Merge branch 'main' into feat/crunchy-pgo

joryirving · Feb 13, 2024 · 51f00de · 51f00de
2 parents 2f37a28 + be2d0cd
commit 51f00de
Show file tree

Hide file tree

Showing 176 changed files with 1,647 additions and 3,019 deletions.
diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml
@@ -99,8 +99,8 @@ jobs:
           args: >-
             diff ${{ matrix.resources }}
             --unified 6
-            --path /github/workspace/pull/${{ matrix.paths }}
-            --path-orig /github/workspace/default/${{ matrix.paths }}
+            --path /github/workspace/pull/${{ matrix.paths }}/flux
+            --path-orig /github/workspace/default/${{ matrix.paths }}/flux
             --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart"
             --limit-bytes 10000
             --all-namespaces

diff --git a/.github/workflows/flux-image-test.yaml b/.github/workflows/flux-image-test.yaml
@@ -106,7 +106,7 @@ jobs:
         with:
           args: >-
             get cluster
-            --path /github/workspace/default/${{ matrix.paths }}
+            --path /github/workspace/default/${{ matrix.paths }}/flux
             --enable-images
             --output yaml
             --output-file default.yaml
@@ -116,7 +116,7 @@ jobs:
         with:
           args: >-
             get cluster
-            --path /github/workspace/pull/${{ matrix.paths }}
+            --path /github/workspace/pull/${{ matrix.paths }}/flux
             --enable-images
             --output yaml
             --output-file pull.yaml

diff --git a/ansible/pi/playbooks/templates/kube-vip-static-pod.yaml.j2 b/ansible/pi/playbooks/templates/kube-vip-static-pod.yaml.j2
diff --git a/ansible/pi/playbooks/templates/kube-vip-static-pod.yaml.j2 b/ansible/pi/playbooks/templates/kube-vip-static-pod.yaml.j2
@@ -0,0 +1,59 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: kube-vip
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/instance: kube-vip
+    app.kubernetes.io/name: kube-vip
+spec:
+  containers:
+    - name: kube-vip
+      image: ghcr.io/kube-vip/kube-vip:v0.7.0
+      imagePullPolicy: IfNotPresent
+      args: ["manager"]
+      env:
+        - name: address
+          value: "{{ kube_vip_addr }}"
+        - name: vip_arp
+          value: "true"
+        - name: lb_enable
+          value: "false"
+        - name: port
+          value: "6443"
+        - name: vip_cidr
+          value: "32"
+        - name: cp_enable
+          value: "true"
+        - name: cp_namespace
+          value: kube-system
+        - name: vip_ddns
+          value: "false"
+        - name: svc_enable
+          value: "false"
+        - name: vip_leaderelection
+          value: "true"
+        - name: vip_leaseduration
+          value: "15"
+        - name: vip_renewdeadline
+          value: "10"
+        - name: vip_retryperiod
+          value: "2"
+        - name: prometheus_server
+          value: :2112
+      securityContext:
+        capabilities:
+          add: ["NET_ADMIN", "NET_RAW"]
+      volumeMounts:
+        - mountPath: /etc/kubernetes/admin.conf
+          name: kubeconfig
+  hostAliases:
+    - hostnames:
+        - kubernetes
+      ip: 127.0.0.1
+  hostNetwork: true
+  volumes:
+    - name: kubeconfig
+      hostPath:
+        path: /etc/rancher/k3s/k3s.yaml
diff --git a/ansible/requirements.txt b/ansible/requirements.txt
@@ -2,6 +2,6 @@ ansible==9.2.0
 ansible-lint==24.2.0
 bcrypt==4.1.2
 jmespath==1.0.1
-netaddr==0.10.1
+netaddr==1.0.0
 openshift==0.13.2
 passlib==1.7.4
diff --git a/ansible/teyvat/inventory/hosts.yaml b/ansible/teyvat/inventory/hosts.yaml
@@ -22,7 +22,9 @@ kubernetes:
           ansible_host: 192.168.1.53
           ceph_drives:
             - /dev/disk/by-id/nvme-WD_BLACK_SN770_1TB_23026Y802292
+            - /dev/disk/by-id/nvme-Samsung_SSD_960_EVO_250GB_S3ESNX0J107591J
         eula:
           ansible_host: 192.168.1.54
           ceph_drives:
             - /dev/disk/by-id/nvme-WD_BLACK_SN770_1TB_22501H800457
+            - /dev/disk/by-id/nvme-WDS500G3X0C-00SJG0_2021A2441108
diff --git a/hack/teyvat/node-labels.sh b/hack/teyvat/node-labels.sh
@@ -1,7 +1,7 @@
 # Label control planes
 
 ## NoSchedule
-kubectl taint nodes navia node-role.kubernetes.io/control-plane=true:PreferNoSchedule --context teyvat
+# kubectl taint nodes navia node-role.kubernetes.io/control-plane=true:PreferNoSchedule --context teyvat
 
