fix: Traefik | remove ingress property from values.yaml

fix: ElasticSearch | fix invalid pod template
feat: Kibana | add ingress route for kibana
2026-02-04 21:31:10 +05:00 · 2026-02-04 20:48:51 +05:00 · 2026-02-04 20:36:48 +05:00 · 2026-02-04 20:36:38 +05:00 · 2026-02-04 20:36:21 +05:00 · 2026-01-25 14:52:42 +05:00
19 changed files with 139 additions and 11112 deletions
--- a/cache-infrastructure/go/values.yaml
+++ b/cache-infrastructure/go/values.yaml
@@ -1,4 +1,4 @@
-replicaCount: 3
+replicaCount: 1
 image:
  runAsNonRoot: true
 nodeSelector:
--- a/cache-infrastructure/nix/index.ts
+++ b/cache-infrastructure/nix/index.ts
@@ -73,7 +73,7 @@ export class NixCache extends Construct {
        namespace,
      },
      spec: {
-        replicas: "3",
+        replicas: "1",
        selector: {
          matchLabels: {
            app: name,
--- a/cache-infrastructure/npm/index.ts
+++ b/cache-infrastructure/npm/index.ts
@@ -70,7 +70,7 @@ export class NpmCache extends Construct {
        namespace,
      },
      spec: {
-        replicas: "3",
+        replicas: "1",
        selector: {
          matchLabels: {
            app: name,
--- a/core-services/cert-manager/values.yaml
+++ b/core-services/cert-manager/values.yaml
@@ -6,3 +6,6 @@ prometheus:
 webhook:
  timeoutSeconds: 4
 enableCertificateOwnerRef: true
+extraArgs:
+  - "--dns01-recursive-nameservers-only"
+  - "--dns01-recursive-nameservers=1.1.1.1:53"
--- a/core-services/traefik/values.yaml
+++ b/core-services/traefik/values.yaml
@@ -3,11 +3,6 @@ image:
 providers:
  kubernetesCRD:
    allowCrossNamespace: true
-ingress:
-  ingressClass:
-    enabled: false
-    isDefaultClass: true
-    name: traefik
 deployment:
  replicas: 1
  podLabels:
@@ -25,28 +20,11 @@ topologySpreadConstraints:
      matchLabels:
        app: traefik
 additionalArguments:
-  - "--entryPoints.ssh.address=:22/tcp"
-  - "--entryPoints.minecraft-gtnh.address=:25566/tcp"
-  - "--entryPoints.minecraft-tfg.address=:25567/tcp"
+  - "--entryPoints.ssh.address=:2222/tcp"
 ports:
  ssh:
-    name: ssh
-    port: 22
-    exposedPort: 22
-    expose:
-      default: true
-    protocol: TCP
-  minecraft-gtnh:
-    name: minecraft-gtnh
-    port: 25566
-    exposedPort: 25566
-    expose:
-      default: true
-    protocol: TCP
-  minecraft-tfg:
-    name: minecraft-tfg
-    port: 25567
-    exposedPort: 25567
+    port: 2222
+    exposedPort: 2222
    expose:
      default: true
    protocol: TCP
--- a/elasticsearch/cluster.yaml
+++ b/elasticsearch/cluster.yaml
@@ -1,23 +1,4 @@
 ---
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: elasticsearch-cert
-  namespace: elastic-system
-spec:
-  secretName: elasticsearch-cert
-  privateKey:
-    algorithm: ECDSA
-    size: 384
-  usages:
-    - server auth
-  dnsNames:
-    - elastic.dogar.dev
-  issuerRef:
-    name: cloudflare-issuer
-    kind: ClusterIssuer
-    group: cert-manager.io
---
 apiVersion: elasticsearch.k8s.elastic.co/v1
 kind: Elasticsearch
 metadata:
@@ -26,18 +7,19 @@ metadata:
 spec:
  version: 8.15.2
  http:
-    service:
-      spec:
-        type: LoadBalancer
-      metadata:
-        annotations:
-          external-dns.alpha.kubernetes.io/hostname: elastic.dogar.dev
    tls:
      certificate:
-        secretName: elasticsearch-cert
+        secretName: elasticsearch-es-http-tls-internal
  nodeSets:
  - name: master
-    count: 1
+    count: 3
+    podTemplate:
+      spec:
+        containers:
+        - name: elasticsearch
+          resources:
+            limits:
+              memory: 8Gi
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
@@ -47,6 +29,27 @@ spec:
        resources:
          requests:
            storage: 10Gi
-        storageClassName: longhorn-crypto
+        storageClassName: longhorn
    config:
-      node.roles: ["master", "data"]
+      node.roles: ["master"]
+  - name: data
+    count: 3
+    podTemplate:
+      spec:
+        containers:
+        - name: elasticsearch
+          resources:
+            limits:
+              memory: 8Gi
+    volumeClaimTemplates:
+    - metadata:
+        name: elasticsearch-data
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 50Gi
+        storageClassName: longhorn
+    config:
+      node.roles: ["data", "ingest"]
--- a/elasticsearch/crds.yaml
+++ b/elasticsearch/crds.yaml
--- a/elasticsearch/kibana.yaml
+++ b/elasticsearch/kibana.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: kibana.k8s.elastic.co/v1beta1
+kind: Kibana
+metadata:
+  name: kibana
+  namespace: elastic-system
+spec:
+  version: 8.15.2
+  count: 1
+  elasticsearchRef:
+    name: elasticsearch
+  http:
+    tls:
+      certificate:
+        secretName: kibana-kb-http-tls-internal
+
--- a/elasticsearch/operator.yaml
+++ b/elasticsearch/operator.yaml
@@ -1,796 +0,0 @@
-# Source: eck-operator/templates/operator-namespace.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: elastic-system
-  labels:
-    name: elastic-system
---
-# Source: eck-operator/templates/service-account.yaml
-apiVersion: v1
-kind: ServiceAccount
-automountServiceAccountToken: true
-metadata:
-  name: elastic-operator
-  namespace: elastic-system
-  labels:
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
---
-# Source: eck-operator/templates/webhook.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: elastic-webhook-server-cert
-  namespace: elastic-system
-  labels:
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
---
-# Source: eck-operator/templates/configmap.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: elastic-operator
-  namespace: elastic-system
-  labels:
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
-data:
-  eck.yaml: |-
-    log-verbosity: 0
-    metrics-port: 0
-    container-registry: docker.elastic.co
-    max-concurrent-reconciles: 3
-    ca-cert-validity: 8760h
-    ca-cert-rotate-before: 24h
-    cert-validity: 8760h
-    cert-rotate-before: 24h
-    disable-config-watch: false
-    exposed-node-labels: [topology.kubernetes.io/.*,failure-domain.beta.kubernetes.io/.*]
-    set-default-security-context: auto-detect
-    kube-client-timeout: 60s
-    elasticsearch-client-timeout: 180s
-    disable-telemetry: false
-    distribution-channel: all-in-one
-    validate-storage-class: true
-    enable-webhook: true
-    webhook-name: elastic-webhook.k8s.elastic.co
-    webhook-port: 9443
-    operator-namespace: elastic-system
-    enable-leader-election: true
-    elasticsearch-observation-interval: 10s
-    ubi-only: false
---
-# Source: eck-operator/templates/cluster-roles.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: elastic-operator
-  labels:
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
-rules:
- apiGroups:
-  - "authorization.k8s.io"
-  resources:
-  - subjectaccessreviews
-  verbs:
-  - create
- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - create
- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  resourceNames:
-  - elastic-operator-leader
-  verbs:
-  - get
-  - watch
-  - update
- apiGroups:
-  - ""
-  resources:
-  - endpoints
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - ""
-  resources:
-  - pods
-  - events
-  - persistentvolumeclaims
-  - secrets
-  - services
-  - configmaps
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
- apiGroups:
-  - apps
-  resources:
-  - deployments
-  - statefulsets
-  - daemonsets
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
- apiGroups:
-  - policy
-  resources:
-  - poddisruptionbudgets
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
- apiGroups:
-  - elasticsearch.k8s.elastic.co
-  resources:
-  - elasticsearches
-  - elasticsearches/status
-  - elasticsearches/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
- apiGroups:
-  - autoscaling.k8s.elastic.co
-  resources:
-  - elasticsearchautoscalers
-  - elasticsearchautoscalers/status
-  - elasticsearchautoscalers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
- apiGroups:
-  - kibana.k8s.elastic.co
-  resources:
-  - kibanas
-  - kibanas/status
-  - kibanas/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
- apiGroups:
-  - apm.k8s.elastic.co
-  resources:
-  - apmservers
-  - apmservers/status
-  - apmservers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
- apiGroups:
-  - enterprisesearch.k8s.elastic.co
-  resources:
-  - enterprisesearches
-  - enterprisesearches/status
-  - enterprisesearches/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
- apiGroups:
-  - beat.k8s.elastic.co
-  resources:
-  - beats
-  - beats/status
-  - beats/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
- apiGroups:
-  - agent.k8s.elastic.co
-  resources:
-  - agents
-  - agents/status
-  - agents/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
- apiGroups:
-  - maps.k8s.elastic.co
-  resources:
-  - elasticmapsservers
-  - elasticmapsservers/status
-  - elasticmapsservers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
- apiGroups:
-  - stackconfigpolicy.k8s.elastic.co
