docs: document labels

2025-10-03 18:52:04 +02:00
15 changed files with 23 additions and 338 deletions
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -4,121 +4,34 @@ on:
  push:
    branches:
      - main
-  workflow_dispatch:

 jobs:
  check-changes:
    runs-on: ubuntu-latest
    outputs:
-      node-labels: ${{ steps.filter.outputs.node-labels }}
-      coredns: ${{ steps.filter.outputs.coredns }}
-      traefik: ${{ steps.filter.outputs.traefik }}
+      changes: ${{ steps.filter.outputs.k8s }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0
-      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
-            node-labels:
-              - 'node-labels/**'
-            coredns:
-              - 'coredns/**'
-            traefik:
-              - 'traefik/**'
+            k8s:
+              - 'k8s/**'

-  deploy-node-labels:
+  deploy:
    runs-on: ubuntu-latest
    needs: check-changes
-    if: ${{ needs.check-changes.outputs.node-labels == 'true' || github.event_name == 'workflow_dispatch' }}
+    if: ${{ needs.check-changes.outputs.changes == 'true' }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
+      - uses: actions/checkout@v5
+      - uses: azure/setup-kubectl@v4
+      - uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Deploy
        run: |
-          kubectl apply --server-side --field-manager=t000-n -f node-labels
-
-  deploy-coredns:
-    runs-on: ubuntu-latest
-    needs: check-changes
-    if: ${{ needs.check-changes.outputs.coredns == 'true' || github.event_name == 'workflow_dispatch' }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
-        with:
-          method: kubeconfig
-          kubeconfig: ${{ secrets.KUBECONFIG }}
-      - name: Deploy
-        run: |
-          kubectl apply -n kube-system -f coredns
-      - name: Restart coredns
-        run: |
-          kubectl -n kube-system rollout restart deployment coredns
-
-  deploy-traefik:
-    runs-on: ubuntu-latest
-    needs: check-changes
-    if: ${{ needs.check-changes.outputs.traefik == 'true' || github.event_name == 'workflow_dispatch' }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
-        with:
-          method: kubeconfig
-          kubeconfig: ${{ secrets.KUBECONFIG }}
-      - name: Set ionos api credentials
-        uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218 # v5.0.1
-        with:
-          namespace: kube-system
-          secret-name: ionos-api-credentials
-          secret-type: generic
-          data: |
-            {
-              "apiKey": "${{ secrets.IONOS_API_KEY }}"
-            }
-      - name: Set admin basic auth credentials
-        uses: azure/k8s-create-secret@6e0ba8047235646753f2a3a3b359b4d0006ff218 # v5.0.1
-        with:
-          namespace: kube-system
-          secret-name: admin-basic-auth-credentials
-          secret-type: Opaque
-          data: |
-            {
-              "auth": "${{ secrets.ADMIN_BASIC_AUTH_CREDENTIALS }}"
-            }
-      - name: Deploy
-        uses: azure/k8s-deploy@c8cfec839dc09896b3b8cc40cd13d04792680771 # v5.1.0
-        with:
-          action: deploy
-          manifests: "traefik/"
-          strategy: basic
-          namespace: kube-system
-
-  deploy-docker-registry-secret:
-    runs-on: ubuntu-latest
-    needs: check-changes
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
-        with:
-          method: kubeconfig
-          kubeconfig: ${{ secrets.KUBECONFIG }}
-      - name: Set docker registry credentials
-        run: |
-          kubectl create secret docker-registry regcred-dockerhub \
-            --docker-server=https://index.docker.io/v1/ \
-            --docker-username="${{ secrets.DOCKER_USERNAME }}" \
-            --docker-password="${{ secrets.DOCKER_PASSWORD }}" \
-            --docker-email="${{ secrets.DOCKER_EMAIL }}" \
-            --namespace=default \
-            --dry-run=client -o yaml | kubectl apply -f -
-      - name: Configure image pull secret globally
-        run: |
-          kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "regcred-dockerhub"}]}'
+          kubectl apply --server-side --field-manager=t000-n -f k8s/
--- a/.gitea/workflows/validate.yaml
+++ b/.gitea/workflows/validate.yaml
@@ -6,44 +6,15 @@ on:
      - main