 # Label workers
 kubectl label nodes ayaka eula ganyu hutao node-role.kubernetes.io/worker=true --context teyvat
diff --git a/kubernetes/pi/apps/actions-runner-system/actions-runner-controller/ks.yaml b/kubernetes/pi/apps/actions-runner-system/actions-runner-controller/ks.yaml
@@ -11,7 +11,7 @@ spec:
     labels:
       app.kubernetes.io/name: *app
   # dependsOn:
-  #   - name: external-secrets-bitwarden
+  #   - name: external-secrets-bitwarden-secrets-manager
   path: ./kubernetes/pi/apps/actions-runner-system/actions-runner-controller/app
   prune: true
   sourceRef:

diff --git a/kubernetes/pi/apps/cert-manager/cert-manager/app/helmrelease.yaml b/kubernetes/pi/apps/cert-manager/cert-manager/app/helmrelease.yaml
@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: cert-manager
-      version: v1.14.1
+      version: v1.14.2
       sourceRef:
         kind: HelmRepository
         name: jetstack

diff --git a/kubernetes/pi/apps/default/free-game-notifier/app/externalsecret.yaml b/kubernetes/pi/apps/default/free-game-notifier/app/externalsecret.yaml
@@ -1,23 +1,16 @@
 ---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: free-game-notifier
+  name: &name free-game-notifier
 spec:
+  secretStoreRef:
+    name: bitwarden-secrets-manager
+    kind: ClusterSecretStore
   target:
-    deletionPolicy: Delete
-    template:
-      engineVersion: v2
-      type: Opaque
-      data:
-        DISCORD_WEBHOOK: "{{ .DISCORD_WEBHOOK }}"
-  refreshInterval: 1h
+    name: *name
   data:
-    - secretKey: DISCORD_WEBHOOK
-      sourceRef:
-        storeRef:
-          name: bitwarden-fields
-          kind: ClusterSecretStore
-      remoteRef:
-        key: de1b453f-d386-47df-8fd4-ac6e00f706e3
-        property: DISCORD_WEBHOOK
+  - secretKey: DISCORD_WEBHOOK
+    remoteRef:
+      key: free-games
diff --git a/kubernetes/pi/apps/default/mosquitto/app/externalsecret.yaml b/kubernetes/pi/apps/default/mosquitto/app/externalsecret.yaml
@@ -1,34 +1,22 @@
 ---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: mosquitto
+  name: &name mosquitto
 spec:
+  secretStoreRef:
+    name: bitwarden-secrets-manager
+    kind: ClusterSecretStore
   target:
-    deletionPolicy: Delete
+    name: *name
     template:
       engineVersion: v2
-      type: Opaque
       data:
         username: "{{ .MQTT_USERNAME }}"
         password: "{{ .MQTT_PASSWORD }}"
         mosquitto_pwd: |
           {{ .MQTT_USERNAME }}:{{ .MQTT_PASSWORD }}
-  refreshInterval: 1h
-  data:
-    - secretKey: MQTT_USERNAME
-      sourceRef:
-        storeRef:
-          name: bitwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 2b8799c5-7d83-42aa-99c9-b072001ee0f3
-        property: username
-    - secretKey: MQTT_PASSWORD
-      sourceRef:
-        storeRef:
-          name: bitwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 2b8799c5-7d83-42aa-99c9-b072001ee0f3
-        property: password
+  dataFrom:
+  - extract:
+      key: mqtt
diff --git a/kubernetes/pi/apps/default/mosquitto/ks.yaml b/kubernetes/pi/apps/default/mosquitto/ks.yaml
@@ -11,7 +11,7 @@ spec:
     labels:
       app.kubernetes.io/name: *app
   # dependsOn:
-  #   - name: external-secrets-bitwarden
+  #   - name: external-secrets-bitwarden-secrets-manager
   path: ./kubernetes/pi/apps/default/mosquitto/app
   prune: true
   sourceRef:
@@ -23,4 +23,4 @@ spec:
   timeout: 5m
   postBuild:
     substitute:
-      APP: *app
+      APP: *app
diff --git a/kubernetes/pi/apps/default/rss-forwarder/app/externalsecret.yaml b/kubernetes/pi/apps/default/rss-forwarder/app/externalsecret.yaml
@@ -1,14 +1,17 @@
 ---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: rss-forwarder
+  name: &name rss-forwarder
 spec:
+  secretStoreRef:
+    name: bitwarden-secrets-manager
+    kind: ClusterSecretStore
   target:
-    deletionPolicy: Delete
+    name: *name
     template:
       engineVersion: v2
-      type: Opaque
       data:
         config.toml: |-
             [feeds.github-template]
@@ -35,21 +38,6 @@ spec:
             retry_limit = 5
             sink.type = "discord"
             sink.url = "{{ .MM_DISCORD_WEBHOOK }}"
-  refreshInterval: 1h
-  data:
-    - secretKey: INFRA_DISCORD_WEBHOOK
-      sourceRef:
-        storeRef:
-          name: bitwarden-fields
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 01af241c-b129-4560-877a-ac6e00f706e3
-        property: INFRA_DISCORD_WEBHOOK
-    - secretKey: MM_DISCORD_WEBHOOK
-      sourceRef:
-        storeRef:
-          name: bitwarden-fields
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 01af241c-b129-4560-877a-ac6e00f706e3
-        property: MM_DISCORD_WEBHOOK
+  dataFrom:
+  - extract:
+      key: discord
diff --git a/kubernetes/pi/apps/default/zigbee2mqtt/app/externalsecret.yaml b/kubernetes/pi/apps/default/zigbee2mqtt/app/externalsecret.yaml
@@ -1,61 +1,27 @@
 ---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: zigbee2mqtt
+  name: &name zigbee2mqtt
 spec:
+  secretStoreRef:
+    name: bitwarden-secrets-manager
+    kind: ClusterSecretStore
   target:
-    deletionPolicy: Delete
+    name: *name
     template:
       engineVersion: v2
-      type: Opaque
       data:
         # App
-        ZIGBEE2MQTT_CONFIG_ADVANCED_EXT_PAN_ID: "{{ .z2m_ext_pan_id }}"
-        ZIGBEE2MQTT_CONFIG_ADVANCED_PAN_ID: "{{ .z2m_pan_id }}"
-        ZIGBEE2MQTT_CONFIG_ADVANCED_NETWORK_KEY: "{{ .z2m_network_key }}"
+        ZIGBEE2MQTT_CONFIG_ADVANCED_EXT_PAN_ID: "{{ .ZIGBEE2MQTT_CONFIG_ADVANCED_EXT_PAN_ID }}"
+        ZIGBEE2MQTT_CONFIG_ADVANCED_PAN_ID: "{{ .ZIGBEE2MQTT_CONFIG_ADVANCED_PAN_ID }}"
+        ZIGBEE2MQTT_CONFIG_ADVANCED_NETWORK_KEY: "{{ .ZIGBEE2MQTT_CONFIG_ADVANCED_NETWORK_KEY }}"
         # Mosquitto
         ZIGBEE2MQTT_CONFIG_MQTT_USER: "{{ .MQTT_USERNAME }}"
         ZIGBEE2MQTT_CONFIG_MQTT_PASSWORD: "{{ .MQTT_PASSWORD }}"
-  refreshInterval: 1h
-  data:
-    - secretKey: z2m_ext_pan_id
-      sourceRef:
-        storeRef:
-          name: bitwarden-fields
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 2b8799c5-7d83-42aa-99c9-b072001ee0f3
-        property: z2m_ext_pan_id
-    - secretKey: z2m_pan_id
-      sourceRef:
-        storeRef:
-          name: bitwarden-fields
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 2b8799c5-7d83-42aa-99c9-b072001ee0f3
-        property: z2m_pan_id
-    - secretKey: z2m_network_key
-      sourceRef:
-        storeRef:
-          name: bitwarden-fields
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 2b8799c5-7d83-42aa-99c9-b072001ee0f3
-        property: z2m_network_key
-    - secretKey: MQTT_USERNAME
-      sourceRef:
-        storeRef:
-          name: bitwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 2b8799c5-7d83-42aa-99c9-b072001ee0f3
-        property: username
-    - secretKey: MQTT_PASSWORD
-      sourceRef:
-        storeRef:
-          name: bitwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        key: 2b8799c5-7d83-42aa-99c9-b072001ee0f3
-        property: password
+  dataFrom:
+    - extract:
+        key: mqtt
+    - extract:
+        key: zigbee2mqtt
diff --git a/kubernetes/pi/apps/default/zigbee2mqtt/ks.yaml b/kubernetes/pi/apps/default/zigbee2mqtt/ks.yaml
@@ -11,7 +11,7 @@ spec:
     labels:
       app.kubernetes.io/name: *app
   dependsOn:
-    # - name: external-secrets-bitwarden
+    # - name: external-secrets-bitwarden-secrets-manager
     - name: node-feature-discovery-features
   path: ./kubernetes/pi/apps/default/zigbee2mqtt/app
   prune: true

diff --git a/kubernetes/pi/apps/external-secrets/external-secrets/app/helmrelease.yaml b/kubernetes/pi/apps/external-secrets/external-secrets/app/helmrelease.yaml
@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: external-secrets
-      version: 0.9.11
+      version: 0.9.12
       sourceRef:
         kind: HelmRepository
         name: external-secrets

diff --git a/.../apps/external-secrets/external-secrets/bitwarden-secrets-manager/clustersecretstore.yaml b/.../apps/external-secrets/external-secrets/bitwarden-secrets-manager/clustersecretstore.yaml
@@ -0,0 +1,20 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: bitwarden-secrets-manager
+spec:
+  provider:
+    webhook:
+      url: "http://bitwarden-secrets-manager.external-secrets.svc.cluster.local:5000/key/{{ .remoteRef.key }}"
+      headers:
+        Authorization: "Bearer {{ print .serviceaccount.token }}"
+      # result:
+      #   jsonPath: "$.value.{{ .remoteRef.property }}"
+      result:
+        jsonPath: "$.value"
+      secrets:
+      - name: serviceaccount
+        secretRef:
+          name: bws-secret
+          key: token
+          namespace: external-secrets