From 14216829c9a07a32f5c0699e77f8e56aad5701e8 Mon Sep 17 00:00:00 2001 
From: SeanOMik
Date: Fri, 6 Sep 2024 21:49:06 -0400
Subject: [PATCH 01/27] feat: add new cluster, create common directory
---
 .taskfiles/Flux/Taskfile.yaml | 8 +-
 Taskfile.yaml | 2 +-
 .../apps}/intel-gpu/files/gpu-plugin.yaml | 0
 .../apps}/intel-gpu/files/helm-repos.yaml | 0
 .../files/intel-device-plugins-operator.yaml | 0
 .../apps}/intel-gpu/files/kustomization.yaml | 0
 .../apps}/intel-gpu/files/namespace.yaml | 0
 .../core => common/apps}/intel-gpu/ks.yaml | 0
 .../apps}/metallb/helm-release.yaml | 0
 .../apps}/metallb/kustomization.yaml | 0
 .../apps}/metallb/metallb-static-ips.yaml | 0
 .../apps}/metallb/namespace.yaml | 0
 .../apps}/nfd/files/helm-repos.yaml | 0
 .../apps}/nfd/files/kustomization.yaml | 0
 .../core => common/apps}/nfd/files/nfd.yaml | 0
 .../{main/core => common/apps}/nfd/ks.yaml | 0
 .../apps}/openebs/helm-release.yaml | 0
 .../apps}/openebs/helm-repository.yaml | 0
 .../apps}/openebs/kustomization.yaml | 1 -
 .../openebs/monitoring-helm-release.yaml | 0
 .../apps}/openebs/namespace.yaml | 0
 .../apps}/traefik/dashboard-ingress.yaml | 0
 .../apps}/traefik/default-tls-store.yaml | 0
 .../apps}/traefik/helm-release.yaml | 0
 .../apps}/traefik/helm-repository.yaml | 0
 .../apps}/traefik/kustomization.yaml | 0
 .../apps}/traefik/namespace.yaml | 0
 .../flux/forgejo-deploy-key.sops.yaml | 0
 .../bootstrap/flux/kustomization.yaml | 0
 .../bootstrap/flux/sops-key.sops.yaml | 0
 kubernetes/main/core/kustomization.yaml | 13 ++-
 .../core/{storage => }/longhorn/alerts.yaml | 0
 .../{storage => }/longhorn/helm-release.yaml | 0
 .../longhorn/helm-repository.yaml | 0
 .../{storage => }/longhorn/kustomization.yaml | 0
 .../{storage => }/longhorn/namespace.yaml | 0
 .../longhorn/service-monitor.yaml | 0
 .../{storage => openebs}/kustomization.yaml | 5 +-
 .../{storage => }/openebs/mainpool-sc.yaml | 0
 .../storage/local-path-provisioner/helm.yaml | 82 -------------------
 kubernetes/main/secrets/kustomization.yaml | 1 -
 .../secrets/orca-registry-puller.sops.yaml | 62 -------------- 
kubernetes/thin/apps/helm-repositories.yaml | 17 ++++
 kubernetes/thin/apps/kustomization.yaml | 14 ++++
 kubernetes/thin/flux/config/cluster.yaml | 62 ++++++++++++++
 .../flux/config}/kustomization.yaml | 3 +-
 .../thin/secrets/cluster-secrets.sops.yaml | 79 ++++++++++++++++++
 kubernetes/thin/secrets/cluster-settings.yaml | 10 +++
 kubernetes/thin/secrets/kustomization.yaml | 5 ++
 49 files changed, 204 insertions(+), 160 deletions(-)
 rename kubernetes/{main/core => common/apps}/intel-gpu/files/gpu-plugin.yaml (100%)
 rename kubernetes/{main/core => common/apps}/intel-gpu/files/helm-repos.yaml (100%)
 rename kubernetes/{main/core => common/apps}/intel-gpu/files/intel-device-plugins-operator.yaml (100%)
 rename kubernetes/{main/core => common/apps}/intel-gpu/files/kustomization.yaml (100%)
 rename kubernetes/{main/core => common/apps}/intel-gpu/files/namespace.yaml (100%)
 rename kubernetes/{main/core => common/apps}/intel-gpu/ks.yaml (100%)
 rename kubernetes/{main/core/networking => common/apps}/metallb/helm-release.yaml (100%)
 rename kubernetes/{main/core/networking => common/apps}/metallb/kustomization.yaml (100%)
 rename kubernetes/{main/core/networking => common/apps}/metallb/metallb-static-ips.yaml (100%)
 rename kubernetes/{main/core/networking => common/apps}/metallb/namespace.yaml (100%)
 rename kubernetes/{main/core => common/apps}/nfd/files/helm-repos.yaml (100%)
 rename kubernetes/{main/core => common/apps}/nfd/files/kustomization.yaml (100%)
 rename kubernetes/{main/core => common/apps}/nfd/files/nfd.yaml (100%)
 rename kubernetes/{main/core => common/apps}/nfd/ks.yaml (100%)
 rename kubernetes/{main/core/storage => common/apps}/openebs/helm-release.yaml (100%)
 rename kubernetes/{main/core/storage => common/apps}/openebs/helm-repository.yaml (100%)
 rename kubernetes/{main/core/storage => common/apps}/openebs/kustomization.yaml (72%)
 rename kubernetes/{main/core/storage => common/apps}/openebs/monitoring-helm-release.yaml (100%)
 rename kubernetes/{main/core/storage => 
common/apps}/openebs/namespace.yaml (100%)
 rename kubernetes/{main/core/networking => common/apps}/traefik/dashboard-ingress.yaml (100%)
 rename kubernetes/{main/core/networking => common/apps}/traefik/default-tls-store.yaml (100%)
 rename kubernetes/{main/core/networking => common/apps}/traefik/helm-release.yaml (100%)
 rename kubernetes/{main/core/networking => common/apps}/traefik/helm-repository.yaml (100%)
 rename kubernetes/{main/core/networking => common/apps}/traefik/kustomization.yaml (100%)
 rename kubernetes/{main/core/networking => common/apps}/traefik/namespace.yaml (100%)
 rename kubernetes/{main => common}/bootstrap/flux/forgejo-deploy-key.sops.yaml (100%)
 rename kubernetes/{main => common}/bootstrap/flux/kustomization.yaml (100%)
 rename kubernetes/{main => common}/bootstrap/flux/sops-key.sops.yaml (100%)
 rename kubernetes/main/core/{storage => }/longhorn/alerts.yaml (100%)
 rename kubernetes/main/core/{storage => }/longhorn/helm-release.yaml (100%)
 rename kubernetes/main/core/{storage => }/longhorn/helm-repository.yaml (100%)
 rename kubernetes/main/core/{storage => }/longhorn/kustomization.yaml (100%)
 rename kubernetes/main/core/{storage => }/longhorn/namespace.yaml (100%)
 rename kubernetes/main/core/{storage => }/longhorn/service-monitor.yaml (100%)
 rename kubernetes/main/core/{storage => openebs}/kustomization.yaml (59%)
 rename kubernetes/main/core/{storage => }/openebs/mainpool-sc.yaml (100%)
 delete mode 100644 kubernetes/main/core/storage/local-path-provisioner/helm.yaml
 delete mode 100644 kubernetes/main/secrets/orca-registry-puller.sops.yaml
 create mode 100644 kubernetes/thin/apps/helm-repositories.yaml
 create mode 100644 kubernetes/thin/apps/kustomization.yaml
 create mode 100644 kubernetes/thin/flux/config/cluster.yaml
 rename kubernetes/{main/core/networking => thin/flux/config}/kustomization.yaml (76%)
 create mode 100644 kubernetes/thin/secrets/cluster-secrets.sops.yaml
 create mode 100644 kubernetes/thin/secrets/cluster-settings.yaml
 create mode 
100644 kubernetes/thin/secrets/kustomization.yaml diff --git a/.taskfiles/Flux/Taskfile.yaml b/.taskfiles/Flux/Taskfile.yaml index 10a1392..0460846 100644 --- a/.taskfiles/Flux/Taskfile.yaml +++ b/.taskfiles/Flux/Taskfile.yaml @@ -3,17 +3,17 @@ version: "3" vars: - CLUSTER_SECRET_SOPS_FILE: "{{.CLUSTER_DIR}}/bootstrap/flux/sops-key.sops.yaml" - GITHUB_DEPLOY_KEY_FILE: "{{.CLUSTER_DIR}}/bootstrap/flux/forgejo-deploy-key.sops.yaml" + CLUSTER_SECRET_SOPS_FILE: "{{.CLUSTERS_DIR}}/common/bootstrap/flux/sops-key.sops.yaml" + GITHUB_DEPLOY_KEY_FILE: "{{.CLUSTERS_DIR}}/common/bootstrap/flux/forgejo-deploy-key.sops.yaml" tasks: bootstrap: desc: Bootstrap Flux into a Kubernetes cluster cmds: - - kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/bootstrap/flux + - kubectl apply --server-side --kustomize {{.CLUSTERS_DIR}}/common/bootstrap/flux - sops --decrypt {{.CLUSTER_SECRET_SOPS_FILE}} | kubectl apply --server-side --filename - - sops --decrypt {{.GITHUB_DEPLOY_KEY_FILE}} | kubectl apply --server-side --filename - - - kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/flux/config + - kubectl apply --server-side --kustomize {{.CLUSTERS_DIR}}/{{.CLUSTER}}/flux/config preconditions: - { msg: "Missing cluster sops key", sh: "gpg -K 687802D4DFD8AA82EA55666CF7DADAC782D7663D" } diff --git a/Taskfile.yaml b/Taskfile.yaml index 32f674e..9002946 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -3,7 +3,7 @@ version: "3" vars: - CLUSTER_DIR: "{{.ROOT_DIR}}/cluster" + CLUSTERS_DIR: "{{.ROOT_DIR}}/kubernetes" includes: flux: .taskfiles/Flux/Taskfile.yaml diff --git a/kubernetes/main/core/intel-gpu/files/gpu-plugin.yaml b/kubernetes/common/apps/intel-gpu/files/gpu-plugin.yaml similarity index 100% rename from kubernetes/main/core/intel-gpu/files/gpu-plugin.yaml rename to kubernetes/common/apps/intel-gpu/files/gpu-plugin.yaml 
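Review bot: The new last `kubectl apply` line of the `bootstrap` task expands `{{.CLUSTER}}`, but nothing in this patch defines that variable (the root Taskfile hunk on this same line only renames `CLUSTER_DIR` to `CLUSTERS_DIR`), so a run without `CLUSTER=...` renders the path as `kubernetes//flux/config` after the three preceding commands have already applied the shared bootstrap, SOPS key and deploy key. A precondition in the task's existing style catches that before anything is applied: `- { msg: "CLUSTER is not set", sh: "test -n '{{.CLUSTER}}'" }`. Separately, moving `sops-key.sops.yaml` and `forgejo-deploy-key.sops.yaml` under `common/bootstrap/flux` means every cluster bootstrapped with this task holds the same SOPS private key and the same repository deploy key, so compromise of one cluster's `flux-system` namespace also exposes the other cluster's encrypted secrets and repository access; if that sharing is intentional a comment on the `vars:` block saying so would help, otherwise per-cluster key files keep the blast radius to one cluster.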
diff --git a/kubernetes/main/core/intel-gpu/files/helm-repos.yaml b/kubernetes/common/apps/intel-gpu/files/helm-repos.yaml
similarity index 100%
rename from kubernetes/main/core/intel-gpu/files/helm-repos.yaml
rename to kubernetes/common/apps/intel-gpu/files/helm-repos.yaml
diff --git a/kubernetes/main/core/intel-gpu/files/intel-device-plugins-operator.yaml b/kubernetes/common/apps/intel-gpu/files/intel-device-plugins-operator.yaml
similarity index 100%
rename from kubernetes/main/core/intel-gpu/files/intel-device-plugins-operator.yaml
rename to kubernetes/common/apps/intel-gpu/files/intel-device-plugins-operator.yaml
diff --git a/kubernetes/main/core/intel-gpu/files/kustomization.yaml b/kubernetes/common/apps/intel-gpu/files/kustomization.yaml
similarity index 100%
rename from kubernetes/main/core/intel-gpu/files/kustomization.yaml
rename to kubernetes/common/apps/intel-gpu/files/kustomization.yaml
diff --git a/kubernetes/main/core/intel-gpu/files/namespace.yaml b/kubernetes/common/apps/intel-gpu/files/namespace.yaml
similarity index 100%
rename from kubernetes/main/core/intel-gpu/files/namespace.yaml
rename to kubernetes/common/apps/intel-gpu/files/namespace.yaml
diff --git a/kubernetes/main/core/intel-gpu/ks.yaml b/kubernetes/common/apps/intel-gpu/ks.yaml
similarity index 100%
rename from kubernetes/main/core/intel-gpu/ks.yaml
rename to kubernetes/common/apps/intel-gpu/ks.yaml
diff --git a/kubernetes/main/core/networking/metallb/helm-release.yaml b/kubernetes/common/apps/metallb/helm-release.yaml
similarity index 100%
rename from kubernetes/main/core/networking/metallb/helm-release.yaml
rename to kubernetes/common/apps/metallb/helm-release.yaml
diff --git a/kubernetes/main/core/networking/metallb/kustomization.yaml b/kubernetes/common/apps/metallb/kustomization.yaml
similarity index 100%
rename from kubernetes/main/core/networking/metallb/kustomization.yaml
rename to kubernetes/common/apps/metallb/kustomization.yaml
diff --git a/kubernetes/main/core/networking/metallb/metallb-static-ips.yaml b/kubernetes/common/apps/metallb/metallb-static-ips.yaml
similarity index 100%
rename from kubernetes/main/core/networking/metallb/metallb-static-ips.yaml
rename to kubernetes/common/apps/metallb/metallb-static-ips.yaml
diff --git a/kubernetes/main/core/networking/metallb/namespace.yaml b/kubernetes/common/apps/metallb/namespace.yaml
similarity index 100%
rename from kubernetes/main/core/networking/metallb/namespace.yaml
rename to kubernetes/common/apps/metallb/namespace.yaml
diff --git a/kubernetes/main/core/nfd/files/helm-repos.yaml b/kubernetes/common/apps/nfd/files/helm-repos.yaml
similarity index 100%
rename from kubernetes/main/core/nfd/files/helm-repos.yaml
rename to kubernetes/common/apps/nfd/files/helm-repos.yaml
diff --git a/kubernetes/main/core/nfd/files/kustomization.yaml b/kubernetes/common/apps/nfd/files/kustomization.yaml
similarity index 100%
rename from kubernetes/main/core/nfd/files/kustomization.yaml
rename to kubernetes/common/apps/nfd/files/kustomization.yaml
diff --git a/kubernetes/main/core/nfd/files/nfd.yaml b/kubernetes/common/apps/nfd/files/nfd.yaml
similarity index 100%
rename from kubernetes/main/core/nfd/files/nfd.yaml
rename to kubernetes/common/apps/nfd/files/nfd.yaml
diff --git a/kubernetes/main/core/nfd/ks.yaml b/kubernetes/common/apps/nfd/ks.yaml
similarity index 100%
rename from kubernetes/main/core/nfd/ks.yaml
rename to kubernetes/common/apps/nfd/ks.yaml
diff --git a/kubernetes/main/core/storage/openebs/helm-release.yaml b/kubernetes/common/apps/openebs/helm-release.yaml
similarity index 100%
rename from kubernetes/main/core/storage/openebs/helm-release.yaml
rename to kubernetes/common/apps/openebs/helm-release.yaml
diff --git a/kubernetes/main/core/storage/openebs/helm-repository.yaml b/kubernetes/common/apps/openebs/helm-repository.yaml similarity index 100% rename from kubernetes/main/core/storage/openebs/helm-repository.yaml rename to kubernetes/common/apps/openebs/helm-repository.yaml diff --git a/kubernetes/main/core/storage/openebs/kustomization.yaml b/kubernetes/common/apps/openebs/kustomization.yaml similarity index 72% rename from kubernetes/main/core/storage/openebs/kustomization.yaml rename to kubernetes/common/apps/openebs/kustomization.yaml index 3989888..dec9b5f 100644 --- a/kubernetes/main/core/storage/openebs/kustomization.yaml +++ b/kubernetes/common/apps/openebs/kustomization.yaml @@ -4,5 +4,4 @@ resources: - ./namespace.yaml - ./helm-repository.yaml - ./helm-release.yaml -- ./mainpool-sc.yaml - ./monitoring-helm-release.yaml \ No newline at end of file diff --git a/kubernetes/main/core/storage/openebs/monitoring-helm-release.yaml b/kubernetes/common/apps/openebs/monitoring-helm-release.yaml similarity index 100% rename from kubernetes/main/core/storage/openebs/monitoring-helm-release.yaml rename to kubernetes/common/apps/openebs/monitoring-helm-release.yaml diff --git a/kubernetes/main/core/storage/openebs/namespace.yaml b/kubernetes/common/apps/openebs/namespace.yaml similarity index 100% rename from kubernetes/main/core/storage/openebs/namespace.yaml rename to kubernetes/common/apps/openebs/namespace.yaml diff --git a/kubernetes/main/core/networking/traefik/dashboard-ingress.yaml b/kubernetes/common/apps/traefik/dashboard-ingress.yaml similarity index 100% rename from kubernetes/main/core/networking/traefik/dashboard-ingress.yaml rename to kubernetes/common/apps/traefik/dashboard-ingress.yaml 
diff --git a/kubernetes/main/core/networking/traefik/default-tls-store.yaml b/kubernetes/common/apps/traefik/default-tls-store.yaml
similarity index 100%
rename from kubernetes/main/core/networking/traefik/default-tls-store.yaml
rename to kubernetes/common/apps/traefik/default-tls-store.yaml
diff --git a/kubernetes/main/core/networking/traefik/helm-release.yaml b/kubernetes/common/apps/traefik/helm-release.yaml
similarity index 100%
rename from kubernetes/main/core/networking/traefik/helm-release.yaml
rename to kubernetes/common/apps/traefik/helm-release.yaml
diff --git a/kubernetes/main/core/networking/traefik/helm-repository.yaml b/kubernetes/common/apps/traefik/helm-repository.yaml
similarity index 100%
rename from kubernetes/main/core/networking/traefik/helm-repository.yaml
rename to kubernetes/common/apps/traefik/helm-repository.yaml
diff --git a/kubernetes/main/core/networking/traefik/kustomization.yaml b/kubernetes/common/apps/traefik/kustomization.yaml
similarity index 100%
rename from kubernetes/main/core/networking/traefik/kustomization.yaml
rename to kubernetes/common/apps/traefik/kustomization.yaml
diff --git a/kubernetes/main/core/networking/traefik/namespace.yaml b/kubernetes/common/apps/traefik/namespace.yaml
similarity index 100%
rename from kubernetes/main/core/networking/traefik/namespace.yaml
rename to kubernetes/common/apps/traefik/namespace.yaml
diff --git a/kubernetes/main/bootstrap/flux/forgejo-deploy-key.sops.yaml b/kubernetes/common/bootstrap/flux/forgejo-deploy-key.sops.yaml
similarity index 100%
rename from kubernetes/main/bootstrap/flux/forgejo-deploy-key.sops.yaml
rename to kubernetes/common/bootstrap/flux/forgejo-deploy-key.sops.yaml
diff --git a/kubernetes/main/bootstrap/flux/kustomization.yaml b/kubernetes/common/bootstrap/flux/kustomization.yaml
similarity index 100%
rename from kubernetes/main/bootstrap/flux/kustomization.yaml
rename to kubernetes/common/bootstrap/flux/kustomization.yaml
diff --git a/kubernetes/main/bootstrap/flux/sops-key.sops.yaml b/kubernetes/common/bootstrap/flux/sops-key.sops.yaml similarity index 100% rename from kubernetes/main/bootstrap/flux/sops-key.sops.yaml rename to kubernetes/common/bootstrap/flux/sops-key.sops.yaml diff --git a/kubernetes/main/core/kustomization.yaml b/kubernetes/main/core/kustomization.yaml index c4557a3..991316d 100644 --- a/kubernetes/main/core/kustomization.yaml +++ b/kubernetes/main/core/kustomization.yaml @@ -4,8 +4,13 @@ resources: - ./kube-system - ./helm-repositories.yaml - ./cert-manager -- ./networking -- ./storage +- ../../common/apps/metallb +- ../../common/apps/traefik +# storage +- ./longhorn +- ./openebs + - ./kube-replicator -- ./nfd/ks.yaml -- ./intel-gpu/ks.yaml \ No newline at end of file + +- ../../common/apps/nfd/ks.yaml +- ../../common/apps/intel-gpu/ks.yaml \ No newline at end of file diff --git a/kubernetes/main/core/storage/longhorn/alerts.yaml b/kubernetes/main/core/longhorn/alerts.yaml similarity index 100% rename from kubernetes/main/core/storage/longhorn/alerts.yaml rename to kubernetes/main/core/longhorn/alerts.yaml diff --git a/kubernetes/main/core/storage/longhorn/helm-release.yaml b/kubernetes/main/core/longhorn/helm-release.yaml similarity index 100% rename from kubernetes/main/core/storage/longhorn/helm-release.yaml rename to kubernetes/main/core/longhorn/helm-release.yaml diff --git a/kubernetes/main/core/storage/longhorn/helm-repository.yaml b/kubernetes/main/core/longhorn/helm-repository.yaml similarity index 100% rename from kubernetes/main/core/storage/longhorn/helm-repository.yaml rename to kubernetes/main/core/longhorn/helm-repository.yaml diff --git a/kubernetes/main/core/storage/longhorn/kustomization.yaml b/kubernetes/main/core/longhorn/kustomization.yaml similarity index 100% rename from kubernetes/main/core/storage/longhorn/kustomization.yaml rename to kubernetes/main/core/longhorn/kustomization.yaml 
diff --git a/kubernetes/main/core/storage/longhorn/namespace.yaml b/kubernetes/main/core/longhorn/namespace.yaml similarity index 100% rename from kubernetes/main/core/storage/longhorn/namespace.yaml rename to kubernetes/main/core/longhorn/namespace.yaml diff --git a/kubernetes/main/core/storage/longhorn/service-monitor.yaml b/kubernetes/main/core/longhorn/service-monitor.yaml similarity index 100% rename from kubernetes/main/core/storage/longhorn/service-monitor.yaml rename to kubernetes/main/core/longhorn/service-monitor.yaml diff --git a/kubernetes/main/core/storage/kustomization.yaml b/kubernetes/main/core/openebs/kustomization.yaml similarity index 59% rename from kubernetes/main/core/storage/kustomization.yaml rename to kubernetes/main/core/openebs/kustomization.yaml index 56090e7..334016a 100644 --- a/kubernetes/main/core/storage/kustomization.yaml +++ b/kubernetes/main/core/openebs/kustomization.yaml @@ -1,6 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ./longhorn -- ./openebs -#- ./local-path-provisioner \ No newline at end of file +- ../../../common/apps/openebs +- ./mainpool-sc.yaml \ No newline at end of file diff --git a/kubernetes/main/core/storage/openebs/mainpool-sc.yaml b/kubernetes/main/core/openebs/mainpool-sc.yaml similarity index 100% rename from kubernetes/main/core/storage/openebs/mainpool-sc.yaml rename to kubernetes/main/core/openebs/mainpool-sc.yaml diff --git a/kubernetes/main/core/storage/local-path-provisioner/helm.yaml b/kubernetes/main/core/storage/local-path-provisioner/helm.yaml deleted file mode 100644 index a6966ef..0000000 --- a/kubernetes/main/core/storage/local-path-provisioner/helm.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: GitRepository -metadata: - name: local-path-provisioner - namespace: flux-system -spec: - interval: 1m - url: https://github.com/rancher/local-path-provisioner.git - ref: - tag: v0.0.29 ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: local-path-provisioner - namespace: kube-system -spec: - interval: 15m - chart: - spec: - chart: ./deploy/chart/local-path-provisioner - sourceRef: - kind: GitRepository - name: local-path-provisioner - namespace: flux-system - maxHistory: 3 - install: - createNamespace: true - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - uninstall: - keepHistory: false - values: - helperImage: - repository: public.ecr.aws/docker/library/busybox - tag: latest - storageClass: - defaultClass: false - nodePathMap: - - node: DEFAULT_PATH_FOR_NON_LISTED_NODES - paths: ["/var/lib/rancher/k3s/storage"] - # Note: Do not enable Flux variable substitution on this HelmRelease - configmap: - setup: |- - #!/bin/sh - while getopts "m:s:p:" opt - do - case $opt in - p) - absolutePath=$OPTARG - ;; - s) - sizeInBytes=$OPTARG - ;; - m) - volMode=$OPTARG - ;; - esac - done - mkdir -m 0777 -p ${absolutePath} - chmod 701 ${absolutePath}/.. - teardown: |- - #!/bin/sh - while getopts "m:s:p:" opt - do - case $opt in - p) - absolutePath=$OPTARG - ;; - s) - sizeInBytes=$OPTARG - ;; - m) - volMode=$OPTARG - ;; - esac - done - rm -rf ${absolutePath} \ No newline at end of file diff --git a/kubernetes/main/secrets/kustomization.yaml b/kubernetes/main/secrets/kustomization.yaml index 69c610d..970b3ed 100644 --- a/kubernetes/main/secrets/kustomization.yaml +++ b/kubernetes/main/secrets/kustomization.yaml @@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./cluster-secrets.sops.yaml -- ./orca-registry-puller.sops.yaml - ./cluster-settings.yaml \ No newline at end of file 
diff --git a/kubernetes/main/secrets/orca-registry-puller.sops.yaml b/kubernetes/main/secrets/orca-registry-puller.sops.yaml
deleted file mode 100644
index c1af45f..0000000
--- a/kubernetes/main/secrets/orca-registry-puller.sops.yaml
+++ /dev/null
@@ -1,62 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: orca-puller - namespace: default - annotations: - replicator.v1.mittwald.de/replication-allowed: "true" - replicator.v1.mittwald.de/replication-allowed-namespaces: '*' -data: - .dockerconfigjson: ENC[AES256_GCM,data:g58h5rYAEZu2W3CYnYHgajsp7wvnFdhyRCt1qWPHbVDC+nwD1TVqTGDga1b2/RTR5tdobqZ9FdP41/1dzZeNBe2lfXOsWhQYd87EhpchFYRgsb9u7ZL32sxERhAxSg+0/AaoIYSHbuBLgRwxqnHOojS7Hcg956L+6Kgh/uiaOGsUrKRjlMAI0aN4agx+n/nU,iv:ichMs+o/3ld90VVq/UatXpAtpD6qjrEIdt0ZRwyh0Gg=,tag:lxvZy9U6sGsndz3sAy3DTQ==,type:str] -type: kubernetes.io/dockerconfigjson -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2023-07-22T02:12:00Z" - mac: ENC[AES256_GCM,data:yFHVGwFdi2n4Ju6SqqxXDxqxZaHKROIsQZtF+AtJY52f0XJif9jP2fi05dnxULnQ+wWOq4FPwVXc/9GiCiYMItecEApS0+6C7sWxKCWzYYAiFyxSajECzNtr4/XN5yoZBJCgsgFAf42jy9Nr5xLHOAVomnNfmDheS/Pe+Uq9v9E=,iv:oFKca0hHR7ERNgJqDp3pOxzQDBlTCF9Fx1yIl3HCj2o=,tag:107vU6pOFE6Na4BO5C5tiA==,type:str] - pgp: - - created_at: "2023-07-22T02:12:00Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAzKleRwoSoixAQ//QEVgmHtcIVC1afYtQMgD3Kwb+n0nZid3d/enKN64D+fJ - bw0xXX9tjO4sy3To49k0EDETLW5paxcNApFYL+zajxNfa+EAZfdYxQqKWraQcxvL - /p8bNDyzYDrecWcIdcq4RqrVEA4Ga0K6MmPM0t5l+J/PgguDJWmAxEzlmTb/CdqI - MpUmO0RoLHb6m0vfAkEI0LT5E/37pTdqjAq4eMT9n7zxeHr3NmJBIetahENxTKDk - Ymw7DhBCLZBPvHyxw/kU7hS/yhJMxmLw9mjHuzWkYVYmZQDB/TwqWsL4cVLFNAVu - LqZBHtl2HmaeGefhDij4SfxCj3qTi1e3z1T5wch97XmFanabNizb2oezHYou4h5k - AVqWuxUd13am9YhmRMQ32TPPxyAWpV4W87C/XnIrMrfePH2xy54S2ISyL5lQ1I3K - 5/a4ZMU8hBdCw7FxX6OSAXUd5cCfelJEaRopvwgXF5ZfQjARjQ7iGCedqBQbOsZM - vsf5WQvYxp8uivj7gKxhn+KkqJoM225OQKlSwCQ2bj20WsZ3SrjBuK41iO88urej - SJLAqG42e+nUjHXn/ql794kCHHG59uRES1wWLvgQ6Siu8TxJK6B+fjOrHBMOeSiD - oMKyqWIvziXN5KczkIpOWFCJzHb+AGTUn/a/jCLAqAxAqkWHwwbLdMiUv1053vHS - XgHkdbFnWqSekHCdLXu6q1lJhY+VAyzI55Ex2HvdxzBxWQKZAD4c1fFN/88j/Fb4 - 6/IVZvSU45coCyUR3O+py0s6XvBjrJL6W4haNXMl6nVcTxHgby1JTX5vickv400= - =cqEc - -----END PGP MESSAGE----- - fp: 
2CC2B3631D5C3393901335DB68F95C5D753EE1E5 - - created_at: "2023-07-22T02:12:00Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMAy5t8IMoPu4VAQ//RAyoi7oTNza3klhojjvUXum9iH3pOl1eqNu3qdJc9L4A - rGeo7Q9NTgywAaHQA4N0WPjJfFNkKSFLBxbtRpzlVCNrfontoGoFr5fGFWDh2Kfe - LydY3Zz9yUfcQYuGm8onVM6B6ImYUtM9ZPix808jxfiuz7rvqNmxqTdCa9o5oMHK - TqQ5u26MBR9cFf+W7bxKdDsqm4vEhxxWpEf5wgX+iZboA4O/J8LCVwrp6pb2pJ1q - nMA5ElKk/WZbsB6C20DYNXJRsdHjC1Huye6NDt1Em2XY9qcfWkQskVtohlYCdDCp - TciHgOF32rmN7h1i4j5Ae58AaSQmNRpKZFc192z8+dHdiSlzQEno6XXV11pezz/i - 0ALvy2Q+r7xFA8xXyrOf7xOU/j9T8XCEAeidtQoZzEcINtg93tKItakzqacxRa2C - 4Yj3Wic3LGSX13dZ5cpQNT6P3F6UMVAlVEEu1lHdsAjShbmuFWSFNXVo473O3Nwu - 1imHmfb1xnqbiWS0tKdUX9jMQg+xYPrsAXQESq/9PmPJxl4tsGPzzCu+rMKf9pmF - XqGBASdcf9WaB4Hojm6+4UKb7pPDKAC2vLnOV9ilGv/0z+DwxU0x9swPkAYBm9M9 - KkcaEh8petqyU2J8f91ESU3OafMo2h5OsJvzB2Zte2XIZIZV0h0y8mo6LKOJ1hzS - XgFiMVicO02DFcMkSJXA7ZVnV+1qfJl5vPW6Sa0vDikz/k8jYoRSv2skwZcpFIYf - Kr6LbZskq2QVBDS50HdpbOfyF+N8/mYuSfjKkuVH8oOq0KrZ38eJROiygPgpUYk= - =i9P2 - -----END PGP MESSAGE----- - fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kubernetes/thin/apps/helm-repositories.yaml b/kubernetes/thin/apps/helm-repositories.yaml new file mode 100644 index 0000000..20eac2d --- /dev/null +++ b/kubernetes/thin/apps/helm-repositories.yaml @@ -0,0 +1,17 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: bitnami-charts + namespace: flux-system +spec: + interval: 1m + url: https://charts.bitnami.com/bitnami +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: bjws-charts + namespace: flux-system +spec: + interval: 1m + url: https://bjw-s.github.io/helm-charts \ No newline at end of file diff --git a/kubernetes/thin/apps/kustomization.yaml b/kubernetes/thin/apps/kustomization.yaml new file mode 100644 index 0000000..5d31a55 --- /dev/null +++ b/kubernetes/thin/apps/kustomization.yaml 
@@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./helm-repositories.yaml +- ../../common/apps/metallb +- ../../common/apps/traefik +# storage +#- ./longhorn +#- ../../common/apps/openebs + +#- ./kube-replicator + +- ../../common/apps/nfd/ks.yaml +- ../../common/apps/intel-gpu/ks.yaml \ No newline at end of file diff --git a/kubernetes/thin/flux/config/cluster.yaml b/kubernetes/thin/flux/config/cluster.yaml new file mode 100644 index 0000000..aed7572 --- /dev/null +++ b/kubernetes/thin/flux/config/cluster.yaml 
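Review bot: `- ../../common/apps/metallb` and `- ../../common/apps/traefik` pull the shared directories in verbatim, and the diffstat shows `metallb-static-ips.yaml`, `default-tls-store.yaml` and `dashboard-ingress.yaml` moved to `common/` unchanged, so unless those manifests are already parameterised the thin cluster would advertise the same MetalLB address pool and expose the same Traefik dashboard host as `main`; the pool and host values are not in this patch, so this is worth confirming rather than assumed. If they are literal, a thin-local overlay that patches the pool, or a `${...}` variable filled from the `cluster-settings` ConfigMap the `apps` Kustomization already substitutes from, keeps the shared directory cluster-neutral. The commented-out `#- ./longhorn`, `#- ../../common/apps/openebs` and `#- ./kube-replicator` entries read as work in progress; a one-line comment such as `# disabled on thin: no persistent storage nodes yet` (or whatever the actual reason is) would tell the next reader whether they are intentionally off.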
@@ -0,0 +1,62 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/gitrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: GitRepository +metadata: + name: home-cluster + namespace: flux-system +spec: + interval: 1m0s + ref: + branch: feat/thin-cluster + secretRef: + name: forgejo-deploy-key + url: ssh://git@git.seanomik.net/seanomik/k3s-cluster +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cluster-secrets + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/thin/secrets + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: apps + namespace: flux-system +spec: + timeout: 5m + interval: 10m + dependsOn: + - name: cluster-secrets + - name: core + path: ./kubernetes/thin/apps + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/main/core/networking/kustomization.yaml b/kubernetes/thin/flux/config/kustomization.yaml similarity index 76% rename from kubernetes/main/core/networking/kustomization.yaml rename to kubernetes/thin/flux/config/kustomization.yaml index 37a9b9a..00ec3c9 100644 --- a/kubernetes/main/core/networking/kustomization.yaml +++ b/kubernetes/thin/flux/config/kustomization.yaml 
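Review bot: The `apps` Kustomization declares `dependsOn: - name: core`, but this file only defines the `cluster-secrets` and `apps` Kustomizations and the patch adds no `kubernetes/thin/core` directory or `core` Kustomization, so kustomize-controller will keep `apps` in a not-ready state waiting on a dependency that never appears; either remove the `- name: core` line or add the Kustomization it refers to. The `GitRepository` also pins `branch: feat/thin-cluster`, which is reasonable while the branch is being developed but should move to the long-lived branch before the cluster is relied on, since a deleted or rewritten feature branch stops reconciliation and, with `prune: true` on both Kustomizations, switching branches later will garbage-collect anything the new branch no longer declares. A comment above `branch:` such as `# temporary: switch to the default branch once feat/thin-cluster is merged` would make that intent explicit.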
@@ -1,5 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ./traefik -- ./metallb \ No newline at end of file + - ./cluster.yaml \ No newline at end of file diff --git a/kubernetes/thin/secrets/cluster-secrets.sops.yaml b/kubernetes/thin/secrets/cluster-secrets.sops.yaml new file mode 100644 index 0000000..3e3c2ca --- /dev/null +++ b/kubernetes/thin/secrets/cluster-secrets.sops.yaml 
@@ -0,0 +1,79 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cluster-secrets + namespace: flux-system +type: Opaque +stringData: + SECRET_MY_EMAIL: ENC[AES256_GCM,data:rNyzxxuVq/1dII5m8OKexQsH,iv:+i/h+iXhBNM7qxDyK7/3pQqp8l7hXDHhnZOwyuwcC3k=,tag:RM3svsBJXpFafRzoLp2NOg==,type:str] + SECRET_LETSENCRYPT_EMAIL: ENC[AES256_GCM,data:uUinHshJ3aUNzJDRQNVNWwNJ,iv:s8kggffO33/E04aUdZvxmgNhoPVKh+HnjX+k0o0DTNc=,tag:qreqEiN28i26OpsagQP5hQ==,type:str] + SECRET_DOMAIN: ENC[AES256_GCM,data:3zCSigeMzhC4H2SDVjqV6Q==,iv:OtUj2mDzmv9afBf4NcDSwZgGdKLJY3WG8qqSbI/NNog=,tag:buWUYjBMtfAVQADN2EREvQ==,type:str] + SECRET_NEW_DOMAIN: ENC[AES256_GCM,data:BDuzEYN7KOlqDUbJyFwHWCQ=,iv:DHrkALxuuEiZhjdLeFArgaORR8ZlsUuW2BT/joEFQGo=,tag:u1zVa2SA4xpgjNcO9iXtiw==,type:str] + SECRET_AUTHENTIK_SECRET_KEY: ENC[AES256_GCM,data:A2S9VBNLw2m6IEEGunHo8T/4v0tp0RvByYc6FIJdx1Q=,iv:Mu+TbsN2Ci2/7LvKhb8XWm6SPJe5ZxS8Z8YWjLwdT1c=,tag:uoatWIMDRLT4XaP0f0kpiQ==,type:str] + SECRET_DATABASE_PGSQL_USER_PASS: ENC[AES256_GCM,data:A++t+kACJthb9w6yml5KJo9Eqc/wp/BFadLzwOQhkhc=,iv:7mA6zCaC360dyJkC5wybh3PnGWjr12q0R/aGKi2D5Rc=,tag:h3BVuMH8VvnSc8LEM85wlQ==,type:str] + SECRET_DATABASE_PGSQL_ADMIN_PASS: ENC[AES256_GCM,data:UyFKnNw20KiJZj/Y5Jba6uFhDU/N+Dijl1mJlCcBgJk=,iv:Il50aBOHREDCDYeXmZks9DVBkq1+z1ZLo2KfibbiWmk=,tag:y/DBhdWLToD30tqVGD3uRg==,type:str] + SECRET_DATABASE_REDIS_PASS: ENC[AES256_GCM,data:ePEMWYYpXF5lv4+RAScXxArlKXq8U21XUYsSWBf8TG0=,iv:Lr9qq1fVuyzleC3oU7izKP/YHoSrtXADl9efz3iWgEw=,tag:73XjcnTWr1wPYFEROznz+A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-09-07T01:46:20Z" + mac: ENC[AES256_GCM,data:vdG/QHWHQge+m6YCBqtAfRsXdWvMLiZQ6DOnaxgaUNpslPvQuHml1kWBsSKrmNmB79jxqB2M6HwEY7ljOMf6ZlTeMs7mW6i0oj368IS6gQGfOHSJ4d34shyXujO9JHEnmL7O0tnOs1bp4ZHxdd/t4Wmq/ii+W/Kbta3/VLtOj/A=,iv:aB8Y4Y0t4ncViBAvH2WAAGgzbrzUSvL3/RRY+VVUKlk=,tag:0BSFABPxUxgRG1fDrDHXug==,type:str] + pgp: + - created_at: "2024-09-07T01:46:20Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMAyqlIeyoxYovAQ//XsBS23tIBniGlJAVG7gBJRclDr4ecXUH3LTkVPSaQ4r6 + gLPL19dZaYcs4hkvOOgm0u7tXXPMFHuIWvLLPKwAbZMOGcvhqgSWmVDIFRKOtAKt + mdNeVEWARwf2/3JsVSyh8pyxbdtC1dlY6BB8Cxd95n70ZQdrAbGewAK6sVWWAiRr + uSLiYO/HUdyoP38q77dwG4p8up1qchND92Ie04zowWbiquMq+V/2pgJ3dd51Z5Gn + oD1oNZZZeZaBJ+G3mea5QSzduE7x8R56YyGyBcDOn6gmMxJF8adDBsQfdH2bQCWQ + I2QstgQwXAvvwqexow8x/wEAkUXksB/dZKWOu3QhlFq7vLJ9RXGTaKCg0FCcu8/U + h7x4njNLA2/aidAVL4ufRohiONss2fjcDhpiJ7uyBM/horq2SmABzwoCtmRS/4du + oE/Ygfh+OPa6+SuQmwB+BH255HPsDNeikC/F3XJ/LXKO6460L7yQAdYnKAR3EqVL + KcfrVNIaFAIxLQ7SQ3DaU2ddc18pzPbBDnLwwFoO+mM2u6wwaKZkyjAK/1NlNs/O + WGXjPzBvpjWTQmSL4PhwGmtaolNpE9j3zpLHUs3TcKUKXyzV1f5p2pxXBBo/IYZy + rVkKm2zPR0rgkVjJMWiZ+uazGy3mVbsDj3y/5c+CRYTuNoHk/AuWz3x8KSEz/JCF + AgwDXjg0p2IN1X8BEADFHtP/WpUDejsej2gXlWYJkT6N9IiZqfMKbejk3yAQr9+L + 9J1c5UkDT6MeQpIFs04cZMAVmQRg+Q5D9ipgp8t4PMBNCT6xuQYIvfkdoESQG4Rt + 6FpQHkeKkooXWJJzCppexkKzXeHjfMFm7KPd0jea46uwh+Qx2MbDaoiGK+YCzb82 + mWCpgPfguOdbLaGI2aSYiWTrmMnNZv4cthv4Z/u1ph6NB2X/SbG3ot5O569epLpq + Al9bVUb2ZCEfrRUmqC9eWTr3p+GFRF77u7PVBwOjYItI4Paz+M7EKUmUqvMoj4EF + X+I9Oaac2t9nlIMLKNtq14LkncvdW+xuy83M2dN708ceo0+HxUeHCFyqbogKG8l9 + vQa9OFGleLyeoWlVlBqKco2cQe4xI8UkJryxsBC+36OaeqrCFAhbYpCn5QL/Ij/4 + 8ZPg1RCh9oeFvfripRpQ9G6UNtmvloK8LA/73uHnkztAYx2AFMaI6zQr75F7S8IH + tSGNEUA3MHOU7pIrCp9KnGjjfsChD6J9d0EoOOQfP1nDxVkXrL1afiuFtieJOiru + pyr1LJonGBdBxDDSrfPj6tc1moqIjgiZiDBcImEPv076Wro9EZdTi53CNj9rtEln + hUpFDcNMdwccumMslDl8qNdAKJgFGEORtRqFs+n7nywjAnxqd7gVGKDO4RrjsdRm + AQkCEFhM1Krfrf1RAJz/fnEeg21yvhg47SCgBiNGizLXgyCgK1kGuxB+SpJVMkAg + rdBo5t2UfXkVyJQ00K77you1N17NtPnyKr8xfItd7JRmDpJn40f9MFR2AOyVFC5B + lVleELeG + =bKFu + -----END PGP MESSAGE----- + fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD + - created_at: "2024-09-07T01:46:20Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAy5t8IMoPu4VARAAo2y6IQJlsEAswykjpfDzvQw3TCyTiZWe6duhmnDoXKjK + 8A66oDpQcfl0ubjIj6/FJICLr2PGPb1bgKUEz+vBsp1bv+txUtLwUXJTqFKnCS1H + CRKfEmDSNaAtNEtpOGnCeMffB0ghLvs42mlTUUi7u240FJ6MgD7AvV4UlM5IYOLx + 
+yZyjzYzgNibyh7rOun2E/df2VhDX0Ns6n9ZPZ3TFSdqsXGJ4bqn8+0MhJYeOMNc + ap3dMMhUuUoH5krvocNymJ6WH8x4LwUJrlQsTdr0edA6BhNYC35a2JcAkOGblaCP + er845gN/iCRhl6i/XFYcz7mhMheYmiVf5TEuMvFsdjBl0yNi65wJz5EX3U01Y63+ + G+UeWCLt9+qDnAG3CN45Hgp46xIXocBvUhqdrg4Srtd+h/12Xlg8vV0jcdezWNm5 + pqWVeLDGjDFZNLvG/p+dWF+EDN/Zv9V3Axb1ChYeRCbue0POqr7X6OS5lWZmuUwa + oaiE2vYFkUCcdZtQANDDluh36Bk2pHAOELcttPa4OO4F0mCopAtg6uDp07WQUUwR + TkELlxQvOQYtTJZkTiiOe7ogr3jXWuz6hp80WN/ZVdh6UtO9cNem3d5+hECUA0LY + NuEPYAAyZxfpvRRIrkV768AS+USqA6VDjistIFc/qTG0L3WeDyP6h0plAJr9OKvU + ZgEJAhCQhjQZwIG7xvkuK2EzSePmMMUl+DEbq1GzgCuzh3Y+X/3pryvEjh+002pe + 55FSHnIZn+nD8Z1jAcRI+6mEZWfNYUXecF98+JBGIe73J/xjNUSWJZpSiYLIMnR6 + 6SKCYH9ORA== + =jqMe + -----END PGP MESSAGE----- + fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D + encrypted_regex: ^(data|stringData)$ + version: 3.9.0 diff --git a/kubernetes/thin/secrets/cluster-settings.yaml b/kubernetes/thin/secrets/cluster-settings.yaml new file mode 100644 index 0000000..cea7f5c --- /dev/null +++ b/kubernetes/thin/secrets/cluster-settings.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: cluster-settings + namespace: flux-system +data: + # MetalLB + METALLB_LB_RANGE: 192.168.1.60-192.168.1.70 + SERVER_TIMEZONE: America/New_York \ No newline at end of file diff --git a/kubernetes/thin/secrets/kustomization.yaml b/kubernetes/thin/secrets/kustomization.yaml new file mode 100644 index 0000000..970b3ed --- /dev/null +++ b/kubernetes/thin/secrets/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./cluster-secrets.sops.yaml +- ./cluster-settings.yaml \ No newline at end of file From 9dcb7c6d904e1c6cafd11678aa9cb1a6c7e5afb6 Mon Sep 17 00:00:00 2001 From: SeanOMik Date: Fri, 6 Sep 2024 23:38:28 -0400 Subject: [PATCH 02/27] fix: remove dependsOn: core for thin cluster --- .taskfiles/Flux/Taskfile.yaml | 2 +- kubernetes/thin/flux/config/cluster.yaml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) 
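Review bot: `cluster-secrets.sops.yaml` for the thin cluster carries database admin and user passwords, a Redis password and the Authentik secret key, and cluster.yaml hands the whole Secret to the `apps` Kustomization via `substituteFrom`, so any manifest under `kubernetes/thin/apps` can expand e.g. `${SECRET_DATABASE_PGSQL_ADMIN_PASS}` into plaintext inside whatever resource it appears in; for a cluster that at this point only runs networking, Traefik, NFD and the GPU plugin, those keys look over-provisioned. If these values are copies of the main cluster's (not verifiable here), the thin cluster also shares service credentials with main. Keeping only the cluster-wide values (domain, emails) in this Secret and the service credentials in per-app sops files next to their consumers narrows what a mistaken manifest can leak and keeps the two clusters' credentials independent.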
diff --git a/.taskfiles/Flux/Taskfile.yaml b/.taskfiles/Flux/Taskfile.yaml index 0460846..0995e78 100644 --- a/.taskfiles/Flux/Taskfile.yaml +++ b/.taskfiles/Flux/Taskfile.yaml @@ -18,5 +18,5 @@ tasks: - { msg: "Missing cluster sops key", sh: "gpg -K 687802D4DFD8AA82EA55666CF7DADAC782D7663D" } reconcile: - desc: Force update Flux to pull in changes from your Git repository + desc: Force update Flux to pull in changes from the Git repository cmd: flux reconcile --namespace flux-system kustomization cluster --with-source \ No newline at end of file diff --git a/kubernetes/thin/flux/config/cluster.yaml b/kubernetes/thin/flux/config/cluster.yaml index aed7572..776a5f1 100644 --- a/kubernetes/thin/flux/config/cluster.yaml +++ b/kubernetes/thin/flux/config/cluster.yaml @@ -43,7 +43,6 @@ spec: interval: 10m dependsOn: - name: cluster-secrets - - name: core path: ./kubernetes/thin/apps prune: true sourceRef: From 9c3743714c4137190684f23845851a1fb8658c01 Mon Sep 17 00:00:00 2001 From: SeanOMik Date: Fri, 6 Sep 2024 23:44:00 -0400 Subject: [PATCH 03/27] fix: enable metallb crds --- kubernetes/common/apps/metallb/helm-release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/common/apps/metallb/helm-release.yaml b/kubernetes/common/apps/metallb/helm-release.yaml index a36f740..e19d459 100644 --- a/kubernetes/common/apps/metallb/helm-release.yaml +++ b/kubernetes/common/apps/metallb/helm-release.yaml @@ -24,4 +24,4 @@ spec: namespace: flux-system values: crds: - enabled: false + enabled: true From d54748b32437e4f07080e248144cb21bcf2ee451 Mon Sep 17 00:00:00 2001 From: SeanOMik Date: Fri, 6 Sep 2024 23:50:07 -0400 Subject: [PATCH 04/27] chore: remove unused traefik entrypoint --- kubernetes/common/apps/traefik/helm-release.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/kubernetes/common/apps/traefik/helm-release.yaml b/kubernetes/common/apps/traefik/helm-release.yaml index 17b2b7c..a0f74b7 100644 
--- a/kubernetes/common/apps/traefik/helm-release.yaml +++ b/kubernetes/common/apps/traefik/helm-release.yaml @@ -17,7 +17,6 @@ spec: values: additionalArguments: - --api.insecure - - --entryPoints.factorio.address=:34197/udp logs: general: From ea0ba61a2641123f019ab1099760b339e8f4ecbb Mon Sep 17 00:00:00 2001 From: SeanOMik Date: Fri, 6 Sep 2024 23:50:34 -0400 Subject: [PATCH 05/27] fix: remove metallb, use cilium load balancer ip pool instead --- kubernetes/thin/apps/kustomization.yaml | 3 ++- kubernetes/thin/apps/main-ip-pool.yaml | 8 ++++++++ kubernetes/thin/secrets/cluster-settings.yaml | 2 +- 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 kubernetes/thin/apps/main-ip-pool.yaml diff --git a/kubernetes/thin/apps/kustomization.yaml b/kubernetes/thin/apps/kustomization.yaml index 5d31a55..5982996 100644 --- a/kubernetes/thin/apps/kustomization.yaml +++ b/kubernetes/thin/apps/kustomization.yaml @@ -2,7 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helm-repositories.yaml -- ../../common/apps/metallb +#- ../../common/apps/metallb +- ./main-ip-pool.yaml - ../../common/apps/traefik # storage #- ./longhorn diff --git a/kubernetes/thin/apps/main-ip-pool.yaml b/kubernetes/thin/apps/main-ip-pool.yaml new file mode 100644 index 0000000..1dec48d --- /dev/null +++ b/kubernetes/thin/apps/main-ip-pool.yaml @@ -0,0 +1,8 @@ +apiVersion: "cilium.io/v2alpha1" +kind: CiliumLoadBalancerIPPool +metadata: + name: "main-pool" +spec: + blocks: + - start: "192.168.1.50" + stop: "192.168.1.60" \ No newline at end of file diff --git a/kubernetes/thin/secrets/cluster-settings.yaml b/kubernetes/thin/secrets/cluster-settings.yaml index cea7f5c..a7a4291 100644 --- a/kubernetes/thin/secrets/cluster-settings.yaml +++ b/kubernetes/thin/secrets/cluster-settings.yaml 
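Review bot: `main-ip-pool.yaml` hard-codes the 192.168.1.50–192.168.1.60 block while `cluster-settings.yaml` (next hunk) is updated to the same range under a `# MetalLB` heading and a `METALLB_LB_RANGE` key that nothing in the thin cluster reads once metallb is commented out, so there are now two sources of truth that can drift. Either drop the stale key, or split it into start/stop settings and reference them from the pool (the `apps` Kustomization already substitutes from `cluster-settings`). Cilium treats `start`/`stop` as inclusive, so .60 is handed out by this pool; if the main cluster's MetalLB pool still begins at .60 (the value this key held before, presumably copied from main), both clusters would announce the same LAN address — worth confirming before the thin cluster gets its first LoadBalancer Service.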
@@ -6,5 +6,5 @@ metadata: namespace: flux-system data: # MetalLB - METALLB_LB_RANGE: 192.168.1.60-192.168.1.70 + METALLB_LB_RANGE: 192.168.1.50-192.168.1.60 SERVER_TIMEZONE: America/New_York \ No newline at end of file From 18c99ba347be00137832a31d402688445f0c887c Mon Sep 17 00:00:00 2001 From: SeanOMik Date: Fri, 6 Sep 2024 23:58:15 -0400 Subject: [PATCH 06/27] fix: traefik crds race condition --- .../traefik/{ => app}/dashboard-ingress.yaml | 0 .../apps/traefik/{ => app}/helm-release.yaml | 0 .../traefik/{ => app}/helm-repository.yaml | 0 .../apps/traefik/{ => app}/kustomization.yaml | 1 - .../apps/traefik/{ => app}/namespace.yaml | 0 .../{ => extra}/default-tls-store.yaml | 0 .../apps/traefik/extra/kustomization.yaml | 4 ++ kubernetes/common/apps/traefik/ks.yaml | 40 +++++++++++++++++++ kubernetes/main/core/kustomization.yaml | 2 +- kubernetes/thin/apps/kustomization.yaml | 2 +- 10 files changed, 46 insertions(+), 3 deletions(-) rename kubernetes/common/apps/traefik/{ => app}/dashboard-ingress.yaml (100%) rename kubernetes/common/apps/traefik/{ => app}/helm-release.yaml (100%) rename kubernetes/common/apps/traefik/{ => app}/helm-repository.yaml (100%) rename kubernetes/common/apps/traefik/{ => app}/kustomization.yaml (72%) rename kubernetes/common/apps/traefik/{ => app}/namespace.yaml (100%) rename kubernetes/common/apps/traefik/{ => extra}/default-tls-store.yaml (100%) create mode 100644 kubernetes/common/apps/traefik/extra/kustomization.yaml create mode 100644 kubernetes/common/apps/traefik/ks.yaml diff --git a/kubernetes/common/apps/traefik/dashboard-ingress.yaml b/kubernetes/common/apps/traefik/app/dashboard-ingress.yaml similarity index 100% rename from kubernetes/common/apps/traefik/dashboard-ingress.yaml rename to kubernetes/common/apps/traefik/app/dashboard-ingress.yaml 
diff --git a/kubernetes/common/apps/traefik/helm-release.yaml b/kubernetes/common/apps/traefik/app/helm-release.yaml similarity index 100% rename from kubernetes/common/apps/traefik/helm-release.yaml rename to kubernetes/common/apps/traefik/app/helm-release.yaml diff --git a/kubernetes/common/apps/traefik/helm-repository.yaml b/kubernetes/common/apps/traefik/app/helm-repository.yaml similarity index 100% rename from kubernetes/common/apps/traefik/helm-repository.yaml rename to kubernetes/common/apps/traefik/app/helm-repository.yaml diff --git a/kubernetes/common/apps/traefik/kustomization.yaml b/kubernetes/common/apps/traefik/app/kustomization.yaml similarity index 72% rename from kubernetes/common/apps/traefik/kustomization.yaml rename to kubernetes/common/apps/traefik/app/kustomization.yaml index 835cd22..191a565 100644 --- a/kubernetes/common/apps/traefik/kustomization.yaml +++ b/kubernetes/common/apps/traefik/app/kustomization.yaml @@ -4,5 +4,4 @@ resources: - ./namespace.yaml - ./helm-repository.yaml - ./helm-release.yaml -- ./default-tls-store.yaml - ./dashboard-ingress.yaml \ No newline at end of file diff --git a/kubernetes/common/apps/traefik/namespace.yaml b/kubernetes/common/apps/traefik/app/namespace.yaml similarity index 100% rename from kubernetes/common/apps/traefik/namespace.yaml rename to kubernetes/common/apps/traefik/app/namespace.yaml diff --git a/kubernetes/common/apps/traefik/default-tls-store.yaml b/kubernetes/common/apps/traefik/extra/default-tls-store.yaml similarity index 100% rename from kubernetes/common/apps/traefik/default-tls-store.yaml rename to kubernetes/common/apps/traefik/extra/default-tls-store.yaml diff --git a/kubernetes/common/apps/traefik/extra/kustomization.yaml b/kubernetes/common/apps/traefik/extra/kustomization.yaml new file mode 100644 index 0000000..4dfa729 --- /dev/null +++ b/kubernetes/common/apps/traefik/extra/kustomization.yaml 
@@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./default-tls-store.yaml \ No newline at end of file diff --git a/kubernetes/common/apps/traefik/ks.yaml b/kubernetes/common/apps/traefik/ks.yaml new file mode 100644 index 0000000..24dc76d --- /dev/null +++ b/kubernetes/common/apps/traefik/ks.yaml @@ -0,0 +1,40 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: traefik + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/common/apps/traefik/app + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: traefik-default-tls + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/common/apps/traefik/extra + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: traefik + namespace: flux-system \ No newline at end of file diff --git a/kubernetes/main/core/kustomization.yaml b/kubernetes/main/core/kustomization.yaml index 991316d..e505ffa 100644 --- a/kubernetes/main/core/kustomization.yaml +++ b/kubernetes/main/core/kustomization.yaml @@ -5,7 +5,7 @@ resources: - ./helm-repositories.yaml - ./cert-manager - ../../common/apps/metallb -- ../../common/apps/traefik +- ../../common/apps/traefik/ks.yaml # storage - ./longhorn - ./openebs diff --git a/kubernetes/thin/apps/kustomization.yaml b/kubernetes/thin/apps/kustomization.yaml index 5982996..a2eaf7b 100644 --- a/kubernetes/thin/apps/kustomization.yaml +++ b/kubernetes/thin/apps/kustomization.yaml 
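Review bot: `traefik-default-tls` in ks.yaml depends on `traefik`, but the `traefik` Kustomization has neither `wait: true` nor `healthChecks`, so it reports Ready as soon as the HelmRelease object is applied rather than when helm-controller has installed the chart and its CRDs; the TLSStore under `extra` can therefore still be applied before the CRD exists, which is the race this commit sets out to fix. Adding `wait: true` under `spec` of the `traefik` Kustomization makes `dependsOn` gate on the HelmRelease actually being Ready. The same applies to the `cert-manager` Kustomization in `app/ks.yaml` of patch 10, on which `cert-manager-certificates` depends. Flux retries a failed apply on the next reconcile, so the race only surfaces as a transient error, which may be why the split alone appears to help.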
@@ -4,7 +4,7 @@ resources: - ./helm-repositories.yaml #- ../../common/apps/metallb - ./main-ip-pool.yaml -- ../../common/apps/traefik +- ../../common/apps/traefik/ks.yaml # storage #- ./longhorn #- ../../common/apps/openebs From 8c224b4464a8f1e22526d16606cfeac6335bbe02 Mon Sep 17 00:00:00 2001 From: SeanOMik Date: Sat, 7 Sep 2024 00:01:46 -0400 Subject: [PATCH 07/27] fix(traefik): add substituteFrom config map and secrets --- kubernetes/common/apps/traefik/ks.yaml | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/kubernetes/common/apps/traefik/ks.yaml b/kubernetes/common/apps/traefik/ks.yaml index 24dc76d..ce392ff 100644 --- a/kubernetes/common/apps/traefik/ks.yaml +++ b/kubernetes/common/apps/traefik/ks.yaml @@ -16,6 +16,13 @@ spec: provider: sops secretRef: name: sops-gpg + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets --- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 @@ -37,4 +44,11 @@ spec: name: sops-gpg dependsOn: - name: traefik - namespace: flux-system \ No newline at end of file + namespace: flux-system + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file From 2ec21aa75772d309d4930d3aa64c7283ad3daf91 Mon Sep 17 00:00:00 2001 From: SeanOMik Date: Sat, 7 Sep 2024 00:05:39 -0400 Subject: [PATCH 08/27] fix(nfd, intel-gpu): use correct kustomization path --- kubernetes/common/apps/intel-gpu/ks.yaml | 2 +- kubernetes/common/apps/nfd/ks.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/common/apps/intel-gpu/ks.yaml b/kubernetes/common/apps/intel-gpu/ks.yaml index 96c36a9..6f0ac05 100644 --- a/kubernetes/common/apps/intel-gpu/ks.yaml +++ b/kubernetes/common/apps/intel-gpu/ks.yaml 
@@ -7,7 +7,7 @@ metadata: spec: timeout: 5m interval: 10m - path: ./kubernetes/main/core/intel-gpu/files + path: ./kubernetes/common/apps/intel-gpu/files prune: true sourceRef: kind: GitRepository diff --git a/kubernetes/common/apps/nfd/ks.yaml b/kubernetes/common/apps/nfd/ks.yaml index b5184d0..397d133 100644 --- a/kubernetes/common/apps/nfd/ks.yaml +++ b/kubernetes/common/apps/nfd/ks.yaml @@ -7,7 +7,7 @@ metadata: spec: timeout: 5m interval: 10m - path: ./kubernetes/main/core/nfd/files + path: ./kubernetes/common/apps/nfd/files prune: true sourceRef: kind: GitRepository From 9134f887a703829e9da1e94700db77089f4197d5 Mon Sep 17 00:00:00 2001 
From: SeanOMik Date: Sat, 7 Sep 2024 00:14:50 -0400 Subject: [PATCH 09/27] feat: move cert-manager to common, add it to thin cluster --- .../apps}/cert-manager/cloudflare-cred.sops.yaml | 0 .../apps}/cert-manager/helm-release.yaml | 0 .../apps}/cert-manager/helm-repository.yaml | 0 .../apps}/cert-manager/kustomization.yaml | 0 .../apps}/cert-manager/letsencrypt-prod.yaml | 3 --- .../apps}/cert-manager/letsencrypt-stage.yaml | 3 --- .../core => common/apps}/cert-manager/namespace.yaml | 0 .../apps}/cert-manager/wildcard-cert.yaml | 11 ++--------- kubernetes/main/core/kustomization.yaml | 2 +- kubernetes/thin/apps/kustomization.yaml | 5 +---- 10 files changed, 4 insertions(+), 20 deletions(-) rename kubernetes/{main/core => common/apps}/cert-manager/cloudflare-cred.sops.yaml (100%) rename kubernetes/{main/core => common/apps}/cert-manager/helm-release.yaml (100%) rename kubernetes/{main/core => common/apps}/cert-manager/helm-repository.yaml (100%) rename kubernetes/{main/core => common/apps}/cert-manager/kustomization.yaml (100%) rename kubernetes/{main/core => common/apps}/cert-manager/letsencrypt-prod.yaml (83%) rename kubernetes/{main/core => common/apps}/cert-manager/letsencrypt-stage.yaml (83%) rename kubernetes/{main/core => common/apps}/cert-manager/namespace.yaml (100%) rename kubernetes/{main/core => common/apps}/cert-manager/wildcard-cert.yaml (51%) diff --git a/kubernetes/main/core/cert-manager/cloudflare-cred.sops.yaml b/kubernetes/common/apps/cert-manager/cloudflare-cred.sops.yaml similarity index 100% rename from kubernetes/main/core/cert-manager/cloudflare-cred.sops.yaml rename to kubernetes/common/apps/cert-manager/cloudflare-cred.sops.yaml diff --git a/kubernetes/main/core/cert-manager/helm-release.yaml b/kubernetes/common/apps/cert-manager/helm-release.yaml similarity index 100% rename from kubernetes/main/core/cert-manager/helm-release.yaml rename to kubernetes/common/apps/cert-manager/helm-release.yaml 
diff --git a/kubernetes/main/core/cert-manager/helm-repository.yaml b/kubernetes/common/apps/cert-manager/helm-repository.yaml similarity index 100% rename from kubernetes/main/core/cert-manager/helm-repository.yaml rename to kubernetes/common/apps/cert-manager/helm-repository.yaml diff --git a/kubernetes/main/core/cert-manager/kustomization.yaml b/kubernetes/common/apps/cert-manager/kustomization.yaml similarity index 100% rename from kubernetes/main/core/cert-manager/kustomization.yaml rename to kubernetes/common/apps/cert-manager/kustomization.yaml diff --git a/kubernetes/main/core/cert-manager/letsencrypt-prod.yaml b/kubernetes/common/apps/cert-manager/letsencrypt-prod.yaml similarity index 83% rename from kubernetes/main/core/cert-manager/letsencrypt-prod.yaml rename to kubernetes/common/apps/cert-manager/letsencrypt-prod.yaml index cff18c2..c882f1e 100644 --- a/kubernetes/main/core/cert-manager/letsencrypt-prod.yaml +++ b/kubernetes/common/apps/cert-manager/letsencrypt-prod.yaml @@ -10,9 +10,6 @@ spec: privateKeySecretRef: name: letsencrypt-production solvers: -# - http01: -# ingress: -# class: traefik - dns01: cloudflare: email: "${SECRET_MY_EMAIL}" diff --git a/kubernetes/main/core/cert-manager/letsencrypt-stage.yaml b/kubernetes/common/apps/cert-manager/letsencrypt-stage.yaml similarity index 83% rename from kubernetes/main/core/cert-manager/letsencrypt-stage.yaml rename to kubernetes/common/apps/cert-manager/letsencrypt-stage.yaml index 63b7f44..b5be2b3 100644 --- a/kubernetes/main/core/cert-manager/letsencrypt-stage.yaml +++ b/kubernetes/common/apps/cert-manager/letsencrypt-stage.yaml @@ -10,9 +10,6 @@ spec: privateKeySecretRef: name: letsencrypt-staging solvers: -# - http01: -# ingress: -# class: traefik - dns01: cloudflare: email: "${SECRET_MY_EMAIL}" 
diff --git a/kubernetes/main/core/cert-manager/namespace.yaml b/kubernetes/common/apps/cert-manager/namespace.yaml similarity index 100% rename from kubernetes/main/core/cert-manager/namespace.yaml rename to kubernetes/common/apps/cert-manager/namespace.yaml diff --git a/kubernetes/main/core/cert-manager/wildcard-cert.yaml b/kubernetes/common/apps/cert-manager/wildcard-cert.yaml similarity index 51% rename from kubernetes/main/core/cert-manager/wildcard-cert.yaml rename to kubernetes/common/apps/cert-manager/wildcard-cert.yaml index cc5b30f..2a8f2a9 100644 --- a/kubernetes/main/core/cert-manager/wildcard-cert.yaml +++ b/kubernetes/common/apps/cert-manager/wildcard-cert.yaml @@ -2,14 +2,10 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: wildcard-main-cert - namespace: traefik #cert-manager + namespace: traefik spec: secretName: wildcard-main-tls -# secretTemplate: -# annotations: -# replicator.v1.mittwald.de/replicate-to: "traefik" - duration: 2160h # 90d renewBefore: 360h # 15d @@ -19,7 +15,4 @@ spec: dnsNames: - "${SECRET_NEW_DOMAIN}" - - "*.${SECRET_NEW_DOMAIN}" -# - "*.k3s.${SECRET_NEW_DOMAIN}" -# - "*.database.${SECRET_NEW_DOMAIN}" -# - "*.s3.${SECRET_NEW_DOMAIN}" \ No newline at end of file + - "*.${SECRET_NEW_DOMAIN}" \ No newline at end of file diff --git a/kubernetes/main/core/kustomization.yaml b/kubernetes/main/core/kustomization.yaml index e505ffa..f5e016b 100644 --- a/kubernetes/main/core/kustomization.yaml +++ b/kubernetes/main/core/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization resources: - ./kube-system - ./helm-repositories.yaml -- ./cert-manager +- ../../common/apps/cert-manager - ../../common/apps/metallb - ../../common/apps/traefik/ks.yaml # storage diff --git a/kubernetes/thin/apps/kustomization.yaml b/kubernetes/thin/apps/kustomization.yaml index a2eaf7b..2df0834 100644 --- a/kubernetes/thin/apps/kustomization.yaml +++ b/kubernetes/thin/apps/kustomization.yaml 
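Review bot: With `wildcard-cert.yaml` now under `common` and included by both `main/core` and `thin/apps` (the kustomization hunks that follow in this patch), each cluster's cert-manager places its own ACME order for `${SECRET_NEW_DOMAIN}` and `*.${SECRET_NEW_DOMAIN}`; if both clusters substitute the same domain, the second order counts against Let's Encrypt's duplicate-certificate limit and both clusters drive the same Cloudflare token from `cloudflare-cred.sops.yaml`. Issuing from `letsencrypt-staging` on the thin cluster until it is stable, for example by making the issuer a substitutable setting (the `issuerRef` sits outside this hunk), would avoid spending the production quota during bring-up. Removing the commented `http01` solver and the stale `secretTemplate` lines is a welcome cleanup.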
@@ -2,14 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helm-repositories.yaml -#- ../../common/apps/metallb - ./main-ip-pool.yaml +- ../../common/apps/cert-manager - ../../common/apps/traefik/ks.yaml # storage -#- ./longhorn #- ../../common/apps/openebs -#- ./kube-replicator - - ../../common/apps/nfd/ks.yaml - ../../common/apps/intel-gpu/ks.yaml \ No newline at end of file From 3a8639f80d897fcaac3d1017d9688b4aa4457b4a Mon Sep 17 00:00:00 2001 
From: SeanOMik Date: Sat, 7 Sep 2024 00:20:27 -0400 Subject: [PATCH 10/27] feat: reorganize cert-manager to avoid crds race condition --- .../{ => app/files}/helm-release.yaml | 0 .../{ => app/files}/helm-repository.yaml | 0 .../cert-manager/app/files/kustomization.yaml | 5 ++++ .../common/apps/cert-manager/app/ks.yaml | 25 +++++++++++++++++ .../files}/cloudflare-cred.sops.yaml | 0 .../certs/files/kustomization.yaml | 7 +++++ .../{ => certs/files}/letsencrypt-prod.yaml | 0 .../{ => certs/files}/letsencrypt-stage.yaml | 0 .../{ => certs/files}/wildcard-cert.yaml | 0 .../common/apps/cert-manager/certs/ks.yaml | 28 +++++++++++++++++++ .../apps/cert-manager/kustomization.yaml | 8 ++---- 11 files changed, 67 insertions(+), 6 deletions(-) rename kubernetes/common/apps/cert-manager/{ => app/files}/helm-release.yaml (100%) rename kubernetes/common/apps/cert-manager/{ => app/files}/helm-repository.yaml (100%) create mode 100644 kubernetes/common/apps/cert-manager/app/files/kustomization.yaml create mode 100644 kubernetes/common/apps/cert-manager/app/ks.yaml rename kubernetes/common/apps/cert-manager/{ => certs/files}/cloudflare-cred.sops.yaml (100%) create mode 100644 kubernetes/common/apps/cert-manager/certs/files/kustomization.yaml rename kubernetes/common/apps/cert-manager/{ => certs/files}/letsencrypt-prod.yaml (100%) rename kubernetes/common/apps/cert-manager/{ => certs/files}/letsencrypt-stage.yaml (100%) rename kubernetes/common/apps/cert-manager/{ => certs/files}/wildcard-cert.yaml (100%) create mode 100644 kubernetes/common/apps/cert-manager/certs/ks.yaml diff --git a/kubernetes/common/apps/cert-manager/helm-release.yaml b/kubernetes/common/apps/cert-manager/app/files/helm-release.yaml similarity index 100% rename from kubernetes/common/apps/cert-manager/helm-release.yaml rename to kubernetes/common/apps/cert-manager/app/files/helm-release.yaml 
diff --git a/kubernetes/common/apps/cert-manager/helm-repository.yaml b/kubernetes/common/apps/cert-manager/app/files/helm-repository.yaml similarity index 100% rename from kubernetes/common/apps/cert-manager/helm-repository.yaml rename to kubernetes/common/apps/cert-manager/app/files/helm-repository.yaml diff --git a/kubernetes/common/apps/cert-manager/app/files/kustomization.yaml b/kubernetes/common/apps/cert-manager/app/files/kustomization.yaml new file mode 100644 index 0000000..14a2c31 --- /dev/null +++ b/kubernetes/common/apps/cert-manager/app/files/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./helm-repository.yaml +- ./helm-release.yaml \ No newline at end of file diff --git a/kubernetes/common/apps/cert-manager/app/ks.yaml b/kubernetes/common/apps/cert-manager/app/ks.yaml new file mode 100644 index 0000000..471dbc2 --- /dev/null +++ b/kubernetes/common/apps/cert-manager/app/ks.yaml @@ -0,0 +1,25 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cert-manager + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/common/apps/cert-manager/app/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/common/apps/cert-manager/cloudflare-cred.sops.yaml b/kubernetes/common/apps/cert-manager/certs/files/cloudflare-cred.sops.yaml similarity index 100% rename from kubernetes/common/apps/cert-manager/cloudflare-cred.sops.yaml rename to kubernetes/common/apps/cert-manager/certs/files/cloudflare-cred.sops.yaml 
diff --git a/kubernetes/common/apps/cert-manager/certs/files/kustomization.yaml b/kubernetes/common/apps/cert-manager/certs/files/kustomization.yaml new file mode 100644 index 0000000..d721975 --- /dev/null +++ b/kubernetes/common/apps/cert-manager/certs/files/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./cloudflare-cred.sops.yaml +- ./letsencrypt-prod.yaml +- ./letsencrypt-stage.yaml +- ./wildcard-cert.yaml \ No newline at end of file diff --git a/kubernetes/common/apps/cert-manager/letsencrypt-prod.yaml b/kubernetes/common/apps/cert-manager/certs/files/letsencrypt-prod.yaml similarity index 100% rename from kubernetes/common/apps/cert-manager/letsencrypt-prod.yaml rename to kubernetes/common/apps/cert-manager/certs/files/letsencrypt-prod.yaml diff --git a/kubernetes/common/apps/cert-manager/letsencrypt-stage.yaml b/kubernetes/common/apps/cert-manager/certs/files/letsencrypt-stage.yaml similarity index 100% rename from kubernetes/common/apps/cert-manager/letsencrypt-stage.yaml rename to kubernetes/common/apps/cert-manager/certs/files/letsencrypt-stage.yaml diff --git a/kubernetes/common/apps/cert-manager/wildcard-cert.yaml b/kubernetes/common/apps/cert-manager/certs/files/wildcard-cert.yaml similarity index 100% rename from kubernetes/common/apps/cert-manager/wildcard-cert.yaml rename to kubernetes/common/apps/cert-manager/certs/files/wildcard-cert.yaml diff --git a/kubernetes/common/apps/cert-manager/certs/ks.yaml b/kubernetes/common/apps/cert-manager/certs/ks.yaml new file mode 100644 index 0000000..a24d477 --- /dev/null +++ b/kubernetes/common/apps/cert-manager/certs/ks.yaml 
@@ -0,0 +1,28 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cert-manager-certificates + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/common/apps/cert-manager/certs/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: cert-manager + namespace: flux-system + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/common/apps/cert-manager/kustomization.yaml b/kubernetes/common/apps/cert-manager/kustomization.yaml index 7589521..d70fba6 100644 --- a/kubernetes/common/apps/cert-manager/kustomization.yaml +++ b/kubernetes/common/apps/cert-manager/kustomization.yaml @@ -2,9 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./namespace.yaml -- ./cloudflare-cred.sops.yaml -- ./helm-repository.yaml -- ./helm-release.yaml -- ./letsencrypt-prod.yaml -- ./letsencrypt-stage.yaml -- ./wildcard-cert.yaml \ No newline at end of file +- ./app/ks.yaml +- ./certs/ks.yaml \ No newline at end of file From 63ad2c9c313c1848f4559cc92d36a35e9c82dc2b Mon Sep 17 00:00:00 2001 
From: SeanOMik Date: Sat, 7 Sep 2024 14:39:48 -0400 Subject: [PATCH 11/27] feat: move metallb to common, install it in thin cluster --- .../cert-manager/app/files/helm-release.yaml | 12 +-- .../metallb/{ => app/files}/helm-release.yaml | 0 .../apps/metallb/app/files/kustomization.yaml | 4 + kubernetes/common/apps/metallb/app/ks.yaml | 25 ++++++ .../common/apps/metallb/kustomization.yaml | 4 +- .../metallb/pool/files/kustomization.yaml | 4 + .../{ => pool/files}/metallb-static-ips.yaml | 0 kubernetes/common/apps/metallb/pool/ks.yaml | 28 ++++++ .../app/{ => files}/dashboard-ingress.yaml | 0 .../traefik/app/{ => files}/helm-release.yaml | 0 .../app/{ => files}/helm-repository.yaml | 0 .../app/{ => files}/kustomization.yaml | 0 .../traefik/app/{ => files}/namespace.yaml | 0 kubernetes/common/apps/traefik/app/ks.yaml | 25 ++++++ .../extra/{ => files}/default-tls-store.yaml | 0 .../extra/{ => files}/kustomization.yaml | 0 kubernetes/common/apps/traefik/extra/ks.yaml | 30 +++++++ kubernetes/common/apps/traefik/ks.yaml | 54 ------------ .../common/apps/traefik/kustomization.yaml | 5 ++ kubernetes/main/core/kustomization.yaml | 2 +- kubernetes/thin/apps/kustomization.yaml | 5 +- kubernetes/thin/apps/main-ip-pool.yaml | 2 +- .../traefik/app/files/dashboard-ingress.yaml | 24 +++++ .../apps/traefik/app/files/helm-release.yaml | 87 +++++++++++++++++++ .../traefik/app/files/helm-repository.yaml | 8 ++ .../apps/traefik/app/files/kustomization.yaml | 7 ++ .../apps/traefik/app/files/namespace.yaml | 6 ++ kubernetes/thin/apps/traefik/app/ks.yaml | 25 ++++++ .../extra/files/default-tls-store.yaml | 9 ++ .../traefik/extra/files/kustomization.yaml | 4 + kubernetes/thin/apps/traefik/extra/ks.yaml | 30 +++++++ .../thin/apps/traefik/kustomization.yaml | 5 ++ 32 files changed, 339 insertions(+), 66 deletions(-) rename kubernetes/common/apps/metallb/{ => app/files}/helm-release.yaml (100%) create mode 100644 kubernetes/common/apps/metallb/app/files/kustomization.yaml create mode 100644 
kubernetes/common/apps/metallb/app/ks.yaml create mode 100644 kubernetes/common/apps/metallb/pool/files/kustomization.yaml rename kubernetes/common/apps/metallb/{ => pool/files}/metallb-static-ips.yaml (100%) create mode 100644 kubernetes/common/apps/metallb/pool/ks.yaml rename kubernetes/common/apps/traefik/app/{ => files}/dashboard-ingress.yaml (100%) rename kubernetes/common/apps/traefik/app/{ => files}/helm-release.yaml (100%) rename kubernetes/common/apps/traefik/app/{ => files}/helm-repository.yaml (100%) rename kubernetes/common/apps/traefik/app/{ => files}/kustomization.yaml (100%) rename kubernetes/common/apps/traefik/app/{ => files}/namespace.yaml (100%) create mode 100644 kubernetes/common/apps/traefik/app/ks.yaml rename kubernetes/common/apps/traefik/extra/{ => files}/default-tls-store.yaml (100%) rename kubernetes/common/apps/traefik/extra/{ => files}/kustomization.yaml (100%) create mode 100644 kubernetes/common/apps/traefik/extra/ks.yaml delete mode 100644 kubernetes/common/apps/traefik/ks.yaml create mode 100644 kubernetes/common/apps/traefik/kustomization.yaml create mode 100644 kubernetes/thin/apps/traefik/app/files/dashboard-ingress.yaml create mode 100644 kubernetes/thin/apps/traefik/app/files/helm-release.yaml create mode 100644 kubernetes/thin/apps/traefik/app/files/helm-repository.yaml create mode 100644 kubernetes/thin/apps/traefik/app/files/kustomization.yaml create mode 100644 kubernetes/thin/apps/traefik/app/files/namespace.yaml create mode 100644 kubernetes/thin/apps/traefik/app/ks.yaml create mode 100644 kubernetes/thin/apps/traefik/extra/files/default-tls-store.yaml create mode 100644 kubernetes/thin/apps/traefik/extra/files/kustomization.yaml create mode 100644 kubernetes/thin/apps/traefik/extra/ks.yaml create mode 100644 kubernetes/thin/apps/traefik/kustomization.yaml 
diff --git a/kubernetes/common/apps/cert-manager/app/files/helm-release.yaml b/kubernetes/common/apps/cert-manager/app/files/helm-release.yaml index c31b577..6712652 100644 --- a/kubernetes/common/apps/cert-manager/app/files/helm-release.yaml +++ b/kubernetes/common/apps/cert-manager/app/files/helm-release.yaml @@ -14,7 +14,7 @@ spec: name: jetstack-charts namespace: flux-system values: - installCRDs: false + installCRDs: true webhook: enabled: true extraArgs: @@ -26,8 +26,8 @@ spec: nameservers: - "1.1.1.1" - "9.9.9.9" - prometheus: - servicemonitor: - enabled: true - labels: - release: kube-prometheus-stack \ No newline at end of file +# prometheus: +# servicemonitor: +# enabled: false +# labels: +# release: kube-prometheus-stack \ No newline at end of file diff --git a/kubernetes/common/apps/metallb/helm-release.yaml b/kubernetes/common/apps/metallb/app/files/helm-release.yaml similarity index 100% rename from kubernetes/common/apps/metallb/helm-release.yaml rename to kubernetes/common/apps/metallb/app/files/helm-release.yaml diff --git a/kubernetes/common/apps/metallb/app/files/kustomization.yaml b/kubernetes/common/apps/metallb/app/files/kustomization.yaml new file mode 100644 index 0000000..ea3145d --- /dev/null +++ b/kubernetes/common/apps/metallb/app/files/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./helm-release.yaml \ No newline at end of file diff --git a/kubernetes/common/apps/metallb/app/ks.yaml b/kubernetes/common/apps/metallb/app/ks.yaml new file mode 100644 index 0000000..cd1c37f --- /dev/null +++ b/kubernetes/common/apps/metallb/app/ks.yaml 
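Review bot: The `prometheus.servicemonitor` block is not merely commented out; the commented copy also flips `enabled: true` to `enabled: false`, so the file now carries dead configuration that disagrees with what was live before and gives no reason for the change. Because this file lives under `common/` and is shared by both clusters, if the intent is that only the main cluster runs a Prometheus operator, a per-cluster override (a substituted variable from `cluster-settings`, or a cluster-side patch) keeps the ServiceMonitor where it is useful instead of dropping it everywhere. Separately, with `installCRDs: true` the cert-manager chart renders its CRDs as ordinary templated resources, so uninstalling or pruning this HelmRelease would remove the CRDs and every Issuer/Certificate object with them; a comment such as `# installCRDs: true ties CRD lifecycle to this release; removing the release deletes all Certificate/Issuer objects` would warn the next maintainer.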
@@ -0,0 +1,25 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: metallb + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/common/apps/metallb/app/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/common/apps/metallb/kustomization.yaml b/kubernetes/common/apps/metallb/kustomization.yaml index 046bf58..965ecd3 100644 --- a/kubernetes/common/apps/metallb/kustomization.yaml +++ b/kubernetes/common/apps/metallb/kustomization.yaml @@ -2,5 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./namespace.yaml -- ./helm-release.yaml -- ./metallb-static-ips.yaml \ No newline at end of file +- ./app/ks.yaml +- ./pool/ks.yaml \ No newline at end of file diff --git a/kubernetes/common/apps/metallb/pool/files/kustomization.yaml b/kubernetes/common/apps/metallb/pool/files/kustomization.yaml new file mode 100644 index 0000000..71361b8 --- /dev/null +++ b/kubernetes/common/apps/metallb/pool/files/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./metallb-static-ip \ No newline at end of file diff --git a/kubernetes/common/apps/metallb/metallb-static-ips.yaml b/kubernetes/common/apps/metallb/pool/files/metallb-static-ips.yaml similarity index 100% rename from kubernetes/common/apps/metallb/metallb-static-ips.yaml rename to kubernetes/common/apps/metallb/pool/files/metallb-static-ips.yaml diff --git a/kubernetes/common/apps/metallb/pool/ks.yaml b/kubernetes/common/apps/metallb/pool/ks.yaml new file mode 100644 index 0000000..d224748 
--- /dev/null +++ b/kubernetes/common/apps/metallb/pool/ks.yaml @@ -0,0 +1,28 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: metallb-pool + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/common/apps/metallb/pool/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: metallb + namespace: flux-system + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/common/apps/traefik/app/dashboard-ingress.yaml b/kubernetes/common/apps/traefik/app/files/dashboard-ingress.yaml similarity index 100% rename from kubernetes/common/apps/traefik/app/dashboard-ingress.yaml rename to kubernetes/common/apps/traefik/app/files/dashboard-ingress.yaml diff --git a/kubernetes/common/apps/traefik/app/helm-release.yaml b/kubernetes/common/apps/traefik/app/files/helm-release.yaml similarity index 100% rename from kubernetes/common/apps/traefik/app/helm-release.yaml rename to kubernetes/common/apps/traefik/app/files/helm-release.yaml diff --git a/kubernetes/common/apps/traefik/app/helm-repository.yaml b/kubernetes/common/apps/traefik/app/files/helm-repository.yaml similarity index 100% rename from kubernetes/common/apps/traefik/app/helm-repository.yaml rename to kubernetes/common/apps/traefik/app/files/helm-repository.yaml diff --git a/kubernetes/common/apps/traefik/app/kustomization.yaml b/kubernetes/common/apps/traefik/app/files/kustomization.yaml similarity index 100% rename from kubernetes/common/apps/traefik/app/kustomization.yaml rename to kubernetes/common/apps/traefik/app/files/kustomization.yaml 
diff --git a/kubernetes/common/apps/traefik/app/namespace.yaml b/kubernetes/common/apps/traefik/app/files/namespace.yaml similarity index 100% rename from kubernetes/common/apps/traefik/app/namespace.yaml rename to kubernetes/common/apps/traefik/app/files/namespace.yaml diff --git a/kubernetes/common/apps/traefik/app/ks.yaml b/kubernetes/common/apps/traefik/app/ks.yaml new file mode 100644 index 0000000..d514965 --- /dev/null +++ b/kubernetes/common/apps/traefik/app/ks.yaml @@ -0,0 +1,25 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: traefik + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/common/apps/traefik/app/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/common/apps/traefik/extra/default-tls-store.yaml b/kubernetes/common/apps/traefik/extra/files/default-tls-store.yaml similarity index 100% rename from kubernetes/common/apps/traefik/extra/default-tls-store.yaml rename to kubernetes/common/apps/traefik/extra/files/default-tls-store.yaml diff --git a/kubernetes/common/apps/traefik/extra/kustomization.yaml b/kubernetes/common/apps/traefik/extra/files/kustomization.yaml similarity index 100% rename from kubernetes/common/apps/traefik/extra/kustomization.yaml rename to kubernetes/common/apps/traefik/extra/files/kustomization.yaml diff --git a/kubernetes/common/apps/traefik/extra/ks.yaml b/kubernetes/common/apps/traefik/extra/ks.yaml new file mode 100644 index 0000000..53e157d --- /dev/null +++ b/kubernetes/common/apps/traefik/extra/ks.yaml 
@@ -0,0 +1,30 @@ + +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: traefik-default-tls + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/common/apps/traefik/extra/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: traefik + namespace: flux-system + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/common/apps/traefik/ks.yaml b/kubernetes/common/apps/traefik/ks.yaml deleted file mode 100644 index ce392ff..0000000 --- a/kubernetes/common/apps/traefik/ks.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: traefik - namespace: flux-system -spec: - timeout: 5m - interval: 10m - path: ./kubernetes/common/apps/traefik/app - prune: true - sourceRef: - kind: GitRepository - name: home-cluster - decryption: - provider: sops - secretRef: - name: sops-gpg - postBuild: - substitute: {} - substituteFrom: - - kind: ConfigMap - name: cluster-settings - - kind: Secret - name: cluster-secrets ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: traefik-default-tls - namespace: flux-system -spec: - timeout: 5m - interval: 10m - path: ./kubernetes/common/apps/traefik/extra - prune: true - sourceRef: - kind: GitRepository - name: home-cluster - decryption: - provider: sops - secretRef: - name: sops-gpg - dependsOn: - - name: traefik - namespace: flux-system - postBuild: - substitute: {} - substituteFrom: - - kind: ConfigMap - name: cluster-settings - - kind: Secret - name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/common/apps/traefik/kustomization.yaml b/kubernetes/common/apps/traefik/kustomization.yaml new file mode 100644 index 0000000..c2d4a00 --- /dev/null +++ b/kubernetes/common/apps/traefik/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./app/ks.yaml +- ./extra/ks.yaml \ No newline at end of file diff --git a/kubernetes/main/core/kustomization.yaml b/kubernetes/main/core/kustomization.yaml index f5e016b..d929528 100644 --- a/kubernetes/main/core/kustomization.yaml +++ b/kubernetes/main/core/kustomization.yaml 
@@ -5,7 +5,7 @@ resources: - ./helm-repositories.yaml - ../../common/apps/cert-manager - ../../common/apps/metallb -- ../../common/apps/traefik/ks.yaml +- ../../common/apps/traefik # storage - ./longhorn - ./openebs diff --git a/kubernetes/thin/apps/kustomization.yaml b/kubernetes/thin/apps/kustomization.yaml index 2df0834..89920c5 100644 --- a/kubernetes/thin/apps/kustomization.yaml +++ b/kubernetes/thin/apps/kustomization.yaml @@ -2,9 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helm-repositories.yaml -- ./main-ip-pool.yaml +#- ./main-ip-pool.yaml - ../../common/apps/cert-manager -- ../../common/apps/traefik/ks.yaml +- ../../common/apps/metallb +- ../../common/apps/traefik # storage #- ../../common/apps/openebs diff --git a/kubernetes/thin/apps/main-ip-pool.yaml b/kubernetes/thin/apps/main-ip-pool.yaml index 1dec48d..bccf201 100644 --- a/kubernetes/thin/apps/main-ip-pool.yaml +++ b/kubernetes/thin/apps/main-ip-pool.yaml @@ -5,4 +5,4 @@ metadata: spec: blocks: - start: "192.168.1.50" - stop: "192.168.1.60" \ No newline at end of file + stop: "192.168.1.59" \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/app/files/dashboard-ingress.yaml b/kubernetes/thin/apps/traefik/app/files/dashboard-ingress.yaml new file mode 100644 index 0000000..965ae98 --- /dev/null +++ b/kubernetes/thin/apps/traefik/app/files/dashboard-ingress.yaml @@ -0,0 +1,24 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: traefik-dash-ingress + namespace: traefik + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd +spec: + rules: + - host: "traefik.${SECRET_DOMAIN}" + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: traefik + port: + number: 9000 + tls: + - hosts: + - "${SECRET_DOMAIN}" + - "traefik.${SECRET_DOMAIN}" \ No newline at end of file 
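Review bot: The thin-cluster dashboard-ingress.yaml uses `${SECRET_DOMAIN}` while the whoami release and the letsencrypt-prod dnsZones later in this series use `${SECRET_NEW_DOMAIN}`; unless both variables are defined in `cluster-secrets` for the thin cluster, the substitution leaves a literal `${SECRET_DOMAIN}` in the host rule. The `tls.hosts` list also names the bare `${SECRET_DOMAIN}` apex, which this Ingress has no rule for, and since no `secretName` is given the default TLSStore certificate is served regardless, so that entry can be dropped. The backend is Traefik's own port 9000, which means the `traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd` annotation is the only thing gating the dashboard on this path; a one-line comment saying so would keep it from being removed casually.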
diff --git a/kubernetes/thin/apps/traefik/app/files/helm-release.yaml b/kubernetes/thin/apps/traefik/app/files/helm-release.yaml new file mode 100644 index 0000000..6870c99 --- /dev/null +++ b/kubernetes/thin/apps/traefik/app/files/helm-release.yaml @@ -0,0 +1,87 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: traefik + namespace: traefik +spec: + interval: 5m + chart: + spec: + chart: traefik + version: '30.1.0' + sourceRef: + kind: HelmRepository + name: traefik-charts + namespace: flux-system + interval: 1m + values: + additionalArguments: + - --api.insecure + + logs: + general: + level: DEBUG + + providers: + kubernetesCRD: + enabled: true + allowCrossNamespace: false + allowExternalNameServices: false + allowEmptyServices: false + namespaces: [] + + kubernetesIngress: + enabled: true + allowExternalNameServices: false + allowEmptyServices: false + namespaces: [] + publishedService: + enabled: false + + ports: + traefik: + port: 9000 + expose: + default: false + exposedPort: 9000 + protocol: TCP + + web: + port: 8000 + #nodePort: 30080 + expose: + default: true + redirectTo: + port: websecure + protocol: TCP + + websecure: + port: 8443 + #nodePort: 30443 + expose: + default: true + protocol: TCP + tls: + enabled: true + + metrics: + port: 9100 + expose: + default: false + protocol: TCP + + # Disable Dashboard + ingressRoute: + dashboard: + enabled: false + + # Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes. + ingressClass: + enabled: true + isDefaultClass: true + + metrics: + prometheus: + entryPoint: metrics + + namespaceOverride: traefik diff --git a/kubernetes/thin/apps/traefik/app/files/helm-repository.yaml b/kubernetes/thin/apps/traefik/app/files/helm-repository.yaml new file mode 100644 index 0000000..cb2e806 --- /dev/null +++ b/kubernetes/thin/apps/traefik/app/files/helm-repository.yaml 
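Review bot: `additionalArguments: - --api.insecure` serves the Traefik API and dashboard without authentication on the `traefik` entrypoint (port 9000), so the `# Disable Dashboard` comment above `ingressRoute.dashboard.enabled: false` is misleading: only the chart-generated IngressRoute is disabled, and any workload that can reach the `traefik` Service on 9000 inside the cluster gets the dashboard without the authentik middleware that the separate Ingress applies. If the dashboard should only be reachable through that Ingress, drop `--api.insecure` (the chart enables `--api.dashboard` on its own, as far as I recall) and route to the `api@internal` service through an IngressRoute carrying the middleware, or at minimum add a NetworkPolicy restricting port 9000. `logs.general.level: DEBUG` is also very noisy for a steady-state cluster; INFO is sufficient once bootstrapped, and a comment marking DEBUG as temporary would help. The `# Set Traefik as your default Ingress Controller` comment is chart boilerplate and could be shortened to what matters here, that `isDefaultClass: true` makes Ingresses without an ingressClassName land on this controller.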
@@ -0,0 +1,8 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: traefik-charts + namespace: flux-system +spec: + interval: 1m + url: https://traefik.github.io/charts diff --git a/kubernetes/thin/apps/traefik/app/files/kustomization.yaml b/kubernetes/thin/apps/traefik/app/files/kustomization.yaml new file mode 100644 index 0000000..191a565 --- /dev/null +++ b/kubernetes/thin/apps/traefik/app/files/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./namespace.yaml +- ./helm-repository.yaml +- ./helm-release.yaml +- ./dashboard-ingress.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/app/files/namespace.yaml b/kubernetes/thin/apps/traefik/app/files/namespace.yaml new file mode 100644 index 0000000..c30b28b --- /dev/null +++ b/kubernetes/thin/apps/traefik/app/files/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: traefik + labels: + name: traefik \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/app/ks.yaml b/kubernetes/thin/apps/traefik/app/ks.yaml new file mode 100644 index 0000000..d514965 --- /dev/null +++ b/kubernetes/thin/apps/traefik/app/ks.yaml @@ -0,0 +1,25 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: traefik + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/common/apps/traefik/app/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file 
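Review bot: The thin cluster's traefik/app/ks.yaml is a byte-for-byte copy of the common one (same blob `d514965`) and its `path` still reads `./kubernetes/common/apps/traefik/app/files`, so none of the thin-specific files added alongside it in this commit (the `--api.insecure`/DEBUG helm-release, the dashboard Ingress, the namespace) are applied by this Kustomization. It also keeps `metadata.name: traefik` in `flux-system`, the same identity as the common Kustomization, so a cluster that includes both trees fails the kustomize build on a duplicate resource. The extra/ks.yaml in the next hunk has the identical problem (blob `53e157d`, `path: ./kubernetes/common/apps/traefik/extra/files`). The fix is `path: ./kubernetes/thin/apps/traefik/app/files` here and `path: ./kubernetes/thin/apps/traefik/extra/files` there, ideally with thin-specific names as well.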
diff --git a/kubernetes/thin/apps/traefik/extra/files/default-tls-store.yaml b/kubernetes/thin/apps/traefik/extra/files/default-tls-store.yaml new file mode 100644 index 0000000..9a38626 --- /dev/null +++ b/kubernetes/thin/apps/traefik/extra/files/default-tls-store.yaml @@ -0,0 +1,9 @@ +apiVersion: traefik.io/v1alpha1 +kind: TLSStore +metadata: + name: default + namespace: traefik + +spec: + defaultCertificate: + secretName: wildcard-main-tls \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/extra/files/kustomization.yaml b/kubernetes/thin/apps/traefik/extra/files/kustomization.yaml new file mode 100644 index 0000000..4dfa729 --- /dev/null +++ b/kubernetes/thin/apps/traefik/extra/files/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./default-tls-store.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/extra/ks.yaml b/kubernetes/thin/apps/traefik/extra/ks.yaml new file mode 100644 index 0000000..53e157d --- /dev/null +++ b/kubernetes/thin/apps/traefik/extra/ks.yaml @@ -0,0 +1,30 @@ + +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: traefik-default-tls + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/common/apps/traefik/extra/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: traefik + namespace: flux-system + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/kustomization.yaml b/kubernetes/thin/apps/traefik/kustomization.yaml new file mode 100644 index 0000000..c2d4a00 --- /dev/null 
+++ b/kubernetes/thin/apps/traefik/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./app/ks.yaml +- ./extra/ks.yaml \ No newline at end of file From 219b416fb4a27721441763e787868cbbaf9ff7d3 Mon Sep 17 00:00:00 2001 From: SeanOMik Date: Sat, 7 Sep 2024 14:51:12 -0400 Subject: [PATCH 12/27] fix: use correct file path --- kubernetes/common/apps/metallb/pool/files/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/common/apps/metallb/pool/files/kustomization.yaml b/kubernetes/common/apps/metallb/pool/files/kustomization.yaml index 71361b8..1230a99 100644 --- a/kubernetes/common/apps/metallb/pool/files/kustomization.yaml +++ b/kubernetes/common/apps/metallb/pool/files/kustomization.yaml @@ -1,4 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ./metallb-static-ip \ No newline at end of file +- ./metallb-static-ips.yaml \ No newline at end of file From 41a06897c3ecc8c1d5f1389fff1b6f681cc6e5d2 Mon Sep 17 00:00:00 2001 From: SeanOMik Date: Sat, 7 Sep 2024 14:58:36 -0400 Subject: [PATCH 13/27] chore: remove metallb from thin cluster --- kubernetes/thin/apps/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubernetes/thin/apps/kustomization.yaml b/kubernetes/thin/apps/kustomization.yaml index 89920c5..abaab00 100644 --- a/kubernetes/thin/apps/kustomization.yaml +++ b/kubernetes/thin/apps/kustomization.yaml @@ -4,7 +4,7 @@ resources: - ./helm-repositories.yaml #- ./main-ip-pool.yaml - ../../common/apps/cert-manager -- ../../common/apps/metallb +#- ../../common/apps/metallb - ../../common/apps/traefik # storage #- ../../common/apps/openebs From 6bb2b612a84f6f6b4fe9697b6485f9a1737ab875 Mon Sep 17 00:00:00 2001 
From: SeanOMik Date: Sat, 7 Sep 2024 22:05:05 -0400 Subject: [PATCH 14/27] feat: add internal ingress, generate internal certs, setup cilium bgp, create whoami deployment --- .../certs/files/letsencrypt-prod.yaml | 4 +- kubernetes/common/apps/intel-gpu/ks.yaml | 3 + kubernetes/thin/apps/cilium/bgp.yaml | 56 +++++++++++++ .../thin/apps/cilium/kustomization.yaml | 5 ++ kubernetes/thin/apps/cilium/main-ip-pool.yaml | 8 ++ .../home-assistant/files/helm-release.yaml | 48 +++++++++++ .../home-assistant/files/kustomization.yaml | 4 + .../thin/apps/default/home-assistant/ks.yaml | 25 ++++++ .../thin/apps/default/kustomization.yaml | 4 + .../default/whoami/files/helm-release.yaml | 48 +++++++++++ .../default/whoami/files/kustomization.yaml | 4 + kubernetes/thin/apps/default/whoami/ks.yaml | 25 ++++++ kubernetes/thin/apps/kustomization.yaml | 12 +-- .../apps/traefik/app/files/helm-release.yaml | 21 +++-- .../apps/traefik/app/files/internal-hr.yaml | 81 +++++++++++++++++++ .../apps/traefik/app/files/kustomization.yaml | 1 + .../thin/apps/traefik/kustomization.yaml | 2 +- 17 files changed, 336 insertions(+), 15 deletions(-) create mode 100644 kubernetes/thin/apps/cilium/bgp.yaml create mode 100644 kubernetes/thin/apps/cilium/kustomization.yaml create mode 100644 kubernetes/thin/apps/cilium/main-ip-pool.yaml create mode 100644 kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml create mode 100644 kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml create mode 100644 kubernetes/thin/apps/default/home-assistant/ks.yaml create mode 100644 kubernetes/thin/apps/default/kustomization.yaml create mode 100644 kubernetes/thin/apps/default/whoami/files/helm-release.yaml create mode 100644 kubernetes/thin/apps/default/whoami/files/kustomization.yaml create mode 100644 kubernetes/thin/apps/default/whoami/ks.yaml create mode 100644 kubernetes/thin/apps/traefik/app/files/internal-hr.yaml 
diff --git a/kubernetes/common/apps/cert-manager/certs/files/letsencrypt-prod.yaml b/kubernetes/common/apps/cert-manager/certs/files/letsencrypt-prod.yaml index c882f1e..7aae355 100644 --- a/kubernetes/common/apps/cert-manager/certs/files/letsencrypt-prod.yaml +++ b/kubernetes/common/apps/cert-manager/certs/files/letsencrypt-prod.yaml @@ -18,4 +18,6 @@ spec: key: api-token selector: dnsZones: - - "${SECRET_NEW_DOMAIN}" \ No newline at end of file + - "${SECRET_NEW_DOMAIN}" + - "internal.${SECRET_NEW_DOMAIN}" + - "*.internal.${SECRET_NEW_DOMAIN}" \ No newline at end of file diff --git a/kubernetes/common/apps/intel-gpu/ks.yaml b/kubernetes/common/apps/intel-gpu/ks.yaml index 6f0ac05..f02ec18 100644 --- a/kubernetes/common/apps/intel-gpu/ks.yaml +++ b/kubernetes/common/apps/intel-gpu/ks.yaml @@ -18,4 +18,7 @@ spec: name: sops-gpg dependsOn: - name: nfd + namespace: flux-system + # requires certificates for communications between plugins + - name: cert-manager namespace: flux-system \ No newline at end of file diff --git a/kubernetes/thin/apps/cilium/bgp.yaml b/kubernetes/thin/apps/cilium/bgp.yaml new file mode 100644 index 0000000..02b53bd --- /dev/null +++ b/kubernetes/thin/apps/cilium/bgp.yaml 
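Review bot: The two added `dnsZones` entries are redundant with the existing `"${SECRET_NEW_DOMAIN}"` entry: a cert-manager `dnsZones` selector matches the zone and all of its subdomains, so `internal.${SECRET_NEW_DOMAIN}` and everything under it is already routed to this Cloudflare solver, and a wildcard-prefixed value such as `*.internal.${SECRET_NEW_DOMAIN}` is not a zone name. If the purpose was to document that internal names are issued through this public issuer, a comment does that without touching the selector. Worth stating in that comment, too, that certificates for `*.internal.…` issued by Let's Encrypt appear in public Certificate Transparency logs, so the internal hostnames under that zone are discoverable; that may be acceptable for a wildcard but is a deliberate choice for an "internal" ingress.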
@@ -0,0 +1,56 @@ +apiVersion: cilium.io/v2alpha1 +kind: CiliumBGPClusterConfig +metadata: + name: cilium-bgp + namespace: kube-system +spec: + nodeSelector: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + bgpInstances: + - name: "bgp-public" + localASN: 65552 + peers: + - name: "router" + peerASN: 65551 + peerAddress: 192.168.1.1 + peerConfigRef: + name: "cilium-peer-router" +--- +apiVersion: cilium.io/v2alpha1 +kind: CiliumBGPPeerConfig +metadata: + name: cilium-peer-router + namespace: kube-system +spec: + timers: + holdTimeSeconds: 9 + keepAliveTimeSeconds: 3 + gracefulRestart: + enabled: true + restartTimeSeconds: 15 + families: + - afi: ipv4 + safi: unicast + advertisements: + matchLabels: + advertise: "bgp-public" +--- +apiVersion: cilium.io/v2alpha1 +kind: CiliumBGPAdvertisement +metadata: + name: bgp-public-ad + namespace: kube-system + labels: + advertise: "bgp-public" +spec: + advertisements: + - advertisementType: "Service" + service: + addresses: + - ExternalIP + - LoadBalancerIP + selector: + matchLabels: + service-type: public \ No newline at end of file diff --git a/kubernetes/thin/apps/cilium/kustomization.yaml b/kubernetes/thin/apps/cilium/kustomization.yaml new file mode 100644 index 0000000..b436c3f --- /dev/null +++ b/kubernetes/thin/apps/cilium/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./main-ip-pool.yaml +- ./bgp.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/cilium/main-ip-pool.yaml b/kubernetes/thin/apps/cilium/main-ip-pool.yaml new file mode 100644 index 0000000..bccf201 --- /dev/null +++ b/kubernetes/thin/apps/cilium/main-ip-pool.yaml @@ -0,0 +1,8 @@ +apiVersion: "cilium.io/v2alpha1" +kind: CiliumLoadBalancerIPPool +metadata: + name: "main-pool" +spec: + blocks: + - start: "192.168.1.50" + stop: "192.168.1.59" \ No newline at end of file 
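Review bot: The `CiliumBGPPeerConfig` `cilium-peer-router` sets no `authSecretRef`, so the session to `192.168.1.1` is established without TCP MD5 authentication; any host on that segment able to spoof the router address can peer with the nodes and inject or withdraw routes for the advertised service IPs. If the router supports it, reference a password Secret in `kube-system` via `authSecretRef: bgp-router-auth` (constructed name) and configure the same key on the router side. The `nodeSelector` excludes any node carrying `node-role.kubernetes.io/control-plane`, so on a cluster where every node is a control-plane node no BGP instance would run; a comment stating which nodes are expected to match would make that intent reviewable. `main-ip-pool.yaml` here is the same blob `bccf201` as the existing `kubernetes/thin/apps/main-ip-pool.yaml` that the previous commit commented out, so the old file should be deleted rather than left beside the new one.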
diff --git a/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml b/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml new file mode 100644 index 0000000..8efa6d8 --- /dev/null +++ b/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml @@ -0,0 +1,48 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: whoami + namespace: default +spec: + interval: 5m + chart: + spec: + chart: app-template + version: 3.1.0 + sourceRef: + kind: HelmRepository + name: bjws-charts + namespace: flux-system + + values: + controllers: + main: + containers: + main: + image: + repository: containous/whoami + tag: latest + + service: + app: + controller: main + + ports: + http: + port: 80 + + ingress: + main: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + traefik.ingress.kubernetes.io/router.entrypoints: websecure + #traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd + + hosts: + - host: "whoami.${SECRET_NEW_DOMAIN}" + paths: + - path: / + service: + identifier: app + port: http diff --git a/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml b/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml new file mode 100644 index 0000000..ea3145d --- /dev/null +++ b/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./helm-release.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/default/home-assistant/ks.yaml b/kubernetes/thin/apps/default/home-assistant/ks.yaml new file mode 100644 index 0000000..a92aa63 --- /dev/null +++ b/kubernetes/thin/apps/default/home-assistant/ks.yaml 
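Review bot: home-assistant/files/helm-release.yaml is the whoami release verbatim (same blob `8efa6d8` as whoami/files/helm-release.yaml, `metadata.name: whoami`, `repository: containous/whoami`, host `whoami.${SECRET_NEW_DOMAIN}`), and home-assistant/ks.yaml in the next hunk is likewise named `whoami` with `path: ./kubernetes/thin/apps/default/whoami/files`. Nothing references the home-assistant directory yet (default/kustomization.yaml lists only `./whoami/ks.yaml`), so it is dead scaffolding that would collide with the whoami Kustomization the moment it is wired in. Either drop the directory from this commit or give it its own name, path, chart values and host before it is added.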
@@ -0,0 +1,25 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: whoami + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/thin/apps/default/whoami/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/thin/apps/default/kustomization.yaml b/kubernetes/thin/apps/default/kustomization.yaml new file mode 100644 index 0000000..c7dcc20 --- /dev/null +++ b/kubernetes/thin/apps/default/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./whoami/ks.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/default/whoami/files/helm-release.yaml b/kubernetes/thin/apps/default/whoami/files/helm-release.yaml new file mode 100644 index 0000000..8efa6d8 --- /dev/null +++ b/kubernetes/thin/apps/default/whoami/files/helm-release.yaml 
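Review bot: this `ks.yaml` under `home-assistant/` is byte-identical to `whoami/ks.yaml` (L56, same index a92aa63): Flux Kustomization `whoami` with `path: ./kubernetes/thin/apps/default/whoami/files`. It is not yet listed in `default/kustomization.yaml`, but once it is, the build would contain two `Kustomization/flux-system/whoami` objects and fail on the duplicate ID. Rename `metadata.name` and `spec.path` to the home-assistant directory, e.g. `name: home-assistant` and `path: ./kubernetes/thin/apps/default/home-assistant/files`, or delete the copy.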
@@ -0,0 +1,48 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: whoami + namespace: default +spec: + interval: 5m + chart: + spec: + chart: app-template + version: 3.1.0 + sourceRef: + kind: HelmRepository + name: bjws-charts + namespace: flux-system + + values: + controllers: + main: + containers: + main: + image: + repository: containous/whoami + tag: latest + + service: + app: + controller: main + + ports: + http: + port: 80 + + ingress: + main: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + traefik.ingress.kubernetes.io/router.entrypoints: websecure + #traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd + + hosts: + - host: "whoami.${SECRET_NEW_DOMAIN}" + paths: + - path: / + service: + identifier: app + port: http diff --git a/kubernetes/thin/apps/default/whoami/files/kustomization.yaml b/kubernetes/thin/apps/default/whoami/files/kustomization.yaml new file mode 100644 index 0000000..ea3145d --- /dev/null +++ b/kubernetes/thin/apps/default/whoami/files/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./helm-release.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/default/whoami/ks.yaml b/kubernetes/thin/apps/default/whoami/ks.yaml new file mode 100644 index 0000000..a92aa63 --- /dev/null +++ b/kubernetes/thin/apps/default/whoami/ks.yaml 
@@ -0,0 +1,25 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: whoami + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/thin/apps/default/whoami/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/thin/apps/kustomization.yaml b/kubernetes/thin/apps/kustomization.yaml index abaab00..faa4846 100644 --- a/kubernetes/thin/apps/kustomization.yaml +++ b/kubernetes/thin/apps/kustomization.yaml @@ -2,12 +2,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helm-repositories.yaml -#- ./main-ip-pool.yaml +# networking +- ./cilium +- ./traefik - ../../common/apps/cert-manager -#- ../../common/apps/metallb -- ../../common/apps/traefik # storage #- ../../common/apps/openebs - +# hardware - ../../common/apps/nfd/ks.yaml -- ../../common/apps/intel-gpu/ks.yaml \ No newline at end of file +- ../../common/apps/intel-gpu/ks.yaml + +- ./default \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/app/files/helm-release.yaml b/kubernetes/thin/apps/traefik/app/files/helm-release.yaml index 6870c99..5a93165 100644 --- a/kubernetes/thin/apps/traefik/app/files/helm-release.yaml +++ b/kubernetes/thin/apps/traefik/app/files/helm-release.yaml @@ -1,7 +1,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: traefik + name: traefik-external namespace: traefik spec: interval: 5m 
@@ -15,13 +15,13 @@ spec: namespace: flux-system interval: 1m values: + service: + annotations: + io.cilium/lb-ipam-ips: 192.168.1.50 + additionalArguments: - --api.insecure - logs: - general: - level: DEBUG - providers: kubernetesCRD: enabled: true @@ -48,7 +48,7 @@ spec: web: port: 8000 - #nodePort: 30080 + nodePort: 30080 expose: default: true redirectTo: @@ -57,7 +57,7 @@ spec: websecure: port: 8443 - #nodePort: 30443 + nodePort: 30443 expose: default: true protocol: TCP @@ -79,9 +79,14 @@ spec: ingressClass: enabled: true isDefaultClass: true + name: traefik-external metrics: prometheus: entryPoint: metrics - namespaceOverride: traefik + # Set default certificate + tlsStore: + default: + defaultCertificate: + secretName: wildcard-main-tls diff --git a/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml b/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml new file mode 100644 index 0000000..c270de5 --- /dev/null +++ b/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml 
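Review bot: `additionalArguments` still carries `--api.insecure` while the hunk strips the DEBUG logging, so the external Traefik keeps serving its API and dashboard unauthenticated on the `traefik` entrypoint to anything that can reach that port (whether the Service exposes it is set outside this hunk; the dashboard IngressRoute is disabled for the internal release at L58 and for this release lies outside the hunk). Drop the flag, or mark it `# --api.insecure: debug only, remove before relying on 192.168.1.50 externally`. The later hunk's `tlsStore.default.defaultCertificate.secretName: wildcard-main-tls` assumes that Secret exists in the `traefik` namespace; the wildcard Certificate at L62 does not show its namespace, so that is worth confirming.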
@@ -0,0 +1,81 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: traefik-internal + namespace: traefik +spec: + interval: 5m + chart: + spec: + chart: traefik + version: '30.1.0' + sourceRef: + kind: HelmRepository + name: traefik-charts + namespace: flux-system + interval: 1m + values: + service: + annotations: + io.cilium/lb-ipam-ips: 192.168.1.51 + + providers: + kubernetesCRD: + enabled: true + allowCrossNamespace: false + allowExternalNameServices: false + allowEmptyServices: false + namespaces: [] + + kubernetesIngress: + enabled: true + allowExternalNameServices: false + allowEmptyServices: false + namespaces: [] + publishedService: + enabled: false + + ports: + web: + port: 8000 + nodePort: 30080 + expose: + default: true + redirectTo: + port: websecure + protocol: TCP + + websecure: + port: 8443 + nodePort: 30443 + expose: + default: true + protocol: TCP + tls: + enabled: true + + metrics: + port: 9100 + expose: + default: false + protocol: TCP + + # Disable Dashboard + ingressRoute: + dashboard: + enabled: false + + ingressClass: + enabled: true + isDefaultClass: false + name: traefik-internal + + metrics: + prometheus: + entryPoint: metrics + + # Set default certificate + tlsStore: + default: + defaultCertificate: + secretName: wildcard-main-tls \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/app/files/kustomization.yaml b/kubernetes/thin/apps/traefik/app/files/kustomization.yaml index 191a565..529ab34 100644 --- a/kubernetes/thin/apps/traefik/app/files/kustomization.yaml +++ b/kubernetes/thin/apps/traefik/app/files/kustomization.yaml @@ -4,4 +4,5 @@ resources: - ./namespace.yaml - ./helm-repository.yaml - ./helm-release.yaml +- ./internal-hr.yaml - ./dashboard-ingress.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/kustomization.yaml b/kubernetes/thin/apps/traefik/kustomization.yaml index c2d4a00..3342dd8 100644 --- a/kubernetes/thin/apps/traefik/kustomization.yaml 
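Review bot: the file has no header explaining how this instance differs from `helm-release.yaml`; a reader only learns by diffing that this one has no `--api.insecure`, uses `ingressClass.name: traefik-internal` and its own `io.cilium/lb-ipam-ips`. Add a top-of-file comment along the lines of `# Second Traefik instance for LAN-only hostnames: no --api.insecure, own ingress class and LB IP`, and note on the `ingressRoute.dashboard` block that the dashboard stays off here on purpose.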
+++ b/kubernetes/thin/apps/traefik/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./app/ks.yaml -- ./extra/ks.yaml \ No newline at end of file +#- ./extra/ks.yaml \ No newline at end of file From d2be6e6cc94b9d2d85a519045bfe1a29facf84f6 Mon Sep 17 00:00:00 2001 From: SeanOMik Date: Sat, 7 Sep 2024 22:41:10 -0400 Subject: [PATCH 15/27] fix: use correct path of thin cluster traefik --- kubernetes/thin/apps/main-ip-pool.yaml | 8 ------- .../traefik/app/files/dashboard-ingress.yaml | 24 ------------------- .../apps/traefik/app/files/helm-release.yaml | 13 +++++----- .../apps/traefik/app/files/internal-hr.yaml | 8 +++---- .../apps/traefik/app/files/kustomization.yaml | 3 +-- kubernetes/thin/apps/traefik/app/ks.yaml | 2 +- 6 files changed, 12 insertions(+), 46 deletions(-) delete mode 100644 kubernetes/thin/apps/main-ip-pool.yaml delete mode 100644 kubernetes/thin/apps/traefik/app/files/dashboard-ingress.yaml diff --git a/kubernetes/thin/apps/main-ip-pool.yaml b/kubernetes/thin/apps/main-ip-pool.yaml deleted file mode 100644 index bccf201..0000000 --- a/kubernetes/thin/apps/main-ip-pool.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: "cilium.io/v2alpha1" -kind: CiliumLoadBalancerIPPool -metadata: - name: "main-pool" -spec: - blocks: - - start: "192.168.1.50" - stop: "192.168.1.59" \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/app/files/dashboard-ingress.yaml b/kubernetes/thin/apps/traefik/app/files/dashboard-ingress.yaml deleted file mode 100644 index 965ae98..0000000 --- a/kubernetes/thin/apps/traefik/app/files/dashboard-ingress.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: traefik-dash-ingress - namespace: traefik - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: websecure - traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd -spec: - rules: - - host: "traefik.${SECRET_DOMAIN}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: traefik - port: - number: 9000 - tls: - - hosts: - - "${SECRET_DOMAIN}" - - "traefik.${SECRET_DOMAIN}" \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/app/files/helm-release.yaml b/kubernetes/thin/apps/traefik/app/files/helm-release.yaml index 5a93165..755e906 100644 --- a/kubernetes/thin/apps/traefik/app/files/helm-release.yaml +++ b/kubernetes/thin/apps/traefik/app/files/helm-release.yaml @@ -75,18 +75,17 @@ spec: dashboard: enabled: false - # Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes. ingressClass: enabled: true - isDefaultClass: true - name: traefik-external + isDefaultClass: false + name: external metrics: prometheus: entryPoint: metrics # Set default certificate - tlsStore: - default: - defaultCertificate: - secretName: wildcard-main-tls +# tlsStore: +# default: +# defaultCertificate: +# secretName: wildcard-main-tls diff --git a/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml b/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml index c270de5..3c9b7cc 100644 --- a/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml +++ b/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml @@ -38,7 +38,7 @@ spec: ports: web: port: 8000 - nodePort: 30080 + nodePort: 30081 expose: default: true redirectTo: @@ -47,7 +47,7 @@ spec: websecure: port: 8443 - nodePort: 30443 + nodePort: 30444 expose: default: true protocol: TCP @@ -67,8 +67,8 @@ spec: ingressClass: enabled: true - isDefaultClass: false - name: traefik-internal + isDefaultClass: true + name: internal metrics: prometheus: 
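Review bot: commenting out `tlsStore` removes the default certificate from the external instance without explanation, so TLS connections for any hostname that has no Ingress with its own `tls` section now receive Traefik's built-in self-signed certificate. If the intent is that public hosts always carry per-ingress cert-manager certificates (as the whoami Ingress at L53 does via `cert-manager.io/cluster-issuer`), say so in place of the dead block: `# no default cert: external hosts must carry their own cert-manager TLS`. Otherwise keep the `wildcard-main-tls` store as the internal release does.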
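Review bot: `isDefaultClass: true` on the internal release (with `false` on the external one in the previous hunk) means any Ingress that omits `ingressClassName` lands on the LAN-facing instance; that is the safer default and deserves a comment, e.g. `# default class: Ingresses without a className stay internal`, so the next edit does not flip it back. The `ingressClass` block's surrounding `values` start outside the hunk.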
diff --git a/kubernetes/thin/apps/traefik/app/files/kustomization.yaml b/kubernetes/thin/apps/traefik/app/files/kustomization.yaml index 529ab34..8f65359 100644 --- a/kubernetes/thin/apps/traefik/app/files/kustomization.yaml +++ b/kubernetes/thin/apps/traefik/app/files/kustomization.yaml @@ -4,5 +4,4 @@ resources: - ./namespace.yaml - ./helm-repository.yaml - ./helm-release.yaml -- ./internal-hr.yaml -- ./dashboard-ingress.yaml \ No newline at end of file +- ./internal-hr.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/app/ks.yaml b/kubernetes/thin/apps/traefik/app/ks.yaml index d514965..39f2a0d 100644 --- a/kubernetes/thin/apps/traefik/app/ks.yaml +++ b/kubernetes/thin/apps/traefik/app/ks.yaml @@ -7,7 +7,7 @@ metadata: spec: timeout: 5m interval: 10m - path: ./kubernetes/common/apps/traefik/app/files + path: ./kubernetes/thin/apps/traefik/app/files prune: true sourceRef: kind: GitRepository From bed6a15588f0b876c4abc6d7dbf10bbb7a7c3052 Mon Sep 17 00:00:00 2001 From: SeanOMik Date: Sat, 7 Sep 2024 22:44:13 -0400 Subject: [PATCH 16/27] fix: specify bgp label on traefik services --- kubernetes/thin/apps/cilium/bgp.yaml | 2 +- kubernetes/thin/apps/traefik/app/files/helm-release.yaml | 2 ++ kubernetes/thin/apps/traefik/app/files/internal-hr.yaml | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/kubernetes/thin/apps/cilium/bgp.yaml b/kubernetes/thin/apps/cilium/bgp.yaml index 02b53bd..7f1a736 100644 --- a/kubernetes/thin/apps/cilium/bgp.yaml +++ b/kubernetes/thin/apps/cilium/bgp.yaml @@ -53,4 +53,4 @@ spec: - LoadBalancerIP selector: matchLabels: - service-type: public \ No newline at end of file + bgp/service-type: public \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/app/files/helm-release.yaml b/kubernetes/thin/apps/traefik/app/files/helm-release.yaml index 755e906..636e80f 100644 --- a/kubernetes/thin/apps/traefik/app/files/helm-release.yaml 
+++ b/kubernetes/thin/apps/traefik/app/files/helm-release.yaml @@ -18,6 +18,8 @@ spec: service: annotations: io.cilium/lb-ipam-ips: 192.168.1.50 + labels: + bgp/service-type: public additionalArguments: - --api.insecure diff --git a/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml b/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml index 3c9b7cc..8772581 100644 --- a/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml +++ b/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml @@ -18,6 +18,8 @@ spec: service: annotations: io.cilium/lb-ipam-ips: 192.168.1.51 + labels: + bgp/service-type: public providers: kubernetesCRD: From daa10b10e1445c78b081515c4f5251e18b3b30ec Mon Sep 17 00:00:00 2001 From: SeanOMik Date: Thu, 12 Sep 2024 17:52:21 -0400 Subject: [PATCH 17/27] fix: change load balancer subnet, make certs valid for '*.internal' domains --- .../common/apps/cert-manager/certs/files/wildcard-cert.yaml | 3 ++- kubernetes/thin/apps/cilium/bgp.yaml | 4 +--- kubernetes/thin/apps/cilium/main-ip-pool.yaml | 4 ++-- kubernetes/thin/apps/traefik/app/files/helm-release.yaml | 2 +- kubernetes/thin/apps/traefik/app/files/internal-hr.yaml | 2 +- kubernetes/thin/secrets/cluster-settings.yaml | 2 +- 6 files changed, 8 insertions(+), 9 deletions(-) diff --git a/kubernetes/common/apps/cert-manager/certs/files/wildcard-cert.yaml b/kubernetes/common/apps/cert-manager/certs/files/wildcard-cert.yaml index 2a8f2a9..dba312e 100644 --- a/kubernetes/common/apps/cert-manager/certs/files/wildcard-cert.yaml +++ b/kubernetes/common/apps/cert-manager/certs/files/wildcard-cert.yaml @@ -15,4 +15,5 @@ spec: dnsNames: - "${SECRET_NEW_DOMAIN}" - - "*.${SECRET_NEW_DOMAIN}" \ No newline at end of file + - "*.${SECRET_NEW_DOMAIN}" + - "*.internal.${SECRET_NEW_DOMAIN}" \ No newline at end of file diff --git a/kubernetes/thin/apps/cilium/bgp.yaml b/kubernetes/thin/apps/cilium/bgp.yaml index 7f1a736..4bc9b5c 100644 --- a/kubernetes/thin/apps/cilium/bgp.yaml 
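Review bot: the internal Traefik Service (second hunk, `internal-hr.yaml`) receives the same `bgp/service-type: public` label as the external one, so `bgp-public-ad` (L52) announces 192.168.1.51 to the router exactly as it does 192.168.1.50. Nothing visible distinguishes the two LoadBalancer IPs at the routing layer, so the internal/external split only holds if the router or its ACLs treat the addresses differently; if that is the design, document it next to the label, and if not, give the internal instance its own value (e.g. `bgp/service-type: internal`) with a separate, explicitly scoped advertisement so the policy is visible in git.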
+++ b/kubernetes/thin/apps/cilium/bgp.yaml @@ -2,7 +2,6 @@ apiVersion: cilium.io/v2alpha1 kind: CiliumBGPClusterConfig metadata: name: cilium-bgp - namespace: kube-system spec: nodeSelector: matchExpressions: @@ -22,7 +21,6 @@ apiVersion: cilium.io/v2alpha1 kind: CiliumBGPPeerConfig metadata: name: cilium-peer-router - namespace: kube-system spec: timers: holdTimeSeconds: 9 @@ -41,7 +39,6 @@ apiVersion: cilium.io/v2alpha1 kind: CiliumBGPAdvertisement metadata: name: bgp-public-ad - namespace: kube-system labels: advertise: "bgp-public" spec: @@ -49,6 +46,7 @@ spec: - advertisementType: "Service" service: addresses: + #- ClusterIP - ExternalIP - LoadBalancerIP selector: diff --git a/kubernetes/thin/apps/cilium/main-ip-pool.yaml b/kubernetes/thin/apps/cilium/main-ip-pool.yaml index bccf201..2b9ae95 100644 --- a/kubernetes/thin/apps/cilium/main-ip-pool.yaml +++ b/kubernetes/thin/apps/cilium/main-ip-pool.yaml @@ -4,5 +4,5 @@ metadata: name: "main-pool" spec: blocks: - - start: "192.168.1.50" - stop: "192.168.1.59" \ No newline at end of file + - start: "192.168.2.50" + stop: "192.168.2.59" \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/app/files/helm-release.yaml b/kubernetes/thin/apps/traefik/app/files/helm-release.yaml index 636e80f..005ebee 100644 --- a/kubernetes/thin/apps/traefik/app/files/helm-release.yaml +++ b/kubernetes/thin/apps/traefik/app/files/helm-release.yaml @@ -17,7 +17,7 @@ spec: values: service: annotations: - io.cilium/lb-ipam-ips: 192.168.1.50 + io.cilium/lb-ipam-ips: 192.168.2.50 labels: bgp/service-type: public diff --git a/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml b/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml index 8772581..796e449 100644 --- a/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml +++ b/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml 
@@ -17,7 +17,7 @@ spec: values: service: annotations: - io.cilium/lb-ipam-ips: 192.168.1.51 + io.cilium/lb-ipam-ips: 192.168.2.51 labels: bgp/service-type: public diff --git a/kubernetes/thin/secrets/cluster-settings.yaml b/kubernetes/thin/secrets/cluster-settings.yaml index a7a4291..f256e0f 100644 --- a/kubernetes/thin/secrets/cluster-settings.yaml +++ b/kubernetes/thin/secrets/cluster-settings.yaml @@ -6,5 +6,5 @@ metadata: namespace: flux-system data: # MetalLB - METALLB_LB_RANGE: 192.168.1.50-192.168.1.60 + METALLB_LB_RANGE: 192.168.2.50-192.168.2.59 SERVER_TIMEZONE: America/New_York \ No newline at end of file From 3209590082b2ba65e285ede874794c1672fda2c9 Mon Sep 17 00:00:00 2001 
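Review bot: `METALLB_LB_RANGE` is updated to `192.168.2.50-192.168.2.59` under a `# MetalLB` comment, but this cluster's kustomization comments MetalLB out (L56) and the same range is now defined as a `CiliumLoadBalancerIPPool` block in `main-ip-pool.yaml` (L63). Two places state the range and only one is enforced; either drop the key if nothing substitutes `${METALLB_LB_RANGE}` any more, or rename and comment it, e.g. `# Cilium LB-IPAM pool; keep in sync with apps/cilium/main-ip-pool.yaml`.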
From: SeanOMik Date: Fri, 13 Sep 2024 22:38:01 -0400 Subject: [PATCH 18/27] feat: add snapshot-system and openebs mayastor --- kubernetes/thin/apps/kustomization.yaml | 3 +- .../thin/apps/openebs/app/helm-release.yaml | 70 +++++++++++++++++++ .../apps/openebs/app/helm-repository.yaml | 17 +++++ .../thin/apps/openebs/app/kustomization.yaml | 7 ++ .../openebs/app/monitoring-helm-release.yaml | 41 +++++++++++ .../thin/apps/openebs/app/namespace.yaml | 4 ++ kubernetes/thin/apps/openebs/ks.yaml | 59 ++++++++++++++++ .../storage-class/dual-replica-sc.yaml | 8 +++ .../openebs/storage-class/kustomization.yaml | 5 ++ .../thin/apps/openebs/storage-class/pool.yaml | 39 +++++++++++ .../snapshot-system/app/helm-release.yaml | 31 ++++++++ .../apps/snapshot-system/app/helm-repo.yaml | 8 +++ .../snapshot-system/app/kustomization.yaml | 6 ++ .../apps/snapshot-system/app/namespace.yaml | 4 ++ kubernetes/thin/apps/snapshot-system/ks.yaml | 18 +++++ 15 files changed, 319 insertions(+), 1 deletion(-) create mode 100644 kubernetes/thin/apps/openebs/app/helm-release.yaml create mode 100644 kubernetes/thin/apps/openebs/app/helm-repository.yaml create mode 100644 kubernetes/thin/apps/openebs/app/kustomization.yaml create mode 100644 kubernetes/thin/apps/openebs/app/monitoring-helm-release.yaml create mode 100644 kubernetes/thin/apps/openebs/app/namespace.yaml create mode 100644 kubernetes/thin/apps/openebs/ks.yaml create mode 100644 kubernetes/thin/apps/openebs/storage-class/dual-replica-sc.yaml create mode 100644 kubernetes/thin/apps/openebs/storage-class/kustomization.yaml create mode 100644 kubernetes/thin/apps/openebs/storage-class/pool.yaml create mode 100644 kubernetes/thin/apps/snapshot-system/app/helm-release.yaml create mode 100644 kubernetes/thin/apps/snapshot-system/app/helm-repo.yaml create mode 100644 kubernetes/thin/apps/snapshot-system/app/kustomization.yaml create mode 100644 kubernetes/thin/apps/snapshot-system/app/namespace.yaml create mode 100644 
kubernetes/thin/apps/snapshot-system/ks.yaml diff --git a/kubernetes/thin/apps/kustomization.yaml b/kubernetes/thin/apps/kustomization.yaml index faa4846..35ba11f 100644 --- a/kubernetes/thin/apps/kustomization.yaml +++ b/kubernetes/thin/apps/kustomization.yaml @@ -7,7 +7,8 @@ resources: - ./traefik - ../../common/apps/cert-manager # storage -#- ../../common/apps/openebs +- ./snapshot-system/ks.yaml +- ./openebs/ks.yaml # hardware - ../../common/apps/nfd/ks.yaml - ../../common/apps/intel-gpu/ks.yaml diff --git a/kubernetes/thin/apps/openebs/app/helm-release.yaml b/kubernetes/thin/apps/openebs/app/helm-release.yaml new file mode 100644 index 0000000..e0a9877 --- /dev/null +++ b/kubernetes/thin/apps/openebs/app/helm-release.yaml 
@@ -0,0 +1,70 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: openebs + namespace: openebs +spec: + interval: 5m + chart: + spec: + chart: openebs + version: 4.1.0 + sourceRef: + kind: HelmRepository + name: openebs + namespace: flux-system + + values: + openebs-crds: + csi: + volumeSnapshots: + enabled: false + keep: false + + # Refer to https://github.com/openebs/dynamic-localpv-provisioner/blob/HEAD/deploy/helm/charts/values.yaml for complete set of values. + localpv-provisioner: + rbac: + create: true + localpv: + enabled: true + hostpathClass: + enabled: true + + # Refer to https://github.com/openebs/mayastor-extensions/blob/v2.7.0/chart/values.yaml for complete set of values. + mayastor: + enabled: true + nodeSelector: + kubernetes.io/arch: amd64 + openebs.io/engine: mayastor + csi: + node: + initContainers: + enabled: true + etcd: + # -- Kubernetes Cluster Domain + clusterDomain: cluster.local + crds: + enabled: false + monitoring: + enabled: false + loki-stack: + enabled: false + storageClass: + nameSuffix: single + tolerations: + # tolerate control plane + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + + engines: + local: + lvm: + enabled: true + zfs: + enabled: true + replicated: + mayastor: + enabled: true + diff --git a/kubernetes/thin/apps/openebs/app/helm-repository.yaml b/kubernetes/thin/apps/openebs/app/helm-repository.yaml new file mode 100644 index 0000000..2bec563 --- /dev/null +++ b/kubernetes/thin/apps/openebs/app/helm-repository.yaml 
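Review bot: `openebs-crds.csi.volumeSnapshots.enabled: false` means the snapshot CRDs must come from the piraeus `snapshot-controller` release (L71), which the `dependsOn` in `openebs/ks.yaml` (L69) orders correctly; a comment on that line, `# snapshot CRDs are owned by the snapshot-system release`, keeps a future reader from re-enabling them and creating two owners for the same CRDs. `mayastor.nodeSelector` requires `openebs.io/engine: mayastor` on the nodes, and nothing in this series applies that label, so note where it is set (`# nodes are labelled out of band`) or it will look like the engine silently fails to schedule.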
@@ -0,0 +1,17 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: openebs + namespace: flux-system +spec: + interval: 1m + url: https://openebs.github.io/openebs +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: openebs-monitoring-charts + namespace: flux-system +spec: + interval: 1m + url: https://openebs.github.io/monitoring \ No newline at end of file diff --git a/kubernetes/thin/apps/openebs/app/kustomization.yaml b/kubernetes/thin/apps/openebs/app/kustomization.yaml new file mode 100644 index 0000000..4ee545a --- /dev/null +++ b/kubernetes/thin/apps/openebs/app/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./namespace.yaml +- ./helm-repository.yaml +- ./helm-release.yaml +#- ./monitoring-helm-release.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/openebs/app/monitoring-helm-release.yaml b/kubernetes/thin/apps/openebs/app/monitoring-helm-release.yaml new file mode 100644 index 0000000..d8cb0cd --- /dev/null +++ b/kubernetes/thin/apps/openebs/app/monitoring-helm-release.yaml @@ -0,0 +1,41 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: openebs-monitoring + namespace: openebs +spec: + interval: 5m + chart: + spec: + chart: openebs-monitoring + version: 0.4.13 + sourceRef: + kind: HelmRepository + name: openebs-monitoring-charts + namespace: flux-system + dependsOn: + - name: openebs + values: + kube-prometheus-stack: + install: false + + openebsMonitoringAddon: + # this is the only provisioner enabled + localPV: + enabled: true + + cStore: + enabled: false + jiva: + enabled: false + ndm: + enabled: false + npd: + enabled: false + deviceLocalPV: + enabled: false + lvmLocalPV: + enabled: false + zfsLocalPV: + enabled: false \ No newline at end of file 
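Review bot: the comment `# this is the only provisioner enabled` in `monitoring-helm-release.yaml` is stale in the same commit: `helm-release.yaml` (L67) enables the lvm, zfs and mayastor engines alongside localpv, while this file leaves `lvmLocalPV`/`zfsLocalPV` at `false`. The release is commented out in `kustomization.yaml`, so nothing breaks today, but when it is re-enabled the addon flags should mirror the engines; replace the comment with `# keep in sync with the engines enabled in helm-release.yaml` and flip the two flags to match.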
diff --git a/kubernetes/thin/apps/openebs/app/namespace.yaml b/kubernetes/thin/apps/openebs/app/namespace.yaml new file mode 100644 index 0000000..2175285 --- /dev/null +++ b/kubernetes/thin/apps/openebs/app/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: openebs \ No newline at end of file diff --git a/kubernetes/thin/apps/openebs/ks.yaml b/kubernetes/thin/apps/openebs/ks.yaml new file mode 100644 index 0000000..682a73c --- /dev/null +++ b/kubernetes/thin/apps/openebs/ks.yaml @@ -0,0 +1,59 @@ + +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: openebs + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/thin/apps/openebs/app + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: snapshot-controller + namespace: flux-system + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: openebs-sc + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/thin/apps/openebs/storage-class + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: openebs + namespace: flux-system + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file 
diff --git a/kubernetes/thin/apps/openebs/storage-class/dual-replica-sc.yaml b/kubernetes/thin/apps/openebs/storage-class/dual-replica-sc.yaml new file mode 100644 index 0000000..62dea56 --- /dev/null +++ b/kubernetes/thin/apps/openebs/storage-class/dual-replica-sc.yaml @@ -0,0 +1,8 @@ +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: openebs-dual +parameters: + protocol: nvmf + repl: "2" +provisioner: io.openebs.csi-mayastor \ No newline at end of file diff --git a/kubernetes/thin/apps/openebs/storage-class/kustomization.yaml b/kubernetes/thin/apps/openebs/storage-class/kustomization.yaml new file mode 100644 index 0000000..20cd2b1 --- /dev/null +++ b/kubernetes/thin/apps/openebs/storage-class/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./pool.yaml +- ./dual-replica-sc.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/openebs/storage-class/pool.yaml b/kubernetes/thin/apps/openebs/storage-class/pool.yaml new file mode 100644 index 0000000..49e25e5 --- /dev/null +++ b/kubernetes/thin/apps/openebs/storage-class/pool.yaml 
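Review bot: `openebs-dual` sets only `protocol` and `repl`, leaving `reclaimPolicy`, `volumeBindingMode` and `allowVolumeExpansion` at their Kubernetes defaults (Delete, Immediate, false); for the class that will hold stateful data, stating these explicitly avoids surprises, e.g. `reclaimPolicy: Delete` written on purpose, or `Retain` if volumes must survive PVC deletion. A one-line comment naming that the two replicas are placed across the DiskPools from `pool.yaml` would also help.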
@@ -0,0 +1,39 @@ +apiVersion: "openebs.io/v1beta2" +kind: DiskPool +metadata: + name: pool-dorm-controller-d52ycbgv + namespace: openebs +spec: + node: dorm-controller-d52ycbgv + disks: + - /dev/disk/by-id/nvme-SAMSUNG_MZVLB256HAHQ-000H1_S425NX1MA23444 +--- +apiVersion: "openebs.io/v1beta2" +kind: DiskPool +metadata: + name: pool-dorm-worker-3ssgwrlx + namespace: openebs +spec: + node: dorm-worker-3ssgwrlx + disks: + - /dev/disk/by-id/nvme-KXG60ZNV256G_TOSHIBA_69CA70CIK34N +--- +apiVersion: "openebs.io/v1beta2" +kind: DiskPool +metadata: + name: pool-dorm-worker-hklqhcrv + namespace: openebs +spec: + node: dorm-worker-hklqhcrv + disks: + - /dev/disk/by-id/nvme-SAMSUNG_MZVLW256HEHP-000L7_S35ENX0K125956 +--- +apiVersion: "openebs.io/v1beta2" +kind: DiskPool +metadata: + name: pool-dorm-worker-kgoutccb + namespace: openebs +spec: + node: dorm-worker-kgoutccb + disks: + - /dev/disk/by-id/nvme-SAMSUNG_MZVLW256HEHP-000L7_S35ENX0K173346 \ No newline at end of file diff --git a/kubernetes/thin/apps/snapshot-system/app/helm-release.yaml b/kubernetes/thin/apps/snapshot-system/app/helm-release.yaml new file mode 100644 index 0000000..6eb28ff --- /dev/null +++ b/kubernetes/thin/apps/snapshot-system/app/helm-release.yaml @@ -0,0 +1,31 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: snapshot-controller + namespace: snapshot-system +spec: + interval: 30m + timeout: 15m + chart: + spec: + chart: snapshot-controller + version: 3.0.6 + sourceRef: + kind: HelmRepository + name: piraeus + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + values: + controller: + serviceMonitor: + create: false # TODO + webhook: + enabled: false \ No newline at end of file 
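Review bot: each `DiskPool` names a device by serial (`/dev/disk/by-id/nvme-...`) with no note that the disk is dedicated; creating the pool hands the device to the Mayastor io-engine and, as far as I know, anything already on it is lost, so a per-pool comment such as `# dedicated data NVMe, wiped on pool creation` records the decision. These objects are applied by the `openebs-sc` Flux Kustomization with `prune: true` (L69), so removing a pool from git would have Flux delete the CR; if that is not wanted for a pool still holding replicas, annotate them with `kustomize.toolkit.fluxcd.io/prune: disabled`.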
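Review bot: `webhook.enabled: false` in the snapshot-controller release turns off the snapshot validating webhook without saying why; whether VolumeSnapshot objects are still validated then depends on the CRD version the chart ships (as far as I recall, newer external-snapshotter CRDs carry CEL rules while older ones relied on the webhook), which is not visible here. Add `# webhook off: <reason>; validation expected from the CRDs` or enable it, and resolve the `# TODO` on `serviceMonitor.create` with the same monitoring decision taken for openebs.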
diff --git a/kubernetes/thin/apps/snapshot-system/app/helm-repo.yaml b/kubernetes/thin/apps/snapshot-system/app/helm-repo.yaml new file mode 100644 index 0000000..91c9108 --- /dev/null +++ b/kubernetes/thin/apps/snapshot-system/app/helm-repo.yaml @@ -0,0 +1,8 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: piraeus + namespace: flux-system +spec: + interval: 1m + url: https://piraeus.io/helm-charts/ \ No newline at end of file diff --git a/kubernetes/thin/apps/snapshot-system/app/kustomization.yaml b/kubernetes/thin/apps/snapshot-system/app/kustomization.yaml new file mode 100644 index 0000000..524ef3c --- /dev/null +++ b/kubernetes/thin/apps/snapshot-system/app/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./namespace.yaml +- ./helm-repo.yaml +- ./helm-release.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/snapshot-system/app/namespace.yaml b/kubernetes/thin/apps/snapshot-system/app/namespace.yaml new file mode 100644 index 0000000..1409af9 --- /dev/null +++ b/kubernetes/thin/apps/snapshot-system/app/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: snapshot-system \ No newline at end of file diff --git a/kubernetes/thin/apps/snapshot-system/ks.yaml b/kubernetes/thin/apps/snapshot-system/ks.yaml new file mode 100644 index 0000000..50acd91 --- /dev/null +++ b/kubernetes/thin/apps/snapshot-system/ks.yaml 
@@ -0,0 +1,18 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: snapshot-controller + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/thin/apps/snapshot-controller/app + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg \ No newline at end of file From f02811f4f283ff338d8c6be07baa25bf5e7fb10f Mon Sep 17 00:00:00 2001 From: SeanOMik Date: Fri, 13 Sep 2024 22:45:34 -0400 Subject: [PATCH 19/27] fix: use correct name and path of kustomization --- kubernetes/thin/apps/openebs/app/helm-release.yaml | 1 - kubernetes/thin/apps/openebs/ks.yaml | 2 +- kubernetes/thin/apps/snapshot-system/ks.yaml | 4 ++-- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/kubernetes/thin/apps/openebs/app/helm-release.yaml b/kubernetes/thin/apps/openebs/app/helm-release.yaml index e0a9877..648c9e3 100644 --- a/kubernetes/thin/apps/openebs/app/helm-release.yaml +++ b/kubernetes/thin/apps/openebs/app/helm-release.yaml @@ -14,7 +14,6 @@ spec: kind: HelmRepository name: openebs namespace: flux-system - values: openebs-crds: csi: diff --git a/kubernetes/thin/apps/openebs/ks.yaml b/kubernetes/thin/apps/openebs/ks.yaml index 682a73c..b2fd926 100644 --- a/kubernetes/thin/apps/openebs/ks.yaml +++ b/kubernetes/thin/apps/openebs/ks.yaml @@ -19,7 +19,7 @@ spec: secretRef: name: sops-gpg dependsOn: - - name: snapshot-controller + - name: snapshot-system namespace: flux-system postBuild: substitute: {} diff --git a/kubernetes/thin/apps/snapshot-system/ks.yaml b/kubernetes/thin/apps/snapshot-system/ks.yaml index 50acd91..e89d772 100644 --- a/kubernetes/thin/apps/snapshot-system/ks.yaml +++ b/kubernetes/thin/apps/snapshot-system/ks.yaml 
@@ -2,12 +2,12 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
- name: snapshot-controller
+ name: snapshot-system
 namespace: flux-system
 spec:
 timeout: 5m
 interval: 10m
- path: ./kubernetes/thin/apps/snapshot-controller/app
+ path: ./kubernetes/thin/apps/snapshot-system/app
 prune: true
 sourceRef:
 kind: GitRepository
From d7c85370749e3abb6aacb3a294059ec5567a9481 Mon Sep 17 00:00:00 2001
From: SeanOMik
Date: Sun, 15 Sep 2024 11:52:08 -0400
Subject: [PATCH 20/27] fix(whoami): specifiy internal ingress class
---
 kubernetes/thin/apps/default/whoami/files/helm-release.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/kubernetes/thin/apps/default/whoami/files/helm-release.yaml b/kubernetes/thin/apps/default/whoami/files/helm-release.yaml
index 8efa6d8..51c7db6 100644
--- a/kubernetes/thin/apps/default/whoami/files/helm-release.yaml
+++ b/kubernetes/thin/apps/default/whoami/files/helm-release.yaml
@@ -39,6 +39,7 @@ spec:
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 #traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+ className: internal
 hosts:
 - host: "whoami.${SECRET_NEW_DOMAIN}"
 paths:
From 4fd71c59d09e8b1df197dcba4a28154c53728a28 Mon Sep 17 00:00:00 2001
From: SeanOMik
Date: Sun, 15 Sep 2024 16:33:51 -0400
Subject: [PATCH 21/27] feat: add postgres
---
 kubernetes/common/apps/database/dbs/ks.yaml | 28 +++++++++
 .../database/dbs/postgresql/helm-release.yaml | 42 +++++++++++++
 .../dbs/postgresql/kustomization.yaml | 7 +++
 .../dbs/postgresql/pgadmin4/helm-release.yaml | 47 ++++++++++++++
 .../postgresql/pgadmin4/helm-repository.yaml | 8 +++
 .../postgresql/pgadmin4/kustomization.yaml | 6 ++
 .../database/dbs/postgresql/pgsql-pv.yaml | 12 ++++
 .../database/dbs/postgresql/pgsql.sops.yaml | 62 +++++++++++++++++++
 .../common/apps/database/kustomization.yaml | 5 ++
 .../common/apps/database/namespace.yaml | 4 ++
 kubernetes/thin/apps/kustomization.yaml | 1 +
 11 files changed, 222 insertions(+)
 create mode 100644 kubernetes/common/apps/database/dbs/ks.yaml
 create mode 100644 kubernetes/common/apps/database/dbs/postgresql/helm-release.yaml
 create mode 100644 kubernetes/common/apps/database/dbs/postgresql/kustomization.yaml
 create mode 100644 kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-release.yaml
 create mode 100644 kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-repository.yaml
 create mode 100644 kubernetes/common/apps/database/dbs/postgresql/pgadmin4/kustomization.yaml
 create mode 100644 kubernetes/common/apps/database/dbs/postgresql/pgsql-pv.yaml
 create mode 100644 kubernetes/common/apps/database/dbs/postgresql/pgsql.sops.yaml
 create mode 100644 kubernetes/common/apps/database/kustomization.yaml
 create mode 100644 kubernetes/common/apps/database/namespace.yaml
diff --git a/kubernetes/common/apps/database/dbs/ks.yaml b/kubernetes/common/apps/database/dbs/ks.yaml
new file mode 100644
index 0000000..4eb472d
--- /dev/null
+++ b/kubernetes/common/apps/database/dbs/ks.yaml
@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: postgresql
+ namespace: flux-system
+spec:
+ timeout: 5m
+ interval: 10m
+ path: ./kubernetes/common/apps/database/dbs/postgresql
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+ dependsOn:
+ - name: openebs
+ namespace: flux-system
+ postBuild:
+ substitute: {}
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
\ No newline at end of file
diff --git a/kubernetes/common/apps/database/dbs/postgresql/helm-release.yaml b/kubernetes/common/apps/database/dbs/postgresql/helm-release.yaml
new file mode 100644
index 0000000..df00d37
--- /dev/null
+++ b/kubernetes/common/apps/database/dbs/postgresql/helm-release.yaml
@@ -0,0 +1,42 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: postgresql
+ namespace: database
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: postgresql
+ version: 14.3.x
+ sourceRef:
+ kind: HelmRepository
+ name: bitnami-charts
+ namespace: flux-system
+ values:
+ auth:
+ existingSecret: "pgsql-secrets"
+ secretKeys:
+ adminPasswordKey: "adminPassword"
+ replicationPasswordKey: "replicationPassword"
+
+ serviceMonitor:
+ enabled: true
+ labels:
+ release: kube-prometheus-stack
+
+ volumePermissions:
+ enabled: true
+
+ primary:
+ persistence:
+ existingClaim: "postgresql-pvc"
+
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 655
+
+ readReplicas:
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 655
\ No newline at end of file
diff --git a/kubernetes/common/apps/database/dbs/postgresql/kustomization.yaml b/kubernetes/common/apps/database/dbs/postgresql/kustomization.yaml
new file mode 100644
index 0000000..b52eb49
--- /dev/null
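Review bot: `auth.secretKeys` in the postgresql HelmRelease maps only `adminPasswordKey` and `replicationPasswordKey`, while the `pgsql-secrets` Secret added later in this commit also carries a `userPassword` entry; without `userPasswordKey: "userPassword"` (plus an `auth.username`/`auth.database`) that entry is dead and the chart has no non-superuser role to hand to applications. `volumePermissions.enabled: true` adds an init container that runs as root to chown the data directory, which is presumably what makes `runAsUser: 655` work on the `postgresql-pvc` claim; a comment such as `# root init container only needed until the PVC is owned by uid 655` would make it clear it is meant to be temporary. `runAsUser: 655` also differs from the chart's default non-root UID (1001) while `runAsGroup`/`fsGroup` are left at their defaults, so the ownership mismatch the init container papers over is self-inflicted. `readReplicas.containerSecurityContext` has no effect unless `architecture: replication` is set, which it is not here.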
+++ b/kubernetes/common/apps/database/dbs/postgresql/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./pgsql-pv.yaml
+- ./pgsql.sops.yaml
+- ./helm-release.yaml
+#- ./pgadmin4
\ No newline at end of file
diff --git a/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-release.yaml b/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-release.yaml
new file mode 100644
index 0000000..6e347ba
--- /dev/null
+++ b/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-release.yaml
@@ -0,0 +1,47 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: pgadmin4
+ namespace: database
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: pgadmin4
+ version: "1.28.0"
+ sourceRef:
+ kind: HelmRepository
+ name: runix-charts
+ namespace: flux-system
+ values:
+ ingress:
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ hosts:
+ - host: &host pgadm.${SECRET_NEW_DOMAIN}
+ paths:
+ - path: "/"
+ pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+
+# securityContext:
+# runAsUser: 10000
+# runAsGroup: 10000
+# fsGroup: 10000
+#
+# containerSecurityContext:
+# enabled: true
+# allowPrivilegeEscalation: false
+
+# envVarsFromConfigMaps:
+# - pgadmin4-secret
+
+ persistentVolume:
+ enabled: false
+
+ volumePermissions:
+ enabled: true
\ No newline at end of file
diff --git a/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-repository.yaml b/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-repository.yaml
new file mode 100644
index 0000000..8348d74
--- /dev/null
+++ b/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: runix-charts
+ namespace: flux-system
+spec:
+ interval: 1m
+ url: https://helm.runix.net
diff --git a/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/kustomization.yaml b/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/kustomization.yaml
new file mode 100644
index 0000000..a83bec5
--- /dev/null
+++ b/kubernetes/common/apps/database/dbs/postgresql/pgadmin4/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./pgadmin4.sops.yaml
+- ./helm-repository.yaml
+- ./helm-release.yaml
\ No newline at end of file
diff --git a/kubernetes/common/apps/database/dbs/postgresql/pgsql-pv.yaml b/kubernetes/common/apps/database/dbs/postgresql/pgsql-pv.yaml
new file mode 100644
index 0000000..fa77932
--- /dev/null
+++ b/kubernetes/common/apps/database/dbs/postgresql/pgsql-pv.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: postgresql-pvc
+ namespace: database
+spec:
+ storageClassName: openebs-dual
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
\ No newline at end of file
diff --git a/kubernetes/common/apps/database/dbs/postgresql/pgsql.sops.yaml b/kubernetes/common/apps/database/dbs/postgresql/pgsql.sops.yaml
new file mode 100644
index 0000000..9c1b403
--- /dev/null
+++ b/kubernetes/common/apps/database/dbs/postgresql/pgsql.sops.yaml
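Review bot: The pgadmin4 kustomization lists `./pgadmin4.sops.yaml`, but this commit's 11-file diffstat adds no such file, so uncommenting `#- ./pgadmin4` in the parent kustomization would fail the kustomize build on a missing resource. The pgadmin4 helm-release in the preceding hunk also has its `securityContext`/`containerSecurityContext` block commented out and `persistentVolume.enabled: false`, so if it is switched on as-is it runs with chart defaults and, presumably, loses its saved server definitions on every restart; either keep the directory out of the tree until the secret and security context are in place, or add a comment such as `# not wired in yet: needs pgadmin4.sops.yaml and the securityContext re-enabled` next to the commented resource. Separately, `pgsql-pv.yaml` contains a PersistentVolumeClaim rather than a PersistentVolume, so a name like `pgsql-pvc.yaml` would match the `pvc.yaml` used for home-assistant later in this series.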
@@ -0,0 +1,62 @@ +apiVersion: v1 +kind: Secret +metadata: + name: pgsql-secrets + namespace: database +stringData: + adminPassword: ENC[AES256_GCM,data:gJ7rl2V/VlbIIRvRHcwMaZKN87t5n8bVWZCj/tRv8Uw=,iv:b/5eEnOrHzJrtnO+E2IGwJLHy2AdJQwv9WfUR5fUHY4=,tag:nTtaDNHVfYpChQX9UWwdKA==,type:str] + userPassword: ENC[AES256_GCM,data:gR7q508lUaRDRJ/z5lH99JLJSS9zWfg0O+TAm2B9uvo=,iv:9DDQxwd/BGtLQDacAH/crfT+qU4Pn5sGkWuEtmMprUI=,tag:tK3WoUd7729LQDVqU7pckQ==,type:str] + replicationPassword: ENC[AES256_GCM,data:BSA5IfYhhvN445yp2i3BI5zlIXgdj+LejCPzvlTMnVo=,iv:Qku2NAQPLxt+NUnk2dSx1+WAoyx3aEuA3+piU2mubYk=,tag:MnI+atK6VLZUc3eGS1OE1w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-10-22T16:25:15Z" + mac: ENC[AES256_GCM,data:uWVPfKwPpR212js7f2RnCzEsMnxk2JpGPcf2L5i4gJCddJCrRJkdhjWGyVVpp/ociP3JLRTI95+WSEUH0KkPZpY1ptQevCVsUemRytOCtBlR0yR4qsBwEisSu8m4B5dbAYsqlXAndrBNL2WGB7uBv+ILgNxkhlN58unseSWJBDM=,iv:e7QyZSlhpyQ+A8OmV4p1848itIUxyam6CJOI9/N7DDY=,tag:N28mfrAjUTTYkly1hu0OhA==,type:str] + pgp: + - created_at: "2023-06-19T18:35:15Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAzKleRwoSoixAQ//aQdUERyq3G7V29F5rpY6LdDgo8+hqrrZvdI3JnON0VUM + Tj3AAYg+xvYh8aPQywF9fJvn6qNw8fqrb2GiuuNTa9ZPCFsD+WXbuYHmQ9z6tAtV + opXe3QLNBuo9zEtUfGPbaCp8EH7f1TxQsTJoe9iE/1B2S69cHNUdgXZtfQyhpmlG + iyAk/G04kPazweIuFNjOYaN/12J/s2Cf5AZUeROkMxg8/GTPO68LeEBz9v4vl/1z + JlxmZyXR/9IeoBlO63asDrR85fcvSDb31K4qE3WVkag20bXClv1lehLVKO4bxA/F + lW1tXDR3odC9Ozme884Znd05L0NWkzYKYRta198IV6JuSCeMdjTscGGlMM9wqqKz + SZgs81FHXT16YCVupfI22CqMiD0EzQXrGEtJ4NqaBvhZu+MDxszNRzIl73b0HANc + 8JQqQqOJh7ltrWnf39Xlv73yVC/pYbaV1LWGnMfqWvOcksa9QjOH9Ysfj/RxdaMw + VQhydU+21+xeuEQBL7OsiJQUzgJjFREnTRPXcorCtWxocCn5zwdct1SFchFzCOTp + H0ubpD+MP4RTWxuYbZRhE5ty6GJU9liRH7dUJtVaQiv8V+G1DungTqq36AbbnHzd + 9cy+4cM3wZx2VYElL7DBom8nqqm7Xhffr0UaaY8VFuV5bBry3BmM5rOr8vDYqf7U + aAEJAhC/4yiBMuhEB+fwXIq/dBjMzW+p8SotK2QK03yaTFQchnBDknwVdqcKQxIZ + di3kupnjB+KllWOZhl121tT9L35ymL53BUu1FKCTFdIS2wXxy6UlIS98n0bvWJYN + c5WTfk81xmbT + 
=UE14 + -----END PGP MESSAGE----- + fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5 + - created_at: "2023-06-19T18:35:15Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAy5t8IMoPu4VAQ/9G2JDsJw6YJMjstWPrv07tnU0ErWZx5WGcNUGhw6T5tOJ + kXCAuaZax8NxoTtZnQ9Cd+WgJr7R0FuVPEPTc4G2RsfntSZq5rBgCpT0fgwyASFX + 64b6YTbLcCL+G6sg/FwIi9SRqqCsaljATjoU685vrjaxYYfAdhyUoM3qSNjMMaMl + zVjn0kbWrQn4GqfuRMqcr+zCIQdHNTTJ12+c6UUo/zJp4zzjA68Yur9aiw1iHtR1 + rYCPHX2/ZmQjADTHXqwpuMdb5j0VDcd5JcZabdcJkhn/6MRJiN+XryZN/Neq9UbF + 5WrMaZz5v0iRnMUCr8HMw29P0ttu5Sma+RyCOZuWlpsXj+C84pJ8CjBbFhzSJzGP + cKI8Syn0CPLN3X6vKs+LJXEHg1jxJ9kuN+RgW+SQRctUX3A0JtFg2tWplkptNtLl + hN5rW+fWxk7BV9dP7wouwVJiKcW3Y/OMCF5H8YHwL/KVHvANBwNM+nmFPrHaqN2s + 0RghznmZMVG+9IYedSM6d8ZJLnO/QsNTE0QTGM/3dmBAn9jcndCLTgcgThAtvcmw + lFJYaMN3W455Cccaif93xnb44yn47actgEuM6GOuP15GGJaHD2iBQ2atHcaQhNQR + mxhIIouu+Kaa6g34MA/VGDNoN0eNYI5RZIUSSBl7bgaOXs9/3j1Uvap9yesCaOTU + aAEJAhDDqjX7RUazeEByAiKjv5TxpQzsi8gR4zyrhf6tTx34jHzQNoVjYEtLMEVl + ZlAJ06RoxOj8O6+8RGYd/ZUE+TQPQ4jx+PgWrZPUQx8TSxevuduw5XZ1lKytUSCZ + GFDjOxp0lMGV + =LHSB + -----END PGP MESSAGE----- + fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D + encrypted_regex: ^(data|stringData)$ + version: 3.8.0 diff --git a/kubernetes/common/apps/database/kustomization.yaml b/kubernetes/common/apps/database/kustomization.yaml new file mode 100644 index 0000000..1e1e858 --- /dev/null +++ b/kubernetes/common/apps/database/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./namespace +- ./dbs/ks.yaml \ No newline at end of file diff --git a/kubernetes/common/apps/database/namespace.yaml b/kubernetes/common/apps/database/namespace.yaml new file mode 100644 index 0000000..12a2a91 --- /dev/null +++ b/kubernetes/common/apps/database/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: database \ No newline at end of file 
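Review bot: The sops metadata on `pgsql.sops.yaml` is dated 2023 (`lastmodified: "2023-10-22T16:25:15Z"`, recipients created 2023-06-19, fingerprints 2CC2B363…/687802D4…), which suggests the encrypted credentials were copied from the existing cluster rather than generated for this one. For Flux to decrypt it on the thin cluster, the `sops-gpg` Secret referenced by the postgresql Kustomization must hold one of those two private keys — the home-assistant secret added later in this series is encrypted for a different first recipient, so that is worth confirming before the Kustomization is expected to reconcile. Reusing the same superuser and replication passwords on two clusters also means a compromise of either cluster's key exposes both databases; re-encrypting with freshly generated passwords for this cluster avoids that coupling.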
diff --git a/kubernetes/thin/apps/kustomization.yaml b/kubernetes/thin/apps/kustomization.yaml
index 35ba11f..ba010a8 100644
--- a/kubernetes/thin/apps/kustomization.yaml
+++ b/kubernetes/thin/apps/kustomization.yaml
@@ -13,4 +13,5 @@ resources:
 - ../../common/apps/nfd/ks.yaml
 - ../../common/apps/intel-gpu/ks.yaml
+- ../../common/apps/database
 - ./default
\ No newline at end of file
From 3da1b8e693322450ba57cce19bb4b0795c33c4b5 Mon Sep 17 00:00:00 2001
From: SeanOMik
Date: Sun, 15 Sep 2024 16:37:23 -0400
Subject: [PATCH 22/27] fix(postgres): use correct file paths
---
 kubernetes/common/apps/database/dbs/ks.yaml | 2 +-
 kubernetes/common/apps/database/kustomization.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kubernetes/common/apps/database/dbs/ks.yaml b/kubernetes/common/apps/database/dbs/ks.yaml
index 4eb472d..02f303e 100644
--- a/kubernetes/common/apps/database/dbs/ks.yaml
+++ b/kubernetes/common/apps/database/dbs/ks.yaml
@@ -17,7 +17,7 @@ spec:
 secretRef:
 name: sops-gpg
 dependsOn:
- - name: openebs
+ - name: openebs-sc
 namespace: flux-system
 postBuild:
 substitute: {}
diff --git a/kubernetes/common/apps/database/kustomization.yaml b/kubernetes/common/apps/database/kustomization.yaml
index 1e1e858..f5c95bb 100644
--- a/kubernetes/common/apps/database/kustomization.yaml
+++ b/kubernetes/common/apps/database/kustomization.yaml
@@ -1,5 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ./namespace
+- ./namespace.yaml
 - ./dbs/ks.yaml
\ No newline at end of file
From 5a9e883b75199830e702387835ab6e7d9c14ef76 Mon Sep 17 00:00:00 2001
From: SeanOMik
Date: Sun, 15 Sep 2024 18:14:23 -0400
Subject: [PATCH 23/27] feat: switch from traefik to nginx-ingress
---
 .../certs/files/wildcard-cert.yaml | 2 +-
 kubernetes/thin/apps/helm-repositories.yaml | 11 +-
 kubernetes/thin/apps/kustomization.yaml | 2 +-
 .../apps/nginx/external/helm-release.yaml | 102 ++++++++++++++++++
 .../apps/nginx/external/kustomization.yaml | 4 +
 .../apps/nginx/internal/helm-release.yaml | 102 ++++++++++++++++++
 .../apps/nginx/internal/kustomization.yaml | 4 +
 kubernetes/thin/apps/nginx/ks.yaml | 53 +++++++++
 8 files changed, 277 insertions(+), 3 deletions(-)
 create mode 100644 kubernetes/thin/apps/nginx/external/helm-release.yaml
 create mode 100644 kubernetes/thin/apps/nginx/external/kustomization.yaml
 create mode 100644 kubernetes/thin/apps/nginx/internal/helm-release.yaml
 create mode 100644 kubernetes/thin/apps/nginx/internal/kustomization.yaml
 create mode 100644 kubernetes/thin/apps/nginx/ks.yaml
diff --git a/kubernetes/common/apps/cert-manager/certs/files/wildcard-cert.yaml b/kubernetes/common/apps/cert-manager/certs/files/wildcard-cert.yaml
index dba312e..1b4d80e 100644
--- a/kubernetes/common/apps/cert-manager/certs/files/wildcard-cert.yaml
+++ b/kubernetes/common/apps/cert-manager/certs/files/wildcard-cert.yaml
@@ -2,7 +2,7 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
 name: wildcard-main-cert
- namespace: traefik
+ namespace: nginx
 spec:
 secretName: wildcard-main-tls
diff --git a/kubernetes/thin/apps/helm-repositories.yaml b/kubernetes/thin/apps/helm-repositories.yaml
index 20eac2d..fc2b583 100644
--- a/kubernetes/thin/apps/helm-repositories.yaml
+++ b/kubernetes/thin/apps/helm-repositories.yaml
@@ -14,4 +14,13 @@ metadata:
 namespace: flux-system
 spec:
 interval: 1m
- url: https://bjw-s.github.io/helm-charts
\ No newline at end of file
+ url: https://bjw-s.github.io/helm-charts
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: ingress-nginx
+ namespace: flux-system
+spec:
+ interval: 1m
+ url: https://kubernetes.github.io/ingress-nginx
\ No newline at end of file
diff --git a/kubernetes/thin/apps/kustomization.yaml b/kubernetes/thin/apps/kustomization.yaml
index ba010a8..c4a6649 100644
--- a/kubernetes/thin/apps/kustomization.yaml
+++ b/kubernetes/thin/apps/kustomization.yaml
@@ -4,7 +4,7 @@ resources:
 - ./helm-repositories.yaml
 # networking
 - ./cilium
-- ./traefik
+- ./nginx
 - ../../common/apps/cert-manager
 # storage
 - ./snapshot-system/ks.yaml
diff --git a/kubernetes/thin/apps/nginx/external/helm-release.yaml b/kubernetes/thin/apps/nginx/external/helm-release.yaml
new file mode 100644
index 0000000..6271d8b
--- /dev/null
+++ b/kubernetes/thin/apps/nginx/external/helm-release.yaml
@@ -0,0 +1,102 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: nginx-external
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: ingress-nginx
+ version: 4.11.2
+ sourceRef:
+ kind: HelmRepository
+ name: ingress-nginx
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ fullnameOverride: nginx-external
+ controller:
+ replicaCount: 2
+ service:
+ annotations:
+ io.cilium/lb-ipam-ips: 192.168.2.50
+ labels:
+ bgp/service-type: public
+
+ ingressClassResource:
+ name: external
+ default: false
+ controllerValue: k8s.io/external
+
+ admissionWebhooks:
+ objectSelector:
+ matchExpressions:
+ - key: ingress-class
+ operator: In
+ values: ["external"]
+
+ allowSnippetAnnotations: true
+ config:
+ # taken from https://github.com/superseriousbusiness/gotosocial/blob/main/internal/web/robots.go
+ block-user-agents: "GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*"
+ client-body-buffer-size: 100M
+ client-body-timeout: 120
+ client-header-timeout: 120
+ enable-brotli: "true"
+ enable-ocsp: "true"
+ enable-real-ip: "true"
+ force-ssl-redirect: "true"
+ hide-headers: Server,X-Powered-By
+ hsts-max-age: 31449600
+ keep-alive-requests: 10000
+ keep-alive: 120
+ log-format-escape-json: "true"
+ log-format-upstream: >
+ {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for",
+ "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time,
+ "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args",
+ "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer",
+ "http_user_agent": "$http_user_agent"}
+ proxy-body-size: 0
+ proxy-buffer-size: 16k
+ ssl-protocols: TLSv1.3 TLSv1.2
+ use-forwarded-headers: "true"
+
+ metrics:
+ enabled: false # TODO
+ serviceMonitor:
+ enabled: true
+ namespaceSelector:
+ any: true
+
+ extraArgs:
+ default-ssl-certificate: nginx/wildcard-main-tls
+
+ terminationGracePeriodSeconds: 120
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: nginx-external
+ app.kubernetes.io/component: controller
+
+ resources:
+ requests:
+ cpu: 100m
+ limits:
+ memory: 500Mi
+
+ defaultBackend:
+ enabled: false
diff --git a/kubernetes/thin/apps/nginx/external/kustomization.yaml b/kubernetes/thin/apps/nginx/external/kustomization.yaml
new file mode 100644
index 0000000..ea3145d
--- /dev/null
+++ b/kubernetes/thin/apps/nginx/external/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./helm-release.yaml
\ No newline at end of file
diff --git a/kubernetes/thin/apps/nginx/internal/helm-release.yaml b/kubernetes/thin/apps/nginx/internal/helm-release.yaml
new file mode 100644
index 0000000..3180bfd
--- /dev/null
+++ b/kubernetes/thin/apps/nginx/internal/helm-release.yaml
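Review bot: `allowSnippetAnnotations: true` on the internet-facing controller lets anyone able to create an Ingress in any namespace inject raw nginx configuration through the `*-snippet` annotations, which is why the chart ships it disabled; unless a snippet is actually needed, set `allowSnippetAnnotations: false` (the internal release in the next hunk carries the same value). The admission webhook's `objectSelector` only validates Ingress objects labeled `ingress-class`, and none of the Ingresses in this series (whoami, home-assistant) set that label, so they are admitted without any validation — drop the selector or label the Ingresses. `enable-real-ip`/`use-forwarded-headers: "true"` make the controller trust `X-Forwarded-For` from whoever connects; if nothing sits in front of the 192.168.2.50 VIP, either leave them off or add a `proxy-real-ip-cidr` limited to the upstream proxy so the client address in logs and in Home Assistant's trusted-proxy handling cannot be chosen by the client. `log-format-upstream` records `$proxy_protocol_addr` as `remote_addr`, but `use-proxy-protocol` is not enabled, so that field will be empty; `$remote_addr` is probably what was intended.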
@@ -0,0 +1,102 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: nginx-internal
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: ingress-nginx
+ version: 4.11.2
+ sourceRef:
+ kind: HelmRepository
+ name: ingress-nginx
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ fullnameOverride: nginx-internal
+ controller:
+ replicaCount: 2
+ service:
+ annotations:
+ io.cilium/lb-ipam-ips: 192.168.2.51
+ labels:
+ bgp/service-type: public
+
+ ingressClassResource:
+ name: internal
+ default: true
+ controllerValue: k8s.io/internal
+
+ admissionWebhooks:
+ objectSelector:
+ matchExpressions:
+ - key: ingress-class
+ operator: In
+ values: ["internal"]
+
+ allowSnippetAnnotations: true
+ config:
+ # taken from https://github.com/superseriousbusiness/gotosocial/blob/main/internal/web/robots.go
+ block-user-agents: "GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*"
+ client-body-buffer-size: 100M
+ client-body-timeout: 120
+ client-header-timeout: 120
+ enable-brotli: "true"
+ enable-ocsp: "true"
+ enable-real-ip: "true"
+ force-ssl-redirect: "true"
+ hide-headers: Server,X-Powered-By
+ hsts-max-age: 31449600
+ keep-alive-requests: 10000
+ keep-alive: 120
+ log-format-escape-json: "true"
+ log-format-upstream: >
+ {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for",
+ "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time,
+ "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args",
+ "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer",
+ "http_user_agent": "$http_user_agent"}
+ proxy-body-size: 0
+ proxy-buffer-size: 16k
+ ssl-protocols: TLSv1.3 TLSv1.2
+ use-forwarded-headers: "true"
+
+ metrics:
+ enabled: false # TODO
+ serviceMonitor:
+ enabled: true
+ namespaceSelector:
+ any: true
+
+ extraArgs:
+ default-ssl-certificate: nginx/wildcard-main-tls
+
+ terminationGracePeriodSeconds: 120
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: nginx-internal
+ app.kubernetes.io/component: controller
+
+ resources:
+ requests:
+ cpu: 100m
+ limits:
+ memory: 500Mi
+
+ defaultBackend:
+ enabled: false
diff --git a/kubernetes/thin/apps/nginx/internal/kustomization.yaml b/kubernetes/thin/apps/nginx/internal/kustomization.yaml
new file mode 100644
index 0000000..ea3145d
--- /dev/null
+++ b/kubernetes/thin/apps/nginx/internal/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./helm-release.yaml
\ No newline at end of file
diff --git a/kubernetes/thin/apps/nginx/ks.yaml b/kubernetes/thin/apps/nginx/ks.yaml
new file mode 100644
index 0000000..889e45e
--- /dev/null
+++ b/kubernetes/thin/apps/nginx/ks.yaml
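Review bot: The internal controller's Service carries `bgp/service-type: public`, the same label as the external one in the previous hunk; if that label is what selects which LoadBalancer IPs are advertised over BGP (as its name suggests), the 192.168.2.51 VIP is announced exactly like the public one and the internal/external split exists only in the ingress class — presumably a distinct value such as `bgp/service-type: internal` is intended, or the label should be dropped here. `ingressClassResource.default: true` makes `internal` the fallback for any Ingress that omits `className`, which is the safer choice of the two classes. Apart from the name, IP, class and label, this release is a byte-for-byte copy of the external one, including `allowSnippetAnnotations: true` and the `$proxy_protocol_addr` log field, so the points raised on that hunk apply here too; a shared values file or a comment noting which keys are meant to differ would keep the two from drifting.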
@@ -0,0 +1,53 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: nginx-external
+ namespace: flux-system
+spec:
+ targetNamespace: nginx
+ timeout: 5m
+ interval: 10m
+ path: ./kubernetes/thin/apps/nginx/external
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+ postBuild:
+ substitute: {}
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: nginx-internal
+ namespace: flux-system
+spec:
+ targetNamespace: nginx
+ timeout: 5m
+ interval: 10m
+ path: ./kubernetes/thin/apps/nginx/internal
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+ postBuild:
+ substitute: {}
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
\ No newline at end of file
From 473ffdffc0502ba0059f17077a4ec9ba454ae3c1 Mon Sep 17 00:00:00 2001
From: SeanOMik
Date: Sun, 15 Sep 2024 18:36:05 -0400
Subject: [PATCH 24/27] fix: use correct file path
---
 kubernetes/thin/apps/kustomization.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kubernetes/thin/apps/kustomization.yaml b/kubernetes/thin/apps/kustomization.yaml
index c4a6649..b4a0f7a 100644
--- a/kubernetes/thin/apps/kustomization.yaml
+++ b/kubernetes/thin/apps/kustomization.yaml
@@ -4,7 +4,7 @@ resources:
 - ./helm-repositories.yaml
 # networking
 - ./cilium
-- ./nginx
+- ./nginx/ks.yaml
 - ../../common/apps/cert-manager
 # storage
 - ./snapshot-system/ks.yaml
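Review bot: Nothing in this commit creates the `nginx` namespace — both `external/kustomization.yaml` and `internal/kustomization.yaml` list only `./helm-release.yaml` — yet both Kustomizations here set `targetNamespace: nginx` and the wildcard Certificate was moved into `nginx` in the first hunk of this commit. Unless kustomize-controller creates the target namespace on its own (worth confirming against the Flux docs for this Flux version), the two HelmReleases and the Certificate will fail to apply until a `namespace.yaml` is added to one of the app directories, as `snapshot-system/app` and `database` already do. Both Kustomizations also carry a full `decryption` block although neither nginx directory contains a `.sops.yaml`; harmless, but it can be dropped or annotated with `# no sops files yet; kept for parity with the other ks.yaml files`. Neither Kustomization declares a `dependsOn` for the cert-manager Kustomization that issues `wildcard-main-tls`, so the first reconcile may start the controllers before the default certificate exists.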
From 2b432acd327d045ab8e520dac3aa47accb01e190 Mon Sep 17 00:00:00 2001
From: SeanOMik
Date: Sun, 15 Sep 2024 20:35:30 -0400
Subject: [PATCH 25/27] feat: add home-assistant to thin cluster
---
 .../home-assistant/files/helm-release.yaml | 98 +++++++++++++++++--
 .../home-assistant/files/kustomization.yaml | 2 +
 .../default/home-assistant/files/pvc.yaml | 12 +++
 .../home-assistant/files/secret.sops.yaml | 75 ++++++++++++++
 .../thin/apps/default/home-assistant/ks.yaml | 9 +-
 .../thin/apps/default/kustomization.yaml | 3 +-
 6 files changed, 187 insertions(+), 12 deletions(-)
 create mode 100644 kubernetes/thin/apps/default/home-assistant/files/pvc.yaml
 create mode 100644 kubernetes/thin/apps/default/home-assistant/files/secret.sops.yaml
diff --git a/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml b/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml
index 8efa6d8..409959c 100644
--- a/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml
+++ b/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml
@@ -2,27 +2,72 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
- name: whoami
+ name: home-assistant
 namespace: default
 spec:
 interval: 5m
 chart:
 spec:
 chart: app-template
- version: 3.1.0
+ version: 3.4.0
 sourceRef:
 kind: HelmRepository
 name: bjws-charts
 namespace: flux-system
-
+ dependsOn:
+ - name: openebs
+ namespace: openebs
 values:
 controllers:
 main:
 containers:
- main:
+ app:
 image:
- repository: containous/whoami
- tag: latest
+ repository: ghcr.io/onedr0p/home-assistant
+ tag: 2024.9.1
+ env:
+ TZ: America/New_York #${SERVER_TIMEZONE}
+ HASS_HTTP_TRUSTED_PROXY_1: 192.168.0.0/16
+ HASS_HTTP_TRUSTED_PROXY_2: 10.0.0.0/8
+ HASS_SECRET_URL: &hassHost "hass.thin.seanomik.net" #${SECRET_NEW_DOMAIN}
+ HOME_ASSISTANT__HACS_INSTALL: "true"
+ envFrom:
+ - secretRef:
+ name: home-assistant
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities: { drop: ["ALL"] }
+ resources:
+ requests:
+ cpu: 10m
+ limits:
+ memory: 2Gi
+ code-server:
+ image:
+ repository: ghcr.io/coder/code-server
+ tag: 4.92.2
+ args: [
+ "--auth", "none",
+ "--user-data-dir", "/config/.vscode",
+ "--extensions-dir", "/config/.vscode",
+ "--port", "12321",
+ "/config"
+ ]
+ resources:
+ requests:
+ cpu: 10m
+ limits:
+ memory: 512Mi
+
+ defaultPodOptions:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 568
+ runAsGroup: 568
+ fsGroup: 568
+ fsGroupChangePolicy: OnRootMismatch
+ seccompProfile: { type: RuntimeDefault }
 service:
 app:
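Review bot: `HASS_HTTP_TRUSTED_PROXY_1: 192.168.0.0/16` and `HASS_HTTP_TRUSTED_PROXY_2: 10.0.0.0/8` tell Home Assistant to honour `X-Forwarded-For` from every host on the LAN and every pod in the cluster, so any of them can present an arbitrary client address to HA, which uses that address for login-attempt banning and IP-based trust; narrowing the list to the ingress controllers' pod or Service range is the usual fix. The `code-server` sidecar is started with `"--auth", "none"` and, unlike the `app` container, has no `securityContext` of its own (no `allowPrivilegeEscalation: false`, no `capabilities: { drop: ["ALL"] }`, no read-only root), although it has write access to `/config` where HA keeps `configuration.yaml` and its secrets; the same hardening should be applied and whatever fronts it must authenticate. `HASS_SECRET_URL` is hard-coded to `hass.thin.seanomik.net` with the `${SECRET_NEW_DOMAIN}` substitution left as a trailing comment, so the host now diverges from how `whoami` is configured in this cluster; if the substitution works there it should work here, otherwise a comment stating why it is bypassed would help. The hunk's enclosing `values` block continues past this hunk into the next one.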
@@ -30,19 +75,54 @@ spec:
 ports:
 http:
- port: 80
+ port: 8123
+ code-server:
+ port: 12321
 ingress:
- main:
+ app:
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-production
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 #traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+ className: external
 hosts:
- - host: "whoami.${SECRET_NEW_DOMAIN}"
+ - host: *hassHost
 paths:
 - path: /
 service:
 identifier: app
 port: http
+ code-server:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ #traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+
+ className: internal
+ hosts:
+ - host: "hass-code.internal.thin.seanomik.net"
+ paths:
+ - path: /
+ service:
+ identifier: app
+ port: code-server
+
+ persistence:
+ config:
+ existingClaim: home-assistant-config
+ globalMounts:
+ - path: /config
+ logs:
+ type: emptyDir
+ globalMounts:
+ - path: /config/logs
+ tts:
+ type: emptyDir
+ globalMounts:
+ - path: /config/tts
+ tmp:
+ type: emptyDir
+ globalMounts:
+ - path: /tmp
diff --git a/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml b/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml
index ea3145d..7d3f7a7 100644
--- a/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml
+++ b/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml
@@ -1,4 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+- ./pvc.yaml
+- ./secret.sops.yaml
 - ./helm-release.yaml
\ No newline at end of file
diff --git a/kubernetes/thin/apps/default/home-assistant/files/pvc.yaml b/kubernetes/thin/apps/default/home-assistant/files/pvc.yaml
new file mode 100644
index 0000000..11fc25a
--- /dev/null
+++ b/kubernetes/thin/apps/default/home-assistant/files/pvc.yaml
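Review bot: The `code-server` Ingress publishes an editor that the previous hunk starts with `--auth none` at `hass-code.internal.thin.seanomik.net`, and the only authentication layer in sight — the `traefik-authentik` middleware — is commented out, so anyone who can reach the internal controller gets read/write access to `/config` and with it HA's secrets; either put an auth layer back through the nginx controller's annotations or keep code-server off the Ingress and reach it by port-forward. Both Ingresses still carry `traefik.ingress.kubernetes.io/*` annotations although this cluster switched to ingress-nginx two commits earlier; nginx ignores them, and `force-ssl-redirect` on the controller already covers the entrypoint intent, so they should be removed rather than left to suggest a policy that is not enforced. Putting the HA UI on `className: external` and code-server on `internal` is the right split; it only needs the auth gap closed. The `hass-code.internal...` host is hard-coded while `whoami` uses `${SECRET_NEW_DOMAIN}`, the same inconsistency as the env block in the previous hunk.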
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: home-assistant-config
+ namespace: default
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: openebs-dual
+ resources:
+ requests:
+ storage: 6Gi
\ No newline at end of file
diff --git a/kubernetes/thin/apps/default/home-assistant/files/secret.sops.yaml b/kubernetes/thin/apps/default/home-assistant/files/secret.sops.yaml
new file mode 100644
index 0000000..7c3abe3
--- /dev/null
+++ b/kubernetes/thin/apps/default/home-assistant/files/secret.sops.yaml
@@ -0,0 +1,75 @@ +apiVersion: v1 +kind: Secret +metadata: + name: home-assistant + namespace: default +type: Opaque +stringData: + HASS_SECRET_ELEVATION: ENC[AES256_GCM,data:+dg6fw==,iv:8YPS3cD/qnZcQCwjdSVYJ5x/z0rSR8jplZfxr1EPqJk=,tag:2S0JTIYBvxN5tAnLMLMwtQ==,type:str] + HASS_SECRET_LATITUDE: ENC[AES256_GCM,data:Kgq3N7fRG8Dn2g==,iv:7m7RQM1WcIKTLfMr1cjcFxqnYJ+7llKNY6Mdl9MdVmI=,tag:wtgsJsCov1BxN0LW3bn2cg==,type:str] + HASS_SECRET_LONGITUDE: ENC[AES256_GCM,data:fBTv0J7rNN6Tt5I=,iv:lU0J2Qd1rRzrIKhYUDeqcQfRidGvsBzby7a/9UiCKYU=,tag:Lyh1QS3WIpP0tl0g9NEQMg==,type:str] + HASS_SECRET_DB_URL: ENC[AES256_GCM,data:YXk+YKDlqnrn7hxGe4Q5cTaafK2ijRWf2NtAltdeJmQ3sAL3Z8N7yV3VwSUkL9Re181JRXeiIebEoIMx2DDlTaYMcnGPQyqjSWBMSt4/+WgmZ0Q=,iv:5N/dbYht2ts26GAh14BxNA3zq7US+s8WbmNWFJtO+jk=,tag:6sqa0kufUdkyMVdJ9rVCdA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-09-16T00:34:28Z" + mac: ENC[AES256_GCM,data:zoW6fr1LbCpxj+47BS7YSJtT8CF3QLdkYR+JsNmVNv+NZ5229TC+RGWbSwjyHtqb7Xxzhwzuna8kVR9Jg8dnJOZhEJM2uY7rTx0z0tpakdvUggxDiBH3W8nIc//DzxgbGZwtP9/LNpzE0ucvTKrqJsUW6/Idu815bLknNbeaPxo=,iv:KbbWZ17JQNsCuSI26nGKwKjoP4aULua3GBCJbQgNpyI=,tag:PvEhlwCpYMtJB8lx5vmVfQ==,type:str] + pgp: + - created_at: "2024-09-16T00:34:28Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAyqlIeyoxYovAQ//WFv9Y/YWKUUEV7ymMAqVpCdiVp1DiRBbsNVlBCi+x2lF + NO/AHTeTvJL+9uyavQsSQVuuIhCMG9R7uwTAQaLgZat8Q3ToC4ntEjoxQQfKsUTl + 1qfsFTTGW8PJbekkvZmufTMTzmJ+8j0TGnQeCcI9D/XmE/fDP+P551YLCXJm/MtC + xGo1Wz27n0YYseWRjO6hAOU0/z3tQxgEYU40uWt/Wego3XaXVIAOC7E+uxbVIGfW + DsQQQi3E5mKGdWB6VvzozstneZuDNU+GiNCCHsYYCCSMwT4z1FFPTl3T4Qr+yRbQ + Ylh5y7LQsVmHnwzC2eDatxL2v7chSoYWczZMKTmNCcppZ1Lvas14Cd9MdC/yt2yD + jDrXtyw1jPho+A688EvB7E/nCEXnchL0xqCcCqa7IE3+hhZzxLWysfz4QM0Mg2rv + j7QLP2/ssuB9K2dOrudkE0MUzQyf5tu9Av7YD+KR0SEcuQ/Y2yvnScLf4SS/NEgG + erB8e44M/NG/CN38YOxPGtK9FcxjJKyDfk5S//TPteZBgtKwf18H5SDonu3E6WUU + Z61U/Vw31xtIuFVRPAQc5qzfCVQ9N0zJx28F3QJXcgMzmEVHQKyJ+/u9ytfTQpg5 + 
CPfexvgNg9CR++p6MY0tie07iLkmoT23hq1A36Q+pnyqR1bZVu0vVIVtOIANG3qF + AgwDXjg0p2IN1X8BD/4oBsOiwYJYAPdsxtQyMoj92r6NUl+STRdvalSyweJqf9xK + RfQzlNtdN6ADTD7p6PKZxg/Bb9HGJe7eUto78Eqn9Uqu67pGPCUiaVk7JUUayGHd + Fay3OJYuLEgukEo1okq+yBDjj+dGwTJ17Cl8hYgNSyeGCAiXqUkktkRXkjvhI55X + lgOc3wiaRqcuLFG5h00qo3Wy4ESzuQSKFEimpSec8CSxuY/vTg8CFjekkmUerNmd + eKKW6q0IB2WUrxbvG4moF+4pK6F8zOgF1B94cFuFHoDQ1sOFkUI95v0/mEi6qIX4 + gTD6DAbgmZCyFWrfH1ogU7vpa2aDrFDHYLFyjESX6zhMVnQwetQsgdQ3C2Q5HpD5 + uWuzbVSOVpUzwOsgwP1bUn6Layxnk3cVtgLj5ODdUYSBJZ6/ReQ/aQjhUpNVQIUA + inqCuL6dSFDTKKwDpzdVTX105knBNP5pHaDVdFN+iUu9pbFGSqWAZQ/XtfznBSbl + QntMp70zVe5TlMtB7DCpkRcgI/oOLjciM+ITVW3mh7nX0tbBUZ/2T/KKPwFHNI/4 + wU/TH13RW0l92eJRXYarYsOqsDsYzlkOoPupNQFK8UVu44cVe/jPJNNi9yU8EN5r + 2VoKr2F7sYprbSunhFrOXFGngCs0pgk6lKcWKE6mP8b2AmmX0FHBjojTDRu3D9Rm + AQkCEHK/1D/N2aQA8WZBnz87r51MTQ+dqxTu9tAOjCGX2jP1NvQqnS2vL+iqsvlo + CxojBsFhFZXLpd/op2N+4nFMA0HAPl4pKj5hi6tUEzkXr9ltfvnIMdv0ZoZoM61r + B1xdW8jX + =HAf4 + -----END PGP MESSAGE----- + fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD + - created_at: "2024-09-16T00:34:28Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAy5t8IMoPu4VAQ//S4pP46cksxK/sNjHKP8A8uY3KNewuTd9URB605mXlaAA + iTMnujsimRREiYoxkcgCIuxoYgpXoi30XrlrSbdKwSt1flGRjVBtW62uvgFRn/Ya + qmZimGRyhSr0NWMZdsCoOGECCd21lGOwGeTmZzcsvYtzT0fgpYoRtQv0L44eBuFy + uzNIvDw7SvvjM2nGWI6VAlAg6CnAz3Fo9JbccZINqgfRTNhtkHU5R6M0M6EjmN6M + xkcr280dOdV3dWKfAtZld2aPb9QLj2vxYxcSqaqQ3jLpmy5JrCT+E4fxt6THyg4R + x9EGds30zUOUwB5hOJGF+dPPdb3M1imZZymDYZ65WDt6nttRVz9p1Vxu8BiMzMef + CPcrArf5ic+TDp4QydwAb3UjkT+b8/iHGLrFLn7E7s9xaWN8Y8wHxhABjEMKia/8 + hhZozgapC7EIK10Qq4S+mce+pQrLdPrz++/jEL5enuh3vo8s6PSCAbM7sxjoNUV0 + Sjbl3lOlbvRLMRJoxMgeHCYKR8HBKYX3lbPSOl0+D2rwibdrbuk1N4NMq0z9YU3O + PCEDpGxzj469yss1XbpoANG7EpS9uMdTN+ONE1Xx7AvsADMrNvdJeLvku93bknZw + 6rD1aSBau98H/WGM1XGu0nOzQgxtfCoaFRnXf03lMldWlkQnwYuhZPs+3mwg8vfU + ZgEJAhD4mf23O6K9MUJFjoHABoZAQqX2UEc7TRjIc+YHGg8PekuK4yTWIKkHIvUL + WdiWaO8gB+QmoyHt6bg4+di1iqTujnKTPqPF6ehpoDlqWHXWs2mxl2UiC6DGUHlm + oIfC9MKtDA== + 
=uXt0 + -----END PGP MESSAGE----- + fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D + encrypted_regex: ^(data|stringData)$ + version: 3.9.0 diff --git a/kubernetes/thin/apps/default/home-assistant/ks.yaml b/kubernetes/thin/apps/default/home-assistant/ks.yaml index a92aa63..424c719 100644 --- a/kubernetes/thin/apps/default/home-assistant/ks.yaml +++ b/kubernetes/thin/apps/default/home-assistant/ks.yaml @@ -2,12 +2,12 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: whoami + name: home-assistant namespace: flux-system spec: timeout: 5m interval: 10m - path: ./kubernetes/thin/apps/default/whoami/files + path: ./kubernetes/thin/apps/default/home-assistant/files prune: true sourceRef: kind: GitRepository @@ -16,6 +16,11 @@ spec: provider: sops secretRef: name: sops-gpg + dependsOn: + - name: openebs-sc + namespace: flux-system + - name: postgresql + namespace: flux-system postBuild: substitute: {} substituteFrom: diff --git a/kubernetes/thin/apps/default/kustomization.yaml b/kubernetes/thin/apps/default/kustomization.yaml index c7dcc20..d037f75 100644 --- a/kubernetes/thin/apps/default/kustomization.yaml +++ b/kubernetes/thin/apps/default/kustomization.yaml @@ -1,4 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ./whoami/ks.yaml \ No newline at end of file +- ./whoami/ks.yaml +- ./home-assistant/ks.yaml \ No newline at end of file From 9e58733a47984fc2e5173f1761caa98a595a2cb7 Mon Sep 17 00:00:00 2001 
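Review bot: The added `dependsOn` entries for `postgresql` and `openebs-sc` only wait for those Flux Kustomizations to report Ready, and in kustomize-controller Ready means the manifests were applied unless the dependency itself sets `wait: true` or `healthChecks`; whether the `postgresql` Kustomization does is outside this diff, so confirm it, otherwise home-assistant can start before the database accepts connections and must rely on its own retry. The same caveat applies to the `dependsOn` chains added for kubevirt and kubevirt-cdi in the later patches. `HASS_SECRET_DB_URL` in the new sops Secret presumably carries the database credentials; a short comment on the dependency, `# postgresql: backs HASS_SECRET_DB_URL in secret.sops.yaml`, would make the coupling self-explaining.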
From: SeanOMik Date: Wed, 18 Sep 2024 18:29:57 -0400 Subject: [PATCH 26/27] feat: add kubevirt to thin cluster --- .../apps/kubevirt-cdi/cr/kustomization.yaml | 7 +++ kubernetes/thin/apps/kubevirt-cdi/ks.yaml | 62 +++++++++++++++++++ .../kubevirt-cdi/namespace-transformer.yaml | 11 ++++ .../kubevirt-cdi/operator/kustomization.yaml | 7 +++ kubernetes/thin/apps/kubevirt/ks.yaml | 30 +++++++++ .../kubevirt/operator/app/kustomization.yaml | 4 ++ .../kubevirt/operator/cr/kustomization.yaml | 4 ++ .../thin/apps/kubevirt/operator/ks.yaml | 60 ++++++++++++++++++ kubernetes/thin/apps/kustomization.yaml | 3 + 9 files changed, 188 insertions(+) create mode 100644 kubernetes/thin/apps/kubevirt-cdi/cr/kustomization.yaml create mode 100644 kubernetes/thin/apps/kubevirt-cdi/ks.yaml create mode 100644 kubernetes/thin/apps/kubevirt-cdi/namespace-transformer.yaml create mode 100644 kubernetes/thin/apps/kubevirt-cdi/operator/kustomization.yaml create mode 100644 kubernetes/thin/apps/kubevirt/ks.yaml create mode 100644 kubernetes/thin/apps/kubevirt/operator/app/kustomization.yaml create mode 100644 kubernetes/thin/apps/kubevirt/operator/cr/kustomization.yaml create mode 100644 kubernetes/thin/apps/kubevirt/operator/ks.yaml diff --git a/kubernetes/thin/apps/kubevirt-cdi/cr/kustomization.yaml b/kubernetes/thin/apps/kubevirt-cdi/cr/kustomization.yaml new file mode 100644 index 0000000..da2fdfc --- /dev/null +++ b/kubernetes/thin/apps/kubevirt-cdi/cr/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- https://github.com/kubevirt/containerized-data-importer/releases/download/v1.60.3/cdi-cr.yaml +# change namespace to kubevirt-cdi +transformers: +- ../namespace-transformer.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/kubevirt-cdi/ks.yaml b/kubernetes/thin/apps/kubevirt-cdi/ks.yaml new file mode 100644 index 0000000..3ef5620 --- /dev/null +++ b/kubernetes/thin/apps/kubevirt-cdi/ks.yaml 
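Review bot: The `resources` entry pulls `cdi-cr.yaml` straight from a GitHub release URL, so the manifest is downloaded at every reconcile and is pinned only by version tag, not by content; a release asset can be replaced under the same tag, and a fetch failure blocks reconciliation of everything downstream. The same pattern is used for `cdi-operator.yaml` in `kubevirt-cdi/operator/kustomization.yaml` and for `kubevirt-operator.yaml` and `kubevirt-cr.yaml` under `kubevirt/operator/`. Vendoring the fetched YAML into the repo (so the content is reviewed in the PR and upgrades show as diffs) or consuming it through an OCIRepository pinned by digest would close that gap; at minimum, record what was reviewed next to the URL, e.g. `# cdi-cr.yaml v1.60.3, reviewed sha256: <CHECKSUM-PLACEHOLDER>`.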
@@ -0,0 +1,62 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: kubevirt-cdi-operator
+ namespace: flux-system
+spec:
+ timeout: 5m
+ interval: 10m
+ path: ./kubernetes/thin/apps/kubevirt-cdi/operator
+ prune: true
+ targetNamespace: kubevirt-cdi
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+ dependsOn:
+ - name: kubevirt-operator
+ namespace: flux-system
+ - name: kubevirt-operator-cr
+ namespace: flux-system
+ postBuild:
+ substitute: {}
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: kubevirt-cdi-cr
+ namespace: flux-system
+spec:
+ timeout: 5m
+ interval: 10m
+ path: ./kubernetes/thin/apps/kubevirt-cdi/cr
+ prune: true
+ targetNamespace: kubevirt-cdi
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+ dependsOn:
+ - name: kubevirt-cdi-operator
+ namespace: flux-system
+ postBuild:
+ substitute: {}
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
\ No newline at end of file
diff --git a/kubernetes/thin/apps/kubevirt-cdi/namespace-transformer.yaml b/kubernetes/thin/apps/kubevirt-cdi/namespace-transformer.yaml
new file mode 100644
index 0000000..9522f11
--- /dev/null
+++ b/kubernetes/thin/apps/kubevirt-cdi/namespace-transformer.yaml
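Review bot: Both Kustomizations attach `decryption` with `sops-gpg` and `postBuild.substituteFrom` with the `cluster-secrets` Secret, yet their paths render only upstream CDI manifests fetched at reconcile time, which presumably contain no sops-encrypted files and no `${VAR}` references from this repo; that hands third-party content the ability to have cluster-wide secret values substituted into it. Dropping `decryption` and `postBuild` from these two objects, or at least the `Secret` entry in `substituteFrom`, keeps the secret material scoped to the Kustomizations that need it. The `kubevirt-cdi-cr` document also depends on `kubevirt-cdi-operator`, which has no `wait`/`healthChecks`, so Ready there means applied, not running; add `wait: true` on the operator object if the CR's admission depends on the operator webhook.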
@@ -0,0 +1,11 @@
+apiVersion: builtin
+kind: NamespaceTransformer
+metadata:
+ name: change-cdi-namespace
+ namespace: kubevirt-cdi
+setRoleBindingSubjects: none
+unsetOnly: false
+fieldSpecs:
+- path: metadata/name
+ kind: Namespace
+ create: true
\ No newline at end of file
diff --git a/kubernetes/thin/apps/kubevirt-cdi/operator/kustomization.yaml b/kubernetes/thin/apps/kubevirt-cdi/operator/kustomization.yaml
new file mode 100644
index 0000000..1beca53
--- /dev/null
+++ b/kubernetes/thin/apps/kubevirt-cdi/operator/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- https://github.com/kubevirt/containerized-data-importer/releases/download/v1.60.3/cdi-operator.yaml
+# change namespace to kubevirt-cdi
+transformers:
+- ../namespace-transformer.yaml
\ No newline at end of file
diff --git a/kubernetes/thin/apps/kubevirt/ks.yaml b/kubernetes/thin/apps/kubevirt/ks.yaml
new file mode 100644
index 0000000..a4b0510
--- /dev/null
+++ b/kubernetes/thin/apps/kubevirt/ks.yaml
@@ -0,0 +1,30 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: kubevirt-operator
+ namespace: flux-system
+spec:
+ timeout: 5m
+ interval: 10m
+ path: ./kubernetes/thin/apps/kubevirt/operator
+ prune: true
+ targetNamespace: kubevirt
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+ dependsOn:
+ - name: openebs
+ namespace: flux-system
+ postBuild:
+ substitute: {}
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
diff --git a/kubernetes/thin/apps/kubevirt/operator/app/kustomization.yaml b/kubernetes/thin/apps/kubevirt/operator/app/kustomization.yaml
new file mode 100644
index 0000000..e89fad7
--- /dev/null
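Review bot: `setRoleBindingSubjects: none` tells the NamespaceTransformer to leave the `namespace` of ServiceAccount subjects in RoleBindings and ClusterRoleBindings untouched, while the comment in both kustomization files says the intent is to move everything from the upstream namespace to `kubevirt-cdi`. If the released `cdi-operator.yaml` binds its ClusterRole to a ServiceAccount in the upstream `cdi` namespace (it presumably does, since upstream installs into `cdi`), the rendered binding grants to a ServiceAccount that never exists in `kubevirt-cdi`, the operator runs without its RBAC, and the cluster keeps a ClusterRoleBinding whose subject lives in a namespace nothing here creates. `setRoleBindingSubjects: allServiceAccounts` is the setting that rewrites those subjects; verify with `flux build kustomization` or `kustomize build` that the rendered ClusterRoleBinding subjects reference `kubevirt-cdi`. Note also that the explicit `fieldSpecs` list covers only `metadata/name` of `Namespace` objects, so moving the namespaced resources themselves appears to rely on `targetNamespace` in ks.yaml rather than on this transformer; a comment saying so would stop the next reader from expecting this file to do it.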
+++ b/kubernetes/thin/apps/kubevirt/operator/app/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- https://github.com/kubevirt/kubevirt/releases/download/v1.3.1/kubevirt-operator.yaml
diff --git a/kubernetes/thin/apps/kubevirt/operator/cr/kustomization.yaml b/kubernetes/thin/apps/kubevirt/operator/cr/kustomization.yaml
new file mode 100644
index 0000000..460bd3e
--- /dev/null
+++ b/kubernetes/thin/apps/kubevirt/operator/cr/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- https://github.com/kubevirt/kubevirt/releases/download/v1.3.1/kubevirt-cr.yaml
diff --git a/kubernetes/thin/apps/kubevirt/operator/ks.yaml b/kubernetes/thin/apps/kubevirt/operator/ks.yaml
new file mode 100644
index 0000000..963f952
--- /dev/null
+++ b/kubernetes/thin/apps/kubevirt/operator/ks.yaml
@@ -0,0 +1,60 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: kubevirt-operator
+ namespace: flux-system
+spec:
+ timeout: 5m
+ interval: 10m
+ path: ./kubernetes/thin/apps/kubevirt/operator/app
+ prune: true
+ targetNamespace: kubevirt
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+ dependsOn:
+ - name: openebs
+ namespace: flux-system
+ postBuild:
+ substitute: {}
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: kubevirt-operator-cr
+ namespace: flux-system
+spec:
+ timeout: 5m
+ interval: 10m
+ path: ./kubernetes/thin/apps/kubevirt/operator/cr
+ prune: true
+ targetNamespace: kubevirt
+ sourceRef:
+ kind: GitRepository
+ name: home-cluster
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
+ dependsOn:
+ - name: kubevirt-operator
+ namespace: flux-system
+ postBuild:
+ substitute: {}
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
\ No newline at end of file
diff --git a/kubernetes/thin/apps/kustomization.yaml b/kubernetes/thin/apps/kustomization.yaml
index b4a0f7a..339bda0 100644
--- a/kubernetes/thin/apps/kustomization.yaml
+++ b/kubernetes/thin/apps/kustomization.yaml
@@ -12,6 +12,9 @@ resources:
 # hardware
 - ../../common/apps/nfd/ks.yaml
 - ../../common/apps/intel-gpu/ks.yaml
+# VMs
+- ./kubevirt/ks.yaml
+- ./kubevirt-cdi/ks.yaml
 - ../../common/apps/database
 - ./default
\ No newline at end of file
From dd70c87b368fcd1abcc15c5d34efd054eec84e24 Mon Sep 17 00:00:00 2001
From: SeanOMik Date: Wed, 18 Sep 2024 19:33:50 -0400 Subject: [PATCH 27/27] fix: use correct kustomize file paths --- .../{operator => }/cr/kustomization.yaml | 0 kubernetes/thin/apps/kubevirt/ks.yaml | 30 ++++++++++ .../thin/apps/kubevirt/operator/ks.yaml | 60 ------------------- .../operator/{app => }/kustomization.yaml | 0 4 files changed, 30 insertions(+), 60 deletions(-) rename kubernetes/thin/apps/kubevirt/{operator => }/cr/kustomization.yaml (100%) delete mode 100644 kubernetes/thin/apps/kubevirt/operator/ks.yaml rename kubernetes/thin/apps/kubevirt/operator/{app => }/kustomization.yaml (100%) diff --git a/kubernetes/thin/apps/kubevirt/operator/cr/kustomization.yaml b/kubernetes/thin/apps/kubevirt/cr/kustomization.yaml similarity index 100% rename from kubernetes/thin/apps/kubevirt/operator/cr/kustomization.yaml rename to kubernetes/thin/apps/kubevirt/cr/kustomization.yaml diff --git a/kubernetes/thin/apps/kubevirt/ks.yaml b/kubernetes/thin/apps/kubevirt/ks.yaml index a4b0510..41dda7d 100644 --- a/kubernetes/thin/apps/kubevirt/ks.yaml +++ b/kubernetes/thin/apps/kubevirt/ks.yaml @@ -28,3 +28,33 @@ spec: name: cluster-settings - kind: Secret name: cluster-secrets +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: kubevirt-operator-cr + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/thin/apps/kubevirt/cr + prune: true + targetNamespace: kubevirt + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + dependsOn: + - name: kubevirt-operator + namespace: flux-system + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file 
diff --git a/kubernetes/thin/apps/kubevirt/operator/ks.yaml b/kubernetes/thin/apps/kubevirt/operator/ks.yaml deleted file mode 100644 index 963f952..0000000 --- a/kubernetes/thin/apps/kubevirt/operator/ks.yaml +++ /dev/null @@ -1,60 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: kubevirt-operator - namespace: flux-system -spec: - timeout: 5m - interval: 10m - path: ./kubernetes/thin/apps/kubevirt/operator/app - prune: true - targetNamespace: kubevirt - sourceRef: - kind: GitRepository - name: home-cluster - decryption: - provider: sops - secretRef: - name: sops-gpg - dependsOn: - - name: openebs - namespace: flux-system - postBuild: - substitute: {} - substituteFrom: - - kind: ConfigMap - name: cluster-settings - - kind: Secret - name: cluster-secrets ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: kubevirt-operator-cr - namespace: flux-system -spec: - timeout: 5m - interval: 10m - path: ./kubernetes/thin/apps/kubevirt/operator/cr - prune: true - targetNamespace: kubevirt - sourceRef: - kind: GitRepository - name: home-cluster - decryption: - provider: sops - secretRef: - name: sops-gpg - dependsOn: - - name: kubevirt-operator - namespace: flux-system - postBuild: - substitute: {} - substituteFrom: - - kind: ConfigMap - name: cluster-settings - - kind: Secret - name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/thin/apps/kubevirt/operator/app/kustomization.yaml b/kubernetes/thin/apps/kubevirt/operator/kustomization.yaml similarity index 100% rename from kubernetes/thin/apps/kubevirt/operator/app/kustomization.yaml rename to kubernetes/thin/apps/kubevirt/operator/kustomization.yaml