diff --git a/.envrc b/.envrc index e0a5845d..48f62a73 100644 --- a/.envrc +++ b/.envrc @@ -1,5 +1,11 @@ #shellcheck disable=SC2148,SC2155 -export KUBECONFIG=$(expand_path ./provision/kubeconfig) -export ANSIBLE_CONFIG=$(expand_path ./ansible.cfg) -export ANSIBLE_HOST_KEY_CHECKING="False" -export SOPS_AGE_KEY_FILE=$(expand_path ~/.config/sops/age/keys.txt) +export KUBECONFIG="$(expand_path ./kubeconfig)" +export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)" +# Venv +PATH_add "$(expand_path ./.venv/bin)" +export VIRTUAL_ENV="$(expand_path ./.venv)" +export PYTHONDONTWRITEBYTECODE="1" +# Talos +export TALOSCONFIG="$(expand_path ./kubernetes/bootstrap/talos/clusterconfig/talosconfig)" +# Bin +PATH_add "$(expand_path ./.bin)" diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index d373eeba..8e5f1a51 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,2 +1 @@ -# https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners * @paulkiernan diff --git a/.github/ISSUE_TEMPLATE/bug-report.md b/.github/ISSUE_TEMPLATE/bug-report.md deleted file mode 100644 index 45a023ce..00000000 --- a/.github/ISSUE_TEMPLATE/bug-report.md +++ /dev/null @@ -1,24 +0,0 @@ ---- -name: Bug report -about: Create a report to help us improve -title: '' -labels: kind/bug -assignees: '' - ---- - -# Details - -**What steps did you take and what happened:** - - - -**What did you expect to happen:** - -**Anything else you would like to add:** - - - -**Additional Information:** - - diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml deleted file mode 100644 index 20705b23..00000000 --- a/.github/ISSUE_TEMPLATE/config.yml +++ /dev/null @@ -1,5 +0,0 @@ -blank_issues_enabled: false -contact_links: - - name: Discuss on Discord - url: https://discord.com/invite/sTMX7Vh - about: Join our Discord community 
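Review bot: `export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"` moves the age private key from `~/.config/sops/age/keys.txt` into the repository working tree, where only the new `*.key` pattern in `.gitignore` keeps it out of history, and the same commit deletes `.pre-commit-config.yaml` together with its `forbid-secrets` and `gitleaks` hooks, so nothing scans a commit any more if that pattern is ever loosened. `PATH_add "$(expand_path ./.bin)"` likewise prepends an untracked, gitignored directory to `PATH`, so any executable dropped there shadows the system tools the Taskfiles call by bare name. Consider keeping a secret-scanning hook and adding a comment such as `# age.key, kubeconfig and talosconfig live in the tree and are protected only by .gitignore` above the exports.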
diff --git a/.github/ISSUE_TEMPLATE/feature-request.md b/.github/ISSUE_TEMPLATE/feature-request.md deleted file mode 100644 index cdafcbe6..00000000 --- a/.github/ISSUE_TEMPLATE/feature-request.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -name: Feature request -about: Suggest an idea for this project -title: '' -labels: kind/enhancement -assignees: '' - ---- - -# Details - -**Describe the solution you'd like:** - - - -**Anything else you would like to add:** - - - -**Additional Information:** - - diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md deleted file mode 100644 index d5561aef..00000000 --- a/.github/ISSUE_TEMPLATE/question.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -name: Question -about: Ask a question to the maintainer -title: '' -labels: kind/question -assignees: '' - ---- - -# Details - -**Ask your question:** - - - - - - - diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md deleted file mode 100644 index 49fca846..00000000 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ /dev/null @@ -1,20 +0,0 @@ -**Description of the change** - - - -**Benefits** - - - -**Possible drawbacks** - - - -**Applicable issues** - - -- fixes # - -**Additional information** - - diff --git a/.github/workflows/flux-schedule.yaml b/.github/workflows/flux-schedule.yaml deleted file mode 100644 index 9de4a715..00000000 --- a/.github/workflows/flux-schedule.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -name: Schedule - Update Flux - -on: # yamllint disable-line rule:truthy - workflow_dispatch: - schedule: - - cron: "0 12 * * *" - -jobs: - flux-upgrade: - runs-on: ubuntu-20.04 - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 1 - - - name: Setup Flux CLI - uses: fluxcd/flux2/action@main - - - name: Upgrade Flux - id: upgrade - run: | - CLI_VERSION="$(flux -v)" - VERSION="v${CLI_VERSION#*flux version }" - flux install --version="${VERSION}" \ - --network-policy=false \ - --export > ./cluster/base/flux-system/gotk-components.yaml - echo "::set-output name=flux_version::$VERSION" - - - name: Create pull request for Flux upgrade - uses: peter-evans/create-pull-request@v4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - branch: "flux/upgrade-${{ steps.upgrade.outputs.flux_version }}" - delete-branch: true - title: "chore(deps): upgrade flux components to ${{ steps.upgrade.outputs.flux_version }}" - signoff: false - committer: GitHub - author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> - commit-message: "chore(deps): upgrade flux components to ${{ steps.upgrade.outputs.flux_version }}" - body: | - Release notes: https://github.com/fluxcd/flux2/releases/tag/${{ steps.upgrade.outputs.flux_version }} - labels: flux/upgrade diff --git a/.github/workflows/invalid-template.yaml b/.github/workflows/invalid-template.yaml deleted file mode 100644 index 0d1bc6b6..00000000 --- a/.github/workflows/invalid-template.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -name: Invalid Template - -on: - issues: - types: - - labeled - - unlabeled - - reopened - -jobs: - support: - runs-on: ubuntu-20.04 - steps: - - uses: dessant/support-requests@v3 - with: - github-token: ${{ github.token }} - support-label: "template-incomplete" - issue-comment: > - :wave: @{issue-author}, please follow the template provided. - close-issue: true - lock-issue: true - issue-lock-reason: "resolved" 
diff --git a/.github/workflows/support.yaml b/.github/workflows/support.yaml deleted file mode 100644 index 7ddc68eb..00000000 --- a/.github/workflows/support.yaml +++ /dev/null @@ -1,27 +0,0 @@ ---- -name: "Support requests" - -on: - issues: - types: - - labeled - - unlabeled - - reopened - -jobs: - support: - runs-on: ubuntu-20.04 - steps: - - uses: dessant/support-requests@v3 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - support-label: "support" - issue-comment: > - :wave: @{issue-author}, we use the issue tracker exclusively - for bug reports and feature requests. However, this issue appears - to be a support request. Please use our support channels - to get help with. - - [Discord](https://discord.gg/sTMX7Vh) - close-issue: true - lock-issue: false - issue-lock-reason: "off-topic" diff --git a/.gitignore b/.gitignore index 5f9a65ca..8d60c235 100644 --- a/.gitignore +++ b/.gitignore @@ -1,19 +1,19 @@ -# Trash +*.agekey* +*.key +*.pub .DS_Store -Thumbs.db - -# k8s -kubeconfig* - -# vscode-sops -.decrypted~*.yaml +.bin .config.env -*.agekey - -# Ansible -xanmanning.k3s* - -# Terraform +.decrypted~*.yaml +.idea +.private +.task .terraform -.terraform.tfstate* +.venv* +/config.yaml +Brewfile.lock.json +Thumbs.db +kubeconfig* +talosconfig terraform.tfstate* +wiki diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml deleted file mode 100644 index 34e3afef..00000000 --- a/.pre-commit-config.yaml +++ /dev/null 
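Review bot: `talosconfig` and `kubeconfig*` are now ignored, but no pattern covers the per-node machine configs that `talhelper genconfig --out-dir {{.TALHELPER_CLUSTER_DIR}}` (in `.taskfiles/talos/Taskfile.yaml`) renders into the same `clusterconfig` directory, and those files embed the machine token and cluster CA material. As far as I recall talhelper writes its own `.gitignore` into the out-dir, but that file is generated at bootstrap time rather than committed here, so the protection is worth pinning in this list. Add `kubernetes/bootstrap/talos/clusterconfig/` (keeping the `talosconfig` entry if it is meant to stay distinct) with a short comment explaining why.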
@@ -1,34 +0,0 @@ ---- -fail_fast: false -repos: - - repo: https://github.com/adrienverge/yamllint - rev: v1.26.3 - hooks: - - args: - - --config-file - - .github/lint/.yamllint.yaml - id: yamllint - - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.1.0 - hooks: - - id: trailing-whitespace - args: [--markdown-linebreak-ext=md] - - id: end-of-file-fixer - - id: mixed-line-ending - - repo: https://github.com/Lucas-C/pre-commit-hooks - rev: v1.1.10 - hooks: - - id: remove-crlf - - id: remove-tabs - - repo: https://github.com/sirosen/fix-smartquotes - rev: 0.2.0 - hooks: - - id: fix-smartquotes - - repo: https://github.com/k8s-at-home/sops-pre-commit - rev: v2.1.0 - hooks: - - id: forbid-secrets - - repo: https://github.com/zricethezav/gitleaks - rev: v8.2.7 - hooks: - - id: gitleaks diff --git a/.python-version b/.python-version deleted file mode 100644 index c96e95ee..00000000 --- a/.python-version +++ /dev/null @@ -1 +0,0 @@ -homelab diff --git a/.sops.yaml b/.sops.yaml index f4bb2d1b..c8e91f03 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,10 +1,12 @@ --- creation_rules: - - path_regex: provision/.*\.sops\.ya?ml - unencrypted_regex: "^(kind)$" - age: >- - age1cxqfxy46kp8p007857c6cnk4j2ypuc0pw04utqr58uraxn0dz3ystslpxj - - path_regex: cluster/.*\.ya?ml + - # IMPORTANT: This rule MUST be above the others + path_regex: talos/.*\.sops\.ya?ml + key_groups: + - age: + - "age16vnesw9pd7l556h9lmgv4lyya03xsu2akc5hukhgua8mffukmsms46665n" + - path_regex: kubernetes/.*\.sops\.ya?ml encrypted_regex: "^(data|stringData)$" - age: >- - age1cxqfxy46kp8p007857c6cnk4j2ypuc0pw04utqr58uraxn0dz3ystslpxj + key_groups: + - age: + - "age16vnesw9pd7l556h9lmgv4lyya03xsu2akc5hukhgua8mffukmsms46665n" diff --git a/.taskfiles/ansible.yml b/.taskfiles/ansible.yml deleted file mode 100644 index d7f197a3..00000000 --- a/.taskfiles/ansible.yml +++ /dev/null 
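Review bot: The `# IMPORTANT: This rule MUST be above the others` comment states the ordering constraint but not the reason, which is the security-relevant part: sops applies the first `path_regex` that matches, and `kubernetes/.*\.sops\.ya?ml` also matches `kubernetes/bootstrap/talos/talsecret.sops.yaml` (the `TALHELPER_SECRET_FILE` in `.taskfiles/talos/Taskfile.yaml`); with `encrypted_regex: "^(data|stringData)$"` that rule would leave the Talos secrets bundle, whose keys are not named `data`/`stringData`, in cleartext. Suggest `# IMPORTANT: keep this rule first — talsecret.sops.yaml also matches the kubernetes/ rule below, whose encrypted_regex would leave it unencrypted` so the next person to reorder the file understands the consequence.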
@@ -1,70 +0,0 @@ ---- -version: "3" - -env: - ANSIBLE_CONFIG: "{{.PROJECT_DIR}}/ansible.cfg" - -vars: - ANSIBLE_PLAYBOOK_DIR: "{{.ANSIBLE_DIR}}/playbooks" - ANSIBLE_INVENTORY_DIR: "{{.ANSIBLE_DIR}}/inventory" - -tasks: - deps: - desc: Upgrade Ansible galaxy deps - dir: provision/ansible - cmds: - - "ansible-galaxy install -r requirements.yml --force" - - list: - desc: List all the hosts - dir: provision/ansible - cmds: - - "ansible all -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml --list-hosts" - - playbook:ubuntu-prepare: - desc: Prepare all the k8s nodes for running k3s - dir: provision/ansible - cmds: - - "ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml {{.ANSIBLE_PLAYBOOK_DIR}}/ubuntu-prepare.yml" - - playbook:ubuntu-upgrade: - desc: Upgrade all the k8s nodes operating system - dir: provision/ansible - cmds: - - "ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml {{.ANSIBLE_PLAYBOOK_DIR}}/ubuntu-upgrade.yml" - - playbook:k3s-install: - desc: Install Kubernetes on the nodes - dir: provision/ansible - cmds: - - "ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml {{.ANSIBLE_PLAYBOOK_DIR}}/k3s-install.yml" - - playbook:k3s-nuke: - desc: Uninstall Kubernetes on the nodes - dir: provision/ansible - cmds: - - "ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml {{.ANSIBLE_PLAYBOOK_DIR}}/k3s-nuke.yml" - - adhoc:ping: - desc: Ping all the hosts - dir: provision/ansible - cmds: - - "ansible all -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml --one-line -m 'ping'" - - adhoc:uptime: - desc: Uptime of all the hosts - dir: provision/ansible - cmds: - - ansible all -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml --one-line -a 'uptime' - - adhoc:reboot: - desc: Reboot all the k8s nodes - dir: provision/ansible - cmds: - - "ansible kubernetes -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml -a '/usr/bin/systemctl reboot' --become" - - adhoc:poweroff: - desc: Shutdown all the k8s nodes - dir: provision/ansible - cmds: - - "ansible kubernetes -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml -a 
'/usr/bin/systemctl poweroff' --become" diff --git a/.taskfiles/flux.yml b/.taskfiles/flux.yml deleted file mode 100644 index 3fd741f5..00000000 --- a/.taskfiles/flux.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -version: "3" - -tasks: - sync: - desc: Sync flux-system with the Git Repository - cmds: - - flux reconcile source git flux-system - silent: true - - get-all: - desc: Print the statuses of all Flux resources - cmds: - - flux get all -A - silent: true diff --git a/.taskfiles/format.yml b/.taskfiles/format.yml deleted file mode 100644 index b6e04ad8..00000000 --- a/.taskfiles/format.yml +++ /dev/null @@ -1,58 +0,0 @@ ---- -version: "3" - -tasks: - all: - - task: markdown - - task: yaml - - task: json - markdown: - desc: Format Markdown - cmds: - - >- - prettier - --ignore-path '.github/lint/.prettierignore' - --config '.github/lint/.prettierrc.yaml' - --list-different - --ignore-unknown - --parser=markdown - --write '*.md' '**/*.md' - ignore_error: false - yaml: - desc: Format YAML - cmds: - - >- - prettier - --ignore-path '.github/lint/.prettierignore' - --config - '.github/lint/.prettierrc.yaml' - --list-different - --ignore-unknown - --parser=yaml - --write '*.y*ml' - '**/*.y*ml' - ignore_error: false - json: - desc: Format YAML - cmds: - - >- - prettier - --ignore-path '.github/lint/.prettierignore' - --config - '.github/lint/.prettierrc.yaml' - --list-different - --ignore-unknown - --parser=json - --write - '**/*.json' - - >- - prettier - --ignore-path '.github/lint/.prettierignore' - --config - '.github/lint/.prettierrc.yaml' - --list-different - --ignore-unknown - --parser=json5 - --write - '**/*.json5' - ignore_error: false diff --git a/.taskfiles/kubernetes/Taskfile.yaml b/.taskfiles/kubernetes/Taskfile.yaml new file mode 100644 index 00000000..872746e6 --- /dev/null +++ b/.taskfiles/kubernetes/Taskfile.yaml 
@@ -0,0 +1,36 @@ +--- +# yaml-language-server: $schema=https://taskfile.dev/schema.json +version: "3" + +vars: + KUBECONFORM_SCRIPT: "{{.SCRIPTS_DIR}}/kubeconform.sh" + +tasks: + + resources: + desc: Gather common resources in your cluster, useful when asking for support + cmds: + - for: { var: resource } + cmd: kubectl get {{.ITEM}} {{.CLI_ARGS | default "-A"}} + vars: + resource: >- + nodes + gitrepositories + kustomizations + helmrepositories + helmreleases + certificates + certificaterequests + ingresses + pods + + kubeconform: + desc: Validate Kubernetes manifests with kubeconform + cmd: bash {{.KUBECONFORM_SCRIPT}} {{.KUBERNETES_DIR}} + preconditions: + - msg: Missing kubeconform script + sh: test -f {{.KUBECONFORM_SCRIPT}} + + .reset: + internal: true + cmd: rm -rf {{.KUBERNETES_DIR}} diff --git a/.taskfiles/lint.yml b/.taskfiles/lint.yml deleted file mode 100644 index c949d447..00000000 --- a/.taskfiles/lint.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -version: "3" - -tasks: - all: - - task: markdown - - task: yaml - - task: format - - markdown: - desc: Lint Markdown - cmds: - - markdownlint -c '.github/lint/.markdownlint.yaml' *.md **/*.md - ignore_errors: true - - yaml: - desc: Lint YAML - cmds: - - yamllint -c '.github/lint/.yamllint.yaml' . - ignore_errors: true - - format: - desc: Lint general formatting - cmds: - - prettier --ignore-path '.github/lint/.prettierignore' --config '.github/lint/.prettierrc.yaml' --check . - ignore_errors: true diff --git a/.taskfiles/pre-commit.yml b/.taskfiles/pre-commit.yml deleted file mode 100644 index 22d53b15..00000000 --- a/.taskfiles/pre-commit.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -version: "3" - -tasks: - init: - desc: Initialize pre-commit hooks - cmds: - - pre-commit install --install-hooks - run: - desc: Run pre-commit - cmds: - - pre-commit run --all-files diff --git a/.taskfiles/rook.yml b/.taskfiles/rook.yml deleted file mode 100644 index 6e3a1d82..00000000 --- a/.taskfiles/rook.yml +++ /dev/null 
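Review bot: `.reset` runs `rm -rf {{.KUBERNETES_DIR}}` with the path unquoted and without a `prompt:` or precondition, even though `KUBERNETES_DIR` is the tracked manifest tree and a `ROOT_DIR` containing whitespace would split into several operands; the same pattern appears in the `.reset` tasks of `.taskfiles/sops/Taskfile.yaml` and `.taskfiles/talos/Taskfile.yaml`. At minimum quote the expansion, `cmd: rm -rf "{{.KUBERNETES_DIR}}"`, and add a one-line comment stating which task is expected to call it, since `internal: true` hides it from `task --list` but not from other tasks. The `kubeconform` cmd would benefit from the same quoting.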
@@ -1,9 +0,0 @@ ---- -version: "3" - -tasks: - status: - desc: Show ceph cluster status - cmds: - - kubectl -n rook-ceph exec -it deployment.apps/rook-ceph-tools -- ceph status - silent: true diff --git a/.taskfiles/sops/Taskfile.yaml b/.taskfiles/sops/Taskfile.yaml new file mode 100644 index 00000000..7880a005 --- /dev/null +++ b/.taskfiles/sops/Taskfile.yaml @@ -0,0 +1,36 @@ +--- +# yaml-language-server: $schema=https://taskfile.dev/schema.json +version: "3" + +tasks: + + age-keygen: + desc: Initialize Age Key for Sops + cmd: age-keygen --output {{.AGE_FILE}} + status: ["test -f {{.AGE_FILE}}"] + + encrypt: + desc: Encrypt all Kubernetes SOPS secrets + cmds: + - for: { var: file } + task: .encrypt-file + vars: + file: "{{.ITEM}}" + vars: + file: + sh: find "{{.KUBERNETES_DIR}}" -type f -name "*.sops.*" -exec grep -L "ENC\[AES256_GCM" {} \; + + .encrypt-file: + internal: true + cmd: sops --encrypt --in-place {{.file}} + requires: + vars: ["file"] + preconditions: + - msg: Missing Sops config file + sh: test -f {{.SOPS_CONFIG_FILE}} + - msg: Missing Sops Age key file + sh: test -f {{.AGE_FILE}} + + .reset: + internal: true + cmd: rm -rf {{.SOPS_CONFIG_FILE}} diff --git a/.taskfiles/talos/Taskfile.yaml b/.taskfiles/talos/Taskfile.yaml new file mode 100644 index 00000000..2b88e5df --- /dev/null +++ b/.taskfiles/talos/Taskfile.yaml 
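Review bot: `encrypt` decides what to encrypt with `grep -L "ENC\[AES256_GCM"`, so any file that already contains one encrypted value is treated as fully encrypted; a plaintext key added later to an existing `*.sops.*` file is skipped here, and sops itself refuses to re-encrypt a file that already carries sops metadata, so the cleartext would go into the commit unnoticed (the pre-commit `forbid-secrets` hook that used to catch this is deleted in this commit). A stricter check is to run `sops --decrypt` over every match and fail on any error, since the default MAC covers all values and so also rejects a value added in cleartext. Also quote the path in `.encrypt-file`, `cmd: sops --encrypt --in-place "{{.file}}"`, since the `find` output is whitespace-split by `for: { var: file }`.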
@@ -0,0 +1,101 @@ +--- +# yaml-language-server: $schema=https://taskfile.dev/schema.json +version: "3" + +vars: + TALHELPER_CLUSTER_DIR: "{{.KUBERNETES_DIR}}/bootstrap/talos/clusterconfig" + TALHELPER_SECRET_FILE: "{{.KUBERNETES_DIR}}/bootstrap/talos/talsecret.sops.yaml" + TALHELPER_CONFIG_FILE: "{{.KUBERNETES_DIR}}/bootstrap/talos/talconfig.yaml" + HELMFILE_FILE: "{{.KUBERNETES_DIR}}/bootstrap/helmfile.yaml" + TALOSCONFIG_FILE: "{{.TALHELPER_CLUSTER_DIR}}/talosconfig" + +env: + TALOSCONFIG: "{{.TALOSCONFIG_FILE}}" + +tasks: + + bootstrap: + desc: Bootstrap the Talos cluster + dir: "{{.KUBERNETES_DIR}}/bootstrap/talos" + cmds: + - | + if [ ! -f "{{.TALHELPER_SECRET_FILE}}" ]; then + talhelper gensecret > {{.TALHELPER_SECRET_FILE}} + sops --encrypt --in-place {{.TALHELPER_SECRET_FILE}} + fi + - talhelper genconfig --config-file {{.TALHELPER_CONFIG_FILE}} --secret-file {{.TALHELPER_SECRET_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} + - talhelper gencommand apply --config-file {{.TALHELPER_CONFIG_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} | bash + - until talhelper gencommand bootstrap --config-file {{.TALHELPER_CONFIG_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} | bash; do sleep 10; done + - task: fetch-kubeconfig + - task: install-helm-apps + - talosctl health --server=false + preconditions: + - msg: Missing talhelper config file + sh: test -f {{.TALHELPER_CONFIG_FILE}} + - msg: Missing Sops config file + sh: test -f {{.SOPS_CONFIG_FILE}} + - msg: Missing Sops Age key file + sh: test -f {{.AGE_FILE}} + + fetch-kubeconfig: + desc: Fetch kubeconfig + dir: "{{.KUBERNETES_DIR}}/bootstrap/talos" + cmd: until talhelper gencommand kubeconfig --config-file {{.TALHELPER_CONFIG_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} --extra-flags="{{.ROOT_DIR}} --force" | bash; do sleep 10; done + preconditions: + - msg: Missing talhelper config file + sh: test -f {{.TALHELPER_CONFIG_FILE}} + + install-helm-apps: + desc: Bootstrap core apps needed for Talos + dir: 
"{{.KUBERNETES_DIR}}/bootstrap/talos" + cmds: + - until kubectl --kubeconfig {{.KUBECONFIG_FILE}} wait --for=condition=Ready=False nodes --all --timeout=600s; do sleep 10; done + - helmfile --kubeconfig {{.KUBECONFIG_FILE}} --file {{.HELMFILE_FILE}} apply --skip-diff-on-install --suppress-diff + - until kubectl --kubeconfig {{.KUBECONFIG_FILE}} wait --for=condition=Ready nodes --all --timeout=600s; do sleep 10; done + preconditions: + - msg: Missing kubeconfig + sh: test -f {{.KUBECONFIG_FILE}} + - msg: Missing helmfile + sh: test -f {{.HELMFILE_FILE}} + + upgrade: + desc: Upgrade Talos on a node + dir: "{{.KUBERNETES_DIR}}/bootstrap/talos" + cmds: + - talosctl --nodes {{.node}} upgrade --image {{.image}} --wait=true --timeout=10m --preserve=true --reboot-mode={{.mode}} + - talosctl --nodes {{.node}} health --wait-timeout=10m --server=false + vars: + mode: '{{.mode | default "default"}}' + requires: + vars: ["node", "image"] + preconditions: + - msg: Missing talosconfig + sh: test -f {{.TALOSCONFIG_FILE}} + - msg: Unable to retrieve Talos config + sh: talosctl config info >/dev/null 2>&1 + - msg: Node not found + sh: talosctl --nodes {{.node}} get machineconfig >/dev/null 2>&1 + + upgrade-k8s: + desc: Upgrade Kubernetes across the cluster + dir: "{{.KUBERNETES_DIR}}/bootstrap/talos" + cmd: talosctl --nodes {{.controller}} upgrade-k8s --to {{.to}} + requires: + vars: ["controller", "to"] + preconditions: + - msg: Missing talosconfig + sh: test -f {{.TALOSCONFIG_FILE}} + - msg: Unable to retrieve Talos config + sh: talosctl config info >/dev/null 2>&1 + - msg: Node not found + sh: talosctl --nodes {{.controller}} get machineconfig >/dev/null 2>&1 + + nuke: + desc: Resets nodes back to maintenance mode + dir: "{{.KUBERNETES_DIR}}/bootstrap/talos" + prompt: This will destroy your cluster and reset the nodes back to maintenance mode... continue? 
+ cmd: talhelper gencommand reset --config-file {{.TALHELPER_CONFIG_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} --extra-flags="--reboot {{- if eq .CLI_FORCE false }} --system-labels-to-wipe STATE --system-labels-to-wipe EPHEMERAL{{ end }} --graceful=false --wait=false" | bash + + .reset: + internal: true + cmd: rm -rf {{.TALHELPER_CLUSTER_DIR}} {{.TALHELPER_SECRET_FILE}} {{.TALHELPER_CONFIG_FILE}} diff --git a/.taskfiles/workstation/Taskfile.yaml b/.taskfiles/workstation/Taskfile.yaml new file mode 100644 index 00000000..f7306d25 --- /dev/null +++ b/.taskfiles/workstation/Taskfile.yaml @@ -0,0 +1,42 @@ +--- +# yaml-language-server: $schema=https://taskfile.dev/schema.json +version: "3" + +vars: + ARCHFILE: "{{.ROOT_DIR}}/.taskfiles/workstation/archfile" + BREWFILE: "{{.ROOT_DIR}}/.taskfiles/workstation/brewfile" + +tasks: + + direnv: + desc: Run direnv hooks + cmd: direnv allow . + status: + - "[[ $(direnv status --json | jq '.state.foundRC.allowed') == 0 ]]" + - "[[ $(direnv status --json | jq '.state.loadedRC.allowed') == 0 ]]" + + venv: + desc: Set up virtual environment + cmds: + - "{{.PYTHON_BIN}} -m venv {{.VIRTUAL_ENV}}" + - '{{.VIRTUAL_ENV}}/bin/python3 -m pip install --upgrade pip setuptools wheel' + - '{{.VIRTUAL_ENV}}/bin/python3 -m pip install --upgrade --requirement "{{.PIP_REQUIREMENTS_FILE}}"' + sources: + - "{{.PIP_REQUIREMENTS_FILE}}" + generates: + - "{{.VIRTUAL_ENV}}/pyvenv.cfg" + preconditions: + - { msg: "Missing Pip requirements file", sh: "test -f {{.PIP_REQUIREMENTS_FILE}}" } + + brew: + desc: Install workstation dependencies with Brew + cmd: brew bundle --file {{.BREWFILE}} + preconditions: + - { msg: "Missing Homebrew", sh: "command -v brew" } + - { msg: "Missing Brewfile", sh: "test -f {{.BREWFILE}}" } + + arch: + desc: Install Arch workstation dependencies with Paru Or Yay + cmd: "yay -Syu --needed --noconfirm --noprogressbar $(cat {{.ARCHFILE}} | xargs)" + preconditions: + - { msg: "Missing Archfile", sh: "test -f {{.ARCHFILE}}" } 
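Review bot: In `bootstrap`, the `if [ ! -f ... ]` guard keys on the secret file existing, not on it being encrypted, so if `sops --encrypt --in-place` fails after `talhelper gensecret > {{.TALHELPER_SECRET_FILE}}` (wrong `.sops.yaml` rule, unreadable key) the plaintext Talos secrets bundle stays on disk and every later run skips the block and feeds it to `genconfig`; the preconditions only check that `.sops.yaml` and `age.key` exist. Add a fail-closed check after the `fi`, e.g. `grep -q 'ENC\[AES256_GCM' "{{.TALHELPER_SECRET_FILE}}" || { echo 'talsecret.sops.yaml is not encrypted' >&2; exit 1; }`, and quote the path in the redirection and the sops call. The `until ... | bash; do sleep 10; done` loops in `bootstrap` and `fetch-kubeconfig` have no upper bound, so a persistent failure hangs the task instead of surfacing the error.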
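Review bot: `arch` installs the AUR packages listed in `archfile` (the `-bin` entries) with `--noconfirm`, so their PKGBUILDs are fetched, built and installed without the review step that is the only integrity check the AUR offers, and none of the entries is version-pinned. Drop `--noconfirm` for this task, or add a comment recording that unreviewed AUR builds are accepted on this workstation. `$(cat {{.ARCHFILE}} | xargs)` can also be reduced to `$(cat {{.ARCHFILE}})`; word-splitting the file content is the intent here, and `xargs` adds nothing to it.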
diff --git a/.taskfiles/workstation/archfile b/.taskfiles/workstation/archfile new file mode 100644 index 00000000..b1ad3160 --- /dev/null +++ b/.taskfiles/workstation/archfile @@ -0,0 +1,17 @@ +age +cloudflared-bin +direnv +flux-bin +go-task +go-yq +helm +helmfile +jq +kubeconform +kubectl-bin +kustomize +moreutils +sops +stern-bin +talhelper-bin +talosctl diff --git a/.taskfiles/workstation/brewfile b/.taskfiles/workstation/brewfile new file mode 100644 index 00000000..03e6ebb0 --- /dev/null +++ b/.taskfiles/workstation/brewfile @@ -0,0 +1,18 @@ +tap "go-task/tap" +tap "siderolabs/tap" +brew "age" +brew "cloudflared" +brew "direnv" +brew "go-task/tap/go-task" +brew "helm" +brew "helmfile" +brew "jq" +brew "kubeconform" +brew "kubernetes-cli" +brew "kustomize" +brew "moreutils" +brew "sops" +brew "stern" +brew "talhelper" +brew "talosctl" +brew "yq" diff --git a/.tool-versions b/.tool-versions index 734bdeb1..999b4bd3 100644 --- a/.tool-versions +++ b/.tool-versions @@ -1,6 +1,6 @@ -kubectl 1.22.5 -helm 3.12.1 -nodejs 18.16.1 -poetry 1.1.13 -terraform 1.5.2 -flux2 2.0.1 +talosctl 1.7.6 +talhelper 3.0.5 +task 3.38.0 +helmfile 0.167.1 +helm 3.15.4 +github-cli 2.55.0 diff --git a/INSTALL.md b/INSTALL.md deleted file mode 100644 index fdf42609..00000000 --- a/INSTALL.md +++ /dev/null @@ -1,24 +0,0 @@ -# Arch Installation Pre-reqs - -The following packages need to be installed before these script will work. - -## Arch Linux - -```bash -yay -S \ - aur/flux-bin \ - community/age \ - community/direnv \ - community/ipcalc -``` - -## MacOS - -```bash -brew install \ - age \ - direnv \ - fluxcd/tap/flux \ - go-task/tap/go-task \ - ipcalc -``` diff --git a/README.md b/README.md index e2d9bdee..1399d804 100644 --- a/README.md +++ b/README.md 
@@ -1,9 +1,5 @@ # Le Paulynomial Homelab -This project has been forked from -[template-cluster-k3s](https://github.com/k8s-at-home/template-cluster-k3s). -Thank y'all for for the inspiration. - ## Publishing arm64 images This cluster runs on the arm64 instruction set. Some of the deployments in it diff --git a/Taskfile.yml b/Taskfile.yml index 11813014..5831218d 100644 --- a/Taskfile.yml +++ b/Taskfile.yml 
@@ -1,21 +1,91 @@ --- +# yaml-language-server: $schema=https://taskfile.dev/schema.json version: "3" vars: - PROJECT_DIR: - sh: "git rev-parse --show-toplevel" - CLUSTER_DIR: "{{.PROJECT_DIR}}/cluster" - ANSIBLE_DIR: "{{.PROJECT_DIR}}/provision/ansible" - TERRAFORM_DIR: "{{.PROJECT_DIR}}/provision/terraform" + # Directories + BOOTSTRAP_DIR: "{{.ROOT_DIR}}/bootstrap" + KUBERNETES_DIR: "{{.ROOT_DIR}}/kubernetes" + PRIVATE_DIR: "{{.ROOT_DIR}}/.private" + SCRIPTS_DIR: "{{.ROOT_DIR}}/scripts" + # Files + AGE_FILE: "{{.ROOT_DIR}}/age.key" + BOOTSTRAP_CONFIG_FILE: "{{.ROOT_DIR}}/config.yaml" + KUBECONFIG_FILE: "{{.ROOT_DIR}}/kubeconfig" + MAKEJINJA_CONFIG_FILE: "{{.ROOT_DIR}}/makejinja.toml" + PIP_REQUIREMENTS_FILE: "{{.ROOT_DIR}}/requirements.txt" + SOPS_CONFIG_FILE: "{{.ROOT_DIR}}/.sops.yaml" + # Binaries + PYTHON_BIN: python3 env: - KUBECONFIG: "{{.PROJECT_DIR}}/provision/kubeconfig" + KUBECONFIG: "{{.KUBECONFIG_FILE}}" + PYTHONDONTWRITEBYTECODE: "1" + SOPS_AGE_KEY_FILE: "{{.AGE_FILE}}" + VIRTUAL_ENV: "{{.ROOT_DIR}}/.venv" includes: - ansible: .taskfiles/ansible.yml - flux: .taskfiles/flux.yml - format: .taskfiles/format.yml - lint: .taskfiles/lint.yml - pre-commit: .taskfiles/pre-commit.yml - terraform: .taskfiles/terraform.yml - rook: .taskfiles/rook.yml + kubernetes: .taskfiles/kubernetes + repository: .taskfiles/repository + talos: .taskfiles/talos + sops: .taskfiles/sops + workstation: .taskfiles/workstation + user: + taskfile: .taskfiles/user + optional: true + +tasks: + + default: task --list + + init: + desc: Initialize configuration files + cmds: + - cp -n {{.BOOTSTRAP_CONFIG_FILE | replace ".yaml" ".sample.yaml"}} {{.BOOTSTRAP_CONFIG_FILE}} + - cmd: echo === Configuration file copied === + - cmd: echo Proceed with updating the configuration files... 
+ - cmd: echo {{.BOOTSTRAP_CONFIG_FILE}} + status: + - test -f {{.BOOTSTRAP_CONFIG_FILE}} + silent: true + + configure: + desc: Configure repository from bootstrap vars + prompt: Any conflicting config in the kubernetes directory will be overwritten... continue? + deps: ["workstation:direnv", "workstation:venv", "sops:age-keygen", "init"] + cmds: + - task: .template + - task: sops:encrypt + - task: .validate + + .template: + internal: true + cmd: "{{.VIRTUAL_ENV}}/bin/makejinja" + preconditions: + - msg: Missing virtual environment + sh: test -d {{.VIRTUAL_ENV}} + - msg: Missing Makejinja config file + sh: test -f {{.MAKEJINJA_CONFIG_FILE}} + - msg: Missing Makejinja plugin file + sh: test -f {{.BOOTSTRAP_DIR}}/scripts/plugin.py + - msg: Missing bootstrap config file + sh: test -f {{.BOOTSTRAP_CONFIG_FILE}} + + .validate: + internal: true + cmds: + - task: kubernetes:kubeconform + - cmd: echo === Done rendering and validating YAML === + - cmd: | + if [[ $KUBECONFIG != "{{.KUBECONFIG_FILE}}" ]]; then + echo WARNING: KUBECONFIG is not set to the expected value, this may cause conflicts. + fi + - cmd: | + if [[ $SOPS_AGE_KEY_FILE != "{{.AGE_FILE}}" ]]; then + echo WARNING: SOPS_AGE_KEY_FILE is not set to the expected value, this may cause conflicts. + fi + - cmd: | + if test -f ~/.config/sops/age/keys.txt; then + echo WARNING: SOPS Age key found in home directory, this may cause conflicts. + fi + silent: true diff --git a/ansible.cfg b/ansible.cfg deleted file mode 100644 index 36575e6c..00000000 --- a/ansible.cfg +++ /dev/null 
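Review bot: `configure` lists `sops:age-keygen` in `deps`, so on a fresh clone where `age.key` is absent a brand-new key is generated silently (alongside `init` and the venv step, since `deps` run concurrently), yet `.sops.yaml` pins the fixed recipient `age16vnesw9pd7l556h9lmgv4lyya03xsu2akc5hukhgua8mffukmsms46665n`; the resulting key cannot decrypt anything in the repository, and `.validate` only warns about a key in `~/.config/sops/age/keys.txt`. Add a check to `.validate` such as `grep -q "$(age-keygen -y {{.AGE_FILE}})" {{.SOPS_CONFIG_FILE}} || echo WARNING: age.key does not match the recipient in .sops.yaml`, or make key generation an explicitly invoked task rather than a dependency of `configure`.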
@@ -1,57 +0,0 @@ -[defaults] - -#--- General settings -nocows = True -forks = 8 -module_name = command -deprecation_warnings = True -executable = /bin/bash -stdout_callback = yaml - -#--- Files/Directory settings -log_path = ~/ansible.log -inventory = ./provision/ansible/inventory -library = /usr/share/my_modules -remote_tmp = /tmp/.ansible/tmp -local_tmp = /tmp/.ansible/tmp -roles_path = ./provision/ansible/roles -retry_files_enabled = False - -#--- Fact Caching settings -fact_caching = jsonfile -fact_caching_connection = ~/.ansible/facts_cache -fact_caching_timeout = 7200 - -#--- SSH settings -remote_port = 22 -timeout = 60 -host_key_checking = False -ssh_executable = /usr/bin/ssh -private_key_file = ~/.ssh/homelab_id_rsa - -force_valid_group_names = ignore - -#--- Speed -callback_enabled = true -internal_poll_interval = 0.001 - -#--- Plugin settings -vars_plugins_enabled = host_group_vars,community.sops.sops - -[inventory] -unparsed_is_failed = true - -[privilege_escalation] -become = True -become_method = sudo -become_user = root -become_ask_pass = False - -[ssh_connection] -scp_if_ssh = smart -transfer_method = smart -retries = 3 -timeout = 10 -ssh_args = -o ControlMaster=auto -o ControlPersist=30m -o Compression=yes -o ServerAliveInterval=15s -pipelining = True -control_path = %(directory)s/%%h-%%r diff --git a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml new file mode 100644 index 00000000..3238cc82 --- /dev/null +++ b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml 
@@ -0,0 +1,30 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: cert-manager +spec: + interval: 30m + chart: + spec: + chart: cert-manager + version: v1.15.3 + sourceRef: + kind: HelmRepository + name: jetstack + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + installCRDs: true + dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query + dns01RecursiveNameserversOnly: true + prometheus: + enabled: true + servicemonitor: + enabled: true diff --git a/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml b/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml new file mode 100644 index 00000000..5dd7baca --- /dev/null +++ b/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/issuers.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/issuers.yaml new file mode 100644 index 00000000..1cf7148a --- /dev/null +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/issuers.yaml 
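Review bot: `installCRDs: true` is the legacy switch; with chart `v1.15.3` the chart also offers `crds.enabled` and `crds.keep` (introduced in the 1.15 series, if I recall correctly), and `keep: true` is the one that matters operationally: without it, uninstalling or accidentally pruning this HelmRelease removes the CRDs and with them every `Certificate` and `ClusterIssuer` object in the cluster (the issued TLS Secrets survive but are no longer renewed). Replace the line with `crds:` / `  enabled: true` / `  keep: true`, and keep `installCRDs` only if the chart is expected to be rolled back below 1.15.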
@@ -0,0 +1,39 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: "${SECRET_ACME_EMAIL}" + privateKeySecretRef: + name: letsencrypt-production + solvers: + - dns01: + cloudflare: + apiTokenSecretRef: + name: cert-manager-secret + key: api-token + selector: + dnsZones: + - "${SECRET_DOMAIN}" +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: "${SECRET_ACME_EMAIL}" + privateKeySecretRef: + name: letsencrypt-staging + solvers: + - dns01: + cloudflare: + apiTokenSecretRef: + name: cert-manager-secret + key: api-token + selector: + dnsZones: + - "${SECRET_DOMAIN}" diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml new file mode 100644 index 00000000..17754be6 --- /dev/null +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.sops.yaml + - ./issuers.yaml diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml new file mode 100644 index 00000000..8fa6b813 --- /dev/null +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml 
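Review bot: `issuers.yaml` uses `${SECRET_ACME_EMAIL}` and `${SECRET_DOMAIN}`, but the `cert-manager-issuers` Kustomization in `kubernetes/apps/cert-manager/cert-manager/ks.yaml` (later in this commit) has no `postBuild.substituteFrom`, so unless a parent Kustomization patches one in, the literal `${SECRET_DOMAIN}` becomes the `dnsZones` selector and the literal `${SECRET_ACME_EMAIL}` is sent to Let's Encrypt as the account email. Either add `postBuild: { substituteFrom: [{ kind: Secret, name: <secret holding SECRET_DOMAIN> }] }` to that Kustomization or note in a comment where the substitution is injected. The file also lacks the leading `---` that every other new manifest in this commit starts with.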
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cert-manager-secret +stringData: + api-token: "" +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16vnesw9pd7l556h9lmgv4lyya03xsu2akc5hukhgua8mffukmsms46665n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqek5iUys5SE1jZjYrZ2g1 + TzNrbjBjT21paEJyYURGM1I1azZYYTk1cW5JCmJ6NGswL1J3aTYvdEhmZm5JWUtK + MHFJcmhNalRORC80dTVNUHczWmhsckkKLS0tIFFVUUd3aUVRU3N5UU9iVU82aUd5 + WVFKbTRZQnJLMWhWdG5TNnhuRVJ0bmsKs8Zy1GYHJVohTlTyuHh8Yv21oPFJeQ8+ + O2bX5BPg9zBjiQQRUsROy7xUDDjVgkyxDhHhgjgldUS6xJ1knWdV+w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-22T07:06:26Z" + mac: ENC[AES256_GCM,data:GhvDpA88kBy6QJDwJugngGC2vqNKMhicdBTsViJbjXWJY6/M2EiIeQLJriLruM8n48ZCcEi1Xy0qONL82ZvQqHVx5YUjh3WRnh16t7yEuBTXAs85lNs/2X8SNQaVIj1tdzwqU32b/h3fXGcIQDSxon+CZzwVhgb+1bChISr72CA=,iv:q47dB4XiNwX5hQ/O5c1ilJ/Rhhe4egEar8nzrZPSBh0=,tag:JiQAfuUK35u5zpvMW6J84w==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.0 diff --git a/kubernetes/apps/cert-manager/cert-manager/ks.yaml b/kubernetes/apps/cert-manager/cert-manager/ks.yaml new file mode 100644 index 00000000..ea0d2af9 --- /dev/null +++ b/kubernetes/apps/cert-manager/cert-manager/ks.yaml 
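Review bot: `api-token: ""` is committed as an empty string (as I understand sops' behaviour, empty values are left unencrypted, which is why it is not an `ENC[...]` blob even under `encrypted_regex: ^(data|stringData)$`), so both ClusterIssuers that reference `cert-manager-secret` will fail their Cloudflare DNS01 challenges until a real token is encrypted in. If this is a deliberate placeholder to be filled by `task configure`, a comment above `stringData` saying so would save the next reader a debugging round; if not, the token must be added through `sops` rather than by editing the file, since the `mac` covers this value.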
@@ -0,0 +1,42 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app cert-manager
+ namespace: flux-system
+spec:
+ targetNamespace: cert-manager
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/cert-manager/cert-manager/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app cert-manager-issuers
+ namespace: flux-system
+spec:
+ targetNamespace: cert-manager
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: cert-manager
+ path: ./kubernetes/apps/cert-manager/cert-manager/issuers
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/cert-manager/kustomization.yaml b/kubernetes/apps/cert-manager/kustomization.yaml
new file mode 100644
index 00000000..a0a3e5ed
--- /dev/null
+++ b/kubernetes/apps/cert-manager/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./cert-manager/ks.yaml
diff --git a/kubernetes/apps/cert-manager/namespace.yaml b/kubernetes/apps/cert-manager/namespace.yaml
new file mode 100644
index 00000000..ed788350
--- /dev/null
+++ b/kubernetes/apps/cert-manager/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/apps/flux-system/kustomization.yaml b/kubernetes/apps/flux-system/kustomization.yaml
new file mode 100644
index 00000000..10587f8c
--- /dev/null
+++ b/kubernetes/apps/flux-system/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./webhooks/ks.yaml
diff --git a/kubernetes/apps/flux-system/namespace.yaml b/kubernetes/apps/flux-system/namespace.yaml
new file mode 100644
index 00000000..b48db452
--- /dev/null
+++ b/kubernetes/apps/flux-system/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: flux-system
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/apps/flux-system/webhooks/app/github/ingress.yaml b/kubernetes/apps/flux-system/webhooks/app/github/ingress.yaml
new file mode 100644
index 00000000..e20604f0
--- /dev/null
+++ b/kubernetes/apps/flux-system/webhooks/app/github/ingress.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: flux-webhook
+ annotations:
+ external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}"
+spec:
+ ingressClassName: external
+ rules:
+ - host: "flux-webhook.${SECRET_DOMAIN}"
+ http:
+ paths:
+ - path: /hook/
+ pathType: Prefix
+ backend:
+ service:
+ name: webhook-receiver
+ port:
+ number: 80
diff --git a/kubernetes/apps/flux-system/webhooks/app/github/kustomization.yaml b/kubernetes/apps/flux-system/webhooks/app/github/kustomization.yaml
new file mode 100644
index 00000000..786e654a
--- /dev/null
+++ b/kubernetes/apps/flux-system/webhooks/app/github/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./secret.sops.yaml
+ - ./ingress.yaml
+ - ./receiver.yaml
diff --git a/kubernetes/apps/flux-system/webhooks/app/github/receiver.yaml b/kubernetes/apps/flux-system/webhooks/app/github/receiver.yaml
new file mode 100644
index 00000000..cca5931b
--- /dev/null
+++ b/kubernetes/apps/flux-system/webhooks/app/github/receiver.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ name: github-receiver
+spec:
+ type: github
+ events:
+ - ping
+ - push
+ secretRef:
+ name: github-webhook-token-secret
+ resources:
+ - apiVersion: source.toolkit.fluxcd.io/v1
+ kind: GitRepository
+ name: home-kubernetes
+ namespace: flux-system
+ - apiVersion: kustomize.toolkit.fluxcd.io/v1
+ kind: Kustomization
+ name: cluster
+ namespace: flux-system
+ - apiVersion: kustomize.toolkit.fluxcd.io/v1
+ kind: Kustomization
+ name: cluster-apps
+ namespace: flux-system
diff --git a/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml b/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml
new file mode 100644
index 00000000..94f69057
--- /dev/null
+++ b/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: github-webhook-token-secret
+stringData:
+ token: ENC[AES256_GCM,data:XGZr/uBh4hHKfMrOTGNDEg+rWxnnFUmTDBLOK9WdlHI=,iv:OHzUbk8D65nbZ2LdZeEZEWeDS6PJY8fMq1HmkxgLzYU=,tag:yg7lIcq8a6eXzunAigSHGg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age16vnesw9pd7l556h9lmgv4lyya03xsu2akc5hukhgua8mffukmsms46665n
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpcHE2VE9ydTRGTGNudmZO
+ dStKS3drRlhzZTlxRmNyL2JvMHllTzZyU2x3CjRGRmRkN2tyWVJhYmlCNnFYb2d1
+ RnpCUEVZNWJaMkFlYitzL3lBZGJXQXMKLS0tIFhHdTZ1SHlLVkR6NWdsSVBydFIw
+ dU1VY1BNSTExVnlzOVo4aDhtanpFb2sKaMf+DorGCEHtcRTh07Qqegp8BaranxHw
+ pK7ZCSYmpfLaCvb9c93sDsn67BnkIp771zNa8wvjwmZY/fjcXkPxDw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-08-22T07:06:26Z"
+ mac: ENC[AES256_GCM,data:DGkzdmk55aBvREJ35RvKj6rRuLIav0hDrTh2kdDgJzadlDrUneVT5HFoWR34rRFcE5Ghb2Ktp1gMmNnWKjToe7suVfxrc+a5qBc3jszD75n27Wphj99T+NvqjSqSY/+QDBI5NIFyeCt/hT2leiQMDdW4VWCZxgXmEtgJgz6dvwI=,iv:b9k3CjNga2Z5K2HcrxqAd1klU/vSMzyWvI3SyPekNqw=,tag:pp4oMc6+nh7sq5MZSmGVKg==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.0
diff --git a/kubernetes/apps/flux-system/webhooks/app/kustomization.yaml b/kubernetes/apps/flux-system/webhooks/app/kustomization.yaml
new file mode 100644
index 00000000..ccd8b3eb
--- /dev/null
+++ b/kubernetes/apps/flux-system/webhooks/app/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./github
diff --git a/kubernetes/apps/flux-system/webhooks/ks.yaml b/kubernetes/apps/flux-system/webhooks/ks.yaml
new file mode 100644
index 00000000..e80c50b2
--- /dev/null
+++ b/kubernetes/apps/flux-system/webhooks/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app flux-webhooks
+ namespace: flux-system
+spec:
+ targetNamespace: flux-system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/flux-system/webhooks/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/kube-system/cilium/app/helm-values.yaml b/kubernetes/apps/kube-system/cilium/app/helm-values.yaml
new file mode 100644
index 00000000..cc6d50d2
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/app/helm-values.yaml
@@ -0,0 +1,57 @@
+---
+autoDirectNodeRoutes: true
+bpf:
+ masquerade: false # Required for Talos `.machine.features.hostDNS.forwardKubeDNSToHost`
+cgroup:
+ automount:
+ enabled: false
+ hostRoot: /sys/fs/cgroup
+cluster:
+ id: 1
+ name: "paulynomial"
+cni:
+ exclusive: false
+# NOTE: devices might need to be set if you have more than one active NIC on your hosts
+# devices: eno+ eth+
+endpointRoutes:
+ enabled: true
+envoy:
+ enabled: false
+hubble:
+ enabled: false
+ipam:
+ mode: kubernetes
+ipv4NativeRoutingCIDR: "10.69.0.0/16"
+k8sServiceHost: 127.0.0.1
+k8sServicePort: 7445
+kubeProxyReplacement: true
+kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
+l2announcements:
+ enabled: true
+loadBalancer:
+ algorithm: maglev
+ mode: snat
+localRedirectPolicy: true
+operator:
+ replicas: 1
+ rollOutPods: true
+rollOutCiliumPods: true
+routingMode: native
+securityContext:
+ capabilities:
+ ciliumAgent:
+ - CHOWN
+ - KILL
+ - NET_ADMIN
+ - NET_RAW
+ - IPC_LOCK
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ - DAC_OVERRIDE
+ - FOWNER
+ - SETGID
+ - SETUID
+ cleanCiliumState:
+ - NET_ADMIN
+ - SYS_ADMIN
+ - SYS_RESOURCE
diff --git a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml
new file mode 100644
index 00000000..eb5f30e8
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml
@@ -0,0 +1,74 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cilium
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: cilium
+ version: 1.16.1
+ sourceRef:
+ kind: HelmRepository
+ name: cilium
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ valuesFrom:
+ - kind: ConfigMap
+ name: cilium-helm-values
+ values:
+ hubble:
+ enabled: true
+ metrics:
+ enabled:
+ - dns:query
+ - drop
+ - tcp
+ - flow
+ - port-distribution
+ - icmp
+ - http
+ serviceMonitor:
+ enabled: true
+ dashboards:
+ enabled: true
+ annotations:
+ grafana_folder: Cilium
+ relay:
+ enabled: true
+ rollOutPods: true
+ prometheus:
+ serviceMonitor:
+ enabled: true
+ ui:
+ enabled: true
+ rollOutPods: true
+ ingress:
+ enabled: true
+ className: internal
+ hosts: ["hubble.${SECRET_DOMAIN}"]
+ operator:
+ prometheus:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ dashboards:
+ enabled: true
+ annotations:
+ grafana_folder: Cilium
+ prometheus:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ trustCRDsExist: true
+ dashboards:
+ enabled: true
+ annotations:
+ grafana_folder: Cilium
diff --git a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml
new file mode 100644
index 00000000..b4f3860b
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
+configMapGenerator:
+ - name: cilium-helm-values
+ files:
+ - values.yaml=./helm-values.yaml
+configurations:
+ - kustomizeconfig.yaml
diff --git a/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml b/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
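Review bot: The inline `values.hubble.enabled: true` here contradicts `hubble.enabled: false` in the ConfigMap-backed helm-values.yaml of the previous hunk; Flux layers `.spec.values` on top of `.spec.valuesFrom`, so Hubble ends up enabled and the ConfigMap line is dead and misleading — drop it or set both to the same value. Separately, the Hubble UI is published via `ingress.className: internal` at `hubble.${SECRET_DOMAIN}` with nothing in this hunk placing authentication in front of it, so anyone who can reach the internal ingress class can browse live flow data for every namespace. If that is an accepted trade-off on a trusted LAN, a one-line comment next to `ui.ingress` saying so (`# unauthenticated by design: reachable only via the internal ingress class`) records the decision; otherwise an auth-proxy annotation belongs here.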
+++ b/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+ - kind: ConfigMap
+ version: v1
+ fieldSpecs:
+ - path: spec/valuesFrom/name
+ kind: HelmRelease
diff --git a/kubernetes/apps/kube-system/cilium/config/cilium-l2.yaml b/kubernetes/apps/kube-system/cilium/config/cilium-l2.yaml
new file mode 100644
index 00000000..156d32ee
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/config/cilium-l2.yaml
@@ -0,0 +1,24 @@
+---
+# https://docs.cilium.io/en/latest/network/l2-announcements
+apiVersion: cilium.io/v2alpha1
+kind: CiliumL2AnnouncementPolicy
+metadata:
+ name: l2-policy
+spec:
+ loadBalancerIPs: true
+ # NOTE: interfaces might need to be set if you have more than one active NIC on your hosts
+ # interfaces:
+ # - ^eno[0-9]+
+ # - ^eth[0-9]+
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/os: linux
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumLoadBalancerIPPool
+metadata:
+ name: l2-pool
+spec:
+ allowFirstLastIPs: "Yes"
+ blocks:
+ - cidr: "192.168.1.0/24"
diff --git a/kubernetes/apps/kube-system/cilium/config/kustomization.yaml b/kubernetes/apps/kube-system/cilium/config/kustomization.yaml
new file mode 100644
index 00000000..f6899653
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/config/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./cilium-l2.yaml
diff --git a/kubernetes/apps/kube-system/cilium/ks.yaml b/kubernetes/apps/kube-system/cilium/ks.yaml
new file mode 100644
index 00000000..2522f1df
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/ks.yaml
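Review bot: The `CiliumLoadBalancerIPPool` hands out the whole `192.168.1.0/24`, and `allowFirstLastIPs: "Yes"` adds the network and broadcast addresses on top; if that block is also the LAN the nodes and the router live on, Cilium will L2-announce (answer ARP for) addresses that other hosts already own, which surfaces as intermittent, hard-to-attribute connectivity loss rather than a clean error. Prefer a `blocks` entry with `start`/`stop` covering only a range carved out of the router's DHCP scope, and keep `allowFirstLastIPs: "Yes"` only if .0 and .255 are genuinely meant to be assignable. The `CiliumL2AnnouncementPolicy` selects every Linux node and no interface, so every node may reply for these IPs on every NIC; the commented `interfaces` hint covers the multi-NIC case but a comment on the chosen pool range would help the next reader too.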
@@ -0,0 +1,42 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app cilium
+ namespace: flux-system
+spec:
+ targetNamespace: kube-system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/kube-system/cilium/app
+ prune: false # never should be deleted
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app cilium-config
+ namespace: flux-system
+spec:
+ targetNamespace: kube-system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: cilium
+ path: ./kubernetes/apps/kube-system/cilium/config
+ prune: false # never should be deleted
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/kube-system/coredns/app/helm-values.yaml b/kubernetes/apps/kube-system/coredns/app/helm-values.yaml
new file mode 100644
index 00000000..22da0298
--- /dev/null
+++ b/kubernetes/apps/kube-system/coredns/app/helm-values.yaml
@@ -0,0 +1,50 @@
+---
+fullnameOverride: coredns
+k8sAppLabelOverride: kube-dns
+serviceAccount:
+ create: true
+service:
+ name: kube-dns
+ clusterIP: "10.96.0.10"
+servers:
+ - zones:
+ - zone: .
+ scheme: dns://
+ use_tcp: true
+ port: 53
+ plugins:
+ - name: errors
+ - name: health
+ configBlock: |-
+ lameduck 5s
+ - name: ready
+ - name: log
+ configBlock: |-
+ class error
+ - name: prometheus
+ parameters: 0.0.0.0:9153
+ - name: kubernetes
+ parameters: cluster.local in-addr.arpa ip6.arpa
+ configBlock: |-
+ pods insecure
+ fallthrough in-addr.arpa ip6.arpa
+ - name: forward
+ parameters: . /etc/resolv.conf
+ - name: cache
+ parameters: 30
+ - name: loop
+ - name: reload
+ - name: loadbalance
+affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
diff --git a/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml b/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml
new file mode 100644
index 00000000..9e6a8aeb
--- /dev/null
+++ b/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: coredns
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: coredns
+ version: 1.32.0
+ sourceRef:
+ kind: HelmRepository
+ name: coredns
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ valuesFrom:
+ - kind: ConfigMap
+ name: coredns-helm-values
diff --git a/kubernetes/apps/kube-system/coredns/app/kustomization.yaml b/kubernetes/apps/kube-system/coredns/app/kustomization.yaml
new file mode 100644
index 00000000..691355b5
--- /dev/null
+++ b/kubernetes/apps/kube-system/coredns/app/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
+configMapGenerator:
+ - name: coredns-helm-values
+ files:
+ - values.yaml=./helm-values.yaml
+configurations:
+ - kustomizeconfig.yaml
diff --git a/kubernetes/apps/kube-system/coredns/app/kustomizeconfig.yaml b/kubernetes/apps/kube-system/coredns/app/kustomizeconfig.yaml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/kubernetes/apps/kube-system/coredns/app/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+ - kind: ConfigMap
+ version: v1
+ fieldSpecs:
+ - path: spec/valuesFrom/name
+ kind: HelmRelease
diff --git a/kubernetes/apps/kube-system/coredns/ks.yaml b/kubernetes/apps/kube-system/coredns/ks.yaml
new file mode 100644
index 00000000..bf2a537e
--- /dev/null
+++ b/kubernetes/apps/kube-system/coredns/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app coredns
+ namespace: flux-system
+spec:
+ targetNamespace: kube-system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/kube-system/coredns/app
+ prune: false # never should be deleted
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml
new file mode 100644
index 00000000..b74ddb20
--- /dev/null
+++ b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml
@@ -0,0 +1,3 @@
+---
+providerRegex: ^(k8s-leader-01|k8s-leader-02|k8s-leader-03|k8s-worker-01|k8s-worker-02)$
+bypassDnsResolution: true
diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml
new file mode 100644
index 00000000..4710855b
--- /dev/null
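Review bot: `bypassDnsResolution: true` in the kubelet-csr-approver helm-values turns off the approver's check that the SANs in a kubelet serving CSR resolve back to the requesting node, which leaves `providerRegex` as the only gate between a CSR and an auto-approved serving certificate; that is a reasonable choice for a fixed Talos node set whose names presumably have no DNS records, but it deserves a comment, since the file gives no reason. The regex also needs extending every time a node is added, or the new kubelet sits with a pending CSR and — because metrics-server in this commit is configured without `--kubelet-insecure-tls` — its metrics scrapes will likely fail on TLS. A header such as `# Node names are not resolvable, so DNS verification is bypassed; providerRegex is then the sole gate on which nodes receive serving certs — keep it in sync with the node list.` captures both points.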
+++ b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: kubelet-csr-approver
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: kubelet-csr-approver
+ version: 1.2.2
+ sourceRef:
+ kind: HelmRepository
+ name: postfinance
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ valuesFrom:
+ - kind: ConfigMap
+ name: kubelet-csr-approver-helm-values
+ values:
+ metrics:
+ enable: true
+ serviceMonitor:
+ enabled: true
diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml
new file mode 100644
index 00000000..30dddafc
--- /dev/null
+++ b/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
+configMapGenerator:
+ - name: kubelet-csr-approver-helm-values
+ files:
+ - values.yaml=./helm-values.yaml
+configurations:
+ - kustomizeconfig.yaml
diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+ - kind: ConfigMap
+ version: v1
+ fieldSpecs:
+ - path: spec/valuesFrom/name
+ kind: HelmRelease
diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml
new file mode 100644
index 00000000..adfb4940
--- /dev/null
+++ b/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app kubelet-csr-approver
+ namespace: flux-system
+spec:
+ targetNamespace: kube-system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/kube-system/kubelet-csr-approver/app
+ prune: false # never should be deleted
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/kube-system/kustomization.yaml b/kubernetes/apps/kube-system/kustomization.yaml
new file mode 100644
index 00000000..7a71f70f
--- /dev/null
+++ b/kubernetes/apps/kube-system/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./cilium/ks.yaml
+ - ./coredns/ks.yaml
+ - ./metrics-server/ks.yaml
+ - ./reloader/ks.yaml
+ - ./kubelet-csr-approver/ks.yaml
+ - ./spegel/ks.yaml
diff --git a/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml b/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml
new file mode 100644
index 00000000..60298df6
--- /dev/null
+++ b/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: metrics-server
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: metrics-server
+ version: 3.12.1
+ sourceRef:
+ kind: HelmRepository
+ name: metrics-server
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ values:
+ args:
+ - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+ - --kubelet-use-node-status-port
+ - --metric-resolution=15s
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
diff --git a/kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml b/kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml
new file mode 100644
index 00000000..5dd7baca
--- /dev/null
+++ b/kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/kube-system/metrics-server/ks.yaml b/kubernetes/apps/kube-system/metrics-server/ks.yaml
new file mode 100644
index 00000000..244f53c1
--- /dev/null
+++ b/kubernetes/apps/kube-system/metrics-server/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app metrics-server
+ namespace: flux-system
+spec:
+ targetNamespace: kube-system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/kube-system/metrics-server/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/kube-system/namespace.yaml b/kubernetes/apps/kube-system/namespace.yaml
new file mode 100644
index 00000000..5eeb2c91
--- /dev/null
+++ b/kubernetes/apps/kube-system/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kube-system
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml b/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml
new file mode 100644
index 00000000..133b60d0
--- /dev/null
+++ b/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: reloader
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: reloader
+ version: 1.0.121
+ sourceRef:
+ kind: HelmRepository
+ name: stakater
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ values:
+ fullnameOverride: reloader
+ reloader:
+ readOnlyRootFileSystem: true
+ podMonitor:
+ enabled: true
+ namespace: "{{ .Release.Namespace }}"
diff --git a/kubernetes/apps/kube-system/reloader/app/kustomization.yaml b/kubernetes/apps/kube-system/reloader/app/kustomization.yaml
new file mode 100644
index 00000000..5dd7baca
--- /dev/null
+++ b/kubernetes/apps/kube-system/reloader/app/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/kube-system/reloader/ks.yaml b/kubernetes/apps/kube-system/reloader/ks.yaml
new file mode 100644
index 00000000..9aa42993
--- /dev/null
+++ b/kubernetes/apps/kube-system/reloader/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app reloader
+ namespace: flux-system
+spec:
+ targetNamespace: kube-system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/kube-system/reloader/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/kube-system/spegel/app/helm-values.yaml b/kubernetes/apps/kube-system/spegel/app/helm-values.yaml
new file mode 100644
index 00000000..a4185ae3
--- /dev/null
+++ b/kubernetes/apps/kube-system/spegel/app/helm-values.yaml
@@ -0,0 +1,7 @@
+---
+spegel:
+ containerdSock: /run/containerd/containerd.sock
+ containerdRegistryConfigPath: /etc/cri/conf.d/hosts
+service:
+ registry:
+ hostPort: 29999
diff --git a/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml b/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml
new file mode 100644
index 00000000..05d3eeed
--- /dev/null
+++ b/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: spegel
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: spegel
+ version: v0.0.23
+ sourceRef:
+ kind: HelmRepository
+ name: spegel
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ valuesFrom:
+ - kind: ConfigMap
+ name: spegel-helm-values
+ values:
+ grafanaDashboard:
+ enabled: true
+ serviceMonitor:
+ enabled: true
diff --git a/kubernetes/apps/kube-system/spegel/app/kustomization.yaml b/kubernetes/apps/kube-system/spegel/app/kustomization.yaml
new file mode 100644
index 00000000..1e1aa1d1
--- /dev/null
+++ b/kubernetes/apps/kube-system/spegel/app/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
+configMapGenerator:
+ - name: spegel-helm-values
+ files:
+ - values.yaml=./helm-values.yaml
+configurations:
+ - kustomizeconfig.yaml
diff --git a/kubernetes/apps/kube-system/spegel/app/kustomizeconfig.yaml b/kubernetes/apps/kube-system/spegel/app/kustomizeconfig.yaml
new file mode 100644
index 00000000..58f92ba1
--- /dev/null
+++ b/kubernetes/apps/kube-system/spegel/app/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+ - kind: ConfigMap
+ version: v1
+ fieldSpecs:
+ - path: spec/valuesFrom/name
+ kind: HelmRelease
diff --git a/kubernetes/apps/kube-system/spegel/ks.yaml b/kubernetes/apps/kube-system/spegel/ks.yaml
new file mode 100644
index 00000000..83c730b0
--- /dev/null
+++ b/kubernetes/apps/kube-system/spegel/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app spegel
+ namespace: flux-system
+spec:
+ targetNamespace: kube-system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/kube-system/spegel/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/network/cloudflared/app/configs/config.yaml b/kubernetes/apps/network/cloudflared/app/configs/config.yaml
new file mode 100644
index 00000000..05bcef5c
--- /dev/null
+++ b/kubernetes/apps/network/cloudflared/app/configs/config.yaml
@@ -0,0 +1,10 @@
+---
+originRequest:
+ originServerName: "external.${SECRET_DOMAIN}"
+
+ingress:
+ - hostname: "${SECRET_DOMAIN}"
+ service: https://ingress-nginx-external-controller.network.svc.cluster.local:443
+ - hostname: "*.${SECRET_DOMAIN}"
+ service: https://ingress-nginx-external-controller.network.svc.cluster.local:443
+ - service: http_status:404
diff --git a/kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml b/kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml
new file mode 100644
index 00000000..43d7d7b2
--- /dev/null
+++ b/kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+ name: cloudflared
+spec:
+ endpoints:
+ - dnsName: "external.${SECRET_DOMAIN}"
+ recordType: CNAME
+ targets: ["${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"]
diff --git a/kubernetes/apps/network/cloudflared/app/helmrelease.yaml b/kubernetes/apps/network/cloudflared/app/helmrelease.yaml
new file mode 100644
index 00000000..3a0b299c
--- /dev/null
+++ b/kubernetes/apps/network/cloudflared/app/helmrelease.yaml
@@ -0,0 +1,109 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cloudflared
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.3.2
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ values:
+ controllers:
+ cloudflared:
+ strategy: RollingUpdate
+ annotations:
+ reloader.stakater.com/auto: "true"
+ containers:
+ app:
+ image:
+ repository: docker.io/cloudflare/cloudflared
+ tag: 2024.8.2
+ env:
+ NO_AUTOUPDATE: true
+ TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json
+ TUNNEL_METRICS: 0.0.0.0:8080
+ TUNNEL_ORIGIN_ENABLE_HTTP2: true
+ TUNNEL_TRANSPORT_PROTOCOL: quic
+ TUNNEL_POST_QUANTUM: true
+ TUNNEL_ID:
+ valueFrom:
+ secretKeyRef:
+ name: cloudflared-secret
+ key: TUNNEL_ID
+ args:
+ - tunnel
+ - --config
+ - /etc/cloudflared/config/config.yaml
+ - run
+ - "$(TUNNEL_ID)"
+ probes:
+ liveness: &probes
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /ready
+ port: &port 8080
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ readiness: *probes
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities: { drop: ["ALL"] }
+ resources:
+ requests:
+ cpu: 10m
+ limits:
+ memory: 256Mi
+ defaultPodOptions:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ seccompProfile: { type: RuntimeDefault }
+ service:
+ app:
+ controller: cloudflared
+ ports:
+ http:
+ port: *port
+ serviceMonitor:
+ app:
+ serviceName: cloudflared
+ endpoints:
+ - port: http
+ scheme: http
+ path: /metrics
+ interval: 1m
+ scrapeTimeout: 10s
+ persistence:
+ config:
+ type: configMap
+ name: cloudflared-configmap
+ globalMounts:
+ - path: /etc/cloudflared/config/config.yaml
+ subPath: config.yaml
+ readOnly: true
+ creds:
+ type: secret
+ name: cloudflared-secret
+ globalMounts:
+ - path: /etc/cloudflared/creds/credentials.json
+ subPath: credentials.json
+ readOnly: true
diff --git a/kubernetes/apps/network/cloudflared/app/kustomization.yaml b/kubernetes/apps/network/cloudflared/app/kustomization.yaml
new file mode 100644
index 00000000..891a864a
--- /dev/null
+++ b/kubernetes/apps/network/cloudflared/app/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./dnsendpoint.yaml
+ - ./secret.sops.yaml
+ - ./helmrelease.yaml
+configMapGenerator:
+ - name: cloudflared-configmap
+ files:
+ - ./configs/config.yaml
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/kubernetes/apps/network/cloudflared/app/secret.sops.yaml b/kubernetes/apps/network/cloudflared/app/secret.sops.yaml
new file mode 100644
index 00000000..42f1e8e8
--- /dev/null
+++ b/kubernetes/apps/network/cloudflared/app/secret.sops.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cloudflared-secret
+stringData:
+ TUNNEL_ID: ""
+ credentials.json: ENC[AES256_GCM,data:1aqVOZjAw0ODZbUZpD77aCn4xVKNFfzmG31AH/fs2Yv+Rh+90+NP2Qx3GyAv/5R7Y4I9YJtZTsraKm10DKVF,iv:uEzcnCc4Xu3Am3s+qAxIA7YtsXxerTaeXloKEZrokgo=,tag:eoIALAAV+DFZBcKrY8FW0w==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age16vnesw9pd7l556h9lmgv4lyya03xsu2akc5hukhgua8mffukmsms46665n
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ZjgzRFlRSjRSeU1xMUpY
+ eXZxY29rQ1FNSko0ZGhJdVJadkV5OS9XcURNCjRod0ZmTzZXaXdZekFuemtnVUVk
+ NGpHb0NNNFI1YUdSdG1oY21LMEpZK3MKLS0tIGY2ZUMvVlczUGU3MTZjUzhFeUJQ
+ cnMyU2NQejBoZysrNkx4V2hQOGIzZW8KXynYIZnZuvEMgRAI5stS2uWUd5ZTzfNl
+ fVNfnEahWtbI32m1KNOwOiSGnKBPIRuVNnQCYQ1W5HnYMbjMsreoUA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-08-22T07:06:26Z"
+ mac: ENC[AES256_GCM,data:aaBJyUUtLx9S1IuiVSWl668/DHtTr2WhtDColgENUKIMjenazu77951tiBZeVJRD5iWuFdAfksW+7pgo/Yx0uYieYIatm+y6SEV3wuKRcufCEAjX+D0qeEG9edugGvA30wldAZ8uXZM3DNiRujfFQ6+w1pQv7hLe+yvUbaTMBdM=,iv:S+OuZTSTYRqJ2necKfU7WMPYRMsuYXlArtZ0XgoddT8=,tag:XxQP/GwDD+n8gbDz+tTu3Q==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.0
diff --git a/kubernetes/apps/network/cloudflared/ks.yaml b/kubernetes/apps/network/cloudflared/ks.yaml
new file mode 100644
index 00000000..eb8d8da0
--- /dev/null
+++ b/kubernetes/apps/network/cloudflared/ks.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app cloudflared
+ namespace: flux-system
+spec:
+ targetNamespace: network
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: external-dns
+ path: ./kubernetes/apps/network/cloudflared/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
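Review bot: `TUNNEL_ID: ""` is committed empty and in the clear while `credentials.json` is encrypted, which looks like sops's behaviour of leaving empty strings unencrypted rather than a deliberate split; the HelmRelease passes this value straight to `cloudflared tunnel ... run "$(TUNNEL_ID)"`, so the tunnel cannot start until it is filled in via `sops`. If this is the intended committed state, a comment such as `# TUNNEL_ID: set with sops before first reconcile` would save the next reader a debugging round; once populated it will be encrypted like the other key. The same empty-placeholder pattern appears in the external-dns secret hunk (`api-token: ""` in external-dns/app/secret.sops.yaml), where it matters more because that value is an API credential and the HelmRelease reloads on it.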
diff --git a/kubernetes/apps/network/echo-server/app/helmrelease.yaml b/kubernetes/apps/network/echo-server/app/helmrelease.yaml
new file mode 100644
index 00000000..d1c492df
--- /dev/null
+++ b/kubernetes/apps/network/echo-server/app/helmrelease.yaml
@@ -0,0 +1,91 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: echo-server
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.3.2
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ values:
+ controllers:
+ echo-server:
+ strategy: RollingUpdate
+ containers:
+ app:
+ image:
+ repository: ghcr.io/mendhak/http-https-echo
+ tag: 34
+ env:
+ HTTP_PORT: &port 8080
+ LOG_WITHOUT_NEWLINE: true
+ LOG_IGNORE_PATH: /healthz
+ PROMETHEUS_ENABLED: true
+ probes:
+ liveness: &probes
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /healthz
+ port: *port
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ readiness: *probes
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities: { drop: ["ALL"] }
+ resources:
+ requests:
+ cpu: 10m
+ limits:
+ memory: 64Mi
+ defaultPodOptions:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ seccompProfile: { type: RuntimeDefault }
+ service:
+ app:
+ controller: echo-server
+ ports:
+ http:
+ port: *port
+ serviceMonitor:
+ app:
+ serviceName: echo-server
+ endpoints:
+ - port: http
+ scheme: http
+ path: /metrics
+ interval: 1m
+ scrapeTimeout: 10s
+ ingress:
+ app:
+ className: external
+ annotations:
+ external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}"
+ hosts:
+ - host: "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ identifier: app
+ port: http
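Review bot: This publishes an HTTP echo service on the public ingress class (`className: external`, external-dns target `external.${SECRET_DOMAIN}`), and an echo service reflects every request header it receives — including the forwarding headers added by cloudflared and ingress-nginx along the way and, as far as I recall for this image, the pod hostname — back to any anonymous client. That is a small but free disclosure of the internal hop chain and naming scheme. If it only exists to validate the tunnel/ingress path, consider serving it on the `internal` class instead, gating it with an auth annotation on the Ingress, or removing it once validation is done; the pod-level hardening below it is fine as written.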
diff --git a/kubernetes/apps/network/echo-server/app/kustomization.yaml b/kubernetes/apps/network/echo-server/app/kustomization.yaml
new file mode 100644
index 00000000..5dd7baca
--- /dev/null
+++ b/kubernetes/apps/network/echo-server/app/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/network/echo-server/ks.yaml b/kubernetes/apps/network/echo-server/ks.yaml
new file mode 100644
index 00000000..2984f219
--- /dev/null
+++ b/kubernetes/apps/network/echo-server/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app echo-server
+ namespace: flux-system
+spec:
+ targetNamespace: network
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/network/echo-server/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/network/external-dns/app/helmrelease.yaml b/kubernetes/apps/network/external-dns/app/helmrelease.yaml
new file mode 100644
index 00000000..5b7dee10
--- /dev/null
+++ b/kubernetes/apps/network/external-dns/app/helmrelease.yaml
@@ -0,0 +1,48 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app external-dns
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: external-dns
+ version: 1.14.5
+ sourceRef:
+ kind: HelmRepository
+ name: external-dns
+ namespace: flux-system
+ install:
+ crds: CreateReplace
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ crds: CreateReplace
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ fullnameOverride: *app
+ provider: cloudflare
+ env:
+ - name: CF_API_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: external-dns-secret
+ key: api-token
+ extraArgs:
+ - --ingress-class=external
+ - --cloudflare-proxied
+ - --crd-source-apiversion=externaldns.k8s.io/v1alpha1
+ - --crd-source-kind=DNSEndpoint
+ policy: sync
+ sources: ["crd", "ingress"]
+ txtPrefix: k8s.
+ txtOwnerId: default
+ domainFilters: ["${SECRET_DOMAIN}"]
+ serviceMonitor:
+ enabled: true
+ podAnnotations:
+ secret.reloader.stakater.com/reload: external-dns-secret
diff --git a/kubernetes/apps/network/external-dns/app/kustomization.yaml b/kubernetes/apps/network/external-dns/app/kustomization.yaml
new file mode 100644
index 00000000..95bf4747
--- /dev/null
+++ b/kubernetes/apps/network/external-dns/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./secret.sops.yaml
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/network/external-dns/app/secret.sops.yaml b/kubernetes/apps/network/external-dns/app/secret.sops.yaml
new file mode 100644
index 00000000..e6a535e3
--- /dev/null
+++ b/kubernetes/apps/network/external-dns/app/secret.sops.yaml
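Review bot: `policy: sync` lets external-dns delete any record in the zone whose ownership TXT carries `txtOwnerId: default`, so a second external-dns instance (another cluster, a test setup) using the default owner id against the same zone can have this cluster's records removed and vice versa; a cluster-specific owner id, e.g. `txtOwnerId: <CLUSTER_NAME>`, removes that ambiguity, and `policy: upsert-only` is the safer choice until record ownership has been confirmed. Because `sync` delegates delete authority to the token read as `CF_API_TOKEN`, that token should be scoped to DNS:Edit on this one zone (plus Zone:Read) rather than an account-wide token, so a leak from the pod is bounded to the same zone `domainFilters` already restricts. The `domainFilters` guard and the secret reloader annotation are the right pieces to keep.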
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: external-dns-secret
+stringData:
+ api-token: ""
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age16vnesw9pd7l556h9lmgv4lyya03xsu2akc5hukhgua8mffukmsms46665n
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxd05YRi9YUlE1OG9JdmI0
+ WkJrTVFGTGpnWUlaNDNSTWRLNG5DMEhqcWdzCk9IaEd3eWsvSWpRRXY1elJsSHJi
+ Z252enZ6NWtiS1Y0T3dTM3R3cjZhSlUKLS0tIGd2SytYdW82QzdJSEFLajJyTE14
+ Wk9VMUtPNTVwdk8wbjh1QjV4d2NPMFUKEKf6HSebkHXkvCuSpnge1yIKmqsSXicO
+ //y+uBo/uKLE3BTv3V4VqBy6/CmaATblbIMwFIRub6dfYxDfT+1Idg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-08-22T07:06:26Z"
+ mac: ENC[AES256_GCM,data:XBM6eOER4lBw0W4K0nf2MRHbLgUJS9taYS6j1CZF39WxGyVKjYLHPfvT/qLgE9fvw3miH3a/juag1/w7Pe8o8Xt3I/j7HrZ3xT0w3U8hiMwlftxdtGIr2LYNyfXREoNG//01OjSv2fcLspxNanJqXSlh9S1mFhRoDtPOIKlhtAI=,iv:283lFCZFEPm6VtAukiiy+O6Gc/rp3mxFEELTyRa3e8M=,tag:YcNFUpAk4KaIiTJ6PqBDBA==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.0
diff --git a/kubernetes/apps/network/external-dns/ks.yaml b/kubernetes/apps/network/external-dns/ks.yaml
new file mode 100644
index 00000000..eaed4b56
--- /dev/null
+++ b/kubernetes/apps/network/external-dns/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app external-dns
+ namespace: flux-system
+spec:
+ targetNamespace: network
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/network/external-dns/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml b/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml
new file mode 100644
index 00000000..e7892580
--- /dev/null
+++ b/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./staging.yaml
diff --git a/kubernetes/apps/network/ingress-nginx/certificates/production.yaml b/kubernetes/apps/network/ingress-nginx/certificates/production.yaml
new file mode 100644
index 00000000..b5afdf41
--- /dev/null
+++ b/kubernetes/apps/network/ingress-nginx/certificates/production.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: "${SECRET_DOMAIN/./-}-production"
+spec:
+ secretName: "${SECRET_DOMAIN/./-}-production-tls"
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ commonName: "${SECRET_DOMAIN}"
+ dnsNames:
+ - "${SECRET_DOMAIN}"
+ - "*.${SECRET_DOMAIN}"
diff --git a/kubernetes/apps/network/ingress-nginx/certificates/staging.yaml b/kubernetes/apps/network/ingress-nginx/certificates/staging.yaml
new file mode 100644
index 00000000..9c869425
--- /dev/null
+++ b/kubernetes/apps/network/ingress-nginx/certificates/staging.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: "${SECRET_DOMAIN/./-}-staging"
+spec:
+ secretName: "${SECRET_DOMAIN/./-}-staging-tls"
+ issuerRef:
+ name: letsencrypt-staging
+ kind: ClusterIssuer
+ commonName: "${SECRET_DOMAIN}"
+ dnsNames:
+ - "${SECRET_DOMAIN}"
+ - "*.${SECRET_DOMAIN}"
diff --git a/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml b/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml
new file mode 100644
index 00000000..8f73b86b
--- /dev/null
+++ b/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml
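Review bot: Only `./staging.yaml` is listed under `resources`, so the `production.yaml` Certificate added in the same directory is never applied; that is consistent with both ingress-nginx controllers defaulting to `${SECRET_DOMAIN/./-}-staging-tls`, but it means every host served through either controller presents a certificate chained to the Let's Encrypt staging CA, which clients reject, until three places are changed together (this list and `default-ssl-certificate` in the external and internal HelmReleases). Listing `./production.yaml` now so the production secret is issued ahead of time, or adding a comment here naming the cut-over steps, turns that switch into a one-line change and avoids serving staging certificates longer than intended.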
@@ -0,0 +1,75 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: ingress-nginx-external
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: ingress-nginx
+ version: 4.11.2
+ sourceRef:
+ kind: HelmRepository
+ name: ingress-nginx
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ dependsOn:
+ - name: cloudflared
+ namespace: network
+ values:
+ fullnameOverride: ingress-nginx-external
+ controller:
+ service:
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: "external.${SECRET_DOMAIN}"
+ io.cilium/lb-ipam-ips: ""
+ externalTrafficPolicy: Cluster
+ ingressClassResource:
+ name: external
+ default: false
+ controllerValue: k8s.io/external
+ admissionWebhooks:
+ objectSelector:
+ matchExpressions:
+ - key: ingress-class
+ operator: In
+ values: ["external"]
+ config:
+ client-body-buffer-size: 100M
+ client-body-timeout: 120
+ client-header-timeout: 120
+ enable-brotli: "true"
+ enable-real-ip: "true"
+ hsts-max-age: 31449600
+ keep-alive-requests: 10000
+ keep-alive: 120
+ log-format-escape-json: "true"
+ log-format-upstream: >
+ {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for",
+ "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time,
+ "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args",
+ "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer",
+ "http_user_agent": "$http_user_agent"}
+ proxy-body-size: 0
+ proxy-buffer-size: 16k
+ ssl-protocols: TLSv1.3 TLSv1.2
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ namespaceSelector:
+ any: true
+ extraArgs:
+ default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-staging-tls"
+ resources:
+ requests:
+ cpu: 100m
+ limits:
+ memory: 500Mi
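Review bot: The JSON access log records `"remote_addr": "$proxy_protocol_addr"`, but nothing in `config` turns on PROXY protocol (`use-proxy-protocol`), so that field will be empty on every line and the only client address left in the log is `$proxy_add_x_forwarded_for`, which is caller-supplied. With `enable-real-ip: "true"` and no `proxy-real-ip-cidr`, ingress-nginx as I read its defaults trusts the forwarded-for header from any source, so a host on the LAN that reaches the LB address directly can choose the IP that ends up in logs and any IP-based rate limit; restricting the trusted range to where cloudflared actually runs, e.g. `proxy-real-ip-cidr: "<POD_CIDR>"`, and logging `$remote_addr` alongside closes that. `externalTrafficPolicy: Cluster` additionally SNATs the original source, so source-IP based detection needs either that policy changed or the Cilium LB path preserving it. The same log format and real-ip settings are repeated in the internal controller hunk (ingress-nginx/internal/helmrelease.yaml).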
diff --git a/kubernetes/apps/network/ingress-nginx/external/kustomization.yaml b/kubernetes/apps/network/ingress-nginx/external/kustomization.yaml
new file mode 100644
index 00000000..5dd7baca
--- /dev/null
+++ b/kubernetes/apps/network/ingress-nginx/external/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml b/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml
new file mode 100644
index 00000000..793cae3d
--- /dev/null
+++ b/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml
@@ -0,0 +1,72 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: ingress-nginx-internal
+ namespace: network
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: ingress-nginx
+ version: 4.11.2
+ sourceRef:
+ kind: HelmRepository
+ name: ingress-nginx
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ values:
+ fullnameOverride: ingress-nginx-internal
+ controller:
+ service:
+ annotations:
+ io.cilium/lb-ipam-ips: ""
+ externalTrafficPolicy: Cluster
+ ingressClassResource:
+ name: internal
+ default: true
+ controllerValue: k8s.io/internal
+ admissionWebhooks:
+ objectSelector:
+ matchExpressions:
+ - key: ingress-class
+ operator: In
+ values: ["internal"]
+ config:
+ client-body-buffer-size: 100M
+ client-body-timeout: 120
+ client-header-timeout: 120
+ enable-brotli: "true"
+ enable-real-ip: "true"
+ hsts-max-age: 31449600
+ keep-alive-requests: 10000
+ keep-alive: 120
+ log-format-escape-json: "true"
+ log-format-upstream: >
+ {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for",
+ "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time,
+ "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args",
+ "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer",
+ "http_user_agent": "$http_user_agent"}
+ proxy-body-size: 0
+ proxy-buffer-size: 16k
+ ssl-protocols: TLSv1.3 TLSv1.2
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ namespaceSelector:
+ any: true
+ extraArgs:
+ default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-staging-tls"
+ resources:
+ requests:
+ cpu: 100m
+ limits:
+ memory: 500Mi
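Review bot: The admission webhook's `objectSelector` only matches Ingress objects labelled `ingress-class: internal` (the external controller's hunk does the same with `external`), so an Ingress that carries no such label — one that only sets `ingressClassName`, for instance — is never validated by either controller's webhook and any nginx snippet or configuration annotation on it is applied unchecked. This is the common way to keep two controllers' webhooks from rejecting each other's objects, but it relies on every Ingress in the cluster carrying the label, and the echo-server Ingress in this change does not appear to set it; a comment stating that convention, or a policy that requires the label, would make the dependency visible. A smaller style point: `metadata.namespace: network` is set here but not on the external HelmRelease — Flux's `targetNamespace` applies it to both, so drop it or add it to both for symmetry.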
diff --git a/kubernetes/apps/network/ingress-nginx/internal/kustomization.yaml b/kubernetes/apps/network/ingress-nginx/internal/kustomization.yaml
new file mode 100644
index 00000000..5dd7baca
--- /dev/null
+++ b/kubernetes/apps/network/ingress-nginx/internal/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/network/ingress-nginx/ks.yaml b/kubernetes/apps/network/ingress-nginx/ks.yaml
new file mode 100644
index 00000000..99b1abb5
--- /dev/null
+++ b/kubernetes/apps/network/ingress-nginx/ks.yaml
@@ -0,0 +1,66 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app ingress-nginx-certificates
+ namespace: flux-system
+spec:
+ targetNamespace: network
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: cert-manager-issuers
+ path: ./kubernetes/apps/network/ingress-nginx/certificates
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app ingress-nginx-internal
+ namespace: flux-system
+spec:
+ targetNamespace: network
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: ingress-nginx-certificates
+ path: ./kubernetes/apps/network/ingress-nginx/internal
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app ingress-nginx-external
+ namespace: flux-system
+spec:
+ targetNamespace: network
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: ingress-nginx-certificates
+ path: ./kubernetes/apps/network/ingress-nginx/external
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml b/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml
new file mode 100644
index 00000000..7f0083c8
--- /dev/null
+++ b/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml
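Review bot: The `ingress-nginx-external` Kustomization depends only on `ingress-nginx-certificates`, while its HelmRelease (external/helmrelease.yaml) declares `dependsOn: cloudflared`; if the cloudflared Kustomization has not reconciled when this one applies, helm-controller should report the missing dependency and requeue rather than fail permanently, but adding `- name: cloudflared` under this Kustomization's `dependsOn` states the intended order in one place and avoids a noisy first reconcile. The certificates Kustomization using `wait: true` while the controllers use `wait: false` reads as deliberate and is fine.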
@@ -0,0 +1,33 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: k8s-gateway
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: k8s-gateway
+ version: 2.4.0
+ sourceRef:
+ kind: HelmRepository
+ name: k8s-gateway
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ values:
+ fullnameOverride: k8s-gateway
+ domain: "${SECRET_DOMAIN}"
+ ttl: 1
+ service:
+ type: LoadBalancer
+ port: 53
+ annotations:
+ io.cilium/lb-ipam-ips: ""
+ externalTrafficPolicy: Cluster
+ watchedResources: ["Ingress", "Service"]
diff --git a/kubernetes/apps/network/k8s-gateway/app/kustomization.yaml b/kubernetes/apps/network/k8s-gateway/app/kustomization.yaml
new file mode 100644
index 00000000..5dd7baca
--- /dev/null
+++ b/kubernetes/apps/network/k8s-gateway/app/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/network/k8s-gateway/ks.yaml b/kubernetes/apps/network/k8s-gateway/ks.yaml
new file mode 100644
index 00000000..06f44255
--- /dev/null
+++ b/kubernetes/apps/network/k8s-gateway/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app k8s-gateway
+ namespace: flux-system
+spec:
+ targetNamespace: network
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/network/k8s-gateway/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/network/kustomization.yaml b/kubernetes/apps/network/kustomization.yaml
new file mode 100644
index 00000000..e6f8ddc1
--- /dev/null
+++ b/kubernetes/apps/network/kustomization.yaml
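Review bot: `io.cilium/lb-ipam-ips: ""` is empty here and on both ingress-nginx Services (the external and internal helmrelease hunks); if these are per-environment placeholders they deserve either a `# TODO` or a `${...}` substitution like the domain, because an empty request leaves address selection entirely to LB-IPAM — I have not verified how Cilium treats an empty value, so this may also simply be ignored. On exposure: this Service publishes a DNS resolver for `${SECRET_DOMAIN}` on the LAN, and with `watchedResources: ["Ingress", "Service"]` every Ingress host and LoadBalancer Service name becomes enumerable by anything that can reach port 53 on that address, while `externalTrafficPolicy: Cluster` hides the querier's source from any logging. Restricting reachability of the LB address to trusted subnets (LAN firewall or a CiliumNetworkPolicy) keeps that inventory internal.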
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./cloudflared/ks.yaml
+ - ./echo-server/ks.yaml
+ - ./external-dns/ks.yaml
+ - ./ingress-nginx/ks.yaml
+ - ./k8s-gateway/ks.yaml
diff --git a/kubernetes/apps/network/namespace.yaml b/kubernetes/apps/network/namespace.yaml
new file mode 100644
index 00000000..4d78d7b1
--- /dev/null
+++ b/kubernetes/apps/network/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: network
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/apps/observability/kustomization.yaml b/kubernetes/apps/observability/kustomization.yaml
new file mode 100644
index 00000000..b213c83e
--- /dev/null
+++ b/kubernetes/apps/observability/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./prometheus-operator-crds/ks.yaml
diff --git a/kubernetes/apps/observability/namespace.yaml b/kubernetes/apps/observability/namespace.yaml
new file mode 100644
index 00000000..ce3a5bd2
--- /dev/null
+++ b/kubernetes/apps/observability/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: observability
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/apps/observability/prometheus-operator-crds/app/helmrelease.yaml b/kubernetes/apps/observability/prometheus-operator-crds/app/helmrelease.yaml
new file mode 100644
index 00000000..3913edf0
--- /dev/null
+++ b/kubernetes/apps/observability/prometheus-operator-crds/app/helmrelease.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: prometheus-operator-crds
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: prometheus-operator-crds
+ version: 13.0.2
+ sourceRef:
+ kind: HelmRepository
+ name: prometheus-community
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
diff --git a/kubernetes/apps/observability/prometheus-operator-crds/app/kustomization.yaml b/kubernetes/apps/observability/prometheus-operator-crds/app/kustomization.yaml
new file mode 100644
index 00000000..5dd7baca
--- /dev/null
+++ b/kubernetes/apps/observability/prometheus-operator-crds/app/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/observability/prometheus-operator-crds/ks.yaml b/kubernetes/apps/observability/prometheus-operator-crds/ks.yaml
new file mode 100644
index 00000000..ffbb5dcb
--- /dev/null
+++ b/kubernetes/apps/observability/prometheus-operator-crds/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app prometheus-operator-crds
+ namespace: flux-system
+spec:
+ targetNamespace: observability
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/observability/prometheus-operator-crds/app
+ prune: false # never should be deleted
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/openebs-system/kustomization.yaml b/kubernetes/apps/openebs-system/kustomization.yaml
new file mode 100644
index 00000000..9cd8d4e4
--- /dev/null
+++ b/kubernetes/apps/openebs-system/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./openebs/ks.yaml
diff --git a/kubernetes/apps/openebs-system/namespace.yaml b/kubernetes/apps/openebs-system/namespace.yaml
new file mode 100644
index 00000000..f173c6c9
--- /dev/null
+++ b/kubernetes/apps/openebs-system/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: openebs-system
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml b/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml
new file mode 100644
index 00000000..00cb1449
--- /dev/null
+++ b/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml
@@ -0,0 +1,48 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: openebs
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: openebs
+ version: 4.1.0
+ sourceRef:
+ kind: HelmRepository
+ name: openebs
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ values:
+ engines:
+ local:
+ lvm:
+ enabled: false
+ zfs:
+ enabled: false
+ replicated:
+ mayastor:
+ enabled: false
+ openebs-crds:
+ csi:
+ volumeSnapshots:
+ enabled: false
+ localpv-provisioner:
+ localpv:
+ image:
+ registry: quay.io/
+ helperPod:
+ image:
+ registry: quay.io/
+ hostpathClass:
+ enabled: true
+ name: openebs-hostpath
+ isDefaultClass: false
+ basePath: /var/openebs/local
diff --git a/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml b/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml
new file mode 100644
index 00000000..5dd7baca
--- /dev/null
+++ b/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/openebs-system/openebs/ks.yaml b/kubernetes/apps/openebs-system/openebs/ks.yaml
new file mode 100644
index 00000000..170feca9
--- /dev/null
+++ b/kubernetes/apps/openebs-system/openebs/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app openebs
+ namespace: flux-system
+spec:
+ targetNamespace: openebs-system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/openebs-system/openebs/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/bootstrap/flux/kustomization.yaml b/kubernetes/bootstrap/flux/kustomization.yaml
new file mode 100644
index 00000000..4a669d63
--- /dev/null
+++ b/kubernetes/bootstrap/flux/kustomization.yaml
@@ -0,0 +1,61 @@
+# IMPORTANT: This file is not tracked by flux and should never be. Its
+# purpose is to only install the Flux components and CRDs into your cluster.
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - github.com/fluxcd/flux2/manifests/install?ref=v2.3.0
+patches:
+ # Remove the default network policies
+ - patch: |-
+ $patch: delete
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: not-used
+ target:
+ group: networking.k8s.io
+ kind: NetworkPolicy
+ # Resources renamed to match those installed by oci://ghcr.io/fluxcd/flux-manifests
+ - target:
+ kind: ResourceQuota
+ name: critical-pods
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: critical-pods-flux-system
+ - target:
+ kind: ClusterRoleBinding
+ name: cluster-reconciler
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: cluster-reconciler-flux-system
+ - target:
+ kind: ClusterRoleBinding
+ name: crd-controller
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: crd-controller-flux-system
+ - target:
+ kind: ClusterRole
+ name: crd-controller
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: crd-controller-flux-system
+ - target:
+ kind: ClusterRole
+ name: flux-edit
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: flux-edit-flux-system
+ - target:
+ kind: ClusterRole
+ name: flux-view
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: flux-view-flux-system
diff --git a/kubernetes/bootstrap/helmfile.yaml b/kubernetes/bootstrap/helmfile.yaml
new file mode 100644
index 00000000..df9068c3
--- /dev/null
+++ b/kubernetes/bootstrap/helmfile.yaml
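Review bot: The first patch deletes every NetworkPolicy shipped in the Flux install manifests (`$patch: delete` targeting kind `NetworkPolicy`), and those policies are what restricts ingress into `flux-system` to the webhook and scraping paths; once they are gone, source-controller's artifact server and notification-controller's receiver are reachable from any pod in the cluster. If the deletion exists because Cilium policies are meant to take over, the comment should say so (`# Removed in favour of CiliumNetworkPolicy in <PATH_TO_POLICY>`) and an equivalent Cilium policy should land with it; otherwise I would drop this patch and keep the defaults. The rename patches that follow are self-explanatory given the `oci://ghcr.io/fluxcd/flux-manifests` comment and look correct.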
@@ -0,0 +1,59 @@
+---
+helmDefaults:
+ wait: true
+ waitForJobs: true
+ timeout: 600
+ recreatePods: true
+ force: true
+
+repositories:
+ - name: cilium
+ url: https://helm.cilium.io
+ - name: coredns
+ url: https://coredns.github.io/helm
+ - name: postfinance
+ url: https://postfinance.github.io/kubelet-csr-approver
+
+releases:
+ - name: prometheus-operator-crds
+ namespace: observability
+ chart: oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds
+ version: 13.0.2
+ - name: cilium
+ namespace: kube-system
+ chart: cilium/cilium
+ version: 1.16.1
+ values:
+ - ../apps/kube-system/cilium/app/helm-values.yaml
+ needs:
+ - observability/prometheus-operator-crds
+ - name: coredns
+ namespace: kube-system
+ chart: coredns/coredns
+ version: 1.32.0
+ values:
+ - ../apps/kube-system/coredns/app/helm-values.yaml
+ needs:
+ - observability/prometheus-operator-crds
+ - kube-system/cilium
+ - name: kubelet-csr-approver
+ namespace: kube-system
+ chart: postfinance/kubelet-csr-approver
+ version: 1.2.2
+ values:
+ - ../apps/kube-system/kubelet-csr-approver/app/helm-values.yaml
+ needs:
+ - observability/prometheus-operator-crds
+ - kube-system/cilium
+ - kube-system/coredns
+ - name: spegel
+ namespace: kube-system
+ chart: oci://ghcr.io/spegel-org/helm-charts/spegel
+ version: v0.0.23
+ values:
+ - ../apps/kube-system/spegel/app/helm-values.yaml
+ needs:
+ - observability/prometheus-operator-crds
+ - kube-system/cilium
+ - kube-system/coredns
+ - kube-system/kubelet-csr-approver
diff --git a/kubernetes/bootstrap/talos/clusterconfig/.gitignore b/kubernetes/bootstrap/talos/clusterconfig/.gitignore
new file mode 100644
index 00000000..12f01ed5
--- /dev/null
+++ b/kubernetes/bootstrap/talos/patches/README.md
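Review bot: `force: true` in `helmDefaults` passes `--force` to all five bootstrap releases, which makes Helm replace resources on update conflicts (deleting and recreating where an in-place update is impossible), and `recreatePods: true` restarts every pod on each apply; re-running this file against a live cluster therefore means a short Cilium and CoreDNS outage. That is defensible for first install, but a header comment like `# Bootstrap only: first-install of CNI/DNS/CSR-approver; day-2 upgrades are owned by Flux` would stop someone from re-running it to "fix" a release. The pinned `13.0.2` for prometheus-operator-crds matches the Flux-managed HelmRelease, which is the right consistency to keep.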
@@ -0,0 +1,8 @@
+paulynomial-k8s-leader-01.yaml
+paulynomial-k8s-leader-02.yaml
+paulynomial-k8s-leader-03.yaml
+paulynomial-k8s-worker-01.yaml
+paulynomial-k8s-worker-02.yaml
+talosconfig
+paulynomial-k8s-worker-04.yaml
+paulynomial-k8s-worker-03.yaml
diff --git a/kubernetes/bootstrap/talos/patches/README.md b/kubernetes/bootstrap/talos/patches/README.md
new file mode 100644
index 00000000..b9681888
--- /dev/null
+++ b/kubernetes/bootstrap/talos/patches/README.md
@@ -0,0 +1,15 @@
+# Talos Patching
+
+This directory contains Kustomization patches that are added to the talhelper configuration file.
+
+
+
+## Patch Directories
+
+Under this `patches` directory, there are several sub-directories that can contain patches that are added to the talhelper configuration file.
+Each directory is optional and therefore might not created by default.
+
+- `global/`: patches that are applied to both the controller and worker configurations
+- `controller/`: patches that are applied to the controller configurations
+- `worker/`: patches that are applied to the worker configurations
+- `${node-hostname}/`: patches that are applied to the node with the specified name
diff --git a/kubernetes/bootstrap/talos/patches/controller/api-access.yaml b/kubernetes/bootstrap/talos/patches/controller/api-access.yaml
new file mode 100644
index 00000000..77232844
--- /dev/null
+++ b/kubernetes/bootstrap/talos/patches/controller/api-access.yaml
@@ -0,0 +1,8 @@
+machine:
+ features:
+ kubernetesTalosAPIAccess:
+ enabled: true
+ allowedRoles:
+ - os:admin
+ allowedKubernetesNamespaces:
+ - system-upgrade
diff --git a/kubernetes/bootstrap/talos/patches/controller/cluster.yaml b/kubernetes/bootstrap/talos/patches/controller/cluster.yaml
new file mode 100644
index 00000000..aa3a9f22
--- /dev/null
+++ b/kubernetes/bootstrap/talos/patches/controller/cluster.yaml
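Review bot: The ignore list names the generated node configs one by one, so the next node added (a fifth worker, say) would have its rendered machine config — which embeds the cluster's machine secrets — committed unless someone remembers to extend this file; the out-of-order `worker-04`/`worker-03` entries already show it is hand-maintained. A pattern covers every current and future node in two lines: `paulynomial-k8s-*.yaml` and `talosconfig`.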
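Review bot: `kubernetesTalosAPIAccess` with `allowedRoles: [os:admin]` grants full Talos API administration to any pod scheduled in the `system-upgrade` namespace, and the namespace is the only gate — Talos mediates this access by pod namespace, not by ServiceAccount. That is the documented way to run system-upgrade-controller, but it makes "create pods in system-upgrade" equivalent to root on every node, so RBAC for that namespace should be held to the same standard as `kube-system`, and a comment stating why `os:admin` rather than a narrower role is required (`# os:admin needed by system-upgrade-controller for talosctl upgrade`) would make the grant auditable.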
@@ -0,0 +1,12 @@
+cluster:
+ allowSchedulingOnControlPlanes: true
+ controllerManager:
+ extraArgs:
+ bind-address: 0.0.0.0
+ coreDNS:
+ disabled: true
+ proxy:
+ disabled: true
+ scheduler:
+ extraArgs:
+ bind-address: 0.0.0.0
diff --git a/kubernetes/bootstrap/talos/patches/controller/disable-admission-controller.yaml b/kubernetes/bootstrap/talos/patches/controller/disable-admission-controller.yaml
new file mode 100644
index 00000000..e311789f
--- /dev/null
+++ b/kubernetes/bootstrap/talos/patches/controller/disable-admission-controller.yaml
@@ -0,0 +1,2 @@
+- op: remove
+ path: /cluster/apiServer/admissionControl
diff --git a/kubernetes/bootstrap/talos/patches/controller/etcd.yaml b/kubernetes/bootstrap/talos/patches/controller/etcd.yaml
new file mode 100644
index 00000000..bd2c8114
--- /dev/null
+++ b/kubernetes/bootstrap/talos/patches/controller/etcd.yaml
@@ -0,0 +1,6 @@
+cluster:
+ etcd:
+ extraArgs:
+ listen-metrics-urls: http://0.0.0.0:2381
+ advertisedSubnets:
+ - 192.168.1.0/24
diff --git a/kubernetes/bootstrap/talos/patches/global/cluster-discovery.yaml b/kubernetes/bootstrap/talos/patches/global/cluster-discovery.yaml
new file mode 100644
index 00000000..586a07ab
--- /dev/null
+++ b/kubernetes/bootstrap/talos/patches/global/cluster-discovery.yaml
@@ -0,0 +1,7 @@
+cluster:
+ discovery:
+ registries:
+ kubernetes:
+ disabled: false
+ service:
+ disabled: false
diff --git a/kubernetes/bootstrap/talos/patches/global/containerd.yaml b/kubernetes/bootstrap/talos/patches/global/containerd.yaml
new file mode 100644
index 00000000..2952d6b4
--- /dev/null
+++ b/kubernetes/bootstrap/talos/patches/global/containerd.yaml
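Review bot: Removing `/cluster/apiServer/admissionControl` drops Talos's default admission configuration, which is a PodSecurity configuration that enforces the `baseline` profile cluster-wide (with `restricted` audit/warn and the system namespaces exempted); after this patch no Pod Security Standard is enforced anywhere unless each namespace is labelled by hand. If the motivation is a specific privileged workload (the openebs hostpath helper, for example), the narrower fix is to keep the configuration and add that namespace to its exemptions or label it `pod-security.kubernetes.io/enforce: privileged`, rather than switching enforcement off for every namespace. Every app manifest in this change already sets a restrictive securityContext, so the cluster-wide baseline would likely not conflict with them; at minimum a comment in this file saying why it is removed would help the next reviewer.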
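Review bot: `listen-metrics-urls: http://0.0.0.0:2381` serves etcd's `/metrics` and `/health` over plain HTTP on every node interface, and unlike the client port these endpoints carry no authentication, so any host on `192.168.1.0/24` can read cluster membership, version and performance data. If scraping comes from inside the cluster, binding to the node address instead and restricting 2381 to the scraper's source with Talos's ingress firewall (a `NetworkRuleConfig` document, available in recent Talos releases) keeps that telemetry off the LAN; the controller-manager and scheduler `bind-address: 0.0.0.0` in the preceding hunk are less sensitive because those metrics endpoints require Kubernetes authentication, but the same firewall rule could cover them.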
@@ -0,0 +1,12 @@
+machine:
+ files:
+ - op: create
+ path: /etc/cri/conf.d/20-customization.part
+ content: |-
+ [plugins."io.containerd.grpc.v1.cri"]
+ enable_unprivileged_ports = true
+ enable_unprivileged_icmp = true
+ [plugins."io.containerd.grpc.v1.cri".containerd]
+ discard_unpacked_layers = false
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+ discard_unpacked_layers = false
diff --git a/kubernetes/bootstrap/talos/patches/global/disable-search-domain.yaml b/kubernetes/bootstrap/talos/patches/global/disable-search-domain.yaml
new file mode 100644
index 00000000..8ba647c4
--- /dev/null
+++ b/kubernetes/bootstrap/talos/patches/global/disable-search-domain.yaml
@@ -0,0 +1,3 @@
+machine:
+ network:
+ disableSearchDomain: true
diff --git a/kubernetes/bootstrap/talos/patches/global/hostdns.yaml b/kubernetes/bootstrap/talos/patches/global/hostdns.yaml
new file mode 100644
index 00000000..6033ccd2
--- /dev/null
+++ b/kubernetes/bootstrap/talos/patches/global/hostdns.yaml
@@ -0,0 +1,6 @@
+machine:
+ features:
+ hostDNS:
+ enabled: true
+ resolveMemberNames: true
+ forwardKubeDNSToHost: true # Requires Cilium `bpf.masquerade: false`
diff --git a/kubernetes/bootstrap/talos/patches/global/kubelet.yaml b/kubernetes/bootstrap/talos/patches/global/kubelet.yaml
new file mode 100644
index 00000000..80a2b38b
--- /dev/null
+++ b/kubernetes/bootstrap/talos/patches/global/kubelet.yaml
@@ -0,0 +1,7 @@
+machine:
+ kubelet:
+ extraArgs:
+ rotate-server-certificates: true
+ nodeIP:
+ validSubnets:
+ - 192.168.1.0/24
diff --git a/kubernetes/bootstrap/talos/patches/global/openebs-local.yaml b/kubernetes/bootstrap/talos/patches/global/openebs-local.yaml
new file mode 100644
index 00000000..e4095d17
--- /dev/null
+++ b/kubernetes/bootstrap/talos/patches/global/openebs-local.yaml
@@ -0,0 +1,10 @@
+machine:
+ kubelet:
+ extraMounts:
+ - destination: /var/openebs/local
+ type: bind
+ source: /var/openebs/local
+ options:
+ - bind
+ - rshared
+ - rw
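Review bot: The containerd drop-in in containerd.yaml has no comment explaining its four settings, two of which relax a node-wide default: `enable_unprivileged_ports` lets non-root containers bind ports below 1024 and `enable_unprivileged_icmp` lets them open ICMP sockets, on every node since this is a global patch. `discard_unpacked_layers = false` keeps layer blobs in the content store, presumably for the Spegel mirror whose Helm repository this commit adds. A short header inside `content`, e.g. `# unprivileged ports/icmp: non-root pods may bind <1024 and send ICMP` and `# keep unpacked layers on disk so Spegel can serve them`, would make the security trade-off and the dependency visible.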
diff --git a/kubernetes/bootstrap/talos/patches/global/sysctl.yaml b/kubernetes/bootstrap/talos/patches/global/sysctl.yaml
new file mode 100644
index 00000000..90361d7b
--- /dev/null
+++ b/kubernetes/bootstrap/talos/patches/global/sysctl.yaml
@@ -0,0 +1,7 @@
+machine:
+ sysctls:
+ fs.inotify.max_queued_events: "65536"
+ fs.inotify.max_user_watches: "524288"
+ fs.inotify.max_user_instances: "8192"
+ net.core.rmem_max: "2500000"
+ net.core.wmem_max: "2500000"
diff --git a/kubernetes/bootstrap/talos/talconfig.yaml b/kubernetes/bootstrap/talos/talconfig.yaml
new file mode 100644
index 00000000..489b714c
--- /dev/null
+++ b/kubernetes/bootstrap/talos/talconfig.yaml
@@ -0,0 +1,118 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/budimanjojo/talhelper/master/pkg/config/schemas/talconfig.json
+---
+# renovate: datasource=docker depName=ghcr.io/siderolabs/installer
+talosVersion: v1.7.6
+# renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
+kubernetesVersion: v1.30.3
+
+clusterName: "paulynomial"
+endpoint: "https://192.168.1.200:6443"
+clusterPodNets:
+ - "10.69.0.0/16"
+clusterSvcNets:
+ - "10.96.0.0/16"
+additionalApiServerCertSans: &sans
+ - ""
+ - 127.0.0.1 # KubePrism
+additionalMachineCertSans: *sans
+
+# Disable built-in Flannel to use Cilium
+cniConfig:
+ name: none
+
+nodes:
+ - hostname: "k8s-leader-01"
+ ipAddress: "192.168.1.200"
+ installDisk: "/dev/sdc"
+ talosImageURL: factory.talos.dev/installer/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba
+ controlPlane: true
+ networkInterfaces:
+ - deviceSelector:
+ hardwareAddr: "1c:69:7a:69:c3:98"
+ dhcp: false
+ addresses:
+ - "192.168.1.200/24"
+ routes:
+ - network: 0.0.0.0/0
+ gateway: "192.168.1.1"
+ mtu: 1500
+ vip:
+ ip: "192.168.1.3"
+ - hostname: "k8s-worker-01"
+ ipAddress: "192.168.1.201"
+ installDisk: "/dev/mmcblk0"
+ talosImageURL: factory.talos.dev/installer/cbaa6c853fa55bda75d863ac9c950d94c9d09c5764845f1fe2eba1479c089647
+ controlPlane: false
+ networkInterfaces:
+ - deviceSelector:
+ hardwareAddr: "dc:a6:32:c5:15:ab"
+ dhcp: false
+ addresses:
+ - "192.168.1.201/24"
+ routes:
+ - network: 0.0.0.0/0
+ gateway: "192.168.1.1"
+ mtu: 1500
+ - hostname: "k8s-worker-02"
+ ipAddress: "192.168.1.202"
+ installDisk: "/dev/mmcblk0"
+ talosImageURL: factory.talos.dev/installer/cbaa6c853fa55bda75d863ac9c950d94c9d09c5764845f1fe2eba1479c089647
+ controlPlane: false
+ networkInterfaces:
+ - deviceSelector:
+ hardwareAddr: "dc:a6:32:c5:15:a8"
+ dhcp: false
+ addresses:
+ - "192.168.1.202/24"
+ routes:
+ - network: 0.0.0.0/0
+ gateway: "192.168.1.1"
+ mtu: 1500
+ - hostname: "k8s-worker-03"
+ ipAddress: "192.168.1.203"
+ installDisk: "/dev/mmcblk0"
+ talosImageURL: factory.talos.dev/installer/cbaa6c853fa55bda75d863ac9c950d94c9d09c5764845f1fe2eba1479c089647
+ controlPlane: false
+ networkInterfaces:
+ - deviceSelector:
+ hardwareAddr: "e4:5f:01:0a:07:f1"
+ dhcp: false
+ addresses:
+ - "192.168.1.203/24"
+ routes:
+ - network: 0.0.0.0/0
+ gateway: "192.168.1.1"
+ mtu: 1500
+ - hostname: "k8s-worker-04"
+ ipAddress: "192.168.1.204"
+ installDisk: "/dev/mmcblk0"
+ talosImageURL: factory.talos.dev/installer/cbaa6c853fa55bda75d863ac9c950d94c9d09c5764845f1fe2eba1479c089647
+ controlPlane: false
+ networkInterfaces:
+ - deviceSelector:
+ hardwareAddr: "dc:a6:32:27:dd:5a"
+ dhcp: false
+ addresses:
+ - "192.168.1.204/24"
+ routes:
+ - network: 0.0.0.0/0
+ gateway: "192.168.1.1"
+ mtu: 1500
+
+# Global patches
+patches:
+ - "@./patches/global/cluster-discovery.yaml"
+ - "@./patches/global/containerd.yaml"
+ - "@./patches/global/disable-search-domain.yaml"
+ - "@./patches/global/hostdns.yaml"
+ - "@./patches/global/kubelet.yaml"
+ - "@./patches/global/openebs-local.yaml"
+ - "@./patches/global/sysctl.yaml"
+
+# Controller patches
+controlPlane:
+ patches:
+ - "@./patches/controller/api-access.yaml"
+ - "@./patches/controller/cluster.yaml"
+ - "@./patches/controller/disable-admission-controller.yaml"
+ - "@./patches/controller/etcd.yaml"
diff --git a/kubernetes/bootstrap/talos/talsecret.sops.yaml b/kubernetes/bootstrap/talos/talsecret.sops.yaml
new file mode 100644
index 00000000..34a7195d
--- /dev/null
+++ b/kubernetes/bootstrap/talos/talsecret.sops.yaml
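Review bot: `additionalApiServerCertSans` carries an empty entry (`- ""`) above the `127.0.0.1 # KubePrism` line; an empty SAN adds nothing to the generated certificates and is likely a placeholder or a value stripped before commit, so it should either be removed or replaced with the intended hostname. Also worth a look: `endpoint` is `https://192.168.1.200:6443`, the address of k8s-leader-01 itself, while that node configures a `vip` of `192.168.1.3` — pointing the endpoint at the VIP is presumably what the VIP exists for and keeps the generated kubeconfig/talosconfig valid if the control plane ever moves. Finally, `installDisk: "/dev/sdc"` on the leader is a kernel-assigned name that can change between boots; talhelper's `installDiskSelector` (by serial, model or wwid — the right values for this machine are not visible here) is the safer choice for a reinstall.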
@@ -0,0 +1,43 @@ +cluster: + id: ENC[AES256_GCM,data:MHaTCq6JOtjyA/EAe0ErIZ5lp2Ock2zuWy+6F9iMJ4BAxZwOCGSS+D8tk68=,iv:Ovx2wi5m5yHD2bWLduE9F8BiWaDimchbXfMKck5g1pI=,tag:strnE9FtlwHzDDzUqkFhJg==,type:str] + secret: ENC[AES256_GCM,data:9H1zB8YANGF8nb6UW7dct9xEV7kXncbLaf4S2zUuMsYljbinCRR0Yox9J/g=,iv:BlYi9+7zSz8dAEQz6OCROE8Qi4aD8whIW9CuO2mqcWg=,tag:/p74PtMNO5GOSB3TmifxCw==,type:str] +secrets: + bootstraptoken: ENC[AES256_GCM,data:RD/VLDLe5YN7ChflY55W2k9BOxNiRYc=,iv:oqEiErSU4lLJIR/xfVt/2hEZONqbwTh9yLXqHvohyDg=,tag:x6zfjUGpNRKQAt+RlVdAmg==,type:str] + secretboxencryptionsecret: ENC[AES256_GCM,data:HInVYswP/iR/DkdgCXA46RBOj6XmaHIV36a6JICw7/1++lOxcNV+GBIuN0c=,iv:12of1QJuSGdaTuGRCq6W5ibkENxyN+r2favypgh92ko=,tag:po/cS5alp2AxBcXqTujYbw==,type:str] +trustdinfo: + token: ENC[AES256_GCM,data:gah3EOo6qSONXqYJVigsCFb2krH91bc=,iv:1DuDSbhvi8Ka7i+Vv1HQtovuSLWzdu0eM+xCHNTw6AE=,tag:G9v56z28tC6KMj3H0c4Wmg==,type:str] +certs: + etcd: + crt: ENC[AES256_GCM,data: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,iv:A5SSrC0vXmkaPAmjUHuJMVVNCrsOJHjqQc4LoHvCqts=,tag:WaadTgzvVBuVJqlfF98r7w==,type:str] + key: ENC[AES256_GCM,data:f3QyU+dAdFsh0QKdEY44DV2NJ4m6DWTrSZb8+DirJFDg2/IKVxxzi/fsXIu+AACuFxV9azqr4ayaavziS7CItn0xX4kXQIJqForW+mWEWTuj67B+Y87cEgMLmIDqpUs6Q1EwWYffA9YnpXdC1nXqYzJsE40W9I1owPv2eOQaTF/hL2z53o+yxm7I4yLZmmxhXPcNTupoMJg/t8dCieDcWmRr6H0BGwxu6W2n/WQNoxBKdMSGCrC1LrUFj6ca6FS4vkOHef5XpLsfalmqVM4reec8iiHEoU6EmXqznFzhKSmRJo58cSjJ+2S+03+MtkaRoGLwy9pjIrnJ+g9hHdEDwg6EBLUR3PJp16WdUkzTqMw0FVg1YuoNxH0i8ad2DkzpYCgDIKTHgdSAOlr9848yIA==,iv:rutPF+k5F24Ct7j+eFSOT12WLUQbXTdXhUXloJVtBio=,tag:Y+sVt8N7LFkH2W5aekKOuw==,type:str] + k8s: + crt: 
ENC[AES256_GCM,data:110yyySrrXbFC3JKdaN60IPosVho5G3lpKGAFJ0Qa25OQjn0IszmqQ8GahaLKI5BIKpzR6jIGMMk7D2VXgD44ADK9voZ0qk+sAm7dIFtAwCkSwvcZc3uYJ+f1U57lSgrzG3BqrhRtUmXCCafi4o8gsiGTOJYYQ8msU6L4wnWebQ6oIEifTU9glHNelfMX+3ZWdCNNC4MOk72lvWL385ShVrmPjn0nXIuxpxvtaySuI43zAVtOQysyAdFUg2NrwvuTvTEooETUvhQphSf5DT90C9Lo4BL9zTeHsxeyGdRgBI2PRHAfcMHN/eMSL78JJrWJcsj+ASUPUD6Yj7bHp/XOjmaB7/0nYBOX1KupI4EXCtAFolDW1iSNDtjhnP8tYCQys0BnUpMRH77hFaxUjq93Uc6XODAsGMfrDfDGhcg/Kd11VtwwFgbmroYz0WwJQPGhUaNpOwS0rOQOxJf6O+NeSCiRsou4HUqRy3pXSqIYEvPIwmAbC2XsGdQcxQZjS7r37ldho6RnF47cbaMB5LMYr7ydAZM+hy149zqPouF/1pD1uDSjCCjfnP8UtNeAQEJnFCqdh4yt60iXzARnF/FKfVZ/1DvJbH2/7R3XLTpXtzMbv69FaVGTxg4/lvtc9UMX8Sl5tShcEQ3v0wOWin/gYsWylfY4yJx/kyzHdOlKJfqAn7RPluuosDH9tyRNrf8NMGnS9S9QqQjVv7JJaaHysWlJ9OwHFg88rp/erMs9eM1KRcY8d/bKpvB+Dv84Iz7etuVefQmdDU0XqcZg2EK6skbyJrkmyYgRU4kdgov2C2G9SBRB1jFobZLvXcHOaHCJYg5M7Z6HqnInrNqgyeUj7ai6StpJVP3uTtuOd1Sbc48rEjjuAZfaQAbYhcmoawN01cLj56/lvaMXcrAs3dgiU9nIP6e7ENJkGc0uqKC2eF56VEHWzJz/9UZJVSy3s1jbhDs5vwMYm5T807RwbYEgj+Fop94fP4BPDOCoZZFmiGSjGD6d813hfc/uYspFvtAXhePJatBAcIc8Z3Bm2ImkGG+lYE5ScfJLGeXzQ==,iv:v8Ls7f6hz1HDDVYc2ZRdRmalTK6ClZdbPPX3TZ4w9Js=,tag:/KDAoArd/h4sEwu2qqT49w==,type:str] + key: ENC[AES256_GCM,data:gSqJ2g3wKCzOq1tJjzbLc9tb2dY9LmcP+cO47ceWwCgLrDcwO+vvDqMCtFoR0X4wNGtIcFUXAB5S1oddFbj3UE15S7Mrar622BJHfCM1voKk0+7hXZUYRjW5E16vkq94I2f1rdG6FXknJfYzHTO6nsOtKYZtpk0fXgqeHFX01yYGah2xs5Kai0jZMQvATaBJLG4VsOPxdsRvoFY0AqSsuy7RjPvYqOlKFnG++bhRSsM64LsWEE2M87n90DY1Z14sIKX9otJbs5MXnWmFLdZp2y22uQfaiSI19jr+lNNN8V3nPuLoo9t5MZu68hYN7lLsIwjjA6B+XdbHLcWdb3mnnBUTUSbHEA59zdhQ7CkIaVXoiOYO2mv3qmOjrPUsSF54Nv0+4bXeEtM97iZROkK0cQ==,iv:KUS0pugFiw7/tz1weloecSXYCk3L5Vl9Nugb5bCJVrI=,tag:bfDTgShF+bvRGKi7njngDA==,type:str] + k8saggregator: + crt: 
ENC[AES256_GCM,data:UDCrk6p5mu/VzQ4BhGgZozcP24KUsnQfJ+Dkt8U9rZf5aXnHUWoDLvz7G6kvKnSCnan+QEwqoyoXZnRLi7pGzAdzy3K372huZOl6WjQeqkUfcZOUeDvy85DttCQOZ3Sk6tB3GaUBH6nq3u+4jrWHSS5DAn+RXkspU0TPrN5x9UrPB5jYOl3dR5r2uIvdC7T+UcX2xX3HoLTNnUAAeRvs5BeH14BXYwFuOG+ePn7im3qiUZ5opIvbElcTnXgZomddwqT6r+BWEXO2G2hInGI+FU8PqREtjt0r5ACcnisTOVmBLo5d6f1JUncleKvtBZMuO6dirrpUndPN5wM2AgF/1XwMfqX7gzcaXOO0repABxbUgvA8hwlg7UKonyS54bFLLcy/XFQU1E/tf1+jn3UBc/7PwEBYUOax6ewYMfPQ0hDy8jAT1aJLnQNtNI6I0znpZtK4MjoLVUxL8/Lk66sGTRQmvpdMeDwPA0H6U4EzByIku8I4kAIYm1iFzN3zoTbYm84TkWNbWXu6GDZEZmBCmNgrZrq0mOtGQSUtq1cVhH/t7aVg9bC5cH083/JvkuM6jOy8Z7TP1/dudoUYU7NJZcOd0sset3xLi5UJGUZKVO1+H1IKjyo6FOnfz2ssRE2aOrEceMF3rwhI9AAtG5okPlS845d9WRFl5b/otGOKa/Ighim46jKGiJraogBuiS2yfnYuXmTo7VFHvS9msuZJzA4F27SQ5ikJ6nRkjlD516x95JB+nQhuUY+CzJ84iqNobVA6ryeD7gd3laGjwd9/2XhfUgBreM62WRuiGGp8u8ykpStVTKjaWVzr37AZi+SXk6GXfGvjGz75Q1/xDIEhNb8IUmBlcFSCr4HEuHCN4mvtdXEfWGKoCUjESmr70YPDh2rdduKT4OVW+lUtOG8dm9lErrZmbijJFPGzN/ZkkVpHIEh/ZehAj17xZKAGbpez,iv:ft1elyXypcUwNeE/fJDaFh4JqJXYNYSs/ekhZ9QqNxg=,tag:+iHLXhPqANf5cilVgUNCgA==,type:str] + key: ENC[AES256_GCM,data:R5KpkVc5PPXjMMWUaln3TqzHBA6mUPXpVZA1hDn6vBj8IuwXQIAlhO9x3eTp7G04oJJxlERhvAkKIl9p9vqlLZgfzKW9d5yiqcpMWA+Xq8KZy3FeZLeEi00XvsoJncgLKXHIeadJ2scUyKKtzcJR8g7Jz13nCz9NOBqt5COH7TfyktXtfMLOMJvbjyq+o4dCLuh8i17houICGhbWCF2A3hRVfQioEUBA+FN4gvjXbq9zYjo8/HwQeQDVBJ1FX5XuA5XeN/OI7/L1uU6/qqrRB6jyIVWZKPpuSEP603QsoEKaJHkRaQaXHskdtgfsT+zF7GWFbGMXDmFQFxeJrr9EjIWEUiucgjrACFlLxSSaygruZTv2sEQcXZecKWVr25iDrDjH3YW0XBBqLKBZ68XWEQ==,iv:b20ziD8d7ybQngOonPKhbLBVorzWuw0WHS9s4djnTPo=,tag:ust6RuEII8HE13aGLbwW5A==,type:str] + k8sserviceaccount: + key: 
ENC[AES256_GCM,data:X5khg0Hp0AYH/sbdeE+w+6ZUmE5Hv35mVZb6kVrdaVdVifembLARlIEZzu1NyO25jylseKs+ImUmRAk+kgZiwnQDJGRB0MJ3e9BXlSiBr+lGR43pkcQfFR7cKRBd/BOl1i09NMsxprUb4aYJx8YmdN+tWOwy+E2AQySvivaT2KaUI1h2yGN8QzGGamYWsC9LEEUNBpBtqOVtAZzJKGAzAMfh6iBd4NsHxlaoBNlaXSsEejjMETMI+ospa8kH51oUWzc7f9zBpMQY9AEBur4IQnJAYLZl8EjNgttas0A4e3pDD4CID81t8dJXV8+wil9SPuOKTy92VRFCOsFiltWKIZpsMrP+O3njVbJA310pyEoOfx7xCCJiaItBf922qRHfwQAF5oFD7RU9Z5jhPvQ45MXUznF1jrA/V9nPFb16f8FDCY+sS0Fj2lEg6Ey2k7s1YwF7TbkQ3Ouky10RIOaoo9h7jNzu1+5SRRXCEp1RNvA5/zCHtfOGFFIQAqIK4c2b8fzVlg4BbpAWwB/O+7Z7aNBgWUOQydPCaTy/DwO4wxLbE4yvd1MMMUZTVPDHCWm1itk6nfEMwmpxYmZta8Apn/EsWAwdCwq2/wtPCnsQQmRXj0ir1wg+n8AivQDbayCOFlYba0W0z5pQ/F+XNERZhckupecqveFNUd8IRTNrRNfha0TiEdIB9a38fIPmSZWkiXLhuM3T0gBtE3/GIWC/BMbaabM0HZfoUW6qd+VbWhXZ0nVuxcAFocIq5hiK1A06Nld17hgGqIih1Hp7kSr6+GDt3+hvZNJcLqMXcoEba75zY2Bmqcd37D17bir1JZ3/WL6z0y48PUxeyjZBbFfoCvK14nb/UYvyjeApnSmMd+XIIQywcbbQzPtn+NtGf+x1rwR/jkJGwPMX/FX7pmi09lRT8fo3sCrZwV/HcZ/syEdRl8fJfaHo5IOAjklI6HE1mWMkm/2FpROT1FxFIxA3EcrQ04uc9DiQIE1xG4tTwPhaS3OPC66FsDrjZSN8rVlojfp4Peq/4gYYaDrt6lgy8IRWnvtU7wyM319IJZ7kMWme+2FN88j1QKY7bRMK4oOjXN1XKjTaSlwSKZhXnE1qK1EKfdGpO8LsyWAxiiFN8Di5vhBilZnauagtnX7+Rkee1UHCdhwHmE+O8g3WYUvn4O18aNnBoSHB9uNFdJkB60ByBpUhX6Hli4F0bTAe+t8W5pFU6D2sVEI1liv3aHzoJ0fVcf8YX/+vu4iDN7Y7+8s+CaGyEi3GYlYrZzzERrpqaLoofC1yhkkZl3o0RyyEODZA58eTqm0qYUgp6wfp8F/ea9oJu6OX7RooBZZx1xrN9Do6mCMab4J/s1sZIRbBu4Fx4fZCpWT9EEOx4IFb781/VG1tRvgxKf7xjJr+SAbgHnBeRainz6weFBBs3oPQWN8OcYzhy/u0dRXtr+Bjy1Vj5Lr68fq+yftudK8uQk5/ergxgh2bp3nEuynR0MP0fXyftw8NpJ77jEYUVLx9p5Idj+e4dmj/BObkqwcJ64gJTcw6pQTOU79IJmWWfd0gbsjxkC7EKBzIE59WJJYh461Yy4nsQtrZ/5JUTCqah11YBkEOV2ezTOXcrHo5yzmXZnCLB+UuDSlI7sJ/AiXXiACuhDfKICJqmc4YHiVtkNitV+D2pWlLfoaAJvzED3GkJa9btAdFom8Cbw1h9MjrMh7oraB7Fwrd5WSq+F+YcMNx1GJTee+4aXGpxj8yK08+QAjhV6QYnfKnue/8BjRb5G81zqdkyMg30QCUmx4RN6mbJnOCMJj8vYcszlD4ffISimsdUM9ta1r2grNWHywYCaZFjPbBptB1TUtZfvUK9su2oYNxT2eOmCYMdT4IboSVCIr37fh3p4wk6fjZQU+cikDTC8/gZ8JuBx88iE3WK2cIxnKIUZ1IOjv4BLmfTpLrkkwqxr8J3erwguvk8fiPUfgNi+3J2RrQSiZrp6LT
L1UsV9++YaecXyk23WkqSMV/vTt/t8O0J7/PuObzm+aM9DI2KcvvshFLWWbugmcvd16KDWnFtojvCnXEJYA1f6+P8PVcds0FZCF/oghxlzmIEpQeQ4e3VtXZQA6y4zJeGZaZDLCmokyxvzld6v1TKwO1IIkb4CoG0DhH2ByHfUKNJ3IQGxDgpfRXg6HR4YnOdDCp/4e2LTZg7T8DCu1Qt6XVvjITjTAzBLsNu08gqRV2bO92wG2Mq74aQIZ9gOxbJtLDf6XZRw9SeNw00U4JKWubq4uIaLTBIOC97UhY88E0lMoGO66rzTCzhjzs9J6tiM0bkYEiLnC4gql1v9/PFhY5G7N6nqEKioiQIVkwX0gaEgZRmb4R27JCdmT6jpx99l7UvFTSgPDvnJcBiDJUruNBtE26EpHKf6+/hUj1fhngc/eVrUWXWiXiJqfE2FCSMgk2ZdZ/yF4ft2ODQoh888EaryiQVZKPXc7l7rxl2Q52Dbwo9BJWG0fdahYZynBxmTUn12x+fXMzaq+PMtWg31VaD2/kfR6yXfpW6BCyEIwDjLnsR4sBAyRqpgaqrQZYbo1cxpdzaM8VVJwyaSS9JivI1C5u+F1xn+ZN8Vcxxf+5+CXlKeH7xlXnmzm8qve2sjkTN9M3BFcu4hdE3KPKod3XXNTs9jRvEwEJt0VvmHgtHQLBgQYnRtC5rkGweM1WreM9m9dcME5BOM8T/608YVEEWCw5fVsXXxlc5Tr/6q6IkB3Yz9MiwU6VeOgB4SHPIJMQzqdt5WkoS7umHpVNL69fgNKhIfruqDcR86/iNgnUHQFaPlR1Xy7YtxXYP9IgUPxzZLzwbeTOLak6cjhs8/joBGkuyDXEdqTOQN3r4GPl2tTtBHPFn5mYiuThV3Z5UlEYV61l8BsV1qMTM7XKAtOlwhmPuZl+R3UJMGKeJcmZhZWjMbzQrs23ymrgsQ7ONAYg9l7UGfrl2NNtR2TT0os8PglEI27RxTQXHFGpKraYJCjp7DW5GKhseqLAngrBcJj4aVwT8LS1iJ6lFnsuwBGjvuI+Vm287QlS70XzrNAwaK5SC468ABv+hrhTCojRDfg3kMNDy5NTeirFWMYy+ydegrPdfCqoRyXf7+KVvkEDzWQWgg7fwU1KAelNjL5TC8oW+9axzM/tzO0zcGBpE4u37FVoNysWnu5rOwk/GrUKIFJQ4anevQohfXkTO0xJ7WDNzKlT8402i/K5gjgKu5R4WlOABcTj0VdP32jsZLUyHDy7dfdClYmSDYCM99TXb//1JH7S3w12YsvuezLpTo25oHjY3FtVp39Oo6aiDPZ6gjIsRfw5ZREbCHNzvVEIpPjO+Yi3ZOh0z9m+QszROV24mKx9pXeheCsPkoKjFmFXY9cl3jwwRhTo5cDjtxw/OodEE9dJ5mejHnmheXfh3f08uQf6aQKO8DOjHh9mlheT6dWHp3U59CVJBphAejSC4bWdUsBMxadZazzMF/4w0PO1UKBzQL1/oeG/GxHETDA4HflE0zyi6pby+qRH0QHAMhZJv5N6En79Zks/wMf3kGqugPgSeFIbe/459o5EyIu+F6XYEE2FEyRz7LItsAPdfjwR2yfYNcm4PJ9wHq0CBQ92t0k6m0ySHcg2NMgw5FNaj6/RkdtryC2DAJBUeJz6Ct077PSUmGECL+A9ui/2dtdox+5A7JhaSTz5Q6WCFIUM2UJ7bFCVRClZNi/TzBGukQoRLjYRAt6rfhY3+scOnx/JAJ/LQRlQZBWmaL9zTdY6OeZLk/DZLfE/63yf6N/izHwJI8quoE+JHww6JM/p8PBX9cytE5f7J1YNSh6OPeqOi0r4vwTj5a8dB2pGsO0El8VH2m/9HzAurs38YHFhjBc+wu9KTieih/rUdKYZ5sFZ3kJRzCKARUBHRyvUsoJOsdPwxoMv4VZdQuuMHsBwbVkXocqzGK54yWZHGn40Ge6zhdQDJsBGjDQKWQq7ExKZT9B3kTCLdlvZWstR
psygpRbT1/lhOxSB3LC2Sunym+h+ewhskAAPOA59crBUREqbcKPCqKfznJC8jSY+N9zzCNA9P1FmwfK5ZE1M0Fi2FN2yWCrZzpZKVpMAiVsYgdZmqWPTcxN2OLbiYyh/apJurc/x5oGwr0UvoNC9NLHBRYoIoj50c0f2KzgSujh79k9dsBOnWtvpMHVqDpnZundinQgtw1M3PAyNtkZOKYGBwG2ENLRlqKgKhA4YRpLmdrvRDgPZV34sFqv1OeqBgu4iDGvqpoJ7D7TbsuMvgMJSfP4Kq7v8Th7RckYn+KoSTDvehZI9P8flzRemm+cpfUk+yE7gwcpAuVHfCKmPlG4BgqfjtsV2iovNm8RTG4WKfTnsPfbXAIZzbgMuk690f75aL7RY7LswkYkjr0HwFF1+neRJ3Dm7bskPd0i65bmhxnAnPUMDC6eBkEjvZZXNLsO2dsI+lvPdOWGN0d5quVhspo9gHD0j0NV3BGgi/0p1dp9IVH0+XOVV6aPuqNFMvOal6hh4f3zRL0kMBUDCCx+OWXUH++fyImgFiN9QHUDD5UK3JbF0rqSBQSKcbzi4wlrFtnlQUZND2obS3/2Jn6EoZ5ZG6oSDT3+0zcUwyUP7aZyb33oZJuxlchDEr1042PFaPFyaCs8s2HLHmAIaD2YGEk7bnsI778SPxiM0pIHo0WbJ6wEnvvs1fYjBI89sikkUg+t0rG1K8hnnJgI/Dyls9jOjC7BXAqvFuyZdAWVl7krjE/mPlp4oBhP5QLPaNI3ic4vP84jpIS5gM+j5k+LGneqD3Y1ukyoCq6wfnKVrkzGfNyFb1GC4QoW84kC9u9LE8zQwjFNNQqFTS4OB2DAeW/A5zggY5tbKJGo6e7+Nu6YU2HOig/DqXUHqNwjdM1YYYn6MFc0J5PBFpi6iolwbRMGUBAMEu0VOS031es1fMN0Sxf1ni2LmtPM5wWXv49FUcmlGA6/0EVc6OODewgKvwax+EjNPCIeP7s0/NZvFeKSgnHKimivomoEcHf9YDbg+V4CilG1RcnpyhPJ19isBRSVx8wP5cXq50MYhSqc7Dx449Rc1dGDzBmjrIEZtWQCQ99BVzoIRmNp55H1Uzmz4rMRugO+addNM7aXYrCi5aTrxH5aYRJ+I5xw9Otx7gTC+bqlPBWkeuySnuVoZX36symyc73ifgxvSPyt+eGqOXfdmBEBhR26fE0cVjtkGZLAUcVeIX3rD4aPlk7MKMyA7MVMXrKjuPjOQY3+YIw/3V7xOBfgHL9njdr+g4rx+Qt8WRml5v8tiA8BO0DfbTXnCGE3WQo0MlvRgn8+YNzerZ7L9jG3rmd59XRcvs3Y7S+lCJLuDFooY59S123GbMVNy9tzUhumPtF8qwI88n9KRQmnSmCTLdNUb76OCbR6c2YFB6uLbgyRgfHHaWPZcOeIdzImBmv9TiizFOXA2bDNHeDfHNkCIchGO/IP/H++MdrrEDKhMS60vBBFX/f0RsHp3pv1EfbIsdowJGxXRvE3JRRHlBffZnvO4klrRVsqKUKJtuwoBdIa7WJS2hAljTJ2Ok6+xsve30RbAn3voAXe2n5iJuTBdxmQx6EPN0Z2iD3hdZ4EOtyShRTBjvum2yypSCMLw3BWqgFx1h6puDESb914aFObpLjbETQRVS93D01rcj8vaQsybjvXvFVZngHQTiW39pyTP2ppv3ENYFCnhgwvOn3eIY+5Suu1k3TUxGR/k97x0WNR3vsgZl5OFWyoXZv7V1jPvvk5nv145QYjNGx7KGFjQ+GN0NQ==,iv:G7fh1+ejigAt/J96PpmZmfOd4OK1ua2Y1719xWwcSrc=,tag:24ySdvY0BHFPbJF3Viw5Mw==,type:str] + os: + crt: 
ENC[AES256_GCM,data:uHmhU0px1RnZ1lF8cCsi2QDXeupIog2ReH+wAK8OYP+E891e02I2alRazSDajU1bChyjxl8eZ79BrjumQgSv3i6yK04QEAtm0iPc6a1u5kJIUAFdqWvxz1Y40ywtJC5ld4ee/w2ioox/tJEGIC1rNea5g4Hkj6NiWQ/QHjZlwl8PXJ1BFJ9ie1dsslSlB8+G7x//beZx5mD7A7N/LyS/xpls1Q/pOFQfh6rRLL/7hKrXVamNikNDOKfI0Yw0Iv00fUTF/zkroTIk2GGLA6+AyVjaYpCZAR5f86YJ+4Bw3Zpy5Ud6FMA3s/RqjMpa1i/GriaP8g/EPTjAE9RouZY7TDe0HH0W4BMIU6IjishTEeANTvkEBQjR+5lRttCcU8OdqDO2mlEP1CRWHlEhZBwtUfWStGIqPxGk9MRUi+Vwv/L3+OmTfUAaC0u8sJfpDFwwwkF9/XmP4oGF7ZoMaTjBSGeQN19Mi82oNVwhMaEH5Mxs9h37JCGtftxCIYAxKIeWO+Bbccb/2xGcxuDT+TEO+aanea0Yx47t88jFEacFxeFwo7bkbE7FIOr4gEqldVLawqoWmkE6Z39VKAeHLWLYESTg2ET4q0wWPxPxH2V8NjMsNBjpXMmsRHqapXhLcohzKjqGHEbA3GFLElyJpEi2j1CGRtFwPK4DHdJ5ihELthe9GUTSt0qUgJ8uH+KgmuPZAUmhqxzZ5YX7Q2jZdzBim2zkjdZAK+Uvr3vCEn560f86nkfzUZdBfYJReH4BOx1eYphhB3+65gDl1MiBz2IB08sTBETNJgm9KIJT5vZpmge383XkA0jSQllMp42DcUsKzOoD6d66ZOBAE54jwkJp6e0WHzeikxNy4Xp4DMYQtOkcnU4H,iv:y9qfUiu4WFKNj/A1FdqxX+NTpU7ky1Qguk62qEZQB6U=,tag:gNCBERnGX8lCmwc0NvRmew==,type:str] + key: ENC[AES256_GCM,data:g3sWCTmRacmrvRJImvVx8kmQXU+Y2ytY0HAhNur9ZMQWKYe/CwYqxDlKZvj+uzKMqtF3qaPQTe1IbztfjsuRKANBtcoPJpRzr3AS0YXgh2dtF4FKpUmFMqytduhO32ey43G1ul9GcGyJNmaPDxlkrKrRe5+lj5Xhe+eaYKn/ru3OZIUuygTYwbc4G8V7rLf6Or9LMCPh214IQ641Al8ZMMimPtLsoyTtesiv0zbFELay8HKr,iv:2KC9S/JloJUXttkdSc/waJs+/BPDrp42FLH2A7BuJO4=,tag:3LksoswEReighbHN+gSuqA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16vnesw9pd7l556h9lmgv4lyya03xsu2akc5hukhgua8mffukmsms46665n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwOGN2THhad2M2S0F0MWc0 + cElqT3BKQlpJM2JzaEhpTUNnOUFSUVErUnhBCmw2ejA3UEgyTWh4dXQyTlBNZXRa + aFBaUHFjT3lvQ0tyT1ZGRS9rMTQzdEEKLS0tIGlyMXRzUGZSallFZ2h6NXAvTVNt + UW9OZGhJYXJHN2VWMnJubldtVGFMTkkKmKi+u4AvQObtdxJSLJiVQyZlNtJZJyP4 + kfp/mNq1RCxw55efv9ubvrEy2FXyN6Tl7snzxYZgwJW7P8hf5XQguQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-22T07:03:57Z" + mac: 
ENC[AES256_GCM,data:lL3Rs8E4bA4tzizso7sFiQ60mCW0Y63U+O6ojcST1IYtNNMk2LkCo9/c/bT7Is6yhNXSdZM3Qo0vlBgeufsQ9uWpt2SaX0opI2+amg5diUfSqEr/X6mxpwXsu4MNluMacVh92175srmHTr5yeRxbPNYWexkl7T/sablOsWbPnPQ=,iv:ReDdFtmS8xFJcYAIG+h+21EQtfnJyI+JeIPr3hNE+k8=,tag:3b6tVlV4UdzHJvexa2CchQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/kubernetes/flux/apps.yaml b/kubernetes/flux/apps.yaml
new file mode 100644
index 00000000..c4ebba99
--- /dev/null
+++ b/kubernetes/flux/apps.yaml
@@ -0,0 +1,56 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cluster-apps
+ namespace: flux-system
+spec:
+ interval: 30m
+ path: ./kubernetes/apps
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
+ - kind: ConfigMap
+ name: cluster-user-settings
+ optional: true
+ - kind: Secret
+ name: cluster-user-secrets
+ optional: true
+ patches:
+ - patch: |-
+ apiVersion: kustomize.toolkit.fluxcd.io/v1
+ kind: Kustomization
+ metadata:
+ name: not-used
+ spec:
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
+ - kind: ConfigMap
+ name: cluster-user-settings
+ optional: true
+ - kind: Secret
+ name: cluster-user-secrets
+ optional: true
+ target:
+ group: kustomize.toolkit.fluxcd.io
+ kind: Kustomization
+ labelSelector: substitution.flux.home.arpa/disabled notin (true)
diff --git a/kubernetes/flux/config/cluster.yaml b/kubernetes/flux/config/cluster.yaml
new file mode 100644
index 00000000..50e2a17a
--- /dev/null
+++ b/kubernetes/flux/config/cluster.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+ name: home-kubernetes
+ namespace: flux-system
+spec:
+ interval: 30m
+ url: "https://github.com/paulkiernan/homelab"
+ ref:
+ branch: "main"
+ ignore: |
+ # exclude all
+ /*
+ # include kubernetes directory
+ !/kubernetes
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cluster
+ namespace: flux-system
+spec:
+ interval: 30m
+ path: ./kubernetes/flux
+ prune: true
+ wait: false
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
diff --git a/kubernetes/flux/config/flux.yaml b/kubernetes/flux/config/flux.yaml
new file mode 100644
index 00000000..4f9bb975
--- /dev/null
+++ b/kubernetes/flux/config/flux.yaml
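Review bot: The `home-kubernetes` GitRepository tracks `main` of a public GitHub URL with no `spec.verify`, so whatever lands on that branch — including via a compromised forge account or a force-push — is applied with `prune: true` on the next 30m reconcile. Flux's GitRepository v1 supports commit-signature verification, `verify: {mode: HEAD, secretRef: {name: <pgp-public-keys-secret>}}`, which is the standard control for this trust path. If signing is not in use, a comment on the `ref` block recording that the branch is protected on the forge would at least make the assumption visible to the next reader.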
@@ -0,0 +1,86 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+ name: flux-manifests
+ namespace: flux-system
+spec:
+ interval: 10m
+ url: oci://ghcr.io/fluxcd/flux-manifests
+ ref:
+ tag: v2.3.0
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: flux
+ namespace: flux-system
+spec:
+ interval: 10m
+ path: ./
+ prune: true
+ wait: true
+ sourceRef:
+ kind: OCIRepository
+ name: flux-manifests
+ patches:
+ # Remove the network policies
+ - patch: |
+ $patch: delete
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: not-used
+ target:
+ group: networking.k8s.io
+ kind: NetworkPolicy
+ # Increase the number of reconciliations that can be performed in parallel and bump the resources limits
+ # https://fluxcd.io/flux/cheatsheets/bootstrap/#increase-the-number-of-workers
+ - patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --concurrent=8
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --kube-api-qps=500
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --kube-api-burst=1000
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --requeue-dependency=5s
+ target:
+ kind: Deployment
+ name: (kustomize-controller|helm-controller|source-controller)
+ - patch: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: not-used
+ spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 2Gi
+ target:
+ kind: Deployment
+ name: (kustomize-controller|helm-controller|source-controller)
+ # Enable Helm near OOM detection
+ # https://fluxcd.io/flux/cheatsheets/bootstrap/#enable-helm-near-oom-detection
+ - patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --feature-gates=OOMWatch=true
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --oom-watch-memory-threshold=95
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --oom-watch-interval=500ms
+ target:
+ kind: Deployment
+ name: helm-controller
diff --git a/kubernetes/flux/config/kustomization.yaml b/kubernetes/flux/config/kustomization.yaml
new file mode 100644
index 00000000..ef231746
--- /dev/null
+++ b/kubernetes/flux/config/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./flux.yaml
+ - ./cluster.yaml
diff --git a/kubernetes/flux/repositories/git/kustomization.yaml b/kubernetes/flux/repositories/git/kustomization.yaml
new file mode 100644
index 00000000..fe0f332a
--- /dev/null
+++ b/kubernetes/flux/repositories/git/kustomization.yaml
@@ -0,0 +1,4 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: []
diff --git a/kubernetes/flux/repositories/helm/bjw-s.yaml b/kubernetes/flux/repositories/helm/bjw-s.yaml
new file mode 100644
index 00000000..a40b5d77
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/bjw-s.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: bjw-s
+ namespace: flux-system
+spec:
+ type: oci
+ interval: 5m
+ url: oci://ghcr.io/bjw-s/helm
diff --git a/kubernetes/flux/repositories/helm/cilium.yaml b/kubernetes/flux/repositories/helm/cilium.yaml
new file mode 100644
index 00000000..3aee3678
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/cilium.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: cilium
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://helm.cilium.io
diff --git a/kubernetes/flux/repositories/helm/coredns.yaml b/kubernetes/flux/repositories/helm/coredns.yaml
new file mode 100644
index 00000000..3bdbbafb
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/coredns.yaml
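Review bot: The first patch in the `flux` Kustomization deletes every NetworkPolicy shipped by the upstream flux-manifests, which removes the default deny-ingress posture for `flux-system` (with its scraping and webhook exceptions), and nothing in this commit adds a replacement policy for the namespace. The comment `# Remove the network policies` records what is done but not why, so a reviewer cannot tell whether a Cilium-level policy is expected to cover it. Replacing it with something like `# upstream NetworkPolicies removed; the equivalent Cilium policy for flux-system lives in <path-to-replacement>` (or a statement that the namespace is intentionally open) would let the next reader verify the compensating control exists.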
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: coredns
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://coredns.github.io/helm
diff --git a/kubernetes/flux/repositories/helm/external-dns.yaml b/kubernetes/flux/repositories/helm/external-dns.yaml
new file mode 100644
index 00000000..a4451266
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/external-dns.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: external-dns
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://kubernetes-sigs.github.io/external-dns
diff --git a/kubernetes/flux/repositories/helm/ingress-nginx.yaml b/kubernetes/flux/repositories/helm/ingress-nginx.yaml
new file mode 100644
index 00000000..82a0d0ff
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/ingress-nginx.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: ingress-nginx
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://kubernetes.github.io/ingress-nginx
diff --git a/kubernetes/flux/repositories/helm/jetstack.yaml b/kubernetes/flux/repositories/helm/jetstack.yaml
new file mode 100644
index 00000000..737e06af
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/jetstack.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: jetstack
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://charts.jetstack.io
diff --git a/kubernetes/flux/repositories/helm/k8s-gateway.yaml b/kubernetes/flux/repositories/helm/k8s-gateway.yaml
new file mode 100644
index 00000000..63a90615
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/k8s-gateway.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: k8s-gateway
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://ori-edge.github.io/k8s_gateway
diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml
new file mode 100644
index 00000000..004f10de
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/kustomization.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./bjw-s.yaml
+ - ./cilium.yaml
+ - ./coredns.yaml
+ - ./jetstack.yaml
+ - ./metrics-server.yaml
+ - ./openebs.yaml
+ - ./postfinance.yaml
+ - ./prometheus-community.yaml
+ - ./spegel.yaml
+ - ./stakater.yaml
+ - ./external-dns.yaml
+ - ./ingress-nginx.yaml
+ - ./k8s-gateway.yaml
diff --git a/kubernetes/flux/repositories/helm/metrics-server.yaml b/kubernetes/flux/repositories/helm/metrics-server.yaml
new file mode 100644
index 00000000..27a44828
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/metrics-server.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: metrics-server
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://kubernetes-sigs.github.io/metrics-server
diff --git a/kubernetes/flux/repositories/helm/openebs.yaml b/kubernetes/flux/repositories/helm/openebs.yaml
new file mode 100644
index 00000000..4f48013e
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/openebs.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: openebs
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://openebs.github.io/openebs
diff --git a/kubernetes/flux/repositories/helm/postfinance.yaml b/kubernetes/flux/repositories/helm/postfinance.yaml
new file mode 100644
index 00000000..b14a64d8
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/postfinance.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: postfinance
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://postfinance.github.io/kubelet-csr-approver
diff --git a/kubernetes/flux/repositories/helm/prometheus-community.yaml b/kubernetes/flux/repositories/helm/prometheus-community.yaml
new file mode 100644
index 00000000..318a1a51
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/prometheus-community.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: prometheus-community
+ namespace: flux-system
+spec:
+ type: oci
+ interval: 5m
+ url: oci://ghcr.io/prometheus-community/charts
diff --git a/kubernetes/flux/repositories/helm/spegel.yaml b/kubernetes/flux/repositories/helm/spegel.yaml
new file mode 100644
index 00000000..d9a8b2cd
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/spegel.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: spegel
+ namespace: flux-system
+spec:
+ type: oci
+ interval: 5m
+ url: oci://ghcr.io/spegel-org/helm-charts
diff --git a/kubernetes/flux/repositories/helm/stakater.yaml b/kubernetes/flux/repositories/helm/stakater.yaml
new file mode 100644
index 00000000..c727f37f
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/stakater.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: stakater
+ namespace: flux-system
+spec:
+ type: oci
+ interval: 5m
+ url: oci://ghcr.io/stakater/charts
diff --git a/kubernetes/flux/repositories/kustomization.yaml b/kubernetes/flux/repositories/kustomization.yaml
new file mode 100644
index 00000000..d158d426
--- /dev/null
+++ b/kubernetes/flux/repositories/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./git
+ - ./helm
+ - ./oci
diff --git a/kubernetes/flux/repositories/oci/kustomization.yaml b/kubernetes/flux/repositories/oci/kustomization.yaml
new file mode 100644
index 00000000..fe0f332a
--- /dev/null
+++ b/kubernetes/flux/repositories/oci/kustomization.yaml
@@ -0,0 +1,4 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: []
diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml b/kubernetes/flux/vars/cluster-secrets.sops.yaml
new file mode 100644
index 00000000..81dc2970
--- /dev/null
+++ b/kubernetes/flux/vars/cluster-secrets.sops.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cluster-secrets
+ namespace: flux-system
+stringData:
+ SECRET_DOMAIN: ""
+ SECRET_ACME_EMAIL: ""
+ SECRET_CLOUDFLARE_TUNNEL_ID: ""
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age16vnesw9pd7l556h9lmgv4lyya03xsu2akc5hukhgua8mffukmsms46665n
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3d0JzOWFVbXRFOGtXdCti
+ MDNRZGZEajFJRGdKLzZIK2F5Y0tSb3luQ0hjCjBWNDlOODJVNVhqYUNDSFliUWV0
+ bkRUWmxTdFAwOWpFdVBTbDI1VWhsT2sKLS0tIGNvaDN4cmhJOVloMHBnQkFXRTZw
+ UGwvNDBOTWNlaW0vOThrelgzdE9wVVUKKNanAVd+8oqjQTQSjWTGnrnz8uj4SNRu
+ KtIcsw+VXsLTya44qKz3cTvi/S5phAFNDU1Kd/XQupsIPc1FBq1W4A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-08-22T07:06:26Z"
+ mac: ENC[AES256_GCM,data:Pzig5LCekDQUFDVjWjrMvXfgFgTM1cUXUpWN0u36aSeUc5IR/uMDR2XQ9ruJGoBy6hm+tSyBqZo1n1Hsr+rMY/GDm3yrcRZrNaomQKgBTrG9UiC/eRJuThd/RNqz83SlcrG0LDXAeYwqBZQRTlVNb0k13T1sf0gvhS9bwhdbrvc=,iv:qsjK9UXOJtcl5q1uIyhaAUPEU+inJS6i3cKhKD0binM=,tag:DYHlcjMHvdauK20GUjXBvw==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.0
diff --git a/kubernetes/flux/vars/cluster-settings.yaml b/kubernetes/flux/vars/cluster-settings.yaml
new file mode 100644
index 00000000..b64f194e
--- /dev/null
+++ b/kubernetes/flux/vars/cluster-settings.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cluster-settings
+ namespace: flux-system
+data:
+ SETTING_EXAMPLE: Global settings for your cluster go in this file, this file is NOT encrypted
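Review bot: The three `stringData` values in cluster-secrets.sops.yaml are committed as plaintext `""` next to a populated `mac`; as I recall sops leaves empty strings unencrypted, so this is a placeholder that only stays safe if real values are entered through `sops` so they are encrypted and the MAC recomputed — a value pasted straight into the file would land in git in the clear and, I believe, also fail the MAC check when kustomize-controller decrypts it. `encrypted_regex: ^(data|stringData)$` is the right scope and the age recipient is a public key, so nothing sensitive is exposed by the file as committed. As a style point, this Secret and vars/kustomization.yaml in the next hunk omit the leading `---` that every other new YAML file in this commit starts with. The `SETTING_EXAMPLE` value in cluster-settings.yaml already documents that ConfigMap as unencrypted; a matching one-line comment at the top of the Secret, e.g. `# placeholder values — edit only via sops so they are encrypted before commit`, would make the same contract explicit here.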
diff --git a/kubernetes/flux/vars/kustomization.yaml b/kubernetes/flux/vars/kustomization.yaml
new file mode 100644
index 00000000..8db2fe91
--- /dev/null
+++ b/kubernetes/flux/vars/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./cluster-settings.yaml
+ - ./cluster-secrets.sops.yaml
diff --git a/poetry.lock b/poetry.lock
deleted file mode 100644
index 6bee75d8..00000000
--- a/poetry.lock
+++ /dev/null
@@ -1,541 +0,0 @@ -# This file is automatically @generated by Poetry 1.5.1 and should not be changed by hand. - -[[package]] -name = "ansible" -version = "7.0.0" -description = "Radically simple IT automation" -optional = false -python-versions = ">=3.9" -files = [ - {file = "ansible-7.0.0-py3-none-any.whl", hash = "sha256:2e9f519441780595ab173ac017210efc94c58633c9bc6e55917745d214cb4332"}, - {file = "ansible-7.0.0.tar.gz", hash = "sha256:73144e7e602715fab623005d2e71e503dddae86185e061fed861b2449c5618ea"}, -] - -[package.dependencies] -ansible-core = ">=2.14.0,<2.15.0" - -[[package]] -name = "ansible-core" -version = "2.14.7" -description = "Radically simple IT automation" -optional = false -python-versions = ">=3.9" -files = [ - {file = "ansible-core-2.14.7.tar.gz", hash = "sha256:2be26d617483b2b1621ec93ca57f2e24faace90cb9f07d8dca3f68a8428d9cd6"}, - {file = "ansible_core-2.14.7-py3-none-any.whl", hash = "sha256:a909b8cbdd8652796aa3e161d60d65bb18f210bdde27664f3e489e239950ad85"}, -] - -[package.dependencies] -cryptography = "*" -jinja2 = ">=3.0.0" -packaging = "*" -PyYAML = ">=5.1" -resolvelib = ">=0.5.3,<0.9.0" - -[[package]] -name = "attrs" -version = "21.4.0" -description = "Classes Without Boilerplate" -optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" -files = [ - {file = "attrs-21.4.0-py2.py3-none-any.whl", hash = "sha256:2d27e3784d7a565d36ab851fe94887c5eccd6a463168875832a1be79c82828b4"}, - {file = "attrs-21.4.0.tar.gz", hash = "sha256:626ba8234211db98e869df76230a137c4c40a12d72445c45d5f5b716f076e2fd"}, -] - -[package.extras] -dev = ["cloudpickle", "coverage[toml] (>=5.0.2)", "furo", "hypothesis", "mypy", "pre-commit", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", "six", "sphinx", "sphinx-notfound-page", "zope.interface"] -docs = ["furo", "sphinx", "sphinx-notfound-page", "zope.interface"] -tests = ["cloudpickle", "coverage[toml] (>=5.0.2)", "hypothesis", "mypy", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", 
"six", "zope.interface"] -tests-no-zope = ["cloudpickle", "coverage[toml] (>=5.0.2)", "hypothesis", "mypy", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", "six"] - -[[package]] -name = "cffi" -version = "1.15.0" -description = "Foreign Function Interface for Python calling C code." -optional = false -python-versions = "*" -files = [ - {file = "cffi-1.15.0-cp27-cp27m-macosx_10_9_x86_64.whl", hash = "sha256:c2502a1a03b6312837279c8c1bd3ebedf6c12c4228ddbad40912d671ccc8a962"}, - {file = "cffi-1.15.0-cp27-cp27m-manylinux1_i686.whl", hash = "sha256:23cfe892bd5dd8941608f93348c0737e369e51c100d03718f108bf1add7bd6d0"}, - {file = "cffi-1.15.0-cp27-cp27m-manylinux1_x86_64.whl", hash = "sha256:41d45de54cd277a7878919867c0f08b0cf817605e4eb94093e7516505d3c8d14"}, - {file = "cffi-1.15.0-cp27-cp27m-win32.whl", hash = "sha256:4a306fa632e8f0928956a41fa8e1d6243c71e7eb59ffbd165fc0b41e316b2474"}, - {file = "cffi-1.15.0-cp27-cp27m-win_amd64.whl", hash = "sha256:e7022a66d9b55e93e1a845d8c9eba2a1bebd4966cd8bfc25d9cd07d515b33fa6"}, - {file = "cffi-1.15.0-cp27-cp27mu-manylinux1_i686.whl", hash = "sha256:14cd121ea63ecdae71efa69c15c5543a4b5fbcd0bbe2aad864baca0063cecf27"}, - {file = "cffi-1.15.0-cp27-cp27mu-manylinux1_x86_64.whl", hash = "sha256:d4d692a89c5cf08a8557fdeb329b82e7bf609aadfaed6c0d79f5a449a3c7c023"}, - {file = "cffi-1.15.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:0104fb5ae2391d46a4cb082abdd5c69ea4eab79d8d44eaaf79f1b1fd806ee4c2"}, - {file = "cffi-1.15.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:91ec59c33514b7c7559a6acda53bbfe1b283949c34fe7440bcf917f96ac0723e"}, - {file = "cffi-1.15.0-cp310-cp310-manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:f5c7150ad32ba43a07c4479f40241756145a1f03b43480e058cfd862bf5041c7"}, - {file = "cffi-1.15.0-cp310-cp310-manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:00c878c90cb53ccfaae6b8bc18ad05d2036553e6d9d1d9dbcf323bbe83854ca3"}, - {file = 
"cffi-1.15.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:abb9a20a72ac4e0fdb50dae135ba5e77880518e742077ced47eb1499e29a443c"}, - {file = "cffi-1.15.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a5263e363c27b653a90078143adb3d076c1a748ec9ecc78ea2fb916f9b861962"}, - {file = "cffi-1.15.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f54a64f8b0c8ff0b64d18aa76675262e1700f3995182267998c31ae974fbc382"}, - {file = "cffi-1.15.0-cp310-cp310-win32.whl", hash = "sha256:c21c9e3896c23007803a875460fb786118f0cdd4434359577ea25eb556e34c55"}, - {file = "cffi-1.15.0-cp310-cp310-win_amd64.whl", hash = "sha256:5e069f72d497312b24fcc02073d70cb989045d1c91cbd53979366077959933e0"}, - {file = "cffi-1.15.0-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:64d4ec9f448dfe041705426000cc13e34e6e5bb13736e9fd62e34a0b0c41566e"}, - {file = "cffi-1.15.0-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2756c88cbb94231c7a147402476be2c4df2f6078099a6f4a480d239a8817ae39"}, - {file = "cffi-1.15.0-cp36-cp36m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3b96a311ac60a3f6be21d2572e46ce67f09abcf4d09344c49274eb9e0bf345fc"}, - {file = "cffi-1.15.0-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:75e4024375654472cc27e91cbe9eaa08567f7fbdf822638be2814ce059f58032"}, - {file = "cffi-1.15.0-cp36-cp36m-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:59888172256cac5629e60e72e86598027aca6bf01fa2465bdb676d37636573e8"}, - {file = "cffi-1.15.0-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:27c219baf94952ae9d50ec19651a687b826792055353d07648a5695413e0c605"}, - {file = "cffi-1.15.0-cp36-cp36m-win32.whl", hash = "sha256:4958391dbd6249d7ad855b9ca88fae690783a6be9e86df65865058ed81fc860e"}, - {file = "cffi-1.15.0-cp36-cp36m-win_amd64.whl", hash = "sha256:f6f824dc3bce0edab5f427efcfb1d63ee75b6fcb7282900ccaf925be84efb0fc"}, - {file = 
"cffi-1.15.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:06c48159c1abed75c2e721b1715c379fa3200c7784271b3c46df01383b593636"}, - {file = "cffi-1.15.0-cp37-cp37m-manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:c2051981a968d7de9dd2d7b87bcb9c939c74a34626a6e2f8181455dd49ed69e4"}, - {file = "cffi-1.15.0-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:fd8a250edc26254fe5b33be00402e6d287f562b6a5b2152dec302fa15bb3e997"}, - {file = "cffi-1.15.0-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:91d77d2a782be4274da750752bb1650a97bfd8f291022b379bb8e01c66b4e96b"}, - {file = "cffi-1.15.0-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:45db3a33139e9c8f7c09234b5784a5e33d31fd6907800b316decad50af323ff2"}, - {file = "cffi-1.15.0-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:263cc3d821c4ab2213cbe8cd8b355a7f72a8324577dc865ef98487c1aeee2bc7"}, - {file = "cffi-1.15.0-cp37-cp37m-win32.whl", hash = "sha256:17771976e82e9f94976180f76468546834d22a7cc404b17c22df2a2c81db0c66"}, - {file = "cffi-1.15.0-cp37-cp37m-win_amd64.whl", hash = "sha256:3415c89f9204ee60cd09b235810be700e993e343a408693e80ce7f6a40108029"}, - {file = "cffi-1.15.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:4238e6dab5d6a8ba812de994bbb0a79bddbdf80994e4ce802b6f6f3142fcc880"}, - {file = "cffi-1.15.0-cp38-cp38-manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:0808014eb713677ec1292301ea4c81ad277b6cdf2fdd90fd540af98c0b101d20"}, - {file = "cffi-1.15.0-cp38-cp38-manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:57e9ac9ccc3101fac9d6014fba037473e4358ef4e89f8e181f8951a2c0162024"}, - {file = "cffi-1.15.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8b6c2ea03845c9f501ed1313e78de148cd3f6cad741a75d43a29b43da27f2e1e"}, - {file = "cffi-1.15.0-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = 
"sha256:10dffb601ccfb65262a27233ac273d552ddc4d8ae1bf93b21c94b8511bffe728"}, - {file = "cffi-1.15.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:786902fb9ba7433aae840e0ed609f45c7bcd4e225ebb9c753aa39725bb3e6ad6"}, - {file = "cffi-1.15.0-cp38-cp38-win32.whl", hash = "sha256:da5db4e883f1ce37f55c667e5c0de439df76ac4cb55964655906306918e7363c"}, - {file = "cffi-1.15.0-cp38-cp38-win_amd64.whl", hash = "sha256:181dee03b1170ff1969489acf1c26533710231c58f95534e3edac87fff06c443"}, - {file = "cffi-1.15.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:45e8636704eacc432a206ac7345a5d3d2c62d95a507ec70d62f23cd91770482a"}, - {file = "cffi-1.15.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:31fb708d9d7c3f49a60f04cf5b119aeefe5644daba1cd2a0fe389b674fd1de37"}, - {file = "cffi-1.15.0-cp39-cp39-manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:6dc2737a3674b3e344847c8686cf29e500584ccad76204efea14f451d4cc669a"}, - {file = "cffi-1.15.0-cp39-cp39-manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:74fdfdbfdc48d3f47148976f49fab3251e550a8720bebc99bf1483f5bfb5db3e"}, - {file = "cffi-1.15.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ffaa5c925128e29efbde7301d8ecaf35c8c60ffbcd6a1ffd3a552177c8e5e796"}, - {file = "cffi-1.15.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3f7d084648d77af029acb79a0ff49a0ad7e9d09057a9bf46596dac9514dc07df"}, - {file = "cffi-1.15.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:ef1f279350da2c586a69d32fc8733092fd32cc8ac95139a00377841f59a3f8d8"}, - {file = "cffi-1.15.0-cp39-cp39-win32.whl", hash = "sha256:2a23af14f408d53d5e6cd4e3d9a24ff9e05906ad574822a10563efcef137979a"}, - {file = "cffi-1.15.0-cp39-cp39-win_amd64.whl", hash = "sha256:3773c4d81e6e818df2efbc7dd77325ca0dcb688116050fb2b3011218eda36139"}, - {file = "cffi-1.15.0.tar.gz", hash = "sha256:920f0d66a896c2d99f0adbb391f990a84091179542c205fa53ce5787aff87954"}, -] - 
-[package.dependencies] -pycparser = "*" - -[[package]] -name = "cfgv" -version = "3.3.1" -description = "Validate configuration and produce human readable error messages." -optional = false -python-versions = ">=3.6.1" -files = [ - {file = "cfgv-3.3.1-py2.py3-none-any.whl", hash = "sha256:c6a0883f3917a037485059700b9e75da2464e6c27051014ad85ba6aaa5884426"}, - {file = "cfgv-3.3.1.tar.gz", hash = "sha256:f5a830efb9ce7a445376bb66ec94c638a9787422f96264c98edc6bdeed8ab736"}, -] - -[[package]] -name = "colorama" -version = "0.4.4" -description = "Cross-platform colored terminal text." -optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" -files = [ - {file = "colorama-0.4.4-py2.py3-none-any.whl", hash = "sha256:9f47eda37229f68eee03b24b9748937c7dc3868f906e8ba69fbcbdd3bc5dc3e2"}, - {file = "colorama-0.4.4.tar.gz", hash = "sha256:5941b2b48a20143d2267e95b1c2a7603ce057ee39fd88e7329b0c292aa16869b"}, -] - -[[package]] -name = "cryptography" -version = "37.0.2" -description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers." 
-optional = false -python-versions = ">=3.6" -files = [ - {file = "cryptography-37.0.2-cp36-abi3-macosx_10_10_universal2.whl", hash = "sha256:ef15c2df7656763b4ff20a9bc4381d8352e6640cfeb95c2972c38ef508e75181"}, - {file = "cryptography-37.0.2-cp36-abi3-macosx_10_10_x86_64.whl", hash = "sha256:3c81599befb4d4f3d7648ed3217e00d21a9341a9a688ecdd615ff72ffbed7336"}, - {file = "cryptography-37.0.2-cp36-abi3-manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:2bd1096476aaac820426239ab534b636c77d71af66c547b9ddcd76eb9c79e004"}, - {file = "cryptography-37.0.2-cp36-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.manylinux_2_24_aarch64.whl", hash = "sha256:31fe38d14d2e5f787e0aecef831457da6cec68e0bb09a35835b0b44ae8b988fe"}, - {file = "cryptography-37.0.2-cp36-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:093cb351031656d3ee2f4fa1be579a8c69c754cf874206be1d4cf3b542042804"}, - {file = "cryptography-37.0.2-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:59b281eab51e1b6b6afa525af2bd93c16d49358404f814fe2c2410058623928c"}, - {file = "cryptography-37.0.2-cp36-abi3-manylinux_2_24_x86_64.whl", hash = "sha256:0cc20f655157d4cfc7bada909dc5cc228211b075ba8407c46467f63597c78178"}, - {file = "cryptography-37.0.2-cp36-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:f8ec91983e638a9bcd75b39f1396e5c0dc2330cbd9ce4accefe68717e6779e0a"}, - {file = "cryptography-37.0.2-cp36-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:46f4c544f6557a2fefa7ac8ac7d1b17bf9b647bd20b16decc8fbcab7117fbc15"}, - {file = "cryptography-37.0.2-cp36-abi3-win32.whl", hash = "sha256:731c8abd27693323b348518ed0e0705713a36d79fdbd969ad968fbef0979a7e0"}, - {file = "cryptography-37.0.2-cp36-abi3-win_amd64.whl", hash = "sha256:471e0d70201c069f74c837983189949aa0d24bb2d751b57e26e3761f2f782b8d"}, - {file = "cryptography-37.0.2-pp37-pypy37_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a68254dd88021f24a68b613d8c51d5c5e74d735878b9e32cc0adf19d1f10aaf9"}, - {file = 
"cryptography-37.0.2-pp37-pypy37_pp73-manylinux_2_24_x86_64.whl", hash = "sha256:a7d5137e556cc0ea418dca6186deabe9129cee318618eb1ffecbd35bee55ddc1"}, - {file = "cryptography-37.0.2-pp38-pypy38_pp73-macosx_10_10_x86_64.whl", hash = "sha256:aeaba7b5e756ea52c8861c133c596afe93dd716cbcacae23b80bc238202dc023"}, - {file = "cryptography-37.0.2-pp38-pypy38_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:95e590dd70642eb2079d280420a888190aa040ad20f19ec8c6e097e38aa29e06"}, - {file = "cryptography-37.0.2-pp38-pypy38_pp73-manylinux_2_24_x86_64.whl", hash = "sha256:1b9362d34363f2c71b7853f6251219298124aa4cc2075ae2932e64c91a3e2717"}, - {file = "cryptography-37.0.2-pp38-pypy38_pp73-win_amd64.whl", hash = "sha256:e53258e69874a306fcecb88b7534d61820db8a98655662a3dd2ec7f1afd9132f"}, - {file = "cryptography-37.0.2-pp39-pypy39_pp73-macosx_10_10_x86_64.whl", hash = "sha256:1f3bfbd611db5cb58ca82f3deb35e83af34bb8cf06043fa61500157d50a70982"}, - {file = "cryptography-37.0.2-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:419c57d7b63f5ec38b1199a9521d77d7d1754eb97827bbb773162073ccd8c8d4"}, - {file = "cryptography-37.0.2-pp39-pypy39_pp73-manylinux_2_24_x86_64.whl", hash = "sha256:dc26bb134452081859aa21d4990474ddb7e863aa39e60d1592800a8865a702de"}, - {file = "cryptography-37.0.2-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:3b8398b3d0efc420e777c40c16764d6870bcef2eb383df9c6dbb9ffe12c64452"}, - {file = "cryptography-37.0.2.tar.gz", hash = "sha256:f224ad253cc9cea7568f49077007d2263efa57396a2f2f78114066fd54b5c68e"}, -] - -[package.dependencies] -cffi = ">=1.12" - -[package.extras] -docs = ["sphinx (>=1.6.5,!=1.8.0,!=3.1.0,!=3.1.1)", "sphinx-rtd-theme"] -docstest = ["pyenchant (>=1.6.11)", "sphinxcontrib-spelling (>=4.0.1)", "twine (>=1.12.0)"] -pep8test = ["black", "flake8", "flake8-import-order", "pep8-naming"] -sdist = ["setuptools-rust (>=0.11.4)"] -ssh = ["bcrypt (>=3.1.5)"] -test = ["hypothesis (>=1.11.4,!=3.79.2)", "iso8601", "pretend", 
"pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-subtests", "pytest-xdist", "pytz"] - -[[package]] -name = "distlib" -version = "0.3.4" -description = "Distribution utilities" -optional = false -python-versions = "*" -files = [ - {file = "distlib-0.3.4-py2.py3-none-any.whl", hash = "sha256:6564fe0a8f51e734df6333d08b8b94d4ea8ee6b99b5ed50613f731fd4089f34b"}, - {file = "distlib-0.3.4.zip", hash = "sha256:e4b58818180336dc9c529bfb9a0b58728ffc09ad92027a3f30b7cd91e3458579"}, -] - -[[package]] -name = "exceptiongroup" -version = "1.1.1" -description = "Backport of PEP 654 (exception groups)" -optional = false -python-versions = ">=3.7" -files = [ - {file = "exceptiongroup-1.1.1-py3-none-any.whl", hash = "sha256:232c37c63e4f682982c8b6459f33a8981039e5fb8756b2074364e5055c498c9e"}, - {file = "exceptiongroup-1.1.1.tar.gz", hash = "sha256:d484c3090ba2889ae2928419117447a14daf3c1231d5e30d0aae34f354f01785"}, -] - -[package.extras] -test = ["pytest (>=6)"] - -[[package]] -name = "filelock" -version = "3.7.1" -description = "A platform independent file lock." 
-optional = false -python-versions = ">=3.7" -files = [ - {file = "filelock-3.7.1-py3-none-any.whl", hash = "sha256:37def7b658813cda163b56fc564cdc75e86d338246458c4c28ae84cabefa2404"}, - {file = "filelock-3.7.1.tar.gz", hash = "sha256:3a0fd85166ad9dbab54c9aec96737b744106dc5f15c0b09a6744a445299fcf04"}, -] - -[package.extras] -docs = ["furo (>=2021.8.17b43)", "sphinx (>=4.1)", "sphinx-autodoc-typehints (>=1.12)"] -testing = ["covdefaults (>=1.2.0)", "coverage (>=4)", "pytest (>=4)", "pytest-cov", "pytest-timeout (>=1.4.2)"] - -[[package]] -name = "identify" -version = "2.5.1" -description = "File identification library for Python" -optional = false -python-versions = ">=3.7" -files = [ - {file = "identify-2.5.1-py2.py3-none-any.whl", hash = "sha256:0dca2ea3e4381c435ef9c33ba100a78a9b40c0bab11189c7cf121f75815efeaa"}, - {file = "identify-2.5.1.tar.gz", hash = "sha256:3d11b16f3fe19f52039fb7e39c9c884b21cb1b586988114fbe42671f03de3e82"}, -] - -[package.extras] -license = ["ukkonen"] - -[[package]] -name = "iniconfig" -version = "2.0.0" -description = "brain-dead simple config-ini parsing" -optional = false -python-versions = ">=3.7" -files = [ - {file = "iniconfig-2.0.0-py3-none-any.whl", hash = "sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374"}, - {file = "iniconfig-2.0.0.tar.gz", hash = "sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3"}, -] - -[[package]] -name = "jinja2" -version = "3.1.2" -description = "A very fast and expressive template engine." 
-optional = false -python-versions = ">=3.7" -files = [ - {file = "Jinja2-3.1.2-py3-none-any.whl", hash = "sha256:6088930bfe239f0e6710546ab9c19c9ef35e29792895fed6e6e31a023a182a61"}, - {file = "Jinja2-3.1.2.tar.gz", hash = "sha256:31351a702a408a9e7595a8fc6150fc3f43bb6bf7e319770cbc0db9df9437e852"}, -] - -[package.dependencies] -MarkupSafe = ">=2.0" - -[package.extras] -i18n = ["Babel (>=2.7)"] - -[[package]] -name = "markupsafe" -version = "2.1.1" -description = "Safely add untrusted strings to HTML/XML markup." -optional = false -python-versions = ">=3.7" -files = [ - {file = "MarkupSafe-2.1.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:86b1f75c4e7c2ac2ccdaec2b9022845dbb81880ca318bb7a0a01fbf7813e3812"}, - {file = "MarkupSafe-2.1.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:f121a1420d4e173a5d96e47e9a0c0dcff965afdf1626d28de1460815f7c4ee7a"}, - {file = "MarkupSafe-2.1.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a49907dd8420c5685cfa064a1335b6754b74541bbb3706c259c02ed65b644b3e"}, - {file = "MarkupSafe-2.1.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:10c1bfff05d95783da83491be968e8fe789263689c02724e0c691933c52994f5"}, - {file = "MarkupSafe-2.1.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b7bd98b796e2b6553da7225aeb61f447f80a1ca64f41d83612e6139ca5213aa4"}, - {file = "MarkupSafe-2.1.1-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:b09bf97215625a311f669476f44b8b318b075847b49316d3e28c08e41a7a573f"}, - {file = "MarkupSafe-2.1.1-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:694deca8d702d5db21ec83983ce0bb4b26a578e71fbdbd4fdcd387daa90e4d5e"}, - {file = "MarkupSafe-2.1.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:efc1913fd2ca4f334418481c7e595c00aad186563bbc1ec76067848c7ca0a933"}, - {file = "MarkupSafe-2.1.1-cp310-cp310-win32.whl", hash = 
"sha256:4a33dea2b688b3190ee12bd7cfa29d39c9ed176bda40bfa11099a3ce5d3a7ac6"}, - {file = "MarkupSafe-2.1.1-cp310-cp310-win_amd64.whl", hash = "sha256:dda30ba7e87fbbb7eab1ec9f58678558fd9a6b8b853530e176eabd064da81417"}, - {file = "MarkupSafe-2.1.1-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:671cd1187ed5e62818414afe79ed29da836dde67166a9fac6d435873c44fdd02"}, - {file = "MarkupSafe-2.1.1-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3799351e2336dc91ea70b034983ee71cf2f9533cdff7c14c90ea126bfd95d65a"}, - {file = "MarkupSafe-2.1.1-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e72591e9ecd94d7feb70c1cbd7be7b3ebea3f548870aa91e2732960fa4d57a37"}, - {file = "MarkupSafe-2.1.1-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6fbf47b5d3728c6aea2abb0589b5d30459e369baa772e0f37a0320185e87c980"}, - {file = "MarkupSafe-2.1.1-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:d5ee4f386140395a2c818d149221149c54849dfcfcb9f1debfe07a8b8bd63f9a"}, - {file = "MarkupSafe-2.1.1-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:bcb3ed405ed3222f9904899563d6fc492ff75cce56cba05e32eff40e6acbeaa3"}, - {file = "MarkupSafe-2.1.1-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:e1c0b87e09fa55a220f058d1d49d3fb8df88fbfab58558f1198e08c1e1de842a"}, - {file = "MarkupSafe-2.1.1-cp37-cp37m-win32.whl", hash = "sha256:8dc1c72a69aa7e082593c4a203dcf94ddb74bb5c8a731e4e1eb68d031e8498ff"}, - {file = "MarkupSafe-2.1.1-cp37-cp37m-win_amd64.whl", hash = "sha256:97a68e6ada378df82bc9f16b800ab77cbf4b2fada0081794318520138c088e4a"}, - {file = "MarkupSafe-2.1.1-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:e8c843bbcda3a2f1e3c2ab25913c80a3c5376cd00c6e8c4a86a89a28c8dc5452"}, - {file = "MarkupSafe-2.1.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:0212a68688482dc52b2d45013df70d169f542b7394fc744c02a57374a4207003"}, - {file = 
"MarkupSafe-2.1.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8e576a51ad59e4bfaac456023a78f6b5e6e7651dcd383bcc3e18d06f9b55d6d1"}, - {file = "MarkupSafe-2.1.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4b9fe39a2ccc108a4accc2676e77da025ce383c108593d65cc909add5c3bd601"}, - {file = "MarkupSafe-2.1.1-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:96e37a3dc86e80bf81758c152fe66dbf60ed5eca3d26305edf01892257049925"}, - {file = "MarkupSafe-2.1.1-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:6d0072fea50feec76a4c418096652f2c3238eaa014b2f94aeb1d56a66b41403f"}, - {file = "MarkupSafe-2.1.1-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:089cf3dbf0cd6c100f02945abeb18484bd1ee57a079aefd52cffd17fba910b88"}, - {file = "MarkupSafe-2.1.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:6a074d34ee7a5ce3effbc526b7083ec9731bb3cbf921bbe1d3005d4d2bdb3a63"}, - {file = "MarkupSafe-2.1.1-cp38-cp38-win32.whl", hash = "sha256:421be9fbf0ffe9ffd7a378aafebbf6f4602d564d34be190fc19a193232fd12b1"}, - {file = "MarkupSafe-2.1.1-cp38-cp38-win_amd64.whl", hash = "sha256:fc7b548b17d238737688817ab67deebb30e8073c95749d55538ed473130ec0c7"}, - {file = "MarkupSafe-2.1.1-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:e04e26803c9c3851c931eac40c695602c6295b8d432cbe78609649ad9bd2da8a"}, - {file = "MarkupSafe-2.1.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:b87db4360013327109564f0e591bd2a3b318547bcef31b468a92ee504d07ae4f"}, - {file = "MarkupSafe-2.1.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:99a2a507ed3ac881b975a2976d59f38c19386d128e7a9a18b7df6fff1fd4c1d6"}, - {file = "MarkupSafe-2.1.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:56442863ed2b06d19c37f94d999035e15ee982988920e12a5b4ba29b62ad1f77"}, - {file = 
"MarkupSafe-2.1.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3ce11ee3f23f79dbd06fb3d63e2f6af7b12db1d46932fe7bd8afa259a5996603"}, - {file = "MarkupSafe-2.1.1-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:33b74d289bd2f5e527beadcaa3f401e0df0a89927c1559c8566c066fa4248ab7"}, - {file = "MarkupSafe-2.1.1-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:43093fb83d8343aac0b1baa75516da6092f58f41200907ef92448ecab8825135"}, - {file = "MarkupSafe-2.1.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:8e3dcf21f367459434c18e71b2a9532d96547aef8a871872a5bd69a715c15f96"}, - {file = "MarkupSafe-2.1.1-cp39-cp39-win32.whl", hash = "sha256:d4306c36ca495956b6d568d276ac11fdd9c30a36f1b6eb928070dc5360b22e1c"}, - {file = "MarkupSafe-2.1.1-cp39-cp39-win_amd64.whl", hash = "sha256:46d00d6cfecdde84d40e572d63735ef81423ad31184100411e6e3388d405e247"}, - {file = "MarkupSafe-2.1.1.tar.gz", hash = "sha256:7f91197cc9e48f989d12e4e6fbc46495c446636dfc81b9ccf50bb0ec74b91d4b"}, -] - -[[package]] -name = "nodeenv" -version = "1.6.0" -description = "Node.js virtual environment builder" -optional = false -python-versions = "*" -files = [ - {file = "nodeenv-1.6.0-py2.py3-none-any.whl", hash = "sha256:621e6b7076565ddcacd2db0294c0381e01fd28945ab36bcf00f41c5daf63bef7"}, - {file = "nodeenv-1.6.0.tar.gz", hash = "sha256:3ef13ff90291ba2a4a7a4ff9a979b63ffdd00a464dbe04acf0ea6471517a4c2b"}, -] - -[[package]] -name = "packaging" -version = "21.3" -description = "Core utilities for Python packages" -optional = false -python-versions = ">=3.6" -files = [ - {file = "packaging-21.3-py3-none-any.whl", hash = "sha256:ef103e05f519cdc783ae24ea4e2e0f508a9c99b2d4969652eed6a2e1ea5bd522"}, - {file = "packaging-21.3.tar.gz", hash = "sha256:dd47c42927d89ab911e606518907cc2d3a1f38bbd026385970643f9c5b8ecfeb"}, -] - -[package.dependencies] -pyparsing = ">=2.0.2,<3.0.5 || >3.0.5" - -[[package]] -name = "platformdirs" -version = "2.5.2" -description = "A small Python 
module for determining appropriate platform-specific dirs, e.g. a \"user data dir\"." -optional = false -python-versions = ">=3.7" -files = [ - {file = "platformdirs-2.5.2-py3-none-any.whl", hash = "sha256:027d8e83a2d7de06bbac4e5ef7e023c02b863d7ea5d079477e722bb41ab25788"}, - {file = "platformdirs-2.5.2.tar.gz", hash = "sha256:58c8abb07dcb441e6ee4b11d8df0ac856038f944ab98b7be6b27b2a3c7feef19"}, -] - -[package.extras] -docs = ["furo (>=2021.7.5b38)", "proselint (>=0.10.2)", "sphinx (>=4)", "sphinx-autodoc-typehints (>=1.12)"] -test = ["appdirs (==1.4.4)", "pytest (>=6)", "pytest-cov (>=2.7)", "pytest-mock (>=3.6)"] - -[[package]] -name = "pluggy" -version = "0.13.1" -description = "plugin and hook calling mechanisms for python" -optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" -files = [ - {file = "pluggy-0.13.1-py2.py3-none-any.whl", hash = "sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d"}, - {file = "pluggy-0.13.1.tar.gz", hash = "sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0"}, -] - -[package.extras] -dev = ["pre-commit", "tox"] - -[[package]] -name = "pre-commit" -version = "3.3.3" -description = "A framework for managing and maintaining multi-language pre-commit hooks." 
-optional = false -python-versions = ">=3.8" -files = [ - {file = "pre_commit-3.3.3-py2.py3-none-any.whl", hash = "sha256:10badb65d6a38caff29703362271d7dca483d01da88f9d7e05d0b97171c136cb"}, - {file = "pre_commit-3.3.3.tar.gz", hash = "sha256:a2256f489cd913d575c145132ae196fe335da32d91a8294b7afe6622335dd023"}, -] - -[package.dependencies] -cfgv = ">=2.0.0" -identify = ">=1.0.0" -nodeenv = ">=0.11.1" -pyyaml = ">=5.1" -virtualenv = ">=20.10.0" - -[[package]] -name = "pycparser" -version = "2.21" -description = "C parser in Python" -optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" -files = [ - {file = "pycparser-2.21-py2.py3-none-any.whl", hash = "sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9"}, - {file = "pycparser-2.21.tar.gz", hash = "sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206"}, -] - -[[package]] -name = "pyparsing" -version = "3.0.9" -description = "pyparsing module - Classes and methods to define and execute parsing grammars" -optional = false -python-versions = ">=3.6.8" -files = [ - {file = "pyparsing-3.0.9-py3-none-any.whl", hash = "sha256:5026bae9a10eeaefb61dab2f09052b9f4307d44aee4eda64b309723d8d206bbc"}, - {file = "pyparsing-3.0.9.tar.gz", hash = "sha256:2b020ecf7d21b687f219b71ecad3631f644a47f01403fa1d1036b0c6416d70fb"}, -] - -[package.extras] -diagrams = ["jinja2", "railroad-diagrams"] - -[[package]] -name = "pytest" -version = "7.2.2" -description = "pytest: simple powerful testing with Python" -optional = false -python-versions = ">=3.7" -files = [ - {file = "pytest-7.2.2-py3-none-any.whl", hash = "sha256:130328f552dcfac0b1cec75c12e3f005619dc5f874f0a06e8ff7263f0ee6225e"}, - {file = "pytest-7.2.2.tar.gz", hash = "sha256:c99ab0c73aceb050f68929bc93af19ab6db0558791c6a0715723abe9d0ade9d4"}, -] - -[package.dependencies] -attrs = ">=19.2.0" -colorama = {version = "*", markers = "sys_platform == \"win32\""} -exceptiongroup = {version = ">=1.0.0rc8", markers = "python_version < 
\"3.11\""} -iniconfig = "*" -packaging = "*" -pluggy = ">=0.12,<2.0" -tomli = {version = ">=1.0.0", markers = "python_version < \"3.11\""} - -[package.extras] -testing = ["argcomplete", "hypothesis (>=3.56)", "mock", "nose", "pygments (>=2.7.2)", "requests", "xmlschema"] - -[[package]] -name = "pyyaml" -version = "6.0" -description = "YAML parser and emitter for Python" -optional = false -python-versions = ">=3.6" -files = [ - {file = "PyYAML-6.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:d4db7c7aef085872ef65a8fd7d6d09a14ae91f691dec3e87ee5ee0539d516f53"}, - {file = "PyYAML-6.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9df7ed3b3d2e0ecfe09e14741b857df43adb5a3ddadc919a2d94fbdf78fea53c"}, - {file = "PyYAML-6.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:77f396e6ef4c73fdc33a9157446466f1cff553d979bd00ecb64385760c6babdc"}, - {file = "PyYAML-6.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a80a78046a72361de73f8f395f1f1e49f956c6be882eed58505a15f3e430962b"}, - {file = "PyYAML-6.0-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:f84fbc98b019fef2ee9a1cb3ce93e3187a6df0b2538a651bfb890254ba9f90b5"}, - {file = "PyYAML-6.0-cp310-cp310-win32.whl", hash = "sha256:2cd5df3de48857ed0544b34e2d40e9fac445930039f3cfe4bcc592a1f836d513"}, - {file = "PyYAML-6.0-cp310-cp310-win_amd64.whl", hash = "sha256:daf496c58a8c52083df09b80c860005194014c3698698d1a57cbcfa182142a3a"}, - {file = "PyYAML-6.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:d4b0ba9512519522b118090257be113b9468d804b19d63c71dbcf4a48fa32358"}, - {file = "PyYAML-6.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:81957921f441d50af23654aa6c5e5eaf9b06aba7f0a19c18a538dc7ef291c5a1"}, - {file = "PyYAML-6.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:afa17f5bc4d1b10afd4466fd3a44dc0e245382deca5b3c353d8b757f9e3ecb8d"}, - {file = 
"PyYAML-6.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:dbad0e9d368bb989f4515da330b88a057617d16b6a8245084f1b05400f24609f"}, - {file = "PyYAML-6.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:432557aa2c09802be39460360ddffd48156e30721f5e8d917f01d31694216782"}, - {file = "PyYAML-6.0-cp311-cp311-win32.whl", hash = "sha256:bfaef573a63ba8923503d27530362590ff4f576c626d86a9fed95822a8255fd7"}, - {file = "PyYAML-6.0-cp311-cp311-win_amd64.whl", hash = "sha256:01b45c0191e6d66c470b6cf1b9531a771a83c1c4208272ead47a3ae4f2f603bf"}, - {file = "PyYAML-6.0-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:897b80890765f037df3403d22bab41627ca8811ae55e9a722fd0392850ec4d86"}, - {file = "PyYAML-6.0-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:50602afada6d6cbfad699b0c7bb50d5ccffa7e46a3d738092afddc1f9758427f"}, - {file = "PyYAML-6.0-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:48c346915c114f5fdb3ead70312bd042a953a8ce5c7106d5bfb1a5254e47da92"}, - {file = "PyYAML-6.0-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:98c4d36e99714e55cfbaaee6dd5badbc9a1ec339ebfc3b1f52e293aee6bb71a4"}, - {file = "PyYAML-6.0-cp36-cp36m-win32.whl", hash = "sha256:0283c35a6a9fbf047493e3a0ce8d79ef5030852c51e9d911a27badfde0605293"}, - {file = "PyYAML-6.0-cp36-cp36m-win_amd64.whl", hash = "sha256:07751360502caac1c067a8132d150cf3d61339af5691fe9e87803040dbc5db57"}, - {file = "PyYAML-6.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:819b3830a1543db06c4d4b865e70ded25be52a2e0631ccd2f6a47a2822f2fd7c"}, - {file = "PyYAML-6.0-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:473f9edb243cb1935ab5a084eb238d842fb8f404ed2193a915d1784b5a6b5fc0"}, - {file = "PyYAML-6.0-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0ce82d761c532fe4ec3f87fc45688bdd3a4c1dc5e0b4a19814b9009a29baefd4"}, - {file = 
"PyYAML-6.0-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:231710d57adfd809ef5d34183b8ed1eeae3f76459c18fb4a0b373ad56bedcdd9"}, - {file = "PyYAML-6.0-cp37-cp37m-win32.whl", hash = "sha256:c5687b8d43cf58545ade1fe3e055f70eac7a5a1a0bf42824308d868289a95737"}, - {file = "PyYAML-6.0-cp37-cp37m-win_amd64.whl", hash = "sha256:d15a181d1ecd0d4270dc32edb46f7cb7733c7c508857278d3d378d14d606db2d"}, - {file = "PyYAML-6.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:0b4624f379dab24d3725ffde76559cff63d9ec94e1736b556dacdfebe5ab6d4b"}, - {file = "PyYAML-6.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:213c60cd50106436cc818accf5baa1aba61c0189ff610f64f4a3e8c6726218ba"}, - {file = "PyYAML-6.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9fa600030013c4de8165339db93d182b9431076eb98eb40ee068700c9c813e34"}, - {file = "PyYAML-6.0-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:277a0ef2981ca40581a47093e9e2d13b3f1fbbeffae064c1d21bfceba2030287"}, - {file = "PyYAML-6.0-cp38-cp38-win32.whl", hash = "sha256:d4eccecf9adf6fbcc6861a38015c2a64f38b9d94838ac1810a9023a0609e1b78"}, - {file = "PyYAML-6.0-cp38-cp38-win_amd64.whl", hash = "sha256:1e4747bc279b4f613a09eb64bba2ba602d8a6664c6ce6396a4d0cd413a50ce07"}, - {file = "PyYAML-6.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:055d937d65826939cb044fc8c9b08889e8c743fdc6a32b33e2390f66013e449b"}, - {file = "PyYAML-6.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:e61ceaab6f49fb8bdfaa0f92c4b57bcfbea54c09277b1b4f7ac376bfb7a7c174"}, - {file = "PyYAML-6.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d67d839ede4ed1b28a4e8909735fc992a923cdb84e618544973d7dfc71540803"}, - {file = "PyYAML-6.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cba8c411ef271aa037d7357a2bc8f9ee8b58b9965831d9e51baf703280dc73d3"}, - {file = 
"PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:40527857252b61eacd1d9af500c3337ba8deb8fc298940291486c465c8b46ec0"}, - {file = "PyYAML-6.0-cp39-cp39-win32.whl", hash = "sha256:b5b9eccad747aabaaffbc6064800670f0c297e52c12754eb1d976c57e4f74dcb"}, - {file = "PyYAML-6.0-cp39-cp39-win_amd64.whl", hash = "sha256:b3d267842bf12586ba6c734f89d1f5b871df0273157918b0ccefa29deb05c21c"}, - {file = "PyYAML-6.0.tar.gz", hash = "sha256:68fb519c14306fec9720a2a5b45bc9f0c8d1b9c72adf45c37baedfcd949c35a2"}, -] - -[[package]] -name = "resolvelib" -version = "0.5.5" -description = "Resolve abstract dependencies into concrete ones" -optional = false -python-versions = "*" -files = [ - {file = "resolvelib-0.5.5-py2.py3-none-any.whl", hash = "sha256:b0143b9d074550a6c5163a0f587e49c49017434e3cdfe853941725f5455dd29c"}, - {file = "resolvelib-0.5.5.tar.gz", hash = "sha256:123de56548c90df85137425a3f51eb93df89e2ba719aeb6a8023c032758be950"}, -] - -[package.extras] -examples = ["html5lib", "packaging", "pygraphviz", "requests"] -lint = ["black", "flake8"] -release = ["setl", "towncrier"] -test = ["commentjson", "packaging", "pytest"] - -[[package]] -name = "six" -version = "1.16.0" -description = "Python 2 and 3 compatibility utilities" -optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*" -files = [ - {file = "six-1.16.0-py2.py3-none-any.whl", hash = "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"}, - {file = "six-1.16.0.tar.gz", hash = "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926"}, -] - -[[package]] -name = "tomli" -version = "2.0.1" -description = "A lil' TOML parser" -optional = false -python-versions = ">=3.7" -files = [ - {file = "tomli-2.0.1-py3-none-any.whl", hash = "sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc"}, - {file = "tomli-2.0.1.tar.gz", hash = 
"sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f"}, -] - -[[package]] -name = "virtualenv" -version = "20.14.1" -description = "Virtual Python Environment builder" -optional = false -python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,>=2.7" -files = [ - {file = "virtualenv-20.14.1-py2.py3-none-any.whl", hash = "sha256:e617f16e25b42eb4f6e74096b9c9e37713cf10bf30168fb4a739f3fa8f898a3a"}, - {file = "virtualenv-20.14.1.tar.gz", hash = "sha256:ef589a79795589aada0c1c5b319486797c03b67ac3984c48c669c0e4f50df3a5"}, -] - -[package.dependencies] -distlib = ">=0.3.1,<1" -filelock = ">=3.2,<4" -platformdirs = ">=2,<3" -six = ">=1.9.0,<2" - -[package.extras] -docs = ["proselint (>=0.10.2)", "sphinx (>=3)", "sphinx-argparse (>=0.2.5)", "sphinx-rtd-theme (>=0.4.3)", "towncrier (>=21.3)"] -testing = ["coverage (>=4)", "coverage-enable-subprocess (>=1)", "flaky (>=3)", "packaging (>=20.0)", "pytest (>=4)", "pytest-env (>=0.6.2)", "pytest-freezegun (>=0.4.1)", "pytest-mock (>=2)", "pytest-randomly (>=1)", "pytest-timeout (>=1)"] - -[metadata] -lock-version = "2.0" -python-versions = "^3.10" -content-hash = "d2e755393170220d4258ac85b706a88c74b66b01c1dcd74c7cdbf1bbfc686d43" diff --git a/provision/ansible/inventory/group_vars/kubernetes/k3s.yml b/provision/ansible/inventory/group_vars/kubernetes/k3s.yml deleted file mode 100644 index a40781a0..00000000 --- a/provision/ansible/inventory/group_vars/kubernetes/k3s.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -# -# Below vars are for the xanmanning.k3s role -# ...see https://github.com/PyratLabs/ansible-role-k3s -# - -# (string) Use a specific version of k3s -k3s_release_version: "v1.22.6+k3s1" - -# (bool) Install using hard links rather than symbolic links. -k3s_install_hard_links: true - -# (bool) Escalate user privileges for all tasks -k3s_become: true - -# (bool) Enable debug logging on the k3s service -k3s_debug: false - -# (bool) Enable etcd embedded datastore -k3s_etcd_datastore: true - -# (bool) Allow the use of unsupported configurations in k3s -k3s_use_unsupported_config: false - -# (string) Control Plane registration address -k3s_registration_address: "{{ kubevip_address }}" - -# (list) A list of URLs to deploy on the primary control plane. Read notes below. -k3s_server_manifests_urls: - - url: https://docs.projectcalico.org/archive/v3.21/manifests/tigera-operator.yaml - filename: tigera-operator.yaml - - url: https://kube-vip.io/manifests/rbac.yaml - filename: kube-vip-rbac.yaml - -# (list) A flat list of templates to deploy on the primary control plane -# /var/lib/rancher/k3s/server/manifests -k3s_server_manifests_templates: - - "calico-installation.yaml.j2" - - "kube-vip-daemonset.yaml.j2" diff --git a/provision/ansible/inventory/group_vars/kubernetes/kube-vip.yml b/provision/ansible/inventory/group_vars/kubernetes/kube-vip.yml deleted file mode 100644 index 2f44653c..00000000 --- a/provision/ansible/inventory/group_vars/kubernetes/kube-vip.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# (string) The interface on the host kube-vip should attach to -kubevip_interface: "eth0" -# (string) The ARP address kube-vip broadcasts -kubevip_address: "192.168.1.250" diff --git a/provision/ansible/inventory/group_vars/kubernetes/ubuntu.yml b/provision/ansible/inventory/group_vars/kubernetes/ubuntu.yml deleted file mode 100644 index 188d1300..00000000 --- a/provision/ansible/inventory/group_vars/kubernetes/ubuntu.yml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -# (string) Timezone for the servers -# timezone: "America/New_York" - -# (list) Additional ssh public keys to add to the nodes -# ssh_authorized_keys: diff --git a/provision/ansible/inventory/group_vars/master/k3s.yml b/provision/ansible/inventory/group_vars/master/k3s.yml deleted file mode 100644 index 3a1fe166..00000000 --- a/provision/ansible/inventory/group_vars/master/k3s.yml +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -# https://rancher.com/docs/k3s/latest/en/installation/install-options/server-config/ -# https://github.com/PyratLabs/ansible-role-k3s - -# (bool) Specify if a host (or host group) are part of the control plane -k3s_control_node: true - -# (dict) k3s settings for all control-plane nodes -k3s_server: - node-ip: "{{ ansible_host }}" - tls-san: - # kube-vip - - "{{ kubevip_address }}" - # Disable Docker - this will use the default containerd CRI - docker: false - flannel-backend: "none" # This needs to be in quotes - disable: - # Disable flannel - replaced with Calico - - flannel - # Disable traefik - installed with Flux - - traefik - # Disable servicelb - replaced with metallb and install with Flux - - servicelb - # Disable metrics-server - installed with Flux - - metrics-server - disable-network-policy: true - disable-cloud-controller: true - write-kubeconfig-mode: "644" - # Network CIDR to use for pod IPs - cluster-cidr: "10.42.0.0/16" - # Network CIDR to use for service IPs - service-cidr: "10.43.0.0/16" - kubelet-arg: - # Enables the kubelet to gracefully evict pods during a node shutdown - - "feature-gates=GracefulNodeShutdown=true" - # Allow k8s services to contain TCP and UDP on the same port - - "feature-gates=MixedProtocolLBService=true" - # Required to monitor kube-controller-manager with kube-prometheus-stack - kube-controller-manager-arg: - - "bind-address=0.0.0.0" - # Required to monitor kube-proxy with kube-prometheus-stack - kube-proxy-arg: - - "metrics-bind-address=0.0.0.0" - # Required to monitor kube-scheduler with kube-prometheus-stack - kube-scheduler-arg: - - "bind-address=0.0.0.0" - # Required to monitor etcd with kube-prometheus-stack - etcd-expose-metrics: true - # Required for HAProxy health-checks - kube-apiserver-arg: - - "anonymous-auth=true" diff --git a/provision/ansible/inventory/group_vars/worker/k3s.yml b/provision/ansible/inventory/group_vars/worker/k3s.yml deleted file mode 100644 index 232f4259..00000000 
--- a/provision/ansible/inventory/group_vars/worker/k3s.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -# https://rancher.com/docs/k3s/latest/en/installation/install-options/agent-config/ -# https://github.com/PyratLabs/ansible-role-k3s - -# (bool) Specify if a host (or host group) are part of the control plane -k3s_control_node: false - -# (dict) k3s settings for all worker nodes -k3s_agent: - node-ip: "{{ ansible_host }}" - kubelet-arg: - # Enables the kubelet to gracefully evict pods during a node shutdown - - "feature-gates=GracefulNodeShutdown=true" - # Allow k8s services to contain TCP and UDP on the same port - - "feature-gates=MixedProtocolLBService=true" diff --git a/provision/ansible/inventory/host_vars/k8s-controller-0.sops.yml b/provision/ansible/inventory/host_vars/k8s-controller-0.sops.yml deleted file mode 100644 index df1edf22..00000000 --- a/provision/ansible/inventory/host_vars/k8s-controller-0.sops.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -kind: Secret -ansible_user: ENC[AES256_GCM,data:8Nl9Q7nK,iv:fJsiicNY4RJpL5/yrro1AA70H9DagRZTlcTmx5rYEqM=,tag:DunLxKJuPERdLXA0Rj9bQA==,type:str] -ansible_become_pass: ENC[AES256_GCM,data:uReNFhSX19AvDw==,iv:5TLItcNNHMYMbupjudb1BAywWn3l8N7+DE9b4KKcoTw=,tag:GihzhTtsUVlgqru6c8G6rQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1cxqfxy46kp8p007857c6cnk4j2ypuc0pw04utqr58uraxn0dz3ystslpxj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZalVsZ0xYYXRNcXlROHpl - Nnc3R1NoS0dCSWxUUEdGKzgyYkdwY3NLYlVvClZMdmtBZGIxSC96Tm9XSEZ6aCta - dG1aY1FLeUVIeVRsTVR2ckFOU2xwZTQKLS0tIGV1MERoNWtDTTFTaGdOSnFhaHh4 - YmppczdhbXp5WXRqTVQ5Yi84YkJ0Q2MKUKbqlMSC5y9Ta0nXhBZom2QpWEa04gg6 - VrZK8YqcQ33mB5KDidlFwPgAfzPFw48Slq4o94WWfwHp5q0gsOAEXA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-01-23T03:25:03Z" - mac: ENC[AES256_GCM,data:qDFpfjZBtfF9aGE0dhjpPB5JY0uIV/SL/kQC0lSRdjM+fjM2vs/5FhKKx0S0w2mba/bWzXnf07CXX4vZxVv/7H7pZgj9aX5XMbCr0H4EG9MT5SXXS0bEWQu+vgHXtecpy0grNch9Rdl2JT5hMqio3facFglEWMY5Q0FecB8hQZc=,iv:ESScAb7yvRMNWB8KoIikiIRs5XA+A3Sv9ntNfqcRuaE=,tag:TPQ7bIFdMDZlMppSG/uTmA==,type:str] - pgp: [] - unencrypted_regex: ^(kind)$ - version: 3.7.1 diff --git a/provision/ansible/inventory/host_vars/k8s-controller-1.sops.yml b/provision/ansible/inventory/host_vars/k8s-controller-1.sops.yml deleted file mode 100644 index 37ab6816..00000000 --- a/provision/ansible/inventory/host_vars/k8s-controller-1.sops.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -kind: Secret -ansible_user: ENC[AES256_GCM,data:5SeLSiL7,iv:+x+dG4jUKwN5eSYKvVn+gwGTM4XoSolJCKj9/L+1/jU=,tag:LSkrmb1J8QWCOEsfujLQ9g==,type:str] -ansible_become_pass: ENC[AES256_GCM,data:8FGrgLFE3C4Now==,iv:EsR9+RRUsbTvnN5QAPJFS614AFFw4dzweTPZSAZP8/o=,tag:HInqH8Bv+bc9B9smOi3u0g==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1cxqfxy46kp8p007857c6cnk4j2ypuc0pw04utqr58uraxn0dz3ystslpxj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1eFBORVNabkJ4TCtCZEpC - MEVxeUlObTU1YmdzUkN1enBrdWVqWHlrWENjCkFFYnNXOFMybjJHTUZYU3krdEZz - L1FrYnRudHM1L1NwYTBMVkpoRUdmMHcKLS0tIDdwSWhuVklHQmFCL0VETytOc2FF - dFROT0cvZzZxSWJDc1hMWGVxNUhhSkEKsOmpRBqPXRJ0RWwiPI/g+YgBkacfKWNm - ITvsSzQyEZE9h/A+JTqGmyE6GXtzTZ56RuoRnroK47MaQz+YLHBEYA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-01-23T03:25:03Z" - mac: ENC[AES256_GCM,data:2G6tzXBeO0mlreOiSxjvTQvBfr7ma3fptHQEzayi7MZKncAdtMWNWM6mKLSGqPTwhTYDsTRDTpTPZ6bToZvG4DRt2L0PJokF4EZNIrW75JrNPi0af48+E+J7pll5soe/VybXkZcbtLNaL0HLPl1Mh98oaEYSf3KXLu73L2UnfaU=,iv:45OmUd9Mwq6uNidmgOJs7BU/yWEmPzMY1WYXiWQTQkA=,tag:qpLGRZQuVFZLRm3KDy8OfA==,type:str] - pgp: [] - unencrypted_regex: ^(kind)$ - version: 3.7.1 diff --git a/provision/ansible/inventory/host_vars/k8s-controller-2.sops.yml b/provision/ansible/inventory/host_vars/k8s-controller-2.sops.yml deleted file mode 100644 index 2b5cc6f5..00000000 --- a/provision/ansible/inventory/host_vars/k8s-controller-2.sops.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -kind: Secret -ansible_user: ENC[AES256_GCM,data:EMbpsJBq,iv:QAgoptYVwpcDfMADIQDJ2m13XFhc8m2QEDyvD5aBzWQ=,tag:G+OJHUL3rzr0l+pmFdy5Tw==,type:str] -ansible_become_pass: ENC[AES256_GCM,data:QYKW/2JxKSSe8g==,iv:1vZ92YzrdyDdCYxa6BUCMj/nkcpyfi7Q8G8BhBvY48Q=,tag:9rtHg8xVHO3p4R32Y6lwMw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1cxqfxy46kp8p007857c6cnk4j2ypuc0pw04utqr58uraxn0dz3ystslpxj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSalhIdTdsK2RlYi92RlF2 - ZHByRnk1Wi9hYjU3VkVMUVZKMjlLL1BtMTFzCkxjbmFtQjZRbmlHYk9WWnB4MkJl - OXMyaHErVS9ETTdJZktSU0I2STJ1S2cKLS0tIEJlQ1ZtL3NmVThCOWhtSFZiaDlk - akZ1K09TVHBwSEZlU05kdjNxS0JMVm8KdmHuETTYHortI2MTg7hKNutC+atPqqhd - dI0Iolm/j1uI/cMd3oTzvyA+6AVsvhjChNi9vuP6f9uizNTZb9m1Eg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-01-23T04:09:04Z" - mac: ENC[AES256_GCM,data:/L/siAoq4NlB/s9WO4ubwk/38866aNINZwyavbTL65a+XoBCABP6sTeH8UKTjwiBVGk99/dgPwFgEWuO+IcdKcNY4aHRC1EJU+/WoxjZ8EZTr1WUAErPG+Vxf7cmUh5L3AsEoWi9BxRqyHkTpwwlTQvkKzyDDPUrFlaEMwusyNg=,iv:2OJFigF0cxVlnaV2UmWYH9bABkWBKbqR5gJR30QL6MI=,tag:t2/7UQdV3cdfEBapXlK65Q==,type:str] - pgp: [] - unencrypted_regex: ^(kind)$ - version: 3.7.1 diff --git a/provision/ansible/inventory/host_vars/k8s-worker-3.sops.yml b/provision/ansible/inventory/host_vars/k8s-worker-3.sops.yml deleted file mode 100644 index dcf660df..00000000 --- a/provision/ansible/inventory/host_vars/k8s-worker-3.sops.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -kind: Secret -ansible_user: ENC[AES256_GCM,data:9P7EGZui,iv:z4wVtQWE0Yl7+6mXuTj74ijgEA945k1g2SDaPxNsbTM=,tag:MszIXMkJXt+/obdycqC/Sg==,type:str] -ansible_become_pass: ENC[AES256_GCM,data:VS7Ivi3QOVVmWQ==,iv:55F67Ies1Lyrtlm8HS7cOkrnyifHIbVNJ1Uow2v20f4=,tag:Ltb4mm4MC/UxPql8r4x07Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1cxqfxy46kp8p007857c6cnk4j2ypuc0pw04utqr58uraxn0dz3ystslpxj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQTUtJOTBSK1BjQlA3bWdE - bEdhS3h2enJrS2ViK2drYUhNYS96V1hBOG1nCk5KWXo1ZjlxbU13Mm1VaFpjYzdn - NExRYkpVVDcyWjVFYWhtL0sxWndUYmMKLS0tIFRYeEJEMmRnTFpYMWVrcGlOa0c3 - dVZJWnZKZlFTYm84aXdGTkd3TU1HL00KnpnUGGUxbpPUPKx3Y+IZLXuQQtKZKHWs - iNSbsnA2FhMReHu/ma8YWoQ6c4reTo/BLHBn8IghGdtizWTFkdi7Rg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-01-23T04:09:04Z" - mac: ENC[AES256_GCM,data:vU6gQjOx1CVJTadlNsm+FqKudonfi6kDGr+uEkPckQsJCVy0N4xEZOiTbUKRHCwwh9b5twqjAYLSr0iWLBDYsnkbBH4Cp68jFqVb5BlXtoC+s319jyamDHOU4vdrkrETVWNrhzIkCYxNTpk6y2Zi+vzDa3Xu+4jQJFRPGu4kEVI=,iv:+X0b0JPmhPwHtgU1YQ4jJ8aVsiUgENde3x2UU8I04Yo=,tag:/bKlL2VLkgfEhntiw9Bs5Q==,type:str] - pgp: [] - unencrypted_regex: ^(kind)$ - version: 3.7.1 diff --git a/provision/ansible/inventory/host_vars/k8s-worker-4.sops.yml b/provision/ansible/inventory/host_vars/k8s-worker-4.sops.yml deleted file mode 100644 index 46910161..00000000 --- a/provision/ansible/inventory/host_vars/k8s-worker-4.sops.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -kind: Secret -ansible_user: ENC[AES256_GCM,data:9P7EGZui,iv:z4wVtQWE0Yl7+6mXuTj74ijgEA945k1g2SDaPxNsbTM=,tag:MszIXMkJXt+/obdycqC/Sg==,type:str] -ansible_become_pass: ENC[AES256_GCM,data:VS7Ivi3QOVVmWQ==,iv:55F67Ies1Lyrtlm8HS7cOkrnyifHIbVNJ1Uow2v20f4=,tag:Ltb4mm4MC/UxPql8r4x07Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1cxqfxy46kp8p007857c6cnk4j2ypuc0pw04utqr58uraxn0dz3ystslpxj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQTUtJOTBSK1BjQlA3bWdE - bEdhS3h2enJrS2ViK2drYUhNYS96V1hBOG1nCk5KWXo1ZjlxbU13Mm1VaFpjYzdn - NExRYkpVVDcyWjVFYWhtL0sxWndUYmMKLS0tIFRYeEJEMmRnTFpYMWVrcGlOa0c3 - dVZJWnZKZlFTYm84aXdGTkd3TU1HL00KnpnUGGUxbpPUPKx3Y+IZLXuQQtKZKHWs - iNSbsnA2FhMReHu/ma8YWoQ6c4reTo/BLHBn8IghGdtizWTFkdi7Rg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-02-24T02:16:48Z" - mac: ENC[AES256_GCM,data:aJ8uDvWed3b/DKAjBPq8sUao9Qr7/XU4rNuTbQi01Wnuj7865pgyoHNnBzzt+rh1qId47I8fV9Iz+IPuCvjGuL0ustFw9zkSUjM4iHGnZcTCKH78vdjt4gbid6Zz7mIAXdQ1Ry7NTJh7fNw0WQthJpHq3OyYEPERoYV+vrc5gpo=,iv:eTt+0wh7wL2drJqhmY3pRoAfdiVvHmIZGzEW1Bao/AI=,tag:aVOX5BhGPQzftIiKhLib0g==,type:str] - pgp: [] - unencrypted_regex: ^(kind)$ - version: 3.7.1 diff --git a/provision/ansible/inventory/hosts.yml b/provision/ansible/inventory/hosts.yml deleted file mode 100644 index 9032999f..00000000 --- a/provision/ansible/inventory/hosts.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -kubernetes: - children: - master: - hosts: - k8s-controller-0: - ansible_host: 192.168.1.200 - k8s-controller-1: - ansible_host: 192.168.1.201 - k8s-controller-2: - ansible_host: 192.168.1.202 - worker: - hosts: - k8s-worker-3: - ansible_host: 192.168.1.203 - k8s-worker-4: - ansible_host: 192.168.1.204 diff --git a/provision/ansible/playbooks/k3s-install.yml b/provision/ansible/playbooks/k3s-install.yml deleted file mode 100644 index 7d2b71d3..00000000 --- a/provision/ansible/playbooks/k3s-install.yml +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -- hosts: - - master - - worker - become: true - gather_facts: true - any_errors_fatal: true - pre_tasks: - - name: Pausing for 5 seconds... - pause: - seconds: 5 - tasks: - - name: Check if cluster is installed - ansible.builtin.stat: - path: "/etc/rancher/k3s/config.yaml" - register: k3s_check_installed - check_mode: false - - - name: Set manifest facts - ansible.builtin.set_fact: - k3s_server_manifests_templates: [] - k3s_server_manifests_urls: [] - when: k3s_check_installed.stat.exists - - - name: Install Kubernetes - include_role: - name: xanmanning.k3s - public: true - - - name: Get absolute path to this Git repository - delegate_to: localhost - become: false - run_once: true - ansible.builtin.command: "git rev-parse --show-toplevel" - register: repo_abs_path - - - name: Copy kubeconfig to provision folder - run_once: true - ansible.builtin.fetch: - src: "/etc/rancher/k3s/k3s.yaml" - dest: "{{ repo_abs_path.stdout }}/provision/kubeconfig" - flat: true - when: - - k3s_control_node is defined - - k3s_control_node - - - name: Update kubeconfig with the right IPv4 address - delegate_to: localhost - become: false - run_once: true - ansible.builtin.replace: - path: "{{ repo_abs_path.stdout }}/provision/kubeconfig" - regexp: "https://127.0.0.1:6443" - replace: "https://{{ k3s_registration_address }}:6443" - - - name: Remove deployed manifest templates - ansible.builtin.file: - path: "{{ k3s_server_manifests_dir }}/{{ item | basename | regex_replace('\\.j2$', '') }}" - state: absent - loop: "{{ k3s_server_manifests_templates }}" - when: - - k3s_server_manifests_templates - - k3s_server_manifests_templates | length > 0 - - - name: Remove deployed manifest urls - ansible.builtin.file: - path: "{{ k3s_server_manifests_dir }}/{{ item.filename }}" - state: absent - loop: "{{ k3s_server_manifests_urls }}" - when: - - k3s_server_manifests_urls - - k3s_server_manifests_urls | length > 0 
diff --git a/provision/ansible/playbooks/k3s-nuke.yml b/provision/ansible/playbooks/k3s-nuke.yml deleted file mode 100644 index a320a2e7..00000000 --- a/provision/ansible/playbooks/k3s-nuke.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -- hosts: - - master - - worker - become: true - gather_facts: true - any_errors_fatal: true - pre_tasks: - - name: Pausing for 5 seconds... - pause: - seconds: 5 - tasks: - - name: Kill k3s - ansible.builtin.command: /usr/local/bin/k3s-killall.sh - - name: Uninstall k3s - ansible.builtin.command: - cmd: /usr/local/bin/k3s-uninstall.sh - removes: /usr/local/bin/k3s-uninstall.sh - - name: Uninstall k3s agent - ansible.builtin.command: - cmd: /usr/local/bin/k3s-agent-uninstall.sh - removes: /usr/local/bin/k3s-agent-uninstall.sh - - name: Gather list of CNI files to delete - find: - paths: /etc/cni/net.d - patterns: "*" - register: files_to_delete - - name: Delete CNI files - ansible.builtin.file: - path: "{{ item.path }}" - state: absent - loop: "{{ files_to_delete.files }}" diff --git a/provision/ansible/playbooks/templates/calico-installation.yaml.j2 b/provision/ansible/playbooks/templates/calico-installation.yaml.j2 deleted file mode 100644 index 38ef26d7..00000000 --- a/provision/ansible/playbooks/templates/calico-installation.yaml.j2 +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: operator.tigera.io/v1 -kind: Installation -metadata: - name: default -spec: - calicoNetwork: - # Note: The ipPools section cannot be modified post-install. - ipPools: - - blockSize: 26 - cidr: "{{ k3s_server['cluster-cidr'] }}" - encapsulation: "VXLANCrossSubnet" - natOutgoing: Enabled - nodeSelector: all() - nodeMetricsPort: 9091 - typhaMetricsPort: 9093 diff --git a/provision/ansible/playbooks/templates/kube-vip-daemonset.yaml.j2 b/provision/ansible/playbooks/templates/kube-vip-daemonset.yaml.j2 deleted file mode 100644 index 10bdd3b3..00000000 --- a/provision/ansible/playbooks/templates/kube-vip-daemonset.yaml.j2 +++ /dev/null 
@@ -1,71 +0,0 @@ ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: kube-vip - namespace: kube-system - labels: - app.kubernetes.io/instance: kube-vip - app.kubernetes.io/name: kube-vip -spec: - selector: - matchLabels: - app.kubernetes.io/instance: kube-vip - app.kubernetes.io/name: kube-vip - template: - metadata: - labels: - app.kubernetes.io/instance: kube-vip - app.kubernetes.io/name: kube-vip - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - containers: - - name: kube-vip - image: ghcr.io/kube-vip/kube-vip:v0.4.1 - imagePullPolicy: IfNotPresent - args: - - manager - env: - - name: vip_arp - value: "true" - - name: vip_interface - value: "{{ kubevip_interface }}" - - name: port - value: "6443" - - name: vip_cidr - value: "32" - - name: cp_enable - value: "true" - - name: cp_namespace - value: kube-system - - name: svc_enable - value: "false" - - name: vip_ddns - value: "false" - - name: address - value: "{{ k3s_registration_address }}" - securityContext: - capabilities: - add: - - NET_ADMIN - - NET_RAW - hostAliases: - - hostnames: - - kubernetes - ip: 127.0.0.1 - hostNetwork: true - serviceAccountName: kube-vip - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists diff --git a/provision/ansible/playbooks/ubuntu-prepare.yml b/provision/ansible/playbooks/ubuntu-prepare.yml deleted file mode 100644 index a5160a4c..00000000 --- a/provision/ansible/playbooks/ubuntu-prepare.yml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -- hosts: - - master - - worker - become: true - gather_facts: true - any_errors_fatal: true - pre_tasks: - - name: Pausing for 5 seconds... - pause: - seconds: 5 - roles: - - ubuntu - - devsec.hardening.ssh_hardening - - devsec.hardening.os_hardening - post_tasks: - - name: Reboot - reboot: - reboot_timeout: 3600 - - name: Wait for the reboot to complete - wait_for_connection: - connect_timeout: 10 - sleep: 5 - delay: 5 - timeout: 300 diff --git a/provision/ansible/playbooks/ubuntu-upgrade.yml b/provision/ansible/playbooks/ubuntu-upgrade.yml deleted file mode 100644 index 88701b5d..00000000 --- a/provision/ansible/playbooks/ubuntu-upgrade.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -- hosts: - - master - - worker - become: true - gather_facts: true - any_errors_fatal: true - tasks: - - name: upgrade - ansible.builtin.apt: - upgrade: full - update_cache: true - cache_valid_time: 3600 - autoclean: true - autoremove: true - register: apt_upgrade - retries: 5 - until: apt_upgrade is success diff --git a/provision/ansible/requirements.yml b/provision/ansible/requirements.yml deleted file mode 100644 index 56377813..00000000 --- a/provision/ansible/requirements.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -collections: - - name: community.general - version: 5.8.10 - - name: community.sops - version: 1.6.7 - - name: ansible.posix - version: 1.5.4 - - name: devsec.hardening - version: 8.8.0 -roles: - - src: xanmanning.k3s - version: v3.4.4 diff --git a/provision/ansible/roles/ubuntu/tasks/filesystem.yml b/provision/ansible/roles/ubuntu/tasks/filesystem.yml deleted file mode 100644 index d9e155ba..00000000 --- a/provision/ansible/roles/ubuntu/tasks/filesystem.yml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -- name: Update max_user_watches - ansible.posix.sysctl: - name: fs.inotify.max_user_watches - value: "65536" - state: present - sysctl_file: /etc/sysctl.d/98-kubernetes-fs.conf - -- name: Disable swap at runtime - ansible.builtin.command: swapoff -a - when: ansible_swaptotal_mb > 0 - -- name: Disable swap on boot - ansible.posix.mount: - name: "{{ item }}" - fstype: swap - state: absent - loop: - - swap - - none diff --git a/provision/ansible/roles/ubuntu/tasks/locale.yml b/provision/ansible/roles/ubuntu/tasks/locale.yml deleted file mode 100644 index bbef8b0f..00000000 --- a/provision/ansible/roles/ubuntu/tasks/locale.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Set timezone - community.general.timezone: - name: "{{ timezone }}" - when: - - timezone is defined diff --git a/provision/ansible/roles/ubuntu/tasks/main.yml b/provision/ansible/roles/ubuntu/tasks/main.yml deleted file mode 100644 index 78d18ce4..00000000 --- a/provision/ansible/roles/ubuntu/tasks/main.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -- include: locale.yml - tags: - - locale - -- include: packages.yml - tags: - - packages - -- include: network.yml - tags: - - network - -- include: filesystem.yml - tags: - - filesystem - -- include: user.yml - tags: - - user - -- include: settings.yml - tags: - - settings diff --git a/provision/ansible/roles/ubuntu/tasks/network.yml b/provision/ansible/roles/ubuntu/tasks/network.yml deleted file mode 100644 index a097fc9d..00000000 --- a/provision/ansible/roles/ubuntu/tasks/network.yml +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -- name: Set hostname to inventory hostname - ansible.builtin.hostname: - name: "{{ inventory_hostname }}" - when: - - ansible_hostname != inventory_hostname - -- name: Update /etc/hosts to include hostname - ansible.builtin.blockinfile: - path: /etc/hosts - create: true - block: | - 127.0.0.1 localhost - 127.0.1.1 {{ inventory_hostname }} - - # The following lines are desirable for IPv6 capable hosts - ::1 ip6-localhost ip6-loopback - fe00::0 ip6-localnet - ff00::0 ip6-mcastprefix - ff02::1 ip6-allnodes - ff02::2 ip6-allrouters - ff02::3 ip6-allhosts - -- name: Check for bridge-nf-call-iptables - ansible.builtin.stat: - path: /proc/sys/net/bridge/bridge-nf-call-iptables - register: bridge_nf_call_iptables_result - -- name: Set Kubernetes network configuration - ansible.builtin.blockinfile: - path: /etc/sysctl.d/99-kubernetes-cri.conf - mode: 0644 - create: true - block: | - net.ipv4.ip_forward = 1 - net.bridge.bridge-nf-call-iptables = 1 - net.ipv6.conf.all.forwarding = 1 - net.bridge.bridge-nf-call-ip6tables = 1 - when: - - bridge_nf_call_iptables_result.stat.exists - register: sysctl_network - -- name: Reload Kubernetes network configuration - ansible.builtin.shell: sysctl -p /etc/sysctl.d/99-kubernetes-cri.conf - when: - - sysctl_network.changed - - bridge_nf_call_iptables_result.stat.exists diff --git a/provision/ansible/roles/ubuntu/tasks/packages.yml b/provision/ansible/roles/ubuntu/tasks/packages.yml deleted file mode 100644 index f6459a36..00000000 --- a/provision/ansible/roles/ubuntu/tasks/packages.yml +++ /dev/null 
@@ -1,95 +0,0 @@ ---- -- name: Upgrade all system packages - ansible.builtin.apt: - upgrade: full - update_cache: true - cache_valid_time: 3600 - autoclean: true - autoremove: true - register: apt_upgrade - retries: 5 - until: apt_upgrade is success - -- name: Install common packages - ansible.builtin.apt: - name: - - apt-transport-https - - arptables - - ca-certificates - - curl - - ebtables - - iputils-ping - - ipvsadm - - lvm2 - - net-tools - - nfs-common - - open-iscsi - - psmisc - - smartmontools - - software-properties-common - - unattended-upgrades - install_recommends: false - update_cache: true - cache_valid_time: 3600 - autoclean: true - autoremove: true - register: apt_install_common - retries: 5 - until: apt_install_common is success - -- name: Check if Raspberry Pi - command: grep -q "Raspberry Pi" /proc/cpuinfo - ignore_errors: true - register: is_raspberry - -- name: Install raspberry specific packages for Ubuntu 21 or greater - ansible.builtin.apt: - name: - - linux-modules-extra-raspi - install_recommends: false - update_cache: true - cache_valid_time: 3600 - autoclean: true - autoremove: true - register: apt_install_raspberry - retries: 5 - until: apt_install_raspberry is success - when: is_raspberry and (ansible_lsb.major_release|int >= 21) - -- name: Copy 20auto-upgrades unattended-upgrades config - ansible.builtin.blockinfile: - path: /etc/apt/apt.conf.d/20auto-upgrades - mode: 0644 - create: true - block: | - APT::Periodic::Update-Package-Lists "1"; - APT::Periodic::Download-Upgradeable-Packages "1"; - APT::Periodic::AutocleanInterval "7"; - APT::Periodic::Unattended-Upgrade "1"; - -- name: Copy 50unattended-upgrades unattended-upgrades config - ansible.builtin.blockinfile: - path: /etc/apt/apt.conf.d/50unattended-upgrades - mode: 0644 - create: true - block: | - Unattended-Upgrade::Automatic-Reboot "false"; - Unattended-Upgrade::Remove-Unused-Dependencies "true"; - Unattended-Upgrade::Allowed-Origins { - "${distro_id} stable"; - "${distro_id} 
${distro_codename}-security"; - "${distro_id} ${distro_codename}-updates"; - }; - -- name: Start unattended-upgrades service - ansible.builtin.systemd: - name: unattended-upgrades - enabled: true - state: started - -- name: Restart unattended-upgrades service - ansible.builtin.service: - name: unattended-upgrades.service - daemon_reload: true - enabled: true - state: restarted diff --git a/provision/ansible/roles/ubuntu/tasks/settings.yml b/provision/ansible/roles/ubuntu/tasks/settings.yml deleted file mode 100644 index a79b0549..00000000 --- a/provision/ansible/roles/ubuntu/tasks/settings.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- name: Check if Raspberry Pi - command: grep -q "Raspberry Pi" /proc/cpuinfo - ignore_errors: true - register: is_raspberry - -- name: Enable cgroups - lineinfile: - path: /boot/firmware/cmdline.txt - regexp: "(?=.*root)(?!.*cgroup_memory=1 cgroup_enable=memory)(.+)" - backrefs: yes - line: '\1 cgroup_memory=1 cgroup_enable=memory' - when: is_raspberry and (ansible_lsb.major_release|int >= 21) diff --git a/provision/ansible/roles/ubuntu/tasks/user.yml b/provision/ansible/roles/ubuntu/tasks/user.yml deleted file mode 100644 index 9b5766ff..00000000 --- a/provision/ansible/roles/ubuntu/tasks/user.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -- name: Add user to sudoers - ansible.builtin.copy: - content: "{{ ansible_user }} ALL=(ALL:ALL) NOPASSWD:ALL" - dest: "/etc/sudoers.d/{{ ansible_user }}_nopasswd" - mode: "0440" - -- name: Add additional user SSH public keys - ansible.posix.authorized_key: - user: "{{ ansible_user }}" - key: "{{ item }}" - loop: "{{ ssh_authorized_keys }}" - when: - - ssh_authorized_keys is defined - - ssh_authorized_keys is iterable - - ssh_authorized_keys | length > 0 diff --git a/pyproject.toml b/pyproject.toml deleted file mode 100644 index 78fd2ea8..00000000 --- a/pyproject.toml +++ /dev/null 
@@ -1,17 +0,0 @@ -[tool.poetry] -name = "homelab" -version = "1.0.0" -description = "" -authors = ["Paul Kiernan "] - -[tool.poetry.dependencies] -python = "^3.10" -ansible = "^7.0.0" -pre-commit = "^3.0.0" - -[tool.poetry.dev-dependencies] -pytest = "^7.0.0" - -[build-system] -requires = ["poetry-core>=1.0.0"] -build-backend = "poetry.core.masonry.api" diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 00000000..011ff37e --- /dev/null +++ b/requirements.txt @@ -0,0 +1,4 @@ +cloudflare==3.1.0 +email-validator==2.2.0 +makejinja==2.6.2 +netaddr==1.3.0 diff --git a/scripts/kubeconform.sh b/scripts/kubeconform.sh new file mode 100755 index 00000000..a69308b1 --- /dev/null +++ b/scripts/kubeconform.sh 
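Review bot: The new requirements.txt pins exact versions but carries no `--hash=sha256:...` entries, so `pip install -r requirements.txt` accepts whatever artifact the index serves for those version numbers, and any transitive dependencies the four packages pull in are left unpinned. Since these tools end up on the operator's PATH and handle cluster-bootstrap inputs, consider generating the file with hashes and installing with `pip install --require-hashes -r requirements.txt`, so the installed set is reproducible and tamper-evident. If the intent is to keep this file minimal, a one-line comment at the top stating that transitive pins are deliberately omitted would at least make that choice explicit.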
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+set -o errexit
+set -o pipefail
+
+KUBERNETES_DIR=$1
+
+[[ -z "${KUBERNETES_DIR}" ]] && echo "Kubernetes location not specified" && exit 1
+
+kustomize_args=("--load-restrictor=LoadRestrictionsNone")
+kustomize_config="kustomization.yaml"
+kubeconform_args=(
+ "-strict"
+ "-ignore-missing-schemas"
+ "-skip"
+ "Secret"
+ "-schema-location"
+ "default"
+ "-schema-location"
+ "https://kubernetes-schemas.pages.dev/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
+ "-verbose"
+)
+
+echo "=== Validating standalone manifests in ${KUBERNETES_DIR}/flux ==="
+find "${KUBERNETES_DIR}/flux" -maxdepth 1 -type f -name '*.yaml' -print0 | while IFS= read -r -d $'\0' file;
+ do
+ kubeconform "${kubeconform_args[@]}" "${file}"
+ if [[ ${PIPESTATUS[0]} != 0 ]]; then
+ exit 1
+ fi
+done
+
+echo "=== Validating kustomizations in ${KUBERNETES_DIR}/flux ==="
+find "${KUBERNETES_DIR}/flux" -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file;
+ do
+ echo "=== Validating kustomizations in ${file/%$kustomize_config} ==="
+ kustomize build "${file/%$kustomize_config}" "${kustomize_args[@]}" | \
+ kubeconform "${kubeconform_args[@]}"
+ if [[ ${PIPESTATUS[0]} != 0 ]]; then
+ exit 1
+ fi
+done
+
+echo "=== Validating kustomizations in ${KUBERNETES_DIR}/apps ==="
+find "${KUBERNETES_DIR}/apps" -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file;
+ do
+ echo "=== Validating kustomizations in ${file/%$kustomize_config} ==="
+ kustomize build "${file/%$kustomize_config}" "${kustomize_args[@]}" | \
+ kubeconform "${kubeconform_args[@]}"
+ if [[ ${PIPESTATUS[0]} != 0 ]]; then
+ exit 1
+ fi
+done
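Review bot: The three `if [[ ${PIPESTATUS[0]} != 0 ]]` guards never reach their `exit 1`: under the `set -o errexit` / `set -o pipefail` opened on lines 2–3, a failing `kubeconform` (or `kustomize build`) already aborts the loop subshell before the test runs, and where the test does run it only inspects stage 0 — `kustomize` in the two pipeline loops, and plain `$?` in the first loop where there is no pipeline — never `kubeconform`'s own status. Either drop the guards and rely on the strict mode, or make the intent explicit with `kubeconform "${kubeconform_args[@]}" "${file}" || exit 1` in the first loop and `kubeconform "${kubeconform_args[@]}" || exit 1` as the pipeline tail in the other two. Separately, `-ignore-missing-schemas` paired with a schema location fetched at run time from a third-party host means any CRD schema that host fails to serve is silently skipped rather than failing the run, so validation can quietly degrade; that deserves a comment on the `kubeconform_args` block, e.g. `# CRD schemas are fetched from kubernetes-schemas.pages.dev; an unreachable or missing schema is skipped, not an error`. Minor: `-name $kustomize_config` should be quoted (`-name "${kustomize_config}"`), and `set -o nounset` belongs alongside the other two options.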