diff --git a/kubernetes/apps/kube-system/cilium/app/helm-values.yml b/kubernetes/apps/kube-system/cilium/app/helm-values.yml
index 7be684e3..a6788965 100644
--- a/kubernetes/apps/kube-system/cilium/app/helm-values.yml
+++ b/kubernetes/apps/kube-system/cilium/app/helm-values.yml
@@ -25,7 +25,7 @@ envoy:
 enable: false
 ipam:
 mode: kubernetes
-ipv4NativeRoutingCIDR: 10.244.0.0/16
+ipv4NativeRoutingCIDR: 10.3.0.0/16
 k8sServiceHost: 127.0.0.1
 k8sServicePort: 7445
 kubeProxyReplacement: true
diff --git a/kubernetes/apps/kube-system/cilium/config/l2.yaml b/kubernetes/apps/kube-system/cilium/config/l2.yaml
index b76162d0..d01b6f2f 100644
--- a/kubernetes/apps/kube-system/cilium/config/l2.yaml
+++ b/kubernetes/apps/kube-system/cilium/config/l2.yaml
@@ -6,9 +6,7 @@ metadata:
 name: l2-policy
 spec:
 loadBalancerIPs: true
- # interfaces: ["^enp.*|^eth.*|^ens.*|^eno.*"]
 interfaces: ["^eno+|^enp+|^bond+"]
- # interfaces: ["^bond+"]
 nodeSelector:
 matchLabels:
 kubernetes.io/os: linux
@@ -21,6 +19,4 @@ metadata:
 spec:
 allowFirstLastIPs: "Yes"
 blocks:
- - # Controller VIP: 192.168.42.120
- start: 10.1.1.30
- stop: 10.1.1.49
+ - cidr: "10.5.0.0/16"
diff --git a/kubernetes/apps/network/external-dns/app/unifi/externalsecret.yaml b/kubernetes/apps/network/external-dns/app/unifi/externalsecret.yaml
new file mode 100644
index 00000000..3973f2ed
--- /dev/null
+++ b/kubernetes/apps/network/external-dns/app/unifi/externalsecret.yaml
@@ -0,0 +1,20 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: external-dns-unifi
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: external-dns-unifi-secret
+ template:
+ engineVersion: v2
+ data:
+ EXTERNAL_DNS_UNIFI_USER: "{{ .username }}"
+ EXTERNAL_DNS_UNIFI_PASS: "{{ .password }}"
+ dataFrom:
+ - extract:
+ key: external-dns-unifi
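Review bot: `ipv4NativeRoutingCIDR: 10.3.0.0/16` has to stay equal to `clusterPodNets` in kubernetes/bootstrap/talos/talconfig.yaml, which this commit also sets to 10.3.0.0/16, but nothing in either file records that coupling. A trailing comment on the changed line makes it visible to the next person who edits one side only: `ipv4NativeRoutingCIDR: 10.3.0.0/16  # keep in sync with clusterPodNets in kubernetes/bootstrap/talos/talconfig.yaml`. If these nodes are already bootstrapped, confirm the pod CIDR change is actually applied on the Talos/control-plane side and not only to Cilium, since the two values diverging is the failure mode this comment is meant to prevent.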
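Review bot: The pattern in `interfaces: ["^eno+|^enp+|^bond+"]` does not say what it appears to: `+` quantifies only the preceding character, so `^eno+` means `en` followed by one or more `o`, and `^bond+` only requires at least one trailing `d`. Because the alternatives are not anchored at the end they still match `eno1`, `enp3s0` or `bond0` as prefixes, so the policy works by accident rather than by design. `interfaces: ["^eno|^enp|^bond"]` (or `"^(eno|enp|bond)"`) expresses the intent directly and is what a reader will assume was meant.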
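Review bot: `cidr: "10.5.0.0/16"` moves the load-balancer pool off the node segment (the VIP 10.1.1.8 and the haproxy address 10.1.1.57 in talconfig.yaml suggest the nodes live in 10.1.1.x), while the L2 announcement policy in the previous hunk only answers ARP on the nodes' `eno`/`enp`/`bond` interfaces. Hosts on that segment will not ARP for 10.5.x.x addresses, so these IPs are only reachable if the upstream router has a route for 10.5.0.0/16 towards the node segment; that assumption is worth confirming and stating next to the pool, e.g. `# 10.5.0.0/16 is routed to the node LAN by the gateway; L2 ARP alone does not make this range reachable`. A /16 is also far larger than the previous 20-address range; if only a handful of services are expected, a smaller block keeps the space this cluster may claim explicit.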
diff --git a/kubernetes/apps/network/external-dns/app/unifi/helmrelease.yaml b/kubernetes/apps/network/external-dns/app/unifi/helmrelease.yaml
new file mode 100644
index 00000000..19ff85b3
--- /dev/null
+++ b/kubernetes/apps/network/external-dns/app/unifi/helmrelease.yaml
@@ -0,0 +1,72 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app external-dns-unifi
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: external-dns
+ version: 1.15.0
+ sourceRef:
+ kind: HelmRepository
+ name: external-dns
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ fullnameOverride: *app
+ # logLevel: debug
+ provider:
+ name: webhook
+ webhook:
+ image:
+ repository: ghcr.io/kashalls/external-dns-unifi-webhook
+ tag: v0.3.4@sha256:28dc00c7a21f9571d43181fcc0dd3de59e291741f27bc075d7e06378876b2974
+ env:
+ - name: UNIFI_HOST
+ value: https://10.33.44.1
+ - name: UNIFI_USER
+ valueFrom:
+ secretKeyRef:
+ name: &secret external-dns-unifi-secret
+ key: EXTERNAL_DNS_UNIFI_USER
+ - name: UNIFI_PASS
+ valueFrom:
+ secretKeyRef:
+ name: *secret
+ key: EXTERNAL_DNS_UNIFI_PASS
+ - name: LOG_LEVEL
+ value: "debug"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: http-webhook
+ initialDelaySeconds: 10
+ timeoutSeconds: 5
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: http-webhook
+ initialDelaySeconds: 10
+ timeoutSeconds: 5
+ extraArgs:
+ - --ignore-ingress-tls-spec
+ triggerLoopOnEvent: true
+ policy: sync
+ sources: ["ingress", "service"]
+ txtOwnerId: theshire
+ txtPrefix: k8s.theshire.
+ domainFilters: ["theshire.internal"]
+ serviceMonitor:
+ enabled: true
+ podAnnotations:
+ secret.reloader.stakater.com/reload: *secret
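Review bot: `LOG_LEVEL: "debug"` is hard-coded in the webhook sidecar's env while the chart-level `# logLevel: debug` is left commented out, so the component that holds the UniFi credentials will run at debug verbosity permanently, which is more likely to put session details into cluster logs than `info`. If this is deliberate for bring-up, mark it so it does not outlive the rollout: `- name: LOG_LEVEL` / `value: "debug"  # TODO(review): drop to info once the UniFi integration is verified`. `UNIFI_HOST: https://10.33.44.1` targets a bare IP, so certificate validation against the controller depends on how the webhook image is configured; this hunk sets no TLS-verification option, so confirm the image's default rather than discovering it from a crash loop, and record the decision next to the host. `policy: sync` lets external-dns delete records, which is scoped by `txtOwnerId: theshire` — fine as long as no other external-dns instance shares that owner id against the same controller.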
diff --git a/kubernetes/apps/network/external-dns/app/unifi/kustomization.yaml b/kubernetes/apps/network/external-dns/app/unifi/kustomization.yaml
new file mode 100644
index 00000000..4eed917b
--- /dev/null
+++ b/kubernetes/apps/network/external-dns/app/unifi/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./externalsecret.yaml
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/network/external-dns/ks.yaml b/kubernetes/apps/network/external-dns/ks.yaml
index 84240da4..cbc6c224 100644
--- a/kubernetes/apps/network/external-dns/ks.yaml
+++ b/kubernetes/apps/network/external-dns/ks.yaml
@@ -44,3 +44,25 @@ spec:
 wait: true
 dependsOn:
 - name: external-secrets-stores
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app external-dns-unifi
+ namespace: flux-system
+spec:
+ targetNamespace: network
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: external-secrets-stores
+ path: ./kubernetes/apps/network/external-dns/unifi
+ prune: false
+ sourceRef:
+ kind: GitRepository
+ name: theshire
+ wait: true
+ interval: 30m
+ timeout: 5m
diff --git a/kubernetes/apps/tailscale/kustomization.yaml b/kubernetes/apps/tailscale/kustomization.yaml
new file mode 100644
index 00000000..aaad1e60
--- /dev/null
+++ b/kubernetes/apps/tailscale/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./tailscale/ks.yaml
diff --git a/kubernetes/apps/tailscale/namespace.yaml b/kubernetes/apps/tailscale/namespace.yaml
new file mode 100644
index 00000000..06feba09
--- /dev/null
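Review bot: `path: ./kubernetes/apps/network/external-dns/unifi` in the new `external-dns-unifi` Kustomization does not match where this commit puts the resources: kustomization.yaml, helmrelease.yaml and externalsecret.yaml are all added under `kubernetes/apps/network/external-dns/app/unifi/`. Unless a separate `external-dns/unifi` directory exists outside this diff, Flux will fail the reconciliation with a path-not-found error; the line should read `path: ./kubernetes/apps/network/external-dns/app/unifi`. `prune: false` also departs from the `prune: true` used by the tailscale Kustomizations in this same commit; if pruning is intentionally disabled here, a one-line comment above it saying why would stop someone "fixing" it later.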
+++ b/kubernetes/apps/tailscale/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tailscale
+ annotations:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/apps/tailscale/tailscale/cluster/connector.yaml b/kubernetes/apps/tailscale/tailscale/cluster/connector.yaml
new file mode 100644
index 00000000..e69de29b
diff --git a/kubernetes/apps/tailscale/tailscale/cluster/proxygroup.yaml b/kubernetes/apps/tailscale/tailscale/cluster/proxygroup.yaml
new file mode 100644
index 00000000..de148d35
--- /dev/null
+++ b/kubernetes/apps/tailscale/tailscale/cluster/proxygroup.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+ name: kernel-org-tun
+spec:
+ statefulSet:
+ pod:
+ tailscaleContainer:
+ resources:
+ limits:
+ kernel.org/tun: 1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: 0
+ capabilities:
+ drop: ["ALL"]
+ add: ["NET_ADMIN", "NET_RAW"]
+ seccompProfile: { type: Unconfined }
+ tailscaleInitContainer:
+ securityContext:
+ privileged: true
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
diff --git a/kubernetes/apps/tailscale/tailscale/externalsecret.yaml b/kubernetes/apps/tailscale/tailscale/externalsecret.yaml
new file mode 100644
index 00000000..06d91e70
--- /dev/null
+++ b/kubernetes/apps/tailscale/tailscale/externalsecret.yaml
@@ -0,0 +1,15 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: k8s-operator-oauth
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: k8s-operator-oauth-secret
+ dataFrom:
+ - extract:
+ key: k8s-operator-oauth
diff --git a/kubernetes/apps/tailscale/tailscale/ks.yaml b/kubernetes/apps/tailscale/tailscale/ks.yaml
new file mode 100644
index 00000000..f2e6427e
--- /dev/null
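Review bot: The pod security posture of the `kernel-org-tun` ProxyClass is broader than the rest of the spec suggests is needed: the init container is `privileged: true`, and the tailscale container runs as `runAsUser: 0` with `seccompProfile: { type: Unconfined }`, while `drop: ["ALL"]` plus `add: ["NET_ADMIN", "NET_RAW"]` already grants the capabilities a kernel-mode tun interface needs. The unconfined seccomp profile and privileged init step are presumably required by the `kernel.org/tun: 1` device-plugin path — TODO confirm — and that reason belongs in a comment above `securityContext`, e.g. `# privileged init + unconfined seccomp are needed for kernel-mode tun via the kernel.org/tun device plugin; proxies using this class can reconfigure node networking`. If the init container only adjusts sysctls, `seccompProfile: { type: RuntimeDefault }` on the main container is worth testing as the tighter default. Two smaller points in the same directory: the file is named proxygroup.yaml but defines `kind: ProxyClass`, so proxyclass.yaml (or the ProxyGroup that references it) would be clearer, and `cluster/connector.yaml` is added as an empty file (blob e69de29b) and should either get its Connector definition or be dropped.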
+++ b/kubernetes/apps/tailscale/tailscale/ks.yaml
@@ -0,0 +1,40 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app tailscale-operator
+ namespace: flux-system
+spec:
+ targetNamespace: tailscale
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/tailscale/tailscale/operator
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: theshire
+ wait: false
+ interval: 30m
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app tailscale-cluster
+ namespace: flux-system
+spec:
+ targetNamespace: tailscale
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: tailscale-operator
+ path: ./kubernetes/apps/tailscale/tailscale/cluster
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: theshire
+ wait: false
+ interval: 30m
diff --git a/kubernetes/apps/tailscale/tailscale/operator/helmrelease.yaml b/kubernetes/apps/tailscale/tailscale/operator/helmrelease.yaml
new file mode 100644
index 00000000..e9c02958
--- /dev/null
+++ b/kubernetes/apps/tailscale/tailscale/operator/helmrelease.yaml
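Review bot: Neither Flux Kustomization in this file covers `kubernetes/apps/tailscale/tailscale/externalsecret.yaml`: `tailscale-operator` points at `./kubernetes/apps/tailscale/tailscale/operator` and `tailscale-cluster` at `./kubernetes/apps/tailscale/tailscale/cluster`, so the `k8s-operator-oauth` ExternalSecret added in this commit is never applied and the operator will come up without its OAuth secret. Either move externalsecret.yaml into `operator/` and give `tailscale-operator` a `dependsOn:` / `- name: external-secrets-stores` entry (as the external-dns Kustomization in this commit does), or add a third Kustomization for the parent directory. Separately, `tailscale-cluster` depends on `tailscale-operator`, but that Kustomization has `wait: false`, so the dependency is satisfied as soon as the HelmRelease object is applied and before the chart has installed the `tailscale.com/v1alpha1` CRDs; the `ProxyClass` under `cluster/` will then fail with an unknown-kind error until retries catch up. `wait: true` on `tailscale-operator`, or a `healthChecks` entry for its HelmRelease, makes that ordering explicit.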
@@ -0,0 +1,35 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: tailscale-operator
+ namespace: tailscale
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: tailscale-operator
+ version: 1.78.3
+ sourceRef:
+ kind: HelmRepository
+ name: tailscale
+ namespace: flux-system
+ interval: 30m
+ install:
+ crds: CreateReplace
+ upgrade:
+ crds: CreateReplace
+ values:
+ operatorConfig:
+ defaultTags:
+ - "tag:k8s-operator-theshire"
+ hostname: theshire
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
+ proxyConfig:
+ defaultTags: "tag:k8s-theshire"
+ apiServerProxyConfig:
+ mode: "true"
diff --git a/kubernetes/bootstrap/talos/talconfig.yaml b/kubernetes/bootstrap/talos/talconfig.yaml
index 2c98d88d..e05ec34d 100644
--- a/kubernetes/bootstrap/talos/talconfig.yaml
+++ b/kubernetes/bootstrap/talos/talconfig.yaml
@@ -6,13 +6,18 @@ clusterName: theshire
 talosVersion: v1.9.0
 # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
 kubernetesVersion: 1.31.4
-endpoint: "https://10.1.1.57:6444"
-
-additionalApiServerCertSans:
- - 10.1.1.57
-
-additionalMachineCertSans:
- - 10.1.1.57
+endpoint: "https://10.1.1.8:6443"
+additionalApiServerCertSans: &sans
+ - 10.1.1.8 # VIP
+ - 10.1.1.57 # haproxy loadbalancer
+additionalMachineCertSans: *sans
+clusterPodNets:
+ # - "10.244.0.0/16"
+ - "10.3.0.0/16"
+clusterSvcNets:
+ # - "10.96.0.0/12"
+ - "10.4.0.0/16"
+## Cilium LBPool CIDR 10.1.1.30-49 --> 10.5.0.0/16
 
 nodes:
 - hostname: bilbo
@@ -24,6 +29,8 @@ nodes:
 networkInterfaces:
 - interface: eno1
 dhcp: true
+ vip:
+ ip: 10.1.1.8
 schematic:
 customization:
 extraKernelArgs:
@@ -41,6 +48,8 @@ nodes:
 networkInterfaces:
 - interface: eno1
 dhcp: true
+ vip:
+ ip: 10.1.1.8
 schematic:
 customization:
 extraKernelArgs:
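Review bot: The HelmRelease passes no `oauth` values to the chart, so unless a values override exists outside this diff the operator will look for a pre-existing secret with the chart's default name in the `tailscale` namespace, while the ExternalSecret in this commit writes `k8s-operator-oauth-secret` — TODO confirm against the chart templates for version 1.78.3, and if the names differ, change the ExternalSecret's `target.name` (and its key names) to what the operator expects rather than patching the chart side. `apiServerProxyConfig.mode: "true"` exposes the Kubernetes API server to the tailnet with tailnet-identity authentication, so who can reach it is governed entirely by the tailnet ACL grants for `tag:k8s-operator-theshire` and is invisible from the cluster side; a comment next to the setting, e.g. `# API server is reachable from the tailnet; access is controlled by tailnet ACL grants for tag:k8s-operator-theshire`, records that dependency. `proxyConfig.defaultTags` is a plain string while `operatorConfig.defaultTags` is a list; if that asymmetry is what the chart expects, say so in a comment so it is not "fixed" later.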
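Review bot: The commented-out previous values `# - "10.244.0.0/16"` and `# - "10.96.0.0/12"` under `clusterPodNets`/`clusterSvcNets`, together with `## Cilium LBPool CIDR 10.1.1.30-49 --> 10.5.0.0/16`, are migration notes rather than configuration; either drop them or turn them into one dated comment explaining the renumbering, and use a single `# ` for that comment to match the rest of the file. This hunk changes two unrelated things at once — the control-plane endpoint moves from the haproxy address to the new VIP `https://10.1.1.8:6443`, and the pod/service CIDRs are renumbered — and both are disruptive on an already-bootstrapped cluster, so if this is not a fresh bootstrap the rollout order belongs in the commit description. The `&sans`/`*sans` alias is new in this file; Go YAML loaders generally expand it, but confirm talhelper renders both SAN lists rather than leaving `additionalMachineCertSans` empty. The three per-node hunks that add `vip:` / `ip: 10.1.1.8` on `eno1` are consistent with the new endpoint and need no separate change.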
@@ -58,6 +67,8 @@ nodes:
 networkInterfaces:
 - interface: eno1
 dhcp: true
+ vip:
+ ip: 10.1.1.8
 schematic:
 customization:
 extraKernelArgs: