refactor!: project updates (#1326)

* refactor!: flux is required again Signed-off-by: Devin Buhl <devin@buhl.casa> * fix: delimiter that chomps Signed-off-by: Devin Buhl <devin@buhl.casa> * fix: bootstrap_cloudflare logic Signed-off-by: Devin Buhl <devin@buhl.casa> * fix: update tests Signed-off-by: Devin Buhl <devin@buhl.casa> * fix: remove last quote Signed-off-by: Devin Buhl <devin@buhl.casa> * chore: update readme Signed-off-by: Devin Buhl <devin@buhl.casa> --------- Signed-off-by: Devin Buhl <devin@buhl.casa>
onedr0p · Feb 16, 2024 · c17d543 · c17d543
1 parent 04ff4ef
commit c17d543
Show file tree

Hide file tree

Showing 93 changed files with 588 additions and 752 deletions.
diff --git a/.devcontainer/ci/features/install.sh b/.devcontainer/ci/features/install.sh
@@ -24,6 +24,7 @@ for app in \
     "direnv/direnv!!?as=direnv&type=script" \
     "fluxcd/flux2!!?as=flux&type=script" \
     "go-task/task!!?as=task&type=script" \
+    "helmfile/helmfile!!?as=helmfile&type=script" \
     "kubecolor/kubecolor!!?as=kubecolor&type=script" \
     "kubernetes-sigs/krew!!?as=krew&type=script" \
     "kubernetes-sigs/kustomize!!?as=kustomize&type=script" \
@@ -40,7 +41,7 @@ done
 mkdir -p /home/vscode/.config/fish/{completions,conf.d}
 
 # Setup autocompletions for fish
-for tool in cilium flux helm k9s kubectl kustomize talhelper talosctl; do
+for tool in cilium flux helm helmfile k9s kubectl kustomize talhelper talosctl; do
     $tool completion fish > /home/vscode/.config/fish/completions/$tool.fish
 done
 gh completion --shell fish > /home/vscode/.config/fish/completions/gh.fish

diff --git a/.gitattributes b/.gitattributes
@@ -1,4 +1,3 @@
 * text=auto eol=lf
 *.yaml.j2 linguist-language=YAML
 *.sops.* diff=sopsdiffer
-*.sops.toml linguist-language=JSON
diff --git a/.github/tests/config-k3s-ipv4.yaml b/.github/tests/config-k3s-ipv4.yaml
@@ -1,46 +1,32 @@
 ---
 skip_tests: true
 
-distribution:
-  type: k3s
-
-timezone: Etc/UTC
-
-nodes:
-  host_network: 10.10.10.0/24
-  dns_servers: ["1.1.1.1"]
-  search_domain: "fake"
-  inventory:
-    - name: k8s-controller-0
-      address: 10.10.10.100
-      controller: true
-      ssh_username: fake
-    - name: k8s-worker-0
-      address: 10.10.10.101
-      controller: false
-      ssh_username: fake
-
-
-cluster:
-  pod_network: 10.69.0.0/16
-  service_network: 10.96.0.0/16
-  endpoint_vip: 10.10.10.254
-  tls_sans: ["fake"]
-
-flux:
-  enabled: true
-  github:
-    username: onedr0p
-    address: https://github.com/onedr0p/cluster-template
-    branch: main
-    webhook:
-      enabled: true
-      token: fake
-    private:
-      enabled: false
-  sops_age_public_key: $BOOTSTRAP_AGE_PUBLIC_KEY
-
-cloudflare:
+bootstrap_timezone: Etc/UTC
+bootstrap_distribution: k3s
+bootstrap_node_network: 10.10.10.0/24
+bootstrap_node_default_gateway: 10.10.10.1
+bootstrap_node_inventory:
+  - name: k8s-controller-0
+    address: 10.10.10.100
+    controller: true
+    ssh_user: fake
+  - name: k8s-worker-0
+    address: 10.10.10.101
+    controller: false
+    ssh_user: fake
+bootstrap_dns_servers: ["1.1.1.1"]
+bootstrap_search_domain: "fake"
+bootstrap_pod_network: 10.69.0.0/16
+bootstrap_service_network: 10.96.0.0/16
+bootstrap_controllers_vip: 10.10.10.254
+bootstrap_tls_sans: ["fake"]
+bootstrap_sops_age_pubkey: $BOOTSTRAP_AGE_PUBLIC_KEY
+bootstrap_bgp:
+  enabled: false
+bootstrap_github_address: https://github.com/onedr0p/cluster-template
+bootstrap_github_branch: main
+bootstrap_github_webhook_token: fake
+bootstrap_cloudflare:
   enabled: true
   domain: fake
   token: take

diff --git a/.github/tests/config-k3s-ipv6.yaml b/.github/tests/config-k3s-ipv6.yaml
@@ -1,45 +1,32 @@
 ---
 skip_tests: true
 
