diff --git a/.github/workflows/flux-local.yaml b/.github/workflows/flux-local.yaml index d11d88687..7d001a450 100644 --- a/.github/workflows/flux-local.yaml +++ b/.github/workflows/flux-local.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: Flux Local on: diff --git a/.github/workflows/image-pull.yaml b/.github/workflows/image-pull.yaml index 0b1af62a6..facdbbe1a 100644 --- a/.github/workflows/image-pull.yaml +++ b/.github/workflows/image-pull.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: Image Pull on: diff --git a/.github/workflows/label-sync.yaml b/.github/workflows/label-sync.yaml index 8671380bf..b9e7e3ea1 100644 --- a/.github/workflows/label-sync.yaml +++ b/.github/workflows/label-sync.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: Label Sync on: diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml index a5e1034ef..7044496be 100644 --- a/.github/workflows/labeler.yaml +++ b/.github/workflows/labeler.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: Labeler on: diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml index 2fd3b9f15..73f62c9cc 100644 --- a/.github/workflows/renovate.yaml +++ b/.github/workflows/renovate.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: Renovate on: diff --git a/.github/workflows/tag.yaml b/.github/workflows/tag.yaml index 444ece9cd..c7f881c03 100644 --- a/.github/workflows/tag.yaml +++ b/.github/workflows/tag.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: Tag on: diff --git a/.renovate/allowedVersions.json5 b/.renovate/allowedVersions.json5 deleted file mode 100644 index 6b7e0ddd1..000000000 
--- a/.renovate/allowedVersions.json5 +++ /dev/null @@ -1,10 +0,0 @@ -{ - $schema: "https://docs.renovatebot.com/renovate-schema.json", - packageRules: [ - { - matchDatasources: ["docker"], - matchPackageNames: ["/postgresql/"], - allowedVersions: "<=15", - }, - ], -} diff --git a/.renovate/groups.json5 b/.renovate/groups.json5 index 18a892584..96f829bf5 100644 --- a/.renovate/groups.json5 +++ b/.renovate/groups.json5 @@ -3,16 +3,17 @@ packageRules: [ { description: "1Password Connect Group", - groupName: "1Password Connnect", + groupName: "1password-connect", matchDatasources: ["docker"], matchPackageNames: ["/1password/"], group: { commitMessageTopic: "{{{groupName}}} group", }, + minimumGroupSize: 2, }, { description: "Actions Runner Controller Group", - groupName: "Actions Runner Controller", + groupName: "actions-runner-controller", matchDatasources: ["docker"], matchPackageNames: [ "/gha-runner-scale-set-controller/", 
@@ -21,63 +22,56 @@ group: { commitMessageTopic: "{{{groupName}}} group", }, + minimumGroupSize: 2, }, { - description: "Cert-Manager Group", - groupName: "Cert-Manager", - matchDatasources: ["docker"], - matchPackageNames: ["/cert-manager/"], - group: { - commitMessageTopic: "{{{groupName}}} group", - }, - }, - { - description: "Cilium Group", - groupName: "Cilium", - matchDatasources: ["docker"], - matchPackageNames: ["/cilium/"], - group: { - commitMessageTopic: "{{{groupName}}} group", - }, - }, - { - description: "CoreDNS Group", - groupName: "CoreDNS", + description: "Flux Operator Group", + groupName: "flux-operator", matchDatasources: ["docker"], - matchPackageNames: ["/coredns/"], + matchPackageNames: ["/flux-operator/", "/flux-instance/"], group: { commitMessageTopic: "{{{groupName}}} group", }, + minimumGroupSize: 2, }, { - description: "External Secrets Operator Group", - groupName: "External Secrets Operator", + description: "Intel Device Plugins Group", + groupName: "intel-device-plugins", matchDatasources: ["docker"], - matchPackageNames: ["/external-secrets/"], + matchPackageNames: [ + "/intel-device-plugins-operator/", + "/intel-device-plugins-gpu/", + ], group: { commitMessageTopic: "{{{groupName}}} group", }, + minimumGroupSize: 2, }, { - description: "Flux Operator Group", - groupName: "Flux Operator", + description: "Kubernetes Group", + groupName: "kubernetes", matchDatasources: ["docker"], - matchPackageNames: ["/flux-operator/", "/flux-instance/"], + matchPackageNames: [ + "/kube-apiserver/", + "/kube-controller-manager/", + "/kube-proxy/", + "/kube-scheduler/", + "/kubelet/", + ], group: { commitMessageTopic: "{{{groupName}}} group", }, + minimumGroupSize: 5, }, { - description: "Intel Device Plugins Group", - groupName: "Intel-Device-Plugins", + description: "Talos Group", + groupName: "talos", matchDatasources: ["docker"], - matchPackageNames: [ - "/intel-device-plugins-operator/", - "/intel-device-plugins-gpu/", - ], + matchPackageNames: 
["/installer/", "/talosctl/"], group: { commitMessageTopic: "{{{groupName}}} group", }, + minimumGroupSize: 2, }, ], } diff --git a/.renovate/overrides.json5 b/.renovate/overrides.json5 new file mode 100644 index 000000000..61a7e9722 --- /dev/null +++ b/.renovate/overrides.json5 @@ -0,0 +1,17 @@ +{ + $schema: "https://docs.renovatebot.com/renovate-schema.json", + packageRules: [ + { + description: "Override Helmfile Dependency Name", + matchDatasources: ["docker"], + matchManagers: ["helmfile"], + overrideDepName: "{{packageName}}", + }, + { + description: "Override Talos Installer Package Name", + matchDatasources: ["docker"], + matchPackageNames: ["/factory\\.talos\\.dev/"], + overridePackageName: "ghcr.io/siderolabs/installer", + }, + ], +} diff --git a/.renovaterc.json5 b/.renovaterc.json5 index c936a08d4..516c52c9a 100644 --- a/.renovaterc.json5 +++ b/.renovaterc.json5 @@ -4,12 +4,12 @@ "config:recommended", "docker:enableMajor", "helpers:pinGitHubActionDigests", - "github>dotcomscripts/k8s-gitops//.renovate/allowedVersions.json5", "github>dotcomscripts/k8s-gitops//.renovate/autoMerge.json5", "github>dotcomscripts/k8s-gitops//.renovate/customManagers.json5", "github>dotcomscripts/k8s-gitops//.renovate/grafanaDashboards.json5", "github>dotcomscripts/k8s-gitops//.renovate/groups.json5", "github>dotcomscripts/k8s-gitops//.renovate/labels.json5", + "github>dotcomscripts/k8s-gitops//.renovate/overrides.json5", "github>dotcomscripts/k8s-gitops//.renovate/semanticCommits.json5", ":automergeBranch", ":dependencyDashboard", @@ -22,12 +22,9 @@ suppressNotifications: ["prEditedNotification", "prIgnoreNotification"], ignorePaths: ["**/resources/**"], flux: { - managerFilePatterns: ["/(^|/)kubernetes/.+\\.ya?ml$/"] - }, - "helm-values": { - managerFilePatterns: ["/(^|/)kubernetes/.+\\.ya?ml$/"] + managerFilePatterns: ["/\\.yaml(?:\\.j2)?$/"], }, kubernetes: { - managerFilePatterns: ["/(^|/)kubernetes/.+\\.ya?ml$/"] + managerFilePatterns: ["/\\.yaml(?:\\.j2)?$/"], }, } 
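Review bot: The new `managerFilePatterns: ["/\\.yaml(?:\\.j2)?$/"]` for the flux and kubernetes managers (and dropping the explicit `helm-values` block, which reverts that manager to Renovate's default pattern) widens the scan from `kubernetes/` to every `.yaml`/`.yaml.j2` in the repo, including `talos/*.yaml.j2`, `bootstrap/helmfile.d/*` and `.github/workflows`. Because the same file loads `autoMerge.json5` and `:automergeBranch`, check that the automerge rules (not in this diff) do not now also cover the Talos installer and kubelet image references that `overrides.json5` rewrites to `ghcr.io/siderolabs/installer`; a node-image bump should stay human-gated. If the intent was only to pick up the `.j2` templates, `"/(^|/)(kubernetes|talos|bootstrap)/.+\\.ya?ml(?:\\.j2)?$/"` keeps the scope explicit.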
diff --git a/.taskfiles/bootstrap/Taskfile.yaml b/.taskfiles/bootstrap/Taskfile.yaml index f0955fcb1..4733bab63 100644 --- a/.taskfiles/bootstrap/Taskfile.yaml +++ b/.taskfiles/bootstrap/Taskfile.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://taskfile.dev/schema.json version: '3' tasks: @@ -25,7 +26,8 @@ tasks: - defer: talosctl kubeconfig --nodes {{.RANDOM_CONTROLLER}} --force {{.KUBERNETES_DIR}} - until kubectl wait nodes --for=condition=Ready=False --all --timeout=10m; do sleep 5; done - op inject --in-file {{.BOOTSTRAP_DIR}}/secrets.yaml.tpl | kubectl apply --server-side --filename - - - helmfile --file {{.BOOTSTRAP_DIR}}/helmfile.yaml apply --skip-diff-on-install --suppress-diff + - helmfile --file {{.BOOTSTRAP_DIR}}/helmfile.d/00-crds.yaml template --quiet | kubectl apply --server-side --filename - + - helmfile --file {{.BOOTSTRAP_DIR}}/helmfile.d/01-apps.yaml sync --hide-notes vars: CONTEXT: sh: talosctl config info --output json | jq --raw-output '.context' @@ -35,6 +37,7 @@ tasks: - op user get --me - talosctl config info - talosctl --nodes {{.RANDOM_CONTROLLER}} get machineconfig - - test -f {{.BOOTSTRAP_DIR}}/helmfile.yaml + - test -f {{.BOOTSTRAP_DIR}}/helmfile.d/00-crds.yaml + - test -f {{.BOOTSTRAP_DIR}}/helmfile.d/01-apps.yaml - test -f {{.BOOTSTRAP_DIR}}/secrets.yaml.tpl - which helmfile jq kubectl op talosctl diff --git a/.taskfiles/kubernetes/Taskfile.yaml b/.taskfiles/kubernetes/Taskfile.yaml index fff988404..79f0c2020 100644 --- a/.taskfiles/kubernetes/Taskfile.yaml +++ b/.taskfiles/kubernetes/Taskfile.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://taskfile.dev/schema.json version: '3' tasks: 
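Review bot: The new `helmfile ... template --quiet | kubectl apply --server-side --filename -` step hides a failed render: the pipeline's status is kubectl's, so a chart that fails to template (or a post-renderer that exits non-zero) still lets kubectl apply whatever partial output it received, and the task then continues to `01-apps.yaml sync`. Add `set: [pipefail]` to the task (or to the root Taskfile) so either side failing aborts the bootstrap; the existing `op inject ... | kubectl apply` line benefits from the same setting. Note also that `--quiet` suppresses helmfile's own diagnostics, so when the render does fail the only evidence will be kubectl's complaint about an empty or truncated stream.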
@@ -49,15 +50,3 @@ tasks: cmd: kubectl delete pods --all-namespaces --field-selector status.phase={{.ITEM.PHASE}} --ignore-not-found=true preconditions: - which kubectl - - # https://docs.github.com/en/enterprise-cloud@latest/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#upgrading-arc - upgrade-arc: - desc: Upgrade the ARC - cmds: - - helm -n actions-runner-system uninstall k8s-gitops-runner - - helm -n actions-runner-system uninstall actions-runner-controller - - sleep 5 - - flux -n actions-runner-system reconcile hr actions-runner-controller - - flux -n actions-runner-system reconcile hr k8s-gitops-runner - preconditions: - - which flux helm diff --git a/.taskfiles/talos/Taskfile.yaml b/.taskfiles/talos/Taskfile.yaml index 4a2937fd1..ccfb22f54 100644 --- a/.taskfiles/talos/Taskfile.yaml +++ b/.taskfiles/talos/Taskfile.yaml @@ -1,21 +1,14 @@ --- +# yaml-language-server: $schema=https://taskfile.dev/schema.json version: '3' -vars: - SYSTEM_UPGRADE_KS: '{{.KUBERNETES_DIR}}/apps/system-upgrade/system-upgrade-controller/ks.yaml' - -env: - KUBERNETES_VERSION: - sh: yq '.spec.postBuild.substitute.KUBERNETES_VERSION | select(.)' {{.SYSTEM_UPGRADE_KS}} - TALOS_VERSION: - sh: yq '.spec.postBuild.substitute.TALOS_VERSION | select(.)' {{.SYSTEM_UPGRADE_KS}} - tasks: apply-node: - desc: Apply Talos config to a node [NODE=required] [MODE=auto] - cmd: |- - minijinja-cli {{.TALOS_DIR}}/machineconfig.yaml.j2 | op inject \ + desc: Apply Talos config to a node [NODE=required] [MODE={{.MODE}}] + cmd: | + minijinja-cli --define "machinetype={{.MACHINE_TYPE}}" {{.TALOS_DIR}}/machineconfig.yaml.j2 \ + | op inject \ | talosctl --nodes {{.NODE}} apply-config \ --mode {{.MODE}} \ --config-patch @{{.TALOS_DIR}}/{{.MACHINE_TYPE}}/{{.NODE}}.yaml \ 
@@ -28,12 +21,6 @@ tasks: sh: |- talosctl --nodes {{.NODE}} get machinetypes --output=jsonpath='{.spec}' 2> /dev/null \ || basename $(find '{{.TALOS_DIR}}' -name '{{.NODE}}.yaml' -printf '%h') - env: - MACHINE_TYPE: '{{.MACHINE_TYPE}}' - TALOS_SCHEMATIC: - sh: |- - curl --silent -X POST --data-binary @{{.TALOS_DIR}}/schematic.yaml https://factory.talos.dev/schematics \ - | jq --raw-output '.id' requires: vars: [NODE] preconditions: @@ -41,8 +28,7 @@ tasks: - talosctl config info - test -f {{.TALOS_DIR}}/machineconfig.yaml.j2 - test -f {{.TALOS_DIR}}/{{.MACHINE_TYPE}}/{{.NODE}}.yaml - - test -f {{.TALOS_DIR}}/schematic.yaml - - which curl jq minijinja-cli op talosctl + - which minijinja-cli op talosctl upgrade-node: desc: Upgrade Talos on a single node [NODE=required] @@ -61,19 +47,8 @@ tasks: - talosctl --nodes {{.NODE}} get machineconfig - which minijinja-cli talosctl yq - upgrade-k8s: - desc: Upgrade Kubernetes across the whole cluster - cmd: talosctl --nodes {{.RANDOM_CONTROLLER}} upgrade-k8s --to $KUBERNETES_VERSION - vars: - RANDOM_CONTROLLER: - sh: talosctl config info --output json | jq --raw-output '.endpoints[]' | shuf -n 1 - preconditions: - - talosctl config info - - talosctl --nodes {{.RANDOM_CONTROLLER}} get machineconfig - - which jq talosctl - reboot-node: - desc: Reboot Talos on a single node [NODE=required] [MODE=default] + desc: Reboot Talos on a single node [NODE=required] [MODE={{.MODE}}] cmd: talosctl --nodes {{.NODE}} reboot --mode={{.MODE}} vars: MODE: '{{.MODE | default "default"}}' @@ -119,7 +94,7 @@ tasks: - talosctl --nodes {{.NODES}} get machineconfig - which jq talosctl - kubeconfig: + generate-kubeconfig: desc: Generate the kubeconfig for a Talos cluster cmd: talosctl kubeconfig --nodes {{.RANDOM_CONTROLLER}} --force {{.KUBERNETES_DIR}} vars: 
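Review bot: apply-node no longer computes `TALOS_SCHEMATIC` from `schematic.yaml`, and nothing in this hunk replaces it, so the install image's schematic ID must now be hardcoded wherever `machineconfig.yaml.j2` references `factory.talos.dev` (the Renovate override for that host in this commit suggests it is) and can silently drift from `schematic.yaml.j2` when the schematic is edited. Consider a precondition in apply-node that compares the ID returned by `task --silent talos:generate-schematic` with the one present in the rendered machineconfig before `talosctl apply-config` runs, so a stale ID is caught rather than booted. The apply-node `cmd` block begins at the previous hunk and its trailing `--config-patch` arguments continue outside the hunk.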
@@ -129,3 +104,26 @@ tasks: - talosctl config info - talosctl --nodes {{.RANDOM_CONTROLLER}} get machineconfig - which jq talosctl + + generate-iso: + desc: Generate a Talos ISO for a specific version [VERSION=required] + cmd: | + curl -L -o {{.TALOS_DIR}}/talos-{{.VERSION}}.iso \ + https://factory.talos.dev/image/{{.TALOS_SCHEMATIC}}/{{.VERSION}}/metal-amd64.iso + vars: + TALOS_SCHEMATIC: + sh: task --silent talos:generate-schematic + requires: + vars: [VERSION] + preconditions: + - which curl task + + generate-schematic: + desc: Generate a Talos schematic + cmd: | + minijinja-cli {{.TALOS_DIR}}/schematic.yaml.j2 \ + | curl --silent -X POST --data-binary @- https://factory.talos.dev/schematics \ + | jq --raw-output '.id' + preconditions: + - test -f {{.TALOS_DIR}}/schematic.yaml.j2 + - which curl jq minijinja-cli diff --git a/.taskfiles/volsync/Taskfile.yaml b/.taskfiles/volsync/Taskfile.yaml index c64ae15a1..cc9b72980 100644 --- a/.taskfiles/volsync/Taskfile.yaml +++ b/.taskfiles/volsync/Taskfile.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://taskfile.dev/schema.json version: '3' # Taskfile used to manage certain VolSync tasks for a given application, limitations are as followed. diff --git a/.taskfiles/workstation/Taskfile.yaml b/.taskfiles/workstation/Taskfile.yaml deleted file mode 100644 index af1f2d4b3..000000000 --- a/.taskfiles/workstation/Taskfile.yaml +++ /dev/null 
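Review bot: `curl -L -o {{.TALOS_DIR}}/talos-{{.VERSION}}.iso ...` in generate-iso runs without `--fail`, so a 404/5xx response body is written to the `.iso` file with exit status 0; this is likely whenever generate-schematic's POST fails, because `jq --raw-output '.id'` then prints `null` and the URL becomes `/image/null/...`. Use `curl --fail --location --output ...` in generate-iso and `curl --fail --silent ...` in generate-schematic so both tasks stop on an error response. The downloaded image is also not integrity-checked; if the factory publishes a checksum or signature for the asset, verify it here, otherwise at least print `sha256sum` of the file together with the schematic ID so the boot media can later be tied to a known schematic.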
@@ -1,26 +0,0 @@ ---- -version: '3' - -vars: - WORKSTATION_RESOURCES_DIR: '{{.ROOT_DIR}}/.taskfiles/workstation/resources' - -tasks: - - brew: - desc: Set up Homebrew tools - cmd: brew bundle --file {{.WORKSTATION_RESOURCES_DIR}}/Brewfile - sources: - - '{{.WORKSTATION_RESOURCES_DIR}}/Brewfile' - generates: - - '{{.WORKSTATION_RESOURCES_DIR}}/Brewfile.lock.json' - preconditions: - - which brew - - test -f {{.WORKSTATION_RESOURCES_DIR}}/Brewfile - - krew: - desc: Set up Krew tools - deps: [brew] - cmd: kubectl krew install cert-manager cnpg browse-pvc node-shell view-secret - preconditions: - - kubectl krew version - - which kubectl diff --git a/.taskfiles/workstation/resources/Brewfile b/.taskfiles/workstation/resources/Brewfile deleted file mode 100644 index 52ba87988..000000000 --- a/.taskfiles/workstation/resources/Brewfile +++ /dev/null @@ -1,26 +0,0 @@ -tap "fluxcd/tap" -tap "go-task/tap" -tap "siderolabs/tap" -brew "age" -brew "cloudflared" -brew "fluxcd/tap/flux" -brew "gh" -brew "go-task/tap/go-task" -brew "helm" -brew "helmfile" -brew "jq" -brew "k9s" -brew "krew" -brew "kubecolor" -brew "kubeconform" -brew "kubernetes-cli" -brew "kustomize" -brew "minijinja-cli" -brew "mise" -brew "moreutils" -brew "siderolabs/tap/talosctl" -brew "stern" -brew "viddy" -brew "yq" -cask "1password" -cask "1password-cli" diff --git a/.vscode/settings.json b/.vscode/settings.json index dbb68f9c2..8d923a1d4 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -10,11 +10,12 @@ "editor.stickyScroll.enabled": false, "explorer.autoReveal": false, "files.associations": { - "**/*.json5": "json5" + "**/*.json5": "json5", + "**/*.yaml.j2": "yaml" }, "files.trimTrailingWhitespace": true, "material-icon-theme.files.associations": { - "helmfile.yaml": "helm", + "*.gotmpl": "smarty", "kubeconfig": "kubernetes", "talosconfig": "kubernetes" }, 
@@ -23,19 +24,20 @@ ".github/workflows": "ci", ".renovate": "robot", "bootstrap": "seeders", + "bootstrap/helmfile.d": "helm", "flux": "pipe", "talos": "linux", // namespaces "actions-runner-system": "github", "cert-manager": "guard", - "democratic-csi": "dump", + "default": "home", + "democratic-csi": "base", "external-secrets": "secure", "flux-system": "pipe", "kube-system": "kubernetes", "media": "video", "observability": "event", "networking": "connection", - "openebs-system": "base", "system-upgrade": "update", "volsync-system": "aws" }, diff --git a/Taskfile.yaml b/Taskfile.yaml index 8f564c260..4da03a2bf 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -19,7 +19,6 @@ includes: kubernetes: .taskfiles/kubernetes talos: .taskfiles/talos volsync: .taskfiles/volsync - workstation: .taskfiles/workstation tasks: diff --git a/bootstrap/helmfile.d/00-crds.yaml b/bootstrap/helmfile.d/00-crds.yaml new file mode 100644 index 000000000..c0d3c6499 --- /dev/null +++ b/bootstrap/helmfile.d/00-crds.yaml 
@@ -0,0 +1,31 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/helmfile + +# This helmfile is for installing Custom Resource Definitions (CRDs) from Helm charts. +# It is not intended to be used with helmfile apply or sync. + +helmDefaults: + args: ['--include-crds', '--no-hooks'] # Prevent helmfile apply or sync + postRenderer: bash + postRendererArgs: [-c, "yq ea --exit-status 'select(.kind == \"CustomResourceDefinition\")'"] + +releases: + - name: external-secrets + namespace: external-secrets + chart: oci://ghcr.io/external-secrets/charts/external-secrets + version: 0.19.2 + + - name: gateway-api-crds + namespace: kube-system + chart: oci://ghcr.io/wiremind/wiremind-helm-charts/gateway-api-crds + version: 1.3.0 + + - name: keda + namespace: observability + chart: oci://ghcr.io/home-operations/charts-mirror/keda + version: 2.17.2 + + - name: kube-prometheus-stack + namespace: observability + chart: oci://ghcr.io/prometheus-community/charts/kube-prometheus-stack + version: 77.2.1 diff --git a/bootstrap/helmfile.yaml b/bootstrap/helmfile.d/01-apps.yaml similarity index 51% rename from bootstrap/helmfile.yaml rename to bootstrap/helmfile.d/01-apps.yaml index 0550acc7e..b26ccf6c7 100644 --- a/bootstrap/helmfile.yaml +++ b/bootstrap/helmfile.d/01-apps.yaml @@ -1,4 +1,6 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/helmfile + helmDefaults: cleanupOnFail: true wait: true @@ -9,9 +11,10 @@ releases: namespace: kube-system chart: oci://ghcr.io/home-operations/charts-mirror/cilium version: 1.18.1 - values: ["../kubernetes/apps/kube-system/cilium/app/helm/values.yaml"] + values: ['./templates/values.yaml.gotmpl'] hooks: - - events: ["postsync"] + - # Advertise Kubernetes VIP + events: ['postsync'] command: kubectl args: - apply 
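Review bot: These CRD charts are pinned by version tag only, with no digest or signature check, and three of them come from third-party mirrors (`home-operations/charts-mirror`, `wiremind`); the rendered output is then applied cluster-wide via `kubectl apply --server-side` during bootstrap. This is weaker than the Flux path in the same repo, where OCIRepository objects carry `verify: provider: cosign` (see the removed cloudnative-pg one), so the gap deserves a line in the header comment, and a `cosign verify` precondition in the bootstrap task for the charts whose publishers sign them would close it. Separately, the comment `# Prevent helmfile apply or sync` on `args` is easy to misread: `--include-crds` is a `helm template` flag, so what actually happens under apply/sync is an unknown-flag error from helm; `# --include-crds is template-only, so 'helmfile apply/sync' fails fast on this file` says what it does.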
@@ -19,40 +22,33 @@ releases: - --namespace=kube-system - --field-manager=kustomize-controller - --kustomize - - ../kubernetes/apps/kube-system/cilium/config + - ../../kubernetes/apps/kube-system/cilium/config showlogs: true - name: coredns namespace: kube-system chart: oci://ghcr.io/coredns/charts/coredns version: 1.43.3 - values: ["../kubernetes/apps/kube-system/coredns/app/helm/values.yaml"] - needs: ["kube-system/cilium"] + values: ['./templates/values.yaml.gotmpl'] + needs: ['kube-system/cilium'] - name: cert-manager namespace: cert-manager chart: oci://quay.io/jetstack/charts/cert-manager version: v1.18.2 - values: ["../kubernetes/apps/cert-manager/cert-manager/app/helm/values.yaml"] - needs: ["kube-system/coredns"] - - - name: external-secrets - namespace: external-secrets - chart: oci://ghcr.io/external-secrets/charts/external-secrets - version: 0.19.2 - values: ["../kubernetes/apps/external-secrets/external-secrets/app/helm/values.yaml"] - needs: ["cert-manager/cert-manager"] + values: ['./templates/values.yaml.gotmpl'] + needs: ['kube-system/coredns'] - name: flux-operator namespace: flux-system chart: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator version: 0.28.0 - values: ["../kubernetes/apps/flux-system/flux-operator/app/helm/values.yaml"] - needs: ["external-secrets/external-secrets"] + values: ['./templates/values.yaml.gotmpl'] + needs: ['cert-manager/cert-manager'] - name: flux-instance namespace: flux-system chart: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-instance version: 0.28.0 - values: ["../kubernetes/apps/flux-system/flux-instance/app/helm/values.yaml"] - needs: ["flux-system/flux-operator"] + values: ['./templates/values.yaml.gotmpl'] + needs: ['flux-system/flux-operator'] diff --git a/bootstrap/helmfile.d/templates/values.yaml.gotmpl b/bootstrap/helmfile.d/templates/values.yaml.gotmpl new file mode 100644 index 000000000..a3408610b --- /dev/null +++ b/bootstrap/helmfile.d/templates/values.yaml.gotmpl 
@@ -0,0 +1 @@ +{{ exec "yq" (list "select(.kind == \"HelmRelease\").spec.values" (printf "../../../kubernetes/apps/%s/%s/app/helmrelease.yaml" .Release.Namespace .Release.Name)) }} diff --git a/kubernetes/apps/actions-runner-system/actions-runner-controller/ks.yaml b/kubernetes/apps/actions-runner-system/actions-runner-controller/ks.yaml index 896395c9d..99c70103d 100644 --- a/kubernetes/apps/actions-runner-system/actions-runner-controller/ks.yaml +++ b/kubernetes/apps/actions-runner-system/actions-runner-controller/ks.yaml @@ -8,6 +8,11 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app + healthChecks: + - apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + name: *app + namespace: *namespace interval: 1h path: ./kubernetes/apps/actions-runner-system/actions-runner-controller/app prune: true @@ -18,7 +23,6 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true --- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization @@ -34,8 +38,6 @@ spec: namespace: *namespace - name: democratic-csi namespace: democratic-csi - - name: onepassword-store - namespace: external-secrets interval: 1h path: ./kubernetes/apps/actions-runner-system/actions-runner-controller/runners prune: true @@ -46,4 +48,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/cert-manager/cert-manager/app/helm/kustomizeconfig.yaml b/kubernetes/apps/cert-manager/cert-manager/app/helm/kustomizeconfig.yaml deleted file mode 100644 index 58f92ba15..000000000 --- a/kubernetes/apps/cert-manager/cert-manager/app/helm/kustomizeconfig.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -nameReference: - - kind: ConfigMap - version: v1 - fieldSpecs: - - path: spec/valuesFrom/name - kind: HelmRelease diff --git a/kubernetes/apps/cert-manager/cert-manager/app/helm/values.yaml b/kubernetes/apps/cert-manager/cert-manager/app/helm/values.yaml deleted file mode 100644 index a722de7a0..000000000 
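Review bot: `exec "yq"` copies `.spec.values` from the HelmRelease verbatim, but Flux applies `postBuild.substitute` to a HelmRelease before helm sees it and helmfile does not, so any `${VAR}` in those values (a pattern this repo uses, e.g. the removed `${POSTGRESQL_VERSION}` and `${SIDECAR_IMAGE_VERSION}`) reaches the chart literally during bootstrap. Either add a header comment stating that bootstrap HelmReleases must not rely on substitution, or have the template fail when the yq output still contains `${`. A HelmRelease without `.spec.values` also renders as `null`, which helm may reject as a values document; `select(.kind == "HelmRelease").spec.values // {}` gives an empty map instead.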
--- a/kubernetes/apps/cert-manager/cert-manager/app/helm/values.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -crds: - enabled: true -replicaCount: 1 -dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query -dns01RecursiveNameserversOnly: true -prometheus: - enabled: true - servicemonitor: - enabled: true diff --git a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml index 04d0ea0e3..4e561b7d2 100644 --- a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml @@ -28,6 +28,13 @@ spec: cleanupOnFail: true remediation: retries: 3 - valuesFrom: - - kind: ConfigMap - name: cert-manager-values + values: + crds: + enabled: true + replicaCount: 1 + dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query + dns01RecursiveNameserversOnly: true + prometheus: + enabled: true + servicemonitor: + enabled: true diff --git a/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml b/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml index 3d071e1e4..8ae526670 100644 --- a/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml @@ -4,9 +4,3 @@ kind: Kustomization resources: - ./helmrelease.yaml - ./prometheusrule.yaml -configMapGenerator: - - name: cert-manager-values - files: - - ./helm/values.yaml -configurations: - - ./helm/kustomizeconfig.yaml diff --git a/kubernetes/apps/cert-manager/cert-manager/ks.yaml b/kubernetes/apps/cert-manager/cert-manager/ks.yaml index 31fb6a086..5594395ba 100644 --- a/kubernetes/apps/cert-manager/cert-manager/ks.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/ks.yaml 
@@ -8,6 +8,11 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app + healthChecks: + - apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + name: *app + namespace: *namespace interval: 1h path: ./kubernetes/apps/cert-manager/cert-manager/app prune: true @@ -18,7 +23,6 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true --- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization @@ -32,8 +36,6 @@ spec: dependsOn: - name: cert-manager namespace: *namespace - - name: onepassword-store - namespace: external-secrets healthCheckExprs: - apiVersion: cert-manager.io/v1 kind: ClusterIssuer @@ -49,4 +51,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/databases/cloudnative-pg/app/helmrelease.yaml b/kubernetes/apps/databases/cloudnative-pg/app/helmrelease.yaml deleted file mode 100644 index 90d55efd1..000000000 --- a/kubernetes/apps/databases/cloudnative-pg/app/helmrelease.yaml +++ /dev/null @@ -1,39 +0,0 @@ ---- -apiVersion: source.toolkit.fluxcd.io/v1 -kind: OCIRepository -metadata: - name: cloudnative-pg -spec: - interval: 5m - layerSelector: - mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip - operation: copy - ref: - tag: 0.26.0 - url: oci://ghcr.io/cloudnative-pg/charts/cloudnative-pg - verify: - provider: cosign ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: cloudnative-pg -spec: - interval: 1h - chartRef: - kind: OCIRepository - name: cloudnative-pg - install: - remediation: - retries: -1 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - values: - crds: - create: true - monitoring: - podMonitorEnabled: false - grafanaDashboard: - create: true diff --git a/kubernetes/apps/databases/cloudnative-pg/app/kustomization.yaml b/kubernetes/apps/databases/cloudnative-pg/app/kustomization.yaml deleted file mode 100644 index 5dd7baca7..000000000 
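Review bot: Dropping `onepassword-store` from the issuers Kustomization's `dependsOn` removes the only ordering guarantee that the external-secrets ClusterSecretStore exists before the issuers are applied; if the ClusterIssuer pulls a DNS01 API token from an ExternalSecret (the `dns01RecursiveNameservers` settings elsewhere in this commit suggest so, but the issuer manifests are not in this diff), the first reconcile will fail its `healthCheckExprs` until the store and secret appear and then recover on retry. That is fine if intended, but it turns a clean dependency into a retry loop; keep the `dependsOn` or add a `healthChecks` entry for the token Secret. The same dependency was removed from the ARC runners Kustomization, and this Kustomization's spec continues outside the hunk.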
--- a/kubernetes/apps/databases/cloudnative-pg/app/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml diff --git a/kubernetes/apps/databases/cloudnative-pg/barman-cloud/certificate.yaml b/kubernetes/apps/databases/cloudnative-pg/barman-cloud/certificate.yaml deleted file mode 100644 index 31c2f5f6b..000000000 --- a/kubernetes/apps/databases/cloudnative-pg/barman-cloud/certificate.yaml +++ /dev/null @@ -1,40 +0,0 @@ ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: barman-cloud -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: barman-cloud-client -spec: - commonName: barman-cloud-client - duration: 2160h - isCA: false - issuerRef: - name: barman-cloud - kind: Issuer - group: cert-manager.io - renewBefore: 360h - secretName: barman-cloud-client-tls - usages: ["client auth"] ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: barman-cloud-server -spec: - commonName: barman-cloud - dnsNames: ["barman-cloud"] - duration: 2160h - isCA: false - issuerRef: - name: barman-cloud - kind: Issuer - group: cert-manager.io - renewBefore: 360h - secretName: barman-cloud-server-tls - usages: ["server auth"] diff --git a/kubernetes/apps/databases/cloudnative-pg/barman-cloud/helmrelease.yaml b/kubernetes/apps/databases/cloudnative-pg/barman-cloud/helmrelease.yaml deleted file mode 100644 index b067c829a..000000000 --- a/kubernetes/apps/databases/cloudnative-pg/barman-cloud/helmrelease.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app barman-cloud -spec: - interval: 1h - chartRef: - kind: OCIRepository - name: app-template - namespace: flux-system - install: - remediation: - retries: -1 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - values: - controllers: - barman-cloud: - containers: - app: - image: - repository: ghcr.io/cloudnative-pg/plugin-barman-cloud - tag: v0.6.0@sha256:2adabf02728307119a22c13abb9efc52371ad6d74106db6204c6dee5abe75fb8 - args: - - operator - - --leader-elect - - --server-cert=/server/tls.crt - - --server-key=/server/tls.key - - --client-cert=/client/tls.crt - - --server-address=:9090 - env: - SIDECAR_IMAGE: ghcr.io/cloudnative-pg/plugin-barman-cloud-sidecar:${SIDECAR_IMAGE_VERSION} - probes: - liveness: - enabled: true - custom: true - spec: - httpGet: - path: /healthz - port: &port 8081 - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - readiness: - enabled: true - custom: true - spec: - httpGet: - path: /readyz - port: *port - initialDelaySeconds: 0 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - resources: - requests: - cpu: 10m - limits: - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } - serviceAccount: - name: *app - defaultPodOptions: - securityContext: - runAsNonRoot: true - runAsUser: 568 - runAsGroup: 568 - persistence: - client: - type: secret - name: &clientCert barman-cloud-client-tls - server: - type: secret - name: &serverCert barman-cloud-server-tls - service: - app: - annotations: - cnpg.io/pluginClientSecret: *clientCert - cnpg.io/pluginPort: "9090" - cnpg.io/pluginServerSecret: *serverCert - labels: - cnpg.io/pluginName: barman-cloud.cloudnative-pg.io - ports: - http: - port: 9090 
diff --git a/kubernetes/apps/databases/cloudnative-pg/barman-cloud/kustomization.yaml b/kubernetes/apps/databases/cloudnative-pg/barman-cloud/kustomization.yaml deleted file mode 100644 index ff6ca5d3e..000000000 --- a/kubernetes/apps/databases/cloudnative-pg/barman-cloud/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - # renovate: datasource=github-releases depName=cloudnative-pg/plugin-barman-cloud - - https://raw.githubusercontent.com/cloudnative-pg/plugin-barman-cloud/refs/tags/v0.6.0/config/crd/bases/barmancloud.cnpg.io_objectstores.yaml - - ./certificate.yaml - - ./helmrelease.yaml - - ./rbac.yaml diff --git a/kubernetes/apps/databases/cloudnative-pg/barman-cloud/rbac.yaml b/kubernetes/apps/databases/cloudnative-pg/barman-cloud/rbac.yaml deleted file mode 100644 index d5b63ba15..000000000 --- a/kubernetes/apps/databases/cloudnative-pg/barman-cloud/rbac.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: barman-cloud ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: barman-cloud -rules: - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["create", "delete", "get", "list", "watch"] - - apiGroups: ["barmancloud.cnpg.io"] - resources: ["objectstores"] - verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] - - apiGroups: ["barmancloud.cnpg.io"] - resources: ["objectstores/finalizers"] - verbs: ["update"] - - apiGroups: ["barmancloud.cnpg.io"] - resources: ["objectstores/status"] - verbs: ["get", "patch", "update"] - - apiGroups: ["postgresql.cnpg.io"] - resources: ["backups"] - verbs: ["get", "list", "watch"] - - apiGroups: ["rbac.authorization.k8s.io"] - resources: ["rolebindings", "roles"] - verbs: ["create", "get", "list", "patch", "update", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: barman-cloud -roleRef: - kind: ClusterRole - name: barman-cloud - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: barman-cloud - namespace: databases diff --git a/kubernetes/apps/databases/cloudnative-pg/cluster/cluster.yaml b/kubernetes/apps/databases/cloudnative-pg/cluster/cluster.yaml deleted file mode 100644 index cf34f3756..000000000 --- a/kubernetes/apps/databases/cloudnative-pg/cluster/cluster.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: postgres - annotations: - cnpg.io/skipEmptyWalArchiveCheck: "enabled" -spec: - instances: 1 - imageName: ghcr.io/cloudnative-pg/postgresql:${POSTGRESQL_VERSION} - primaryUpdateStrategy: unsupervised - storage: - size: 20Gi - storageClass: democratic-csi-hostpath - superuserSecret: - name: cloudnative-pg-secret - enableSuperuserAccess: true - postgresql: - parameters: - max_connections: "200" - shared_buffers: 256MB - monitoring: - enablePodMonitor: true - plugins: - - name: barman-cloud.cloudnative-pg.io - isWALArchiver: true - parameters: ¶meters - barmanObjectName: r2 - serverName: postgres-v5 - bootstrap: - recovery: - source: source - externalClusters: - - name: source - plugin: - name: barman-cloud.cloudnative-pg.io - parameters: *parameters diff --git a/kubernetes/apps/databases/cloudnative-pg/cluster/externalsecret.yaml b/kubernetes/apps/databases/cloudnative-pg/cluster/externalsecret.yaml deleted file mode 100644 index a32e553c7..000000000 --- a/kubernetes/apps/databases/cloudnative-pg/cluster/externalsecret.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: cloudnative-pg -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword - target: - name: cloudnative-pg-secret - creationPolicy: Owner - template: - data: - username: "{{ .POSTGRES_SUPER_USER }}" - password: "{{ .POSTGRES_SUPER_PASS }}" - AWS_ACCESS_KEY_ID: "{{ .AWS_ACCESS_KEY_ID }}" - AWS_SECRET_ACCESS_KEY: "{{ .AWS_SECRET_ACCESS_KEY }}" - metadata: - labels: - cnpg.io/reload: "true" - dataFrom: - - extract: - key: cloudflare - - extract: - key: cloudnative-pg diff --git a/kubernetes/apps/databases/cloudnative-pg/cluster/kustomization.yaml b/kubernetes/apps/databases/cloudnative-pg/cluster/kustomization.yaml deleted file mode 100644 index e5d0ea13b..000000000 
--- a/kubernetes/apps/databases/cloudnative-pg/cluster/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./cluster.yaml - - ./externalsecret.yaml - - ./objectstore.yaml - - ./prometheusrule.yaml - - ./scheduledbackup.yaml diff --git a/kubernetes/apps/databases/cloudnative-pg/cluster/objectstore.yaml b/kubernetes/apps/databases/cloudnative-pg/cluster/objectstore.yaml deleted file mode 100644 index 166507a72..000000000 --- a/kubernetes/apps/databases/cloudnative-pg/cluster/objectstore.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -apiVersion: barmancloud.cnpg.io/v1 -kind: ObjectStore -metadata: - name: r2 -spec: - configuration: - data: - compression: bzip2 - destinationPath: s3://barman-nnxw73pk/ - endpointURL: https://3cb7f302f39808f599c8266fce4ea8b8.r2.cloudflarestorage.com - s3Credentials: - accessKeyId: - name: cloudnative-pg-secret - key: AWS_ACCESS_KEY_ID - secretAccessKey: - name: cloudnative-pg-secret - key: AWS_SECRET_ACCESS_KEY - wal: - compression: bzip2 - maxParallel: 8 - retentionPolicy: 30d diff --git a/kubernetes/apps/databases/cloudnative-pg/cluster/prometheusrule.yaml b/kubernetes/apps/databases/cloudnative-pg/cluster/prometheusrule.yaml deleted file mode 100644 index a7769739f..000000000 --- a/kubernetes/apps/databases/cloudnative-pg/cluster/prometheusrule.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ ---- -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: cloudnative-pg -spec: - groups: - - name: cloudnative-pg.rules - rules: - - alert: LongRunningTransaction - expr: |- - cnpg_backends_max_tx_duration_seconds > 300 - for: 5m - annotations: - summary: >- - Pod {{ $labels.pod }} is taking more than {{ $value }} seconds for a query. - labels: - severity: critical - - - alert: BackendsWaiting - expr: |- - cnpg_backends_waiting_total > 300 - for: 5m - annotations: - summary: >- - Pod {{ $labels.pod }} has been waiting for longer than {{ $value }} seconds - labels: - severity: critical - - - alert: PGDatabase - expr: |- - cnpg_pg_database_xid_age > 300000000 - for: 5m - annotations: - summary: >- - Over {{ $value }} transactions from frozen xid on pod {{ $labels.pod }} - labels: - severity: critical - - - alert: PGReplication - expr: |- - cnpg_pg_replication_lag > 300 - for: 5m - annotations: - summary: >- - Standby is lagging behind by over {{ $value }} seconds - labels: - severity: critical - - - alert: LastFailedArchiveTime - expr: |- - (cnpg_pg_stat_archiver_last_failed_time - cnpg_pg_stat_archiver_last_archived_time) > 1 - for: 5m - annotations: - summary: >- - Archiving failed for {{ $labels.pod }} - labels: - severity: critical - - - alert: DatabaseDeadlockConflicts - expr: |- - cnpg_pg_stat_database_deadlocks > 10 - for: 5m - annotations: - summary: >- - There are over {{ $value }} deadlock conflicts in {{ $labels.pod }} - labels: - severity: critical - - - alert: ReplicaFailingReplication - expr: |- - cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up - for: 5m - annotations: - summary: >- - Replica {{ $labels.pod }} is failing to replicate - labels: - severity: critical diff --git a/kubernetes/apps/databases/cloudnative-pg/cluster/scheduledbackup.yaml b/kubernetes/apps/databases/cloudnative-pg/cluster/scheduledbackup.yaml deleted file mode 100644 index 56ba90872..000000000 
--- a/kubernetes/apps/databases/cloudnative-pg/cluster/scheduledbackup.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: postgresql.cnpg.io/v1 -kind: ScheduledBackup -metadata: - name: postgres -spec: - backupOwnerReference: self - cluster: - name: postgres - immediate: true - method: plugin - pluginConfiguration: - name: barman-cloud.cloudnative-pg.io - schedule: "@daily" diff --git a/kubernetes/apps/databases/cloudnative-pg/ks.yaml b/kubernetes/apps/databases/cloudnative-pg/ks.yaml deleted file mode 100644 index 39a12222c..000000000 --- a/kubernetes/apps/databases/cloudnative-pg/ks.yaml +++ /dev/null 
@@ -1,90 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app cloudnative-pg - namespace: &namespace databases -spec: - commonMetadata: - labels: - app.kubernetes.io/name: *app - interval: 1h - path: ./kubernetes/apps/databases/cloudnative-pg/app - prune: true - retryInterval: 2m - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - targetNamespace: *namespace - timeout: 5m - wait: true ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app cloudnative-pg-barman-cloud - namespace: &namespace databases -spec: - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: cert-manager - namespace: cert-manager - - name: cloudnative-pg - namespace: *namespace - interval: 1h - path: ./kubernetes/apps/databases/cloudnative-pg/barman-cloud - postBuild: - substitute: - # renovate: datasource=docker depName=ghcr.io/cloudnative-pg/plugin-barman-cloud-sidecar - SIDECAR_IMAGE_VERSION: v0.6.0 - prune: true - retryInterval: 2m - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - targetNamespace: *namespace - timeout: 5m - wait: true ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app cloudnative-pg-cluster - namespace: &namespace databases -spec: - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: cloudnative-pg - namespace: *namespace - - name: cloudnative-pg-barman-cloud - namespace: *namespace - - name: democratic-csi - namespace: democratic-csi - - name: onepassword-store - namespace: external-secrets - healthCheckExprs: - - apiVersion: postgresql.cnpg.io/v1 - kind: Cluster - failed: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'False') - current: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True') - interval: 1h - path: ./kubernetes/apps/databases/cloudnative-pg/cluster - postBuild: - substitute: - 
# renovate: datasource=docker depName=ghcr.io/cloudnative-pg/postgresql - POSTGRESQL_VERSION: 15.14-bookworm - prune: true - retryInterval: 2m - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - targetNamespace: *namespace - timeout: 5m - wait: true diff --git a/kubernetes/apps/databases/kustomization.yaml b/kubernetes/apps/databases/kustomization.yaml deleted file mode 100644 index 020586f6f..000000000 --- a/kubernetes/apps/databases/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: databases -components: - - ../../components/common -resources: - - ./cloudnative-pg/ks.yaml diff --git a/kubernetes/apps/democratic-csi/democratic-csi/ks.yaml b/kubernetes/apps/democratic-csi/democratic-csi/ks.yaml index bf4419a7b..eb9a5799d 100644 --- a/kubernetes/apps/democratic-csi/democratic-csi/ks.yaml +++ b/kubernetes/apps/democratic-csi/democratic-csi/ks.yaml @@ -9,8 +9,13 @@ spec: labels: app.kubernetes.io/name: *app dependsOn: - - name: snapshot-controller + - name: volsync namespace: volsync-system + healthChecks: + - apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + name: *app + namespace: *namespace interval: 1h path: ./kubernetes/apps/democratic-csi/democratic-csi/app prune: true @@ -21,4 +26,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/external-secrets/external-secrets/app/helm/kustomizeconfig.yaml b/kubernetes/apps/external-secrets/external-secrets/app/helm/kustomizeconfig.yaml deleted file mode 100644 index 58f92ba15..000000000 --- a/kubernetes/apps/external-secrets/external-secrets/app/helm/kustomizeconfig.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -nameReference: - - kind: ConfigMap - version: v1 - fieldSpecs: - - path: spec/valuesFrom/name - kind: HelmRelease 
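Review bot: The new `healthChecks` entry uses `name: *app`, i.e. the Kustomization's own name, so it only gates on a HelmRelease that happens to be called `democratic-csi`; if the HelmRelease under `app/` carries a different name the check can never pass and the Kustomization times out after `timeout: 5m`. The same assumption appears in the onepassword (`@@ -8,8 +8,10 @@`), flux-operator, cilium and intel-device-plugin ks.yaml hunks of this diff. The dependency also moves from `snapshot-controller` to `volsync`, which reverses the usual order (a backup tool normally depends on the CSI driver that provides its volumes); if volsync's Kustomization in turn lists democratic-csi, Flux reports a circular dependency and neither reconciles, so that is worth confirming. A one-line comment such as `# volsync provides the snapshot CRDs this driver needs` (if that is the reason) would make the swap self-explanatory.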
diff --git a/kubernetes/apps/external-secrets/external-secrets/app/helm/values.yaml b/kubernetes/apps/external-secrets/external-secrets/app/helm/values.yaml deleted file mode 100644 index 056ebc787..000000000 --- a/kubernetes/apps/external-secrets/external-secrets/app/helm/values.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -installCRDs: true -replicaCount: 1 -leaderElect: true -image: - repository: ghcr.io/external-secrets/external-secrets -webhook: - image: - repository: ghcr.io/external-secrets/external-secrets - serviceMonitor: - enabled: true - interval: 1m -certController: - image: - repository: ghcr.io/external-secrets/external-secrets - serviceMonitor: - enabled: true - interval: 1m -serviceMonitor: - enabled: true - interval: 1m diff --git a/kubernetes/apps/external-secrets/external-secrets/app/helmrelease.yaml b/kubernetes/apps/external-secrets/external-secrets/app/helmrelease.yaml index 829fd0ae8..8ba35b634 100644 --- a/kubernetes/apps/external-secrets/external-secrets/app/helmrelease.yaml +++ b/kubernetes/apps/external-secrets/external-secrets/app/helmrelease.yaml @@ -30,6 +30,23 @@ spec: cleanupOnFail: true remediation: retries: 3 - valuesFrom: - - kind: ConfigMap - name: external-secrets-values + values: + replicaCount: 1 + leaderElect: true + image: + repository: ghcr.io/external-secrets/external-secrets + webhook: + image: + repository: ghcr.io/external-secrets/external-secrets + serviceMonitor: + enabled: true + interval: 1m + certController: + image: + repository: ghcr.io/external-secrets/external-secrets + serviceMonitor: + enabled: true + interval: 1m + serviceMonitor: + enabled: true + interval: 1m diff --git a/kubernetes/apps/external-secrets/external-secrets/app/kustomization.yaml b/kubernetes/apps/external-secrets/external-secrets/app/kustomization.yaml index 344590f4c..5dd7baca7 100644 --- a/kubernetes/apps/external-secrets/external-secrets/app/kustomization.yaml +++ b/kubernetes/apps/external-secrets/external-secrets/app/kustomization.yaml 
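Review bot: The inlined `values` block drops `installCRDs: true`, which the deleted `helm/values.yaml` set explicitly; every other key is carried over verbatim. If the chart defaults that flag to true this is a no-op, but the onepassword Kustomization in this same diff also stops depending on external-secrets, so any ClusterSecretStore/ExternalSecret objects in the repo now rely entirely on the CRDs being installed by chart default. Either restore `installCRDs: true` or record the reliance with `# CRDs come from the chart default (installCRDs: true)` above `replicaCount: 1`.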
@@ -3,9 +3,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helmrelease.yaml -configMapGenerator: - - name: external-secrets-values - files: - - ./helm/values.yaml -configurations: - - ./helm/kustomizeconfig.yaml diff --git a/kubernetes/apps/external-secrets/external-secrets/ks.yaml b/kubernetes/apps/external-secrets/external-secrets/ks.yaml index 438f4e44c..9d2e7796f 100644 --- a/kubernetes/apps/external-secrets/external-secrets/ks.yaml +++ b/kubernetes/apps/external-secrets/external-secrets/ks.yaml @@ -18,4 +18,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/external-secrets/onepassword/app/helmrelease.yaml b/kubernetes/apps/external-secrets/onepassword/app/helmrelease.yaml index 437a1abdd..cea7622a3 100644 --- a/kubernetes/apps/external-secrets/onepassword/app/helmrelease.yaml +++ b/kubernetes/apps/external-secrets/onepassword/app/helmrelease.yaml @@ -25,8 +25,8 @@ spec: containers: api: image: - repository: docker.io/1password/connect-api - tag: 1.7.4@sha256:f97189814239381e6dd88577f2b0b838a64e006a460608455b3127c15b174601 + repository: ghcr.io/1password/connect-api + tag: 1.7.4@sha256:7d2132985f2f05b7fe4cfaf76314adeeb5abb745f051685b1c561130ab22ade3 env: XDG_DATA_HOME: &configDir /config OP_HTTP_PORT: &apiPort 80 @@ -35,7 +35,7 @@ spec: OP_SESSION: valueFrom: secretKeyRef: - name: onepassword-secret + name: "{{ .Release.Name }}-secret" key: 1password-credentials.json probes: liveness: @@ -45,8 +45,9 @@ spec: httpGet: path: /heartbeat port: *apiPort - initialDelaySeconds: 15 - periodSeconds: 30 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 failureThreshold: 3 readiness: enabled: true 
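Review bot: `wait: true` is removed here without adding a `healthChecks` list, unlike the democratic-csi, onepassword, flux-operator, cilium and intel-device-plugin Kustomizations in this diff, so this Kustomization is marked Ready as soon as the HelmRelease object is applied rather than when the chart is installed. Anything that still lists `external-secrets` in `dependsOn` therefore proceeds before the CRDs and webhook exist and may fail its first reconcile on unknown `ExternalSecret`/`ClusterSecretStore` kinds. The same pattern (wait dropped, no health check visible) applies to the flux-instance, coredns, metrics-server and reloader ks.yaml hunks; the second Kustomizations in onepassword and intel-device-plugin ks.yaml also drop `wait` but their health-check status is outside the hunk. Adding the block used by the other files (next to `commonMetadata`, before `interval`) keeps the previous readiness semantics; the enclosing `spec:` starts before the hunk.
```yaml
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *app
      namespace: *namespace
  # … unchanged: interval, path, prune, sourceRef, targetNamespace, timeout …
```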
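Review bot: `name: "{{ .Release.Name }}-secret"` is a Go-template string inside Helm values; it only becomes `onepassword-secret` if the app-template chart renders this field through `tpl`, otherwise the pod references a Secret literally named `{{ .Release.Name }}-secret` and fails to start with a missing-secret error. Even when rendered, the value now silently depends on the HelmRelease being named `onepassword`, which the old literal did not. The sync container gets the same change in `@@ -72,7 +76,7 @@`. A comment above the field would pin the assumption: `# rendered via tpl by the chart; the release name must stay "onepassword" so this resolves to onepassword-secret`.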
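Review bot: The liveness probe now combines `timeoutSeconds: 1`, `periodSeconds: 10` and `failureThreshold: 3`, so three `/heartbeat` responses slower than one second within 30 s restart the api container, where the previous `periodSeconds: 30` tolerated roughly 90 s. The connect-api process holds the 1Password session that the `onepassword` ClusterSecretStore refreshes go through, so an overly tight liveness timeout turns transient slowness into a restart loop and a secrets outage. The same values are applied to the readiness probes and the sync container in `@@ -55,15 +56,18 @@`, `@@ -82,8 +86,9 @@` and `@@ -92,9 +97,13 @@`. Keeping the 1 s timeout for readiness is fine; for liveness consider `timeoutSeconds: 3` or `failureThreshold: 5` so only a genuinely hung process is killed.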
@@ -55,15 +56,18 @@ spec: httpGet: path: /health port: *apiPort - initialDelaySeconds: 15 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 securityContext: &securityContext allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: { drop: ["ALL"] } sync: image: - repository: docker.io/1password/connect-sync - tag: 1.7.4@sha256:27e7ec47e1ad8eaa2f54764fa0736954a5119d0155dea3c923c481c89c5f964c + repository: ghcr.io/1password/connect-sync + tag: 1.7.4@sha256:b2b9beb06e40615c55f698e2efc06cad5bdb1f82e09e60d1aac6d7bf3d57ec43 env: XDG_DATA_HOME: *configDir OP_HTTP_PORT: &syncPort 8081 @@ -72,7 +76,7 @@ spec: OP_SESSION: valueFrom: secretKeyRef: - name: onepassword-secret + name: "{{ .Release.Name }}-secret" key: 1password-credentials.json probes: liveness: @@ -82,8 +86,9 @@ spec: httpGet: path: /heartbeat port: *syncPort - initialDelaySeconds: 15 - periodSeconds: 30 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 failureThreshold: 3 readiness: enabled: true @@ -92,9 +97,13 @@ spec: httpGet: path: /health port: *syncPort - initialDelaySeconds: 15 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 securityContext: *securityContext defaultPodOptions: + hostUsers: false securityContext: runAsNonRoot: true runAsUser: 999 diff --git a/kubernetes/apps/external-secrets/onepassword/ks.yaml b/kubernetes/apps/external-secrets/onepassword/ks.yaml index 8568aea30..6e47cd766 100644 --- a/kubernetes/apps/external-secrets/onepassword/ks.yaml +++ b/kubernetes/apps/external-secrets/onepassword/ks.yaml @@ -8,8 +8,10 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app - dependsOn: - - name: external-secrets + healthChecks: + - apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + name: *app namespace: *namespace interval: 1h path: ./kubernetes/apps/external-secrets/onepassword/app 
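Review bot: `hostUsers: false` puts the pods in a user namespace, a good hardening step alongside `runAsNonRoot`/`runAsUser: 999`, but it depends on the kubelet's UserNamespacesSupport feature and a runtime with idmapped-mount support: with the gate off the field is silently dropped (no isolation, no error), and with the gate on but no runtime support pod creation fails. This is the only place in the diff that enables it, so the requirement should be visible at the field, e.g. `# user namespaces: needs UserNamespacesSupport on the kubelet and idmap support in the runtime`. Confirming it against the node runtime version rather than assuming it would avoid a surprise on the next node upgrade.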
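Review bot: This Kustomization drops its only `dependsOn` (external-secrets) and replaces it with a health check on its own HelmRelease, so the 1Password Connect release is no longer ordered after external-secrets at all. That is fine if `./kubernetes/apps/external-secrets/onepassword/app` holds only the Connect HelmRelease and its bootstrap Secret; if the ClusterSecretStore lives here rather than in the second Kustomization of this file (whose `dependsOn` is outside the hunk), it will be applied before the `external-secrets.io` CRDs exist and fail until the next retry. Worth confirming, and a comment such as `# no dependsOn: Connect itself needs nothing from external-secrets` would record the intent.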
@@ -21,7 +23,6 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true --- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization @@ -50,4 +51,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/flux-system/flux-instance/app/helm/kustomizeconfig.yaml b/kubernetes/apps/flux-system/flux-instance/app/helm/kustomizeconfig.yaml deleted file mode 100644 index 58f92ba15..000000000 --- a/kubernetes/apps/flux-system/flux-instance/app/helm/kustomizeconfig.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -nameReference: - - kind: ConfigMap - version: v1 - fieldSpecs: - - path: spec/valuesFrom/name - kind: HelmRelease diff --git a/kubernetes/apps/flux-system/flux-instance/app/helm/values.yaml b/kubernetes/apps/flux-system/flux-instance/app/helm/values.yaml deleted file mode 100644 index 9464ecaa5..000000000 --- a/kubernetes/apps/flux-system/flux-instance/app/helm/values.yaml +++ /dev/null 
@@ -1,101 +0,0 @@ ---- -instance: - distribution: - # renovate: datasource=github-releases depName=controlplaneio-fluxcd/distribution - version: 2.6.4 - cluster: - networkPolicy: false - components: - - source-controller - - kustomize-controller - - helm-controller - - notification-controller - sync: - kind: GitRepository - url: https://github.com/dotcomscripts/k8s-gitops - ref: refs/heads/main - path: ./kubernetes/flux/cluster - interval: 1h - commonMetadata: - labels: - app.kubernetes.io/name: flux - kustomize: - patches: - - # Increase the number of workers - patch: | - - op: add - path: /spec/template/spec/containers/0/args/- - value: --concurrent=10 - - op: add - path: /spec/template/spec/containers/0/args/- - value: --requeue-dependency=5s - target: - kind: Deployment - name: (kustomize-controller|helm-controller|source-controller) - - # Increase the memory limits - patch: | - apiVersion: apps/v1 - kind: Deployment - metadata: - name: all - spec: - template: - spec: - containers: - - name: manager - resources: - limits: - memory: 2Gi - target: - kind: Deployment - name: (kustomize-controller|helm-controller|source-controller) - - # Enable in-memory kustomize builds - patch: | - - op: add - path: /spec/template/spec/containers/0/args/- - value: --concurrent=20 - - op: replace - path: /spec/template/spec/volumes/0 - value: - name: temp - emptyDir: - medium: Memory - target: - kind: Deployment - name: kustomize-controller - - # Enable Helm repositories caching - patch: | - - op: add - path: /spec/template/spec/containers/0/args/- - value: --helm-cache-max-size=10 - - op: add - path: /spec/template/spec/containers/0/args/- - value: --helm-cache-ttl=60m - - op: add - path: /spec/template/spec/containers/0/args/- - value: --helm-cache-purge-interval=5m - target: - kind: Deployment - name: source-controller - - # Flux near OOM detection for Helm - patch: | - - op: add - path: /spec/template/spec/containers/0/args/- - value: --feature-gates=OOMWatch=true - - op: add 
- path: /spec/template/spec/containers/0/args/- - value: --oom-watch-memory-threshold=95 - - op: add - path: /spec/template/spec/containers/0/args/- - value: --oom-watch-interval=500ms - target: - kind: Deployment - name: helm-controller - - # Disable chart digest tracking - patch: | - - op: add - path: /spec/template/spec/containers/0/args/- - value: --feature-gates=DisableChartDigestTracking=true - target: - kind: Deployment - name: helm-controller diff --git a/kubernetes/apps/flux-system/flux-instance/app/helmrelease.yaml b/kubernetes/apps/flux-system/flux-instance/app/helmrelease.yaml index 589815a00..44ddf961b 100644 --- a/kubernetes/apps/flux-system/flux-instance/app/helmrelease.yaml +++ b/kubernetes/apps/flux-system/flux-instance/app/helmrelease.yaml 
@@ -30,6 +30,104 @@ spec: cleanupOnFail: true remediation: retries: 3 - valuesFrom: - - kind: ConfigMap - name: flux-instance-values + values: + instance: + distribution: + # renovate: datasource=github-releases depName=controlplaneio-fluxcd/distribution + version: 2.6.4 + cluster: + networkPolicy: false + components: + - source-controller + - kustomize-controller + - helm-controller + - notification-controller + sync: + kind: GitRepository + url: https://github.com/dotcomscripts/k8s-gitops + ref: refs/heads/main + path: ./kubernetes/flux/cluster + interval: 1h + commonMetadata: + labels: + app.kubernetes.io/name: flux + kustomize: + patches: + - # Increase the number of workers + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --concurrent=10 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --requeue-dependency=5s + target: + kind: Deployment + name: (kustomize-controller|helm-controller|source-controller) + - # Increase the memory limits + patch: | + apiVersion: apps/v1 + kind: Deployment + metadata: + name: all + spec: + template: + spec: + containers: + - name: manager + resources: + limits: + memory: 2Gi + target: + kind: Deployment + name: (kustomize-controller|helm-controller|source-controller) + - # Enable in-memory kustomize builds + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --concurrent=20 + - op: replace + path: /spec/template/spec/volumes/0 + value: + name: temp + emptyDir: + medium: Memory + target: + kind: Deployment + name: kustomize-controller + - # Enable Helm repositories caching + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --helm-cache-max-size=10 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --helm-cache-ttl=60m + - op: add + path: /spec/template/spec/containers/0/args/- + value: --helm-cache-purge-interval=5m + target: + kind: Deployment + name: source-controller + - # Flux near OOM detection for Helm + 
patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --feature-gates=OOMWatch=true + - op: add + path: /spec/template/spec/containers/0/args/- + value: --oom-watch-memory-threshold=95 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --oom-watch-interval=500ms + target: + kind: Deployment + name: helm-controller + - # Disable chart digest tracking + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --feature-gates=DisableChartDigestTracking=true + target: + kind: Deployment + name: helm-controller diff --git a/kubernetes/apps/flux-system/flux-instance/app/kustomization.yaml b/kubernetes/apps/flux-system/flux-instance/app/kustomization.yaml index f80dc7ae5..93bffccf8 100644 --- a/kubernetes/apps/flux-system/flux-instance/app/kustomization.yaml +++ b/kubernetes/apps/flux-system/flux-instance/app/kustomization.yaml @@ -5,9 +5,3 @@ resources: - ./receiver - ./helmrelease.yaml - ./prometheusrule.yaml -configMapGenerator: - - name: flux-instance-values - files: - - ./helm/values.yaml -configurations: - - ./helm/kustomizeconfig.yaml diff --git a/kubernetes/apps/flux-system/flux-instance/ks.yaml b/kubernetes/apps/flux-system/flux-instance/ks.yaml index 31f404b44..ee00dab4f 100644 --- a/kubernetes/apps/flux-system/flux-instance/ks.yaml +++ b/kubernetes/apps/flux-system/flux-instance/ks.yaml @@ -21,4 +21,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/flux-system/flux-operator/app/helm/kustomizeconfig.yaml b/kubernetes/apps/flux-system/flux-operator/app/helm/kustomizeconfig.yaml deleted file mode 100644 index 58f92ba15..000000000 --- a/kubernetes/apps/flux-system/flux-operator/app/helm/kustomizeconfig.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -nameReference: - - kind: ConfigMap - version: v1 - fieldSpecs: - - path: spec/valuesFrom/name - kind: HelmRelease 
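Review bot: kustomize-controller ends up with two `--concurrent` arguments, `--concurrent=10` from the first patch (which targets all three controllers) and `--concurrent=20` from the in-memory-build patch, so the effective value depends on patch order and on last-one-wins flag parsing. Likewise helm-controller receives `--feature-gates=OOMWatch=true` and `--feature-gates=DisableChartDigestTracking=true` as two separate flags; if the controller does not merge repeated `--feature-gates` values, the OOMWatch gate is silently lost. Narrowing the first patch's target to `(helm-controller|source-controller)` and folding the gates into one `--feature-gates=OOMWatch=true,DisableChartDigestTracking=true` removes both ambiguities. The patch list itself is copied unchanged from the deleted helm/values.yaml, and the enclosing `spec:` starts before the hunk.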
diff --git a/kubernetes/apps/flux-system/flux-operator/app/helm/values.yaml b/kubernetes/apps/flux-system/flux-operator/app/helm/values.yaml deleted file mode 100644 index 8c63a5456..000000000 --- a/kubernetes/apps/flux-system/flux-operator/app/helm/values.yaml +++ /dev/null @@ -1,3 +0,0 @@ ---- -serviceMonitor: - create: true diff --git a/kubernetes/apps/flux-system/flux-operator/app/helmrelease.yaml b/kubernetes/apps/flux-system/flux-operator/app/helmrelease.yaml index 10fda2992..2dcc9e65e 100644 --- a/kubernetes/apps/flux-system/flux-operator/app/helmrelease.yaml +++ b/kubernetes/apps/flux-system/flux-operator/app/helmrelease.yaml @@ -30,6 +30,6 @@ spec: cleanupOnFail: true remediation: retries: 3 - valuesFrom: - - kind: ConfigMap - name: flux-operator-values + values: + serviceMonitor: + create: true diff --git a/kubernetes/apps/flux-system/flux-operator/app/kustomization.yaml b/kubernetes/apps/flux-system/flux-operator/app/kustomization.yaml index 8f967816e..5dd7baca7 100644 --- a/kubernetes/apps/flux-system/flux-operator/app/kustomization.yaml +++ b/kubernetes/apps/flux-system/flux-operator/app/kustomization.yaml @@ -3,9 +3,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helmrelease.yaml -configMapGenerator: - - name: flux-operator-values - files: - - ./helm/values.yaml -configurations: - - ./helm/kustomizeconfig.yaml diff --git a/kubernetes/apps/flux-system/flux-operator/ks.yaml b/kubernetes/apps/flux-system/flux-operator/ks.yaml index 27a71e1f6..536f42c1f 100644 --- a/kubernetes/apps/flux-system/flux-operator/ks.yaml +++ b/kubernetes/apps/flux-system/flux-operator/ks.yaml @@ -8,6 +8,11 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app + healthChecks: + - apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + name: *app + namespace: *namespace interval: 1h path: ./kubernetes/apps/flux-system/flux-operator/app prune: true 
@@ -15,7 +20,6 @@ spec: sourceRef: kind: GitRepository name: flux-system - namespace: flux-system + namespace: *namespace targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/kube-system/cilium/app/helm/kustomizeconfig.yaml b/kubernetes/apps/kube-system/cilium/app/helm/kustomizeconfig.yaml deleted file mode 100644 index 58f92ba15..000000000 --- a/kubernetes/apps/kube-system/cilium/app/helm/kustomizeconfig.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -nameReference: - - kind: ConfigMap - version: v1 - fieldSpecs: - - path: spec/valuesFrom/name - kind: HelmRelease diff --git a/kubernetes/apps/kube-system/cilium/app/helm/values.yaml b/kubernetes/apps/kube-system/cilium/app/helm/values.yaml deleted file mode 100644 index adf5d3b85..000000000 --- a/kubernetes/apps/kube-system/cilium/app/helm/values.yaml +++ /dev/null 
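Review bot: `sourceRef.namespace` now aliases `*namespace`, which is only correct because this app is itself deployed into `flux-system`; every other ks.yaml in the diff (democratic-csi, external-secrets, onepassword, coredns, cilium, intel-device-plugin) keeps the literal `namespace: flux-system` for the GitRepository. Tying the source reference to the target namespace means copying this file to another app directory silently points at a GitRepository that does not exist there. Keep `namespace: flux-system` for consistency, or add `# the GitRepository lives in this same namespace` if the alias is intentional.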
@@ -1,83 +0,0 @@ ---- -autoDirectNodeRoutes: true -bandwidthManager: - enabled: true - bbr: true -bpf: - datapathMode: netkit - masquerade: true - preallocateMaps: true - # tproxy: true -bgpControlPlane: - enabled: true -cgroup: - automount: - enabled: false - hostRoot: /sys/fs/cgroup -cluster: - id: 1 - name: main -cni: - exclusive: false -dashboards: - enabled: true -enableIPv4BIGTCP: true -endpointRoutes: - enabled: true -envoy: - rollOutPods: true -gatewayAPI: - enabled: true - enableAlpn: true - xffNumTrustedHops: 1 -hubble: - enabled: false -ipam: - mode: kubernetes -ipv4NativeRoutingCIDR: 10.244.0.0/16 -k8sServiceHost: 127.0.0.1 -k8sServicePort: 7445 -kubeProxyReplacement: true -kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 -l2announcements: - enabled: true -loadBalancer: - algorithm: maglev - mode: dsr -localRedirectPolicy: true -operator: - replicas: 1 - rollOutPods: true - prometheus: - enabled: true - serviceMonitor: - enabled: true - dashboards: - enabled: true -prometheus: - enabled: true - serviceMonitor: - enabled: true - trustCRDsExist: true -rollOutCiliumPods: true -routingMode: native -securityContext: - capabilities: - ciliumAgent: - - CHOWN - - KILL - - NET_ADMIN - - NET_RAW - - IPC_LOCK - - SYS_ADMIN - - SYS_RESOURCE - - PERFMON - - BPF - - DAC_OVERRIDE - - FOWNER - - SETGID - - SETUID - cleanCiliumState: - - NET_ADMIN - - SYS_ADMIN - - SYS_RESOURCE diff --git a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml index 66fa08441..b884818bb 100644 --- a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml 
@@ -28,6 +28,86 @@ spec: cleanupOnFail: true remediation: retries: 3 - valuesFrom: - - kind: ConfigMap - name: cilium-values + values: + autoDirectNodeRoutes: true + bandwidthManager: + enabled: true + bbr: true + bpf: + datapathMode: netkit + masquerade: true + preallocateMaps: true + # tproxy: true + bgpControlPlane: + enabled: true + cgroup: + automount: + enabled: false + hostRoot: /sys/fs/cgroup + cluster: + id: 1 + name: main + cni: + exclusive: false + dashboards: + enabled: true + enableIPv4BIGTCP: true + endpointRoutes: + enabled: true + envoy: + rollOutPods: true + gatewayAPI: + enabled: true + enableAlpn: true + xffNumTrustedHops: 1 + hubble: + enabled: false + ipam: + mode: kubernetes + ipv4NativeRoutingCIDR: 10.244.0.0/16 + k8sServiceHost: 127.0.0.1 + k8sServicePort: 7445 + kubeProxyReplacement: true + kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 + l2announcements: + enabled: true + loadBalancer: + algorithm: maglev + mode: dsr + localRedirectPolicy: true + operator: + replicas: 1 + rollOutPods: true + prometheus: + enabled: true + serviceMonitor: + enabled: true + dashboards: + enabled: true + prometheus: + enabled: true + serviceMonitor: + enabled: true + trustCRDsExist: true + rollOutCiliumPods: true + routingMode: native + securityContext: + capabilities: + ciliumAgent: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_ADMIN + - SYS_RESOURCE + - PERFMON + - BPF + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + cleanCiliumState: + - NET_ADMIN + - SYS_ADMIN + - SYS_RESOURCE diff --git a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml index 5ecf92e2d..5dd7baca7 100644 --- a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml +++ b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml 
@@ -3,9 +3,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helmrelease.yaml -configMapGenerator: - - name: cilium-values - files: - - values.yaml=./helm/values.yaml -configurations: - - ./helm/kustomizeconfig.yaml diff --git a/kubernetes/apps/kube-system/cilium/ks.yaml b/kubernetes/apps/kube-system/cilium/ks.yaml index 3887d5dbb..e1e7c28b2 100644 --- a/kubernetes/apps/kube-system/cilium/ks.yaml +++ b/kubernetes/apps/kube-system/cilium/ks.yaml @@ -8,6 +8,11 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app + healthChecks: + - apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + name: *app + namespace: *namespace interval: 1h path: ./kubernetes/apps/kube-system/cilium/app prune: true @@ -18,7 +23,6 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true --- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization diff --git a/kubernetes/apps/kube-system/coredns/app/helm/kustomizeconfig.yaml b/kubernetes/apps/kube-system/coredns/app/helm/kustomizeconfig.yaml deleted file mode 100644 index 58f92ba15..000000000 --- a/kubernetes/apps/kube-system/coredns/app/helm/kustomizeconfig.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -nameReference: - - kind: ConfigMap - version: v1 - fieldSpecs: - - path: spec/valuesFrom/name - kind: HelmRelease diff --git a/kubernetes/apps/kube-system/coredns/app/helm/values.yaml b/kubernetes/apps/kube-system/coredns/app/helm/values.yaml deleted file mode 100644 index a9a802a83..000000000 --- a/kubernetes/apps/kube-system/coredns/app/helm/values.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ ---- -fullnameOverride: coredns -image: - repository: mirror.gcr.io/coredns/coredns -replicaCount: 2 -k8sAppLabelOverride: kube-dns -serviceAccount: - create: true -service: - name: kube-dns - clusterIP: 10.245.0.10 -servers: - - zones: - - zone: . - scheme: dns:// - use_tcp: true - port: 53 - plugins: - - name: errors - - name: health - configBlock: |- - lameduck 5s - - name: ready - - name: kubernetes - parameters: cluster.local in-addr.arpa ip6.arpa - configBlock: |- - pods verified - fallthrough in-addr.arpa ip6.arpa - - name: autopath - parameters: "@kubernetes" - - name: forward - parameters: . /etc/resolv.conf - - name: cache - configBlock: |- - prefetch 20 - serve_stale - - name: loop - - name: reload - - name: loadbalance - - name: prometheus - parameters: 0.0.0.0:9153 - - name: log - configBlock: |- - class error -affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists -tolerations: - - key: CriticalAddonsOnly - operator: Exists - - key: node-role.kubernetes.io/control-plane - operator: Exists - effect: NoSchedule diff --git a/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml b/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml index 20b14e876..0acf96099 100644 --- a/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml 
@@ -30,6 +30,60 @@ spec: cleanupOnFail: true remediation: retries: 3 - valuesFrom: - - kind: ConfigMap - name: coredns-values + values: + fullnameOverride: coredns + image: + repository: mirror.gcr.io/coredns/coredns + replicaCount: 2 + k8sAppLabelOverride: kube-dns + serviceAccount: + create: true + service: + name: kube-dns + clusterIP: 10.245.0.10 + servers: + - zones: + - zone: . + scheme: dns:// + use_tcp: true + port: 53 + plugins: + - name: errors + - name: health + configBlock: |- + lameduck 5s + - name: ready + - name: kubernetes + parameters: cluster.local in-addr.arpa ip6.arpa + configBlock: |- + pods verified + fallthrough in-addr.arpa ip6.arpa + - name: autopath + parameters: "@kubernetes" + - name: forward + parameters: . /etc/resolv.conf + - name: cache + configBlock: |- + prefetch 20 + serve_stale + - name: loop + - name: reload + - name: loadbalance + - name: prometheus + parameters: 0.0.0.0:9153 + - name: log + configBlock: |- + class error + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: Exists + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule diff --git a/kubernetes/apps/kube-system/coredns/app/kustomization.yaml b/kubernetes/apps/kube-system/coredns/app/kustomization.yaml index a611ee656..5dd7baca7 100644 --- a/kubernetes/apps/kube-system/coredns/app/kustomization.yaml +++ b/kubernetes/apps/kube-system/coredns/app/kustomization.yaml @@ -3,9 +3,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helmrelease.yaml -configMapGenerator: - - name: coredns-values - files: - - ./helm/values.yaml -configurations: - - ./helm/kustomizeconfig.yaml diff --git a/kubernetes/apps/kube-system/coredns/ks.yaml b/kubernetes/apps/kube-system/coredns/ks.yaml index 698c4bd60..79eae642b 100644 
--- a/kubernetes/apps/kube-system/coredns/ks.yaml +++ b/kubernetes/apps/kube-system/coredns/ks.yaml @@ -18,4 +18,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/kube-system/intel-device-plugin/ks.yaml b/kubernetes/apps/kube-system/intel-device-plugin/ks.yaml index bcdf963da..6abe048af 100644 --- a/kubernetes/apps/kube-system/intel-device-plugin/ks.yaml +++ b/kubernetes/apps/kube-system/intel-device-plugin/ks.yaml @@ -8,6 +8,11 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app + healthChecks: + - apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + name: *app + namespace: *namespace interval: 1h path: ./kubernetes/apps/kube-system/intel-device-plugin/app prune: true @@ -18,7 +23,6 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true --- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization @@ -42,4 +46,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/kube-system/metrics-server/ks.yaml b/kubernetes/apps/kube-system/metrics-server/ks.yaml index 817ec2f87..aedcc258f 100644 --- a/kubernetes/apps/kube-system/metrics-server/ks.yaml +++ b/kubernetes/apps/kube-system/metrics-server/ks.yaml @@ -18,4 +18,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/kube-system/reloader/ks.yaml b/kubernetes/apps/kube-system/reloader/ks.yaml index 5dc57b8e9..9a14ccb9f 100644 --- a/kubernetes/apps/kube-system/reloader/ks.yaml +++ b/kubernetes/apps/kube-system/reloader/ks.yaml @@ -18,4 +18,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/media/autobrr/app/externalsecret.yaml b/kubernetes/apps/media/autobrr/app/externalsecret.yaml index 544594ee6..cd65ae455 100644 --- a/kubernetes/apps/media/autobrr/app/externalsecret.yaml 
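Review bot: Removing `wait: true` leaves this Kustomization with neither `wait` nor `healthChecks` (unless one exists outside the hunk), so Flux reports it Ready as soon as the server-side apply succeeds rather than when the CoreDNS HelmRelease is actually healthy, and anything that `dependsOn` it is released early. The cilium and intel-device-plugin hunks compensate by adding a `healthChecks` entry for the HelmRelease, but the metrics-server and reloader hunks on this line, the intel-device-plugin `@@ -42,4 +46,3 @@` hunk, and every media `ks.yaml` hunk later in the diff drop the wait without one. If not blocking on readiness is the intent for the media apps that is defensible, but for kube-system components I would add the same entry the cilium hunk introduces so dependency ordering keeps meaning something.
```yaml
  # … unchanged: commonMetadata …
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *app
      namespace: *namespace
  # … unchanged: interval, path, prune, sourceRef, targetNamespace, timeout …
```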
+++ b/kubernetes/apps/media/autobrr/app/externalsecret.yaml @@ -9,23 +9,9 @@ spec: name: onepassword target: name: autobrr-secret - creationPolicy: Owner template: data: - AUTOBRR__DATABASE_TYPE: postgres - AUTOBRR__POSTGRES_DATABASE: &dbName autobrr - AUTOBRR__POSTGRES_HOST: &dbHost postgres-rw.databases.svc.cluster.local - AUTOBRR__POSTGRES_PORT: "5432" - AUTOBRR__POSTGRES_USER: &dbUser "{{ .AUTOBRR_POSTGRES_USER }}" - AUTOBRR__POSTGRES_PASS: &dbPass "{{ .AUTOBRR_POSTGRES_PASS }}" AUTOBRR__SESSION_SECRET: "{{ .AUTOBRR_SESSION_SECRET }}" - INIT_POSTGRES_DBNAME: *dbName - INIT_POSTGRES_HOST: *dbHost - INIT_POSTGRES_USER: *dbUser - INIT_POSTGRES_PASS: *dbPass - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: key: autobrr - - extract: - key: cloudnative-pg diff --git a/kubernetes/apps/media/autobrr/app/helmrelease.yaml b/kubernetes/apps/media/autobrr/app/helmrelease.yaml index c5f51862b..39e240a16 100644 --- a/kubernetes/apps/media/autobrr/app/helmrelease.yaml +++ b/kubernetes/apps/media/autobrr/app/helmrelease.yaml @@ -21,14 +21,6 @@ spec: autobrr: annotations: reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/home-operations/postgres-init - tag: 17 - envFrom: &envFrom - - secretRef: - name: autobrr-secret containers: app: image: @@ -36,14 +28,16 @@ spec: tag: v1.65.0@sha256:494e821e7a9c9a1279d1541522a65ed06b03d0b66563e827e3d29b9a63e61ddc env: AUTOBRR__HOST: 0.0.0.0 - AUTOBRR__PORT: &port 7474 + AUTOBRR__PORT: &port 80 AUTOBRR__METRICS_ENABLED: true AUTOBRR__METRICS_HOST: 0.0.0.0 - AUTOBRR__METRICS_PORT: &metricsPort 9094 + AUTOBRR__METRICS_PORT: &metricsPort 8080 AUTOBRR__CHECK_FOR_UPDATES: false AUTOBRR__LOG_LEVEL: INFO TZ: America/New_York - envFrom: *envFrom + envFrom: + - secretRef: + name: "{{ .Release.Name }}-secret" probes: liveness: &probes enabled: true 
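Review bot: Dropping the `AUTOBRR__POSTGRES_*` and `INIT_POSTGRES_*` entries stops the app from using the shared CloudNativePG cluster, but nothing in the diff removes the `autobrr` role and database that the former `postgres-init` container created, so the credentials still held in the `cloudnative-pg` item keep granting access to a database nobody reads. Plan a cleanup (drop the database and role, retire the `AUTOBRR_POSTGRES_*` fields from the store) so they do not linger as unused standing access. The commit also migrates nothing: the app now starts on the fresh `config` claim introduced in the helmrelease hunk, so if autobrr's history or indexer configuration matters it has to be exported before the HelmRelease reconciles. The same applies to the prowlarr, radarr and sonarr externalsecret hunks later in the diff.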
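Review bot: `AUTOBRR__PORT: &port 80` makes the process bind a privileged port while `runAsUser: 568`, `runAsNonRoot: true` and `capabilities: { drop: ["ALL"] }` remain in force, so the bind fails with EACCES unless something lowers `net.ipv4.ip_unprivileged_port_start` at node or pod level. Nothing in this diff sets that sysctl, so it is presumably configured cluster-wide; confirm that before merging, because every web port in this commit moves to 80 (cross-seed, jellyseerr, prowlarr, qbittorrent, radarr, sonarr, tautulli) and the cross-seed `config.js` now assumes qbittorrent answers on the default port. If it is not cluster-wide, keep the non-root/no-capabilities posture and set it per pod instead: `defaultPodOptions.securityContext.sysctls: [{ name: net.ipv4.ip_unprivileged_port_start, value: "80" }]` (a Kubernetes safe sysctl since 1.22), rather than re-adding `NET_BIND_SERVICE`.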
@@ -62,11 +56,16 @@ spec: readOnlyRootFilesystem: true capabilities: { drop: ["ALL"] } defaultPodOptions: + hostUsers: false securityContext: runAsNonRoot: true runAsUser: 568 runAsGroup: 568 + fsGroup: 568 + fsGroupChangePolicy: OnRootMismatch persistence: + config: + existingClaim: "{{ .Release.Name }}" tmpfs: type: emptyDir advancedMounts: @@ -84,6 +83,10 @@ spec: - name: internal namespace: kube-system sectionName: https + rules: + - backendRefs: + - identifier: app + port: *port service: app: ports: diff --git a/kubernetes/apps/media/autobrr/ks.yaml b/kubernetes/apps/media/autobrr/ks.yaml index 0f7949e38..2c5b5d199 100644 --- a/kubernetes/apps/media/autobrr/ks.yaml +++ b/kubernetes/apps/media/autobrr/ks.yaml @@ -8,13 +8,17 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app + components: + - ../../../../components/volsync dependsOn: - - name: cloudnative-pg-cluster - namespace: databases - - name: onepassword-store - namespace: external-secrets + - name: democratic-csi + namespace: democratic-csi interval: 1h path: ./kubernetes/apps/media/autobrr/app + postBuild: + substitute: + APP: *app + VOLSYNC_CAPACITY: 5Gi prune: true retryInterval: 2m sourceRef: @@ -23,4 +27,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/media/cross-seed/app/helmrelease.yaml b/kubernetes/apps/media/cross-seed/app/helmrelease.yaml index 54382bfdf..dfff31f02 100644 --- a/kubernetes/apps/media/cross-seed/app/helmrelease.yaml +++ b/kubernetes/apps/media/cross-seed/app/helmrelease.yaml @@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: &app cross-seed + name: cross-seed spec: interval: 1h chartRef: @@ -30,11 +30,11 @@ spec: - daemon - -v env: - CROSS_SEED_PORT: &port 2468 + CROSS_SEED_PORT: &port 80 TZ: America/New_York envFrom: - secretRef: - name: cross-seed-secret + name: "{{ .Release.Name }}-secret" probes: liveness: &probes enabled: true 
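Review bot: `hostUsers: false` is a real isolation gain, but the API server silently drops the field when the UserNamespacesSupport feature gate is disabled, and the pod also needs a runtime with idmapped-mount support for the `existingClaim` volume added in the same hunk, so the pod can come up without a user namespace and without any error. After rollout, check `kubectl -n media get pod -l app.kubernetes.io/name=autobrr -o jsonpath='{.items[*].spec.hostUsers}'` returns `false` rather than empty. The jellyseerr, prowlarr, recyclarr and tautulli hunks add the same field and deserve the same check; a short comment on the first one, `# requires UserNamespacesSupport on the kubelet and idmap-capable CRI`, would document the dependency.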
@@ -62,10 +62,10 @@ spec: supplementalGroups: [65536] persistence: config: - existingClaim: *app + existingClaim: "{{ .Release.Name }}" config-file: type: configMap - name: cross-seed-configmap + name: "{{ .Release.Name }}-configmap" globalMounts: - path: /config/config.js subPath: config.js diff --git a/kubernetes/apps/media/cross-seed/app/kustomization.yaml b/kubernetes/apps/media/cross-seed/app/kustomization.yaml index 787e01c30..70b3f24b9 100644 --- a/kubernetes/apps/media/cross-seed/app/kustomization.yaml +++ b/kubernetes/apps/media/cross-seed/app/kustomization.yaml @@ -16,5 +16,3 @@ configMapGenerator: loki_rule: "true" generatorOptions: disableNameSuffixHash: true - annotations: - kustomize.toolkit.fluxcd.io/substitute: disabled diff --git a/kubernetes/apps/media/cross-seed/app/resources/config.js b/kubernetes/apps/media/cross-seed/app/resources/config.js index 4fc22bae1..706640084 100644 --- a/kubernetes/apps/media/cross-seed/app/resources/config.js +++ b/kubernetes/apps/media/cross-seed/app/resources/config.js @@ -13,7 +13,7 @@ module.exports = { outputDir: null, port: Number(process.env.CROSS_SEED_PORT), skipRecheck: true, - torrentClients: ["qbittorrent:http://qbittorrent.media.svc.cluster.local:8080"], + torrentClients: ["qbittorrent:http://qbittorrent.media.svc.cluster.local"], torznab: [], useClientTorrents: true, }; diff --git a/kubernetes/apps/media/cross-seed/ks.yaml b/kubernetes/apps/media/cross-seed/ks.yaml index e97b84cf9..f0ce9aeb7 100644 --- a/kubernetes/apps/media/cross-seed/ks.yaml +++ b/kubernetes/apps/media/cross-seed/ks.yaml 
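Review bot: Removing the `kustomize.toolkit.fluxcd.io/substitute: disabled` annotation from `generatorOptions` means the generated `cross-seed-configmap` now goes through Flux's postBuild substitution, so any `${...}` sequence in `resources/config.js` (a JavaScript template literal, for example) is treated as a variable reference and rewritten before the ConfigMap is applied. The visible config.js hunk contains none, but the rest of that file is outside this diff. If substituting `${APP}` or similar into the config is the intent, say so in a comment; otherwise keep the guard: `annotations:` / `kustomize.toolkit.fluxcd.io/substitute: disabled`.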
@@ -9,17 +9,11 @@ spec: labels: app.kubernetes.io/name: *app components: - - ../../../../components/nfs-scaler + - ../../../../components/keda/nfs-scaler - ../../../../components/volsync dependsOn: - name: democratic-csi namespace: democratic-csi - - name: onepassword-store - namespace: external-secrets - - name: qbittorrent - namespace: *namespace - - name: volsync - namespace: volsync-system interval: 1h path: ./kubernetes/apps/media/cross-seed/app postBuild: @@ -34,4 +28,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/media/jellyseerr/app/helmrelease.yaml b/kubernetes/apps/media/jellyseerr/app/helmrelease.yaml index 57f0cdce8..6796546d8 100644 --- a/kubernetes/apps/media/jellyseerr/app/helmrelease.yaml +++ b/kubernetes/apps/media/jellyseerr/app/helmrelease.yaml @@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: &app jellyseerr + name: jellyseerr spec: interval: 1h chartRef: @@ -19,8 +19,6 @@ spec: values: controllers: jellyseerr: - annotations: - reloader.stakater.com/auto: "true" containers: app: image: @@ -28,11 +26,11 @@ spec: tag: 2.7.3@sha256:9cc9e9ee6cd5cf5a23feb45c37742ba34cfd6314d81d259cddb373a97ac92cdd env: LOG_LEVEL: info - PORT: &port 5055 + PORT: &port 80 TZ: America/New_York envFrom: - secretRef: - name: jellyseerr-secret + name: "{{ .Release.Name }}-secret" probes: liveness: &probes enabled: true @@ -51,6 +49,7 @@ spec: readOnlyRootFilesystem: true capabilities: { drop: ["ALL"] } defaultPodOptions: + hostUsers: false securityContext: runAsNonRoot: true runAsUser: 568 @@ -59,11 +58,11 @@ spec: fsGroupChangePolicy: OnRootMismatch persistence: config: - existingClaim: *app + existingClaim: "{{ .Release.Name }}" globalMounts: - path: /app/config config-cache: - existingClaim: jellyseerr-cache + existingClaim: "{{ .Release.Name }}-cache" globalMounts: - path: /app/config/cache tmpfs: 
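Review bot: The `reloader.stakater.com/auto: "true"` annotation is removed from the jellyseerr controller while the container keeps `envFrom` the `{{ .Release.Name }}-secret`, so a rotated secret no longer triggers a rollout and the pod runs with the old value until something else restarts it. The tautulli hunk in this same commit adds that annotation, which makes the removal here look unintentional rather than a policy change. If it is deliberate, a one-line comment on the controller such as `# secret rotation requires a manual rollout` would stop the next reader from re-adding it.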
diff --git a/kubernetes/apps/media/jellyseerr/ks.yaml b/kubernetes/apps/media/jellyseerr/ks.yaml index d5665c01f..c78703bc6 100644 --- a/kubernetes/apps/media/jellyseerr/ks.yaml +++ b/kubernetes/apps/media/jellyseerr/ks.yaml @@ -14,10 +14,6 @@ spec: dependsOn: - name: democratic-csi namespace: democratic-csi - - name: onepassword-store - namespace: external-secrets - - name: volsync - namespace: volsync-system interval: 1h path: ./kubernetes/apps/media/jellyseerr/app postBuild: @@ -33,4 +29,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/media/plex/app/helmrelease.yaml b/kubernetes/apps/media/plex/app/helmrelease.yaml index c08ab3015..53abf1af3 100644 --- a/kubernetes/apps/media/plex/app/helmrelease.yaml +++ b/kubernetes/apps/media/plex/app/helmrelease.yaml @@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: &app plex + name: plex spec: interval: 1h chartRef: @@ -60,12 +60,12 @@ spec: runAsGroup: 568 fsGroup: 568 fsGroupChangePolicy: OnRootMismatch - supplementalGroups: [44, 65537] + supplementalGroups: [65537] persistence: config: - existingClaim: *app + existingClaim: "{{ .Release.Name }}" config-cache: - existingClaim: plex-cache + existingClaim: "{{ .Release.Name }}-cache" globalMounts: - path: /config/Library/Application Support/Plex Media Server/Cache media: diff --git a/kubernetes/apps/media/plex/ks.yaml b/kubernetes/apps/media/plex/ks.yaml index 9523a9ee8..747674b70 100644 --- a/kubernetes/apps/media/plex/ks.yaml +++ b/kubernetes/apps/media/plex/ks.yaml @@ -10,7 +10,7 @@ spec: app.kubernetes.io/name: *app components: - ../../../../components/gatus - - ../../../../components/nfs-scaler + - ../../../../components/keda/nfs-scaler - ../../../../components/volsync dependsOn: - name: democratic-csi @@ -35,4 +35,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true 
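Review bot: `supplementalGroups: [65537]` drops gid 44 from the plex pod; on most distributions that is the `video` group that owns `/dev/dri` device nodes, so hardware transcoding may lose device access after this change unless the device is now exposed another way (an Intel device plugin resource, for instance). The commit does not say why 44 was dropped, so verify a transcode after rollout, and record the reason inline, e.g. `supplementalGroups: [65537]  # gid 44 (video) no longer needed; device access comes via the GPU plugin`, if that is the case.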
diff --git a/kubernetes/apps/media/prowlarr/app/externalsecret.yaml b/kubernetes/apps/media/prowlarr/app/externalsecret.yaml index a60fca775..9bd5a0275 100644 --- a/kubernetes/apps/media/prowlarr/app/externalsecret.yaml +++ b/kubernetes/apps/media/prowlarr/app/externalsecret.yaml @@ -9,23 +9,9 @@ spec: name: onepassword target: name: prowlarr-secret - creationPolicy: Owner template: data: PROWLARR__AUTH__APIKEY: "{{ .PROWLARR_API_KEY }}" - PROWLARR__POSTGRES__HOST: &dbHost postgres-rw.databases.svc.cluster.local - PROWLARR__POSTGRES__PORT: "5432" - PROWLARR__POSTGRES__USER: &dbUser "{{ .PROWLARR_POSTGRES_USER }}" - PROWLARR__POSTGRES__PASSWORD: &dbPass "{{ .PROWLARR_POSTGRES_PASS }}" - PROWLARR__POSTGRES__MAINDB: prowlarr_main - PROWLARR__POSTGRES__LOGDB: prowlarr_log - INIT_POSTGRES_DBNAME: prowlarr_main prowlarr_log - INIT_POSTGRES_HOST: *dbHost - INIT_POSTGRES_USER: *dbUser - INIT_POSTGRES_PASS: *dbPass - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - - extract: - key: cloudnative-pg - extract: key: prowlarr diff --git a/kubernetes/apps/media/prowlarr/app/helmrelease.yaml b/kubernetes/apps/media/prowlarr/app/helmrelease.yaml index e40914259..74d949de4 100644 --- a/kubernetes/apps/media/prowlarr/app/helmrelease.yaml +++ b/kubernetes/apps/media/prowlarr/app/helmrelease.yaml @@ -21,14 +21,6 @@ spec: prowlarr: annotations: reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/home-operations/postgres-init - tag: 17 - envFrom: &envFrom - - secretRef: - name: prowlarr-secret containers: app: image: @@ -40,10 +32,12 @@ spec: PROWLARR__AUTH__METHOD: External PROWLARR__AUTH__REQUIRED: DisabledForLocalAddresses PROWLARR__LOG__LEVEL: info - PROWLARR__SERVER__PORT: &port 9696 + PROWLARR__SERVER__PORT: &port 80 PROWLARR__UPDATE__BRANCH: develop TZ: America/New_York - envFrom: *envFrom + envFrom: + - secretRef: + name: "{{ .Release.Name }}-secret" probes: liveness: &probes enabled: true 
@@ -62,18 +56,23 @@ spec: readOnlyRootFilesystem: true capabilities: { drop: ["ALL"] } defaultPodOptions: + hostUsers: false securityContext: runAsNonRoot: true runAsUser: 568 runAsGroup: 568 + fsGroup: 568 + fsGroupChangePolicy: OnRootMismatch persistence: + config: + existingClaim: "{{ .Release.Name }}" tmpfs: type: emptyDir advancedMounts: prowlarr: app: - - path: /config - subPath: config + - path: /config/logs + subPath: logs - path: /tmp subPath: tmp route: diff --git a/kubernetes/apps/media/prowlarr/ks.yaml b/kubernetes/apps/media/prowlarr/ks.yaml index f69ba0e78..c75f2eaef 100644 --- a/kubernetes/apps/media/prowlarr/ks.yaml +++ b/kubernetes/apps/media/prowlarr/ks.yaml @@ -8,13 +8,17 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app + components: + - ../../../../components/volsync dependsOn: - - name: cloudnative-pg-cluster - namespace: databases - - name: onepassword-store - namespace: external-secrets + - name: democratic-csi + namespace: democratic-csi interval: 1h path: ./kubernetes/apps/media/prowlarr/app + postBuild: + substitute: + APP: *app + VOLSYNC_CAPACITY: 2Gi prune: true retryInterval: 2m sourceRef: @@ -23,4 +27,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/media/qbittorrent/app/helmrelease.yaml b/kubernetes/apps/media/qbittorrent/app/helmrelease.yaml index c1094524d..8b664f621 100644 --- a/kubernetes/apps/media/qbittorrent/app/helmrelease.yaml +++ b/kubernetes/apps/media/qbittorrent/app/helmrelease.yaml @@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: &app qbittorrent + name: qbittorrent spec: interval: 1h chartRef: @@ -26,7 +26,7 @@ spec: tag: 5.1.2@sha256:9dd0164cc23e9c937e0af27fd7c3f627d1df30c182cf62ed34d3f129c55dc0e8 env: QBT_TORRENTING_PORT: &bittorrentPort 50413 - QBT_WEBUI_PORT: &port 8080 + QBT_WEBUI_PORT: &port 80 TZ: America/New_York probes: liveness: &probes 
@@ -60,7 +60,7 @@ spec: supplementalGroups: [65536] persistence: config: - existingClaim: *app + existingClaim: "{{ .Release.Name }}" media: type: nfs server: nas.internal @@ -68,8 +68,20 @@ spec: globalMounts: - path: /media/downloads/torrents subPath: downloads/torrents - tmp: + qbrr: + type: image + image: ghcr.io/buroa/qbrr:0.1.1@sha256:fe4a1d100ba896999253a5122d9c77cc4920779d618c23f765458cb6ec7383ca + globalMounts: + - readOnly: true + tmpfs: type: emptyDir + advancedMounts: + qbittorrent: + app: + - path: /config/qBittorrent/logs + subPath: logs + - path: /tmp + subPath: tmp route: app: hostnames: @@ -85,7 +97,8 @@ spec: port: *port service: app: - forceRename: *app + forceRename: "{{ .Release.Name }}" + primary: true ports: http: port: *port diff --git a/kubernetes/apps/media/qbittorrent/ks.yaml b/kubernetes/apps/media/qbittorrent/ks.yaml index 0476e7929..98180ca0c 100644 --- a/kubernetes/apps/media/qbittorrent/ks.yaml +++ b/kubernetes/apps/media/qbittorrent/ks.yaml @@ -9,7 +9,7 @@ spec: labels: app.kubernetes.io/name: *app components: - - ../../../../components/nfs-scaler + - ../../../../components/keda/nfs-scaler - ../../../../components/volsync dependsOn: - name: democratic-csi @@ -30,4 +30,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/media/radarr/app/externalsecret.yaml b/kubernetes/apps/media/radarr/app/externalsecret.yaml index ae8081945..2507a9541 100644 --- a/kubernetes/apps/media/radarr/app/externalsecret.yaml +++ b/kubernetes/apps/media/radarr/app/externalsecret.yaml 
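Review bot: The new `qbrr` persistence entry uses `type: image`, which depends on the Kubernetes ImageVolume feature (alpha in 1.31, beta and enabled by default from 1.33) and on a CRI that implements it; on a cluster without both, the pod fails at volume setup instead of starting. The `globalMounts` entry gives no `path`, so the mount location is whatever app-template defaults to for a volume named `qbrr` — presumably `/qbrr`, worth confirming against the chart docs. The digest pin on `ghcr.io/buroa/qbrr:0.1.1@sha256:…` is the right call for content mounted into the pod; a comment on the `type: image` line, `# needs ImageVolume feature gate and CRI support`, would save the next debugging session.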
@@ -9,23 +9,9 @@ spec: name: onepassword target: name: radarr-secret - creationPolicy: Owner template: data: RADARR__AUTH__APIKEY: "{{ .RADARR_API_KEY }}" - RADARR__POSTGRES__HOST: &dbHost postgres-rw.databases.svc.cluster.local - RADARR__POSTGRES__PORT: "5432" - RADARR__POSTGRES__USER: &dbUser "{{ .RADARR_POSTGRES_USER }}" - RADARR__POSTGRES__PASSWORD: &dbPass "{{ .RADARR_POSTGRES_PASS }}" - RADARR__POSTGRES__MAINDB: radarr_main - RADARR__POSTGRES__LOGDB: radarr_log - INIT_POSTGRES_DBNAME: radarr_main radarr_log - INIT_POSTGRES_HOST: *dbHost - INIT_POSTGRES_USER: *dbUser - INIT_POSTGRES_PASS: *dbPass - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - - extract: - key: cloudnative-pg - extract: key: radarr diff --git a/kubernetes/apps/media/radarr/app/helmrelease.yaml b/kubernetes/apps/media/radarr/app/helmrelease.yaml index b0f47cf23..3ca603162 100644 --- a/kubernetes/apps/media/radarr/app/helmrelease.yaml +++ b/kubernetes/apps/media/radarr/app/helmrelease.yaml @@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: &app radarr + name: radarr spec: interval: 1h chartRef: @@ -21,14 +21,6 @@ spec: radarr: annotations: reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/home-operations/postgres-init - tag: 17 - envFrom: &envFrom - - secretRef: - name: radarr-secret containers: app: image: @@ -40,10 +32,12 @@ spec: RADARR__AUTH__METHOD: External RADARR__AUTH__REQUIRED: DisabledForLocalAddresses RADARR__LOG__LEVEL: info - RADARR__SERVER__PORT: &port 7878 + RADARR__SERVER__PORT: &port 80 RADARR__UPDATE__BRANCH: develop TZ: America/New_York - envFrom: *envFrom + envFrom: + - secretRef: + name: "{{ .Release.Name }}-secret" probes: liveness: &probes enabled: true 
@@ -71,7 +65,11 @@ spec: supplementalGroups: [65536] persistence: config: - existingClaim: *app + existingClaim: "{{ .Release.Name }}" + config-cache: + existingClaim: "{{ .Release.Name }}-cache" + globalMounts: + - path: /config/MediaCover media: type: nfs server: nas.internal diff --git a/kubernetes/apps/media/radarr/app/pvc.yaml b/kubernetes/apps/media/radarr/app/pvc.yaml index 56065404d..522302313 100644 --- a/kubernetes/apps/media/radarr/app/pvc.yaml +++ b/kubernetes/apps/media/radarr/app/pvc.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: radarr + name: radarr-cache spec: accessModes: ["ReadWriteOnce"] resources: diff --git a/kubernetes/apps/media/radarr/ks.yaml b/kubernetes/apps/media/radarr/ks.yaml index b7bedcf55..413e0bdaf 100644 --- a/kubernetes/apps/media/radarr/ks.yaml +++ b/kubernetes/apps/media/radarr/ks.yaml @@ -9,19 +9,17 @@ spec: labels: app.kubernetes.io/name: *app components: - - ../../../../components/nfs-scaler + - ../../../../components/keda/nfs-scaler + - ../../../../components/volsync dependsOn: - - name: cloudnative-pg-cluster - namespace: databases - name: democratic-csi namespace: democratic-csi - - name: onepassword-store - namespace: external-secrets interval: 1h path: ./kubernetes/apps/media/radarr/app postBuild: substitute: APP: *app + VOLSYNC_CAPACITY: 5Gi prune: true retryInterval: 2m sourceRef: @@ -30,4 +28,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/media/recyclarr/app/helmrelease.yaml b/kubernetes/apps/media/recyclarr/app/helmrelease.yaml index 153365116..ef3dc06f8 100644 --- a/kubernetes/apps/media/recyclarr/app/helmrelease.yaml +++ b/kubernetes/apps/media/recyclarr/app/helmrelease.yaml @@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: &app recyclarr + name: recyclarr spec: interval: 1h chartRef: 
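Review bot: Renaming the PersistentVolumeClaim in `pvc.yaml` from `radarr` to `radarr-cache` is not a rename to Kubernetes: with `prune: true` on the radarr Kustomization, a PVC named `radarr` that no longer appears in the rendered output is deleted together with its data, and `radarr-cache` is created empty. The `config` volume still expects a claim named `radarr` via `existingClaim: "{{ .Release.Name }}"`, presumably now produced by the volsync component added to `ks.yaml`; if that component emits a PVC with the same name the object stays in the inventory, but its immutable spec fields (storage class, data source) must match the existing claim or the apply is rejected. Either way the MediaCover contents move from the old claim to a fresh one, so confirm whether they need to be copied first. The same applies to the sonarr `pvc.yaml` hunk later in the diff.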
@@ -37,12 +37,13 @@ spec: TZ: *timeZone envFrom: - secretRef: - name: recyclarr-secret + name: "{{ .Release.Name }}-secret" securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: { drop: ["ALL"] } defaultPodOptions: + hostUsers: false securityContext: runAsNonRoot: true runAsUser: 568 @@ -51,10 +52,10 @@ spec: fsGroupChangePolicy: OnRootMismatch persistence: config: - existingClaim: *app + existingClaim: "{{ .Release.Name }}" config-file: type: configMap - name: recyclarr-configmap + name: "{{ .Release.Name }}-configmap" globalMounts: - path: /config/recyclarr.yml subPath: recyclarr.yml @@ -68,3 +69,5 @@ spec: subPath: logs - path: /config/repositories subPath: repositories + - path: /tmp + subPath: tmp diff --git a/kubernetes/apps/media/recyclarr/app/resources/recyclarr.yml b/kubernetes/apps/media/recyclarr/app/resources/recyclarr.yml index a4ce6a44c..7678d1d04 100644 --- a/kubernetes/apps/media/recyclarr/app/resources/recyclarr.yml +++ b/kubernetes/apps/media/recyclarr/app/resources/recyclarr.yml @@ -1,20 +1,20 @@ --- sonarr: sonarr: - base_url: http://sonarr.media.svc.cluster.local:8989 + base_url: http://sonarr.media.svc.cluster.local api_key: !env_var SONARR_API_KEY delete_old_custom_formats: true replace_existing_custom_formats: true + quality_profiles: + - name: WEB-1080p + include: - template: sonarr-quality-definition-series - template: sonarr-v4-quality-profile-web-1080p - template: sonarr-v4-custom-formats-web-1080p - quality_profiles: - - name: WEB-1080p - custom_formats: - trash_ids: - 32b367365729d530ca1c124a0b180c64 # Bad Dual Groups @@ -27,7 +27,7 @@ sonarr: radarr: radarr: - base_url: http://radarr.media.svc.cluster.local:7878 + base_url: http://radarr.media.svc.cluster.local api_key: !env_var RADARR_API_KEY delete_old_custom_formats: true 
@@ -42,8 +42,15 @@ radarr: - template: radarr-custom-formats-sqp-1-2160p custom_formats: + - trash_ids: + - 839bea857ed2c0a8e084f3cbdbd65ecb # x265 (no HDR/DV) + assign_scores_to: + - name: SQP-1 (2160p) + score: 0 + - trash_ids: - b6832f586342ef70d9c128d40c07b872 # Bad Dual Groups + - cc444569854e9de0b084ab2b8b1532b2 # Black and White Editions - ae9b7c9ebde1f3bd336a8cbd1ec4c5e5 # No-RlsGroup - 7357cf5161efbf8c4d5d0c30b4815ee2 # Obfuscated - 5c44f52a8714fdd79bb4d98e2673be1f # Retags diff --git a/kubernetes/apps/media/recyclarr/ks.yaml b/kubernetes/apps/media/recyclarr/ks.yaml index 7eba973b8..0d7a704bc 100644 --- a/kubernetes/apps/media/recyclarr/ks.yaml +++ b/kubernetes/apps/media/recyclarr/ks.yaml @@ -13,10 +13,6 @@ spec: dependsOn: - name: democratic-csi namespace: democratic-csi - - name: onepassword-store - namespace: external-secrets - - name: volsync - namespace: volsync-system interval: 1h path: ./kubernetes/apps/media/recyclarr/app postBuild: @@ -31,4 +27,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/media/sonarr/app/externalsecret.yaml b/kubernetes/apps/media/sonarr/app/externalsecret.yaml index 4893fbfdc..26aed49f2 100644 --- a/kubernetes/apps/media/sonarr/app/externalsecret.yaml +++ b/kubernetes/apps/media/sonarr/app/externalsecret.yaml 
@@ -9,23 +9,9 @@ spec: name: onepassword target: name: sonarr-secret - creationPolicy: Owner template: data: SONARR__AUTH__APIKEY: "{{ .SONARR_API_KEY }}" - SONARR__POSTGRES__HOST: &dbHost postgres-rw.databases.svc.cluster.local - SONARR__POSTGRES__PORT: "5432" - SONARR__POSTGRES__USER: &dbUser "{{ .SONARR_POSTGRES_USER }}" - SONARR__POSTGRES__PASSWORD: &dbPass "{{ .SONARR_POSTGRES_PASS }}" - SONARR__POSTGRES__MAINDB: sonarr_main - SONARR__POSTGRES__LOGDB: sonarr_log - INIT_POSTGRES_DBNAME: sonarr_main sonarr_log - INIT_POSTGRES_HOST: *dbHost - INIT_POSTGRES_USER: *dbUser - INIT_POSTGRES_PASS: *dbPass - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - - extract: - key: cloudnative-pg - extract: key: sonarr diff --git a/kubernetes/apps/media/sonarr/app/helmrelease.yaml b/kubernetes/apps/media/sonarr/app/helmrelease.yaml index 7614f3506..86ef72560 100644 --- a/kubernetes/apps/media/sonarr/app/helmrelease.yaml +++ b/kubernetes/apps/media/sonarr/app/helmrelease.yaml @@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: &app sonarr + name: sonarr spec: interval: 1h chartRef: @@ -21,14 +21,6 @@ spec: sonarr: annotations: reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/home-operations/postgres-init - tag: 17 - envFrom: &envFrom - - secretRef: - name: sonarr-secret containers: app: image: @@ -40,10 +32,12 @@ spec: SONARR__AUTH__METHOD: External SONARR__AUTH__REQUIRED: DisabledForLocalAddresses SONARR__LOG__LEVEL: info - SONARR__SERVER__PORT: &port 8989 + SONARR__SERVER__PORT: &port 80 SONARR__UPDATE__BRANCH: develop TZ: America/New_York - envFrom: *envFrom + envFrom: + - secretRef: + name: "{{ .Release.Name }}-secret" probes: liveness: &probes enabled: true 
@@ -71,7 +65,11 @@ spec: supplementalGroups: [65536] persistence: config: - existingClaim: *app + existingClaim: "{{ .Release.Name }}" + config-cache: + existingClaim: "{{ .Release.Name }}-cache" + globalMounts: + - path: /config/MediaCover media: type: nfs server: nas.internal diff --git a/kubernetes/apps/media/sonarr/app/pvc.yaml b/kubernetes/apps/media/sonarr/app/pvc.yaml index 9e871a6c0..26d59ea8e 100644 --- a/kubernetes/apps/media/sonarr/app/pvc.yaml +++ b/kubernetes/apps/media/sonarr/app/pvc.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: sonarr + name: sonarr-cache spec: accessModes: ["ReadWriteOnce"] resources: diff --git a/kubernetes/apps/media/sonarr/ks.yaml b/kubernetes/apps/media/sonarr/ks.yaml index b8eb3ef17..e3013bf38 100644 --- a/kubernetes/apps/media/sonarr/ks.yaml +++ b/kubernetes/apps/media/sonarr/ks.yaml @@ -9,19 +9,17 @@ spec: labels: app.kubernetes.io/name: *app components: - - ../../../../components/nfs-scaler + - ../../../../components/keda/nfs-scaler + - ../../../../components/volsync dependsOn: - - name: cloudnative-pg-cluster - namespace: databases - name: democratic-csi namespace: democratic-csi - - name: onepassword-store - namespace: external-secrets interval: 1h path: ./kubernetes/apps/media/sonarr/app postBuild: substitute: APP: *app + VOLSYNC_CAPACITY: 5Gi prune: true retryInterval: 2m sourceRef: @@ -30,4 +28,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/media/tautulli/app/externalsecret.yaml b/kubernetes/apps/media/tautulli/app/externalsecret.yaml new file mode 100644 index 000000000..c4e2ae355 --- /dev/null +++ b/kubernetes/apps/media/tautulli/app/externalsecret.yaml 
@@ -0,0 +1,17 @@ +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: tautulli +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword + target: + name: tautulli-secret + template: + data: + TAUTULLI_API_KEY: "{{ .TAUTULLI_API_KEY }}" + dataFrom: + - extract: + key: tautulli diff --git a/kubernetes/apps/media/tautulli/app/helmrelease.yaml b/kubernetes/apps/media/tautulli/app/helmrelease.yaml index 9c2d9fe5e..0b1212276 100644 --- a/kubernetes/apps/media/tautulli/app/helmrelease.yaml +++ b/kubernetes/apps/media/tautulli/app/helmrelease.yaml @@ -2,7 +2,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: &app tautulli + name: tautulli spec: interval: 1h chartRef: @@ -19,14 +19,20 @@ spec: values: controllers: tautulli: + annotations: + reloader.stakater.com/auto: "true" containers: app: image: repository: ghcr.io/home-operations/tautulli tag: 2.15.3@sha256:3e0eaca8c082ebe121a0ae9125bea1b4e2d177fca34ac8df4ec14a28e62f63a4 env: - TAUTULLI__PORT: &port 8181 + TAUTULLI_HTTP_PORT: &port 80 + TAUTULLI_HTTP_BASE_URL: https://{{ .Release.Name }}.youmans.io TZ: America/New_York + envFrom: + - secretRef: + name: "{{ .Release.Name }}-secret" probes: liveness: &probes enabled: true @@ -45,6 +51,7 @@ spec: readOnlyRootFilesystem: true capabilities: { drop: ["ALL"] } defaultPodOptions: + hostUsers: false securityContext: runAsNonRoot: true runAsUser: 568 @@ -53,9 +60,9 @@ spec: fsGroupChangePolicy: OnRootMismatch persistence: config: - existingClaim: *app + existingClaim: "{{ .Release.Name }}" config-cache: - existingClaim: tautulli-cache + existingClaim: "{{ .Release.Name }}-cache" globalMounts: - path: /config/cache tmpfs: diff --git a/kubernetes/apps/media/tautulli/app/kustomization.yaml b/kubernetes/apps/media/tautulli/app/kustomization.yaml index c82ceb8bc..bad014b1e 100644 --- a/kubernetes/apps/media/tautulli/app/kustomization.yaml +++ b/kubernetes/apps/media/tautulli/app/kustomization.yaml 
@@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - ./externalsecret.yaml - ./helmrelease.yaml - ./pvc.yaml diff --git a/kubernetes/apps/media/tautulli/ks.yaml b/kubernetes/apps/media/tautulli/ks.yaml index e6031c506..cdcaf5881 100644 --- a/kubernetes/apps/media/tautulli/ks.yaml +++ b/kubernetes/apps/media/tautulli/ks.yaml @@ -29,4 +29,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/media/tqm/app/helmrelease.yaml b/kubernetes/apps/media/tqm/app/helmrelease.yaml index 369b15596..8835a2a8e 100644 --- a/kubernetes/apps/media/tqm/app/helmrelease.yaml +++ b/kubernetes/apps/media/tqm/app/helmrelease.yaml @@ -64,7 +64,7 @@ spec: - path: /.config/tqm config-file: type: configMap - name: tqm-configmap + name: "{{ .Release.Name }}-configmap" globalMounts: - path: /.config/tqm/config.yaml subPath: config.yaml diff --git a/kubernetes/apps/media/tqm/app/resources/config.yaml b/kubernetes/apps/media/tqm/app/resources/config.yaml index 18722d769..f6cdc597e 100644 --- a/kubernetes/apps/media/tqm/app/resources/config.yaml +++ b/kubernetes/apps/media/tqm/app/resources/config.yaml 
@@ -37,24 +37,29 @@ filters: - HasAnyTag("not-linked") && SeedingDays > 24 tag: - - { name: added:1d, mode: full, update: ['AddedDays < 7'] } - - { name: added:7d, mode: full, update: ['AddedDays >= 7 && AddedDays < 14'] } - - { name: added:14d, mode: full, update: ['AddedDays >= 14 && AddedDays < 30'] } - - { name: added:30d, mode: full, update: ['AddedDays >= 30 && AddedDays < 180'] } - - { name: added:180d, mode: full, update: ['AddedDays >= 180'] } - - { name: not-linked, mode: full, update: ['HardlinkedOutsideClient == false && Label in ["sonarr", "radarr"]'] } - - { name: site:ant, mode: full, update: ['TrackerName == "anthelion.me"'] } - - { name: site:ar, mode: full, update: ['TrackerName == "alpharatio.cc"'] } - - { name: site:at, mode: full, update: ['TrackerName == "animetorrents.me"'] } - - { name: site:blu, mode: full, update: ['TrackerName in ["blutopia.cc", "blutopia.xyz"]'] } - - { name: site:fl, mode: full, update: ['TrackerName in ["filelist.io", "thefl.org"]'] } - - { name: site:fnp, mode: full, update: ['TrackerName == "fearnopeer.com"'] } - - { name: site:hdt, mode: full, update: ['TrackerName == "hdts-announce.ru"'] } - - { name: site:ipt, mode: full, update: ['TrackerName in ["bgp.technology", "empirehost.me", "stackoverflow.tech"]'] } - - { name: site:mlk, mode: full, update: ['TrackerName == "milkie.cc"'] } - - { name: site:phd, mode: full, update: ['TrackerName == "privatehd.to"'] } - - { name: site:st, mode: full, update: ['TrackerName == "scenetime.com"'] } - - { name: site:td, mode: full, update: ['TrackerName in ["jumbohostpro.eu", "td-peers.com"]'] } - - { name: site:tl, mode: full, update: ['TrackerName in ["tleechreload.org", "torrentleech.org"]'] } - - { name: tracker-down, mode: full, update: ['IsTrackerDown()'] } - - { name: unregistered, mode: full, update: ['IsUnregistered()'] } + - { name: activity:1d, update: ['LastActivityDays < 7'] } + - { name: activity:7d, update: ['LastActivityDays >= 7 && LastActivityDays < 14'] } + - { 
name: activity:14d, update: ['LastActivityDays >= 14 && LastActivityDays < 30'] } + - { name: activity:30d, update: ['LastActivityDays >= 30 && LastActivityDays < 180'] } + - { name: activity:180d, update: ['LastActivityDays >= 180'] } + - { name: added:1d, update: ['AddedDays < 7'] } + - { name: added:7d, update: ['AddedDays >= 7 && AddedDays < 14'] } + - { name: added:14d, update: ['AddedDays >= 14 && AddedDays < 30'] } + - { name: added:30d, update: ['AddedDays >= 30 && AddedDays < 180'] } + - { name: added:180d, update: ['AddedDays >= 180'] } + - { name: not-linked, update: ['HardlinkedOutsideClient == false && Label in ["sonarr", "radarr"]'] } + - { name: site:ant, update: ['TrackerName == "anthelion.me"'] } + - { name: site:ar, update: ['TrackerName == "alpharatio.cc"'] } + - { name: site:at, update: ['TrackerName == "animetorrents.me"'] } + - { name: site:blu, update: ['TrackerName in ["blutopia.cc", "blutopia.xyz"]'] } + - { name: site:fl, update: ['TrackerName in ["filelist.io", "thefl.org"]'] } + - { name: site:fnp, update: ['TrackerName == "fearnopeer.com"'] } + - { name: site:hdt, update: ['TrackerName == "hdts-announce.ru"'] } + - { name: site:ipt, update: ['TrackerName in ["bgp.technology", "empirehost.me", "stackoverflow.tech"]'] } + - { name: site:mlk, update: ['TrackerName == "milkie.cc"'] } + - { name: site:phd, update: ['TrackerName == "privatehd.to"'] } + - { name: site:st, update: ['TrackerName == "scenetime.com"'] } + - { name: site:td, update: ['TrackerName in ["jumbohostpro.eu", "td-peers.com"]'] } + - { name: site:tl, update: ['TrackerName in ["tleechreload.org", "torrentleech.org"]'] } + - { name: tracker-down, update: ['IsTrackerDown()'] } + - { name: unregistered, update: ['IsUnregistered()'] } diff --git a/kubernetes/apps/media/tqm/ks.yaml b/kubernetes/apps/media/tqm/ks.yaml index a6c0e0693..8574c2402 100644 --- a/kubernetes/apps/media/tqm/ks.yaml +++ b/kubernetes/apps/media/tqm/ks.yaml 
@@ -21,4 +21,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/networking/cloudflared/app/helmrelease.yaml b/kubernetes/apps/networking/cloudflared/app/helmrelease.yaml index 728bac4b2..a7be32c27 100644 --- a/kubernetes/apps/networking/cloudflared/app/helmrelease.yaml +++ b/kubernetes/apps/networking/cloudflared/app/helmrelease.yaml @@ -33,13 +33,13 @@ spec: - run env: NO_AUTOUPDATE: true - TUNNEL_METRICS: 0.0.0.0:2000 + TUNNEL_METRICS: 0.0.0.0:8080 TUNNEL_ORIGIN_ENABLE_HTTP2: true TUNNEL_POST_QUANTUM: true TUNNEL_TRANSPORT_PROTOCOL: quic envFrom: - secretRef: - name: cloudflared-secret + name: "{{ .Release.Name }}-secret" probes: liveness: &probes enabled: true @@ -47,7 +47,7 @@ spec: spec: httpGet: path: /ready - port: &port 2000 + port: &port 8080 initialDelaySeconds: 0 periodSeconds: 10 timeoutSeconds: 1 @@ -58,6 +58,7 @@ spec: readOnlyRootFilesystem: true capabilities: { drop: ["ALL"] } defaultPodOptions: + hostUsers: false securityContext: runAsNonRoot: true runAsUser: 568 @@ -65,7 +66,7 @@ spec: persistence: config: type: configMap - name: cloudflared-configmap + name: "{{ .Release.Name }}-configmap" globalMounts: - path: /etc/cloudflared/config.yaml subPath: config.yaml diff --git a/kubernetes/apps/networking/cloudflared/ks.yaml b/kubernetes/apps/networking/cloudflared/ks.yaml index 7165f8d45..49add0b33 100644 --- a/kubernetes/apps/networking/cloudflared/ks.yaml +++ b/kubernetes/apps/networking/cloudflared/ks.yaml @@ -8,9 +8,6 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app - dependsOn: - - name: onepassword-store - namespace: external-secrets interval: 1h path: ./kubernetes/apps/networking/cloudflared/app prune: true @@ -21,4 +18,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true 
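Review bot: The cloudflared `ks.yaml` hunk at `@@ -8,9 +8,6 @@` removes `dependsOn: onepassword-store`, yet the HelmRelease in the same file section still reads `"{{ .Release.Name }}-secret"` via `envFrom`; if that Secret comes from an ExternalSecret against the `onepassword` ClusterSecretStore (as the tautulli one earlier in this diff does), the app can now be applied before the store exists. The ExternalSecret then stays not-ready until the store appears and the pod sits in a container-config error on the missing Secret, so it converges on `retryInterval: 2m` but the first reconcile on a fresh cluster loses its ordering guarantee. The same `dependsOn` block is removed for external-dns, smtp-relay, grafana, kube-prometheus-stack, gatus and unpoller. A one-line comment where the block used to be, e.g. `# ordering with onepassword-store is left to retry, not dependsOn`, would record that this is deliberate.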
diff --git a/kubernetes/apps/networking/echo-server/app/helmrelease.yaml b/kubernetes/apps/networking/echo-server/app/helmrelease.yaml index 845d9c38d..aa35e1ca3 100644 --- a/kubernetes/apps/networking/echo-server/app/helmrelease.yaml +++ b/kubernetes/apps/networking/echo-server/app/helmrelease.yaml @@ -27,7 +27,7 @@ spec: repository: ghcr.io/mendhak/http-https-echo tag: 37@sha256:f55000d9196bd3c853d384af7315f509d21ffb85de315c26e9874033b9f83e15 env: - PORT: &port 8080 + HTTP_PORT: &port 80 LOG_WITHOUT_NEWLINE: true LOG_IGNORE_PATH: &path /healthz PROMETHEUS_ENABLED: true @@ -49,6 +49,7 @@ spec: readOnlyRootFilesystem: true capabilities: { drop: ["ALL"] } defaultPodOptions: + hostUsers: false securityContext: runAsNonRoot: true runAsUser: 568 diff --git a/kubernetes/apps/networking/echo-server/ks.yaml b/kubernetes/apps/networking/echo-server/ks.yaml index 97ab908d4..ba8f35651 100644 --- a/kubernetes/apps/networking/echo-server/ks.yaml +++ b/kubernetes/apps/networking/echo-server/ks.yaml @@ -24,4 +24,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/networking/external-dns/cloudflare/helmrelease.yaml b/kubernetes/apps/networking/external-dns/cloudflare/helmrelease.yaml index fd1aff6ee..15a9f66f8 100644 --- a/kubernetes/apps/networking/external-dns/cloudflare/helmrelease.yaml +++ b/kubernetes/apps/networking/external-dns/cloudflare/helmrelease.yaml @@ -25,7 +25,7 @@ spec: app: image: repository: registry.k8s.io/external-dns/external-dns - tag: v0.18.0@sha256:f90738b35be265d50141d5c21e6f6049c3da7cd761682c40214117a2951b80bc + tag: v0.19.0@sha256:f76114338104264f655b23138444481b20bb9d6125742c7240fac25936fe164e args: - --cloudflare-dns-records-per-page=1000 - --cloudflare-proxied @@ -44,7 +44,7 @@ spec: - --zone-id-filter=$(CF_ZONE_ID) envFrom: - secretRef: - name: external-dns-cloudflare-secret + name: "{{ .Release.Name }}-secret" probes: liveness: &probes enabled: true 
@@ -65,6 +65,7 @@ spec: serviceAccount: name: *app defaultPodOptions: + hostUsers: false securityContext: runAsNonRoot: true runAsUser: 568 diff --git a/kubernetes/apps/networking/external-dns/ks.yaml b/kubernetes/apps/networking/external-dns/ks.yaml index 385f105b3..1657c775b 100644 --- a/kubernetes/apps/networking/external-dns/ks.yaml +++ b/kubernetes/apps/networking/external-dns/ks.yaml @@ -8,9 +8,6 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app - dependsOn: - - name: onepassword-store - namespace: external-secrets interval: 1h path: ./kubernetes/apps/networking/external-dns/cloudflare prune: true @@ -21,7 +18,6 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true --- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization @@ -32,9 +28,6 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app - dependsOn: - - name: onepassword-store - namespace: external-secrets interval: 1h path: ./kubernetes/apps/networking/external-dns/unifi prune: true @@ -45,4 +38,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/networking/external-dns/unifi/helmrelease.yaml b/kubernetes/apps/networking/external-dns/unifi/helmrelease.yaml index 3a54f43b5..a3cddf3bf 100644 --- a/kubernetes/apps/networking/external-dns/unifi/helmrelease.yaml +++ b/kubernetes/apps/networking/external-dns/unifi/helmrelease.yaml @@ -30,7 +30,7 @@ spec: UNIFI_HOST: https://unifi.internal envFrom: - secretRef: - name: external-dns-unifi-secret + name: "{{ .Release.Name }}-secret" probes: liveness: enabled: true @@ -63,7 +63,7 @@ spec: app: image: repository: registry.k8s.io/external-dns/external-dns - tag: v0.18.0@sha256:f90738b35be265d50141d5c21e6f6049c3da7cd761682c40214117a2951b80bc + tag: v0.19.0@sha256:f76114338104264f655b23138444481b20bb9d6125742c7240fac25936fe164e args: - --domain-filter=youmans.io - --events 
@@ -94,6 +94,7 @@ spec: serviceAccount: name: *app defaultPodOptions: + hostUsers: false securityContext: runAsNonRoot: true runAsUser: 568 diff --git a/kubernetes/apps/networking/smtp-relay/app/helmrelease.yaml b/kubernetes/apps/networking/smtp-relay/app/helmrelease.yaml index bd7a45d96..50c4bebcd 100644 --- a/kubernetes/apps/networking/smtp-relay/app/helmrelease.yaml +++ b/kubernetes/apps/networking/smtp-relay/app/helmrelease.yaml @@ -34,7 +34,7 @@ spec: SMTP_RELAY_SERVER_PORT: 587 envFrom: - secretRef: - name: smtp-relay-secret + name: "{{ .Release.Name }}-secret" probes: liveness: enabled: true @@ -45,21 +45,22 @@ spec: readOnlyRootFilesystem: true capabilities: { drop: ["ALL"] } defaultPodOptions: + hostUsers: false securityContext: runAsNonRoot: true runAsUser: 568 runAsGroup: 568 persistence: + cache: + type: emptyDir + medium: Memory config: type: configMap - name: smtp-relay-configmap + name: "{{ .Release.Name }}-configmap" globalMounts: - path: /data/maddy.conf subPath: maddy.conf readOnly: true - tmp: - type: emptyDir - medium: Memory service: app: ports: diff --git a/kubernetes/apps/networking/smtp-relay/app/resources/maddy.conf b/kubernetes/apps/networking/smtp-relay/app/resources/maddy.conf index 3d8fe110c..5e35b7ff7 100644 --- a/kubernetes/apps/networking/smtp-relay/app/resources/maddy.conf +++ b/kubernetes/apps/networking/smtp-relay/app/resources/maddy.conf @@ -1,5 +1,5 @@ -state_dir /tmp/state -runtime_dir /tmp/run +state_dir /cache/state +runtime_dir /cache/run openmetrics tcp://0.0.0.0:{env:SMTP_RELAY_METRICS_PORT} { } diff --git a/kubernetes/apps/networking/smtp-relay/ks.yaml b/kubernetes/apps/networking/smtp-relay/ks.yaml index b01089808..2e574ee7e 100644 --- a/kubernetes/apps/networking/smtp-relay/ks.yaml +++ b/kubernetes/apps/networking/smtp-relay/ks.yaml 
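Review bot: The smtp-relay helmrelease hunk at `@@ -45,21 +45,22 @@` replaces the `tmp` emptyDir with `cache`, and the `maddy.conf` hunk moves `state_dir`/`runtime_dir` to `/cache`, but the container keeps `readOnlyRootFilesystem: true`, so `/tmp` is no longer writable at all. If maddy or its runtime ever writes a temporary file there it will now fail with a read-only error; worth confirming against the image before relying on it, or keeping `tmp` alongside `cache`. The `cache` entry carries no `globalMounts`, so it presumably relies on the chart's default mount path lining up with the `/cache` paths in `maddy.conf`; a comment such as `# mounted at /cache by default; must match state_dir/runtime_dir in maddy.conf` ties the two files together. The `persistence:` block continues outside this hunk.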
@@ -8,9 +8,6 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app - dependsOn: - - name: onepassword-store - namespace: external-secrets interval: 1h path: ./kubernetes/apps/networking/smtp-relay/app prune: true @@ -21,4 +18,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/observability/alloy/ks.yaml b/kubernetes/apps/observability/alloy/ks.yaml index 182cd903f..81552fc7f 100644 --- a/kubernetes/apps/observability/alloy/ks.yaml +++ b/kubernetes/apps/observability/alloy/ks.yaml @@ -18,4 +18,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/observability/blackbox-exporter/app/helmrelease.yaml b/kubernetes/apps/observability/blackbox-exporter/app/helmrelease.yaml index 263d53f0d..2f6477bf6 100644 --- a/kubernetes/apps/observability/blackbox-exporter/app/helmrelease.yaml +++ b/kubernetes/apps/observability/blackbox-exporter/app/helmrelease.yaml @@ -40,16 +40,16 @@ spec: http: valid_http_versions: ["HTTP/1.1", "HTTP/2.0"] follow_redirects: true - preferred_ip_protocol: ipv4 + preferred_ip_protocol: ip4 icmp: prober: icmp timeout: 5s icmp: - preferred_ip_protocol: ipv4 + preferred_ip_protocol: ip4 tcp_connect: prober: tcp timeout: 5s tcp: - preferred_ip_protocol: ipv4 + preferred_ip_protocol: ip4 serviceMonitor: enabled: true diff --git a/kubernetes/apps/observability/blackbox-exporter/ks.yaml b/kubernetes/apps/observability/blackbox-exporter/ks.yaml index 2b3e523f6..feacac32f 100644 --- a/kubernetes/apps/observability/blackbox-exporter/ks.yaml +++ b/kubernetes/apps/observability/blackbox-exporter/ks.yaml @@ -8,6 +8,11 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app + healthChecks: + - apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + name: *app + namespace: *namespace interval: 1h path: ./kubernetes/apps/observability/blackbox-exporter/app prune: true 
@@ -18,7 +23,6 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true --- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization diff --git a/kubernetes/apps/observability/gatus/app/externalsecret.yaml b/kubernetes/apps/observability/gatus/app/externalsecret.yaml deleted file mode 100644 index 237cd758f..000000000 --- a/kubernetes/apps/observability/gatus/app/externalsecret.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: gatus -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword - target: - name: gatus-secret - creationPolicy: Owner - template: - data: - INIT_POSTGRES_DBNAME: gatus - INIT_POSTGRES_HOST: postgres-rw.databases.svc.cluster.local - INIT_POSTGRES_USER: "{{ .GATUS_POSTGRES_USER }}" - INIT_POSTGRES_PASS: "{{ .GATUS_POSTGRES_PASS }}" - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" - dataFrom: - - extract: - key: cloudnative-pg - - extract: - key: gatus diff --git a/kubernetes/apps/observability/gatus/app/helmrelease.yaml b/kubernetes/apps/observability/gatus/app/helmrelease.yaml index a01be4295..01243d120 100644 --- a/kubernetes/apps/observability/gatus/app/helmrelease.yaml +++ b/kubernetes/apps/observability/gatus/app/helmrelease.yaml @@ -22,15 +22,7 @@ spec: annotations: reloader.stakater.com/auto: "true" initContainers: - init-db: - image: - repository: ghcr.io/home-operations/postgres-init - tag: 17 - envFrom: &envFrom - - secretRef: - name: gatus-secret init-config: - dependsOn: init-db image: repository: ghcr.io/home-operations/k8s-sidecar tag: 1.30.10@sha256:dd3b1f0c4e6b4512b2deb50c58acf65fd0f0927120a59a95eec854d32a6c9ce3 @@ -52,7 +44,6 @@ spec: GATUS_CONFIG_PATH: /config GATUS_DELAY_START_SECONDS: 5 TZ: America/New_York - envFrom: *envFrom probes: liveness: &probes enabled: true 
@@ -73,6 +64,7 @@ spec: serviceAccount: name: *app defaultPodOptions: + hostUsers: false securityContext: runAsNonRoot: true runAsUser: 568 @@ -82,7 +74,7 @@ spec: type: emptyDir config-file: type: configMap - name: gatus-configmap + name: "{{ .Release.Name }}-configmap" globalMounts: - path: /config/config.yaml subPath: config.yaml diff --git a/kubernetes/apps/observability/gatus/app/kustomization.yaml b/kubernetes/apps/observability/gatus/app/kustomization.yaml index b469781ea..9cbf87ab0 100644 --- a/kubernetes/apps/observability/gatus/app/kustomization.yaml +++ b/kubernetes/apps/observability/gatus/app/kustomization.yaml @@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./externalsecret.yaml - ./helmrelease.yaml - ./prometheusrule.yaml - ./rbac.yaml diff --git a/kubernetes/apps/observability/gatus/app/resources/config.yaml b/kubernetes/apps/observability/gatus/app/resources/config.yaml index 9ab623775..da0bbc05a 100644 --- a/kubernetes/apps/observability/gatus/app/resources/config.yaml +++ b/kubernetes/apps/observability/gatus/app/resources/config.yaml @@ -15,11 +15,6 @@ endpoints: metrics: true -storage: - type: postgres - path: postgres://${INIT_POSTGRES_USER}:${INIT_POSTGRES_PASS}@${INIT_POSTGRES_HOST}:5432/${INIT_POSTGRES_DBNAME}?sslmode=disable - caching: true - ui: title: Status | Gatus header: Status diff --git a/kubernetes/apps/observability/gatus/ks.yaml b/kubernetes/apps/observability/gatus/ks.yaml index 90c3d68f4..51bec4e0f 100644 --- a/kubernetes/apps/observability/gatus/ks.yaml +++ b/kubernetes/apps/observability/gatus/ks.yaml 
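Review bot: Removing the whole `storage:` block in the gatus `resources/config.yaml` hunk at `@@ -15,11 +15,6 @@` leaves gatus on its default in-memory store, so endpoint history and the status page reset every time the pod restarts. That matches dropping the `init-db` container and the Postgres ExternalSecret elsewhere in this commit, but nothing in the config says so; a comment at the point of removal such as `# no storage block: in-memory store, history is lost on restart` would keep a future reader from assuming persistence. The surrounding `endpoints`/`ui` sections continue outside this hunk.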
@@ -8,19 +8,8 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app - components: - - ../../../../components/gatus - dependsOn: - - name: cloudnative-pg-cluster - namespace: databases - - name: onepassword-store - namespace: external-secrets interval: 1h path: ./kubernetes/apps/observability/gatus/app - postBuild: - substitute: - APP: *app - GATUS_PATH: /health prune: true retryInterval: 2m sourceRef: @@ -29,4 +18,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/observability/grafana/ks.yaml b/kubernetes/apps/observability/grafana/ks.yaml index 76acded16..fdf9b343f 100644 --- a/kubernetes/apps/observability/grafana/ks.yaml +++ b/kubernetes/apps/observability/grafana/ks.yaml @@ -8,9 +8,6 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app - dependsOn: - - name: onepassword-store - namespace: external-secrets interval: 1h path: ./kubernetes/apps/observability/grafana/app prune: true @@ -21,4 +18,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/observability/karma/app/helmrelease.yaml b/kubernetes/apps/observability/karma/app/helmrelease.yaml index 53d8ab15a..6a5831b05 100644 --- a/kubernetes/apps/observability/karma/app/helmrelease.yaml +++ b/kubernetes/apps/observability/karma/app/helmrelease.yaml @@ -19,8 +19,6 @@ spec: values: controllers: karma: - replicas: 2 - strategy: RollingUpdate containers: app: image: @@ -28,6 +26,7 @@ spec: tag: v0.121@sha256:9f0ad820df1b1d0af562de3b3c545a52ddfce8d7492f434a2276e45f3a1f7e28 env: ALERTMANAGER_URI: http://alertmanager-operated.observability.svc.cluster.local:9093 + LISTEN_PORT: &port 80 probes: liveness: &probes enabled: true @@ -35,7 +34,7 @@ spec: spec: httpGet: path: /health - port: &port 8080 + port: *port initialDelaySeconds: 0 periodSeconds: 10 timeoutSeconds: 1 
@@ -46,6 +45,7 @@ spec: readOnlyRootFilesystem: true capabilities: { drop: ["ALL"] } defaultPodOptions: + hostUsers: false securityContext: runAsNonRoot: true runAsUser: 568 diff --git a/kubernetes/apps/observability/karma/ks.yaml b/kubernetes/apps/observability/karma/ks.yaml index 61d5b2a09..4c22ee942 100644 --- a/kubernetes/apps/observability/karma/ks.yaml +++ b/kubernetes/apps/observability/karma/ks.yaml @@ -18,4 +18,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/observability/keda/app/helmrelease.yaml b/kubernetes/apps/observability/keda/app/helmrelease.yaml index e4c5afcf4..7e43e014a 100644 --- a/kubernetes/apps/observability/keda/app/helmrelease.yaml +++ b/kubernetes/apps/observability/keda/app/helmrelease.yaml @@ -22,12 +22,10 @@ spec: kind: OCIRepository name: keda install: - crds: CreateReplace remediation: retries: -1 upgrade: cleanupOnFail: true - crds: CreateReplace remediation: retries: 3 values: diff --git a/kubernetes/apps/observability/keda/ks.yaml b/kubernetes/apps/observability/keda/ks.yaml index a77808797..8238ee9dd 100644 --- a/kubernetes/apps/observability/keda/ks.yaml +++ b/kubernetes/apps/observability/keda/ks.yaml @@ -18,4 +18,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/observability/kromgo/app/helmrelease.yaml b/kubernetes/apps/observability/kromgo/app/helmrelease.yaml index a1e6ef215..6c84cb4aa 100644 --- a/kubernetes/apps/observability/kromgo/app/helmrelease.yaml +++ b/kubernetes/apps/observability/kromgo/app/helmrelease.yaml 
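Review bot: The keda helmrelease hunk at `@@ -22,12 +22,10 @@` drops `crds: CreateReplace` from both `install` and `upgrade`, which falls back to Flux's defaults of creating CRDs on install but skipping them on upgrade; the next KEDA chart bump will then upgrade the controller without its CRDs. Unless the CRDs are now shipped by a separate Kustomization not visible here, I would keep the two lines (`crds: CreateReplace` under `install:` and under `upgrade:`) or add a comment stating where CRD upgrades are handled. The HelmRelease `spec` continues outside this hunk.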
@@ -29,9 +29,9 @@ spec: repository: ghcr.io/kashalls/kromgo tag: v0.7.1@sha256:d8fca4ff9b696abc4ca019c76fa629c39e844e4d9435f4afac87a97b1eeae152 env: + HEALTH_PORT: &healthPort 8080 PROMETHEUS_URL: http://prometheus-operated.observability.svc.cluster.local:9090 - HEALTH_PORT: &healthPort 8888 - SERVER_PORT: &port 8080 + SERVER_PORT: &port 80 probes: liveness: &probes enabled: true @@ -50,6 +50,7 @@ spec: readOnlyRootFilesystem: true capabilities: { drop: ["ALL"] } defaultPodOptions: + hostUsers: false securityContext: runAsNonRoot: true runAsUser: 568 @@ -57,18 +58,11 @@ spec: persistence: config: type: configMap - name: kromgo-configmap + name: "{{ .Release.Name }}-configmap" globalMounts: - path: /kromgo/config.yaml subPath: config.yaml readOnly: true - service: - app: - ports: - http: - port: *port - health: - port: *healthPort route: app: hostnames: @@ -77,6 +71,17 @@ spec: - name: external namespace: kube-system sectionName: https + rules: + - backendRefs: + - identifier: app + port: *port + service: + app: + ports: + http: + port: *port + health: + port: *healthPort serviceMonitor: app: endpoints: diff --git a/kubernetes/apps/observability/kromgo/ks.yaml b/kubernetes/apps/observability/kromgo/ks.yaml index ba6ba2609..b57d08323 100644 --- a/kubernetes/apps/observability/kromgo/ks.yaml +++ b/kubernetes/apps/observability/kromgo/ks.yaml @@ -24,4 +24,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/observability/kube-prometheus-stack/ks.yaml b/kubernetes/apps/observability/kube-prometheus-stack/ks.yaml index a8c609a96..4fa380125 100644 --- a/kubernetes/apps/observability/kube-prometheus-stack/ks.yaml +++ b/kubernetes/apps/observability/kube-prometheus-stack/ks.yaml @@ -11,8 +11,6 @@ spec: dependsOn: - name: democratic-csi namespace: democratic-csi - - name: onepassword-store - namespace: external-secrets interval: 1h path: ./kubernetes/apps/observability/kube-prometheus-stack/app prune: true 
@@ -23,4 +21,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/observability/loki/ks.yaml b/kubernetes/apps/observability/loki/ks.yaml index cc490ff52..58cc5a0a2 100644 --- a/kubernetes/apps/observability/loki/ks.yaml +++ b/kubernetes/apps/observability/loki/ks.yaml @@ -21,4 +21,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/observability/silence-operator/ks.yaml b/kubernetes/apps/observability/silence-operator/ks.yaml index 51c200b5c..531d4b940 100644 --- a/kubernetes/apps/observability/silence-operator/ks.yaml +++ b/kubernetes/apps/observability/silence-operator/ks.yaml @@ -8,6 +8,11 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app + healthChecks: + - apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + name: *app + namespace: *namespace interval: 1h path: ./kubernetes/apps/observability/silence-operator/app prune: true @@ -18,7 +23,6 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true --- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization @@ -42,4 +46,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/observability/smartctl-exporter/ks.yaml b/kubernetes/apps/observability/smartctl-exporter/ks.yaml index 3366c59f0..984edba66 100644 --- a/kubernetes/apps/observability/smartctl-exporter/ks.yaml +++ b/kubernetes/apps/observability/smartctl-exporter/ks.yaml @@ -18,4 +18,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/observability/snmp-exporter/ks.yaml b/kubernetes/apps/observability/snmp-exporter/ks.yaml index 3727c0eda..aa6ae5f0e 100644 --- a/kubernetes/apps/observability/snmp-exporter/ks.yaml +++ b/kubernetes/apps/observability/snmp-exporter/ks.yaml 
@@ -18,4 +18,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/observability/unpoller/app/helmrelease.yaml b/kubernetes/apps/observability/unpoller/app/helmrelease.yaml index 40108651f..9ec04db55 100644 --- a/kubernetes/apps/observability/unpoller/app/helmrelease.yaml +++ b/kubernetes/apps/observability/unpoller/app/helmrelease.yaml @@ -28,23 +28,33 @@ spec: tag: v2.15.4@sha256:788a890f2dc5aef3e99ce430917221c43b4e084464d38bc6537a8c7294ef8770 env: TZ: America/New_York + UP_INFLUXDB_DISABLE: true + UP_PROMETHEUS_HTTP_LISTEN: 0.0.0.0:8080 UP_UNIFI_DEFAULT_ROLE: k8s-gitops UP_UNIFI_DEFAULT_URL: https://unifi.internal UP_UNIFI_DEFAULT_VERIFY_SSL: false - UP_INFLUXDB_DISABLE: true envFrom: - secretRef: - name: unpoller-secret + name: "{{ .Release.Name }}-secret" probes: - liveness: - enabled: true - readiness: + liveness: &probes enabled: true + custom: true + spec: + httpGet: + path: /health + port: &port 8080 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + readiness: *probes securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: { drop: ["ALL"] } defaultPodOptions: + hostUsers: false securityContext: runAsNonRoot: true runAsUser: 568 @@ -53,7 +63,7 @@ spec: app: ports: http: - port: 9130 + port: *port serviceMonitor: app: endpoints: diff --git a/kubernetes/apps/observability/unpoller/ks.yaml b/kubernetes/apps/observability/unpoller/ks.yaml index a8bd4633e..49163db48 100644 --- a/kubernetes/apps/observability/unpoller/ks.yaml +++ b/kubernetes/apps/observability/unpoller/ks.yaml @@ -8,9 +8,6 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app - dependsOn: - - name: onepassword-store - namespace: external-secrets interval: 1h path: ./kubernetes/apps/observability/unpoller/app prune: true @@ -21,4 +18,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true 
diff --git a/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml b/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml index b605cbcab..085c65c08 100644 --- a/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml +++ b/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml @@ -19,8 +19,6 @@ spec: values: controllers: system-upgrade-controller: - strategy: RollingUpdate - replicas: 2 containers: app: image: @@ -28,11 +26,8 @@ spec: tag: v0.16.2@sha256:ae933d9d81e9c42e316989a0ce7b1fb0dfe93afe5469631b8f384141b89b106a env: SYSTEM_UPGRADE_CONTROLLER_LEADER_ELECT: true - SYSTEM_UPGRADE_CONTROLLER_NAME: *app - SYSTEM_UPGRADE_CONTROLLER_NAMESPACE: - valueFrom: - fieldRef: - fieldPath: metadata.namespace + SYSTEM_UPGRADE_CONTROLLER_NAME: "{{ .Release.Name }}" + SYSTEM_UPGRADE_CONTROLLER_NAMESPACE: "{{ .Release.Namespace }}" SYSTEM_UPGRADE_CONTROLLER_NODE_NAME: valueFrom: fieldRef: @@ -45,6 +40,7 @@ spec: serviceAccount: name: *app defaultPodOptions: + hostUsers: false securityContext: runAsNonRoot: true runAsUser: 568 diff --git a/kubernetes/apps/system-upgrade/system-upgrade-controller/ks.yaml b/kubernetes/apps/system-upgrade/system-upgrade-controller/ks.yaml index 3e8f90de3..40ee00790 100644 --- a/kubernetes/apps/system-upgrade/system-upgrade-controller/ks.yaml +++ b/kubernetes/apps/system-upgrade/system-upgrade-controller/ks.yaml @@ -8,6 +8,11 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app + healthChecks: + - apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + name: *app + namespace: *namespace interval: 1h path: ./kubernetes/apps/system-upgrade/system-upgrade-controller/app prune: true @@ -18,7 +23,6 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true --- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization 
@@ -34,12 +38,6 @@ spec: namespace: *namespace interval: 1h path: ./kubernetes/apps/system-upgrade/system-upgrade-controller/plans - postBuild: - substitute: - # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet - KUBERNETES_VERSION: v1.34.0 - # renovate: datasource=docker depName=ghcr.io/siderolabs/installer - TALOS_VERSION: v1.11.0 prune: true retryInterval: 2m sourceRef: @@ -48,4 +46,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/kubernetes.yaml b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/kubernetes.yaml index bce10fd38..4246025c1 100644 --- a/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/kubernetes.yaml +++ b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/kubernetes.yaml @@ -4,7 +4,8 @@ kind: Plan metadata: name: kubernetes spec: - version: ${KUBERNETES_VERSION} + # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet + version: v1.34.0 concurrency: 1 exclusive: true serviceAccountName: system-upgrade-controller @@ -17,7 +18,7 @@ spec: - key: node-role.kubernetes.io/control-plane operator: Exists upgrade: - image: ghcr.io/siderolabs/talosctl:${TALOS_VERSION} + image: ghcr.io/siderolabs/talosctl:v1.11.0 args: - --nodes=$(SYSTEM_UPGRADE_NODE_NAME) - upgrade-k8s diff --git a/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/talos.yaml b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/talos.yaml index 6c656e1e3..ffca8bf87 100644 --- a/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/talos.yaml +++ b/kubernetes/apps/system-upgrade/system-upgrade-controller/plans/talos.yaml @@ -4,7 +4,8 @@ kind: Plan metadata: name: talos spec: - version: ${TALOS_VERSION} + # renovate: datasource=docker depName=ghcr.io/siderolabs/installer + version: v1.11.0 concurrency: 1 exclusive: true serviceAccountName: system-upgrade-controller 
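Review bot: In the `plans/kubernetes.yaml` hunk at `@@ -17,7 +18,7 @@`, the upgrade image becomes the literal `ghcr.io/siderolabs/talosctl:v1.11.0` with no `# renovate:` annotation, while the `version` fields in both plans did get one. This tag will therefore not be bumped with the rest and can drift from the Talos version the nodes are upgraded to. Adding `# renovate: datasource=docker depName=ghcr.io/siderolabs/talosctl` above the `image:` line (assuming the repository's regex manager accepts this value shape) keeps the two in step. The `upgrade:` block continues outside this hunk.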
diff --git a/kubernetes/apps/volsync-system/snapshot-controller/ks.yaml b/kubernetes/apps/volsync-system/snapshot-controller/ks.yaml index ad45db352..36df19123 100644 --- a/kubernetes/apps/volsync-system/snapshot-controller/ks.yaml +++ b/kubernetes/apps/volsync-system/snapshot-controller/ks.yaml @@ -8,6 +8,11 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app + healthChecks: + - apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + name: *app + namespace: *namespace interval: 1h path: ./kubernetes/apps/volsync-system/snapshot-controller/app prune: true @@ -18,4 +23,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/apps/volsync-system/volsync/ks.yaml b/kubernetes/apps/volsync-system/volsync/ks.yaml index 2d22306a2..72fb6a713 100644 --- a/kubernetes/apps/volsync-system/volsync/ks.yaml +++ b/kubernetes/apps/volsync-system/volsync/ks.yaml @@ -11,6 +11,11 @@ spec: dependsOn: - name: snapshot-controller namespace: *namespace + healthChecks: + - apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + name: *app + namespace: *namespace interval: 1h path: ./kubernetes/apps/volsync-system/volsync/app prune: true @@ -21,4 +26,3 @@ spec: namespace: flux-system targetNamespace: *namespace timeout: 5m - wait: true diff --git a/kubernetes/components/gatus/kustomization.yaml b/kubernetes/components/gatus/kustomization.yaml index f86af1419..2e3142f6f 100644 --- a/kubernetes/components/gatus/kustomization.yaml +++ b/kubernetes/components/gatus/kustomization.yaml @@ -4,7 +4,7 @@ kind: Component configMapGenerator: - name: ${APP}-gatus-ep files: - - ./config.yaml + - ./resources/config.yaml options: labels: gatus.io/enabled: "true" diff --git a/kubernetes/components/gatus/config.yaml b/kubernetes/components/gatus/resources/config.yaml similarity index 100% rename from kubernetes/components/gatus/config.yaml rename to kubernetes/components/gatus/resources/config.yaml 
diff --git a/kubernetes/components/nfs-scaler/kustomization.yaml b/kubernetes/components/keda/nfs-scaler/kustomization.yaml similarity index 100% rename from kubernetes/components/nfs-scaler/kustomization.yaml rename to kubernetes/components/keda/nfs-scaler/kustomization.yaml diff --git a/kubernetes/components/nfs-scaler/scaledobject.yaml b/kubernetes/components/keda/nfs-scaler/scaledobject.yaml similarity index 100% rename from kubernetes/components/nfs-scaler/scaledobject.yaml rename to kubernetes/components/keda/nfs-scaler/scaledobject.yaml diff --git a/talos/controlplane/10.0.5.2.yaml b/talos/controlplane/10.0.5.2.yaml index 91e50a3a7..cb5ed6135 100644 --- a/talos/controlplane/10.0.5.2.yaml +++ b/talos/controlplane/10.0.5.2.yaml @@ -1,12 +1,7 @@ --- machine: - disks: - - device: /dev/disk/by-id/ata-CT4000MX500SSD1_2336E873A309 - partitions: [{ mountpoint: /var/mnt/extra }] install: diskSelector: serial: S465NB0K748379B network: hostname: m0.k8s.internal - nodeLabels: - topology.kubernetes.io/zone: m diff --git a/talos/machineconfig.yaml.j2 b/talos/machineconfig.yaml.j2 index ebf9575a6..71ee5b65f 100644 --- a/talos/machineconfig.yaml.j2 +++ b/talos/machineconfig.yaml.j2 @@ -1,19 +1,17 @@ --- version: v1alpha1 -debug: false -persist: true machine: - type: {{ ENV.MACHINE_TYPE }} + type: {{ machinetype }} token: op://K8s/talos/MACHINE_TOKEN ca: crt: op://K8s/talos/MACHINE_CA_CRT - {% if ENV.MACHINE_TYPE == 'controlplane' %} + {% if machinetype == 'controlplane' %} key: op://K8s/talos/MACHINE_CA_KEY {% endif %} features: rbac: true stableHostname: true - {% if ENV.MACHINE_TYPE == 'controlplane' %} + {% if machinetype == 'controlplane' %} kubernetesTalosAPIAccess: enabled: true allowedRoles: ["os:admin"] 
@@ -29,6 +27,13 @@ machine:
 resolveMemberNames: true
 forwardKubeDNSToHost: false
 files:
+ - op: create
+ path: /etc/cri/conf.d/20-customization.part
+ content: |
+ [plugins."io.containerd.cri.v1.images"]
+ discard_unpacked_layers = false
+ [plugins."io.containerd.cri.v1.runtime"]
+ device_ownership_from_security_context = true
 - op: overwrite
 path: /etc/nfsmount.conf
 permissions: 0o644
@@ -36,31 +41,22 @@ machine:
 [ NFSMount_Global_Options ]
 nfsvers=4.1
 hard=True
- nconnect=16
+ nconnect=8
 noatime=True
 rsize=1048576
 wsize=1048576
- - op: create
- path: /usr/local/etc/nfsrahead/nfs.conf
- content: |
- [nfsrahead]
- nfs4=15360
- default=128
 install:
- image: factory.talos.dev/metal-installer/{{ ENV.TALOS_SCHEMATIC }}:{{ ENV.TALOS_VERSION }}
+ image: factory.talos.dev/metal-installer/b9b0b9a4ac99eb6445762f84915f10c9834730e91caa50639b5be203bad1171e:v1.11.0
 kernel:
 modules:
 - name: thunderbolt
 - name: thunderbolt_net
 kubelet:
- image: ghcr.io/siderolabs/kubelet:{{ ENV.KUBERNETES_VERSION }}
+ image: ghcr.io/siderolabs/kubelet:v1.34.0
 extraConfig:
+ featureGates:
+ ImageVolume: true
 serializeImagePulls: false
- extraMounts:
- - destination: /var/mnt/extra
- type: bind
- source: /var/mnt/extra
- options: ["bind", "rshared", "rw"]
 defaultRuntimeSeccompProfileEnabled: true
 nodeIP:
 validSubnets: ["10.0.5.0/24"]
@@ -71,13 +67,15 @@ machine:
 mtu: 1500
 dhcp: true
 vlans:
- - { vlanId: 2, dhcp: false, mtu: 1500 }
- - { vlanId: 99, dhcp: false, mtu: 1500 }
+ - # Services VLAN
+ { vlanId: 2, dhcp: false, mtu: 1500 }
+ - # IOT VLAN
+ { vlanId: 99, dhcp: false, mtu: 1500 }
 nameservers: ["10.0.5.1"]
 disableSearchDomain: true
 nodeLabels:
- intel.feature.node.kubernetes.io/gpu: true
 topology.kubernetes.io/region: k8s
+ topology.kubernetes.io/zone: {{ 'm' if machinetype == 'controlplane' else 'w' }}
 sysctls:
 fs.inotify.max_user_watches: 1048576 # Watchdog
 fs.inotify.max_user_instances: 8192 # Watchdog
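Review bot: The new containerd drop-in at `/etc/cri/conf.d/20-customization.part` sets two node-wide runtime knobs with no comment on what needs them. `device_ownership_from_security_context = true` changes the ownership of device nodes presented to pods (to the pod's runAsUser/runAsGroup, as I understand containerd's option), which is exactly the kind of setting a later reviewer of device-plugin or hostPath device grants needs to know about, and `discard_unpacked_layers = false` keeps compressed layer blobs in the content store, so node disk usage grows. Add one comment per setting naming the consumer, e.g. `# <workload — TODO name it> needs device access as a non-root user` and `# <image mirror/tool — TODO name it> serves layers from the node content store`. The `files:` list continues with the pre-existing nfsmount entry.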
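Review bot: The installer image `factory.talos.dev/metal-installer/<schematic>:v1.11.0` and `ghcr.io/siderolabs/kubelet:v1.34.0` are now literal versions inside the template, replacing the single `ENV.TALOS_VERSION` / `ENV.KUBERNETES_VERSION` source, and the `@@ -129,43 +122,35 @@` hunk of this file does the same for kube-apiserver, kube-controller-manager, kube-proxy and kube-scheduler, so the Kubernetes version is now written in five places that can drift. The removed `extraManifests` entries carried `# renovate:` annotations, so this repo relies on Renovate for bumps; if that is still the intent, either hold one version in a template variable (`{% set kubernetes_version = 'v1.34.0' %}` at the top, then `kubelet:{{ kubernetes_version }}`) or put a datasource annotation such as `# renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet` above each pinned image so they move together. `nconnect=8` also lost the rationale its neighbours have; a trailing `# <reason>` comment would help.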
@@ -90,8 +88,9 @@ machine:
 net.ipv4.tcp_rmem: 4096 87380 33554432 # 10Gb/s
 net.ipv4.tcp_wmem: 4096 65536 33554432 # 10Gb/s
 net.ipv4.tcp_window_scaling: 1 # 10Gb/s
+ sunrpc.tcp_slot_table_entries: 128 # 10Gb/s | NFS
+ sunrpc.tcp_max_slot_table_entries: 128 # 10Gb/s | NFS
 user.max_user_namespaces: 11255 # User Namespaces
- vm.nr_hugepages: 1024 # PostgreSQL
 sysfs:
 devices.system.cpu.intel_pstate.hwp_dynamic_boost: 1
 {% for i in range(0, 4) %}
@@ -100,14 +99,10 @@ machine:
 time:
 disabled: false
 servers: ["time.cloudflare.com"]
- udev:
- rules:
- - # Intel GPU
- SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"
 cluster:
 ca:
 crt: op://K8s/talos/CLUSTER_CA_CRT
- {% if ENV.MACHINE_TYPE == 'controlplane' %}
+ {% if machinetype == 'controlplane' %}
 key: op://K8s/talos/CLUSTER_CA_KEY
 {% endif %}
 clusterName: k8s
@@ -116,10 +111,8 @@ cluster:
 discovery:
 enabled: true
 registries:
- kubernetes:
- disabled: true
- service:
- disabled: false
+ kubernetes: { disabled: true }
+ service: { disabled: false }
 id: op://K8s/talos/CLUSTER_ID
 network:
 cni:
@@ -129,43 +122,35 @@ cluster:
 serviceSubnets: ["10.245.0.0/16"]
 secret: op://K8s/talos/CLUSTER_SECRET
 token: op://K8s/talos/CLUSTER_TOKEN
- {% if ENV.MACHINE_TYPE == 'controlplane' %}
+ {% if machinetype == 'controlplane' %}
 aggregatorCA:
 crt: op://K8s/talos/CLUSTER_AGGREGATORCA_CRT
 key: op://K8s/talos/CLUSTER_AGGREGATORCA_KEY
 allowSchedulingOnControlPlanes: true
 apiServer:
- image: registry.k8s.io/kube-apiserver:{{ ENV.KUBERNETES_VERSION }}
+ image: registry.k8s.io/kube-apiserver:v1.34.0
 extraArgs:
 enable-aggregator-routing: true
+ feature-gates: ImageVolume=true
 certSANs: ["k8s.internal"]
 disablePodSecurityPolicy: true
 controllerManager:
- image: registry.k8s.io/kube-controller-manager:{{ ENV.KUBERNETES_VERSION }}
- extraArgs:
- bind-address: 0.0.0.0
- coreDNS:
- disabled: true
+ image: registry.k8s.io/kube-controller-manager:v1.34.0
+ extraArgs: { bind-address: 0.0.0.0 }
+ coreDNS: { disabled: true }
 etcd:
 advertisedSubnets: ["10.0.5.0/24"]
 ca:
 crt: op://K8s/talos/CLUSTER_ETCD_CA_CRT
 key: op://K8s/talos/CLUSTER_ETCD_CA_KEY
- extraArgs:
- listen-metrics-urls: http://0.0.0.0:2381
- extraManifests:
- - # renovate: datasource=github-releases depName=kubernetes-sigs/gateway-api
- https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/experimental-install.yaml
- - # renovate: datasource=github-releases depName=prometheus-operator/prometheus-operator
- https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.85.0/stripped-down-crds.yaml
+ extraArgs: { listen-metrics-urls: http://0.0.0.0:2381 }
 proxy:
 disabled: true
- image: registry.k8s.io/kube-proxy:{{ ENV.KUBERNETES_VERSION }}
+ image: registry.k8s.io/kube-proxy:v1.34.0
 secretboxEncryptionSecret: op://K8s/talos/CLUSTER_SECRETBOXENCRYPTIONSECRET
 scheduler:
- image: registry.k8s.io/kube-scheduler:{{ ENV.KUBERNETES_VERSION }}
- extraArgs:
- bind-address: 0.0.0.0
+ image: registry.k8s.io/kube-scheduler:v1.34.0
+ extraArgs: { bind-address: 0.0.0.0 }
 config:
 apiVersion: kubescheduler.config.k8s.io/v1
 kind: KubeSchedulerConfiguration
@@ -173,8 +158,7 @@ cluster:
 - schedulerName: default-scheduler
 plugins:
 score:
- disabled:
- - name: ImageLocality
+ disabled: [{ name: ImageLocality }]
 pluginConfig:
 - name: PodTopologySpread
 args:
@@ -186,3 +170,16 @@ cluster:
 serviceAccount:
 key: op://K8s/talos/CLUSTER_SERVICEACCOUNT_KEY
 {% endif %}
+---
+apiVersion: v1alpha1
+kind: UserVolumeConfig
+name: local-hostpath
+provisioning:
+ diskSelector:
+ match: disk.model == "CT4000MX500SSD1"
+ minSize: 4TB
+---
+apiVersion: v1alpha1
+kind: WatchdogTimerConfig
+device: /dev/watchdog0
+timeout: 5m
diff --git a/talos/schematic.yaml b/talos/schematic.yaml.j2
similarity index 100%
rename from talos/schematic.yaml
rename to talos/schematic.yaml.j2
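Review bot: The removed `extraManifests` entries were the only place in this diff that installed the Gateway API (`v1.3.0` experimental) and Prometheus Operator (`v0.85.0`) CRDs at bootstrap, and nothing added in this commit replaces them; unless they now arrive through Flux or a Helm chart elsewhere in the tree, HTTPRoute/ServiceMonitor-style resources applied to a freshly bootstrapped cluster are rejected until the CRDs land. If the move is deliberate, a comment near `extraArgs: { listen-metrics-urls: ... }` pointing at the new owner, e.g. `# gateway-api and prometheus-operator CRDs are now installed by <Flux Kustomization — TODO name it>`, saves the next reader the search. `feature-gates: ImageVolume=true` on the apiServer is consistent with the kubelet `featureGates.ImageVolume` set in the earlier hunk. The `{% if machinetype == 'controlplane' %}` block opened here closes at the `{% endif %}` in the file's last hunk.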
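Review bot: The two appended documents sit after `{% endif %}`, so `UserVolumeConfig local-hostpath` and `WatchdogTimerConfig` are rendered for every machine type, whereas the disk this replaces was previously declared only in `talos/controlplane/10.0.5.2.yaml` (by-id `ata-CT4000MX500SSD1_2336E873A309`). The selector `disk.model == "CT4000MX500SSD1"` with `minSize: 4TB` is model-wide, so it should be confirmed that every node carries such a disk, or what Talos does on a node where nothing matches, and stated above the document, e.g. `# Rendered for all nodes; the selector must match exactly one non-system disk per node`. Matching by model rather than serial may also make a second drive of the same model eligible if one is added later, which belongs in that comment too.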