feat(end-of-summer-cleaning): remove storage, modify bootstrap struct…

…ure etc. Signed-off-by: Jordan Jones <me@jordanjones.org>
kashalls · Sep 13, 2024 · 973e3b7 · 973e3b7
1 parent 8dfdff7
commit 973e3b7
Show file tree

Hide file tree

Showing 234 changed files with 356 additions and 4,213 deletions.
diff --git a/.taskfiles/Flux/Taskfile.yaml b/.taskfiles/Flux/Taskfile.yaml
@@ -16,10 +16,10 @@ tasks:
  prompt: Bootstrap Flux into the '{{.cluster}}' cluster ... continue?
  cmds:
  # Install Flux
- - kubectl --context {{.cluster}} apply --server-side --kustomize {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/flux
+ - kubectl --context {{.cluster}} apply --server-side --kustomize {{.BOOTSTRAP_DIR}}
  # Install secrets and configmaps
- - sops --decrypt {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/flux/age-key.secret.sops.yaml | kubectl --context {{.cluster}} apply --server-side --filename -
- - sops --decrypt {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/flux/github-deploy-key.secret.sops.yaml | kubectl --context {{.cluster}} apply --server-side --filename -
+ - sops --decrypt {{.BOOTSTRAP_DIR}}/age-key.secret.sops.yaml | kubectl --context {{.cluster}} apply --server-side --filename -
+ - sops --decrypt {{.BOOTSTRAP_DIR}}/github-deploy-key.secret.sops.yaml | kubectl --context {{.cluster}} apply --server-side --filename -
  - sops --decrypt {{.KUBERNETES_DIR}}/{{.cluster}}/flux/vars/cluster-secrets.secret.sops.yaml | kubectl --context {{.cluster}} apply --server-side --filename -
  - kubectl --context {{.cluster}} apply --server-side --filename {{.KUBERNETES_DIR}}/{{.cluster}}/flux/vars/cluster-settings.yaml
  # Install Flux Kustomization resources
@@ -28,12 +28,12 @@ tasks:
  vars: ["cluster"]
  preconditions:
  - test -f {{.ROOT_DIR}}/age.key
- - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/flux/age-key.secret.sops.yaml
- - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/flux/github-deploy-key.secret.sops.yaml
+ - test -f {{.BOOTSTRAP_DIR}}/age-key.secret.sops.yaml
+ - test -f {{.BOOTSTRAP_DIR}}/github-deploy-key.secret.sops.yaml
  - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/flux/vars/cluster-settings.yaml
  - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/flux/vars/cluster-secrets.secret.sops.yaml
- - sops --decrypt {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/flux/age-key.secret.sops.yaml
- - sops --decrypt {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/flux/github-deploy-key.secret.sops.yaml
+ - sops --decrypt {{.BOOTSTRAP_DIR}}/age-key.secret.sops.yaml
+ - sops --decrypt {{.BOOTSTRAP_DIR}}/github-deploy-key.secret.sops.yaml
  - sops --decrypt {{.KUBERNETES_DIR}}/{{.cluster}}/flux/vars/cluster-secrets.secret.sops.yaml
 
  apply:

diff --git a/.taskfiles/Talos/Taskfile.yaml b/.taskfiles/Talos/Taskfile.yaml
@@ -16,16 +16,18 @@ tasks:
  apply-config:
  desc: Apply Talos configuration to a node
  cmd: |
- sops --decrypt {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/config/{{.hostname}}.secret.sops.yaml | \
+ sops --decrypt {{.TALOS_DIR}}/{{.cluster}}/{{.type}}.secret.sops.yaml | \
  $GOPATH/bin/envsubst | \
- talosctl --context {{.cluster}} apply-config --nodes {{.hostname}} --file /dev/stdin --insecure
+ talosctl --context {{.cluster}} apply-config --nodes {{.node}} --file /dev/stdin --mode={{.mode}} --insecure={{.insecure}}
  env: *vars
  vars:
+ type: '{{.type | default "worker"}}'
  mode: '{{.mode | default "no-reboot"}}'
+ insecure: '{{.insecure | default "false" }}'
  requires:
- vars: ["cluster", "hostname"]
+ vars: ["cluster", "node", "type"]
  preconditions:
- - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/config/{{.hostname}}.secret.sops.yaml
+ - test -f {{.TALOS_DIR}}/{{.cluster}}/{{.type}}.secret.sops.yaml
  #- talosctl --context {{.cluster}} --nodes {{.hostname}} get machineconfig >/dev/null 2>&1
 
