Compare commits
34 commits
6d3204c4ed
...
a894c9932b
| Author | SHA1 | Date | |
|---|---|---|---|
| a894c9932b | |||
52a4fc077b
|
|||
|
5051f5b6f4
|
|||
|
587565c0ed
|
|||
|
ba526c130b
|
|||
|
c7037694fa
|
|||
|
45d91c392d
|
|||
|
acba2f290f
|
|||
|
aa7119a6e4
|
|||
|
b56314020a
|
|||
|
d67ed006ca
|
|||
|
d0d86351c1
|
|||
|
efb553e50b
|
|||
|
487976e388
|
|||
|
7c8802e3bf
|
|||
| 7a67c2ddbf | |||
|
af2c995b76
|
|||
| 1d32d2de95 | |||
|
17c3e2f311
|
|||
|
be091afd25
|
|||
|
1cb15bfbfe
|
|||
| 0eaa4c65d0 | |||
|
623737f4e2
|
|||
| 0da719e372 | |||
| a54a7a3807 | |||
| b6636664d1 | |||
| 88179415ae | |||
|
4f2756bcd4
|
|||
|
2ca0b5805f
|
|||
| 3cfe1b6b51 | |||
|
26779c2d5c
|
|||
|
da23c6879b
|
|||
| e3e3cbb0d3 | |||
|
a85c7b58b8
|
80 changed files with 818 additions and 84 deletions
|
|
@ -20,7 +20,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
@ -8,4 +8,3 @@ resources:
|
|||
# Flux-Kustomizations
|
||||
- ./ollama/ks.yaml
|
||||
- ./open-webui/ks.yaml
|
||||
- ./stable-diffusion/ks.yaml
|
||||
|
|
|
|||
|
|
@ -22,7 +22,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -20,7 +20,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -20,5 +20,4 @@ spec:
|
|||
name: theshire
|
||||
wait: true
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@ kind: Dragonfly
|
|||
metadata:
|
||||
name: dragonfly
|
||||
spec:
|
||||
image: ghcr.io/dragonflydb/dragonfly:v1.23.1
|
||||
image: ghcr.io/dragonflydb/dragonfly:v1.23.2
|
||||
replicas: 3
|
||||
env:
|
||||
- name: MAX_MEMORY
|
||||
|
|
|
|||
|
|
@ -19,7 +19,6 @@ spec:
|
|||
name: theshire
|
||||
wait: true
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
|
|
@ -42,5 +41,4 @@ spec:
|
|||
name: theshire
|
||||
wait: true
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
|
|
|
|||
|
|
@ -19,7 +19,6 @@ spec:
|
|||
name: theshire
|
||||
wait: true
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
|
|
@ -42,5 +41,4 @@ spec:
|
|||
name: theshire
|
||||
wait: true
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
|
|
|
|||
|
|
@ -20,7 +20,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -20,7 +20,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -17,7 +17,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -19,7 +19,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -3,53 +3,55 @@
|
|||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: &app it-tools
|
||||
name: it-tools
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.5.1
|
||||
interval: 30m
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
retries: 3
|
||||
strategy: rollback
|
||||
|
||||
values:
|
||||
controllers:
|
||||
it-tools:
|
||||
replicas: 1
|
||||
strategy: RollingUpdate
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
pod:
|
||||
securityContext:
|
||||
runAsUser: 101
|
||||
runAsGroup: 101
|
||||
fsGroup: 101
|
||||
fsGroupChangePolicy: "OnRootMismatch"
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: ghcr.io/corentinth/it-tools
|
||||
tag: 2024.5.13-a0bc346
|
||||
env:
|
||||
TZ: America/Chicago
|
||||
probes:
|
||||
liveness:
|
||||
enabled: true
|
||||
readiness:
|
||||
enabled: true
|
||||
repository: ghcr.io/bjw-s-labs/it-tools
|
||||
tag: 2024.5.13
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
cpu: 5m
|
||||
memory: 32Mi
|
||||
limits:
|
||||
memory: 500Mi
|
||||
memory: 256Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
service:
|
||||
app:
|
||||
controller: *app
|
||||
controller: it-tools
|
||||
ports:
|
||||
http:
|
||||
port: 80
|
||||
port: 8080
|
||||
ingress:
|
||||
app:
|
||||
enabled: true
|
||||
|
|
@ -68,3 +70,7 @@ spec:
|
|||
tls:
|
||||
- hosts:
|
||||
- *host
|
||||
|
||||
persistence:
|
||||
tmp:
|
||||
type: emptyDir
|
||||
|
|
|
|||
|
|
@ -17,7 +17,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false # no flux ks dependents
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -13,7 +13,6 @@ resources:
|
|||
- ./it-tools/ks.yaml
|
||||
- ./linkwarden/ks.yaml
|
||||
- ./maintainerr/ks.yaml
|
||||
- ./nicehash/ks.yaml
|
||||
- ./omegabrr/ks.yaml
|
||||
- ./overseerr/ks.yaml
|
||||
- ./piped/ks.yaml
|
||||
|
|
@ -23,6 +22,7 @@ resources:
|
|||
- ./recyclarr/ks.yaml
|
||||
- ./redlib/ks.yaml
|
||||
- ./sabnzbd/ks.yaml
|
||||
- ./scrypted/ks.yaml
|
||||
- ./searxng/ks.yaml
|
||||
- ./sonarr/ks.yaml
|
||||
- ./tautulli/ks.yaml
|
||||
|
|
|
|||
|
|
@ -22,7 +22,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false # no flux ks dependents
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -19,7 +19,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -20,7 +20,6 @@ spec:
|
|||
- name: volsync
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -19,7 +19,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -20,7 +20,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ spec:
|
|||
app:
|
||||
image:
|
||||
repository: ghcr.io/onedr0p/radarr-develop
|
||||
tag: 5.12.0.9255
|
||||
tag: 5.12.2.9335
|
||||
env:
|
||||
RADARR__APP__INSTANCENAME: Radarr
|
||||
RADARR__APP__THEME: dark
|
||||
|
|
|
|||
|
|
@ -22,7 +22,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -20,7 +20,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -19,7 +19,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
111
kubernetes/apps/default/scrypted/app/helmrelease.yaml
Normal file
111
kubernetes/apps/default/scrypted/app/helmrelease.yaml
Normal file
|
|
@ -0,0 +1,111 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: scrypted
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.5.1
|
||||
interval: 30m
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
|
||||
values:
|
||||
controllers:
|
||||
scrypted:
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
pod:
|
||||
nodeSelector:
|
||||
google.feature.node.kubernetes.io/coral: "true"
|
||||
nvidia.com/gpu.present: "true"
|
||||
securityContext:
|
||||
supplementalGroups:
|
||||
- 568
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: ghcr.io/koush/scrypted
|
||||
tag: v0.119.1-jammy-nvidia
|
||||
probes:
|
||||
liveness:
|
||||
enabled: true
|
||||
readiness:
|
||||
enabled: true
|
||||
startup:
|
||||
enabled: true
|
||||
spec:
|
||||
failureThreshold: 30
|
||||
periodSeconds: 5
|
||||
resources:
|
||||
requests:
|
||||
cpu: 136m
|
||||
memory: 1024Mi
|
||||
limits:
|
||||
nvidia.com/gpu: 1
|
||||
memory: 8192Mi
|
||||
securityContext:
|
||||
privileged: true
|
||||
service:
|
||||
app:
|
||||
controller: scrypted
|
||||
ports:
|
||||
http:
|
||||
port: 11080
|
||||
primary: true
|
||||
rebroadcast1: # driveway
|
||||
port: 39655
|
||||
rebroadcast2: # sideyard
|
||||
port: 46561
|
||||
rebroadcast3: # doorbell
|
||||
port: 44759
|
||||
|
||||
ingress:
|
||||
app:
|
||||
className: "internal-nginx"
|
||||
annotations:
|
||||
hosts:
|
||||
- host: &host scrypted.jahanson.tech
|
||||
paths:
|
||||
- path: /
|
||||
service:
|
||||
identifier: app
|
||||
port: http
|
||||
tls:
|
||||
- hosts:
|
||||
- *host
|
||||
persistence:
|
||||
config:
|
||||
existingClaim: scrypted
|
||||
advancedMounts:
|
||||
scrypted:
|
||||
app:
|
||||
- path: /server/volume
|
||||
cache:
|
||||
type: emptyDir
|
||||
globalMounts:
|
||||
- path: /.cache
|
||||
cache-npm:
|
||||
type: emptyDir
|
||||
globalMounts:
|
||||
- path: /.npm
|
||||
dev-bus-usb:
|
||||
type: hostPath
|
||||
hostPath: /dev/bus/usb
|
||||
hostPathType: Directory
|
||||
sys-bus-usb:
|
||||
type: hostPath
|
||||
hostPath: /sys/bus/usb
|
||||
hostPathType: Directory
|
||||
recordings:
|
||||
type: nfs
|
||||
server: shadowfax.jahanson.tech
|
||||
