diff --git a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml
index e436f61..7888e2b 100644
--- a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml
@@ -10,7 +10,7 @@ spec:
 chart:
 spec:
 chart: cert-manager
- version: v1.12.3
+ version: v1.13.1
 sourceRef:
 kind: HelmRepository
 name: jetstack
diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml
index a62c0a5..a3cae95 100644
--- a/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml
@@ -10,7 +10,7 @@ spec:
 chart:
 spec:
 chart: cert-manager-webhook-dnsimple
- version: 0.0.7
+ version: 0.0.8
 interval: 30m
 sourceRef:
 kind: HelmRepository
@@ -33,3 +33,4 @@ spec:
 secretKeyRef:
 name: dnsimple-api-token
 key: letsencrypt-email
+ containerPort: 8443
diff --git a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml
new file mode 100644
index 0000000..996604f
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml
@@ -0,0 +1,60 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: cilium
+ namespace: kube-system
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: cilium
+ version: 1.14.2
+ sourceRef:
+ kind: HelmRepository
+ name: cilium
+ namespace: flux-system
+ maxHistory: 2
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ uninstall:
+ keepHistory: false
+ values:
+ cluster:
+ name: valinor
+ id: 1
+ ipam:
+ mode: kubernetes
+ kubeProxyReplacement: true
+ securityContext:
+ capabilities:
+ ciliumAgent:
+ - CHOWN
+ - KILL
+ - NET_ADMIN
+ - NET_RAW
+ - IPC_LOCK
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ - DAC_OVERRIDE
+ - FOWNER
+ - SETGID
+ - SETUID
+ cleanCiliumState:
+ - NET_ADMIN
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ cgroup:
+ autoMount:
+ enabled: false
+ hostRoot: /sys/fs/cgroup
+ # Talos Kubeprism
+ k8sServiceHost: localhost
+ k8sServicePort: 7445
+ rollOutCiliumPods: true
diff --git a/kubernetes/apps/kube-system/cilium/ks.yaml b/kubernetes/apps/kube-system/cilium/ks.yaml
new file mode 100644
index 0000000..e2eadc5
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/ks.yaml
@@ -0,0 +1,17 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cluster-apps-cilium
+ namespace: flux-system
+spec:
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+ path: "./kubernetes/apps/kube-system/cilium/app"
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: valinor
+ wait: false
diff --git a/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml b/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml
index f7dc4bf..8b2f500 100644
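Review bot: The `securityContext.capabilities.ciliumAgent` list in this hunk is a hand-picked set with no explanation of why it differs from the chart default, and a future maintainer is likely to "fix" it by re-adding SYS_MODULE; as far as I recall it matches the reduced list from Cilium's Talos install guide, where the agent must not load kernel modules, and that rationale belongs next to it. Suggested comment above `ciliumAgent:`: `# Talos: reduced capability set from Cilium's Talos guide; SYS_MODULE is intentionally omitted (no module loading from the agent)`. Separately, `k8sServiceHost: localhost` / `k8sServicePort: 7445` only work if KubePrism is enabled in the Talos machine config (`machine.features.kubePrism.enabled: true`), which this commit does not show; because `kubeProxyReplacement: true` removes the kube-proxy fallback, a node without KubePrism leaves the agent unable to reach the API server at all, so the `# Talos Kubeprism` comment should name that dependency.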
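Review bot: `prune: true` on the Kustomization that owns the CNI means that if this path is ever removed or renamed in Git, Flux garbage-collects Cilium and every node loses pod networking, including the Flux controllers that would be needed to put it back. Either set `prune: false` here, as is common for bootstrap-critical components, or at least record the blast radius on the line: `prune: true # NOTE: pruning the CNI takes down cluster networking; never drop this path without a replacement in the same commit`. `wait: false` is reasonable for a CNI, presumably with dependent Kustomizations gating on it via `dependsOn` elsewhere.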
--- a/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml
+++ b/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml
@@ -18,3 +18,8 @@ spec:
 values:
 metrics:
 enabled: true
+ args:
+ - --kubelet-insecure-tls
+ - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+ - --kubelet-use-node-status-port
+ - --metric-resolution=15s
diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml
index 4163148..85baa4f 100644
--- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml
+++ b/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml
@@ -201,7 +201,7 @@ spec:
 enableAdminAPI: true
 walCompression: true
 thanos:
- image: quay.io/thanos/thanos:v0.32.3
+ image: quay.io/thanos/thanos:v0.32.4
 objectStorageConfig:
 name: thanos-s3-secret
 key: objstore.yml
diff --git a/kubernetes/apps/monitoring/node-exporter/app/helmrelease.yaml b/kubernetes/apps/monitoring/node-exporter/app/helmrelease.yaml
index 69ed9ef..b6017b8 100644
--- a/kubernetes/apps/monitoring/node-exporter/app/helmrelease.yaml
+++ b/kubernetes/apps/monitoring/node-exporter/app/helmrelease.yaml
@@ -10,7 +10,7 @@ spec:
 chart:
 spec:
 chart: prometheus-node-exporter
- version: 4.23.1
+ version: 4.23.2
 sourceRef:
 kind: HelmRepository
 name: prometheus-community
diff --git a/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml b/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml
index d3fa3ea..c7cc918 100644
--- a/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml
+++ b/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml
@@ -11,7 +11,7 @@ spec:
 chart:
 spec:
 chart: thanos
- version: 12.13.5
+ version: 12.13.6
 sourceRef:
 kind: HelmRepository
 name: bitnami
@@ -34,7 +34,7 @@ spec:
 image:
 registry: quay.io
 repository: thanos/thanos
- tag: v0.32.3
+ tag: v0.32.4
 existingObjstoreSecret: thanos-s3-secret
 queryFrontend:
 enabled: true
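Review bot: `--kubelet-insecure-tls` in the metrics-server hunk disables verification of every kubelet's serving certificate, so metrics-server will accept whatever answers on a node's port 10250 and the resource metrics that drive HPA decisions can be spoofed by an on-path host. The flag is normally added because kubelets present self-signed serving certs; this cluster appears to be Talos (the `talos/` paths and the KubePrism comment elsewhere in the commit), which can issue kubelet serving certs from the cluster CA via `machine.kubelet.extraArgs: { rotate-server-certificates: "true" }` plus a CSR approver such as kubelet-serving-cert-approver, after which the flag can go. If it has to stay for now, record the reason and exit condition on the line: `- --kubelet-insecure-tls # TODO: drop once kubelet serving certs are signed by the cluster CA (rotate-server-certificates + CSR approver)`. The `InternalIP`-first ordering in `--kubelet-preferred-address-types` is already consistent with that end state, since node IPs are what those certs carry as SANs.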
diff --git a/requirements.txt b/requirements.txt
index 3b58068..0449c53 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,5 @@
 ansible==8.4.0
-ansible-lint==6.20.0
+ansible-lint==6.20.2
 bcrypt==4.0.1
 jmespath==1.0.1
 netaddr==0.9.0
diff --git a/talos/clusterconfig/.gitignore b/talos/clusterconfig/.gitignore
index 7568faf..41f8760 100644
--- a/talos/clusterconfig/.gitignore
+++ b/talos/clusterconfig/.gitignore
@@ -2,3 +2,6 @@ valinor-aule.hsn.dev.yaml
 valinor-eonwe.hsn.dev.yaml
 valinor-arlen.hsn.dev.yaml
 talosconfig
+valinor-vaire.hsn.dev.yaml
+valinor-nienna.hsn.dev.yaml
+valinor-orome.hsn.dev.yaml
diff --git a/talos/talconfig.yaml b/talos/talconfig.yaml
index 3947df4..a842645 100644
--- a/talos/talconfig.yaml
+++ b/talos/talconfig.yaml
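Review bot: The generated per-node machine configs under `talos/clusterconfig/` hold cluster secrets (CA material and the join token), yet the `.gitignore` hunk keeps excluding them one filename at a time, so the next node added to `talconfig.yaml` without a matching ignore line has its secrets committed on the first `git add -A`. Replace the growing per-host list with a pattern that covers any future node, e.g. `valinor-*.hsn.dev.yaml`, and keep `talosconfig` as it is; the three explicit lines added here then become redundant and can be dropped. If exact names are wanted for readability, keep them but still add the glob as a safety net.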
@@ -63,6 +63,51 @@ nodes:
 - network: 10.2.0.0/16
 gateway: 10.2.1.1 # The route's gateway (if empty, creates link scope route).
 metric: 2048
+ - hostname: vaire.hsn.dev
+ disableSearchDomain: true
+ ipAddress: 10.2.0.8
+ controlPlane: false
+ installDiskSelector:
+ busPath: /dev/sda
+ networkInterfaces:
+ - interface: eth0
+ dhcp: true
+ - interface: eth1
+ dhcp: true
+ routes:
+ - network: 10.2.0.0/16
+ gateway: 10.2.1.1 # The route's gateway (if empty, creates link scope route).
+ metric: 2048
+ - hostname: nienna.hsn.dev
+ disableSearchDomain: true
+ ipAddress: 10.2.0.9
+ controlPlane: false
+ installDiskSelector:
+ busPath: /dev/sda
+ networkInterfaces:
+ - interface: eth0
+ dhcp: true
+ - interface: eth1
+ dhcp: true
+ routes:
+ - network: 10.2.0.0/16
+ gateway: 10.2.1.1 # The route's gateway (if empty, creates link scope route).
+ metric: 2048
+ - hostname: orome.hsn.dev
+ disableSearchDomain: true
+ ipAddress: 10.2.0.10
+ controlPlane: false
+ installDiskSelector:
+ busPath: /dev/sda
+ networkInterfaces:
+ - interface: eth0
+ dhcp: true
+ - interface: eth1
+ dhcp: true
+ routes:
+ - network: 10.2.0.0/16
+ gateway: 10.2.1.1 # The route's gateway (if empty, creates link scope route).
+ metric: 2048
 controlPlane:
 patches: