Compare commits
18 commits
d872244780
...
170be4a9e0
Author | SHA1 | Date | |
---|---|---|---|
170be4a9e0 | |||
efb553e50b | |||
487976e388 | |||
7c8802e3bf | |||
7a67c2ddbf | |||
af2c995b76 | |||
1d32d2de95 | |||
17c3e2f311 | |||
be091afd25 | |||
1cb15bfbfe | |||
0eaa4c65d0 | |||
623737f4e2 | |||
0da719e372 | |||
a54a7a3807 | |||
b6636664d1 | |||
88179415ae | |||
4f2756bcd4 | |||
2ca0b5805f |
18 changed files with 517 additions and 30 deletions
|
@ -3,53 +3,55 @@
|
|||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: &app it-tools
|
||||
name: it-tools
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.5.1
|
||||
interval: 30m
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
retries: 3
|
||||
strategy: rollback
|
||||
|
||||
values:
|
||||
controllers:
|
||||
it-tools:
|
||||
replicas: 1
|
||||
strategy: RollingUpdate
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
pod:
|
||||
securityContext:
|
||||
runAsUser: 101
|
||||
runAsGroup: 101
|
||||
fsGroup: 101
|
||||
fsGroupChangePolicy: "OnRootMismatch"
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: ghcr.io/corentinth/it-tools
|
||||
tag: 2024.5.13-a0bc346
|
||||
env:
|
||||
TZ: America/Chicago
|
||||
probes:
|
||||
liveness:
|
||||
enabled: true
|
||||
readiness:
|
||||
enabled: true
|
||||
repository: ghcr.io/bjw-s-labs/it-tools
|
||||
tag: 2024.5.13
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
cpu: 5m
|
||||
memory: 32Mi
|
||||
limits:
|
||||
memory: 500Mi
|
||||
memory: 256Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
service:
|
||||
app:
|
||||
controller: *app
|
||||
controller: it-tools
|
||||
ports:
|
||||
http:
|
||||
port: 80
|
||||
port: 8080
|
||||
ingress:
|
||||
app:
|
||||
enabled: true
|
||||
|
@ -68,3 +70,7 @@ spec:
|
|||
tls:
|
||||
- hosts:
|
||||
- *host
|
||||
|
||||
persistence:
|
||||
tmp:
|
||||
type: emptyDir
|
||||
|
|
|
@ -69,7 +69,7 @@ spec:
|
|||
app:
|
||||
image:
|
||||
repository: ghcr.io/bjw-s-labs/piped-frontend
|
||||
tag: latest@sha256:c4cb0cfbdf149cdb738fb9e41a5cc748a7ea53053f4c5e036b9f7578d9273328
|
||||
tag: latest@sha256:6b2aafc0432777f592f38eaba460b503b8ebc6fb520aa9cd9d4f7a68a435a3a7
|
||||
env:
|
||||
HTTP_PORT: 8080
|
||||
HTTP_WORKERS: 4
|
||||
|
|
|
@ -9,7 +9,7 @@ spec:
|
|||
chart:
|
||||
spec:
|
||||
chart: spegel
|
||||
version: v0.0.25
|
||||
version: v0.0.26
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: spegel-org
|
||||
|
|
|
@ -66,6 +66,7 @@ spec:
|
|||
- ""
|
||||
resources:
|
||||
- pods
|
||||
- nodes
|
||||
verbs:
|
||||
- create
|
||||
- update
|
||||
|
@ -78,3 +79,114 @@ spec:
|
|||
matchLabels:
|
||||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/component: kyverno
|
||||
config:
|
||||
# -- Resource types to be skipped by the Kyverno policy engine.
|
||||
# Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
|
||||
# These are joined together without spaces, run through `tpl`, and the result is set in the config map.
|
||||
# @default -- See [values.yaml](https://github.com/kyverno/kyverno/blob/ed1906a0dc281c2aeb9b7046b843708825310330/charts/kyverno/values.yaml#L207C3-L316C1)
|
||||
resourceFilters:
|
||||
- '[Event,*,*]'
|
||||
- '[*/*,kube-system,*]'
|
||||
- '[*/*,kube-public,*]'
|
||||
- '[*/*,kube-node-lease,*]'
|
||||
- '[Node,*,*]'
|
||||
- '[Node/*,*,*]'
|
||||
- '[APIService,*,*]'
|
||||
- '[APIService/*,*,*]'
|
||||
- '[TokenReview,*,*]'
|
||||
- '[SubjectAccessReview,*,*]'
|
||||
- '[SelfSubjectAccessReview,*,*]'
|
||||
# remove the following to allow for schematic-to-pod.yaml to work
|
||||
# - '[Binding,*,*]'
|
||||
# - '[Pod/binding,*,*]'
|
||||
- '[ReplicaSet,*,*]'
|
||||
- '[ReplicaSet/*,*,*]'
|
||||
- '[EphemeralReport,*,*]'
|
||||
- '[ClusterEphemeralReport,*,*]'
|
||||
# exclude resources from the chart
|
||||
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:additional]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:core]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:additional]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:core]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:additional]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:core]'
|
||||
- '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:additional]'
|
||||
- '[ClusterRoleBinding,*,{{ template "kyverno.admission-controller.roleName" . }}]'
|
||||
- '[ClusterRoleBinding,*,{{ template "kyverno.background-controller.roleName" . }}]'
|
||||
- '[ClusterRoleBinding,*,{{ template "kyverno.cleanup-controller.roleName" . }}]'
|
||||
- '[ClusterRoleBinding,*,{{ template "kyverno.reports-controller.roleName" . }}]'
|
||||
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
|
||||
- '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]'
|
||||
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
|
||||
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
|
||||
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
|
||||
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
|
||||
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]'
|
||||
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]'
|
||||
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]'
|
||||
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]'
|
||||
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]'
|
||||
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]'
|
||||
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
|
||||
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]'
|
||||
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
|
||||
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]'
|
||||
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
|
||||
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]'
|
||||
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
|
||||
- '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]'
|
||||
- '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
|
||||
- '[Job/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
|
||||
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
|
||||
- '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]'
|
||||
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.name" . }}]'
|
||||
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.background-controller.name" . }}]'
|
||||
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.cleanup-controller.name" . }}]'
|
||||
- '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.reports-controller.name" . }}]'
|
||||
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
|
||||
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
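Review bot: In the first hunk (`@ -66,6 +66,7 @@`) `nodes` sits under the same rule as `pods` with `verbs: [create, update]`; if `- nodes` is the line being added, the bound controller gains write access to every Node object, which is more than the schematic-to-pod policy in this commit needs — its only node access is a read of `/api/v1/nodes/{{node}}`. Move `nodes` into its own rule with `verbs: [get]` (adding `list`/`watch` only if Kyverno's cache requires them), since node labels and annotations are exactly what the Talos Plans in this commit use to select nodes and choose installer images. The enclosing rule begins above the hunk, so any further rules on nodes are not visible here. In the second hunk the `resourceFilters` list copies the chart defaults with the two `Binding` entries commented out; the comment should also say that every pod binding in the cluster now passes through the admission webhook, so its `failurePolicy` and latency affect scheduling of all pods, and that this pinned copy will drift from the chart defaults on future chart upgrades.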
|
||||
|
|
|
@ -4,3 +4,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
|||
kind: Kustomization
|
||||
resources:
|
||||
- ./remove-cpu-limits.yaml
|
||||
- ./schematic-to-pod.yaml
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://ks.hsn.dev/kyverno.io/clusterpolicy_v1.json
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: mutate-pod-binding
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
policies.kyverno.io/title: Mutate Pod Add Schematic
|
||||
policies.kyverno.io/category: Other
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: 1.10.0
|
||||
policies.kyverno.io/minversion: 1.10.0
|
||||
kyverno.io/kubernetes-version: "1.30"
|
||||
spec:
|
||||
background: false
|
||||
rules:
|
||||
- name: project-foo
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod/binding
|
||||
names:
|
||||
- apply-talos*
|
||||
context:
|
||||
- name: node
|
||||
variable:
|
||||
jmesPath: request.object.target.name
|
||||
default: ""
|
||||
- name: schematic
|
||||
apiCall:
|
||||
urlPath: "/api/v1/nodes/{{node}}"
|
||||
jmesPath: 'metadata.annotations."extensions.talos.dev/schematic" || ''empty'''
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
annotations:
|
||||
extensions.talos.dev/schematic: "{{ schematic }}"
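Review bot: The `schematic` context falls back to the literal string `empty` when the node lacks an `extensions.talos.dev/schematic` annotation, and that sentinel is written into the pod annotation which the talos Plan in this commit reads into `TALOS_SCHEMATIC_ID` and splices into `--image=factory.talos.dev/installer/...`, so a missing annotation only shows up later as an image pull failure under a misleading installer name. Skip the mutation with a precondition instead, so the binding is left untouched and the skip is visible in the policy report; the rewritten context and precondition are below. The rule name `project-foo` is the placeholder from the upstream example and should name the rule's purpose, e.g. `- name: add-talos-schematic`. How the talos job behaves when the pod annotation is absent (blank env value versus rejected pod) is not shown here and should be confirmed on a test node before relying on the skip.
```yaml
      context:
        # … unchanged: node variable from request.object.target.name …
        - name: schematic
          apiCall:
            urlPath: "/api/v1/nodes/{{node}}"
            jmesPath: 'metadata.annotations."extensions.talos.dev/schematic" || '''''
      preconditions:
        all:
          - key: "{{ schematic }}"
            operator: NotEquals
            value: ""
      # … unchanged: mutate.patchStrategicMerge …
```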
|
|
@ -75,7 +75,7 @@ spec:
|
|||
"--exclude-category", "music",
|
||||
"--exclude-tag", "added:24h",
|
||||
"--include-tag", "unregistered",
|
||||
"--dry-run",
|
||||
# "--dry-run",
|
||||
"--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local",
|
||||
"--port", "80"
|
||||
]
|
||||
|
@ -87,7 +87,7 @@ spec:
|
|||
"--exclude-category", "music",
|
||||
"--include-tag", "expired", # defined in config.yaml
|
||||
"--include-tag", "added:7d",
|
||||
"--dry-run",
|
||||
# "--dry-run",
|
||||
"--server", "qbittorrent.$(POD_NAMESPACE).svc.cluster.local",
|
||||
"--port", "80"
|
||||
]
|
||||
|
|
9
kubernetes/apps/system-upgrade/kustomization.yaml
Normal file
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
# Pre Flux-Kustomizations
|
||||
- ./namespace.yaml
|
||||
# Flux-Kustomizations
|
||||
- ./system-upgrade-controller/ks.yaml
|
38
kubernetes/apps/system-upgrade/namespace.yaml
Normal file
|
@ -0,0 +1,38 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: system-upgrade
|
||||
annotations:
|
||||
kustomize.toolkit.fluxcd.io/prune: disabled
|
||||
volsync.backube/privileged-movers: "true"
|
||||
---
|
||||
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json
|
||||
apiVersion: notification.toolkit.fluxcd.io/v1beta3
|
||||
kind: Provider
|
||||
metadata:
|
||||
name: alert-manager
|
||||
namespace: system-upgrade
|
||||
spec:
|
||||
type: alertmanager
|
||||
address: http://alertmanager.observability.svc.cluster.local:9093/api/v2/alerts/
|
||||
---
|
||||
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
|
||||
apiVersion: notification.toolkit.fluxcd.io/v1beta3
|
||||
kind: Alert
|
||||
metadata:
|
||||
name: alert-manager
|
||||
namespace: system-upgrade
|
||||
spec:
|
||||
providerRef:
|
||||
name: alert-manager
|
||||
eventSeverity: error
|
||||
eventSources:
|
||||
- kind: HelmRelease
|
||||
name: "*"
|
||||
exclusionList:
|
||||
- "error.*lookup github\\.com"
|
||||
- "error.*lookup raw\\.githubusercontent\\.com"
|
||||
- "dial.*tcp.*timeout"
|
||||
- "waiting.*socket"
|
||||
suspend: false
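Review bot: The Namespace carries `volsync.backube/privileged-movers: "true"`, but nothing in this commit places a VolSync ReplicationSource or ReplicationDestination in `system-upgrade`; the annotation permits privileged mover pods in the namespace and reads as carried over from an application-namespace template. Drop it unless a backup of this namespace is planned, so the namespace grants only what the upgrade jobs need. If it is intentional, a one-line comment above it naming the workload that relies on it would stop the next reviewer from asking the same question.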
|
|
@ -0,0 +1,101 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: &app system-upgrade-controller
|
||||
spec:
|
||||
interval: 30m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.5.1
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
install:
|
||||
remediation:
|
||||
retries: 3
|
||||
upgrade:
|
||||
cleanupOnFail: true
|
||||
remediation:
|
||||
strategy: rollback
|
||||
retries: 3
|
||||
values:
|
||||
controllers:
|
||||
system-upgrade-controller:
|
||||
strategy: RollingUpdate
|
||||
containers:
|
||||
app:
|
||||
image:
|
||||
repository: docker.io/rancher/system-upgrade-controller
|
||||
tag: v0.14.1@sha256:7e13a9b2b984f0c0fd6328439b575348723cc6954b91db3453057fcb784e2d29
|
||||
env:
|
||||
SYSTEM_UPGRADE_CONTROLLER_DEBUG: false
|
||||
SYSTEM_UPGRADE_CONTROLLER_THREADS: 2
|
||||
SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: 900
|
||||
SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: 99
|
||||
SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: IfNotPresent
|
||||
SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: registry.k8s.io/kubectl:v1.31.1
|
||||
SYSTEM_UPGRADE_JOB_POD_REPLACEMENT_POLICY: Failed
|
||||
SYSTEM_UPGRADE_JOB_PRIVILEGED: true
|
||||
SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: 900
|
||||
SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m
|
||||
SYSTEM_UPGRADE_CONTROLLER_NAME: *app
|
||||
SYSTEM_UPGRADE_CONTROLLER_NAMESPACE:
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities: { drop: ["ALL"] }
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
defaultPodOptions:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65534
|
||||
runAsGroup: 65534
|
||||
seccompProfile: { type: RuntimeDefault }
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
- key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
serviceAccount:
|
||||
create: true
|
||||
name: system-upgrade
|
||||
persistence:
|
||||
tmp:
|
||||
type: emptyDir
|
||||
etc-ssl:
|
||||
type: hostPath
|
||||
hostPath: /etc/ssl
|
||||
hostPathType: DirectoryOrCreate
|
||||
globalMounts:
|
||||
- readOnly: true
|
||||
etc-pki:
|
||||
type: hostPath
|
||||
hostPath: /etc/pki
|
||||
hostPathType: DirectoryOrCreate
|
||||
globalMounts:
|
||||
- readOnly: true
|
||||
etc-ca-certificates:
|
||||
type: hostPath
|
||||
hostPath: /etc/ca-certificates
|
||||
hostPathType: DirectoryOrCreate
|
||||
globalMounts:
|
||||
- readOnly: true
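Review bot: `SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: registry.k8s.io/kubectl:v1.31.1` is pinned by tag only and has no `# renovate:` marker, while the controller image above it is pinned by `@sha256:` digest; that kubectl image runs inside every upgrade job on the control-plane nodes, so give it the same digest pin and a marker in the form already used in ks.yaml, `# renovate: datasource=docker depName=registry.k8s.io/kubectl`. The three `hostPath` mounts use `hostPathType: DirectoryOrCreate`, which has the kubelet create the directory on the host when it is absent; if `/etc/ssl`, `/etc/pki` and `/etc/ca-certificates` are expected to exist on a Talos node, `Directory` fails loudly instead of creating host paths — confirm against the node image before changing, since the mounts are read-only either way.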
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- helmrelease.yaml
|
||||
- rbac.yaml
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: system-upgrade
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: system-upgrade
|
||||
namespace: system-upgrade
|
||||
---
|
||||
apiVersion: talos.dev/v1alpha1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: talos
|
||||
spec:
|
||||
roles:
|
||||
- os:admin
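Review bot: The `system-upgrade` ServiceAccount is bound to `cluster-admin` here and is also the `serviceAccountName` of both Plans in this commit, so every upgrade job pod — privileged via `SYSTEM_UPGRADE_JOB_PRIVILEGED: true` and carrying the `talos` secret with the `os:admin` role — also mounts a cluster-admin token that the `talosctl` steps do not need. Give the Plans a second ServiceAccount with no ClusterRoleBinding and keep this binding for the controller only; if a Plan later sets `drain` or `cordon`, the job pod itself needs node and eviction rights, which can then be granted narrowly on that account. Whether the controller itself can run with less than `cluster-admin` is not visible from this diff, so confirm its required permissions before narrowing the controller binding.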
|
|
@ -0,0 +1,50 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &app system-upgrade-controller
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: system-upgrade
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *app
|
||||
dependsOn:
|
||||
- name: node-feature-discovery-rules
|
||||
path: ./kubernetes/apps/system-upgrade/system-upgrade-controller/app
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: theshire
|
||||
wait: true
|
||||
interval: 30m
|
||||
timeout: 5m
|
||||
---
|
||||
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: &app system-upgrade-controller-plans
|
||||
namespace: flux-system
|
||||
spec:
|
||||
targetNamespace: system-upgrade
|
||||
commonMetadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: *app
|
||||
dependsOn:
|
||||
- name: system-upgrade-controller
|
||||
path: ./kubernetes/apps/system-upgrade/system-upgrade-controller/plans
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: theshire
|
||||
wait: false
|
||||
interval: 30m
|
||||
timeout: 5m
|
||||
postBuild:
|
||||
substitute:
|
||||
# renovate: datasource=docker depName=ghcr.io/siderolabs/installer
|
||||
TALOS_VERSION: v1.8.1
|
||||
# renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
|
||||
KUBERNETES_VERSION: v1.30.2
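Review bot: `TALOS_VERSION: v1.8.1` is what the talos Plan will upgrade every node to, while `talconfig.yaml` in this same commit only moves `talosVersion` to `v1.8.0`, so talhelper-generated machine configs will describe a release behind the running nodes until someone bumps them. Keep the two values in lock-step, ideally by putting the same `# renovate:` marker on both so a single update touches both. `wait: false` on the plans Kustomization is plausible given that Plans complete asynchronously, but a short comment on that line saying why would help the next reader.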
|
|
@ -0,0 +1,45 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/upgrade.cattle.io/plan_v1.json
|
||||
apiVersion: upgrade.cattle.io/v1
|
||||
kind: Plan
|
||||
metadata:
|
||||
name: kubernetes
|
||||
spec:
|
||||
version: ${KUBERNETES_VERSION}
|
||||
serviceAccountName: system-upgrade
|
||||
secrets:
|
||||
- name: talos
|
||||
path: /var/run/secrets/talos.dev
|
||||
ignoreUpdates: true
|
||||
concurrency: 1
|
||||
exclusive: true
|
||||
nodeSelector:
|
||||
matchExpressions:
|
||||
- key: feature.node.kubernetes.io/system-os_release.ID
|
||||
operator: In
|
||||
values: ["talos"]
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
prepare: &prepare
|
||||
image: ghcr.io/siderolabs/talosctl:${TALOS_VERSION}
|
||||
envs:
|
||||
- name: NODE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
args:
|
||||
- --nodes=$(NODE_IP)
|
||||
- health
|
||||
- --server=false
|
||||
upgrade:
|
||||
<<: *prepare
|
||||
args:
|
||||
- --nodes=$(NODE_IP)
|
||||
- upgrade-k8s
|
||||
- --to=$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./kubernetes.yaml
|
||||
- ./talos.yaml
|
|
@ -0,0 +1,51 @@
|
|||
---
|
||||
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/upgrade.cattle.io/plan_v1.json
|
||||
apiVersion: upgrade.cattle.io/v1
|
||||
kind: Plan
|
||||
metadata:
|
||||
name: talos
|
||||
spec:
|
||||
version: ${TALOS_VERSION}
|
||||
serviceAccountName: system-upgrade
|
||||
secrets:
|
||||
- name: talos
|
||||
path: /var/run/secrets/talos.dev
|
||||
ignoreUpdates: true
|
||||
concurrency: 1
|
||||
exclusive: true
|
||||
nodeSelector:
|
||||
matchExpressions:
|
||||
- key: feature.node.kubernetes.io/system-os_release.ID
|
||||
operator: In
|
||||
values: ["talos"]
|
||||
- key: feature.node.kubernetes.io/system-os_release.VERSION_ID
|
||||
operator: NotIn
|
||||
values: ["${TALOS_VERSION}"]
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
prepare: &prepare
|
||||
image: ghcr.io/siderolabs/talosctl:${TALOS_VERSION}
|
||||
envs:
|
||||
- name: NODE_IP
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: status.hostIP
|
||||
- name: TALOS_SCHEMATIC_ID
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.annotations['extensions.talos.dev/schematic']
|
||||
args:
|
||||
- --nodes=$(NODE_IP)
|
||||
- health
|
||||
- --server=false
|
||||
upgrade:
|
||||
<<: *prepare
|
||||
args:
|
||||
- --nodes=$(NODE_IP)
|
||||
- upgrade
|
||||
- --image=factory.talos.dev/installer/$(TALOS_SCHEMATIC_ID):$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
|
||||
- --wait=false
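Review bot: `--image=factory.talos.dev/installer/$(TALOS_SCHEMATIC_ID):...` is built from a pod annotation that exists only if the `mutate-pod-binding` ClusterPolicy ran on this job's binding, and nothing in the Plan says so; a comment on the `TALOS_SCHEMATIC_ID` entry, e.g. `# set on the job pod by the mutate-pod-binding ClusterPolicy from the node's extensions.talos.dev/schematic annotation`, records the dependency on Kyverno being healthy at scheduling time. If Kyverno is down or the node annotation is absent, the value is blank or the policy's `empty` sentinel and the job asks the factory for a non-existent installer; the guard belongs in the policy rather than in these args. `--wait=false` lets the job succeed as soon as the upgrade is accepted, before the node reboots, which is presumably deliberate because the node disappears under the job; say so on that line.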
|
|
@ -50,7 +50,7 @@ releases:
|
|||
- name: spegel
|
||||
namespace: kube-system
|
||||
chart: oci://ghcr.io/spegel-org/helm-charts/spegel
|
||||
version: v0.0.25
|
||||
version: v0.0.26
|
||||
values:
|
||||
- ../apps/kube-system/spegel/app/helm-values.yml
|
||||
needs:
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
# yaml-language-server: $schema=https://ks.hsn.dev/talconfig.json
|
||||
clusterName: theshire
|
||||
|
||||
talosVersion: v1.7.6
|
||||
talosVersion: v1.8.0
|
||||
kubernetesVersion: 1.30.2
|
||||
endpoint: "https://10.1.1.57:6444"
|
||||
|
||||
|
@ -107,8 +107,8 @@ nodes:
|
|||
systemExtensions:
|
||||
officialExtensions:
|
||||
- siderolabs/amd-ucode
|
||||
- siderolabs/nonfree-kmod-nvidia
|
||||
- siderolabs/nvidia-container-toolkit
|
||||
- siderolabs/nonfree-kmod-nvidia-production
|
||||
- siderolabs/nvidia-container-toolkit-production
|
||||
|
||||
worker:
|
||||
schematic:
|
||||
|
|