diff --git a/apps/k8s01/unpoller/deployment.yaml b/apps/k8s01/unpoller/deployment.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0c0d2730d43b15d9a97bbbbb6f8b46f24f712396
--- /dev/null
+++ b/apps/k8s01/unpoller/deployment.yaml
@@ -0,0 +1,47 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: unpoller
+ namespace: unpoller
+ labels:
+ app.kubernetes.io/name: unpoller
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: unpoller
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: unpoller
+ spec:
+ containers:
+ - name: unpoller
+ image: ghcr.io/unpoller/unpoller:v2.9.4
+ resources:
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ limits:
+ cpu: "1"
+ memory: 128Mi
+ envFrom:
+ - secretRef: unpoller
+ optional: false
+ ports:
+ - name: exporter
+ containerPort: 9130
+ protocol: TCP
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 7067
+ runAsGroup: 7067
+ fsGroup: 7067
+ seccompProfile:
+ type: "RuntimeDefault"
\ No newline at end of file
diff --git a/apps/k8s01/unpoller/kustomization.yaml b/apps/k8s01/unpoller/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..df8224ca032a53cc3f73581b3001727088eff531
--- /dev/null
+++ b/apps/k8s01/unpoller/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: unpoller
+resources:
+ - namespace.yaml
+ - deployment.yaml
+ - podmonitor.yaml
+ - secret.yaml
+ - ../../../shared/resourcequotas/default.yaml
+ - ../../../shared/networkpolicies/allow-from-monitoring.yaml
+patchesStrategicMerge:
+ - networkpolicy.yaml
\ No newline at end of file
diff --git a/apps/k8s01/unpoller/namespace.yaml b/apps/k8s01/unpoller/namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..642282663b5a4868035e0c3b867ec1d08dfb372a
--- /dev/null
+++ b/apps/k8s01/unpoller/namespace.yaml
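Review bot: In apps/k8s01/unpoller/deployment.yaml the `envFrom` entry gives `secretRef` a bare string (`secretRef: unpoller`), but that field is an object carrying `name` and `optional`, so the API server is expected to reject the manifest or the Secret will not be injected. The entry should read `- secretRef: {name: unpoller, optional: false}`. Indentation is lost on this page, but the hunk's 47-line count leaves no room for a separate `name:` line, so this does not look like an extraction artefact. Separately, the image is pinned by tag only (`v2.9.4`); appending the digest (`ghcr.io/unpoller/unpoller:v2.9.4@sha256:<digest>`) would make the deployed content immutable. If the exporter needs neither a writable root filesystem nor the Kubernetes API (to be confirmed), `readOnlyRootFilesystem: true` on the container and `automountServiceAccountToken: false` on the pod spec would tighten it further.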
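Review bot: In apps/k8s01/unpoller/kustomization.yaml the `patchesStrategicMerge` field is deprecated as of Kustomize v5; the equivalent is `patches:` with `- path: networkpolicy.yaml`. The patch only applies if the shared `allow-from-monitoring.yaml`, which is outside this diff, defines a NetworkPolicy with the same name, so a short comment above the patch entry naming that base resource would help the next reader. Something like `# narrows podSelector of shared allow-from-monitoring policy to the unpoller pod` would do.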
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: unpoller
+ labels:
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/enforce: restricted
+ pod-security.kubernetes.io/warn: restricted
+ pod-security.kubernetes.io/audit-version: v1.27
+ pod-security.kubernetes.io/enforce-version: v1.26
+ pod-security.kubernetes.io/warn-version: v1.27
diff --git a/apps/k8s01/unpoller/networkpolicy.yaml b/apps/k8s01/unpoller/networkpolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f5f5bdedbff1293cbf84ad466dd7384bd955c6eb
--- /dev/null
+++ b/apps/k8s01/unpoller/networkpolicy.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-from-monitoring
+spec:
+ podSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - unpoller
diff --git a/apps/k8s01/unpoller/podmonitor.yaml b/apps/k8s01/unpoller/podmonitor.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..fc805a3f18d26de8c84f52c90b4bef3357bba9fe
--- /dev/null
+++ b/apps/k8s01/unpoller/podmonitor.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: unpoller
+ namespace: unpoller
+ labels:
+ app.kubernetes.io/name: unpoller
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: unpoller
+ podMetricsEndpoints:
+ - port: exporter
\ No newline at end of file
diff --git a/apps/k8s01/unpoller/secret.yaml b/apps/k8s01/unpoller/secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6698e264730b6e13cfa3b66fe6140320512db6d1
--- /dev/null
+++ b/apps/k8s01/unpoller/secret.yaml
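Review bot: In apps/k8s01/unpoller/namespace.yaml the `enforce-version` label is pinned to `v1.26` while `audit-version` and `warn-version` are `v1.27`, and nothing in the file says whether the gap is deliberate. If enforcement is meant to trail one release so that warnings surface first, a comment such as `# enforce trails warn/audit by one release on purpose` above the label would record that. Otherwise align it with the other two as `pod-security.kubernetes.io/enforce-version: v1.27`.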
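Review bot: Nothing in apps/k8s01/unpoller/networkpolicy.yaml, or elsewhere in this commit as far as it shows, restricts egress for the unpoller pod, which receives the UniFi controller credentials from the `unpoller` Secret. The patch only narrows `podSelector`, and the ingress rules come from the shared base outside this diff, so it is worth confirming there that the allowed port is limited to 9130. Unless a cluster-wide default already covers it, a companion policy with `policyTypes: [Egress]` that allows only DNS and the controller address would limit where a compromised exporter could send those credentials. On style, `matchLabels` with `app.kubernetes.io/name: unpoller` selects the same pods and would match the selectors used in the Deployment and PodMonitor.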
@@ -0,0 +1,65 @@ +apiVersion: v1 +kind: Secret +metadata: + name: unpoller + namespace: unpoller + labels: + app.kubernetes.io/name: unpoller +stringData: + UP_INFLUXDB_DISABLE: ENC[AES256_GCM,data:GrtLpg==,iv:V2Oyf5/goHmXzraMq1jW02ILexmIiLuWb7I2Vs120Yg=,tag:NUkALMSphJeiKXgYJrx8ow==,type:str] + UP_UNIFI_DEFAULT_VERIFY_SSL: ENC[AES256_GCM,data:7IjaZw==,iv:D+bK8OJDnpLm9UqJM3dShy3NjKz7gJXELEETRSQ0ML4=,tag:pXePhFmaEgZV6pjzkfijLA==,type:str] + UP_UNIFI_DEFAULT_URL: ENC[AES256_GCM,data:lwXt9gezxmMXVIV4hhHb+fAAUcCMQxl2ukah75i3AKXeFKjQzuo1,iv:BTp5QzuY4BcaSHDInS4cK/fkUBxLjfcAHxvKOHO3tUM=,tag:fanjdhFnbYJ+PjGNLAGSLw==,type:str] + UP_UNIFI_DEFAULT_USER: ENC[AES256_GCM,data:qlGyV2H4Puw=,iv:RPJ6QhKfcKfcLp1JJOCrRS2ZgY4iTnMEN+Xz7X6ZlRA=,tag:oO6YZTYXiQimHyT1bV+YNA==,type:str] + UP_UNIFI_DEFAULT_PASS: ENC[AES256_GCM,data:BTxto5YthceS4JHRhYHpAjS6JRGvoq1QCoc9Uhbbdykbl3+bchwn7Q==,iv:Rvw4E9JXpY9gz6WK20fe82Xpt3qhygmGYj0KHjmSrhI=,tag:ca44+V1qPj+2pRWsUcP+Rw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-12-14T23:06:10Z" + mac: ENC[AES256_GCM,data:Jy22qBWdn9UPleoxff2LEdXSzS0UBRWTafir9Sohb+cyiAgCQ2AUHkdoee1eBc6J1A6QEOGWkLrTPYZSF+f3FoPNQFnxEA5qHe0JdLspeO2mARBYCwh3Fj6aVTKwUtaa7wUgfJOnJUrdJmrxANcx5hc2zKlTf3Wz7nbYDS5vP04=,iv:0RabEjNsF3xUEFl/zAdfhm25cXViq2ZLbbufxHRgH0U=,tag:bAKb2gjl3w5nDW/OJEhOdQ==,type:str] + pgp: + - created_at: "2023-12-14T23:06:09Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7kpg2bgzVHcAQ//ZTChXz3XiVHA+PTtmYJWQX7b4Tu4DBlr53XRldUkxLJ1 + Qbo45jCfKnjjdeKFTbZ1D8sIh1Nx61GatUQZUCIZJ67zJnXmYyG3pSZ5bg95zIEF + lK+qN4nI0OevQblH9bZrO9DvRxxYP1s2F/C+fToq9FqbzmzrdL4CTn0gV52PMVGK + MgtwOhskjvDCjZzWkHPMYrn1QEDXlF+LRdrSNBSjveExWmyJbU6l46Vsi58F9DSM + M2puHE97zX0Wil4MZ5Tu8wsTqv6RGtAeHabAqFP+2+0wpEX3s2E+4FbfDXEWQaWC + WPM2NlWQMNFK9vPzFF5rzlMEG0dZ+ldUYFhcGqfKrRthf9D42JsK2vgaPzQcj01J + HxCmvoFQcVTn+6RqxrOhG0GS9Wn0HDE4fT/WaRTgqxhMTvR9fzXAR73KewZAXJjk + 8A/3lQSTzRM70RiDPNT7EuuOioEBrMs0Ma0oLa5ozr3bEd0zeq4DCer1rgMDT+1C + 
gAcfahg9fA7s+3bR2yu9ZqI4NIMsaHXV/IxJ7u0wSxusy3Lwm0/U3ccjYT+bW0it + yQeJr+4cxi2pBeT8SdgXnSTQtVWWk5lV3DGgrZwC6rnethSguCakO7iuotDwHDCe + y+BX/X4j+LebxZ/yh+yAWQmg3WwSRSTgeBPRZev+7GWuxpeNXOQUc6f+SnNUNfnS + UQFZp2cJhke+FzS7qt4HAsxxJpWRl259hN4zKhfhKauyhOsnKMZDhZqvQSLJO1fD + sqOrrFhg1lIHTKlHPPHHImJj2PgA4+4Lx4QyuPnFRc0j9w== + =sqer + -----END PGP MESSAGE----- + fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 + - created_at: "2023-12-14T23:06:09Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA4oYbIHZIrAPARAArkN/49Xrq0PPuBZf09rp33veB3/BtMd2rPdHClLhtVBi + Zq7s3txTf1fGp4fxXWWn0/yLHzUH5E46BC5gyX+ciyaeQ0rVrXDg76JtGo6r8Eo9 + 4y9IzUGN4GEE/bGhQAOt2Ci86WPGnJjdUkCGUB8tyR5pBp1e8po0LDqzg6FIing9 + YDIrh+ek86niVemqHOomPDQpRds5joqDIkkpnfihWvp+y7Mig0oh/Gug18UCjB1q + p40YFc2nb7s90oDuKKf+W9in45OQIbnneXgTkgxWORKQ3hRSBUYdqcVQH65h4KZJ + 9AcXSmVnAiNoXJRJ5ZzGnJRs4Aj12g78nMnCG60p2uHC2ya5gCg9gCpDrcP+H+Qe + Up0T5+yj7IHmjUIt+sZRR3CijAwAwnPC782eoj0FHCfhDSWc+hFya/WHdV/o1CQG + qtLwI02pLSeHlKjnSQw/T8hrmfxl1XX+UVtJ/0kCjJn5OTp5XCiWiRUc7nWNJx18 + 9vUSMRXS8k7WqSZOLon++07tBF9jfrWl/iuOOdHKTVexcs0HJCEPyB1oqeM2sVt3 + qYgW0k4gkVB1NW/W1ZcDoAcG5qqt4GfoTeWO12t3IFY3vQOiwRxn+1Poq4OHSufZ + rjZRhb7TA6BaIlWuBsyGhu9GNrRJPfjMjEWGnH8YqZ/I1fZZkam7Z6mud0A8EufU + aAEJAhAx/pV+k19CprasjNM12QfEdZvQ66KDr+v29u9er80FM7xN1yWyteeiZG2Q + wFfw+PMRHsWImVn+wTgP00hX67E8uyjuVVQgCW+t+e5JHWg5LVdyksM4rSaZSJmK + d+5XwUu9H5RS + =RQ6l + -----END PGP MESSAGE----- + fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 + encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName)$ + version: 3.7.3
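Review bot: In apps/k8s01/unpoller/secret.yaml, `UP_UNIFI_DEFAULT_VERIFY_SSL` and `UP_INFLUXDB_DISABLE` are encrypted alongside the credentials, so a reviewer cannot confirm from the commit that TLS verification towards the controller is enabled. Both look like plain settings rather than secrets; keeping them as literal `env` entries on the container (or in a ConfigMap) would make them reviewable. The ciphertext appears to preserve the plaintext length in any case, so encrypting a boolean hides little. The file is listed as an ordinary resource in kustomization.yaml, so it depends on a SOPS decryption step in the deploy pipeline that this commit does not show. Without one, the `ENC[...]` strings and the top-level `sops:` block would reach the API server as written.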