fix: Traefik | remove ingress property from values.yaml

This reverts commit faa5a74702.

cache-infrastructure/go/values.yaml

@@ -1,4 +1,4 @@
-replicaCount: 3
+replicaCount: 1
 image:
   runAsNonRoot: true
 nodeSelector:

cache-infrastructure/nix/index.ts

@@ -73,7 +73,7 @@ export class NixCache extends Construct {
         namespace,
       },
       spec: {
-        replicas: "3",
+        replicas: "1",
         selector: {
           matchLabels: {
             app: name,

cache-infrastructure/npm/index.ts

@@ -70,7 +70,7 @@ export class NpmCache extends Construct {
         namespace,
       },
       spec: {
-        replicas: "3",
+        replicas: "1",
         selector: {
           matchLabels: {
             app: name,

core-services/cert-manager/values.yaml

@@ -6,3 +6,6 @@ prometheus:
 webhook:
   timeoutSeconds: 4
 enableCertificateOwnerRef: true
+extraArgs:
+  - "--dns01-recursive-nameservers-only"
+  - "--dns01-recursive-nameservers=1.1.1.1:53"

core-services/traefik/values.yaml

@@ -3,11 +3,6 @@ image:
 providers:
   kubernetesCRD:
     allowCrossNamespace: true
-ingress:
-  ingressClass:
-    enabled: false
-    isDefaultClass: true
-    name: traefik
 deployment:
   replicas: 1
   podLabels:
@@ -25,28 +20,11 @@ topologySpreadConstraints:
       matchLabels:
         app: traefik
 additionalArguments:
-  - "--entryPoints.ssh.address=:22/tcp"
+  - "--entryPoints.ssh.address=:2222/tcp"
-  - "--entryPoints.minecraft-gtnh.address=:25566/tcp"
-  - "--entryPoints.minecraft-tfg.address=:25567/tcp"
 ports:
   ssh:
-    name: ssh
+    port: 2222
-    port: 22
+    exposedPort: 2222
-    exposedPort: 22
-    expose:
-      default: true
-    protocol: TCP
-  minecraft-gtnh:
-    name: minecraft-gtnh
-    port: 25566
-    exposedPort: 25566
-    expose:
-      default: true
-    protocol: TCP
-  minecraft-tfg:
-    name: minecraft-tfg
-    port: 25567
-    exposedPort: 25567
     expose:
       default: true
     protocol: TCP

elasticsearch/cluster.yaml

@@ -1,23 +1,4 @@
 ---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: elasticsearch-cert
-  namespace: elastic-system
-spec:
-  secretName: elasticsearch-cert
-  privateKey:
-    algorithm: ECDSA
-    size: 384
-  usages:
-    - server auth
-  dnsNames:
-    - elastic.dogar.dev
-  issuerRef:
-    name: cloudflare-issuer
-    kind: ClusterIssuer
-    group: cert-manager.io
----
 apiVersion: elasticsearch.k8s.elastic.co/v1
 kind: Elasticsearch
 metadata:
@@ -26,18 +7,19 @@ metadata:
 spec:
   version: 8.15.2
   http:
-    service:
-      spec:
-        type: LoadBalancer
-      metadata:
-        annotations:
-          external-dns.alpha.kubernetes.io/hostname: elastic.dogar.dev
     tls:
       certificate:
-        secretName: elasticsearch-cert
+        secretName: elasticsearch-es-http-tls-internal
   nodeSets:
   - name: master
-    count: 1
+    count: 3
+    podTemplate:
+      spec:
+        containers:
+        - name: elasticsearch
+          resources:
+            limits:
+              memory: 8Gi
     volumeClaimTemplates:
     - metadata:
         name: elasticsearch-data
@@ -47,6 +29,27 @@ spec:
         resources:
           requests:
             storage: 10Gi
-        storageClassName: longhorn-crypto
+        storageClassName: longhorn
     config:
-      node.roles: ["master", "data"]
+      node.roles: ["master"]
+  - name: data
+    count: 3
+    podTemplate:
+      spec:
+        containers:
+        - name: elasticsearch
+          resources:
+            limits:
+              memory: 8Gi
+    volumeClaimTemplates:
+    - metadata:
+        name: elasticsearch-data
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 50Gi
+        storageClassName: longhorn
+    config:
+      node.roles: ["data", "ingest"]