-  resources:
-  - stackconfigpolicies
-  - stackconfigpolicies/status
-  - stackconfigpolicies/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
- apiGroups:
-  - logstash.k8s.elastic.co
-  resources:
-  - logstashes
-  - logstashes/status
-  - logstashes/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
- apiGroups:
-  - storage.k8s.io
-  resources:
-  - storageclasses
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - validatingwebhookconfigurations
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - patch
-  - delete
- apiGroups:
-  - ""
-  resources:
-  - nodes
-  verbs:
-  - get
-  - list
-  - watch
---
-# Source: eck-operator/templates/cluster-roles.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: "elastic-operator-view"
-  labels:
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
-rules:
- apiGroups: ["elasticsearch.k8s.elastic.co"]
-  resources: ["elasticsearches"]
-  verbs: ["get", "list", "watch"]
- apiGroups: ["autoscaling.k8s.elastic.co"]
-  resources: ["elasticsearchautoscalers"]
-  verbs: ["get", "list", "watch"]
- apiGroups: ["apm.k8s.elastic.co"]
-  resources: ["apmservers"]
-  verbs: ["get", "list", "watch"]
- apiGroups: ["kibana.k8s.elastic.co"]
-  resources: ["kibanas"]
-  verbs: ["get", "list", "watch"]
- apiGroups: ["enterprisesearch.k8s.elastic.co"]
-  resources: ["enterprisesearches"]
-  verbs: ["get", "list", "watch"]
- apiGroups: ["beat.k8s.elastic.co"]
-  resources: ["beats"]
-  verbs: ["get", "list", "watch"]
- apiGroups: ["agent.k8s.elastic.co"]
-  resources: ["agents"]
-  verbs: ["get", "list", "watch"]
- apiGroups: ["maps.k8s.elastic.co"]
-  resources: ["elasticmapsservers"]
-  verbs: ["get", "list", "watch"]
- apiGroups: ["stackconfigpolicy.k8s.elastic.co"]
-  resources: ["stackconfigpolicies"]
-  verbs: ["get", "list", "watch"]
- apiGroups: ["logstash.k8s.elastic.co"]
-  resources: ["logstashes"]
-  verbs: ["get", "list", "watch"]
---
-# Source: eck-operator/templates/cluster-roles.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: "elastic-operator-edit"
-  labels:
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
-rules:
- apiGroups: ["elasticsearch.k8s.elastic.co"]
-  resources: ["elasticsearches"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["autoscaling.k8s.elastic.co"]
-  resources: ["elasticsearchautoscalers"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["apm.k8s.elastic.co"]
-  resources: ["apmservers"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["kibana.k8s.elastic.co"]
-  resources: ["kibanas"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["enterprisesearch.k8s.elastic.co"]
-  resources: ["enterprisesearches"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["beat.k8s.elastic.co"]
-  resources: ["beats"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["agent.k8s.elastic.co"]
-  resources: ["agents"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["maps.k8s.elastic.co"]
-  resources: ["elasticmapsservers"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["stackconfigpolicy.k8s.elastic.co"]
-  resources: ["stackconfigpolicies"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
- apiGroups: ["logstash.k8s.elastic.co"]
-  resources: ["logstashes"]
-  verbs: ["create", "delete", "deletecollection", "patch", "update"]
---
-# Source: eck-operator/templates/role-bindings.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: elastic-operator
-  labels:
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: elastic-operator
-subjects:
- kind: ServiceAccount
-  name: elastic-operator
-  namespace: elastic-system
---
-# Source: eck-operator/templates/webhook.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: elastic-webhook-server
-  namespace: elastic-system
-  labels:
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
-spec:
-  ports:
-  - name: https
-    port: 443
-    targetPort: 9443
-  selector:
-    control-plane: elastic-operator
---
-# Source: eck-operator/templates/statefulset.yaml
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: elastic-operator
-  namespace: elastic-system
-  labels:
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
-spec:
-  selector:
-    matchLabels:
-      control-plane: elastic-operator
-  serviceName: elastic-operator
-  replicas: 1
-  template:
-    metadata:
-      annotations:
-        # Rename the fields "error" to "error.message" and "source" to "event.source"
-        # This is to avoid a conflict with the ECS "error" and "source" documents.