 jobs:
-  validate-node-lables:
+  validate:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
+      - uses: actions/checkout@v5
+      - uses: azure/setup-kubectl@v4
+      - uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Validate
        run: |
-          kubectl apply --server-side --field-manager=t000-n --dry-run=server -f node-labels
-
-  validate-coredns:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
-        with:
-          method: kubeconfig
-          kubeconfig: ${{ secrets.KUBECONFIG }}
-      - name: Validate
-        run: |
-          kubectl apply -n kube-system -f coredns
-
-  validate-traefik:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
-      - uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5.0.0
-        with:
-          method: kubeconfig
-          kubeconfig: ${{ secrets.KUBECONFIG }}
-      - name: Validate
-        uses: azure/k8s-lint@6aefe5066f95e73d2b140d8835cc95583b886989 # v3.0.1
-        with:
-          namespace: kube-system
-          lintType: dryrun
-          manifests: "traefik/"
+          kubectl apply --server-side --field-manager=t000-n --dry-run=server -f k8s/
--- a/README.md
+++ b/README.md
@@ -18,8 +18,6 @@ All labels use the `de.t000-n.` prefix.

 - `drive.mnt-{name}`: Indicates a mounted drive under `/mnt/{name}`
  - Example: `drive.mnt-syncthing` → `/mnt/syncthing` is mounted
- `service.vol-{name}`: Indicates a local volume under `/opt/svc/{name}
-  - Example: `service.vol-jallyfin` -> `/opt/svc/jellyfin` is available on host