-distribution:
-  type: k3s
-
-timezone: Etc/UTC
-
-nodes:
-  host_network: 10.10.10.0/24
-  dns_servers: ["1.1.1.1"]
-  search_domain: "fake"
-  inventory:
-    - name: k8s-controller-0
-      address: 10.10.10.100
-      controller: true
-      ssh_username: fake
-    - name: k8s-worker-0
-      address: 10.10.10.101
-      controller: false
-      ssh_username: fake
-
-cluster:
-  pod_network: 10.42.0.0/16,fd7f:8f5:e87c:a::/64
-  service_network: 10.43.0.0/16,fd7f:8f5:e87c:e::/112
-  endpoint_vip: 10.10.10.254
-  tls_sans: ["fake"]
-
-flux:
-  enabled: true
-  github:
-    username: onedr0p
-    address: https://github.com/onedr0p/cluster-template
-    branch: main
-    webhook:
-      enabled: true
-      token: fake
-    private:
-      enabled: false
-  sops_age_public_key: $BOOTSTRAP_AGE_PUBLIC_KEY
-
-cloudflare:
+bootstrap_timezone: Etc/UTC
+bootstrap_distribution: k3s
+bootstrap_node_network: 10.10.10.0/24
+bootstrap_node_default_gateway: 10.10.10.1
+bootstrap_node_inventory:
+  - name: k8s-controller-0
+    address: 10.10.10.100
+    controller: true
+    ssh_user: fake
+  - name: k8s-worker-0
+    address: 10.10.10.101
+    controller: false
+    ssh_user: fake
+bootstrap_dns_servers: ["1.1.1.1"]
+bootstrap_search_domain: "fake"
+bootstrap_pod_network: 10.42.0.0/16,fd7f:8f5:e87c:a::/64
+bootstrap_service_network: 10.43.0.0/16,fd7f:8f5:e87c:e::/112
+bootstrap_controllers_vip: 10.10.10.254
+bootstrap_tls_sans: ["fake"]
+bootstrap_sops_age_pubkey: $BOOTSTRAP_AGE_PUBLIC_KEY
+bootstrap_bgp:
+  enabled: false
+bootstrap_github_address: https://github.com/onedr0p/cluster-template
+bootstrap_github_branch: main
+bootstrap_github_webhook_token: fake
+bootstrap_cloudflare:
   enabled: true
   domain: fake
   token: take
@@ -53,6 +40,3 @@ cloudflare:
     ingress_vip: 10.10.10.252
   ingress_vip: 10.10.10.251
   gateway_vip: 10.10.10.253
-
-feature_gates:
-  dual_stack_ipv4_first: true
diff --git a/.github/tests/config-talos.yaml b/.github/tests/config-talos.yaml
@@ -1,47 +1,34 @@
 ---
 skip_tests: true
 