path: /nahar/scrypted
|
||||
globalMounts:
|
||||
- path: /recordings
|
||||
7
kubernetes/apps/default/scrypted/app/kustomization.yaml
Normal file
7
kubernetes/apps/default/scrypted/app/kustomization.yaml
Normal file
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./helmrelease.yaml
|
||||
- ../../../../templates/volsync
|
||||
30
kubernetes/apps/default/scrypted/ks.yaml
Normal file
30
kubernetes/apps/default/scrypted/ks.yaml
Normal file
|
|
@ -0,0 +1,30 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &appname scrypted
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: default
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *appname
|
||||
interval: 30m
|
||||
timeout: 5m
|
||||
path: "./kubernetes/apps/default/scrypted/app"
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: theshire
|
||||
wait: false
|
||||
dependsOn:
|
||||
- name: rook-ceph-cluster
|
||||
- name: volsync
|
||||
- name: external-secrets-stores
|
||||
postBuild:
|
||||
substitute:
|
||||
APP: *appname
|
||||
APP_UID: "0"
|
||||
APP_GID: "0"
|
||||
VOLSYNC_CAPACITY: 5Gi
|
||||
|
|
@ -20,7 +20,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -22,7 +22,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -20,7 +20,6 @@ spec:
|
|||
- name: volsync
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -19,5 +19,4 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
|
|
|
|||
|
|
@ -17,7 +17,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -17,7 +17,6 @@ spec:
|
|||
name: theshire
|
||||
wait: true
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
|
|
@ -40,5 +39,4 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
|
|
|
|||
|
|
@ -17,5 +17,4 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
|
|
|
|||
|
|
@ -17,5 +17,4 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
|
|
|
|||
|
|
@ -17,5 +17,4 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
|
|
|
|||
|
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/nfd.k8s-sigs.io/nodefeaturerule_v1alpha1.json
|
||||
apiVersion: nfd.k8s-sigs.io/v1alpha1
|
||||
kind: NodeFeatureRule
|
||||
metadata:
|
||||
name: google-coral-device
|
||||
spec:
|
||||
rules:
|
||||
- # Google Coral USB Accelerator
|
||||
name: google.coral
|
||||
labels:
|
||||
google.feature.node.kubernetes.io/coral: "true"
|
||||
matchFeatures:
|
||||
- feature: usb.device
|
||||
matchExpressions:
|
||||
vendor: {op: In, value: ["1a6e", "18d1"]}
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
# yaml-language-server: $schema=https://ks.hsn.dev/nfd.k8s-sigs.io/nodefeaturerule_v1alpha1.json
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/nfd.k8s-sigs.io/nodefeaturerule_v1alpha1.json
|
||||
apiVersion: nfd.k8s-sigs.io/v1alpha1
|
||||
kind: NodeFeatureRule
|
||||
metadata:
|
||||
|
|
|
|||
|
|
@ -4,13 +4,13 @@ metadata:
|
|||
name: rocky-nenya
|
||||
namespace: kube-system
|
||||
spec:
|
||||
# nodeName: nenya
|
||||
nodeName: shadowfax-01
|
||||
containers:
|
||||
- name: rocky
|
||||
image: rockylinux:9
|
||||
securityContext:
|
||||
privileged: true
|
||||
command: ["/bin/bash", "-c", "while true; do sleep 10; done"]
|
||||
command: ["/bin/bash", "-c", "dnf install -y iputils dnsutils && while true; do sleep 10; done"]
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ spec:
|
|||
chart:
|
||||
spec:
|
||||
chart: spegel
|
||||
version: v0.0.25
|
||||
version: v0.0.26
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: spegel-org
|
||||
|
|
|
|||
|
|
@ -17,5 +17,4 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
|
|
|
|||
|
|
@ -66,6 +66,7 @@ spec:
|
|||
- ""
|
||||
resources:
|
||||
- pods
|
||||
- nodes
|
||||
verbs:
|
||||
- create
|
||||
- update
|
||||
|
|
@ -78,3 +79,114 @@ spec:
|
|||
matchLabels:
|
