k8s/apps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

netbox initial

Browse Source
This commit is contained in:
Philip Haupt
2025-10-20 00:22:59 +02:00
parent 305097466b
commit d4644d6bbf
5 changed files with 1541 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
netbox/kustomization.yaml Normal file
View File

@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- main.yaml

991
netbox/main.yaml Normal file
View File

@@ -0,0 +1,991 @@
apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: netbox
app.kubernetes.io/version: v4.4.4
helm.sh/chart: netbox-7.1.11
name: netbox
namespace: netbox
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: netbox
app.kubernetes.io/version: v4.4.4
helm.sh/chart: netbox-7.1.11
name: netbox
namespace: netbox
rules:
- apiGroups:
- apps
resources:
- statefulsets
- deployments
- replicasets
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: netbox
app.kubernetes.io/version: v4.4.4
helm.sh/chart: netbox-7.1.11
name: netbox
namespace: netbox
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: netbox
subjects:
- kind: ServiceAccount
name: netbox
namespace: netbox
---
apiVersion: v1
data:
configuration.py: |2-
"""
This file serves as a base configuration for Netbox
https://netboxlabs.com/docs/netbox/en/stable/configuration/
"""
import os
import re
from pathlib import Path
import yaml
def _deep_merge(source, destination):
"""Inspired by https://stackoverflow.com/a/20666342"""
for key, value in source.items():
dst_value = destination.get(key)
if isinstance(value, dict) and isinstance(dst_value, dict):
_deep_merge(value, dst_value)
else:
destination[key] = value
return destination
def _load_yaml() -> None:
"""Load YAML from files"""
extra_config_base = Path("/run/config/extra")
config_files = [Path("/run/config/netbox/netbox.yaml")]
config_files.extend(sorted(extra_config_base.glob("*/*.yaml")))
for config_file in config_files:
with open(config_file, "r", encoding="utf-8") as f:
config = yaml.safe_load(f)
_deep_merge(config, globals())
def _read_secret(secret_name: str, secret_key: str, default: str | None = None) -> str | None:
"""Read secret from file"""
try:
secret = open(
f"/run/secrets/{secret_name}/{secret_key}",
"r",
encoding="utf-8",
)
except EnvironmentError:
return default
with secret:
return secret.readline().strip()
CORS_ORIGIN_REGEX_WHITELIST = []
DATABASES = {}
EMAIL = {}
REDIS = {}
_load_yaml()
provided_secret_name = os.getenv("SECRET_NAME", "netbox")
DATABASES["default"]["PASSWORD"] = _read_secret(provided_secret_name, "db_password")
EMAIL["PASSWORD"] = _read_secret(provided_secret_name, "email_password")
REDIS["tasks"]["PASSWORD"] = _read_secret(provided_secret_name, "tasks_password")
REDIS["caching"]["PASSWORD"] = _read_secret(provided_secret_name, "cache_password")
SECRET_KEY = _read_secret(provided_secret_name, "secret_key")
# Post-process certain values
CORS_ORIGIN_REGEX_WHITELIST = [re.compile(r) for r in CORS_ORIGIN_REGEX_WHITELIST]
if "SENTINELS" in REDIS["tasks"]:
REDIS["tasks"]["SENTINELS"] = [tuple(x.split(r":")) for x in REDIS["tasks"]["SENTINELS"]]
if "SENTINELS" in REDIS["caching"]:
REDIS["caching"]["SENTINELS"] = [tuple(x.split(r":")) for x in REDIS["caching"]["SENTINELS"]]
if ALLOWED_HOSTS_INCLUDES_POD_ID:
ALLOWED_HOSTS.append(os.getenv("POD_IP"))
netbox.yaml: |-
ALLOWED_HOSTS: ["*"]
ALLOWED_HOSTS_INCLUDES_POD_ID: true
DATABASES:
default:
HOST: "cnpg-netbox-cluster-rw"
USER: "netbox"
NAME: "netbox"
PORT: 5432
ENGINE: "django.db.backends.postgresql"
OPTIONS:
sslmode: prefer
target_session_attrs: read-write
CONN_MAX_AGE: 300
DISABLE_SERVER_SIDE_CURSORS: false
ADMINS: []
ALLOW_TOKEN_RETRIEVAL: false
AUTH_PASSWORD_VALIDATORS: []
ALLOWED_URL_SCHEMES: ["file","ftp","ftps","http","https","irc","mailto","sftp","ssh","tel","telnet","tftp","vnc","xmpp"]
BANNER_TOP: ""
BANNER_BOTTOM: ""
BANNER_LOGIN: ""
BASE_PATH: ""
CHANGELOG_RETENTION: 90
CUSTOM_VALIDATORS: {}
DEFAULT_USER_PREFERENCES: {}
CORS_ORIGIN_ALLOW_ALL: false
CORS_ORIGIN_WHITELIST: []
CORS_ORIGIN_REGEX_WHITELIST: []
CSRF_TRUSTED_ORIGINS: []
DATA_UPLOAD_MAX_MEMORY_SIZE: 2621440
DEBUG: false
DEFAULT_LANGUAGE: "en-us"
EMAIL:
SERVER: "localhost"
PORT: 25
USERNAME: ""
USE_SSL: false
USE_TLS: false
SSL_CERTFILE: ""
SSL_KEYFILE: ""
TIMEOUT: 10
FROM_EMAIL: ""
ENFORCE_GLOBAL_UNIQUE: true
EXEMPT_VIEW_PERMISSIONS: []
FIELD_CHOICES: {}
FILE_UPLOAD_MAX_MEMORY_SIZE: 2621440
GRAPHQL_ENABLED: true
HTTP_PROXIES: {}
INTERNAL_IPS: ["127.0.0.1","::1"]
JOB_RETENTION: 90
LOGGING: {}
LOGIN_PERSISTENCE: false
LOGIN_REQUIRED: false
LOGIN_TIMEOUT: 1209600
LOGOUT_REDIRECT_URL: "home"
MAINTENANCE_MODE: false
MAPS_URL: "https://maps.google.com/?q="
MAX_PAGE_SIZE: 1000
MEDIA_ROOT: /opt/netbox/netbox/media
STORAGES: {}
METRICS_ENABLED: false
PAGINATE_COUNT: 50
PLUGINS: []
PLUGINS_CONFIG: {}
POWERFEED_DEFAULT_AMPERAGE: 15
POWERFEED_DEFAULT_MAX_UTILIZATION: 80
POWERFEED_DEFAULT_VOLTAGE: 120
PREFER_IPV4: false
RACK_ELEVATION_DEFAULT_UNIT_HEIGHT: 22
RACK_ELEVATION_DEFAULT_UNIT_WIDTH: 220
REMOTE_AUTH_ENABLED: false
REMOTE_AUTH_BACKEND: ["netbox.authentication.RemoteUserBackend"]
REMOTE_AUTH_HEADER: "HTTP_REMOTE_USER"
REMOTE_AUTH_USER_FIRST_NAME: "HTTP_REMOTE_USER_FIRST_NAME"
REMOTE_AUTH_USER_LAST_NAME: "HTTP_REMOTE_USER_LAST_NAME"
REMOTE_AUTH_USER_EMAIL: "HTTP_REMOTE_USER_EMAIL"
REMOTE_AUTH_AUTO_CREATE_USER: false
REMOTE_AUTH_AUTO_CREATE_GROUPS: false
REMOTE_AUTH_DEFAULT_GROUPS: []
REMOTE_AUTH_DEFAULT_PERMISSIONS: {}
REMOTE_AUTH_GROUP_SYNC_ENABLED: false
REMOTE_AUTH_GROUP_HEADER: "HTTP_REMOTE_USER_GROUP"
REMOTE_AUTH_SUPERUSER_GROUPS: []
REMOTE_AUTH_SUPERUSERS: []
REMOTE_AUTH_STAFF_GROUPS: []
REMOTE_AUTH_STAFF_USERS: []
REMOTE_AUTH_GROUP_SEPARATOR: "|"
RELEASE_CHECK_URL: ""
REDIS:
tasks:
HOST: "valkey.valkey.svc.cluster.local"
PORT: 6379
USERNAME: ""
DATABASE: 3
SSL: false
INSECURE_SKIP_TLS_VERIFY: false
CA_CERT_PATH: ""
caching:
HOST: "valkey.valkey.svc.cluster.local"
PORT: 6379
USERNAME: ""
DATABASE: 4
SSL: false
INSECURE_SKIP_TLS_VERIFY: false
CA_CERT_PATH: ""
REPORTS_ROOT: /opt/netbox/netbox/reports
RQ_DEFAULT_TIMEOUT: 300
SCRIPTS_ROOT: /opt/netbox/netbox/scripts
CSRF_COOKIE_NAME: "csrftoken"
SESSION_COOKIE_NAME: sessionid
ENABLE_LOCALIZATION: false
TIME_ZONE: "UTC"
DATE_FORMAT: "N j, Y"
SHORT_DATE_FORMAT: "Y-m-d"
TIME_FORMAT: "g:i a"
SHORT_TIME_FORMAT: "H:i:s"
DATETIME_FORMAT: "N j, Y g:i a"
SHORT_DATETIME_FORMAT: "Y-m-d H:i"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/instance: netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: netbox
app.kubernetes.io/version: v4.4.4
helm.sh/chart: netbox-7.1.11
name: netbox
namespace: netbox
---
apiVersion: v1
data:
email_password: ""
secret_key: Ym9JSkxAeXJYcW1YakxuMCIhK3JaclJqIScpM2RtS2kxTD4+VlIqXlg6OVtVMDQ9M2lrXHZLNWhbdDU3
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: netbox
app.kubernetes.io/version: v4.4.4
helm.sh/chart: netbox-7.1.11
name: netbox-config
namespace: netbox
type: Opaque
---
apiVersion: v1
data:
cache_password: ""
tasks_password: Ymx1YmJlcg==
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: netbox
app.kubernetes.io/version: v4.4.4
helm.sh/chart: netbox-7.1.11
name: netbox-kv
namespace: netbox
type: Opaque
---
apiVersion: v1
data:
api_token: YjcwNzI5MGMtYmE3MC00MmMzLTg2MWYtMzUyMzU5YzIyNzc5
email: YWRtaW5AZXhhbXBsZS5jb20=
password: a0FCT2JxUTFJUA==
username: YWRtaW4=
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: netbox
app.kubernetes.io/version: v4.4.4
helm.sh/chart: netbox-7.1.11
name: netbox-superuser
namespace: netbox
type: kubernetes.io/basic-auth
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: netbox
app.kubernetes.io/version: v4.4.4
helm.sh/chart: netbox-7.1.11
name: netbox
namespace: netbox
spec:
ports:
- name: http
nodePort: null
port: 80
protocol: TCP
targetPort: http
selector:
app.kubernetes.io/component: netbox
app.kubernetes.io/instance: netbox
app.kubernetes.io/name: netbox
sessionAffinity: None
type: ClusterIP
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/instance: netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: netbox
app.kubernetes.io/version: v4.4.4
helm.sh/chart: netbox-7.1.11
name: netbox-media
namespace: netbox
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: openebs-3-replicas
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: netbox
app.kubernetes.io/instance: netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: netbox
app.kubernetes.io/version: v4.4.4
helm.sh/chart: netbox-7.1.11
name: netbox
namespace: netbox
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: netbox
app.kubernetes.io/instance: netbox
app.kubernetes.io/name: netbox
strategy:
type: RollingUpdate
template:
metadata:
annotations:
checksum/config: 700ca816c994c518b5ab4d10edb328a359017172480d4199d5860a4713b4c091
checksum/secret: ac76943039914a3d7a2e7234a2fed36ba39dd6f42d379734eb6a6bc5a448944a
labels:
app.kubernetes.io/component: netbox
app.kubernetes.io/instance: netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: netbox
app.kubernetes.io/version: v4.4.4
helm.sh/chart: netbox-7.1.11
spec:
automountServiceAccountToken: false
containers:
- env:
- name: SUPERUSER_NAME
valueFrom:
secretKeyRef:
key: username
name: netbox-superuser
- name: SUPERUSER_EMAIL
valueFrom:
secretKeyRef:
key: email
name: netbox-superuser
- name: POD_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
image: ghcr.io/netbox-community/netbox:v4.4.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /status/applications/netbox/processes/running
port: nginx-status
initialDelaySeconds: 0
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: netbox
ports:
- containerPort: 8080
name: http
protocol: TCP
- containerPort: 8081
name: nginx-status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /login/
port: http
initialDelaySeconds: 0
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
limits:
cpu: 750m
ephemeral-storage: 2Gi
memory: 1536Mi
requests:
cpu: 500m
ephemeral-storage: 50Mi
memory: 1024Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seLinuxOptions: {}
seccompProfile:
type: RuntimeDefault
startupProbe:
failureThreshold: 100
httpGet:
path: /login/
port: http
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
volumeMounts:
- mountPath: /etc/netbox/config/configuration.py
name: config
readOnly: true
subPath: configuration.py
- mountPath: /run/config/netbox
name: config
readOnly: true
- mountPath: /run/secrets/netbox
name: secrets
readOnly: true
- mountPath: /tmp
name: netbox-tmp
- mountPath: /opt/netbox/netbox/media
name: media
subPath: ""
- mountPath: /opt/unit
name: optunit
- mountPath: /run/secrets/superuser_password
name: secrets
readOnly: true
subPath: superuser_password
- mountPath: /run/secrets/superuser_api_token
name: secrets
readOnly: true
subPath: superuser_api_token
initContainers:
- command:
- /bin/sh
- -c
- mkdir -p /opt/unit/state /opt/unit/tmp
image: docker.io/busybox:1.37.0
imagePullPolicy: IfNotPresent
name: init-dirs
resources:
limits:
cpu: 150m
ephemeral-storage: 2Gi
memory: 192Mi
requests:
cpu: 100m
ephemeral-storage: 50Mi
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seLinuxOptions: {}
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /opt/unit
name: optunit
securityContext:
fsGroup: 1000
fsGroupChangePolicy: Always
supplementalGroups: []
sysctls: []
serviceAccountName: netbox
volumes:
- configMap:
name: netbox
name: config
- name: secrets
projected:
sources:
- secret:
items:
- key: secret_key
path: secret_key
name: netbox-config
- secret:
items:
- key: email_password
path: email_password
name: netbox-config
- secret:
items:
- key: password
path: superuser_password
- key: api_token
path: superuser_api_token
name: netbox-superuser
- secret:
items:
- key: password
path: db_password
name: cnpg-netbox-cluster-app
- secret:
items:
- key: tasks_password
path: tasks_password
name: netbox-kv
- secret:
items:
- key: cache_password
path: cache_password
name: netbox-kv
- emptyDir:
medium: Memory
name: netbox-tmp
- emptyDir:
medium: Memory
name: optunit
- name: media
persistentVolumeClaim:
claimName: netbox-media
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: worker
app.kubernetes.io/instance: netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: netbox
app.kubernetes.io/version: v4.4.4
helm.sh/chart: netbox-7.1.11
name: netbox-worker
namespace: netbox
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: worker
app.kubernetes.io/instance: netbox
app.kubernetes.io/name: netbox
strategy:
type: RollingUpdate
template:
metadata:
annotations:
checksum/config: b6611b66943044288475e05c9f4bf368a95203cd197dda8a35d9ed7498ac56b9
checksum/secret: d20d6403cee6e39c20d0033c4fe21c5311f96719861582c79d7030e48bf17e41
labels:
app.kubernetes.io/component: worker
app.kubernetes.io/instance: netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: netbox
app.kubernetes.io/version: v4.4.4
helm.sh/chart: netbox-7.1.11
spec:
automountServiceAccountToken: true
containers:
- command:
- /opt/netbox/venv/bin/python
- /opt/netbox/netbox/manage.py
- rqworker
image: ghcr.io/netbox-community/netbox:v4.4.4
imagePullPolicy: IfNotPresent
name: netbox-worker
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seLinuxOptions: {}
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /etc/netbox/config/configuration.py
name: config
readOnly: true
subPath: configuration.py
- mountPath: /run/config/netbox
name: config
readOnly: true
- mountPath: /run/secrets/netbox
name: secrets
readOnly: true
- mountPath: /tmp
name: netbox-tmp
- mountPath: /opt/netbox/netbox/media
name: media
readOnly: false
subPath: ""
initContainers:
- args:
- rollout
- status
- deployment
- $(DEPLOYMENT_NAME)
command:
- /bin/kubectl
env:
- name: DEPLOYMENT_NAME
value: netbox
image: docker.io/rancher/kubectl:v1.34.1
imagePullPolicy: IfNotPresent
name: wait-for-backend
resources:
limits:
cpu: 150m
ephemeral-storage: 2Gi
memory: 192Mi
requests:
cpu: 100m
ephemeral-storage: 50Mi
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
seLinuxOptions: {}
seccompProfile:
type: RuntimeDefault
securityContext:
fsGroup: 1000
fsGroupChangePolicy: Always
supplementalGroups: []
sysctls: []
serviceAccountName: netbox
volumes:
- configMap:
name: netbox
name: config
- name: secrets
projected:
sources:
- secret:
items:
- key: secret_key
path: secret_key
name: netbox-config
- secret:
items:
- key: email_password
path: email_password
name: netbox-config
- secret:
items:
- key: password
path: superuser_password
- key: api_token
path: superuser_api_token
name: netbox-superuser
- secret:
items:
- key: password
path: db_password
name: cnpg-netbox-cluster-app
- secret:
items:
- key: tasks_password
path: tasks_password
name: netbox-kv
- secret:
items:
- key: cache_password
path: cache_password
name: netbox-kv
- emptyDir:
medium: Memory
name: netbox-tmp
- name: media
persistentVolumeClaim:
claimName: netbox-media
readOnly: false
---
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/component: housekeeping
app.kubernetes.io/instance: netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: netbox
app.kubernetes.io/version: v4.4.4
helm.sh/chart: netbox-7.1.11
name: netbox-housekeeping
namespace: netbox
spec:
concurrencyPolicy: Forbid
failedJobsHistoryLimit: 5
jobTemplate:
metadata:
labels:
app.kubernetes.io/instance: netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: netbox
app.kubernetes.io/version: v4.4.4
helm.sh/chart: netbox-7.1.11
spec:
template:
metadata:
labels:
app.kubernetes.io/component: housekeeping
app.kubernetes.io/instance: netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: netbox
app.kubernetes.io/version: v4.4.4
helm.sh/chart: netbox-7.1.11
spec:
automountServiceAccountToken: false
containers:
- command:
- /opt/netbox/venv/bin/python
- /opt/netbox/netbox/manage.py
- housekeeping
image: ghcr.io/netbox-community/netbox:v4.4.4
imagePullPolicy: IfNotPresent
name: netbox-housekeeping
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seLinuxOptions: {}
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /etc/netbox/config/configuration.py
name: config
readOnly: true
subPath: configuration.py
- mountPath: /run/config/netbox
name: config
readOnly: true
- mountPath: /run/secrets/netbox
name: secrets
readOnly: true
- mountPath: /tmp
name: netbox-tmp
- mountPath: /opt/netbox/netbox/media
name: media
readOnly: false
subPath: ""
restartPolicy: OnFailure
securityContext:
fsGroup: 1000
fsGroupChangePolicy: Always
supplementalGroups: []
sysctls: []
serviceAccountName: netbox
volumes:
- configMap:
name: netbox
name: config
- name: secrets
projected:
sources:
- secret:
items:
- key: secret_key
path: secret_key
name: netbox-config
- secret:
items:
- key: email_password
path: email_password
name: netbox-config
- secret:
items:
- key: password
path: db_password
name: cnpg-netbox-cluster-app
- secret:
items:
- key: tasks_password
path: tasks_password
name: netbox-kv
- secret:
items:
- key: cache_password
path: cache_password
name: netbox-kv
- emptyDir:
medium: Memory
name: netbox-tmp
- name: media
persistentVolumeClaim:
claimName: netbox-media
readOnly: false
schedule: 0 0 * * *
successfulJobsHistoryLimit: 5
suspend: false
---
apiVersion: batch/v1
kind: Job
metadata:
annotations:
helm.sh/hook: test
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
labels:
app.kubernetes.io/component: database-ping-test
name: cnpg-netbox-cluster-ping-test
namespace: netbox
spec:
template:
metadata:
labels:
app.kubernetes.io/component: database-ping-test
name: cnpg-netbox-cluster-ping-test
spec:
containers:
- args:
- -c
- apk add postgresql-client && psql "postgresql://$PGUSER:$PGPASS@cnpg-netbox-cluster-rw.netbox.svc.cluster.local:5432/${PGDBNAME:-$PGUSER}"
-c 'SELECT 1'
command:
- sh
env:
- name: PGUSER
valueFrom:
secretKeyRef:
key: username
name: cnpg-netbox-cluster-app
- name: PGPASS
valueFrom:
secretKeyRef:
key: password
name: cnpg-netbox-cluster-app
- name: PGDBNAME
valueFrom:
secretKeyRef:
key: dbname
name: cnpg-netbox-cluster-app
optional: true
image: alpine:3.17
name: alpine
restartPolicy: Never
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
labels:
app.kubernetes.io/instance: cnpg-netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cluster
app.kubernetes.io/part-of: cloudnative-pg
helm.sh/chart: cluster-0.3.1
name: cnpg-netbox-cluster
namespace: netbox
spec:
affinity:
topologyKey: kubernetes.io/hostname
bootstrap:
initdb:
database: netbox
owner: netbox
enablePDB: true
enableSuperuserAccess: true
imageName: ghcr.io/cloudnative-pg/postgresql:17
imagePullPolicy: IfNotPresent
instances: 3
logLevel: info
monitoring:
disableDefaultQueries: false
enablePodMonitor: false
postgresGID: 26
postgresUID: 26
postgresql: null
primaryUpdateMethod: switchover
primaryUpdateStrategy: unsupervised
storage:
size: 10Gi
storageClass: openebs-hostpath
walStorage:
size: 1Gi
storageClass: openebs-hostpath
---
apiVersion: v1
kind: Pod
metadata:
annotations:
helm.sh/hook: test
labels:
app.kubernetes.io/instance: netbox
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: netbox
app.kubernetes.io/version: v4.4.4
helm.sh/chart: netbox-7.1.11
name: netbox-test-connection
spec:
containers:
- args:
- netbox:80
command:
- wget
image: busybox:1.37.0
imagePullPolicy: IfNotPresent
name: wget
resources:
limits:
cpu: 150m
ephemeral-storage: 2Gi
memory: 192Mi
requests:
cpu: 100m
ephemeral-storage: 50Mi
memory: 128Mi
restartPolicy: Never

20
netbox/src/kustomization.yaml Normal file
View File

@@ -0,0 +1,20 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
helmCharts:
- name: netbox
repo: https://charts.netbox.oss.netboxlabs.com/
version: 7.1.11
releaseName: netbox
includeCRDs: true
namespace: netbox
valuesFile: values.yaml
- name: cluster
repo: https://cloudnative-pg.github.io/charts
version: 0.3.1
releaseName: cnpg-netbox
includeCRDs: true
namespace: netbox
valuesFile: values-cnpg.yaml

503
netbox/src/values-cnpg.yaml Normal file
View File

@@ -0,0 +1,503 @@
# -- Override the name of the chart
nameOverride: ""
# -- Override the full name of the chart
fullnameOverride: ""
# -- Override the namespace of the chart
namespaceOverride: ""
###
# -- Type of the CNPG database. Available types:
# * `postgresql`
# * `postgis`
# * `timescaledb`
type: postgresql
version:
# -- PostgreSQL major version to use
postgresql: "17"
# -- If using TimescaleDB, specify the version
timescaledb: "2.15"
# -- If using PostGIS, specify the version
postgis: "3.4"
###
# -- Cluster mode of operation. Available modes:
# * `standalone` - default mode. Creates new or updates an existing CNPG cluster.
# * `replica` - Creates a replica cluster from an existing CNPG cluster. # TODO
# * `recovery` - Same as standalone but creates a cluster from a backup, object store or via pg_basebackup.
mode: standalone
recovery:
##
# -- Available recovery methods:
# * `backup` - Recovers a CNPG cluster from a CNPG backup (PITR supported) Needs to be on the same cluster in the same namespace.
# * `object_store` - Recovers a CNPG cluster from a barman object store (PITR supported).
# * `pg_basebackup` - Recovers a CNPG cluster viaa streaming replication protocol. Useful if you want to
# migrate databases to CloudNativePG, even from outside Kubernetes.
# * `import` - Import one or more databases from an existing Postgres cluster.
method: backup
## -- Point in time recovery target. Specify one of the following:
pitrTarget:
# -- Time in RFC3339 format
time: ""
##
# -- Backup Recovery Method
backupName: "" # Name of the backup to recover from. Required if method is `backup`.
##
# -- The original cluster name when used in backups. Also known as serverName.
clusterName: ""
# -- Name of the database used by the application. Default: `app`.
database: app
# -- Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key.
owner: ""
# -- Overrides the provider specific default endpoint. Defaults to:
# S3: https://s3.<region>.amazonaws.com"
# Leave empty if using the default S3 endpoint
endpointURL: ""
# -- Specifies a CA bundle to validate a privately signed certificate.
endpointCA:
# -- Creates a secret with the given value if true, otherwise uses an existing secret.
create: false
name: ""
key: ""
value: ""
# -- Overrides the provider specific default path. Defaults to:
# S3: s3://<bucket><path>
# Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path>
# Google: gs://<bucket><path>
destinationPath: ""
# -- One of `s3`, `azure` or `google`
provider: s3
s3:
region: ""
bucket: ""
path: "/"
accessKey: ""
secretKey: ""
# -- Use the role based authentication without providing explicitly the keys
inheritFromIAMRole: false
azure:
path: "/"
connectionString: ""
storageAccount: ""
storageKey: ""
storageSasToken: ""
containerName: ""
serviceName: blob
inheritFromAzureAD: false
google:
path: "/"
bucket: ""
gkeEnvironment: false
applicationCredentials: ""
secret:
# -- Whether to create a secret for the backup credentials
create: true
# -- Name of the backup credentials secret
name: ""
# See https://cloudnative-pg.io/documentation/1.22/bootstrap/#bootstrap-from-a-live-cluster-pg_basebackup
pgBaseBackup:
# -- Name of the database used by the application. Default: `app`.
database: app
# -- Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch
secret: ""
# -- Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key.
owner: ""
source:
host: ""
port: 5432
username: ""
database: "app"
sslMode: "verify-full"
passwordSecret:
# -- Whether to create a secret for the password
create: false
# -- Name of the secret containing the password
name: ""
# -- The key in the secret containing the password
key: "password"
# -- The password value to use when creating the secret
value: ""
sslKeySecret:
name: ""
key: ""
sslCertSecret:
name: ""
key: ""
sslRootCertSecret:
name: ""
key: ""
# See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-Import
import:
# -- One of `microservice` or `monolith.`
# See: https://cloudnative-pg.io/documentation/current/database_import/#how-it-works
type: "microservice"
# -- Databases to import
databases: []
# -- Roles to import
roles: []
# -- List of SQL queries to be executed as a superuser in the application database right after is imported.
# To be used with extreme care. Only available in microservice type.
postImportApplicationSQL: []
# -- When set to true, only the pre-data and post-data sections of pg_restore are invoked, avoiding data import.
schemaOnly: false
# -- List of custom options to pass to the `pg_dump` command. IMPORTANT: Use these options with caution and at your
# own risk, as the operator does not validate their content. Be aware that certain options may conflict with the
# operator's intended functionality or design.
pgDumpExtraOptions: []
# -- List of custom options to pass to the `pg_restore` command. IMPORTANT: Use these options with caution and at
# your own risk, as the operator does not validate their content. Be aware that certain options may conflict with the
# operator's intended functionality or design.
pgRestoreExtraOptions: []
source:
host: ""
port: 5432
username: ""
database: ""
sslMode: "verify-full"
passwordSecret:
# -- Whether to create a secret for the password
create: false
# -- Name of the secret containing the password
name: ""
# -- The key in the secret containing the password
key: "password"
# -- The password value to use when creating the secret
value: ""
sslKeySecret:
name: ""
key: ""
sslCertSecret:
name: ""
key: ""
sslRootCertSecret:
name: ""
key: ""
cluster:
# -- Number of instances
instances: 3
# -- Name of the container image, supporting both tags (<image>:<tag>) and digests for deterministic and repeatable deployments:
# <image>:<tag>@sha256:<digestValue>
imageName: "" # Default value depends on type (postgresql/postgis/timescaledb)
# -- Reference to `ImageCatalog` of `ClusterImageCatalog`, if specified takes precedence over `cluster.imageName`
imageCatalogRef: {}
# kind: ImageCatalog
# name: postgresql
# -- Image pull policy. One of Always, Never or IfNotPresent. If not defined, it defaults to IfNotPresent. Cannot be updated.
# More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
imagePullPolicy: IfNotPresent
# -- The list of pull secrets to be used to pull the images.
# See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-LocalObjectReference
imagePullSecrets: []
storage:
size: 10Gi
storageClass: "openebs-hostpath"
walStorage:
enabled: true
size: 1Gi
storageClass: "openebs-hostpath"
# -- The UID of the postgres user inside the image, defaults to 26
postgresUID: -1
# -- The GID of the postgres user inside the image, defaults to 26
postgresGID: -1
# -- Customization of service definitions. Please refer to https://cloudnative-pg.io/documentation/1.24/service_management/
services: {}
# -- Resources requirements of every generated Pod.
# Please refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for more information.
# We strongly advise you use the same setting for limits and requests so that your cluster pods are given a Guaranteed QoS.
# See: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/
resources: {}
# limits:
# cpu: 2000m
# memory: 8Gi
# requests:
# cpu: 2000m
# memory: 8Gi
priorityClassName: ""
# -- Method to follow to upgrade the primary server during a rolling update procedure, after all replicas have been
# successfully updated. It can be switchover (default) or restart.
primaryUpdateMethod: switchover
# -- Strategy to follow to upgrade the primary server during a rolling update procedure, after all replicas have been
# successfully updated: it can be automated (unsupervised - default) or manual (supervised)
primaryUpdateStrategy: unsupervised
# -- The instances' log level, one of the following values: error, warning, info (default), debug, trace
logLevel: "info"
# -- Affinity/Anti-affinity rules for Pods.
# See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-AffinityConfiguration
affinity:
topologyKey: kubernetes.io/hostname
# -- The configuration for the CA and related certificates.
# See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-CertificatesConfiguration
certificates: {}
# -- When this option is enabled, the operator will use the SuperuserSecret to update the postgres user password.
# If the secret is not present, the operator will automatically create one.
# When this option is disabled, the operator will ignore the SuperuserSecret content, delete it when automatically created,
# and then blank the password of the postgres user by setting it to NULL.
enableSuperuserAccess: true
superuserSecret: ""
# -- Allow to disable PDB, mainly useful for upgrade of single-instance clusters or development purposes
# See: https://cloudnative-pg.io/documentation/current/kubernetes_upgrade/#pod-disruption-budgets
enablePDB: true
# -- This feature enables declarative management of existing roles, as well as the creation of new roles if they are not
# already present in the database.
# See: https://cloudnative-pg.io/documentation/current/declarative_role_management/
roles: []
# - name: dante
# ensure: present
# comment: Dante Alighieri
# login: true
# superuser: false
# inRoles:
# - pg_monitor
# - pg_signal_backend
monitoring:
# -- Whether to enable monitoring
enabled: false
podMonitor:
# -- Whether to enable the PodMonitor
enabled: true
# --The list of relabelings for the PodMonitor.
# Applied to samples before scraping.
relabelings: []
# -- The list of metric relabelings for the PodMonitor.
# Applied to samples before ingestion.
metricRelabelings: []
prometheusRule:
# -- Whether to enable the PrometheusRule automated alerts
enabled: true
# -- Exclude specified rules
excludeRules: []
# - CNPGClusterZoneSpreadWarning
# -- Whether the default queries should be injected.
# Set it to true if you don't want to inject default queries into the cluster.
disableDefaultQueries: false
# -- Custom Prometheus metrics
# Will be stored in the ConfigMap
customQueries: []
# - name: "pg_cache_hit_ratio"
# query: "SELECT current_database() as datname, sum(heap_blks_hit) / (sum(heap_blks_hit) + sum(heap_blks_read)) as ratio FROM pg_statio_user_tables;"
# metrics:
# - datname:
# usage: "LABEL"
# description: "Name of the database"
# - ratio:
# usage: GAUGE
# description: "Cache hit ratio"
# -- The list of secrets containing the custom queries
customQueriesSecret: []
# - name: custom-queries-secret
# key: custom-queries
postgresql:
# -- PostgreSQL configuration options (postgresql.conf)
parameters: {}
# max_connections: 300
# -- Quorum-based Synchronous Replication
synchronous: {}
# method: any
# number: 1
# -- PostgreSQL Host Based Authentication rules (lines to be appended to the pg_hba.conf file)
pg_hba: []
# - host all all 10.244.0.0/16 md5
# -- PostgreSQL User Name Maps rules (lines to be appended to the pg_ident.conf file)
pg_ident: []
# - mymap /^(.*)@mydomain\.com$ \1
# -- Lists of shared preload libraries to add to the default ones
shared_preload_libraries: []
# - pgaudit
# -- PostgreSQL LDAP configuration (see https://cloudnative-pg.io/documentation/current/postgresql_conf/#ldap-configuration)
ldap: {}
# https://cloudnative-pg.io/documentation/1.24/postgresql_conf/#ldap-configuration
# server: 'openldap.default.svc.cluster.local'
# bindSearchAuth:
# baseDN: 'ou=org,dc=example,dc=com'
# bindDN: 'cn=admin,dc=example,dc=com'
# bindPassword:
# name: 'ldapBindPassword'
# key: 'data'
# searchAttribute: 'uid'
# -- BootstrapInitDB is the configuration of the bootstrap process when initdb is used.
# See: https://cloudnative-pg.io/documentation/current/bootstrap/
# See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-bootstrapinitdb
initdb:
database: netbox
owner: netbox # Defaults to the database name
# secret:
# name: "" # Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch
# options: []
# encoding: UTF8
# postInitSQL:
# - CREATE EXTENSION IF NOT EXISTS vector;
# postInitApplicationSQL: []
# postInitTemplateSQL: []
# -- Configure the metadata of the generated service account
serviceAccountTemplate: {}
additionalLabels: {}
annotations: {}
backups:
# -- You need to configure backups manually, so backups are disabled by default.
enabled: false
# -- Overrides the provider specific default endpoint. Defaults to:
# S3: https://s3.<region>.amazonaws.com"
endpointURL: "" # Leave empty if using the default S3 endpoint
# -- Specifies a CA bundle to validate a privately signed certificate.
endpointCA:
# -- Creates a secret with the given value if true, otherwise uses an existing secret.
create: false
name: ""
key: ""
value: ""
# -- Overrides the provider specific default path. Defaults to:
# S3: s3://<bucket><path>
# Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path>
# Google: gs://<bucket><path>
destinationPath: ""
# -- One of `s3`, `azure` or `google`
provider: s3
s3:
region: ""
bucket: ""
path: "/"
accessKey: ""
secretKey: ""
# -- Use the role based authentication without providing explicitly the keys
inheritFromIAMRole: false
azure:
path: "/"
connectionString: ""
storageAccount: ""
storageKey: ""
storageSasToken: ""
containerName: ""
serviceName: blob
inheritFromAzureAD: false
google:
path: "/"
bucket: ""
gkeEnvironment: false
applicationCredentials: ""
secret:
# -- Whether to create a secret for the backup credentials
create: true
# -- Name of the backup credentials secret
name: ""
wal:
# -- WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
compression: gzip
# -- Whether to instruct the storage provider to encrypt WAL files. One of `` (use the storage container default), `AES256` or `aws:kms`.
encryption: AES256
# -- Number of WAL files to be archived or restored in parallel.
maxParallel: 1
data:
# -- Data compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
compression: gzip
# -- Whether to instruct the storage provider to encrypt data files. One of `` (use the storage container default), `AES256` or `aws:kms`.
