feat!: Flux localhost bootstrap from 1P, add Sinon cluster
- installs Flux in hostNetwork mode bound to localhost on new clusters - rework Taskfiles for the new bootstrap flow, including loading secrets directly from 1Password with no SOPS for secret zero - use 1Password for both talsecret and talenv for talhelper genconfig - remove SOPS secrets - add Sinon cluster, used as NAS - cleanup ExternalSecret and 1P Connect's Flux ks for smoother bootstrap - try out 1Password Connect as extraContainer in external-secrets deployment to avoid secrets going over network - general cleanup
Showing
56 changed files
with
1,818 additions
and
1,087 deletions.
File renamed without changes.
@@ -1,23 +1,25 @@ | ||
[env] | ||
KUBECTL_INTERACTIVE_DELETE = "true" | ||
KUBECTL_COMMAND_HEADERS = "true" | ||
#SSH_AUTH_SOCK = $(gpgconf --list-dirs agent-ssh-socket) | ||
|
||
[tools] | ||
# kubectl = [""] | ||
# krew = [""] | ||
# kubectx = [""] | ||
kubectl = ["1.29.2"] | ||
krew = ["0.4.4"] | ||
kubectx = ["0.9.5"] | ||
fzf = ["0.52.1"] # used by kubectx interactive mode | ||
kustomize = ["5.3.0"] | ||
# kubecolor = [""] | ||
flux2 = ["2.2.3"] | ||
talosctl = ["1.5.4", "1.3.6"] | ||
flux2 = "2.2.3" | ||
talosctl = ["1.6.7", "1.5.4", "1.3.6"] | ||
talhelper = ["1.16.2"] | ||
cilium-cli= ["0.15.14"] | ||
1password-cli = ["2.24.0"] | ||
restic = ["0.16.4"] | ||
k9s = ["0.32.4"] | ||
|
||
soft-serve = ["0.7.4"] | ||
#pulumi = ["3.95.0"] | ||
python = ["3.11"] | ||
|
||
[env] | ||
KUBECTL_INTERACTIVE_DELETE = "true" | ||
KUBECTL_COMMAND_HEADERS = "true" | ||
#SSH_AUTH_SOCK = $(gpgconf --list-dirs agent-ssh-socket) | ||
_.python.venv = { path = ".venv", create = true } # create the venv if it doesn't exist | ||
|
||
[plugins] | ||
talhelper = "https://github.com/bjw-s/asdf-talhelper.git" |
Empty file.
@@ -0,0 +1,72 @@ | ||
--- | ||
# Tasks related to multi-cluster or cluster-level management, e.g. bootstrap | ||
version: "3" | ||
|
||
includes: | ||
flux: | ||
internal: true | ||
taskfile: ../flux | ||
|
||
vars: | ||
C: '{{.C | default "biohazard"}}' | ||
# APPLY: '{{.APPLY | default "0"}}' | ||
|
||
tasks: | ||
1p-vars-env-yq: | ||
vars: | ||
C: &c '{{ or .C (fail "Missing C environment variable for cluster!") }}' | ||
OUT: &out '{{ .OUT | default "yaml" }}' | ||
cmds: | ||
- op item get --vault {{.C}} ".{{.C}}-vars" --format=json | yq --input-format json --output-format {{ .OUT | default "yaml" }} '.fields | with(.[]; (.label | key) = "key") | (.[] | select(has("value") | not) | .value) |= "" | from_entries' | ||
|
||
1p-vars-env-shell: | ||
aliases: [1penv, openv] | ||
vars: | ||
C: *c | ||
# OUT: *out | ||
PRE_ARGS: '{{.PRE_ARGS}}' | ||
POST_ARGS: '{{.POST_ARGS}}' | ||
cmds: | ||
- | | ||
{{.PRE_ARGS}}op item get --vault {{.C}} ".{{.C}}-vars" --format=json | yq --input-format json '.fields | with(.[]; (.label | key) = "key") | (.[] | select(has("value") | not) | .value) |= "" | map(.key + "=" + (.value | @sh)) | .[]'{{.POST_ARGS}} {{.CLI_ARGS}} | ||
1p-vars-env-run: | ||
dir: '{{.USER_WORKING_DIR}}' | ||
vars: | ||
C: &c '{{ or .C (fail "Missing C environment variable for cluster!") }}' | ||
# OUT: *out | ||
cmds: | ||
- export $(task --taskfile /{{.ROOT_DIR}}/Taskfile.dist.yaml 1p-vars-env-shell C={{.C}}); {{.CLI_ARGS}} | ||
|
||
k8s-1p-connect-load-credentials: | ||
vars: | ||
C: *c | ||
cmds: | ||
- kubectl get namespace external-secrets || kubectl create namespace external-secrets | ||
- kubectl get namespace onepassword-connect || kubectl create namespace onepassword-connect | ||
# - kubectl delete secret -n onepassword-connect onepassword-connect-secrets || true | ||
- op read "op://{{.C}}/$(op item get --vault {{.C}} '{{.C}} Credentials File' --format=json | yq '.id')/1password-credentials.json" | kubectl create secret -n external-secrets generic onepassword-connect-secrets --from-file=1password-credentials.json=/dev/stdin | ||
- op read "op://{{.C}}/$(op item get --vault {{.C}} '{{.C}} Credentials File' --format=json | yq '.id')/1password-credentials.json" | kubectl create secret -n onepassword-connect generic onepassword-connect-secrets --from-file=1password-credentials.json=/dev/stdin | ||
# - kubectl rollout restart -n onepassword-connect deploy/onepassword-connect || true | ||
|
||
bootstrap: | ||
aliases: [bs] | ||
desc: Bootstrap Kubernetes to a GitOps managed stage after OS install. | ||
vars: | ||
C: *c | ||
cmds: | ||
- | | ||
kubectx || kubectl config current-context; read -p "BOOTSTRAP | ||
Press ENTER to confirm the Kubernetes context to bootstrap, or Control+C to exit. | ||
> "; read -p "RECONFIRM: Press ENTER again to really confirm. | ||
> " | ||
- task: flux:install | ||
- task: k8s-1p-connect-load-credentials | ||
vars: | ||
C: *c | ||
- task: 1p-vars-env-shell | ||
vars: | ||
C: *c | ||
POST_ARGS: " | kubectl create secret generic -n flux-system sinon-vars --from-env-file=/dev/stdin" | ||
- kubectl create secret generic -n flux-system sinon-secrets # currently nothing hopefully maybe? | ||
- op read "op://{{.C}}/Flux/agekey" | kubectl create secret generic -n flux-system agekey --from-file=age.agekey=/dev/stdin |
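Review bot: The `bootstrap` task is parameterized on `C` but the two Secrets it creates at the end are hard-coded to one cluster: `POST_ARGS: " | kubectl create secret generic -n flux-system sinon-vars --from-env-file=/dev/stdin"` and `kubectl create secret generic -n flux-system sinon-secrets`, so running it with `C=biohazard` would populate `sinon-vars` in the wrong cluster; `{{.C}}-vars` and `{{.C}}-secrets` keep the names aligned with the `substituteFrom` entries the cluster Kustomization expects. In `1p-vars-env-run`, `export $(task ... 1p-vars-env-shell C={{.C}})` word-splits the output but does not remove the single quotes that `@sh` adds, so values are most likely exported with literal quotes and any value containing a space is split into separate words; `set -a; eval "$(task --taskfile {{.ROOT_DIR}}/Taskfile.dist.yaml 1p-vars-env-shell C={{.C}})"; set +a; {{.CLI_ARGS}}` is the pairing `@sh` quoting is designed for (and drops the doubled slash in `/{{.ROOT_DIR}}`). The same `@sh`-quoted stream feeds `--from-env-file=/dev/stdin` in `bootstrap`, so it is worth inspecting the resulting Secret once for stray quote characters in its values.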
@@ -0,0 +1,5 @@ | ||
# Bootstrap Kubernetes cluster | ||
|
||
1. Install Flux in hostNetwork mode binded to localhost | ||
2. Load `${CLUSTER_NAME}-vars` (including 1Password and Hubble Vars) and 1Password Connect secrets (Connect credentials and ESO client token) from 1Password | ||
3. Load root ks (flux-repo.yaml) which installs Cilium |
This file was deleted.
@@ -0,0 +1,48 @@ | ||
--- | ||
# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json | ||
apiVersion: external-secrets.io/v1beta1 | ||
kind: ExternalSecret | ||
metadata: | ||
name: &name agekey | ||
namespace: flux-system | ||
spec: | ||
refreshInterval: 1m | ||
secretStoreRef: | ||
kind: ClusterSecretStore | ||
name: 1p | ||
dataFrom: | ||
- extract: | ||
key: "Flux" | ||
target: | ||
creationPolicy: Owner | ||
deletionPolicy: Retain | ||
name: *name | ||
template: | ||
type: Opaque | ||
data: | ||
age.agekey: '{{ .agekey }}' | ||
--- | ||
# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json | ||
apiVersion: external-secrets.io/v1beta1 | ||
kind: ExternalSecret | ||
metadata: | ||
name: &name github-ssh | ||
namespace: flux-system | ||
spec: | ||
refreshInterval: 1m | ||
secretStoreRef: | ||
kind: ClusterSecretStore | ||
name: 1p | ||
dataFrom: | ||
- extract: | ||
key: "Flux" | ||
target: | ||
creationPolicy: Owner | ||
deletionPolicy: Retain | ||
name: *name | ||
template: | ||
type: Opaque | ||
data: | ||
identity: '{{ .identity_b64 | b64dec }}' | ||
identity.pub: '{{ .identity_pub_b64 | b64dec }}' | ||
known_hosts: '{{ .known_hosts_b64 | b64dec }}' |
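Review bot: This file is identical to the second `externalsecret.yaml` added later in this commit (the `agekey` and `github-ssh` ExternalSecrets in `flux-system`), so the two copies will drift; defining them once in a shared kustomize base referenced from each cluster's `resources:` keeps the Flux credentials in one place. Both copies also poll the `Flux` 1Password item at `refreshInterval: 1m` for material that changes rarely (an age key and a deploy key); a longer interval cuts Connect traffic and 1Password audit noise with no functional change. Because these read through the cluster-scoped `1p` ClusterSecretStore, it is worth confirming (not visible here) that the store limits which namespaces may use it, otherwise any namespace can request the same items.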
This file was deleted.
This file was deleted.
This file was deleted.
@@ -0,0 +1,23 @@ | ||
cluster: | ||
id: '${cluster_id}' | ||
secret: '${cluster_secret}' | ||
secrets: | ||
bootstraptoken: '${secrets_bootstraptoken}' | ||
secretboxencryptionsecret: '${secrets_secretboxencryptionsecret}' | ||
trustdinfo: | ||
token: '${trustdinfo_token}' | ||
certs: | ||
etcd: | ||
crt: '${certs_etcd_crt}' | ||
key: '${certs_etcd_key}' | ||
k8s: | ||
crt: '${certs_k8s_crt}' | ||
key: '${certs_k8s_key}' | ||
k8saggregator: | ||
crt: '${certs_k8saggregator_crt}' | ||
key: '${certs_k8saggregator_key}' | ||
k8sserviceaccount: | ||
key: '${certs_k8sserviceaccount_key}' | ||
os: | ||
crt: '${certs_os_crt}' | ||
key: '${certs_os_key}' |
This file was deleted.
This file was deleted.
@@ -0,0 +1,14 @@ | ||
#!/bin/sh | ||
SSH_KNOWN_HOSTS=/dev/null ssh root@${IP} /bin/bash -c "\ | ||
curl -vLO 'https://github.com/siderolabs/talos/releases/download/v${TALOS_VERSION:=1.6.7}/metal-amd64.raw.xz'; | ||
fdisk -l ${DISK:=/dev/sdb}; | ||
sgdisk --zap-all ${DISK}; | ||
sgdisk --zap-all ${DISK}; | ||
wipefs --all --backup ${DISK}; | ||
wipefs --all --backup ${DISK}; | ||
fdisk -l ${DISK:=/dev/sdb}; | ||
xz -vv -d -c ./metal-amd64.raw.xz | dd of=${DISK} status=progress; | ||
sync; | ||
echo 3 > /proc/sys/vm/drop_caches; | ||
" |
This file was deleted.
This file was deleted.
This file was deleted.
This file was deleted.
This file was deleted.
@@ -0,0 +1,10 @@ | ||
# Sinon NAS | ||
Single-node NAS, powered by Talos. | ||
|
||
## Hardware | ||
+ i7-6700k | ||
+ 32GB RAM | ||
+ Mellanox ConnectX 2 10GbE | ||
+ ASUS ROG MAXIMUS VIII HERO | ||
+ 480GB Intel DC S3500 SATA SSD | ||
+ 2x WD Red Plus 12TB |
@@ -0,0 +1,20 @@ | ||
--- | ||
# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json | ||
apiVersion: external-secrets.io/v1beta1 | ||
kind: ExternalSecret | ||
metadata: | ||
name: &name sinon-secrets | ||
namespace: flux-system | ||
spec: | ||
refreshInterval: "1m" | ||
secretStoreRef: | ||
kind: ClusterSecretStore | ||
name: 1p | ||
target: | ||
name: *name | ||
creationPolicy: Owner | ||
deletionPolicy: Retain | ||
dataFrom: | ||
- find: | ||
name: | ||
regexp: "^SECRET_*" |
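Review bot: `regexp: "^SECRET_*"` is a regular expression, not a glob: `_*` means zero or more underscores and nothing anchors the right-hand side, so it matches any 1Password item whose name merely begins with `SECRET`, including names with no underscore at all, rather than only `SECRET_`-prefixed ones. The companion `externalsecret-vars.yaml` in this commit already moved from the `_*` form (left behind as a comment) to `_.*`; the equivalent fix here is `regexp: "^SECRET_.*"`, or just `"^SECRET_"` since the match is unanchored on the right. Every matching item lands in the single `sinon-secrets` Secret that the cluster Kustomization substitutes from, so an over-broad pattern silently widens what ends up there.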
@@ -0,0 +1,23 @@ | ||
--- | ||
# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json | ||
apiVersion: external-secrets.io/v1beta1 | ||
kind: ExternalSecret | ||
metadata: | ||
name: &name sinon-vars | ||
namespace: flux-system | ||
spec: | ||
refreshInterval: "1m" | ||
secretStoreRef: | ||
kind: ClusterSecretStore | ||
name: 1p | ||
target: | ||
name: *name | ||
creationPolicy: Owner | ||
deletionPolicy: Retain | ||
dataFrom: | ||
- extract: | ||
key: ".sinon-vars" | ||
- find: | ||
name: | ||
#regexp: "^(CLUSTER|DNS|IP|UID|PATH|VM|OSPF|ASN|APP_DNS|APP_IP|APP_UID|CONFIG|USERS|ADMIN)_*" | ||
regexp: "(^(?:CLUSTER|DNS|IP|UID|PATH|VM|OSPF|ASN|APP_DNS|APP_IP|APP_UID|CONFIG|USERS|ADMIN)_.*)" |
@@ -0,0 +1,20 @@ | ||
--- | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
resources: | ||
- ./externalsecret-secrets.yaml | ||
- ./externalsecret-vars.yaml | ||
#secretGenerator: | ||
# - name: biohazard-secrets | ||
# namespace: flux-system | ||
# envs: | ||
# - ./secrets.sops.env | ||
# - name: biohazard-vars | ||
# namespace: flux-system | ||
# envs: | ||
# - ./vars.sops.env | ||
generatorOptions: | ||
disableNameSuffixHash: true | ||
labels: | ||
kustomize.toolkit.fluxcd.io/ssa: "merge" | ||
kustomize.toolkit.fluxcd.io/prune: "disabled" |
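Review bot: The commented-out `secretGenerator` block still names `biohazard-secrets`/`biohazard-vars` and `*.sops.env` inputs inside what is the Sinon cluster's kustomization, so it is copy-paste residue from the cluster this was modelled on rather than a pending option; with this commit removing the SOPS env files it can be deleted outright. `generatorOptions` then applies to nothing, since the only resources are the two ExternalSecrets, and can go with it, leaving `resources:` as the whole file.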
@@ -0,0 +1,48 @@ | ||
--- | ||
# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json | ||
apiVersion: external-secrets.io/v1beta1 | ||
kind: ExternalSecret | ||
metadata: | ||
name: &name agekey | ||
namespace: flux-system | ||
spec: | ||
refreshInterval: 1m | ||
secretStoreRef: | ||
kind: ClusterSecretStore | ||
name: 1p | ||
dataFrom: | ||
- extract: | ||
key: "Flux" | ||
target: | ||
creationPolicy: Owner | ||
deletionPolicy: Retain | ||
name: *name | ||
template: | ||
type: Opaque | ||
data: | ||
age.agekey: '{{ .agekey }}' | ||
--- | ||
# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json | ||
apiVersion: external-secrets.io/v1beta1 | ||
kind: ExternalSecret | ||
metadata: | ||
name: &name github-ssh | ||
namespace: flux-system | ||
spec: | ||
refreshInterval: 1m | ||
secretStoreRef: | ||
kind: ClusterSecretStore | ||
name: 1p | ||
dataFrom: | ||
- extract: | ||
key: "Flux" | ||
target: | ||
creationPolicy: Owner | ||
deletionPolicy: Retain | ||
name: *name | ||
template: | ||
type: Opaque | ||
data: | ||
identity: '{{ .identity_b64 | b64dec }}' | ||
identity.pub: '{{ .identity_pub_b64 | b64dec }}' | ||
known_hosts: '{{ .known_hosts_b64 | b64dec }}' |
@@ -0,0 +1,387 @@ | ||
--- | ||
apiVersion: source.toolkit.fluxcd.io/v1 | ||
kind: GitRepository | ||
metadata: | ||
name: flux-system | ||
namespace: flux-system | ||
spec: | ||
interval: 10m0s | ||
url: ssh://git@github.com/JJGadgets/Biohazard | ||
ref: | ||
branch: main | ||
#secretRef: | ||
# name: github-ssh | ||
ignore: | | ||
# exclude all to whitelist | ||
/* | ||
# include Kubernetes | ||
!/kube | ||
--- | ||
apiVersion: kustomize.toolkit.fluxcd.io/v1 | ||
kind: Kustomization | ||
metadata: | ||
name: 0-sinon-config | ||
# I wanna see it on the top lol | ||
namespace: flux-system | ||
labels: | ||
kustomization.flux.home.arpa/name: "flux" | ||
kustomization.flux.home.arpa/default: "false" | ||
wait.flux.home.arpa/disabled: "true" | ||
kustomization.flux.home.arpa/helmpatches: "false" | ||
spec: | ||
interval: 5m0s | ||
path: ./kube/clusters/sinon/flux | ||
prune: false | ||
wait: false | ||
sourceRef: | ||
kind: GitRepository | ||
name: flux-system | ||
decryption: | ||
provider: sops | ||
secretRef: | ||
name: agekey | ||
postBuild: | ||
substitute: | ||
# renovate: datasource=docker depName=ghcr.io/fluxcd/flux-manifests | ||
FLUXCD_VERSION: "v2.2.3" | ||
substituteFrom: | ||
- kind: Secret | ||
name: sinon-vars | ||
optional: false | ||
- kind: Secret | ||
name: sinon-secrets | ||
optional: false | ||
# - kind: ConfigMap | ||
# name: sinon-versions | ||
# optional: false | ||
patches: | ||
- patch: |- | ||
apiVersion: kustomize.toolkit.fluxcd.io/v1 | ||
kind: Kustomization | ||
metadata: | ||
name: not-used | ||
spec: | ||
interval: 5m0s | ||
timeout: 10m0s | ||
decryption: | ||
provider: sops | ||
secretRef: | ||
name: agekey | ||
target: | ||
group: kustomize.toolkit.fluxcd.io | ||
version: v1 | ||
kind: Kustomization | ||
- patch: |- | ||
apiVersion: kustomize.toolkit.fluxcd.io/v1 | ||
kind: Kustomization | ||
metadata: | ||
name: not-used | ||
spec: | ||
sourceRef: | ||
kind: GitRepository | ||
name: flux-system | ||
target: | ||
group: kustomize.toolkit.fluxcd.io | ||
version: v1 | ||
kind: Kustomization | ||
labelSelector: kustomization.flux.home.arpa/default notin (false) | ||
- patch: | | ||
- op: add | ||
path: /spec/dependsOn/- | ||
value: | ||
name: 0-sinon-config | ||
target: | ||
group: kustomize.toolkit.fluxcd.io | ||
version: v1 | ||
kind: Kustomization | ||
labelSelector: kustomization.flux.home.arpa/default notin (false) | ||
- patch: | | ||
- op: add | ||
path: /spec/dependsOn/- | ||
value: | ||
name: 1-core-1-networking-cilium-app | ||
target: | ||
group: kustomize.toolkit.fluxcd.io | ||
version: v1 | ||
kind: Kustomization | ||
labelSelector: kustomization.flux.home.arpa/name notin (cilium, flux, kubevirt) | ||
- patch: | | ||
- op: add | ||
path: /spec/dependsOn/- | ||
value: | ||
name: 1-core-kyverno-crds | ||
target: | ||
group: kustomize.toolkit.fluxcd.io | ||
version: v1 | ||
kind: Kustomization | ||
labelSelector: kustomization.flux.home.arpa/default notin (false) | ||
- patch: | | ||
- op: add | ||
path: /spec/dependsOn/- | ||
value: | ||
name: 1-core-monitoring-prom-crds | ||
target: | ||
group: kustomize.toolkit.fluxcd.io | ||
version: v1 | ||
kind: Kustomization | ||
labelSelector: kustomization.flux.home.arpa/default notin (false) | ||
- patch: | | ||
- op: add | ||
path: /spec/dependsOn/- | ||
value: | ||
name: zzz-flux-repos-helm | ||
target: | ||
group: kustomize.toolkit.fluxcd.io | ||
version: v1 | ||
kind: Kustomization | ||
labelSelector: kustomization.flux.home.arpa/default notin (false) | ||
- patch: |- | ||
apiVersion: kustomize.toolkit.fluxcd.io/v1 | ||
kind: Kustomization | ||
metadata: | ||
name: not-used | ||
spec: | ||
postBuild: | ||
substituteFrom: | ||
- kind: Secret | ||
name: sinon-vars | ||
optional: false | ||
- kind: Secret | ||
name: sinon-secrets | ||
optional: false | ||
target: | ||
group: kustomize.toolkit.fluxcd.io | ||
version: v1 | ||
kind: Kustomization | ||
labelSelector: substitution.flux.home.arpa/disabled notin (true) | ||
- patch: |- | ||
apiVersion: kustomize.toolkit.fluxcd.io/v1 | ||
kind: Kustomization | ||
metadata: | ||
name: not-used | ||
spec: | ||
prune: true | ||
target: | ||
group: kustomize.toolkit.fluxcd.io | ||
version: v1 | ||
kind: Kustomization | ||
labelSelector: prune.flux.home.arpa/disabled notin (true) | ||
- patch: |- | ||
apiVersion: kustomize.toolkit.fluxcd.io/v1 | ||
kind: Kustomization | ||
metadata: | ||
name: not-used | ||
spec: | ||
prune: false | ||
target: | ||
group: kustomize.toolkit.fluxcd.io | ||
version: v1 | ||
kind: Kustomization | ||
labelSelector: prune.flux.home.arpa/disabled=true | ||
- patch: |- | ||
apiVersion: kustomize.toolkit.fluxcd.io/v1 | ||
kind: Kustomization | ||
metadata: | ||
name: not-used | ||
spec: | ||
prune: true | ||
target: | ||
group: kustomize.toolkit.fluxcd.io | ||
version: v1 | ||
kind: Kustomization | ||
labelSelector: prune.flux.home.arpa/enabled=true | ||
- patch: |- | ||
apiVersion: kustomize.toolkit.fluxcd.io/v1 | ||
kind: Kustomization | ||
metadata: | ||
name: not-used | ||
spec: | ||
wait: true | ||
target: | ||
group: kustomize.toolkit.fluxcd.io | ||
version: v1 | ||
kind: Kustomization | ||
labelSelector: wait.flux.home.arpa/disabled notin (true) | ||
- patch: |- | ||
apiVersion: kustomize.toolkit.fluxcd.io/v1 | ||
kind: Kustomization | ||
metadata: | ||
name: not-used | ||
spec: | ||
wait: false | ||
target: | ||
group: kustomize.toolkit.fluxcd.io | ||
version: v1 | ||
kind: Kustomization | ||
labelSelector: wait.flux.home.arpa/disabled=true | ||
- patch: |- | ||
apiVersion: kustomize.toolkit.fluxcd.io/v1 | ||
kind: Kustomization | ||
metadata: | ||
name: not-used | ||
spec: | ||
patches: | ||
- patch: |- | ||
apiVersion: helm.toolkit.fluxcd.io/v2beta1 | ||
kind: HelmRelease | ||
metadata: | ||
name: not-used | ||
spec: | ||
interval: 5m | ||
timeout: 15m | ||
maxHistory: 10 | ||
install: | ||
crds: CreateReplace | ||
createNamespace: true | ||
remediation: | ||
retries: 5 | ||
upgrade: | ||
crds: CreateReplace | ||
cleanupOnFail: true | ||
remediation: | ||
retries: 5 | ||
strategy: rollback | ||
rollback: | ||
recreate: true | ||
cleanupOnFail: true | ||
uninstall: | ||
keepHistory: false | ||
target: | ||
group: helm.toolkit.fluxcd.io | ||
version: v2beta1 | ||
kind: HelmRelease | ||
labelSelector: helm.flux.home.arpa/default notin (false) | ||
- patch: |- | ||
apiVersion: helm.toolkit.fluxcd.io/v2beta1 | ||
kind: HelmRelease | ||
metadata: | ||
name: not-used | ||
spec: | ||
chart: | ||
spec: | ||
chart: app-template | ||
version: 1.2.1 | ||
sourceRef: | ||
name: bjw-s | ||
target: | ||
group: helm.toolkit.fluxcd.io | ||
version: v2beta1 | ||
kind: HelmRelease | ||
labelSelector: helm.flux.home.arpa/app-template=true | ||
- patch: |- | ||
apiVersion: helm.toolkit.fluxcd.io/v2beta1 | ||
kind: HelmRelease | ||
metadata: | ||
name: not-used | ||
spec: | ||
values: | ||
ingress: | ||
main: | ||
annotations: | ||
nginx.ingress.kubernetes.io/auth-url: |- | ||
http://authentik.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx | ||
nginx.ingress.kubernetes.io/auth-response-headers: |- | ||
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid | ||
nginx.ingress.kubernetes.io/auth-snippet: | | ||
proxy_set_header X-Forwarded-Host $http_host; | ||
target: | ||
group: helm.toolkit.fluxcd.io | ||
version: v2beta1 | ||
kind: HelmRelease | ||
labelSelector: nginx.ingress.home.arpa/type in (auth, auth-external, auth-external-only) | ||
- patch: |- | ||
apiVersion: helm.toolkit.fluxcd.io/v2beta1 | ||
kind: HelmRelease | ||
metadata: | ||
name: not-used | ||
spec: | ||
values: | ||
ingress: | ||
main: | ||
annotations: | ||
nginx.ingress.kubernetes.io/satisfy: "any" | ||
nginx.ingress.kubernetes.io/whitelist-source-range: | | ||
10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10 | ||
target: | ||
group: helm.toolkit.fluxcd.io | ||
version: v2beta1 | ||
kind: HelmRelease | ||
labelSelector: nginx.ingress.home.arpa/type in (auth-external-only) | ||
- patch: |- | ||
apiVersion: helm.toolkit.fluxcd.io/v2beta2 | ||
kind: HelmRelease | ||
metadata: | ||
name: not-used | ||
spec: | ||
interval: 5m | ||
timeout: 15m | ||
maxHistory: 10 | ||
install: | ||
crds: CreateReplace | ||
createNamespace: true | ||
remediation: | ||
retries: 5 | ||
upgrade: | ||
crds: CreateReplace | ||
cleanupOnFail: true | ||
remediation: | ||
retries: 5 | ||
strategy: uninstall | ||
rollback: | ||
recreate: true | ||
cleanupOnFail: true | ||
uninstall: | ||
keepHistory: false | ||
driftDetection: | ||
mode: warn # TODO: verify all running apps don't have drift, and enable | ||
ignore: | ||
- paths: ["/spec/replicas"] # helpful for scaling things down during debugging/troubleshooting without Helm interfering | ||
target: | ||
group: helm.toolkit.fluxcd.io | ||
version: v2beta2 | ||
kind: HelmRelease | ||
labelSelector: helm.flux.home.arpa/default notin (false) | ||
- patch: |- | ||
apiVersion: helm.toolkit.fluxcd.io/v2beta2 | ||
kind: HelmRelease | ||
metadata: | ||
name: not-used | ||
spec: | ||
values: | ||
ingress: | ||
main: | ||
annotations: | ||
nginx.ingress.kubernetes.io/auth-url: |- | ||
http://authentik.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx | ||
nginx.ingress.kubernetes.io/auth-response-headers: |- | ||
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid | ||
nginx.ingress.kubernetes.io/auth-snippet: | | ||
proxy_set_header X-Forwarded-Host $http_host; | ||
target: | ||
group: helm.toolkit.fluxcd.io | ||
version: v2beta2 | ||
kind: HelmRelease | ||
labelSelector: nginx.ingress.home.arpa/type in (auth, auth-external, auth-external-only) | ||
- patch: |- | ||
apiVersion: helm.toolkit.fluxcd.io/v2beta2 | ||
kind: HelmRelease | ||
metadata: | ||
name: not-used | ||
spec: | ||
values: | ||
ingress: | ||
main: | ||
annotations: | ||
nginx.ingress.kubernetes.io/satisfy: "any" | ||
nginx.ingress.kubernetes.io/whitelist-source-range: | | ||
10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10 | ||
target: | ||
group: helm.toolkit.fluxcd.io | ||
version: v2beta2 | ||
kind: HelmRelease | ||
labelSelector: nginx.ingress.home.arpa/type in (auth-external-only) | ||
target: | ||
group: kustomize.toolkit.fluxcd.io | ||
version: v1 | ||
kind: Kustomization | ||
labelSelector: kustomization.flux.home.arpa/helmpatches notin (false) |
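Review bot: The `GitRepository` uses `url: ssh://git@github.com/JJGadgets/Biohazard` but its `secretRef` is commented out (`#secretRef:` / `# name: github-ssh`), so source-controller has neither the deploy key nor the `known_hosts` entry it needs to clone over SSH, and the `github-ssh` ExternalSecret this commit adds to `flux-system` appears to go unused; either restore `secretRef: {name: github-ssh}` or switch the URL to `https://` if the repository is public. The `known_hosts` field in that secret is also what gives the clone host-key verification, so the SSH path with the secret referenced is the one to prefer for a private repository. The Kustomization still carries `decryption: provider: sops` with `secretRef: name: agekey` although the commit message removes SOPS secrets for this cluster; if nothing under `./kube/clusters/sinon/flux` is SOPS-encrypted any more, that block and the bootstrap step creating `agekey` are dead weight, though harmless if other paths still rely on them.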
@@ -0,0 +1,129 @@ | ||
--- | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
resources: | ||
- externalsecret.yaml | ||
- ../config/ | ||
#- flux-install.yaml | ||
- ../../../bootstrap/flux/flux-install-localhost.yaml | ||
- flux-repo.yaml | ||
- ../../../repos/flux/ | ||
- ../../../deploy/core/_networking/cilium/ | ||
#- ../../../deploy/core/_networking/multus/ | ||
#- ../../../deploy/core/_networking/tailscale/ | ||
# - ../../../deploy/core/_networking/frr/ | ||
#- ../../../deploy/core/_networking/bird/ | ||
- ../../../deploy/core/spegel/ | ||
- ../../../deploy/core/kyverno/_deps/ | ||
#- ../../../deploy/core/kyverno/ | ||
- ../../../deploy/core/monitoring/_deps/ | ||
- ../../../deploy/core/secrets/onepassword-connect/ | ||
- ../../../deploy/core/secrets/external-secrets/ | ||
- ../../../deploy/core/secrets/reflector/ | ||
- ../../../deploy/core/storage/fstrim/ | ||
##- ../../../deploy/core/storage/minio-nas/ | ||
#- ../../../deploy/core/storage/_external-snapshotter/ | ||
#- ../../../deploy/core/storage/_csi-addons/ | ||
#- ../../../deploy/core/storage/rook-ceph/ | ||
##- ../../../deploy/core/storage/rook-ceph/cluster/ | ||
#- ../../../deploy/core/storage/democratic-csi/_deps/ | ||
#- ../../../deploy/core/storage/democratic-csi/local-hostpath/ | ||
#- ../../../deploy/core/storage/democratic-csi/manual/ | ||
##- ../../../deploy/core/storage/csi-driver-nfs/ | ||
#- ../../../deploy/core/storage/volsync/ | ||
#- ../../../deploy/core/tls/cert-manager/ | ||
#- ../../../deploy/core/dns/internal/_deps/ | ||
#- ../../../deploy/core/dns/internal/k8s-gateway/ | ||
#- ../../../deploy/core/dns/external-dns/ | ||
#- ../../../deploy/core/ingress/_deps/ | ||
#- ../../../deploy/core/ingress/secrets-sync/ | ||
#- ../../../deploy/core/ingress/ingress-nginx/ | ||
#- ../../../deploy/core/ingress/cloudflare/ | ||
#- ../../../deploy/core/ingress/external-proxy-x/ | ||
##- ../../../deploy/core/db/pg/ | ||
##- ../../../deploy/core/db/pg/clusters/default/ | ||
##- ../../../deploy/core/db/pg/clusters/home/ | ||
#- ../../../deploy/core/monitoring/metrics-server/ | ||
#- ../../../deploy/core/monitoring/kps/ | ||
#- ../../../deploy/core/monitoring/victoria/ | ||
#- ../../../deploy/core/monitoring/grafana/ | ||
#- ../../../deploy/core/monitoring/alertmanager/ | ||
#- ../../../deploy/core/monitoring/karma/ | ||
#- ../../../deploy/core/monitoring/node-exporter/ | ||
#- ../../../deploy/core/monitoring/smartctl-exporter/ | ||
#- ../../../deploy/core/monitoring/intel-gpu-exporter/ | ||
#- ../../../deploy/core/hardware/node-feature-discovery/ | ||
#- ../../../deploy/core/hardware/intel-device-plugins/ | ||
#- ../../../deploy/core/flux-system/ | ||
- ../../../deploy/core/reloader/ | ||
##- ../../../deploy/core/system-upgrade-controller/ | ||
##- ../../../deploy/core/system-upgrade-controller/plans/talos/ | ||
- ../../../deploy/apps/ # for the namespace | ||
#- ../../../deploy/apps/tetragon/ | ||
## - ../../../deploy/apps/renovate/ | ||
## - ../../../deploy/apps/kubevirt/ | ||
#- ../../../deploy/apps/default/ | ||
##- ../../../deploy/apps/whoogle/ | ||
##- ../../../deploy/apps/searxng/ | ||
##- ../../../deploy/apps/cyberchef/ | ||
##- ../../../deploy/apps/gokapi/ | ||
##- ../../../deploy/apps/minecraft/ | ||
##- ../../../deploy/apps/minecraft2/ | ||
##- ../../../deploy/apps/sandstorm/ | ||
##- ../../../deploy/apps/jellyfin/ | ||
##- ../../../deploy/apps/kavita/ | ||
##- ../../../deploy/apps/authentik/ | ||
##- ../../../deploy/apps/kanidm/ | ||
###- ../../../deploy/apps/syncthing/ # TODO: re-add once fixed up | ||
##- ../../../deploy/apps/excalidraw/ | ||
##- ../../../deploy/apps/velociraptor/ | ||
##- ../../../deploy/apps/gotosocial/ | ||
##- ../../../deploy/apps/ntfy/ | ||
##- ../../../deploy/apps/satisfactory/ | ||
### - ../../../deploy/apps/headscale/ | ||
##- ../../../deploy/apps/zipline/ | ||
##- ../../../deploy/apps/kah/ | ||
##- ../../../deploy/apps/thelounge/ | ||
##- ../../../deploy/apps/atuin/ | ||
##- ../../../deploy/apps/miniflux/ | ||
##- ../../../deploy/apps/elk/ | ||
##- ../../../deploy/apps/firefly/ | ||
##- ../../../deploy/apps/libreddit/ | ||
###- ../../../deploy/apps/livestream/ | ||
###- ../../../deploy/apps/livestream/oven | ||
##- ../../../deploy/apps/soft-serve/ | ||
##- ../../../deploy/apps/neko/ | ||
##- ../../../deploy/apps/joplin/ | ||
##- ../../../deploy/apps/piped/ | ||
##- ../../../deploy/apps/phanpy/ | ||
###- ../../../deploy/apps/psono/ | ||
##- ../../../deploy/apps/audiobookshelf/ | ||
##- ../../../deploy/apps/paperless-ngx/ | ||
##- ../../../deploy/apps/grocy/ | ||
###- ../../../deploy/apps/nextcloud/ | ||
##- ../../../deploy/apps/nfs-web/ | ||
##- ../../../deploy/apps/readeck/ | ||
##- ../../../deploy/apps/k8s-schemas/ | ||
##- ../../../deploy/apps/restic-rest-nfs/ | ||
##- ../../../deploy/apps/home-assistant/ | ||
##- ../../../deploy/apps/go-discord-modtools/ | ||
##- ../../../deploy/apps/findmydeviceserver/ | ||
##- ../../../deploy/apps/redbot/ | ||
##- ../../../deploy/apps/code-server/ | ||
##- ../../../deploy/apps/media-edit/ | ||
##- ../../../deploy/apps/homebox/ | ||
##- ../../../deploy/apps/vikunja/ | ||
##- ../../../deploy/apps/reactive-resume/ | ||
##- ../../../deploy/apps/linkding/ | ||
##- ../../../deploy/apps/collabora/ | ||
##- ../../../deploy/apps/ocis/ | ||
##- ../../../deploy/apps/navidrome/ | ||
##- ../../../deploy/apps/goatcounter/ | ||
##- ../../../deploy/apps/ollama/ | ||
##- ../../../deploy/apps/davis/ | ||
##- ../../../deploy/apps/immich/ | ||
##- ../../../deploy/apps/kromgo/ | ||
##- ../../../deploy/vm/_kubevirt/ | ||
###- ../../../deploy/vm/_base/ | ||
##- ../../../deploy/vm/ad/ | ||
##- ../../../deploy/vm/jj/ |
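Review bot: Sinon boots with no admission policy engine: `- ../../../deploy/core/kyverno/_deps/` is included while `#- ../../../deploy/core/kyverno/` stays commented out, so the dependencies land without the controller that would enforce anything. If that is deliberate for the bootstrap stage, a one-line comment next to the commented entry such as `# kyverno controller enabled later, after core services are up` makes the intent auditable instead of looking like an oversight. The long tail of `##-`/`###-` entries appears to be carried over from another cluster's list; trimming it to services that will ever run on a NAS cluster, or heading the file with `# baseline copied from biohazard; uncomment per-service as needed`, would make it obvious which services sinon actually deploys.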
@@ -0,0 +1,203 @@ | ||
--- | ||
clusterName: sinon | ||
talosVersion: v1.6.4 | ||
kubernetesVersion: v1.29.2 | ||
endpoint: "https://sinon.${DNS_CLUSTER}:6443" | ||
allowSchedulingOnMasters: true | ||
allowSchedulingOnControlPlanes: true | ||
|
||
cniConfig: | ||
name: none | ||
#name: custom | ||
#urls: | ||
# - https://raw.githubusercontent.com/cloudnativelabs/kube-router/v2.1.1/daemonset/generic-kuberouter-all-features.yaml | ||
|
||
clusterPodNets: | ||
- "${IP_POD_CIDR_V4}" | ||
#- "${IP_POD_CIDR_V6}" | ||
clusterSvcNets: | ||
- "${IP_SVC_CIDR_V4}" | ||
#- "${IP_SVC_CIDR_V6}" | ||
|
||
additionalApiServerCertSans: &san | ||
- "127.0.0.1" # KubePrism | ||
additionalMachineCertSans: *san | ||
|
||
nodes: | ||
|
||
- &m720q | ||
hostname: "sinon.${DNS_CLUSTER}" # i7-6700k 4C8T, 32GB RAM, 480GB OS Intel DC S3500 SATA SSD | ||
ipAddress: "${IP_SINON}" | ||
controlPlane: true | ||
installDiskSelector: | ||
size: "<= 600GB" | ||
type: "ssd" | ||
nameservers: ["${IP_HOME_DNS}"] | ||
disableSearchDomain: true | ||
networkInterfaces: | ||
- interface: lo | ||
addresses: ["127.0.0.1/8", "127.0.0.31/8", "127.0.0.32/8", "127.0.0.33/8"] | ||
- &m720q-net | ||
mtu: 1500 | ||
dhcp: false | ||
deviceSelector: | ||
driver: "e1000e" | ||
vlans: | ||
- &m720q-v58 | ||
vlanId: 58 | ||
mtu: 1500 | ||
dhcp: false | ||
addresses: ["${IP_SINON}/28", "${IP_SINON_V6}/64"] | ||
routes: | ||
- network: "${IP_ROUTER_VLAN_K8S_CIDR}" | ||
metric: 1 | ||
- network: "0.0.0.0/0" | ||
gateway: "${IP_ROUTER_VLAN_K8S}" | ||
#machineFiles: | ||
# - &ts | ||
# op: create | ||
# path: /var/etc/tailscale/auth.env | ||
# permissions: 0o600 | ||
# content: | | ||
# TS_KUBE_SECRET="" | ||
# TS_STATE_DIR=/var/lib/tailscale | ||
# TS_USERSPACE=false | ||
# TS_ACCEPT_DNS=false | ||
# - &tsNode | ||
# op: append | ||
# path: /var/etc/tailscale/auth.env | ||
# permissions: 0o600 | ||
# content: | | ||
# TS_HOSTNAME=sinon | ||
# TS_EXTRA_ARGS=--accept-routes=false --netfilter-mode=off --snat-subnet-routes=false --advertise-tags=tag:talos,tag:sinon | ||
# TS_AUTHKEY=${SECRET_TAILSCALE_TALOS_AUTHKEY_SINON} | ||
# TS_ROUTES=${IP_SINON}/32 | ||
schematic: | ||
customization: | ||
systemExtensions: | ||
officialExtensions: | ||
- siderolabs/i915-ucode | ||
- siderolabs/intel-ucode | ||
- siderolabs/iscsi-tools | ||
#- siderolabs/tailscale | ||
|
||
patches: | ||
# set all disks to no scheduler | ||
- |- | ||
machine: | ||
udev: | ||
rules: | ||
- |- | ||
SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ATTR{queue/scheduler}="none" | ||
- &kubeletExtraArgs |- | ||
- op: add | ||
path: /machine/kubelet/extraArgs | ||
value: | ||
feature-gates: GracefulNodeShutdown=true,ServerSideApply=true | ||
|
||
- &machinePatch |- | ||
machine: | ||
install: | ||
bootloader: true | ||
network: | ||
extraHostEntries: | ||
- ip: "${IP_SINON}" | ||
aliases: ["sinon.${DNS_CLUSTER}"] | ||
- ip: "${IP_BIOHAZARD_VIP}" | ||
aliases: ["c.${DNS_BIOHAZARD}"] | ||
- ip: "${IP_ROUTER_VLAN_K8S}" | ||
aliases: ["c.${DNS_BIOHAZARD}"] | ||
- ip: "${IP_ROUTER_VLAN_K8S_PREFIX}1" | ||
aliases: ["c.${DNS_BIOHAZARD}", "ange.${DNS_BIOHAZARD}", "biohazard.mesh.cilium.io"] | ||
- ip: "${IP_ROUTER_VLAN_K8S_PREFIX}2" | ||
aliases: ["c.${DNS_BIOHAZARD}", "charlotte.${DNS_BIOHAZARD}", "biohazard.mesh.cilium.io"] | ||
- ip: "${IP_ROUTER_VLAN_K8S_PREFIX}3" | ||
aliases: ["c.${DNS_BIOHAZARD}", "chise.${DNS_BIOHAZARD}", "biohazard.mesh.cilium.io"] | ||
- ip: "${IP_HERCULES}" | ||
aliases: ["hercules.mesh.cilium.io"] | ||
time: | ||
disabled: false | ||
servers: ["${IP_ROUTER_LAN}"] | ||
bootTimeout: 2m0s | ||
|
||
- &clusterPatch |- | ||
cluster: | ||
allowSchedulingOnMasters: true | ||
allowSchedulingOnControlPlanes: true | ||
discovery: | ||
enabled: true | ||
registries: | ||
kubernetes: | ||
disabled: false | ||
service: | ||
disabled: true | ||
proxy: | ||
disabled: true | ||
|
||
- &kubePrism |- | ||
machine: | ||
features: | ||
kubePrism: | ||
enabled: true | ||
port: 7445 | ||
|
||
- &kubeletSubnet |- | ||
machine: | ||
kubelet: | ||
nodeIP: | ||
validSubnets: | ||
- "${IP_ROUTER_VLAN_K8S_CIDR}" | ||
|
||
- &kubeletConfig |- | ||
machine: | ||
kubelet: | ||
extraConfig: | ||
maxPods: 200 | ||
|
||
# patch containerd for spegel (discard) | ||
- |- | ||
machine: | ||
files: | ||
- op: create | ||
path: /etc/cri/conf.d/20-customization.part | ||
permissions: 0o644 | ||
content: | | ||
[plugins."io.containerd.grpc.v1.cri"] | ||
enable_unprivileged_ports = true | ||
enable_unprivileged_icmp = true | ||
[plugins."io.containerd.grpc.v1.cri".containerd] | ||
discard_unpacked_layers = false | ||
controlPlane: | ||
patches: | ||
|
||
- &apiServerExtraArgs |- | ||
- op: add | ||
path: /cluster/apiServer/extraArgs | ||
value: | ||
feature-gates: GracefulNodeShutdown=true,ServerSideApply=true | ||
|
||
- &apiServerResources |- | ||
cluster: | ||
apiServer: | ||
resources: | ||
requests: | ||
cpu: 200m | ||
memory: 2Gi | ||
limits: | ||
memory: 8Gi | ||
|
||
- &nodeCidrSize |- | ||
- op: add | ||
path: /cluster/controllerManager/extraArgs | ||
value: | ||
node-cidr-mask-size: 24 | ||
|
||
- &etcdSubnetMetrics |- | ||
cluster: | ||
etcd: | ||
advertisedSubnets: | ||
- "${IP_ROUTER_VLAN_K8S_CIDR}" | ||
extraArgs: | ||
listen-metrics-urls: "http://0.0.0.0:2381" |
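Review bot: `listen-metrics-urls: "http://0.0.0.0:2381"` exposes etcd's unauthenticated /metrics and /health endpoints on every interface of the node, while `advertisedSubnets` just above deliberately scopes etcd to `${IP_ROUTER_VLAN_K8S_CIDR}`; binding the metrics listener the same way, e.g. `listen-metrics-urls: "http://${IP_SINON}:2381"`, keeps the two consistent and stops the scrape endpoint from leaking onto other VLANs (confirm the scraper reaches the node on that address). The containerd patch comment `# patch containerd for spegel (discard)` only explains `discard_unpacked_layers`; `enable_unprivileged_ports` and `enable_unprivileged_icmp` let unprivileged containers bind ports below 1024 and open ICMP sockets, which deserves its own comment so the relaxation is not mistaken for part of the Spegel requirement. The `feature-gates: GracefulNodeShutdown=true,ServerSideApply=true` entries on both the kubelet and the apiServer name GA features; to my recollection the ServerSideApply gate was removed a few minor versions before the pinned v1.29.2, so verify each component still accepts it and drop it if it is a no-op or an error.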
@@ -0,0 +1,23 @@ | ||
cluster: | ||
id: '${cluster_id}' | ||
secret: '${cluster_secret}' | ||
secrets: | ||
bootstraptoken: '${secrets_bootstraptoken}' | ||
secretboxencryptionsecret: '${secrets_secretboxencryptionsecret}' | ||
trustdinfo: | ||
token: '${trustdinfo_token}' | ||
certs: | ||
etcd: | ||
crt: '${certs_etcd_crt}' | ||
key: '${certs_etcd_key}' | ||
k8s: | ||
crt: '${certs_k8s_crt}' | ||
key: '${certs_k8s_key}' | ||
k8saggregator: | ||
crt: '${certs_k8saggregator_crt}' | ||
key: '${certs_k8saggregator_key}' | ||
k8sserviceaccount: | ||
key: '${certs_k8sserviceaccount_key}' | ||
os: | ||
crt: '${certs_os_crt}' | ||
key: '${certs_os_key}' |
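Review bot: Every value in this talsecret template is a quoted `${...}` placeholder, so an unset variable at render time yields a syntactically valid file with an empty CA, key or token rather than a failure; make sure the step that injects the 1Password values (not visible in this hunk) runs in a fail-on-unset mode so a typo in a variable name cannot produce a cluster bootstrapped with empty secrets. A header comment such as `# rendered from 1Password by the bootstrap task; never commit a filled-in copy` would also tell the next reader that this file is intentionally placeholder-only.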
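--- a/kube/deploy/core/_networking/cilium/app/config/sinon/helm-values.yaml
+++ b/kube/deploy/core/_networking/cilium/app/config/sinon/helm-values.yaml
@@ -0,0 +1,110 @@
+---
+## NOTE: required for Talos
+securityContext:
+  #privileged: true
+  capabilities:
+    ciliumAgent: [CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID]
+    cleanCiliumState: [NET_ADMIN,SYS_ADMIN,SYS_RESOURCE]
+cgroup:
+  autoMount:
+    enabled: false
+  hostRoot: "/sys/fs/cgroup"
+
+## NOTE: Cluster identification, mainly for ClusterMesh
+cluster:
+  name: "sinon"
+  id: "2"
+
+## NOTE: ClusterMesh, for connecting multiple clusters
+# clustermesh:
+#   useAPIServer: true
+#   apiserver:
+#     replicas: 1
+#     service:
+#       type: "NodePort"
+#       nodePort: 32371
+#       # type: "LoadBalancer"
+#       # annotations:
+#       #   "io.cilium/lb-ipam-ips": "${IP_CILIUM_CLUSTERMESH_BIOHAZARD}"
+#   config:
+#     enabled: true
+#     clusters:
+#       - name: "hercules"
+#         port: 32372
+#         ips: ["${IP_HERCULES}"]
+
+## NOTE: Cilium's routing modes for inter-nodes pod traffic
+routingMode: native
+autoDirectNodeRoutes: true
+ipv4NativeRoutingCIDR: "${IP_POD_CIDR_V4}"
+loadBalancer:
+  algorithm: maglev
+  mode: dsr
+### using Geneve tunnel for simpler routing and easier ClusterMesh across WireGuard
+# routingMode: tunnel
+# tunnelProtocol: geneve
+# loadBalancer:
+#   algorithm: maglev
+#   mode: dsr
+#   dsrDispatch: geneve
+#   acceleration: best-effort
+
+## NOTE: Cilium's networking internals
+ipam:
+  mode: kubernetes
+kubeProxyReplacement: strict
+### Talos 1.5 and above come with KubePrism which is an internal TCP load balancer for kube-apiserver. DO NOT COPY IF NOT ON TALOS OR A KUBEPRISM-SUPPORTED KUBERNETES DISTRIBUTION!!!
+k8sServiceHost: "127.0.0.1"
+k8sServicePort: "7445"
+kubeProxyReplacementHealthzBindAddr: "0.0.0.0:10256"
+
+## NOTE: Cilium can automatically kill and respawn pods upon ConfigMap updates or other resource changes
+rollOutCiliumPods: true
+operator:
+  rollOutPods: true
+
+## NOTE: Cilium L2 LoadBalancer service IP announcements
+externalIPs:
+  enabled: true
+l2announcements:
+  enabled: true
+  leaseDuration: "120s"
+  leaseRenewDeadline: "60s"
+  leaseRetryPeriod: "1s"
+k8sClientRateLimit: # I set this high so I don't have to think about it later LOL
+  qps: 50
+  burst: 100
+
+## NOTE: Cilium additional features and/or CRDs
+bpf:
+  masquerade: false # not beneficial for homelab, and tends to conflict with other networking stuff
+  tproxy: true # L7 netpols stuff
+l7Proxy: true # enables L7 netpols
+dnsProxy:
+  enableTransparentMode: true
+socketLB:
+  enabled: true # supposed to be default off, but it's enabled anyway, and looks fun lol
+  hostNamespaceOnly: true # KubeVirt compatibility
+
+bgpControlPlane:
+  enabled: true
+localRedirectPolicy: false
+nodePort:
+  enabled: true
+  range: "9993,32767"
+bandwidthManager:
+  enabled: true
+  bbr: false # enable after Talos kernel updated to >= 5.18
+enableIPv6BIGTCP: false # cannot enable if routingMode=tunnel
+
+## NOTE: Hubble observability
+hubble:
+  enabled: true
+  peerService:
+    clusterDomain: cluster.local
+  relay:
+    enabled: true
+    rollOutPods: true
+  ui:
+    enabled: true
+    rollOutPods: true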
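Review bot: `kubeProxyReplacement: strict` is a legacy mode value; recent Cilium releases document the option as a plain boolean and warn on the old modes, so `kubeProxyReplacement: true` is the form to use with the 1.15.3 chart pinned in the sibling kustomization (confirm against that chart's values schema). The gate comment `bbr: false # enable after Talos kernel updated to >= 5.18` looks stale for a cluster pinned to Talos v1.6.4, which as far as I know ships a kernel well past that, so either enable BBR or change the comment to the real reason it stays off. Hubble relay and UI are enabled here with no access restriction visible in this file; if a CiliumNetworkPolicy elsewhere fences them off, a `# access limited by netpol in <path>` note next to `hubble:` would save the next reader from checking.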
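--- a/kube/deploy/core/_networking/cilium/app/config/sinon/kustomization.yaml
+++ b/kube/deploy/core/_networking/cilium/app/config/sinon/kustomization.yaml
@@ -0,0 +1,16 @@
+---
+# this Kustomization is only for bootstrapping with `kustomize build --enable-helm`
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+  - name: cilium
+    repo: https://helm.cilium.io/
+    version: 1.15.3
+    releaseName: cilium
+    namespace: kube-system
+    valuesFile: helm-values.yaml
+commonAnnotations:
+  meta.helm.sh/release-name: cilium
+  meta.helm.sh/release-namespace: kube-system
+commonLabels:
+  app.kubernetes.io/managed-by: Helm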
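Review bot: The chart is fetched straight from `repo: https://helm.cilium.io/` at bootstrap time, pinned by `version: 1.15.3` only, and `kustomize build --enable-helm` does not verify a chart digest, so the first workload on a fresh cluster is trusted on TLS plus a version string. If the bootstrap flow can use a vendored chart directory or an OCI reference with a digest, that removes both the network dependency and the unverified download from the secret-zero step. The `meta.helm.sh` annotations and `app.kubernetes.io/managed-by: Helm` label suggest a HelmRelease takes over this release afterwards; a comment such as `# version must match the Flux HelmRelease for cilium so adoption is clean` would document why the version is duplicated here.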
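--- a/kube/deploy/core/secrets/external-secrets/app/externalsecret-1password-credentials.yaml
+++ b/kube/deploy/core/secrets/external-secrets/app/externalsecret-1password-credentials.yaml
@@ -0,0 +1,29 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: &name onepassword-connect-secrets
+  namespace: external-secrets
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: 1p
+  data:
+    - secretKey: "credentials"
+      remoteRef:
+        key: "${CLUSTER_NAME:=biohazard} Credentials File"
+        property: "1password-credentials.json"
+  # dataFrom:
+  #   - extract:
+  #       key: "${CLUSTER_NAME:=biohazard} Credentials File"
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: *name
+    template:
+      type: Opaque
+      data:
+        1password-credentials.json: '{{ .credentials }}' # Document type in 1Password saved directly from Connect Server web wizard
+        # 1password-credentials.json: '{{ .1password-credentials.json }}'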
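Review bot: This ExternalSecret and `stores/1password/externalsecret-token.yaml` in the same commit both declare `name: &name onepassword-connect-secrets` in `namespace: external-secrets` and both set `target.name: *name`, so as written they are the same API object: whichever is applied last wins, and the cluster ends up with either the credentials file or the token, not both. Unless one of the two files is excluded from the kustomization, give this one its own name (e.g. `name: &name onepassword-connect-credentials`) or merge the two into a single ExternalSecret with both keys under `template.data`. A short comment above `data:` explaining that Connect's own credentials are re-fetched through the Connect-backed `1p` store (and how the first copy gets seeded) would also help, since the circularity is not obvious from this file alone.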
@@ -0,0 +1,59 @@ | ||
--- | ||
# yaml-language-server: $schema=https://crds.jank.ing/cilium.io/ciliumnetworkpolicy_v2.json | ||
apiVersion: cilium.io/v2 | ||
kind: CiliumNetworkPolicy | ||
metadata: | ||
name: &app external-secrets | ||
namespace: *app | ||
spec: | ||
endpointSelector: {} | ||
ingress: | ||
- fromEntities: | ||
- kube-apiserver | ||
- host | ||
- remote-node | ||
egress: | ||
- toEndpoints: | ||
- matchLabels: | ||
io.kubernetes.pod.namespace: *app | ||
- toEndpoints: | ||
- matchLabels: | ||
io.kubernetes.pod.namespace: onepassword-connect | ||
toPorts: | ||
- ports: | ||
- port: "8443" | ||
protocol: "TCP" | ||
- port: "8443" | ||
protocol: "UDP" | ||
- toEntities: | ||
- kube-apiserver | ||
- host | ||
toPorts: | ||
- ports: | ||
- port: "6443" | ||
protocol: "TCP" | ||
- port: "6443" | ||
protocol: "UDP" | ||
# 1Password Connect | ||
- toFQDNs: &dns | ||
- matchPattern: "1password.com" | ||
- matchPattern: "*.1password.com" | ||
- matchPattern: "1passwordusercontent.com" | ||
- matchPattern: "*.1passwordusercontent.com" | ||
toPorts: | ||
- ports: | ||
- port: "443" | ||
protocol: "ANY" | ||
- toEndpoints: | ||
- matchLabels: | ||
"k8s:io.kubernetes.pod.namespace": kube-system | ||
"k8s:k8s-app": kube-dns | ||
- matchLabels: | ||
io.kubernetes.pod.namespace: kube-system | ||
k8s-app: kube-dns | ||
toPorts: | ||
- ports: | ||
- port: "53" | ||
protocol: "ANY" | ||
rules: | ||
dns: *dns |
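Review bot: The `protocol: "UDP"` entries for port `8443` (1Password Connect) and port `6443` (kube-apiserver) are dead allows: both services speak TCP as far as this policy shows, so the extra rules widen the allow-list without enabling anything, and dropping the two UDP blocks keeps the policy minimal. The two kube-dns selectors (the `"k8s:io.kubernetes.pod.namespace"`/`"k8s:k8s-app"` pair and the unprefixed pair) match the same pods and can be collapsed to one, with a comment if the duplication works around a specific Cilium version. The egress to `io.kubernetes.pod.namespace: onepassword-connect` coexists with the in-pod Connect sidecar the commit message describes; if Connect ends up as an extraContainer, that cross-namespace allow becomes unnecessary and should be removed or annotated as the fallback path. The CiliumNetworkPolicy is complete within this hunk.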
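--- a/kube/deploy/core/secrets/external-secrets/stores/1password/externalsecret-token.yaml
+++ b/kube/deploy/core/secrets/external-secrets/stores/1password/externalsecret-token.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: &name onepassword-connect-secrets
+  namespace: external-secrets
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: 1p
+  dataFrom:
+    - extract:
+        key: "${CLUSTER_NAME:=biohazard} Access Token: ${CLUSTER_NAME:=biohazard}"
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: *name
+    template:
+      type: Opaque
+      data:
+        token: '{{ .credential }}' # JSON Web Token type in 1Password saved directly from Connect Server web wizard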
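Review bot: `key: "${CLUSTER_NAME:=biohazard} Access Token: ${CLUSTER_NAME:=biohazard}"` falls back to the biohazard item whenever CLUSTER_NAME is not substituted, so a new cluster such as sinon that misses the postBuild variable silently receives biohazard's Connect access token instead of failing. Dropping the default (`${CLUSTER_NAME} Access Token: ${CLUSTER_NAME}`) turns a missing variable into a reconcile error rather than a cross-cluster credential leak; if the substitution leaves the literal placeholder in place, ESO simply fails to find the item, which is the safe outcome. The same default appears in the credentials ExternalSecret and should be removed there for the same reason.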
9 changes: 0 additions & 9 deletions
9
kube/deploy/core/secrets/external-secrets/stores/1password/secrets.yaml
This file was deleted.