||||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/component: kyverno
|
||||
config:
|
||||
# -- Resource types to be skipped by the Kyverno policy engine.
|
||||
# Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
|
||||
# These are joined together without spaces, run through `tpl`, and the result is set in the config map.
|
||||
# @default -- See [values.yaml](https://github.com/kyverno/kyverno/blob/ed1906a0dc281c2aeb9b7046b843708825310330/charts/kyverno/values.yaml#L207C3-L316C1)
|
||||
resourceFilters:
|
||||
- '[Event,*,*]'
|
||||
- '[*/*,kube-system,*]'
|
||||
- '[*/*,kube-public,*]'
|
||||
- '[*/*,kube-node-lease,*]'
|
||||
- '[Node,*,*]'
|
||||
- '[Node/*,*,*]'
|
||||
- '[APIService,*,*]'
|
||||
- '[APIService/*,*,*]'
|
||||
- '[TokenReview,*,*]'
|
||||
- '[SubjectAccessReview,*,*]'
|
||||
- '[SelfSubjectAccessReview,*,*]'
|
||||
# remove the following to allow for schematic-to-pod.yaml to work
|
||||
# - '[Binding,*,*]'
|
||||
# - '[Pod/binding,*,*]'
|
||||
- '[ReplicaSet,*,*]'
|
||||
- '[ReplicaSet/*,*,*]'
|
||||
- '[EphemeralReport,*,*]'
|
||||
- '[ClusterEphemeralReport,*,*]'
|
||||
# exclude resources from the chart
|
||||
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:additional]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:core]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:additional]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:core]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:additional]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:core]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:additional]'
|
||||
- '[ClusterRoleBinding,*,{{ template "kyverno.admission-controller.roleName" . }}]'
|
||||
- '[ClusterRoleBinding,*,{{ template "kyverno.background-controller.roleName" . }}]'
|
||||
- '[ClusterRoleBinding,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
|
||||
- '[ClusterRoleBinding,*,{{ template "kyverno.reports-controller.roleName" . }}]'
|
||||
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
|
||||
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
|
||||
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
|
||||
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
|
||||
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
|
||||
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
|
||||
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
|
||||
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
|
||||
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
|
||||
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]'
|
||||
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]'
|
||||
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
|
||||
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
|
||||
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
|
||||
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
|
||||
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
|
||||
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
|
||||
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
|
||||
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
|
||||
- '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
|
||||
- '[Job/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
|
||||
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
|
||||
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
|
||||
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
|
||||
|
|
|
|||
|
|
@ -13,7 +13,6 @@ spec:
|
|||
name: theshire
|
||||
wait: true
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
|
||||
|
|
@ -32,5 +31,4 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
|
|
|
|||
|
|
@ -4,3 +4,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
|||
kind: Kustomization
|
