talos #61

Merged
jahanson merged 5 commits from talos into main 2024-02-15 17:26:33 -06:00
22 changed files with 173 additions and 97 deletions


@ -50,9 +50,13 @@ spec:
extraConfig:
allow-localhost: policy # enable policies for localhost
kubeProxyReplacement: true
k8sServiceHost: ${K8S_SERVICE_ENDPOINT}
k8sServicePort: 6443
k8sServiceHost: 127.0.0.1
k8sServicePort: 7445
rollOutCiliumPods: true
cgroup:
automount:
enabled: false
hostRoot: /sys/fs/cgroup
bgp:
enabled: false
announce:
@ -60,3 +64,21 @@ spec:
podCIDR: false
bgpControlPlane:
enabled: true
securityContext:
capabilities:
ciliumAgent:
- CHOWN
- KILL
- NET_ADMIN
- NET_RAW
- IPC_LOCK
- SYS_ADMIN
- SYS_RESOURCE
- DAC_OVERRIDE
- FOWNER
- SETGID
- SETUID
cleanCiliumState:
- NET_ADMIN
- SYS_ADMIN
- SYS_RESOURCE
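Review bot: The new `securityContext.capabilities` lists for ciliumAgent and cleanCiliumState carry no comment saying where they come from or why the chart default was replaced, and since SYS_ADMIN is close to full host privilege a reader cannot tell whether this is a minimal set or a copy from a guide; a line above `securityContext:` such as `# capability set for Talos (no privileged pods); presumably from Cilium's Talos install guide` would anchor it. The same applies to the first hunk, where `k8sServiceHost: 127.0.0.1` / `k8sServicePort: 7445` replace the `${K8S_SERVICE_ENDPOINT}` substitution — worth a comment naming the local endpoint it targets, and worth checking that the now-unused variable is not still carried in a postBuild substituteFrom. The `cgroup.automount.enabled: false` / `hostRoot: /sys/fs/cgroup` pair in that hunk is a similar host-specific deviation that deserves a one-line why. The spec block continues outside both hunks.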


@ -0,0 +1,34 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: spegel
spec:
interval: 30m
chart:
spec:
chart: spegel
version: v0.0.18
sourceRef:
kind: HelmRepository
name: xenitab
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
values:
spegel:
containerdSock: /run/containerd/containerd.sock
containerdRegistryConfigPath: /etc/cri/conf.d/hosts
service:
registry:
hostPort: 29999
serviceMonitor:
enabled: true
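Review bot: `containerdRegistryConfigPath: /etc/cri/conf.d/hosts` is a host path that differs from the usual containerd certs.d location (presumably the Talos one), but nothing in the file records that, so a comment above `spegel:` like `# Talos: CRI registry hosts dir that spegel rewrites; containerd socket is the stock path` would keep the next reader from guessing. Mounting the containerd socket hands the DaemonSet control of the node runtime and `hostPort: 29999` binds the mirror on every node's host interface, so it is worth a note on how that port is expected to be reachable only from other nodes (network policy or host firewall), since the values here do not restrict it. The xenitab HelmRepository added in this PR is `type: oci`, so if upstream publishes cosign signatures the release could also pin provenance with `verify: {provider: cosign}` under `chart.spec` — confirm signatures exist before enabling.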


@ -1,16 +1,16 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app local-path-provisioner
name: &app spegel
namespace: flux-system
spec:
targetNamespace: storage
targetNamespace: kube-system
commonMetadata:
labels:
app.kubernetes.io/name: *app
path: ./kubernetes/apps/storage/local-path-provisioner/app
path: ./kubernetes/apps/kube-system/spegel/app
prune: true
sourceRef:
kind: GitRepository


@ -0,0 +1,9 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# Pre Flux-Kustomizations
- ./namespace.yaml
# Flux-Kustomizations
- ./openebs/ks.yaml


@ -0,0 +1,8 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: openebs-system
annotations:
kustomize.toolkit.fluxcd.io/prune: disabled
volsync.backube/privileged-movers: "true"
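Review bot: `volsync.backube/privileged-movers: "true"` lets VolSync run its mover pods privileged in openebs-system, but nothing in this PR places a ReplicationSource or ReplicationDestination there (the volsync templates only switch their cache StorageClass to openebs-hostpath), so the annotation looks carried over from another namespace and widens privilege with no consumer; drop it unless a mover in this namespace is planned. Also, `kustomize.toolkit.fluxcd.io/prune: disabled` is placed under `annotations` here while the renamed volsync-system Namespace in the same PR keeps it under `labels`; Flux honours both forms, but the repo should settle on one.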


@ -0,0 +1,32 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: openebs
spec:
interval: 30m
chart:
spec:
chart: openebs
version: 3.10.0
sourceRef:
kind: HelmRepository
name: openebs
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
values:
localprovisioner:
hostpathClass:
enabled: true
name: openebs-hostpath
isDefaultClass: false
basePath: /var/openebs/local
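Review bot: `basePath: /var/openebs/local` is a hostPath the provisioner writes on every node, and on Talos that directory is only usable from pods if the machine config exposes it (a kubelet extraMount of that path, rw and rshared); that prerequisite lives outside this repository file, so a comment above `basePath:` such as `# requires a kubelet extraMount of /var/openebs/local in the Talos machine config` would keep the two in step. Only the hostpath class is configured here; if the chart's defaults for 3.10.0 still enable the NDM daemonset (which runs privileged to scan host block devices), it is worth switching it off explicitly since nothing in these values needs it — confirm against the chart's values file.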


@ -0,0 +1,6 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrelease.yaml


@ -0,0 +1,21 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app openebs
namespace: flux-system
spec:
targetNamespace: openebs-system
commonMetadata:
labels:
app.kubernetes.io/name: *app
path: ./kubernetes/apps/openebs-system/openebs/app
prune: true
sourceRef:
kind: GitRepository
name: homelab
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
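Review bot: The volsync templates in this PR now default their cache StorageClass to openebs-hostpath, but this Kustomization has `wait: false` and the volsync Kustomization in the same PR shows no `dependsOn` in its hunk, so nothing orders the StorageClass before the first VolSync cache PVC; on a fresh bootstrap that PVC will sit Pending until the class appears, which resolves itself but is confusing to debug. Either set `wait: true` here or add `dependsOn: [{name: openebs}]` to the volsync ks. The volsync ks's full spec is outside the hunks shown, so the missing dependsOn is inferred.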


@ -1,77 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: local-path-provisioner
spec:
interval: 30m
chart:
spec:
chart: democratic-csi
version: 0.14.5
sourceRef:
name: democratic-csi
kind: HelmRepository
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
values:
fullnameOverride: local-path-provisioner
controller:
strategy: node
externalProvisioner:
image: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0
extraArgs:
- --leader-election=false
- --node-deployment=true
- --node-deployment-immediate-binding=false
- --feature-gates=Topology=true
- --strict-topology=true
- --enable-capacity=true
- --capacity-ownerref-level=1
externalResizer:
enabled: false
externalAttacher:
enabled: false
externalSnapshotter:
enabled: false
csiDriver:
name: local-hostpath.cluster.local
storageCapacity: true
attachRequired: false
fsGroupPolicy: File
storageClasses:
- name: local-hostpath
defaultClass: false
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
driver:
config:
driver: local-hostpath
local-hostpath:
shareBasePath: &storagePath /var/lib/rancher/k3s/local-hostpath
controllerBasePath: *storagePath
dirPermissionsMode: "0770"
dirPermissionsUser: 0
dirPermissionsGroup: 0
node:
driver:
image: ghcr.io/democratic-csi/democratic-csi:v1.8.4
extraVolumeMounts:
- name: local-hostpath
mountPath: *storagePath
mountPropagation: Bidirectional
extraVolumes:
- name: local-hostpath
hostPath:
path: *storagePath
type: DirectoryOrCreate


@ -6,6 +6,5 @@ resources:
# Pre Flux-Kustomizations
- ./namespace.yaml
# Flux-Kustomizations
- ./local-path-provisioner/ks.yaml
- ./snapshot-controller/ks.yaml
- ./volsync/ks.yaml


@ -2,6 +2,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: storage
name: volsync-system
labels:
kustomize.toolkit.fluxcd.io/prune: disabled
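Review bot: Renaming the Namespace in place from storage to volsync-system creates a new object, and because the file carries `kustomize.toolkit.fluxcd.io/prune: disabled` the old storage namespace and whatever is still in it (the local-path-provisioner release deleted in this PR and any PVCs it provisioned) will not be garbage-collected by Flux, so a manual cleanup step is needed that the PR does not mention. A sentence in the PR description recording that leftover, or a short-lived comment above `name:`, would help whoever reconciles it later.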


@ -10,7 +10,7 @@ spec:
commonMetadata:
labels:
app.kubernetes.io/name: *app
path: ./kubernetes/apps/storage/snapshot-controller/app
path: ./kubernetes/apps/volsync-system/snapshot-controller/app
prune: true
sourceRef:
kind: GitRepository


@ -11,7 +11,7 @@ spec:
labels:
app.kubernetes.io/name: *appname
interval: 10m
path: "./kubernetes/apps/storage/volsync/app"
path: "./kubernetes/apps/volsync-system/volsync/app"
prune: true
sourceRef:
kind: GitRepository


@ -11,7 +11,7 @@ resources:
- cloudnative-pg.yaml
- crowdsec.yaml
- crunchydata.yaml
- democratic-csi.yaml
# - democratic-csi.yaml
- dragonflydb.yaml
- elastic.yaml
- external-secrets.yaml
@ -28,9 +28,10 @@ resources:
- kubernetes-sigs-metrics-server.yaml
- kubernetes-sigs-external-dns.yaml
- nvidia.yaml
- openebs.yaml
- piraeus.yaml
- postfinance.yaml
- prometheus-community.yaml
- rook-ceph.yaml
- stakater.yaml
# - weave-gitops.yaml
- xenitab.yaml
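Review bot: `# - democratic-csi.yaml` leaves a dead entry in the resource list now that the democratic-csi HelmRelease is deleted in this same PR; git history already preserves it, so delete the line rather than comment it out (the existing `# - weave-gitops.yaml` has the same smell but predates this change). If the democratic-csi HelmRepository file is also meant to go, removing it keeps the directory from drifting away from this list.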


@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/source.toolkit.fluxcd.io/helmrepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: openebs
namespace: flux-system
spec:
interval: 2h
url: https://openebs.github.io/charts


@ -0,0 +1,11 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/source.toolkit.fluxcd.io/helmrepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: xenitab
namespace: flux-system
spec:
type: oci
interval: 5m
url: oci://ghcr.io/xenitab/helm-charts


@ -37,8 +37,8 @@ spec:
pruneIntervalDays: 7
repository: "${APP}-volsync-secret"
volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:-csi-ceph-blockpool}"
cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:-8Gi}"
cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-local-hostpath}"
cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:-4Gi}"
cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-openebs-hostpath}"
cacheAccessModes: ["${VOLSYNC_CACHE_ACCESSMODES:-ReadWriteOnce}"]
storageClassName: "${VOLSYNC_STORAGECLASS:-ceph-block}"
accessModes: ["${VOLSYNC_ACCESSMODES:-ReadWriteOnce}"]
@ -63,9 +63,9 @@ spec:
repository: "${APP}-volsync-secret"
copyMethod: Snapshot # must be Snapshot
volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:-csi-ceph-blockpool}"
cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-local-hostpath}"
cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-openebs-hostpath}"
cacheAccessModes: ["${VOLSYNC_CACHE_ACCESSMODES:-ReadWriteOnce}"]
cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:-8Gi}"
cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:-4Gi}"
storageClassName: "${VOLSYNC_STORAGECLASS:-ceph-block}"
accessModes: ["${VOLSYNC_ACCESSMODES:-ReadWriteOnce}"]
capacity: "${VOLSYNC_CAPACITY}"
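Review bot: The new defaults `openebs-hostpath` and `4Gi` are repeated verbatim in both hunks of this file and again in the r2 template below, so the next change to the cache class has three places to miss; the `${VAR:-default}` substitution form already used here supports a single source of truth if the defaults move into the cluster-level substituteFrom ConfigMap and the templates keep bare `${VOLSYNC_CACHE_SNAPSHOTCLASS}` and `${VOLSYNC_CACHE_CAPACITY}`. Separately, `VOLSYNC_CACHE_SNAPSHOTCLASS` names a StorageClass, not a VolumeSnapshotClass, which is easy to misread next to `VOLSYNC_SNAPSHOTCLASS` on the line above; that naming predates this PR. The spec block continues outside the hunks.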


@ -37,8 +37,8 @@ spec:
pruneIntervalDays: 7
repository: "${APP}-volsync-r2-secret"
volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:-csi-ceph-blockpool}"
cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:-8Gi}"
cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-local-hostpath}"
cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:-4Gi}"
cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:-openebs-hostpath}"
cacheAccessModes: ["${VOLSYNC_CACHE_ACCESSMODES:-ReadWriteOnce}"]
storageClassName: "${VOLSYNC_STORAGECLASS:-ceph-block}"
accessModes: ["${VOLSYNC_ACCESSMODES:-ReadWriteOnce}"]