elasticsearch/kibana.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: kibana.k8s.elastic.co/v1beta1
+kind: Kibana
+metadata:
+  name: kibana
+  namespace: elastic-system
+spec:
+  version: 8.15.2
+  count: 1
+  elasticsearchRef:
+    name: elasticsearch
+  http:
+    tls:
+      certificate:
+        secretName: kibana-kb-http-tls-internal
+

elasticsearch/operator.yaml

@@ -1,796 +0,0 @@
-# Source: eck-operator/templates/operator-namespace.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: elastic-system
-  labels:
-    name: elastic-system
----
-# Source: eck-operator/templates/service-account.yaml
-apiVersion: v1
-kind: ServiceAccount
-automountServiceAccountToken: true
-metadata:
-  name: elastic-operator
-  namespace: elastic-system
-  labels:
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
----
-# Source: eck-operator/templates/webhook.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: elastic-webhook-server-cert
-  namespace: elastic-system
-  labels:
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
----
-# Source: eck-operator/templates/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: elastic-operator
-  namespace: elastic-system
-  labels:
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
-data:
-  eck.yaml: |-
-    log-verbosity: 0
-    metrics-port: 0
-    container-registry: docker.elastic.co
-    max-concurrent-reconciles: 3
-    ca-cert-validity: 8760h
-    ca-cert-rotate-before: 24h
-    cert-validity: 8760h
-    cert-rotate-before: 24h
-    disable-config-watch: false
-    exposed-node-labels: [topology.kubernetes.io/.*,failure-domain.beta.kubernetes.io/.*]
-    set-default-security-context: auto-detect
-    kube-client-timeout: 60s
-    elasticsearch-client-timeout: 180s
-    disable-telemetry: false
-    distribution-channel: all-in-one
-    validate-storage-class: true
-    enable-webhook: true
-    webhook-name: elastic-webhook.k8s.elastic.co
-    webhook-port: 9443
-    operator-namespace: elastic-system
-    enable-leader-election: true
-    elasticsearch-observation-interval: 10s
-    ubi-only: false
----
-# Source: eck-operator/templates/cluster-roles.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: elastic-operator
-  labels:
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
-rules:
-- apiGroups:
-  - "authorization.k8s.io"
-  resources:
-  - subjectaccessreviews
-  verbs:
-  - create
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - create
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  resourceNames:
-  - elastic-operator-leader
-  verbs:
-  - get
-  - watch
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - endpoints
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - events
-  - persistentvolumeclaims
-  - secrets
-  - services
-  - configmaps
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - apps
-  resources:
-  - deployments
-  - statefulsets
-  - daemonsets
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - policy
-  resources:
-  - poddisruptionbudgets
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - elasticsearch.k8s.elastic.co
-  resources:
-  - elasticsearches
-  - elasticsearches/status
-  - elasticsearches/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-- apiGroups:
-  - autoscaling.k8s.elastic.co
-  resources:
-  - elasticsearchautoscalers
-  - elasticsearchautoscalers/status
-  - elasticsearchautoscalers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-- apiGroups:
-  - kibana.k8s.elastic.co
-  resources:
-  - kibanas
-  - kibanas/status
-  - kibanas/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-- apiGroups:
-  - apm.k8s.elastic.co
-  resources:
-  - apmservers
-  - apmservers/status
-  - apmservers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-- apiGroups:
-  - enterprisesearch.k8s.elastic.co
-  resources:
-  - enterprisesearches
-  - enterprisesearches/status
-  - enterprisesearches/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-- apiGroups:
-  - beat.k8s.elastic.co
-  resources:
-  - beats
-  - beats/status
-  - beats/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-- apiGroups:
-  - agent.k8s.elastic.co
-  resources:
-  - agents
-  - agents/status
-  - agents/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-- apiGroups:
-  - maps.k8s.elastic.co
-  resources:
-  - elasticmapsservers
-  - elasticmapsservers/status
-  - elasticmapsservers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-- apiGroups:
-  - stackconfigpolicy.k8s.elastic.co
-  resources:
-  - stackconfigpolicies
-  - stackconfigpolicies/status
-  - stackconfigpolicies/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-- apiGroups:
-  - logstash.k8s.elastic.co
-  resources:
-  - logstashes
-  - logstashes/status
-  - logstashes/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-- apiGroups:
-  - storage.k8s.io
-  resources:
-  - storageclasses
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - validatingwebhookconfigurations
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - nodes
-  verbs:
-  - get
-  - list
-  - watch
----
-# Source: eck-operator/templates/cluster-roles.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: "elastic-operator-view"
-  labels:
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
-rules:
-- apiGroups: ["elasticsearch.k8s.elastic.co"]
