From 621d331c7bc21acb2d157a26c607e3c0014578d6 Mon Sep 17 00:00:00 2001 
From: Oscar Romeu Date: Sun, 29 Sep 2024 15:29:36 +0000 Subject: [PATCH] feat: rollback to k3s --- .../rook-ceph/kustomization.yaml | 0 .../rook-ceph/namespace.yaml | 0 .../rook-ceph/rook-ceph/app/helmrelease.yaml | 0 .../rook-ceph/app/kustomization.yaml | 0 .../rook-ceph/cleanup/kustomization.yaml | 0 .../rook-ceph/rook-ceph/cleanup/lpkm1.yaml | 0 .../rook-ceph/rook-ceph/cleanup/lpkw1.yaml | 0 .../rook-ceph/rook-ceph/cleanup/lpkw2.yaml | 0 .../rook-ceph/cluster/helmrelease.yaml | 0 .../rook-ceph/cluster/kustomization.yaml | 0 .../rook-ceph/rook-ceph/ks.yaml | 0 .../csi-metrics-service-monitor.yaml | 0 .../monitoring/dashboards/ceph-cluster.json | 0 .../monitoring/dashboards/ceph-osd.json | 0 .../monitoring/dashboards/ceph-pools.json | 0 .../monitoring/dashboards/kustomization.yaml | 0 .../monitoring/exporter-service-monitor.yaml | 0 .../rook-ceph/monitoring/externalrules.yaml | 0 .../rook-ceph/monitoring/keda-rgw.yaml | 0 .../rook-ceph/monitoring/kustomization.yaml | 0 .../rook-ceph/monitoring/localrules.yaml | 0 .../rook-ceph/monitoring/service-monitor.yaml | 0 .../stable-diffusion/app/helmrelease.yaml | 0 .../stable-diffusion/app/kustomization.yaml | 0 .../stable-diffusion/ks.yaml | 0 .gitignore | 1 + .sops.yaml | 7 +- .taskfiles/Talos/Taskfile.yaml | 2 +- ansible/.ansible-lint | 9 ++ .../group_vars/controllers/main.yaml | 24 ++++ .../inventory/group_vars/kubernetes/main.yaml | 23 ++++ .../inventory/group_vars/workers/main.yaml | 4 + ansible/inventory/hosts.yaml | 23 ++++ ansible/playbooks/cluster-installation.yaml | 91 ++++++++++++++ ansible/playbooks/cluster-nuke.yaml | 105 ++++++++++++++++ ansible/playbooks/cluster-prepare.yaml | 112 +++++++++++++++++ ansible/playbooks/cluster-reboot.yaml | 15 +++ ansible/playbooks/cluster-rollout-update.yaml | 70 +++++++++++ ansible/playbooks/tasks/cilium.yaml | 56 +++++++++ ansible/playbooks/tasks/cruft.yaml | 31 +++++ ansible/playbooks/tasks/kubeconfig.yaml | 26 ++++ ansible/playbooks/tasks/version-check.yaml | 17 +++ 
.../templates/custom-cilium-helmchart.yaml | 75 ++++++++++++ .../templates/custom-kube-vip-ds.yaml | 75 ++++++++++++ .../templates/custom-kube-vip-rbac.yaml | 42 +++++++ ansible/requirements.txt | 4 + ansible/requirements.yaml | 14 +++ .../cert-manager/issuers/secret.sops.yaml | 25 +--- .../main/apps/default/kustomization.yaml | 3 +- .../default}/navidrome/app/helmrelease.yaml | 0 .../default}/navidrome/app/kustomization.yaml | 0 .../main/apps/default}/navidrome/app/pvc.yaml | 0 .../main/apps/default}/navidrome/ks.yaml | 0 .../default}/navidrome/monitoring/gatus.yaml | 0 .../navidrome/monitoring/servicemonitor.yaml | 0 .../webhooks/app/github/secret.sops.yaml | 25 +--- .../amd-device-plugin/app/kustomization.yaml | 7 -- .../app/labeller/helmrelease.yaml | 115 ------------------ .../app/labeller/kustomization.yaml | 7 -- .../amd-device-plugin/app/labeller/rbac.yaml | 39 ------ .../app/plugin/helmrelease.yaml | 92 -------------- .../app/plugin/kustomization.yaml | 6 - .../kube-system/amd-device-plugin/ks.yaml | 26 ---- .../kube-system/cilium/app/helmrelease.yaml | 7 +- .../app/exporter/helmrelease.yaml | 64 ---------- .../app/exporter/kustomization.yaml | 7 -- .../app/gpu/helmrelease.yaml | 33 ----- .../app/gpu/kustomization.yaml | 7 -- .../app/kustomization.yaml | 9 -- .../app/operator/helmrelease.yaml | 28 ----- .../app/operator/kustomization.yaml | 7 -- .../kube-system/kube-vip/app/daemonset.yaml | 75 ++++++++++++ .../app/kustomization.yaml | 4 +- .../apps/kube-system/kube-vip/app/rbac.yaml | 42 +++++++ .../{intel-device-plugin => kube-vip}/ks.yaml | 10 +- .../main/apps/kube-system/kustomization.yaml | 4 +- .../app/helmrelease.yaml | 1 + .../app/helmrelease.yaml | 48 -------- .../ingress-nginx/external/helmrelease.yaml | 2 +- .../ingress-nginx/internal/helmrelease.yaml | 2 +- .../network/k8s-gateway/app/helmrelease.yaml | 2 +- .../main/apps/network/kustomization.yaml | 2 +- .../system-upgrade/k3s/app/kustomization.yaml | 5 + 
.../apps/system-upgrade/k3s/app/plan.yaml | 50 ++++++++ .../main/apps/system-upgrade/k3s/ks.yaml | 26 ++++ .../apps/system-upgrade/kustomization.yaml | 7 ++ .../main/apps/system-upgrade/namespace.yaml | 7 ++ .../app/helmrelease.yaml | 101 +++++++++++++++ .../app/kustomization.yaml | 8 ++ .../system-upgrade-controller/app/rbac.yaml | 13 ++ .../system-upgrade-controller}/ks.yaml | 8 +- 91 files changed, 1188 insertions(+), 562 deletions(-) rename {kubernetes/main/apps => .archive}/rook-ceph/kustomization.yaml (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/namespace.yaml (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/app/helmrelease.yaml (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/app/kustomization.yaml (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/cleanup/kustomization.yaml (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/cleanup/lpkm1.yaml (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/cleanup/lpkw1.yaml (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/cleanup/lpkw2.yaml (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/cluster/helmrelease.yaml (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/cluster/kustomization.yaml (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/ks.yaml (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/monitoring/csi-metrics-service-monitor.yaml (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/monitoring/dashboards/ceph-cluster.json (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/monitoring/dashboards/ceph-osd.json (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/monitoring/dashboards/ceph-pools.json (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/monitoring/dashboards/kustomization.yaml (100%) rename {kubernetes/main/apps => 
.archive}/rook-ceph/rook-ceph/monitoring/exporter-service-monitor.yaml (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/monitoring/externalrules.yaml (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/monitoring/keda-rgw.yaml (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/monitoring/kustomization.yaml (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/monitoring/localrules.yaml (100%) rename {kubernetes/main/apps => .archive}/rook-ceph/rook-ceph/monitoring/service-monitor.yaml (100%) rename {kubernetes/main/apps/default => .archive}/stable-diffusion/app/helmrelease.yaml (100%) rename {kubernetes/main/apps/default => .archive}/stable-diffusion/app/kustomization.yaml (100%) rename {kubernetes/main/apps/default => .archive}/stable-diffusion/ks.yaml (100%) create mode 100644 ansible/.ansible-lint create mode 100644 ansible/inventory/group_vars/controllers/main.yaml create mode 100644 ansible/inventory/group_vars/kubernetes/main.yaml create mode 100644 ansible/inventory/group_vars/workers/main.yaml create mode 100644 ansible/inventory/hosts.yaml create mode 100644 ansible/playbooks/cluster-installation.yaml create mode 100644 ansible/playbooks/cluster-nuke.yaml create mode 100644 ansible/playbooks/cluster-prepare.yaml create mode 100644 ansible/playbooks/cluster-reboot.yaml create mode 100644 ansible/playbooks/cluster-rollout-update.yaml create mode 100644 ansible/playbooks/tasks/cilium.yaml create mode 100644 ansible/playbooks/tasks/cruft.yaml create mode 100644 ansible/playbooks/tasks/kubeconfig.yaml create mode 100644 ansible/playbooks/tasks/version-check.yaml create mode 100644 ansible/playbooks/templates/custom-cilium-helmchart.yaml create mode 100644 ansible/playbooks/templates/custom-kube-vip-ds.yaml create mode 100644 ansible/playbooks/templates/custom-kube-vip-rbac.yaml create mode 100644 ansible/requirements.txt create mode 100644 ansible/requirements.yaml rename {.archive => 
kubernetes/main/apps/default}/navidrome/app/helmrelease.yaml (100%) rename {.archive => kubernetes/main/apps/default}/navidrome/app/kustomization.yaml (100%) rename {.archive => kubernetes/main/apps/default}/navidrome/app/pvc.yaml (100%) rename {.archive => kubernetes/main/apps/default}/navidrome/ks.yaml (100%) rename {.archive => kubernetes/main/apps/default}/navidrome/monitoring/gatus.yaml (100%) rename {.archive => kubernetes/main/apps/default}/navidrome/monitoring/servicemonitor.yaml (100%) delete mode 100644 kubernetes/main/apps/kube-system/amd-device-plugin/app/kustomization.yaml delete mode 100644 kubernetes/main/apps/kube-system/amd-device-plugin/app/labeller/helmrelease.yaml delete mode 100644 kubernetes/main/apps/kube-system/amd-device-plugin/app/labeller/kustomization.yaml delete mode 100644 kubernetes/main/apps/kube-system/amd-device-plugin/app/labeller/rbac.yaml delete mode 100644 kubernetes/main/apps/kube-system/amd-device-plugin/app/plugin/helmrelease.yaml delete mode 100644 kubernetes/main/apps/kube-system/amd-device-plugin/app/plugin/kustomization.yaml delete mode 100644 kubernetes/main/apps/kube-system/amd-device-plugin/ks.yaml delete mode 100644 kubernetes/main/apps/kube-system/intel-device-plugin/app/exporter/helmrelease.yaml delete mode 100644 kubernetes/main/apps/kube-system/intel-device-plugin/app/exporter/kustomization.yaml delete mode 100644 kubernetes/main/apps/kube-system/intel-device-plugin/app/gpu/helmrelease.yaml delete mode 100644 kubernetes/main/apps/kube-system/intel-device-plugin/app/gpu/kustomization.yaml delete mode 100644 kubernetes/main/apps/kube-system/intel-device-plugin/app/kustomization.yaml delete mode 100644 kubernetes/main/apps/kube-system/intel-device-plugin/app/operator/helmrelease.yaml delete mode 100644 kubernetes/main/apps/kube-system/intel-device-plugin/app/operator/kustomization.yaml create mode 100644 kubernetes/main/apps/kube-system/kube-vip/app/daemonset.yaml rename 
kubernetes/main/apps/kube-system/{node-feature-discovery => kube-vip}/app/kustomization.yaml (63%) create mode 100644 kubernetes/main/apps/kube-system/kube-vip/app/rbac.yaml rename kubernetes/main/apps/kube-system/{intel-device-plugin => kube-vip}/ks.yaml (55%) delete mode 100644 kubernetes/main/apps/kube-system/node-feature-discovery/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/system-upgrade/k3s/app/kustomization.yaml create mode 100644 kubernetes/main/apps/system-upgrade/k3s/app/plan.yaml create mode 100644 kubernetes/main/apps/system-upgrade/k3s/ks.yaml create mode 100644 kubernetes/main/apps/system-upgrade/kustomization.yaml create mode 100644 kubernetes/main/apps/system-upgrade/namespace.yaml create mode 100644 kubernetes/main/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml create mode 100644 kubernetes/main/apps/system-upgrade/system-upgrade-controller/app/rbac.yaml rename kubernetes/main/apps/{kube-system/node-feature-discovery => system-upgrade/system-upgrade-controller}/ks.yaml (53%) diff --git a/kubernetes/main/apps/rook-ceph/kustomization.yaml b/.archive/rook-ceph/kustomization.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/kustomization.yaml rename to .archive/rook-ceph/kustomization.yaml diff --git a/kubernetes/main/apps/rook-ceph/namespace.yaml b/.archive/rook-ceph/namespace.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/namespace.yaml rename to .archive/rook-ceph/namespace.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/app/helmrelease.yaml b/.archive/rook-ceph/rook-ceph/app/helmrelease.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/app/helmrelease.yaml rename to .archive/rook-ceph/rook-ceph/app/helmrelease.yaml 
diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/app/kustomization.yaml b/.archive/rook-ceph/rook-ceph/app/kustomization.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/app/kustomization.yaml rename to .archive/rook-ceph/rook-ceph/app/kustomization.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/cleanup/kustomization.yaml b/.archive/rook-ceph/rook-ceph/cleanup/kustomization.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/cleanup/kustomization.yaml rename to .archive/rook-ceph/rook-ceph/cleanup/kustomization.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/cleanup/lpkm1.yaml b/.archive/rook-ceph/rook-ceph/cleanup/lpkm1.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/cleanup/lpkm1.yaml rename to .archive/rook-ceph/rook-ceph/cleanup/lpkm1.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/cleanup/lpkw1.yaml b/.archive/rook-ceph/rook-ceph/cleanup/lpkw1.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/cleanup/lpkw1.yaml rename to .archive/rook-ceph/rook-ceph/cleanup/lpkw1.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/cleanup/lpkw2.yaml b/.archive/rook-ceph/rook-ceph/cleanup/lpkw2.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/cleanup/lpkw2.yaml rename to .archive/rook-ceph/rook-ceph/cleanup/lpkw2.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml b/.archive/rook-ceph/rook-ceph/cluster/helmrelease.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml rename to .archive/rook-ceph/rook-ceph/cluster/helmrelease.yaml 
diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/kustomization.yaml b/.archive/rook-ceph/rook-ceph/cluster/kustomization.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/cluster/kustomization.yaml rename to .archive/rook-ceph/rook-ceph/cluster/kustomization.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/ks.yaml b/.archive/rook-ceph/rook-ceph/ks.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/ks.yaml rename to .archive/rook-ceph/rook-ceph/ks.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/csi-metrics-service-monitor.yaml b/.archive/rook-ceph/rook-ceph/monitoring/csi-metrics-service-monitor.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/csi-metrics-service-monitor.yaml rename to .archive/rook-ceph/rook-ceph/monitoring/csi-metrics-service-monitor.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/dashboards/ceph-cluster.json b/.archive/rook-ceph/rook-ceph/monitoring/dashboards/ceph-cluster.json similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/dashboards/ceph-cluster.json rename to .archive/rook-ceph/rook-ceph/monitoring/dashboards/ceph-cluster.json diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/dashboards/ceph-osd.json b/.archive/rook-ceph/rook-ceph/monitoring/dashboards/ceph-osd.json similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/dashboards/ceph-osd.json rename to .archive/rook-ceph/rook-ceph/monitoring/dashboards/ceph-osd.json diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/dashboards/ceph-pools.json b/.archive/rook-ceph/rook-ceph/monitoring/dashboards/ceph-pools.json similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/dashboards/ceph-pools.json rename to .archive/rook-ceph/rook-ceph/monitoring/dashboards/ceph-pools.json 
diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/dashboards/kustomization.yaml b/.archive/rook-ceph/rook-ceph/monitoring/dashboards/kustomization.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/dashboards/kustomization.yaml rename to .archive/rook-ceph/rook-ceph/monitoring/dashboards/kustomization.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/exporter-service-monitor.yaml b/.archive/rook-ceph/rook-ceph/monitoring/exporter-service-monitor.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/exporter-service-monitor.yaml rename to .archive/rook-ceph/rook-ceph/monitoring/exporter-service-monitor.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/externalrules.yaml b/.archive/rook-ceph/rook-ceph/monitoring/externalrules.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/externalrules.yaml rename to .archive/rook-ceph/rook-ceph/monitoring/externalrules.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/keda-rgw.yaml b/.archive/rook-ceph/rook-ceph/monitoring/keda-rgw.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/keda-rgw.yaml rename to .archive/rook-ceph/rook-ceph/monitoring/keda-rgw.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/kustomization.yaml b/.archive/rook-ceph/rook-ceph/monitoring/kustomization.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/kustomization.yaml rename to .archive/rook-ceph/rook-ceph/monitoring/kustomization.yaml diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/localrules.yaml b/.archive/rook-ceph/rook-ceph/monitoring/localrules.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/localrules.yaml rename to .archive/rook-ceph/rook-ceph/monitoring/localrules.yaml 
diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/service-monitor.yaml b/.archive/rook-ceph/rook-ceph/monitoring/service-monitor.yaml similarity index 100% rename from kubernetes/main/apps/rook-ceph/rook-ceph/monitoring/service-monitor.yaml rename to .archive/rook-ceph/rook-ceph/monitoring/service-monitor.yaml diff --git a/kubernetes/main/apps/default/stable-diffusion/app/helmrelease.yaml b/.archive/stable-diffusion/app/helmrelease.yaml similarity index 100% rename from kubernetes/main/apps/default/stable-diffusion/app/helmrelease.yaml rename to .archive/stable-diffusion/app/helmrelease.yaml diff --git a/kubernetes/main/apps/default/stable-diffusion/app/kustomization.yaml b/.archive/stable-diffusion/app/kustomization.yaml similarity index 100% rename from kubernetes/main/apps/default/stable-diffusion/app/kustomization.yaml rename to .archive/stable-diffusion/app/kustomization.yaml diff --git a/kubernetes/main/apps/default/stable-diffusion/ks.yaml b/.archive/stable-diffusion/ks.yaml similarity index 100% rename from kubernetes/main/apps/default/stable-diffusion/ks.yaml rename to .archive/stable-diffusion/ks.yaml diff --git a/.gitignore b/.gitignore index 640721d69..17c7b900c 100644 --- a/.gitignore +++ b/.gitignore @@ -14,6 +14,7 @@ talosconfig .bin # Ansible .venv* +authorized_keys # Taskfile .task # Brew diff --git a/.sops.yaml b/.sops.yaml index ebc5c9b1f..32ec709c5 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,12 +1,11 @@ --- creation_rules: - - # IMPORTANT: This rule MUST be above the others - path_regex: talos/.*\.sops\.ya?ml + - path_regex: kubernetes/.*\.sops\.ya?ml + encrypted_regex: "^(data|stringData)$" key_groups: - age: - "age1ptththqpxnx0zuzmq0peq9x30vqgdedjsdlsuzxr5gfc36mnwqlsylrpr8" - - path_regex: kubernetes/.*\.sops\.ya?ml - encrypted_regex: "^(data|stringData)$" + - path_regex: ansible/.*\.sops\.ya?ml key_groups: - age: - "age1ptththqpxnx0zuzmq0peq9x30vqgdedjsdlsuzxr5gfc36mnwqlsylrpr8" 
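Review bot: Removing the dedicated `talos/` creation rule (the one marked "MUST be above the others") leaves any Talos secret file that now lives under `kubernetes/` covered only by the `kubernetes/.*\.sops\.ya?ml` rule, whose `encrypted_regex: "^(data|stringData)$"` encrypts Kubernetes Secret fields and nothing else; the Taskfile in this same patch still points `TALHELPER_SECRET_FILE` at `{{.KUBERNETES_DIR}}/bootstrap/talos/talsecret.sops.yaml`, and a talhelper secrets file has no `data`/`stringData` keys, so a re-encrypt under this rule would write its contents to disk in plaintext. If that file is still in use, keep a whole-file rule ahead of the kubernetes one: a `path_regex` of `kubernetes/bootstrap/talos/.*\.sops\.ya?ml` with the same `key_groups` and no `encrypted_regex`. The new `ansible/` rule encrypts whole files, which is the right default for inventory secrets; note the ordering comment was the only thing documenting why rule order matters, so restore a one-line comment above the first rule.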
diff --git a/.taskfiles/Talos/Taskfile.yaml b/.taskfiles/Talos/Taskfile.yaml index e601fc400..97133078e 100644 --- a/.taskfiles/Talos/Taskfile.yaml +++ b/.taskfiles/Talos/Taskfile.yaml @@ -3,7 +3,7 @@ version: "3" vars: - TALOS_DIR: "{{.KUBERNETES_DIR}}/main/bootstrap/talos" + TALOS_DIR: "{{.KUBERNETES_DIR}}/bootstrap/talos" TALHELPER_SECRET_FILE: "{{.TALOS_DIR}}/talsecret.sops.yaml" TALHELPER_CONFIG_FILE: "{{.TALOS_DIR}}/talconfig.yaml" diff --git a/ansible/.ansible-lint b/ansible/.ansible-lint new file mode 100644 index 000000000..36f6b4414 --- /dev/null +++ b/ansible/.ansible-lint @@ -0,0 +1,9 @@ +skip_list: + - yaml[commas] + - yaml[line-length] + - var-naming +warn_list: + - command-instead-of-shell + - deprecated-command-syntax + - experimental + - no-changed-when diff --git a/ansible/inventory/group_vars/controllers/main.yaml b/ansible/inventory/group_vars/controllers/main.yaml new file mode 100644 index 000000000..f9686eca3 --- /dev/null +++ b/ansible/inventory/group_vars/controllers/main.yaml @@ -0,0 +1,24 @@ +--- +k3s_control_node: true +k3s_server: + cluster-cidr: "172.16.0.0/16" + service-cidr: "10.96.0.0/16" + disable: ["flannel", "local-storage", "metrics-server", "servicelb", "traefik"] + disable-cloud-controller: true + disable-kube-proxy: true + disable-network-policy: true + docker: false + embedded-registry: true + etcd-expose-metrics: true + flannel-backend: "none" + kube-apiserver-arg: + - "anonymous-auth=true" + kube-controller-manager-arg: + - "bind-address=0.0.0.0" + kube-scheduler-arg: + - "bind-address=0.0.0.0" + node-ip: "{{ ansible_host }}" + secrets-encryption: true + tls-san: + - "10.69.1.154" + write-kubeconfig-mode: "644" diff --git a/ansible/inventory/group_vars/kubernetes/main.yaml b/ansible/inventory/group_vars/kubernetes/main.yaml new file mode 100644 index 000000000..bc095f896 --- /dev/null +++ b/ansible/inventory/group_vars/kubernetes/main.yaml 
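Review bot: `write-kubeconfig-mode: "644"` makes `/etc/rancher/k3s/k3s.yaml`, which embeds the cluster-admin client certificate and key, readable by every local account on the control node; all playbooks in this patch read it as root (`become: true`), so `write-kubeconfig-mode: "0600"` costs nothing, or use `"640"` with `write-kubeconfig-group` for a dedicated operator group. `kube-apiserver-arg: - "anonymous-auth=true"` re-enables the `system:anonymous` identity that k3s turns off by default; that is usually done for unauthenticated `/healthz` probes (the kube-vip manifests added here are the likely consumer), but it deserves a comment stating the reason and a check that no (Cluster)RoleBinding grants more than `system:public-info-viewer` to `system:unauthenticated`. Binding the controller-manager and scheduler to `0.0.0.0` exposes their metrics/health ports beyond localhost; if only in-cluster Prometheus needs them, restrict those ports to the cluster network at the host firewall.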
@@ -0,0 +1,23 @@ +--- +k3s_become: true +k3s_etcd_datastore: true +k3s_install_hard_links: true +k3s_registration_address: "10.69.1.154" +k3s_registries: + mirrors: + docker.io: + gcr.io: + ghcr.io: + k8s.gcr.io: + lscr.io: + mcr.microsoft.com: + public.ecr.aws: + quay.io: + registry.k8s.io: +# renovate: datasource=github-releases depName=k3s-io/k3s +k3s_release_version: v1.30.0+k3s1 +k3s_server_manifests_templates: + - custom-cilium-helmchart.yaml + - custom-kube-vip-ds.yaml + - custom-kube-vip-rbac.yaml +k3s_use_unsupported_config: true diff --git a/ansible/inventory/group_vars/workers/main.yaml b/ansible/inventory/group_vars/workers/main.yaml new file mode 100644 index 000000000..5fdb4638a --- /dev/null +++ b/ansible/inventory/group_vars/workers/main.yaml @@ -0,0 +1,4 @@ +--- +k3s_control_node: false +k3s_agent: + node-ip: "{{ ansible_host }}" diff --git a/ansible/inventory/hosts.yaml b/ansible/inventory/hosts.yaml new file mode 100644 index 000000000..5614a348f --- /dev/null +++ b/ansible/inventory/hosts.yaml @@ -0,0 +1,23 @@ +--- +kubernetes: + children: + controllers: + hosts: + "rkm1": + ansible_user: "oscar" + ansible_host: "10.69.1.30" + ansible_ssh_private_key_file: "./authorized_keys" + workers: + hosts: + "rkw1": + ansible_user: "oscar" + ansible_host: "10.69.1.31" + ansible_ssh_private_key_file: "./authorized_keys" + "rkw2": + ansible_user: "oscar" + ansible_host: "10.69.1.32" + ansible_ssh_private_key_file: "./authorized_keys" + "rkw3": + ansible_user: "oscar" + ansible_host: "10.69.1.33" + ansible_ssh_private_key_file: "./authorized_keys" diff --git a/ansible/playbooks/cluster-installation.yaml b/ansible/playbooks/cluster-installation.yaml new file mode 100644 index 000000000..507b7b295 --- /dev/null +++ b/ansible/playbooks/cluster-installation.yaml 
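Review bot: `ansible_ssh_private_key_file: "./authorized_keys"` on every host points at an SSH private key kept inside the repository under the name of the public-key list, which invites someone to treat it as shareable material, and a relative path like this appears to resolve against the working directory of `ansible-playbook` rather than the inventory file (verify before relying on it). Keep the key outside the repo and name it for what it is, e.g. `ansible_ssh_private_key_file: "~/.ssh/k3s_cluster_ed25519"`, and drop the matching `.gitignore` entry; if it must stay in the tree, at least rename it and confirm with `git check-ignore` that it is excluded. Since all plays run `become: true`, the `oscar` account also needs passwordless sudo on every node; that requirement is not visible here and belongs in a comment at the top of the inventory.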
@@ -0,0 +1,91 @@ +--- +- name: Cluster Installation + hosts: kubernetes + become: true + gather_facts: true + any_errors_fatal: true + pre_tasks: + - name: Pausing for 5 seconds... + ansible.builtin.pause: + seconds: 5 + tasks: + - name: Check if cluster is installed + check_mode: false + ansible.builtin.stat: + path: /etc/rancher/k3s/config.yaml + register: k3s_installed + + - name: Ignore manifests templates and urls if the cluster is already installed + when: k3s_installed.stat.exists + ansible.builtin.set_fact: + k3s_server_manifests_templates: [] + k3s_server_manifests_urls: [] + + - name: Prevent downgrades + when: k3s_installed.stat.exists + ansible.builtin.include_tasks: tasks/version-check.yaml + + - name: Ensure that the /opt/cni directory exists + ansible.builtin.file: + path: /opt/cni + mode: '755' + state: directory + - name: Ensure that the /opt/cni/bin is a link to /var/lib/rancher/k3s/data/current/bin + ansible.builtin.file: + src: /var/lib/rancher/k3s/data/current/bin + dest: /opt/cni/bin + follow: false + force: true + state: link + + - name: Ensure that the /etc/cni directory exists + ansible.builtin.file: + path: /etc/cni + mode: '755' + state: directory + - name: Ensure that the /var/lib/rancher/k3s/agent/etc/cni/net.d directory exists + ansible.builtin.file: + path: /var/lib/rancher/k3s/agent/etc/cni/net.d + mode: '755' + state: directory + - name: Ensure that the /etc/cni/net.d is a link to /var/lib/rancher/k3s/agent/etc/cni/net.d + ansible.builtin.file: + src: /var/lib/rancher/k3s/agent/etc/cni/net.d + dest: /etc/cni/net.d + force: true + state: link + + - name: Install Kubernetes + ansible.builtin.include_role: + name: xanmanning.k3s + public: true + vars: + k3s_state: installed + + - name: Kubeconfig + ansible.builtin.include_tasks: tasks/kubeconfig.yaml + + - name: Wait for custom manifests to rollout + when: + - k3s_primary_control_node + - (k3s_server_manifests_templates | length > 0 + or k3s_server_manifests_urls | length > 0) + 
kubernetes.core.k8s_info: + kubeconfig: /etc/rancher/k3s/k3s.yaml + kind: "{{ item.kind }}" + name: "{{ item.name }}" + namespace: "{{ item.namespace | default('') }}" + wait: true + wait_sleep: 10 + wait_timeout: 360 + loop: + - { name: cilium, kind: HelmChart, namespace: kube-system } + - { name: kube-vip, kind: DaemonSet, namespace: kube-system } + + - name: Cilium + when: k3s_primary_control_node + ansible.builtin.include_tasks: tasks/cilium.yaml + + - name: Cruft + when: k3s_primary_control_node + ansible.builtin.include_tasks: tasks/cruft.yaml diff --git a/ansible/playbooks/cluster-nuke.yaml b/ansible/playbooks/cluster-nuke.yaml new file mode 100644 index 000000000..415e98ed0 --- /dev/null +++ b/ansible/playbooks/cluster-nuke.yaml 
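Review bot: The `/etc/cni/net.d` link task omits the `follow: false` that the `/opt/cni/bin` link task sets, so on a host where the destination is already a symlink the module acts on the link target instead of the link itself; add `follow: false` alongside `force: true` there so both link tasks behave the same way on a re-run. The `mode: '755'` values parse correctly because they are quoted, but writing them as `mode: '0755'` matches the octal form used elsewhere in this patch and avoids the classic unquoted-octal trap if someone later removes the quotes.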
@@ -0,0 +1,105 @@ +--- +- name: Cluster Nuke + hosts: kubernetes + become: true + gather_facts: true + any_errors_fatal: true + vars_prompt: + - name: nuke + prompt: |- + Are you sure you want to nuke this cluster? + Type 'YES I WANT TO DESTROY THIS CLUSTER' to proceed + default: "n" + private: false + pre_tasks: + - name: Check for confirmation + ansible.builtin.fail: + msg: Aborted nuking the cluster + when: nuke != 'YES I WANT TO DESTROY THIS CLUSTER' + + - name: Pausing for 5 seconds... + ansible.builtin.pause: + seconds: 5 + tasks: + - name: Stop Kubernetes # noqa: ignore-errors + ignore_errors: true + block: + - name: Stop Kubernetes + ansible.builtin.include_role: + name: xanmanning.k3s + public: true + vars: + k3s_state: stopped + + # https://github.com/k3s-io/docs/blob/main/docs/installation/network-options.md + - name: Networking + block: + - name: Networking | Delete Cilium links + ansible.builtin.command: + cmd: "ip link delete {{ item }}" + removes: "/sys/class/net/{{ item }}" + loop: ["cilium_host", "cilium_net", "cilium_vxlan"] + - name: Networking | Flush iptables + ansible.builtin.iptables: + table: "{{ item }}" + flush: true + loop: ["filter", "nat", "mangle", "raw"] + - name: Networking | Flush ip6tables + ansible.builtin.iptables: + table: "{{ item }}" + flush: true + ip_version: ipv6 + loop: ["filter", "nat", "mangle", "raw"] + - name: Networking | Delete CNI bin link + ansible.builtin.file: + path: /opt/cni/bin + state: absent + - name: Networking | Delete CNI conf link + ansible.builtin.file: + path: /etc/cni/net.d + state: absent + + - name: Check to see if k3s-killall.sh exits + ansible.builtin.stat: + path: /usr/local/bin/k3s-killall.sh + register: check_k3s_killall_script + + - name: Check to see if k3s-uninstall.sh exits + ansible.builtin.stat: + path: /usr/local/bin/k3s-uninstall.sh + register: check_k3s_uninstall_script + + - name: Run k3s-killall.sh + when: check_k3s_killall_script.stat.exists + ansible.builtin.command: + cmd: 
/usr/local/bin/k3s-killall.sh + register: k3s_killall + changed_when: k3s_killall.rc == 0 + + - name: Run k3s-uninstall.sh + when: check_k3s_uninstall_script.stat.exists + ansible.builtin.command: + cmd: /usr/local/bin/k3s-uninstall.sh + args: + removes: /usr/local/bin/k3s-uninstall.sh + register: k3s_uninstall + changed_when: k3s_uninstall.rc == 0 + + - name: Ensure hard links are removed + when: + - k3s_install_hard_links + - not ansible_check_mode + ansible.builtin.file: + path: "{{ k3s_install_dir }}/{{ item }}" + state: absent + loop: ["kubectl", "crictl", "ctr"] + + - name: Remove local storage path + ansible.builtin.file: + path: /var/openebs/local + state: absent + + - name: Reboot + ansible.builtin.reboot: + msg: Rebooting hosts + reboot_timeout: 3600 diff --git a/ansible/playbooks/cluster-prepare.yaml b/ansible/playbooks/cluster-prepare.yaml new file mode 100644 index 000000000..36cd76742 --- /dev/null +++ b/ansible/playbooks/cluster-prepare.yaml 
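Review bot: `Networking | Flush iptables` and `Flush ip6tables` flush the `filter` table on every node, which removes any host firewall rules (sshd allow-lists, a default-deny input chain) and not just the k3s/Cilium chains; depending on the chain policies that either opens the host completely or, with a DROP policy, cuts off the SSH session the play is running over. `k3s-killall.sh`, run a few tasks later, already removes the rules k3s created, so consider dropping the blanket flushes or limiting them to the k3s chains, and re-apply the host's baseline firewall before the final `Reboot`. `Ensure hard links are removed` references `k3s_install_dir`, which only exists if the `xanmanning.k3s` role include above succeeded; because that block runs with `ignore_errors: true`, a failed include leaves the variable undefined and this task errors out instead — guard it with `k3s_install_dir is defined`.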
@@ -0,0 +1,112 @@ +--- +- name: Prepare System + hosts: kubernetes + become: true + gather_facts: true + any_errors_fatal: true + pre_tasks: + - name: Pausing for 5 seconds... + ansible.builtin.pause: + seconds: 5 + - name: Populate service facts + ansible.builtin.service_facts: + tasks: + - name: Locale + block: + - name: Locale | Set timezone + community.general.timezone: + name: "Europe/Madrid" + + - name: Packages + block: + - name: Packages | Install + ansible.builtin.apt: + name: apt-transport-https,ca-certificates,conntrack,curl,dirmngr,gdisk,gnupg,hdparm,htop, + iptables,iputils-ping,ipvsadm,libseccomp2,lm-sensors,net-tools,nfs-common, + nvme-cli,open-iscsi,parted,psmisc,python3,python3-apt,python3-kubernetes,python3-yaml, + smartmontools,socat,software-properties-common,unzip,util-linux + install_recommends: false + + - name: Network Configuration + notify: Reboot + block: + - name: Network Configuration | Set hostname + ansible.builtin.hostname: + name: "{{ inventory_hostname }}" + - name: Network Configuration | Update hosts + ansible.builtin.copy: + content: | + 127.0.0.1 localhost + 127.0.1.1 {{ inventory_hostname }} + + # The following lines are desirable for IPv6 capable hosts + ::1 localhost ip6-localhost ip6-loopback + ff02::1 ip6-allnodes + ff02::2 ip6-allrouters + dest: /etc/hosts + mode: preserve + # https://github.com/onedr0p/cluster-template/discussions/635 + - name: Network Configuration | Remove immutable flag from /etc/resolv.conf + ansible.builtin.file: + attributes: -i + path: /etc/resolv.conf + - name: Network Configuration | Remove /etc/resolv.conf + ansible.builtin.file: + attributes: -i + path: /etc/resolv.conf + state: absent + - name: Network Configuration | Add custom /etc/resolv.conf + ansible.builtin.copy: + attributes: +i + mode: '0644' + dest: /etc/resolv.conf + content: | + search . 
+ + - name: System Configuration + notify: Reboot + block: + - name: System Configuration | Disable apparmor + when: ansible_facts.services['apparmor.service'] is defined + ansible.builtin.systemd: + name: apparmor + state: stopped + masked: true + - name: System Configuration | Disable swap + ansible.posix.mount: + name: "{{ item }}" + fstype: swap + state: absent + loop: ["none", "swap"] + - name: System Configuration | Create Kernel modules + ansible.builtin.copy: + dest: "/etc/modules-load.d/{{ item }}.conf" + mode: "0644" + content: "{{ item }}" + loop: ["br_netfilter", "ceph", "ip_vs", "ip_vs_rr", "iptable_mangle", "iptable_raw", "nbd", "overlay", "rbd", "xt_socket"] + register: modules_status + - name: System Configuration | Reload Kernel modules # noqa: no-changed-when no-handler + when: modules_status.changed + ansible.builtin.systemd: + name: systemd-modules-load + state: restarted + - name: System Configuration | Sysctl + ansible.posix.sysctl: + name: "{{ item.key }}" + value: "{{ item.value }}" + sysctl_file: /etc/sysctl.d/99-kubernetes.conf + reload: true + with_dict: "{{ sysctl_config }}" + vars: + sysctl_config: + fs.inotify.max_queued_events: 65536 + fs.inotify.max_user_watches: 524288 + fs.inotify.max_user_instances: 8192 + net.core.rmem_max: 2500000 + net.core.wmem_max: 2500000 + + handlers: + - name: Reboot + ansible.builtin.reboot: + msg: Rebooting hosts + reboot_timeout: 3600 diff --git a/ansible/playbooks/cluster-reboot.yaml b/ansible/playbooks/cluster-reboot.yaml new file mode 100644 index 000000000..6fe1fd0df --- /dev/null +++ b/ansible/playbooks/cluster-reboot.yaml @@ -0,0 +1,15 @@ +--- +- name: Reboot + hosts: kubernetes + become: true + gather_facts: true + any_errors_fatal: true + pre_tasks: + - name: Pausing for 5 seconds... + ansible.builtin.pause: + seconds: 5 + tasks: + - name: Reboot + ansible.builtin.reboot: + msg: Rebooting hosts + reboot_timeout: 3600 
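Review bot: `System Configuration | Disable apparmor` stops and masks AppArmor on every node, removing the mandatory-access-control profiles that confine runc/containerd and the system services; k3s runs with AppArmor enabled, so this needs a stated reason in a comment on the task or should be dropped. Separately, `Network Configuration | Update hosts` combines `mode: preserve` with inline `content:`; with no source file to preserve from, Ansible takes the mode of its controller-side temporary file (typically 0600), which would leave `/etc/hosts` unreadable to non-root processes — use an explicit `mode: "0644"` as the resolv.conf task does. As collapsed here the new `/etc/resolv.conf` contains only `search .`; if no `nameserver` line was lost in rendering, the node is left with only libc's localhost fallback after the systemd-resolved stub file is removed, which is worth confirming.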
diff --git a/ansible/playbooks/cluster-rollout-update.yaml b/ansible/playbooks/cluster-rollout-update.yaml new file mode 100644 index 000000000..acad8fd60 --- /dev/null +++ b/ansible/playbooks/cluster-rollout-update.yaml 
@@ -0,0 +1,70 @@ +--- +- name: Cluster rollout update + hosts: kubernetes + become: true + gather_facts: true + any_errors_fatal: true + serial: 1 + pre_tasks: + - name: Pausing for 5 seconds... + ansible.builtin.pause: + seconds: 5 + tasks: + - name: Details + ansible.builtin.command: "k3s kubectl get node {{ inventory_hostname }} -o json" + register: kubectl_get_node + delegate_to: "{{ groups['controllers'][0] }}" + failed_when: false + changed_when: false + + - name: Update + when: + # When status.conditions[x].type == Ready then check stats.conditions[x].status for True|False + - kubectl_get_node['stdout'] | from_json | json_query("status.conditions[?type == 'Ready'].status") + # If spec.unschedulable is defined then the node is cordoned + - not (kubectl_get_node['stdout'] | from_json).spec.unschedulable is defined + block: + - name: Cordon + kubernetes.core.k8s_drain: + name: "{{ inventory_hostname }}" + kubeconfig: /etc/rancher/k3s/k3s.yaml + state: cordon + delegate_to: "{{ groups['controllers'][0] }}" + + - name: Drain + kubernetes.core.k8s_drain: + name: "{{ inventory_hostname }}" + kubeconfig: /etc/rancher/k3s/k3s.yaml + state: drain + delete_options: + delete_emptydir_data: true + ignore_daemonsets: true + terminate_grace_period: 600 + wait_timeout: 900 + pod_selectors: + - app!=rook-ceph-osd # Rook Ceph + delegate_to: "{{ groups['controllers'][0] }}" + + - name: Update + ansible.builtin.apt: + upgrade: dist + update_cache: true + + - name: Check if reboot is required + ansible.builtin.stat: + path: /var/run/reboot-required + register: reboot_required + + - name: Reboot + when: reboot_required.stat.exists + ansible.builtin.reboot: + msg: Rebooting node + post_reboot_delay: 60 + reboot_timeout: 3600 + + - name: Uncordon + kubernetes.core.k8s_drain: + name: "{{ inventory_hostname }}" + kubeconfig: /etc/rancher/k3s/k3s.yaml + state: uncordon + delegate_to: "{{ groups['controllers'][0] }}" 
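Review bot: The Ready check in the `Update` block's `when` does not do what the comment above it says: `json_query("status.conditions[?type == 'Ready'].status")` returns a list (`["True"]` or `["False"]`), and a non-empty list is truthy, so a NotReady node is still cordoned, drained and upgraded. Compare the element instead, e.g. `- (kubectl_get_node.stdout | from_json | json_query("status.conditions[?type == 'Ready'].status") | first | default('False')) == 'True'`. Because the `Details` task sets `failed_when: false`, a failed `k3s kubectl get node` leaves `stdout` empty and `from_json` then errors inside the `when`; add `- kubectl_get_node.rc == 0` as the first condition so the node is skipped cleanly rather than the play failing mid-rollout.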
diff --git a/ansible/playbooks/tasks/cilium.yaml b/ansible/playbooks/tasks/cilium.yaml new file mode 100644 index 000000000..ca242bb03 --- /dev/null +++ b/ansible/playbooks/tasks/cilium.yaml @@ -0,0 +1,56 @@ +--- +- name: Cilium + block: + - name: Cilium | Check if Cilium HelmChart exists + kubernetes.core.k8s_info: + kubeconfig: /etc/rancher/k3s/k3s.yaml + name: cilium + kind: HelmChart + namespace: kube-system + register: cilium_helmchart + + - name: Cilium | Wait for Cilium to rollout + when: cilium_helmchart.resources | count > 0 + kubernetes.core.k8s_info: + kubeconfig: /etc/rancher/k3s/k3s.yaml + name: helm-install-cilium + kind: Job + namespace: kube-system + wait: true + wait_condition: + type: Complete + status: true + wait_timeout: 360 + + - name: Cilium | Patch the Cilium HelmChart to unmanage it + when: cilium_helmchart.resources | count > 0 + kubernetes.core.k8s_json_patch: + kubeconfig: /etc/rancher/k3s/k3s.yaml + name: cilium + kind: HelmChart + namespace: kube-system + patch: + - op: add + path: /metadata/annotations/helmcharts.helm.cattle.io~1unmanaged + value: "true" + + - name: Cilium | Delete the Cilium HelmChart CR + when: cilium_helmchart.resources | count > 0 + kubernetes.core.k8s: + kubeconfig: /etc/rancher/k3s/k3s.yaml + name: cilium + kind: HelmChart + namespace: kube-system + state: absent + + - name: Cilium | Force delete the Cilium HelmChart + when: cilium_helmchart.resources | count > 0 + kubernetes.core.k8s: + kubeconfig: /etc/rancher/k3s/k3s.yaml + name: cilium + kind: HelmChart + namespace: kube-system + state: patched + definition: + metadata: + finalizers: [] diff --git a/ansible/playbooks/tasks/cruft.yaml b/ansible/playbooks/tasks/cruft.yaml new file mode 100644 index 000000000..736974763 --- /dev/null +++ b/ansible/playbooks/tasks/cruft.yaml 
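Review bot: The last two Cilium tasks delete a HelmChart CR and then clear its finalizers with `finalizers: []`, which is a force-delete that bypasses whatever cleanup the finalizer guarded; nothing in the file says why that is safe here. Add a comment above `Cilium | Patch the Cilium HelmChart to unmanage it` along the lines of `# Mark the chart unmanaged so the k3s helm-controller does not run a helm uninstall (which would remove the running CNI) when the CR is deleted; the finalizer strip below is the force path if the controller never processes the deletion.` — as far as I can tell from the task names that is the intent, but please confirm it against the helm-controller's documented behaviour for that annotation. It would also help to note that the `Force delete` task runs unconditionally after the delete, and what the module does when the CR is already gone.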
@@ -0,0 +1,31 @@ +--- +- name: Cruft + block: + - name: Cruft | Get list of custom manifests + ansible.builtin.find: + paths: "{{ k3s_server_manifests_dir }}" + file_type: file + use_regex: true + patterns: ["^custom-.*"] + register: custom_manifest + + - name: Cruft | Delete custom manifests + ansible.builtin.file: + path: "{{ item.path }}" + state: absent + loop: "{{ custom_manifest.files }}" + + - name: Cruft | Get list of custom addons + kubernetes.core.k8s_info: + kubeconfig: /etc/rancher/k3s/k3s.yaml + kind: Addon + register: addons_list + + - name: Cruft | Delete addons + kubernetes.core.k8s: + kubeconfig: /etc/rancher/k3s/k3s.yaml + name: "{{ item.metadata.name }}" + kind: Addon + namespace: kube-system + state: absent + loop: "{{ addons_list.resources | selectattr('metadata.name', 'match', '^custom-.*') | list }}" diff --git a/ansible/playbooks/tasks/kubeconfig.yaml b/ansible/playbooks/tasks/kubeconfig.yaml new file mode 100644 index 000000000..56bf684e5 --- /dev/null +++ b/ansible/playbooks/tasks/kubeconfig.yaml @@ -0,0 +1,26 @@ +--- +- name: Get absolute path to this Git repository # noqa: command-instead-of-module + ansible.builtin.command: git rev-parse --show-toplevel + delegate_to: localhost + become: false + run_once: true + register: repository_path + changed_when: false + check_mode: false + failed_when: repository_path.rc != 0 + +- name: Copy kubeconfig to the project directory + when: k3s_primary_control_node + ansible.builtin.fetch: + src: /etc/rancher/k3s/k3s.yaml + dest: "{{ repository_path.stdout }}/kubeconfig" + flat: true + +- name: Update kubeconfig with the correct load balancer address + delegate_to: localhost + become: false + run_once: true + ansible.builtin.replace: + path: "{{ repository_path.stdout }}/kubeconfig" + regexp: https://127.0.0.1:6443 + replace: "https://{{ k3s_registration_address }}:6443" 
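Review bot: `Copy kubeconfig to the project directory` fetches `/etc/rancher/k3s/k3s.yaml` — a cluster-admin credential — into the repository root, and `ansible.builtin.fetch` has no `mode` parameter, so the local copy gets the controller's umask (typically 0644) even though the source is root-only on the node. Add a localhost task right after the fetch, `ansible.builtin.file: path: "{{ repository_path.stdout }}/kubeconfig" mode: "0600"` (with `delegate_to: localhost`, `become: false`, `run_once: true` like the replace task), so the admin credential is not world-readable on the workstation. The diffstat shows a one-line `.gitignore` change that is not visible here; please confirm it covers `kubeconfig`, since writing the file under `git rev-parse --show-toplevel` otherwise invites an accidental commit.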
diff --git a/ansible/playbooks/tasks/version-check.yaml b/ansible/playbooks/tasks/version-check.yaml new file mode 100644 index 000000000..56e567026 --- /dev/null +++ b/ansible/playbooks/tasks/version-check.yaml @@ -0,0 +1,17 @@ +--- +- name: Version Check + block: + - name: Get deployed k3s version + ansible.builtin.command: k3s --version + register: k3s_version + changed_when: false + failed_when: false + + - name: Extract k3s version + ansible.builtin.set_fact: + current_k3s_version: "{{ k3s_version.stdout | regex_replace('(?im)k3s version (?P[a-z0-9\\.\\+]+).*\n.*', '\\g') }}" + + - name: Check if upgrades are allowed + ansible.builtin.assert: + that: ["k3s_release_version is version(current_k3s_version, '>=')"] + fail_msg: "Unable to upgrade k3s because the deployed version is higher than the one specified in the configuration" diff --git a/ansible/playbooks/templates/custom-cilium-helmchart.yaml b/ansible/playbooks/templates/custom-cilium-helmchart.yaml new file mode 100644 index 000000000..fd3591753 --- /dev/null +++ b/ansible/playbooks/templates/custom-cilium-helmchart.yaml 
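Review bot: The `Extract k3s version` regex as rendered here is `(?P[a-z0-9\\.\\+]+)` with replacement `\\g`, which is not a valid named group or group reference — Python's `re` rejects `(?P[` — so `set_fact` would fail on every run if that is really what the file contains. It looks like `<version>` was stripped from both places; the intended lines are presumably `regex_replace('(?im)k3s version (?P<version>[a-z0-9\\.\\+]+).*\n.*', '\\g<version>')`, please verify against the committed file. Separately, `k3s --version` runs with `failed_when: false`, so on a node without k3s the fact becomes an empty string and the assert fails with the misleading "deployed version is higher" message; consider skipping the assert when `k3s_version.rc != 0`.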
@@ -0,0 +1,75 @@ +--- +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: cilium + namespace: kube-system +spec: + repo: https://helm.cilium.io/ + chart: cilium + # renovate: datasource=helm depName=cilium repository=https://helm.cilium.io + version: 1.15.5 + targetNamespace: kube-system + bootstrap: true + valuesContent: |- + autoDirectNodeRoutes: true + bgpControlPlane: + enabled: true + bpf: + masquerade: false + cgroup: + automount: + enabled: false + hostRoot: /sys/fs/cgroup + cluster: + id: 1 + name: main + cni: + exclusive: false + binPath: /var/lib/rancher/k3s/data/current/bin + confPath: /var/lib/rancher/k3s/agent/etc/cni/net.d + containerRuntime: + integration: containerd + socketPath: /var/run/k3s/containerd/containerd.sock + # NOTE: devices might need to be set if you have more than one active NIC on your hosts + # devices: eno+ eth+ + endpointRoutes: + enabled: true + hubble: + enabled: false + ipam: + mode: kubernetes + ipv4NativeRoutingCIDR: "172.16.0.0/16" + k8sServiceHost: 127.0.0.1 + k8sServicePort: 6444 + kubeProxyReplacement: true + kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 + l2announcements: + enabled: true + loadBalancer: + algorithm: maglev + mode: snat + localRedirectPolicy: true + operator: + replicas: 1 + rollOutPods: true + rollOutCiliumPods: true + routingMode: native + securityContext: + capabilities: + ciliumAgent: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + cleanCiliumState: + - NET_ADMIN + - SYS_ADMIN + - SYS_RESOURCE diff --git a/ansible/playbooks/templates/custom-kube-vip-ds.yaml b/ansible/playbooks/templates/custom-kube-vip-ds.yaml new file mode 100644 index 000000000..becc10475 --- /dev/null +++ b/ansible/playbooks/templates/custom-kube-vip-ds.yaml 
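Review bot: `ipv4NativeRoutingCIDR: "172.16.0.0/16"` is hard-coded in this bootstrap HelmChart while the Flux-managed HelmRelease for the same chart (kubernetes/main/apps/kube-system/cilium/app/helmrelease.yaml in this diff) uses `${CLUSTER_CIDR}`; the two value sets otherwise mirror each other, so a later change to one silently leaves the datapath bootstrapped with a different routing CIDR than Flux reconciles to. Since this file lives under `templates/`, render the CIDR from the same group variable that feeds k3s's `cluster-cidr` rather than a literal, and add a comment `# Keep in sync with kubernetes/main/apps/kube-system/cilium/app/helmrelease.yaml` at the top of `valuesContent`. I cannot see the group_vars in this view, so the exact variable name is for you to confirm.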
@@ -0,0 +1,75 @@ +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: kube-vip + namespace: kube-system + labels: + app.kubernetes.io/name: kube-vip +spec: + selector: + matchLabels: + app.kubernetes.io/name: kube-vip + template: + metadata: + labels: + app.kubernetes.io/name: kube-vip + spec: + containers: + - name: kube-vip + image: ghcr.io/kube-vip/kube-vip:v0.8.0 + imagePullPolicy: IfNotPresent + args: ["manager"] + env: + - name: address + value: "10.69.1.154" + - name: vip_arp + value: "true" + - name: lb_enable + value: "true" + - name: port + value: "6443" + - name: vip_cidr + value: "32" + - name: cp_enable + value: "true" + - name: cp_namespace + value: kube-system + - name: vip_ddns + value: "false" + - name: svc_enable + value: "false" + - name: vip_leaderelection + value: "true" + - name: vip_leaseduration + value: "15" + - name: vip_renewdeadline + value: "10" + - name: vip_retryperiod + value: "2" + - name: prometheus_server + value: :2112 + securityContext: + capabilities: + add: ["NET_ADMIN", "NET_RAW", "SYS_TIME"] + hostAliases: + - hostnames: + - kubernetes + ip: 127.0.0.1 + hostNetwork: true + serviceAccountName: kube-vip + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/master + operator: Exists + - matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: Exists + tolerations: + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists diff --git a/ansible/playbooks/templates/custom-kube-vip-rbac.yaml b/ansible/playbooks/templates/custom-kube-vip-rbac.yaml new file mode 100644 index 000000000..b3cc6d4d6 --- /dev/null +++ b/ansible/playbooks/templates/custom-kube-vip-rbac.yaml 
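Review bot: The control-plane VIP is a literal `value: "10.69.1.154"` in a file under `ansible/playbooks/templates/`, while tasks/kubeconfig.yaml in this same diff rewrites the kubeconfig server to `{{ k3s_registration_address }}`; if the two ever differ, kube-vip will announce one address and the fetched kubeconfig will point at another. Assuming this file is rendered with the `template` module (I cannot see the calling task), use `value: "{{ k3s_registration_address }}"` here so there is a single source of truth for the VIP. The image is pinned by tag only (`ghcr.io/kube-vip/kube-vip:v0.8.0`); the HelmReleases removed elsewhere in this diff pinned by `@sha256` digest, and a hostNetwork pod with `NET_ADMIN`/`NET_RAW`/`SYS_TIME` on every controller is exactly where that convention matters most.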
@@ -0,0 +1,42 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-vip + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + name: system:kube-vip-role +rules: + - apiGroups: [""] + resources: ["services/status"] + verbs: ["update"] + - apiGroups: [""] + resources: ["services", "endpoints"] + verbs: ["list","get","watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["list","get","watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["list", "get", "watch", "update", "create"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["list","get","watch", "update"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: system:kube-vip-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:kube-vip-role +subjects: +- kind: ServiceAccount + name: kube-vip + namespace: kube-system diff --git a/ansible/requirements.txt b/ansible/requirements.txt new file mode 100644 index 000000000..ef5a6fc3c --- /dev/null +++ b/ansible/requirements.txt @@ -0,0 +1,4 @@ +ansible-lint==24.5.0 +ansible==9.5.1 +jmespath==1.0.1 +openshift==0.13.2 diff --git a/ansible/requirements.yaml b/ansible/requirements.yaml new file mode 100644 index 000000000..91c6e5449 --- /dev/null +++ b/ansible/requirements.yaml @@ -0,0 +1,14 @@ +--- +collections: + - name: ansible.posix + version: 1.5.4 + - name: ansible.utils + version: 4.1.0 + - name: community.general + version: 8.6.0 + - name: kubernetes.core + version: 3.1.0 +roles: + - name: xanmanning.k3s + src: https://github.com/PyratLabs/ansible-role-k3s + version: v3.4.4 diff --git a/kubernetes/main/apps/cert-manager/cert-manager/issuers/secret.sops.yaml b/kubernetes/main/apps/cert-manager/cert-manager/issuers/secret.sops.yaml index 8bc7976c6..e6f4a4629 100644 
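Review bot: `system:kube-vip-role` grants `update` on `services`, `services/status`, `endpoints` and `endpointslices` cluster-wide even though both kube-vip DaemonSets in this diff set `svc_enable: "false"` and only `cp_enable: "true"`; those verbs serve the service-LoadBalancer mode that is disabled here. Trim the role to what control-plane VIP mode actually uses — at least `coordination.k8s.io/leases` for leader election, plus `nodes` if kube-vip needs them for the ARP/leader logic — and verify the minimal set against the kube-vip docs for that mode before removing the rest. `update`/`patch` on `nodes` in particular lets a compromised pod on any controller rewrite node labels and taints, so it is worth confirming it is needed at all. The requirements.txt / requirements.yaml hunks on this line are pin bumps only.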
--- a/kubernetes/main/apps/cert-manager/cert-manager/issuers/secret.sops.yaml
+++ b/kubernetes/main/apps/cert-manager/cert-manager/issuers/secret.sops.yaml
@@ -1,26 +1,7 @@
+---
apiVersion: v1
kind: Secret
metadata:
- name: cert-manager-secret
+ name: cert-manager-secret
stringData:
- api-token: ENC[AES256_GCM,data:1XpKfJD0/n6fh0xlsEuX4BOxFbTIW3jnr9Zv2AV/P2F2KlqpYJTGWQ==,iv:AfqypHyzK/+4QupYT7BQBimGMqXwb6Ll66xVkBP9pgs=,tag:phTfBLR6N8bynqWgFWFmTw==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1ptththqpxnx0zuzmq0peq9x30vqgdedjsdlsuzxr5gfc36mnwqlsylrpr8
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOSlExYVl5R2hRWkNJUE11
- azk1MGFrNXh5MnhrbkN6Zzd4V2IzQU9LdW5BClZ5Qzh0MlJNL2dQUmZYTDRQcTY5
- Z2dySTNZQ3hhdHNaekdQNzRuaVplbnMKLS0tIDFWYUZaWEVTbW8rWnNkQU5kekoy
- OVhweHBQdi9hQUYxQnNGdVhreHh3WW8K2BqW8Rtn6TBiVASC35Td6s9lq6eYxOrY
- t3zt7zB7tPOmwPT+ok1nWGszkkl61YkC98ScUWpKgZ5cutI8CNKYZg==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-19T16:36:26Z"
- mac: ENC[AES256_GCM,data:gIs257sgIR3VonGJw6gP2Ygufg9mq4Rll0SN9qoi53kczIZnBUAjZ+r9ctU5y7WIIXEnN/b4MPccfT/alJF5ic+l0OrRBs4bfo/LneIrnUEI5c2vl9hayYzHBOaP3Kr0biB7i5/LLcn5fw8u21RFaGJwj4PYYQaL+Gg8XSrNaKw=,iv:XxZ7XpGie5/Bzbwsf/CxBXAElK9qlTtwocnWjK5MN6Y=,tag:XGtsy5oJ4GexaCbx2ySj3w==,type:str]
- pgp: []
- encrypted_regex: ^(data|stringData)$
- version: 3.8.1
+ api-token: "1p-q0EhjGMGlY0GqYbRRnpYSAXsNIRI9ED5gT4M0"
diff --git a/kubernetes/main/apps/default/kustomization.yaml b/kubernetes/main/apps/default/kustomization.yaml
index 05a85dd38..bff091375 100644
--- a/kubernetes/main/apps/default/kustomization.yaml
+++ b/kubernetes/main/apps/default/kustomization.yaml
@@ -6,5 +6,4 @@ resources:
- ./excalidraw/ks.yaml
- ./hajimari/ks.yaml
- ./linkding/ks.yaml
- - ./metube/ks.yaml
- - ./stable-diffusion/ks.yaml
+ #- ./metube/ks.yaml
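Review bot: `api-token` is now committed in plaintext: the hunk drops the entire `sops:` metadata block (age recipient, MAC, `encrypted_regex`) and replaces the `ENC[AES256_GCM,...]` value with the literal token, in a file still named `secret.sops.yaml`, so Flux's SOPS decryption no longer applies and the token is in git history permanently. Treat the credential as compromised: revoke and reissue it at the provider (cert-manager issuer secrets are typically DNS-provider API tokens, though that is inferred from the path), then re-encrypt with `sops --encrypt --in-place kubernetes/main/apps/cert-manager/cert-manager/issuers/secret.sops.yaml` using the age recipient this hunk removed, and commit only the `ENC[...]` form. The `.sops.yaml` change in the diffstat is not visible here; confirm its creation rule still matches this path, otherwise the next edit will also land unencrypted. The kustomization.yaml hunk on this line is a resource toggle only.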
diff --git a/.archive/navidrome/app/helmrelease.yaml b/kubernetes/main/apps/default/navidrome/app/helmrelease.yaml similarity index 100% rename from .archive/navidrome/app/helmrelease.yaml rename to kubernetes/main/apps/default/navidrome/app/helmrelease.yaml diff --git a/.archive/navidrome/app/kustomization.yaml b/kubernetes/main/apps/default/navidrome/app/kustomization.yaml similarity index 100% rename from .archive/navidrome/app/kustomization.yaml rename to kubernetes/main/apps/default/navidrome/app/kustomization.yaml diff --git a/.archive/navidrome/app/pvc.yaml b/kubernetes/main/apps/default/navidrome/app/pvc.yaml similarity index 100% rename from .archive/navidrome/app/pvc.yaml rename to kubernetes/main/apps/default/navidrome/app/pvc.yaml diff --git a/.archive/navidrome/ks.yaml b/kubernetes/main/apps/default/navidrome/ks.yaml similarity index 100% rename from .archive/navidrome/ks.yaml rename to kubernetes/main/apps/default/navidrome/ks.yaml diff --git a/.archive/navidrome/monitoring/gatus.yaml b/kubernetes/main/apps/default/navidrome/monitoring/gatus.yaml similarity index 100% rename from .archive/navidrome/monitoring/gatus.yaml rename to kubernetes/main/apps/default/navidrome/monitoring/gatus.yaml diff --git a/.archive/navidrome/monitoring/servicemonitor.yaml b/kubernetes/main/apps/default/navidrome/monitoring/servicemonitor.yaml similarity index 100% rename from .archive/navidrome/monitoring/servicemonitor.yaml rename to kubernetes/main/apps/default/navidrome/monitoring/servicemonitor.yaml diff --git a/kubernetes/main/apps/flux-system/webhooks/app/github/secret.sops.yaml b/kubernetes/main/apps/flux-system/webhooks/app/github/secret.sops.yaml index bcf455ba2..600fd94ba 100644 --- a/kubernetes/main/apps/flux-system/webhooks/app/github/secret.sops.yaml +++ b/kubernetes/main/apps/flux-system/webhooks/app/github/secret.sops.yaml 
@@ -1,26 +1,7 @@
+---
apiVersion: v1
kind: Secret
metadata:
- name: github-webhook-token-secret
+ name: github-webhook-token-secret
stringData:
- token: ENC[AES256_GCM,data:LVNMhZzVBoFf9gPIE3W0U3PDz39S/OSv,iv:K8xcyn1X5OK5BGHo4ii72qa5OAvXaS8EslrkEfj5wCQ=,tag:zI7xj2NIfjTgFp5ijIzEXw==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1ptththqpxnx0zuzmq0peq9x30vqgdedjsdlsuzxr5gfc36mnwqlsylrpr8
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjV3B6aTNUYm9ZTXkwRUM2
- di9kV2s1N1RhcmpQMFQ1U3pSSUtlUXpIUjJvClFxWGNQa3Q1Y0tpVDlTM0pFNnVk
- a1g4SlE1WWJrRll1RzBrclgvOGpJdzQKLS0tIGR6TE9BMk5abGFrM0d4L1Jjb05R
- MW9SZS9qck5TQjZsVHBuQ3lENVhvOHcKP+tSYla8gt4Ye0UYSGwr/+Qadkxdq68S
- knKaRFACHle3VsBBnWsf+cM/4sNRwvTG7XcIL/I+Ve3WjfNZwbe/2g==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-19T16:36:26Z"
- mac: ENC[AES256_GCM,data:b1Fd6UqCjDruSPT8YEw4jWkxeUwKRJc4p3jtdamiC8yxFw4k/T3SSSiFBpUaIhTcuoXECd0JJatsRgHXShJ9PbhTMzebEHjLjE4w4lX8F+ua1MKWsQKbndrp9BsKjHCQ5qBBES5dgN6NvvGlIMfdMVc3QzDk+taCjAKSomLhErg=,iv:apNCwd11SkEJzNimgG8icbJbEDpZjGZVzbZ3YR+u5Iw=,tag:D/r15/MroJP25++wpTE9Fw==,type:str]
- pgp: []
- encrypted_regex: ^(data|stringData)$
- version: 3.8.1
+ token: "bf80897317013edb408337de"
diff --git a/kubernetes/main/apps/kube-system/amd-device-plugin/app/kustomization.yaml b/kubernetes/main/apps/kube-system/amd-device-plugin/app/kustomization.yaml
deleted file mode 100644
index ff218a66d..000000000
--- a/kubernetes/main/apps/kube-system/amd-device-plugin/app/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.dmfrey.com/kustomize.toolkit.fluxcd.io/kustomization_v1beta1.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./labeller
- - ./plugin
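Review bot: `token` is committed in plaintext here as well — the `sops:` block and the `ENC[...]` value are removed and replaced with the literal `"bf80897317013edb408337de"`. Given the path (`flux-system/webhooks/app/github`) this is presumably the shared secret a Flux `Receiver` uses to validate GitHub webhook signatures, so anyone with read access to the repository can now forge signed webhook calls to the receiver endpoint and trigger reconciliations; rotate the secret on the GitHub webhook, re-encrypt this file with sops against the same age recipient, and keep the `sops:` metadata. Consider adding a pre-commit hook or CI check that rejects any `*.sops.yaml` whose `stringData`/`data` values are not `ENC[` prefixed, since this commit shows how easily decrypted files get staged. The amd-device-plugin kustomization hunk on this line is a pure deletion.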
diff --git a/kubernetes/main/apps/kube-system/amd-device-plugin/app/labeller/helmrelease.yaml b/kubernetes/main/apps/kube-system/amd-device-plugin/app/labeller/helmrelease.yaml deleted file mode 100644 index f7427bd51..000000000 --- a/kubernetes/main/apps/kube-system/amd-device-plugin/app/labeller/helmrelease.yaml +++ /dev/null 
@@ -1,115 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.dmfrey.com/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app amd-gpu-node-labeller - namespace: system - -spec: - - interval: 15m - - chart: - spec: - chart: app-template - version: 3.2.1 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - - maxHistory: 2 - - install: - remediation: - retries: 3 - - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - - uninstall: - keepHistory: false - - dependsOn: - - name: amd-device-plugin - namespace: system - - values: - - defaultPodOptions: - tolerations: - - key: CriticalAddonsOnly - operator: Exists - nodeSelector: - feature.node.kubernetes.io/pci-0300_1002.present: "true" - kubernetes.io/arch: amd64 - priorityClassName: system-node-critical - - controllers: - - amd-gpu-node-labeller: - type: daemonset - - containers: - app: - image: - repository: docker.io/rocm/k8s-device-plugin - tag: labeller-1.25.2.5@sha256:cd0decbe8e44ff8906fe9c3163b1ae102bcffc23e85edd6213f393beaa8ad78e - - workingDir: /root - - command: ["/root/k8s-node-labeller"] - - args: - [ - "-logtostderr=true", - "-stderrthreshold=INFO", - "-v=5", - "-vram", - "-cu-count", - "-simd-count", - "-device-id", - "-family", - ] - - env: - TZ: ${TIMEZONE} - DS_NODE_NAME: - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - resources: - requests: - cpu: 25m - memory: 10Mi - limits: - memory: 100Mi - - securityContext: - privileged: true - capabilities: - drop: ["ALL"] - - serviceAccount: - create: false - name: amd-gpu-node-labeller - - service: - app: - enabled: false - controller: amd-gpu-node-labeller - - persistence: - sys: - enabled: true - type: hostPath - hostPath: /sys - - dev: - enabled: true - type: hostPath - hostPath: /dev \ No newline at end of file 
diff --git a/kubernetes/main/apps/kube-system/amd-device-plugin/app/labeller/kustomization.yaml b/kubernetes/main/apps/kube-system/amd-device-plugin/app/labeller/kustomization.yaml deleted file mode 100644 index fd5465e03..000000000 --- a/kubernetes/main/apps/kube-system/amd-device-plugin/app/labeller/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.dmfrey.com/kustomize.toolkit.fluxcd.io/kustomization_v1beta1.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml - - ./rbac.yaml \ No newline at end of file diff --git a/kubernetes/main/apps/kube-system/amd-device-plugin/app/labeller/rbac.yaml b/kubernetes/main/apps/kube-system/amd-device-plugin/app/labeller/rbac.yaml deleted file mode 100644 index 7d167b253..000000000 --- a/kubernetes/main/apps/kube-system/amd-device-plugin/app/labeller/rbac.yaml +++ /dev/null @@ -1,39 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: amd-gpu-node-labeller - namespace: system -secrets: - - name: amd-gpu-node-labeller ---- -apiVersion: v1 -kind: Secret -type: kubernetes.io/service-account-token -metadata: - name: amd-gpu-node-labeller - namespace: system - annotations: - kubernetes.io/service-account.name: amd-gpu-node-labeller ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: amd-gpu-node-labeller -rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["watch", "get", "list", "update"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: amd-gpu-node-labeller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: amd-gpu-node-labeller -subjects: - - kind: ServiceAccount - name: amd-gpu-node-labeller - namespace: system \ No newline at end of file 
diff --git a/kubernetes/main/apps/kube-system/amd-device-plugin/app/plugin/helmrelease.yaml b/kubernetes/main/apps/kube-system/amd-device-plugin/app/plugin/helmrelease.yaml deleted file mode 100644 index 6e9f73ec1..000000000 --- a/kubernetes/main/apps/kube-system/amd-device-plugin/app/plugin/helmrelease.yaml +++ /dev/null @@ -1,92 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.dmfrey.com/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app amd-device-plugin - namespace: system - -spec: - - interval: 15m - - chart: - spec: - chart: app-template - version: 3.2.1 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - - maxHistory: 2 - - install: - remediation: - retries: 3 - - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - - uninstall: - keepHistory: false - - values: - - defaultPodOptions: - tolerations: - - key: CriticalAddonsOnly - operator: Exists - nodeSelector: - feature.node.kubernetes.io/pci-0300_1002.present: "true" - kubernetes.io/arch: amd64 - priorityClassName: system-node-critical - - controllers: - amd-device-plugin: - type: daemonset - - containers: - app: - image: - repository: docker.io/rocm/k8s-device-plugin - tag: 1.25.2.8@sha256:f3835498cf2274e0a07c32b38c166c05a876f8eb776d756cc06805e599a3ba5f - - workingDir: /root - - command: ["./k8s-device-plugin"] - - args: ["-logtostderr=true", "-stderrthreshold=INFO", "-v=5"] - - env: - TZ: ${TIMEZONE} - - resources: - requests: - cpu: 10m - memory: 10Mi - limits: - memory: 100Mi - - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - - service: - app: - enabled: false - controller: amd-device-plugin - - persistence: - sys: - enabled: true - type: hostPath - hostPath: /sys - - device-plugins: - enabled: true - type: hostPath - hostPath: /var/lib/kubelet/device-plugins \ No newline at end of file 
diff --git a/kubernetes/main/apps/kube-system/amd-device-plugin/app/plugin/kustomization.yaml b/kubernetes/main/apps/kube-system/amd-device-plugin/app/plugin/kustomization.yaml deleted file mode 100644 index 2fb37ce04..000000000 --- a/kubernetes/main/apps/kube-system/amd-device-plugin/app/plugin/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.dmfrey.com/kustomize.toolkit.fluxcd.io/kustomization_v1beta1.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml \ No newline at end of file diff --git a/kubernetes/main/apps/kube-system/amd-device-plugin/ks.yaml b/kubernetes/main/apps/kube-system/amd-device-plugin/ks.yaml deleted file mode 100644 index feaf63cc6..000000000 --- a/kubernetes/main/apps/kube-system/amd-device-plugin/ks.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: cluster-apps-amd-device-plugin - namespace: flux-system -spec: - targetNamespace: system - commonMetadata: - labels: - app.kubernetes.io/name: &appname amd-device-plugin - path: ./kubernetes/apps/system/amd-device-plugin/app - prune: true - sourceRef: - kind: GitRepository - name: home-gitops - wait: false # no flux ks dependents - interval: 10m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *appname - substituteFrom: [] - dependsOn: - - name: cluster-apps-node-feature-discovery-rules diff --git a/kubernetes/main/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/main/apps/kube-system/cilium/app/helmrelease.yaml index 76f16ec3a..c49988dd2 100644 --- a/kubernetes/main/apps/kube-system/cilium/app/helmrelease.yaml +++ b/kubernetes/main/apps/kube-system/cilium/app/helmrelease.yaml 
@@ -32,11 +32,14 @@ spec: hostRoot: /sys/fs/cgroup cluster: id: 1 - name: apps + name: main cni: exclusive: false + binPath: /var/lib/rancher/k3s/data/current/bin + confPath: /var/lib/rancher/k3s/agent/etc/cni/net.d containerRuntime: integration: containerd + socketPath: /var/run/k3s/containerd/containerd.sock # NOTE: devices might need to be set if you have more than one active NIC on your hosts # devices: eno+ eth+ endpointRoutes: @@ -75,7 +78,7 @@ spec: mode: kubernetes ipv4NativeRoutingCIDR: "${CLUSTER_CIDR}" k8sServiceHost: 127.0.0.1 - k8sServicePort: 7445 + k8sServicePort: 6444 kubeProxyReplacement: true kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 l2announcements: diff --git a/kubernetes/main/apps/kube-system/intel-device-plugin/app/exporter/helmrelease.yaml b/kubernetes/main/apps/kube-system/intel-device-plugin/app/exporter/helmrelease.yaml deleted file mode 100644 index aa86ef2b5..000000000 --- a/kubernetes/main/apps/kube-system/intel-device-plugin/app/exporter/helmrelease.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: intel-gpu-exporter - namespace: kube-system -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 1.5.1 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - maxHistory: 2 - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - uninstall: - keepHistory: false - dependsOn: - - name: intel-device-plugin-gpu - namespace: kube-system - values: - controller: - type: daemonset - image: - repository: ghcr.io/onedr0p/intel-gpu-exporter - tag: rolling@sha256:f5aea8755460eb2e6a61ad8cef85f88859d019a2a0213a99978205ef1d5148d7 - service: - main: - ports: - http: - port: 8080 - serviceMonitor: - main: - enabled: true - endpoints: - - port: http - scheme: http - path: /metrics - interval: 1m - scrapeTimeout: 10s - relabelings: - - sourceLabels: [__meta_kubernetes_pod_node_name] - targetLabel: node - securityContext: - privileged: true - nodeSelector: - intel.feature.node.kubernetes.io/gpu: "true" - resources: - requests: - gpu.intel.com/i915_monitoring: 1 - cpu: 100m - memory: 100Mi - limits: - gpu.intel.com/i915_monitoring: 1 - memory: 500Mi diff --git a/kubernetes/main/apps/kube-system/intel-device-plugin/app/exporter/kustomization.yaml b/kubernetes/main/apps/kube-system/intel-device-plugin/app/exporter/kustomization.yaml deleted file mode 100644 index a09cef314..000000000 --- a/kubernetes/main/apps/kube-system/intel-device-plugin/app/exporter/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: kube-system -resources: - - ./helmrelease.yaml 
diff --git a/kubernetes/main/apps/kube-system/intel-device-plugin/app/gpu/helmrelease.yaml b/kubernetes/main/apps/kube-system/intel-device-plugin/app/gpu/helmrelease.yaml deleted file mode 100644 index d4b6c2aec..000000000 --- a/kubernetes/main/apps/kube-system/intel-device-plugin/app/gpu/helmrelease.yaml +++ /dev/null @@ -1,33 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: intel-device-plugin-gpu - namespace: kube-system -spec: - interval: 30m - chart: - spec: - chart: intel-device-plugins-gpu - version: 0.27.1 - sourceRef: - kind: HelmRepository - name: intel - namespace: flux-system - maxHistory: 2 - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - uninstall: - keepHistory: false - dependsOn: - - name: intel-device-plugin-operator - namespace: kube-system - values: - name: intel-gpu-plugin - sharedDevNum: 3 - nodeFeatureRule: true diff --git a/kubernetes/main/apps/kube-system/intel-device-plugin/app/gpu/kustomization.yaml b/kubernetes/main/apps/kube-system/intel-device-plugin/app/gpu/kustomization.yaml deleted file mode 100644 index a09cef314..000000000 --- a/kubernetes/main/apps/kube-system/intel-device-plugin/app/gpu/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: kube-system -resources: - - ./helmrelease.yaml diff --git a/kubernetes/main/apps/kube-system/intel-device-plugin/app/kustomization.yaml b/kubernetes/main/apps/kube-system/intel-device-plugin/app/kustomization.yaml deleted file mode 100644 index 3f31d9448..000000000 --- a/kubernetes/main/apps/kube-system/intel-device-plugin/app/kustomization.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: kube-system -resources: - #- ./exporter - - ./gpu - - ./operator diff --git a/kubernetes/main/apps/kube-system/intel-device-plugin/app/operator/helmrelease.yaml b/kubernetes/main/apps/kube-system/intel-device-plugin/app/operator/helmrelease.yaml deleted file mode 100644 index 632ca9bc3..000000000 --- a/kubernetes/main/apps/kube-system/intel-device-plugin/app/operator/helmrelease.yaml +++ /dev/null @@ -1,28 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: intel-device-plugin-operator - namespace: kube-system -spec: - interval: 30m - chart: - spec: - chart: intel-device-plugins-operator - version: 0.27.1 - sourceRef: - kind: HelmRepository - name: intel - namespace: flux-system - maxHistory: 2 - install: - crds: CreateReplace - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - crds: CreateReplace - remediation: - retries: 3 - uninstall: - keepHistory: false diff --git a/kubernetes/main/apps/kube-system/intel-device-plugin/app/operator/kustomization.yaml b/kubernetes/main/apps/kube-system/intel-device-plugin/app/operator/kustomization.yaml deleted file mode 100644 index a09cef314..000000000 --- a/kubernetes/main/apps/kube-system/intel-device-plugin/app/operator/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: kube-system -resources: - - ./helmrelease.yaml diff --git a/kubernetes/main/apps/kube-system/kube-vip/app/daemonset.yaml b/kubernetes/main/apps/kube-system/kube-vip/app/daemonset.yaml new file mode 100644 index 000000000..becc10475 --- /dev/null +++ b/kubernetes/main/apps/kube-system/kube-vip/app/daemonset.yaml 
@@ -0,0 +1,75 @@ +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: kube-vip + namespace: kube-system + labels: + app.kubernetes.io/name: kube-vip +spec: + selector: + matchLabels: + app.kubernetes.io/name: kube-vip + template: + metadata: + labels: + app.kubernetes.io/name: kube-vip + spec: + containers: + - name: kube-vip + image: ghcr.io/kube-vip/kube-vip:v0.8.0 + imagePullPolicy: IfNotPresent + args: ["manager"] + env: + - name: address + value: "10.69.1.154" + - name: vip_arp + value: "true" + - name: lb_enable + value: "true" + - name: port + value: "6443" + - name: vip_cidr + value: "32" + - name: cp_enable + value: "true" + - name: cp_namespace + value: kube-system + - name: vip_ddns + value: "false" + - name: svc_enable + value: "false" + - name: vip_leaderelection + value: "true" + - name: vip_leaseduration + value: "15" + - name: vip_renewdeadline + value: "10" + - name: vip_retryperiod + value: "2" + - name: prometheus_server + value: :2112 + securityContext: + capabilities: + add: ["NET_ADMIN", "NET_RAW", "SYS_TIME"] + hostAliases: + - hostnames: + - kubernetes + ip: 127.0.0.1 + hostNetwork: true + serviceAccountName: kube-vip + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/master + operator: Exists + - matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: Exists + tolerations: + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists diff --git a/kubernetes/main/apps/kube-system/node-feature-discovery/app/kustomization.yaml b/kubernetes/main/apps/kube-system/kube-vip/app/kustomization.yaml similarity index 63% rename from kubernetes/main/apps/kube-system/node-feature-discovery/app/kustomization.yaml rename to kubernetes/main/apps/kube-system/kube-vip/app/kustomization.yaml index 1c3fdb04d..cbede8284 100644 --- a/kubernetes/main/apps/kube-system/node-feature-discovery/app/kustomization.yaml 
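Review bot: `prometheus_server` is the only env entry left unquoted (`value: :2112`) while every other value in this container block is a quoted string, and a plain scalar starting with `:` is exactly the kind of token parsers disagree on, so write `value: ":2112"`. Because the pod runs with `hostNetwork: true`, that metrics listener appears to be reachable on every control-plane node's interfaces without authentication; if nothing scrapes it, drop the variable, otherwise keep it and restrict the port at the node firewall. The `hostAliases` entry mapping `kubernetes` to `127.0.0.1` is non-obvious and deserves a comment, e.g. `# resolve the in-cluster API name to the node-local apiserver so kube-vip can start before the VIP is up; only valid on apiserver nodes, which the nodeAffinity below enforces`.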
+++ b/kubernetes/main/apps/kube-system/kube-vip/app/kustomization.yaml @@ -1,6 +1,6 @@ --- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: kube-system resources: - - ./helmrelease.yaml + - ./rbac.yaml + - ./daemonset.yaml diff --git a/kubernetes/main/apps/kube-system/kube-vip/app/rbac.yaml b/kubernetes/main/apps/kube-system/kube-vip/app/rbac.yaml new file mode 100644 index 000000000..b3cc6d4d6 --- /dev/null +++ b/kubernetes/main/apps/kube-system/kube-vip/app/rbac.yaml @@ -0,0 +1,42 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-vip + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + name: system:kube-vip-role +rules: + - apiGroups: [""] + resources: ["services/status"] + verbs: ["update"] + - apiGroups: [""] + resources: ["services", "endpoints"] + verbs: ["list","get","watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["list","get","watch", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["list", "get", "watch", "update", "create"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["list","get","watch", "update"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: system:kube-vip-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:kube-vip-role +subjects: +- kind: ServiceAccount + name: kube-vip + namespace: kube-system diff --git a/kubernetes/main/apps/kube-system/intel-device-plugin/ks.yaml b/kubernetes/main/apps/kube-system/kube-vip/ks.yaml similarity index 55% rename from kubernetes/main/apps/kube-system/intel-device-plugin/ks.yaml rename to kubernetes/main/apps/kube-system/kube-vip/ks.yaml index 19f53be29..de0442423 100644 --- a/kubernetes/main/apps/kube-system/intel-device-plugin/ks.yaml 
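Review bot: `system:kube-vip-role` grants cluster-wide `update`/`patch` on `nodes` and `update` on `services/status`, `endpoints` and `endpointslices` to a hostNetwork DaemonSet that sets `svc_enable: "false"` in daemonset.yaml, so the service-related rules are presumably unused by this deployment; confirm against kube-vip's requirements for control-plane-only mode and drop the verbs this mode does not need. Two style points in the same file: the flow sequences mix spacing (`["list","get","watch", "update"]`), and `subjects:` is flush-indented while the `rules:` items are indented — pick one style file-wide, e.g. `verbs: ["list", "get", "watch", "update"]`.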
+++ b/kubernetes/main/apps/kube-system/kube-vip/ks.yaml @@ -2,15 +2,19 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: intel-device-plugin + name: &app kube-vip namespace: flux-system spec: - path: ./kubernetes/main/apps/kube-system/intel-device-plugin/app + targetNamespace: kube-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps/kube-system/kube-vip/app prune: true sourceRef: kind: GitRepository name: home-kubernetes - wait: true + wait: false interval: 30m retryInterval: 1m timeout: 5m diff --git a/kubernetes/main/apps/kube-system/kustomization.yaml b/kubernetes/main/apps/kube-system/kustomization.yaml index b92ba543b..3e9277829 100644 --- a/kubernetes/main/apps/kube-system/kustomization.yaml +++ b/kubernetes/main/apps/kube-system/kustomization.yaml @@ -7,11 +7,9 @@ resources: - ./cilium/ks.yaml - ./external-secrets/ks.yaml - ./glauth/ks.yaml - - ./intel-device-plugin/ks.yaml - ./kubelet-csr-approver/ks.yaml - ./metrics-server/ks.yaml - ./nfs-subdir-external-provisioner/ks.yaml - - ./node-feature-discovery/ks.yaml - ./reloader/ks.yaml - ./snapshot-controller/ks.yaml - - ./spegel/ks.yaml + #- ./spegel/ks.yaml diff --git a/kubernetes/main/apps/kube-system/nfs-subdir-external-provisioner/app/helmrelease.yaml b/kubernetes/main/apps/kube-system/nfs-subdir-external-provisioner/app/helmrelease.yaml index 9c2b93933..2d4ead5c0 100644 --- a/kubernetes/main/apps/kube-system/nfs-subdir-external-provisioner/app/helmrelease.yaml +++ b/kubernetes/main/apps/kube-system/nfs-subdir-external-provisioner/app/helmrelease.yaml @@ -1,3 +1,4 @@ +--- apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: diff --git a/kubernetes/main/apps/kube-system/node-feature-discovery/app/helmrelease.yaml b/kubernetes/main/apps/kube-system/node-feature-discovery/app/helmrelease.yaml deleted file mode 100644 index e94560481..000000000 
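Review bot: `wait: true` becomes `wait: false`, so Flux marks this Kustomization Ready as soon as the DaemonSet object is applied rather than when kube-vip pods are actually running; since the address this DaemonSet advertises is presumably the control-plane VIP the rest of the cluster depends on, a failed rollout would no longer surface in Flux. Keep `wait: true`, or add an explicit entry under `healthChecks:` for the `kube-vip` DaemonSet so anything that depends on this Kustomization still gates on it.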
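Review bot: `#- ./spegel/ks.yaml` leaves a commented-out entry in the resource list with no reason recorded, and the same pattern is introduced in `kubernetes/main/apps/network/kustomization.yaml` (`#- ./smtp-relay/ks.yaml`). If the parent Flux Kustomization prunes, disabling the entry removes the app either way, so either delete the line or keep it with a space after `#` and a reason, e.g. `# - ./spegel/ks.yaml  # disabled: <reason placeholder>`; yamllint's `comments` rule also expects the space after `#`.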
--- a/kubernetes/main/apps/kube-system/node-feature-discovery/app/helmrelease.yaml +++ /dev/null @@ -1,48 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: node-feature-discovery - namespace: kube-system -spec: - interval: 30m - chart: - spec: - chart: node-feature-discovery - version: 0.16.3 - sourceRef: - kind: HelmRepository - name: node-feature-discovery - namespace: flux-system - maxHistory: 2 - install: - crds: CreateReplace - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - crds: CreateReplace - remediation: - retries: 3 - uninstall: - keepHistory: false - values: - prometheus: - enable: true - master: - resources: - requests: - cpu: 15m - memory: 64M - limits: - memory: 64M - worker: - config: - core: - sources: [custom, pci, usb] - resources: - requests: - cpu: 15m - memory: 64M - limits: - memory: 64M diff --git a/kubernetes/main/apps/network/ingress-nginx/external/helmrelease.yaml b/kubernetes/main/apps/network/ingress-nginx/external/helmrelease.yaml index 45d58d19a..99a55bb0e 100644 --- a/kubernetes/main/apps/network/ingress-nginx/external/helmrelease.yaml +++ b/kubernetes/main/apps/network/ingress-nginx/external/helmrelease.yaml @@ -30,7 +30,7 @@ spec: service: annotations: external-dns.alpha.kubernetes.io/hostname: "external.${SECRET_DOMAIN}" - io.cilium/lb-ipam-ips: "10.69.3.121" + io.cilium/lb-ipam-ips: "10.69.1.121" externalTrafficPolicy: Cluster ingressClassResource: name: external diff --git a/kubernetes/main/apps/network/ingress-nginx/internal/helmrelease.yaml b/kubernetes/main/apps/network/ingress-nginx/internal/helmrelease.yaml index 96073019f..07dde60bc 100644 --- a/kubernetes/main/apps/network/ingress-nginx/internal/helmrelease.yaml +++ b/kubernetes/main/apps/network/ingress-nginx/internal/helmrelease.yaml 
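Review bot: the LB IP moves from `10.69.3.121` to `10.69.1.121`, with the matching changes for the internal ingress (`10.69.1.122`) and k8s-gateway (`10.69.1.120`) in the following hunks, but no CiliumLoadBalancerIPPool change is part of this diff; if the pool still only covers the old `10.69.3.x` range, these requests cannot be satisfied and the Services will sit without an address. The new addresses also share a subnet with the kube-vip control-plane VIP `10.69.1.154` added in daemonset.yaml, so confirm that address is excluded from the pool range to avoid a collision.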
@@ -27,7 +27,7 @@ spec: replicaCount: 1 service: annotations: - io.cilium/lb-ipam-ips: "10.69.3.122" + io.cilium/lb-ipam-ips: "10.69.1.122" externalTrafficPolicy: Cluster ingressClassResource: name: internal diff --git a/kubernetes/main/apps/network/k8s-gateway/app/helmrelease.yaml b/kubernetes/main/apps/network/k8s-gateway/app/helmrelease.yaml index 0b334f52e..77f72f205 100644 --- a/kubernetes/main/apps/network/k8s-gateway/app/helmrelease.yaml +++ b/kubernetes/main/apps/network/k8s-gateway/app/helmrelease.yaml @@ -28,6 +28,6 @@ spec: type: LoadBalancer port: 53 annotations: - io.cilium/lb-ipam-ips: "10.69.3.120" + io.cilium/lb-ipam-ips: "10.69.1.120" externalTrafficPolicy: Cluster watchedResources: ["Ingress", "Service"] diff --git a/kubernetes/main/apps/network/kustomization.yaml b/kubernetes/main/apps/network/kustomization.yaml index db7ef4d55..c6cdd24ef 100644 --- a/kubernetes/main/apps/network/kustomization.yaml +++ b/kubernetes/main/apps/network/kustomization.yaml @@ -8,4 +8,4 @@ resources: - ./external-dns/ks.yaml - ./ingress-nginx/ks.yaml - ./k8s-gateway/ks.yaml - - ./smtp-relay/ks.yaml + #- ./smtp-relay/ks.yaml diff --git a/kubernetes/main/apps/system-upgrade/k3s/app/kustomization.yaml b/kubernetes/main/apps/system-upgrade/k3s/app/kustomization.yaml new file mode 100644 index 000000000..c159f45bc --- /dev/null +++ b/kubernetes/main/apps/system-upgrade/k3s/app/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./plan.yaml diff --git a/kubernetes/main/apps/system-upgrade/k3s/app/plan.yaml b/kubernetes/main/apps/system-upgrade/k3s/app/plan.yaml new file mode 100644 index 000000000..38784cd5a --- /dev/null +++ b/kubernetes/main/apps/system-upgrade/k3s/app/plan.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: upgrade.cattle.io/v1 +kind: Plan +metadata: + name: controllers +spec: + version: "${KUBE_VERSION}" + upgrade: + image: rancher/k3s-upgrade + serviceAccountName: system-upgrade + concurrency: 1 + cordon: true + nodeSelector: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: Exists + tolerations: + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + operator: Exists + - key: node-role.kubernetes.io/master + effect: NoSchedule + operator: Exists + - key: node-role.kubernetes.io/etcd + effect: NoExecute + operator: Exists + - key: CriticalAddonsOnly + operator: Exists +--- +apiVersion: upgrade.cattle.io/v1 +kind: Plan +metadata: + name: workers +spec: + version: "${KUBE_VERSION}" + serviceAccountName: system-upgrade + concurrency: 1 + nodeSelector: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + prepare: + image: rancher/k3s-upgrade + args: ["prepare", "controllers"] + upgrade: + image: rancher/k3s-upgrade diff --git a/kubernetes/main/apps/system-upgrade/k3s/ks.yaml b/kubernetes/main/apps/system-upgrade/k3s/ks.yaml new file mode 100644 index 000000000..da42e7e0d --- /dev/null +++ b/kubernetes/main/apps/system-upgrade/k3s/ks.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app system-upgrade-k3s + namespace: flux-system +spec: + targetNamespace: system-upgrade + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: system-upgrade-controller + path: ./kubernetes/main/apps/system-upgrade/k3s/app + prune: true + sourceRef: + kind: GitRepository + name: home-kubernetes + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m + postBuild: + substitute: + # renovate: datasource=github-releases depName=k3s-io/k3s + KUBE_VERSION: v1.30.0+k3s1 
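Review bot: the `workers` plan has neither `cordon: true` nor a `drain:` section, so worker nodes are upgraded in place with workloads still scheduled on them, whereas the `controllers` plan at least cordons; the k3s reference plans drain agents before the upgrade job runs, e.g. `drain: { force: true }`. Add that to the workers plan, or record why an in-place upgrade without eviction is acceptable here. Both plans run their jobs under the `system-upgrade` ServiceAccount, which rbac.yaml in this commit binds to `cluster-admin`, so `concurrency: 1` is effectively the only blast-radius limit — a comment on that line saying so would help the next reader.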
diff --git a/kubernetes/main/apps/system-upgrade/kustomization.yaml b/kubernetes/main/apps/system-upgrade/kustomization.yaml new file mode 100644 index 000000000..e0b2bf29a --- /dev/null +++ b/kubernetes/main/apps/system-upgrade/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./system-upgrade-controller/ks.yaml + - ./k3s/ks.yaml diff --git a/kubernetes/main/apps/system-upgrade/namespace.yaml b/kubernetes/main/apps/system-upgrade/namespace.yaml new file mode 100644 index 000000000..5ea024dde --- /dev/null +++ b/kubernetes/main/apps/system-upgrade/namespace.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: system-upgrade + labels: + kustomize.toolkit.fluxcd.io/prune: disabled diff --git a/kubernetes/main/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml b/kubernetes/main/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml new file mode 100644 index 000000000..a9e48714a --- /dev/null +++ b/kubernetes/main/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml 
@@ -0,0 +1,101 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app system-upgrade-controller +spec: + interval: 30m + chart: + spec: + chart: app-template + version: 3.1.0 + sourceRef: + kind: HelmRepository + name: bjw-s + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + controllers: + system-upgrade-controller: + strategy: RollingUpdate + containers: + app: + image: + repository: docker.io/rancher/system-upgrade-controller + tag: v0.13.4 + env: + SYSTEM_UPGRADE_CONTROLLER_DEBUG: false + SYSTEM_UPGRADE_CONTROLLER_THREADS: 2 + SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: 900 + SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: 99 + SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: IfNotPresent + SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: registry.k8s.io/kubectl:v1.30.1 + SYSTEM_UPGRADE_JOB_PRIVILEGED: true + SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: 900 + SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m + SYSTEM_UPGRADE_CONTROLLER_NAME: *app + SYSTEM_UPGRADE_CONTROLLER_NAMESPACE: + valueFrom: + fieldRef: + fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: { drop: ["ALL"] } + defaultPodOptions: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + seccompProfile: { type: RuntimeDefault } + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: Exists + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + serviceAccount: + create: true + name: system-upgrade + persistence: + tmp: + type: emptyDir + globalMounts: + - path: /tmp + etc-ssl: + type: hostPath + hostPath: /etc/ssl + 
hostPathType: DirectoryOrCreate + globalMounts: + - path: /etc/ssl + readOnly: true + etc-pki: + type: hostPath + hostPath: /etc/pki + hostPathType: DirectoryOrCreate + globalMounts: + - path: /etc/pki + readOnly: true + etc-ca-certificates: + type: hostPath + hostPath: /etc/ca-certificates + hostPathType: DirectoryOrCreate + globalMounts: + - path: /etc/ca-certificates + readOnly: true diff --git a/kubernetes/main/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml b/kubernetes/main/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml new file mode 100644 index 000000000..49f355119 --- /dev/null +++ b/kubernetes/main/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + # renovate: datasource=github-releases depName=rancher/system-upgrade-controller + - https://github.com/rancher/system-upgrade-controller/releases/download/v0.13.4/crd.yaml + - helmrelease.yaml + - rbac.yaml diff --git a/kubernetes/main/apps/system-upgrade/system-upgrade-controller/app/rbac.yaml b/kubernetes/main/apps/system-upgrade/system-upgrade-controller/app/rbac.yaml new file mode 100644 index 000000000..123677c2a --- /dev/null +++ b/kubernetes/main/apps/system-upgrade/system-upgrade-controller/app/rbac.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: system-upgrade +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: system-upgrade + namespace: system-upgrade 
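Review bot: the three `hostPath` mounts of `/etc/ssl`, `/etc/pki` and `/etc/ca-certificates` carry no explanation, and `hostPathType: DirectoryOrCreate` means the kubelet creates those directories on nodes that lack them (Debian-family hosts have no `/etc/pki`), a host-filesystem side effect for a pod that is otherwise well locked down (non-root, read-only rootfs, all capabilities dropped). Add a comment above `etc-ssl:` such as `# host CA trust stores, mounted read-only so TLS verification follows the node's bundle; DirectoryOrCreate is deliberate because not every distro ships all three paths`, or use `Directory` for the paths the node OS is known to provide. Separately, `SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: registry.k8s.io/kubectl:v1.30.1` is hand-pinned while `KUBE_VERSION` in k3s/ks.yaml carries a renovate comment; if the repo's regex manager covers values files, a `# renovate: datasource=docker depName=registry.k8s.io/kubectl` line above it keeps the kubectl image from drifting away from the cluster version.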
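Review bot: binding the `system-upgrade` ServiceAccount to `cluster-admin` is undocumented here; it follows upstream system-upgrade-controller's model, and the same account is named in the controller HelmRelease and in both Plans, so every privileged upgrade job on every node carries a cluster-admin token. Record that in the manifest, e.g. `# cluster-admin is required by system-upgrade-controller (plan reconciliation, cordon/drain) and is inherited by the Plan jobs; do not reuse this ServiceAccount for anything else`, so a later reader neither scopes it down and breaks upgrades nor borrows it for another workload.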
diff --git a/kubernetes/main/apps/kube-system/node-feature-discovery/ks.yaml b/kubernetes/main/apps/system-upgrade/system-upgrade-controller/ks.yaml similarity index 53% rename from kubernetes/main/apps/kube-system/node-feature-discovery/ks.yaml rename to kubernetes/main/apps/system-upgrade/system-upgrade-controller/ks.yaml index 2c4a22e26..f923859bd 100644 --- a/kubernetes/main/apps/kube-system/node-feature-discovery/ks.yaml +++ b/kubernetes/main/apps/system-upgrade/system-upgrade-controller/ks.yaml @@ -2,10 +2,14 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: node-feature-discovery + name: &app system-upgrade-controller namespace: flux-system spec: - path: ./kubernetes/main/apps/kube-system/node-feature-discovery/app + targetNamespace: system-upgrade + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps/system-upgrade/system-upgrade-controller/app prune: true sourceRef: kind: GitRepository