 ### System Configuration Labels

--- a/coredns/coredns-config.yaml
+++ b/coredns/coredns-config.yaml
@@ -1,47 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: coredns
-  namespace: kube-system
-data:
-  Corefile: |
-    t00n.de:53 {
-      errors
-      forward . 192.168.0.1 192.168.0.9 192.168.0.10
-      cache 300
-      reload
-    }
-
-    t000-n.de:53 {
-        errors
-        forward . 192.168.0.1 192.168.0.9 192.168.0.10
-        cache 300
-        reload
-    }
-
-    .:53 {
-        errors
-        health
-        ready
-        kubernetes cluster.local in-addr.arpa ip6.arpa {
-          pods insecure
-          fallthrough in-addr.arpa ip6.arpa
-        }
-        hosts /etc/coredns/NodeHosts {
-          ttl 60
-          reload 15s
-          fallthrough
-        }
-        prometheus :9153
-        forward . /etc/resolv.conf
-        cache 30
-        loop
-        reload
-        loadbalance
-        import /etc/coredns/custom/*.override
-    }
-    import /etc/coredns/custom/*.server
-  NodeHosts: |
-    192.168.0.50 k3sh0
-    192.168.0.51 k3sh1
-    192.168.0.52 k3sh2
--- a/node-labels/11_labels_k3sh0.yaml
+++ b/node-labels/11_labels_k3sh0.yaml
--- a/node-labels/12_labels_k3sh1.yaml
+++ b/node-labels/12_labels_k3sh1.yaml
--- a/node-labels/13_labels_k3sh2.yaml
+++ b/node-labels/13_labels_k3sh2.yaml
--- a/k8s/14_labels_k3sh3.yaml
+++ b/k8s/14_labels_k3sh3.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Node
+metadata:
+  name: k3sh3
+  labels:
+    de.t000-n.net.class: "slow"
+    de.t000-n.net.bw: "1g"
--- a/node-labels/14_labels_k3sh3.yaml
+++ b/node-labels/14_labels_k3sh3.yaml
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Node
-metadata:
-  name: k3sh3
-  labels:
-    de.t000-n.net.class: "medium"
-    de.t000-n.net.bw: "2.5g"
-    de.t000-n.service.vol-jellyfin: ""
--- a/renovate.json
+++ b/renovate.json
@@ -1,19 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "local>t.behrendt/renovate-configs:common",
-    "local>t.behrendt/renovate-configs:k8s",
-    "local>t.behrendt/renovate-configs:action",
-    "local>t.behrendt/renovate-configs:helm"
-  ],
-  "kubernetes": {
-    "managerFilePatterns": [
-      "/^node-labels/.*\\.yaml$/",
-      "/^coredns/.*\\.yaml$/",
-      "/^traefik/.*\\.yaml$/"
-    ]
-  },
-  "helm-values": {
-    "managerFilePatterns": ["/(^|/)crowdsec/values.ya?ml$/"]
-  }
-}
--- a/traefik/middleware-adminbasicauth.yaml
+++ b/traefik/middleware-adminbasicauth.yaml
@@ -1,8 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: adminbasicauth
-  namespace: kube-system
-spec:
-  basicAuth:
-    secret: admin-basic-auth-credentials
--- a/traefik/middleware-crowdsec-bouncher.yaml
+++ b/traefik/middleware-crowdsec-bouncher.yaml
@@ -1,13 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-    name: crowdsec-bouncer
-    namespace: kube-system
-spec:
-    plugin:
-        crowdsec-bouncer-traefik-plugin:
-            Enabled: true
-            CrowdsecMode: live
-            CrowdsecLapiUrl: "http://crowdsec-service.kube-system.svc.cluster.local:8080"
-            CrowdsecLapiKey: "${CROWDSEC_BOUNCER_API_KEY}"
-            UpdateIntervalSeconds: 10
--- a/traefik/middleware-local-ip-filter.yaml
+++ b/traefik/middleware-local-ip-filter.yaml
@@ -1,11 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: localipfilter
-  namespace: kube-system
-spec:
-  ipWhiteList:
-    sourceRange:
-      - 192.168.0.0/24
-      - 172.16.0.0/16
-      - 10.0.0.0/8
--- a/traefik/pvc.yaml
+++ b/traefik/pvc.yaml
@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: pv-traefik-hostpath-static
-spec:
-  capacity:
-    storage: 10Gi
-  accessModes:
-    - ReadWriteOnce
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: traefik-certificates
-  local:
-    path: /mnt/longhorn1/svc/kube-system/main/traefik/data
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-        - matchExpressions:
-            - key: kubernetes.io/hostname
-              operator: In
-              values:
-                - k3sh0
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: pvc-traefik
-  namespace: kube-system
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: traefik-certificates
-  resources:
-    requests:
-      storage: 10Gi
--- a/traefik/traefik-config.yaml
+++ b/traefik/traefik-config.yaml
@@ -1,64 +0,0 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChartConfig
-metadata:
-  name: traefik
-  namespace: kube-system
-spec:
-  valuesContent: |-
-    nodeSelector:
-      kubernetes.io/hostname: k3sh0
-    providers:
-      kubernetesCRD:
-        allowCrossNamespace: true
-    certResolvers:
-      letsencrypt:
-        email: admin@t00n.de
-        dnsChallenge:
-          provider: ionos
-          delayBeforeCheck: 60
-          resolvers:
-            - 1.1.1.1
-        storage: /data/acme-ionos.json
-    ingressRoute:
-      dashboard:
-         enabled: true
-         matchRule: Host(`traefik.monitor.k8s.t000-n.de`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
-         middlewares:
-           - name: localipfilter
-         entryPoints: ["websecure"]
-    env:
-      - name: IONOS_API_KEY
-        valueFrom:
-          secretKeyRef:
-            key: apiKey
-            name: ionos-api-credentials
-    ports:
-      web:
-        port: 8000
-        expose: true
-        exposedPort: 80
-        nodePort: 32080
-      websecure:
-        port: 8443
-        expose: true
-        exposedPort: 443
-        nodePort: 32443
-        tls:
-          enabled: true
-          certResolver: "letsencrypt"
-    service:
-      enabled: true
-      single: true
-      type: LoadBalancer
-      spec:
-        externalTrafficPolicy: Local
-      externalIPs:
-        - 192.168.0.50
-        - 192.168.0.51
-        - 192.168.0.52
-        - 192.168.0.53
-    persistence:
-      enabled: true
-      name: data
-      existingClaim: pvc-traefik
-      path: /data