Sync with upstream

.github/renovate.json5

@@ -73,6 +73,16 @@
       },
       "separateMinorPatch": true
     },
+    {
+      "description": ["System Upgrade Controller Group"],
+      "groupName": "System Upgrade Controller",
+      "matchPackagePatterns": ["system-upgrade-controller"],
+      "matchDatasources": ["docker", "github-releases"],
+      "group": {
+        "commitMessageTopic": "{{{groupName}}} group"
+      },
+      "separateMinorPatch": true
+    },
     // custom versioning
     {
       "description": ["Use custom versioning for k3s"],

.github/workflows/flux-diff.yaml

@@ -40,8 +40,8 @@ jobs:
           args: >-
             diff ${{ matrix.resources }}
             --unified 6
-            --path /github/workspace/pull/${{ matrix.paths }}
-            --path-orig /github/workspace/default/${{ matrix.paths }}
+            --path /github/workspace/pull/${{ matrix.paths }}/flux
+            --path-orig /github/workspace/default/${{ matrix.paths }}/flux
             --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart"
             --limit-bytes 10000
             --all-namespaces

README.md

@@ -318,7 +318,7 @@ You have two different options for setting up your local workstation.
 
 2. Install Flux and sync the cluster to the Git repository
 
-  📍 _Run `task flux:github-deploy-key` first if using a private repository._
+    📍 _Run `task flux:github-deploy-key` first if using a private repository._
 
     ```sh
     task flux:bootstrap

Taskfile.yaml

@@ -36,6 +36,9 @@ includes:
   talos: .taskfiles/Talos/Taskfile.yaml
   sops: .taskfiles/Sops/Taskfile.yaml
   workstation: .taskfiles/Workstation/Taskfile.yaml
+  user:
+    taskfile: .taskfiles/User
+    optional: true
 
 tasks:
 

bootstrap/templates/ansible/inventory/group_vars/kubernetes/main.yaml.j2

@@ -18,6 +18,6 @@ k3s_registries:
 k3s_release_version: v1.29.1+k3s2
 k3s_server_manifests_templates:
   - custom-cilium-helmchart.yaml
-  - kube-vip-ds.yaml
-  - kube-vip-rbac.yaml
+  - custom-kube-vip-ds.yaml
+  - custom-kube-vip-rbac.yaml
 k3s_use_unsupported_config: true

bootstrap/templates/ansible/inventory/hosts.yaml.j2

@@ -8,6 +8,9 @@ kubernetes:
         "#{ item.name }#":
           ansible_user: "#{ item.ssh_user }#"
           ansible_host: "#{ item.address }#"
+          #% if item.ssh_key %#
+          ansible_ssh_private_key_file: "#{ item.ssh_key }#"
+          #% endif %#
         #% endif %#
         #% endfor %#
     #% if bootstrap_node_inventory | selectattr('controller', 'equalto', False) | list | length %#
@@ -18,6 +21,9 @@ kubernetes:
         "#{ item.name }#":
           ansible_user: "#{ item.ssh_user }#"
           ansible_host: "#{ item.address }#"
+          #% if item.ssh_key %#
+          ansible_ssh_private_key_file: "#{ item.ssh_key }#"
+          #% endif %#
         #% endif %#
         #% endfor %#
     #% endif %#

bootstrap/templates/ansible/playbooks/cluster-installation.yaml.j2

@@ -50,6 +50,7 @@
         wait_timeout: 360
       loop:
         - { name: cilium, kind: HelmChart, namespace: kube-system }
+        - { name: kube-vip, kind: DaemonSet, namespace: kube-system }
 
     - name: Cilium
       when: k3s_primary_control_node

bootstrap/templates/ansible/playbooks/templates/custom-kube-vip-ds.yaml.j2

@@ -0,0 +1,2 @@
+---
+#% include 'partials/kube-vip-ds.partial.yaml.j2' %#

bootstrap/templates/ansible/playbooks/templates/custom-kube-vip-rbac.yaml.j2

@@ -0,0 +1,2 @@
+---
+#% include 'partials/kube-vip-rbac.partial.yaml.j2' %#

bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml.j2

@@ -20,8 +20,6 @@ spec:
     cleanupOnFail: true
     remediation:
       retries: 3
-  uninstall:
-    keepHistory: false
   values:
     installCRDs: true
     dns01RecursiveNameservers: 1.1.1.1:53,9.9.9.9:53

bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml.j2

@@ -20,8 +20,6 @@ spec:
     cleanupOnFail: true
     remediation:
       retries: 3
-  uninstall:
-    keepHistory: false
   values:
     #% filter indent(width=4, first=True) %#
     #% include 'partials/cilium-values-full.partial.yaml.j2' %#

bootstrap/templates/kubernetes/apps/kube-system/kube-vip/.mjfilter.py

@@ -0,0 +1 @@
+main = lambda data: data.get("bootstrap_distribution", "k3s") in ["k3s"]

bootstrap/templates/kubernetes/apps/kube-system/kube-vip/app/daemonset.yaml.j2

@@ -0,0 +1,2 @@
+---
+#% include 'partials/kube-vip-ds.partial.yaml.j2' %#

bootstrap/templates/kubernetes/apps/kube-system/kube-vip/app/kustomization.yaml.j2

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./rbac.yaml
+  - ./daemonset.yaml

bootstrap/templates/kubernetes/apps/kube-system/kube-vip/app/rbac.yaml.j2

@@ -0,0 +1,2 @@
+---
+#% include 'partials/kube-vip-rbac.partial.yaml.j2' %#

bootstrap/templates/kubernetes/apps/kube-system/kube-vip/ks.yaml.j2

@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app kube-vip
+  namespace: flux-system
+spec:
+  targetNamespace: kube-system
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/kube-system/kube-vip/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2

@@ -20,8 +20,6 @@ spec:
     cleanupOnFail: true
     remediation:
       retries: 3
-  uninstall:
-    keepHistory: false
   values:
     #% filter indent(width=4, first=True) %#
     #% include 'partials/kubelet-csr-approver-values.partial.yaml.j2' %#

bootstrap/templates/kubernetes/apps/kube-system/kustomization.yaml.j2

@@ -4,11 +4,12 @@ kind: Kustomization
 resources:
   - ./namespace.yaml
   - ./cilium/ks.yaml
-  #% if bootstrap_distribution in ["talos"] %#
-  - ./kubelet-csr-approver/ks.yaml
-  #% endif %#
   - ./metrics-server/ks.yaml
+  - ./reloader/ks.yaml
   #% if bootstrap_distribution in ["talos"] %#
+  - ./kubelet-csr-approver/ks.yaml
   - ./spegel/ks.yaml
   #% endif %#
-  - ./reloader/ks.yaml
+  #% if bootstrap_distribution in ["k3s"] %#
+  - ./kube-vip/ks.yaml
+  #% endif %#

bootstrap/templates/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml.j2

@@ -20,8 +20,6 @@ spec:
     cleanupOnFail: true
     remediation:
       retries: 3
-  uninstall:
-    keepHistory: false
   values:
     args:
       - --kubelet-insecure-tls

bootstrap/templates/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml.j2

@@ -20,8 +20,6 @@ spec:
     cleanupOnFail: true
     remediation:
       retries: 3
-  uninstall:
-    keepHistory: false
   values:
     fullnameOverride: reloader
     reloader:

bootstrap/templates/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml.j2

@@ -20,8 +20,6 @@ spec:
     cleanupOnFail: true
     remediation:
       retries: 3
-  uninstall:
-    keepHistory: false
   values:
     spegel:
       containerdSock: /run/containerd/containerd.sock

bootstrap/templates/kubernetes/apps/network/cloudflared/app/helmrelease.yaml.j2

@@ -20,8 +20,6 @@ spec:
     cleanupOnFail: true
     remediation:
       retries: 3
-  uninstall:
-    keepHistory: false
   values:
     controllers:
       main:

bootstrap/templates/kubernetes/apps/network/echo-server/app/helmrelease.yaml.j2

@@ -20,8 +20,6 @@ spec:
     cleanupOnFail: true
     remediation:
       retries: 3
-  uninstall:
-    keepHistory: false
   values:
     controllers:
       main:

bootstrap/templates/kubernetes/apps/network/external-dns/app/helmrelease.yaml.j2

@@ -20,8 +20,6 @@ spec:
     cleanupOnFail: true
     remediation:
       retries: 3
-  uninstall:
-    keepHistory: false
   values:
     fullnameOverride: *app
     provider: cloudflare

bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2

@@ -20,8 +20,6 @@ spec:
     cleanupOnFail: true
     remediation:
       retries: 3
-  uninstall:
-    keepHistory: false
   dependsOn:
     - name: cloudflared
       namespace: network

bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2

@@ -21,8 +21,6 @@ spec:
     cleanupOnFail: true
     remediation:
       retries: 3
-  uninstall:
-    keepHistory: false
   values:
     fullnameOverride: ingress-nginx-internal
     controller:

bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2

@@ -20,8 +20,6 @@ spec:
     cleanupOnFail: true
     remediation:
       retries: 3
-  uninstall:
-    keepHistory: false
   values:
     fullnameOverride: k8s-gateway
     domain: "${SECRET_DOMAIN}"

bootstrap/templates/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml.j2

@@ -20,8 +20,6 @@ spec:
     cleanupOnFail: true
     remediation:
       retries: 3
-  uninstall:
-    keepHistory: false
   values:
     ndm:
       enabled: false

bootstrap/templates/kubernetes/apps/system-upgrade/k3s/app/plan.yaml.j2

@@ -45,6 +45,6 @@ spec:
         operator: DoesNotExist
   prepare:
     image: rancher/k3s-upgrade
-    args: ["prepare", "server"]
+    args: ["prepare", "controllers"]
   upgrade:
     image: rancher/k3s-upgrade

bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml.j2

@@ -20,8 +20,6 @@ spec:
     cleanupOnFail: true
     remediation:
       retries: 3
-  uninstall:
-    keepHistory: false
   values:
     controllers:
       main:
@@ -30,7 +28,7 @@ spec:
           main:
             image:
               repository: docker.io/rancher/system-upgrade-controller
-              tag: v0.13.3
+              tag: v0.13.4
             env:
               SYSTEM_UPGRADE_CONTROLLER_DEBUG: false
               SYSTEM_UPGRADE_CONTROLLER_THREADS: 2

bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml.j2

@@ -3,6 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   # renovate: datasource=github-releases depName=rancher/system-upgrade-controller
-  - https://github.com/rancher/system-upgrade-controller/releases/download/v0.13.3/crd.yaml
+  - https://github.com/rancher/system-upgrade-controller/releases/download/v0.13.4/crd.yaml
   - helmrelease.yaml
   - rbac.yaml

config.sample.yaml

@@ -49,11 +49,12 @@ bootstrap_node_default_gateway: ""
 # (Required) Use only 1, 3 or more ODD number of controller nodes, recommended is 3
 #   Worker nodes are optional
 bootstrap_node_inventory: []
-    # - name: ""          # Name of the node (must match [a-z0-9-\.]+)
-    #   address: ""       # IP address of the node
-    #   controller: true  # (Required) Set to true if this is a controller node
-    #   ssh_user: ""      # (Required: k3s) SSH username of the node
-    #   talos_disk: ""    # (Required: Talos) Device path or serial number of the disk for this node
+    # - name: ""           # (Required) Name of the node (must match [a-z0-9-\.]+)
+    #   address: ""        # (Required) IP address of the node
+    #   controller: true   # (Required) Set to true if this is a controller node
+    #   ssh_user: ""       # (Required: k3s) SSH username of the node
+    #   talos_disk: ""     # (Required: Talos) Device path or serial number of the disk for this node
+    #   ssh_key: ""        # (Optional: k3s) Set specific SSH key for this node
     # ...
 
 # (Optional) The DNS server to use for the cluster, this can be an existing