diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 47dd17a3..dfd4d5d7 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -73,6 +73,16 @@ }, "separateMinorPatch": true }, + { + "description": ["System Upgrade Controller Group"], + "groupName": "System Upgrade Controller", + "matchPackagePatterns": ["system-upgrade-controller"], + "matchDatasources": ["docker", "github-releases"], + "group": { + "commitMessageTopic": "{{{groupName}}} group" + }, + "separateMinorPatch": true + }, // custom versioning { "description": ["Use custom versioning for k3s"], diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 5e942518..7548800f 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -40,8 +40,8 @@ jobs: args: >- diff ${{ matrix.resources }} --unified 6 - --path /github/workspace/pull/${{ matrix.paths }} - --path-orig /github/workspace/default/${{ matrix.paths }} + --path /github/workspace/pull/${{ matrix.paths }}/flux + --path-orig /github/workspace/default/${{ matrix.paths }}/flux --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart" --limit-bytes 10000 --all-namespaces diff --git a/README.md b/README.md index 8b6dd091..a37ecbb0 100644 --- a/README.md +++ b/README.md @@ -318,7 +318,7 @@ You have two different options for setting up your local workstation. 2. Install Flux and sync the cluster to the Git repository - 📍 _Run `task flux:github-deploy-key` first if using a private repository._ + 📍 _Run `task flux:github-deploy-key` first if using a private repository._ ```sh task flux:bootstrap diff --git a/Taskfile.yaml b/Taskfile.yaml index c510d73d..8b02c190 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -36,6 +36,9 @@ includes: talos: .taskfiles/Talos/Taskfile.yaml sops: .taskfiles/Sops/Taskfile.yaml workstation: .taskfiles/Workstation/Taskfile.yaml + user: + taskfile: .taskfiles/User + optional: true tasks: 
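Review bot: `"matchPackagePatterns": ["system-upgrade-controller"]` is an unanchored regex, so the new group also captures any docker image or GitHub release whose name merely contains that substring (a fork or a `-something` suffix would be grouped and bumped together with the real controller). Because the docker depName carries a registry/owner prefix, anchor only the tail: `"matchPackagePatterns": ["(^|/)system-upgrade-controller$"]`. The surrounding `packageRules` array this entry sits in starts and ends outside the hunk.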
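Review bot: The new `user:` include points at `.taskfiles/User` with `optional: true`, which reads as a per-developer, uncommitted Taskfile, but nothing in the diff adds that path to `.gitignore` or documents the intent, so a personal Taskfile can end up committed and run by everyone. If that is the intent, a comment on the include would make it explicit, e.g. `# local per-user tasks; .taskfiles/User is not tracked in git`, together with the matching ignore rule. The `includes:` mapping this sits in starts outside the hunk.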
diff --git a/bootstrap/templates/ansible/inventory/group_vars/kubernetes/main.yaml.j2 b/bootstrap/templates/ansible/inventory/group_vars/kubernetes/main.yaml.j2 index bf1aeb1b..01ec2ba5 100644 --- a/bootstrap/templates/ansible/inventory/group_vars/kubernetes/main.yaml.j2 +++ b/bootstrap/templates/ansible/inventory/group_vars/kubernetes/main.yaml.j2 @@ -18,6 +18,6 @@ k3s_registries: k3s_release_version: v1.29.1+k3s2 k3s_server_manifests_templates: - custom-cilium-helmchart.yaml - - kube-vip-ds.yaml - - kube-vip-rbac.yaml + - custom-kube-vip-ds.yaml + - custom-kube-vip-rbac.yaml k3s_use_unsupported_config: true diff --git a/bootstrap/templates/ansible/inventory/hosts.yaml.j2 b/bootstrap/templates/ansible/inventory/hosts.yaml.j2 index 8960a23d..4df83a28 100644 --- a/bootstrap/templates/ansible/inventory/hosts.yaml.j2 +++ b/bootstrap/templates/ansible/inventory/hosts.yaml.j2 @@ -8,6 +8,9 @@ kubernetes: "#{ item.name }#": ansible_user: "#{ item.ssh_user }#" ansible_host: "#{ item.address }#" + #% if item.ssh_key %# + ansible_ssh_private_key_file: "#{ item.ssh_key }#" + #% endif %# #% endif %# #% endfor %# #% if bootstrap_node_inventory | selectattr('controller', 'equalto', False) | list | length %# @@ -18,6 +21,9 @@ kubernetes: "#{ item.name }#": ansible_user: "#{ item.ssh_user }#" ansible_host: "#{ item.address }#" + #% if item.ssh_key %# + ansible_ssh_private_key_file: "#{ item.ssh_key }#" + #% endif %# #% endif %# #% endfor %# #% endif %# diff --git a/bootstrap/templates/ansible/playbooks/cluster-installation.yaml.j2 b/bootstrap/templates/ansible/playbooks/cluster-installation.yaml.j2 index 54c2f87a..ccbeaba6 100644 --- a/bootstrap/templates/ansible/playbooks/cluster-installation.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/cluster-installation.yaml.j2 @@ -50,6 +50,7 @@ wait_timeout: 360 loop: - { name: cilium, kind: HelmChart, namespace: kube-system } + - { name: kube-vip, kind: DaemonSet, namespace: kube-system } - name: Cilium when: k3s_primary_control_node 
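Review bot: `#% if item.ssh_key %#` assumes every inventory entry carries an `ssh_key` field, yet config.sample.yaml documents it as optional; a node that omits the key entirely will raise if the renderer runs with strict-undefined semantics (not visible here) instead of falling through. A defensive test is `#% if item.ssh_key is defined and item.ssh_key %#`. The same three lines are duplicated in the worker-loop hunk at `@@ -18,6 +21,9 @@`, where the fix applies equally; a shared macro would keep the two loops from drifting. The value is a path to a key file on the machine running Ansible (`ansible_ssh_private_key_file`), not key material, and if the rendered inventory is committed only the path, never the key itself, belongs in config.yaml.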
diff --git a/bootstrap/templates/ansible/playbooks/templates/custom-kube-vip-ds.yaml.j2 b/bootstrap/templates/ansible/playbooks/templates/custom-kube-vip-ds.yaml.j2
new file mode 100644
index 00000000..f62cab4d
--- /dev/null
+++ b/bootstrap/templates/ansible/playbooks/templates/custom-kube-vip-ds.yaml.j2
@@ -0,0 +1,2 @@
+---
+#% include 'partials/kube-vip-ds.partial.yaml.j2' %#
diff --git a/bootstrap/templates/ansible/playbooks/templates/custom-kube-vip-rbac.yaml.j2 b/bootstrap/templates/ansible/playbooks/templates/custom-kube-vip-rbac.yaml.j2
new file mode 100644
index 00000000..481c2e82
--- /dev/null
+++ b/bootstrap/templates/ansible/playbooks/templates/custom-kube-vip-rbac.yaml.j2
@@ -0,0 +1,2 @@
+---
+#% include 'partials/kube-vip-rbac.partial.yaml.j2' %#
diff --git a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml.j2
index 34b1a211..02a576dc 100644
--- a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml.j2
@@ -20,8 +20,6 @@ spec:
 cleanupOnFail: true
 remediation:
 retries: 3
- uninstall:
- keepHistory: false
 values:
 installCRDs: true
 dns01RecursiveNameservers: 1.1.1.1:53,9.9.9.9:53
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml.j2
index 2acdaf57..eadc13d0 100644
--- a/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml.j2
@@ -20,8 +20,6 @@ spec:
 cleanupOnFail: true
 remediation:
 retries: 3
- uninstall:
- keepHistory: false
 values:
 #% filter indent(width=4, first=True) %#
 #% include 'partials/cilium-values-full.partial.yaml.j2' %#
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/kube-vip/.mjfilter.py b/bootstrap/templates/kubernetes/apps/kube-system/kube-vip/.mjfilter.py
new file mode 100644
index 00000000..0979f9a6
--- /dev/null
+++ b/bootstrap/templates/kubernetes/apps/kube-system/kube-vip/.mjfilter.py
@@ -0,0 +1 @@
+main = lambda data: data.get("bootstrap_distribution", "k3s") in ["k3s"]
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/kube-vip/app/daemonset.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/kube-vip/app/daemonset.yaml.j2
new file mode 100644
index 00000000..f62cab4d
--- /dev/null
+++ b/bootstrap/templates/kubernetes/apps/kube-system/kube-vip/app/daemonset.yaml.j2
@@ -0,0 +1,2 @@
+---
+#% include 'partials/kube-vip-ds.partial.yaml.j2' %#
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/kube-vip/app/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/kube-vip/app/kustomization.yaml.j2
new file mode 100644
index 00000000..cbede828
--- /dev/null
+++ b/bootstrap/templates/kubernetes/apps/kube-system/kube-vip/app/kustomization.yaml.j2
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./rbac.yaml
+ - ./daemonset.yaml
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/kube-vip/app/rbac.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/kube-vip/app/rbac.yaml.j2
new file mode 100644
index 00000000..481c2e82
--- /dev/null
+++ b/bootstrap/templates/kubernetes/apps/kube-system/kube-vip/app/rbac.yaml.j2
@@ -0,0 +1,2 @@
+---
+#% include 'partials/kube-vip-rbac.partial.yaml.j2' %#
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/kube-vip/ks.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/kube-vip/ks.yaml.j2
new file mode 100644
index 00000000..fcd2c8ad
--- /dev/null
+++ b/bootstrap/templates/kubernetes/apps/kube-system/kube-vip/ks.yaml.j2
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app kube-vip
+ namespace: flux-system
+spec:
+ targetNamespace: kube-system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/kube-system/kube-vip/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2
index de34fa4c..dec622a0 100644
--- a/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2
@@ -20,8 +20,6 @@ spec:
 cleanupOnFail: true
 remediation:
 retries: 3
- uninstall:
- keepHistory: false
 values:
 #% filter indent(width=4, first=True) %#
 #% include 'partials/kubelet-csr-approver-values.partial.yaml.j2' %#
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/kustomization.yaml.j2
index f1547936..289af80e 100644
--- a/bootstrap/templates/kubernetes/apps/kube-system/kustomization.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/kube-system/kustomization.yaml.j2
@@ -4,11 +4,12 @@ kind: Kustomization
 resources:
 - ./namespace.yaml
 - ./cilium/ks.yaml
- #% if bootstrap_distribution in ["talos"] %#
- - ./kubelet-csr-approver/ks.yaml
- #% endif %#
 - ./metrics-server/ks.yaml
+ - ./reloader/ks.yaml
 #% if bootstrap_distribution in ["talos"] %#
+ - ./kubelet-csr-approver/ks.yaml
 - ./spegel/ks.yaml
 #% endif %#
- - ./reloader/ks.yaml
+ #% if bootstrap_distribution in ["k3s"] %#
+ - ./kube-vip/ks.yaml
+ #% endif %#
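Review bot: With `prune: true` this Kustomization takes ownership of the kube-vip DaemonSet and RBAC objects in kube-system, while the same partials are also delivered as k3s server manifests (`custom-kube-vip-ds.yaml` / `custom-kube-vip-rbac.yaml` listed in `group_vars/kubernetes/main.yaml.j2`), so two delivery paths now manage the same privileged objects. They render identical content today, but an edit on one path only would leave Flux and the k3s deploy controller re-applying different specs, and a resource dropped from the app directory would be pruned by Flux while the bootstrap still expects it. A comment on the new file would make the coupling visible, e.g. `# also applied by k3s from the server manifests rendered by the Ansible bootstrap; keep both paths on the shared partials`.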
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml.j2
index 1c435f4e..2ea3acf2 100644
--- a/bootstrap/templates/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml.j2
@@ -20,8 +20,6 @@ spec:
 cleanupOnFail: true
 remediation:
 retries: 3
- uninstall:
- keepHistory: false
 values:
 args:
 - --kubelet-insecure-tls
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml.j2
index 8f636562..9bbc0b4a 100644
--- a/bootstrap/templates/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml.j2
@@ -20,8 +20,6 @@ spec:
 cleanupOnFail: true
 remediation:
 retries: 3
- uninstall:
- keepHistory: false
 values:
 fullnameOverride: reloader
 reloader:
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml.j2
index 50c00d47..e1439970 100644
--- a/bootstrap/templates/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml.j2
@@ -20,8 +20,6 @@ spec:
 cleanupOnFail: true
 remediation:
 retries: 3
- uninstall:
- keepHistory: false
 values:
 spegel:
 containerdSock: /run/containerd/containerd.sock
diff --git a/bootstrap/templates/kubernetes/apps/network/cloudflared/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/cloudflared/app/helmrelease.yaml.j2
index 0a515b4c..c188ee70 100644
--- a/bootstrap/templates/kubernetes/apps/network/cloudflared/app/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/network/cloudflared/app/helmrelease.yaml.j2
@@ -20,8 +20,6 @@ spec:
 cleanupOnFail: true
 remediation:
 retries: 3
- uninstall:
- keepHistory: false
 values:
 controllers:
 main:
diff --git a/bootstrap/templates/kubernetes/apps/network/echo-server/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/echo-server/app/helmrelease.yaml.j2
index 95bb9b6b..7980dc80 100644
--- a/bootstrap/templates/kubernetes/apps/network/echo-server/app/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/network/echo-server/app/helmrelease.yaml.j2
@@ -20,8 +20,6 @@ spec:
 cleanupOnFail: true
 remediation:
 retries: 3
- uninstall:
- keepHistory: false
 values:
 controllers:
 main:
diff --git a/bootstrap/templates/kubernetes/apps/network/external-dns/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/external-dns/app/helmrelease.yaml.j2
index 76f90410..33679812 100644
--- a/bootstrap/templates/kubernetes/apps/network/external-dns/app/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/network/external-dns/app/helmrelease.yaml.j2
@@ -20,8 +20,6 @@ spec:
 cleanupOnFail: true
 remediation:
 retries: 3
- uninstall:
- keepHistory: false
 values:
 fullnameOverride: *app
 provider: cloudflare
diff --git a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2
index 597ccbb8..001ec0e1 100644
--- a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2
@@ -20,8 +20,6 @@ spec:
 cleanupOnFail: true
 remediation:
 retries: 3
- uninstall:
- keepHistory: false
 dependsOn:
 - name: cloudflared
 namespace: network
diff --git a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2
index 97134fb5..ae666a60 100644
--- a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2
@@ -21,8 +21,6 @@ spec:
 cleanupOnFail: true
 remediation:
 retries: 3
- uninstall:
- keepHistory: false
 values:
 fullnameOverride: ingress-nginx-internal
 controller:
diff --git a/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2
index 4349ac30..421c48d7 100644
--- a/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2
@@ -20,8 +20,6 @@ spec:
 cleanupOnFail: true
 remediation:
 retries: 3
- uninstall:
- keepHistory: false
 values:
 fullnameOverride: k8s-gateway
 domain: "${SECRET_DOMAIN}"
diff --git a/bootstrap/templates/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml.j2
index bf0afcd1..35eefea8 100644
--- a/bootstrap/templates/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml.j2
@@ -20,8 +20,6 @@ spec:
 cleanupOnFail: true
 remediation:
 retries: 3
- uninstall:
- keepHistory: false
 values:
 ndm:
 enabled: false
diff --git a/bootstrap/templates/kubernetes/apps/system-upgrade/k3s/app/plan.yaml.j2 b/bootstrap/templates/kubernetes/apps/system-upgrade/k3s/app/plan.yaml.j2
index 5412ea57..38784cd5 100644
--- a/bootstrap/templates/kubernetes/apps/system-upgrade/k3s/app/plan.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/system-upgrade/k3s/app/plan.yaml.j2
@@ -45,6 +45,6 @@ spec:
 operator: DoesNotExist
 prepare:
 image: rancher/k3s-upgrade
- args: ["prepare", "server"]
+ args: ["prepare", "controllers"]
 upgrade:
 image: rancher/k3s-upgrade
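Review bot: `args: ["prepare", "controllers"]` names the Plan that the agent upgrade waits on before it proceeds, so it must equal the controller Plan's `metadata.name`; that Plan lies outside this hunk and the diff shows no matching rename, so either it was already called `controllers` or agents will now wait on a Plan that does not exist. Confirm the controller Plan's name in the same file and add an adjacent comment such as `# must match metadata.name of the controller Plan in this file` so the pair stays in sync. The enclosing Plan spec starts outside the hunk.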
diff --git a/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml.j2
index f7718c38..2d86e7b9 100644
--- a/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml.j2
@@ -20,8 +20,6 @@ spec:
 cleanupOnFail: true
 remediation:
 retries: 3
- uninstall:
- keepHistory: false
 values:
 controllers:
 main:
@@ -30,7 +28,7 @@ spec:
 main:
 image:
 repository: docker.io/rancher/system-upgrade-controller
- tag: v0.13.3
+ tag: v0.13.4
 env:
 SYSTEM_UPGRADE_CONTROLLER_DEBUG: false
 SYSTEM_UPGRADE_CONTROLLER_THREADS: 2
diff --git a/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml.j2
index f1935fac..49f35511 100644
--- a/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml.j2
@@ -3,6 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 # renovate: datasource=github-releases depName=rancher/system-upgrade-controller
- - https://github.com/rancher/system-upgrade-controller/releases/download/v0.13.3/crd.yaml
+ - https://github.com/rancher/system-upgrade-controller/releases/download/v0.13.4/crd.yaml
 - helmrelease.yaml
 - rbac.yaml
diff --git a/config.sample.yaml b/config.sample.yaml
index 309daa7c..890f11d3 100644
--- a/config.sample.yaml
+++ b/config.sample.yaml
@@ -49,11 +49,12 @@ bootstrap_node_default_gateway: "" # (Required) Use only 1, 3 or more ODD number of controller nodes, recommended is 3 # Worker nodes are optional bootstrap_node_inventory: [] - # - name: "" # Name of the node (must match [a-z0-9-\.]+) - # address: "" # IP address of the node - # controller: true # (Required) Set to true if this is a controller node - # ssh_user: "" # (Required: k3s) SSH username of the node - # talos_disk: "" # (Required: Talos) Device path or serial number of the disk for this node + # - name: "" # (Required) Name of the node (must match [a-z0-9-\.]+) + # address: "" # (Required) IP address of the node + # controller: true # (Required) Set to true if this is a controller node + # ssh_user: "" # (Required: k3s) SSH username of the node + # talos_disk: "" # (Required: Talos) Device path or serial number of the disk for this node + # ssh_key: "" # (Optional: k3s) Set specific SSH key for this node # ... # (Optional) The DNS server to use for the cluster, this can be an existing
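Review bot: `ssh_key: "" # (Optional: k3s) Set specific SSH key for this node` does not say whether the value is a path or the key material; the inventory template feeds it to `ansible_ssh_private_key_file`, so it is a path on the workstation running Ansible, and an operator reading this sample could paste a private key into a config file that ends up committed. Suggest `ssh_key: "" # (Optional: k3s) Path to the SSH private key file used to reach this node (never the key itself)`. The surrounding commented inventory example is otherwise consistent with the new `(Required)` markers.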