From d4644d6bbf770af0807869ad5ed2940ef113adf2 Mon Sep 17 00:00:00 2001
From: Philip Haupt <“der.mad.mob@gmail.com”>
Date: Mon, 20 Oct 2025 00:22:59 +0200
Subject: [PATCH] netbox initial
---
 netbox/kustomization.yaml | 6 +
 netbox/main.yaml | 991 ++++++++++++++++++++++++++++++++++
 netbox/src/kustomization.yaml | 20 +
 netbox/src/values-cnpg.yaml | 503 +++++++++++++++++
 netbox/src/values.yaml | 42 +-
 5 files changed, 1541 insertions(+), 21 deletions(-)
 create mode 100644 netbox/kustomization.yaml
 create mode 100644 netbox/main.yaml
 create mode 100644 netbox/src/kustomization.yaml
 create mode 100644 netbox/src/values-cnpg.yaml
diff --git a/netbox/kustomization.yaml b/netbox/kustomization.yaml
new file mode 100644
index 0000000..b1d20b0
--- /dev/null
+++ b/netbox/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - main.yaml
diff --git a/netbox/main.yaml b/netbox/main.yaml
new file mode 100644
index 0000000..af56eed
--- /dev/null
+++ b/netbox/main.yaml
@@ -0,0 +1,991 @@ +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: netbox + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: netbox + app.kubernetes.io/version: v4.4.4 + helm.sh/chart: netbox-7.1.11 + name: netbox + namespace: netbox +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: netbox + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: netbox + app.kubernetes.io/version: v4.4.4 + helm.sh/chart: netbox-7.1.11 + name: netbox + namespace: netbox +rules: +- apiGroups: + - apps + resources: + - statefulsets + - deployments + - replicasets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: netbox + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: netbox + app.kubernetes.io/version: v4.4.4 + helm.sh/chart: netbox-7.1.11 + name: netbox + namespace: netbox +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: netbox +subjects: +- kind: ServiceAccount + name: netbox + namespace: netbox +--- +apiVersion: v1 +data: + configuration.py: |2- + + """ + This file serves as a base configuration for Netbox + https://netboxlabs.com/docs/netbox/en/stable/configuration/ + """ + + import os + import re + from pathlib import Path + + import yaml + + + def _deep_merge(source, destination): + """Inspired by https://stackoverflow.com/a/20666342""" + for key, value in source.items(): + dst_value = destination.get(key) + + if isinstance(value, dict) and isinstance(dst_value, dict): + _deep_merge(value, dst_value) + else: + destination[key] = value + + return destination + + + def _load_yaml() -> None: + """Load YAML from files""" + extra_config_base = Path("/run/config/extra") + config_files = [Path("/run/config/netbox/netbox.yaml")] + + config_files.extend(sorted(extra_config_base.glob("*/*.yaml"))) + + 
for config_file in config_files: + with open(config_file, "r", encoding="utf-8") as f: + config = yaml.safe_load(f) + _deep_merge(config, globals()) + + + def _read_secret(secret_name: str, secret_key: str, default: str | None = None) -> str | None: + """Read secret from file""" + try: + secret = open( + f"/run/secrets/{secret_name}/{secret_key}", + "r", + encoding="utf-8", + ) + except EnvironmentError: + return default + with secret: + return secret.readline().strip() + + + CORS_ORIGIN_REGEX_WHITELIST = [] + DATABASES = {} + EMAIL = {} + REDIS = {} + + _load_yaml() + + provided_secret_name = os.getenv("SECRET_NAME", "netbox") + + DATABASES["default"]["PASSWORD"] = _read_secret(provided_secret_name, "db_password") + EMAIL["PASSWORD"] = _read_secret(provided_secret_name, "email_password") + REDIS["tasks"]["PASSWORD"] = _read_secret(provided_secret_name, "tasks_password") + REDIS["caching"]["PASSWORD"] = _read_secret(provided_secret_name, "cache_password") + SECRET_KEY = _read_secret(provided_secret_name, "secret_key") + + # Post-process certain values + CORS_ORIGIN_REGEX_WHITELIST = [re.compile(r) for r in CORS_ORIGIN_REGEX_WHITELIST] + if "SENTINELS" in REDIS["tasks"]: + REDIS["tasks"]["SENTINELS"] = [tuple(x.split(r":")) for x in REDIS["tasks"]["SENTINELS"]] + if "SENTINELS" in REDIS["caching"]: + REDIS["caching"]["SENTINELS"] = [tuple(x.split(r":")) for x in REDIS["caching"]["SENTINELS"]] + if ALLOWED_HOSTS_INCLUDES_POD_ID: + ALLOWED_HOSTS.append(os.getenv("POD_IP")) + netbox.yaml: |- + ALLOWED_HOSTS: ["*"] + ALLOWED_HOSTS_INCLUDES_POD_ID: true + + DATABASES: + default: + HOST: "cnpg-netbox-cluster-rw" + USER: "netbox" + NAME: "netbox" + PORT: 5432 + ENGINE: "django.db.backends.postgresql" + OPTIONS: + sslmode: prefer + target_session_attrs: read-write + CONN_MAX_AGE: 300 + DISABLE_SERVER_SIDE_CURSORS: false + + ADMINS: [] + ALLOW_TOKEN_RETRIEVAL: false + AUTH_PASSWORD_VALIDATORS: [] + ALLOWED_URL_SCHEMES: 
["file","ftp","ftps","http","https","irc","mailto","sftp","ssh","tel","telnet","tftp","vnc","xmpp"] + BANNER_TOP: "" + BANNER_BOTTOM: "" + BANNER_LOGIN: "" + BASE_PATH: "" + CHANGELOG_RETENTION: 90 + CUSTOM_VALIDATORS: {} + DEFAULT_USER_PREFERENCES: {} + CORS_ORIGIN_ALLOW_ALL: false + CORS_ORIGIN_WHITELIST: [] + CORS_ORIGIN_REGEX_WHITELIST: [] + CSRF_TRUSTED_ORIGINS: [] + DATA_UPLOAD_MAX_MEMORY_SIZE: 2621440 + DEBUG: false + DEFAULT_LANGUAGE: "en-us" + + EMAIL: + SERVER: "localhost" + PORT: 25 + USERNAME: "" + USE_SSL: false + USE_TLS: false + SSL_CERTFILE: "" + SSL_KEYFILE: "" + TIMEOUT: 10 + FROM_EMAIL: "" + + ENFORCE_GLOBAL_UNIQUE: true + EXEMPT_VIEW_PERMISSIONS: [] + FIELD_CHOICES: {} + FILE_UPLOAD_MAX_MEMORY_SIZE: 2621440 + GRAPHQL_ENABLED: true + HTTP_PROXIES: {} + INTERNAL_IPS: ["127.0.0.1","::1"] + JOB_RETENTION: 90 + LOGGING: {} + LOGIN_PERSISTENCE: false + LOGIN_REQUIRED: false + LOGIN_TIMEOUT: 1209600 + LOGOUT_REDIRECT_URL: "home" + MAINTENANCE_MODE: false + MAPS_URL: "https://maps.google.com/?q=" + MAX_PAGE_SIZE: 1000 + MEDIA_ROOT: /opt/netbox/netbox/media + STORAGES: {} + METRICS_ENABLED: false + PAGINATE_COUNT: 50 + PLUGINS: [] + PLUGINS_CONFIG: {} + POWERFEED_DEFAULT_AMPERAGE: 15 + POWERFEED_DEFAULT_MAX_UTILIZATION: 80 + POWERFEED_DEFAULT_VOLTAGE: 120 + PREFER_IPV4: false + RACK_ELEVATION_DEFAULT_UNIT_HEIGHT: 22 + RACK_ELEVATION_DEFAULT_UNIT_WIDTH: 220 + REMOTE_AUTH_ENABLED: false + REMOTE_AUTH_BACKEND: ["netbox.authentication.RemoteUserBackend"] + REMOTE_AUTH_HEADER: "HTTP_REMOTE_USER" + REMOTE_AUTH_USER_FIRST_NAME: "HTTP_REMOTE_USER_FIRST_NAME" + REMOTE_AUTH_USER_LAST_NAME: "HTTP_REMOTE_USER_LAST_NAME" + REMOTE_AUTH_USER_EMAIL: "HTTP_REMOTE_USER_EMAIL" + REMOTE_AUTH_AUTO_CREATE_USER: false + REMOTE_AUTH_AUTO_CREATE_GROUPS: false + REMOTE_AUTH_DEFAULT_GROUPS: [] + REMOTE_AUTH_DEFAULT_PERMISSIONS: {} + REMOTE_AUTH_GROUP_SYNC_ENABLED: false + REMOTE_AUTH_GROUP_HEADER: "HTTP_REMOTE_USER_GROUP" + REMOTE_AUTH_SUPERUSER_GROUPS: [] + 
REMOTE_AUTH_SUPERUSERS: [] + REMOTE_AUTH_STAFF_GROUPS: [] + REMOTE_AUTH_STAFF_USERS: [] + REMOTE_AUTH_GROUP_SEPARATOR: "|" + RELEASE_CHECK_URL: "" + + REDIS: + tasks: + HOST: "valkey.valkey.svc.cluster.local" + PORT: 6379 + USERNAME: "" + DATABASE: 3 + SSL: false + INSECURE_SKIP_TLS_VERIFY: false + CA_CERT_PATH: "" + caching: + HOST: "valkey.valkey.svc.cluster.local" + PORT: 6379 + USERNAME: "" + DATABASE: 4 + SSL: false + INSECURE_SKIP_TLS_VERIFY: false + CA_CERT_PATH: "" + + REPORTS_ROOT: /opt/netbox/netbox/reports + RQ_DEFAULT_TIMEOUT: 300 + SCRIPTS_ROOT: /opt/netbox/netbox/scripts + CSRF_COOKIE_NAME: "csrftoken" + SESSION_COOKIE_NAME: sessionid + ENABLE_LOCALIZATION: false + TIME_ZONE: "UTC" + DATE_FORMAT: "N j, Y" + SHORT_DATE_FORMAT: "Y-m-d" + TIME_FORMAT: "g:i a" + SHORT_TIME_FORMAT: "H:i:s" + DATETIME_FORMAT: "N j, Y g:i a" + SHORT_DATETIME_FORMAT: "Y-m-d H:i" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: netbox + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: netbox + app.kubernetes.io/version: v4.4.4 + helm.sh/chart: netbox-7.1.11 + name: netbox + namespace: netbox +--- +apiVersion: v1 +data: + email_password: "" + secret_key: Ym9JSkxAeXJYcW1YakxuMCIhK3JaclJqIScpM2RtS2kxTD4+VlIqXlg6OVtVMDQ9M2lrXHZLNWhbdDU3 +kind: Secret +metadata: + labels: + app.kubernetes.io/instance: netbox + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: netbox + app.kubernetes.io/version: v4.4.4 + helm.sh/chart: netbox-7.1.11 + name: netbox-config + namespace: netbox +type: Opaque +--- +apiVersion: v1 +data: + cache_password: "" + tasks_password: Ymx1YmJlcg== +kind: Secret +metadata: + labels: + app.kubernetes.io/instance: netbox + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: netbox + app.kubernetes.io/version: v4.4.4 + helm.sh/chart: netbox-7.1.11 + name: netbox-kv + namespace: netbox +type: Opaque +--- +apiVersion: v1 +data: + api_token: YjcwNzI5MGMtYmE3MC00MmMzLTg2MWYtMzUyMzU5YzIyNzc5 + email: 
YWRtaW5AZXhhbXBsZS5jb20= + password: a0FCT2JxUTFJUA== + username: YWRtaW4= +kind: Secret +metadata: + labels: + app.kubernetes.io/instance: netbox + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: netbox + app.kubernetes.io/version: v4.4.4 + helm.sh/chart: netbox-7.1.11 + name: netbox-superuser + namespace: netbox +type: kubernetes.io/basic-auth +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: netbox + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: netbox + app.kubernetes.io/version: v4.4.4 + helm.sh/chart: netbox-7.1.11 + name: netbox + namespace: netbox +spec: + ports: + - name: http + nodePort: null + port: 80 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/component: netbox + app.kubernetes.io/instance: netbox + app.kubernetes.io/name: netbox + sessionAffinity: None + type: ClusterIP +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + labels: + app.kubernetes.io/instance: netbox + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: netbox + app.kubernetes.io/version: v4.4.4 + helm.sh/chart: netbox-7.1.11 + name: netbox-media + namespace: netbox +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: openebs-3-replicas +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: netbox + app.kubernetes.io/instance: netbox + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: netbox + app.kubernetes.io/version: v4.4.4 + helm.sh/chart: netbox-7.1.11 + name: netbox + namespace: netbox +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: netbox + app.kubernetes.io/instance: netbox + app.kubernetes.io/name: netbox + strategy: + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: 700ca816c994c518b5ab4d10edb328a359017172480d4199d5860a4713b4c091 + checksum/secret: 
ac76943039914a3d7a2e7234a2fed36ba39dd6f42d379734eb6a6bc5a448944a + labels: + app.kubernetes.io/component: netbox + app.kubernetes.io/instance: netbox + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: netbox + app.kubernetes.io/version: v4.4.4 + helm.sh/chart: netbox-7.1.11 + spec: + automountServiceAccountToken: false + containers: + - env: + - name: SUPERUSER_NAME + valueFrom: + secretKeyRef: + key: username + name: netbox-superuser + - name: SUPERUSER_EMAIL + valueFrom: + secretKeyRef: + key: email + name: netbox-superuser + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + image: ghcr.io/netbox-community/netbox:v4.4.4 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status/applications/netbox/processes/running + port: nginx-status + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: netbox + ports: + - containerPort: 8080 + name: http + protocol: TCP + - containerPort: 8081 + name: nginx-status + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /login/ + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 750m + ephemeral-storage: 2Gi + memory: 1536Mi + requests: + cpu: 500m + ephemeral-storage: 50Mi + memory: 1024Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 100 + httpGet: + path: /login/ + port: http + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - mountPath: /etc/netbox/config/configuration.py + name: config + readOnly: true + subPath: configuration.py + - mountPath: /run/config/netbox + name: config + readOnly: true + - 
mountPath: /run/secrets/netbox + name: secrets + readOnly: true + - mountPath: /tmp + name: netbox-tmp + - mountPath: /opt/netbox/netbox/media + name: media + subPath: "" + - mountPath: /opt/unit + name: optunit + - mountPath: /run/secrets/superuser_password + name: secrets + readOnly: true + subPath: superuser_password + - mountPath: /run/secrets/superuser_api_token + name: secrets + readOnly: true + subPath: superuser_api_token + initContainers: + - command: + - /bin/sh + - -c + - mkdir -p /opt/unit/state /opt/unit/tmp + image: docker.io/busybox:1.37.0 + imagePullPolicy: IfNotPresent + name: init-dirs + resources: + limits: + cpu: 150m + ephemeral-storage: 2Gi + memory: 192Mi + requests: + cpu: 100m + ephemeral-storage: 50Mi + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /opt/unit + name: optunit + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: Always + supplementalGroups: [] + sysctls: [] + serviceAccountName: netbox + volumes: + - configMap: + name: netbox + name: config + - name: secrets + projected: + sources: + - secret: + items: + - key: secret_key + path: secret_key + name: netbox-config + - secret: + items: + - key: email_password + path: email_password + name: netbox-config + - secret: + items: + - key: password + path: superuser_password + - key: api_token + path: superuser_api_token + name: netbox-superuser + - secret: + items: + - key: password + path: db_password + name: cnpg-netbox-cluster-app + - secret: + items: + - key: tasks_password + path: tasks_password + name: netbox-kv + - secret: + items: + - key: cache_password + path: cache_password + name: netbox-kv + - emptyDir: + medium: Memory + name: netbox-tmp + - emptyDir: + medium: Memory + name: optunit + - name: media + persistentVolumeClaim: + 
claimName: netbox-media +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: worker + app.kubernetes.io/instance: netbox + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: netbox + app.kubernetes.io/version: v4.4.4 + helm.sh/chart: netbox-7.1.11 + name: netbox-worker + namespace: netbox +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: worker + app.kubernetes.io/instance: netbox + app.kubernetes.io/name: netbox + strategy: + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: b6611b66943044288475e05c9f4bf368a95203cd197dda8a35d9ed7498ac56b9 + checksum/secret: d20d6403cee6e39c20d0033c4fe21c5311f96719861582c79d7030e48bf17e41 + labels: + app.kubernetes.io/component: worker + app.kubernetes.io/instance: netbox + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: netbox + app.kubernetes.io/version: v4.4.4 + helm.sh/chart: netbox-7.1.11 + spec: + automountServiceAccountToken: true + containers: + - command: + - /opt/netbox/venv/bin/python + - /opt/netbox/netbox/manage.py + - rqworker + image: ghcr.io/netbox-community/netbox:v4.4.4 + imagePullPolicy: IfNotPresent + name: netbox-worker + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/netbox/config/configuration.py + name: config + readOnly: true + subPath: configuration.py + - mountPath: /run/config/netbox + name: config + readOnly: true + - mountPath: /run/secrets/netbox + name: secrets + readOnly: true + - mountPath: /tmp + name: netbox-tmp + - mountPath: /opt/netbox/netbox/media + name: media + readOnly: false + subPath: "" + initContainers: + - args: + - rollout + - status + - deployment + - $(DEPLOYMENT_NAME) + command: + - /bin/kubectl 
+ env: + - name: DEPLOYMENT_NAME + value: netbox + image: docker.io/rancher/kubectl:v1.34.1 + imagePullPolicy: IfNotPresent + name: wait-for-backend + resources: + limits: + cpu: 150m + ephemeral-storage: 2Gi + memory: 192Mi + requests: + cpu: 100m + ephemeral-storage: 50Mi + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: Always + supplementalGroups: [] + sysctls: [] + serviceAccountName: netbox + volumes: + - configMap: + name: netbox + name: config + - name: secrets + projected: + sources: + - secret: + items: + - key: secret_key + path: secret_key + name: netbox-config + - secret: + items: + - key: email_password + path: email_password + name: netbox-config + - secret: + items: + - key: password + path: superuser_password + - key: api_token + path: superuser_api_token + name: netbox-superuser + - secret: + items: + - key: password + path: db_password + name: cnpg-netbox-cluster-app + - secret: + items: + - key: tasks_password + path: tasks_password + name: netbox-kv + - secret: + items: + - key: cache_password + path: cache_password + name: netbox-kv + - emptyDir: + medium: Memory + name: netbox-tmp + - name: media + persistentVolumeClaim: + claimName: netbox-media + readOnly: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + labels: + app.kubernetes.io/component: housekeeping + app.kubernetes.io/instance: netbox + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: netbox + app.kubernetes.io/version: v4.4.4 + helm.sh/chart: netbox-7.1.11 + name: netbox-housekeeping + namespace: netbox +spec: + concurrencyPolicy: Forbid + failedJobsHistoryLimit: 5 + jobTemplate: + metadata: + labels: + app.kubernetes.io/instance: netbox + app.kubernetes.io/managed-by: Helm + 
app.kubernetes.io/name: netbox + app.kubernetes.io/version: v4.4.4 + helm.sh/chart: netbox-7.1.11 + spec: + template: + metadata: + labels: + app.kubernetes.io/component: housekeeping + app.kubernetes.io/instance: netbox + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: netbox + app.kubernetes.io/version: v4.4.4 + helm.sh/chart: netbox-7.1.11 + spec: + automountServiceAccountToken: false + containers: + - command: + - /opt/netbox/venv/bin/python + - /opt/netbox/netbox/manage.py + - housekeeping + image: ghcr.io/netbox-community/netbox:v4.4.4 + imagePullPolicy: IfNotPresent + name: netbox-housekeeping + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/netbox/config/configuration.py + name: config + readOnly: true + subPath: configuration.py + - mountPath: /run/config/netbox + name: config + readOnly: true + - mountPath: /run/secrets/netbox + name: secrets + readOnly: true + - mountPath: /tmp + name: netbox-tmp + - mountPath: /opt/netbox/netbox/media + name: media + readOnly: false + subPath: "" + restartPolicy: OnFailure + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: Always + supplementalGroups: [] + sysctls: [] + serviceAccountName: netbox + volumes: + - configMap: + name: netbox + name: config + - name: secrets + projected: + sources: + - secret: + items: + - key: secret_key + path: secret_key + name: netbox-config + - secret: + items: + - key: email_password + path: email_password + name: netbox-config + - secret: + items: + - key: password + path: db_password + name: cnpg-netbox-cluster-app + - secret: + items: + - key: tasks_password + path: tasks_password + name: netbox-kv + - secret: + items: + - key: cache_password + path: cache_password + name: netbox-kv + - emptyDir: + medium: Memory + name: 
netbox-tmp + - name: media + persistentVolumeClaim: + claimName: netbox-media + readOnly: false + schedule: 0 0 * * * + successfulJobsHistoryLimit: 5 + suspend: false +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + app.kubernetes.io/component: database-ping-test + name: cnpg-netbox-cluster-ping-test + namespace: netbox +spec: + template: + metadata: + labels: + app.kubernetes.io/component: database-ping-test + name: cnpg-netbox-cluster-ping-test + spec: + containers: + - args: + - -c + - apk add postgresql-client && psql "postgresql://$PGUSER:$PGPASS@cnpg-netbox-cluster-rw.netbox.svc.cluster.local:5432/${PGDBNAME:-$PGUSER}" + -c 'SELECT 1' + command: + - sh + env: + - name: PGUSER + valueFrom: + secretKeyRef: + key: username + name: cnpg-netbox-cluster-app + - name: PGPASS + valueFrom: + secretKeyRef: + key: password + name: cnpg-netbox-cluster-app + - name: PGDBNAME + valueFrom: + secretKeyRef: + key: dbname + name: cnpg-netbox-cluster-app + optional: true + image: alpine:3.17 + name: alpine + restartPolicy: Never +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + labels: + app.kubernetes.io/instance: cnpg-netbox + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cluster + app.kubernetes.io/part-of: cloudnative-pg + helm.sh/chart: cluster-0.3.1 + name: cnpg-netbox-cluster + namespace: netbox +spec: + affinity: + topologyKey: kubernetes.io/hostname + bootstrap: + initdb: + database: netbox + owner: netbox + enablePDB: true + enableSuperuserAccess: true + imageName: ghcr.io/cloudnative-pg/postgresql:17 + imagePullPolicy: IfNotPresent + instances: 3 + logLevel: info + monitoring: + disableDefaultQueries: false + enablePodMonitor: false + postgresGID: 26 + postgresUID: 26 + postgresql: null + primaryUpdateMethod: switchover + primaryUpdateStrategy: unsupervised + storage: + size: 10Gi + storageClass: openebs-hostpath + 
walStorage: + size: 1Gi + storageClass: openebs-hostpath +--- +apiVersion: v1 +kind: Pod +metadata: + annotations: + helm.sh/hook: test + labels: + app.kubernetes.io/instance: netbox + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: netbox + app.kubernetes.io/version: v4.4.4 + helm.sh/chart: netbox-7.1.11 + name: netbox-test-connection +spec: + containers: + - args: + - netbox:80 + command: + - wget + image: busybox:1.37.0 + imagePullPolicy: IfNotPresent + name: wget + resources: + limits: + cpu: 150m + ephemeral-storage: 2Gi + memory: 192Mi + requests: + cpu: 100m + ephemeral-storage: 50Mi + memory: 128Mi + restartPolicy: Never diff --git a/netbox/src/kustomization.yaml b/netbox/src/kustomization.yaml new file mode 100644 index 0000000..c6e45c9 --- /dev/null +++ b/netbox/src/kustomization.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +helmCharts: + - name: netbox + repo: https://charts.netbox.oss.netboxlabs.com/ + version: 7.1.11 + releaseName: netbox + includeCRDs: true + namespace: netbox + valuesFile: values.yaml + + - name: cluster + repo: https://cloudnative-pg.github.io/charts + version: 0.3.1 + releaseName: cnpg-netbox + includeCRDs: true + namespace: netbox + valuesFile: values-cnpg.yaml diff --git a/netbox/src/values-cnpg.yaml b/netbox/src/values-cnpg.yaml new file mode 100644 index 0000000..ed94313 --- /dev/null +++ b/netbox/src/values-cnpg.yaml 
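Review bot: The three `kind: Secret` documents added in netbox/main.yaml (`netbox-config`, `netbox-kv` and `netbox-superuser`) put what look like real credential values into the repository: `secret_key`, `tasks_password`, and the superuser `password` and `api_token` are only base64-encoded, so anyone who can read the repo or its history can recover them. If these are the values actually deployed, they should be treated as exposed and rotated. The manifest should stop carrying them and instead reference Secrets created out of band (SOPS-encrypted files, Sealed Secrets or an external-secrets operator, for example), the same way `db_password` is already projected from the operator-managed `cnpg-netbox-cluster-app`. Because main.yaml is rendered from the charts under netbox/src, the change presumably belongs in values.yaml, whose hunk is not visible here, followed by a re-render so these documents disappear from the output.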
@@ -0,0 +1,503 @@ +# -- Override the name of the chart +nameOverride: "" +# -- Override the full name of the chart +fullnameOverride: "" +# -- Override the namespace of the chart +namespaceOverride: "" + +### +# -- Type of the CNPG database. Available types: +# * `postgresql` +# * `postgis` +# * `timescaledb` +type: postgresql + +version: + # -- PostgreSQL major version to use + postgresql: "17" + # -- If using TimescaleDB, specify the version + timescaledb: "2.15" + # -- If using PostGIS, specify the version + postgis: "3.4" + +### +# -- Cluster mode of operation. Available modes: +# * `standalone` - default mode. Creates new or updates an existing CNPG cluster. +# * `replica` - Creates a replica cluster from an existing CNPG cluster. # TODO +# * `recovery` - Same as standalone but creates a cluster from a backup, object store or via pg_basebackup. +mode: standalone + +recovery: + ## + # -- Available recovery methods: + # * `backup` - Recovers a CNPG cluster from a CNPG backup (PITR supported) Needs to be on the same cluster in the same namespace. + # * `object_store` - Recovers a CNPG cluster from a barman object store (PITR supported). + # * `pg_basebackup` - Recovers a CNPG cluster viaa streaming replication protocol. Useful if you want to + # migrate databases to CloudNativePG, even from outside Kubernetes. + # * `import` - Import one or more databases from an existing Postgres cluster. + method: backup + + ## -- Point in time recovery target. Specify one of the following: + pitrTarget: + # -- Time in RFC3339 format + time: "" + + ## + # -- Backup Recovery Method + backupName: "" # Name of the backup to recover from. Required if method is `backup`. + + ## + # -- The original cluster name when used in backups. Also known as serverName. + clusterName: "" + # -- Name of the database used by the application. Default: `app`. + database: app + # -- Name of the owner of the database in the instance to be used by applications. 
Defaults to the value of the `database` key. + owner: "" + # -- Overrides the provider specific default endpoint. Defaults to: + # S3: https://s3..amazonaws.com" + # Leave empty if using the default S3 endpoint + endpointURL: "" + # -- Specifies a CA bundle to validate a privately signed certificate. + endpointCA: + # -- Creates a secret with the given value if true, otherwise uses an existing secret. + create: false + name: "" + key: "" + value: "" + # -- Overrides the provider specific default path. Defaults to: + # S3: s3:// + # Azure: https://..core.windows.net/ + # Google: gs:// + destinationPath: "" + # -- One of `s3`, `azure` or `google` + provider: s3 + s3: + region: "" + bucket: "" + path: "/" + accessKey: "" + secretKey: "" + # -- Use the role based authentication without providing explicitly the keys + inheritFromIAMRole: false + azure: + path: "/" + connectionString: "" + storageAccount: "" + storageKey: "" + storageSasToken: "" + containerName: "" + serviceName: blob + inheritFromAzureAD: false + google: + path: "/" + bucket: "" + gkeEnvironment: false + applicationCredentials: "" + secret: + # -- Whether to create a secret for the backup credentials + create: true + # -- Name of the backup credentials secret + name: "" + + # See https://cloudnative-pg.io/documentation/1.22/bootstrap/#bootstrap-from-a-live-cluster-pg_basebackup + pgBaseBackup: + # -- Name of the database used by the application. Default: `app`. + database: app + # -- Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch + secret: "" + # -- Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. 
+ owner: "" + source: + host: "" + port: 5432 + username: "" + database: "app" + sslMode: "verify-full" + passwordSecret: + # -- Whether to create a secret for the password + create: false + # -- Name of the secret containing the password + name: "" + # -- The key in the secret containing the password + key: "password" + # -- The password value to use when creating the secret + value: "" + sslKeySecret: + name: "" + key: "" + sslCertSecret: + name: "" + key: "" + sslRootCertSecret: + name: "" + key: "" + + # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-Import + import: + # -- One of `microservice` or `monolith.` + # See: https://cloudnative-pg.io/documentation/current/database_import/#how-it-works + type: "microservice" + # -- Databases to import + databases: [] + # -- Roles to import + roles: [] + # -- List of SQL queries to be executed as a superuser in the application database right after is imported. + # To be used with extreme care. Only available in microservice type. + postImportApplicationSQL: [] + # -- When set to true, only the pre-data and post-data sections of pg_restore are invoked, avoiding data import. + schemaOnly: false + # -- List of custom options to pass to the `pg_dump` command. IMPORTANT: Use these options with caution and at your + # own risk, as the operator does not validate their content. Be aware that certain options may conflict with the + # operator's intended functionality or design. + pgDumpExtraOptions: [] + # -- List of custom options to pass to the `pg_restore` command. IMPORTANT: Use these options with caution and at + # your own risk, as the operator does not validate their content. Be aware that certain options may conflict with the + # operator's intended functionality or design. 
+ pgRestoreExtraOptions: [] + source: + host: "" + port: 5432 + username: "" + database: "" + sslMode: "verify-full" + passwordSecret: + # -- Whether to create a secret for the password + create: false + # -- Name of the secret containing the password + name: "" + # -- The key in the secret containing the password + key: "password" + # -- The password value to use when creating the secret + value: "" + sslKeySecret: + name: "" + key: "" + sslCertSecret: + name: "" + key: "" + sslRootCertSecret: + name: "" + key: "" + + +cluster: + # -- Number of instances + instances: 3 + + # -- Name of the container image, supporting both tags (:) and digests for deterministic and repeatable deployments: + # :@sha256: + imageName: "" # Default value depends on type (postgresql/postgis/timescaledb) + + # -- Reference to `ImageCatalog` of `ClusterImageCatalog`, if specified takes precedence over `cluster.imageName` + imageCatalogRef: {} + # kind: ImageCatalog + # name: postgresql + + # -- Image pull policy. One of Always, Never or IfNotPresent. If not defined, it defaults to IfNotPresent. Cannot be updated. + # More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + imagePullPolicy: IfNotPresent + + # -- The list of pull secrets to be used to pull the images. + # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-LocalObjectReference + imagePullSecrets: [] + + storage: + size: 10Gi + storageClass: "openebs-hostpath" + + walStorage: + enabled: true + size: 1Gi + storageClass: "openebs-hostpath" + + # -- The UID of the postgres user inside the image, defaults to 26 + postgresUID: -1 + + # -- The GID of the postgres user inside the image, defaults to 26 + postgresGID: -1 + + # -- Customization of service definitions. Please refer to https://cloudnative-pg.io/documentation/1.24/service_management/ + services: {} + + # -- Resources requirements of every generated Pod. 
+ # Please refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for more information. + # We strongly advise you use the same setting for limits and requests so that your cluster pods are given a Guaranteed QoS. + # See: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/ + resources: {} + # limits: + # cpu: 2000m + # memory: 8Gi + # requests: + # cpu: 2000m + # memory: 8Gi + + priorityClassName: "" + + # -- Method to follow to upgrade the primary server during a rolling update procedure, after all replicas have been + # successfully updated. It can be switchover (default) or restart. + primaryUpdateMethod: switchover + + # -- Strategy to follow to upgrade the primary server during a rolling update procedure, after all replicas have been + # successfully updated: it can be automated (unsupervised - default) or manual (supervised) + primaryUpdateStrategy: unsupervised + + # -- The instances' log level, one of the following values: error, warning, info (default), debug, trace + logLevel: "info" + + # -- Affinity/Anti-affinity rules for Pods. + # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-AffinityConfiguration + affinity: + topologyKey: kubernetes.io/hostname + + # -- The configuration for the CA and related certificates. + # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-CertificatesConfiguration + certificates: {} + + # -- When this option is enabled, the operator will use the SuperuserSecret to update the postgres user password. + # If the secret is not present, the operator will automatically create one. + # When this option is disabled, the operator will ignore the SuperuserSecret content, delete it when automatically created, + # and then blank the password of the postgres user by setting it to NULL. 
+ enableSuperuserAccess: true
+ superuserSecret: ""
+
+ # -- Allow to disable PDB, mainly useful for upgrade of single-instance clusters or development purposes
+ # See: https://cloudnative-pg.io/documentation/current/kubernetes_upgrade/#pod-disruption-budgets
+ enablePDB: true
+
+ # -- This feature enables declarative management of existing roles, as well as the creation of new roles if they are not
+ # already present in the database.
+ # See: https://cloudnative-pg.io/documentation/current/declarative_role_management/
+ roles: []
+ # - name: dante
+ # ensure: present
+ # comment: Dante Alighieri
+ # login: true
+ # superuser: false
+ # inRoles:
+ # - pg_monitor
+ # - pg_signal_backend
+
+ monitoring:
+ # -- Whether to enable monitoring
+ enabled: false
+ podMonitor:
+ # -- Whether to enable the PodMonitor
+ enabled: true
+ # --The list of relabelings for the PodMonitor.
+ # Applied to samples before scraping.
+ relabelings: []
+ # -- The list of metric relabelings for the PodMonitor.
+ # Applied to samples before ingestion.
+ metricRelabelings: []
+ prometheusRule:
+ # -- Whether to enable the PrometheusRule automated alerts
+ enabled: true
+ # -- Exclude specified rules
+ excludeRules: []
+ # - CNPGClusterZoneSpreadWarning
+ # -- Whether the default queries should be injected.
+ # Set it to true if you don't want to inject default queries into the cluster.
+ disableDefaultQueries: false
+ # -- Custom Prometheus metrics
+ # Will be stored in the ConfigMap
+ customQueries: []
+ # - name: "pg_cache_hit_ratio"
+ # query: "SELECT current_database() as datname, sum(heap_blks_hit) / (sum(heap_blks_hit) + sum(heap_blks_read)) as ratio FROM pg_statio_user_tables;"
+ # metrics:
+ # - datname:
+ # usage: "LABEL"
+ # description: "Name of the database"
+ # - ratio:
+ # usage: GAUGE
+ # description: "Cache hit ratio"
+ # -- The list of secrets containing the custom queries
+ customQueriesSecret: []
+ # - name: custom-queries-secret
+ # key: custom-queries
+
+ postgresql:
+ # -- PostgreSQL configuration options (postgresql.conf)
+ parameters: {}
+ # max_connections: 300
+ # -- Quorum-based Synchronous Replication
+ synchronous: {}
+ # method: any
+ # number: 1
+ # -- PostgreSQL Host Based Authentication rules (lines to be appended to the pg_hba.conf file)
+ pg_hba: []
+ # - host all all 10.244.0.0/16 md5
+ # -- PostgreSQL User Name Maps rules (lines to be appended to the pg_ident.conf file)
+ pg_ident: []
+ # - mymap /^(.*)@mydomain\.com$ \1
+ # -- Lists of shared preload libraries to add to the default ones
+ shared_preload_libraries: []
+ # - pgaudit
+ # -- PostgreSQL LDAP configuration (see https://cloudnative-pg.io/documentation/current/postgresql_conf/#ldap-configuration)
+ ldap: {}
+ # https://cloudnative-pg.io/documentation/1.24/postgresql_conf/#ldap-configuration
+ # server: 'openldap.default.svc.cluster.local'
+ # bindSearchAuth:
+ # baseDN: 'ou=org,dc=example,dc=com'
+ # bindDN: 'cn=admin,dc=example,dc=com'
+ # bindPassword:
+ # name: 'ldapBindPassword'
+ # key: 'data'
+ # searchAttribute: 'uid'
+
+
+ # -- BootstrapInitDB is the configuration of the bootstrap process when initdb is used.
+ # See: https://cloudnative-pg.io/documentation/current/bootstrap/
+ # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-bootstrapinitdb
+ initdb:
+ database: netbox
+ owner: netbox # Defaults to the database name
+ # secret:
+ # name: "" # Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch
+ # options: []
+ # encoding: UTF8
+ # postInitSQL:
+ # - CREATE EXTENSION IF NOT EXISTS vector;
+ # postInitApplicationSQL: []
+ # postInitTemplateSQL: []
+
+ # -- Configure the metadata of the generated service account
+ serviceAccountTemplate: {}
+
+ additionalLabels: {}
+ annotations: {}
+
+
+backups:
+ # -- You need to configure backups manually, so backups are disabled by default.
+ enabled: false
+
+ # -- Overrides the provider specific default endpoint. Defaults to:
+ # S3: https://s3..amazonaws.com"
+ endpointURL: "" # Leave empty if using the default S3 endpoint
+ # -- Specifies a CA bundle to validate a privately signed certificate.
+ endpointCA:
+ # -- Creates a secret with the given value if true, otherwise uses an existing secret.
+ create: false
+ name: ""
+ key: ""
+ value: ""
+
+ # -- Overrides the provider specific default path.
Defaults to:
+ # S3: s3://
+ # Azure: https://..core.windows.net/
+ # Google: gs://
+ destinationPath: ""
+ # -- One of `s3`, `azure` or `google`
+ provider: s3
+ s3:
+ region: ""
+ bucket: ""
+ path: "/"
+ accessKey: ""
+ secretKey: ""
+ # -- Use the role based authentication without providing explicitly the keys
+ inheritFromIAMRole: false
+ azure:
+ path: "/"
+ connectionString: ""
+ storageAccount: ""
+ storageKey: ""
+ storageSasToken: ""
+ containerName: ""
+ serviceName: blob
+ inheritFromAzureAD: false
+ google:
+ path: "/"
+ bucket: ""
+ gkeEnvironment: false
+ applicationCredentials: ""
+ secret:
+ # -- Whether to create a secret for the backup credentials
+ create: true
+ # -- Name of the backup credentials secret
+ name: ""
+
+ wal:
+ # -- WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
+ compression: gzip
+ # -- Whether to instruct the storage provider to encrypt WAL files. One of `` (use the storage container default), `AES256` or `aws:kms`.
+ encryption: AES256
+ # -- Number of WAL files to be archived or restored in parallel.
+ maxParallel: 1
+ data:
+ # -- Data compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
+ compression: gzip
+ # -- Whether to instruct the storage provider to encrypt data files. One of `` (use the storage container default), `AES256` or `aws:kms`.
+ encryption: AES256
+ # -- Number of data files to be archived or restored in parallel.
+ jobs: 2
+
+ scheduledBackups:
+ -
+ # -- Scheduled backup name
+ name: daily-backup
+ # -- Schedule in cron format
+ schedule: "0 0 0 * * *"
+ # -- Backup owner reference
+ backupOwnerReference: self
+ # -- Backup method, can be `barmanObjectStore` (default) or `volumeSnapshot`
+ method: barmanObjectStore
+
+ # -- Retention policy for backups
+ retentionPolicy: "30d"
+
+imageCatalog:
+ # -- Whether to provision an image catalog. If imageCatalog.images is empty this option will be ignored.
+ create: true + # -- List of images to be provisioned in an image catalog. + images: [] + # - image: ghcr.io/your_repo/your_image:your_tag + # major: 16 + +# -- List of PgBouncer poolers +poolers: [] + # - + # # -- Pooler name + # name: rw + # # -- PgBouncer type of service to forward traffic to. + # type: rw + # # -- PgBouncer pooling mode + # poolMode: transaction + # # -- Number of PgBouncer instances + # instances: 3 + # # -- PgBouncer configuration parameters + # parameters: + # max_client_conn: "1000" + # default_pool_size: "25" + # monitoring: + # # -- Whether to enable monitoring + # enabled: false + # podMonitor: + # # -- Whether to enable the PodMonitor + # enabled: true + # # -- Custom PgBouncer deployment template. + # # Use to override image, specify resources, etc. + # template: {} + # - + # # -- Pooler name + # name: ro + # # -- PgBouncer type of service to forward traffic to. + # type: ro + # # -- PgBouncer pooling mode + # poolMode: transaction + # # -- Number of PgBouncer instances + # instances: 3 + # # -- PgBouncer configuration parameters + # parameters: + # max_client_conn: "1000" + # default_pool_size: "25" + # monitoring: + # # -- Whether to enable monitoring + # enabled: false + # podMonitor: + # # -- Whether to enable the PodMonitor + # enabled: true + # # -- Custom PgBouncer deployment template. + # # Use to override image, specify resources, etc. + # template: {} + diff --git a/netbox/src/values.yaml b/netbox/src/values.yaml index 75acf6a..595830b 100644 --- a/netbox/src/values.yaml +++ b/netbox/src/values.yaml @@ -18,7 +18,7 @@ global: ## - myRegistryKeySecretName ## imagePullSecrets: [] - storageClass: "" + storageClass: openebs-3-replicas ## @section Common parameters 
@@ -211,18 +211,18 @@ dbWaitDebug: false # Email settings email: - server: localhost - port: 25 - username: "" + server: mxe965.netcup.net + port: 587 + username: philip.haupt@borninpain.de password: "" - useSSL: false + useSSL: true useTLS: false sslCertFile: "" sslKeyFile: "" # Timeout in seconds timeout: 10 - from: "" - existingSecretName: "" + from: noreply@borninpain.de + existingSecretName: netbox existingSecretKey: email-password # Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce @@ -440,7 +440,7 @@ sessionCookieName: sessionid enableLocalization: false # Time zone (default: UTC) -timeZone: UTC +timeZone: CET # Date/time formatting. See the following link for supported formats: # https://docs.djangoproject.com/en/dev/ref/templates/builtins/#date @@ -1047,7 +1047,7 @@ postgresql: ## @param postgresql.enabled Whether to deploy a PostgreSQL server to satisfy the applications database requirements ## To use an external database set this to false and configure the externalDatabase parameters ## - enabled: true + enabled: false auth: username: netbox database: netbox @@ -1062,13 +1062,13 @@ postgresql: ## @param externalDatabase.existingSecretKey Key of a secret containing the database credentials ## externalDatabase: - host: localhost + host: cnpg-netbox-cluster-rw port: 5432 database: netbox username: netbox password: "" - existingSecretName: "" - existingSecretKey: postgresql-password + existingSecretName: cnpg-netbox-cluster-app + existingSecretKey: password # The following settings also apply when using the bundled PostgreSQL chart: engine: django.db.backends.postgresql @@ -1109,7 +1109,7 @@ additionalDatabases: {} ## @param valkey.enabled Whether to deploy a Valkey server to satisfy the applications database requirements ## valkey: - enabled: true + enabled: false sentinel: enabled: false primarySet: netbox-kv 
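Review bot: In the email hunk, `port: 587` is combined with `useSSL: true` and `useTLS: false`, which looks inverted. In the Django SMTP backend that NetBox uses, the SSL flag means implicit TLS from the first byte (conventionally port 465) and the TLS flag means STARTTLS (conventionally port 587), so against a standard submission listener this pairing will most likely fail the handshake instead of sending mail. If the provider's 587 endpoint is STARTTLS, use `useSSL: false` and `useTLS: true`; if implicit TLS is intended, set `port: 465`. Either way keep exactly one of the two enabled, so the `email-password` credential is never sent over an unencrypted session.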
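Review bot: The `externalDatabase` hunk switches NetBox to `cnpg-netbox-cluster-rw` and the operator-generated `cnpg-netbox-cluster-app` secret, but nothing in the hunk says how the connection is protected; the block continues past `engine:` outside the hunk. If the chart's connection options there are still at a non-verifying setting such as `sslmode: prefer`, the client will accept any server certificate or fall back to plaintext. It would be worth setting a verifying mode and mounting the CA the operator generates for the cluster, and adding a comment such as `# secret is created by the CNPG operator; cluster must exist before NetBox starts` next to `existingSecretName`.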
@@ -1118,7 +1118,7 @@ valkey: sentinel: false tasksDatabase: - database: 0 + database: 3 ssl: false insecureSkipTlsVerify: false # When defining caCertPath, make sure you mount the secret containing the CA certificate on all the necessary containers @@ -1126,7 +1126,7 @@ tasksDatabase: # Used only when valkey.enabled is false. host and port are not used if # sentinels are given. - host: netbox-kv + host: valkey.valkey.svc.cluster.local port: 6379 sentinels: [] # - mysentinel:26379 @@ -1134,11 +1134,11 @@ tasksDatabase: sentinelTimeout: 300 username: "" password: "" - existingSecretName: "" - existingSecretKey: tasks-password + existingSecretName: "netbox" + existingSecretKey: kv-password cachingDatabase: - database: 1 + database: 4 ssl: false insecureSkipTlsVerify: false # When defining caCertPath, make sure you mount the secret containing the CA certificate on all the necessary containers @@ -1146,7 +1146,7 @@ cachingDatabase: # Used only when valkey.enabled is false. host and port are not used if # sentinels are given. - host: netbox-kv + host: valkey.valkey.svc.cluster.local port: 6379 sentinels: [] # - mysentinel:26379 @@ -1154,8 +1154,8 @@ cachingDatabase: sentinelTimeout: 300 username: "" password: "" - existingSecretName: "" - existingSecretKey: cache-password + existingSecretName: "netbox" + existingSecretKey: kv-password ## @section Autoscaling parameters
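Review bot: The `tasksDatabase` hunks move the job queue onto the shared `valkey.valkey.svc.cluster.local` instance while the context line keeps `ssl: false`, so the `kv-password` credential and the queue contents cross namespaces unencrypted; the `cachingDatabase` hunks at -1146 and -1154 have the same issue. Both blocks leave `username: ""` and read the same `kv-password` key, which suggests the instance's default user. Database numbers 3 and 4 only separate keyspaces and are not an access boundary, so every other client holding that password can read and write NetBox's queue and cache. For the task queue this matters more than for a cache, because RQ workers deserialize queued jobs (pickle by default), so write access to that database should be treated as equivalent to code execution in the worker. Consider `ssl: true` with the CA mounted via `caCertPath` if the Valkey service offers TLS, a dedicated ACL user for NetBox instead of the shared password, and a NetworkPolicy limiting which pods can reach port 6379.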