chore: change how flux is bootstrapped and configured in the cluster, use go-task for utility

This commit is contained in:
SeanOMik 2024-05-03 21:26:26 -04:00
parent 8999d90e00
commit 42b9f3c530
Signed by: SeanOMik
GPG Key ID: FEC9E2FC15235964
10 changed files with 268 additions and 9701 deletions


@ -0,0 +1,22 @@
---
# yaml-language-server: $schema=https://taskfile.dev/schema.json
version: "3"
vars:
CLUSTER_SECRET_SOPS_FILE: "{{.CLUSTER_DIR}}/bootstrap/flux/sops-key.sops.yaml"
GITHUB_DEPLOY_KEY_FILE: "{{.CLUSTER_DIR}}/bootstrap/flux/forgejo-deploy-key.sops.yaml"
tasks:
bootstrap:
desc: Bootstrap Flux into a Kubernetes cluster
cmds:
- kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/bootstrap/flux
- sops --decrypt {{.CLUSTER_SECRET_SOPS_FILE}} | kubectl apply --server-side --filename -z
- sops --decrypt {{.GITHUB_DEPLOY_KEY_FILE}} | kubectl apply --server-side --filename -
- kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/flux/config
preconditions:
- { msg: "Missing cluster sops key", sh: "gpg -K 687802D4DFD8AA82EA55666CF7DADAC782D7663D" }
reconcile:
desc: Force update Flux to pull in changes from your Git repository
cmd: flux reconcile --namespace flux-system kustomization cluster --with-source

9
Taskfile.yaml Normal file

@ -0,0 +1,9 @@
---
# yaml-language-server: $schema=https://taskfile.dev/schema.json
version: "3"
vars:
CLUSTER_DIR: "{{.ROOT_DIR}}/cluster"
includes:
flux: .taskfiles/Flux/Taskfile.yaml


@ -1,3 +1,4 @@
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1 apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization kind: Kustomization
metadata: metadata:
@ -10,12 +11,13 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: flux-system name: home-cluster
decryption: decryption:
provider: sops provider: sops
secretRef: secretRef:
name: sops-gpg name: sops-gpg
--- ---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1 apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization kind: Kustomization
metadata: metadata:
@ -28,8 +30,9 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: flux-system name: home-cluster
--- ---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1 apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization kind: Kustomization
metadata: metadata:
@ -45,7 +48,7 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: flux-system name: home-cluster
decryption: decryption:
provider: sops provider: sops
secretRef: secretRef:
@ -58,6 +61,7 @@ spec:
- kind: Secret - kind: Secret
name: cluster-secrets name: cluster-secrets
--- ---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1 apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization kind: Kustomization
metadata: metadata:
@ -73,7 +77,7 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: flux-system name: home-cluster
decryption: decryption:
provider: sops provider: sops
secretRef: secretRef:

File diff suppressed because it is too large Load Diff


@ -0,0 +1,76 @@
apiVersion: v1
kind: Secret
metadata:
name: forgejo-deploy-key
namespace: flux-system
type: Opaque
stringData:
identity: ENC[AES256_GCM,data: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,iv:3kkhD+oE9GSOvnIntmn4ewkvCvAMzxA+ng2KCtOiZ7w=,tag:zkSTh+9cI8grCRSuLmOmaw==,type:str]
identity.pub: ENC[AES256_GCM,data:SuhyB1aDkftiybkq7IM3vguavPrz7UKp65CzOlPUeQBdQ3fMoVnLlYDXPC3S10IIbYr2tCccMNZ4fU60ucTNM+AO8BxEw/L3fk5Zk9ZLjlY=,iv:r3rKFBPZQ9JaQYB2FT0n4yiQ4nVxy5rWJ4rOhpUV1XA=,tag:LpZ2sGBbme6UE1G5cLgqVw==,type:str]
known_hosts: ENC[AES256_GCM,data:XsDwDqIrBSpNx4E3gs9IF4ZBVHVWk752BgFZDCSlOf1yJe0nzIF7SxefaLuC2KhRNSQF084TLzYyNCkBOxjlZ+wCzvTWk7CmmgUWNuELESNLSSPZGnFeYtXdFVnyTJvHeJcJgOsQRvCThPtbszi1n7Ao/AVXDf+PuyGIUZACiPuSNMTnZJDo5L7qbzWX3NjCKcWYVERWHnOvYWWdeQJtmL+r+ZFKo/iFWFAbpOY8V0ly3w==,iv:24nAuDmNUcYKJO3R8F4+1DyVSBG3mYbsIaliBfWrW14=,tag:mGGMTTi+NTyssm/KuHKd/A==,type:str]
password: ENC[AES256_GCM,data:YNLtVulYnGMU9BlvvcX0hOt4jFItG3c1mWLh6q/57eRu3OWf7qdLFQ==,iv:hBIDKXVgJ68rA15+8MfeTasFTU6NSS//A10oh5SdO94=,tag:KgxbhN62bRVmmdM8XnvuEg==,type:str]
username: ENC[AES256_GCM,data:xmPA,iv:hrlDr7O4sDwc5GMgkxvbPyNzAEpElLQlaATbHL7wST8=,tag:1xEgwqaiJXe/lxO59Q6vDg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-05-04T01:22:43Z"
mac: ENC[AES256_GCM,data:S4+5EPXeqFFBEXoF9Y7doWRe+JBBhDeFMX6KrVnQNAxfpZBr4IQvAgrpOMRtWqbOHBrUoZZjq7E8ZFpGuklnqmI2q1jUdkO+xSlE2sP3dC6E+lEPTdBM5yi9lITv3edAQTdgaNckb092QcmTmHH0ENxTrO/a8YHNH4wJUeOXHx4=,iv:Uea9NRXFe31o+AySqHKuzMJgDt0roM/Ult1kipvzw3c=,tag:iQA+5q/CZirZOblntQ+AmA==,type:str]
pgp:
- created_at: "2024-05-04T01:22:43Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=MGbl
-----END PGP MESSAGE-----
fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD
- created_at: "2024-05-04T01:22:43Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=L6I4
-----END PGP MESSAGE-----
fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
encrypted_regex: ^(data|stringData)$
version: 3.8.1
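Review bot: The `forgejo-deploy-key` Secret carries `username` and `password` alongside the SSH `identity`/`known_hosts` fields, yet the GitRepository in this commit uses an `ssh://` URL, for which the Flux GitRepository docs describe authentication via `identity` and `known_hosts` only; the password therefore looks like an unused credential being distributed to the cluster (verify against how the Forgejo deploy key was created). If it is not needed, drop `username` and `password` from `stringData` so that read access to Secrets in `flux-system` does not also yield an account password. The file is encrypted to two PGP fingerprints (`BD1A…EBCD` and `6878…663D`) while the bootstrap precondition checks only the latter; a short comment above `sops:` naming the role of each key (cluster key vs. operator/backup) would help whoever has to rotate them. Pinning `known_hosts` for git.seanomik.net is the right call and should be kept when the host key changes.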


@ -0,0 +1,52 @@
# IMPORTANT: This file is not tracked by flux and should never be. Its
# purpose is to only install the Flux components & CRDs into your cluster.
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- github.com/fluxcd/flux2/manifests/install?ref=v2.2.3
patches:
# Resources renamed to match those installed by oci://ghcr.io/fluxcd/flux-manifests
- target:
kind: ResourceQuota
name: critical-pods
patch: |
- op: replace
path: /metadata/name
value: critical-pods-flux-system
- target:
kind: ClusterRoleBinding
name: cluster-reconciler
patch: |
- op: replace
path: /metadata/name
value: cluster-reconciler-flux-system
- target:
kind: ClusterRoleBinding
name: crd-controller
patch: |
- op: replace
path: /metadata/name
value: crd-controller-flux-system
- target:
kind: ClusterRole
name: crd-controller
patch: |
- op: replace
path: /metadata/name
value: crd-controller-flux-system
- target:
kind: ClusterRole
name: flux-edit
patch: |
- op: replace
path: /metadata/name
value: flux-edit-flux-system
- target:
kind: ClusterRole
name: flux-view
patch: |
- op: replace
path: /metadata/name
value: flux-view-flux-system
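Review bot: The Flux install manifests are fetched at bootstrap time from `github.com/fluxcd/flux2/manifests/install?ref=v2.2.3`, pinned to a git tag, and a tag is a movable reference, so the bootstrap would apply whatever the tag points to at the moment it runs. Pin the remote resource to the tag's commit instead, `- github.com/fluxcd/flux2/manifests/install?ref=<commit-sha-of-v2.2.3>`, which gives the one network-dependent step of cluster setup a reproducible, verifiable input. A comment next to `resources:` stating that this is a remote fetch and which Flux version it corresponds to would also help the next person upgrading, since the rename patches below are tied to that version's resource names.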

File diff suppressed because one or more lines are too long


@ -1,30 +1,31 @@
# This manifest was generated by flux. DO NOT EDIT.
--- ---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/gitrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1 apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository kind: GitRepository
metadata: metadata:
name: flux-system name: home-cluster
namespace: flux-system namespace: flux-system
spec: spec:
interval: 1m0s interval: 1m0s
ref: ref:
branch: main branch: main
secretRef: secretRef:
name: flux-system name: forgejo-deploy-key
url: ssh://git@git.seanomik.net/seanomik/k3s-cluster url: ssh://git@git.seanomik.net/seanomik/k3s-cluster
--- ---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1 apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization kind: Kustomization
metadata: metadata:
name: flux-system name: cluster
namespace: flux-system namespace: flux-system
spec: spec:
interval: 10m0s interval: 10m0s
path: ./cluster/base path: ./cluster/base.yaml
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: flux-system name: home-cluster
# Support decryption # Support decryption
decryption: decryption:
provider: sops provider: sops
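Review bot: The new `home-cluster` GitRepository has no `spec.verify` block, so the source-controller will reconcile any commit that lands on `main` even though commits to this repo are GPG-signed (see the `Signed by` trailer above); adding `verify: {mode: HEAD, secretRef: {name: <secret holding the signing public key>}}` makes the cluster refuse unsigned or unknown-key commits, which limits what an attacker with push access to the Forgejo repo can get the cluster to apply. Separately, `path: ./cluster/base.yaml` now names a file, whereas Flux documents the Kustomization `spec.path` as a directory; confirm kustomize-controller accepts a file path here, otherwise point it at the directory containing `base.yaml`. The `cluster` Kustomization continues past the end of this hunk, so its `decryption` block is not fully visible.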


@ -1,5 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ./gotk-components.yaml - ./cluster.yaml
- ./gotk-sync.yaml


@ -1,15 +1,28 @@
# Cluster Setup # Cluster Setup
This document goes over the process of installing the GitOps files into a cluster This document goes over the process of installing the GitOps files into a cluster
1. Install [cilium](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/#install-the-cilium-cli) in the cluster
2. Install the [Flux CLI](https://fluxcd.io/flux/installation/#install-the-flux-cli)
3. Install [go-task](https://taskfile.dev/installation/)
4. Ensure you have a kubeconfig at `$HOME/.kube/config` and that you have the cluster sops GPG key imported.
5. Bootstrap flux
```sh
task flux:bootstrap
# namespace/flux-system configured
# customresourcedefinition.apiextensions.k8s.io/alerts.notification.toolkit.fluxcd.io created
# ...
```
6. Verify Flux components are running in the cluster
Install [cilium](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/#install-the-cilium-cli) ```sh
kubectl -n flux-system get pods -o wide
Now install the FluxCD stuff:\ # NAME READY STATUS RESTARTS AGE
https://github.com/larivierec/home-cluster#installation # helm-controller-5bbd94c75-89sb4 1/1 Running 0 1h
# kustomize-controller-7b67b6b77d-nqc67 1/1 Running 0 1h
1. Bootstrap FluxCD, this will likely fail # notification-controller-7c46575844-k4bvr 1/1 Running 0 1h
2. After it fails, create the sops secret in the `flux-system` namespace # source-controller-7d6875bcb4-zqw9f 1/1 Running 0 1h
3. Now trigger a reconcilation, or resume the fluxcd bootstrap ```
7. After a while all the services should start to come up
# Uninstalling and removing all k3s data in NixOS # Uninstalling and removing all k3s data in NixOS
```shell ```shell