||||
resources:
|
||||
- ./remove-cpu-limits.yaml
|
||||
- ./schematic-to-pod.yaml
|
||||
|
|
|
|||
|
|
@ -0,0 +1,39 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kyverno.io/clusterpolicy_v1.json
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: mutate-pod-binding
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
policies.kyverno.io/title: Mutate Pod Add Schematic
|
||||
policies.kyverno.io/category: Other
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: 1.10.0
|
||||
policies.kyverno.io/minversion: 1.10.0
|
||||
kyverno.io/kubernetes-version: "1.30"
|
||||
spec:
|
||||
background: false
|
||||
rules:
|
||||
- name: project-foo
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod/binding
|
||||
names:
|
||||
- apply-talos*
|
||||
context:
|
||||
- name: node
|
||||
variable:
|
||||
jmesPath: request.object.target.name
|
||||
default: ""
|
||||
- name: schematic
|
||||
apiCall:
|
||||
urlPath: "/api/v1/nodes/{{node}}"
|
||||
jmesPath: 'metadata.annotations."extensions.talos.dev/schematic" || ''empty'''
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
annotations:
|
||||
extensions.talos.dev/schematic: "{{ schematic }}"
|
||||
|
|
@ -22,5 +22,4 @@ spec:
|
|||
name: theshire
|
||||
wait: true
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
|
|
@ -21,3 +21,24 @@ spec:
|
|||
dependsOn:
|
||||
- name: external-secrets-stores
|
||||
- name: rook-ceph-cluster
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &app alertmanager-silencer
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: observability
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *app
|
||||
path: "./kubernetes/apps/observability/alertmanager/silencer"
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
|
|
|
|||
|
|
@ -0,0 +1,56 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: alertmanager-silencer
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.0.4
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
retries: 3
|
||||
strategy: rollback
|
||||
dependsOn:
|
||||
- name: alertmanager
|
||||
namespace: observability
|
||||
values:
|
||||
controllers:
|
||||
alertmanager-silencer:
|
||||
type: cronjob
|
||||
cronjob:
|
||||
schedule: "@daily"
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: ghcr.io/onedr0p/kubanetics
|
||||
tag: 2024.10.6
|
||||
env:
|
||||
SCRIPT_NAME: alertmanager-silencer.sh
|
||||
ALERTMANAGER_URL: http://alertmanager.observability.svc.cluster.local:9093
|
||||
MATCHERS_0: alertname=CephPGImbalance job=rook-ceph-exporter
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities: { drop: ["ALL"] }
|
||||
resources:
|
||||
requests:
|
||||
cpu: 25m
|
||||
limits:
|
||||
memory: 128Mi
|
||||
pod:
|
||||
securityContext:
|
||||
runAsUser: 568
|
||||
runAsGroup: 568
|
||||
runAsNonRoot: true
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./helmrelease.yaml
|
||||
|
|
@ -20,7 +20,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -17,5 +17,4 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
|
|
|
|||
|
|
@ -3,5 +3,6 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- vmagent.yaml
|
||||
- vmalert.yaml
|
||||
- vmsingle.yaml
|
||||
|
|
|
|||
|
|
@ -0,0 +1,47 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/operator.victoriametrics.com/vmagent_v1beta1.json
|
||||
apiVersion: operator.victoriametrics.com/v1beta1
|
||||
kind: VMAgent
|
||||
metadata:
|
||||
name: victoria
|
||||
spec:
|
||||
scrapeInterval: 60s
|
||||
selectAllByDefault: true
|
||||
statefulMode: true
|
||||
useStrictSecurity: true
|
||||
vmAgentExternalLabelName: prometheus
|
||||
externalLabels:
|
||||
cluster: theshire
|
||||
extraArgs:
|
||||
promscrape.maxScrapeSize: "33554432" # 32MiB
|
||||
promscrape.streamParse: "true"
|
||||
