starting homelab RKE2 cluster

2026-01-13 14:42:19 +01:00
commit 9e5a1d7546
14 changed files with 464 additions and 0 deletions
@@ -0,0 +1,40 @@
+fullnameOverride: external-dns-unifi
+
+# Konfiguration des Webhook-Providers (der "Übersetzer" für UniFi)
+provider:
+  name: webhook
+  webhook:
+    image:
+      repository: ghcr.io/kashalls/external-dns-unifi-webhook
+      tag: main
+    env:
+      - name: UNIFI_HOST
+        value: https://192.168.1.1  # Deine Gateway IP
+      - name: UNIFI_API_KEY
+        value: "J5VRZY-rGrtdGTf-fj1mTdZeUpLGzDBH"
+      - name: UNIFI_EXTERNAL_CONTROLLER
+        value: "false"  # false, da der Controller auf dem Gateway selbst läuft
+      - name: LOG_LEVEL
+        value: info
+    livenessProbe:
+      httpGet:
+        path: /healthz
+        port: http-webhook
+    readinessProbe:
+      httpGet:
+        path: /readyz
+        port: http-webhook
+
+# Allgemeine External-DNS Einstellungen
+policy: sync  # "sync" löscht auch Einträge, die nicht mehr in K8s sind. "upsert-only" ist sicherer.
+sources:
+  - service
+  - ingress
+  - gateway-httproute
+
+# WICHTIG: Nur diese Domain verwalten
+domainFilters:
+  - "k8s.hnrx.net"  # <--- ÄNDERE DIES auf deine Domain (muss im UniFi als Domain konfiguriert sein?)
+  - "hnrx.net"
+# Registry (verhindert, dass external-dns fremde Einträge überschreibt)
+txtOwnerId: "k8s-cluster"
@@ -0,0 +1,31 @@
+# Basic requirements
+
+In diesem Schritt installieren wir
+- phase-secrets-operator
+- cert-manager
+- external-DNS mit Webhook Provider für Unifi
+
+## Phase-Secrets-Operator
+
+helm repo add phase https://helm.phase.dev && helm repo update
+
+helm install phase-secrets-operator phase/phase-kubernetes-operator --set image.tag=v1.3.0
+
+kubectl create secret generic phase-service-token \
+  --from-literal=token=pss_service:v2:XXXXXXXXXXXXXXXXXXXXX \
+  --type=Opaque \
+  --namespace=default
+
+## Cert-Manager und Cluster-Issuer
+
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.19.2/cert-manager.yaml
+
+k apply -f manifests
+
+## External-DNS
+
+helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/
+
+kubectl create ns external-dns
+
+helm upgrade --install external-dns external-dns/external-dns --namespace external-dns --version 1.19.0 -f external-dns-values.yaml
@@ -0,0 +1,19 @@
+apiVersion: secrets.phase.dev/v1alpha1
+kind: PhaseSecret
+metadata:
+  name: cloudflare-api-key-phase-secret
+  namespace: cert-manager
+spec:
+  phaseApp: 'cert-manager' # The name of your Phase application
+  phaseAppEnv: 'production' # OPTIONAL - The Phase App Environment to fetch secrets from
+  phaseAppEnvPath: '/' # OPTIONAL Path within the Phase application environment to fetch secrets from
+  phaseHost: 'https://phase.hnrx.net' # OPTIONAL - URL of a Phase Console instance
+  authentication:
+    serviceToken:
+      serviceTokenSecretReference:
+        secretName: 'phase-service-token' # Name of the Phase Service Token with access to your application
+        secretNamespace: 'default'
+  managedSecretReferences:
+    - secretName: 'cloudflare-api-key' # Name of the Kubernetes managed secret that Phase will sync
+      secretNamespace: 'cert-manager'
+
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: cloudflare-cluster-issuer
+spec:
+  acme:
+    email: matthias.hinrichs@me.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: cluster-issuer-account-key
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-api-key
+              key: CLOUDFLARE_API_KEY