diff --git a/nix/kubernetes/README.org b/nix/kubernetes/README.org
index 4e1aa19e..6cf08ee0 100644
--- a/nix/kubernetes/README.org
+++ b/nix/kubernetes/README.org
@@ -11,13 +11,14 @@
 ];
 #+end_src
 * IP Ranges
-| | IPv4 | IPv6 |
-|------------------------------+-----------------------------+-----------------------------------------|
-| Pod | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96 |
-| Service | 10.197.0.0/16 | fd00:3e42:e349::/112 |
-| Node | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
-| Load Balancer | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96 |
-| PowerDNS from inside cluster | 10.215.1.211 | |
+| | IPv4 | IPv6 |
+|--------------------------------+-----------------------------+-----------------------------------------|
+| Pod | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96 |
+| Service | 10.197.0.0/16 | fd00:3e42:e349::/112 |
+| Node | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
+| Load Balancer | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96 |
+| Load Balancer Private (unused) | 10.198.0.0/16 | fd9c:0bd5:22a4::/112 |
+| PowerDNS from inside cluster | 10.215.1.211 | |
 * Healthcheck
 ** Check cilium status
 #+begin_src bash
diff --git a/nix/kubernetes/keys/package/k8s-secret-generic/package.nix b/nix/kubernetes/keys/package/k8s-secret-generic/package.nix
index 6aea5e01..c708d249 100644
--- a/nix/kubernetes/keys/package/k8s-secret-generic/package.nix
+++ b/nix/kubernetes/keys/package/k8s-secret-generic/package.nix
@@ -16,19 +16,29 @@ secret_name, secret_namespace, secret_values ? { }, + secret_type ? null, + secret_annotations ? null, ... }: let toBase64 = (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }).toBase64; + metadata = { + name = "${secret_name}"; + namespace = "${secret_namespace}"; + } + // lib.optionalAttrs (secret_annotations != null) { + "annotations" = secret_annotations; + }; secret_yaml = { apiVersion = "v1"; kind = "Secret"; - metadata = { - name = "${secret_name}"; - namespace = "${secret_namespace}"; - }; + metadata = metadata; data = (builtins.mapAttrs (key: val: (toBase64 val)) secret_values); + } + // lib.optionalAttrs (secret_type != null) { + "type" = secret_type; }; + settingsFormat = pkgs.formats.yaml { }; yaml_body = settingsFormat.generate "${secret_name}.yaml" secret_yaml; yaml_file = pkgs.writeTextFile { diff --git a/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix b/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix index a97fcb50..3663bc49 100644 --- a/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix +++ b/nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix 
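Review bot: The new `secret_type` and `secret_annotations` parameters are undocumented, and the hunk writes `metadata = metadata;` where the file's own style (`inherit lib;`) would be `inherit metadata;`; the quoted keys `"annotations"` and `"type"` can likewise be plain identifiers. Suggest a comment on the parameter block such as `# secret_type: Kubernetes Secret "type" (omitted → Opaque); secret_annotations: attrset merged into metadata.annotations, omitted when null`. Note that the guard is `!= null`, so passing `{ }` still emits an empty `annotations:` map — harmless, but worth stating if that is intended. The function's parameter block starts outside the hunk.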
@@ -13,13 +13,33 @@ let ( secret_namespace: secrets: (builtins.mapAttrs ( - secret_name: secret_values: + secret_name: original_secret_values: + let + secret_type = original_secret_values."__type" or null; + secret_annotations = original_secret_values."__annotations" or null; + secret_values = removeAttrs original_secret_values [ + "__type" + "__annotations" + ]; + in (callPackage ../../package/k8s-secret-generic/package.nix { - inherit secret_name secret_namespace secret_values; + inherit + secret_name + secret_namespace + secret_values + secret_type + secret_annotations + ; }) ) secrets) ) { + "archive-box" = { + "archive-box-auth" = { + "username" = (builtins.readFile "${./secrets/archive-box/archive-box-auth/username}"); + "password" = (builtins.readFile "${./secrets/archive-box/archive-box-auth/password}"); + }; + }; "cert-manager" = { "rfc2136" = { "TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}"); @@ -37,6 +57,11 @@ let ); }; }; + "flux-system" = { + "webhook-token" = { + "token" = generate_key 64 "flux-system.webhook-token.token"; + }; + }; "gitea" = { "gitea-env" = { "GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}"); 
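Review bot: The `__type` / `__annotations` keys introduce a reserved-key convention — any entry under those names is stripped by `removeAttrs` and never reaches the Secret's data — which is intentional here but invisible to anyone adding secrets later. Suggest a comment above `secret_name: original_secret_values:` such as `# Entries named __type / __annotations are metadata, not data: they set the Secret's type and metadata.annotations and are removed from the data map`. The enclosing `let` binding starts outside the hunk.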
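Review bot: `"token" = generate_key 64 "flux-system.webhook-token.token";` depends on the helper visible as context in a later hunk, `dd if=/dev/urandom | tr … | dd bs=${toString len} count=1`, and a final `dd count=1` reading from a pipe stops after a single read(2), which may in principle return fewer than `len` bytes, so the token length is not guaranteed. That helper is pre-existing, raised here because this new entry is a bearer credential whose strength is its length; `head -c ${toString len}` in place of the final `dd`, or `iflag=fullblock` on it, would make the length deterministic. Confirm whether `generate_key` is also used by the existing entries before changing it.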
@@ -59,6 +84,29 @@ let ); }; }; + "tekton-gateway" = { + "oauth2-env" = oauth2_env { dex_id = "tekton"; }; + }; + "webhook-bridge" = { + "webhook-bridge" = { + "HMAC_TOKEN" = (builtins.readFile "${./secrets/webhook-bridge/webhook-bridge/HMAC_TOKEN}"); + "OAUTH_TOKEN" = (builtins.readFile "${./secrets/webhook-bridge/webhook-bridge/OAUTH_TOKEN}"); + }; + "deployer-key" = { + "__annotations" = { + "tekton.dev/git-0" = "code.fizz.buzz"; + }; + "__type" = "kubernetes.io/ssh-auth"; + "ssh-privatekey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-privatekey}"); + "ssh-publickey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-publickey}"); + }; + "gitea" = { + "token" = (builtins.readFile "${./secrets/webhook-bridge/gitea/token}"); + }; + "harbor-plain" = { + "config.json" = (builtins.readFile "${./secrets/webhook-bridge/harbor-plain/config.json}"); + }; + }; }; encrypted_secrets = ( builtins.mapAttrs ( @@ -101,8 +149,31 @@ let dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out" '' ); - helm_json_escape = json: builtins.toJSON json; - + # helm_json_escape = json: builtins.toJSON json; + helm_json_escape = + json: + builtins.replaceStrings + [ + "=" + "[" + "]" + "," + "." + "\"" + "{" + "}" + ] + [ + "\\=" + "\\[" + "\\]" + "\\," + "\\." + "\\\"" + "\\{" + "\\}" + ] + json; ## dex get_dex_config = client_id: diff --git a/nix/kubernetes/roles/kubelet/default.nix b/nix/kubernetes/roles/kubelet/default.nix index 5f4e78e6..a226bc44 100644 --- a/nix/kubernetes/roles/kubelet/default.nix +++ b/nix/kubernetes/roles/kubelet/default.nix @@ -32,7 +32,7 @@ let containerRuntimeEndpoint = "unix:///var/run/containerd/containerd.sock"; enableServer = true; failSwapOn = false; - maxPods = 16; + maxPods = 110; memorySwap = { swapBehavior = "NoSwap"; };
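Review bot: `deployer-key` is typed `kubernetes.io/ssh-auth` and annotated `tekton.dev/git-0` for `code.fizz.buzz` but carries no `known_hosts` entry; Tekton's credential initializer reads that key to pin the Git host's SSH host key, and without it the host key is either fetched at run time or checking is relaxed, depending on the Tekton version — confirm the version in use and consider adding `"known_hosts" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/known_hosts}");` (constructed path, following the hunk's layout). The `ssh-publickey` entry is not part of the `ssh-auth` contract, which requires only `ssh-privatekey`; harmless, but a comment naming the consumer that reads it would help. `harbor-plain` with key `config.json` presumably is a Docker config mounted as a file rather than a pull secret — if a pull secret is intended, the type would be `kubernetes.io/dockerconfigjson` with key `.dockerconfigjson`.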
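Review bot: `helm_json_escape` no longer JSON-encodes: it backslash-escapes `= [ ] , . " { }` in a string, which looks like escaping for a Helm `--set` value, so both the function name and the `json` parameter name are now misleading, and the old body is left behind as a comment rather than removed. A literal backslash in the input is not escaped, so a value containing one would be mis-read by a backslash-aware parser; because `builtins.replaceStrings` is single-pass, adding `"\\"` → `"\\\\"` to the two lists is safe at any position. Suggest replacing the commented-out line with `# Escape a plain string for use as a Helm --set value; callers must pass a string, not an attrset (replaceStrings rejects non-strings).` and considering a rename. The surrounding `let` continues outside the hunk.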
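Review bot: Raising `maxPods` from 16 to 110 only takes effect if each node's pod CIDR has at least that many usable addresses; the README documents the cluster pod range `10.200.0.0/16`, but the per-node prefix Cilium allocates is not visible here — confirm it is no smaller than a /25 (a /24 gives 254). A comment on the line, `# 110 is the upstream kubelet default; the per-node pod CIDR must cover it`, would record the reasoning for the next reader.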