# Do not store original labels in vmagent's memory by default. This reduces the amount of memory used by vmagent
|
||||
# but makes vmagent debugging UI less informative. See: https://docs.victoriametrics.com/vmagent/#relabel-debug
|
||||
promscrape.dropOriginalLabels: "true"
|
||||
remoteWrite:
|
||||
- url: http://vmsingle-victoria.observability.svc:8429/api/v1/write
|
||||
resources:
|
||||
requests:
|
||||
cpu: 3m
|
||||
limits:
|
||||
memory: 512Mi
|
||||
statefulStorage:
|
||||
volumeClaimTemplate:
|
||||
spec:
|
||||
storageClassName: openebs-hostpath
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
securityContext:
|
||||
runAsUser: 65534
|
||||
runAsGroup: 65534
|
||||
runAsNonRoot: true
|
||||
fsGroup: 65534
|
||||
topologySpreadConstraints:
|
||||
- maxSkew: 1
|
||||
topologyKey: kubernetes.io/hostname
|
||||
whenUnsatisfiable: DoNotSchedule
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/instance: stack
|
||||
app.kubernetes.io/name: vmagent
|
||||
|
|
@ -17,7 +17,6 @@ spec:
|
|||
name: theshire
|
||||
wait: true
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
|
|
@ -40,4 +39,3 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
|
|
|
|||
|
|
@ -17,5 +17,4 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
|
|
|
|||
|
|
@ -19,7 +19,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -22,7 +22,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
|
|
|
|||
|
|
@ -47,5 +47,4 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
|
|
|
|||
|
|
@ -75,7 +75,7 @@ spec:
|
|||
"--exclude-category", "music",
|
||||
"--exclude-tag", "added:24h",
|
||||
"--include-tag", "unregistered",
|
||||
"--dry-run",
|
||||
# "--dry-run",
|
||||
"--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local",
|
||||
"--port", "80"
|
||||
]
|
||||
|
|
@ -87,7 +87,7 @@ spec:
|
|||
"--exclude-category", "music",
|
||||
"--include-tag", "expired", # defined in config.yaml
|
||||
"--include-tag", "added:7d",
|
||||
"--dry-run",
|
||||
# "--dry-run",
|
||||
"--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local",
|
||||
"--port", "80"
|
||||
]
|
||||
|
|
|
|||
|
|
@ -17,7 +17,6 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
|
|
@ -38,5 +37,4 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 15m
|
||||
|
|
|
|||
9
kubernetes/apps/system-upgrade/kustomization.yaml
Normal file
9
kubernetes/apps/system-upgrade/kustomization.yaml
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
# Pre Flux-Kustomizations
|
||||
- ./namespace.yaml
|
||||
# Flux-Kustomizations
|
||||
- ./system-upgrade-controller/ks.yaml
|
||||
38
kubernetes/apps/system-upgrade/namespace.yaml
Normal file
38
kubernetes/apps/system-upgrade/namespace.yaml
Normal file
|
|
@ -0,0 +1,38 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: system-upgrade
|
||||
annotations:
|
||||
kustomize.toolkit.fluxcd.io/prune: disabled
|
||||
volsync.backube/privileged-movers: "true"
|
||||
---
|
||||
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json
|
||||
apiVersion: notification.toolkit.fluxcd.io/v1beta3
|
||||
kind: Provider
|
||||
metadata:
|
||||
name: alert-manager
|
||||
namespace: system-upgrade
|
||||
spec:
|
||||
type: alertmanager
|
||||
address: http://alertmanager.observability.svc.cluster.local:9093/api/v2/alerts/
|
||||
---
|
||||
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
|
||||
apiVersion: notification.toolkit.fluxcd.io/v1beta3
|
||||
kind: Alert
|
||||
metadata:
|
||||
name: alert-manager
|
||||
namespace: system-upgrade
|
||||
spec:
|
||||
providerRef:
|
||||
name: alert-manager
|
||||
eventSeverity: error
|
||||
eventSources:
|
||||
- kind: HelmRelease
|
||||
name: "*"
|
||||
exclusionList:
|
||||
- "error.*lookup github\\.com"
|
||||
- "error.*lookup raw\\.githubusercontent\\.com"
|
||||
- "dial.*tcp.*timeout"
|
||||
- "waiting.*socket"
|
||||
suspend: false
|
||||
|
|
@ -0,0 +1,101 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: &app system-upgrade-controller
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.5.1
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
strategy: rollback
|
||||
retries: 3
|
||||
values:
|
||||
controllers:
|
||||
system-upgrade-controller:
|
||||
strategy: RollingUpdate
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: docker.io/rancher/system-upgrade-controller
|
||||
tag: v0.14.1@sha256:7e13a9b2b984f0c0fd6328439b575348723cc6954b91db3453057fcb784e2d29
|
||||
env:
|
||||
SYSTEM_UPGRADE_CONTROLLER_DEBUG: false
|
||||
SYSTEM_UPGRADE_CONTROLLER_THREADS: 2
|
||||
SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: 900
|
||||
SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: 99
|
||||
SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: IfNotPresent
|
||||
SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: registry.k8s.io/kubectl:v1.31.1
|
||||
SYSTEM_UPGRADE_JOB_POD_REPLACEMENT_POLICY: Failed
|
||||
SYSTEM_UPGRADE_JOB_PRIVILEGED: true
|
||||
SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: 900
|
||||
SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m
|
||||
SYSTEM_UPGRADE_CONTROLLER_NAME: *app
|
||||
SYSTEM_UPGRADE_CONTROLLER_NAMESPACE:
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities: { drop: ["ALL"] }
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
defaultPodOptions:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65534
|
||||
runAsGroup: 65534
|
||||
seccompProfile: { type: RuntimeDefault }
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
- key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
serviceAccount:
|
||||
create: true
|
||||
name: system-upgrade
|
||||
persistence:
|
||||
tmp:
|
||||
type: emptyDir
|
||||
etc-ssl:
|
||||
type: hostPath
|
||||
hostPath: /etc/ssl
|
||||
hostPathType: DirectoryOrCreate
|
||||
globalMounts:
|
||||
- readOnly: true
|
||||
etc-pki:
|
||||
type: hostPath
|
||||
hostPath: /etc/pki
|
||||
hostPathType: DirectoryOrCreate
|
||||
globalMounts:
|
||||
- readOnly: true
|
||||
etc-ca-certificates:
|
||||
type: hostPath
|
||||
hostPath: /etc/ca-certificates
|
||||
hostPathType: DirectoryOrCreate
|
||||
globalMounts:
|
||||
- readOnly: true
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- helmrelease.yaml
|
||||
- rbac.yaml
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: system-upgrade
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: system-upgrade
|
||||
namespace: system-upgrade
|
||||
---
|
||||
apiVersion: talos.dev/v1alpha1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: talos
|
||||
spec:
|
||||
roles:
|
||||
- os:admin
|
||||
|
|
@ -0,0 +1,50 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &app system-upgrade-controller
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: system-upgrade
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *app
|
||||
dependsOn:
|
||||
- name: node-feature-discovery-rules
|
||||
path: ./kubernetes/apps/system-upgrade/system-upgrade-controller/app
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: theshire
|
||||
wait: true
|
||||
interval: 30m
|
||||
timeout: 5m
|
||||
---
|
||||
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &app system-upgrade-controller-plans
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: system-upgrade
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *app
|
||||
dependsOn:
|
||||
- name: system-upgrade-controller
|
||||
path: ./kubernetes/apps/system-upgrade/system-upgrade-controller/plans
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
# renovate: datasource=docker depName=ghcr.io/siderolabs/installer
|
