From d6245860cae09e18a96540b597998a376e80b673 Mon Sep 17 00:00:00 2001
From: shodan
Date: Sat, 28 Mar 2026 13:20:19 +0000
Subject: [PATCH] more apps
---
 app-of-apps/authentik.yaml | 16 ++++++++
 app-of-apps/checkmk.yaml | 16 ++++++++
 app-of-apps/openbao.yaml | 16 ++++++++
 app-of-apps/uptime-kuma.yaml | 16 ++++++++
 authentik/README.md | 39 +++++++++++++++++++
 checkmk/README.md | 18 +++++++++
 homer/configmaps.yaml | 61 ++++++++++++++++++++---------
 ingress-external-devices/ceph.yaml | 62 ++++++++++++++++++++++++++++++
 kaniko/README.md | 21 +++++++++-
 netbox/README.md | 58 +++++++++++++++++++++++++++-
 openbao/README.md | 16 ++++++++
 uptime-kuma/README.md | 16 ++++++++
 12 files changed, 333 insertions(+), 22 deletions(-)
 create mode 100644 app-of-apps/authentik.yaml
 create mode 100644 app-of-apps/checkmk.yaml
 create mode 100644 app-of-apps/openbao.yaml
 create mode 100644 app-of-apps/uptime-kuma.yaml
 create mode 100644 authentik/README.md
 create mode 100644 checkmk/README.md
 create mode 100644 ingress-external-devices/ceph.yaml
 create mode 100644 openbao/README.md
 create mode 100644 uptime-kuma/README.md
diff --git a/app-of-apps/authentik.yaml b/app-of-apps/authentik.yaml
new file mode 100644
index 0000000..592ea06
--- /dev/null
+++ b/app-of-apps/authentik.yaml
@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: authentik
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: authentik
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: authentik
+ repoURL: http://gitea.gitea.svc.k8s.undercloud.local:3000/Undercloud/k8s-apps.git
+ targetRevision: HEAD
\ No newline at end of file
diff --git a/app-of-apps/checkmk.yaml b/app-of-apps/checkmk.yaml
new file mode 100644
index 0000000..0319967
--- /dev/null
+++ b/app-of-apps/checkmk.yaml
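Review bot: `repoURL` fetches the manifests that define the identity provider over cleartext HTTP (`http://gitea.gitea.svc.k8s.undercloud.local:3000/…`), so Argo CD neither authenticates the Gitea endpoint nor gets integrity on that hop — anything able to answer for that Service name inside the cluster can decide what gets applied to the `authentik` namespace. `targetRevision: HEAD` and `project: default` widen this further: HEAD tracks whatever lands on the default branch, and the default AppProject as shipped permits any source repo, any destination and cluster-scoped resources. Consider `repoURL: https://…` (or an SSH URL with a pinned host key) once Gitea terminates TLS, `targetRevision: main` or a tag, and a dedicated AppProject whose `sourceRepos`/`destinations` are limited to this repo and these namespaces. The same three points apply to the checkmk, openbao and uptime-kuma Applications added by this commit.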
@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: ckeckmk
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: ckeckmk
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: ckeckmk
+ repoURL: http://gitea.gitea.svc.k8s.undercloud.local:3000/Undercloud/k8s-apps.git
+ targetRevision: HEAD
\ No newline at end of file
diff --git a/app-of-apps/openbao.yaml b/app-of-apps/openbao.yaml
new file mode 100644
index 0000000..d7c95fc
--- /dev/null
+++ b/app-of-apps/openbao.yaml
@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: openbao
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: openbao
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: openbao
+ repoURL: http://gitea.gitea.svc.k8s.undercloud.local:3000/Undercloud/k8s-apps.git
+ targetRevision: HEAD
\ No newline at end of file
diff --git a/app-of-apps/uptime-kuma.yaml b/app-of-apps/uptime-kuma.yaml
new file mode 100644
index 0000000..0747d95
--- /dev/null
+++ b/app-of-apps/uptime-kuma.yaml
@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: uptime-kuma
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: uptime-kuma
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: uptime-kuma
+ repoURL: http://gitea.gitea.svc.k8s.undercloud.local:3000/Undercloud/k8s-apps.git
+ targetRevision: HEAD
\ No newline at end of file
diff --git a/authentik/README.md b/authentik/README.md
new file mode 100644
index 0000000..1eaf170
--- /dev/null
+++ b/authentik/README.md
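Review bot: The new Application is named `ckeckmk` and points `source.path` at `ckeckmk`, but the directory this commit creates is `checkmk/` (see `checkmk/README.md` in the diffstat), so Argo CD will fail the sync with a missing-path error and, once the path alone is fixed, would still create a stray `ckeckmk` namespace that does not match the `checkmk.apps.undercloud.dev` dashboard entry. Change the three fields to `name: checkmk`, `namespace: checkmk` and `path: checkmk`. This manifest also shares the cleartext `http://` `repoURL`, unpinned `targetRevision: HEAD` and permissive `project: default` of its sibling Applications in this commit, which deserve the same hardening (TLS or SSH source, pinned branch, restricted AppProject).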
@@ -0,0 +1,39 @@
+# 🔐 authentik
+
+## Description
+authentik is a **modern identity provider (IdP) and access management platform** that enables Single Sign-On (SSO), user management, and fine-grained access control for applications.
+It supports OAuth2, OpenID Connect (OIDC), and SAML, and can integrate with existing directories like LDAP.
+
+authentik can also act as a **forward authentication gateway**, allowing protection of applications even if they do not natively support authentication.
+
+## Why authentik (instead of Keycloak)
+authentik was chosen over Keycloak for the following reasons:
+
+- **Better suited for homelab / Kubernetes environments**
+- **Simpler and more intuitive configuration model** (flow-based authentication)
+- **Easier integration with ingress / reverse proxies** (forward auth)
+- Built-in **policy engine** and flexible access rules
+- Lighter operational overhead compared to Keycloak
+- More convenient for protecting apps that **do not support OIDC/SAML**
+
+Keycloak is a powerful enterprise IAM solution, but it introduces more complexity (realms, clients, roles) and is less flexible for reverse-proxy-based access control.
+
+## Website
+https://goauthentik.io
+
+## Kubernetes Notes
+- Requires **persistent storage** (database + media)
+- Typically deployed with:
+ - PostgreSQL (external or bundled)
+ - Redis (for caching / background tasks)
+- Multiple components:
+ - server (API + web UI)
+ - worker (background jobs)
+- Works best with **Ingress + forward auth integration**
+- Configure **outposts** for proxy-based authentication
+- Integrates with LDAP as a **user backend (optional)**
+- Use **OIDC for most applications** instead of LDAP
+- Enable **MFA (2FA)** for improved security
+- Important to configure:
+ - external URL correctly
+ - trusted proxies (when behind ingress)
\ No newline at end of file
diff --git a/checkmk/README.md b/checkmk/README.md
new file mode 100644
index 0000000..4939e4e
--- /dev/null
+++ b/checkmk/README.md
@@ -0,0 +1,18 @@
+# 📊 Checkmk
+
+## Description
+Checkmk is a **comprehensive infrastructure monitoring system** focused on servers, network devices, and hardware.
+It provides agent-based monitoring, SNMP support, alerting, and detailed system insights.
+
+## Website
+https://checkmk.com
+
+## Kubernetes Notes
+- Runs as a **stateful monolithic application**
+- Requires **persistent volume** (`/omd/sites`)
+- Not horizontally scalable → use **1 replica only**
+- Prefer running **outside Kubernetes** (VM or dedicated host)
+- If deployed in K8s:
+ - Disable aggressive restarts (slow startup)
+ - Use **NodePort/Ingress** for web UI
+- Best suited for **external infrastructure monitoring**, not cluster internals
\ No newline at end of file
diff --git a/homer/configmaps.yaml b/homer/configmaps.yaml
index 1b94eb2..8fb3c63 100644
--- a/homer/configmaps.yaml
+++ b/homer/configmaps.yaml
@@ -194,6 +194,12 @@ data:
 tag: "polly"
 keywords: "doodle polly termine appointments"
 url: "https://polly.apps.undercloud.dev"
+ - name: "Authentik"
+ logo: "assets/logos/doodle.png"
+ subtitle: "SSO"
+ tag: "authentik"
+ keywords: "auth sso authentik"
+ url: "https://auth.apps.undercloud.dev"
 - name: "Communication"
 icon: "fas fa-cloud"
@@ -244,6 +250,7 @@ data:
 tag: "netbox"
 keywords: "ip address"
 url: "https://netbox.apps.undercloud.dev"
+
 - name: "Kubernetes"
 icon: "fas fa-cloud"
 items:
@@ -271,6 +278,12 @@ data:
 tag: "harbor"
 keywords: "harbor docker repository"
 url: "https://docker-repo.apps.undercloud.dev"
+ - name: "openbao"
+ logo: "assets/logos/netbox.png"
+ subtitle: "secret management"
+ tag: "openbao"
+ keywords: "secrets openbao"
+ url: "https://openbao.apps.undercloud.dev"
 - name: "Communication Backend"
 icon: "fas fa-cloud"
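Review bot: The new `Authentik` tile reuses Polly's icon (`logo: "assets/logos/doodle.png"`), and the `openbao` tile added further down the same file reuses NetBox's (`logo: "assets/logos/netbox.png"`); both read as copy-paste leftovers from the neighbouring entries. Either add proper assets (e.g. `logo: "assets/logos/authentik.png"`) or drop the `logo:` key so Homer falls back to its default icon, so the SSO and secrets tiles are not visually mislabeled on the dashboard.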
@@ -504,6 +517,18 @@ data:
 # tag: "kibana"
 # keywords: "kibana logging monitoring"
 # url: "https://kibana.apps.undercloud.dev"
+ - name: "checkmk"
+ logo: "assets/logos/netbox.png"
+ subtitle: "IP Address Management"
+ tag: "checkmk"
+ keywords: "checkmk monitoring"
+ url: "https://checkmk.apps.undercloud.dev"
+ - name: "uptime-kuma"
+ logo: "assets/logos/netbox.png"
+ subtitle: "monitoring"
+ tag: "uptime-kuma"
+ keywords: "monitoring uptime kuma"
+ url: "https://uptime-kuma.apps.undercloud.dev"
 - name: "Test"
 icon: "fas fa-cloud"
 items:
@@ -530,25 +555,25 @@ data:
 items:
 - name: "Ceph"
 logo: "assets/logos/cockpit.png"
- subtitle: "Ceph-hyper1"
- tag: "hypervisor"
- keywords: "hyper1 proxmox ceph"
- url: "https://hyper1-ceph.apps.undercloud.dev"
- #target: "_blank" # optional html a tag target attribute
- - name: "Ceph"
- logo: "assets/logos/cockpit.png"
- subtitle: "Ceph-hyper2"
- tag: "hypervisor"
- keywords: "hyper2 proxmox ceph"
- url: "https://hyper2-ceph.apps.undercloud.dev"
- #target: "_blank" # optional html a tag target attribute
- - name: "Ceph"
- logo: "assets/logos/cockpit.png"
- subtitle: "Ceph-hyper3"
- tag: "hypervisor"
- keywords: "hyper3 proxmox ceph"
- url: "https://hyper3-ceph.apps.undercloud.dev"
+ subtitle: "Ceph-Dashboard"
+ tag: "ceph"
+ keywords: "storage proxmox ceph"
+ url: "https://ceph-dashboard.apps.undercloud.dev"
 #target: "_blank" # optional html a tag target attribute
+ #- name: "Ceph"
+ # logo: "assets/logos/cockpit.png"
+ # subtitle: "Ceph-hyper2"
+ # tag: "hypervisor"
+ # keywords: "hyper2 proxmox ceph"
+ # url: "https://hyper2-ceph.apps.undercloud.dev"
+ # #target: "_blank" # optional html a tag target attribute
+ #- name: "Ceph"
+ # logo: "assets/logos/cockpit.png"
+ # subtitle: "Ceph-hyper3"
+ # tag: "hypervisor"
+ # keywords: "hyper3 proxmox ceph"
+ # url: "https://hyper3-ceph.apps.undercloud.dev"
+ # #target: "_blank" # optional html a tag target attribute
 - name: "External Links"
 icon: "fas fa-cloud"
 items:
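Review bot: The `checkmk` entry carries `subtitle: "IP Address Management"`, which is NetBox's description and is wrong for a monitoring server; `subtitle: "Infrastructure Monitoring"` would match the checkmk README added in this commit. Both new tiles also borrow `logo: "assets/logos/netbox.png"`, so the monitoring section will show two NetBox icons — use dedicated assets or omit `logo:` to get Homer's default.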
diff --git a/ingress-external-devices/ceph.yaml b/ingress-external-devices/ceph.yaml
new file mode 100644
index 0000000..3eabcc7
--- /dev/null
+++ b/ingress-external-devices/ceph.yaml
@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: ceph-dashboard
+ namespace: ingress-external
+spec:
+ ports:
+ - name: https
+ port: 8443
+ targetPort: 8443
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: ceph-dashboard
+ namespace: ingress-external
+subsets:
+ - addresses:
+ - ip: fd00:0:0:2::61
+ - ip: fd00:0:0:2::62
+ - ip: fd00:0:0:2::63
+ # optional IPv4 too, but usually one family is enough:
+ # - ip: 10.0.2.61
+ # - ip: 10.0.2.62
+ # - ip: 10.0.2.63
+ ports:
+ - port: 8443
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ceph-dashboard
+ namespace: ingress-external
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ cert-manager.io/cluster-issuer: letsencrypt
+
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+
+ nginx.ingress.kubernetes.io/proxy-ssl-verify: "false"
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+
+ nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout http_500 http_502 http_503 http_504"
+ nginx.ingress.kubernetes.io/proxy-next-upstream-tries: "3"
+spec:
+ tls:
+ - hosts:
+ - ceph-dashboard.apps.undercloud.dev
+ secretName: ceph-dashboard-tls
+ rules:
+ - host: ceph-dashboard.apps.undercloud.dev
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: ceph-dashboard
+ port:
+ number: 8443
\ No newline at end of file
diff --git a/kaniko/README.md b/kaniko/README.md
index 9c6fa7e..5c59477 100644
--- a/kaniko/README.md
+++ b/kaniko/README.md
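Review bot: `nginx.ingress.kubernetes.io/proxy-ssl-verify: "false"` leaves the ingress→mgr leg as TLS without authentication — any host that can answer on `fd00:0:0:2::61`–`::63` (or steer the route) can sit in the middle of a storage-admin session — and, as far as I can tell, ingress-nginx only honours the `proxy-ssl-*` annotations when `proxy-ssl-secret` is present and only accepts `on`/`off`, so as written the line is a no-op that documents the unverified state rather than a deliberate choice. Put the dashboard CA (or its self-signed certificate) in a Secret in `ingress-external` and turn verification on with `proxy-ssl-secret`, `proxy-ssl-verify: "on"` and a `proxy-ssl-name` matching the mgr certificate's SAN. The Ingress also publishes a cluster-admin UI on a public-CA hostname with no access control at the edge; since this commit introduces authentik, front it with `auth-url`/`auth-signin` per the authentik nginx-ingress integration (or at minimum a `whitelist-source-range`). Two smaller points: `kubernetes.io/ingress.class` is the deprecated annotation form of `spec.ingressClassName`, and only the active mgr serves the dashboard — standby mgrs reply with a redirect to their own address unless `mgr/dashboard/standby_behaviour` is set to `error`, which the `http_500` entry in `proxy-next-upstream` may be relying on, so a comment recording that assumption next to the three Endpoints would help the next reader.

```yaml
  annotations:
    # … unchanged: ingress.class, cluster-issuer, ssl-redirect, backend-protocol, timeouts, proxy-next-upstream …
    # Verify the mgr certificate instead of accepting anything on the storage network;
    # the Secret must carry the dashboard CA as ca.crt.
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "ingress-external/ceph-dashboard-ca"
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-name: "<SAN of the mgr dashboard certificate>"
    # Gate the storage admin UI behind authentik forward-auth
    # (outpost Service name depends on how authentik is deployed).
    nginx.ingress.kubernetes.io/auth-url: "http://<authentik-outpost-service>.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx"
    nginx.ingress.kubernetes.io/auth-signin: "https://auth.apps.undercloud.dev/outpost.goauthentik.io/start?rd=$escaped_request_uri"
```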
@@ -1,2 +1,19 @@
-# Kaniko
-## Kaniko can be used to automate docker image creation
\ No newline at end of file
+# 🏗️ Kaniko
+
+## Description
+Kaniko is a **container image builder designed to run inside containers and Kubernetes**.
+It allows building Docker images **without requiring a Docker daemon**, making it ideal for secure, cloud-native environments.
+
+Kaniko executes Dockerfile instructions in userspace and pushes the resulting image directly to a container registry.
+
+## Website
+https://github.com/GoogleContainerTools/kaniko
+
+## Kubernetes Notes
+- Does **not require privileged containers** (unlike Docker-in-Docker)
+- Typically runs as:
+ - Kubernetes Job
+ - CI/CD pipeline step (e.g. ArgoCD, GitLab CI)
+- Requires access to:
+ - build context (Git repo, PVC, or object storage)
+ - container registry (push credentials)
diff --git a/netbox/README.md b/netbox/README.md
index a247b36..ade3b6b 100644
--- a/netbox/README.md
+++ b/netbox/README.md
@@ -1,2 +1,56 @@
-# Netbox
-## Ip Address Management
\ No newline at end of file
+# 📦 NetBox
+
+## Description
+NetBox is a **network source of truth and IP address management (IPAM/DCIM) platform**.
+It is used to model and document networks, including IP address space, VLANs, devices, racks, and connections.
+
+NetBox provides a clean web UI and API to manage infrastructure data and is often used as the **central inventory system** for network and infrastructure automation.
+
+## Website
+https://netbox.dev
+
+## Kubernetes Notes
+- Requires **persistent storage** for:
+ - database (PostgreSQL)
+ - media files (uploads, reports, scripts)
+- Requires:
+ - PostgreSQL database
+ - Redis (cache + background jobs)
+- Multiple components:
+ - web (Django app)
+ - worker (background jobs / rq)
+- Needs proper **initialization (migrations + superuser)**
+- Can be exposed via **Ingress with TLS**
+- Environment variables are critical for configuration
+- Use **readiness/liveness probes carefully** (startup can take time)
+- Not horizontally scalable without careful tuning
+
+---
+
+## 🔌 Custom Container with Plugins
+
+The official NetBox image does not include additional plugins by default.
+To support required functionality, we **build a custom container image** with the desired plugins pre-installed.
+
+### Why
+- Ensure **reproducible deployments**
+- Avoid installing plugins at runtime
+- Keep NetBox instances **immutable and version-controlled**
+- Simplify upgrades and rollbacks
+
+### How it works
+We extend the official NetBox image and install plugins during build time.
+
+Example:
+
+```Dockerfile
+FROM ghcr.io/netbox-community/netbox:latest
+
+USER root
+
+# Install plugins
+RUN pip install \
+ netbox-topology-views \
+ netbox-plugin-dns
+
+USER netbox
\ No newline at end of file
diff --git a/openbao/README.md b/openbao/README.md
new file mode 100644
index 0000000..246c258
--- /dev/null
+++ b/openbao/README.md
@@ -0,0 +1,16 @@
+# 🔐 OpenBao
+
+## Description
+OpenBao is a **centralized secrets management system** designed to securely store, manage, and distribute sensitive data such as passwords, API keys, and certificates.
+It provides dynamic secrets, encryption-as-a-service, and fine-grained access control.
+
+## Website
+https://openbao.org
+
+## Kubernetes Notes
+- Requires **persistent storage** (data loss = secrets loss)
+- Use **Kubernetes auth method** for pod access (service account tokens)
+- Seal/unseal mechanism must be handled (auto-unseal recommended for production)
+- Avoid storing root tokens in manifests → use external secret bootstrap
+- Typically deployed via **Helm chart**
+- Network policies recommended (restrict access to API)
\ No newline at end of file
diff --git a/uptime-kuma/README.md b/uptime-kuma/README.md
new file mode 100644
index 0000000..b4ada1a
--- /dev/null
+++ b/uptime-kuma/README.md
@@ -0,0 +1,16 @@
+# ⏱️ Uptime Kuma
+
+## Description
+Uptime Kuma is a **self-hosted monitoring tool** for tracking service availability via HTTP, TCP, ping, and more.
+It provides a clean UI, alerting, and optional public status pages.
+
+## Website
+https://uptimekuma.org
+
+## Kubernetes Notes
+- Lightweight and easy to containerize
+- Requires **persistent storage** for history and configuration
+- Single instance recommended (no clustering)
+- Works well behind **Ingress with TLS**
+- Can monitor both **internal cluster services and external endpoints**
+- Complements Prometheus/Grafana rather than replacing them
\ No newline at end of file