-distribution:
-  type: talos
-  talos:
-    schematicID: "df491c50a5acc05b977ef00c32050e1ceb0df746e40b33c643ac8a9bfb7c7263"
-
-timezone: Etc/UTC
-
-nodes:
-  host_network: 10.10.10.0/24
-  dns_servers: ["1.1.1.1"]
-  search_domain: "fake"
-  inventory:
-    - name: k8s-controller-0
-      address: 10.10.10.100
-      controller: true
-      talos_disk_device: fake
-    - name: k8s-worker-0
-      address: 10.10.10.101
-      controller: false
-      talos_disk_device: fake
-
-cluster:
-  pod_network: 10.69.0.0/16
-  service_network: 10.96.0.0/16
-  endpoint_vip: 10.10.10.254
-  tls_sans: ["fake"]
-
-flux:
-  enabled: true
-  github:
-    username: onedr0p
-    address: https://github.com/onedr0p/cluster-template
-    branch: main
-    webhook:
-      enabled: true
-      token: fake
-    private:
-      enabled: false
-  sops_age_public_key: $BOOTSTRAP_AGE_PUBLIC_KEY
-
-cloudflare:
+bootstrap_timezone: Etc/UTC
+bootstrap_distribution: talos
+boostrap_talos:
+  schematic_id: "df491c50a5acc05b977ef00c32050e1ceb0df746e40b33c643ac8a9bfb7c7263"
+bootstrap_node_network: 10.10.10.0/24
+bootstrap_node_default_gateway: 10.10.10.1
+bootstrap_node_inventory:
+  - name: k8s-controller-0
+    address: 10.10.10.100
+    controller: true
+    talos_disk: fake
+  - name: k8s-worker-0
+    address: 10.10.10.101
+    controller: false
+    talos_disk: fake
+bootstrap_dns_servers: ["1.1.1.1"]
+bootstrap_search_domain: "fake"
+bootstrap_pod_network: 10.69.0.0/16
+bootstrap_service_network: 10.96.0.0/16
+bootstrap_controllers_vip: 10.10.10.254
+bootstrap_tls_sans: ["fake"]
+bootstrap_sops_age_pubkey: $BOOTSTRAP_AGE_PUBLIC_KEY
+bootstrap_bgp:
+  enabled: false
+bootstrap_github_address: https://github.com/onedr0p/cluster-template
+bootstrap_github_branch: main
+bootstrap_github_webhook_token: fake
+bootstrap_cloudflare:
   enabled: true
   domain: fake
   token: take

diff --git a/.taskfiles/Flux/Taskfile.yaml b/.taskfiles/Flux/Taskfile.yaml
@@ -7,7 +7,7 @@ vars:
   PROMETHEUS_OPERATOR_VERSION: v0.71.2
   CLUSTER_SECRET_SOPS_FILE: "{{.KUBERNETES_DIR}}/flux/vars/cluster-secrets.sops.yaml"
   CLUSTER_SETTINGS_FILE: "{{.KUBERNETES_DIR}}/flux/vars/cluster-settings.yaml"
-  GITHUB_DEPLOY_KEY_FILE: "{{.KUBERNETES_DIR}}/bootstrap/github-deploy-key.sops.yaml"
+  GITHUB_DEPLOY_KEY_FILE: "{{.KUBERNETES_DIR}}/bootstrap/flux/github-deploy-key.sops.yaml"
 
 tasks:
 
@@ -18,7 +18,7 @@ tasks:
       - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/{{.PROMETHEUS_OPERATOR_VERSION}}/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml
       - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/{{.PROMETHEUS_OPERATOR_VERSION}}/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml
       - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/{{.PROMETHEUS_OPERATOR_VERSION}}/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml
-      - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --kustomize {{.KUBERNETES_DIR}}/bootstrap
+      - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --kustomize {{.KUBERNETES_DIR}}/bootstrap/flux
       - cat {{.AGE_FILE}} | kubectl -n flux-system create secret generic sops-age --from-file=age.agekey=/dev/stdin
       - sops --decrypt {{.CLUSTER_SECRET_SOPS_FILE}} | kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename -
       - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename {{.CLUSTER_SETTINGS_FILE}}

diff --git a/.taskfiles/Kubernetes/Taskfile.yaml b/.taskfiles/Kubernetes/Taskfile.yaml
@@ -26,10 +26,7 @@ tasks:
 
   kubeconform:
     desc: Validate Kubernetes manifests with kubeconform
-    cmd: |
-      if [ -d "{{.KUBERNETES_DIR}}/flux" ]; then
-          bash {{.KUBECONFORM_SCRIPT}} {{.KUBERNETES_DIR}}
-      fi
+    cmd: bash {{.KUBECONFORM_SCRIPT}} {{.KUBERNETES_DIR}}
     preconditions:
       - { msg: "Missing kubeconform script", sh: "test -f {{.KUBECONFORM_SCRIPT}}" }
 

diff --git a/.taskfiles/Talos/Taskfile.yaml b/.taskfiles/Talos/Taskfile.yaml
@@ -3,7 +3,7 @@
 version: "3"
 
 vars:
-  TALOS_DIR: "{{.KUBERNETES_DIR}}/talos"
+  TALOS_DIR: "{{.KUBERNETES_DIR}}/bootstrap/talos"
   TALHELPER_SECRET_FILE: "{{.TALOS_DIR}}/talhelper.sops.yaml"
   TALHELPER_CONFIG_FILE: "{{.TALOS_DIR}}/talconfig.yaml"
 