||||
TALOS_VERSION: v1.8.1
|
||||
# renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
|
||||
KUBERNETES_VERSION: v1.30.2
|
||||
|
|
@ -0,0 +1,45 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/upgrade.cattle.io/plan_v1.json
|
||||
apiVersion: upgrade.cattle.io/v1
|
||||
kind: Plan
|
||||
metadata:
|
||||
name: kubernetes
|
||||
spec:
|
||||
version: ${KUBERNETES_VERSION}
|
||||
serviceAccountName: system-upgrade
|
||||
secrets:
|
||||
- name: talos
|
||||
path: /var/run/secrets/talos.dev
|
||||
ignoreUpdates: true
|
||||
concurrency: 1
|
||||
exclusive: true
|
||||
nodeSelector:
|
||||
matchExpressions:
|
||||
- key: feature.node.kubernetes.io/system-os_release.ID
|
||||
operator: In
|
||||
values: ["talos"]
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
prepare: &prepare
|
||||
image: ghcr.io/siderolabs/talosctl:${TALOS_VERSION}
|
||||
envs:
|
||||
- name: NODE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
args:
|
||||
- --nodes=$(NODE_IP)
|
||||
- health
|
||||
- --server=false
|
||||
upgrade:
|
||||
<<: *prepare
|
||||
args:
|
||||
- --nodes=$(NODE_IP)
|
||||
- upgrade-k8s
|
||||
- --to=$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./kubernetes.yaml
|
||||
- ./talos.yaml
|
||||
|
|
@ -0,0 +1,51 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/upgrade.cattle.io/plan_v1.json
|
||||
apiVersion: upgrade.cattle.io/v1
|
||||
kind: Plan
|
||||
metadata:
|
||||
name: talos
|
||||
spec:
|
||||
version: ${TALOS_VERSION}
|
||||
serviceAccountName: system-upgrade
|
||||
secrets:
|
||||
- name: talos
|
||||
path: /var/run/secrets/talos.dev
|
||||
ignoreUpdates: true
|
||||
concurrency: 1
|
||||
exclusive: true
|
||||
nodeSelector:
|
||||
matchExpressions:
|
||||
- key: feature.node.kubernetes.io/system-os_release.ID
|
||||
operator: In
|
||||
values: ["talos"]
|
||||
- key: feature.node.kubernetes.io/system-os_release.VERSION_ID
|
||||
operator: NotIn
|
||||
values: ["${TALOS_VERSION}"]
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
prepare: &prepare
|
||||
image: ghcr.io/siderolabs/talosctl:${TALOS_VERSION}
|
||||
envs:
|
||||
- name: NODE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
- name: TALOS_SCHEMATIC_ID
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations['extensions.talos.dev/schematic']
|
||||
args:
|
||||
- --nodes=$(NODE_IP)
|
||||
- health
|
||||
- --server=false
|
||||
upgrade:
|
||||
<<: *prepare
|
||||
args:
|
||||
- --nodes=$(NODE_IP)
|
||||
- upgrade
|
||||
- --image=factory.talos.dev/installer/$(TALOS_SCHEMATIC_ID):$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
|
||||
- --wait=false
|
||||
|
|
@ -17,5 +17,4 @@ spec:
|
|||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
retryInterval: 1m
|
||||
timeout: 5m
|
||||
|
|
|
|||
|
|
@ -50,7 +50,7 @@ releases:
|
|||
- name: spegel
|
||||
namespace: kube-system
|
||||
chart: oci://ghcr.io/spegel-org/helm-charts/spegel
|
||||
version: v0.0.25
|
||||
version: v0.0.26
|
||||
values:
|
||||
- ../apps/kube-system/spegel/app/helm-values.yml
|
||||
needs:
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
# yaml-language-server: $schema=https://ks.hsn.dev/talconfig.json
|
||||
clusterName: theshire
|
||||
|
||||
talosVersion: v1.7.6
|
||||
talosVersion: v1.8.1
|
||||
kubernetesVersion: 1.30.2
|
||||
endpoint: "https://10.1.1.57:6444"
|
||||
|
||||
|
|
@ -107,8 +107,8 @@ nodes:
|
|||
systemExtensions:
|
||||
officialExtensions:
|
||||
- siderolabs/amd-ucode
|
||||
- siderolabs/nonfree-kmod-nvidia
|
||||
- siderolabs/nvidia-container-toolkit
|
||||
- siderolabs/nonfree-kmod-nvidia-production
|
||||
- siderolabs/nvidia-container-toolkit-production
|
||||
|
||||
worker:
|
||||
schematic:
|
||||
|
|
|
|||
Loading…
Reference in a new issue