-        "co.elastic.logs/raw": "[{\"type\":\"container\",\"json.keys_under_root\":true,\"paths\":[\"/var/log/containers/*${data.kubernetes.container.id}.log\"],\"processors\":[{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"error\",\"to\":\"_error\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_error\",\"to\":\"error.message\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"source\",\"to\":\"_source\"}]}},{\"convert\":{\"mode\":\"rename\",\"ignore_missing\":true,\"fields\":[{\"from\":\"_source\",\"to\":\"event.source\"}]}}]}]"
-        "checksum/config": 882102069a9b11c3a4edfd77edcbbf9c3873f3dfc0d3f41676bd953ed4a3ce28
-      labels:
-        control-plane: elastic-operator
-    spec:
-      terminationGracePeriodSeconds: 10
-      serviceAccountName: elastic-operator
-      automountServiceAccountToken: true
-      securityContext:
-        runAsNonRoot: true
-      containers:
-      - image: "docker.elastic.co/eck/eck-operator:2.14.0"
-        imagePullPolicy: IfNotPresent
-        name: manager
-        args:
-        - "manager"
-        - "--config=/conf/eck.yaml"
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-        env:
-        - name: OPERATOR_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-        - name: WEBHOOK_SECRET
-          value: elastic-webhook-server-cert
-        resources:
-          limits:
-            cpu: 1
-            memory: 1Gi
-          requests:
-            cpu: 100m
-            memory: 150Mi
-        ports:
-        - containerPort: 9443
-          name: https-webhook
-          protocol: TCP
-        volumeMounts:
-        - mountPath: "/conf"
-          name: conf
-          readOnly: true
-        - mountPath: /tmp/k8s-webhook-server/serving-certs
-          name: cert
-          readOnly: true
-      volumes:
-      - name: conf
-        configMap:
-          name: elastic-operator
-      - name: cert
-        secret:
-          defaultMode: 420
-          secretName: elastic-webhook-server-cert
---
-# Source: eck-operator/templates/webhook.yaml
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: elastic-webhook.k8s.elastic.co
-  labels:
-    control-plane: elastic-operator
-    app.kubernetes.io/version: "2.14.0"
-webhooks:
- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-agent-k8s-elastic-co-v1alpha1-agent
-  failurePolicy: Ignore
-  name: elastic-agent-validation-v1alpha1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - agent.k8s.elastic.co
-    apiVersions:
-    - v1alpha1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - agents
- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-apm-k8s-elastic-co-v1-apmserver
-  failurePolicy: Ignore
-  name: elastic-apm-validation-v1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - apm.k8s.elastic.co
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - apmservers
- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-apm-k8s-elastic-co-v1beta1-apmserver
-  failurePolicy: Ignore
-  name: elastic-apm-validation-v1beta1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - apm.k8s.elastic.co
-    apiVersions:
-    - v1beta1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - apmservers
- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-beat-k8s-elastic-co-v1beta1-beat
-  failurePolicy: Ignore
-  name: elastic-beat-validation-v1beta1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - beat.k8s.elastic.co
-    apiVersions:
-    - v1beta1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - beats
- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-enterprisesearch-k8s-elastic-co-v1-enterprisesearch
-  failurePolicy: Ignore
-  name: elastic-ent-validation-v1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - enterprisesearch.k8s.elastic.co
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - enterprisesearches
- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-enterprisesearch-k8s-elastic-co-v1beta1-enterprisesearch
-  failurePolicy: Ignore
-  name: elastic-ent-validation-v1beta1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - enterprisesearch.k8s.elastic.co
-    apiVersions:
-    - v1beta1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - enterprisesearches
- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-elasticsearch-k8s-elastic-co-v1-elasticsearch
-  failurePolicy: Ignore
-  name: elastic-es-validation-v1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - elasticsearch.k8s.elastic.co
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - elasticsearches
- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-elasticsearch-k8s-elastic-co-v1beta1-elasticsearch
-  failurePolicy: Ignore
-  name: elastic-es-validation-v1beta1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - elasticsearch.k8s.elastic.co
-    apiVersions:
-    - v1beta1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - elasticsearches
- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-ems-k8s-elastic-co-v1alpha1-mapsservers
-  failurePolicy: Ignore
-  name: elastic-ems-validation-v1alpha1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - maps.k8s.elastic.co
-    apiVersions:
-    - v1alpha1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - mapsservers
- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-kibana-k8s-elastic-co-v1-kibana
-  failurePolicy: Ignore
-  name: elastic-kb-validation-v1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - kibana.k8s.elastic.co
-    apiVersions:
-    - v1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - kibanas
- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-kibana-k8s-elastic-co-v1beta1-kibana
-  failurePolicy: Ignore
-  name: elastic-kb-validation-v1beta1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - kibana.k8s.elastic.co
-    apiVersions:
-    - v1beta1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - kibanas
- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-autoscaling-k8s-elastic-co-v1alpha1-elasticsearchautoscaler
-  failurePolicy: Ignore
-  name: elastic-esa-validation-v1alpha1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - autoscaling.k8s.elastic.co
-    apiVersions:
-    - v1alpha1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - elasticsearchautoscalers
- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-scp-k8s-elastic-co-v1alpha1-stackconfigpolicies
-  failurePolicy: Ignore
-  name: elastic-scp-validation-v1alpha1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - stackconfigpolicy.k8s.elastic.co
-    apiVersions:
-    - v1alpha1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - stackconfigpolicies
- clientConfig:
-    service:
-      name: elastic-webhook-server
-      namespace: elastic-system
-      path: /validate-logstash-k8s-elastic-co-v1alpha1-logstash
-  failurePolicy: Ignore
-  name: elastic-logstash-validation-v1alpha1.k8s.elastic.co
-  matchPolicy: Exact
-  admissionReviewVersions: [v1, v1beta1]
-  sideEffects: None
-  rules:
-  - apiGroups:
-    - logstash.k8s.elastic.co
-    apiVersions:
-    - v1alpha1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - logstashes
-
--- a/gaming-services/minecraft/index.ts
+++ b/gaming-services/minecraft/index.ts
@@ -3,8 +3,8 @@ import { TerraformStack } from "cdktf";
 import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
 import { NamespaceV1 } from "@cdktf/provider-kubernetes/lib/namespace-v1";
 import { OnePasswordSecret } from "../../utils";
-import { TerraFirmaGreg } from "./tfg";
-import { GTNH } from "./gtnh";
+// import { TerraFirmaGreg } from "./tfg";
+// import { GTNH } from "./gtnh";

 export class GamingServices extends TerraformStack {
  constructor(scope: Construct, id: string) {
@@ -29,7 +29,7 @@ export class GamingServices extends TerraformStack {
      itemPath: "vaults/Lab/items/curseforge",
    });

-    new TerraFirmaGreg(this, "tfg", provider, namespace);
-    new GTNH(this, "gtnh", provider, namespace);
+    // new TerraFirmaGreg(this, "tfg", provider, namespace);
+    // new GTNH(this, "gtnh", provider, namespace);
  }
 }
--- a/gaming-services/minecraft/utils/index.ts
+++ b/gaming-services/minecraft/utils/index.ts
@@ -53,7 +53,7 @@ export class MinecraftServer extends Construct {
      },
      waitForRollout: false,
      spec: {
-        replicas: "1",
+        replicas: "0",
        serviceName: name,
        updateStrategy: [
          {
@@ -75,10 +75,6 @@ export class MinecraftServer extends Construct {
          {
            metadata: {
              name: `${name}-data`,
-              labels: {
-                "recurring-job.longhorn.io/source": "enabled",
-                "recurring-job.longhorn.io/daily-backup": "enabled",
-              },
            },
            spec: {
              accessModes: ["ReadWriteOnce"],
--- a/k8s-operators/index.ts
+++ b/k8s-operators/index.ts
@@ -42,5 +42,14 @@ export class K8SOperators extends TerraformStack {
    });

    barman.node.addDependency(cnpg);
+
+    new Release(this, "elasticsearch", {
+      provider: helm,
+      repository: "https://helm.elastic.co",
+      chart: "eck-operator",
+      name: "elasticsearch",
+      namespace: "elastic-system",
+      createNamespace: true,
+    });
  }
 }
--- a/network-security/index.ts
+++ b/network-security/index.ts
@@ -7,6 +7,7 @@ import {
  RateLimitMiddleware,
  IpAllowListMiddleware,
  IpAllowListMiddlewareTCP,
+  TLSOptions,
 } from "./traefik";
 import { ValkeyCluster } from "./valkey";
 import { InternalIngressRoute, PrivateCertificate } from "../utils";
@@ -67,6 +68,11 @@ export class NetworkSecurity extends TerraformStack {
      name: "rate-limit",
    });

+    new TLSOptions(this, "tls-options", {
+      provider: kubernetes,
+      namespace,
+    });
+
    new IpAllowListMiddleware(this, "internal-ip-allow-list", {
      provider: kubernetes,
      namespace,
--- a/network-security/traefik/index.ts
+++ b/network-security/traefik/index.ts
@@ -1,2 +1,3 @@
 export { RateLimitMiddleware } from "./rateLimit";
 export { IpAllowListMiddleware, IpAllowListMiddlewareTCP } from "./ipAllowList";
+export { TLSOptions } from "./tlsOpts";
--- a/network-security/traefik/tlsOpts.ts
+++ b/network-security/traefik/tlsOpts.ts
@@ -0,0 +1,31 @@
+import { Construct } from "constructs";
+import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+
+export class TLSOptions extends Construct {
+  constructor(
+    scope: Construct,
+    id: string,
+    opts: { provider: KubernetesProvider; namespace: string },
+  ) {
+    super(scope, id);
+
+    const { provider, namespace } = opts;
+
+    new Manifest(this, "traefik-tls-options", {
+      provider,
+      manifest: {
+        apiVersion: "traefik.io/v1alpha1",
+        kind: "TLSOption",
+        metadata: {
+          namespace,
+          name: "tls-options",
+        },
+        spec: {
+          minVersion: "VersionTLS13",
+          sniStrict: true,
+        },
+      },
+    });
+  }
+}
--- a/utility-services/gitea/server/index.ts
+++ b/utility-services/gitea/server/index.ts
@@ -79,7 +79,7 @@ export class GiteaServer extends Construct {
      match: "HostSNI(`*`)",
      entryPoint: "ssh",
      serviceName: `${name}-ssh`,
-      servicePort: 22,
+      servicePort: 2222,
    });

    new PublicIngressRoute(this, "http-ingress", {
--- a/utility-services/gitea/server/values.yaml
+++ b/utility-services/gitea/server/values.yaml
@@ -12,6 +12,7 @@ service:
  ssh:
    annotations:
      metallb.universe.tf/allow-shared-ip: gitea
+    port: 2222
 ingress:
  enabled: false
 gitea:
@@ -40,7 +41,7 @@ gitea:
      SSH_DOMAIN: git.dogar.dev
      DISABLE_SSH: false
      SSH_LISTEN_PORT: 2222
-      SSH_PORT: 22
+      SSH_PORT: 2222
    database:
      DB_TYPE: postgres
      HOST: postgres-cluster-rw
--- a/utility-services/index.ts
+++ b/utility-services/index.ts
@@ -8,6 +8,7 @@ import { GiteaRunner, GiteaServer } from "./gitea";
 import { AuthentikServer } from "./authentik";
 import { PostgresCluster } from "./postgres";
 import { DynamicDNS } from "./dynamic-dns";
+import { PublicIngressRoute } from "../utils";

 export class UtilityServices extends TerraformStack {
  constructor(scope: Construct, id: string) {
@@ -71,6 +72,8 @@ export class UtilityServices extends TerraformStack {
        "pip.dogar.dev",
        "npm.dogar.dev",
        "go.dogar.dev",
+        "elastic.dogar.dev",
+        "kibana.dogar.dev",
      ],
    });

@@ -114,5 +117,25 @@ export class UtilityServices extends TerraformStack {
      name: "gitea-runner",
      replicas: 3,
    });
+
+    new PublicIngressRoute(this, "elasticsearch", {
+      provider: kubernetes,
+      namespace: "elastic-system",
+      name: "elasticsearch",
+      host: "elastic.dogar.dev",
+      serviceName: "elasticsearch-es-http",
+      servicePort: 9200,
+      serviceProtocol: "https",
+    });
+
+    new PublicIngressRoute(this, "kibana", {
+      provider: kubernetes,
+      namespace: "elastic-system",
+      name: "kibana",
+      host: "kibana.dogar.dev",
+      serviceName: "kibana-kb-http",
+      servicePort: 5601,
+      serviceProtocol: "https",
+    });
  }
 }
--- a/utils/traefik/ingress/ingress.ts
+++ b/utils/traefik/ingress/ingress.ts
@@ -110,6 +110,10 @@ export class IngressRoute extends Construct {
    if (opts.tlsSecretName) {
      spec.tls = {
        secretName: opts.tlsSecretName,
+        options: {
+          name: "tls-options",
+          namespace: "homelab",
+        },
      };
    }
Author	SHA1	Message	Date
Shahab Dogar	1548b2b29a	fix: Traefik \| remove ingress property from values.yaml	2026-02-04 21:31:10 +05:00
Shahab Dogar	5249c3f7ca	fix: ElasticSearch \| fix invalid pod template	2026-02-04 20:48:51 +05:00
Shahab Dogar	533a1e25ba	feat: Kibana \| add ingress route for kibana	2026-02-04 20:36:48 +05:00
Shahab Dogar	6ad73826d4	fix: Traekfik \| config cleanup	2026-02-04 20:36:38 +05:00
Shahab Dogar	cd5a40162c	feat: ElasticSearch \| add kibana instance	2026-02-04 20:36:21 +05:00
Shahab Dogar	daac7303ec	chore: remove minecraft servers	2026-01-25 14:52:42 +05:00
Shahab Dogar	438ebd06b5	fix: set up elasticsearch cluster	2026-01-25 14:52:28 +05:00
Shahab Dogar	49c16cd73f	fix: force cert manager to use cloudflare	2026-01-25 14:49:54 +05:00
Shahab Dogar	770a62f9e8	Revert "chore: delete elasticsearch" This reverts commit `faa5a74702`.	2026-01-19 22:15:13 +05:00
Shahab Dogar	8e6739a7c3	fix: move operator into elastic-system namespace and add DNS record	2026-01-19 22:09:31 +05:00
Shahab Dogar	65e40c02db	feat: deploy elasticsearch operator	2026-01-19 20:36:03 +05:00
Shahab Dogar	b4dfdd8c18	fix: move ssh port for gitea to 2222	2026-01-16 18:07:43 +05:00
Shahab Dogar	4c1b045bb7	chore: scale minecraft servers to 0	2026-01-16 16:52:33 +05:00
Shahab Dogar	13569f706d	fix: scale down cache servers to 1 instance each	2026-01-05 14:51:31 +05:00
Shahab Dogar	afb071bcbe	Revert "fix: Traefik \| remove custom tls option" This reverts commit `5b76226801`.	2025-12-11 21:03:39 +05:00
Shahab Dogar	8b206f005b	Revert "chore: remove importFrom calls" This reverts commit `9743cd3371`.	2025-12-11 21:03:36 +05:00
Shahab Dogar	9743cd3371	chore: remove importFrom calls	2025-12-11 09:21:46 +05:00
Shahab Dogar	faa5a74702	chore: delete elasticsearch	2025-12-11 09:21:41 +05:00