b531c675ed
...
ae5519bb39
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
ae5519bb39
|
||
|
|
795216d989
|
||
|
|
26cbb79960
|
||
|
|
b129bf5e3e
|
||
|
|
9beffb46b6
|
||
|
|
70f180f3c8
|
@@ -11,13 +11,14 @@
|
||||
];
|
||||
#+end_src
|
||||
* IP Ranges
|
||||
| | IPv4 | IPv6 |
|
||||
|------------------------------+-----------------------------+-----------------------------------------|
|
||||
| Pod | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96 |
|
||||
| Service | 10.197.0.0/16 | fd00:3e42:e349::/112 |
|
||||
| Node | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
|
||||
| Load Balancer | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96 |
|
||||
| PowerDNS from inside cluster | 10.215.1.211 | |
|
||||
| | IPv4 | IPv6 |
|
||||
|--------------------------------+-----------------------------+-----------------------------------------|
|
||||
| Pod | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96 |
|
||||
| Service | 10.197.0.0/16 | fd00:3e42:e349::/112 |
|
||||
| Node | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
|
||||
| Load Balancer | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96 |
|
||||
| Load Balancer Private (unused) | 10.198.0.0/16 | fd9c:0bd5:22a4::/112 |
|
||||
| PowerDNS from inside cluster | 10.215.1.211 | |
|
||||
* Healthcheck
|
||||
** Check cilium status
|
||||
#+begin_src bash
|
||||
|
||||
@@ -6,10 +6,10 @@ metadata:
|
||||
name: flux-operator-web
|
||||
namespace: flux-system
|
||||
labels:
|
||||
helm.sh/chart: flux-operator-0.37.1
|
||||
helm.sh/chart: flux-operator-0.48.0
|
||||
app.kubernetes.io/name: flux-operator
|
||||
app.kubernetes.io/instance: flux-operator
|
||||
app.kubernetes.io/version: "v0.37.1"
|
||||
app.kubernetes.io/version: "v0.48.0"
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
spec:
|
||||
policyTypes:
|
||||
@@ -32,10 +32,10 @@ metadata:
|
||||
name: flux-operator
|
||||
namespace: flux-system
|
||||
labels:
|
||||
helm.sh/chart: flux-operator-0.37.1
|
||||
helm.sh/chart: flux-operator-0.48.0
|
||||
app.kubernetes.io/name: flux-operator
|
||||
app.kubernetes.io/instance: flux-operator
|
||||
app.kubernetes.io/version: "v0.37.1"
|
||||
app.kubernetes.io/version: "v0.48.0"
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
automountServiceAccountToken: true
|
||||
---
|
||||
@@ -44,14 +44,14 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
controller-gen.kubebuilder.io/version: v0.20.0
|
||||
helm.sh/resource-policy: keep
|
||||
labels:
|
||||
app.kubernetes.io/instance: 'flux-operator'
|
||||
app.kubernetes.io/managed-by: 'Helm'
|
||||
app.kubernetes.io/name: 'flux-operator'
|
||||
app.kubernetes.io/version: 'v0.37.1'
|
||||
helm.sh/chart: 'flux-operator-0.37.1'
|
||||
app.kubernetes.io/version: 'v0.48.0'
|
||||
helm.sh/chart: 'flux-operator-0.48.0'
|
||||
name: fluxinstances.fluxcd.controlplane.io
|
||||
spec:
|
||||
group: fluxcd.controlplane.io
|
||||
@@ -205,7 +205,11 @@ spec:
|
||||
components:
|
||||
description: |-
|
||||
Components is the list of controllers to install.
|
||||
Defaults to a commonly used subset.
|
||||
Defaults to the core Flux controllers:
|
||||
- source-controller
|
||||
- kustomize-controller
|
||||
- helm-controller
|
||||
- notification-controller
|
||||
items:
|
||||
description: Component is the name of a controller to install.
|
||||
enum:
|
||||
@@ -661,14 +665,14 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
controller-gen.kubebuilder.io/version: v0.20.0
|
||||
helm.sh/resource-policy: keep
|
||||
labels:
|
||||
app.kubernetes.io/instance: 'flux-operator'
|
||||
app.kubernetes.io/managed-by: 'Helm'
|
||||
app.kubernetes.io/name: 'flux-operator'
|
||||
app.kubernetes.io/version: 'v0.37.1'
|
||||
helm.sh/chart: 'flux-operator-0.37.1'
|
||||
app.kubernetes.io/version: 'v0.48.0'
|
||||
helm.sh/chart: 'flux-operator-0.48.0'
|
||||
name: fluxreports.fluxcd.controlplane.io
|
||||
spec:
|
||||
group: fluxcd.controlplane.io
|
||||
@@ -828,7 +832,7 @@ spec:
|
||||
failing:
|
||||
description: |-
|
||||
Failing is the number of reconciled
|
||||
resources in the Failing state.
|
||||
resources in the Failing state and not Suspended.
|
||||
type: integer
|
||||
running:
|
||||
description: |-
|
||||
@@ -965,14 +969,14 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
controller-gen.kubebuilder.io/version: v0.20.0
|
||||
helm.sh/resource-policy: keep
|
||||
labels:
|
||||
app.kubernetes.io/instance: 'flux-operator'
|
||||
app.kubernetes.io/managed-by: 'Helm'
|
||||
app.kubernetes.io/name: 'flux-operator'
|
||||
app.kubernetes.io/version: 'v0.37.1'
|
||||
helm.sh/chart: 'flux-operator-0.37.1'
|
||||
app.kubernetes.io/version: 'v0.48.0'
|
||||
helm.sh/chart: 'flux-operator-0.48.0'
|
||||
name: resourcesetinputproviders.fluxcd.controlplane.io
|
||||
spec:
|
||||
group: fluxcd.controlplane.io
|
||||
@@ -1029,9 +1033,9 @@ spec:
|
||||
- a PEM-encoded CA certificate (`ca.crt`)
|
||||
- a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`)
|
||||
|
||||
When connecting to a Git or OCI provider that uses self-signed certificates, the CA certificate
|
||||
must be set in the Secret under the 'ca.crt' key to establish the trust relationship.
|
||||
When connecting to an OCI provider that supports client certificates (mTLS), the client certificate
|
||||
When connecting to a Git, OCI, or ExternalService provider that uses self-signed certificates,
|
||||
the CA certificate must be set in the Secret under the 'ca.crt' key to establish the trust relationship.
|
||||
When connecting to a provider that supports client certificates (mTLS), the client certificate
|
||||
and private key must be set in the Secret under the 'tls.crt' and 'tls.key' keys, respectively.
|
||||
properties:
|
||||
name:
|
||||
@@ -1102,6 +1106,11 @@ spec:
|
||||
Supported only for tags at the moment.
|
||||
type: string
|
||||
type: object
|
||||
insecure:
|
||||
description: |-
|
||||
Insecure allows connecting to an ExternalService or OCIArtifactTag provider
|
||||
over plain HTTP without TLS. When not set, the URL must use HTTPS.
|
||||
type: boolean
|
||||
schedule:
|
||||
description: Schedule defines the schedules for the input provider
|
||||
to run.
|
||||
@@ -1129,13 +1138,16 @@ spec:
|
||||
type: array
|
||||
secretRef:
|
||||
description: |-
|
||||
SecretRef specifies the Kubernetes Secret containing the basic-auth credentials
|
||||
SecretRef specifies the Kubernetes Secret containing the credentials
|
||||
to access the input provider.
|
||||
When connecting to a Git provider, the secret must contain the keys
|
||||
'username' and 'password', and the password should be a personal access token
|
||||
that grants read-only access to the repository.
|
||||
When connecting to an OCI provider, the secret must contain a Kubernetes
|
||||
Image Pull Secret, as if created by `kubectl create secret docker-registry`.
|
||||
When connecting to an ExternalService provider, the secret must contain either
|
||||
a 'token' key for bearer token authentication, or 'username' and 'password'
|
||||
keys for basic authentication.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the referent.
|
||||
@@ -1177,10 +1189,14 @@ spec:
|
||||
- AzureDevOpsBranch
|
||||
- AzureDevOpsTag
|
||||
- AzureDevOpsPullRequest
|
||||
- GiteaBranch
|
||||
- GiteaTag
|
||||
- GiteaPullRequest
|
||||
- OCIArtifactTag
|
||||
- ACRArtifactTag
|
||||
- ECRArtifactTag
|
||||
- GARArtifactTag
|
||||
- ExternalService
|
||||
type: string
|
||||
url:
|
||||
description: |-
|
||||
@@ -1206,6 +1222,16 @@ spec:
|
||||
- message: spec.url must start with 'oci://' when spec.type is an OCI
|
||||
provider
|
||||
rule: '!self.type.endsWith(''ArtifactTag'') || self.url.startsWith(''oci'')'
|
||||
- message: spec.url must start with 'http://' or 'https://' when spec.type
|
||||
is 'ExternalService'
|
||||
rule: self.type != 'ExternalService' || self.url.startsWith('http')
|
||||
- message: spec.insecure can only be set when spec.type is 'ExternalService'
|
||||
or 'OCIArtifactTag'
|
||||
rule: '!has(self.insecure) || !self.insecure || self.type == ''ExternalService''
|
||||
|| self.type == ''OCIArtifactTag'''
|
||||
- message: spec.url must use 'https://' unless spec.insecure is true
|
||||
rule: self.type != 'ExternalService' || !self.url.startsWith('http://')
|
||||
|| (has(self.insecure) && self.insecure)
|
||||
- message: cannot specify spec.serviceAccountName when spec.type is not
|
||||
one of AzureDevOps* or *ArtifactTag
|
||||
rule: '!has(self.serviceAccountName) || self.type.startsWith(''AzureDevOps'')
|
||||
@@ -1345,14 +1371,14 @@ apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.19.0
|
||||
controller-gen.kubebuilder.io/version: v0.20.0
|
||||
helm.sh/resource-policy: keep
|
||||
labels:
|
||||
app.kubernetes.io/instance: 'flux-operator'
|
||||
app.kubernetes.io/managed-by: 'Helm'
|
||||
app.kubernetes.io/name: 'flux-operator'
|
||||
app.kubernetes.io/version: 'v0.37.1'
|
||||
helm.sh/chart: 'flux-operator-0.37.1'
|
||||
app.kubernetes.io/version: 'v0.48.0'
|
||||
helm.sh/chart: 'flux-operator-0.48.0'
|
||||
name: resourcesets.fluxcd.controlplane.io
|
||||
spec:
|
||||
group: fluxcd.controlplane.io
|
||||
@@ -1459,6 +1485,15 @@ spec:
|
||||
input provider objects are used. Defaults to flattening all inputs
|
||||
from all providers into a single list of input sets.
|
||||
properties:
|
||||
includeEmptyProviders:
|
||||
description: |-
|
||||
IncludeEmptyProviders controls how input providers that export no
|
||||
inputs are treated. Only applies when Name is Permute. When true, if
|
||||
any provider has zero inputs the resulting permutation set is empty
|
||||
(mathematically correct Cartesian product behavior). When false or
|
||||
unset (default), providers with zero inputs are silently skipped and
|
||||
the remaining providers still permute among themselves.
|
||||
type: boolean
|
||||
name:
|
||||
description: |-
|
||||
Name defines how the inputs are combined when multiple
|
||||
@@ -1481,6 +1516,9 @@ spec:
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-validations:
|
||||
- message: includeEmptyProviders only applies when name is Permute
|
||||
rule: '!has(self.includeEmptyProviders) || self.name == ''Permute'''
|
||||
inputs:
|
||||
description: Inputs contains the list of ResourceSet inputs.
|
||||
items:
|
||||
@@ -1659,6 +1697,16 @@ spec:
|
||||
- type
|
||||
type: object
|
||||
type: array
|
||||
externalChecksumRefs:
|
||||
description: |-
|
||||
ExternalChecksumRefs lists the ConfigMap and Secret references
|
||||
discovered in checksumFrom annotations on the last reconciliation
|
||||
that point to objects not rendered by this ResourceSet. Each entry
|
||||
has the form "Kind/namespace/name". It is used to trigger a
|
||||
reconciliation when one of the referenced objects changes.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
history:
|
||||
description: |-
|
||||
History contains the reconciliation history of the ResourceSet
|
||||
@@ -1764,10 +1812,10 @@ metadata:
|
||||
labels:
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
helm.sh/chart: flux-operator-0.37.1
|
||||
helm.sh/chart: flux-operator-0.48.0
|
||||
app.kubernetes.io/name: flux-operator
|
||||
app.kubernetes.io/instance: flux-operator
|
||||
app.kubernetes.io/version: "v0.37.1"
|
||||
app.kubernetes.io/version: "v0.48.0"
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
rules:
|
||||
- apiGroups:
|
||||
@@ -1791,10 +1839,10 @@ metadata:
|
||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-edit: "true"
|
||||
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
||||
helm.sh/chart: flux-operator-0.37.1
|
||||
helm.sh/chart: flux-operator-0.48.0
|
||||
app.kubernetes.io/name: flux-operator
|
||||
app.kubernetes.io/instance: flux-operator
|
||||
app.kubernetes.io/version: "v0.37.1"
|
||||
app.kubernetes.io/version: "v0.48.0"
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
rules:
|
||||
- apiGroups:
|
||||
@@ -1807,16 +1855,86 @@ rules:
|
||||
- list
|
||||
- watch
|
||||
---
|
||||
# Source: flux-operator/templates/web-standard-roles.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: flux-web-user
|
||||
labels:
|
||||
helm.sh/chart: flux-operator-0.48.0
|
||||
app.kubernetes.io/name: flux-operator
|
||||
app.kubernetes.io/instance: flux-operator
|
||||
app.kubernetes.io/version: "v0.48.0"
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
rules:
|
||||
- apiGroups: ["*"]
|
||||
resources: ["*"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
---
|
||||
# Source: flux-operator/templates/web-standard-roles.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: flux-web-admin
|
||||
labels:
|
||||
helm.sh/chart: flux-operator-0.48.0
|
||||
app.kubernetes.io/name: flux-operator
|
||||
app.kubernetes.io/instance: flux-operator
|
||||
app.kubernetes.io/version: "v0.48.0"
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
rules:
|
||||
- apiGroups: ["*"]
|
||||
resources: ["*"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups:
|
||||
- fluxcd.controlplane.io
|
||||
- source.toolkit.fluxcd.io
|
||||
- source.extensions.fluxcd.io
|
||||
- kustomize.toolkit.fluxcd.io
|
||||
- helm.toolkit.fluxcd.io
|
||||
- image.toolkit.fluxcd.io
|
||||
- notification.toolkit.fluxcd.io
|
||||
resources: ["*"]
|
||||
verbs:
|
||||
- patch
|
||||
- reconcile
|
||||
- suspend
|
||||
- resume
|
||||
- download
|
||||
- apiGroups:
|
||||
- apps
|
||||
resources:
|
||||
- deployments
|
||||
- statefulsets
|
||||
- daemonsets
|
||||
verbs:
|
||||
- patch
|
||||
- restart
|
||||
- apiGroups:
|
||||
- batch
|
||||
resources:
|
||||
- cronjobs
|
||||
- jobs
|
||||
verbs:
|
||||
- create
|
||||
- restart
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- pods
|
||||
verbs:
|
||||
- delete
|
||||
---
|
||||
# Source: flux-operator/templates/admin-clusterrole.yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: flux-operator
|
||||
labels:
|
||||
helm.sh/chart: flux-operator-0.37.1
|
||||
helm.sh/chart: flux-operator-0.48.0
|
||||
app.kubernetes.io/name: flux-operator
|
||||
app.kubernetes.io/instance: flux-operator
|
||||
app.kubernetes.io/version: "v0.37.1"
|
||||
app.kubernetes.io/version: "v0.48.0"
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
@@ -1834,10 +1952,10 @@ metadata:
|
||||
name: flux-operator
|
||||
namespace: flux-system
|
||||
labels:
|
||||
helm.sh/chart: flux-operator-0.37.1
|
||||
helm.sh/chart: flux-operator-0.48.0
|
||||
app.kubernetes.io/name: flux-operator
|
||||
app.kubernetes.io/instance: flux-operator
|
||||
app.kubernetes.io/version: "v0.37.1"
|
||||
app.kubernetes.io/version: "v0.48.0"
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
spec:
|
||||
ports:
|
||||
@@ -1860,10 +1978,10 @@ metadata:
|
||||
name: flux-operator
|
||||
namespace: flux-system
|
||||
labels:
|
||||
helm.sh/chart: flux-operator-0.37.1
|
||||
helm.sh/chart: flux-operator-0.48.0
|
||||
app.kubernetes.io/name: flux-operator
|
||||
app.kubernetes.io/instance: flux-operator
|
||||
app.kubernetes.io/version: "v0.37.1"
|
||||
app.kubernetes.io/version: "v0.48.0"
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
spec:
|
||||
selector:
|
||||
@@ -1877,10 +1995,10 @@ spec:
|
||||
prometheus.io/port: "8080"
|
||||
prometheus.io/path: "/metrics"
|
||||
labels:
|
||||
helm.sh/chart: flux-operator-0.37.1
|
||||
helm.sh/chart: flux-operator-0.48.0
|
||||
app.kubernetes.io/name: flux-operator
|
||||
app.kubernetes.io/instance: flux-operator
|
||||
app.kubernetes.io/version: "v0.37.1"
|
||||
app.kubernetes.io/version: "v0.48.0"
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
spec:
|
||||
serviceAccountName: flux-operator
|
||||
@@ -1906,7 +2024,7 @@ spec:
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
image: "ghcr.io/controlplaneio-fluxcd/flux-operator:v0.37.1"
|
||||
image: "ghcr.io/controlplaneio-fluxcd/flux-operator:v0.48.0"
|
||||
imagePullPolicy: "IfNotPresent"
|
||||
ports:
|
||||
- name: http-metrics
|
||||
|
||||
@@ -5,5 +5,13 @@ metadata:
|
||||
namespace: flux-system
|
||||
spec:
|
||||
distribution:
|
||||
version: "2.7.x"
|
||||
version: "2.8.x"
|
||||
registry: "ghcr.io/fluxcd"
|
||||
components:
|
||||
- source-controller
|
||||
- kustomize-controller
|
||||
- helm-controller
|
||||
- notification-controller
|
||||
- image-automation-controller
|
||||
- image-reflector-controller
|
||||
# - source-watcher
|
||||
|
||||
@@ -35,6 +35,10 @@ let
|
||||
"${k8s.cilium-manifest}/cilium.yaml"
|
||||
"${k8s.coredns-manifest}/coredns.yaml"
|
||||
./files/manifests/flux_namespace.yaml
|
||||
|
||||
#
|
||||
# Generate with: helm template --dry-run=server flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --namespace flux-system --create-namespace
|
||||
#
|
||||
./files/manifests/flux.yaml
|
||||
./files/manifests/flux_instance.yaml
|
||||
]
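Review bot: The generator command recorded in the new comment, `helm template --dry-run=server flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator ...`, carries no `--version`, so re-running it pulls whatever the chart's latest tag is at that moment and the committed `flux.yaml` cannot be reproduced from the comment alone. The rendered manifest is labelled `flux-operator-0.48.0`, so pin that in the comment: `# Generate with: helm template --dry-run=server flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --version 0.48.0 --namespace flux-system --create-namespace`. Recording the chart digest alongside the version would additionally catch a re-tagged chart on the registry side.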
|
||||
|
||||
@@ -119,8 +119,6 @@ let
|
||||
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys
|
||||
${openssh}/bin/ssh mrmanager doas install -d -o 10016 -g 10016 -m 0755 /vm/${vm_name}/persist/keys/etcd
|
||||
${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube
|
||||
|
||||
|
||||
''
|
||||
+ (lib.concatMapStringsSep "\n" deploy_file [
|
||||
{
|
||||
@@ -248,7 +246,8 @@ let
|
||||
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys
|
||||
${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube
|
||||
|
||||
|
||||
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0700 /vm/${vm_name}/persist/containerd/certs.d/docker.io
|
||||
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0700 /vm/${vm_name}/persist/containerd/certs.d/harbor.fizz.buzz
|
||||
''
|
||||
+ (lib.concatMapStringsSep "\n" deploy_file [
|
||||
{
|
||||
@@ -291,6 +290,22 @@ let
|
||||
group = 10024;
|
||||
mode = "0600";
|
||||
}
|
||||
{
|
||||
dest_dir = "/vm/${vm_name}/persist/containerd/certs.d/docker.io";
|
||||
file = "${./files/containerd/docker.io/hosts.toml}";
|
||||
name = "hosts.toml";
|
||||
owner = 0;
|
||||
group = 0;
|
||||
mode = "0600";
|
||||
}
|
||||
{
|
||||
dest_dir = "/vm/${vm_name}/persist/containerd/certs.d/harbor.fizz.buzz";
|
||||
file = "${./files/containerd/harbor.fizz.buzz/hosts.toml}";
|
||||
name = "hosts.toml";
|
||||
owner = 0;
|
||||
group = 0;
|
||||
mode = "0600";
|
||||
}
|
||||
])
|
||||
)
|
||||
);
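Review bot: The two `hosts.toml` files deployed into `certs.d/docker.io` and `certs.d/harbor.fizz.buzz` are the mirror and TLS policy containerd applies to every pull from those registries, but their contents are not in this diff, so the review cannot tell whether they pin a CA (`ca = ...`), use an `http://` host, or set `skip_verify = true`. If either file does the latter, image authenticity for that registry rests on the network path alone; please confirm both use `https://` with a `ca` entry or system trust and no `skip_verify`. The `0700` directory and `0600` file modes are appropriate for a root-run containerd. The enclosing let-binding and `deploy_file` list start before the hunk.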
|
||||
|
||||
@@ -120,7 +120,7 @@ extendedKeyUsage = clientAuth, serverAuth
|
||||
keyUsage = critical, digitalSignature, keyEncipherment
|
||||
nsCertType = client
|
||||
nsComment = "worker0 Certificate"
|
||||
subjectAltName = DNS:worker0, IP:127.0.0.1
|
||||
subjectAltName = DNS:worker0, IP:127.0.0.1, IP:10.215.1.224, IP:2620:11f:7001:7:ffff:ffff:ad7:1e0
|
||||
subjectKeyIdentifier = hash
|
||||
|
||||
[worker0_distinguished_name]
|
||||
@@ -141,7 +141,7 @@ extendedKeyUsage = clientAuth, serverAuth
|
||||
keyUsage = critical, digitalSignature, keyEncipherment
|
||||
nsCertType = client
|
||||
nsComment = "worker1 Certificate"
|
||||
subjectAltName = DNS:worker1, IP:127.0.0.1
|
||||
subjectAltName = DNS:worker1, IP:127.0.0.1, IP:10.215.1.225, IP:2620:11f:7001:7:ffff:ffff:ad7:1e1
|
||||
subjectKeyIdentifier = hash
|
||||
|
||||
[worker1_distinguished_name]
|
||||
@@ -162,7 +162,7 @@ extendedKeyUsage = clientAuth, serverAuth
|
||||
keyUsage = critical, digitalSignature, keyEncipherment
|
||||
nsCertType = client
|
||||
nsComment = "worker2 Certificate"
|
||||
subjectAltName = DNS:worker2, IP:127.0.0.1
|
||||
subjectAltName = DNS:worker2, IP:127.0.0.1, IP:10.215.1.226, IP:2620:11f:7001:7:ffff:ffff:ad7:1e2
|
||||
subjectKeyIdentifier = hash
|
||||
|
||||
[worker2_distinguished_name]
|
||||
|
||||
@@ -16,19 +16,29 @@
|
||||
secret_name,
|
||||
secret_namespace,
|
||||
secret_values ? { },
|
||||
secret_type ? null,
|
||||
secret_annotations ? null,
|
||||
...
|
||||
}:
|
||||
let
|
||||
toBase64 = (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }).toBase64;
|
||||
metadata = {
|
||||
name = "${secret_name}";
|
||||
namespace = "${secret_namespace}";
|
||||
}
|
||||
// lib.optionalAttrs (secret_annotations != null) {
|
||||
"annotations" = secret_annotations;
|
||||
};
|
||||
secret_yaml = {
|
||||
apiVersion = "v1";
|
||||
kind = "Secret";
|
||||
metadata = {
|
||||
name = "${secret_name}";
|
||||
namespace = "${secret_namespace}";
|
||||
};
|
||||
metadata = metadata;
|
||||
data = (builtins.mapAttrs (key: val: (toBase64 val)) secret_values);
|
||||
}
|
||||
// lib.optionalAttrs (secret_type != null) {
|
||||
"type" = secret_type;
|
||||
};
|
||||
|
||||
settingsFormat = pkgs.formats.yaml { };
|
||||
yaml_body = settingsFormat.generate "${secret_name}.yaml" secret_yaml;
|
||||
yaml_file = pkgs.writeTextFile {
|
||||
|
||||
@@ -13,13 +13,33 @@ let
|
||||
(
|
||||
secret_namespace: secrets:
|
||||
(builtins.mapAttrs (
|
||||
secret_name: secret_values:
|
||||
secret_name: original_secret_values:
|
||||
let
|
||||
secret_type = original_secret_values."__type" or null;
|
||||
secret_annotations = original_secret_values."__annotations" or null;
|
||||
secret_values = removeAttrs original_secret_values [
|
||||
"__type"
|
||||
"__annotations"
|
||||
];
|
||||
in
|
||||
(callPackage ../../package/k8s-secret-generic/package.nix {
|
||||
inherit secret_name secret_namespace secret_values;
|
||||
inherit
|
||||
secret_name
|
||||
secret_namespace
|
||||
secret_values
|
||||
secret_type
|
||||
secret_annotations
|
||||
;
|
||||
})
|
||||
) secrets)
|
||||
)
|
||||
{
|
||||
"archive-box" = {
|
||||
"archive-box-auth" = {
|
||||
"username" = (builtins.readFile "${./secrets/archive-box/archive-box-auth/username}");
|
||||
"password" = (builtins.readFile "${./secrets/archive-box/archive-box-auth/password}");
|
||||
};
|
||||
};
|
||||
"cert-manager" = {
|
||||
"rfc2136" = {
|
||||
"TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
|
||||
@@ -37,6 +57,27 @@ let
|
||||
);
|
||||
};
|
||||
};
|
||||
"flux-system" = {
|
||||
"registry-credentials" =
|
||||
(generate_docker_secret {
|
||||
username = builtins.readFile "${./secrets/flux-system/registry-credentials/username}";
|
||||
password = builtins.readFile "${./secrets/flux-system/registry-credentials/password}";
|
||||
email = builtins.readFile "${./secrets/flux-system/registry-credentials/email}";
|
||||
})
|
||||
// {
|
||||
# "__annotations" = {
|
||||
# "tekton.dev/docker-0" = "https://harbor.fizz.buzz";
|
||||
# };
|
||||
};
|
||||
"webhook-token" = {
|
||||
# This token is used for gitea webhooks
|
||||
"token" = generate_key 64 "flux-system.webhook-token.token";
|
||||
};
|
||||
"harbor-webhook-token" = {
|
||||
# This token is used for harbor webhooks
|
||||
"token" = generate_key 64 "flux-system.harbor-webhook-token.token";
|
||||
};
|
||||
};
|
||||
"gitea" = {
|
||||
"gitea-env" = {
|
||||
"GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}");
|
||||
@@ -59,6 +100,29 @@ let
|
||||
);
|
||||
};
|
||||
};
|
||||
"tekton-gateway" = {
|
||||
"oauth2-env" = oauth2_env { dex_id = "tekton"; };
|
||||
};
|
||||
"webhook-bridge" = {
|
||||
"webhook-bridge" = {
|
||||
"HMAC_TOKEN" = (builtins.readFile "${./secrets/webhook-bridge/webhook-bridge/HMAC_TOKEN}");
|
||||
"OAUTH_TOKEN" = (builtins.readFile "${./secrets/webhook-bridge/webhook-bridge/OAUTH_TOKEN}");
|
||||
};
|
||||
"deployer-key" = {
|
||||
"__annotations" = {
|
||||
"tekton.dev/git-0" = "code.fizz.buzz";
|
||||
};
|
||||
"__type" = "kubernetes.io/ssh-auth";
|
||||
"ssh-privatekey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-privatekey}");
|
||||
"ssh-publickey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-publickey}");
|
||||
};
|
||||
"gitea" = {
|
||||
"token" = (builtins.readFile "${./secrets/webhook-bridge/gitea/token}");
|
||||
};
|
||||
"harbor-plain" = {
|
||||
"config.json" = (builtins.readFile "${./secrets/webhook-bridge/harbor-plain/config.json}");
|
||||
};
|
||||
};
|
||||
};
|
||||
encrypted_secrets = (
|
||||
builtins.mapAttrs (
|
||||
@@ -92,6 +156,7 @@ let
|
||||
|
||||
## Utilities
|
||||
inherit ((import ../../../functions/to_yaml.nix) { inherit pkgs; }) to_yaml;
|
||||
inherit (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }) toBase64;
|
||||
generate_key =
|
||||
len: name:
|
||||
builtins.readFile (
|
||||
@@ -101,8 +166,46 @@ let
|
||||
dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out"
|
||||
''
|
||||
);
|
||||
helm_json_escape = json: builtins.toJSON json;
|
||||
|
||||
# helm_json_escape = json: builtins.toJSON json;
|
||||
helm_json_escape =
|
||||
json:
|
||||
builtins.replaceStrings
|
||||
[
|
||||
"="
|
||||
"["
|
||||
"]"
|
||||
","
|
||||
"."
|
||||
"\""
|
||||
"{"
|
||||
"}"
|
||||
]
|
||||
[
|
||||
"\\="
|
||||
"\\["
|
||||
"\\]"
|
||||
"\\,"
|
||||
"\\."
|
||||
"\\\""
|
||||
"\\{"
|
||||
"\\}"
|
||||
]
|
||||
json;
|
||||
generate_docker_secret =
|
||||
{
|
||||
username,
|
||||
password,
|
||||
email,
|
||||
}:
|
||||
let
|
||||
in
|
||||
{
|
||||
"__type" = "kubernetes.io/dockerconfigjson";
|
||||
".dockerconfigjson" = builtins.toJSON {
|
||||
inherit username password email;
|
||||
"auth" = toBase64 "${username}:${password}";
|
||||
};
|
||||
};
|
||||
## dex
|
||||
get_dex_config =
|
||||
client_id:
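Review bot: `generate_docker_secret` emits `.dockerconfigjson` as a flat object `{username, password, email, auth}`, but the `kubernetes.io/dockerconfigjson` format that kubelet and Flux read is `{"auths": {"<registry-host>": {...}}}`; without the `auths` wrapper and a registry key the Secret is accepted by the API server but never matches any pull, so `registry-credentials` in `flux-system` will not authenticate anything. Nest the entry under `auths` keyed by the registry host and take that host as a parameter rather than hard-coding it (the commented `tekton.dev/docker-0 = https://harbor.fizz.buzz` annotation suggests `harbor.fizz.buzz`, but confirm). The caller at `"registry-credentials"` then passes `registry = "...";` alongside the three credential files.
```nix
generate_docker_secret =
  {
    registry,
    username,
    password,
    email,
  }:
  {
    "__type" = "kubernetes.io/dockerconfigjson";
    ".dockerconfigjson" = builtins.toJSON {
      auths = {
        "${registry}" = {
          inherit username password email;
          "auth" = toBase64 "${username}:${password}";
        };
      };
    };
  };
# … unchanged: helm_json_escape, get_dex_config …
```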
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
# TODO: Set up a proxy to harbor for OCI compliance: https://github.com/moby/moby/pull/34319#issuecomment-720606627
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
@@ -29,30 +30,43 @@ in
|
||||
|
||||
config = lib.mkIf config.me.containerd.enable {
|
||||
virtualisation.containerd.enable = true;
|
||||
virtualisation.containerd.settings = {
|
||||
virtualisation.containerd.settings = lib.mkForce {
|
||||
"plugins" = {
|
||||
"io.containerd.grpc.v1.cri" = {
|
||||
"io.containerd.cri.v1.images" = {
|
||||
"registry" = {
|
||||
"config_path" = "/.persist/containerd/certs.d";
|
||||
};
|
||||
"snapshotter" = "overlayfs";
|
||||
};
|
||||
"io.containerd.cri.v1.runtime" = {
|
||||
"cni" = {
|
||||
"bin_dir" = "/opt/cni/bin";
|
||||
"bin_dirs" = [
|
||||
"/opt/cni/bin"
|
||||
];
|
||||
"conf_dir" = "/etc/cni/net.d";
|
||||
# "bin_dir" = "${my-cni-plugins}/bin";
|
||||
# "conf_dir" = "${my-cni-configs}";
|
||||
};
|
||||
"containerd" = {
|
||||
"default_runtime_name" = "runc";
|
||||
"runtimes" = {
|
||||
"runc" = {
|
||||
"options" = {
|
||||
"SystemdCgroup" = true;
|
||||
};
|
||||
"runtime_type" = "io.containerd.runc.v2";
|
||||
};
|
||||
};
|
||||
"snapshotter" = "overlayfs";
|
||||
};
|
||||
};
|
||||
"io.containerd.cri.v1.services" = {
|
||||
"containerd" = {
|
||||
"runtimes" = {
|
||||
"runc" = {
|
||||
"options" = {
|
||||
"SystemdCgroup" = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
"version" = 2;
|
||||
"version" = 3;
|
||||
};
|
||||
|
||||
systemd.services.containerd.preStart = ''
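Review bot: `virtualisation.containerd.settings = lib.mkForce { ... }` discards every other definition of this option, presumably including defaults the NixOS containerd module contributes, and nothing says why; a later reader is likely to remove the `mkForce` and end up with version-2 plugin keys merged into this `version = 3` file. Add a one-line reason above it, e.g. `# mkForce: the NixOS module injects version-2 plugin keys; this config is version 3 and must not be merged with them` (confirm that is in fact the motivation). The `SystemdCgroup = true` runc option also assumes the kubelet runs with `cgroupDriver: systemd`; the kubelet hunk in this commit does not show that key, so it is worth checking it is set elsewhere.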
|
||||
|
||||
@@ -32,7 +32,7 @@ let
|
||||
containerRuntimeEndpoint = "unix:///var/run/containerd/containerd.sock";
|
||||
enableServer = true;
|
||||
failSwapOn = false;
|
||||
maxPods = 16;
|
||||
maxPods = 110;
|
||||
memorySwap = {
|
||||
swapBehavior = "NoSwap";
|
||||
};
|
||||
@@ -47,6 +47,7 @@ let
|
||||
"10.197.0.10"
|
||||
"fd00:3e42:e349::10"
|
||||
];
|
||||
imageMaximumGCAge = "24h"; # Delete unused images after 1 day.
|
||||
};
|
||||
kubelet_config_file = (to_yaml_file "kubelet-config.yaml" kubelet_config);
|
||||
in
|
||||
|
||||