  upgrade:
@@ -106,12 +108,12 @@ tasks:
 
  bootstrap-apps:
  desc: Bootstrap core apps needed for Talos
- cmd: helmfile --quiet --kube-context {{.cluster}} --file {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/apps/helmfile.yaml apply --skip-diff-on-install --suppress-diff
+ cmd: helmfile --quiet --kube-context {{.cluster}} --file {{.TALOS_DIR}}/{{.cluster}}/helmfile.yaml apply --skip-diff-on-install --suppress-diff
  requires:
  vars: ["cluster"]
  preconditions:
  - talosctl --context {{.cluster}} config info >/dev/null 2>&1
- - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/apps/helmfile.yaml
+ - test -f {{.TALOS_DIR}}/{{.cluster}}/helmfile.yaml
 
  fetch-kubeconfig:
  desc: Fetch kubeconfig from Talos controllers

diff --git a/Taskfile.yaml b/Taskfile.yaml
@@ -4,6 +4,8 @@ version: "3"
 
 vars:
  KUBERNETES_DIR: "{{.ROOT_DIR}}/kubernetes"
+ TALOS_DIR: "{{.ROOT_DIR}}/talos"
+ BOOTSTRAP_DIR: "{{.ROOT_DIR}}/bootstrap"
 
 env:
  KUBECONFIG: "{{.KUBERNETES_DIR}}/kubernetes/main/kubeconfig:{{.KUBERNETES_DIR}}/kubernetes/storage/kubeconfig"

diff --git a/bootstrap/README.md b/bootstrap/README.md
@@ -0,0 +1,3 @@
+# ./bootstrap
+
+This folder contains files that are usually required on all of my clusters like the sops encryption key and a encrypted ssh key used for my cluster to authenticate against github.
diff --git a/...n/bootstrap/flux/age-key.secret.sops.yaml → bootstrap/age-key.secret.sops.yaml b/...n/bootstrap/flux/age-key.secret.sops.yaml → bootstrap/age-key.secret.sops.yaml
diff --git a/...p/flux/github-deploy-key.secret.sops.yaml → bootstrap/github-deploy-key.secret.sops.yaml b/...p/flux/github-deploy-key.secret.sops.yaml → bootstrap/github-deploy-key.secret.sops.yaml
diff --git a/...es/main/bootstrap/flux/kustomization.yaml → bootstrap/kustomization.yaml b/...es/main/bootstrap/flux/kustomization.yaml → bootstrap/kustomization.yaml
diff --git a/...pps/default/minio/app/externalsecret.yaml → ...pps/default/minio/app/externalsecret.yaml b/...pps/default/minio/app/externalsecret.yaml → ...pps/default/minio/app/externalsecret.yaml
diff --git a/...e/apps/default/minio/app/helmrelease.yaml → ...n/apps/default/minio/app/helmrelease.yaml b/...e/apps/default/minio/app/helmrelease.yaml → ...n/apps/default/minio/app/helmrelease.yaml
diff --git a/...apps/default/minio/app/kustomization.yaml → ...apps/default/minio/app/kustomization.yaml b/...apps/default/minio/app/kustomization.yaml → ...apps/default/minio/app/kustomization.yaml
diff --git a/...rnetes/storage/apps/default/minio/ks.yaml → kubernetes/main/apps/default/minio/ks.yaml b/...rnetes/storage/apps/default/minio/ks.yaml → kubernetes/main/apps/default/minio/ks.yaml
diff --git a/.../raspi/apps/actions-runner-system/gha-runner-scale-set-controller/app/externalsecret.yaml b/.../raspi/apps/actions-runner-system/gha-runner-scale-set-controller/app/externalsecret.yaml
@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.ok8.sh/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: actions-runner-controller-auth
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: actions-runner-controller-auth-secret
+ template:
+ engineVersion: v2
+ data:
+ ACTION_RUNNER_CONTROLLER_GITHUB_APP_ID: |-
+ {{ .ACTION_RUNNER_CONTROLLER_GITHUB_APP_ID }}
+ ACTION_RUNNER_CONTROLLER_GITHUB_INSTALLATION_ID: |-
+ {{ .ACTION_RUNNER_CONTROLLER_GITHUB_INSTALLATION_ID }}
+ ACTION_RUNNER_CONTROLLER_GITHUB_PRIVATE_KEY: |-
+ {{ .ACTION_RUNNER_CONTROLLER_GITHUB_PRIVATE_KEY }}
+ ACTION_RUNNER_CONTROLLER_GITHUB_WEBHOOK_SECRET_TOKEN: |-
+ {{ .ACTION_RUNNER_CONTROLLER_GITHUB_WEBHOOK_SECRET_TOKEN }}
+ dataFrom:
+ - extract:
+ key: actions-runner-controller
diff --git a/.../snapshot-controller/app/helmrelease.yaml → ...scale-set-controller/app/helmrelease.yaml b/.../snapshot-controller/app/helmrelease.yaml → ...scale-set-controller/app/helmrelease.yaml
@@ -3,16 +3,16 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
- name: snapshot-controller
+ name: gha-runner-scale-set-controller
 spec:
  interval: 30m
  chart:
  spec:
- chart: snapshot-controller
- version: 3.0.6
+ chart: gha-runner-scale-set-controller
+ version: 0.9.3
  sourceRef:
  kind: HelmRepository
- name: piraeus
+ name: actions-runner-controller
  namespace: flux-system
  install:
  crds: CreateReplace
@@ -25,8 +25,4 @@ spec:
  strategy: rollback
  retries: 3
  values:
- controller:
- serviceMonitor:
- create: true
- webhook:
- enabled: false
+ fullnameOverride: gha-runner-scale-set-controller
diff --git a/...apps/default/samba/app/kustomization.yaml → ...ale-set-controller/app/kustomization.yaml b/...apps/default/samba/app/kustomization.yaml → ...ale-set-controller/app/kustomization.yaml
diff --git a/...s/storage/apps/flux-system/addons/ks.yaml → ...m/gha-runner-scale-set-controller/ks.yaml b/...s/storage/apps/flux-system/addons/ks.yaml → ...m/gha-runner-scale-set-controller/ks.yaml
@@ -3,16 +3,16 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
- name: &app flux-addons
+ name: &app gha-runner-scale-set-controller
  namespace: flux-system
 spec:
- targetNamespace: flux-system
+ targetNamespace: actions-runner-system
  commonMetadata:
  labels:
  app.kubernetes.io/name: *app
  dependsOn:
  - name: external-secrets-stores
- path: ./kubernetes/storage/apps/flux-system/addons/app
+ path: ./kubernetes/main/apps/actions-runner-system/gha-runner-scale-set-controller/app
  prune: true
  sourceRef:
  kind: GitRepository

diff --git a/kubernetes/raspi/apps/actions-runner-system/gha-runner-scale-set/app/helmrelease.yaml b/kubernetes/raspi/apps/actions-runner-system/gha-runner-scale-set/app/helmrelease.yaml
@@ -0,0 +1,57 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.ok8.sh/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: gha-runner-scale-set
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: gha-runner-scale-set
+ version: 0.9.3
+ sourceRef:
+ kind: HelmRepository
+ name: actions-runner-controller
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ dependsOn:
+ - name: gha-runner-scale-set-controller
+ namespace: actions-runner-system
+ valuesFrom:
+ - targetPath: githubConfigSecret.github_app_id
+ kind: Secret
+ name: actions-runner-controller-auth-secret
+ valuesKey: ACTION_RUNNER_CONTROLLER_GITHUB_APP_ID
+ - targetPath: githubConfigSecret.github_app_installation_id
+ kind: Secret
+ name: actions-runner-controller-auth-secret
+ valuesKey: ACTION_RUNNER_CONTROLLER_GITHUB_INSTALLATION_ID
+ - targetPath: githubConfigSecret.github_app_private_key
+ kind: Secret
+ name: actions-runner-controller-auth-secret
+ valuesKey: ACTION_RUNNER_CONTROLLER_GITHUB_PRIVATE_KEY
+ values:
+ nameOverride: gha-runner-scale-set
+ runnerScaleSetName: gha-runner-scale-set
+ githubConfigUrl: https://github.com/kashalls/home-cluster
+ minRunners: 1
+ maxRunners: 6
+ containerMode:
+ type: dind
+ template:
+ spec:
+ containers:
+ - name: runner
+ image: ghcr.io/onedr0p/actions-runner:2.319.1@sha256:a4089b96bb4561051c954cc1f9019497dcc166c027b8e1474da7246a16796b43
+ command: ["/home/runner/run.sh"]
+ controllerServiceAccount:
+ name: gha-runner-scale-set-controller
+ namespace: actions-runner-system
diff --git a/...s/external-secrets/app/kustomization.yaml → ...a-runner-scale-set/app/kustomization.yaml b/...s/external-secrets/app/kustomization.yaml → ...a-runner-scale-set/app/kustomization.yaml
diff --git a/...rnetes/storage/apps/default/samba/ks.yaml → ...unner-system/gha-runner-scale-set/ks.yaml b/...rnetes/storage/apps/default/samba/ks.yaml → ...unner-system/gha-runner-scale-set/ks.yaml
@@ -3,16 +3,14 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
- name: &app samba
+ name: &app gha-runner-scale-set
  namespace: flux-system
 spec:
- targetNamespace: default
+ targetNamespace: actions-runner-system
  commonMetadata:
  labels:
  app.kubernetes.io/name: *app
- dependsOn:
- - name: external-secrets-stores
- path: ./kubernetes/storage/apps/default/samba/app
+ path: ./kubernetes/main/apps/actions-runner-system/gha-runner-scale-set/app
  prune: true
  sourceRef:
  kind: GitRepository

