GitLab

MarcusVRP pushed to branch main at Root / Kubernetes / FluxCD

Commits:

baa6d3e8
by marcusvrp at 2025-08-08T05:04:21-03:00
```
revert(nextcloud): waste of time
```

3 changed files:

apps/base/nextcloud/helmrelease.yaml
− infrastructure/base/controllers/ingress-nginx.yaml
infrastructure/stage/kustomization.yaml

Changes:

apps/base/nextcloud/helmrelease.yaml

@@ -16,33 +16,9 @@ spec:
        flavor: fpm-alpine
      ingress:
        enabled: true
 -      className: nginx
 +      className: cilium
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt-dns01
 -        nginx.ingress.kubernetes.io/server-snippet: |-
 -          server_tokens off;
 -          proxy_hide_header X-Powered-By;
 -          rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
 -          rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
 -          rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
 -          rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
 -          location = /.well-known/carddav {
 -            return 301 $scheme://$host/remote.php/dav;
 -          }
 -          location = /.well-known/caldav {
 -            return 301 $scheme://$host/remote.php/dav;
 -          }
 -          location = /robots.txt {
 -            allow all;
 -            log_not_found off;
 -            access_log off;
 -          }
 -          location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
 -            deny all;
 -          }
 -          location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
 -            deny all;
 -          }
        tls:
          - secretName: nextcloud-tls
            hosts:

infrastructure/base/controllers/ingress-nginx.yaml deleted

 -apiVersion: v1
 -kind: Namespace
 -metadata:
 -  labels:
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -  name: ingress-nginx
 ----
 -apiVersion: v1
 -automountServiceAccountToken: true
 -kind: ServiceAccount
 -metadata:
 -  labels:
 -    app.kubernetes.io/component: controller
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: ingress-nginx
 -  namespace: ingress-nginx
 ----
 -apiVersion: v1
 -automountServiceAccountToken: true
 -kind: ServiceAccount
 -metadata:
 -  labels:
 -    app.kubernetes.io/component: admission-webhook
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: ingress-nginx-admission
 -  namespace: ingress-nginx
 ----
 -apiVersion: rbac.authorization.k8s.io/v1
 -kind: Role
 -metadata:
 -  labels:
 -    app.kubernetes.io/component: controller
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: ingress-nginx
 -  namespace: ingress-nginx
 -rules:
 -  - apiGroups:
 -      - ""
 -    resources:
 -      - namespaces
 -    verbs:
 -      - get
 -  - apiGroups:
 -      - ""
 -    resources:
 -      - configmaps
 -      - pods
 -      - secrets
 -      - endpoints
 -    verbs:
 -      - get
 -      - list
 -      - watch
 -  - apiGroups:
 -      - ""
 -    resources:
 -      - services
 -    verbs:
 -      - get
 -      - list
 -      - watch
 -  - apiGroups:
 -      - networking.k8s.io
 -    resources:
 -      - ingresses
 -    verbs:
 -      - get
 -      - list
 -      - watch
 -  - apiGroups:
 -      - networking.k8s.io
 -    resources:
 -      - ingresses/status
 -    verbs:
 -      - update
 -  - apiGroups:
 -      - networking.k8s.io
 -    resources:
 -      - ingressclasses
 -    verbs:
 -      - get
 -      - list
 -      - watch
 -  - apiGroups:
 -      - coordination.k8s.io
 -    resourceNames:
 -      - ingress-nginx-leader
 -    resources:
 -      - leases
 -    verbs:
 -      - get
 -      - update
 -  - apiGroups:
 -      - coordination.k8s.io
 -    resources:
 -      - leases
 -    verbs:
 -      - create
 -  - apiGroups:
 -      - ""
 -    resources:
 -      - events
 -    verbs:
 -      - create
 -      - patch
 -  - apiGroups:
 -      - discovery.k8s.io
 -    resources:
 -      - endpointslices
 -    verbs:
 -      - list
 -      - watch
 -      - get
 ----
 -apiVersion: rbac.authorization.k8s.io/v1
 -kind: Role
 -metadata:
 -  labels:
 -    app.kubernetes.io/component: admission-webhook
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: ingress-nginx-admission
 -  namespace: ingress-nginx
 -rules:
 -  - apiGroups:
 -      - ""
 -    resources:
 -      - secrets
 -    verbs:
 -      - get
 -      - create
 ----
 -apiVersion: rbac.authorization.k8s.io/v1
 -kind: ClusterRole
 -metadata:
 -  labels:
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: ingress-nginx
 -rules:
 -  - apiGroups:
 -      - ""
 -    resources:
 -      - configmaps
 -      - endpoints
 -      - nodes
 -      - pods
 -      - secrets
 -      - namespaces
 -    verbs:
 -      - list
 -      - watch
 -  - apiGroups:
 -      - coordination.k8s.io
 -    resources:
 -      - leases
 -    verbs:
 -      - list
 -      - watch
 -  - apiGroups:
 -      - ""
 -    resources:
 -      - nodes
 -    verbs:
 -      - get
 -  - apiGroups:
 -      - ""
 -    resources:
 -      - services
 -    verbs:
 -      - get
 -      - list
 -      - watch
 -  - apiGroups:
 -      - networking.k8s.io
 -    resources:
 -      - ingresses
 -    verbs:
 -      - get
 -      - list
 -      - watch
 -  - apiGroups:
 -      - ""
 -    resources:
 -      - events
 -    verbs:
 -      - create
 -      - patch
 -  - apiGroups:
 -      - networking.k8s.io
 -    resources:
 -      - ingresses/status
 -    verbs:
 -      - update
 -  - apiGroups:
 -      - networking.k8s.io
 -    resources:
 -      - ingressclasses
 -    verbs:
 -      - get
 -      - list
 -      - watch
 -  - apiGroups:
 -      - discovery.k8s.io
 -    resources:
 -      - endpointslices
 -    verbs:
 -      - list
 -      - watch
 -      - get
 ----
 -apiVersion: rbac.authorization.k8s.io/v1
 -kind: ClusterRole
 -metadata:
 -  labels:
 -    app.kubernetes.io/component: admission-webhook
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: ingress-nginx-admission
 -rules:
 -  - apiGroups:
 -      - admissionregistration.k8s.io
 -    resources:
 -      - validatingwebhookconfigurations
 -    verbs:
 -      - get
 -      - update
 ----
 -apiVersion: rbac.authorization.k8s.io/v1
 -kind: RoleBinding
 -metadata:
 -  labels:
 -    app.kubernetes.io/component: controller
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: ingress-nginx
 -  namespace: ingress-nginx
 -roleRef:
 -  apiGroup: rbac.authorization.k8s.io
 -  kind: Role
 -  name: ingress-nginx
 -subjects:
 -  - kind: ServiceAccount
 -    name: ingress-nginx
 -    namespace: ingress-nginx
 ----
 -apiVersion: rbac.authorization.k8s.io/v1
 -kind: RoleBinding
 -metadata:
 -  labels:
 -    app.kubernetes.io/component: admission-webhook
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: ingress-nginx-admission
 -  namespace: ingress-nginx
 -roleRef:
 -  apiGroup: rbac.authorization.k8s.io
 -  kind: Role
 -  name: ingress-nginx-admission
 -subjects:
 -  - kind: ServiceAccount
 -    name: ingress-nginx-admission
 -    namespace: ingress-nginx
 ----
 -apiVersion: rbac.authorization.k8s.io/v1
 -kind: ClusterRoleBinding
 -metadata:
 -  labels:
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: ingress-nginx
 -roleRef:
 -  apiGroup: rbac.authorization.k8s.io
 -  kind: ClusterRole
 -  name: ingress-nginx
 -subjects:
 -  - kind: ServiceAccount
 -    name: ingress-nginx
 -    namespace: ingress-nginx
 ----
 -apiVersion: rbac.authorization.k8s.io/v1
 -kind: ClusterRoleBinding
 -metadata:
 -  labels:
 -    app.kubernetes.io/component: admission-webhook
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: ingress-nginx-admission
 -roleRef:
 -  apiGroup: rbac.authorization.k8s.io
 -  kind: ClusterRole
 -  name: ingress-nginx-admission
 -subjects:
 -  - kind: ServiceAccount
 -    name: ingress-nginx-admission
 -    namespace: ingress-nginx
 ----
 -apiVersion: v1
 -data: null
 -kind: ConfigMap
 -metadata:
 -  labels:
 -    app.kubernetes.io/component: controller
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: ingress-nginx-controller
 -  namespace: ingress-nginx
 ----
 -apiVersion: v1
 -kind: Service
 -metadata:
 -  labels:
 -    app.kubernetes.io/component: controller
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: ingress-nginx-controller
 -  namespace: ingress-nginx
 -spec:
 -  ipFamilies:
 -    - IPv4
 -  ipFamilyPolicy: SingleStack
 -  ports:
 -    - appProtocol: http
 -      name: http
 -      port: 80
 -      protocol: TCP
 -      targetPort: http
 -    - appProtocol: https
 -      name: https
 -      port: 443
 -      protocol: TCP
 -      targetPort: https
 -  selector:
 -    app.kubernetes.io/component: controller
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -  type: LoadBalancer
 ----
 -apiVersion: v1
 -kind: Service
 -metadata:
 -  labels:
 -    app.kubernetes.io/component: controller
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: ingress-nginx-controller-admission
 -  namespace: ingress-nginx
 -spec:
 -  ports:
 -    - appProtocol: https
 -      name: https-webhook
 -      port: 443
 -      targetPort: webhook
 -  selector:
 -    app.kubernetes.io/component: controller
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -  type: ClusterIP
 ----
 -apiVersion: apps/v1
 -kind: Deployment
 -metadata:
 -  labels:
 -    app.kubernetes.io/component: controller
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: ingress-nginx-controller
 -  namespace: ingress-nginx
 -spec:
 -  replicas: 3
 -  minReadySeconds: 0
 -  revisionHistoryLimit: 10
 -  selector:
 -    matchLabels:
 -      app.kubernetes.io/component: controller
 -      app.kubernetes.io/instance: ingress-nginx
 -      app.kubernetes.io/name: ingress-nginx
 -  strategy:
 -    rollingUpdate:
 -      maxUnavailable: 1
 -    type: RollingUpdate
 -  template:
 -    metadata:
 -      labels:
 -        app.kubernetes.io/component: controller
 -        app.kubernetes.io/instance: ingress-nginx
 -        app.kubernetes.io/name: ingress-nginx
 -        app.kubernetes.io/part-of: ingress-nginx
 -        app.kubernetes.io/version: 1.12.0
 -    spec:
 -      containers:
 -        - args:
 -            - /nginx-ingress-controller
 -            - --election-id=ingress-nginx-leader
 -            - --controller-class=k8s.io/ingress-nginx
 -            - --ingress-class=nginx
 -            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
 -            - --validating-webhook=:8443
 -            - --validating-webhook-certificate=/usr/local/certificates/cert
 -            - --validating-webhook-key=/usr/local/certificates/key
 -          env:
 -            - name: POD_NAME
 -              valueFrom:
 -                fieldRef:
 -                  fieldPath: metadata.name
 -            - name: POD_NAMESPACE
 -              valueFrom:
 -                fieldRef:
 -                  fieldPath: metadata.namespace
 -            - name: LD_PRELOAD
 -              value: /usr/local/lib/libmimalloc.so
 -          image: registry.k8s.io/ingress-nginx/controller:v1.11.5@sha256:a1cbad75b0a7098bf9325132794dddf9eef917e8a7fe246749a4cea7ff6f01eb
 -          imagePullPolicy: IfNotPresent
 -          lifecycle:
 -            preStop:
 -              exec:
 -                command:
 -                  - /wait-shutdown
 -          livenessProbe:
 -            failureThreshold: 5
 -            httpGet:
 -              path: /healthz
 -              port: 10254
 -              scheme: HTTP
 -            initialDelaySeconds: 10
 -            periodSeconds: 10
 -            successThreshold: 1
 -            timeoutSeconds: 1
 -          name: controller
 -          ports:
 -            - containerPort: 80
 -              name: http
 -              protocol: TCP
 -            - containerPort: 443
 -              name: https
 -              protocol: TCP
 -            - containerPort: 8443
 -              name: webhook
 -              protocol: TCP
 -          readinessProbe:
 -            failureThreshold: 3
 -            httpGet:
 -              path: /healthz
 -              port: 10254
 -              scheme: HTTP
 -            initialDelaySeconds: 10
 -            periodSeconds: 10
 -            successThreshold: 1
 -            timeoutSeconds: 1
 -          resources:
 -            requests:
 -              cpu: 100m
 -              memory: 90Mi
 -          securityContext:
 -            allowPrivilegeEscalation: false
 -            capabilities:
 -              add:
 -                - NET_BIND_SERVICE
 -              drop:
 -                - ALL
