diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 8d504a573cc9c..b8139dc800b5a 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -47,7 +47,7 @@ jobs: path: default - name: Diff Resources - uses: docker://ghcr.io/allenporter/flux-local:v6.1.1 + uses: docker://ghcr.io/allenporter/flux-local:v7.0.0@sha256:abf237e31d20de26f8a4b08e588cc927cb0a9f0ecf90d04bada00f393b919354 with: args: >- diff ${{ matrix.resources }} @@ -65,15 +65,15 @@ jobs: run: | cat diff.patch; { - echo 'diff<> "$GITHUB_OUTPUT"; { - echo "### Diff" - echo '```diff' - cat diff.patch - echo '```' + echo "### Diff" + echo '```diff' + cat diff.patch + echo '```' } >> "$GITHUB_STEP_SUMMARY" - if: ${{ steps.diff.outputs.diff != '' }} diff --git a/.github/workflows/helm-repository-sync.yaml b/.github/workflows/helm-repository-sync.yaml index 3c23d1211478e..cfa62b15ca684 100644 --- a/.github/workflows/helm-repository-sync.yaml +++ b/.github/workflows/helm-repository-sync.yaml @@ -16,6 +16,9 @@ on: branches: ["main"] paths: ["kubernetes/**/helmrelease.yaml"] +env: + HOMEBREW_NO_ANALYTICS: "1" + jobs: sync: name: Helm Repository Sync @@ -32,14 +35,12 @@ jobs: uses: actions/checkout@v4 with: token: "${{ steps.app-token.outputs.token }}" - fetch-depth: 0 - name: Setup Homebrew uses: Homebrew/actions/setup-homebrew@master - name: Setup Workflow Tools - shell: bash - run: brew install fluxcd/tap/flux yq + run: brew install fluxcd/tap/flux - if: ${{ github.event.inputs.helmRepoNamespace == '' && github.event.inputs.helmRepoName == '' }} name: Get Changed Files @@ -51,7 +52,6 @@ jobs: - if: ${{ github.event.inputs.helmRepoNamespace == '' && github.event.inputs.helmRepoName == '' }} name: Sync Helm Repository - shell: bash run: | declare -a repos=() for f in ${{ steps.changed-files.outputs.all_changed_and_modified_files }}; do 
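Review bot: The `for f in ${{ steps.changed-files.outputs.all_changed_and_modified_files }}; do` line in the Sync Helm Repository step splices a workflow expression straight into the bash script, so a path containing shell metacharacters is executed rather than iterated over; paths come from pushes to main here, which limits exposure, but it is exactly the pattern GitHub's hardening guide tells you to avoid. Pass the value through the environment instead: `env: { CHANGED_FILES: "${{ steps.changed-files.outputs.all_changed_and_modified_files }}" }` and `for f in $CHANGED_FILES; do`. Dropping `shell: bash` also changes the step's shell from `bash --noprofile --norc -eo pipefail {0}` to `bash -e {0}`, so a failing command on the left of a pipe no longer fails the step — keep `shell: bash` if the body pipes anything. The `run:` block continues past the end of the hunk.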
@@ -68,7 +68,6 @@ jobs: - if: ${{ github.event.inputs.helmRepoNamespace != '' && github.event.inputs.helmRepoName != '' }} name: Sync Helm Repository - shell: bash run: | flux --namespace ${{ github.event.inputs.helmRepoNamespace }} \ reconcile source helm ${{ github.event.inputs.helmRepoName }} || true diff --git a/.github/workflows/pre-pull-images.yaml b/.github/workflows/pre-pull-images.yaml index c89f2a851ee26..acbec1561ad9c 100644 --- a/.github/workflows/pre-pull-images.yaml +++ b/.github/workflows/pre-pull-images.yaml @@ -14,14 +14,20 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.number || github.ref }} cancel-in-progress: true +env: + HOMEBREW_NO_ANALYTICS: "1" + jobs: extract-images: name: Extract Images runs-on: ubuntu-latest - permissions: - pull-requests: write + strategy: + matrix: + branches: ["default", "pull"] + fail-fast: false outputs: - matrix: ${{ steps.extract-images.outputs.images }} + default: ${{ steps.extract-images.outputs.default }} + pull: ${{ steps.extract-images.outputs.pull }} steps: - name: Generate Token uses: actions/create-github-app-token@v1 
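Review bot: `flux --namespace ${{ github.event.inputs.helmRepoNamespace }} \` and `reconcile source helm ${{ github.event.inputs.helmRepoName }} || true` interpolate workflow_dispatch inputs directly into the shell, so anyone able to dispatch this workflow can run arbitrary commands in a job that holds the app token. Route the inputs through `env:` (`HR_NS: "${{ github.event.inputs.helmRepoNamespace }}"`, `HR_NAME: "${{ github.event.inputs.helmRepoName }}"`) and reference them as `"$HR_NS"` / `"$HR_NAME"`. The `|| true` also hides a failed or mistyped reconcile behind a green run; at minimum echo a warning on failure. The enclosing job starts outside the hunk.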
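Review bot: Removing the job-level `permissions:` block (`pull-requests: write`) does not strip the job's token — it makes extract-images inherit the workflow or repository default GITHUB_TOKEN scopes, which can be broader than the explicit block was. The job now only checks out with the app token and runs flux-local, so pin it to the minimum it needs: `permissions: { contents: read }` at the job level (or once at the workflow level for all three jobs). The matrix outputs `default` and `pull` are JSON arrays built from image references in the checked-out manifests, i.e. partly pull-request-controlled data; whatever consumes them downstream should treat them as untrusted.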
@@ -30,76 +36,55 @@ jobs: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - - name: Setup Homebrew - uses: Homebrew/actions/setup-homebrew@master - - - name: Setup Workflow Tools - shell: bash - run: brew install jo yq - - - name: Checkout Default Branch + - name: Checkout uses: actions/checkout@v4 with: token: "${{ steps.app-token.outputs.token }}" - ref: "${{ github.event.repository.default_branch }}" - path: default - - - name: Checkout Pull Request Branch - uses: actions/checkout@v4 - with: - token: "${{ steps.app-token.outputs.token }}" - path: pull - - - name: Gather Images in Default Branch - uses: docker://ghcr.io/allenporter/flux-local:v6.1.1 - with: - args: >- - get cluster - --path /github/workspace/default/kubernetes/main/flux - --enable-images - --output yaml - --output-file default.yaml + ref: "${{ matrix.branches == 'default' && github.event.repository.default_branch || '' }}" - - name: Gather Images in Pull Request Branch - uses: docker://ghcr.io/allenporter/flux-local:v6.1.1 + - name: Gather Images + uses: docker://ghcr.io/allenporter/flux-local:v7.0.0 with: args: >- get cluster - --path /github/workspace/pull/kubernetes/main/flux + --path /github/workspace/kubernetes/main/flux --enable-images --output yaml - --output-file pull.yaml - - - name: Filter Default Branch Results - shell: bash - run: | - yq -r '[.. | .images? | select(. != null)] | flatten | sort | unique | .[]' \ - default.yaml > default.txt + --output-file images.yaml - - name: Filter Pull Request Branch Results - shell: bash + - name: Extract Images + id: extract-images run: | - yq -r '[.. | .images? | select(. != null)] | flatten | sort | unique | .[]' \ - pull.yaml > pull.txt + images=$(yq --indent=0 --output-format=json \ + '[.. | .images? | select(. 
!= null)] | flatten | sort | unique' images.yaml \ + ) + echo "${{ matrix.branches }}=${images}" >> $GITHUB_OUTPUT - - name: Compare Default and Pull Request Images - id: extract-images - shell: bash + compare-images: + name: Compare Images + runs-on: ubuntu-latest + needs: ["extract-images"] + outputs: + images: ${{ steps.compare-images.outputs.images }} + steps: + - name: Compare Images + id: compare-images run: | - images=$(jo -a $(grep -vf default.txt pull.txt)) + images=$(jq --compact-output --null-input \ + --argjson f1 '${{ needs.extract-images.outputs.default }}' \ + --argjson f2 '${{ needs.extract-images.outputs.pull }}' \ + '$f2 - $f1' \ + ) echo "images=${images}" >> $GITHUB_OUTPUT - echo "${images}" - echo "### Images" >> $GITHUB_STEP_SUMMARY - echo "${images}" | jq --raw-output 'to_entries[] | "* \(.value)"' >> $GITHUB_STEP_SUMMARY pre-pull-images: - if: ${{ needs.extract-images.outputs.matrix != '[]' }} + if: ${{ needs.compare-images.outputs.images != '[]' }} name: Pre-pull Images runs-on: ["gha-runner-scale-set"] - needs: ["extract-images"] + needs: ["compare-images"] strategy: matrix: - images: ${{ fromJSON(needs.extract-images.outputs.matrix) }} + images: ${{ fromJSON(needs.compare-images.outputs.images) }} max-parallel: 4 fail-fast: false steps: @@ -107,7 +92,6 @@ jobs: uses: Homebrew/actions/setup-homebrew@master - name: Setup Workflow Tools - shell: bash run: brew install siderolabs/tap/talosctl - name: Pre-pull Image diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ab809acf3fe11..5f95dc7cf5c67 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
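Review bot: `--argjson f1 '${{ needs.extract-images.outputs.default }}'` and `--argjson f2 '${{ needs.extract-images.outputs.pull }}'` paste job outputs — JSON that yq assembled from image references in the checked-out branch, so content the pull-request branch controls — directly into the shell command; an image string containing a single quote escapes the quoting and runs arbitrary shell in compare-images. Put both outputs into `env:` and read them as `--argjson f1 "$DEFAULT_IMAGES" --argjson f2 "$PULL_IMAGES"`. Separately, `docker://ghcr.io/allenporter/flux-local:v7.0.0` is pinned by tag only, while flux-diff.yaml in this same commit pins the identical image by `@sha256:` digest; use the digest here as well so a retagged image cannot silently change what renders PR content. The resulting list becomes the matrix for pre-pull-images on the self-hosted `gha-runner-scale-set` runners, and whether this workflow fires on `pull_request` or `pull_request_target` is not visible in the hunk, so the injection surface may be larger than it looks.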
@@ -19,34 +19,44 @@ jobs: app-id: "${{ secrets.BOT_APP_ID }}" private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" - - name: Checkout - uses: actions/checkout@v4 + - name: Get Previous Release Tag and Determine Next Tag + id: determine-next-tag + uses: actions/github-script@v7 with: - token: "${{ steps.app-token.outputs.token }}" + github-token: "${{ steps.app-token.outputs.token }}" + result-encoding: string + script: | + const { data: releases } = await github.rest.repos.listReleases({ + owner: context.repo.owner, + repo: context.repo.repo, + per_page: 1, + }); + + let previousTag = "0.0.0"; // Default if no previous release exists + if (releases.length > 0) { + previousTag = releases[0].tag_name; + } + + const [previousMajor, previousMinor, previousPatch] = previousTag.split('.').map(Number); + const currentYear = new Date().getFullYear(); + const currentMonth = new Date().getMonth() + 1; // Months are 0-indexed in JavaScript + + const nextMajorMinor = `${currentYear}.${currentMonth}`; + let nextPatch; + + if (`${previousMajor}.${previousMinor}` === nextMajorMinor) { + console.log("Month release already exists for the year. Incrementing patch number by 1."); + nextPatch = previousPatch + 1; + } else { + console.log("Month release does not exist for the year. 
Starting with patch number 0."); + nextPatch = 0; + } + + return `${nextMajorMinor}.${nextPatch}`; - name: Create Release - shell: bash - env: - GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" - run: | - # Retrieve previous release tag - previous_tag="$(gh release list --limit 1 | awk '{ print $1 }')" - previous_major="${previous_tag%%\.*}" - previous_minor="${previous_tag#*.}" - previous_minor="${previous_minor%.*}" - previous_patch="${previous_tag##*.}" - # Determine next release tag - next_major_minor="$(date +'%Y').$(date +'%-m')" - if [[ "${previous_major}.${previous_minor}" == "${next_major_minor}" ]]; then - echo "Month release already exists for year, incrementing patch number by 1" - next_patch="$((previous_patch + 1))" - else - echo "Month release does not exist for year, setting patch number to 0" - next_patch="0" - fi - # Create release - release_tag="${next_major_minor}.${next_patch}" - gh release create "${release_tag}" \ - --repo="${GITHUB_REPOSITORY}" \ - --title="${release_tag}" \ - --generate-notes + uses: ncipollo/release-action@v1 + with: + generateReleaseNotes: true + tag: "${{ steps.determine-next-tag.outputs.result }}" + token: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml index abcf04dec9374..a1c84d99dbb55 100644 --- a/.github/workflows/renovate.yaml +++ b/.github/workflows/renovate.yaml @@ -56,7 +56,7 @@ jobs: token: "${{ steps.app-token.outputs.token }}" - name: Renovate - uses: renovatebot/github-action@v41.0.7 + uses: renovatebot/github-action@v41.0.8 with: configurationFile: .github/renovate.json5 token: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/schemas.yaml b/.github/workflows/schemas.yaml index 079d90d858ccf..3c301e4e55882 100644 --- a/.github/workflows/schemas.yaml +++ b/.github/workflows/schemas.yaml 
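Review bot: `ncipollo/release-action@v1` is a third-party action pinned to a mutable major tag and handed the GitHub App token in `token:`, so a force-moved or compromised `v1` tag gains release-creation rights under the bot identity; pin it to a full commit SHA (`uses: ncipollo/release-action@<sha> # v1.x.y`) and let the Renovate setup already in this repo bump it. The tag script also assumes the previous release tag is a bare `YYYY.M.N`: `previousTag.split('.').map(Number)` yields NaN components for anything else (a `v`-prefixed tag, for instance), the equality check then fails and the script happily returns `YYYY.M.0` even when that tag exists, so the release step fails late instead of the script failing early. A guard such as `if (![previousMajor, previousMinor, previousPatch].every(Number.isInteger)) throw new Error(\`unexpected tag ${previousTag}\`);` keeps the failure legible. `per_page: 1` on `listReleases` also picks the most recently created release rather than the highest tag, which is fine only while releases are created exclusively by this workflow.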
@@ -10,6 +10,10 @@ on: branches: ["main"] paths: [".github/workflows/schemas.yaml"] +env: + HOMEBREW_NO_ANALYTICS: "1" + UV_SYSTEM_PYTHON: "1" + jobs: publish: name: Schemas @@ -34,24 +38,22 @@ jobs: uses: Homebrew/actions/setup-homebrew@master - name: Setup Workflow Tools - shell: bash - run: brew install kubectl + run: brew install kubectl uv - name: Setup Python uses: actions/setup-python@v5 with: - python-version: 3.x + python-version: 3.13.x - name: Setup Node uses: actions/setup-node@v4 with: - node-version: 18.x + node-version: 22.x - name: Install Python Dependencies - run: pip install pyyaml + run: uv pip install pyyaml - name: Download and run crd-extractor - shell: bash run: | curl -fsSL -o $GITHUB_WORKSPACE/crd-extractor.sh \ https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/Utilities/crd-extractor.sh diff --git a/mise.toml b/.mise.toml similarity index 100% rename from mise.toml rename to .mise.toml diff --git a/.taskfiles/bootstrap/Taskfile.yaml b/.taskfiles/bootstrap/Taskfile.yaml index 33d8d23a3c8a6..00b82d6d49058 100644 --- a/.taskfiles/bootstrap/Taskfile.yaml +++ b/.taskfiles/bootstrap/Taskfile.yaml @@ -27,7 +27,7 @@ tasks: preconditions: - talosctl config info - test -f {{.CLUSTER_DIR}}/talosconfig - - which ls minijinja-cli sops talosctl + - which jq ls minijinja-cli sops talosctl apps: desc: Bootstrap Apps [CLUSTER=main] @@ -60,7 +60,7 @@ tasks: vars: [CLUSTER, MODEL] preconditions: - test -f {{.BOOTSTRAP_RESOURCES_DIR}}/wipe-rook.yaml.j2 - - which kubectl minijinja-cli stern talosctl + - which jq kubectl minijinja-cli stern talosctl flux: desc: Bootstrap Flux [CLUSTER=main] @@ -82,4 +82,4 @@ tasks: vars: [CLUSTER] preconditions: - op user get --me - - which curl flux kubectl ls op + - which curl flux jq kubectl ls op diff --git a/.taskfiles/kubernetes/Taskfile.yaml b/.taskfiles/kubernetes/Taskfile.yaml index 1cda160b6b6fa..ecf40d98f8b77 100644 --- a/.taskfiles/kubernetes/Taskfile.yaml +++ b/.taskfiles/kubernetes/Taskfile.yaml 
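Review bot: The `curl -fsSL -o $GITHUB_WORKSPACE/crd-extractor.sh https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/Utilities/crd-extractor.sh` line fetches a script from a moving `main` branch and, going by the step name, executes it with this job's kubectl access and app token, so whoever controls that branch controls this job; the commit edits this step but leaves that as is. Pin the URL to a commit SHA instead of `main` and verify a checksum before running it, e.g. `echo "<sha256>  $GITHUB_WORKSPACE/crd-extractor.sh" | sha256sum -c -`. `uv pip install pyyaml` is likewise unpinned; pin pyyaml to an exact version so the schema output stays reproducible. The `run:` block continues past the end of the hunk.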
@@ -59,3 +59,17 @@ tasks: vars: [CLUSTER] preconditions: - which kubectl + + # https://docs.github.com/en/enterprise-cloud@latest/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#upgrading-arc + upgrade-arc: + desc: Upgrade the ARC [CLUSTER=main] + cmds: + - helm -n actions-runner-system uninstall gha-runner-scale-set + - helm -n actions-runner-system uninstall gha-runner-scale-set-controller + - sleep 5 + - flux -n actions-runner-system reconcile hr gha-runner-scale-set-controller + - flux -n actions-runner-system reconcile hr gha-runner-scale-set + requires: + vars: [CLUSTER] + preconditions: + - which flux helm diff --git a/.taskfiles/talos/Taskfile.yaml b/.taskfiles/talos/Taskfile.yaml index 78544b668e3ec..948179dc75e0d 100644 --- a/.taskfiles/talos/Taskfile.yaml +++ b/.taskfiles/talos/Taskfile.yaml @@ -10,7 +10,7 @@ tasks: cmds: - task: down - sops exec-file --input-type yaml --output-type yaml {{.CLUSTER_DIR}}/talos/{{.IP}}.sops.yaml.j2 "minijinja-cli {}" | talosctl --nodes {{.IP}} apply-config --mode={{.MODE}} --file /dev/stdin - - talosctl --nodes {{.IP}} health --wait-timeout=10m --server=false + - talosctl --nodes {{.IP}} health - task: up vars: MODE: '{{.MODE | default "auto"}}' 
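Review bot: `upgrade-arc` declares `requires: vars: [CLUSTER]` but none of its `helm`/`flux` commands use `CLUSTER` (no `--kube-context`, no `KUBECONFIG`), so it uninstalls the runner controller on whatever kubeconfig context is current regardless of the value passed. I cannot see where this repo keeps kubeconfigs, but the other tasks scope by `{{.CLUSTER_DIR}}`; if a kubeconfig lives there, add `env: { KUBECONFIG: '{{.CLUSTER_DIR}}/kubeconfig' }`, and if not, drop the misleading `requires`. `helm uninstall` on the scale set also terminates any in-flight jobs on those runners, so a `prompt:` on the task before the destructive commands would be prudent.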
@@ -28,14 +28,12 @@ tasks: dotenv: ['{{.CLUSTER_DIR}}/cluster.env'] cmds: - task: down - - talosctl --nodes {{.IP}} upgrade --image="factory.talos.dev/installer{{if eq .TALOS_SECUREBOOT "true"}}-secureboot{{end}}/{{.TALOS_SCHEMATIC_ID}}:$TALOS_VERSION" --timeout=10m - - talosctl --nodes {{.IP}} health --wait-timeout=10m --server=false + - talosctl --nodes {{.IP}} upgrade --image="factory.talos.dev/installer/{{.TALOS_SCHEMATIC_ID}}:$TALOS_VERSION" --timeout=10m + - talosctl --nodes {{.IP}} health - task: up vars: TALOS_SCHEMATIC_ID: sh: talosctl --nodes {{.IP}} get nodeannotationspecs --output json | jq --raw-output '.spec | select(.key == "extensions.talos.dev/schematic") | .value' - TALOS_SECUREBOOT: - sh: talosctl --nodes {{.IP}} get securitystate --output=jsonpath='{.spec.secureBoot}' requires: vars: [CLUSTER, IP] preconditions: @@ -52,7 +50,6 @@ tasks: cmds: - task: down - talosctl --nodes {{.TALOS_CONTROLLER}} upgrade-k8s --to $KUBERNETES_VERSION - - talosctl health --wait-timeout=10m --server=false - task: up vars: TALOS_CONTROLLER: @@ -72,7 +69,7 @@ tasks: cmds: - task: down - talosctl --nodes {{.IP}} reboot --mode={{.MODE}} - - talosctl --nodes {{.IP}} health --wait-timeout=10m --server=false + - talosctl --nodes {{.IP}} health - task: up vars: MODE: '{{.MODE | default "default"}}' diff --git a/kubernetes/main/apps/actions-runner-system/gha-runner-scale-set/app/helmrelease.yaml b/kubernetes/main/apps/actions-runner-system/gha-runner-scale-set/app/helmrelease.yaml index dd7eb1eceb62c..c7db923199d62 100644 --- a/kubernetes/main/apps/actions-runner-system/gha-runner-scale-set/app/helmrelease.yaml +++ b/kubernetes/main/apps/actions-runner-system/gha-runner-scale-set/app/helmrelease.yaml @@ -27,6 +27,8 @@ spec: dependsOn: - name: gha-runner-scale-set-controller namespace: actions-runner-system + - name: rook-ceph-cluster + namespace: rook-ceph valuesFrom: - targetPath: githubConfigSecret.github_app_id kind: Secret 
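Review bot: Removing the `TALOS_SECUREBOOT` lookup means `talosctl --nodes {{.IP}} upgrade --image="factory.talos.dev/installer/{{.TALOS_SCHEMATIC_ID}}:$TALOS_VERSION"` always selects the non-SecureBoot installer; if any node still has Secure Boot enabled, this presumably either fails at upgrade time or — worse — leaves the node unable to boot, since switching installer flavours through upgrade is not something Talos documents as supported. If the fleet is known to be non-SecureBoot now, encode that as a precondition so the assumption is checked rather than implied: `- test "$(talosctl --nodes {{.IP}} get securitystate --output=jsonpath='{.spec.secureBoot}')" != "true"`. Dropping `--wait-timeout=10m --server=false` from the health step also changes to talosctl's default timeout and server-side checks, which alters how long a failed upgrade blocks before `task: up` runs; a one-line comment on why the flags were removed would help.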
@@ -47,15 +49,22 @@ spec: minRunners: 1 maxRunners: 3 containerMode: - type: dind + type: kubernetes + kubernetesModeWorkVolumeClaim: + accessModes: ["ReadWriteOnce"] + storageClassName: openebs-hostpath + resources: + requests: + storage: 25Gi template: spec: - automountServiceAccountToken: true containers: - name: runner - image: ghcr.io/onedr0p/actions-runner:2.321.0@sha256:3665cbbcd2a3b7e1626e6100a6924d316d501650b9863a24b5639aee68bdb110 + image: ghcr.io/onedr0p/actions-runner:2.321.0@sha256:68a510e470e2c5b38ffc46e85823fdc36b721bf7af310f4d64fd93cd0e1e9184 command: ["/home/runner/run.sh"] env: + - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER + value: "false" - name: NODE_IP valueFrom: fieldRef: diff --git a/kubernetes/main/apps/default/autobrr/app/helmrelease.yaml b/kubernetes/main/apps/default/autobrr/app/helmrelease.yaml index 18a17fad87558..1d46180f766c2 100644 --- a/kubernetes/main/apps/default/autobrr/app/helmrelease.yaml +++ b/kubernetes/main/apps/default/autobrr/app/helmrelease.yaml @@ -34,7 +34,7 @@ spec: app: image: repository: ghcr.io/autobrr/autobrr - tag: v1.56.1@sha256:ece84c7032c2afef04b145be8f99e6a1e46971dece62328541ac36990b5270f4 + tag: v1.57.0@sha256:fbc0fea58925c43357a2a43dad543dcda5b354a28a95a28e5d7289d34dc5edb9 env: AUTOBRR__CHECK_FOR_UPDATES: "false" AUTOBRR__HOST: 0.0.0.0 diff --git a/kubernetes/main/apps/default/bazarr/app/helmrelease.yaml b/kubernetes/main/apps/default/bazarr/app/helmrelease.yaml index c5ed23f164f48..f478b0663e295 100644 --- a/kubernetes/main/apps/default/bazarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/default/bazarr/app/helmrelease.yaml @@ -34,7 +34,7 @@ spec: app: image: repository: ghcr.io/onedr0p/bazarr - tag: 1.5.0@sha256:5eb3ff2384c470fa351ff486b1b61660914a2ba144e908258cf111555a583356 + tag: 1.5.1@sha256:4f3f5f42e552979d75cf2f168d9f053134eefa11e9e42b4878bded3bb69978d4 env: TZ: America/New_York envFrom: 
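Review bot: `ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER: "false"` combined with `containerMode.type: kubernetes` lets any workflow step that declares no `container:` execute directly inside the runner pod, and in kubernetes mode that pod (as far as I know of ARC's design) mounts a service-account token bound to a Role allowing pod create/exec in `actions-runner-system` so it can spawn job containers. Any workflow that lands on `gha-runner-scale-set` — pre-pull-images.yaml in this repo does, with a matrix derived from manifests — can therefore read that token from the runner filesystem and schedule arbitrary pods in the namespace. If the goal is just to avoid wrapping every job in `container:`, keep the flag but treat the namespace as reachable by anyone who can run a workflow here, and back it with a NetworkPolicy and ResourceQuota; otherwise revert to the default `"true"`. Deleting `automountServiceAccountToken: true` is a no-op since `true` is the Kubernetes default and kubernetes mode needs the token anyway.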
diff --git a/kubernetes/main/apps/default/cross-seed/app/helmrelease.yaml b/kubernetes/main/apps/default/cross-seed/app/helmrelease.yaml index 578fd9c5a75c6..1973b128b94ac 100644 --- a/kubernetes/main/apps/default/cross-seed/app/helmrelease.yaml +++ b/kubernetes/main/apps/default/cross-seed/app/helmrelease.yaml @@ -34,7 +34,7 @@ spec: app: image: repository: ghcr.io/cross-seed/cross-seed - tag: 6.6.0@sha256:9c67a3dc12beb8c4699094fbc4cc2888ebd071712a99ff252dc28d5706fcee0a + tag: 6.8.4@sha256:996896878ab462ded031552824c4fd773a2cf484582829029eda323b3c01e1b4 env: CROSS_SEED_PORT: &port 80 TZ: America/New_York diff --git a/kubernetes/main/apps/default/go2rtc/app/helmrelease.yaml b/kubernetes/main/apps/default/go2rtc/app/helmrelease.yaml index 7c5d60a603536..a8e0e61502a76 100644 --- a/kubernetes/main/apps/default/go2rtc/app/helmrelease.yaml +++ b/kubernetes/main/apps/default/go2rtc/app/helmrelease.yaml @@ -33,7 +33,7 @@ spec: app: image: repository: ghcr.io/alexxit/go2rtc - tag: 1.9.7@sha256:41fc2431fc3c867364ab7c8d935d2bddd9736597694afd3a983fe14c175347e8 + tag: 1.9.8@sha256:eafcc3bad6c24ebc6d349c8c98a72b5cd5145d8f580452aed9fec20da9e6c6dd probes: liveness: &probes enabled: true diff --git a/kubernetes/main/apps/default/home-assistant/app/helmrelease.yaml b/kubernetes/main/apps/default/home-assistant/app/helmrelease.yaml index a6a30c4e4d9bf..8c645c042be46 100644 --- a/kubernetes/main/apps/default/home-assistant/app/helmrelease.yaml +++ b/kubernetes/main/apps/default/home-assistant/app/helmrelease.yaml @@ -34,7 +34,7 @@ spec: app: image: repository: ghcr.io/onedr0p/home-assistant - tag: 2024.12.5@sha256:638e519c874a06389ce6f03e435dd80a6697e8692eac88b459775839410f3439 + tag: 2025.1.0@sha256:a3e6b1301107c5ca4dd3e1e7fa25edd0618acc9f812c75674cce7481fb05c759 env: TZ: America/New_York HASS_HTTP_TRUSTED_PROXY_1: 192.168.42.0/24 @@ -119,3 +119,7 @@ spec: type: emptyDir globalMounts: - path: /tmp + venv: + type: emptyDir + globalMounts: + - path: /config/.venv 
diff --git a/kubernetes/main/apps/default/jellyseerr/app/helmrelease.yaml b/kubernetes/main/apps/default/jellyseerr/app/helmrelease.yaml index df0ecd7a44621..dfbfb19748a86 100644 --- a/kubernetes/main/apps/default/jellyseerr/app/helmrelease.yaml +++ b/kubernetes/main/apps/default/jellyseerr/app/helmrelease.yaml @@ -34,7 +34,7 @@ spec: app: image: repository: docker.io/fallenbagel/jellyseerr - tag: 2.1.0@sha256:af5563771964282e5bfb6a4f30b05c75c8d30661a920f0399086f575217d0573 + tag: 2.2.3@sha256:a324fa4d81cce73116801bee3c50b632f3457c0ca0ad31aa692c640e22f50dea env: TZ: America/New_York LOG_LEVEL: "info" diff --git a/kubernetes/main/apps/default/pinchflat/app/helmrelease.yaml b/kubernetes/main/apps/default/pinchflat/app/helmrelease.yaml index f2b850df73ea0..66b9c9e988d41 100644 --- a/kubernetes/main/apps/default/pinchflat/app/helmrelease.yaml +++ b/kubernetes/main/apps/default/pinchflat/app/helmrelease.yaml @@ -34,7 +34,7 @@ spec: app: image: repository: ghcr.io/kieraneglin/pinchflat - tag: v2024.12.10@sha256:2ea6c9d0c17e97df9862406e5bbd99e448c967571155aaa44e9a37efbef878e8 + tag: v2025.1.3@sha256:76a7e717d9001563fffe36f58a590c4ba5797ec1f1d6ee6979a791d176553b40 env: TZ: America/New_York TZ_DATA_DIR: /tmp/elixir_tz_data diff --git a/kubernetes/main/apps/default/plex/app/helmrelease.yaml b/kubernetes/main/apps/default/plex/app/helmrelease.yaml index b599f903faa7b..e674590f9832e 100644 --- a/kubernetes/main/apps/default/plex/app/helmrelease.yaml +++ b/kubernetes/main/apps/default/plex/app/helmrelease.yaml @@ -36,7 +36,7 @@ spec: app: image: repository: ghcr.io/onedr0p/plex - tag: 1.41.3.9314-a0bfb8370@sha256:38fcbef239341db591f8ff87f20777d9a783b79f757fc42e360041d7ba78eada + tag: 1.41.3.9314-a0bfb8370@sha256:4e004defdf450e5d86ce8c29f2dc62fa95fa12dfaae52fd36c948427eb186952 env: TZ: America/New_York PLEX_ADVERTISE_URL: https://plex.devbu.io:443,http://192.168.42.128:32400 
diff --git a/kubernetes/main/apps/default/plex/ks.yaml b/kubernetes/main/apps/default/plex/ks.yaml index 1476d21df7ad3..bac9fd72717df 100644 --- a/kubernetes/main/apps/default/plex/ks.yaml +++ b/kubernetes/main/apps/default/plex/ks.yaml @@ -25,8 +25,8 @@ spec: substitute: APP: *app GATUS_PATH: /web/index.html - VOLSYNC_CAPACITY: 30Gi - VOLSYNC_CACHE_CAPACITY: 12Gi + VOLSYNC_CAPACITY: 50Gi + VOLSYNC_CACHE_CAPACITY: 25Gi --- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 diff --git a/kubernetes/main/apps/default/prowlarr/app/helmrelease.yaml b/kubernetes/main/apps/default/prowlarr/app/helmrelease.yaml index f022a765998c5..f0b3471a53c6d 100644 --- a/kubernetes/main/apps/default/prowlarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/default/prowlarr/app/helmrelease.yaml @@ -34,7 +34,7 @@ spec: app: image: repository: ghcr.io/onedr0p/prowlarr-develop - tag: 1.29.0.4897@sha256:7ce899a3aede6e505e395bcf0f7a6749b25b57b69e1a355bd39dc7f60a25985e + tag: 1.29.2.4915@sha256:b258cc8fe38a25af3742964a2d5a749c645562b3433ef79aa5e1748070ca99d3 env: PROWLARR__APP__INSTANCENAME: Prowlarr PROWLARR__APP__THEME: dark diff --git a/kubernetes/main/apps/default/qbittorrent/app/helmrelease.yaml b/kubernetes/main/apps/default/qbittorrent/app/helmrelease.yaml index e709cc3f2b735..9a2764f94979e 100644 --- a/kubernetes/main/apps/default/qbittorrent/app/helmrelease.yaml +++ b/kubernetes/main/apps/default/qbittorrent/app/helmrelease.yaml @@ -33,8 +33,8 @@ spec: containers: app: image: - repository: ghcr.io/onedr0p/qbittorrent-beta - tag: 5.0.3@sha256:4b9de3356475bd97fda3fb4d98f213e8d139aef15e7bd20dab72973e661901dd + repository: ghcr.io/onedr0p/qbittorrent + tag: 5.0.3@sha256:3d62f065290ae77a10c7f7deaef7bc857068feff89503773707d2dae339b66c6 env: TZ: America/New_York QBT_WEBUI_PORT: &port 80 
diff --git a/kubernetes/main/apps/default/qbittorrent/tools/helmrelease.yaml b/kubernetes/main/apps/default/qbittorrent/tools/helmrelease.yaml index ea6ff95d81c0d..0850e42b2a7b6 100644 --- a/kubernetes/main/apps/default/qbittorrent/tools/helmrelease.yaml +++ b/kubernetes/main/apps/default/qbittorrent/tools/helmrelease.yaml @@ -40,7 +40,7 @@ spec: tag: &container image: repository: ghcr.io/buroa/qbtools - tag: v0.19.12@sha256:4495217b2db28ed0209491419a17959cd463f521dd77b8dc9fa517fcefc40992 + tag: v0.19.14@sha256:905617dfc1a8aa1510381d8e177cc5581a49bfa9d56f3f05e0574f6c83987d3c env: QBITTORRENT_HOST: qbittorrent.default.svc.cluster.local QBITTORRENT_PORT: 80 diff --git a/kubernetes/main/apps/default/radarr/app/helmrelease.yaml b/kubernetes/main/apps/default/radarr/app/helmrelease.yaml index c0009da886acc..62ccdc88b2205 100644 --- a/kubernetes/main/apps/default/radarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/default/radarr/app/helmrelease.yaml @@ -34,7 +34,7 @@ spec: app: image: repository: ghcr.io/onedr0p/radarr-develop - tag: 5.17.0.9555@sha256:d29684557a373f6efd8ac98f0b7b3007264599d3d83160bdaef9366a3b4f5d5a + tag: 5.17.2.9580@sha256:67f345c91d1e0eab27f73044702892b01228b2425562de6110777a7ea4712e34 env: RADARR__APP__INSTANCENAME: Radarr RADARR__APP__THEME: dark diff --git a/kubernetes/main/apps/default/sonarr/app/helmrelease.yaml b/kubernetes/main/apps/default/sonarr/app/helmrelease.yaml index 7e722ca7bf32e..3d0bfc78f288b 100644 --- a/kubernetes/main/apps/default/sonarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/default/sonarr/app/helmrelease.yaml @@ -34,7 +34,7 @@ spec: app: image: repository: ghcr.io/onedr0p/sonarr-develop - tag: 4.0.11.2804@sha256:cb7d3b0cd6f465868df6b88bfa78d52899b9955ced2bf03720eccc3fba402635 + tag: 4.0.12.2825@sha256:ae7efba78efc1d4923578f97933e206dcdf43fb1fd2533cfa3be77ab6d0e74b1 env: SONARR__APP__INSTANCENAME: Sonarr SONARR__APP__THEME: dark 
diff --git a/kubernetes/main/apps/default/zigbee/app/helmrelease.yaml b/kubernetes/main/apps/default/zigbee/app/helmrelease.yaml index 76a453c219f6e..70cfd34cb96f1 100644 --- a/kubernetes/main/apps/default/zigbee/app/helmrelease.yaml +++ b/kubernetes/main/apps/default/zigbee/app/helmrelease.yaml @@ -34,27 +34,20 @@ spec: app: image: repository: ghcr.io/koenkk/zigbee2mqtt - tag: 1.42.0@sha256:732ae43d714610040bd049487b60af3b2dbcfdefb5f169897455b60d715e2131 + tag: 2.0.0@sha256:6105a3a01a66bbfb98909a7c309d0707ec7b41728ac15d399747077225231545 env: TZ: America/New_York ZIGBEE2MQTT_DATA: /config - ZIGBEE2MQTT_CONFIG_ADVANCED_HOMEASSISTANT_DISCOVERY_TOPIC: homeassistant - ZIGBEE2MQTT_CONFIG_ADVANCED_HOMEASSISTANT_LEGACY_ENTITY_ATTRIBUTES: "false" - ZIGBEE2MQTT_CONFIG_ADVANCED_HOMEASSISTANT_LEGACY_TRIGGERS: "false" - ZIGBEE2MQTT_CONFIG_ADVANCED_HOMEASSISTANT_STATUS_TOPIC: homeassistant/status ZIGBEE2MQTT_CONFIG_ADVANCED_LAST_SEEN: ISO_8601 - ZIGBEE2MQTT_CONFIG_ADVANCED_LEGACY_API: "false" - ZIGBEE2MQTT_CONFIG_ADVANCED_LEGACY_AVAILABILITY_PAYLOAD: "false" ZIGBEE2MQTT_CONFIG_ADVANCED_LOG_LEVEL: info # debug ZIGBEE2MQTT_CONFIG_ADVANCED_LOG_OUTPUT: '["console"]' ZIGBEE2MQTT_CONFIG_AVAILABILITY_ACTIVE_TIMEOUT: 60 ZIGBEE2MQTT_CONFIG_AVAILABILITY_PASSIVE_TIMEOUT: 2000 - ZIGBEE2MQTT_CONFIG_DEVICE_OPTIONS_LEGACY: "false" ZIGBEE2MQTT_CONFIG_DEVICE_OPTIONS_RETAIN: "true" - ZIGBEE2MQTT_CONFIG_EXPERIMENTAL_NEW_API: "true" ZIGBEE2MQTT_CONFIG_FRONTEND_PORT: &port 80 ZIGBEE2MQTT_CONFIG_FRONTEND_URL: https://zigbee.devbu.io - ZIGBEE2MQTT_CONFIG_HOMEASSISTANT: "true" + ZIGBEE2MQTT_CONFIG_HOMEASSISTANT_DISCOVERY_TOPIC: homeassistant + ZIGBEE2MQTT_CONFIG_HOMEASSISTANT_STATUS_TOPIC: homeassistant/status ZIGBEE2MQTT_CONFIG_MQTT_INCLUDE_DEVICE_INFORMATION: "true" ZIGBEE2MQTT_CONFIG_MQTT_KEEPALIVE: 60 ZIGBEE2MQTT_CONFIG_MQTT_REJECT_UNAUTHORIZED: "true" 
@@ -64,6 +57,7 @@ spec: ZIGBEE2MQTT_CONFIG_SERIAL_BAUDRATE: 115200 ZIGBEE2MQTT_CONFIG_SERIAL_DISABLE_LED: "false" ZIGBEE2MQTT_CONFIG_SERIAL_PORT: tcp://192.168.1.90:6638 + ZIGBEE2MQTT_CONFIG_SERIAL_ADAPTER: zstack # DEBUG: "zigbee-herdsman*" envFrom: - secretRef: @@ -81,7 +75,9 @@ spec: securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } + capabilities: + drop: ["ALL"] + add: ["NET_BIND_SERVICE"] resources: requests: cpu: 10m diff --git a/kubernetes/main/apps/kube-system/cilium/app/helm-values.yaml b/kubernetes/main/apps/kube-system/cilium/app/helm-values.yaml index e99a32e68cfd5..0785bc4063320 100644 --- a/kubernetes/main/apps/kube-system/cilium/app/helm-values.yaml +++ b/kubernetes/main/apps/kube-system/cilium/app/helm-values.yaml @@ -35,7 +35,6 @@ kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 l2announcements: enabled: true loadBalancer: - acceleration: best-effort algorithm: maglev mode: dsr localRedirectPolicy: true diff --git a/kubernetes/main/apps/kube-system/descheduler/app/helmrelease.yaml b/kubernetes/main/apps/kube-system/descheduler/app/helmrelease.yaml index cdaf203da5c09..11a02c5154e30 100644 --- a/kubernetes/main/apps/kube-system/descheduler/app/helmrelease.yaml +++ b/kubernetes/main/apps/kube-system/descheduler/app/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: descheduler - version: 0.31.0 + version: 0.32.1 sourceRef: kind: HelmRepository name: descheduler diff --git a/kubernetes/main/apps/kube-system/intel-device-plugin/app/helmrelease.yaml b/kubernetes/main/apps/kube-system/intel-device-plugin/app/helmrelease.yaml index 2b1231b513d33..57af12fe6c22a 100644 --- a/kubernetes/main/apps/kube-system/intel-device-plugin/app/helmrelease.yaml +++ b/kubernetes/main/apps/kube-system/intel-device-plugin/app/helmrelease.yaml @@ -27,3 +27,6 @@ spec: dependsOn: - name: node-feature-discovery namespace: kube-system + values: + controllerExtraArgs: | + - --devices=gpu 
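Review bot: Adding `NET_BIND_SERVICE` to `capabilities.add` weakens the `drop: ["ALL"]` posture solely so zigbee2mqtt 2.0 can listen on `ZIGBEE2MQTT_CONFIG_FRONTEND_PORT: &port 80`; the less privileged fix is to move the frontend to an unprivileged port (for example `8080`) and keep port 80 at the Service, leaving the capability set empty. Note also that with `allowPrivilegeEscalation: false` and a non-root `runAsUser` (the pod-level securityContext is outside this hunk), an added capability only enters the bounding set — a non-root process does not actually gain it unless the binary carries file capabilities — so if this works today it may be because the container runs as UID 0, which is worth confirming. If the capability has to stay, a comment above it such as `# zigbee2mqtt 2.x frontend binds :80 directly` will keep it from being dropped as noise later.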
diff --git a/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml b/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml deleted file mode 100644 index b03541bff2f9d..0000000000000 --- a/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -replicas: 1 -providerRegex: ^k8s-\d$ -bypassDnsResolution: true -metrics: - enable: true - serviceMonitor: - enabled: true diff --git a/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml b/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml deleted file mode 100644 index 30dddafcbad8e..0000000000000 --- a/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml -configMapGenerator: - - name: kubelet-csr-approver-helm-values - files: - - values.yaml=./helm-values.yaml -configurations: - - kustomizeconfig.yaml diff --git a/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml b/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml deleted file mode 100644 index 58f92ba1530f1..0000000000000 --- a/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -nameReference: - - kind: ConfigMap - version: v1 - fieldSpecs: - - path: spec/valuesFrom/name - kind: HelmRelease diff --git a/kubernetes/main/apps/kube-system/kubelet-csr-approver/ks.yaml b/kubernetes/main/apps/kube-system/kubelet-csr-approver/ks.yaml deleted file mode 100644 index 5cd053bfe13ed..0000000000000 --- a/kubernetes/main/apps/kube-system/kubelet-csr-approver/ks.yaml +++ /dev/null 
@@ -1,20 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app kubelet-csr-approver
- namespace: flux-system
-spec:
- targetNamespace: kube-system
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/kube-system/kubelet-csr-approver/app
- prune: false # never should be deleted
- sourceRef:
- kind: GitRepository
- name: home-kubernetes
- wait: false
- interval: 30m
- timeout: 5m
diff --git a/kubernetes/main/apps/kube-system/kustomization.yaml b/kubernetes/main/apps/kube-system/kustomization.yaml
index 72c923a374fda..7970c52c36b74 100644
--- a/kubernetes/main/apps/kube-system/kustomization.yaml
+++ b/kubernetes/main/apps/kube-system/kustomization.yaml
@@ -12,7 +12,6 @@ resources:
 - ./descheduler/ks.yaml
 - ./fstrim/ks.yaml
 - ./intel-device-plugin/ks.yaml
- - ./kubelet-csr-approver/ks.yaml
 - ./metrics-server/ks.yaml
 - ./node-feature-discovery/ks.yaml
 - ./reloader/ks.yaml
diff --git a/kubernetes/main/apps/kube-system/metrics-server/app/helmrelease.yaml b/kubernetes/main/apps/kube-system/metrics-server/app/helmrelease.yaml
index fb272c6a38452..59538154ec532 100644
--- a/kubernetes/main/apps/kube-system/metrics-server/app/helmrelease.yaml
+++ b/kubernetes/main/apps/kube-system/metrics-server/app/helmrelease.yaml
@@ -23,6 +23,12 @@ spec:
 strategy: rollback
 retries: 3
 values:
+ args:
+ - --kubelet-insecure-tls
+ - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+ - --kubelet-use-node-status-port
+ - --metric-resolution=10s
+ - --kubelet-request-timeout=2s
 metrics:
 enabled: true
 serviceMonitor:
diff --git a/kubernetes/main/apps/network/nginx/external/helmrelease.yaml b/kubernetes/main/apps/network/nginx/external/helmrelease.yaml
index 32a93bbc7c2d5..d801789396158 100644
--- a/kubernetes/main/apps/network/nginx/external/helmrelease.yaml
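Review bot: `--kubelet-insecure-tls` makes metrics-server accept whatever serving certificate a kubelet presents, so the scrape channel stays encrypted but the kubelet end is no longer authenticated. Read together with the removal of `rotate-server-certificates: "true"` from the kubelet extraArgs in the three Talos machine configs (192.168.42.10/.11/.12.sops.yaml.j2) and the deletion of kubelet-csr-approver, the cluster moves from approver-signed kubelet serving certificates to self-signed ones that nothing checks, and the resource metrics behind `kubectl top` and any HPA are then only as trustworthy as the node network. If retiring the approver is the intent, record it at the flag so it is not later read as a leftover workaround, e.g. `- --kubelet-insecure-tls  # kubelet serving certs are self-signed since the CSR approver was removed`; otherwise keep serving-cert rotation and approval and drop only this flag, leaving the address-type and timing flags as they are.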
+++ b/kubernetes/main/apps/network/nginx/external/helmrelease.yaml
@@ -9,7 +9,7 @@ spec:
 chart:
 spec:
 chart: ingress-nginx
- version: 4.11.3
+ version: 4.12.0
 sourceRef:
 kind: HelmRepository
 name: ingress-nginx
@@ -40,8 +40,9 @@ spec:
 - key: ingress-class
 operator: In
 values: ["external"]
- allowSnippetAnnotations: true
 config:
+ allow-snippet-annotations: true
+ annotations-risk-level: Critical
 block-user-agents: "AdsBot-Google,Amazonbot,anthropic-ai,Applebot-Extended,Bytespider,CCBot,ChatGPT-User,ClaudeBot,Claude-Web,cohere-ai,Diffbot,FacebookBot,FriendlyCrawler,Google-Extended,GoogleOther,GPTBot,img2dataset,omgili,omgilibot,peer39_crawler,peer39_crawler/1.0,PerplexityBot,YouBot," # taken from https://github.com/ai-robots-txt/ai.robots.txt
 client-body-buffer-size: 100M
 client-body-timeout: 120
@@ -66,7 +67,6 @@ spec:
 proxy-body-size: 0
 proxy-buffer-size: 16k
 ssl-protocols: TLSv1.3 TLSv1.2
- use-geoip2: true
 use-forwarded-headers: "true"
 metrics:
 enabled: true
diff --git a/kubernetes/main/apps/network/nginx/internal/helmrelease.yaml b/kubernetes/main/apps/network/nginx/internal/helmrelease.yaml
index bf4ae9b8d5b17..19e01c6f42495 100644
--- a/kubernetes/main/apps/network/nginx/internal/helmrelease.yaml
+++ b/kubernetes/main/apps/network/nginx/internal/helmrelease.yaml
@@ -9,7 +9,7 @@ spec:
 chart:
 spec:
 chart: ingress-nginx
- version: 4.11.3
+ version: 4.12.0
 sourceRef:
 kind: HelmRepository
 name: ingress-nginx
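Review bot: `allow-snippet-annotations: true` together with `annotations-risk-level: Critical` opts the controller out of the tighter defaults that arrive with the 4.12 chart (snippets off and risk level High, as I read that release) and restores the ability to push raw NGINX configuration into the controller through Ingress annotations; because the controller reads Secrets cluster-wide, anyone who can create an Ingress in any namespace inherits that reach. It carries over what the removed `allowSnippetAnnotations: true` already permitted, so it is a deliberate choice rather than a regression, but the reason belongs next to the key, e.g. `annotations-risk-level: Critical  # required by the <annotation> snippet on <Ingress>`, and if only a High-level annotation is actually in use the default level suffices. Where snippets must stay enabled, pairing them with RBAC or an admission policy that restricts who may create Ingress objects bounds the exposure. The same two lines are added to the internal controller's helmrelease further down in this diff.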
@@ -40,8 +40,9 @@ spec: - key: ingress-class operator: In values: ["internal"] - allowSnippetAnnotations: true config: + allow-snippet-annotations: true + annotations-risk-level: Critical block-user-agents: "AdsBot-Google,Amazonbot,anthropic-ai,Applebot-Extended,Bytespider,CCBot,ChatGPT-User,ClaudeBot,Claude-Web,cohere-ai,Diffbot,FacebookBot,FriendlyCrawler,Google-Extended,GoogleOther,GPTBot,img2dataset,omgili,omgilibot,peer39_crawler,peer39_crawler/1.0,PerplexityBot,YouBot," # taken from https://github.com/ai-robots-txt/ai.robots.txt client-body-buffer-size: 100M client-body-timeout: 120 diff --git a/kubernetes/main/apps/observability/kube-prometheus-stack/app/alertmanagerconfig.yaml b/kubernetes/main/apps/observability/kube-prometheus-stack/app/alertmanagerconfig.yaml index 642cf0528daf0..518a7908ea5a1 100644 --- a/kubernetes/main/apps/observability/kube-prometheus-stack/app/alertmanagerconfig.yaml +++ b/kubernetes/main/apps/observability/kube-prometheus-stack/app/alertmanagerconfig.yaml @@ -76,7 +76,7 @@ spec: title: >- [{{ .Status | toUpper }}{{ if eq .Status "firing" }}:{{ .Alerts.Firing | len }}{{ end }}] {{ .CommonLabels.alertname }} - ttl: 3600s + ttl: 86400s token: name: *secret key: ALERTMANAGER_PUSHOVER_TOKEN diff --git a/kubernetes/main/apps/observability/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/main/apps/observability/kube-prometheus-stack/app/helmrelease.yaml index e26114569e3af..b3ebfa18795dd 100644 --- a/kubernetes/main/apps/observability/kube-prometheus-stack/app/helmrelease.yaml +++ b/kubernetes/main/apps/observability/kube-prometheus-stack/app/helmrelease.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: kube-prometheus-stack - version: 67.5.0 + version: 67.8.0 sourceRef: kind: HelmRepository name: prometheus-community @@ -25,7 +25,7 @@ spec: strategy: rollback retries: 3 dependsOn: - - name: prometheus-operator-crds + - name: kube-prometheus-stack-crds namespace: observability - name: rook-ceph-cluster namespace: rook-ceph 
diff --git a/kubernetes/main/apps/observability/prometheus-operator-crds/app/helmrelease.yaml b/kubernetes/main/apps/observability/kube-prometheus-stack/crds/helmrelease.yaml
similarity index 93%
rename from kubernetes/main/apps/observability/prometheus-operator-crds/app/helmrelease.yaml
rename to kubernetes/main/apps/observability/kube-prometheus-stack/crds/helmrelease.yaml
index da0f397aeda05..d426472c7665d 100644
--- a/kubernetes/main/apps/observability/prometheus-operator-crds/app/helmrelease.yaml
+++ b/kubernetes/main/apps/observability/kube-prometheus-stack/crds/helmrelease.yaml
@@ -3,7 +3,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
- name: prometheus-operator-crds
+ name: kube-prometheus-stack-crds
 spec:
 interval: 30m
 chart:
diff --git a/kubernetes/main/apps/observability/prometheus-operator-crds/app/kustomization.yaml b/kubernetes/main/apps/observability/kube-prometheus-stack/crds/kustomization.yaml
similarity index 100%
rename from kubernetes/main/apps/observability/prometheus-operator-crds/app/kustomization.yaml
rename to kubernetes/main/apps/observability/kube-prometheus-stack/crds/kustomization.yaml
diff --git a/kubernetes/main/apps/observability/kube-prometheus-stack/ks.yaml b/kubernetes/main/apps/observability/kube-prometheus-stack/ks.yaml
index 1e119a5c34a46..4b8f4f0ddfdc3 100644
--- a/kubernetes/main/apps/observability/kube-prometheus-stack/ks.yaml
+++ b/kubernetes/main/apps/observability/kube-prometheus-stack/ks.yaml
@@ -24,3 +24,23 @@ spec:
 substitute:
 APP: *app
 GATUS_SUBDOMAIN: prometheus
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app kube-prometheus-stack-crds
+ namespace: flux-system
+spec:
+ targetNamespace: observability
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/main/apps/observability/kube-prometheus-stack/crds
+ prune: false # never should be deleted
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ timeout: 5m
diff --git a/kubernetes/main/apps/observability/kustomization.yaml b/kubernetes/main/apps/observability/kustomization.yaml
index 57cf477ea5720..d7959f650ade4 100644
--- a/kubernetes/main/apps/observability/kustomization.yaml
+++ b/kubernetes/main/apps/observability/kustomization.yaml
@@ -12,8 +12,8 @@ resources:
 - ./kromgo/ks.yaml
 - ./kube-prometheus-stack/ks.yaml
 - ./loki/ks.yaml
- - ./prometheus-operator-crds/ks.yaml
 - ./promtail/ks.yaml
+ - ./silence-operator/ks.yaml
 - ./smartctl-exporter/ks.yaml
 - ./snmp-exporter/ks.yaml
 - ./unpoller/ks.yaml
diff --git a/kubernetes/main/apps/observability/prometheus-operator-crds/ks.yaml b/kubernetes/main/apps/observability/prometheus-operator-crds/ks.yaml
deleted file mode 100644
index 76d2ab43786d6..0000000000000
--- a/kubernetes/main/apps/observability/prometheus-operator-crds/ks.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app prometheus-operator-crds
- namespace: flux-system
-spec:
- targetNamespace: observability
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/observability/prometheus-operator-crds/app
- prune: false # never should be deleted
- sourceRef:
- kind: GitRepository
- name: home-kubernetes
- wait: false
- interval: 30m
- timeout: 5m
diff --git a/kubernetes/main/apps/observability/silence-operator/app/helmrelease.yaml b/kubernetes/main/apps/observability/silence-operator/app/helmrelease.yaml
new file mode 100644
index 0000000000000..2e136ab9725a4
--- /dev/null
+++ b/kubernetes/main/apps/observability/silence-operator/app/helmrelease.yaml
@@ -0,0 +1,79 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: silence-operator
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: silence-operator
+ version: 0.0.7
+ sourceRef:
+ kind: HelmRepository
+ name: wiremind
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ dependsOn:
+ - name: kube-prometheus-stack
+ namespace: observability
+ - name: silence-operator-crds
+ namespace: observability
+ values:
+ image:
+ name: quay.io/giantswarm/silence-operator
+ operator:
+ config:
+ alertmanager:
+ service:
+ address: http://kube-prometheus-stack-alertmanager:9093
+ rbac:
+ create: true
+ extraDeploy:
+ - apiVersion: monitoring.giantswarm.io/v1alpha1
+ kind: Silence
+ metadata:
+ name: ceph-node-nfsmount-diskspace-warning
+ namespace: observability
+ spec:
+ matchers:
+ - name: alertname
+ value: CephNodeDiskspaceWarning
+ isRegex: false
+ - name: mountpoint
+ value: /etc/nfsmount.conf
+ isRegex: false
+ - apiVersion: monitoring.giantswarm.io/v1alpha1
+ kind: Silence
+ metadata:
+ name: ceph-node-local-diskspace-warning
+ namespace: observability
+ spec:
+ matchers:
+ - name: alertname
+ value: CephNodeDiskspaceWarning
+ isRegex: false
+ - name: device
+ value: /dev/sd.*
+ isRegex: true
+ - apiVersion: monitoring.giantswarm.io/v1alpha1
+ kind: Silence
+ metadata:
+ name: expanse-memory-high-utilization
+ namespace: observability
+ spec:
+ matchers:
+ - name: alertname
+ value: NodeMemoryHighUtilization
+ isRegex: false
+ - name: instance
+ value: expanse.internal:9100
+ isRegex: false
diff --git a/kubernetes/main/apps/observability/silence-operator/app/kustomization.yaml b/kubernetes/main/apps/observability/silence-operator/app/kustomization.yaml
new file mode 100644
index 0000000000000..17cbc72b25c80
--- /dev/null
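Review bot: `image.name: quay.io/giantswarm/silence-operator` sets the image repository without a tag or digest, so the operator version that actually runs is whatever the 0.0.7 chart defaults to, and that is not visible from this file. Other images in this diff are pinned by tag and digest (unpoller's `tag: v2.13.1@sha256:…`), so for the same reproducibility add the chart's tag key beside `name:` (probably `tag:`, check the chart's values) with the version and digest read from the registry, e.g. `tag: <VERSION>@sha256:<DIGEST>` with the placeholders filled in. A short comment on `name:` saying why this particular repository is used would also help the next reader.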
+++ b/kubernetes/main/apps/observability/silence-operator/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml b/kubernetes/main/apps/observability/silence-operator/crds/helmrelease.yaml
similarity index 69%
rename from kubernetes/main/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml
rename to kubernetes/main/apps/observability/silence-operator/crds/helmrelease.yaml
index 7c04bc9f67abf..d8aaf5afc5d25 100644
--- a/kubernetes/main/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml
+++ b/kubernetes/main/apps/observability/silence-operator/crds/helmrelease.yaml
@@ -3,16 +3,16 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
- name: kubelet-csr-approver
+ name: silence-operator-crds
 spec:
 interval: 30m
 chart:
 spec:
- chart: kubelet-csr-approver
- version: 1.2.3
+ chart: silence-operator-crds
+ version: 0.0.2
 sourceRef:
 kind: HelmRepository
- name: postfinance
+ name: wiremind
 namespace: flux-system
 install:
 remediation:
@@ -22,6 +22,3 @@ spec:
 remediation:
 strategy: rollback
 retries: 3
- valuesFrom:
- - kind: ConfigMap
- name: kubelet-csr-approver-helm-values
diff --git a/kubernetes/main/apps/observability/silence-operator/crds/kustomization.yaml b/kubernetes/main/apps/observability/silence-operator/crds/kustomization.yaml
new file mode 100644
index 0000000000000..17cbc72b25c80
--- /dev/null
+++ b/kubernetes/main/apps/observability/silence-operator/crds/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/main/apps/observability/silence-operator/ks.yaml b/kubernetes/main/apps/observability/silence-operator/ks.yaml
new file mode 100644
index 0000000000000..c7fc7b31157fd
--- /dev/null
+++ b/kubernetes/main/apps/observability/silence-operator/ks.yaml
@@ -0,0 +1,40 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app silence-operator
+ namespace: flux-system
+spec:
+ targetNamespace: observability
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/main/apps/observability/silence-operator/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ timeout: 15m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app silence-operator-crds
+ namespace: flux-system
+spec:
+ targetNamespace: observability
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/main/apps/observability/silence-operator/crds
+ prune: false # never should be deleted
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ timeout: 5m
diff --git a/kubernetes/main/apps/observability/smartctl-exporter/app/helmrelease.yaml b/kubernetes/main/apps/observability/smartctl-exporter/app/helmrelease.yaml
index 81a4eee9038fb..6b63596cbc1c6 100644
--- a/kubernetes/main/apps/observability/smartctl-exporter/app/helmrelease.yaml
+++ b/kubernetes/main/apps/observability/smartctl-exporter/app/helmrelease.yaml
@@ -27,12 +27,6 @@ spec:
 namespace: observability
 values:
 fullnameOverride: *app
- config:
- devices:
- - /dev/sda
- - /dev/sdb
- - /dev/nvme0n1
- - /dev/nvme1n1
 serviceMonitor:
 enabled: true
 prometheusRules:
diff --git a/kubernetes/main/apps/observability/unpoller/app/helmrelease.yaml b/kubernetes/main/apps/observability/unpoller/app/helmrelease.yaml
index 2561f3913537f..ce38bd0e66b2b 100644
--- a/kubernetes/main/apps/observability/unpoller/app/helmrelease.yaml
+++ b/kubernetes/main/apps/observability/unpoller/app/helmrelease.yaml
@@ -32,7 +32,7 @@ spec:
 app:
 image:
 repository: ghcr.io/unpoller/unpoller
- tag: v2.11.2@sha256:73b39c0b3b8fa92aa82a7613d3486253ffbd8c057833b4621402a268159bf2a2
+ tag: v2.13.1@sha256:2376aff5e18b8f9fdd618becc2ef668ce31deb4c0e74acc5bea88e6c20c23a39
 env:
 TZ: America/New_York
 UP_UNIFI_DEFAULT_ROLE: home-ops
diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/app/helmrelease.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/app/helmrelease.yaml
index 1dcdda24d8f07..3be59ff6056e8 100644
--- a/kubernetes/main/apps/rook-ceph/rook-ceph/app/helmrelease.yaml
+++ b/kubernetes/main/apps/rook-ceph/rook-ceph/app/helmrelease.yaml
@@ -10,7 +10,7 @@ spec:
 chart:
 spec:
 chart: rook-ceph
- version: v1.15.7
+ version: v1.16.1
 sourceRef:
 kind: HelmRepository
 name: rook-ceph
@@ -28,7 +28,6 @@ spec:
 namespace: volsync-system
 values:
 csi:
- enableVolumeGroupSnapshot: false # TODO: enable this when v1beta1 CRDs are available
 cephFSKernelMountOptions: ms_mode=prefer-crc
 enableLiveness: true
 serviceMonitor:
diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml
index eefddbe979633..7bd8ed2ba927a 100644
--- a/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml
+++ b/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml
@@ -10,7 +10,7 @@ spec:
 chart:
 spec:
 chart: rook-ceph-cluster
- version: v1.15.7
+ version: v1.16.1
 sourceRef:
 kind: HelmRepository
 name: rook-ceph
@@ -46,8 +46,6 @@ spec:
 bdev_async_discard = true
 osd_class_update_on_start = false
 cephClusterSpec:
- cephVersion:
- image: quay.io/ceph/ceph:v19.2.0 # TODO: Remove when Rook is updated >= v19.2.0
 crashCollector:
 disable: false
 csi:
@@ -76,19 +74,11 @@ spec:
 devicePathFilter: /dev/disk/by-id/nvme-Micron_7450_MTFDKBA800TFS_.*
 config:
 osdsPerDevice: "1"
- placement:
- mgr: &placement
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: node-role.kubernetes.io/control-plane
- operator: Exists
- mon: *placement
 cephBlockPools:
 - name: ceph-blockpool
 spec:
 failureDomain: host
+ enableRBDStats: true
 replicated:
 size: 3
 storageClass:
@@ -103,11 +93,11 @@ spec:
 imageFormat: "2"
 imageFeatures: layering,fast-diff,object-map,deep-flatten,exclusive-lock
 csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
- csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
+ csi.storage.k8s.io/provisioner-secret-namespace: "{{ .Release.Namespace }}"
 csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
- csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
+ csi.storage.k8s.io/controller-expand-secret-namespace: "{{ .Release.Namespace }}"
 csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
- csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
+ csi.storage.k8s.io/node-stage-secret-namespace: "{{ .Release.Namespace }}"
 csi.storage.k8s.io/fstype: ext4
 cephBlockPoolsVolumeSnapshotClass:
 enabled: true
@@ -154,11 +144,11 @@ spec:
 volumeBindingMode: Immediate
 parameters:
 csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
- csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
+ csi.storage.k8s.io/provisioner-secret-namespace: "{{ .Release.Namespace }}"
 csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
- csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
+ csi.storage.k8s.io/controller-expand-secret-namespace: "{{ .Release.Namespace }}"
 csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
- csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
+ csi.storage.k8s.io/node-stage-secret-namespace: "{{ .Release.Namespace }}"
 csi.storage.k8s.io/fstype: ext4
 cephFileSystemVolumeSnapshotClass:
 enabled: true
diff --git a/kubernetes/main/bootstrap/apps/helmfile.yaml b/kubernetes/main/bootstrap/apps/helmfile.yaml
index 6ac962c49326a..2c792a8aa4bd7 100644
--- a/kubernetes/main/bootstrap/apps/helmfile.yaml
+++ b/kubernetes/main/bootstrap/apps/helmfile.yaml
@@ -18,42 +18,40 @@ repositories: - name: coredns url: https://coredns.github.io/helm - - name: postfinance - url: https://postfinance.github.io/kubelet-csr-approver - releases: - - name: prometheus-operator-crds + - name: kube-prometheus-stack-crds namespace: observability chart: oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds version: 17.0.2 - - name: cilium - namespace: kube-system + - name: &name cilium + namespace: &namespace kube-system chart: cilium/cilium version: 1.16.5 - values: ["../../apps/kube-system/cilium/app/helm-values.yaml"] - needs: ["observability/prometheus-operator-crds"] - - - name: coredns - namespace: kube-system + values: + - ../../apps/kube-system/cilium/app/helm-values.yaml + - commonLabels: + helm.toolkit.fluxcd.io/name: *name + helm.toolkit.fluxcd.io/namespace: *namespace + needs: ["observability/kube-prometheus-stack-crds"] + + - name: &name coredns + namespace: &namespace kube-system chart: coredns/coredns version: 1.37.0 - values: ["../../apps/kube-system/coredns/app/helm-values.yaml"] + values: + - ../../apps/kube-system/coredns/app/helm-values.yaml + - customLabels: + helm.toolkit.fluxcd.io/name: *name + helm.toolkit.fluxcd.io/namespace: *namespace needs: ["kube-system/cilium"] - - name: kubelet-csr-approver - namespace: kube-system - chart: postfinance/kubelet-csr-approver - version: 1.2.3 - values: ["../../apps/kube-system/kubelet-csr-approver/app/helm-values.yaml"] - needs: ["kube-system/coredns"] - - name: spegel namespace: kube-system chart: oci://ghcr.io/spegel-org/helm-charts/spegel version: v0.0.28 values: ["../../apps/kube-system/spegel/app/helm-values.yaml"] - needs: ["kube-system/kubelet-csr-approver"] + needs: ["kube-system/coredns"] - name: flux-operator namespace: flux-system diff --git a/kubernetes/main/talos/192.168.42.10.sops.yaml.j2 b/kubernetes/main/talos/192.168.42.10.sops.yaml.j2 index 6fece96b00695..a6e00dcb7da43 100644 --- a/kubernetes/main/talos/192.168.42.10.sops.yaml.j2 
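Review bot: `&name` and `&namespace` are each defined twice in the same YAML document (first on the cilium release, then again on coredns). YAML allows redefining an anchor and an alias binds to the most recent definition, so the labels render correctly today, but yamllint's `anchors` rule with `forbid-duplicated-anchors` rejects it, and a later reordering of the releases would silently rebind the coredns labels to another release. Per-release anchors such as `- name: &cilium_name cilium` / `namespace: &cilium_ns kube-system` keep the aliases unambiguous. If the new `commonLabels`/`customLabels` entries exist so the Flux HelmReleases can adopt the bootstrap releases, a one-line comment above them saying so would spare the next reader the guess.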
+++ b/kubernetes/main/talos/192.168.42.10.sops.yaml.j2
@@ -10,8 +10,6 @@ machine:
 certSANs: ["127.0.0.1", "192.168.42.120"]
 kubelet:
 image: ghcr.io/siderolabs/kubelet:{{ ENV.KUBERNETES_VERSION }}
- extraArgs:
- rotate-server-certificates: "true"
 extraConfig:
 maxPods: 150
 extraMounts:
@@ -158,8 +156,6 @@ cluster:
 key: ENC[AES256_GCM,data:akOr7oagliAbfUX3mdd+D6Tn/7eME8v+3ls7/ja4zI0xltAdvh9pq4UL9PpAWiVOKE3jNC5vJHmMVCtJZRsIdt+kJbEBuRKX/bd6W4DXkd6Ri/cXikBkF0SSSrXME1L33UmrNcOT4jFGCsr3Qy10gIjalpmvI0bIHZxF0wFs2YWZneMbeLR+58GVUsFueEHSrnnVKkpd2ZPUM5w38RoQHfoWv8R7/T13dXofa9aSgPZ8HQ63NZF/8GslF6/82R22MWSLdXUHoUQhsSUmHbhDLQ5aSfGWMIiU2klmYI6kb48yTtm+9B5Xd0A4NtXTZQ8uBhkB/GGzmTJyx+vKmtPS2VFQGJpLh2IkaicVqr/GAc+r74Ahdxg4Vz5B0ueEFACew7plCAGUUz6UJ/tE++hy8w==,iv:3FbFJ09BPXA++YhtHbOuyR9tBziGFnKnazUX1sVklzM=,tag:bE6473jL29Xrx2I+MFvghA==,type:str]
 apiServer:
 image: registry.k8s.io/kube-apiserver:{{ ENV.KUBERNETES_VERSION }}
- extraArgs:
- feature-gates: AuthorizeNodeWithSelectors=false
 certSANs: ["127.0.0.1", "192.168.42.120"]
 disablePodSecurityPolicy: true
 auditPolicy:
@@ -182,6 +178,10 @@ cluster:
 kind: KubeSchedulerConfiguration
 profiles:
 - schedulerName: default-scheduler
+ plugins:
+ score:
+ disabled:
+ - name: ImageLocality
 pluginConfig:
 - name: PodTopologySpread
 args:
@@ -190,13 +190,6 @@ cluster:
 - maxSkew: 1
 topologyKey: kubernetes.io/hostname
 whenUnsatisfiable: ScheduleAnyway
- discovery:
- enabled: true
- registries:
- kubernetes:
- disabled: false
- service:
- disabled: true
 etcd:
 ca:
 crt: ENC[AES256_GCM,data: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,iv:pAf/7pi0GxQJRPzJJxN4qrrHzOWwu8+YSOZH+JWJlqo=,tag:xTU2uxtrpTDDyiqkoVmkVw==,type:str]
@@ -204,7 +197,7 @@ cluster:
 extraArgs:
 listen-metrics-urls: http://0.0.0.0:2381
 advertisedSubnets: ["192.168.42.0/24"]
- allowSchedulingOnMasters: true
+ allowSchedulingOnControlPlanes: true
 sops:
 kms: []
 gcp_kms: []
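Review bot: dropping the whole `discovery:` block (hunk `@@ -190,13 +190,6 @@`, repeated in the 192.168.42.11 and .12 configs) is not a no-op if this template is the complete machine config: with `cluster.discovery` absent, Talos applies its own defaults, which as I recall them enable the external discovery service registry (discovery.talos.dev) and disable the Kubernetes registry — the inverse of what the removed lines configured. If the goal is to stop using discovery altogether, keep an explicit `discovery:` with `enabled: false`; if the external registry is now wanted, a comment saying so would stop the next reader from assuming the old settings still apply. Either way, confirming the effective values in the generated config (`talosctl get discoveryconfig` or the rendered machine config) before applying is worth the minute.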
diff --git a/kubernetes/main/talos/192.168.42.11.sops.yaml.j2 b/kubernetes/main/talos/192.168.42.11.sops.yaml.j2
index 2f8e122261ac8..32fe1fcc70303 100644
--- a/kubernetes/main/talos/192.168.42.11.sops.yaml.j2
+++ b/kubernetes/main/talos/192.168.42.11.sops.yaml.j2
@@ -10,8 +10,6 @@ machine:
 certSANs: ["127.0.0.1", "192.168.42.120"]
 kubelet:
 image: ghcr.io/siderolabs/kubelet:{{ ENV.KUBERNETES_VERSION }}
- extraArgs:
- rotate-server-certificates: "true"
 extraConfig:
 maxPods: 150
 extraMounts:
@@ -158,8 +156,6 @@ cluster:
 key: ENC[AES256_GCM,data:kZGwFVh9SyraDajIKpda6j4d+FE6nr0FhgL2HD7hezMk1DkkINqZ5BEARzviQfJuw1o2GB2AK7Du5sv5N48bUDp6w6KpGOoU7UL/tTABrOVw7VOye9gB1aBqb/sHRlX2osrAbdBHiepm9tk81OVpCwptBM6zmSoOXX84IWI37g08vfdGZjBXZ6dAD3vgHzSAsNFaEzhVTfsP1nw12FrxHh/Xu/OLSE5lPKI8xVyRvQ7pueyoLVjNbTNZg3akboh5h3FHT39sUu7rqn2N3iBMAGlIg3gWASOq/KA0uFH1cjWoikzMXqS/FMI466LaGuzNWDuQcg+0VRO0ZZ7NoroKgNbxqW2Lxlb/T2XDpj5hRgyHEh7cbpaVlC2WOdCSQxakctpQzCHj6iCovq0ZtTzGgQ==,iv:lEpxqom+Q6cMn7JfliqaQFwc1hizXN1f9pUXgvh456A=,tag:+5aXImcQSafJtSZtpsWkzQ==,type:str]
 apiServer:
 image: registry.k8s.io/kube-apiserver:{{ ENV.KUBERNETES_VERSION }}
- extraArgs:
- feature-gates: AuthorizeNodeWithSelectors=false
 certSANs: ["127.0.0.1", "192.168.42.120"]
 disablePodSecurityPolicy: true
 auditPolicy:
@@ -182,6 +178,10 @@ cluster:
 kind: KubeSchedulerConfiguration
 profiles:
 - schedulerName: default-scheduler
+ plugins:
+ score:
+ disabled:
+ - name: ImageLocality
 pluginConfig:
 - name: PodTopologySpread
 args:
@@ -190,13 +190,6 @@ cluster:
 - maxSkew: 1
 topologyKey: kubernetes.io/hostname
 whenUnsatisfiable: ScheduleAnyway
- discovery:
- enabled: true
- registries:
- kubernetes:
- disabled: false
- service:
- disabled: true
 etcd:
 ca:
 crt: ENC[AES256_GCM,data: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,iv:2wHeRnSxM9J7Pv3s0U8BAL2MM8/UbYLBnBLRS0qHqgY=,tag:ST6UyC1VWNh2id9VMZ9KGg==,type:str]
@@ -204,7 +197,7 @@ cluster:
 extraArgs:
 listen-metrics-urls: http://0.0.0.0:2381
 advertisedSubnets: ["192.168.42.0/24"]
- allowSchedulingOnMasters: true
+ allowSchedulingOnControlPlanes: true
 sops:
 kms: []
 gcp_kms: []
diff --git a/kubernetes/main/talos/192.168.42.12.sops.yaml.j2 b/kubernetes/main/talos/192.168.42.12.sops.yaml.j2
index 3f6ecda88ae5f..d88081a869343 100644
--- a/kubernetes/main/talos/192.168.42.12.sops.yaml.j2
+++ b/kubernetes/main/talos/192.168.42.12.sops.yaml.j2
@@ -10,8 +10,6 @@ machine:
 certSANs: ["127.0.0.1", "192.168.42.120"]
 kubelet:
 image: ghcr.io/siderolabs/kubelet:{{ ENV.KUBERNETES_VERSION }}
- extraArgs:
- rotate-server-certificates: "true"
 extraConfig:
 maxPods: 150
 extraMounts:
@@ -158,8 +156,6 @@ cluster:
 key: ENC[AES256_GCM,data:h7iur1YK24hF9etfo6IvT7bXzfjMTuj/YMVIXn9N1YMfCX3KDig6FJrZxfUspz3vfbfUpFM9xeAdFoK5DtQ3nCv/ZqlZk9oP2kq3AMXPzhlMsENI+DyLx+BaK/GKvPCtmHC8DdjE7u9kx8zfKB4wDKKjrCXE4YMMQ2q6+7NEUMUnWhwPSGPzZQD6AZR1KC03Ip9N7n2C2lwzNy3DriVZu/m4cq0qw9AxHH4FlWznoHj+I6OgJ9/Sn+EyyCMkFuUD32dzAsmhtcK0BuL6uBwN5p++xG4GpQCAyOd1fjeXHCpFzG2FAZrkCzPv6FT4IgkAMswUu07G8IFpZVpqhaGONJDDg7xUHpLBKrEpOrC2JKk7x2pmYo6/QdJ9Maq+Rdh6khhbINJCrFWGiMq+/HfxRQ==,iv:PAS7TMVFiZ3WNZwp1boLDzSS79yttBYz/9p5gCUHCps=,tag:jip1CNc5W4UqOsayAi9ymw==,type:str]
 apiServer:
 image: registry.k8s.io/kube-apiserver:{{ ENV.KUBERNETES_VERSION }}
- extraArgs:
- feature-gates: AuthorizeNodeWithSelectors=false
 certSANs: ["127.0.0.1", "192.168.42.120"]
 disablePodSecurityPolicy: true
 auditPolicy:
@@ -182,6 +178,10 @@ cluster:
 kind: KubeSchedulerConfiguration
 profiles:
 - schedulerName: default-scheduler
+ plugins:
+ score:
+ disabled:
+ - name: ImageLocality
 pluginConfig:
 - name: PodTopologySpread
 args:
@@ -190,13 +190,6 @@ cluster:
 - maxSkew: 1
 topologyKey: kubernetes.io/hostname
 whenUnsatisfiable: ScheduleAnyway
- discovery:
- enabled: true
- registries:
- kubernetes:
- disabled: false
- service:
- disabled: true
 etcd:
 ca:
 crt: ENC[AES256_GCM,data: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,iv:u4Yku38S8cbWrf/pm0W/f+KrFHs1v/Hy08vbi2nKrlg=,tag:EoeZbmB8ICJV08ewizPDYQ==,type:str]
@@ -204,7 +197,7 @@ cluster:
 extraArgs:
 listen-metrics-urls: http://0.0.0.0:2381
 advertisedSubnets: ["192.168.42.0/24"]
- allowSchedulingOnMasters: true
+ allowSchedulingOnControlPlanes: true
 sops:
 kms: []
 gcp_kms: []
diff --git a/kubernetes/shared/repos/helm/kustomization.yaml b/kubernetes/shared/repos/helm/kustomization.yaml
index 3b93405b990c7..6d2cf8b994f0b 100644
--- a/kubernetes/shared/repos/helm/kustomization.yaml
+++ b/kubernetes/shared/repos/helm/kustomization.yaml
@@ -28,9 +28,9 @@ resources:
 - ./node-feature-discovery.yaml
 - ./openebs.yaml
 - ./piraeus.yaml
- - ./postfinance.yaml
 - ./prometheus-community.yaml
 - ./rook-ceph.yaml
 - ./spegel.yaml
 - ./stakater.yaml
- - ./stevehipwell.yaml
+ # - ./stevehipwell.yaml
+ - ./wiremind.yaml
diff --git a/kubernetes/shared/repos/helm/postfinance.yaml b/kubernetes/shared/repos/helm/wiremind.yaml
similarity index 75%
rename from kubernetes/shared/repos/helm/postfinance.yaml
rename to kubernetes/shared/repos/helm/wiremind.yaml
index 015568bfcf7e7..52b242595190c 100644
--- a/kubernetes/shared/repos/helm/postfinance.yaml
+++ b/kubernetes/shared/repos/helm/wiremind.yaml
@@ -3,8 +3,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
- name: postfinance
+ name: wiremind
 namespace: flux-system
 spec:
 interval: 2h
- url: https://postfinance.github.io/kubelet-csr-approver
+ url: https://wiremind.github.io/wiremind-helm-charts/
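Review bot: `# - ./stevehipwell.yaml` in the shared helm kustomization leaves a commented-out resource in place of a removal; git history already preserves the line, and a bare commented entry gives no hint whether the repository is parked temporarily or retired for good. Either delete the line outright, as was done for `./postfinance.yaml` two entries above, or keep it with the reason inline, e.g. `# - ./stevehipwell.yaml  # disabled: <reason>`.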