chore: change how flux is bootstrapped and configured in the cluster, use go-task for utility

2024-05-03 21:26:26 -04:00 · 2024-05-03 21:26:26 -04:00 · 42b9f3c530
parent 8999d90e00
commit 42b9f3c530
10 changed files with 268 additions and 9701 deletions
--- a/.taskfiles/Flux/Taskfile.yaml
+++ b/.taskfiles/Flux/Taskfile.yaml
@ -0,0 +1,22 @@
+---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
+version: "3"
+
+vars:
+  CLUSTER_SECRET_SOPS_FILE: "{{.CLUSTER_DIR}}/bootstrap/flux/sops-key.sops.yaml"
+  GITHUB_DEPLOY_KEY_FILE: "{{.CLUSTER_DIR}}/bootstrap/flux/forgejo-deploy-key.sops.yaml"
+
+tasks:
+  bootstrap:
+    desc: Bootstrap Flux into a Kubernetes cluster
+    cmds:
+      - kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/bootstrap/flux
+      - sops --decrypt {{.CLUSTER_SECRET_SOPS_FILE}} | kubectl apply --server-side --filename -z
+      - sops --decrypt {{.GITHUB_DEPLOY_KEY_FILE}} | kubectl apply --server-side --filename -
+      - kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/flux/config
+    preconditions:
+      - { msg: "Missing cluster sops key", sh: "gpg -K 687802D4DFD8AA82EA55666CF7DADAC782D7663D" }
+
+  reconcile:
+    desc: Force update Flux to pull in changes from your Git repository
+    cmd: flux reconcile --namespace flux-system kustomization cluster --with-source
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
+version: "3"
+
+vars:
+  CLUSTER_DIR: "{{.ROOT_DIR}}/cluster"
+
+includes:
+  flux: .taskfiles/Flux/Taskfile.yaml
--- a/cluster/base/ks.yaml
+++ b/cluster/base/ks.yaml
@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@ -10,12 +11,13 @@ spec:
  prune: true
  sourceRef:
    kind: GitRepository
-    name: flux-system
+    name: home-cluster
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
 ---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@ -28,8 +30,9 @@ spec:
  prune: true
  sourceRef:
    kind: GitRepository
-    name: flux-system
+    name: home-cluster
 ---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@ -45,7 +48,7 @@ spec:
  prune: true
  sourceRef:
    kind: GitRepository
-    name: flux-system
+    name: home-cluster
  decryption:
    provider: sops
    secretRef:
@ -58,6 +61,7 @@ spec:
      - kind: Secret
        name: cluster-secrets
 ---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@ -73,7 +77,7 @@ spec:
  prune: true
  sourceRef:
    kind: GitRepository
-    name: flux-system
+    name: home-cluster
  decryption:
    provider: sops
    secretRef:
--- a/cluster/base/flux-system/gotk-components.yaml
+++ b/cluster/base/flux-system/gotk-components.yaml
--- a/cluster/bootstrap/flux/forgejo-deploy-key.sops.yaml
+++ b/cluster/bootstrap/flux/forgejo-deploy-key.sops.yaml
@ -0,0 +1,76 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: forgejo-deploy-key
+    namespace: flux-system
+type: Opaque
+stringData:
+    identity: ENC[AES256_GCM,data:vqTgMRcQehWBwW/PCA3eyMLrloMbEQgV4gDcNNGoumvVoAA7v7sSJvRhfajNx2hLhmIF+82TkeJBIJGuFQp+Kw9tvNAWXXu3pDmWN0ZlaOcIXndLnM39GeZpduoYfBVLaP2PUbINPMcaFDjmWCdRpz+DhQiNAHlWlbL5opvpjhPpIdOg2q2uyJl/s2Pc75H+zUr0Tj8TMnwmnBPwFvW90msT8FZeD/uGcQsP/EZiy7a7f2e3n/OmqF/vPfBx6UK3ZbixYxp4NuY9jioWjE38aRcwBAsZJgxGnlB9bsc9826ALrQf/rV5kEOid5vRLZvfH2F63UGM2lox0qiREcjeE2XqFhxJ5TpLEY7tOfITydi75ZJSsyG2qpO4WuoHkuArLlQFPZhXgNVEOVPBoU+wQxUFsDVZWu4DnOv6yozVgGNgUqTInOvsIqwOOZzEzUbDxOffBD57LniVFXimmvWyBjPH7vWxE/wQXwaigtVtk5RpI8EEqIO4h/DJ3kzr0TRRXWv6hN9+4gFjarNJ8tnYxzfGpSqdVR7PLbol,iv:3kkhD+oE9GSOvnIntmn4ewkvCvAMzxA+ng2KCtOiZ7w=,tag:zkSTh+9cI8grCRSuLmOmaw==,type:str]
+    identity.pub: ENC[AES256_GCM,data:SuhyB1aDkftiybkq7IM3vguavPrz7UKp65CzOlPUeQBdQ3fMoVnLlYDXPC3S10IIbYr2tCccMNZ4fU60ucTNM+AO8BxEw/L3fk5Zk9ZLjlY=,iv:r3rKFBPZQ9JaQYB2FT0n4yiQ4nVxy5rWJ4rOhpUV1XA=,tag:LpZ2sGBbme6UE1G5cLgqVw==,type:str]
+    known_hosts: ENC[AES256_GCM,data:XsDwDqIrBSpNx4E3gs9IF4ZBVHVWk752BgFZDCSlOf1yJe0nzIF7SxefaLuC2KhRNSQF084TLzYyNCkBOxjlZ+wCzvTWk7CmmgUWNuELESNLSSPZGnFeYtXdFVnyTJvHeJcJgOsQRvCThPtbszi1n7Ao/AVXDf+PuyGIUZACiPuSNMTnZJDo5L7qbzWX3NjCKcWYVERWHnOvYWWdeQJtmL+r+ZFKo/iFWFAbpOY8V0ly3w==,iv:24nAuDmNUcYKJO3R8F4+1DyVSBG3mYbsIaliBfWrW14=,tag:mGGMTTi+NTyssm/KuHKd/A==,type:str]
+    password: ENC[AES256_GCM,data:YNLtVulYnGMU9BlvvcX0hOt4jFItG3c1mWLh6q/57eRu3OWf7qdLFQ==,iv:hBIDKXVgJ68rA15+8MfeTasFTU6NSS//A10oh5SdO94=,tag:KgxbhN62bRVmmdM8XnvuEg==,type:str]
+    username: ENC[AES256_GCM,data:xmPA,iv:hrlDr7O4sDwc5GMgkxvbPyNzAEpElLQlaATbHL7wST8=,tag:1xEgwqaiJXe/lxO59Q6vDg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-05-04T01:22:43Z"
+    mac: ENC[AES256_GCM,data:S4+5EPXeqFFBEXoF9Y7doWRe+JBBhDeFMX6KrVnQNAxfpZBr4IQvAgrpOMRtWqbOHBrUoZZjq7E8ZFpGuklnqmI2q1jUdkO+xSlE2sP3dC6E+lEPTdBM5yi9lITv3edAQTdgaNckb092QcmTmHH0ENxTrO/a8YHNH4wJUeOXHx4=,iv:Uea9NRXFe31o+AySqHKuzMJgDt0roM/Ult1kipvzw3c=,tag:iQA+5q/CZirZOblntQ+AmA==,type:str]
+    pgp:
+        - created_at: "2024-05-04T01:22:43Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAyqlIeyoxYovARAA1BJyf5s6fto5y6EcsQ1G/ZicV4bbLZxhGDC5oRCP2xXC
+            541Zdp6kqEhLKyh8vZ8r8CF0C/sB4jY52aHR/FEwqu5VUERWOPO6kk5dvD7eUzgv
+            lVqaCvuoNkAb0FjQg6cSAMau+cHDYp3EqE1fW1HbfY/2AoqE4hs9az6yhne6b30y
+            SJ6H8k6fWGZ3K/inEQ/rcew6FTjxHcKx+dmbx6wY6y6lvoet38Zd2Mki4OqPI/57
+            tQj+YqFud/UsuGm3PhuTlkJQI+hO+Re+3O+UEUQ7itO7tPOEgEZ3w1Y8ll6Tuauj
+            QslcToqGeTEfswATeEX8CR/oaU9Jaoh2JZSSQg84I/et7H72Banegy5qdg0R+zdb
+            HH3BRWt96fqV1sH46LTl4f6cfgucZpfUqzVSEIOZNzeZ7V/41bbOQTcj9D9K+nfv
+            0ilrdAPywfH6hYvxNmE19MxOkz8BOWMcmFOeEUhzQ569TMYqziI9Y+LV86lmiehT
+            vxaG4gHDYQSLUFok6V2pv/ooc8nhMp0GjMVRZSgtkKeHfW32UtX0aH4hMt9GUYp2
