chore: Update HelmRelease schema version to v2 in volsync-system

osnabrugge · Jun 2, 2024 · c0883fa · c0883fa
1 parent 9cd3616
commit c0883fa
Show file tree

Hide file tree

Showing 126 changed files with 717 additions and 520 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -1,4 +1,3 @@
 * text=auto eol=lf
 *.sops.* diff=sopsdiffer
-*.sops.toml linguist-language=JSON
 *.yaml.j2 linguist-language=YAML
diff --git a/.github/labeler.yaml b/.github/labeler.yaml
@@ -26,4 +26,6 @@ area/terraform:
 cluster/main:
   - changed-files:
       - any-glob-to-any-file: "kubernetes/main/**/*"
-
+cluster/storage:
+  - changed-files:
+      - any-glob-to-any-file: "kubernetes/storage/**/*"
diff --git a/.github/labels.yaml b/.github/labels.yaml
@@ -15,6 +15,8 @@
 # Clusters
 - name: cluster/main
   color: "ffc300"
+- name: cluster/storage
+  color: "ffc300"
 # Renovate Types
 - name: renovate/ansible
   color: "027fa0"

diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -23,6 +23,8 @@
   ],
   "dependencyDashboardTitle": "Renovate Dashboard 🤖",
   "suppressNotifications": ["prEditedNotification", "prIgnoreNotification"],
+  "onboarding": false,
+  "requireConfig": "ignored",
   "ignorePaths": ["**/*.sops.*", "**/.archive/**", "**/resources/**"],
   "flux": {
     "fileMatch": [

diff --git a/.github/renovate/clusters.json5 b/.github/renovate/clusters.json5
@@ -9,6 +9,15 @@
         "**/terraform/main/**"
       ],
       "additionalBranchPrefix": "main-"
+    },
+    {
+      "description": ["Separate PRs for storage cluster"],
+      "matchFileNames": [
+        "**/kubernetes/storage/**",
+        "**/ansible/storage/**",
+        "**/terraform/storage/**"
+      ],
+      "additionalBranchPrefix": "storage-"
     }
   ]
 }
diff --git a/.github/renovate/groups.json5 b/.github/renovate/groups.json5
@@ -4,10 +4,7 @@
     {
       "description": ["Actions Runner Controller Group"],
       "groupName": "Actions Runner Controller",
-      "matchPackagePatterns": [
-        "gha-runner-scale-set-controller",
-        "gha-runner-scale-set"
-      ],
+      "matchPackagePatterns": ["gha-runner-scale-set"],
       "matchDatasources": ["docker", "helm"],
       "group": {
         "commitMessageTopic": "{{{groupName}}} group"
@@ -35,6 +32,16 @@
       },
       "separateMinorPatch": true
     },
+    {
+      description: ["Intel Device Plugins Group"],
+      groupName: "Intel-Device-Plugins",
+      matchPackagePatterns: ["intel-device-plugins"],
+      matchDatasources: ["helm"],
+      group: {
+        commitMessageTopic: "{{{groupName}}} group",
+      },
+      separateMinorPatch: true,
+    },
     {
       "description": ["Rook-Ceph Group"],
       "groupName": "Rook-Ceph",

diff --git a/.github/renovate/packageRules.json5 b/.github/renovate/packageRules.json5
@@ -5,7 +5,7 @@
       "description": ["Loose versioning for non-semver packages"],
       "matchDatasources": ["docker"],
       "versioning": "loose",
-      "matchPackagePatterns": ["changedetection", "plex", "qbittorrent"]
+      "matchPackagePatterns": ["plex", "qbittorrent"]
     },
     {
       "description": ["Custom versioning for frigate"],
@@ -25,5 +25,11 @@
       "versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)-(?<compatibility>)$",
       "matchPackagePatterns": ["miniflux"]
     },
+    {
+      "description": ["Custom versioning for minio"],
+      "matchDatasources": ["docker"],
+      "versioning": "regex:^RELEASE\\.(?<major>\\d+)-(?<minor>\\d+)-(?<patch>\\d+)T.*Z$",
+      "matchPackagePatterns": ["minio"]
+    }
   ]
 }
diff --git a/.github/workflows/flux-image-test.yaml b/.github/workflows/flux-image-test.yaml
@@ -137,7 +137,7 @@ jobs:
       max-parallel: 4
       fail-fast: false
     steps:
-      - name: Test Images
+      - name: Pull image
         run: docker pull ${{ matrix.images }}
 
