From e15bb1483a5e684db8d3d0975f9eab696cf84033 Mon Sep 17 00:00:00 2001 From: Smeagol Date: Sat, 23 Sep 2023 17:00:16 +0000 Subject: [PATCH 01/54] Update Helm release grafana to v6.60.1 --- kubernetes/apps/monitoring/grafana/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml index 82cc350..9b898af 100644 --- a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml @@ -14,7 +14,7 @@ spec: kind: HelmRepository name: grafana namespace: flux-system - version: 6.60.0 + version: 6.60.1 interval: 30m timeout: 20m maxHistory: 2 From 7b5cb8292f19b3fbd08552075d6e918fb94552f9 Mon Sep 17 00:00:00 2001 From: Smeagol Date: Sun, 24 Sep 2023 00:00:43 +0000 Subject: [PATCH 02/54] Update kube-prometheus-stack Docker tag to v51.2.0 --- .../apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml index a929b4f..c311cbe 100644 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml @@ -11,7 +11,7 @@ spec: chart: spec: chart: kube-prometheus-stack - version: 51.1.1 + version: 51.2.0 sourceRef: kind: HelmRepository name: prometheus-community From 64127a58fec53bae83d9126f00a9dec94062b43f Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Mon, 25 Sep 2023 13:03:19 -0500 Subject: [PATCH 03/54] Updating cilium and coredns. --- .sops.yaml | 2 +- .../playbooks/templates/custom-cilium-helmchart.yaml.j2 | 2 +- .../playbooks/templates/custom-coredns-helmchart.yaml.j2 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 4bf4993..363adda 100644 
--- a/.sops.yaml +++ b/.sops.yaml @@ -9,7 +9,7 @@ creation_rules: # Valinor age: >- age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve - - path_regex: (ansible|terraform)/.*\.sops\.ya?ml + - path_regex: (ansible|terraform|talos)/.*\.sops\.ya?ml # Valinor age: >- age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve diff --git a/ansible/kubernetes/playbooks/templates/custom-cilium-helmchart.yaml.j2 b/ansible/kubernetes/playbooks/templates/custom-cilium-helmchart.yaml.j2 index de6546d..09624f3 100644 --- a/ansible/kubernetes/playbooks/templates/custom-cilium-helmchart.yaml.j2 +++ b/ansible/kubernetes/playbooks/templates/custom-cilium-helmchart.yaml.j2 @@ -9,7 +9,7 @@ spec: # renovate: datasource=helm repo: https://helm.cilium.io/ chart: cilium - version: 1.14.0 + version: 1.14.2 targetNamespace: kube-system bootstrap: true valuesContent: |- diff --git a/ansible/kubernetes/playbooks/templates/custom-coredns-helmchart.yaml.j2 b/ansible/kubernetes/playbooks/templates/custom-coredns-helmchart.yaml.j2 index d0b3ce1..12f076d 100644 --- a/ansible/kubernetes/playbooks/templates/custom-coredns-helmchart.yaml.j2 +++ b/ansible/kubernetes/playbooks/templates/custom-coredns-helmchart.yaml.j2 @@ -9,7 +9,7 @@ spec: # renovate: datasource=helm repo: https://coredns.github.io/helm chart: coredns - version: 1.24.5 + version: 1.26.0 targetNamespace: kube-system bootstrap: true valuesContent: |- From b2a00c5fc7a496f7ad5a1c3ef0cd2eb0fbd37dc8 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Mon, 25 Sep 2023 13:13:01 -0500 Subject: [PATCH 04/54] Update k3s and cilium settings. --- ansible/kubernetes/inventory/group_vars/all/main.yaml | 2 +- .../playbooks/templates/custom-cilium-helmchart.yaml.j2 | 2 +- kubernetes/apps/kube-system/cilium/app/helmrelease.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/kubernetes/inventory/group_vars/all/main.yaml b/ansible/kubernetes/inventory/group_vars/all/main.yaml index 7def6ba..040f8b5 100644 
--- a/ansible/kubernetes/inventory/group_vars/all/main.yaml +++ b/ansible/kubernetes/inventory/group_vars/all/main.yaml @@ -1,6 +1,6 @@ --- # renovate: datasource=github-releases depName=k3s-io/k3s -k3s_release_version: "v1.27.5+k3s1" +k3s_release_version: "v1.28.2+k3s1" k3s_install_hard_links: true k3s_become: true k3s_etcd_datastore: true diff --git a/ansible/kubernetes/playbooks/templates/custom-cilium-helmchart.yaml.j2 b/ansible/kubernetes/playbooks/templates/custom-cilium-helmchart.yaml.j2 index 09624f3..004daa2 100644 --- a/ansible/kubernetes/playbooks/templates/custom-cilium-helmchart.yaml.j2 +++ b/ansible/kubernetes/playbooks/templates/custom-cilium-helmchart.yaml.j2 @@ -33,7 +33,7 @@ spec: ipv4NativeRoutingCIDR: "{{ k3s_server['cluster-cidr'] }}" k8sServiceHost: "{{ k3s_registration_address }}" k8sServicePort: 6443 - kubeProxyReplacement: strict + kubeProxyReplacement: true kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 l2announcements: enabled: true diff --git a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml index 7cb572a..a032c66 100644 --- a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml @@ -78,7 +78,7 @@ spec: ipv4NativeRoutingCIDR: 10.32.0.0/16 k8sServiceHost: 10.2.0.6 k8sServicePort: 6443 - kubeProxyReplacement: strict + kubeProxyReplacement: true kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 l2announcements: enabled: true From 919121caa0874a85c69e5a3192bc53bc6fb9a6a0 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Mon, 25 Sep 2023 19:18:46 -0500 Subject: [PATCH 05/54] Updating hosts. --- ansible/kubernetes/inventory/hosts.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/kubernetes/inventory/hosts.yaml b/ansible/kubernetes/inventory/hosts.yaml index 63f318b..e9b6604 100644 --- a/ansible/kubernetes/inventory/hosts.yaml +++ b/ansible/kubernetes/inventory/hosts.yaml 
@@ -6,15 +6,15 @@ kubernetes: children: master: hosts: - valinor-1: + aule: ansible_host: 10.2.0.3 ceph_drives: - /dev/disk/by-id/scsi-0HC_Volume_37231496 - valinor-2: + eonwe: ansible_host: 10.2.0.4 ceph_drives: - /dev/disk/by-id/scsi-0HC_Volume_37231521 - valinor-3: + arlen: ansible_host: 10.2.0.5 ceph_drives: - /dev/disk/by-id/scsi-0HC_Volume_37231596 From 29fa134f1f685fd9936572c3cc8a46fba0f1d771 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Mon, 25 Sep 2023 19:21:40 -0500 Subject: [PATCH 06/54] Updating for talos infra. --- .../kubelet-csr-approver/app/helmrelease.yaml | 21 +++++ .../app/kustomization.yaml | 14 +++ .../app/kustomizeconfig.yaml | 7 ++ .../kubelet-csr-approver/app/values.yaml | 5 + .../apps/system/kubelet-csr-approver/ks.yaml | 15 +++ kubernetes/apps/system/kustomization.yaml | 1 + talos/clusterconfig/.gitignore | 4 + talos/integrations/cni/kustomiation.yaml | 18 ++++ .../kubelet-csr-approver/kustomization.yaml | 18 ++++ talos/talconfig.yaml | 93 +++++++++++++++++++ talos/talenv.sops.yaml | 22 +++++ talos/talsecret.sops.yaml | 43 +++++++++ 12 files changed, 261 insertions(+) create mode 100644 kubernetes/apps/system/kubelet-csr-approver/app/helmrelease.yaml create mode 100644 kubernetes/apps/system/kubelet-csr-approver/app/kustomization.yaml create mode 100644 kubernetes/apps/system/kubelet-csr-approver/app/kustomizeconfig.yaml create mode 100644 kubernetes/apps/system/kubelet-csr-approver/app/values.yaml create mode 100644 kubernetes/apps/system/kubelet-csr-approver/ks.yaml create mode 100644 talos/clusterconfig/.gitignore create mode 100644 talos/integrations/cni/kustomiation.yaml create mode 100644 talos/integrations/kubelet-csr-approver/kustomization.yaml create mode 100644 talos/talconfig.yaml create mode 100644 talos/talenv.sops.yaml create mode 100644 talos/talsecret.sops.yaml 
diff --git a/kubernetes/apps/system/kubelet-csr-approver/app/helmrelease.yaml b/kubernetes/apps/system/kubelet-csr-approver/app/helmrelease.yaml new file mode 100644 index 0000000..1b6edd9 --- /dev/null +++ b/kubernetes/apps/system/kubelet-csr-approver/app/helmrelease.yaml @@ -0,0 +1,21 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: kubelet-csr-approver + namespace: system-controllers +spec: + interval: 30m + chart: + spec: + chart: kubelet-csr-approver + version: 1.0.5 + sourceRef: + kind: HelmRepository + name: postfinance + namespace: flux-system + interval: 30m + valuesFrom: + - kind: ConfigMap + name: kubelet-csr-approver-values diff --git a/kubernetes/apps/system/kubelet-csr-approver/app/kustomization.yaml b/kubernetes/apps/system/kubelet-csr-approver/app/kustomization.yaml new file mode 100644 index 0000000..59dcf0e --- /dev/null +++ b/kubernetes/apps/system/kubelet-csr-approver/app/kustomization.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: system-controllers +resources: + - ./helmrelease.yaml + +configMapGenerator: + - name: kubelet-csr-approver-values + files: + - values.yaml=./values.yaml + +configurations: + - kustomizeconfig.yaml diff --git a/kubernetes/apps/system/kubelet-csr-approver/app/kustomizeconfig.yaml b/kubernetes/apps/system/kubelet-csr-approver/app/kustomizeconfig.yaml new file mode 100644 index 0000000..58f92ba --- /dev/null +++ b/kubernetes/apps/system/kubelet-csr-approver/app/kustomizeconfig.yaml @@ -0,0 +1,7 @@ +--- +nameReference: + - kind: ConfigMap + version: v1 + fieldSpecs: + - path: spec/valuesFrom/name + kind: HelmRelease diff --git a/kubernetes/apps/system/kubelet-csr-approver/app/values.yaml b/kubernetes/apps/system/kubelet-csr-approver/app/values.yaml new file mode 100644 index 0000000..3755b48 
--- /dev/null +++ b/kubernetes/apps/system/kubelet-csr-approver/app/values.yaml @@ -0,0 +1,5 @@ +--- +providerRegex: | + ^(eonwe|aule|arlen)$ + +bypassDnsResolution: true diff --git a/kubernetes/apps/system/kubelet-csr-approver/ks.yaml b/kubernetes/apps/system/kubelet-csr-approver/ks.yaml new file mode 100644 index 0000000..b845586 --- /dev/null +++ b/kubernetes/apps/system/kubelet-csr-approver/ks.yaml @@ -0,0 +1,15 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cluster-apps-kubelet-csr-approver + namespace: flux-system +spec: + interval: 10m + path: "./kubernetes/apps/system-controllers/kubelet-csr-approver/app" + prune: true + sourceRef: + kind: GitRepository + name: valinor + wait: true diff --git a/kubernetes/apps/system/kustomization.yaml b/kubernetes/apps/system/kustomization.yaml index 5d93ed2..20ddf63 100644 --- a/kubernetes/apps/system/kustomization.yaml +++ b/kubernetes/apps/system/kustomization.yaml @@ -6,3 +6,4 @@ resources: - ./namespace.yaml # Flux-Kustomizations - ./reloader/ks.yaml + - ./kubelet-csr-approver/ks.yaml diff --git a/talos/clusterconfig/.gitignore b/talos/clusterconfig/.gitignore new file mode 100644 index 0000000..7568faf --- /dev/null +++ b/talos/clusterconfig/.gitignore @@ -0,0 +1,4 @@ +valinor-aule.hsn.dev.yaml +valinor-eonwe.hsn.dev.yaml +valinor-arlen.hsn.dev.yaml +talosconfig diff --git a/talos/integrations/cni/kustomiation.yaml b/talos/integrations/cni/kustomiation.yaml new file mode 100644 index 0000000..a13a60d --- /dev/null +++ b/talos/integrations/cni/kustomiation.yaml 
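Review bot: `providerRegex: |` keeps the block scalar's trailing newline as part of the value, so unless the chart trims it the pattern handed to the approver is `^(eonwe|aule|arlen)$\n`, which cannot match any node name; write it as `providerRegex: '^(eonwe|aule|arlen)$'` (or at least `|-`). With `bypassDnsResolution: true` the cross-check of the CSR's SAN against the node's resolved address is switched off, so this regex becomes the only gate on which kubelet serving-certificate CSRs are auto-approved — it has to be both tight and actually matching. The nodes in `talos/talconfig.yaml` in this same commit are declared with FQDN hostnames (`aule.hsn.dev` and so on); if the kubelets register under those FQDNs, the bare-name alternatives here will not match even once the newline is fixed.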
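Review bot: The Flux Kustomization `path` points at `./kubernetes/apps/system-controllers/kubelet-csr-approver/app`, but every file in this commit is created under `kubernetes/apps/system/kubelet-csr-approver/app`, and it is `kubernetes/apps/system/kustomization.yaml` that gains the `./kubelet-csr-approver/ks.yaml` reference, so reconciliation will fail on a missing path. Change it to `path: "./kubernetes/apps/system/kubelet-csr-approver/app"` or move the directory, whichever layout is intended. The resources are namespaced `system-controllers` while living under the `system` app tree; it is worth confirming that the `./namespace.yaml` listed there actually creates `system-controllers`, since neither this commit nor the HelmRelease does.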
@@ -0,0 +1,18 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +helmCharts: + - name: cilium + repo: https://helm.cilium.io/ + version: 1.14.2 + releaseName: cilium + includeCRDs: true + namespace: kube-system + valuesFile: values.yaml + +commonAnnotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system +commonLabels: + app.kubernetes.io/managed-by: Helm diff --git a/talos/integrations/kubelet-csr-approver/kustomization.yaml b/talos/integrations/kubelet-csr-approver/kustomization.yaml new file mode 100644 index 0000000..39f025b --- /dev/null +++ b/talos/integrations/kubelet-csr-approver/kustomization.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +helmCharts: + - name: kubelet-csr-approver + repo: https://postfinance.github.io/kubelet-csr-approver + version: 1.0.5 + releaseName: kubelet-csr-approver + includeCRDs: true + namespace: system-controllers + valuesFile: values.yaml + +commonAnnotations: + meta.helm.sh/release-name: kubelet-csr-approver + meta.helm.sh/release-namespace: system-controllers +commonLabels: + app.kubernetes.io/managed-by: Helm diff --git a/talos/talconfig.yaml b/talos/talconfig.yaml new file mode 100644 index 0000000..5fb64db --- /dev/null +++ b/talos/talconfig.yaml 
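Review bot: The new file is named `kustomiation.yaml` (the `z` is missing); kustomize only recognises `kustomization.yaml`, `kustomization.yml` or `Kustomization`, so the `kustomize build --enable-helm cni` call in the deploy script from the next commit will not find it. Rename the file — the sibling `talos/integrations/kubelet-csr-approver/kustomization.yaml` in this commit is spelled correctly. Separately, `commonLabels` is applied to pod selectors as well as metadata, so `app.kubernetes.io/managed-by: Helm` is baked into every Deployment/DaemonSet selector of the rendered Cilium chart; selectors are immutable, so a later upgrade that renders a selector without that label can fail with a field-immutable error — the `labels:` field with `includeSelectors: false` gives the same annotation-style label without touching selectors.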
@@ -0,0 +1,93 @@ +--- +clusterName: ${clusterName} + +talosVersion: v1.5.1 +kubernetesVersion: 1.28.1 +endpoint: "https://${clusterName}.hsn.dev:6443" + +cniConfig: + name: none + +additionalApiServerCertSans: + - ${clusterEndpointIP} + +additionalMachineCertSans: + - ${clusterEndpointIP} + - ${clusterName}.hsn.dev + +nodes: + - hostname: aule.hsn.dev + disableSearchDomain: true + ipAddress: 10.2.0.3 + controlPlane: true + installDiskSelector: + busPath: /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_37145789 + networkInterfaces: + - interface: eth0 + dhcp: true + + - hostname: eonwe.hsn.dev + disableSearchDomain: true + ipAddress: 10.2.0.4 + controlPlane: true + installDiskSelector: + busPath: /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_37145792 + networkInterfaces: + - interface: eth0 + dhcp: true + + - hostname: arlen.hsn.dev + disableSearchDomain: true + ipAddress: 10.2.0.5 + controlPlane: true + installDiskSelector: + busPath: /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_37145790 + networkInterfaces: + - interface: eth0 + dhcp: true +controlPlane: + patches: + - |- + cluster: + allowSchedulingOnMasters: true + proxy: + disabled: true + etcd: + advertisedSubnets: + - 10.2.0.0/24 + + - |- + - op: remove + path: /cluster/apiServer/admissionControl + + - |- + machine: + files: + - op: create + path: /etc/cri/conf.d/20-customization.part + content: | + [plugins] + [plugins."io.containerd.grpc.v1.cri"] + enable_unprivileged_ports = true + enable_unprivileged_icmp = true + kubelet: + extraArgs: + feature-gates: CronJobTimeZone=true,GracefulNodeShutdown=true,NewVolumeManagerReconstruction=false + rotate-server-certificates: "true" + extraConfig: + maxPods: 150 + nodeIP: + validSubnets: + - 10.2.0.0/24 + network: + extraHostEntries: + - ip: ${clusterEndpointIP} + aliases: + - ${clusterName}.hsn.dev + sysctls: + fs.inotify.max_user_watches: "1048576" + fs.inotify.max_user_instances: "8192" + time: + disabled: false + servers: + - ntp.hetzner.com 
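Review bot: The `- op: remove` / `path: /cluster/apiServer/admissionControl` patch removes the admission configuration wholesale, and in Talos that key holds the default PodSecurity admission configuration (baseline enforced cluster-wide with kube-system exempted), so after this patch no Pod Security Standard is enforced on any namespace. If the goal is to run privileged workloads in a few namespaces, keep the default and opt those namespaces out with the `pod-security.kubernetes.io/enforce: privileged` label, or patch the configuration's `exemptions.namespaces` list instead of deleting it. `rotate-server-certificates: "true"` ties this cluster to the kubelet-csr-approver added in the same commit — until its regex matches the node names, kubelet serving CSRs stay pending and logs/exec/metrics against the nodes stop working. A one-line comment above the remove patch stating why admission control is dropped would spare the next reader from guessing.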
diff --git a/talos/talenv.sops.yaml b/talos/talenv.sops.yaml new file mode 100644 index 0000000..bdec1f0 --- /dev/null +++ b/talos/talenv.sops.yaml @@ -0,0 +1,22 @@ +clusterName: ENC[AES256_GCM,data:iT5CwpMddw==,iv:st1ajjpRXQiHozpIJqUUwmRe542IiR2aWLEdqkk4W9k=,tag:KOCQ8x28kwNNDUXwOTpulg==,type:str] +clusterEndpointIP: ENC[AES256_GCM,data:5VXivET/uV4=,iv:SRhLmDfbSlhnb9DsaFXCqiP/Bx4Khi4GdXseyuhuYAw=,tag:BrP3OL/1FwrUyCMWRFB0BQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQYkFFdkluSU5heUJLZ1hZ + NlVFR0RMdDN5QTU3UjhZQzFGbS83ZXRKOXpRCmJwZTlmQ2drbWp0aFZaZmFad2Nm + dkxZV1g0NUozY1laV2N4ellTaEJGVE0KLS0tIEptRWFJZVpYcWR6MGNzeU41Vnpi + MTFUZEplYVN5RGhhMGNEcDlGbTVQcjQKktwztZAHGUqoxbGHuAg0dX5Vap+wFVfx + ku6Hzg1ZU8Lvd8ODe+4p+RvHSKVll1akgpPVuymCUxl+I6EvH7gEDA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-09-25T17:08:14Z" + mac: ENC[AES256_GCM,data:WpwataAKsHlCIH6MN/lBBwBk5sKMCYlIptHXCnoqFCMdzPK8JR86XzeOPpJEN9aXu1wfdve+y1f7r4j7j+8V/eYjKDAYnv1ewsmZm9VfzfIcRAv2BGVANp52OASPCyoTwq9wpv7p/1d+f4C2vCZCarmurroxhGcvb17COFOs1SQ=,iv:2sSA+2NyqaSFA1v/Gp6XyTeaqBt5b5OLALmZ/b2TqJE=,tag:DxbiT2+bwjhOjZ38KQ26vQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.0 diff --git a/talos/talsecret.sops.yaml b/talos/talsecret.sops.yaml new file mode 100644 index 0000000..8f99df7 --- /dev/null +++ b/talos/talsecret.sops.yaml 
@@ -0,0 +1,43 @@ +cluster: + id: ENC[AES256_GCM,data:K+hrEJHwEkMvD7vP6Dl7g3VZ0LC9Ytxm4us4Dcj7kMz6n5mEUjO7AeK1ZXI=,iv:QwxLybEen4e06QrV2fXq7NZU523tly2QzvEERAO4PDY=,tag:NOrMociqIh+JNzPEpMRthg==,type:str] + secret: ENC[AES256_GCM,data:bS0TsqBwbjSZcaMnh/16ZLFmbihpTctaHJQPxfhjmPKL1W0pJ7ivdlk44jc=,iv:qfL7Q26+tNCyTRYxqVGcwNVY+nYrNkylqxv1fDVZIPM=,tag:AszrJ1/igGLHQWVKyGJsAA==,type:str] +secrets: + bootstraptoken: ENC[AES256_GCM,data:P0ZbFPa8yMtDamH307VD5fJnTFgj38A=,iv:5rFtX93mSAhZdRZhV3/ZhUYZvjoEq7aHYbuSxMfsjWo=,tag:xYQakQbO1nVyA6oE0qVfZQ==,type:str] + secretboxencryptionsecret: ENC[AES256_GCM,data:HGcJPvrgpWFMTCf1Zo74ek7sZqm8dwa0+EbLcwB3P7/u6mTooOOskONQKA4=,iv:/iOLOaNxdOOv6bwvpJInhfs8sIzaIHsjErIlhTEReds=,tag:u3MdQnaE0+EnFOqSJtSYmw==,type:str] +trustdinfo: + token: ENC[AES256_GCM,data:tfYLX59Xy2Cp9t3GAhqeDus2moEEMns=,iv:xiQOuMWnGnJcr4zTqHOMFGeaVdQNZDg6FTgu9T9NrEU=,tag:A46+Hqq1n9x2WSLQqepIfA==,type:str] +certs: + etcd: + crt: ENC[AES256_GCM,data:ZXI0AWHjVzDiq3D+/txZX3hNsi8bNx/wO/JtVUQyXWbn0gPEpwQIQ/Ty+/juYeQoxot7Cq3QHWvmIn5A+EwBcercL0xg6mv4NNLWYpKiEGa37/lC5B1C2R2jG52GARVEbrfrTqTLZgaxJYltHpZE5GYahESAJihmh9F5t5/6pPnGn5yQUlv840ETfVQzn6F46dTp88dveokEZsNN9QGPySdJHJLRNIyVHcM/pJ57bqJdtCQlS/P3vBsamiL44WMYLfRDzsTqd/kJojGRfUbyB65J24uutX8h1W5BcaJgVlfSfFbs+WXPW6RQA+4495f+KPjMWQh3XoIIXcoQt1fsKo6ZQ783Z2H49ORkNArx1Io3GHhxSuzV7kI/losHZGr7Qxz4TcsV1/mJBKsCjRttQ6xI6Mps40j7PG8X1yuX3PFjy8rHrww3QZOpjs1dUin+mJ/YMvEEAIY9UdrqeORNByV4lQinLA5jnKGlxKcpVC2xESE3hULVwp+M5zah1XD0JM3hTzdd2ainn8h+RPF2RMULUopxlFnyPCOfyhk1KaXDGtzwZn3dlF1t86WRqZPsWvxe7k+F1g4pq/KCniaroAGn8ABpXW9xC653NvKPJJHk4vKV+PthalUANOao7WWHFTFSJI0ZpFeIUffGrSCwFeQH6q/vYNku+XNF4ujqDqNY7ZvUvP8k9p33HXs2ElBz+Yx9+a/NUFTW+OmIAd1yntggTVT/UFJ7WmVlNnZ7XchvupQmChef4KCgnukYkh10s5tYFQRvEhn5jUjPechRKRCAQZn40YzpcoAlxQcQbdjb53QUlDGleAb0vMBmZojcUXE2z+6dKejTsrs0pS2LXnp4dk+Lfsi0iS/VmGQhw6t94LrSEaP9tFioHJejkRMrNbiZMmU+I+6SsP1YFJd0RGHJsuRVychiGRAsYxXISO1ihlUEAlrSnV7wENhbtLpA/xw307ZemnIHJhDR1j4I00lx9tqqkTXaIc47OT+qD53KZTcW2mY5Qm1z+GlXVaXIjR1I4Q==,iv:35Ctm7TvpQHdDMq
C4hOQZwWC0vZxDWwfI/GyrwCl85E=,tag:LI1CIl0tgUEUUqH8AU6flg==,type:str] + key: ENC[AES256_GCM,data:J5ocIosLtz1M2HpCdhzXYbxtOCrSaKbAAoBvzC3jazWY6G2SLP4T/z+pgxicYfvO1liiZg6Ehv+hz5/oDk9E9qNOn2BDR1b3Tn1GuQVvmvW0qPK8EFUht23nAARNTpct6binkq1zt4ei/yuFCWVIkPBnzooNb6jupaRML73JHpV24H7EXO6Qx+5z5SUUycmi8Tjb1oaOCp2sXY5dtzAp14qVlMcKh8SKIkCc2iO5sQvuGKnNZAEketHqatocY/24FMAK6TbRkEqJIPsugX56uc5XlcSqrCu2k4am97sprrSWcwgoRfAFHGG6CejquQXK/1RerwGh5R/RpZXX7I4aHcnN1Yeadr9xZpJlLLS8cj/X+wZd1yYbjac56ZMDRM3ihW/XLMi34K05Rz50WKI8Sw==,iv:dOAgaO+5MmXSsZ/75Gg4TG38c3Lp+bfP/g5z9ycmJrQ=,tag:saCtqLXcmWXoKfohRAH8iQ==,type:str] + k8s: + crt: ENC[AES256_GCM,data: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,iv:26IsGB31zf8Ml1rb7rdMHFj+8AjIrCwo/GDtOLYZHVw=,tag:AZQ1+wiT98i1MkLrMzXnKQ==,type:str] + key: ENC[AES256_GCM,data:R35atBogRh6eeQrm7xDrKT3/4heuVsY1bNcVqyopx7YRnjML7VU56ngfH5rmdHPum0+eabDb0IfukdPtqMti6psAwwlvQdS/epAYaA+sM7HxXZ5YDuaNT3F8tg+cBcNb7UEiD2BDASWdH/ayjuQ3KkDFmGldIIAWsS9EmVAGHvqSziSDgggVuHwkcUULGjFVtfmhuYlGkKaayOhHJO305iwt5xjkQSULMxay4X9k0dJ5WEf6NJNuT2kB60K9mSVdmqMadm3Q3maU4BODQ3RxcSbjhjfjBtLK9yE9zcV5U94mP8kIDwL4kcjUVc+4qjLGcLoOrvkbvRMZWhPIj1dJp9PSdmzhuH18chT3/DMykA7fcpBM9mK1SRKmhDCVGoyz96q9+jSJzNKtsDcB0eGv5Q==,iv:3Dwawk28ccYFO4+x8P3kF7vVnuksIFiwzsAWDpX4sB4=,tag:Sl5uDFN7V+K8NU3N44o1ew==,type:str] + k8saggregator: + crt: 
ENC[AES256_GCM,data:s3hlp1K8dmIuyAFU2FGuovi6SUuH35ooFj/yCFtbllwzVuYT8QFwkdRqK1JF+mdrD9QfEO8ik0r0QrapJR87xvubyFt3pb3FRjCluAz/KuU4xTlCYynQ50yXqAkKWiLh7w5N3yaDVLtav8+aXq9j5asLSZJtUT2v6mjuDoH+mbnUD1Pn5kyNTDDvUIT5HPj94aj4YMR81Al7XFMlM0nhRxhOISBzu5nLQYeUDNrx1MVRIjg5pVTXLByHfFLEyfPwz7wmYv0GQ080NHnq0D4Ws3GAzkqnYxiFG7OrLbsu7GTcye2pQmaLSd8ihq/G5rCktggeTQLPWinR2gTVouqNhQWRjIVcVROtbtALGB8kuJAj3dlA26taPGfa8szYNKCOzgMY8V/RNXsbzjpORG8lLmW+C/046/IX+kQE+5s1FeZ7FUlcZOJXki0nsIQDdwYaOWlj9mkTRYxZYjaWQtcahJBZYXvrkLbVAR/aYWQq7pK+lZJc1aDk26tJhvEFc7vDQAlmhJWKfPPRITM3cBXkhu50FuXRbwyq6HmrW8Ht8ExnYDPWX70993W0mBOo/pRfExApMbQyZuRjUjaoHQ1lqAuW0rsTfXOjE/VKWO0jpJxfWzXWFLLAeVNkbl+skz0iophNhNq0vMrgVWMoR5Zat7N+PBsE6WvGsGcantk9ooYtBxNe1ogSmQqT9rygsNKFGn46NDDaUbn8N4MwLg05dfH8BeokXqax50KEGP6DeH8LyPUXgF7rindJgZ+7atLRkloABdpwkDk85uxvX3F3OS/8GKVsLl2VINpuy50F/MF7MXvCm5EVnw/B9pi1ScX3Iypgu1IG2vwaKbHxdvOtZLGYutvBI8YIgkU1GRZ78SXexUL5turG2dQVV5FBa6G5RYBAgLJRwSRAH/x73RABSLva416llwkbJc98TjhoFmTb2PfuyYMYR/ZYl2XCUpXl,iv:nGJR2zH+9v4aC936Y3yfNkVTCh6F1HZ1mNGWZ1e0Bp0=,tag:DdJP6Ytwa3ab7LXnZFXv5w==,type:str] + key: ENC[AES256_GCM,data:zSWKIdW1G5ytG7OeYpy/omYYHMvQM88DTgDjC5tXnwolH6JRHG68dNyJA/+9sOlz6Gzy7X2LLnA/+hCH3/lNfBy+H2q+9u8LsBfYIXzh1LtQC008rdygh0BnFF0wrBP6ge6bLyF61WUIGk3hLjj7bgsXOhxAyEgwN1dLIBsUR6MsRJfIlbXNZ2LCN7TgmU+NbhWUxWU2LnpsCpEWB4EJ75RaTseyDBdwGt9SZuC43GkUFUrwCWQpVusXNAtuAB9VvS9Rimtz4OuhuI30BneMyx7xH1XCzItIm+8Kt6ZPDehVKQqvsyq9wfOhUUf77raxUurmMBWz+qQDohVy3mP/4Z8CmybI1+vEXvedV3ncw9NlUQmqre56MOjPAA47shtqcvdOvgSRTDfdDcWRNdsmIg==,iv:zVrm4Rl4pR+qoE6/oESzT5gvaLH7sZPBKuYkm1pU9KM=,tag:aWq+/8orGZfrmUlH0hIf9w==,type:str] + k8sserviceaccount: + key: 
ENC[AES256_GCM,data:9Kxsp7UMZ+WpRiRVtwS/qWt9wuWbazM1fx8uD7JPwUP6Pf9s1/KDtMjmHaR2VvXCPAG9QfxjyGCgltlrm6ytVFpP2i9FEEhkhQjdXY2H4ySG1/TjB3oBLkOnhFFXo/SDtSAbQb6AVgsqMMw9dJykL4p6GyqLoSw4FFATnWRAKGi3bRZ7ZxkhAkFCBr99N4FmSU5THVWmHH6e3Yy3eklfegIArgm2OMBxJCb5s3FfsIRFLd86Gw6IgsgVglCo+lRhajab4nxrhxE4nwffpszfSYq2Ux/ZRujEiLZmd+Qizy4j6Zib7t3NQ2ptmgZJr/cRiWKaniNQrhBLADpEXWSMoakVg1R6hE0Zom7YH2tgof+ghkUp939TpOqUKKG1qGqKenxn+iEgsN0vFDyUL7v4Zg==,iv:a5XN2Unipx5JrfpIYMiRzm5q1Nz2iWBlK4eCaVaBsg4=,tag:VsfZfdqeIPAhFk0clqCh/g==,type:str] + os: + crt: ENC[AES256_GCM,data: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,iv:7jKIr7PMK/k0uv/B/FAxJoW3mJREeENgTSCs80K1mcs=,tag:+ilIFyLKNfE9I3TardZk3Q==,type:str] + key: ENC[AES256_GCM,data:duo8abMvBl20XmCmVGEl3E8/f9/vYt9PxW1E7zGoyRA2JR/0FOmqA7lAGer0lJMvdCJE5pNPo4ltT5Naod259ww5z7vVM/XgGY+zPY2UslrjaFxOXd2HFY2t1VEv1fhr9xFHMQ/8aS07nF9vX5tVEnWI+uqDqbvyVL2ecQSOuR0gsADL4+lpyxDoqgqR2ynDTP5CJ96bfEowH9n6O/UeMNm8KAVd3sCN0K4Y4MvpU1AZN9/s,iv:Pw2hjuTWiDhIMeqpC4D050Ykqpd7FwQxH/jkxAn2wJQ=,tag:J/m8Cvko0V4dCx2Ap9pP8g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdk0yeUljL0N1eCtJUlNl + RUk0Y1V3M1F2WUhFZE9NRENjNDNQdUNSUXpRCk1KbmtlaEJkZnZHS2FaUDVCMVN6 + Y3lvSWdpaG9vOVRNdUxjS2dibFNXS00KLS0tIDJ4QTE2VXQ5L2JvTTZ5cFB0blZz + d1FDb25DWWVkRmJQdDJXRzlDYjI2b1EK88JtK5D39eJ0vFrHf5ba0dEiNcBIT0w0 + WGOqOa+LUDhZ10Sa2X/z2IewH1hF+qFceEcXTRBjjmHTTUjn1fdNgQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-09-25T21:31:24Z" + mac: ENC[AES256_GCM,data:XwvzArzbdT+S2txA2Cis3mIpn/ncWEo15yGch57vNDjRlw8ZGLrjneHcbWRThmq84gSbsBh2S2tpiROvT+e+iZ62d1rF2RXusDxY/8a7UXo9ckKY1YVcxQploXmbVadw9FFbaiZkCjGTirrf6SHzPDuN8wAKpfZuVPZG3l4CA8I=,iv:bFED8pWnuLRN4oY1/HvYwFEnAZgrAOp0zETn49XNx1A=,tag:dPUKw38HclNjoLEaPid63g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.0 
From d66d040bdddfe9b535016d801caff8561fa51e61 Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Mon, 25 Sep 2023 19:23:40 -0500
Subject: [PATCH 07/54] Deploy integrations and clusterconfig talos script.
---
 talos/deploy-integrations.sh | 18 ++++++++++++++++++
 talos/generate-clusterconfig.sh | 4 ++++
 2 files changed, 22 insertions(+)
 create mode 100755 talos/deploy-integrations.sh
 create mode 100755 talos/generate-clusterconfig.sh
diff --git a/talos/deploy-integrations.sh b/talos/deploy-integrations.sh
new file mode 100755
index 0000000..17d6b7b
--- /dev/null
+++ b/talos/deploy-integrations.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+# shellcheck disable=2312
+pushd integrations >/dev/null 2>&1 || exit 1
+
+rm -rf cni/charts
+envsubst < ../../kubernetes/apps/kube-system/cilium/app/values.yaml > cni/values.yaml
+kustomize build --enable-helm cni | kubectl apply -f -
+rm cni/values.yaml
+rm -rf cni/charts
+
+rm -rf kubelet-csr-approver/charts
+envsubst < ../../kubernetes/apps/system/kubelet-csr-approver/app/values.yaml > kubelet-csr-approver/values.yaml
+if ! kubectl get ns system >/dev/null 2>&1; then
+ kubectl create ns system
+fi
+kustomize build --enable-helm kubelet-csr-approver | kubectl apply -f -
+rm kubelet-csr-approver/values.yaml
+rm -rf kubelet-csr-approver/charts
diff --git a/talos/generate-clusterconfig.sh b/talos/generate-clusterconfig.sh
new file mode 100755
index 0000000..5136207
--- /dev/null
+++ b/talos/generate-clusterconfig.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+# Generate a new config using talhelper
+talhelper genconfig --env-file talenv.sops.yaml --secret-file talsecret.sops.yaml --config-file talconfig.yaml
From 9e34a4c6cd2acc6bc2d99aaa00aefb86b1ccd630 Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Tue, 26 Sep 2023 09:31:31 -0500
Subject: [PATCH 08/54] Updating private ips.
---
 talos/talconfig.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
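Review bot: The namespace guard creates `system`, but the kubelet-csr-approver kustomization it renders (`talos/integrations/kubelet-csr-approver/kustomization.yaml`, previous commit) targets `system-controllers`, so on a fresh cluster `kubectl apply` fails because that namespace does not exist; the guard should read `if ! kubectl get ns system-controllers >/dev/null 2>&1; then kubectl create ns system-controllers; fi`. The script has no `set -euo pipefail`, so a failed `kustomize build` (for instance from the misnamed `cni/kustomiation.yaml`) still feeds empty input to `kubectl apply -f -` and the unconditional `rm` lines then delete the rendered values that would have shown what went wrong. `pushd integrations` has no matching `popd`, which matters if this script is ever sourced or extended. A short header comment describing the expected working directory and the prerequisite tools (`envsubst`, `kustomize`, `kubectl`) would help, since the relative `../../kubernetes/...` paths only work from `talos/`.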
diff --git a/talos/talconfig.yaml b/talos/talconfig.yaml index 5fb64db..764e672 100644 --- a/talos/talconfig.yaml +++ b/talos/talconfig.yaml @@ -28,7 +28,7 @@ nodes: - hostname: eonwe.hsn.dev disableSearchDomain: true - ipAddress: 10.2.0.4 + ipAddress: 10.2.0.5 controlPlane: true installDiskSelector: busPath: /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_37145792 @@ -38,7 +38,7 @@ nodes: - hostname: arlen.hsn.dev disableSearchDomain: true - ipAddress: 10.2.0.5 + ipAddress: 10.2.0.4 controlPlane: true installDiskSelector: busPath: /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_37145790 From 3ac7d5a40dd85f75d3b8ad241b1666c616c6ed20 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Tue, 26 Sep 2023 09:32:49 -0500 Subject: [PATCH 09/54] Add talosconfig. --- .envrc | 1 + 1 file changed, 1 insertion(+) diff --git a/.envrc b/.envrc index 49bcb30..b7a8641 100644 --- a/.envrc +++ b/.envrc @@ -1,3 +1,4 @@ #shellcheck disable=SC2148,SC2155 export KUBECONFIG="$(expand_path ./kubeconfig)" export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)" +export TALOSCONFIG="$(expand_path ./talos/clusterconfig/talosconfig) \ No newline at end of file From 6906a340aa143a3fa2dedb40b9701487bb7ddd2d Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Tue, 26 Sep 2023 09:34:36 -0500 Subject: [PATCH 10/54] Fix quotes. --- .envrc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.envrc b/.envrc index b7a8641..1ec308d 100644 --- a/.envrc +++ b/.envrc @@ -1,4 +1,4 @@ #shellcheck disable=SC2148,SC2155 export KUBECONFIG="$(expand_path ./kubeconfig)" export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)" -export TALOSCONFIG="$(expand_path ./talos/clusterconfig/talosconfig) \ No newline at end of file +export TALOSCONFIG="$(expand_path ./talos/clusterconfig/talosconfig)" \ No newline at end of file From c168760a0bcdaf8b344477595f750e3375ab58c3 Mon Sep 17 00:00:00 2001 
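Review bot: After these two hunks `eonwe` is 10.2.0.5 and `arlen` is 10.2.0.4, which is the reverse of the Ansible inventory in `ansible/kubernetes/inventory/hosts.yaml` from PATCH 05 (eonwe 10.2.0.4, arlen 10.2.0.5); one of the two sources is now wrong, and the inventory's per-host `ceph_drives` mapping would be applied to the other machine. Either mirror the swap in `hosts.yaml` or note there that the Talos config is authoritative. Both hunks sit inside the `nodes:` list, whose start and end lie outside this diff.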
From: Joseph Hanson Date: Tue, 26 Sep 2023 10:15:35 -0500 Subject: [PATCH 11/54] Rename disk path. --- talos/talconfig.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/talos/talconfig.yaml b/talos/talconfig.yaml index 764e672..cc830ae 100644 --- a/talos/talconfig.yaml +++ b/talos/talconfig.yaml @@ -21,7 +21,7 @@ nodes: ipAddress: 10.2.0.3 controlPlane: true installDiskSelector: - busPath: /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_37145789 + busPath: /dev/sda networkInterfaces: - interface: eth0 dhcp: true @@ -31,7 +31,7 @@ nodes: ipAddress: 10.2.0.5 controlPlane: true installDiskSelector: - busPath: /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_37145792 + busPath: /dev/sda networkInterfaces: - interface: eth0 dhcp: true @@ -41,7 +41,7 @@ nodes: ipAddress: 10.2.0.4 controlPlane: true installDiskSelector: - busPath: /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_37145790 + busPath: /dev/sda networkInterfaces: - interface: eth0 dhcp: true From 8d106be46fab61692d750129f3b7c3ca73c3981c Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Tue, 26 Sep 2023 11:08:16 -0500 Subject: [PATCH 12/54] Updating cilium config --- .../kube-system/cilium/app/kustomization.yaml | 8 + .../cilium/app/kustomizeconfig.yaml | 7 + .../apps/kube-system/cilium/app/values.yaml | 241 ++++++++++++++++++ 3 files changed, 256 insertions(+) create mode 100644 kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml create mode 100644 kubernetes/apps/kube-system/cilium/app/values.yaml diff --git a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml index bb21fed..d5ca0be 100644 --- a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml +++ b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml 
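Review bot: `installDiskSelector.busPath` is matched against the disk's bus path as reported by `talosctl get disks` (a `/pci…`-style string), not a device node, so `/dev/sda` in all three hunks looks unlikely to ever match and the install would stop with no disk selected; if the intent is to pick the disk by name, talhelper's `installDisk: /dev/sda` is the field for that. Note also that the removed `by-id` values were the only stable identifiers here — `/dev/sda` can move between boots when a volume is attached or detached, so a selector on `model`, `size` or `wwid` would be the safer replacement. The `nodes:` entries these hunks patch start outside the diff.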
@@ -1,7 +1,15 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: kube-system resources: - ./helmrelease.yaml - ./cilium-l2.yaml +configMapGenerator: + - name: cilium-values + files: + - values.yaml=./values.yaml + +configurations: + - kustomizeconfig.yaml \ No newline at end of file diff --git a/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml b/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml new file mode 100644 index 0000000..1fcad09 --- /dev/null +++ b/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml @@ -0,0 +1,7 @@ +--- +nameReference: + - kind: ConfigMap + version: v1 + fieldSpecs: + - path: spec/valuesFrom/name + kind: HelmRelease \ No newline at end of file diff --git a/kubernetes/apps/kube-system/cilium/app/values.yaml b/kubernetes/apps/kube-system/cilium/app/values.yaml new file mode 100644 index 0000000..e803c66 --- /dev/null +++ b/kubernetes/apps/kube-system/cilium/app/values.yaml 
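Review bot: The kustomization now generates a `cilium-values` ConfigMap and adds the name-reference configuration for `spec/valuesFrom/name`, but `kubernetes/apps/kube-system/cilium/app/helmrelease.yaml` is not in this commit's diffstat, so unless it already carries `valuesFrom: - kind: ConfigMap / name: cilium-values` the generated ConfigMap is never consumed and the inline values keep winning. Mirror the kubelet-csr-approver HelmRelease from PATCH 06, which uses exactly this pattern. Both files in this commit end with `\ No newline at end of file`, which yamllint's `new-line-at-end-of-file` rule flags and which makes future diffs noisier.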
@@ -0,0 +1,241 @@ +--- +# -- Enable installation of PodCIDR routes between worker +# nodes if worker nodes share a common L2 network segment. +autoDirectNodeRoutes: true + +# -- Configure BGP +bgp: + # -- Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside + # cilium-agent and cilium-operator + enabled: false + announce: + # -- Enable allocation and announcement of service LoadBalancer IPs + loadbalancerIP: true + # -- Enable announcement of node pod CIDR + podCIDR: false + +# -- Configure cgroup related configuration +cgroup: + autoMount: + # -- Enable auto mount of cgroup2 filesystem. + # When `autoMount` is enabled, cgroup2 filesystem is mounted at + # `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod. + # If users disable `autoMount`, it's expected that users have mounted + # cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the + # volume will be mounted inside the cilium agent pod at the same path. + enabled: false + # -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`) + hostRoot: /sys/fs/cgroup + +cluster: + # -- Name of the cluster. Only required for Cluster Mesh. + name: valinor + # -- (int) Unique ID of the cluster. Must be unique across all connected + # clusters and in the range of 1 to 255. Only required for Cluster Mesh, + # may be 0 if Cluster Mesh is not used. + id: 1 + +# -- Configure container runtime specific integration. +containerRuntime: + # -- Enables specific integrations for container runtimes. + # Supported values: + # - containerd + # - crio + # - docker + # - none + # - auto (automatically detect the container runtime) + integration: containerd + +endpointRoutes: + # -- Enable use of per endpoint routes instead of routing via + # the cilium_host interface. + enabled: true + +hubble: + # -- Enable Hubble (true by default). + enabled: true + metrics: + # -- Configures the list of metrics to collect. 
If empty or null, metrics + # are disabled. + # Example: + # + # enabled: + # - dns:query;ignoreAAAA + # - drop + # - tcp + # - flow + # - icmp + # - http + # + # You can specify the list of metrics from the helm CLI: + # + # --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" + # + enabled: + - dns:query;ignoreAAAA, + - drop + - tcp + - flow + - http + - icmp + - port-distribution + + relay: + # -- Enable Hubble Relay (requires hubble.enabled=true) + enabled: true + # -- Roll out Hubble Relay pods automatically when configmap is updated. + rollOutPods: true + + # serviceMonitor: + # # -- Create ServiceMonitor resources for Prometheus Operator. + # # This requires the prometheus CRDs to be available. + # # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + # enabled: false + + ui: + # -- Whether to enable the Hubble UI. + enabled: true + + # -- hubble-ui ingress configuration. + ingress: + enabled: false + + # -- Roll out Hubble-ui pods automatically when configmap is updated. + rollOutPods: true + +ipam: + # -- Configure IP Address Management mode. + # ref: https://docs.cilium.io/en/stable/concepts/networking/ipam/ + mode: kubernetes + +# -- (string) Allows to explicitly specify the IPv4 CIDR for native routing. +# When specified, Cilium assumes networking for this CIDR is preconfigured and +# hands traffic destined for that range to the Linux network stack without +# applying any SNAT. +# Generally speaking, specifying a native routing CIDR implies that Cilium can +# depend on the underlying networking stack to route packets to their +# destination. To offer a concrete example, if Cilium is configured to use +# direct routing and the Kubernetes CIDR is included in the native routing CIDR, +# the user must configure the routes to reach pods, either manually or by +# setting the auto-direct-node-routes flag. 
+ipv4NativeRoutingCIDR: 10.244.0.0/16 + +# -- (string) Kubernetes service host +k8sServiceHost: valinor.hsn.dev +# -- (string) Kubernetes service port +k8sServicePort: 6443 + +# -- Configure the kube-proxy replacement in Cilium BPF datapath +# Valid options are "disabled", "partial", "strict". +# ref: https://docs.cilium.io/en/stable/gettingstarted/kubeproxy-free/ +kubeProxyReplacement: strict + +# -- healthz server bind address for the kube-proxy replacement. +# To enable set the value to '0.0.0.0:10256' for all ipv4 +# addresses and this '[::]:10256' for all ipv6 addresses. +# By default it is disabled. +kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 + +# -- Configure service load balancing +loadBalancer: + # -- algorithm is the name of the load balancing algorithm for backend + # selection e.g. random or maglev + algorithm: random + + # -- mode is the operation mode of load balancing for remote backends + # e.g. snat, dsr, hybrid + mode: snat + +# -- Enable Local Redirect Policy. +localRedirectPolicy: false + +operator: + # -- Enable the cilium-operator component (required). + enabled: true + + # -- Roll out cilium-operator pods automatically when configmap is updated. + rollOutPods: true + +# -- Roll out cilium agent pods automatically when configmap is updated. +rollOutCiliumPods: false + +securityContext: + # -- Run the pod with elevated privileges + privileged: false + + capabilities: + # -- Capabilities for the `cilium-agent` container + ciliumAgent: + # Use to set socket permission + - CHOWN + # Used to terminate envoy child process + - KILL + # Used since cilium modifies routing tables, etc... + - NET_ADMIN + # Used since cilium creates raw sockets, etc... + - NET_RAW + # Used since cilium monitor uses mmap + - IPC_LOCK + # Used in iptables. Consider removing once we are iptables-free + # - SYS_MODULE + # We need it for now but might not need it for >= 5.11 specially + # for the 'SYS_RESOURCE'. 
+ # In >= 5.8 there's already BPF and PERMON capabilities + - SYS_ADMIN + # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC + - SYS_RESOURCE + # Both PERFMON and BPF requires kernel 5.8, container runtime + # cri-o >= v1.22.0 or containerd >= v1.5.0. + # If available, SYS_ADMIN can be removed. + #- PERFMON + #- BPF + # Allow discretionary access control (e.g. required for package installation) + - DAC_OVERRIDE + # Allow to set Access Control Lists (ACLs) on arbitrary files (e.g. required for package installation) + - FOWNER + # Allow to execute program that changes GID (e.g. required for package installation) + - SETGID + # Allow to execute program that changes UID (e.g. required for package installation) + - SETUID + # -- Capabilities for the `mount-cgroup` init container + mountCgroup: + # Only used for 'mount' cgroup + - SYS_ADMIN + # Used for nsenter + - SYS_CHROOT + - SYS_PTRACE + # -- capabilities for the `apply-sysctl-overwrites` init container + applySysctlOverwrites: + # Required in order to access host's /etc/sysctl.d dir + - SYS_ADMIN + # Used for nsenter + - SYS_CHROOT + - SYS_PTRACE + # -- Capabilities for the `clean-cilium-state` init container + cleanCiliumState: + # Most of the capabilities here are the same ones used in the + # cilium-agent's container because this container can be used to + # uninstall all Cilium resources, and therefore it is likely that + # will need the same capabilities. + # Used since cilium modifies routing tables, etc... + - NET_ADMIN + # Used in iptables. Consider removing once we are iptables-free + # - SYS_MODULE + # We need it for now but might not need it for >= 5.11 specially + # for the 'SYS_RESOURCE'. + # In >= 5.8 there's already BPF and PERMON capabilities + - SYS_ADMIN + # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC + - SYS_RESOURCE + # Both PERFMON and BPF requires kernel 5.8, container runtime + # cri-o >= v1.22.0 or containerd >= v1.5.0. 
+ # If available, SYS_ADMIN can be removed. + #- PERFMON + #- BPF + +# -- Configure the encapsulation configuration for communication between nodes. +# Possible values: +# - disabled +# - vxlan (default) +# - geneve +tunnel: "disabled" \ No newline at end of file From 66a8fb2499ceca26510e1f132e8dc272f1c31617 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Tue, 26 Sep 2023 16:09:05 +0000 Subject: [PATCH 13/54] Correct name --- talos/integrations/cni/{kustomiation.yaml => kustomization.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename talos/integrations/cni/{kustomiation.yaml => kustomization.yaml} (100%) diff --git a/talos/integrations/cni/kustomiation.yaml b/talos/integrations/cni/kustomization.yaml similarity index 100% rename from talos/integrations/cni/kustomiation.yaml rename to talos/integrations/cni/kustomization.yaml From 5000f8889a358dff81cce4887f839b4f7e27f7f7 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Tue, 26 Sep 2023 11:32:01 -0500 Subject: [PATCH 14/54] Update system namespace. --- .../apps/system/kubelet-csr-approver/app/helmrelease.yaml | 2 +- .../apps/system/kubelet-csr-approver/app/kustomization.yaml | 2 +- kubernetes/apps/system/kubelet-csr-approver/ks.yaml | 2 +- talos/integrations/kubelet-csr-approver/kustomization.yaml | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/kubernetes/apps/system/kubelet-csr-approver/app/helmrelease.yaml b/kubernetes/apps/system/kubelet-csr-approver/app/helmrelease.yaml index 1b6edd9..c24fa79 100644 --- a/kubernetes/apps/system/kubelet-csr-approver/app/helmrelease.yaml +++ b/kubernetes/apps/system/kubelet-csr-approver/app/helmrelease.yaml @@ -4,7 +4,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: kubelet-csr-approver - namespace: system-controllers + namespace: system spec: interval: 30m chart: 
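Review bot: The Hubble metrics entry `- dns:query;ignoreAAAA,` carries a trailing comma that becomes part of the metric string handed to Hubble, so the dns metric will most likely be rejected or silently not collected; it should read `- dns:query;ignoreAAAA`. `kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256` binds the healthz server on every host interface, which matches the upstream comment kept above it, but it is worth confirming that node-level filtering limits who can reach port 10256. The file also ends without a newline (`\ No newline at end of file`).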
diff --git a/kubernetes/apps/system/kubelet-csr-approver/app/kustomization.yaml b/kubernetes/apps/system/kubelet-csr-approver/app/kustomization.yaml index 59dcf0e..2bc0805 100644 --- a/kubernetes/apps/system/kubelet-csr-approver/app/kustomization.yaml +++ b/kubernetes/apps/system/kubelet-csr-approver/app/kustomization.yaml @@ -1,7 +1,7 @@ --- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: system-controllers +namespace: system resources: - ./helmrelease.yaml diff --git a/kubernetes/apps/system/kubelet-csr-approver/ks.yaml b/kubernetes/apps/system/kubelet-csr-approver/ks.yaml index b845586..979c1a5 100644 --- a/kubernetes/apps/system/kubelet-csr-approver/ks.yaml +++ b/kubernetes/apps/system/kubelet-csr-approver/ks.yaml @@ -7,7 +7,7 @@ metadata: namespace: flux-system spec: interval: 10m - path: "./kubernetes/apps/system-controllers/kubelet-csr-approver/app" + path: "./kubernetes/apps/system/kubelet-csr-approver/app" prune: true sourceRef: kind: GitRepository diff --git a/talos/integrations/kubelet-csr-approver/kustomization.yaml b/talos/integrations/kubelet-csr-approver/kustomization.yaml index 39f025b..7455ab4 100644 --- a/talos/integrations/kubelet-csr-approver/kustomization.yaml +++ b/talos/integrations/kubelet-csr-approver/kustomization.yaml @@ -8,11 +8,11 @@ helmCharts: version: 1.0.5 releaseName: kubelet-csr-approver includeCRDs: true - namespace: system-controllers + namespace: system valuesFile: values.yaml commonAnnotations: meta.helm.sh/release-name: kubelet-csr-approver - meta.helm.sh/release-namespace: system-controllers + meta.helm.sh/release-namespace: system commonLabels: app.kubernetes.io/managed-by: Helm From 1fad218deb88e0134460a397db623770a74a575b Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Tue, 26 Sep 2023 14:10:55 -0500 Subject: [PATCH 15/54] Cleaning up cilium values --- .../apps/kube-system/cilium/app/values.yaml | 283 ++++-------------- 1 file changed, 65 insertions(+), 218 deletions(-) 
diff --git a/kubernetes/apps/kube-system/cilium/app/values.yaml b/kubernetes/apps/kube-system/cilium/app/values.yaml index e803c66..4d4fffd 100644 --- a/kubernetes/apps/kube-system/cilium/app/values.yaml +++ b/kubernetes/apps/kube-system/cilium/app/values.yaml 
@@ -1,241 +1,88 @@ ---- -# -- Enable installation of PodCIDR routes between worker -# nodes if worker nodes share a common L2 network segment. autoDirectNodeRoutes: true - -# -- Configure BGP -bgp: - # -- Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside - # cilium-agent and cilium-operator - enabled: false - announce: - # -- Enable allocation and announcement of service LoadBalancer IPs - loadbalancerIP: true - # -- Enable announcement of node pod CIDR - podCIDR: false - -# -- Configure cgroup related configuration -cgroup: - autoMount: - # -- Enable auto mount of cgroup2 filesystem. - # When `autoMount` is enabled, cgroup2 filesystem is mounted at - # `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod. - # If users disable `autoMount`, it's expected that users have mounted - # cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the - # volume will be mounted inside the cilium agent pod at the same path. - enabled: false - # -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`) - hostRoot: /sys/fs/cgroup - -cluster: - # -- Name of the cluster. Only required for Cluster Mesh. - name: valinor - # -- (int) Unique ID of the cluster. Must be unique across all connected - # clusters and in the range of 1 to 255. Only required for Cluster Mesh, - # may be 0 if Cluster Mesh is not used. - id: 1 - -# -- Configure container runtime specific integration. -containerRuntime: - # -- Enables specific integrations for container runtimes. - # Supported values: - # - containerd - # - crio - # - docker - # - none - # - auto (automatically detect the container runtime) - integration: containerd - -endpointRoutes: - # -- Enable use of per endpoint routes instead of routing via - # the cilium_host interface. 
+bandwidthManager: + enabled: true + bbr: true +bpf: + masquerade: true +bgp: + enabled: false +cluster: + name: valinor + id: 1 +containerRuntime: + integration: containerd +endpointRoutes: enabled: true - hubble: - # -- Enable Hubble (true by default). enabled: true metrics: - # -- Configures the list of metrics to collect. If empty or null, metrics - # are disabled. - # Example: - # - # enabled: - # - dns:query;ignoreAAAA - # - drop - # - tcp - # - flow - # - icmp - # - http - # - # You can specify the list of metrics from the helm CLI: - # - # --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}" - # enabled: - - dns:query;ignoreAAAA, + - dns:query - drop - tcp - flow - - http - - icmp - port-distribution - + - icmp + - http + serviceMonitor: + enabled: true + dashboards: + enabled: true + annotations: + grafana_folder: Cilium relay: - # -- Enable Hubble Relay (requires hubble.enabled=true) enabled: true - # -- Roll out Hubble Relay pods automatically when configmap is updated. rollOutPods: true - - # serviceMonitor: - # # -- Create ServiceMonitor resources for Prometheus Operator. - # # This requires the prometheus CRDs to be available. - # # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) - # enabled: false - + prometheus: + serviceMonitor: + enabled: true ui: - # -- Whether to enable the Hubble UI. enabled: true - - # -- hubble-ui ingress configuration. - ingress: - enabled: false - - # -- Roll out Hubble-ui pods automatically when configmap is updated. rollOutPods: true - + ingress: + enabled: true + className: internal + hosts: + - &host hubble.hsn.dev + tls: + - hosts: + - *host ipam: - # -- Configure IP Address Management mode. - # ref: https://docs.cilium.io/en/stable/concepts/networking/ipam/ mode: kubernetes - -# -- (string) Allows to explicitly specify the IPv4 CIDR for native routing. 
-# When specified, Cilium assumes networking for this CIDR is preconfigured and -# hands traffic destined for that range to the Linux network stack without -# applying any SNAT. -# Generally speaking, specifying a native routing CIDR implies that Cilium can -# depend on the underlying networking stack to route packets to their -# destination. To offer a concrete example, if Cilium is configured to use -# direct routing and the Kubernetes CIDR is included in the native routing CIDR, -# the user must configure the routes to reach pods, either manually or by -# setting the auto-direct-node-routes flag. -ipv4NativeRoutingCIDR: 10.244.0.0/16 - -# -- (string) Kubernetes service host -k8sServiceHost: valinor.hsn.dev -# -- (string) Kubernetes service port +ipv4NativeRoutingCIDR: 10.32.0.0/16 +k8sServiceHost: 10.2.0.6 k8sServicePort: 6443 - -# -- Configure the kube-proxy replacement in Cilium BPF datapath -# Valid options are "disabled", "partial", "strict". -# ref: https://docs.cilium.io/en/stable/gettingstarted/kubeproxy-free/ -kubeProxyReplacement: strict - -# -- healthz server bind address for the kube-proxy replacement. -# To enable set the value to '0.0.0.0:10256' for all ipv4 -# addresses and this '[::]:10256' for all ipv6 addresses. -# By default it is disabled. +kubeProxyReplacement: true kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 - -# -- Configure service load balancing -loadBalancer: - # -- algorithm is the name of the load balancing algorithm for backend - # selection e.g. random or maglev - algorithm: random - - # -- mode is the operation mode of load balancing for remote backends - # e.g. snat, dsr, hybrid - mode: snat - -# -- Enable Local Redirect Policy. -localRedirectPolicy: false - -operator: - # -- Enable the cilium-operator component (required). +l2announcements: enabled: true - - # -- Roll out cilium-operator pods automatically when configmap is updated. 
+ leaseDuration: 120s + leaseRenewDeadline: 60s + leaseRetryPeriod: 1s +loadBalancer: + algorithm: maglev + mode: dsr +localRedirectPolicy: true +operator: rollOutPods: true - -# -- Roll out cilium agent pods automatically when configmap is updated. -rollOutCiliumPods: false - + prometheus: + enabled: true + serviceMonitor: + enabled: true + dashboards: + enabled: true + annotations: + grafana_folder: Cilium +prometheus: + enabled: true + serviceMonitor: + enabled: true + trustCRDsExist: true +dashboards: + enabled: true + annotations: + grafana_folder: Cilium +rollOutCiliumPods: true securityContext: - # -- Run the pod with elevated privileges - privileged: false - - capabilities: - # -- Capabilities for the `cilium-agent` container - ciliumAgent: - # Use to set socket permission - - CHOWN - # Used to terminate envoy child process - - KILL - # Used since cilium modifies routing tables, etc... - - NET_ADMIN - # Used since cilium creates raw sockets, etc... - - NET_RAW - # Used since cilium monitor uses mmap - - IPC_LOCK - # Used in iptables. Consider removing once we are iptables-free - # - SYS_MODULE - # We need it for now but might not need it for >= 5.11 specially - # for the 'SYS_RESOURCE'. - # In >= 5.8 there's already BPF and PERMON capabilities - - SYS_ADMIN - # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC - - SYS_RESOURCE - # Both PERFMON and BPF requires kernel 5.8, container runtime - # cri-o >= v1.22.0 or containerd >= v1.5.0. - # If available, SYS_ADMIN can be removed. - #- PERFMON - #- BPF - # Allow discretionary access control (e.g. required for package installation) - - DAC_OVERRIDE - # Allow to set Access Control Lists (ACLs) on arbitrary files (e.g. required for package installation) - - FOWNER - # Allow to execute program that changes GID (e.g. required for package installation) - - SETGID - # Allow to execute program that changes UID (e.g. 
required for package installation) - - SETUID - # -- Capabilities for the `mount-cgroup` init container - mountCgroup: - # Only used for 'mount' cgroup - - SYS_ADMIN - # Used for nsenter - - SYS_CHROOT - - SYS_PTRACE - # -- capabilities for the `apply-sysctl-overwrites` init container - applySysctlOverwrites: - # Required in order to access host's /etc/sysctl.d dir - - SYS_ADMIN - # Used for nsenter - - SYS_CHROOT - - SYS_PTRACE - # -- Capabilities for the `clean-cilium-state` init container - cleanCiliumState: - # Most of the capabilities here are the same ones used in the - # cilium-agent's container because this container can be used to - # uninstall all Cilium resources, and therefore it is likely that - # will need the same capabilities. - # Used since cilium modifies routing tables, etc... - - NET_ADMIN - # Used in iptables. Consider removing once we are iptables-free - # - SYS_MODULE - # We need it for now but might not need it for >= 5.11 specially - # for the 'SYS_RESOURCE'. - # In >= 5.8 there's already BPF and PERMON capabilities - - SYS_ADMIN - # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC - - SYS_RESOURCE - # Both PERFMON and BPF requires kernel 5.8, container runtime - # cri-o >= v1.22.0 or containerd >= v1.5.0. - # If available, SYS_ADMIN can be removed. - #- PERFMON - #- BPF - -# -- Configure the encapsulation configuration for communication between nodes. -# Possible values: -# - disabled -# - vxlan (default) -# - geneve -tunnel: "disabled" \ No newline at end of file + privileged: true +tunnel: disabled From a2ef5b478f61124417b01ee0692dc5125bcf48d8 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Tue, 26 Sep 2023 14:31:30 -0500 Subject: [PATCH 16/54] Update device used. --- kubernetes/apps/kube-system/cilium/app/cilium-l2.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
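Review bot: `securityContext.privileged: true` replaces the `privileged: false` plus per-container `capabilities` lists that this hunk deletes, so cilium-agent now runs with every capability instead of the bounded set the removed block shows the chart supports; restore `privileged: false` with the capability lists unless a specific Talos requirement forces privileged mode, and if so record that reason in a comment above `securityContext:`. The new `hubble.ui.ingress` publishes the Hubble UI at `hubble.hsn.dev` via the `internal` class with no authentication configured in this file, and as far as I know Hubble UI has no built-in login, so access control has to come from the ingress or the network — a comment naming where that control lives would help. The `tls` entry lists `*host` without a `secretName`, which relies on the ingress controller's default certificate; confirm that is intended.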
diff --git a/kubernetes/apps/kube-system/cilium/app/cilium-l2.yaml b/kubernetes/apps/kube-system/cilium/app/cilium-l2.yaml index 2025fd8..6869ccd 100644 --- a/kubernetes/apps/kube-system/cilium/app/cilium-l2.yaml +++ b/kubernetes/apps/kube-system/cilium/app/cilium-l2.yaml @@ -6,7 +6,7 @@ metadata: spec: loadBalancerIPs: true interfaces: - - ^enp.* + - ^eth1$ nodeSelector: matchLabels: kubernetes.io/os: linux From 66ed521d0cdf5a37711178dc4cd81d4cd056f259 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Tue, 26 Sep 2023 16:33:24 -0500 Subject: [PATCH 17/54] Enable kubeprism and disable flannel. --- talos/talconfig.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/talos/talconfig.yaml b/talos/talconfig.yaml index cc830ae..d1528f9 100644 --- a/talos/talconfig.yaml +++ b/talos/talconfig.yaml @@ -50,6 +50,9 @@ controlPlane: - |- cluster: allowSchedulingOnMasters: true + network: + cni: + name: none proxy: disabled: true etcd: @@ -62,6 +65,11 @@ controlPlane: - |- machine: + features: + kubePrism: + enabled: true + port: 7445 + files: - op: create path: /etc/cri/conf.d/20-customization.part From 3dd36d25bc3930ea0e9df65ad0957817e5723901 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Tue, 26 Sep 2023 16:58:38 -0500 Subject: [PATCH 18/54] Update cilium settings and enable kubeprism. --- .../apps/kube-system/cilium/app/values.yaml | 25 +++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/kubernetes/apps/kube-system/cilium/app/values.yaml b/kubernetes/apps/kube-system/cilium/app/values.yaml index 4d4fffd..00e10f0 100644 --- a/kubernetes/apps/kube-system/cilium/app/values.yaml +++ b/kubernetes/apps/kube-system/cilium/app/values.yaml @@ -13,6 +13,10 @@ containerRuntime: integration: containerd endpointRoutes: enabled: true +cgroup: + autoMount: + enabled: false + hostRoot: /sys/fs/cgroup hubble: enabled: true metrics: 
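Review bot: The new `cgroup` block in the values.yaml hunk disables `autoMount` and points `hostRoot` at `/sys/fs/cgroup` without saying why; this is presumably the Talos requirement (the host already provides the cgroup2 mount there), and a comment such as `# Talos already mounts cgroup2 at /sys/fs/cgroup; do not let the agent remount it` above `cgroup:` would record that. The enclosing values file continues outside the hunk.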
@@ -50,8 +54,8 @@ hubble: ipam: mode: kubernetes ipv4NativeRoutingCIDR: 10.32.0.0/16 -k8sServiceHost: 10.2.0.6 -k8sServicePort: 6443 +k8sServiceHost: localhost +k8sServicePort: 7445 kubeProxyReplacement: true kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 l2announcements: @@ -85,4 +89,21 @@ dashboards: rollOutCiliumPods: true securityContext: privileged: true + capabilities: + ciliumAgent: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + cleanCiliumState: + - NET_ADMIN + - SYS_ADMIN + - SYS_RESOURCE tunnel: disabled From b883aaf1032780b0bc10ae29420c045e25cb0834 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Tue, 26 Sep 2023 17:18:36 -0500 Subject: [PATCH 19/54] Adding static routes. --- talos/talconfig.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/talos/talconfig.yaml b/talos/talconfig.yaml index d1528f9..3947df4 100644 --- a/talos/talconfig.yaml +++ b/talos/talconfig.yaml @@ -25,6 +25,12 @@ nodes: networkInterfaces: - interface: eth0 dhcp: true + - interface: eth1 + dhcp: true + routes: + - network: 10.2.0.0/16 + gateway: 10.2.1.1 # The route's gateway (if empty, creates link scope route). + metric: 2048 - hostname: eonwe.hsn.dev disableSearchDomain: true @@ -35,6 +41,12 @@ nodes: networkInterfaces: - interface: eth0 dhcp: true + - interface: eth1 + dhcp: true + routes: + - network: 10.2.0.0/16 + gateway: 10.2.1.1 # The route's gateway (if empty, creates link scope route). + metric: 2048 - hostname: arlen.hsn.dev disableSearchDomain: true @@ -45,6 +57,13 @@ nodes: networkInterfaces: - interface: eth0 dhcp: true + - interface: eth1 + dhcp: true + routes: + - network: 10.2.0.0/16 + gateway: 10.2.1.1 # The route's gateway (if empty, creates link scope route). + metric: 2048 + controlPlane: patches: - |- From a6fa98315ac7e12a4e87459f1f2917b6990915d2 Mon Sep 17 00:00:00 2001 
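Review bot: The `capabilities.ciliumAgent` and `cleanCiliumState` lists added in the third hunk have no effect while `securityContext.privileged: true` stays on the line above them, because a privileged container already holds every capability; either drop the lists or, preferably, set `privileged: false` so the lists actually bound the agent. The second hunk's `k8sServiceHost: localhost` / `k8sServicePort: 7445` corresponds to the KubePrism port enabled in the preceding talconfig patch, and nothing in this file explains the non-standard port — a comment such as `# KubePrism endpoint (talos machine.features.kubePrism)` above `k8sServiceHost:` would.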
From: Smeagol Date: Wed, 27 Sep 2023 09:00:17 +0000 Subject: [PATCH 20/54] Update Helm release cert-manager to v1.13.1 --- kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml index e436f61..7888e2b 100644 --- a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: cert-manager - version: v1.12.3 + version: v1.13.1 sourceRef: kind: HelmRepository name: jetstack From 87d3776941afdb72ae02c322054e94c1b00dbbfb Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Thu, 28 Sep 2023 21:50:04 +0000 Subject: [PATCH 21/54] Removed incorrect hash. Signed-off-by: Joseph Hanson --- .../external-secrets/stores/onepassword/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/security/external-secrets/stores/onepassword/helmrelease.yaml b/kubernetes/apps/security/external-secrets/stores/onepassword/helmrelease.yaml index 60a5e15..5e293d5 100644 --- a/kubernetes/apps/security/external-secrets/stores/onepassword/helmrelease.yaml +++ b/kubernetes/apps/security/external-secrets/stores/onepassword/helmrelease.yaml @@ -23,7 +23,7 @@ spec: image: repository: docker.io/1password/connect-api - tag: 1.7.2@sha256:6aa94cf713f99c0fa58c12ffdd1b160404b4c13a7f501a73a791aa84b608c5a1 + tag: 1.7.2 env: OP_BUS_PORT: "11220" From 29bd8096e025938cac471b28b5ec5edc7f022a02 Mon Sep 17 00:00:00 2001 
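Review bot: Removing the `@sha256:` digest from the 1Password Connect API image tag turns an immutable reference into a mutable one, so the `1.7.2` tag can be re-pointed upstream without any change in this repository. The commit message says the hash was incorrect, so the fix is to replace it with the digest the registry actually reports for 1.7.2, e.g. `tag: 1.7.2@sha256:<digest-from-registry>`, rather than to drop the pin. If the digest is deliberately left for tooling to manage, a comment above `tag:` saying so would stop the next reviewer from reinstating it by hand.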
From: Joseph Hanson Date: Thu, 28 Sep 2023 22:34:05 +0000 Subject: [PATCH 22/54] Added rook task. --- .taskfiles/_scripts/wait-for-k8s-job.sh | 14 ++++ .taskfiles/rook/Taskfile.yaml | 91 +++++++++++++++++++++++ .taskfiles/rook/WipeDiskJob.tmpl.yaml | 26 +++++++ .taskfiles/rook/WipeRookDataJob.tmpl.yaml | 29 ++++++++ Taskfile.yaml | 1 + 5 files changed, 161 insertions(+) create mode 100644 .taskfiles/_scripts/wait-for-k8s-job.sh create mode 100644 .taskfiles/rook/Taskfile.yaml create mode 100644 .taskfiles/rook/WipeDiskJob.tmpl.yaml create mode 100644 .taskfiles/rook/WipeRookDataJob.tmpl.yaml diff --git a/.taskfiles/_scripts/wait-for-k8s-job.sh b/.taskfiles/_scripts/wait-for-k8s-job.sh new file mode 100644 index 0000000..32feadd --- /dev/null +++ b/.taskfiles/_scripts/wait-for-k8s-job.sh @@ -0,0 +1,14 @@ +#!/usr/bin/env bash + +JOB_NAME=$1 +NAMESPACE="${2:-default}" + +[[ -z "${JOB_NAME}" ]] && echo "Job name not specified" && exit 1 + +while true; do + STATUS="$(kubectl -n "${NAMESPACE}" get pod -l job-name="${JOB_NAME}" -o jsonpath='{.items[*].status.phase}')" + if [ "${STATUS}" == "Pending" ]; then + break + fi + sleep 1 +done diff --git a/.taskfiles/rook/Taskfile.yaml b/.taskfiles/rook/Taskfile.yaml new file mode 100644 index 0000000..5bbfb5c --- /dev/null +++ b/.taskfiles/rook/Taskfile.yaml 
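Review bot: The loop in the new script exits only when the job's pod phase is exactly `Pending`, so a pod that reaches `Running` or `Succeeded` before the first poll, or a job that never creates a pod, keeps the script spinning forever with no timeout; with several matching pods `{.items[*].status.phase}` is a space-joined list and the comparison never matches either. It should break as soon as any pod exists and give up after a bound, and `set -euo pipefail` would stop a failing `kubectl` from looping silently. A bounded version that keeps the existing two-argument call shape is below.
```shell
set -euo pipefail

JOB_NAME="${1:-}"
NAMESPACE="${2:-default}"
TIMEOUT="${3:-300}"   # seconds to wait for the job's pod to appear

if [[ -z "${JOB_NAME}" ]]; then
  echo "Job name not specified" >&2
  exit 1
fi

# Wait until at least one pod for the job exists, whatever its phase.
for ((i = 0; i < TIMEOUT; i++)); do
  STATUS="$(kubectl -n "${NAMESPACE}" get pod -l job-name="${JOB_NAME}" -o jsonpath='{.items[*].status.phase}')"
  if [[ -n "${STATUS}" ]]; then
    exit 0
  fi
  sleep 1
done

echo "Timed out waiting for a pod of job ${JOB_NAME}" >&2
exit 1
```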
@@ -0,0 +1,91 @@ +--- +version: "3" + +x-task-vars: &task-vars + node: "{{.node}}" + ceph_disk: "{{.ceph_disk}}" + ts: "{{.ts}}" + jobName: "{{.jobName}}" + +vars: + waitForJobScript: "../_scripts/wait-for-k8s-job.sh" + ts: '{{now | date "150405"}}' + +tasks: + wipe-node-aule: + desc: Trigger a wipe of Rook-Ceph data on node "aule" + cmds: + - task: wipe-disk + vars: + node: "{{.node}}" + ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37460833" + - task: wipe-data + vars: + node: "{{.node}}" + vars: + node: aule + + wipe-node-eonwe: + desc: Trigger a wipe of Rook-Ceph data on node "eonwe" + cmds: + - task: wipe-disk + vars: + node: "{{.node}}" + ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37460887" + - task: wipe-data + vars: + node: "{{.node}}" + vars: + node: eonwe + + wipe-node-arlen: + desc: Trigger a wipe of Rook-Ceph data on node "arlen" + cmds: + - task: wipe-disk + vars: + node: "{{.node}}" + ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37460897" + - task: wipe-data + vars: + node: "{{.node}}" + vars: + node: arlen + + wipe-disk: + desc: Wipe all remnants of rook-ceph from a given disk (ex. 
task rook:wipe-disk node=aule ceph_disk="/dev/nvme0n1") + silent: true + internal: true + cmds: + - envsubst < <(cat {{.wipeRookDiskJobTemplate}}) | kubectl apply -f - + - bash {{.waitForJobScript}} {{.wipeCephDiskJobName}} default + - kubectl -n default wait job/{{.wipeCephDiskJobName}} --for condition=complete --timeout=1m + - kubectl -n default logs job/{{.wipeCephDiskJobName}} --container list + - kubectl -n default delete job {{.wipeCephDiskJobName}} + vars: + node: '{{ or .node (fail "`node` is required") }}' + ceph_disk: '{{ or .ceph_disk (fail "`ceph_disk` is required") }}' + jobName: 'wipe-disk-{{- .node -}}-{{- .ceph_disk | replace "/" "-" -}}-{{- .ts -}}' + wipeRookDiskJobTemplate: "WipeDiskJob.tmpl.yaml" + env: *task-vars + preconditions: + - sh: test -f {{.waitForJobScript}} + - sh: test -f {{.wipeRookDiskJobTemplate}} + + wipe-data: + desc: Wipe all remnants of rook-ceph from a given disk (ex. task rook:wipe-data node=aule) + silent: true + internal: true + cmds: + - envsubst < <(cat {{.wipeRookDataJobTemplate}}) | kubectl apply -f - + - bash {{.waitForJobScript}} {{.wipeRookDataJobName}} default + - kubectl -n default wait job/{{.wipeRookDataJobName}} --for condition=complete --timeout=1m + - kubectl -n default logs job/{{.wipeRookDataJobName}} --container list + - kubectl -n default delete job {{.wipeRookDataJobName}} + vars: + node: '{{ or .node (fail "`node` is required") }}' + jobName: "wipe-rook-data-{{- .node -}}-{{- .ts -}}" + wipeRookDataJobTemplate: "WipeRookDataJob.tmpl.yaml" + env: *task-vars + preconditions: + - sh: test -f {{.waitForJobScript}} + - sh: test -f {{.wipeRookDataJobTemplate}} diff --git a/.taskfiles/rook/WipeDiskJob.tmpl.yaml b/.taskfiles/rook/WipeDiskJob.tmpl.yaml new file mode 100644 index 0000000..13fa4f7 --- /dev/null +++ b/.taskfiles/rook/WipeDiskJob.tmpl.yaml 
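Review bot: In `wipe-disk` the `cmds` reference `{{.wipeCephDiskJobName}}` while the task's `vars` only define `jobName`, and `wipe-data` likewise uses `{{.wipeRookDataJobName}}`; the `kubectl apply` step gets the right name through the `jobName` env var, but the following wait/logs/delete commands render an undefined variable and so target a job that does not exist. Replace those references with `{{.jobName}}` in both tasks (four command lines each). Separately, `jobName` embeds `ceph_disk` with only `/` replaced, so the by-id paths the per-node tasks pass (`scsi-0HC_Volume_...`) produce names containing uppercase letters and underscores, which are not valid Kubernetes object names; lower-casing and replacing `_` as well, or using only the basename of the device, would make the apply succeed.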
@@ -0,0 +1,26 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: "${jobName}" + namespace: "default" +spec: + ttlSecondsAfterFinished: 3600 + template: + spec: + automountServiceAccountToken: false + restartPolicy: Never + nodeName: ${node} + containers: + - name: disk-wipe + image: ghcr.io/onedr0p/alpine:3.17.3@sha256:999384960b6114496a5e4036e945141c205d064ce23b87326bd3f8d878c5a9d4 + securityContext: + privileged: true + resources: {} + command: ["/bin/sh", "-c"] + args: + - apk add --no-cache sgdisk util-linux parted; + sgdisk --zap-all ${ceph_disk}; + blkdiscard ${ceph_disk}; + dd if=/dev/zero bs=1M count=10000 oflag=direct of=${ceph_disk}; + partprobe ${ceph_disk}; diff --git a/.taskfiles/rook/WipeRookDataJob.tmpl.yaml b/.taskfiles/rook/WipeRookDataJob.tmpl.yaml new file mode 100644 index 0000000..e5e5eef --- /dev/null +++ b/.taskfiles/rook/WipeRookDataJob.tmpl.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: "${jobName}" + namespace: "default" +spec: + ttlSecondsAfterFinished: 3600 + template: + spec: + automountServiceAccountToken: false + restartPolicy: Never + nodeName: ${node} + containers: + - name: disk-wipe + image: ghcr.io/onedr0p/alpine:3.17.3@sha256:999384960b6114496a5e4036e945141c205d064ce23b87326bd3f8d878c5a9d4 + securityContext: + privileged: true + resources: {} + command: ["/bin/sh", "-c"] + args: + - rm -rf /mnt/host_var/lib/rook + volumeMounts: + - mountPath: /mnt/host_var + name: host-var + volumes: + - name: host-var + hostPath: + path: /var diff --git a/Taskfile.yaml b/Taskfile.yaml index 443e678..e533d85 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -21,6 +21,7 @@ env: includes: volsync: .taskfiles/VolSync/Tasks.yaml precommit: .taskfiles/PreCommit/Tasks.yaml + rook: .taskfiles/rook/Taskfile.yaml tasks: From 1fc12c300c166f00c0eb7f6f02b4607f748b3ec0 Mon Sep 17 00:00:00 2001 
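Review bot: `nodeName: ${node}` is the only substituted field left unquoted; `name: "${jobName}"` a few lines above is quoted, and an empty `node` here leaves `nodeName` unset, which lets the scheduler place this privileged disk-wiping pod on any node, so write `nodeName: "${node}"`. The `;`-joined args run `sgdisk`, `blkdiscard` and `dd` even if `apk add` failed, and the Job's exit status is only `partprobe`'s, so a partially failed wipe still reports success to the caller's `kubectl wait`; starting the script with `set -e;` surfaces the first failure instead. `dd ... count=10000` writes a fixed 10 GiB regardless of device size, which is the step most likely to outrun the one-minute wait in the Taskfile.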
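Review bot: The Job mounts the whole host `/var` read-write into a privileged container to delete one directory; narrowing it to `path: /var/lib` with `mountPath: /mnt/host_var_lib` and `rm -rf /mnt/host_var_lib/rook` has the same effect with a much smaller blast radius if the template or its variables are ever wrong. `privileged: true` is unlikely to be needed for an `rm -rf` on a hostPath mount (the container runs as root unless the image sets a user), so it can be dropped here. As in WipeDiskJob, `nodeName: ${node}` should be quoted like `name: "${jobName}"`.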
From: Joseph Hanson Date: Fri, 29 Sep 2023 13:03:48 +0000 Subject: [PATCH 23/54] Update thanos config and rook config. --- Taskfile.yaml | 4 ++- .../monitoring/thanos/app/externalsecret.yaml | 31 ++++++++++++++++++ .../monitoring/thanos/app/helmrelease.yaml | 32 +++---------------- .../monitoring/thanos/app/kustomization.yaml | 2 +- .../thanos/app/objectbucketclaim.yaml | 9 ------ .../rook-ceph/cluster/helmrelease.yaml | 12 +++---- talos/deploy-integrations.sh | 10 +++--- 7 files changed, 50 insertions(+), 50 deletions(-) create mode 100644 kubernetes/apps/monitoring/thanos/app/externalsecret.yaml delete mode 100644 kubernetes/apps/monitoring/thanos/app/objectbucketclaim.yaml diff --git a/Taskfile.yaml b/Taskfile.yaml index e533d85..ef08fa5 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -21,7 +21,9 @@ env: includes: volsync: .taskfiles/VolSync/Tasks.yaml precommit: .taskfiles/PreCommit/Tasks.yaml - rook: .taskfiles/rook/Taskfile.yaml + rook: + taskfile: ".taskfiles/rook" + dir: .taskfiles/rook tasks: diff --git a/kubernetes/apps/monitoring/thanos/app/externalsecret.yaml b/kubernetes/apps/monitoring/thanos/app/externalsecret.yaml new file mode 100644 index 0000000..a9ecd49 --- /dev/null +++ b/kubernetes/apps/monitoring/thanos/app/externalsecret.yaml @@ -0,0 +1,31 @@ +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: thanos + namespace: monitoring +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: thanos-s3-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + objstore.yml: |- + type: s3 + config: + access_key: {{ .minio_thanos_access_key }} + bucket: thanos + endpoint: {{ .minio_s3_host }} + region: us-east-1 + secret_key: {{ .minio_thanos_secret_key }} + dataFrom: + - extract: + key: minio + rewrite: + - regexp: + source: "(.*)" + target: "minio_$1" 
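Review bot: The values templated into `objstore.yml` (`access_key`, `endpoint`, `secret_key`) are inserted unquoted, so a credential or host that happens to look like a number or boolean, or that contains `: ` or ` #`, is retyped or breaks the YAML Thanos parses; quote them, e.g. `access_key: "{{ .minio_thanos_access_key }}"`. The `objstoreConfig` this replaces carried `insecure: true` and the new config has no `insecure` key, so as far as I recall the S3 client will default to TLS for `minio_s3_host` — fine if that endpoint terminates TLS, otherwise `insecure: true` has to come back here, and a one-line comment stating which it is would help.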
diff --git a/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml b/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml index 0b55404..d3fa3ea 100644 --- a/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml @@ -35,10 +35,7 @@ spec: registry: quay.io repository: thanos/thanos tag: v0.32.3 - objstoreConfig: - type: s3 - config: - insecure: true + existingObjstoreSecret: thanos-s3-secret queryFrontend: enabled: true replicaCount: 3 @@ -71,14 +68,14 @@ spec: persistence: enabled: true storageClass: ceph-block - size: 100Gi + size: 20Gi storegateway: enabled: true replicaCount: 3 persistence: enabled: true storageClass: ceph-block - size: 20Gi + size: 10Gi ruler: enabled: true replicaCount: 3 @@ -99,29 +96,8 @@ spec: persistence: enabled: true storageClass: ceph-block - size: 20Gi + size: 5Gi metrics: enabled: true serviceMonitor: enabled: true - valuesFrom: - - targetPath: objstoreConfig.config.bucket - kind: ConfigMap - name: thanos-bucket-v1 - valuesKey: BUCKET_NAME - - targetPath: objstoreConfig.config.endpoint - kind: ConfigMap - name: thanos-bucket-v1 - valuesKey: BUCKET_HOST - - targetPath: objstoreConfig.config.region - kind: ConfigMap - name: thanos-bucket-v1 - valuesKey: BUCKET_REGION - - targetPath: objstoreConfig.config.access_key - kind: Secret - name: thanos-bucket-v1 - valuesKey: AWS_ACCESS_KEY_ID - - targetPath: objstoreConfig.config.secret_key - kind: Secret - name: thanos-bucket-v1 - valuesKey: AWS_SECRET_ACCESS_KEY diff --git a/kubernetes/apps/monitoring/thanos/app/kustomization.yaml b/kubernetes/apps/monitoring/thanos/app/kustomization.yaml index f5ab648..e4bccc4 100644 --- a/kubernetes/apps/monitoring/thanos/app/kustomization.yaml +++ b/kubernetes/apps/monitoring/thanos/app/kustomization.yaml 
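Review bot: The persistence `size` reductions in the second and third hunks (100Gi→20Gi, 20Gi→10Gi, 20Gi→5Gi) cannot be applied to an existing release: Kubernetes does not shrink PVCs and StatefulSet `volumeClaimTemplates` are immutable, so the upgrade will either fail or leave the old claims at their original size until they are deleted by hand. If the cluster is being rebuilt onto the new nodes that is fine, but it belongs in the commit message. The `existingObjstoreSecret: thanos-s3-secret` wiring matches the `objstore.yml` key produced by the new ExternalSecret.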
@@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: monitoring resources: - - ./objectbucketclaim.yaml + - ./externalsecret.yaml - ./helmrelease.yaml configMapGenerator: - name: thanos-bucket-replicate-dashboard diff --git a/kubernetes/apps/monitoring/thanos/app/objectbucketclaim.yaml b/kubernetes/apps/monitoring/thanos/app/objectbucketclaim.yaml deleted file mode 100644 index 080841c..0000000 --- a/kubernetes/apps/monitoring/thanos/app/objectbucketclaim.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: objectbucket.io/v1alpha1 -kind: ObjectBucketClaim -metadata: - name: thanos-bucket-v1 - namespace: monitoring -spec: - bucketName: thanos-v1 - storageClassName: ceph-bucket diff --git a/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml b/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml index 91bc6ff..2d0bd86 100644 --- a/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml +++ b/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml @@ -53,15 +53,15 @@ spec: config: osdsPerDevice: "1" nodes: - - name: "valinor-1" + - name: "aule" devices: - - name: /dev/disk/by-id/scsi-0HC_Volume_37231496 - - name: "valinor-2" + - name: /dev/disk/by-id/scsi-0HC_Volume_37460833 + - name: "eonwe" devices: - - name: /dev/disk/by-id/scsi-0HC_Volume_37231521 - - name: "valinor-3" + - name: /dev/disk/by-id/scsi-0HC_Volume_37460887 + - name: "arlen" devices: - - name: /dev/disk/by-id/scsi-0HC_Volume_37231596 + - name: /dev/disk/by-id/scsi-0HC_Volume_37460897 ingress: ingressClassName: "nginx" diff --git a/talos/deploy-integrations.sh b/talos/deploy-integrations.sh index 17d6b7b..cab2aff 100755 --- a/talos/deploy-integrations.sh +++ b/talos/deploy-integrations.sh 
@@ -2,11 +2,11 @@ # shellcheck disable=2312 pushd integrations >/dev/null 2>&1 || exit 1 -rm -rf cni/charts -envsubst < ../../kubernetes/apps/kube-system/cilium/app/values.yaml > cni/values.yaml -kustomize build --enable-helm cni | kubectl apply -f - -rm cni/values.yaml -rm -rf cni/charts +#rm -rf cni/charts +#envsubst < ../../kubernetes/apps/kube-system/cilium/app/values.yaml > cni/values.yaml +#kustomize build --enable-helm cni | kubectl apply -f - +#rm cni/values.yaml +#rm -rf cni/charts rm -rf kubelet-csr-approver/charts envsubst < ../../kubernetes/apps/system/kubelet-csr-approver/app/values.yaml > kubelet-csr-approver/values.yaml From 5af8b49ccff8680f0d5437a3c9af66dbf5a09bf0 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Fri, 29 Sep 2023 13:19:59 +0000 Subject: [PATCH 24/54] Update Cilium values. --- .../apps/kube-system/cilium/app/values.yaml | 62 ------------------- 1 file changed, 62 deletions(-) diff --git a/kubernetes/apps/kube-system/cilium/app/values.yaml b/kubernetes/apps/kube-system/cilium/app/values.yaml index 00e10f0..253e809 100644 --- a/kubernetes/apps/kube-system/cilium/app/values.yaml +++ b/kubernetes/apps/kube-system/cilium/app/values.yaml 
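Review bot: The cilium block is commented out rather than removed, which leaves five lines of dead shell that the later "Remove cilium helm chart" commit in this series does not clean up either; delete them, since git history keeps them, or guard them with a variable if switching the CNI bootstrap path back and forth is expected. If Cilium is now installed by another path, a one-line comment saying where would help the next reader of this script.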
@@ -1,72 +1,12 @@ -autoDirectNodeRoutes: true -bandwidthManager: - enabled: true - bbr: true -bpf: - masquerade: true -bgp: - enabled: false -cluster: - name: valinor - id: 1 -containerRuntime: - integration: containerd -endpointRoutes: - enabled: true cgroup: autoMount: enabled: false hostRoot: /sys/fs/cgroup -hubble: - enabled: true - metrics: - enabled: - - dns:query - - drop - - tcp - - flow - - port-distribution - - icmp - - http - serviceMonitor: - enabled: true - dashboards: - enabled: true - annotations: - grafana_folder: Cilium - relay: - enabled: true - rollOutPods: true - prometheus: - serviceMonitor: - enabled: true - ui: - enabled: true - rollOutPods: true - ingress: - enabled: true - className: internal - hosts: - - &host hubble.hsn.dev - tls: - - hosts: - - *host ipam: mode: kubernetes -ipv4NativeRoutingCIDR: 10.32.0.0/16 k8sServiceHost: localhost k8sServicePort: 7445 kubeProxyReplacement: true -kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 -l2announcements: - enabled: true - leaseDuration: 120s - leaseRenewDeadline: 60s - leaseRetryPeriod: 1s -loadBalancer: - algorithm: maglev - mode: dsr -localRedirectPolicy: true operator: rollOutPods: true prometheus: @@ -88,7 +28,6 @@ dashboards: grafana_folder: Cilium rollOutCiliumPods: true securityContext: - privileged: true capabilities: ciliumAgent: - CHOWN @@ -106,4 +45,3 @@ securityContext: - NET_ADMIN - SYS_ADMIN - SYS_RESOURCE -tunnel: disabled From c2412b6e26035aa844538626662dc1431c11d5c8 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Fri, 29 Sep 2023 13:20:22 +0000 Subject: [PATCH 25/54] Added flux taskfile. --- .taskfiles/flux/Taskfile.yaml | 47 +++++++++++++++++++++++++++++++++++ Taskfile.yaml | 3 +++ 2 files changed, 50 insertions(+) create mode 100644 .taskfiles/flux/Taskfile.yaml diff --git a/.taskfiles/flux/Taskfile.yaml b/.taskfiles/flux/Taskfile.yaml new file mode 100644 index 0000000..2f3768a --- /dev/null +++ b/.taskfiles/flux/Taskfile.yaml 
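Review bot: Dropping `privileged: true` from `securityContext` while keeping the explicit `capabilities` lists (second hunk) is the right direction, but the same commit removes the whole `hubble` section and with it the flow metrics, ServiceMonitor and dashboards that are the main network-visibility signal from this cluster; if that is intentional the commit message should say so, otherwise keep `hubble.enabled: true` with `metrics` and `relay`. Removing `autoDirectNodeRoutes`, `ipv4NativeRoutingCIDR` and `tunnel: disabled` together presumably moves the datapath to the chart's default routing mode, which is a behaviour change worth a note since nothing else in the file documents it.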
@@ -0,0 +1,47 @@ +--- +version: "3" + +tasks: + gr-sync: + desc: Sync all Flux GitRepositories + cmds: + - | + kubectl get gitrepositories --all-namespaces --no-headers | awk '{print $1, $2}' \ + | xargs -P 4 -L 1 bash -c \ + 'kubectl -n $0 annotate gitrepository/$1 reconcile.fluxcd.io/requestedAt=$(date +%s) --field-manager=flux-client-side-apply --overwrite' + + ks-sync: + desc: Sync all Flux Kustomizations + cmds: + - | + kubectl get kustomization --all-namespaces --no-headers | awk '{print $1, $2}' \ + | xargs -P 4 -L 1 bash -c \ + 'kubectl -n $0 annotate kustomization/$1 reconcile.fluxcd.io/requestedAt="$(date +%s)" --field-manager=flux-client-side-apply --overwrite' + + hr-sync: + desc: Sync all Flux HelmReleases + cmds: + - | + kubectl get helmreleases --all-namespaces --no-headers | awk '{print $1, $2}' \ + | xargs -P 4 -L 1 bash -c \ + 'kubectl -n $0 annotate helmrelease/$1 reconcile.fluxcd.io/requestedAt="$(date +%s)" --overwrite' + + tf-sync: + desc: Sync Flux Terraforms + cmds: + - | + kubectl get terraforms --all-namespaces --no-headers | awk '{print $1, $2}' \ + | xargs -P 4 -L 1 bash -c \ + 'kubectl -n $0 annotate terraform/$1 reconcile.fluxcd.io/requestedAt="$(date +%s)" --overwrite' + hr-suspend: + desc: Suspend all Flux HelmReleases + cmds: + - | + flux get helmrelease --all-namespaces --no-header | awk '{print $1, $2}' \ + | xargs -L 1 bash -c 'flux -n $0 suspend helmrelease $1' + hr-resume: + desc: Resume all Flux HelmReleases + cmds: + - | + flux get helmrelease --all-namespaces --no-header | awk '{print $1, $2}' \ + | xargs -L 1 bash -c 'flux -n $0 resume helmrelease $1' diff --git a/Taskfile.yaml b/Taskfile.yaml index ef08fa5..e1caf3f 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -24,6 +24,9 @@ includes: rook: taskfile: ".taskfiles/rook" dir: .taskfiles/rook + flux: + dir: .taskfiles/flux + taskfile: .taskfiles/flux tasks: From 15a68f3238489d941b2972820f851c4185eccecc Mon Sep 17 00:00:00 2001 
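Review bot: `gr-sync` passes `reconcile.fluxcd.io/requestedAt=$(date +%s)` unquoted while the three sibling tasks quote the substitution, and `gr-sync`/`ks-sync` pass `--field-manager=flux-client-side-apply` while `hr-sync`/`tf-sync` do not; the four tasks are otherwise identical and should use one form, e.g. `reconcile.fluxcd.io/requestedAt="$(date +%s)" --field-manager=flux-client-side-apply --overwrite` everywhere. The namespace/name pairs are handed to `bash -c` as `$0`/`$1` rather than spliced into the command string, which is the safe pattern; keep it if more tasks are added. `tf-sync`, `hr-suspend` and `hr-resume` are missing the blank line that separates the other tasks.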
From: Joseph Hanson Date: Fri, 29 Sep 2023 13:26:15 +0000 Subject: [PATCH 26/54] Remove cilium helm chart. --- .../kube-system/cilium/app/cilium-l2.yaml | 20 --- .../kube-system/cilium/app/helmrelease.yaml | 114 ------------------ .../kube-system/cilium/app/kustomization.yaml | 15 --- .../cilium/app/kustomizeconfig.yaml | 7 -- .../apps/kube-system/cilium/app/values.yaml | 47 -------- kubernetes/apps/kube-system/cilium/ks.yaml | 14 --- .../apps/kube-system/kustomization.yaml | 1 - 7 files changed, 218 deletions(-) delete mode 100644 kubernetes/apps/kube-system/cilium/app/cilium-l2.yaml delete mode 100644 kubernetes/apps/kube-system/cilium/app/helmrelease.yaml delete mode 100644 kubernetes/apps/kube-system/cilium/app/kustomization.yaml delete mode 100644 kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml delete mode 100644 kubernetes/apps/kube-system/cilium/app/values.yaml delete mode 100644 kubernetes/apps/kube-system/cilium/ks.yaml diff --git a/kubernetes/apps/kube-system/cilium/app/cilium-l2.yaml b/kubernetes/apps/kube-system/cilium/app/cilium-l2.yaml deleted file mode 100644 index 6869ccd..0000000 --- a/kubernetes/apps/kube-system/cilium/app/cilium-l2.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: cilium.io/v2alpha1 -kind: CiliumL2AnnouncementPolicy -metadata: - name: policy -spec: - loadBalancerIPs: true - interfaces: - - ^eth1$ - nodeSelector: - matchLabels: - kubernetes.io/os: linux ---- -apiVersion: cilium.io/v2alpha1 -kind: CiliumLoadBalancerIPPool -metadata: - name: pool -spec: - cidrs: - - cidr: 10.2.42.0/24 diff --git a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml deleted file mode 100644 index a032c66..0000000 --- a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml +++ /dev/null 
@@ -1,114 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: cilium - namespace: kube-system -spec: - interval: 30m - chart: - spec: - chart: cilium - version: 1.14.2 - sourceRef: - kind: HelmRepository - name: cilium - namespace: flux-system - maxHistory: 2 - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - uninstall: - keepHistory: false - values: - autoDirectNodeRoutes: true - bpf: - masquerade: true - bgp: - enabled: false - cluster: - name: kubernetes - id: 1 - containerRuntime: - integration: containerd - socketPath: /var/run/k3s/containerd/containerd.sock - endpointRoutes: - enabled: true - hubble: - enabled: true - metrics: - enabled: - - dns:query - - drop - - tcp - - flow - - port-distribution - - icmp - - http - serviceMonitor: - enabled: true - dashboards: - enabled: true - annotations: - grafana_folder: Cilium - relay: - enabled: true - rollOutPods: true - prometheus: - serviceMonitor: - enabled: true - ui: - enabled: true - rollOutPods: true - ingress: - enabled: true - className: nginx - hosts: - - &host hubble.valinor.social - tls: - - hosts: - - *host - ipam: - mode: kubernetes - ipv4NativeRoutingCIDR: 10.32.0.0/16 - k8sServiceHost: 10.2.0.6 - k8sServicePort: 6443 - kubeProxyReplacement: true - kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 - l2announcements: - enabled: true - leaseDuration: 120s - leaseRenewDeadline: 60s - leaseRetryPeriod: 1s - loadBalancer: - algorithm: maglev - mode: dsr - localRedirectPolicy: true - operator: - rollOutPods: true - prometheus: - enabled: true - serviceMonitor: - enabled: true - dashboards: - enabled: true - annotations: - grafana_folder: Cilium - prometheus: - enabled: true - serviceMonitor: - enabled: true - trustCRDsExist: true - dashboards: - enabled: true - annotations: - 
grafana_folder: Cilium - rollOutCiliumPods: true - securityContext: - privileged: true - tunnel: disabled diff --git a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml deleted file mode 100644 index d5ca0be..0000000 --- a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: kube-system -resources: - - ./helmrelease.yaml - - ./cilium-l2.yaml -configMapGenerator: - - name: cilium-values - files: - - values.yaml=./values.yaml - -configurations: - - kustomizeconfig.yaml \ No newline at end of file diff --git a/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml b/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml deleted file mode 100644 index 1fcad09..0000000 --- a/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -nameReference: - - kind: ConfigMap - version: v1 - fieldSpecs: - - path: spec/valuesFrom/name - kind: HelmRelease \ No newline at end of file diff --git a/kubernetes/apps/kube-system/cilium/app/values.yaml b/kubernetes/apps/kube-system/cilium/app/values.yaml deleted file mode 100644 index 253e809..0000000 --- a/kubernetes/apps/kube-system/cilium/app/values.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -cgroup: - autoMount: - enabled: false - hostRoot: /sys/fs/cgroup -ipam: - mode: kubernetes -k8sServiceHost: localhost -k8sServicePort: 7445 -kubeProxyReplacement: true -operator: - rollOutPods: true - prometheus: - enabled: true - serviceMonitor: - enabled: true - dashboards: - enabled: true - annotations: - grafana_folder: Cilium -prometheus: - enabled: true - serviceMonitor: - enabled: true - trustCRDsExist: true -dashboards: - enabled: true - annotations: - grafana_folder: Cilium -rollOutCiliumPods: true -securityContext: - capabilities: - ciliumAgent: - - CHOWN - - KILL - - NET_ADMIN - - NET_RAW - - IPC_LOCK - - SYS_ADMIN - - SYS_RESOURCE - - DAC_OVERRIDE - - FOWNER - - SETGID - - SETUID - cleanCiliumState: - - NET_ADMIN - - SYS_ADMIN - - SYS_RESOURCE diff --git a/kubernetes/apps/kube-system/cilium/ks.yaml b/kubernetes/apps/kube-system/cilium/ks.yaml deleted file mode 100644 index 3d994ab..0000000 --- a/kubernetes/apps/kube-system/cilium/ks.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: cluster-apps-cilium - namespace: flux-system -spec: - interval: 10m - path: "./kubernetes/apps/kube-system/cilium/app" - prune: true - sourceRef: - kind: GitRepository - name: valinor - wait: true diff --git a/kubernetes/apps/kube-system/kustomization.yaml b/kubernetes/apps/kube-system/kustomization.yaml index f269ea1..a8875ab 100644 --- a/kubernetes/apps/kube-system/kustomization.yaml +++ b/kubernetes/apps/kube-system/kustomization.yaml @@ -6,4 +6,3 @@ resources: - ./namespace.yaml # Flux-Kustomizations - ./metrics-server/ks.yaml - - ./cilium/ks.yaml From 05191c24781daf095356f111a14a44643b6cf112 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Fri, 29 Sep 2023 14:22:09 +0000 Subject: [PATCH 27/54] Update s3 bucket config --- .../monitoring/kube-prometheus-stack/app/helmrelease.yaml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) 
diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml index c311cbe..4163148 100644 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml @@ -203,7 +203,7 @@ spec: thanos: image: quay.io/thanos/thanos:v0.32.3 objectStorageConfig: - name: thanos-objstore-secret + name: thanos-s3-secret key: objstore.yml retention: 2d retentionSize: 15GB @@ -222,8 +222,3 @@ spec: resources: requests: storage: 20Gi - valuesFrom: - - targetPath: objstoreConfig.config.bucket - kind: ConfigMap - name: thanos-bucket-v1 - valuesKey: BUCKET_NAME From e9189d79f75ea8f8bb4cb285254770ef52b042d3 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Fri, 29 Sep 2023 14:47:19 +0000 Subject: [PATCH 28/54] Update rook config. --- .../rook-ceph/cluster/helmrelease.yaml | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml b/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml index 2d0bd86..83a35ad 100644 --- a/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml +++ b/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml 
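Review bot: `objectStorageConfig.name: thanos-s3-secret` now points the Prometheus Thanos sidecar at the Secret generated by the new ExternalSecret in the `monitoring` namespace; the release's own namespace is outside this hunk, so confirm it is also `monitoring`, since the sidecar can only read a Secret in its own namespace. The removed `valuesFrom` block targeted `objstoreConfig.config.bucket`, a path this chart does not use, so dropping it is a cleanup; a short note in the commit message that the bucket is now `thanos` on the MinIO endpoint rather than the old `thanos-v1` ObjectBucketClaim would save the next reader a search.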
@@ -101,3 +101,68 @@ spec: csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph csi.storage.k8s.io/fstype: ext4 + cephFileSystems: + - name: ceph-filesystem + spec: + metadataPool: + replicated: + size: 3 + dataPools: + - failureDomain: host + replicated: + size: 3 + metadataServer: + activeCount: 1 + activeStandby: true + resources: + requests: + cpu: "35m" + memory: "64M" + limits: + memory: "144M" + storageClass: + enabled: true + isDefault: false + name: ceph-filesystem + reclaimPolicy: Delete + allowVolumeExpansion: true + mountOptions: [] + parameters: + csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner + csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph + csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner + csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph + csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node + csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph + csi.storage.k8s.io/fstype: ext4 + cephObjectStores: + - name: ceph-objectstore + spec: + metadataPool: + failureDomain: host + replicated: + size: 3 + dataPool: + failureDomain: host + erasureCoded: + dataChunks: 2 + codingChunks: 1 + preservePoolsOnDelete: true + gateway: + port: 80 + resources: + requests: + cpu: 100m + memory: 128M + limits: + memory: 2Gi + instances: 1 + healthCheck: + bucket: + interval: 60s + storageClass: + enabled: true + name: ceph-bucket + reclaimPolicy: Delete + parameters: + region: us-east-1 From 5598d3baafe18272a285dc7ce9077936766c9040 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Sat, 30 Sep 2023 14:25:46 +0000 Subject: [PATCH 29/54] Update DNSimple Issuer. --- .../apps/cert-manager/cert-manager/issuers/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
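Review bot: The new `cephObjectStores` gateway listens on plain HTTP (`port: 80`) with no `securePort`/`sslCertificateRef`; that is acceptable for in-cluster S3 clients, but anything reaching it from outside the cluster network should terminate TLS in front of it, and a comment here saying which clients are expected would help either way. Resource quantities are quoted inconsistently within the hunk (`cpu: "35m"`, `memory: "64M"` for the MDS versus `cpu: 100m`, `memory: 128M` for the gateway); both parse as strings, so pick one form. `preservePoolsOnDelete: true` is set on the object store but not on the filesystem, so deleting the CephFilesystem CR would also drop its pools — confirm that asymmetry is intended.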
diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml index 7783bc2..a62c0a5 100644 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: cert-manager-webhook-dnsimple - version: 0.0.6 + version: 0.0.7 interval: 30m sourceRef: kind: HelmRepository From f9b96df17500809d869832aa96b04643ef906fef Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Sat, 30 Sep 2023 14:45:54 +0000 Subject: [PATCH 30/54] Image renderer has no arm64 binary. --- kubernetes/apps/monitoring/grafana/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml index 9b898af..4b27f9c 100644 --- a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml @@ -184,7 +184,7 @@ spec: root_url: https://grafana.valinor.social imageRenderer: - enabled: true + enabled: false ingress: enabled: true From 05e3d47245c38c4ddbf78cd08083d6df7c5e35a5 Mon Sep 17 00:00:00 2001 From: Smeagol Date: Sat, 30 Sep 2023 16:00:16 +0000 Subject: [PATCH 31/54] Update dependency ansible-lint to v6.20.2 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 3b58068..0449c53 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,5 @@ ansible==8.4.0 -ansible-lint==6.20.0 +ansible-lint==6.20.2 bcrypt==4.0.1 jmespath==1.0.1 netaddr==0.9.0 From 7cb2ea263d4f3cb9fdb68a5b1188c7ea6994b202 Mon Sep 17 00:00:00 2001 
From: Joseph Hanson Date: Sun, 1 Oct 2023 19:12:11 -0500 Subject: [PATCH 32/54] Adding hetzner cloud controller manager for hetzner cloud load balancers. --- .../kube-system/hccm/app/externalsecret.yaml | 18 ++++++++++++++++ .../kube-system/hccm/app/helmrelease.yaml | 21 +++++++++++++++++++ .../kube-system/hccm/app/kustomization.yaml | 7 +++++++ kubernetes/apps/kube-system/hccm/ks.yaml | 16 ++++++++++++++ .../apps/kube-system/kustomization.yaml | 1 + .../metrics-server/app/kustomization.yaml | 1 + .../flux/repositories/helm/hetzner.yaml | 10 +++++++++ .../flux/repositories/helm/kustomization.yaml | 2 ++ 8 files changed, 76 insertions(+) create mode 100644 kubernetes/apps/kube-system/hccm/app/externalsecret.yaml create mode 100644 kubernetes/apps/kube-system/hccm/app/helmrelease.yaml create mode 100644 kubernetes/apps/kube-system/hccm/app/kustomization.yaml create mode 100644 kubernetes/apps/kube-system/hccm/ks.yaml create mode 100644 kubernetes/flux/repositories/helm/hetzner.yaml diff --git a/kubernetes/apps/kube-system/hccm/app/externalsecret.yaml b/kubernetes/apps/kube-system/hccm/app/externalsecret.yaml new file mode 100644 index 0000000..c629077 --- /dev/null +++ b/kubernetes/apps/kube-system/hccm/app/externalsecret.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: hcloud + namespace: kube-system +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: hcloud + creationPolicy: Owner + data: + - secretKey: network + remoteRef: + key: hetzner + property: cloud-api-token diff --git a/kubernetes/apps/kube-system/hccm/app/helmrelease.yaml b/kubernetes/apps/kube-system/hccm/app/helmrelease.yaml new file mode 100644 index 0000000..1d4d1ef --- /dev/null +++ b/kubernetes/apps/kube-system/hccm/app/helmrelease.yaml 
@@ -0,0 +1,21 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: hccm + namespace: kube-system +spec: + interval: 30m + chart: + spec: + chart: hcloud-cloud-controller-manager + version: v1.18.0 + sourceRef: + kind: HelmRepository + name: hetzner + namespace: flux-system + interval: 30m + values: + metrics: + enabled: true diff --git a/kubernetes/apps/kube-system/hccm/app/kustomization.yaml b/kubernetes/apps/kube-system/hccm/app/kustomization.yaml new file mode 100644 index 0000000..749cbd1 --- /dev/null +++ b/kubernetes/apps/kube-system/hccm/app/kustomization.yaml @@ -0,0 +1,7 @@ +# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kube-system +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/kube-system/hccm/ks.yaml b/kubernetes/apps/kube-system/hccm/ks.yaml new file mode 100644 index 0000000..916a824 --- /dev/null +++ b/kubernetes/apps/kube-system/hccm/ks.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cluster-apps-hetzner-hccm + namespace: flux-system + labels: + substitution.flux.home.arpa/enabled: "true" +spec: + interval: 10m + path: "./kubernetes/apps/kube-system/hccm/app" + prune: true + sourceRef: + kind: GitRepository + name: valinor + wait: true diff --git a/kubernetes/apps/kube-system/kustomization.yaml b/kubernetes/apps/kube-system/kustomization.yaml index a8875ab..2318d64 100644 --- a/kubernetes/apps/kube-system/kustomization.yaml +++ b/kubernetes/apps/kube-system/kustomization.yaml @@ -1,3 +1,4 @@ +# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json --- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization 
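Review bot: This HelmRelease has no `install.remediation`/`upgrade.remediation` or `upgrade.cleanupOnFail` stanzas, unlike the cilium release elsewhere in this repo (`install: remediation: retries: 3`, `upgrade: cleanupOnFail: true`), so a failed first install will sit in a failed state rather than retry; adding the same block keeps the releases consistent. The chart reads the `hcloud` Secret produced by the ExternalSecret in this commit, so the Flux Kustomization for this app probably needs a `dependsOn` for whatever delivers the `onepassword-connect` ClusterSecretStore — that wiring is outside this diff, so treat it as a question.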
diff --git a/kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml b/kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml index 1c3fdb0..749cbd1 100644 --- a/kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml +++ b/kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml @@ -1,3 +1,4 @@ +# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json --- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization diff --git a/kubernetes/flux/repositories/helm/hetzner.yaml b/kubernetes/flux/repositories/helm/hetzner.yaml new file mode 100644 index 0000000..668285e --- /dev/null +++ b/kubernetes/flux/repositories/helm/hetzner.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: hetzner + namespace: flux-system +spec: + interval: 30m + url: https://charts.hetzner.cloud + timeout: 3m diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml index deddf11..1ba2b62 100644 --- a/kubernetes/flux/repositories/helm/kustomization.yaml +++ b/kubernetes/flux/repositories/helm/kustomization.yaml @@ -1,3 +1,4 @@ +# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json --- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization @@ -12,6 +13,7 @@ resources: - external-secrets.yaml - fairwinds.yaml - grafana.yaml + - hetzner.yaml - ingress-nginx.yaml - jahanson.yaml - jetstack.yaml From 2b7279bb2821610a133f566ff435a46841fe5316 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Sun, 1 Oct 2023 19:17:40 -0500 Subject: [PATCH 33/54] Updated ks for hccm. --- kubernetes/apps/kube-system/kustomization.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/kubernetes/apps/kube-system/kustomization.yaml b/kubernetes/apps/kube-system/kustomization.yaml index 2318d64..f2fee2c 100644 --- a/kubernetes/apps/kube-system/kustomization.yaml 
+++ b/kubernetes/apps/kube-system/kustomization.yaml @@ -7,3 +7,4 @@ resources: - ./namespace.yaml # Flux-Kustomizations - ./metrics-server/ks.yaml + - ./hccm/ks.yaml From 670f719a1578c40ce6261fd26998f98acbd0cc16 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Mon, 2 Oct 2023 00:21:52 +0000 Subject: [PATCH 34/54] Adding external secret to ks. --- kubernetes/apps/kube-system/hccm/app/kustomization.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/kubernetes/apps/kube-system/hccm/app/kustomization.yaml b/kubernetes/apps/kube-system/hccm/app/kustomization.yaml index 749cbd1..d868f4a 100644 --- a/kubernetes/apps/kube-system/hccm/app/kustomization.yaml +++ b/kubernetes/apps/kube-system/hccm/app/kustomization.yaml @@ -4,4 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: kube-system resources: + - ./externalsecret.yaml - ./helmrelease.yaml From e1b9ae0268242a92fc98ba2fc710295638131ba4 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Mon, 2 Oct 2023 00:36:02 +0000 Subject: [PATCH 35/54] Update secret for hccm. --- kubernetes/apps/kube-system/hccm/app/externalsecret.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/kubernetes/apps/kube-system/hccm/app/externalsecret.yaml b/kubernetes/apps/kube-system/hccm/app/externalsecret.yaml index c629077..6e9f3a4 100644 --- a/kubernetes/apps/kube-system/hccm/app/externalsecret.yaml +++ b/kubernetes/apps/kube-system/hccm/app/externalsecret.yaml @@ -12,7 +12,11 @@ spec: name: hcloud creationPolicy: Owner data: - - secretKey: network + - secretKey: token remoteRef: key: hetzner property: cloud-api-token + - secretKey: network + remoteRef: + key: hetzner + property: cloud-network-name From a53db34ed3d91396b06cd6e6e67a7dd85311e2f4 Mon Sep 17 00:00:00 2001 
From: Joseph Hanson Date: Mon, 2 Oct 2023 00:53:28 +0000 Subject: [PATCH 36/54] Apply hetzner lb annotations. --- .../network/ingress-nginx/app/helmrelease.yaml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/kubernetes/apps/network/ingress-nginx/app/helmrelease.yaml b/kubernetes/apps/network/ingress-nginx/app/helmrelease.yaml index 7904581..848b278 100644 --- a/kubernetes/apps/network/ingress-nginx/app/helmrelease.yaml +++ b/kubernetes/apps/network/ingress-nginx/app/helmrelease.yaml @@ -18,11 +18,11 @@ spec: controller: replicaCount: 3 - hostPort: - enabled: true - ports: - http: 81 - https: 444 + # hostPort: + # enabled: true + # ports: + # http: 81 + # https: 444 updateStrategy: type: Recreate @@ -31,8 +31,9 @@ spec: enabled: true type: LoadBalancer annotations: - external-dns.alpha.kubernetes.io/hostname: "ingress.valinor.social" - io.cilium/lb-ipam-ips: "10.2.42.1" + load-balancer.hetzner.cloud/location: fsn1 + load-balancer.hetzner.cloud/use-private-ip: "true" + externalTrafficPolicy: Local publishService: From 26445021def6e4bc45b086482523a333a7b9b6be Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Mon, 2 Oct 2023 02:32:49 +0000 Subject: [PATCH 37/54] Update nginx annotations. --- kubernetes/apps/network/ingress-nginx/app/helmrelease.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kubernetes/apps/network/ingress-nginx/app/helmrelease.yaml b/kubernetes/apps/network/ingress-nginx/app/helmrelease.yaml index 848b278..bd6a98b 100644 --- a/kubernetes/apps/network/ingress-nginx/app/helmrelease.yaml +++ b/kubernetes/apps/network/ingress-nginx/app/helmrelease.yaml 
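Review bot: The `external-dns.alpha.kubernetes.io/hostname: "ingress.valinor.social"` annotation is removed together with the Cilium IPAM one, so external-dns will stop managing that record (and may delete it, depending on its policy) even though the ingress is still reachable through the new Hetzner load balancer; if DNS should follow the LB, keep the hostname annotation. The `hostPort` block is commented out rather than deleted — remove it, or leave a one-line comment on why it might come back. `load-balancer.hetzner.cloud/use-private-ip: "true"` is correctly quoted here; keep it that way, since annotation values must be strings.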
@@ -32,7 +32,10 @@ spec: type: LoadBalancer annotations: load-balancer.hetzner.cloud/location: fsn1 - load-balancer.hetzner.cloud/use-private-ip: "true" + load-balancer.hetzner.cloud/protocol: tcp + load-balancer.hetzner.cloud/name: valinor-nginx + load-balancer.hetzner.cloud/use-private-ip: true + load-balancer.hetzner.cloud/uses-proxyprotocol: true externalTrafficPolicy: Local From d1045d28a923396ce31ee727d18b8890b95e222d Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Mon, 2 Oct 2023 03:02:41 +0000 Subject: [PATCH 38/54] Enabling hetzner networks --- kubernetes/apps/kube-system/hccm/app/helmrelease.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kubernetes/apps/kube-system/hccm/app/helmrelease.yaml b/kubernetes/apps/kube-system/hccm/app/helmrelease.yaml index 1d4d1ef..09fc1ed 100644 --- a/kubernetes/apps/kube-system/hccm/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/hccm/app/helmrelease.yaml @@ -19,3 +19,6 @@ spec: values: metrics: enabled: true + networking: + enabled: true + clusterCIDR: 10.244.0.0/16 From 7bdbb3ae49fe7dea5559cf7563915c486724039d Mon Sep 17 00:00:00 2001 From: Smeagol Date: Mon, 2 Oct 2023 09:01:18 +0000 Subject: [PATCH 39/54] Update quay.io/prometheus/alertmanager:main Docker digest to 7c060ae --- kubernetes/apps/monitoring/alertmanager/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/monitoring/alertmanager/app/helmrelease.yaml b/kubernetes/apps/monitoring/alertmanager/app/helmrelease.yaml index 0b092a2..f2cfe7a 100644 --- a/kubernetes/apps/monitoring/alertmanager/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/alertmanager/app/helmrelease.yaml @@ -24,7 +24,7 @@ spec: image: repository: quay.io/prometheus/alertmanager - tag: main@sha256:32e432a57c8ba354f7b42c5a7784033225f86b8b029a29c1f77a8c785ea90ddb + tag: main@sha256:7c060ae2a86177fbb4106fddcdd9f2cd494d4415b67ccda71a9fdf11f52e825b podAnnotations: reloader.stakater.com/auto: "true" 
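Review bot: `load-balancer.hetzner.cloud/use-private-ip: true` and `load-balancer.hetzner.cloud/uses-proxyprotocol: true` are unquoted, so YAML types them as booleans; `metadata.annotations` is a map of strings and the API server rejects the rendered Service, which turns the previous commit's quoted `"true"` into a regression. Quote both values: `load-balancer.hetzner.cloud/use-private-ip: "true"` and `load-balancer.hetzner.cloud/uses-proxyprotocol: "true"`. Enabling PROXY protocol on the load balancer also requires the controller to expect it (ingress-nginx's `use-proxy-protocol: "true"` ConfigMap setting under `controller.config`), otherwise every connection arrives with a PROXY header nginx does not parse; that setting is not in this hunk, so confirm it is set elsewhere in the file.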
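Review bot: `clusterCIDR: 10.244.0.0/16` under the new `networking` block is a hard-coded copy of the cluster's pod subnet, and HCCM will program Hetzner network routes for the wrong range if the Talos pod subnet ever diverges from it; nothing in the hunk ties the two values together. Add a comment on the line, e.g. `clusterCIDR: 10.244.0.0/16  # must match the pod subnet configured in talos/talconfig.yaml`, so whoever changes either side sees the dependency.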
From 27a400ce3d4d33f67d9f2a50163bd14d66583925 Mon Sep 17 00:00:00 2001 From: Smeagol Date: Mon, 2 Oct 2023 09:01:20 +0000 Subject: [PATCH 40/54] Update Thanos group --- .../monitoring/kube-prometheus-stack/app/helmrelease.yaml | 2 +- kubernetes/apps/monitoring/thanos/app/helmrelease.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml index 4163148..85baa4f 100644 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml @@ -201,7 +201,7 @@ spec: enableAdminAPI: true walCompression: true thanos: - image: quay.io/thanos/thanos:v0.32.3 + image: quay.io/thanos/thanos:v0.32.4 objectStorageConfig: name: thanos-s3-secret key: objstore.yml diff --git a/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml b/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml index d3fa3ea..c7cc918 100644 --- a/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml @@ -11,7 +11,7 @@ spec: chart: spec: chart: thanos - version: 12.13.5 + version: 12.13.6 sourceRef: kind: HelmRepository name: bitnami @@ -34,7 +34,7 @@ spec: image: registry: quay.io repository: thanos/thanos - tag: v0.32.3 + tag: v0.32.4 existingObjstoreSecret: thanos-s3-secret queryFrontend: enabled: true From 0ae24aaf0366fc50fae125fc9ee42f8240386c6d Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Mon, 2 Oct 2023 17:26:34 +0000 Subject: [PATCH 41/54] Fixes metrics server not serving stats from worker nodes. --- .../apps/kube-system/metrics-server/app/helmrelease.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml b/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml index f7dc4bf..8b2f500 100644 
--- a/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml @@ -18,3 +18,8 @@ spec: values: metrics: enabled: true + args: + - --kubelet-insecure-tls + - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname + - --kubelet-use-node-status-port + - --metric-resolution=15s From 745d9c64c6796fe7ae2f7a6bfa4ccc0a98d36f81 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Mon, 2 Oct 2023 17:27:07 +0000 Subject: [PATCH 42/54] Added 3 worker nodes. --- talos/clusterconfig/.gitignore | 3 +++ talos/talconfig.yaml | 45 ++++++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/talos/clusterconfig/.gitignore b/talos/clusterconfig/.gitignore index 7568faf..41f8760 100644 --- a/talos/clusterconfig/.gitignore +++ b/talos/clusterconfig/.gitignore @@ -2,3 +2,6 @@ valinor-aule.hsn.dev.yaml valinor-eonwe.hsn.dev.yaml valinor-arlen.hsn.dev.yaml talosconfig +valinor-vaire.hsn.dev.yaml +valinor-nienna.hsn.dev.yaml +valinor-orome.hsn.dev.yaml diff --git a/talos/talconfig.yaml b/talos/talconfig.yaml index 3947df4..a842645 100644 --- a/talos/talconfig.yaml +++ b/talos/talconfig.yaml 
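Review bot: `--kubelet-insecure-tls` in the new `args` list disables verification of the kubelet serving certificate, so metrics-server will trust any endpoint answering on a node's kubelet port; that fixes the worker-node scrape failure named in the commit title but gives up kubelet identity checks permanently. The Talos-native alternative is to have kubelets obtain CA-signed serving certificates (the `serverTLSBootstrap` kubelet setting in the machine config, with the resulting CSRs approved) and then drop the flag. If the flag has to stay for now, record why next to it, e.g. `- --kubelet-insecure-tls  # TODO: remove once kubelet serving certs are CA-signed`, so it is not mistaken for a deliberate long-term setting.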
@@ -63,6 +63,51 @@ nodes: - network: 10.2.0.0/16 gateway: 10.2.1.1 # The route's gateway (if empty, creates link scope route). metric: 2048 + - hostname: vaire.hsn.dev + disableSearchDomain: true + ipAddress: 10.2.0.8 + controlPlane: false + installDiskSelector: + busPath: /dev/sda + networkInterfaces: + - interface: eth0 + dhcp: true + - interface: eth1 + dhcp: true + routes: + - network: 10.2.0.0/16 + gateway: 10.2.1.1 # The route's gateway (if empty, creates link scope route). + metric: 2048 + - hostname: nienna.hsn.dev + disableSearchDomain: true + ipAddress: 10.2.0.9 + controlPlane: false + installDiskSelector: + busPath: /dev/sda + networkInterfaces: + - interface: eth0 + dhcp: true + - interface: eth1 + dhcp: true + routes: + - network: 10.2.0.0/16 + gateway: 10.2.1.1 # The route's gateway (if empty, creates link scope route). + metric: 2048 + - hostname: orome.hsn.dev + disableSearchDomain: true + ipAddress: 10.2.0.10 + controlPlane: false + installDiskSelector: + busPath: /dev/sda + networkInterfaces: + - interface: eth0 + dhcp: true + - interface: eth1 + dhcp: true + routes: + - network: 10.2.0.0/16 + gateway: 10.2.1.1 # The route's gateway (if empty, creates link scope route). + metric: 2048 controlPlane: patches: From d792494249434c4ab899a64a83c4715b15bb64a3 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Mon, 2 Oct 2023 18:41:45 +0000 Subject: [PATCH 43/54] Adding cilium to flux. --- .../kube-system/cilium/app/helmrelease.yaml | 60 +++++++++++++++++++ kubernetes/apps/kube-system/cilium/ks.yaml | 17 ++++++ 2 files changed, 77 insertions(+) create mode 100644 kubernetes/apps/kube-system/cilium/app/helmrelease.yaml create mode 100644 kubernetes/apps/kube-system/cilium/ks.yaml diff --git a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml new file mode 100644 index 0000000..996604f --- /dev/null +++ b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml 
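Review bot: The three new worker stanzas (`vaire`, `nienna`, `orome`) are identical apart from `hostname` and `ipAddress`, down to the repeated `# The route's gateway (if empty, creates link scope route).` comment, so any future change to the interface or route layout now has to be made in six places. If talhelper accepts plain YAML anchors, the shared `installDiskSelector`/`networkInterfaces` subtree can be declared once with `&worker_net` and pulled into each node with `<<: *worker_net`; if it does not, at least keep that comment on the first route only rather than on every copy. The enclosing `nodes:` list starts above this hunk.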
@@ -0,0 +1,60 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: cilium + namespace: kube-system +spec: + interval: 30m + chart: + spec: + chart: cilium + version: 1.14.2 + sourceRef: + kind: HelmRepository + name: cilium + namespace: flux-system + maxHistory: 2 + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + uninstall: + keepHistory: false + values: + cluster: + name: valinor + id: 1 + ipam: + mode: kubernetes + kubeProxyReplacement: true + securityContext: + capabilities: + ciliumAgent: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + cleanCiliumState: + - NET_ADMIN + - SYS_ADMIN + - SYS_RESOURCE + cgroup: + autoMount: + enabled: false + hostRoot: /sys/fs/cgroup + # Talos Kubeprism + k8sServiceHost: localhost + k8sServicePort: 7445 + rollOutCiliumPods: true diff --git a/kubernetes/apps/kube-system/cilium/ks.yaml b/kubernetes/apps/kube-system/cilium/ks.yaml new file mode 100644 index 0000000..e2eadc5 --- /dev/null +++ b/kubernetes/apps/kube-system/cilium/ks.yaml @@ -0,0 +1,17 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cluster-apps-cilium + namespace: flux-system +spec: + interval: 30m + retryInterval: 1m + timeout: 5m + path: "./kubernetes/apps/kube-system/cilium/app" + prune: true + sourceRef: + kind: GitRepository + name: valinor + wait: false From c6508f9e665233b560d3d494bc6be1584bee0466 Mon Sep 17 00:00:00 2001 
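Review bot: `k8sServiceHost: localhost` / `k8sServicePort: 7445` under `values` only resolves on nodes where Talos KubePrism is enabled, and with `kubeProxyReplacement: true` there is no kube-proxy path to fall back on, so an agent on a node without it never reaches the API server; the later commit in this series ("Kubeprism isn't on workers") runs into exactly that. Enabling KubePrism in the worker machine config (`machine.features.kubePrism`) keeps the localhost endpoint working everywhere instead of hard-coding a single address. The explicit `securityContext.capabilities` lists also deserve a note on their origin, e.g. `# capability set from the Talos Cilium install guide (appears to omit the chart's default SYS_MODULE)` above `ciliumAgent:`, since a reader will otherwise wonder why the chart defaults were replaced.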
From: Smeagol Date: Mon, 2 Oct 2023 19:00:17 +0000 Subject: [PATCH 44/54] Update Helm release cert-manager-webhook-dnsimple to v0.0.8 --- .../apps/cert-manager/cert-manager/issuers/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml index a62c0a5..04a547a 100644 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: cert-manager-webhook-dnsimple - version: 0.0.7 + version: 0.0.8 interval: 30m sourceRef: kind: HelmRepository From b3d0634a0960dcebc4bcff710645dc81bdd6455c Mon Sep 17 00:00:00 2001 From: Smeagol Date: Mon, 2 Oct 2023 19:00:25 +0000 Subject: [PATCH 45/54] Update prometheus-node-exporter Docker tag to v4.23.2 --- kubernetes/apps/monitoring/node-exporter/app/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/monitoring/node-exporter/app/helmrelease.yaml b/kubernetes/apps/monitoring/node-exporter/app/helmrelease.yaml index 69ed9ef..b6017b8 100644 --- a/kubernetes/apps/monitoring/node-exporter/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/node-exporter/app/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: prometheus-node-exporter - version: 4.23.1 + version: 4.23.2 sourceRef: kind: HelmRepository name: prometheus-community From 26d159a4ccc2938b23ac5efb28f0d54fa1d665a8 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Mon, 2 Oct 2023 19:41:03 +0000 Subject: [PATCH 46/54] Default value for container port. --- .../apps/cert-manager/cert-manager/issuers/helmrelease.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml index 04a547a..a3cae95 100644 
--- a/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml @@ -33,3 +33,4 @@ spec: secretKeyRef: name: dnsimple-api-token key: letsencrypt-email + containerPort: 8443 From 8c3fb9103f52aa3bedd8447de01fc476ba9a83a0 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Mon, 2 Oct 2023 20:06:04 +0000 Subject: [PATCH 47/54] Update to 0.0.9. --- .../apps/cert-manager/cert-manager/issuers/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml index a3cae95..7057103 100644 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: cert-manager-webhook-dnsimple - version: 0.0.8 + version: 0.0.9 interval: 30m sourceRef: kind: HelmRepository From 7de48ecec750190c99eb0fda1691e996224b8b07 Mon Sep 17 00:00:00 2001 From: Smeagol Date: Mon, 2 Oct 2023 21:02:18 +0000 Subject: [PATCH 48/54] Update Helm release cert-manager-webhook-dnsimple to v0.0.10 --- .../apps/cert-manager/cert-manager/issuers/helmrelease.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml index 7057103..b676075 100644 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml @@ -10,7 +10,7 @@ spec: chart: spec: chart: cert-manager-webhook-dnsimple - version: 0.0.9 + version: 0.0.10 interval: 30m sourceRef: kind: HelmRepository From 38e56574e9393bf5321ed2a7dfa6d71120e055c7 Mon Sep 17 00:00:00 2001 
From: Joseph Hanson Date: Mon, 2 Oct 2023 21:22:49 +0000 Subject: [PATCH 49/54] Update values for port. --- .../apps/cert-manager/cert-manager/issuers/helmrelease.yaml | 2 +- kubernetes/apps/cert-manager/cert-manager/ks.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml index b676075..8d4d76f 100644 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml @@ -33,4 +33,4 @@ spec: secretKeyRef: name: dnsimple-api-token key: letsencrypt-email - containerPort: 8443 + containerport: 8443 diff --git a/kubernetes/apps/cert-manager/cert-manager/ks.yaml b/kubernetes/apps/cert-manager/cert-manager/ks.yaml index ce2e6f4..0597f29 100644 --- a/kubernetes/apps/cert-manager/cert-manager/ks.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/ks.yaml @@ -27,6 +27,6 @@ spec: sourceRef: kind: GitRepository name: valinor - wait: true + wait: false dependsOn: - name: cluster-apps-cert-manager From 4a0efb7cee2a7259ec4939c4e8258966deeb8773 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Mon, 2 Oct 2023 21:30:21 +0000 Subject: [PATCH 50/54] Add cilium to flux. --- kubernetes/apps/kube-system/kustomization.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/kubernetes/apps/kube-system/kustomization.yaml b/kubernetes/apps/kube-system/kustomization.yaml index f2fee2c..77119be 100644 --- a/kubernetes/apps/kube-system/kustomization.yaml +++ b/kubernetes/apps/kube-system/kustomization.yaml @@ -6,5 +6,6 @@ resources: # Pre Flux-Kustomizations - ./namespace.yaml # Flux-Kustomizations + - ./cilium/ks.yaml - ./metrics-server/ks.yaml - ./hccm/ks.yaml From bb10849eab19c5dc032d167f9f4511faedc91893 Mon Sep 17 00:00:00 2001 
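Review bot: `containerport: 8443` changes only the key's case from the previous `containerPort`, and Helm never rejects an unknown values key, so whichever spelling the chart does not read is silently ignored and the value has no effect; the commit gives no sign which spelling was verified. Check the chart's values file for the exact key before relying on this, and leave a comment on the line, e.g. `containerport: 8443  # key spelling as defined by the cert-manager-webhook-dnsimple chart`, so the unusual casing is not "corrected" back later.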
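Review bot: Switching `wait: true` to `wait: false` on the issuers Kustomization makes Flux report it Ready as soon as the objects are applied, not once the HelmRelease and the webhook it deploys are healthy, so any Kustomization that depends on this one can now proceed while no issuer exists. If the motive is a health check that blocks reconciliation for too long, `timeout` is the field for that; either way a comment on the line, `wait: false  # reason here`, would explain why the readiness guarantee was given up.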
From: Joseph Hanson Date: Mon, 2 Oct 2023 21:45:00 +0000 Subject: [PATCH 51/54] Kubeprism isn't on workers, we'll just stick with the regular LB for now. --- kubernetes/apps/kube-system/cilium/app/helmrelease.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml index 996604f..ee4107e 100644 --- a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml @@ -54,7 +54,6 @@ spec: autoMount: enabled: false hostRoot: /sys/fs/cgroup - # Talos Kubeprism - k8sServiceHost: localhost - k8sServicePort: 7445 + k8sServiceHost: 10.2.0.6 + k8sServicePort: 6443 rollOutCiliumPods: true From e52a3b14e7130c22b03985f3c42a5a4bfb1d99b0 Mon Sep 17 00:00:00 2001 From: Smeagol Date: Mon, 2 Oct 2023 22:00:16 +0000 Subject: [PATCH 52/54] Update dependency ansible-lint to v6.20.3 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 0449c53..52fec1d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,5 @@ ansible==8.4.0 -ansible-lint==6.20.2 +ansible-lint==6.20.3 bcrypt==4.0.1 jmespath==1.0.1 netaddr==0.9.0 From e5519abd19f2419d08eac282fa32770cd049c5a4 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Tue, 3 Oct 2023 11:19:50 +0000 Subject: [PATCH 53/54] Remove statsd from prometheus. --- .../monitoring/kube-prometheus-stack/app/helmrelease.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml index 85baa4f..811351c 100644 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml +++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml 
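Review bot: `k8sServiceHost: 10.2.0.6` hard-codes the address of what the commit message calls the regular API load balancer, and because Cilium runs with `kubeProxyReplacement: true` this is the only path its agents have to the API server; if the LB is ever recreated with a new private IP the agents on every node lose connectivity until this file is edited. Enabling KubePrism on the worker nodes too (`machine.features.kubePrism` in their Talos machine config) would let the removed `localhost:7445` endpoint work on all nodes and removes the single hard-coded address. Until then, mark the line, e.g. `k8sServiceHost: 10.2.0.6  # API LB private IP; replace with KubePrism once enabled on workers`; the `values:` mapping this sits in starts above the hunk.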
@@ -207,14 +207,6 @@ spec: key: objstore.yml retention: 2d retentionSize: 15GB - additionalScrapeConfigs: - - job_name: statsd-exporter - scrape_interval: 1m - scrape_timeout: 10s - honor_timestamps: true - static_configs: - - targets: - - statsd-exporter.fediverse.svc.cluster.local:9102 # default zalando postgres cluster storageSpec: volumeClaimTemplate: spec: From ecce3067a6adb5b4312fe6e76b26cb34e7c2bf4f Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Tue, 3 Oct 2023 14:31:03 +0000 Subject: [PATCH 54/54] Solving bursty CPU alerts. --- .../apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml b/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml index 83a35ad..0909e08 100644 --- a/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml +++ b/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml @@ -62,6 +62,14 @@ spec: - name: "arlen" devices: - name: /dev/disk/by-id/scsi-0HC_Volume_37460897 + resources: + mgr: + limits: + cpu: "1000m" + memory: "1Gi" + requests: + cpu: "1000m" + memory: "1Gi" ingress: ingressClassName: "nginx"