+            84HzDabMCXCNpPSn5mXZcgOoTU9gw+eGD8M5Qk1lY4sbs76yyAc2R3za25OxfVYP
+            s2XaDLwnPU3rvkQ04OWmiEZ95/B/b+q4mV5dAdCTlFLV0Q7ycDtzMpBPGcqMtXiF
+            AgwDXjg0p2IN1X8BD/4tqDb4YPGBAtS0eNlrWSk5WC/np73gT2eWs5dAPkUF7KSX
+            icb9hkiJGEY1SIWct3i319SzGqYn3UyGDQ8n7aM6pTtbdRaHdZbBcn5QEWT3mP9+
+            T05gpfygroN8DuptRRyuQE+151nL1u4Zbts5SVjdxYzq3dLm3FdpsSp/ud1QHJfe
+            jHGnwKPMrTo1qvim7RR5Le3vKKw0IAP3eYPiAAp1Nv4rP9I1lr/QcYjtKQfGTtUc
+            0+oba3a4OWTtqV0vNOd5egz8PeOSTg/bk6fPetxc3ZpuVswEm7JtWHkfnPXLFiX8
+            xF0fUCWe9DVMTAM4AAHkunFgDVLnACh1/4rDUQ9ygarNRTxEw7uTwcTWLGGHnrRW
+            jBNIuiZIZMkc8fQM5pCkLMPCWvhbzG7VzDmAqt7Z5MaycoYc8nuKg3wtzIQBfFcH
+            YV/fSz6A+9dBNMsyXUom2Kr74o3kf5oL6GoWKt/7D5MFQrf12Y5qp+V5yuZcwix8
+            V/oYKQVZmnyKmOj7jd39Li4X+p9zdi1TDdcVBeoVMEr20I+faxX7+e8FjokQ0wzu
+            RywJsbXEX7GGPt5u5mx89lhxzEzVS4wyVHKxSydf6lmQhpGk3Hv5NAg+chQSEBSe
+            ruDMMgYa5Mldb2ljHAAzlWI0vH8j1teFP0wtaqDzCD9kWYxWMzdOadIsOup4OtRo
+            AQkCEKR6/tD1JqbFMXw39bKC4N/ZGJe5dVZvbixzXxAm+iCVGLvlIM9qhaMs0EUP
+            0tq3a3hQZ5r3TZpgRiQPvIn/rv3qXGP8yDbqC7rF5exlDyFkLEVtasridJ7yz1UK
+            ArD75fdvAcs=
+            =MGbl
+            -----END PGP MESSAGE-----
+          fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD
+        - created_at: "2024-05-04T01:22:43Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAy5t8IMoPu4VAQ/+IWtWSm1PPS5DpZ/PpczUWJlKkuauUfALw8jWX2b7Tfs/
+            Me40dT7cC7rMnZRY0Ip1PjphDNSmQfR7OMO+Q/I/UFb2Z4JGlOHdsGPuuy2wJSfS
+            hsenvqxsuIQpO77FB/7/7enPVE3Szj+phbvKsqGeBIJEnEaalS9/F1h0J3ZlcwAU
+            PqjeiNgNbNZ8mgr1n6VMA0ziKE5MWIEgAnCrzQgv/w6QzLHIPl/JFHSf7eVetJ51
+            J+eah6RaIesNDJV1h+vtbcz6u2rqO7UILR16L1sf7BmIdgE7JTNRfv9IrMPscu0X
+            tmkQDjRX0pXtLdqUUMP2GNttT1JKwvfqh2kqo4BkHeyFyuvcChoRzpgOpanss7lF
+            IrnW3N+GHs1vl5olXFX34bK+mTgMisCbbC/9017hf3EAs73R/IGAdCb5rLSCm9ms
+            5LdWK7UPZUEazt6r0ARPceTbQ5jnTPsp81/SvAG+wjGxvfvmo69JetYJSLUy8R9k
+            8+7vuEjV2APayaWAxOng2etbmJwMMmMxSxB34GP8bD+xO2qcB7O8oMXNohQEo0P4
+            Si7FpwKzJQ+4iJp4LTxotR3PFrl/usk7/Bg9+RVYXEMVQj3ktW+/a4vPOLhnsPRr
+            5uMQdZiwvyt+K4P9EVOKzHG6Kk4NReO1VHUZ1Vvyf/Hr9OXOtq1yhGBSgkw7u6LU
+            aAEJAhAusrUFpMr7rPrc4Ki5xEAyM8PggY0RPdrJwOmUhWq8EmcAkneqSSWWv8mm
+            WXFHXcwnHWBOZOcBVceWqZFJ/e4PhIMReI0UB/ifvv3LyP6fmvGJSWCHcjabMXgY
+            7n2iDcmeWF0D
+            =L6I4
+            -----END PGP MESSAGE-----
+          fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1
--- a/cluster/bootstrap/flux/kustomization.yaml
+++ b/cluster/bootstrap/flux/kustomization.yaml
@ -0,0 +1,52 @@
+# IMPORTANT: This file is not tracked by flux and should never be. Its
+# purpose is to only install the Flux components & CRDs into your cluster.