 -            readOnlyRootFilesystem: false
 -            runAsGroup: 82
 -            runAsNonRoot: true
 -            runAsUser: 101
 -            seccompProfile:
 -              type: RuntimeDefault
 -          volumeMounts:
 -            - mountPath: /usr/local/certificates/
 -              name: webhook-cert
 -              readOnly: true
 -      dnsPolicy: ClusterFirst
 -      nodeSelector:
 -        kubernetes.io/os: linux
 -      serviceAccountName: ingress-nginx
 -      terminationGracePeriodSeconds: 300
 -      volumes:
 -        - name: webhook-cert
 -          secret:
 -            secretName: ingress-nginx-admission
 ----
 -apiVersion: batch/v1
 -kind: Job
 -metadata:
 -  labels:
 -    app.kubernetes.io/component: admission-webhook
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: ingress-nginx-admission-create
 -  namespace: ingress-nginx
 -spec:
 -  template:
 -    metadata:
 -      labels:
 -        app.kubernetes.io/component: admission-webhook
 -        app.kubernetes.io/instance: ingress-nginx
 -        app.kubernetes.io/name: ingress-nginx
 -        app.kubernetes.io/part-of: ingress-nginx
 -        app.kubernetes.io/version: 1.12.0
 -      name: ingress-nginx-admission-create
 -    spec:
 -      containers:
 -        - args:
 -            - create
 -            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
 -            - --namespace=$(POD_NAMESPACE)
 -            - --secret-name=ingress-nginx-admission
 -          env:
 -            - name: POD_NAMESPACE
 -              valueFrom:
 -                fieldRef:
 -                  fieldPath: metadata.namespace
 -          image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
 -          imagePullPolicy: IfNotPresent
 -          name: create
 -          securityContext:
 -            allowPrivilegeEscalation: false
 -            capabilities:
 -              drop:
 -                - ALL
 -            readOnlyRootFilesystem: true
 -            runAsGroup: 65532
 -            runAsNonRoot: true
 -            runAsUser: 65532
 -            seccompProfile:
 -              type: RuntimeDefault
 -      nodeSelector:
 -        kubernetes.io/os: linux
 -      restartPolicy: OnFailure
 -      serviceAccountName: ingress-nginx-admission
 ----
 -apiVersion: batch/v1
 -kind: Job
 -metadata:
 -  labels:
 -    app.kubernetes.io/component: admission-webhook
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: ingress-nginx-admission-patch
 -  namespace: ingress-nginx
 -spec:
 -  template:
 -    metadata:
 -      labels:
 -        app.kubernetes.io/component: admission-webhook
 -        app.kubernetes.io/instance: ingress-nginx
 -        app.kubernetes.io/name: ingress-nginx
 -        app.kubernetes.io/part-of: ingress-nginx
 -        app.kubernetes.io/version: 1.12.0
 -      name: ingress-nginx-admission-patch
 -    spec:
 -      containers:
 -        - args:
 -            - patch
 -            - --webhook-name=ingress-nginx-admission
 -            - --namespace=$(POD_NAMESPACE)
 -            - --patch-mutating=false
 -            - --secret-name=ingress-nginx-admission
 -            - --patch-failure-policy=Fail
 -          env:
 -            - name: POD_NAMESPACE
 -              valueFrom:
 -                fieldRef:
 -                  fieldPath: metadata.namespace
 -          image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
 -          imagePullPolicy: IfNotPresent
 -          name: patch
 -          securityContext:
 -            allowPrivilegeEscalation: false
 -            capabilities:
 -              drop:
 -                - ALL
 -            readOnlyRootFilesystem: true
 -            runAsGroup: 65532
 -            runAsNonRoot: true
 -            runAsUser: 65532
 -            seccompProfile:
 -              type: RuntimeDefault
 -      nodeSelector:
 -        kubernetes.io/os: linux
 -      restartPolicy: OnFailure
 -      serviceAccountName: ingress-nginx-admission
 ----
 -apiVersion: networking.k8s.io/v1
 -kind: IngressClass
 -metadata:
 -  labels:
 -    app.kubernetes.io/component: controller
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: nginx
 -spec:
 -  controller: k8s.io/ingress-nginx
 ----
 -apiVersion: admissionregistration.k8s.io/v1
 -kind: ValidatingWebhookConfiguration
 -metadata:
 -  labels:
 -    app.kubernetes.io/component: admission-webhook
 -    app.kubernetes.io/instance: ingress-nginx
 -    app.kubernetes.io/name: ingress-nginx
 -    app.kubernetes.io/part-of: ingress-nginx
 -    app.kubernetes.io/version: 1.12.0
 -  name: ingress-nginx-admission
 -webhooks:
 -  - admissionReviewVersions:
 -      - v1
 -    clientConfig:
 -      service:
 -        name: ingress-nginx-controller-admission
 -        namespace: ingress-nginx
 -        path: /networking/v1/ingresses
 -        port: 443
 -    failurePolicy: Fail
 -    matchPolicy: Equivalent
 -    name: validate.nginx.ingress.kubernetes.io
 -    rules:
 -      - apiGroups:
 -          - networking.k8s.io
 -        apiVersions:
 -          - v1
 -        operations:
 -          - CREATE
 -          - UPDATE
 -        resources:
 -          - ingresses
 -    sideEffects: None

infrastructure/stage/kustomization.yaml

  apiVersion: kustomize.config.k8s.io/v1beta1
  kind: Kustomization
  resources:
 -  - ../base/cilium
 -  - ../base/controllers/ingress-nginx.yaml
    - ../base/cilium
    - ./cilium/ippool.yaml
    - ../base/ceph-csi