encryption: AES256
# -- Number of data files to be archived or restored in parallel.
jobs: 2
scheduledBackups:
-
# -- Scheduled backup name
name: daily-backup
# -- Schedule in cron format
schedule: "0 0 0 * * *"
# -- Backup owner reference
backupOwnerReference: self
# -- Backup method, can be `barmanObjectStore` (default) or `volumeSnapshot`
method: barmanObjectStore
# -- Retention policy for backups
retentionPolicy: "30d"
imageCatalog:
# -- Whether to provision an image catalog. If imageCatalog.images is empty this option will be ignored.
create: true
# -- List of images to be provisioned in an image catalog.
images: []
# - image: ghcr.io/your_repo/your_image:your_tag
# major: 16
# -- List of PgBouncer poolers
poolers: []
# -
# # -- Pooler name
# name: rw
# # -- PgBouncer type of service to forward traffic to.
# type: rw
# # -- PgBouncer pooling mode
# poolMode: transaction
# # -- Number of PgBouncer instances
# instances: 3
# # -- PgBouncer configuration parameters
# parameters:
# max_client_conn: "1000"
# default_pool_size: "25"
# monitoring:
# # -- Whether to enable monitoring
# enabled: false
# podMonitor:
# # -- Whether to enable the PodMonitor
# enabled: true
# # -- Custom PgBouncer deployment template.
# # Use to override image, specify resources, etc.
# template: {}
# -
# # -- Pooler name
# name: ro
# # -- PgBouncer type of service to forward traffic to.
# type: ro
# # -- PgBouncer pooling mode
# poolMode: transaction
# # -- Number of PgBouncer instances
# instances: 3
# # -- PgBouncer configuration parameters
# parameters:
# max_client_conn: "1000"
# default_pool_size: "25"
# monitoring:
# # -- Whether to enable monitoring
# enabled: false
# podMonitor:
# # -- Whether to enable the PodMonitor
# enabled: true
# # -- Custom PgBouncer deployment template.
# # Use to override image, specify resources, etc.
# template: {}

42
netbox/src/values.yaml
View File

@@ -18,7 +18,7 @@ global:
## - myRegistryKeySecretName
##
imagePullSecrets: []
storageClass: ""
storageClass: openebs-3-replicas
## @section Common parameters
@@ -211,18 +211,18 @@ dbWaitDebug: false
# Email settings
email:
server: localhost
port: 25
username: ""
server: mxe965.netcup.net
port: 587
username: philip.haupt@borninpain.de
password: ""
useSSL: false
useSSL: true
useTLS: false
sslCertFile: ""
sslKeyFile: ""
# Timeout in seconds
timeout: 10
from: ""
existingSecretName: ""
from: noreply@borninpain.de
existingSecretName: netbox
existingSecretKey: email-password
# Enforcement of unique IP space can be toggled on a per-VRF basis. To enforce
@@ -440,7 +440,7 @@ sessionCookieName: sessionid
enableLocalization: false
# Time zone (default: UTC)
timeZone: UTC
timeZone: CET
# Date/time formatting. See the following link for supported formats:
# https://docs.djangoproject.com/en/dev/ref/templates/builtins/#date
@@ -1047,7 +1047,7 @@ postgresql:
## @param postgresql.enabled Whether to deploy a PostgreSQL server to satisfy the applications database requirements
## To use an external database set this to false and configure the externalDatabase parameters
##
enabled: true
enabled: false
auth:
username: netbox
database: netbox
@@ -1062,13 +1062,13 @@ postgresql:
## @param externalDatabase.existingSecretKey Key of a secret containing the database credentials
##
externalDatabase:
host: localhost
host: cnpg-netbox-cluster-rw
port: 5432
database: netbox
username: netbox
password: ""
existingSecretName: ""
existingSecretKey: postgresql-password
existingSecretName: cnpg-netbox-cluster-app
existingSecretKey: password
# The following settings also apply when using the bundled PostgreSQL chart:
engine: django.db.backends.postgresql
@@ -1109,7 +1109,7 @@ additionalDatabases: {}
## @param valkey.enabled Whether to deploy a Valkey server to satisfy the applications database requirements
##
valkey:
enabled: true
enabled: false
sentinel:
enabled: false
primarySet: netbox-kv
@@ -1118,7 +1118,7 @@ valkey:
sentinel: false
tasksDatabase:
database: 0
database: 3
ssl: false
insecureSkipTlsVerify: false
# When defining caCertPath, make sure you mount the secret containing the CA certificate on all the necessary containers
@@ -1126,7 +1126,7 @@ tasksDatabase:
# Used only when valkey.enabled is false. host and port are not used if
# sentinels are given.
host: netbox-kv
host: valkey.valkey.svc.cluster.local
port: 6379
sentinels: []
# - mysentinel:26379
@@ -1134,11 +1134,11 @@ tasksDatabase:
sentinelTimeout: 300
username: ""
password: ""
existingSecretName: ""
existingSecretKey: tasks-password
existingSecretName: "netbox"
existingSecretKey: kv-password
cachingDatabase:
database: 1
database: 4
ssl: false
insecureSkipTlsVerify: false
# When defining caCertPath, make sure you mount the secret containing the CA certificate on all the necessary containers
@@ -1146,7 +1146,7 @@ cachingDatabase:
# Used only when valkey.enabled is false. host and port are not used if
# sentinels are given.
host: netbox-kv
host: valkey.valkey.svc.cluster.local
port: 6379
sentinels: []
# - mysentinel:26379
@@ -1154,8 +1154,8 @@ cachingDatabase:
sentinelTimeout: 300
username: ""
password: ""
existingSecretName: ""
existingSecretKey: cache-password
existingSecretName: "netbox"
existingSecretKey: kv-password
## @section Autoscaling parameters