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - github.com/fluxcd/flux2/manifests/install?ref=v2.2.3
+patches:
+  # Resources renamed to match those installed by oci://ghcr.io/fluxcd/flux-manifests
+  - target:
+      kind: ResourceQuota
+      name: critical-pods
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: critical-pods-flux-system
+  - target:
+      kind: ClusterRoleBinding
+      name: cluster-reconciler
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: cluster-reconciler-flux-system
+  - target:
+      kind: ClusterRoleBinding
+      name: crd-controller
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: crd-controller-flux-system
+  - target:
+      kind: ClusterRole
+      name: crd-controller
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: crd-controller-flux-system
+  - target:
+      kind: ClusterRole
+      name: flux-edit
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: flux-edit-flux-system
+  - target:
+      kind: ClusterRole
+      name: flux-view
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: flux-view-flux-system
--- a/cluster/bootstrap/flux/sops-key.sops.yaml
+++ b/cluster/bootstrap/flux/sops-key.sops.yaml
--- a/cluster/base/flux-system/gotk-sync.yaml
+++ b/cluster/base/flux-system/gotk-sync.yaml
@ -1,30 +1,31 @@
-# This manifest was generated by flux. DO NOT EDIT.
 ---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/gitrepository_v1.json
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
-  name: flux-system
+  name: home-cluster
  namespace: flux-system
 spec:
  interval: 1m0s
  ref:
    branch: main
  secretRef:
-    name: flux-system
+    name: forgejo-deploy-key
  url: ssh://git@git.seanomik.net/seanomik/k3s-cluster
 ---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: flux-system
+  name: cluster
  namespace: flux-system
 spec:
  interval: 10m0s
-  path: ./cluster/base
+  path: ./cluster/base.yaml
  prune: true
  sourceRef:
    kind: GitRepository
-    name: flux-system
+    name: home-cluster
  # Support decryption
  decryption:
    provider: sops
--- a/cluster/base/flux-system/kustomization.yaml
+++ b/cluster/base/flux-system/kustomization.yaml
@ -1,5 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ./gotk-components.yaml
- ./gotk-sync.yaml
+  - ./cluster.yaml
--- a/docs/setup.md
+++ b/docs/setup.md
@ -1,15 +1,28 @@
 # Cluster Setup
 This document goes over the process of installing the GitOps files into a cluster

+1. Install [cilium](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/#install-the-cilium-cli) in the cluster
+2. Install the [Flux CLI](https://fluxcd.io/flux/installation/#install-the-flux-cli)
+3. Install [go-task](https://taskfile.dev/installation/)
+4. Ensure you have a kubeconfig at `$HOME/.kube/config` and that you have the cluster sops GPG key imported.
+5. Bootstrap flux
+    ```sh
+    task flux:bootstrap
+    # namespace/flux-system configured
+    # customresourcedefinition.apiextensions.k8s.io/alerts.notification.toolkit.fluxcd.io created
+    # ...
+    ```
+6. Verify Flux components are running in the cluster

-Install [cilium](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/#install-the-cilium-cli)
-
-Now install the FluxCD stuff:\
-https://github.com/larivierec/home-cluster#installation
-
-1. Bootstrap FluxCD, this will likely fail
-2. After it fails, create the sops secret in the `flux-system` namespace
-3. Now trigger a reconcilation, or resume the fluxcd bootstrap
+    ```sh
+    kubectl -n flux-system get pods -o wide
+    # NAME                                       READY   STATUS    RESTARTS   AGE
+    # helm-controller-5bbd94c75-89sb4            1/1     Running   0          1h
+    # kustomize-controller-7b67b6b77d-nqc67      1/1     Running   0          1h
+    # notification-controller-7c46575844-k4bvr   1/1     Running   0          1h
+    # source-controller-7d6875bcb4-zqw9f         1/1     Running   0          1h
+    ```
+7. After a while all the services should start to come up

 # Uninstalling and removing all k3s data in NixOS
 ```shell