
    runs-on: ubuntu-latest
    needs: check-changes
-    if: ${{ needs.check-changes.outputs.coredns == 'true' || github.event_name == 'workflow_dispatch' }}
+    if: ${{ needs.check-changes.outputs.coredns == 'true' }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v5
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
+      - uses: azure/setup-kubectl@v4
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
+      - uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Deploy
        run: |
          kubectl apply -n kube-system -f coredns
      - name: Restart coredns
        run: |
          kubectl -n kube-system rollout restart deployment coredns
  deploy-traefik:
    runs-on: ubuntu-latest
    needs: check-changes
    if: ${{ needs.check-changes.outputs.traefik == 'true' || github.event_name == 'workflow_dispatch' }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Set ionos api credentials
        uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218 # v5.0.1
        with:
          namespace: kube-system
          secret-name: ionos-api-credentials
          secret-type: generic
          data: |
            {
              "apiKey": "${{ secrets.IONOS_API_KEY }}"
            }
      - name: Set admin basic auth credentials
        uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218 # v5.0.1
        with:
          namespace: kube-system
          secret-name: admin-basic-auth-credentials
          secret-type: Opaque
          data: |
            {
              "auth": "${{ secrets.ADMIN_BASIC_AUTH_CREDENTIALS }}"
            }
      - name: Deploy
        uses: azure/k8s-deploy@c8cfec839dc09896b3b8cc40cd13d04792680771 # v5.1.0
        with:
          action: deploy
          manifests: "traefik/"
          strategy: basic
          namespace: kube-system
  deploy-docker-registry-secret:
    runs-on: ubuntu-latest
    needs: check-changes
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Set docker registry credentials
        run: |
          kubectl create secret docker-registry regcred-dockerhub \
            --docker-server=https://index.docker.io/v1/ \
            --docker-username="${{ secrets.DOCKER_USERNAME }}" \
            --docker-password="${{ secrets.DOCKER_PASSWORD }}" \
            --docker-email="${{ secrets.DOCKER_EMAIL }}" \
            --namespace=default \
            --dry-run=client -o yaml | kubectl apply -f -
      - name: Configure image pull secret globally
        run: |
          kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "regcred-dockerhub"}]}'
--- a/.gitea/workflows/validate.yaml
+++ b/.gitea/workflows/validate.yaml
@@ -9,9 +9,9 @@ jobs:
  validate-node-lables:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v5
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
+      - uses: azure/setup-kubectl@v4
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
+      - uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
@@ -22,28 +22,12 @@ jobs:
  validate-coredns:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v5
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
+      - uses: azure/setup-kubectl@v4
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
+      - uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Validate
        run: |
          kubectl apply -n kube-system -f coredns
  validate-traefik:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Validate
        uses: azure/k8s-lint@6aefe5066f95e73d2b140d8835cc95583b886989 # v3.0.1
        with:
          namespace: kube-system
          lintType: dryrun
          manifests: "traefik/"
--- a/README.md
+++ b/README.md
@@ -18,8 +18,6 @@ All labels use the `de.t000-n.` prefix.
 - `drive.mnt-{name}`: Indicates a mounted drive under `/mnt/{name}`
  - Example: `drive.mnt-syncthing` → `/mnt/syncthing` is mounted
 - `service.vol-{name}`: Indicates a local volume under `/opt/svc/{name}
  - Example: `service.vol-jallyfin` -> `/opt/svc/jellyfin` is available on host
 ### System Configuration Labels
--- a/node-labels/14_labels_k3sh3.yaml
+++ b/node-labels/14_labels_k3sh3.yaml
@@ -5,4 +5,3 @@ metadata:
  labels:
    de.t000-n.net.class: "medium"
    de.t000-n.net.bw: "2.5g"
    de.t000-n.service.vol-jellyfin: ""
--- a/renovate.json
+++ b/renovate.json
@@ -1,19 +0,0 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "local>t.behrendt/renovate-configs:common",
    "local>t.behrendt/renovate-configs:k8s",
    "local>t.behrendt/renovate-configs:action",
    "local>t.behrendt/renovate-configs:helm"
  ],
  "kubernetes": {
    "managerFilePatterns": [
      "/^node-labels/.*\\.yaml$/",
      "/^coredns/.*\\.yaml$/",
      "/^traefik/.*\\.yaml$/"
    ]
  },
  "helm-values": {
    "managerFilePatterns": ["/(^|/)crowdsec/values.ya?ml$/"]
  }
 }
--- a/traefik/middleware-adminbasicauth.yaml
+++ b/traefik/middleware-adminbasicauth.yaml
@@ -1,8 +0,0 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: adminbasicauth
  namespace: kube-system
 spec:
  basicAuth:
    secret: admin-basic-auth-credentials
--- a/traefik/middleware-crowdsec-bouncher.yaml
+++ b/traefik/middleware-crowdsec-bouncher.yaml
@@ -1,13 +0,0 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
    name: crowdsec-bouncer
    namespace: kube-system
 spec:
    plugin:
        crowdsec-bouncer-traefik-plugin:
            Enabled: true
            CrowdsecMode: live
            CrowdsecLapiUrl: "http://crowdsec-service.kube-system.svc.cluster.local:8080"
            CrowdsecLapiKey: "${CROWDSEC_BOUNCER_API_KEY}"
            UpdateIntervalSeconds: 10
--- a/traefik/middleware-local-ip-filter.yaml
+++ b/traefik/middleware-local-ip-filter.yaml
@@ -1,11 +0,0 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: localipfilter
  namespace: kube-system
 spec:
  ipWhiteList:
    sourceRange:
      - 192.168.0.0/24
      - 172.16.0.0/16
      - 10.0.0.0/8
--- a/traefik/pvc.yaml
+++ b/traefik/pvc.yaml
@@ -1,34 +0,0 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: pv-traefik-hostpath-static
 spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: traefik-certificates
  local:
    path: /mnt/longhorn1/svc/kube-system/main/traefik/data
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - k3sh0
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: pvc-traefik
  namespace: kube-system
 spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: traefik-certificates
  resources:
    requests:
      storage: 10Gi
--- a/traefik/traefik-config.yaml
+++ b/traefik/traefik-config.yaml
@@ -1,64 +0,0 @@
 apiVersion: helm.cattle.io/v1
 kind: HelmChartConfig
 metadata:
  name: traefik
  namespace: kube-system
 spec:
  valuesContent: |-
    nodeSelector:
      kubernetes.io/hostname: k3sh0
    providers:
      kubernetesCRD:
        allowCrossNamespace: true
    certResolvers:
      letsencrypt:
        email: admin@t00n.de
        dnsChallenge:
          provider: ionos
          delayBeforeCheck: 60
          resolvers:
            - 1.1.1.1
        storage: /data/acme-ionos.json
    ingressRoute:
      dashboard:
         enabled: true
         matchRule: Host(`traefik.monitor.k8s.t000-n.de`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
         middlewares:
           - name: localipfilter
         entryPoints: ["websecure"]
    env:
      - name: IONOS_API_KEY
        valueFrom:
          secretKeyRef:
            key: apiKey
            name: ionos-api-credentials
    ports:
      web:
        port: 8000
        expose: true
        exposedPort: 80
        nodePort: 32080
      websecure:
        port: 8443
        expose: true
        exposedPort: 443
        nodePort: 32443
        tls:
          enabled: true
          certResolver: "letsencrypt"
    service:
      enabled: true
      single: true
      type: LoadBalancer
      spec:
        externalTrafficPolicy: Local
      externalIPs:
        - 192.168.0.50
        - 192.168.0.51
        - 192.168.0.52
        - 192.168.0.53
    persistence:
      enabled: true
      name: data
      existingClaim: pvc-traefik
      path: /data
Author	SHA1	Message	Date
Timo Behrendt	0a1e5d1411	feat: add coredns config All checks were successful Validate / validate-node-lables (push) Successful in 7s Details Validate / validate-coredns (push) Successful in 21s Details	2025-10-05 20:50:08 +02:00
Timo Behrendt	56571771e8	ci: deploy and validate coredns	2025-10-05 20:50:01 +02:00