diff --git a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml
index ca5999bf..04dcf1dc 100644
--- a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml
+++ b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml
@@ -50,9 +50,13 @@ spec:
 extraConfig:
 allow-localhost: policy # enable policies for localhost
 kubeProxyReplacement: true
- k8sServiceHost: ${K8S_SERVICE_ENDPOINT}
- k8sServicePort: 6443
+ k8sServiceHost: 127.0.0.1
+ k8sServicePort: 7445
 rollOutCiliumPods: true
+ cgroup:
+ automount:
+ enabled: false
+ hostRoot: /sys/fs/cgroup
 bgp:
 enabled: false
 announce:
@@ -60,3 +64,21 @@ spec:
 podCIDR: false
 bgpControlPlane:
 enabled: true
+ securityContext:
+ capabilities:
+ ciliumAgent:
+ - CHOWN
+ - KILL
+ - NET_ADMIN
+ - NET_RAW
+ - IPC_LOCK
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ - DAC_OVERRIDE
+ - FOWNER
+ - SETGID
+ - SETUID
+ cleanCiliumState:
+ - NET_ADMIN
+ - SYS_ADMIN
+ - SYS_RESOURCE
diff --git a/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml b/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml
new file mode 100644
index 00000000..b2529378
--- /dev/null
+++ b/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml
@@ -0,0 +1,34 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: spegel
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: spegel
+ version: v0.0.18
+ sourceRef:
+ kind: HelmRepository
+ name: xenitab
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ uninstall:
+ keepHistory: false
+ values:
+ spegel:
+ containerdSock: /run/containerd/containerd.sock
+ containerdRegistryConfigPath: /etc/cri/conf.d/hosts
+ service:
+ registry:
+ hostPort: 29999
+ serviceMonitor:
+ enabled: true
\ No newline at end of file
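Review bot: The hard-coded `k8sServiceHost: 127.0.0.1` / `k8sServicePort: 7445` replaces a substituted `${K8S_SERVICE_ENDPOINT}`, and nothing in the hunk records what is expected to listen there; if that listener (presumably a node-local API-server proxy such as Talos KubePrism, whose default address this is) is missing on a node, cilium-agent cannot reach the API server and the kube-proxy replacement never comes up on that node. Add `# node-local API-server endpoint (KubePrism); must be listening on every node before cilium-agent starts` above `k8sServiceHost`. The new `cgroup.automount.enabled: false` / `hostRoot: /sys/fs/cgroup` pair likewise deserves a one-line comment naming the host cgroup mount it relies on, since a wrong `hostRoot` only shows up as the agent failing to attach its BPF programs. The enclosing `spec.values` block starts outside the hunk.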
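Review bot: The explicit `securityContext.capabilities` lists for `ciliumAgent` and `cleanCiliumState` include SYS_ADMIN, DAC_OVERRIDE, SETUID and SETGID without a comment saying why the chart default is being overridden. As far as I can tell this is the chart's default agent set with SYS_MODULE removed, which is a sensible reduction, but a reader cannot tell whether that was the intent or whether an entry was dropped by accident, and the list will be carried forward unreviewed on each chart upgrade. Add `# chart default capability set minus SYS_MODULE (kernel module loading is not available on this host OS); justify any addition` above `ciliumAgent:`, and note on `cleanCiliumState:` that it is the reduced set the init container needs.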
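Review bot: `hostPort: 29999` publishes the node-local image registry on every node's host interface, and the hunk does not document who is expected to reach it or where the containerd mirror configuration that points nodes at it is maintained (the `containerdRegistryConfigPath` value names a directory, not that configuration, and the mirror setup is not part of this change). Add `# registry listens on every node's host network; intended for cluster nodes only, restrict with host firewall / NetworkPolicy` above `hostPort`, and a comment naming where the mirror config lives. `serviceMonitor.enabled: true` presumes the Prometheus Operator CRDs are installed; the HelmRelease fails to install otherwise, so a comment stating that dependency would help. This file and several other new files in the commit (`spegel/app/kustomization.yaml`, `spegel/ks.yaml`, the `openebs-system` files, `openebs.yaml`, `xenitab.yaml`, the helm `kustomization.yaml`) end without a trailing newline.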
diff --git a/kubernetes/apps/storage/local-path-provisioner/app/kustomization.yaml b/kubernetes/apps/kube-system/spegel/app/kustomization.yaml
similarity index 87%
rename from kubernetes/apps/storage/local-path-provisioner/app/kustomization.yaml
rename to kubernetes/apps/kube-system/spegel/app/kustomization.yaml
index 17cbc72b..2d7deaca 100644
--- a/kubernetes/apps/storage/local-path-provisioner/app/kustomization.yaml
+++ b/kubernetes/apps/kube-system/spegel/app/kustomization.yaml
@@ -3,4 +3,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ./helmrelease.yaml
+ - ./helmrelease.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/storage/local-path-provisioner/ks.yaml b/kubernetes/apps/kube-system/spegel/ks.yaml
similarity index 51%
rename from kubernetes/apps/storage/local-path-provisioner/ks.yaml
rename to kubernetes/apps/kube-system/spegel/ks.yaml
index fa12d36f..e3723c48 100644
--- a/kubernetes/apps/storage/local-path-provisioner/ks.yaml
+++ b/kubernetes/apps/kube-system/spegel/ks.yaml
@@ -1,16 +1,16 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
- name: &app local-path-provisioner
+ name: &app spegel
 namespace: flux-system
 spec:
- targetNamespace: storage
+ targetNamespace: kube-system
 commonMetadata:
 labels:
 app.kubernetes.io/name: *app
- path: ./kubernetes/apps/storage/local-path-provisioner/app
+ path: ./kubernetes/apps/kube-system/spegel/app
 prune: true
 sourceRef:
 kind: GitRepository
@@ -18,4 +18,4 @@ spec:
 wait: false
 interval: 30m
 retryInterval: 1m
- timeout: 5m
+ timeout: 5m
\ No newline at end of file
diff --git a/kubernetes/apps/openebs-system/kustomization.yaml b/kubernetes/apps/openebs-system/kustomization.yaml
new file mode 100644
index 00000000..334dd681
--- /dev/null
+++ b/kubernetes/apps/openebs-system/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ # Pre Flux-Kustomizations
+ - ./namespace.yaml
+ # Flux-Kustomizations
+ - ./openebs/ks.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/openebs-system/namespace.yaml b/kubernetes/apps/openebs-system/namespace.yaml
new file mode 100644
index 00000000..f79a5197
--- /dev/null
+++ b/kubernetes/apps/openebs-system/namespace.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: openebs-system
+ annotations:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ volsync.backube/privileged-movers: "true"
\ No newline at end of file
diff --git a/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml b/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml
new file mode 100644
index 00000000..5a5e25cd
--- /dev/null
+++ b/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml
@@ -0,0 +1,32 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: openebs
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: openebs
+ version: 3.10.0
+ sourceRef:
+ kind: HelmRepository
+ name: openebs
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ uninstall:
+ keepHistory: false
+ values:
+ localprovisioner:
+ hostpathClass:
+ enabled: true
+ name: openebs-hostpath
+ isDefaultClass: false
+ basePath: /var/openebs/local
\ No newline at end of file
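Review bot: `volsync.backube/privileged-movers: "true"` on the new `openebs-system` Namespace lets VolSync run its mover pods privileged in that namespace, yet nothing in this change places a ReplicationSource or ReplicationDestination there, so the annotation widens privilege with no visible consumer. Drop it, or add `# required by: <workload>` naming the VolSync object that needs privileged movers in this namespace. Separately, `kustomize.toolkit.fluxcd.io/prune: disabled` is set as an annotation here while the renamed `volsync-system/namespace.yaml` in the same commit sets it as a label; Flux accepts both forms as far as I know, but the repository should settle on one so the exemption is easy to grep for.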
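Review bot: Only `localprovisioner.hostpathClass` is configured, but unless the chart defaults have changed the 3.x `openebs` umbrella chart also enables node-disk-manager and its operator, which run privileged to scan host block devices and are not needed for a hostpath-only class; add `ndm: {enabled: false}` and `ndmOperator: {enabled: false}` under `values` so the release carries only the component that is used. The hostpath provisioner's helper pods use hostPath volumes, which baseline Pod Security admission rejects; if this cluster enforces baseline by default (Talos does), `openebs-system/namespace.yaml` needs the `pod-security.kubernetes.io/enforce: privileged` label, which it does not carry in this change. A comment on `basePath: /var/openebs/local` stating that the directory must sit on a persistent host partition would spare the next reader a surprise after a node reboot.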
diff --git a/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml b/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml
new file mode 100644
index 00000000..2d7deaca
--- /dev/null
+++ b/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
\ No newline at end of file
diff --git a/kubernetes/apps/openebs-system/openebs/ks.yaml b/kubernetes/apps/openebs-system/openebs/ks.yaml
new file mode 100644
index 00000000..4bff98f1
--- /dev/null
+++ b/kubernetes/apps/openebs-system/openebs/ks.yaml
@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app openebs
+ namespace: flux-system
+spec:
+ targetNamespace: openebs-system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/openebs-system/openebs/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: homelab
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
\ No newline at end of file
diff --git a/kubernetes/apps/storage/local-path-provisioner/app/helmrelease.yaml b/kubernetes/apps/storage/local-path-provisioner/app/helmrelease.yaml
deleted file mode 100644
index 2de77c71..00000000
--- a/kubernetes/apps/storage/local-path-provisioner/app/helmrelease.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
- name: local-path-provisioner
-spec:
- interval: 30m
- chart:
- spec:
- chart: democratic-csi
- version: 0.14.5
- sourceRef:
- name: democratic-csi
- kind: HelmRepository
- namespace: flux-system
- install:
- remediation:
- retries: 3
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- uninstall:
- keepHistory: false
- values:
- fullnameOverride: local-path-provisioner
- controller:
- strategy: node
- externalProvisioner:
- image: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0
- extraArgs:
- - --leader-election=false
- - --node-deployment=true
- - --node-deployment-immediate-binding=false
- - --feature-gates=Topology=true
- - --strict-topology=true
- - --enable-capacity=true
- - --capacity-ownerref-level=1
- externalResizer:
- enabled: false
- externalAttacher:
- enabled: false
- externalSnapshotter:
- enabled: false
- csiDriver:
- name: local-hostpath.cluster.local
- storageCapacity: true
- attachRequired: false
- fsGroupPolicy: File
- storageClasses:
- - name: local-hostpath
- defaultClass: false
- reclaimPolicy: Delete
- volumeBindingMode: WaitForFirstConsumer
- allowVolumeExpansion: true
- driver:
- config:
- driver: local-hostpath
- local-hostpath:
- shareBasePath: &storagePath /var/lib/rancher/k3s/local-hostpath
- controllerBasePath: *storagePath
- dirPermissionsMode: "0770"
- dirPermissionsUser: 0
- dirPermissionsGroup: 0
- node:
- driver:
- image: ghcr.io/democratic-csi/democratic-csi:v1.8.4
- extraVolumeMounts:
- - name: local-hostpath
- mountPath: *storagePath
- mountPropagation: Bidirectional
- extraVolumes:
- - name: local-hostpath
- hostPath:
- path: *storagePath
- type: DirectoryOrCreate
diff --git a/kubernetes/apps/storage/kustomization.yaml b/kubernetes/apps/volsync-system/kustomization.yaml
similarity index 88%
rename from kubernetes/apps/storage/kustomization.yaml
rename to kubernetes/apps/volsync-system/kustomization.yaml
index d3585c1c..5b5a44ea 100644
--- a/kubernetes/apps/storage/kustomization.yaml
+++ b/kubernetes/apps/volsync-system/kustomization.yaml
@@ -6,6 +6,5 @@ resources:
 # Pre Flux-Kustomizations
 - ./namespace.yaml
 # Flux-Kustomizations
- - ./local-path-provisioner/ks.yaml
 - ./snapshot-controller/ks.yaml
 - ./volsync/ks.yaml
diff --git a/kubernetes/apps/storage/namespace.yaml b/kubernetes/apps/volsync-system/namespace.yaml
similarity index 81%
rename from kubernetes/apps/storage/namespace.yaml
rename to kubernetes/apps/volsync-system/namespace.yaml
index a8966521..10f3c084 100644
--- a/kubernetes/apps/storage/namespace.yaml
+++ b/kubernetes/apps/volsync-system/namespace.yaml
@@ -2,6 +2,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
- name: storage
+ name: volsync-system
 labels:
 kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/apps/storage/snapshot-controller/app/helmrelease.yaml b/kubernetes/apps/volsync-system/snapshot-controller/app/helmrelease.yaml
similarity index 100%
rename from kubernetes/apps/storage/snapshot-controller/app/helmrelease.yaml
rename to kubernetes/apps/volsync-system/snapshot-controller/app/helmrelease.yaml
diff --git a/kubernetes/apps/storage/snapshot-controller/ks.yaml b/kubernetes/apps/volsync-system/snapshot-controller/ks.yaml
similarity index 87%
rename from kubernetes/apps/storage/snapshot-controller/ks.yaml
rename to kubernetes/apps/volsync-system/snapshot-controller/ks.yaml
index 1f8d59c9..001c6e5d 100644
--- a/kubernetes/apps/storage/snapshot-controller/ks.yaml
+++ b/kubernetes/apps/volsync-system/snapshot-controller/ks.yaml
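Review bot: Renaming the Namespace manifest from `storage` to `volsync-system` does not remove the `storage` namespace from the cluster, because the resource carries the `kustomize.toolkit.fluxcd.io/prune: disabled` label; Flux will create `volsync-system` and leave `storage`, together with any PVCs, Secrets or cache volumes still inside it, untouched. Add `# renamed from 'storage'; the old namespace is exempt from pruning and must be removed by hand once it is empty` above `name: volsync-system`, or state the cleanup step in the commit message, so the stale namespace is not mistaken for a live one later.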
@@ -10,7 +10,7 @@ spec:
 commonMetadata:
 labels:
 app.kubernetes.io/name: *app
- path: ./kubernetes/apps/storage/snapshot-controller/app
+ path: ./kubernetes/apps/volsync-system/snapshot-controller/app
 prune: true
 sourceRef:
 kind: GitRepository
diff --git a/kubernetes/apps/storage/volsync/app/helmrelease.yaml b/kubernetes/apps/volsync-system/volsync/app/helmrelease.yaml
similarity index 100%
rename from kubernetes/apps/storage/volsync/app/helmrelease.yaml
rename to kubernetes/apps/volsync-system/volsync/app/helmrelease.yaml
diff --git a/kubernetes/apps/storage/volsync/app/kustomization.yaml b/kubernetes/apps/volsync-system/volsync/app/kustomization.yaml
similarity index 100%
rename from kubernetes/apps/storage/volsync/app/kustomization.yaml
rename to kubernetes/apps/volsync-system/volsync/app/kustomization.yaml
diff --git a/kubernetes/apps/storage/volsync/ks.yaml b/kubernetes/apps/volsync-system/volsync/ks.yaml
similarity index 90%
rename from kubernetes/apps/storage/volsync/ks.yaml
rename to kubernetes/apps/volsync-system/volsync/ks.yaml
index 1c834eb1..8a39bfb1 100644
--- a/kubernetes/apps/storage/volsync/ks.yaml
+++ b/kubernetes/apps/volsync-system/volsync/ks.yaml
@@ -11,7 +11,7 @@ spec:
 labels:
 app.kubernetes.io/name: *appname
 interval: 10m
- path: "./kubernetes/apps/storage/volsync/app"
+ path: "./kubernetes/apps/volsync-system/volsync/app"
 prune: true
 sourceRef:
 kind: GitRepository
diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml
index cd9a5e03..b320fa30 100644
--- a/kubernetes/flux/repositories/helm/kustomization.yaml
+++ b/kubernetes/flux/repositories/helm/kustomization.yaml
@@ -11,7 +11,7 @@ resources:
 - cloudnative-pg.yaml
 - crowdsec.yaml
 - crunchydata.yaml
- - democratic-csi.yaml
+# - democratic-csi.yaml
 - dragonflydb.yaml
 - elastic.yaml
 - external-secrets.yaml
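Review bot: Only `path` changes in this hunk and in the volsync `ks.yaml` hunk that follows it; `spec.targetNamespace`, which sits above both hunks, is untouched, and the sibling `local-path-provisioner/ks.yaml` renamed in this same commit carried `targetNamespace: storage`, so these two Flux Kustomizations very likely still deploy into `storage` while the Namespace manifest now creates `volsync-system`. If that is the case, change it to `targetNamespace: volsync-system` in both files, otherwise the workloads land in a namespace the repository no longer declares. The enclosing `spec` block starts outside the hunk, so this is inferred from the sibling file rather than visible here.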
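Review bot: `# - democratic-csi.yaml` leaves a commented-out resource reference instead of deleting it together with the HelmRepository file it points at; the only consumer, the `local-path-provisioner` HelmRelease, is deleted in this same commit, so the file is dead configuration that will drift. Delete the line and `democratic-csi.yaml`; provided the Flux Kustomization that manages this path prunes (its definition is not shown), the HelmRepository object is garbage-collected either way.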
@@ -28,9 +28,10 @@ resources:
 - kubernetes-sigs-metrics-server.yaml
 - kubernetes-sigs-external-dns.yaml
 - nvidia.yaml
+ - openebs.yaml
 - piraeus.yaml
 - postfinance.yaml
 - prometheus-community.yaml
 - rook-ceph.yaml
 - stakater.yaml
-# - weave-gitops.yaml
+ - xenitab.yaml
\ No newline at end of file
diff --git a/kubernetes/flux/repositories/helm/openebs.yaml b/kubernetes/flux/repositories/helm/openebs.yaml
new file mode 100644
index 00000000..2b6b9a6f
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/openebs.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/source.toolkit.fluxcd.io/helmrepository_v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: openebs
+ namespace: flux-system
+spec:
+ interval: 2h
+ url: https://openebs.github.io/charts
\ No newline at end of file
diff --git a/kubernetes/flux/repositories/helm/xenitab.yaml b/kubernetes/flux/repositories/helm/xenitab.yaml
new file mode 100644
index 00000000..2825a8ef
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/xenitab.yaml
@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/source.toolkit.fluxcd.io/helmrepository_v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: xenitab
+ namespace: flux-system
+spec:
+ type: oci
+ interval: 5m
+ url: oci://ghcr.io/xenitab/helm-charts
\ No newline at end of file
diff --git a/kubernetes/templates/volsync/minio.yaml b/kubernetes/templates/volsync/minio.yaml
index b1e0a005..e1f3710f 100644
--- a/kubernetes/templates/volsync/minio.yaml
+++ b/kubernetes/templates/volsync/minio.yaml
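Review bot: `interval: 5m` on the new `xenitab` OCI HelmRepository polls ghcr.io every five minutes, while the `openebs` repository added in the same commit uses `2h` and the consuming spegel HelmRelease reconciles every `30m`; align it (`interval: 2h`) unless there is a reason to poll faster, since registry rate limits are applied per source and the chart is version-pinned anyway. Because this source is `type: oci`, Flux can check the chart's signature through `spec.chart.spec.verify` (`provider: cosign`) on the spegel HelmRelease; if the publisher signs the chart, enabling that pins the provenance of a component that runs with host networking in `kube-system`. A comment on `type: oci` noting that the repository is a registry rather than an index would help readers unfamiliar with the distinction.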
@@ -37,8 +37,8 @@ spec:
 pruneIntervalDays: 7
 repository: "${APP}-volsync-secret"
 volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:-csi-ceph-blockpool}"
- cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:-8Gi}"
- cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-local-hostpath}"
+ cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:-4Gi}"
+ cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-openebs-hostpath}"
 cacheAccessModes: ["${VOLSYNC_CACHE_ACCESSMODES:-ReadWriteOnce}"]
 storageClassName: "${VOLSYNC_STORAGECLASS:-ceph-block}"
 accessModes: ["${VOLSYNC_ACCESSMODES:-ReadWriteOnce}"]
@@ -63,9 +63,9 @@ spec:
 repository: "${APP}-volsync-secret"
 copyMethod: Snapshot # must be Snapshot
 volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:-csi-ceph-blockpool}"
- cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-local-hostpath}"
+ cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-openebs-hostpath}"
 cacheAccessModes: ["${VOLSYNC_CACHE_ACCESSMODES:-ReadWriteOnce}"]
- cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:-8Gi}"
+ cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:-4Gi}"
 storageClassName: "${VOLSYNC_STORAGECLASS:-ceph-block}"
 accessModes: ["${VOLSYNC_ACCESSMODES:-ReadWriteOnce}"]
 capacity: "${VOLSYNC_CAPACITY}"
diff --git a/kubernetes/templates/volsync/r2.yaml b/kubernetes/templates/volsync/r2.yaml
index e8eda2f9..051ebf7d 100644
--- a/kubernetes/templates/volsync/r2.yaml
+++ b/kubernetes/templates/volsync/r2.yaml
@@ -37,8 +37,8 @@ spec:
 pruneIntervalDays: 7
 repository: "${APP}-volsync-r2-secret"
 volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:-csi-ceph-blockpool}"
- cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:-8Gi}"
- cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-local-hostpath}"
+ cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:-4Gi}"
+ cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-openebs-hostpath}"
 cacheAccessModes: ["${VOLSYNC_CACHE_ACCESSMODES:-ReadWriteOnce}"]
 storageClassName: "${VOLSYNC_STORAGECLASS:-ceph-block}"
 accessModes: ["${VOLSYNC_ACCESSMODES:-ReadWriteOnce}"]
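Review bot: The new defaults `openebs-hostpath` and `4Gi` are repeated in four places (both hunks of `minio.yaml` and the `r2.yaml` hunk), so the next storage change needs the same four-way edit; at minimum add `# keep in sync with the ReplicationDestination below and with r2.yaml` on the first `cacheStorageClassName` line. The variable behind that value is still called `VOLSYNC_CACHE_SNAPSHOTCLASS` although it selects a StorageClass, not a VolumeSnapshotClass; renaming it would break every app that overrides it, so the safe fix is the comment `# VOLSYNC_CACHE_SNAPSHOTCLASS names a StorageClass (historical name)`. Halving the cache default to `4Gi` is not explained in the hunk, and restic's metadata cache grows with repository size, so a one-line sizing assumption would help whoever later sees cache PVCs fill up. Nothing in this commit makes the volsync Flux Kustomization depend on the openebs one, so apps reconciled before the `openebs-hostpath` class exists will hold Pending cache PVCs until Flux retries, unless a `dependsOn` exists outside what is shown.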