@@ -21,7 +21,7 @@ tasks:
       - task: bootstrap-apply
       - task: bootstrap-install
       - task: fetch-kubeconfig
-      - task: bootstrap-core-apps
+      - task: bootstrap-apps
       - talosctl health --server=false
 
   bootstrap-gensecret:
@@ -61,14 +61,13 @@ tasks:
     preconditions:
       - { msg: "Missing talhelper config file", sh: "test -f {{.TALHELPER_CONFIG_FILE}}" }
 
-  bootstrap-core-apps:
-    desc: Bootstrap Helm apps
+  bootstrap-apps:
+    desc: Bootstrap core apps needed for Talos
     dir: "{{.TALOS_DIR}}"
     cmds:
-      - until kubectl wait --for=condition=Ready=False nodes --all --timeout=600s; do sleep 10; done
-      - kubectl --kubeconfig {{.KUBECONFIG_FILE}} kustomize --enable-helm ./cilium | kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename -
-      - kubectl --kubeconfig {{.KUBECONFIG_FILE}} kustomize --enable-helm ./kubelet-csr-approver | kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename -
-      - until kubectl wait --for=condition=Ready nodes --all --timeout=600s; do sleep 10; done
+      - until kubectl --kubeconfig {{.KUBECONFIG_FILE}} wait --for=condition=Ready=False nodes --all --timeout=600s; do sleep 10; done
+      - helmfile --file ./apps/helmfile.yaml apply
+      - until kubectl --kubeconfig {{.KUBECONFIG_FILE}} wait --for=condition=Ready nodes --all --timeout=600s; do sleep 10; done
     preconditions:
       - { msg: "Missing kubeconfig", sh: "test -f {{.KUBECONFIG_FILE}}" }
 
@@ -95,13 +94,13 @@ tasks:
 
   soft-nuke:
     desc: Resets nodes back to maintenance mode so you can re-deploy again straight after
-    prompt: "This will destroy your cluster and reset the nodes back to maintenance mode. Are you sure?"
+    prompt: This will destroy your cluster and reset the nodes back to maintenance mode... continue?
     dir: "{{.TALOS_DIR}}"
     cmd: talhelper gencommand reset --extra-flags "--reboot --system-labels-to-wipe STATE --system-labels-to-wipe EPHEMERAL --graceful=false --wait=false" | bash
 
   hard-nuke:
     desc: Resets nodes back completely and reboots them
-    prompt: "This will destroy your cluster and reset the nodes. Are you sure?"
+    prompt: This will destroy your cluster and reset the nodes... continue?
     dir: "{{.TALOS_DIR}}"
     cmd: talhelper gencommand reset --extra-flags "--reboot --graceful=false --wait=false" | bash
 

diff --git a/.taskfiles/Workstation/Archfile b/.taskfiles/Workstation/Archfile
@@ -5,6 +5,7 @@ flux-bin
 go-task
 go-yq
 helm
+helmfile
 jq
 kubeconform
 kubectl-bin

diff --git a/.taskfiles/Workstation/Brewfile b/.taskfiles/Workstation/Brewfile
@@ -7,6 +7,7 @@ brew "direnv"
 brew "fluxcd/tap/flux"
 brew "go-task/tap/go-task"
 brew "helm"
+brew "helmfile"
 brew "jq"
 brew "kubeconform"
 brew "kubernetes-cli"

diff --git a/.taskfiles/Workstation/Taskfile.yaml b/.taskfiles/Workstation/Taskfile.yaml
@@ -56,6 +56,7 @@ tasks:
           - FiloSottile/age?as=age&type=script
           - fluxcd/flux2?as=flux&type=script
           - getsops/sops?as=sops&type=script
+          - helmfile/helmfile?as=helmfile&type=script
           - jqlang/jq?as=jq&type=script
           - kubernetes-sigs/kustomize?as=kustomize&type=script
           - siderolabs/talos?as=talosctl&type=script

diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2023 onedr0p
+Copyright (c) 2024 onedr0p
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal