From a83eeb933aa00b0b14e7ffb0037e5e0ec6243046 Mon Sep 17 00:00:00 2001 From: Tyler Witlin Date: Thu, 10 Oct 2024 08:29:20 -0400 Subject: [PATCH] fix: remove default ns Signed-off-by: Tyler Witlin --- .../cobra/apps/system-upgrade/namespace.yaml | 2 +- .archive/tetragon-system/namespace.yaml | 2 +- .../Rook/templates/WipeDataJob.tmpl.yaml | 2 +- .../Rook/templates/WipeDiskJob.tmpl.yaml | 2 +- .../apps/auth/keycloak/cluster/keycloak.yaml | 4 + .../cert-manager/app/helmrelease.yaml | 22 ++- .../sol/apps/cert-manager/namespace.yaml | 2 +- .../default/kopia/app/externalsecret.yaml | 63 --------- .../apps/default/kopia/app/helmrelease.yaml | 133 ------------------ .../apps/default/kopia/app/kustomization.yaml | 7 - kubernetes/sol/apps/default/kopia/ks.yaml | 21 --- .../sol/apps/default/kustomization.yaml | 10 -- .../default/minio/app/externalsecret.yaml | 21 --- .../apps/default/minio/app/helmrelease.yaml | 121 ---------------- .../apps/default/minio/app/kustomization.yaml | 7 - kubernetes/sol/apps/default/minio/ks.yaml | 21 --- kubernetes/sol/apps/default/namespace.yaml | 9 -- talos/talconfig.yaml | 63 ++++----- 18 files changed, 51 insertions(+), 461 deletions(-) delete mode 100644 kubernetes/sol/apps/default/kopia/app/externalsecret.yaml delete mode 100644 kubernetes/sol/apps/default/kopia/app/helmrelease.yaml delete mode 100644 kubernetes/sol/apps/default/kopia/app/kustomization.yaml delete mode 100644 kubernetes/sol/apps/default/kopia/ks.yaml delete mode 100644 kubernetes/sol/apps/default/kustomization.yaml delete mode 100644 kubernetes/sol/apps/default/minio/app/externalsecret.yaml delete mode 100644 kubernetes/sol/apps/default/minio/app/helmrelease.yaml delete mode 100644 kubernetes/sol/apps/default/minio/app/kustomization.yaml delete mode 100644 kubernetes/sol/apps/default/minio/ks.yaml delete mode 100644 kubernetes/sol/apps/default/namespace.yaml 
diff --git a/.archive/cobra/apps/system-upgrade/namespace.yaml b/.archive/cobra/apps/system-upgrade/namespace.yaml index 7705040eb2..c937358706 100644 --- a/.archive/cobra/apps/system-upgrade/namespace.yaml +++ b/.archive/cobra/apps/system-upgrade/namespace.yaml @@ -6,4 +6,4 @@ metadata: labels: kustomize.toolkit.fluxcd.io/prune: disabled annotations: - istio-injection: enabled + diff --git a/.archive/tetragon-system/namespace.yaml b/.archive/tetragon-system/namespace.yaml index 244c7671e5..efe7d30c1e 100644 --- a/.archive/tetragon-system/namespace.yaml +++ b/.archive/tetragon-system/namespace.yaml @@ -6,4 +6,4 @@ metadata: labels: kustomize.toolkit.fluxcd.io/prune: disabled annotations: - istio-injection: enabled + diff --git a/.taskfiles/Rook/templates/WipeDataJob.tmpl.yaml b/.taskfiles/Rook/templates/WipeDataJob.tmpl.yaml index 2bdccc321a..be14bf60fb 100644 --- a/.taskfiles/Rook/templates/WipeDataJob.tmpl.yaml +++ b/.taskfiles/Rook/templates/WipeDataJob.tmpl.yaml @@ -13,7 +13,7 @@ spec: nodeName: ${node} containers: - name: main - image: docker.io/library/alpine:latest + image: docker.io/library/alpine:3.20.3 command: ["/bin/sh", "-c"] args: ["rm -rf /mnt/host_var/lib/rook"] volumeMounts: diff --git a/.taskfiles/Rook/templates/WipeDiskJob.tmpl.yaml b/.taskfiles/Rook/templates/WipeDiskJob.tmpl.yaml index badd67de01..e807676b2c 100644 --- a/.taskfiles/Rook/templates/WipeDiskJob.tmpl.yaml +++ b/.taskfiles/Rook/templates/WipeDiskJob.tmpl.yaml @@ -13,7 +13,7 @@ spec: nodeName: ${node} containers: - name: main - image: docker.io/library/alpine:latest + image: docker.io/library/alpine:3.20.3 command: ["/bin/sh", "-c"] args: - apk add --no-cache sgdisk util-linux util-linux-misc parted device-mapper; diff --git a/kubernetes/kyak/apps/auth/keycloak/cluster/keycloak.yaml b/kubernetes/kyak/apps/auth/keycloak/cluster/keycloak.yaml index a49d6694b2..36e5d5fd6a 100644 --- a/kubernetes/kyak/apps/auth/keycloak/cluster/keycloak.yaml 
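Review bot: Removing the `istio-injection` line leaves `annotations:` with no value in `.archive/cobra/apps/system-upgrade/namespace.yaml`, and the same shape is produced in `.archive/tetragon-system/namespace.yaml` and `kubernetes/sol/apps/cert-manager/namespace.yaml`. A bare key parses as null, which the API server tolerates but yamllint flags (`empty-values`), and it reads as an unfinished edit. Drop the `annotations:` key entirely, or write `annotations: {}` if the key is to be kept as a placeholder. The added `+` line also leaves an empty line at the end of the mapping, which the same cleanup would remove.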
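Review bot: The new `image: docker.io/library/alpine:3.20.3` in `.taskfiles/Rook/templates/WipeDataJob.tmpl.yaml` (and identically in `WipeDiskJob.tmpl.yaml`) pins a tag, which is better than `latest` but a tag is still mutable upstream. Elsewhere in this patch the repository pins images as `tag@sha256:…` (see the removed kopia and minio HelmReleases), so these jobs deserve the same treatment: `image: docker.io/library/alpine:3.20.3@sha256:<DIGEST>` with the digest resolved at pin time. Both jobs appear to run `rm -rf` and disk tooling against a mounted host directory, so image provenance matters more here than in an ordinary workload.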
+++ b/kubernetes/kyak/apps/auth/keycloak/cluster/keycloak.yaml @@ -1,3 +1,5 @@ +--- +# yaml-language-server: $schema= apiVersion: k8s.keycloak.org/v2alpha1 kind: Keycloak metadata: @@ -79,3 +81,5 @@ spec: annotations: external-dns.alpha.kubernetes.io/target: external.${SECRET_PUBLIC_DOMAIN} cert-manager.io/cluster-issuer: letsencrypt-production + +# https://github.com/wadahiro/keycloak-discord/releases/download/v0.5.0/keycloak-discord-0.5.0.jar diff --git a/kubernetes/sol/apps/cert-manager/cert-manager/app/helmrelease.yaml b/kubernetes/sol/apps/cert-manager/cert-manager/app/helmrelease.yaml index 9ff5c91150..c091998904 100644 --- a/kubernetes/sol/apps/cert-manager/cert-manager/app/helmrelease.yaml +++ b/kubernetes/sol/apps/cert-manager/cert-manager/app/helmrelease.yaml @@ -24,16 +24,24 @@ spec: uninstall: keepHistory: false values: - installCRDs: true - dns01RecursiveNameservers: 1.1.1.1:53,8.8.8.8:53 + replicaCount: 1 + crds: + enabled: true + dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query dns01RecursiveNameserversOnly: true - podDnsPolicy: None - podDnsConfig: - nameservers: - - "1.1.1.1" - - "8.8.8.8" prometheus: enabled: true servicemonitor: enabled: true prometheusInstance: monitoring + webhook: + replicaCount: 1 + cainjector: + replicaCount: 1 + podLabels: + egress.home.arpa/apiserver: allow + egress.home.arpa/kubedns: allow # TODO: Remove when clusterNetworkPolicy is in place + # config: + # apiVersion: controller.config.cert-manager.io/v1alpha1 + # kind: ControllerConfiguration + # enableGatewayAPI: true diff --git a/kubernetes/sol/apps/cert-manager/namespace.yaml b/kubernetes/sol/apps/cert-manager/namespace.yaml index 9aea4d4cd6..1822f41b44 100644 --- a/kubernetes/sol/apps/cert-manager/namespace.yaml +++ b/kubernetes/sol/apps/cert-manager/namespace.yaml @@ -6,4 +6,4 @@ metadata: labels: kustomize.toolkit.fluxcd.io/prune: disabled annotations: - istio-injection: enabled + 
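Review bot: The added `# yaml-language-server: $schema=` in `kubernetes/kyak/apps/auth/keycloak/cluster/keycloak.yaml` has an empty URL, so it enables no editor validation and looks like an unfinished paste. Either point it at the schema the editor should use, e.g. `# yaml-language-server: $schema=<SCHEMA_URL_FOR_Keycloak_v2alpha1>`, or drop the line until the URL is known. The leading `---` is fine and matches the other manifests in the patch.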
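Review bot: The `@@ -79,3 +81,5 @@` hunk of `keycloak.yaml` ends with a bare URL comment (`# https://github.com/wadahiro/keycloak-discord/...jar`) appended after the ingress annotations with nothing saying why it is there. A maintainer cannot tell whether this is a planned extension to add (presumably the Discord identity-provider jar), a record of what is already baked into the image, or a leftover note; give it a one-line purpose, for example `# TODO: keycloak-discord provider jar — not yet wired into the image/init step`, or move it to the README. The enclosing `spec.ingress` block starts outside the hunk.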
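Review bot: The rewritten values in `kubernetes/sol/apps/cert-manager/cert-manager/app/helmrelease.yaml` switch from `installCRDs: true` to `crds.enabled: true` and from plain `ip:port` recursive nameservers to DoH URLs; both forms are only understood by recent chart/controller versions (the `crds` block replaced `installCRDs` in the 1.15 chart, as I recall), and `chart.spec.version` sits above the hunk, so confirm it is new enough or the CRDs silently stop being managed. With `dns01RecursiveNameserversOnly: true` the ACME self-check now needs egress to `1.1.1.1`/`1.0.0.1` on tcp/443, which the added `egress.home.arpa/apiserver` and `egress.home.arpa/kubedns` pod labels do not obviously cover if those labels select a default-deny egress policy; that is inferred from the label names, so please check the policy they map to. Note also that top-level `podLabels` in this chart applies to the controller only, not to the webhook or cainjector pods. The commented-out `config:` stanza should either carry a reason (`# TODO: enable Gateway API once <CONDITION>`) or be removed, since Git history keeps it.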
diff --git a/kubernetes/sol/apps/default/kopia/app/externalsecret.yaml b/kubernetes/sol/apps/default/kopia/app/externalsecret.yaml deleted file mode 100644 index 92e7a49290..0000000000 --- a/kubernetes/sol/apps/default/kopia/app/externalsecret.yaml +++ /dev/null @@ -1,63 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: kopia -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: kopia-secret - template: - engineVersion: v2 - data: - KOPIA_PASSWORD: "{{ .KOPIA_PASSWORD }}" - dataFrom: - - extract: - key: kopia ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: kopia-repository -spec: - refreshInterval: 5m - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: kopia-repository-secret - template: - engineVersion: v2 - data: - repository.config: | - { - "storage": { - "type": "s3", - "config": { - "bucket": "kopia-3e0c521bfa2b", - "endpoint": "{{ .CLOUDFLARE_ACCOUNT_TAG }}.r2.cloudflarestorage.com", - "accessKeyID": "{{ .AWS_ACCESS_KEY_ID }}", - "secretAccessKey": "{{ .AWS_SECRET_ACCESS_KEY }}" - } - }, - "caching": { - "cacheDirectory": "/app/cache", - "maxCacheSize": 5242880000, - "maxMetadataCacheSize": 5242880000, - "maxListCacheDuration": 30 - }, - "hostname": "osiris.286k.co", - "username": "twitlin", - "description": "osiris", - "enableActions": false, - "formatBlobCacheDuration": 900000000000 - } - dataFrom: - - extract: - key: kopia - - extract: - key: cloudflare diff --git a/kubernetes/sol/apps/default/kopia/app/helmrelease.yaml b/kubernetes/sol/apps/default/kopia/app/helmrelease.yaml deleted file mode 100644 index 93b7d37f0b..0000000000 
--- a/kubernetes/sol/apps/default/kopia/app/helmrelease.yaml
+++ /dev/null
@@ -1,133 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: kopia -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.5.1 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - controllers: - kopia: - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: docker.io/kopia/kopia - tag: 0.17.0@sha256:51784ce0961940846f4f47cab2d4f58e2e0cb467de357f9a80279b149a00c06e - env: - TZ: America/New_York - envFrom: - - secretRef: - name: kopia-secret - args: - - server - - start - - --insecure - - --address - - 0.0.0.0:80 - - --override-hostname - - osiris.286k.co - - --override-username - - twitlin - - --without-password - - --metrics-listen-addr - - 0.0.0.0:8080 - probes: - liveness: &probes - enabled: true - custom: true - spec: - httpGet: - path: / - port: 80 - initialDelaySeconds: 30 - periodSeconds: 30 - timeoutSeconds: 10 - failureThreshold: 6 - readiness: *probes - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } - resources: - requests: - cpu: 100m - limits: - memory: 2Gi - defaultPodOptions: - securityContext: - runAsNonRoot: true - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch - supplementalGroups: [10000] - seccompProfile: { type: RuntimeDefault } - service: - app: - controller: kopia - ports: - http: - port: 80 - metrics: - port: 8080 - serviceMonitor: - app: - serviceName: kopia - endpoints: - - port: metrics - scheme: http - path: /metrics - interval: 1m - scrapeTimeout: 10s - ingress: - main: - className: internal - hosts: - - host: "{{ .Release.Name 
}}.286k.co" - paths: - - path: / - service: - identifier: app - port: http - persistence: - config-file: - type: secret - name: kopia-repository-secret - globalMounts: - - path: /app/config/repository.config - subPath: repository.config - readOnly: true - cache: - type: emptyDir - globalMounts: - - path: /app/cache - logs: - type: emptyDir - globalMounts: - - path: /app/logs - media: - type: hostPath - hostPath: /pluto - hostPathType: Directory - globalMounts: - - path: /pluto - readOnly: true diff --git a/kubernetes/sol/apps/default/kopia/app/kustomization.yaml b/kubernetes/sol/apps/default/kopia/app/kustomization.yaml deleted file mode 100644 index 4eed917b96..0000000000 --- a/kubernetes/sol/apps/default/kopia/app/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./externalsecret.yaml - - ./helmrelease.yaml diff --git a/kubernetes/sol/apps/default/kopia/ks.yaml b/kubernetes/sol/apps/default/kopia/ks.yaml deleted file mode 100644 index c82bc6feed..0000000000 --- a/kubernetes/sol/apps/default/kopia/ks.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app kopia - namespace: flux-system -spec: - targetNamespace: default - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/sol/apps/default/kopia/app - prune: true - sourceRef: - kind: GitRepository - name: home-kubernetes - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/sol/apps/default/kustomization.yaml b/kubernetes/sol/apps/default/kustomization.yaml deleted file mode 100644 index e450ddc12e..0000000000 --- a/kubernetes/sol/apps/default/kustomization.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - # Pre Flux-Kustomizations - - ./namespace.yaml - # # Flux-Kustomizations - # - ./kopia/ks.yaml - diff --git a/kubernetes/sol/apps/default/minio/app/externalsecret.yaml b/kubernetes/sol/apps/default/minio/app/externalsecret.yaml deleted file mode 100644 index 9c72731db8..0000000000 --- a/kubernetes/sol/apps/default/minio/app/externalsecret.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: minio -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: minio-secret - template: - engineVersion: v2 - data: - # App - MINIO_ROOT_USER: "{{ .MINIO_ROOT_USER }}" - MINIO_ROOT_PASSWORD: "{{ .MINIO_ROOT_PASSWORD }}" - dataFrom: - - extract: - key: minio diff --git a/kubernetes/sol/apps/default/minio/app/helmrelease.yaml b/kubernetes/sol/apps/default/minio/app/helmrelease.yaml deleted file mode 100644 index 2db8404f31..0000000000 --- a/kubernetes/sol/apps/default/minio/app/helmrelease.yaml +++ /dev/null 
@@ -1,121 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: minio -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.5.1 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - values: - controllers: - minio: - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: quay.io/minio/minio - tag: RELEASE.2024-10-02T17-50-41Z@sha256:ea15e53e66f96f63e12f45509d2d2d8fad774808debb490f48508b3130bd22d3 - env: - MINIO_API_CORS_ALLOW_ORIGIN: https://minio.286k.co,https://s3.286k.co - MINIO_BROWSER_REDIRECT_URL: https://minio.286k.co - MINIO_PROMETHEUS_JOB_ID: minio - MINIO_PROMETHEUS_URL: https://prometheus.286k.co - MINIO_PROMETHEUS_AUTH_TYPE: public - MINIO_SERVER_URL: https://s3.286k.co - MINIO_UPDATE: "off" - envFrom: - - secretRef: - name: minio-secret - args: ["server", "/data", "--console-address", ":9001"] - probes: - liveness: &probes - enabled: true - custom: true - spec: - httpGet: - path: /minio/health/live - port: 9000 - initialDelaySeconds: 30 - periodSeconds: 30 - timeoutSeconds: 10 - failureThreshold: 6 - readiness: *probes - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: { drop: ["ALL"] } - resources: - requests: - cpu: 100m - limits: - memory: 2Gi - defaultPodOptions: - securityContext: - runAsNonRoot: true - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - fsGroupChangePolicy: OnRootMismatch - supplementalGroups: [10000] - seccompProfile: { type: RuntimeDefault } - service: - app: - controller: minio - ports: - http: - port: 9001 - s3: - port: 9000 - serviceMonitor: - app: - serviceName: minio - endpoints: - - 
port: s3 - scheme: http - path: /minio/v2/metrics/cluster - interval: 1m - scrapeTimeout: 10s - ingress: - app: - className: internal - hosts: - - host: &host "{{ .Release.Name }}.286k.co" - paths: - - path: / - service: - identifier: app - port: http - - host: &s3Host s3.286k.co - paths: - - path: / - service: - identifier: app - port: s3 - tls: - - hosts: - - *host - - *s3Host - persistence: - config: - type: hostPath - hostPath: /pluto/minio - hostPathType: Directory - globalMounts: - - path: /data diff --git a/kubernetes/sol/apps/default/minio/app/kustomization.yaml b/kubernetes/sol/apps/default/minio/app/kustomization.yaml deleted file mode 100644 index 4eed917b96..0000000000 --- a/kubernetes/sol/apps/default/minio/app/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./externalsecret.yaml - - ./helmrelease.yaml diff --git a/kubernetes/sol/apps/default/minio/ks.yaml b/kubernetes/sol/apps/default/minio/ks.yaml deleted file mode 100644 index 11b7fb519d..0000000000 --- a/kubernetes/sol/apps/default/minio/ks.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app minio - namespace: flux-system -spec: - targetNamespace: default - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/sol/apps/default/minio/app - prune: true - sourceRef: - kind: GitRepository - name: home-kubernetes - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/sol/apps/default/namespace.yaml b/kubernetes/sol/apps/default/namespace.yaml deleted file mode 100644 index b12da497ed..0000000000 --- a/kubernetes/sol/apps/default/namespace.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: default - labels: - kustomize.toolkit.fluxcd.io/prune: disabled - annotations: - istio-injection: enabled diff --git a/talos/talconfig.yaml b/talos/talconfig.yaml index 07314861f3..2ff1e0512e 100644 --- a/talos/talconfig.yaml +++ b/talos/talconfig.yaml @@ -24,7 +24,7 @@ nodes: controlPlane: true installDisk: /dev/disk/by-id/ata-CT240BX500SSD1_2206E60A4A88 networkInterfaces: - - interface: eth0 + - interface: enp1s0 mtu: 1500 dhcp: true schematic: @@ -42,7 +42,7 @@ nodes: controlPlane: true installDisk: /dev/disk/by-id/ata-CT240BX500SSD1_2148E5EA7AA5 networkInterfaces: - - interface: eth0 + - interface: enp1s0 mtu: 1500 dhcp: true schematic: @@ -60,7 +60,7 @@ nodes: controlPlane: true installDisk: /dev/disk/by-id/ata-WD_easystore_240GB_20215C802161 networkInterfaces: - - interface: eth0 + - interface: enp1s0 mtu: 1500 dhcp: true schematic: @@ -188,7 +188,7 @@ nodes: networkInterfaces: - interface: eno1 mtu: 1500 - dhcp: false + dhcp: true - interface: eno2 mtu: 1500 dhcp: false @@ -198,18 +198,6 @@ nodes: - interface: enp55s0f1 mtu: 1500 dhcp: false - - interface: bond0 - dhcp: true - bond: - mode: 802.3ad - lacpRate: fast - xmitHashPolicy: layer3+4 - miimon: 100 - updelay: 100 - downdelay: 100 - interfaces: - - enp55s0f0 - - enp55s0f1 schematic: customization: systemExtensions: @@ -217,12 +205,11 @@ nodes: - siderolabs/binfmt-misc - siderolabs/fuse3 - siderolabs/intel-ucode - - siderolabs/nonfree-kmod-nvidia-production - - siderolabs/nvidia-fabricmanager-production - - siderolabs/nvidia-container-toolkit-production + # - siderolabs/nonfree-kmod-nvidia-production + # - siderolabs/nvidia-container-toolkit-production - siderolabs/util-linux-tools - extraKernelArgs: - - bond=bond1:eth3,eth4:mode=802.3ad,xmit_hash_policy=layer2+3:1500 + # extraKernelArgs: + # - bond=bond1:eth3,eth4:mode=802.3ad,xmit_hash_policy=layer2+3:1500 patches: - |- - op: add 
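Review bot: In the `@@ -217,12 +205,11 @@` hunk of `talos/talconfig.yaml` the NVIDIA system extensions and `extraKernelArgs` are commented out rather than removed, while `siderolabs/nvidia-fabricmanager-production` is dropped outright and the commented kernel args still describe `bond1:eth3,eth4`, which no longer matches the bond removed in the `@@ -198` hunk above. Commented-out configuration tends to drift; if the GPU and bond setups are meant to come back, a single comment recording why they are off and what must be re-enabled together (extensions, the `/machine/kernel` modules patch further down, and the container toolkit) is more useful than the dead lines, e.g. `# NVIDIA extensions disabled: <REASON>; re-enable together with the /machine/kernel modules patch below`. Otherwise delete the lines and rely on history. The node's enclosing entry starts outside the hunk.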
@@ -257,20 +244,20 @@ nodes: permissions: 420 path: /etc/nfsmount.conf op: overwrite - - |- - - op: add - path: /machine/kernel - value: - modules: - - name: nvidia - - name: nvidia_uvm - - name: nvidia_drm - - name: nvidia_modeset - - |- - - op: add - path: /machine/sysctls - value: - net.core.bpf_jit_harden: 1 + # - |- + # - op: add + # path: /machine/kernel + # value: + # modules: + # - name: nvidia + # - name: nvidia_uvm + # - name: nvidia_drm + # - name: nvidia_modeset + # - |- + # - op: add + # path: /machine/sysctls + # value: + # net.core.bpf_jit_harden: 1 controlPlane: patches: @@ -411,13 +398,15 @@ controlPlane: vm.overcommit_memory: "1" kernel.panic: "10" kernel.panic_on_oops: "1" + net.core.rmem_max: "7500000" + net.core.wmem_max: "7500000" - &time |- - op: add path: /machine/time value: disabled: false servers: - - time.nist.gov + - time.cloudflare.com - |- - op: add path: /machine/udev @@ -501,6 +490,8 @@ worker: vm.overcommit_memory: "1" kernel.panic: "10" kernel.panic_on_oops: "1" + net.core.rmem_max: "7500000" + net.core.wmem_max: "7500000" - *time - |- - op: add
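Review bot: The `/machine/sysctls` patch setting `net.core.bpf_jit_harden: 1` is commented out together with the NVIDIA kernel-modules patch, although it has nothing to do with NVIDIA. That sysctl enables constant blinding for BPF programs loaded by unprivileged users, a kernel hardening control, so dropping it quietly weakens the node and is not mentioned in the commit message. Keep the NVIDIA patch disabled if that is the intent, but restore the sysctls patch as a live entry, as below.
```yaml
      # … unchanged: nfsmount.conf patch and the commented-out NVIDIA modules patch …
      - |-
        - op: add
          path: /machine/sysctls
          value:
            net.core.bpf_jit_harden: 1
```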
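Review bot: `net.core.rmem_max`/`net.core.wmem_max` are added verbatim to both the `controlPlane` sysctls patch in the `@@ -411` hunk and the `worker` one in the `@@ -501` hunk. The file already shares the time patch between the two via the `&time`/`*time` anchor, so the sysctls patch could be anchored the same way to keep the two from drifting; its opening `- |-` line is outside the hunk, so I cannot tell whether the two patches are otherwise identical. Both new values are quoted strings, matching the neighbouring sysctl entries. The swap of `time.nist.gov` for `time.cloudflare.com` is unexplained by the commit message; a short comment on the motive would help future readers.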