diff --git a/...rage/apps/cert-manager/kustomization.yaml → .../actions-runner-system/kustomization.yaml b/...rage/apps/cert-manager/kustomization.yaml → .../actions-runner-system/kustomization.yaml
@@ -6,5 +6,5 @@ resources:
  # Pre Flux-Kustomizations
  - ./namespace.yaml
  # Flux-Kustomizations
- - ./cert-manager/ks.yaml
- - ./certificates/ks.yaml
+ - ./gha-runner-scale-set-controller/ks.yaml
+ - ./gha-runner-scale-set/ks.yaml
diff --git a/...netes/storage/apps/default/namespace.yaml → ...apps/actions-runner-system/namespace.yaml b/...netes/storage/apps/default/namespace.yaml → ...apps/actions-runner-system/namespace.yaml
@@ -2,6 +2,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
- name: default
+ name: actions-runner-system
  labels:
  kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/...ets/external-secrets/app/helmrelease.yaml → ...ets/external-secrets/app/helmrelease.yaml b/...ets/external-secrets/app/helmrelease.yaml → ...ets/external-secrets/app/helmrelease.yaml
@@ -9,18 +9,18 @@ spec:
  chart:
  spec:
  chart: external-secrets
- version: 0.10.3
+ version: 0.10.0
  sourceRef:
  kind: HelmRepository
  name: external-secrets
  namespace: flux-system
- maxHistory: 2
  install:
  remediation:
  retries: 3
  upgrade:
  cleanupOnFail: true
  remediation:
+ strategy: rollback
  retries: 3
  values:
  installCRDs: true

diff --git a/...efault/filebrowser/app/kustomization.yaml → ...s/external-secrets/app/kustomization.yaml b/...efault/filebrowser/app/kustomization.yaml → ...s/external-secrets/app/kustomization.yaml
@@ -2,6 +2,6 @@
 # yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+namespace: kube-system
 resources:
- - ./claim.yaml
  - ./helmrelease.yaml
diff --git a/...external-secrets/external-secrets/ks.yaml → ...external-secrets/external-secrets/ks.yaml b/...external-secrets/external-secrets/ks.yaml → ...external-secrets/external-secrets/ks.yaml
@@ -10,7 +10,7 @@ spec:
  commonMetadata:
  labels:
  app.kubernetes.io/name: *app
- path: ./kubernetes/storage/apps/external-secrets/external-secrets/app
+ path: ./kubernetes/main/apps/external-secrets/external-secrets/app
  prune: true
  sourceRef:
  kind: GitRepository
@@ -33,7 +33,7 @@ spec:
  app.kubernetes.io/name: *app
  dependsOn:
  - name: external-secrets
- path: ./kubernetes/storage/apps/external-secrets/external-secrets/stores
+ path: ./kubernetes/main/apps/external-secrets/external-secrets/stores
  prune: true
  sourceRef:
  kind: GitRepository

diff --git a/...xternal-secrets/stores/kustomization.yaml → ...xternal-secrets/stores/kustomization.yaml b/...xternal-secrets/stores/kustomization.yaml → ...xternal-secrets/stores/kustomization.yaml
@@ -2,5 +2,6 @@
 # yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+namespace: kube-system
 resources:
  - ./onepassword
diff --git a/...tores/onepassword/clustersecretstore.yaml → ...tores/onepassword/clustersecretstore.yaml b/...tores/onepassword/clustersecretstore.yaml → ...tores/onepassword/clustersecretstore.yaml
diff --git a/...crets/stores/onepassword/helmrelease.yaml → ...crets/stores/onepassword/helmrelease.yaml b/...crets/stores/onepassword/helmrelease.yaml → ...crets/stores/onepassword/helmrelease.yaml
@@ -9,7 +9,7 @@ spec:
  chart:
  spec:
  chart: app-template
- version: 3.4.0
+ version: 3.3.2
  sourceRef:
  kind: HelmRepository
  name: bjw-s
@@ -122,8 +122,10 @@ spec:
  ingress:
  api:
  className: internal
+ annotations:
+ external-dns.alpha.kubernetes.io/target: "internal.ok8.sh"
  hosts:
- - host: &host "onepassword-connect.outsideour.casa"
+ - host: &host "onepassword-connect.ok8.sh"
  paths:
  - path: /
  service:

diff --git a/...ets/stores/onepassword/kustomization.yaml → ...ets/stores/onepassword/kustomization.yaml b/...ets/stores/onepassword/kustomization.yaml → ...ets/stores/onepassword/kustomization.yaml
@@ -2,6 +2,7 @@
 # yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+namespace: kube-system
 resources:
  - ./secret.sops.yaml
  - ./helmrelease.yaml

diff --git a/...crets/stores/onepassword/secret.sops.yaml → ...crets/stores/onepassword/secret.sops.yaml b/...crets/stores/onepassword/secret.sops.yaml → ...crets/stores/onepassword/secret.sops.yaml
diff --git a/.../apps/external-secrets/kustomization.yaml → .../apps/external-secrets/kustomization.yaml b/.../apps/external-secrets/kustomization.yaml → .../apps/external-secrets/kustomization.yaml
@@ -5,5 +5,6 @@ kind: Kustomization
 resources:
  # Pre Flux-Kustomizations
  - ./namespace.yaml
+ - ./notifications.yaml
  # Flux-Kustomizations
  - ./external-secrets/ks.yaml
diff --git a/...rage/apps/external-secrets/namespace.yaml → ...aspi/apps/external-secrets/namespace.yaml b/...rage/apps/external-secrets/namespace.yaml → ...aspi/apps/external-secrets/namespace.yaml
@@ -3,5 +3,5 @@ apiVersion: v1
 kind: Namespace
 metadata:
  name: external-secrets
- annotations:
+ labels:
  kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/...ge/apps/volsync-system/notifications.yaml → .../apps/external-secrets/notifications.yaml b/...ge/apps/volsync-system/notifications.yaml → .../apps/external-secrets/notifications.yaml
@@ -4,7 +4,7 @@ apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Provider
 metadata:
  name: alert-manager
- namespace: volsync-system
+ namespace: external-secrets
 spec:
  type: alertmanager
  address: http://alertmanager-operated.observability.svc.cluster.local:9093/api/v2/alerts/
@@ -14,7 +14,7 @@ apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Alert
 metadata:
  name: alert-manager
- namespace: volsync-system
+ namespace: external-secrets
 spec:
  providerRef:
  name: alert-manager

diff --git a/...s/kube-system/cilium/app/helm-values.yaml → ...s/kube-system/cilium/app/helm-values.yaml b/...s/kube-system/cilium/app/helm-values.yaml → ...s/kube-system/cilium/app/helm-values.yaml
@@ -11,22 +11,19 @@ cgroup:
  enabled: false
  hostRoot: /sys/fs/cgroup
 cluster:
- id: 2
- name: storage
-containerRuntime:
- integration: containerd
-devices:
- - enp+
- - eno+
- - enx+
+ id: 1
+ name: main
+devices: enp+
 enableRuntimeDeviceDetection: true
 endpointRoutes:
  enabled: true
 hubble:
  enabled: false
+envoy:
+ enabled: false
 ipam:
  mode: kubernetes
-ipv4NativeRoutingCIDR: 172.32.0.0/16
+ipv4NativeRoutingCIDR: 172.30.0.0/16
 k8sServiceHost: 127.0.0.1
 k8sServicePort: 7445
 kubeProxyReplacement: true