   # Summarize matrix https://github.community/t/status-check-for-a-matrix-jobs/127354/7

diff --git a/.github/workflows/label-sync.yaml b/.github/workflows/label-sync.yaml
@@ -10,26 +10,21 @@ on:
   schedule:
     - cron: "0 0 * * *" # Every day at midnight
 
+permissions:
+  issues: write
+
 jobs:
   label-sync:
     name: Label Sync
     runs-on: ubuntu-latest
     steps:
-      - name: Generate Token
-        uses: actions/create-github-app-token@v1
-        id: app-token
-        with:
-          app-id: "${{ secrets.BOT_APP_ID }}"
-          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
-
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          token: "${{ steps.app-token.outputs.token }}"
+          sparse-checkout: .github/labels.yaml
 
       - name: Sync Labels
         uses: EndBug/label-sync@v2
         with:
-          token: "${{ steps.app-token.outputs.token }}"
           config-file: .github/labels.yaml
           delete-other-labels: true
diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml
@@ -15,15 +15,7 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - name: Generate Token
-        uses: actions/create-github-app-token@v1
-        id: app-token
-        with:
-          app-id: "${{ secrets.BOT_APP_ID }}"
-          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
-
       - name: Labeler
         uses: actions/labeler@v5
         with:
-          repo-token: "${{ steps.app-token.outputs.token }}"
           configuration-path: .github/labeler.yaml
diff --git a/.taskfiles/Talos/Taskfile.yaml b/.taskfiles/Talos/Taskfile.yaml
@@ -3,15 +3,12 @@
 version: "3"
 
 vars:
-  VYOS_ADDR: vyos.turbo.ac
-  VYOS_USER: devin
-  VYOS_MATCHBOX_DIR: /config/containers/matchbox/data
-  VYOS_MATCHBOX_GROUPS_DIR: "{{.VYOS_MATCHBOX_DIR}}/groups"
-  VYOS_MATCHBOX_PROFILES_DIR: "{{.VYOS_MATCHBOX_DIR}}/profiles"
-  VYOS_MATCHBOX_ASSETS_DIR: "{{.VYOS_MATCHBOX_DIR}}/assets"
-  VYOS_MATCHBOX_ADDR: matchbox.turbo.ac
+  # Ref: https://github.com/osnabrugge/home-service
+  HOME_SERVICE_ADDR: svc01.in.homeops.ca
+  HOME_SERVICE_USER: devin
+  HOME_SERVICE_MATCHBOX_DIR: /var/opt/home-service/apps/matchbox/data/config
   # renovate: datasource=docker depName=ghcr.io/siderolabs/installer
-  TALOS_VERSION: v1.7.4
+  TALOS_VERSION: v1.7.2
   TALOS_SCHEMATIC_ID: d715f723f882b1e1e8063f1b89f237dcc0e3bd000f9f970243af59c8baae0100
   # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
   KUBERNETES_VERSION: v1.30.1
@@ -52,14 +49,14 @@ tasks:
     desc: Bootstrap core apps needed for Talos
     cmds:
       - until kubectl --context {{.cluster}} wait --for=condition=Ready=False nodes --all --timeout=10m; do sleep 10; done
-      - helmfile --quiet --kube-context {{.cluster}} --file {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/apps/helmfile.yaml apply --skip-diff-on-install --suppress-diff
+      - helmfile --quiet --kube-context {{.cluster}} --file {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/helmfile.yaml apply --skip-diff-on-install --suppress-diff
       - until kubectl --context {{.cluster}} wait --for=condition=Ready nodes --all --timeout=10m; do sleep 10; done
     requires:
       vars: ["cluster"]
     preconditions:
       - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig
       - talosctl --context {{.cluster}} config info >/dev/null 2>&1
-      - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/apps/helmfile.yaml
+      - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/helmfile.yaml
 
   fetch-kubeconfig:
     desc: Fetch kubeconfig from Talos controllers
@@ -77,23 +74,23 @@ tasks:
 
   apply-config:
     desc: Apply Talos configuration to a node
-    cmd: |
-      sops -d {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/matchbox/assets/{{.role | replace "controlplane" "controller"}}.secret.sops.yaml | \
-          envsubst | \
-              talosctl --context {{.cluster}} apply-config --mode=reboot --nodes {{.node}} --file /dev/stdin
     env:
       TALOS_VERSION: "{{.TALOS_VERSION}}"
       TALOS_SCHEMATIC_ID: "{{.TALOS_SCHEMATIC_ID}}"
       KUBERNETES_VERSION: "{{.KUBERNETES_VERSION}}"
+    cmd: |
+      sops -d {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/assets/{{.hostname}}.secret.sops.yaml | \
+          envsubst | \
+              talosctl --context {{.cluster}} apply-config --mode={{.mode}} --nodes {{.node}} --file /dev/stdin
     vars:
-      role:
-        sh: talosctl --context {{.cluster}} --nodes {{.node}} get machineconfig -o jsonpath='{.spec.machine.type}'
+      mode: '{{.mode | default "no-reboot"}}'
+      hostname:
+        sh: talosctl --context {{.cluster}} --nodes {{.node}} get machineconfig -o jsonpath='{.spec.machine.network.hostname}'
     requires:
       vars: ["cluster", "node"]
     preconditions:
       - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig
-      - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/matchbox/assets/controller.secret.sops.yaml
-      - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/matchbox/assets/worker.secret.sops.yaml
+      - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/assets/{{.hostname}}.secret.sops.yaml
       - talosctl --context {{.cluster}} --nodes {{.node}} get machineconfig >/dev/null 2>&1
 
   upgrade:
@@ -173,25 +170,18 @@ tasks:
       - talosctl --context {{.cluster}} --nodes {{.nodes}} get machineconfig >/dev/null 2>&1
 
   bootstrap-matchbox:
-    desc: Bootstrap required Matchbox configuration to Vyos for PXE Boot
-    dir: "{{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/matchbox"
+    desc: Bootstrap required Matchbox configuration to PXE Boot machine
+    dir: "{{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos"
     cmds:
-      - ssh -l {{.VYOS_USER}} {{.VYOS_ADDR}} "sudo mkdir -p {{.VYOS_MATCHBOX_DIR}}/{groups,profiles,assets}"
-      - ssh -l {{.VYOS_USER}} {{.VYOS_ADDR}} "sudo chown -R {{.VYOS_USER}}:users {{.VYOS_MATCHBOX_DIR}}/{groups,profiles,assets}"
       - for: ["kernel-amd64", "initramfs-amd64.xz"]
         cmd: |
           curl -skL https://factory.talos.dev/image/{{.TALOS_SCHEMATIC_ID}}/{{.TALOS_VERSION}}/{{.ITEM}} | \
-              curl -skT - -u "{{.VYOS_USER}}:" \
-                  sftp://{{.VYOS_ADDR}}/{{.VYOS_MATCHBOX_ASSETS_DIR}}/{{.ITEM}}
-      - for: ["controller.secret.sops.yaml", "worker.secret.sops.yaml"]
-        cmd: |
-          sops -d assets/{{.ITEM}} | \
-              envsubst | curl -skT - -u "{{.VYOS_USER}}:" \
-                  sftp://{{.VYOS_ADDR}}/{{.VYOS_MATCHBOX_ASSETS_DIR}}/{{.ITEM | replace ".secret.sops.yaml" ".yaml"}}
-      - find ./groups -type f | xargs -I{} curl -skT {} -u "{{.VYOS_USER}}:" sftp://{{.VYOS_ADDR}}/{{.VYOS_MATCHBOX_GROUPS_DIR}}/
-      - find ./profiles -type f | xargs -I{} curl -skT {} -u "{{.VYOS_USER}}:" sftp://{{.VYOS_ADDR}}/{{.VYOS_MATCHBOX_PROFILES_DIR}}/
-      - ssh -l {{.VYOS_USER}} {{.VYOS_ADDR}} -t /opt/vyatta/bin/vyatta-op-cmd-wrapper "restart container matchbox"
-      - curl --silent --output /dev/null --connect-timeout 10 --retry 10 --retry-delay 2 http://{{.VYOS_MATCHBOX_ADDR}}/assets/controller.yaml
+              curl -skT - -u "{{.HOME_SERVICE_USER}}:" \
+                  sftp://{{.HOME_SERVICE_ADDR}}/{{.HOME_SERVICE_MATCHBOX_DIR}}/assets/{{.ITEM}}
+      - find ./assets -type f | xargs -I{} sh -c "sops -d {} | envsubst | curl -skT - -u "{{.HOME_SERVICE_USER}}:" sftp://{{.HOME_SERVICE_ADDR}}/{{.HOME_SERVICE_MATCHBOX_DIR}}/assets/\$(basename {} | sed 's/\.secret\.sops//')"
+      - find ./groups -type f | xargs -I{} curl -skT {} -u "{{.HOME_SERVICE_USER}}:" sftp://{{.HOME_SERVICE_ADDR}}/{{.HOME_SERVICE_MATCHBOX_DIR}}/groups/
+      - find ./profiles -type f | xargs -I{} curl -skT {} -u "{{.HOME_SERVICE_USER}}:" sftp://{{.HOME_SERVICE_ADDR}}/{{.HOME_SERVICE_MATCHBOX_DIR}}/profiles/
+      - ssh -l {{.HOME_SERVICE_USER}} {{.HOME_SERVICE_ADDR}} "cd /var/opt/home-service ; go-task restart-matchbox"
     env:
       TALOS_VERSION: "{{.TALOS_VERSION}}"
       TALOS_SCHEMATIC_ID: "{{.TALOS_SCHEMATIC_ID}}"

diff --git a/.taskfiles/VolSync/Taskfile.yaml b/.taskfiles/VolSync/Taskfile.yaml
@@ -76,6 +76,7 @@ tasks:
       - envsubst < <(cat {{.VOLSYNC_TEMPLATES_DIR}}/unlock.tmpl.yaml) | kubectl --context {{.cluster}} apply -f -
       - bash {{.VOLSYNC_SCRIPTS_DIR}}/wait-for-job.sh {{.job}} {{.ns}} {{.cluster}}
       - kubectl --context {{.cluster}} -n {{.ns}} wait job/{{.job}} --for condition=complete --timeout=1m
+      - kubectl --context {{.cluster}} -n {{.ns}} logs job/{{.job}} --container minio
       - kubectl --context {{.cluster}} -n {{.ns}} logs job/{{.job}} --container r2
       - kubectl --context {{.cluster}} -n {{.ns}} delete job {{.job}}
     env: *env

diff --git a/.taskfiles/VolSync/templates/unlock.tmpl.yaml b/.taskfiles/VolSync/templates/unlock.tmpl.yaml
@@ -11,6 +11,13 @@ spec:
       automountServiceAccountToken: false
       restartPolicy: OnFailure
       containers:
+        - name: minio
+          image: docker.io/restic/restic:0.16.4
+          args: ["unlock", "--remove-all"]
+          envFrom:
+            - secretRef:
+                name: ${app}-volsync-secret
+          resources: {}
         - name: r2
           image: docker.io/restic/restic:0.16.4
           args: ["unlock", "--remove-all"]

diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -1,7 +1,7 @@
 {
     "ansible.ansible.path": ".venv/bin/ansible",
     "ansible.python.activationScript": ".venv/bin/activate",
-    "ansible.python.interpreterPath": "/home/sean/personal-repos/home-ops/.venv/bin/python",
+    "ansible.python.interpreterPath": ".venv/bin/python3",
     "ansible.validation.enabled": true,
     "ansible.validation.lint.arguments": "-c ansible/.ansible-lint",
     "ansible.validation.lint.enabled": true,

diff --git a/Taskfile.yaml b/Taskfile.yaml
@@ -11,14 +11,14 @@ env:
   SOPS_AGE_KEY_FILE: "{{.ROOT_DIR}}/age.key"
 
 includes:
-  ansible: .taskfiles/Ansible/Taskfile.yaml
-  bootstrap: .taskfiles/Bootstrap/Taskfile.yaml
-  external-secrets: .taskfiles/ExternalSecrets/Taskfile.yaml
-  flux: .taskfiles/Flux/Taskfile.yaml
-  kubernetes: .taskfiles/Kubernetes/Taskfile.yaml
-  rook: .taskfiles/Rook/Taskfile.yaml
-  # talos: .taskfiles/Talos/Taskfile.yaml
-  volsync: .taskfiles/VolSync/Taskfile.yaml
+  ansible: .taskfiles/Ansible
+  bootstrap: .taskfiles/Bootstrap
+  external-secrets: .taskfiles/ExternalSecrets
+  flux: .taskfiles/Flux
+  kubernetes: .taskfiles/Kubernetes
+  rook: .taskfiles/Rook
+#  talos: .taskfiles/Talos
+  volsync: .taskfiles/VolSync
 
 tasks:
 

diff --git a/ansible/storage/inventory/group_vars/controllers/main.yaml b/ansible/storage/inventory/group_vars/controllers/main.yaml
@@ -0,0 +1,19 @@
+---
+k3s_control_node: true
+k3s_server:
+  cluster-cidr: 10.132.0.0/16
+  disable: ["flannel", "local-storage", "metrics-server", "servicelb", "traefik"]
+  disable-cloud-controller: true
+  disable-kube-proxy: true
+  disable-network-policy: true
+  docker: false
+  etcd-disable-snapshots: true
+  etcd-expose-metrics: true
+  flannel-backend: "none" # quote
+  kube-controller-manager-arg: ["bind-address=0.0.0.0"]
+  kube-scheduler-arg: ["bind-address=0.0.0.0"]
+  node-ip: "{{ ansible_host }}"
+  secrets-encryption: true
+  service-cidr: 10.133.0.0/16
+  tls-san: ["{{ k3s_registration_address }}", "nas01.in.homeops.ca", "nas01"]
+  write-kubeconfig-mode: "0644" # quote
diff --git a/ansible/storage/inventory/group_vars/kubernetes/main.yaml b/ansible/storage/inventory/group_vars/kubernetes/main.yaml
@@ -0,0 +1,10 @@
+---
+k3s_become: true
+k3s_etcd_datastore: true
+k3s_install_hard_links: true
+k3s_registration_address: 192.168.10.45
+# renovate: datasource=github-releases depName=k3s-io/k3s
+k3s_release_version: v1.30.1+k3s1
+k3s_server_manifests_templates:
+  - custom-cilium-helmchart.yaml.j2
+k3s_use_unsupported_config: true
diff --git a/ansible/storage/inventory/hosts.yaml b/ansible/storage/inventory/hosts.yaml
@@ -0,0 +1,10 @@
+---
+kubernetes:
+  vars:
+    ansible_user: sean-admin
+    ansible_ssh_port: 22
+  children:
+    controllers:
+      hosts:
+        nas01:
+          ansible_host: 192.168.10.45