chore: reorganize helmfile flux apps #8890
Merged
Signed-off-by: Devin Buhl <devin@buhl.casa>
--- kubernetes/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets HelmRelease: external-secrets/external-secrets
+++ kubernetes/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets HelmRelease: external-secrets/external-secrets
@@ -25,8 +25,8 @@
cleanupOnFail: true
remediation:
retries: 3
strategy: rollback
valuesFrom:
- kind: ConfigMap
- name: external-secrets-helm-values-h9g78hg67k
+ name: external-secrets-values-h9g78hg67k
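Review bot: the content-hash suffix `h9g78hg67k` is unchanged on the `valuesFrom` line, which confirms this is a pure generator rename (`*-helm-values` to `*-values`) with identical values; the ConfigMap under the new name is emitted by the same Kustomization (`external-secrets/external-secrets`), so the reference resolves and there is no functional change to the release. The same check applies to the coredns, flux-operator, cilium and cert-manager `valuesFrom` renames in this PR: each keeps its original suffix.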
--- kubernetes/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets ConfigMap: external-secrets/external-secrets-helm-values-h9g78hg67k
+++ kubernetes/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets ConfigMap: external-secrets/external-secrets-helm-values-h9g78hg67k
@@ -1,34 +0,0 @@
----
-apiVersion: v1
-data:
- values.yaml: |
- ---
- installCRDs: true
- replicaCount: 1
- leaderElect: true
- image:
- repository: ghcr.io/external-secrets/external-secrets
- webhook:
- image:
- repository: ghcr.io/external-secrets/external-secrets
- serviceMonitor:
- enabled: true
- interval: 1m
- certController:
- image:
- repository: ghcr.io/external-secrets/external-secrets
- serviceMonitor:
- enabled: true
- interval: 1m
- serviceMonitor:
- enabled: true
- interval: 1m
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: external-secrets
- kustomize.toolkit.fluxcd.io/name: external-secrets
- kustomize.toolkit.fluxcd.io/namespace: external-secrets
- name: external-secrets-helm-values-h9g78hg67k
- namespace: external-secrets
-
--- kubernetes/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets ConfigMap: external-secrets/external-secrets-values-h9g78hg67k
+++ kubernetes/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets ConfigMap: external-secrets/external-secrets-values-h9g78hg67k
@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ installCRDs: true
+ replicaCount: 1
+ leaderElect: true
+ image:
+ repository: ghcr.io/external-secrets/external-secrets
+ webhook:
+ image:
+ repository: ghcr.io/external-secrets/external-secrets
+ serviceMonitor:
+ enabled: true
+ interval: 1m
+ certController:
+ image:
+ repository: ghcr.io/external-secrets/external-secrets
+ serviceMonitor:
+ enabled: true
+ interval: 1m
+ serviceMonitor:
+ enabled: true
+ interval: 1m
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: external-secrets
+ kustomize.toolkit.fluxcd.io/name: external-secrets
+ kustomize.toolkit.fluxcd.io/namespace: external-secrets
+ name: external-secrets-values-h9g78hg67k
+ namespace: external-secrets
+
--- kubernetes/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance HelmRelease: flux-system/flux-instance
+++ kubernetes/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance HelmRelease: flux-system/flux-instance
@@ -1,35 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: flux-instance
- namespace: flux-system
-spec:
- chart:
- spec:
- chart: flux-instance
- sourceRef:
- kind: HelmRepository
- name: controlplaneio
- namespace: flux-system
- version: 0.16.0
- dependsOn:
- - name: flux-operator
- namespace: flux-system
- install:
- remediation:
- retries: 3
- interval: 30m
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- strategy: rollback
- valuesFrom:
- - kind: ConfigMap
- name: flux-instance-helm-values-8649hgb9mc
-
--- kubernetes/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance PrometheusRule: flux-system/flux-instance-rules
+++ kubernetes/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance PrometheusRule: flux-system/flux-instance-rules
@@ -1,31 +0,0 @@
----
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: flux-instance-rules
- namespace: flux-system
-spec:
- groups:
- - name: flux-instance.rules
- rules:
- - alert: FluxInstanceAbsent
- annotations:
- summary: Flux instance metric is missing
- expr: |
- absent(flux_instance_info{exported_namespace="flux-system", name="flux"})
- for: 5m
- labels:
- severity: critical
- - alert: FluxInstanceNotReady
- annotations:
- summary: Flux instance {{ $labels.name }} is not ready
- expr: |
- flux_instance_info{exported_namespace="flux-system", name="flux", ready!="True"}
- for: 5m
- labels:
- severity: critical
-
--- kubernetes/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ExternalSecret: flux-system/github-webhook-token
+++ kubernetes/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ExternalSecret: flux-system/github-webhook-token
@@ -1,23 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: github-webhook-token
- namespace: flux-system
-spec:
- dataFrom:
- - extract:
- key: flux
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword
- target:
- name: github-webhook-token-secret
- template:
- data:
- token: '{{ .FLUX_GITHUB_WEBHOOK_TOKEN }}'
-
--- kubernetes/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Ingress: flux-system/github-webhook
+++ kubernetes/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Ingress: flux-system/github-webhook
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: github-webhook
- namespace: flux-system
-spec:
- ingressClassName: external
- rules:
- - host: flux-webhook.devbu.io
- http:
- paths:
- - backend:
- service:
- name: webhook-receiver
- port:
- number: 80
- path: /hook/
- pathType: Prefix
-
--- kubernetes/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Receiver: flux-system/github-webhook
+++ kubernetes/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance Receiver: flux-system/github-webhook
@@ -1,27 +0,0 @@
----
-apiVersion: notification.toolkit.fluxcd.io/v1
-kind: Receiver
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: github-webhook
- namespace: flux-system
-spec:
- events:
- - ping
- - push
- resources:
- - apiVersion: source.toolkit.fluxcd.io/v1
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- - apiVersion: kustomize.toolkit.fluxcd.io/v1
- kind: Kustomization
- name: flux-system
- namespace: flux-system
- secretRef:
- name: github-webhook-token-secret
- type: github
-
--- kubernetes/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ConfigMap: flux-system/flux-instance-helm-values-8649hgb9mc
+++ kubernetes/apps/flux-system/flux-operator/instance Kustomization: flux-system/flux-instance ConfigMap: flux-system/flux-instance-helm-values-8649hgb9mc
@@ -1,117 +0,0 @@
----
-apiVersion: v1
-data:
- values.yaml: |
- ---
- instance:
- distribution:
- # renovate: datasource=github-releases depName=controlplaneio-fluxcd/distribution
- version: 2.5.1
- cluster:
- networkPolicy: false
- components:
- - source-controller
- - kustomize-controller
- - helm-controller
- - notification-controller
- sync:
- kind: GitRepository
- url: https://github.com/onedr0p/home-ops
- ref: refs/heads/main
- path: kubernetes/flux/cluster
- interval: 1h
- commonMetadata:
- labels:
- app.kubernetes.io/name: flux
- kustomize:
- patches:
- - # Add Sops decryption to 'flux-system' Kustomization
- patch: |
- - op: add
- path: /spec/decryption
- value:
- provider: sops
- secretRef:
- name: sops-age
- target:
- group: kustomize.toolkit.fluxcd.io
- kind: Kustomization
- - # Increase the number of workers
- patch: |
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --concurrent=10
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --requeue-dependency=5s
- target:
- kind: Deployment
- name: (kustomize-controller|helm-controller|source-controller)
- - # Increase the memory limits
- patch: |
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: all
- spec:
- template:
- spec:
- containers:
- - name: manager
- resources:
- limits:
- memory: 2Gi
- target:
- kind: Deployment
- name: (kustomize-controller|helm-controller|source-controller)
- - # Enable in-memory kustomize builds
- patch: |
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --concurrent=20
- - op: replace
- path: /spec/template/spec/volumes/0
- value:
- name: temp
- emptyDir:
- medium: Memory
- target:
- kind: Deployment
- name: kustomize-controller
- - # Enable Helm repositories caching
- patch: |
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --helm-cache-max-size=10
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --helm-cache-ttl=60m
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --helm-cache-purge-interval=5m
- target:
- kind: Deployment
- name: source-controller
- - # Flux near OOM detection for Helm
- patch: |
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --feature-gates=OOMWatch=true
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --oom-watch-memory-threshold=95
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --oom-watch-interval=500ms
- target:
- kind: Deployment
- name: helm-controller
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/name: flux-instance
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: flux-instance-helm-values-8649hgb9mc
- namespace: flux-system
-
--- kubernetes/apps/kube-system/coredns/app Kustomization: kube-system/coredns HelmRelease: kube-system/coredns
+++ kubernetes/apps/kube-system/coredns/app Kustomization: kube-system/coredns HelmRelease: kube-system/coredns
@@ -25,8 +25,8 @@
cleanupOnFail: true
remediation:
retries: 3
strategy: rollback
valuesFrom:
- kind: ConfigMap
- name: coredns-helm-values-72bthf6577
+ name: coredns-values-72bthf6577
--- kubernetes/apps/kube-system/coredns/app Kustomization: kube-system/coredns ConfigMap: kube-system/coredns-helm-values-72bthf6577
+++ kubernetes/apps/kube-system/coredns/app Kustomization: kube-system/coredns ConfigMap: kube-system/coredns-helm-values-72bthf6577
@@ -1,64 +0,0 @@
----
-apiVersion: v1
-data:
- values.yaml: |
- ---
- fullnameOverride: coredns
- replicaCount: 2
- k8sAppLabelOverride: kube-dns
- serviceAccount:
- create: true
- service:
- name: kube-dns
- clusterIP: 10.43.0.10
- servers:
- - zones:
- - zone: .
- scheme: dns://
- use_tcp: true
- port: 53
- plugins:
- - name: errors
- - name: health
- configBlock: |-
- lameduck 5s
- - name: ready
- - name: log
- configBlock: |-
- class error
- - name: prometheus
- parameters: 0.0.0.0:9153
- - name: kubernetes
- parameters: cluster.local in-addr.arpa ip6.arpa
- configBlock: |-
- pods insecure
- fallthrough in-addr.arpa ip6.arpa
- - name: forward
- parameters: . /etc/resolv.conf
- - name: cache
- parameters: 30
- - name: loop
- - name: reload
- - name: loadbalance
- affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: node-role.kubernetes.io/control-plane
- operator: Exists
- tolerations:
- - key: CriticalAddonsOnly
- operator: Exists
- - key: node-role.kubernetes.io/control-plane
- operator: Exists
- effect: NoSchedule
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: coredns
- kustomize.toolkit.fluxcd.io/name: coredns
- kustomize.toolkit.fluxcd.io/namespace: kube-system
- name: coredns-helm-values-72bthf6577
- namespace: kube-system
-
--- kubernetes/apps/kube-system/coredns/app Kustomization: kube-system/coredns ConfigMap: kube-system/coredns-values-72bthf6577
+++ kubernetes/apps/kube-system/coredns/app Kustomization: kube-system/coredns ConfigMap: kube-system/coredns-values-72bthf6577
@@ -0,0 +1,64 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ fullnameOverride: coredns
+ replicaCount: 2
+ k8sAppLabelOverride: kube-dns
+ serviceAccount:
+ create: true
+ service:
+ name: kube-dns
+ clusterIP: 10.43.0.10
+ servers:
+ - zones:
+ - zone: .
+ scheme: dns://
+ use_tcp: true
+ port: 53
+ plugins:
+ - name: errors
+ - name: health
+ configBlock: |-
+ lameduck 5s
+ - name: ready
+ - name: log
+ configBlock: |-
+ class error
+ - name: prometheus
+ parameters: 0.0.0.0:9153
+ - name: kubernetes
+ parameters: cluster.local in-addr.arpa ip6.arpa
+ configBlock: |-
+ pods insecure
+ fallthrough in-addr.arpa ip6.arpa
+ - name: forward
+ parameters: . /etc/resolv.conf
+ - name: cache
+ parameters: 30
+ - name: loop
+ - name: reload
+ - name: loadbalance
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: coredns
+ kustomize.toolkit.fluxcd.io/name: coredns
+ kustomize.toolkit.fluxcd.io/namespace: kube-system
+ name: coredns-values-72bthf6577
+ namespace: kube-system
+
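Review bot: while this values block is being moved unchanged (same `72bthf6577` suffix as the deleted copy), the `kubernetes` plugin's `pods insecure` configBlock is worth a follow-up: it answers pod A-record lookups for any IP in the pod CIDR without checking that a matching pod exists, for compatibility with kube-dns, whereas `pods verified` only answers for pods that exist in the namespace. Not a blocker for a reorganization PR, but a cheap hardening to pick up now that the file has a new home.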
--- kubernetes/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator HelmRelease: flux-system/flux-operator
+++ kubernetes/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator HelmRelease: flux-system/flux-operator
@@ -25,8 +25,8 @@
cleanupOnFail: true
remediation:
retries: 3
strategy: rollback
valuesFrom:
- kind: ConfigMap
- name: flux-operator-helm-values-fb7h5gm7k8
+ name: flux-operator-values-fb7h5gm7k8
--- kubernetes/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator ConfigMap: flux-system/flux-operator-helm-values-fb7h5gm7k8
+++ kubernetes/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator ConfigMap: flux-system/flux-operator-helm-values-fb7h5gm7k8
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-data:
- values.yaml: |
- ---
- serviceMonitor:
- create: true
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: flux-operator
- kustomize.toolkit.fluxcd.io/name: flux-operator
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: flux-operator-helm-values-fb7h5gm7k8
- namespace: flux-system
-
--- kubernetes/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator ConfigMap: flux-system/flux-operator-values-fb7h5gm7k8
+++ kubernetes/apps/flux-system/flux-operator/app Kustomization: flux-system/flux-operator ConfigMap: flux-system/flux-operator-values-fb7h5gm7k8
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ serviceMonitor:
+ create: true
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-operator
+ kustomize.toolkit.fluxcd.io/name: flux-operator
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: flux-operator-values-fb7h5gm7k8
+ namespace: flux-system
+
--- kubernetes/apps/kube-system/cilium/config Kustomization: kube-system/cilium-config Service: kube-system/kube-api
+++ kubernetes/apps/kube-system/cilium/config Kustomization: kube-system/cilium-config Service: kube-system/kube-api
@@ -1,24 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- annotations:
- io.cilium/lb-ipam-ips: 192.168.42.120
- labels:
- app.kubernetes.io/name: cilium-config
- kustomize.toolkit.fluxcd.io/name: cilium-config
- kustomize.toolkit.fluxcd.io/namespace: kube-system
- name: kube-api
- namespace: kube-system
-spec:
- externalTrafficPolicy: Cluster
- ports:
- - name: https
- port: 6443
- protocol: TCP
- targetPort: 6443
- selector:
- k8s-app: kube-apiserver
- tier: control-plane
- type: LoadBalancer
-
--- kubernetes/apps/kube-system/cilium/config Kustomization: kube-system/cilium-config CiliumL2AnnouncementPolicy: kube-system/l2-policy
+++ kubernetes/apps/kube-system/cilium/config Kustomization: kube-system/cilium-config CiliumL2AnnouncementPolicy: kube-system/l2-policy
@@ -1,18 +0,0 @@
----
-apiVersion: cilium.io/v2alpha1
-kind: CiliumL2AnnouncementPolicy
-metadata:
- labels:
- app.kubernetes.io/name: cilium-config
- kustomize.toolkit.fluxcd.io/name: cilium-config
- kustomize.toolkit.fluxcd.io/namespace: kube-system
- name: l2-policy
- namespace: kube-system
-spec:
- interfaces:
- - ^enp.*
- loadBalancerIPs: true
- nodeSelector:
- matchLabels:
- kubernetes.io/os: linux
-
--- kubernetes/apps/kube-system/cilium/config Kustomization: kube-system/cilium-config CiliumBGPPeeringPolicy: kube-system/l3-policy
+++ kubernetes/apps/kube-system/cilium/config Kustomization: kube-system/cilium-config CiliumBGPPeeringPolicy: kube-system/l3-policy
@@ -1,27 +0,0 @@
----
-apiVersion: cilium.io/v2alpha1
-kind: CiliumBGPPeeringPolicy
-metadata:
- labels:
- app.kubernetes.io/name: cilium-config
- kustomize.toolkit.fluxcd.io/name: cilium-config
- kustomize.toolkit.fluxcd.io/namespace: kube-system
- name: l3-policy
- namespace: kube-system
-spec:
- nodeSelector:
- matchLabels:
- kubernetes.io/os: linux
- virtualRouters:
- - exportPodCIDR: false
- localASN: 64514
- neighbors:
- - peerASN: 64513
- peerAddress: 192.168.1.1/32
- serviceSelector:
- matchExpressions:
- - key: thisFakeSelector
- operator: NotIn
- values:
- - will-match-and-announce-all-services
-
--- kubernetes/apps/kube-system/cilium/config Kustomization: kube-system/cilium-config CiliumLoadBalancerIPPool: kube-system/pool
+++ kubernetes/apps/kube-system/cilium/config Kustomization: kube-system/cilium-config CiliumLoadBalancerIPPool: kube-system/pool
@@ -1,15 +0,0 @@
----
-apiVersion: cilium.io/v2alpha1
-kind: CiliumLoadBalancerIPPool
-metadata:
- labels:
- app.kubernetes.io/name: cilium-config
- kustomize.toolkit.fluxcd.io/name: cilium-config
- kustomize.toolkit.fluxcd.io/namespace: kube-system
- name: pool
- namespace: kube-system
-spec:
- allowFirstLastIPs: 'No'
- blocks:
- - cidr: 192.168.42.0/24
-
--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium HelmRelease: kube-system/cilium
+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium HelmRelease: kube-system/cilium
@@ -28,8 +28,8 @@
strategy: rollback
values:
operator:
tolerations: []
valuesFrom:
- kind: ConfigMap
- name: cilium-helm-values-h89k98cc5h
+ name: cilium-values-h89k98cc5h
--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium ConfigMap: kube-system/cilium-helm-values-h89k98cc5h
+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium ConfigMap: kube-system/cilium-helm-values-h89k98cc5h
@@ -1,93 +0,0 @@
----
-apiVersion: v1
-data:
- values.yaml: |
- ---
- autoDirectNodeRoutes: true
- bandwidthManager:
- enabled: true
- bbr: true
- bpf:
- datapathMode: netkit
- masquerade: true
- preallocateMaps: true
- tproxy: true
- bgpControlPlane:
- enabled: true
- cgroup:
- automount:
- enabled: false
- hostRoot: /sys/fs/cgroup
- cluster:
- id: 1
- name: main
- cni:
- exclusive: false
- devices: enp+
- enableIPv4BIGTCP: true
- endpointRoutes:
- enabled: true
- envoy:
- enabled: false
- hubble:
- enabled: false
- ipam:
- mode: kubernetes
- ipv4NativeRoutingCIDR: 10.42.0.0/16
- k8sServiceHost: 127.0.0.1
- k8sServicePort: 7445
- kubeProxyReplacement: true
- kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
- l2announcements:
- enabled: true
- loadBalancer:
- algorithm: maglev
- mode: dsr
- localRedirectPolicy: true
- operator:
- dashboards:
- enabled: true
- prometheus:
- enabled: true
- serviceMonitor:
- enabled: true
- replicas: 2
- rollOutPods: true
- prometheus:
- enabled: true
- serviceMonitor:
- enabled: true
- trustCRDsExist: true
- dashboards:
- enabled: true
- rollOutCiliumPods: true
- routingMode: native
- securityContext:
- capabilities:
- ciliumAgent:
- - CHOWN
- - KILL
- - NET_ADMIN
- - NET_RAW
- - IPC_LOCK
- - SYS_ADMIN
- - SYS_RESOURCE
- - PERFMON
- - BPF
- - DAC_OVERRIDE
- - FOWNER
- - SETGID
- - SETUID
- cleanCiliumState:
- - NET_ADMIN
- - SYS_ADMIN
- - SYS_RESOURCE
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: cilium
- kustomize.toolkit.fluxcd.io/name: cilium
- kustomize.toolkit.fluxcd.io/namespace: kube-system
- name: cilium-helm-values-h89k98cc5h
- namespace: kube-system
-
--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium CiliumLoadBalancerIPPool: kube-system/pool
+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium CiliumLoadBalancerIPPool: kube-system/pool
@@ -0,0 +1,15 @@
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumLoadBalancerIPPool
+metadata:
+ labels:
+ app.kubernetes.io/name: cilium
+ kustomize.toolkit.fluxcd.io/name: cilium
+ kustomize.toolkit.fluxcd.io/namespace: kube-system
+ name: pool
+ namespace: kube-system
+spec:
+ allowFirstLastIPs: 'No'
+ blocks:
+ - cidr: 192.168.42.0/24
+
--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium CiliumL2AnnouncementPolicy: kube-system/l2-policy
+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium CiliumL2AnnouncementPolicy: kube-system/l2-policy
@@ -0,0 +1,18 @@
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumL2AnnouncementPolicy
+metadata:
+ labels:
+ app.kubernetes.io/name: cilium
+ kustomize.toolkit.fluxcd.io/name: cilium
+ kustomize.toolkit.fluxcd.io/namespace: kube-system
+ name: l2-policy
+ namespace: kube-system
+spec:
+ interfaces:
+ - ^enp.*
+ loadBalancerIPs: true
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/os: linux
+
--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium CiliumBGPPeeringPolicy: kube-system/l3-policy
+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium CiliumBGPPeeringPolicy: kube-system/l3-policy
@@ -0,0 +1,27 @@
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPPeeringPolicy
+metadata:
+ labels:
+ app.kubernetes.io/name: cilium
+ kustomize.toolkit.fluxcd.io/name: cilium
+ kustomize.toolkit.fluxcd.io/namespace: kube-system
+ name: l3-policy
+ namespace: kube-system
+spec:
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/os: linux
+ virtualRouters:
+ - exportPodCIDR: false
+ localASN: 64514
+ neighbors:
+ - peerASN: 64513
+ peerAddress: 192.168.1.1/32
+ serviceSelector:
+ matchExpressions:
+ - key: thisFakeSelector
+ operator: NotIn
+ values:
+ - will-match-and-announce-all-services
+
--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium Service: kube-system/kube-api
+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium Service: kube-system/kube-api
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ io.cilium/lb-ipam-ips: 192.168.42.120
+ labels:
+ app.kubernetes.io/name: cilium
+ kustomize.toolkit.fluxcd.io/name: cilium
+ kustomize.toolkit.fluxcd.io/namespace: kube-system
+ name: kube-api
+ namespace: kube-system
+spec:
+ externalTrafficPolicy: Cluster
+ ports:
+ - name: https
+ port: 6443
+ protocol: TCP
+ targetPort: 6443
+ selector:
+ k8s-app: kube-apiserver
+ tier: control-plane
+ type: LoadBalancer
+
--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium ConfigMap: kube-system/cilium-values-h89k98cc5h
+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium ConfigMap: kube-system/cilium-values-h89k98cc5h
@@ -0,0 +1,93 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ autoDirectNodeRoutes: true
+ bandwidthManager:
+ enabled: true
+ bbr: true
+ bpf:
+ datapathMode: netkit
+ masquerade: true
+ preallocateMaps: true
+ tproxy: true
+ bgpControlPlane:
+ enabled: true
+ cgroup:
+ automount:
+ enabled: false
+ hostRoot: /sys/fs/cgroup
+ cluster:
+ id: 1
+ name: main
+ cni:
+ exclusive: false
+ devices: enp+
+ enableIPv4BIGTCP: true
+ endpointRoutes:
+ enabled: true
+ envoy:
+ enabled: false
+ hubble:
+ enabled: false
+ ipam:
+ mode: kubernetes
+ ipv4NativeRoutingCIDR: 10.42.0.0/16
+ k8sServiceHost: 127.0.0.1
+ k8sServicePort: 7445
+ kubeProxyReplacement: true
+ kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
+ l2announcements:
+ enabled: true
+ loadBalancer:
+ algorithm: maglev
+ mode: dsr
+ localRedirectPolicy: true
+ operator:
+ dashboards:
+ enabled: true
+ prometheus:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ replicas: 2
+ rollOutPods: true
+ prometheus:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ trustCRDsExist: true
+ dashboards:
+ enabled: true
+ rollOutCiliumPods: true
+ routingMode: native
+ securityContext:
+ capabilities:
+ ciliumAgent:
+ - CHOWN
+ - KILL
+ - NET_ADMIN
+ - NET_RAW
+ - IPC_LOCK
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ - PERFMON
+ - BPF
+ - DAC_OVERRIDE
+ - FOWNER
+ - SETGID
+ - SETUID
+ cleanCiliumState:
+ - NET_ADMIN
+ - SYS_ADMIN
+ - SYS_RESOURCE
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: cilium
+ kustomize.toolkit.fluxcd.io/name: cilium
+ kustomize.toolkit.fluxcd.io/namespace: kube-system
+ name: cilium-values-h89k98cc5h
+ namespace: kube-system
+
--- kubernetes/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager HelmRelease: cert-manager/cert-manager
+++ kubernetes/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager HelmRelease: cert-manager/cert-manager
@@ -25,8 +25,8 @@
cleanupOnFail: true
remediation:
retries: 3
strategy: rollback
valuesFrom:
- kind: ConfigMap
- name: cert-manager-helm-values-hgg6hf7kh2
+ name: cert-manager-values-hgg6hf7kh2
--- kubernetes/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager ConfigMap: cert-manager/cert-manager-helm-values-hgg6hf7kh2
+++ kubernetes/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager ConfigMap: cert-manager/cert-manager-helm-values-hgg6hf7kh2
@@ -1,23 +0,0 @@
----
-apiVersion: v1
-data:
- values.yaml: |
- ---
- crds:
- enabled: true
- replicaCount: 1
- dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
- dns01RecursiveNameserversOnly: true
- prometheus:
- enabled: true
- servicemonitor:
- enabled: true
-kind: ConfigMap
-metadata:
- labels:
- app.kubernetes.io/name: cert-manager
- kustomize.toolkit.fluxcd.io/name: cert-manager
- kustomize.toolkit.fluxcd.io/namespace: cert-manager
- name: cert-manager-helm-values-hgg6hf7kh2
- namespace: cert-manager
-
--- kubernetes/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager ConfigMap: cert-manager/cert-manager-values-hgg6hf7kh2
+++ kubernetes/apps/cert-manager/cert-manager/app Kustomization: cert-manager/cert-manager ConfigMap: cert-manager/cert-manager-values-hgg6hf7kh2
@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ crds:
+ enabled: true
+ replicaCount: 1
+ dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
+ dns01RecursiveNameserversOnly: true
+ prometheus:
+ enabled: true
+ servicemonitor:
+ enabled: true
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: cert-manager
+ kustomize.toolkit.fluxcd.io/name: cert-manager
+ kustomize.toolkit.fluxcd.io/namespace: cert-manager
+ name: cert-manager-values-hgg6hf7kh2
+ namespace: cert-manager
+
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/flux-instance
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/flux-instance
@@ -12,14 +12,17 @@
labels:
app.kubernetes.io/name: flux-instance
decryption:
provider: sops
secretRef:
name: sops-age
+ dependsOn:
+ - name: onepassword
+ namespace: external-secrets
interval: 30m
- path: ./kubernetes/apps/flux-system/flux-operator/instance
+ path: ./kubernetes/apps/flux-system/flux-instance/app
prune: false
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: flux-system
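Review bot: the new `dependsOn` on `onepassword` (namespace `external-secrets`) is needed because the `github-webhook-token` ExternalSecret in this Kustomization references `ClusterSecretStore/onepassword`, but please confirm it does not create a bootstrap deadlock: this Kustomization reconciles the `flux-instance` HelmRelease that defines the Flux controllers themselves (source, kustomize, helm, notification), and `onepassword` cannot become Ready until those controllers have reconciled external-secrets. On a running cluster this is fine; on a cold bootstrap the instance would need to exist before this Kustomization is gated. The path move itself is safe with `prune: false` because the Kustomization keeps its name (`flux-instance`), so the inventory and the `kustomize.toolkit.fluxcd.io/name` labels on the managed objects do not change.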
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: kube-system/cilium
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: kube-system/cilium
@@ -20,9 +20,9 @@
prune: false
sourceRef:
kind: GitRepository
name: flux-system
namespace: flux-system
targetNamespace: kube-system
- timeout: 5m
+ timeout: 15m
wait: false
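Review bot: raising `timeout` from 5m to 15m does not address the ordering question this reorganization introduces. The CiliumLoadBalancerIPPool, CiliumL2AnnouncementPolicy and CiliumBGPPeeringPolicy objects now live in the same `kube-system/cilium` Kustomization as the HelmRelease that installs their CRDs, and with `wait: false` the controller applies them without waiting for the HelmRelease to be Ready; on a fresh cluster the server-side apply fails with an unknown-kind error until the chart's CRDs exist, and the whole Kustomization is retried on the next interval rather than within the timeout window. Consider a short `retryInterval` for this Kustomization, or keep the Cilium CRs in a Kustomization that `dependsOn` `cilium`, as the deleted `cilium-config` Kustomization effectively did.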
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: kube-system/cilium-config
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: kube-system/cilium-config
@@ -1,28 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: cluster-apps
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: cilium-config
- namespace: kube-system
-spec:
- commonMetadata:
- labels:
- app.kubernetes.io/name: cilium-config
- decryption:
- provider: sops
- secretRef:
- name: sops-age
- interval: 30m
- path: ./kubernetes/apps/kube-system/cilium/config
- prune: false
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- targetNamespace: kube-system
- timeout: 5m
- wait: false
-
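Review bot: because this Kustomization had `prune: false`, deleting it leaves `kube-api`, `l2-policy`, `l3-policy` and `pool` in place for the `cilium` Kustomization to adopt via server-side apply (only their `kustomize.toolkit.fluxcd.io/name` label changes from `cilium-config` to `cilium`), so there is no window in which the API-server LoadBalancer at `192.168.42.120` or the BGP/L2 announcements disappear. Worth stating that in the PR description, since the same objects appear as full deletions and additions in this diff.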
--- kubernetes/apps/flux-system/flux-instance/app Kustomization: flux-system/flux-instance HelmRelease: flux-system/flux-instance
+++ kubernetes/apps/flux-system/flux-instance/app Kustomization: flux-system/flux-instance HelmRelease: flux-system/flux-instance
@@ -0,0 +1,35 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: flux-instance
+ namespace: flux-system
+spec:
+ chart:
+ spec:
+ chart: flux-instance
+ sourceRef:
+ kind: HelmRepository
+ name: controlplaneio
+ namespace: flux-system
+ version: 0.16.0
+ dependsOn:
+ - name: flux-operator
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ valuesFrom:
+ - kind: ConfigMap
+ name: flux-instance-values-8649hgb9mc
+
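Review bot: `valuesFrom` now points at `flux-instance-values-8649hgb9mc`, whose suffix matches the deleted `flux-instance-helm-values-8649hgb9mc` ConfigMap, so the instance values (sops decryption patch, controller concurrency, memory limits, OOM watch) are carried over unchanged; the generated ConfigMap under the new name is not within the visible part of this diff, so confirm it is produced by the `flux-system/flux-instance` Kustomization alongside this HelmRelease. Everything else in the hunk (`dependsOn: flux-operator`, chart version 0.16.0, rollback remediation) is identical to the deleted copy.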
--- kubernetes/apps/flux-system/flux-instance/app Kustomization: flux-system/flux-instance PrometheusRule: flux-system/flux-instance-rules
+++ kubernetes/apps/flux-system/flux-instance/app Kustomization: flux-system/flux-instance PrometheusRule: flux-system/flux-instance-rules
@@ -0,0 +1,31 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: flux-instance-rules
+ namespace: flux-system
+spec:
+ groups:
+ - name: flux-instance.rules
+ rules:
+ - alert: FluxInstanceAbsent
+ annotations:
+ summary: Flux instance metric is missing
+ expr: |
+ absent(flux_instance_info{exported_namespace="flux-system", name="flux"})
+ for: 5m
+ labels:
+ severity: critical
+ - alert: FluxInstanceNotReady
+ annotations:
+ summary: Flux instance {{ $labels.name }} is not ready
+ expr: |
+ flux_instance_info{exported_namespace="flux-system", name="flux", ready!="True"}
+ for: 5m
+ labels:
+ severity: critical
+
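Review bot: both alerts hard-code the selector `{exported_namespace="flux-system", name="flux"}`; if the live series carries `namespace` rather than `exported_namespace` (this depends on whether the scrape config honours labels) or the instance is not named `flux`, `FluxInstanceAbsent` fires permanently while `FluxInstanceNotReady` can never fire, and neither failure is visible from the rule file. Check the label set against a real `flux_instance_info` sample and add a `promtool test rules` case for the `ready!="True"` branch so a label rename is caught in CI.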
--- kubernetes/apps/flux-system/flux-instance/app Kustomization: flux-system/flux-instance ExternalSecret: flux-system/github-webhook-token
+++ kubernetes/apps/flux-system/flux-instance/app Kustomization: flux-system/flux-instance ExternalSecret: flux-system/github-webhook-token
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: github-webhook-token
+ namespace: flux-system
+spec:
+ dataFrom:
+ - extract:
+ key: flux
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword
+ target:
+ name: github-webhook-token-secret
+ template:
+ data:
+ token: '{{ .FLUX_GITHUB_WEBHOOK_TOKEN }}'
+
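Review bot: no `refreshInterval` is set, so the external-secrets default of 1h applies; after rotating `FLUX_GITHUB_WEBHOOK_TOKEN` in 1Password, GitHub deliveries signed with the new secret are rejected for up to an hour until the `token` key is refreshed. Consider an explicit, shorter `refreshInterval`. The `extract` pulls every field of the `flux` item, but with the default template merge policy only the templated `token` key reaches the Secret, which is the right minimisation here.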
--- kubernetes/apps/flux-system/flux-instance/app Kustomization: flux-system/flux-instance Ingress: flux-system/github-webhook
+++ kubernetes/apps/flux-system/flux-instance/app Kustomization: flux-system/flux-instance Ingress: flux-system/github-webhook
@@ -0,0 +1,24 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: github-webhook
+ namespace: flux-system
+spec:
+ ingressClassName: external
+ rules:
+ - host: flux-webhook.devbu.io
+ http:
+ paths:
+ - backend:
+ service:
+ name: webhook-receiver
+ port:
+ number: 80
+ path: /hook/
+ pathType: Prefix
+
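Review bot: the Ingress has no `tls:` block, so unless the `external` ingress class terminates TLS with a default certificate, the GitHub payload and its signature header cross the internet in clear text and the HMAC check in notification-controller is the only thing protecting the receiver. State in the manifest (a comment is enough) where TLS is terminated, and consider restricting the `/hook/` prefix to GitHub's published webhook source ranges at the ingress if the controller supports an allow-list, since the hashed hook path is the only secret in the URL.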
--- kubernetes/apps/flux-system/flux-instance/app Kustomization: flux-system/flux-instance Receiver: flux-system/github-webhook
+++ kubernetes/apps/flux-system/flux-instance/app Kustomization: flux-system/flux-instance Receiver: flux-system/github-webhook
@@ -0,0 +1,27 @@
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: github-webhook
+ namespace: flux-system
+spec:
+ events:
+ - ping
+ - push
+ resources:
+ - apiVersion: source.toolkit.fluxcd.io/v1
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ - apiVersion: kustomize.toolkit.fluxcd.io/v1
+ kind: Kustomization
+ name: flux-system
+ namespace: flux-system
+ secretRef:
+ name: github-webhook-token-secret
+ type: github
+
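Review bot: the `github` receiver type verifies the `X-Hub-Signature-256` HMAC with the `token` key of `github-webhook-token-secret`, and notification-controller derives the webhook path published in `status.webhookPath` from the receiver name, namespace and that token, so rotating the token also changes the URL GitHub must call; document the rotation procedure (rotate the secret, read the new path, update the GitHub webhook). Listing the `flux-system` Kustomization alongside the GitRepository is fine for forcing an immediate apply, but the GitRepository alone already triggers the chain.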
--- kubernetes/apps/flux-system/flux-instance/app Kustomization: flux-system/flux-instance ConfigMap: flux-system/flux-instance-values-8649hgb9mc
+++ kubernetes/apps/flux-system/flux-instance/app Kustomization: flux-system/flux-instance ConfigMap: flux-system/flux-instance-values-8649hgb9mc
@@ -0,0 +1,117 @@
+---
+apiVersion: v1
+data:
+ values.yaml: |
+ ---
+ instance:
+ distribution:
+ # renovate: datasource=github-releases depName=controlplaneio-fluxcd/distribution
+ version: 2.5.1
+ cluster:
+ networkPolicy: false
+ components:
+ - source-controller
+ - kustomize-controller
+ - helm-controller
+ - notification-controller
+ sync:
+ kind: GitRepository
+ url: https://github.com/onedr0p/home-ops
+ ref: refs/heads/main
+ path: kubernetes/flux/cluster
+ interval: 1h
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: flux
+ kustomize:
+ patches:
+ - # Add Sops decryption to 'flux-system' Kustomization
+ patch: |
+ - op: add
+ path: /spec/decryption
+ value:
+ provider: sops
+ secretRef:
+ name: sops-age
+ target:
+ group: kustomize.toolkit.fluxcd.io
+ kind: Kustomization
+ - # Increase the number of workers
+ patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --concurrent=10
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --requeue-dependency=5s
+ target:
+ kind: Deployment
+ name: (kustomize-controller|helm-controller|source-controller)
+ - # Increase the memory limits
+ patch: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: all
+ spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ resources:
+ limits:
+ memory: 2Gi
+ target:
+ kind: Deployment
+ name: (kustomize-controller|helm-controller|source-controller)
+ - # Enable in-memory kustomize builds
+ patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --concurrent=20
+ - op: replace
+ path: /spec/template/spec/volumes/0
+ value:
+ name: temp
+ emptyDir:
+ medium: Memory
+ target:
+ kind: Deployment
+ name: kustomize-controller
+ - # Enable Helm repositories caching
+ patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --helm-cache-max-size=10
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --helm-cache-ttl=60m
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --helm-cache-purge-interval=5m
+ target:
+ kind: Deployment
+ name: source-controller
+ - # Flux near OOM detection for Helm
+ patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --feature-gates=OOMWatch=true
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --oom-watch-memory-threshold=95
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --oom-watch-interval=500ms
+ target:
+ kind: Deployment
+ name: helm-controller
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/name: flux-instance
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: flux-instance-values-8649hgb9mc
+ namespace: flux-system
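Review bot: the kustomize-controller Deployment receives `--concurrent` twice: `--concurrent=10` from the patch targeting `(kustomize-controller|helm-controller|source-controller)` and `--concurrent=20` from the later kustomize-controller-only patch (whose comment, `# Enable in-memory kustomize builds`, does not mention concurrency at all), so the effective value depends on the flag parser's last-wins behaviour rather than on what the file says. Drop kustomize-controller from the first regex or remove the second `--concurrent` op so each controller gets exactly one value. Separately, `cluster.networkPolicy: false` turns off the default Flux network policies that deny ingress to the controllers from other namespaces except for scraping and the notification-controller webhook endpoints; say in a comment why they are disabled, and consider keeping them and adding a narrower allow rule if only one extra path is needed.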
+ |
Signed-off-by: Devin Buhl <devin@buhl.casa>
Signed-off-by: Devin Buhl <devin@buhl.casa>
Signed-off-by: Devin Buhl <devin@buhl.casa>
Signed-off-by: Devin Buhl <devin@buhl.casa>
Signed-off-by: Devin Buhl <devin@buhl.casa>
Signed-off-by: Devin Buhl <devin@buhl.casa>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.