-  resources: ["elasticsearches"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["autoscaling.k8s.elastic.co"]
-  resources: ["elasticsearchautoscalers"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["apm.k8s.elastic.co"]
-  resources: ["apmservers"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["kibana.k8s.elastic.co"]
-  resources: ["kibanas"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["enterprisesearch.k8s.elastic.co"]
-  resources: ["enterprisesearches"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["beat.k8s.elastic.co"]
-  resources: ["beats"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["agent.k8s.elastic.co"]
-  resources: ["agents"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["maps.k8s.elastic.co"]
-  resources: ["elasticmapsservers"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["stackconfigpolicy.k8s.elastic.co"]
-  resources: ["stackconfigpolicies"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["logstash.k8s.elastic.co"]
-  resources: ["logstashes"]
-  verbs: ["get", "list", "watch"]
----
-# Source: eck-operator/templates/cluster-roles.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: "elastic-operator-edit"
-  labels:
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
-rules:
-- apiGroups: ["elasticsearch.k8s.elastic.co"]
-  resources: ["elasticsearches"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
-- apiGroups: ["autoscaling.k8s.elastic.co"]
-  resources: ["elasticsearchautoscalers"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
-- apiGroups: ["apm.k8s.elastic.co"]
-  resources: ["apmservers"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
-- apiGroups: ["kibana.k8s.elastic.co"]
-  resources: ["kibanas"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
-- apiGroups: ["enterprisesearch.k8s.elastic.co"]
-  resources: ["enterprisesearches"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
-- apiGroups: ["beat.k8s.elastic.co"]
-  resources: ["beats"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
-- apiGroups: ["agent.k8s.elastic.co"]
-  resources: ["agents"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
-- apiGroups: ["maps.k8s.elastic.co"]
-  resources: ["elasticmapsservers"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
-- apiGroups: ["stackconfigpolicy.k8s.elastic.co"]
-  resources: ["stackconfigpolicies"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
-- apiGroups: ["logstash.k8s.elastic.co"]
-  resources: ["logstashes"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
----
-# Source: eck-operator/templates/role-bindings.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: elastic-operator
-  labels:
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: elastic-operator
-subjects:
-- kind: ServiceAccount
-  name: elastic-operator
-  namespace: elastic-system
----
-# Source: eck-operator/templates/webhook.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: elastic-webhook-server
-  namespace: elastic-system
-  labels:
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
-spec:
-  ports:
-  - name: https
-    port: 443
-    targetPort: 9443
-  selector:
-    control-plane: elastic-operator
----
-# Source: eck-operator/templates/statefulset.yaml
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: elastic-operator
-  namespace: elastic-system
-  labels:
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
-spec:
-  selector:
-    matchLabels:
-      control-plane: elastic-operator
-  serviceName: elastic-operator
-  replicas: 1
-  template:
-    metadata:
-      annotations:
-        # Rename the fields "error" to "error.message" and "source" to "event.source"
-        # This is to avoid a conflict with the ECS "error" and "source" documents.
-        "co.elastic.logs/raw": "[{\"type\":\"container\",\"json.keys_under_root\":true,\"paths\":[\"/var/log/containers/*${data.kubernetes.container.id}.log\"],\"processors\":[{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"error\",\"to\":\"_error\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_error\",\"to\":\"error.message\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"source\",\"to\":\"_source\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_source\",\"to\":\"event.source\"}]}}]}]"
-        "checksum/config": 882102069a9b11c3a4edfd77edcbbf9c3873f3dfc0d3f41676bd953ed4a3ce28
-      labels:
-        control-plane: elastic-operator
-    spec:
-      terminationGracePeriodSeconds: 10
-      serviceAccountName: elastic-operator
-      automountServiceAccountToken: true
-      securityContext:
-        runAsNonRoot: true
-      containers:
-      - image: "docker.elastic.co/eck/eck-operator:2.14.0"
-        imagePullPolicy: IfNotPresent
-        name: manager
-        args:
-        - "manager"
-        - "--config=/conf/eck.yaml"
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-        env:
-        - name: OPERATOR_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-        - name: WEBHOOK_SECRET
-          value: elastic-webhook-server-cert
-        resources:
-          limits:
-            cpu: 1
-            memory: 1Gi
-          requests:
-            cpu: 100m
-            memory: 150Mi
-        ports:
-        - containerPort: 9443
-          name: https-webhook
-          protocol: TCP
-        volumeMounts:
-        - mountPath: "/conf"
-          name: conf
-          readOnly: true
-        - mountPath: /tmp/k8s-webhook-server/serving-certs
-          name: cert
-          readOnly: true
-      volumes:
-      - name: conf
-        configMap:
-          name: elastic-operator
-      - name: cert
-        secret:
-          defaultMode: 420
-          secretName: elastic-webhook-server-cert
----
-# Source: eck-operator/templates/webhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: elastic-webhook.k8s.elastic.co
-  labels:
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
-webhooks:
-- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-agent-k8s-elastic-co-v1alpha1-agent
-  failurePolicy: Ignore
-  name: elastic-agent-validation-v1alpha1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - agent.k8s.elastic.co
-    apiVersions:
-    - v1alpha1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - agents
-- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-apm-k8s-elastic-co-v1-apmserver
-  failurePolicy: Ignore
-  name: elastic-apm-validation-v1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - apm.k8s.elastic.co
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - apmservers
-- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-apm-k8s-elastic-co-v1beta1-apmserver
-  failurePolicy: Ignore
-  name: elastic-apm-validation-v1beta1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - apm.k8s.elastic.co
-    apiVersions:
-    - v1beta1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - apmservers
-- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-beat-k8s-elastic-co-v1beta1-beat
-  failurePolicy: Ignore
-  name: elastic-beat-validation-v1beta1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - beat.k8s.elastic.co
-    apiVersions:
-    - v1beta1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - beats
-- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-enterprisesearch-k8s-elastic-co-v1-enterprisesearch
-  failurePolicy: Ignore
-  name: elastic-ent-validation-v1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - enterprisesearch.k8s.elastic.co
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - enterprisesearches
-- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-enterprisesearch-k8s-elastic-co-v1beta1-enterprisesearch
-  failurePolicy: Ignore
-  name: elastic-ent-validation-v1beta1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - enterprisesearch.k8s.elastic.co
-    apiVersions:
-    - v1beta1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - enterprisesearches
-- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-elasticsearch-k8s-elastic-co-v1-elasticsearch
-  failurePolicy: Ignore
-  name: elastic-es-validation-v1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - elasticsearch.k8s.elastic.co
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - elasticsearches
-- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-elasticsearch-k8s-elastic-co-v1beta1-elasticsearch
-  failurePolicy: Ignore
-  name: elastic-es-validation-v1beta1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - elasticsearch.k8s.elastic.co
-    apiVersions:
-    - v1beta1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - elasticsearches
-- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-ems-k8s-elastic-co-v1alpha1-mapsservers
-  failurePolicy: Ignore
-  name: elastic-ems-validation-v1alpha1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - maps.k8s.elastic.co
-    apiVersions:
-    - v1alpha1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - mapsservers
-- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-kibana-k8s-elastic-co-v1-kibana
-  failurePolicy: Ignore
-  name: elastic-kb-validation-v1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - kibana.k8s.elastic.co
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - kibanas
-- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-kibana-k8s-elastic-co-v1beta1-kibana
-  failurePolicy: Ignore
-  name: elastic-kb-validation-v1beta1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - kibana.k8s.elastic.co
-    apiVersions:
-    - v1beta1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - kibanas
-- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-autoscaling-k8s-elastic-co-v1alpha1-elasticsearchautoscaler
-  failurePolicy: Ignore
-  name: elastic-esa-validation-v1alpha1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - autoscaling.k8s.elastic.co
-    apiVersions:
-    - v1alpha1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - elasticsearchautoscalers
-- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-scp-k8s-elastic-co-v1alpha1-stackconfigpolicies
-  failurePolicy: Ignore
-  name: elastic-scp-validation-v1alpha1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - stackconfigpolicy.k8s.elastic.co
-    apiVersions:
-    - v1alpha1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - stackconfigpolicies
-- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-logstash-k8s-elastic-co-v1alpha1-logstash
-  failurePolicy: Ignore
-  name: elastic-logstash-validation-v1alpha1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - logstash.k8s.elastic.co
-    apiVersions:
-    - v1alpha1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - logstashes
-

gaming-services/minecraft/index.ts

@@ -3,8 +3,8 @@ import { TerraformStack } from "cdktf";
 import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
 import { NamespaceV1 } from "@cdktf/provider-kubernetes/lib/namespace-v1";
 import { OnePasswordSecret } from "../../utils";
-import { TerraFirmaGreg } from "./tfg";
+// import { TerraFirmaGreg } from "./tfg";
-import { GTNH } from "./gtnh";
+// import { GTNH } from "./gtnh";
 
 export class GamingServices extends TerraformStack {
   constructor(scope: Construct, id: string) {
@@ -29,7 +29,7 @@ export class GamingServices extends TerraformStack {
       itemPath: "vaults/Lab/items/curseforge",
     });
 
-    new TerraFirmaGreg(this, "tfg", provider, namespace);
+    // new TerraFirmaGreg(this, "tfg", provider, namespace);
-    new GTNH(this, "gtnh", provider, namespace);
+    // new GTNH(this, "gtnh", provider, namespace);
   }
 }

gaming-services/minecraft/utils/index.ts

@@ -53,7 +53,7 @@ export class MinecraftServer extends Construct {
       },
       waitForRollout: false,
       spec: {
-        replicas: "1",
+        replicas: "0",
         serviceName: name,
         updateStrategy: [
           {
@@ -75,10 +75,6 @@ export class MinecraftServer extends Construct {
           {
             metadata: {
               name: `${name}-data`,
-              labels: {
-                "recurring-job.longhorn.io/source": "enabled",
-                "recurring-job.longhorn.io/daily-backup": "enabled",
-              },
             },
             spec: {
               accessModes: ["ReadWriteOnce"],

k8s-operators/index.ts

@@ -42,5 +42,14 @@ export class K8SOperators extends TerraformStack {
     });
 
     barman.node.addDependency(cnpg);
+
+    new Release(this, "elasticsearch", {
+      provider: helm,
+      repository: "https://helm.elastic.co",
+      chart: "eck-operator",
+      name: "elasticsearch",
+      namespace: "elastic-system",
+      createNamespace: true,
+    });
   }
 }

network-security/index.ts

@@ -7,6 +7,7 @@ import {
   RateLimitMiddleware,
   IpAllowListMiddleware,
   IpAllowListMiddlewareTCP,
+  TLSOptions,
 } from "./traefik";
 import { ValkeyCluster } from "./valkey";
 import { InternalIngressRoute, PrivateCertificate } from "../utils";
@@ -67,6 +68,11 @@ export class NetworkSecurity extends TerraformStack {
       name: "rate-limit",
     });
 
+    new TLSOptions(this, "tls-options", {
+      provider: kubernetes,
+      namespace,
+    });
+
     new IpAllowListMiddleware(this, "internal-ip-allow-list", {
       provider: kubernetes,
       namespace,

network-security/traefik/index.ts

@@ -1,2 +1,3 @@
 export { RateLimitMiddleware } from "./rateLimit";
 export { IpAllowListMiddleware, IpAllowListMiddlewareTCP } from "./ipAllowList";
+export { TLSOptions } from "./tlsOpts";

network-security/traefik/tlsOpts.ts

@@ -0,0 +1,31 @@
+import { Construct } from "constructs";
+import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+
+export class TLSOptions extends Construct {
+  constructor(
+    scope: Construct,
+    id: string,
+    opts: { provider: KubernetesProvider; namespace: string },
+  ) {
+    super(scope, id);
+
+    const { provider, namespace } = opts;
+
+    new Manifest(this, "traefik-tls-options", {
+      provider,
+      manifest: {
+        apiVersion: "traefik.io/v1alpha1",
+        kind: "TLSOption",
+        metadata: {
+          namespace,
+          name: "tls-options",
+        },
+        spec: {
+          minVersion: "VersionTLS13",
+          sniStrict: true,
+        },
+      },
+    });
+  }
+}

utility-services/gitea/server/index.ts

@@ -79,7 +79,7 @@ export class GiteaServer extends Construct {
       match: "HostSNI(`*`)",
       entryPoint: "ssh",
       serviceName: `${name}-ssh`,
-      servicePort: 22,
+      servicePort: 2222,
     });
 
     new PublicIngressRoute(this, "http-ingress", {

utility-services/gitea/server/values.yaml

@@ -12,6 +12,7 @@ service:
   ssh:
     annotations:
       metallb.universe.tf/allow-shared-ip: gitea
+    port: 2222
 ingress:
   enabled: false
 gitea:
@@ -40,7 +41,7 @@ gitea:
       SSH_DOMAIN: git.dogar.dev
       DISABLE_SSH: false
       SSH_LISTEN_PORT: 2222
-      SSH_PORT: 22
+      SSH_PORT: 2222
     database:
       DB_TYPE: postgres
       HOST: postgres-cluster-rw

utility-services/index.ts

@@ -8,6 +8,7 @@ import { GiteaRunner, GiteaServer } from "./gitea";
 import { AuthentikServer } from "./authentik";
 import { PostgresCluster } from "./postgres";
 import { DynamicDNS } from "./dynamic-dns";
+import { PublicIngressRoute } from "../utils";
 
 export class UtilityServices extends TerraformStack {
   constructor(scope: Construct, id: string) {
@@ -71,6 +72,8 @@ export class UtilityServices extends TerraformStack {
         "pip.dogar.dev",
         "npm.dogar.dev",
         "go.dogar.dev",
+        "elastic.dogar.dev",
+        "kibana.dogar.dev",
       ],
     });
 
@@ -114,5 +117,25 @@ export class UtilityServices extends TerraformStack {
       name: "gitea-runner",
       replicas: 3,
     });
+
+    new PublicIngressRoute(this, "elasticsearch", {
+      provider: kubernetes,
+      namespace: "elastic-system",
+      name: "elasticsearch",
+      host: "elastic.dogar.dev",
+      serviceName: "elasticsearch-es-http",
+      servicePort: 9200,
+      serviceProtocol: "https",
+    });
+
+    new PublicIngressRoute(this, "kibana", {
+      provider: kubernetes,
+      namespace: "elastic-system",
+      name: "kibana",
+      host: "kibana.dogar.dev",
+      serviceName: "kibana-kb-http",
+      servicePort: 5601,
+      serviceProtocol: "https",
+    });
   }
 }

utils/traefik/ingress/ingress.ts

@@ -110,6 +110,10 @@ export class IngressRoute extends Construct {
     if (opts.tlsSecretName) {
       spec.tls = {
         secretName: opts.tlsSecretName,
+        options: {
+          name: "tls-options",
+          namespace: "homelab",
+        },
       };
     }