diff --git a/.devcontainer/ci/features/install.sh b/.devcontainer/ci/features/install.sh index a41d9ab19..82bd4162e 100644 --- a/.devcontainer/ci/features/install.sh +++ b/.devcontainer/ci/features/install.sh @@ -24,6 +24,7 @@ for app in \ "direnv/direnv!!?as=direnv&type=script" \ "fluxcd/flux2!!?as=flux&type=script" \ "go-task/task!!?as=task&type=script" \ + "helmfile/helmfile!!?as=helmfile&type=script" \ "kubecolor/kubecolor!!?as=kubecolor&type=script" \ "kubernetes-sigs/krew!!?as=krew&type=script" \ "kubernetes-sigs/kustomize!!?as=kustomize&type=script" \ @@ -40,7 +41,7 @@ done mkdir -p /home/vscode/.config/fish/{completions,conf.d} # Setup autocompletions for fish -for tool in cilium flux helm k9s kubectl kustomize talhelper talosctl; do +for tool in cilium flux helm helmfile k9s kubectl kustomize talhelper talosctl; do $tool completion fish > /home/vscode/.config/fish/completions/$tool.fish done gh completion --shell fish > /home/vscode/.config/fish/completions/gh.fish diff --git a/.gitattributes b/.gitattributes index 07f507f78..56ac7921f 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,4 +1,3 @@ * text=auto eol=lf *.yaml.j2 linguist-language=YAML *.sops.* diff=sopsdiffer -*.sops.toml linguist-language=JSON diff --git a/.github/tests/config-k3s-ipv4.yaml b/.github/tests/config-k3s-ipv4.yaml index 606b45874..7948fee58 100644 --- a/.github/tests/config-k3s-ipv4.yaml +++ b/.github/tests/config-k3s-ipv4.yaml 
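Review bot: The new `"helmfile/helmfile!!?as=helmfile&type=script"` entry, like its neighbours, carries no release version, so each devcontainer build picks up whatever helmfile release is current at build time; the body of the `for app in \` loop that consumes these specs is outside the hunk, but the `type=script` form suggests an installer script is fetched and executed, which makes the image non-reproducible and re-trusts the release channel on every rebuild. Elsewhere in this same diff versions are pinned (`PROMETHEUS_OPERATOR_VERSION: v0.71.2` in the Flux Taskfile). If the installer accepts a version selector, pin helmfile the same way and note the expected release in a comment on the line, so a bump is a visible diff rather than a silent drift.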
@@ -1,46 +1,32 @@ --- skip_tests: true -distribution: - type: k3s - -timezone: Etc/UTC - -nodes: - host_network: 10.10.10.0/24 - dns_servers: ["1.1.1.1"] - search_domain: "fake" - inventory: - - name: k8s-controller-0 - address: 10.10.10.100 - controller: true - ssh_username: fake - - name: k8s-worker-0 - address: 10.10.10.101 - controller: false - ssh_username: fake - - -cluster: - pod_network: 10.69.0.0/16 - service_network: 10.96.0.0/16 - endpoint_vip: 10.10.10.254 - tls_sans: ["fake"] - -flux: - enabled: true - github: - username: onedr0p - address: https://github.com/onedr0p/cluster-template - branch: main - webhook: - enabled: true - token: fake - private: - enabled: false - sops_age_public_key: $BOOTSTRAP_AGE_PUBLIC_KEY - -cloudflare: +bootstrap_timezone: Etc/UTC +bootstrap_distribution: k3s +bootstrap_node_network: 10.10.10.0/24 +bootstrap_node_default_gateway: 10.10.10.1 +bootstrap_node_inventory: + - name: k8s-controller-0 + address: 10.10.10.100 + controller: true + ssh_user: fake + - name: k8s-worker-0 + address: 10.10.10.101 + controller: false + ssh_user: fake +bootstrap_dns_servers: ["1.1.1.1"] +bootstrap_search_domain: "fake" +bootstrap_pod_network: 10.69.0.0/16 +bootstrap_service_network: 10.96.0.0/16 +bootstrap_controllers_vip: 10.10.10.254 +bootstrap_tls_sans: ["fake"] +bootstrap_sops_age_pubkey: $BOOTSTRAP_AGE_PUBLIC_KEY +bootstrap_bgp: + enabled: false +bootstrap_github_address: https://github.com/onedr0p/cluster-template +bootstrap_github_branch: main +bootstrap_github_webhook_token: fake +bootstrap_cloudflare: enabled: true domain: fake token: take diff --git a/.github/tests/config-k3s-ipv6.yaml b/.github/tests/config-k3s-ipv6.yaml index f97137e2f..5efa50c6c 100644 --- a/.github/tests/config-k3s-ipv6.yaml +++ b/.github/tests/config-k3s-ipv6.yaml 
@@ -1,45 +1,32 @@ --- skip_tests: true -distribution: - type: k3s - -timezone: Etc/UTC - -nodes: - host_network: 10.10.10.0/24 - dns_servers: ["1.1.1.1"] - search_domain: "fake" - inventory: - - name: k8s-controller-0 - address: 10.10.10.100 - controller: true - ssh_username: fake - - name: k8s-worker-0 - address: 10.10.10.101 - controller: false - ssh_username: fake - -cluster: - pod_network: 10.42.0.0/16,fd7f:8f5:e87c:a::/64 - service_network: 10.43.0.0/16,fd7f:8f5:e87c:e::/112 - endpoint_vip: 10.10.10.254 - tls_sans: ["fake"] - -flux: - enabled: true - github: - username: onedr0p - address: https://github.com/onedr0p/cluster-template - branch: main - webhook: - enabled: true - token: fake - private: - enabled: false - sops_age_public_key: $BOOTSTRAP_AGE_PUBLIC_KEY - -cloudflare: +bootstrap_timezone: Etc/UTC +bootstrap_distribution: k3s +bootstrap_node_network: 10.10.10.0/24 +bootstrap_node_default_gateway: 10.10.10.1 +bootstrap_node_inventory: + - name: k8s-controller-0 + address: 10.10.10.100 + controller: true + ssh_user: fake + - name: k8s-worker-0 + address: 10.10.10.101 + controller: false + ssh_user: fake +bootstrap_dns_servers: ["1.1.1.1"] +bootstrap_search_domain: "fake" +bootstrap_pod_network: 10.42.0.0/16,fd7f:8f5:e87c:a::/64 +bootstrap_service_network: 10.43.0.0/16,fd7f:8f5:e87c:e::/112 +bootstrap_controllers_vip: 10.10.10.254 +bootstrap_tls_sans: ["fake"] +bootstrap_sops_age_pubkey: $BOOTSTRAP_AGE_PUBLIC_KEY +bootstrap_bgp: + enabled: false +bootstrap_github_address: https://github.com/onedr0p/cluster-template +bootstrap_github_branch: main +bootstrap_github_webhook_token: fake +bootstrap_cloudflare: enabled: true domain: fake token: take @@ -53,6 +40,3 @@ cloudflare: ingress_vip: 10.10.10.252 ingress_vip: 10.10.10.251 gateway_vip: 10.10.10.253 - -feature_gates: - dual_stack_ipv4_first: true diff --git a/.github/tests/config-talos.yaml b/.github/tests/config-talos.yaml index ab1ea6289..545a54694 100644 --- a/.github/tests/config-talos.yaml 
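Review bot: This fixture keeps dual-stack values for `bootstrap_pod_network` and `bootstrap_service_network` (`10.42.0.0/16,fd7f:8f5:e87c:a::/64`) while the trailing hunk deletes `feature_gates.dual_stack_ipv4_first` and no `bootstrap_feature_gates` key replaces it. The k3s templates changed in this same commit (controllers and workers `main.yaml.j2`) still branch on `bootstrap_feature_gates.dual_stack_ipv4_first`, so with this config the comma-separated CIDRs would land in the single-stack branch, and depending on how makejinja treats undefined variables the attribute lookup may raise instead. Either add `bootstrap_feature_gates:` with `dual_stack_ipv4_first: true` to this fixture, or drop the IPv6 halves so the fixture exercises only what the templates now support.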
+++ b/.github/tests/config-talos.yaml @@ -1,47 +1,34 @@ --- skip_tests: true -distribution: - type: talos - talos: - schematicID: "df491c50a5acc05b977ef00c32050e1ceb0df746e40b33c643ac8a9bfb7c7263" - -timezone: Etc/UTC - -nodes: - host_network: 10.10.10.0/24 - dns_servers: ["1.1.1.1"] - search_domain: "fake" - inventory: - - name: k8s-controller-0 - address: 10.10.10.100 - controller: true - talos_disk_device: fake - - name: k8s-worker-0 - address: 10.10.10.101 - controller: false - talos_disk_device: fake - -cluster: - pod_network: 10.69.0.0/16 - service_network: 10.96.0.0/16 - endpoint_vip: 10.10.10.254 - tls_sans: ["fake"] - -flux: - enabled: true - github: - username: onedr0p - address: https://github.com/onedr0p/cluster-template - branch: main - webhook: - enabled: true - token: fake - private: - enabled: false - sops_age_public_key: $BOOTSTRAP_AGE_PUBLIC_KEY - -cloudflare: +bootstrap_timezone: Etc/UTC +bootstrap_distribution: talos +boostrap_talos: + schematic_id: "df491c50a5acc05b977ef00c32050e1ceb0df746e40b33c643ac8a9bfb7c7263" +bootstrap_node_network: 10.10.10.0/24 +bootstrap_node_default_gateway: 10.10.10.1 +bootstrap_node_inventory: + - name: k8s-controller-0 + address: 10.10.10.100 + controller: true + talos_disk: fake + - name: k8s-worker-0 + address: 10.10.10.101 + controller: false + talos_disk: fake +bootstrap_dns_servers: ["1.1.1.1"] +bootstrap_search_domain: "fake" +bootstrap_pod_network: 10.69.0.0/16 +bootstrap_service_network: 10.96.0.0/16 +bootstrap_controllers_vip: 10.10.10.254 +bootstrap_tls_sans: ["fake"] +bootstrap_sops_age_pubkey: $BOOTSTRAP_AGE_PUBLIC_KEY +bootstrap_bgp: + enabled: false +bootstrap_github_address: https://github.com/onedr0p/cluster-template +bootstrap_github_branch: main +bootstrap_github_webhook_token: fake +bootstrap_cloudflare: enabled: true domain: fake token: take diff --git a/.taskfiles/Flux/Taskfile.yaml b/.taskfiles/Flux/Taskfile.yaml index 22f49fc5f..628154356 100644 --- a/.taskfiles/Flux/Taskfile.yaml 
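Review bot: The new key `boostrap_talos:` is misspelled — every other key in this fixture starts with `bootstrap_`, so a template or validator looking up `bootstrap_talos.schematic_id` will not find the schematic ID. Change the line to `bootstrap_talos:`. The consumer of this key is not in the diff, so whether the typo fails loudly or silently renders an empty schematic cannot be seen from here; with `skip_tests: true` on this fixture it would not be caught by CI either.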
+++ b/.taskfiles/Flux/Taskfile.yaml @@ -7,7 +7,7 @@ vars: PROMETHEUS_OPERATOR_VERSION: v0.71.2 CLUSTER_SECRET_SOPS_FILE: "{{.KUBERNETES_DIR}}/flux/vars/cluster-secrets.sops.yaml" CLUSTER_SETTINGS_FILE: "{{.KUBERNETES_DIR}}/flux/vars/cluster-settings.yaml" - GITHUB_DEPLOY_KEY_FILE: "{{.KUBERNETES_DIR}}/bootstrap/github-deploy-key.sops.yaml" + GITHUB_DEPLOY_KEY_FILE: "{{.KUBERNETES_DIR}}/bootstrap/flux/github-deploy-key.sops.yaml" tasks: @@ -18,7 +18,7 @@ tasks: - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/{{.PROMETHEUS_OPERATOR_VERSION}}/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/{{.PROMETHEUS_OPERATOR_VERSION}}/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/{{.PROMETHEUS_OPERATOR_VERSION}}/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml - - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --kustomize {{.KUBERNETES_DIR}}/bootstrap + - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --kustomize {{.KUBERNETES_DIR}}/bootstrap/flux - cat {{.AGE_FILE}} | kubectl -n flux-system create secret generic sops-age --from-file=age.agekey=/dev/stdin - sops --decrypt {{.CLUSTER_SECRET_SOPS_FILE}} | kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename - - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename {{.CLUSTER_SETTINGS_FILE}} diff --git a/.taskfiles/Kubernetes/Taskfile.yaml b/.taskfiles/Kubernetes/Taskfile.yaml index 2f410cde9..e4f52e0cb 100644 --- a/.taskfiles/Kubernetes/Taskfile.yaml +++ b/.taskfiles/Kubernetes/Taskfile.yaml 
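Review bot: Directly under the changed `--kustomize {{.KUBERNETES_DIR}}/bootstrap/flux` line, the `kubectl -n flux-system create secret generic sops-age` step is the only command in this task that does not pass `--kubeconfig {{.KUBECONFIG_FILE}}`, so the age decryption key is created in whatever cluster the ambient kubeconfig points at while every surrounding step targets the bootstrap cluster explicitly. It can also read the key file directly instead of piping `cat`: `- kubectl --kubeconfig {{.KUBECONFIG_FILE}} -n flux-system create secret generic sops-age --from-file=age.agekey={{.AGE_FILE}}`. The line predates this commit, but it is the step that lands the secret-decryption key, so it is worth aligning while the task is being touched.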
@@ -26,10 +26,7 @@ tasks: kubeconform: desc: Validate Kubernetes manifests with kubeconform - cmd: | - if [ -d "{{.KUBERNETES_DIR}}/flux" ]; then - bash {{.KUBECONFORM_SCRIPT}} {{.KUBERNETES_DIR}} - fi + cmd: bash {{.KUBECONFORM_SCRIPT}} {{.KUBERNETES_DIR}} preconditions: - { msg: "Missing kubeconform script", sh: "test -f {{.KUBECONFORM_SCRIPT}}" } diff --git a/.taskfiles/Talos/Taskfile.yaml b/.taskfiles/Talos/Taskfile.yaml index aa25bfb52..6ad1a58a7 100644 --- a/.taskfiles/Talos/Taskfile.yaml +++ b/.taskfiles/Talos/Taskfile.yaml @@ -3,7 +3,7 @@ version: "3" vars: - TALOS_DIR: "{{.KUBERNETES_DIR}}/talos" + TALOS_DIR: "{{.KUBERNETES_DIR}}/bootstrap/talos" TALHELPER_SECRET_FILE: "{{.TALOS_DIR}}/talhelper.sops.yaml" TALHELPER_CONFIG_FILE: "{{.TALOS_DIR}}/talconfig.yaml" @@ -21,7 +21,7 @@ tasks: - task: bootstrap-apply - task: bootstrap-install - task: fetch-kubeconfig - - task: bootstrap-core-apps + - task: bootstrap-apps - talosctl health --server=false bootstrap-gensecret: 
@@ -61,14 +61,13 @@ tasks: preconditions: - { msg: "Missing talhelper config file", sh: "test -f {{.TALHELPER_CONFIG_FILE}}" } - bootstrap-core-apps: - desc: Bootstrap Helm apps + bootstrap-apps: + desc: Bootstrap core apps needed for Talos dir: "{{.TALOS_DIR}}" cmds: - - until kubectl wait --for=condition=Ready=False nodes --all --timeout=600s; do sleep 10; done - - kubectl --kubeconfig {{.KUBECONFIG_FILE}} kustomize --enable-helm ./cilium | kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename - - - kubectl --kubeconfig {{.KUBECONFIG_FILE}} kustomize --enable-helm ./kubelet-csr-approver | kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename - - - until kubectl wait --for=condition=Ready nodes --all --timeout=600s; do sleep 10; done + - until kubectl --kubeconfig {{.KUBECONFIG_FILE}} wait --for=condition=Ready=False nodes --all --timeout=600s; do sleep 10; done + - helmfile --file ./apps/helmfile.yaml apply + - until kubectl --kubeconfig {{.KUBECONFIG_FILE}} wait --for=condition=Ready nodes --all --timeout=600s; do sleep 10; done preconditions: - { msg: "Missing kubeconfig", sh: "test -f {{.KUBECONFIG_FILE}}" } 
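Review bot: `helmfile --file ./apps/helmfile.yaml apply` is the only step in `bootstrap-apps` that does not receive `{{.KUBECONFIG_FILE}}`; the two `kubectl … wait` loops around it pass `--kubeconfig` explicitly, so helmfile (and the helm it drives) will act on whatever kubeconfig or context the caller's environment resolves to, which may not be the cluster just bootstrapped. Set it for the task, e.g. `env: { KUBECONFIG: "{{.KUBECONFIG_FILE}}" }` under `bootstrap-apps`, or pass helmfile's `--kube-context` if a context name is available. The `until … do sleep 10; done` loops on either side also retry without bound, so a node that never reaches Ready hangs the task forever; a retry cap would turn that into a failure.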
@@ -95,13 +94,13 @@ tasks: soft-nuke: desc: Resets nodes back to maintenance mode so you can re-deploy again straight after - prompt: "This will destroy your cluster and reset the nodes back to maintenance mode. Are you sure?" + prompt: This will destroy your cluster and reset the nodes back to maintenance mode... continue? dir: "{{.TALOS_DIR}}" cmd: talhelper gencommand reset --extra-flags "--reboot --system-labels-to-wipe STATE --system-labels-to-wipe EPHEMERAL --graceful=false --wait=false" | bash hard-nuke: desc: Resets nodes back completely and reboots them - prompt: "This will destroy your cluster and reset the nodes. Are you sure?" + prompt: This will destroy your cluster and reset the nodes... continue? dir: "{{.TALOS_DIR}}" cmd: talhelper gencommand reset --extra-flags "--reboot --graceful=false --wait=false" | bash diff --git a/.taskfiles/Workstation/Archfile b/.taskfiles/Workstation/Archfile index 419895de7..b1ad3160c 100644 --- a/.taskfiles/Workstation/Archfile +++ b/.taskfiles/Workstation/Archfile @@ -5,6 +5,7 @@ flux-bin go-task go-yq helm +helmfile jq kubeconform kubectl-bin diff --git a/.taskfiles/Workstation/Brewfile b/.taskfiles/Workstation/Brewfile index 82f85c607..0d31dc678 100644 --- a/.taskfiles/Workstation/Brewfile +++ b/.taskfiles/Workstation/Brewfile @@ -7,6 +7,7 @@ brew "direnv" brew "fluxcd/tap/flux" brew "go-task/tap/go-task" brew "helm" +brew "helmfile" brew "jq" brew "kubeconform" brew "kubernetes-cli" diff --git a/.taskfiles/Workstation/Taskfile.yaml b/.taskfiles/Workstation/Taskfile.yaml index 98ad24608..09f309f6c 100644 --- a/.taskfiles/Workstation/Taskfile.yaml +++ b/.taskfiles/Workstation/Taskfile.yaml @@ -56,6 +56,7 @@ tasks: - FiloSottile/age?as=age&type=script - fluxcd/flux2?as=flux&type=script - getsops/sops?as=sops&type=script + - helmfile/helmfile?as=helmfile&type=script - jqlang/jq?as=jq&type=script - kubernetes-sigs/kustomize?as=kustomize&type=script - siderolabs/talos?as=talosctl&type=script 
diff --git a/LICENSE b/LICENSE index 38d60cac8..ab784eded 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2023 onedr0p +Copyright (c) 2024 onedr0p Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index afec752ca..6185cd0fe 100644 --- a/README.md +++ b/README.md 
@@ -6,17 +6,12 @@ At a high level this project makes use of [makejinja](https://github.com/mirkole ## ✨ Features -The features included will depend on the type of configuration you want to use. There are currently **3 different types** of **configurations** available with this template. +The features included will depend on the type of configuration you want to use. There are currently **2 different types** of **configurations** available with this template. -1. **"Bare cluster"** - a Kubernetes distribution of your choosing: [k3s](https://github.com/k3s-io/k3s) or [Talos](https://github.com/siderolabs/talos) +1. **"Flux cluster"** - a Kubernetes distribution of your choosing: [k3s](https://github.com/k3s-io/k3s) or [Talos](https://github.com/siderolabs/talos). Deploys an opinionated implementation of [Flux](https://github.com/fluxcd/flux2) using [GitHub](https://github.com/) as the Git provider and [sops](https://github.com/getsops/sops) to manage secrets. - - **Required:** Debian 12 or Talos Linux installed on bare metal (or VMs) and some knowledge of [Containers](https://opencontainers.org/) and [YAML](https://yaml.org/). - - **Components:** [Cilium](https://github.com/cilium/cilium) and [kube-vip](https://github.com/kube-vip/kube-vip) _(k3s)_ - -2. **"Flux cluster"** - An addition to "**Bare cluster**" that deploys an opinionated implementation of [Flux](https://github.com/fluxcd/flux2) using [GitHub](https://github.com/) as the Git provider and [sops](https://github.com/getsops/sops) to manage secrets. - - - **Required:** Some knowledge of [Git](https://git-scm.com/) practices & terminology. - - **Components:** [flux](https://github.com/fluxcd/flux2), [cert-manager](https://github.com/cert-manager/cert-manager), [spegel](https://github.com/XenitAB/spegel), [reloader](https://github.com/stakater/Reloader), [system-upgrade-controller](https://github.com/rancher/system-upgrade-controller), and [openebs](https://github.com/openebs/openebs). 
+ - **Required:** Debian 12 or Talos Linux installed on bare metal (or VMs) and some knowledge of [Containers](https://opencontainers.org/) and [YAML](https://yaml.org/). Some knowledge of [Git](https://git-scm.com/) practices & terminology is also required. + - **Components:** [Cilium](https://github.com/cilium/cilium) and [kube-vip](https://github.com/kube-vip/kube-vip) _(k3s)_. [flux](https://github.com/fluxcd/flux2), [cert-manager](https://github.com/cert-manager/cert-manager), [spegel](https://github.com/XenitAB/spegel), [reloader](https://github.com/stakater/Reloader), [system-upgrade-controller](https://github.com/rancher/system-upgrade-controller), and [openebs](https://github.com/openebs/openebs). 3. **"Flux cluster with Cloudflare"** - An addition to "**Flux cluster**" that provides DNS and SSL with [Cloudflare](https://www.cloudflare.com/). [Cloudflare Tunnel](https://www.cloudflare.com/products/tunnel/) is also included to provide external access to certain applications deployed in your cluster. @@ -259,25 +254,20 @@ You have two different options for setting up your local workstation. task ansible:deps ``` -4. Verify Ansible can view your config +4. Verify Ansible can view your config and ping your nodes ```sh task ansible:list - ``` - -5. Verify Ansible can ping your nodes - - ```sh task ansible:ping ``` -6. Run the Ansible prepare playbook (nodes wil reboot when done) +5. Run the Ansible prepare playbook (nodes wil reboot when done) ```sh task ansible:run playbook=cluster-prepare ``` -7. Continue on to ⛵ [**Stage 5**](#-stage-5-install-kubernetes) +6. Continue on to ⛵ [**Stage 5**](#-stage-5-install-kubernetes) ### ⛵ Stage 5: Install Kubernetes @@ -294,7 +284,6 @@ You have two different options for setting up your local workstation. 1. Install Kubernetes depending on the distribution you chose ```sh - # Install k3s task ansible:run playbook=cluster-installation ``` 
@@ -317,9 +306,6 @@ You have two different options for setting up your local workstation. ### 🔹 Stage 6: Install Flux in your cluster -> [!NOTE] -> Skip this stage if you have **disabled** Flux in the `config.yaml` - 1. Verify Flux can be installed ```sh @@ -332,7 +318,7 @@ You have two different options for setting up your local workstation. 2. Install Flux and sync the cluster to the Git repository - 📍 _Run `task flux:github-deploy-key` first if using a private repository_ + 📍 _Run `task flux:github-deploy-key` first if using a private repository._ ```sh task flux:bootstrap @@ -352,7 +338,7 @@ You have two different options for setting up your local workstation. # source-controller-7d6875bcb4-zqw9f 1/1 Running 0 1h ``` -### 🎤 Flux w/ Cloudflare verification Steps +### 🎤 Verification Steps _Mic check, 1, 2_ - In a few moments applications should be lighting up like Christmas in July 🎄 
@@ -378,17 +364,17 @@ The `external-dns` application created in the `networking` namespace will handle #### 🏠 Home DNS -`k8s_gateway` will provide DNS resolution to external Kubernetes resources (i.e. points of entry to the cluster) from any device that uses your home DNS server. For this to work, your home DNS server must be configured to forward DNS queries for `${bootstrap_cloudflare_domain}` to `${bootstrap_k8s_gateway_addr}` instead of the upstream DNS server(s) it normally uses. This is a form of **split DNS** (aka split-horizon DNS / conditional forwarding). +`k8s_gateway` will provide DNS resolution to external Kubernetes resources (i.e. points of entry to the cluster) from any device that uses your home DNS server. For this to work, your home DNS server must be configured to forward DNS queries for `${bootstrap_cloudflare.domain}` to `${bootstrap_cloudflare.gateway_vip}` instead of the upstream DNS server(s) it normally uses. This is a form of **split DNS** (aka split-horizon DNS / conditional forwarding). > [!TIP] > Below is how to configure a Pi-hole for split DNS. Other platforms should be similar. > 1. Apply this file on the Pihole server while substituting the variables > ```sh > # /etc/dnsmasq.d/99-k8s-gateway-forward.conf -> server=/${bootstrap_cloudflare_domain}/${bootstrap_k8s_gateway_addr} +> server=/${bootstrap_cloudflare.domain}/${bootstrap_cloudflare.gateway_vip} > ``` > 2. Restart dnsmasq on the server. -> 3. Query an internal-only subdomain from your workstation (any `internal` class ingresses): `dig @${home-dns-server-ip} echo-server-internal.${bootstrap_cloudflare_domain}`. It should resolve to `${bootstrap_internal_ingress_addr}`. +> 3. Query an internal-only subdomain from your workstation (any `internal` class ingresses): `dig @${home-dns-server-ip} echo-server-internal.${bootstrap_cloudflare.domain}`. It should resolve to `${bootstrap_cloudflare.ingress_vip}`. 
If you're having trouble with DNS be sure to check out these two GitHub discussions: [Internal DNS](https://github.com/onedr0p/cluster-template/discussions/719) and [Pod DNS resolution broken](https://github.com/onedr0p/cluster-template/discussions/635). @@ -418,10 +404,10 @@ By default Flux will periodically check your git repository for changes. In orde 2. Piece together the full URL with the webhook path appended ```text - https://flux-webhook.${bootstrap_cloudflare_domain}/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123 + https://flux-webhook.${bootstrap_cloudflare.domain}/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123 ``` -3. Navigate to the settings of your repository on Github, under "Settings/Webhooks" press the "Add webhook" button. Fill in the webhook url and your `bootstrap_flux_github_webhook_token` secret and save. +3. Navigate to the settings of your repository on Github, under "Settings/Webhooks" press the "Add webhook" button. Fill in the webhook url and your `bootstrap_github_webhook_token` secret and save. ## 💥 Nuke @@ -430,10 +416,8 @@ There might be a situation where you want to destroy your Kubernetes cluster. Th ```sh # k3s: Remove all traces of k3s from the nodes task ansible:run playbook=cluster-nuke - # Talos: Reset your nodes back to maintenance mode and reboot task talos:soft-nuke - # Talos: Comletely format your the Talos installation and reboot task talos:hard-nuke ``` diff --git a/bootstrap/scripts/validation.py b/bootstrap/scripts/validation.py index 500906630..ef3e0bb6c 100644 --- a/bootstrap/scripts/validation.py +++ b/bootstrap/scripts/validation.py @@ -6,7 +6,7 @@ import sys DISTRIBUTIONS = ["k3s", "talos"] -GLOBAL_CLI_TOOLS = ["age", "cloudflared", "flux", "sops", "jq", "kubeconform", "kustomize"] +GLOBAL_CLI_TOOLS = ["age", "cloudflared", "flux", "helmfile", "sops", "jq", "kubeconform", "kustomize"] TALOS_CLI_TOOLS = ["talosctl", "talhelper"] def required(*keys: str): 
@@ -20,15 +20,6 @@ def wrapper(data: dict, *args, **kwargs) -> None: return wrapper return wrapper_outter -def _validate_network(network: str, family: int) -> str: - try: - network = netaddr.IPNetwork(network) - if network.version != family: - raise ValueError(f"Invalid network family {network.version}") - except netaddr.core.AddrFormatError as e: - raise ValueError(f"Invalid network {network}") from e - return network - def validate_python_version() -> None: required_version = (3, 11, 0) @@ -36,11 +27,10 @@ def validate_python_version() -> None: raise ValueError(f"Python version is below 3.11. Please upgrade.") -@required("distribution") +@required("bootstrap_distribution") def validate_cli_tools(distribution: dict, **_) -> None: - distro = distribution.get("type") - if distro not in DISTRIBUTIONS: - raise ValueError(f"Invalid distribution {distro}") + if distribution not in DISTRIBUTIONS: + raise ValueError(f"Invalid distribution {distribution}") for tool in GLOBAL_CLI_TOOLS: if not which(tool): raise ValueError(f"Missing required CLI tool {tool}") 
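Review bot: `validate_cli_tools` still annotates `distribution: dict` although the value bound from `bootstrap_distribution` is now the plain string compared against `DISTRIBUTIONS`; the same stale annotation is on `validate_distribution` in the next hunk, so change both to `distribution: str`. How `required` binds the key to the parameter is outside the hunk (the `wrapper` body is not shown): if it passes keyword arguments named after the config key, renaming the key to `bootstrap_distribution` while the parameter stays `distribution` would route the value into `**_` and leave `distribution` unbound, so this is worth confirming against the decorator. The distribution check is now duplicated verbatim between `validate_cli_tools` and `validate_distribution`; `validate_cli_tools` could drop its copy and rely on `validate_distribution`, which `validate()` already calls.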
@@ -49,65 +39,20 @@ def validate_cli_tools(distribution: dict, **_) -> None: raise ValueError(f"Missing required CLI tool {tool}") -@required("distribution") +@required("bootstrap_distribution") def validate_distribution(distribution: dict, **_) -> None: - distro = distribution.get("type") - if distro not in DISTRIBUTIONS: - raise ValueError(f"Invalid distribution {distro}") + if distribution not in DISTRIBUTIONS: + raise ValueError(f"Invalid distribution {distribution}") -@required("timezone") +@required("bootstrap_timezone") def validate_timezone(timezone: str, **_) -> None: if timezone not in available_timezones(): raise ValueError(f"Invalid timezone {timezone}") -@required("cluster", "feature_gates") -def validate_cluster_networks(cluster: dict, feature_gates: dict, **_) -> None: - dual_stack_ipv4_first = feature_gates.get("dual_stack_ipv4_first", False) - pod_network = cluster.get("pod_network") - service_network = cluster.get("service_network") - - if pod_network == service_network: - raise ValueError(f"Pod network {pod_network} is the same as service network {service_network}") - - if dual_stack_ipv4_first: - if len(pod_network.split(",")) != 2: - raise ValueError(f"Invalid pod network {pod_network}") - if len(service_network.split(",")) != 2: - raise ValueError(f"Invalid service network {service_network}") - cluster_ipv4, cluster_ipv6 = pod_network.split(",") - _validate_network(cluster_ipv4, 4) - _validate_network(cluster_ipv6, 6) - service_ipv4, service_ipv6 = service_network.split(",") - _validate_network(service_ipv4, 4) - _validate_network(service_ipv6, 6) - return - - if len(pod_network.split(",")) != 1: - raise ValueError(f"Invalid pod network {pod_network}") - if len(service_network.split(",")) != 1: - raise ValueError(f"Invalid service network {service_network}") - - _validate_network(pod_network, 4) - _validate_network(service_network, 4) - - -def massage_config(data: dict) -> dict: - data["distribution"] = data.get("distribution", {}) - 
data["nodes"] = data.get("nodes", []) - data["cluster"] = data.get("cluster", {}) - data["flux"] = data.get("flux", {}) - data["cloudflare"] = data.get("cloudflare", {}) - data["feature_gates"] = data.get("feature_gates", {}) - return data - - def validate(data: dict) -> None: - user_config = massage_config(data) - validate_python_version() - validate_cli_tools(user_config) - validate_distribution(user_config) - validate_timezone(user_config) - validate_cluster_networks(user_config) + validate_cli_tools(data) + validate_distribution(data) + validate_timezone(data) diff --git a/bootstrap/templates/.sops.yaml.j2 b/bootstrap/templates/.sops.yaml.j2 index 4eba71f0e..4cec52614 100644 --- a/bootstrap/templates/.sops.yaml.j2 +++ b/bootstrap/templates/.sops.yaml.j2 @@ -1,22 +1,20 @@ -{% if flux.enabled %} --- creation_rules: - {% if distribution.type in ["talos"] %} + #% if bootstrap_distribution in ["talos"] %# - # IMPORTANT: This rule MUST be above the others path_regex: talos/.*\.sops\.ya?ml key_groups: - age: - - "{{ flux.sops_age_public_key }}" - {% endif %} + - "#{ bootstrap_sops_age_pubkey }#" + #% endif %# - path_regex: kubernetes/.*\.sops\.ya?ml encrypted_regex: "^(data|stringData)$" key_groups: - age: - - "{{ flux.sops_age_public_key }}" - {% if distribution.type in ["k3s"] %} + - "#{ bootstrap_sops_age_pubkey }#" + #% if bootstrap_distribution in ["k3s"] %# - path_regex: ansible/.*\.sops\.ya?ml key_groups: - age: - - "{{ flux.sops_age_public_key }}" - {% endif %} -{% endif %} + - "#{ bootstrap_sops_age_pubkey }#" + #% endif %# diff --git a/bootstrap/templates/ansible/.mjfilter.py b/bootstrap/templates/ansible/.mjfilter.py index c6bb3e8b1..0979f9a64 100644 --- a/bootstrap/templates/ansible/.mjfilter.py +++ b/bootstrap/templates/ansible/.mjfilter.py @@ -1 +1 @@ -main = lambda data: data.get("distribution", {}).get("type", "k3s") in ["k3s"] +main = lambda data: data.get("bootstrap_distribution", "k3s") in ["k3s"] 
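Review bot: `validate_cluster_networks` and its `_validate_network` helper are removed without a replacement, so `bootstrap_pod_network` and `bootstrap_service_network` are no longer checked for CIDR syntax, address family, or pod/service equality before they are templated into `cluster-cidr` / `service-cidr` in the controllers `main.yaml.j2`, where a malformed value only surfaces when k3s starts. A small validator on the renamed keys keeps that check; the sketch below parses each comma-separated member so the dual-stack fixture in `config-k3s-ipv6.yaml` still passes, uses `netaddr` as the removed helper did (keep that import if it was dropped elsewhere in the file), and names its parameters after the config keys so it binds whether `required` passes positionally or by keyword. It would also need a `validate_cluster_networks(data)` call added to `validate()` in this hunk.
```python
@required("bootstrap_pod_network", "bootstrap_service_network")
def validate_cluster_networks(bootstrap_pod_network: str, bootstrap_service_network: str, **_) -> None:
    if bootstrap_pod_network == bootstrap_service_network:
        raise ValueError(f"Pod network {bootstrap_pod_network} is the same as service network {bootstrap_service_network}")
    # each value may be a single CIDR or an IPv4,IPv6 pair (see config-k3s-ipv6.yaml)
    for network in (*bootstrap_pod_network.split(","), *bootstrap_service_network.split(",")):
        try:
            netaddr.IPNetwork(network)
        except netaddr.core.AddrFormatError as e:
            raise ValueError(f"Invalid network {network}") from e
```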
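Review bot: With `TALOS_DIR` moved to `{{.KUBERNETES_DIR}}/bootstrap/talos` in this commit, the talhelper secrets now live under `kubernetes/`, so both the `talos/.*\.sops\.ya?ml` rule and the `kubernetes/.*\.sops\.ya?ml` rule match them (sops evaluates `path_regex` as an unanchored search and takes the first rule that matches). The `# IMPORTANT: This rule MUST be above the others` comment is therefore now the only thing keeping `encrypted_regex: "^(data|stringData)$"` from applying to the talos secrets file, which would leave every key outside `data`/`stringData` in cleartext on commit. Make that dependency explicit, e.g. `# IMPORTANT: keep above the kubernetes/ rule - both regexes match kubernetes/bootstrap/talos/*.sops.yaml and that rule's encrypted_regex would leave talhelper secrets unencrypted`, or narrow the talos rule to `path_regex: kubernetes/bootstrap/talos/.*\.sops\.ya?ml` so its intent matches the new layout.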
diff --git a/bootstrap/templates/ansible/inventory/group_vars/controllers/main.yaml.j2 b/bootstrap/templates/ansible/inventory/group_vars/controllers/main.yaml.j2 index c86767779..a5796e352 100644 --- a/bootstrap/templates/ansible/inventory/group_vars/controllers/main.yaml.j2 +++ b/bootstrap/templates/ansible/inventory/group_vars/controllers/main.yaml.j2 @@ -1,13 +1,13 @@ --- k3s_control_node: true k3s_server: - {% if feature_gates.dual_stack_ipv4_first %} - cluster-cidr: "{{ cluster.pod_network.split(',')[0] }},{{ cluster.pod_network.split(',')[1] }}" - service-cidr: "{{ cluster.service_network.split(',')[0] }},{{ cluster.service_network.split(',')[1] }}" - {% else %} - cluster-cidr: "{{ cluster.pod_network }}" - service-cidr: "{{ cluster.service_network }}" - {% endif %} + #% if bootstrap_feature_gates.dual_stack_ipv4_first %# + cluster-cidr: "#{ bootstrap_pod_network.split(',')[0] }#,#{ bootstrap_pod_network.split(',')[1] }#" + service-cidr: "#{ bootstrap_service_network.split(',')[0] }#,#{ bootstrap_service_network.split(',')[1] }#" + #% else %# + cluster-cidr: "#{ bootstrap_pod_network }#" + service-cidr: "#{ bootstrap_service_network }#" + #% endif %# disable: ["flannel", "local-storage", "metrics-server", "servicelb", "traefik"] disable-cloud-controller: true disable-kube-proxy: true 
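Review bot: `#% if bootstrap_feature_gates.dual_stack_ipv4_first %#` keys on a nested `bootstrap_feature_gates` object that nothing in this commit defines: the test fixtures drop `feature_gates`, every other nested section is replaced by a flat `bootstrap_*` key, and `validation.py` stops reading the gate. The same conditional appears in the `kubelet-arg`/`node-ip` hunk of this file and in `workers/main.yaml.j2`. Unless makejinja is configured with a permissive undefined type, an undefined `bootstrap_feature_gates` raises on the `.dual_stack_ipv4_first` lookup for every k3s render. If dual-stack is being dropped, delete the branch and keep only `cluster-cidr: "#{ bootstrap_pod_network }#"` and `service-cidr: "#{ bootstrap_service_network }#"`; otherwise document `bootstrap_feature_gates` as a config key and guard the lookup, e.g. `#% if bootstrap_feature_gates is defined and bootstrap_feature_gates.dual_stack_ipv4_first %#`.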
@@ -25,16 +25,16 @@ k3s_server: kubelet-arg: - "image-gc-high-threshold=55" - "image-gc-low-threshold=50" - {% if feature_gates.dual_stack_ipv4_first %} - node-ip: "{% raw %}{{ ansible_host }}{% endraw %},{% raw %}{{ ansible_default_ipv6.address }}{% endraw %}" - {% else %} - node-ip: "{% raw %}{{ ansible_host }}{% endraw %}" - {% endif %} + #% if bootstrap_feature_gates.dual_stack_ipv4_first %# + node-ip: "{{ ansible_host }},{{ ansible_default_ipv6.address }}" + #% else %# + node-ip: "{{ ansible_host }}" + #% endif %# pause-image: registry.k8s.io/pause:3.9 secrets-encryption: true tls-san: - - "{{ cluster.endpoint_vip }}" - {% for item in cluster.tls_sans %} - - "{{ item }}" - {% endfor %} + - "#{ bootstrap_controllers_vip }#" + #% for item in bootstrap_tls_sans %# + - "#{ item }#" + #% endfor %# write-kubeconfig-mode: "644" diff --git a/bootstrap/templates/ansible/inventory/group_vars/kubernetes/main.yaml.j2 b/bootstrap/templates/ansible/inventory/group_vars/kubernetes/main.yaml.j2 index f36ddb374..bf1aeb1ba 100644 --- a/bootstrap/templates/ansible/inventory/group_vars/kubernetes/main.yaml.j2 +++ b/bootstrap/templates/ansible/inventory/group_vars/kubernetes/main.yaml.j2 @@ -2,7 +2,7 @@ k3s_become: true k3s_etcd_datastore: true k3s_install_hard_links: true -k3s_registration_address: "{{ cluster.endpoint_vip }}" +k3s_registration_address: "#{ bootstrap_controllers_vip }#" k3s_registries: mirrors: docker.io: diff --git a/bootstrap/templates/ansible/inventory/group_vars/workers/.mjfilter.py b/bootstrap/templates/ansible/inventory/group_vars/workers/.mjfilter.py index 6de73cf6d..8fb17eac5 100644 --- a/bootstrap/templates/ansible/inventory/group_vars/workers/.mjfilter.py +++ b/bootstrap/templates/ansible/inventory/group_vars/workers/.mjfilter.py 
@@ -1,9 +1,9 @@ main = lambda data: ( - data.get("distribution").get("type", "k3s") in ["k3s"] and + data.get("bootstrap_distribution", "k3s") in ["k3s"] and len( list( filter( - lambda item: "controller" in item and item["controller"] is False, data.get("nodes").get("inventory") + lambda item: "controller" in item and item["controller"] is False, data.get("bootstrap_node_inventory") ) ) ) > 0 diff --git a/bootstrap/templates/ansible/inventory/group_vars/workers/main.yaml.j2 b/bootstrap/templates/ansible/inventory/group_vars/workers/main.yaml.j2 index 8318f037d..428852e04 100644 --- a/bootstrap/templates/ansible/inventory/group_vars/workers/main.yaml.j2 +++ b/bootstrap/templates/ansible/inventory/group_vars/workers/main.yaml.j2 @@ -4,9 +4,9 @@ k3s_agent: kubelet-arg: - "image-gc-high-threshold=55" - "image-gc-low-threshold=50" - {% if feature_gates.dual_stack_ipv4_first %} - node-ip: "{% raw %}{{ ansible_host }}{% endraw %},{% raw %}{{ ansible_default_ipv6.address }}{% endraw %}" - {% else %} - node-ip: "{% raw %}{{ ansible_host }}{% endraw %}" - {% endif %} + #% if bootstrap_feature_gates.dual_stack_ipv4_first %# + node-ip: "{{ ansible_host }},{{ ansible_default_ipv6.address }}" + #% else %# + node-ip: "{{ ansible_host }}" + #% endif %# pause-image: registry.k8s.io/pause:3.9 diff --git a/bootstrap/templates/ansible/inventory/hosts.yaml.j2 b/bootstrap/templates/ansible/inventory/hosts.yaml.j2 index 663991cac..8960a23da 100644 --- a/bootstrap/templates/ansible/inventory/hosts.yaml.j2 +++ b/bootstrap/templates/ansible/inventory/hosts.yaml.j2 
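Review bot: `data.get("bootstrap_node_inventory")` returns `None` when the key is absent, and `filter()` then raises `TypeError` from inside this filter rather than a readable validation message; the `data.get("bootstrap_distribution", "k3s")` lookup on the line above defaults, so the two are inconsistent. Use `data.get("bootstrap_node_inventory", [])` so a config without an inventory simply yields no workers group, and leave the missing-key error to `validation.py` if one is wanted there. The sibling `hosts.yaml.j2` decides the same question with `selectattr('controller', 'equalto', False)`; the two predicates agree today, but a shared helper or a comment cross-referencing them would keep them from drifting.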
@@ -3,21 +3,21 @@ kubernetes: children: controllers: hosts: - {% for item in nodes.inventory %} - {% if item.controller %} - "{{ item.name }}": - ansible_user: "{{ item.ssh_username }}" - ansible_host: "{{ item.address }}" - {% endif %} - {% endfor %} - {% if nodes.inventory | selectattr('controller', 'equalto', False) | list | length %} + #% for item in bootstrap_node_inventory %# + #% if item.controller %# + "#{ item.name }#": + ansible_user: "#{ item.ssh_user }#" + ansible_host: "#{ item.address }#" + #% endif %# + #% endfor %# + #% if bootstrap_node_inventory | selectattr('controller', 'equalto', False) | list | length %# workers: hosts: - {% for item in nodes.inventory %} - {% if not item.controller %} - "{{ item.name }}": - ansible_user: "{{ item.ssh_username }}" - ansible_host: "{{ item.address }}" - {% endif %} - {% endfor %} - {% endif %} + #% for item in bootstrap_node_inventory %# + #% if not item.controller %# + "#{ item.name }#": + ansible_user: "#{ item.ssh_user }#" + ansible_host: "#{ item.address }#" + #% endif %# + #% endfor %# + #% endif %# diff --git a/bootstrap/templates/ansible/playbooks/cluster-installation.yaml.j2 b/bootstrap/templates/ansible/playbooks/cluster-installation.yaml.j2 index 8bc095523..54c2f87aa 100644 --- a/bootstrap/templates/ansible/playbooks/cluster-installation.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/cluster-installation.yaml.j2 @@ -42,9 +42,9 @@ or k3s_server_manifests_urls | length > 0) kubernetes.core.k8s_info: kubeconfig: /etc/rancher/k3s/k3s.yaml - kind: "{% raw %}{{ item.kind }}{% endraw %}" - name: "{% raw %}{{ item.name }}{% endraw %}" - namespace: "{% raw %}{{ item.namespace | default('') }}{% endraw %}" + kind: "{{ item.kind }}" + name: "{{ item.name }}" + namespace: "{{ item.namespace | default('') }}" wait: true wait_sleep: 10 wait_timeout: 360 
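Review bot: `"#{ item.name }#":` becomes the Ansible `inventory_hostname`, which later hunks pass straight into `ansible.builtin.hostname` and the `/etc/hosts` content (cluster-prepare, L23) and into `ansible.builtin.command: "k3s kubectl get node {{ inventory_hostname }} -o json"` (cluster-rollout-update, L25), so a name containing whitespace or characters outside the RFC 1123 label set fails in those tasks rather than at config time. Unless the config validation step already constrains it, I would reject names not matching `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$` before rendering; `item.ssh_user` and `item.address`, which land in `ansible_user` and `ansible_host`, deserve the same treatment. The `#% if bootstrap_node_inventory | selectattr('controller', 'equalto', False) | list | length %#` guard is consistent with the workers `.mjfilter.py` gate on L20.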
diff --git a/bootstrap/templates/ansible/playbooks/cluster-kube-vip.yaml.j2 b/bootstrap/templates/ansible/playbooks/cluster-kube-vip.yaml.j2 index e72b6ea66..d3ff98bf6 100644 --- a/bootstrap/templates/ansible/playbooks/cluster-kube-vip.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/cluster-kube-vip.yaml.j2 @@ -20,5 +20,5 @@ - name: Upgrade kube-vip ansible.builtin.template: src: templates/kube-vip-ds.yaml.j2 - dest: "{% raw %}{{ k3s_server_manifests_dir }}{% endraw %}/kube-vip-ds.yaml" + dest: "{{ k3s_server_manifests_dir }}/kube-vip-ds.yaml" mode: preserve diff --git a/bootstrap/templates/ansible/playbooks/cluster-nuke.yaml.j2 b/bootstrap/templates/ansible/playbooks/cluster-nuke.yaml.j2 index ea7ea6e56..a99265b89 100644 --- a/bootstrap/templates/ansible/playbooks/cluster-nuke.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/cluster-nuke.yaml.j2 @@ -36,17 +36,17 @@ block: - name: Networking | Delete Cilium links ansible.builtin.command: - cmd: "ip link delete {% raw %}{{ item }}{% endraw %}" - removes: "/sys/class/net/{% raw %}{{ item }}{% endraw %}" + cmd: "ip link delete {{ item }}" + removes: "/sys/class/net/{{ item }}" loop: ["cilium_host", "cilium_net", "cilium_vxlan"] - name: Networking | Flush iptables ansible.builtin.iptables: - table: "{% raw %}{{ item }}{% endraw %}" + table: "{{ item }}" flush: true loop: ["filter", "nat", "mangle", "raw"] - name: Networking | Flush ip6tables ansible.builtin.iptables: - table: "{% raw %}{{ item }}{% endraw %}" + table: "{{ item }}" flush: true ip_version: ipv6 loop: ["filter", "nat", "mangle", "raw"] @@ -86,7 +86,7 @@ - k3s_install_hard_links - not ansible_check_mode ansible.builtin.file: - path: "{% raw %}{{ k3s_install_dir }}{% endraw %}/{% raw %}{{ item }}{% endraw %}" + path: "{{ k3s_install_dir }}/{{ item }}" state: absent loop: ["kubectl", "crictl", "ctr"] 
diff --git a/bootstrap/templates/ansible/playbooks/cluster-prepare.yaml.j2 b/bootstrap/templates/ansible/playbooks/cluster-prepare.yaml.j2 index 4b667d88d..364418bcf 100644 --- a/bootstrap/templates/ansible/playbooks/cluster-prepare.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/cluster-prepare.yaml.j2 @@ -15,7 +15,7 @@ block: - name: Locale | Set timezone community.general.timezone: - name: "{{ timezone }}" + name: "#{ bootstrap_timezone }#" - name: Packages block: @@ -32,12 +32,12 @@ block: - name: Network Configuration | Set hostname ansible.builtin.hostname: - name: "{% raw %}{{ inventory_hostname }}{% endraw %}" + name: "{{ inventory_hostname }}" - name: Network Configuration | Update hosts ansible.builtin.copy: content: | 127.0.0.1 localhost - 127.0.1.1 {% raw %}{{ inventory_hostname }}{% endraw %} + 127.0.1.1 {{ inventory_hostname }} # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback @@ -61,10 +61,10 @@ mode: '0644' dest: /etc/resolv.conf content: | - search {{ nodes.search_domain|default('.', true) }} - {% for item in nodes.dns_servers | default(['1.1.1.1', '1.0.0.1']) %} - nameserver {{ item }} - {% endfor %} + search #{ bootstrap_search_domain|default('.', true) }# + #% for item in bootstrap_dns_servers | default(['1.1.1.1', '1.0.0.1']) %# + nameserver #{ item }# + #% endfor %# - name: System Configuration notify: Reboot 
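Review bot: `bootstrap_dns_servers | default(['1.1.1.1', '1.0.0.1'])` only substitutes when the variable is undefined, so an empty list in the config renders `/etc/resolv.conf` with a `search` line and no `nameserver` entries; the `search` line directly above already uses the two-argument form for exactly this case, so `#% for item in bootstrap_dns_servers | default(['1.1.1.1', '1.0.0.1'], true) %#` would be consistent and safe. The task's `- name:` and `ansible.builtin.copy:` header lies before the start of this hunk.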
@@ -77,15 +77,15 @@ masked: true - name: System Configuration | Disable swap ansible.posix.mount: - name: "{% raw %}{{ item }}{% endraw %}" + name: "{{ item }}" fstype: swap state: absent loop: ["none", "swap"] - name: System Configuration | Create Kernel modules ansible.builtin.copy: - dest: "/etc/modules-load.d/{% raw %}{{ item }}{% endraw %}.conf" + dest: "/etc/modules-load.d/{{ item }}.conf" mode: "0644" - content: "{% raw %}{{ item }}{% endraw %}" + content: "{{ item }}" loop: ["br_netfilter", "ceph", "ip_vs", "ip_vs_rr", "nbd", "overlay", "rbd"] register: modules_status - name: System Configuration | Reload Kernel modules # noqa: no-changed-when no-handler @@ -95,11 +95,11 @@ state: restarted - name: System Configuration | Sysctl ansible.posix.sysctl: - name: "{% raw %}{{ item.key }}{% endraw %}" - value: "{% raw %}{{ item.value }}{% endraw %}" + name: "{{ item.key }}" + value: "{{ item.value }}" sysctl_file: /etc/sysctl.d/99-kubernetes.conf reload: true - with_dict: "{% raw %}{{ sysctl_config }}{% endraw %}" + with_dict: "{{ sysctl_config }}" vars: sysctl_config: fs.inotify.max_queued_events: 65536 diff --git a/bootstrap/templates/ansible/playbooks/cluster-rollout-update.yaml.j2 b/bootstrap/templates/ansible/playbooks/cluster-rollout-update.yaml.j2 index a6f914159..acad8fd60 100644 --- a/bootstrap/templates/ansible/playbooks/cluster-rollout-update.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/cluster-rollout-update.yaml.j2 @@ -11,9 +11,9 @@ seconds: 5 tasks: - name: Details - ansible.builtin.command: "k3s kubectl get node {% raw %}{{ inventory_hostname }}{% endraw %} -o json" + ansible.builtin.command: "k3s kubectl get node {{ inventory_hostname }} -o json" register: kubectl_get_node - delegate_to: "{% raw %}{{ groups['controllers'][0] }}{% endraw %}" + delegate_to: "{{ groups['controllers'][0] }}" failed_when: false changed_when: false 
@@ -26,14 +26,14 @@ block: - name: Cordon kubernetes.core.k8s_drain: - name: "{% raw %}{{ inventory_hostname }}{% endraw %}" + name: "{{ inventory_hostname }}" kubeconfig: /etc/rancher/k3s/k3s.yaml state: cordon - delegate_to: "{% raw %}{{ groups['controllers'][0] }}{% endraw %}" + delegate_to: "{{ groups['controllers'][0] }}" - name: Drain kubernetes.core.k8s_drain: - name: "{% raw %}{{ inventory_hostname }}{% endraw %}" + name: "{{ inventory_hostname }}" kubeconfig: /etc/rancher/k3s/k3s.yaml state: drain delete_options: @@ -43,7 +43,7 @@ wait_timeout: 900 pod_selectors: - app!=rook-ceph-osd # Rook Ceph - delegate_to: "{% raw %}{{ groups['controllers'][0] }}{% endraw %}" + delegate_to: "{{ groups['controllers'][0] }}" - name: Update ansible.builtin.apt: @@ -64,7 +64,7 @@ - name: Uncordon kubernetes.core.k8s_drain: - name: "{% raw %}{{ inventory_hostname }}{% endraw %}" + name: "{{ inventory_hostname }}" kubeconfig: /etc/rancher/k3s/k3s.yaml state: uncordon - delegate_to: "{% raw %}{{ groups['controllers'][0] }}{% endraw %}" + delegate_to: "{{ groups['controllers'][0] }}" diff --git a/bootstrap/templates/ansible/playbooks/tasks/cruft.yaml.j2 b/bootstrap/templates/ansible/playbooks/tasks/cruft.yaml.j2 index 18b757502..736974763 100644 --- a/bootstrap/templates/ansible/playbooks/tasks/cruft.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/tasks/cruft.yaml.j2 @@ -3,7 +3,7 @@ block: - name: Cruft | Get list of custom manifests ansible.builtin.find: - paths: "{% raw %}{{ k3s_server_manifests_dir }}{% endraw %}" + paths: "{{ k3s_server_manifests_dir }}" file_type: file use_regex: true patterns: ["^custom-.*"] @@ -11,9 +11,9 @@ - name: Cruft | Delete custom manifests ansible.builtin.file: - path: "{% raw %}{{ item.path }}{% endraw %}" + path: "{{ item.path }}" state: absent - loop: "{% raw %}{{ custom_manifest.files }}{% endraw %}" + loop: "{{ custom_manifest.files }}" - name: Cruft | Get list of custom addons kubernetes.core.k8s_info: 
@@ -24,8 +24,8 @@ - name: Cruft | Delete addons kubernetes.core.k8s: kubeconfig: /etc/rancher/k3s/k3s.yaml - name: "{% raw %}{{ item.metadata.name }}{% endraw %}" + name: "{{ item.metadata.name }}" kind: Addon namespace: kube-system state: absent - loop: "{% raw %}{{ addons_list.resources | selectattr('metadata.name', 'match', '^custom-.*') | list }}{% endraw %}" + loop: "{{ addons_list.resources | selectattr('metadata.name', 'match', '^custom-.*') | list }}" diff --git a/bootstrap/templates/ansible/playbooks/tasks/kubeconfig.yaml.j2 b/bootstrap/templates/ansible/playbooks/tasks/kubeconfig.yaml.j2 index a3a0681aa..56bf684e5 100644 --- a/bootstrap/templates/ansible/playbooks/tasks/kubeconfig.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/tasks/kubeconfig.yaml.j2 @@ -13,7 +13,7 @@ when: k3s_primary_control_node ansible.builtin.fetch: src: /etc/rancher/k3s/k3s.yaml - dest: "{% raw %}{{ repository_path.stdout }}{% endraw %}/kubeconfig" + dest: "{{ repository_path.stdout }}/kubeconfig" flat: true - name: Update kubeconfig with the correct load balancer address @@ -21,6 +21,6 @@ become: false run_once: true ansible.builtin.replace: - path: "{% raw %}{{ repository_path.stdout }}{% endraw %}/kubeconfig" + path: "{{ repository_path.stdout }}/kubeconfig" regexp: https://127.0.0.1:6443 - replace: "https://{% raw %}{{ k3s_registration_address }}{% endraw %}:6443" + replace: "https://{{ k3s_registration_address }}:6443" diff --git a/bootstrap/templates/ansible/playbooks/tasks/version-check.yaml.j2 b/bootstrap/templates/ansible/playbooks/tasks/version-check.yaml.j2 index 87ea13351..56e567026 100644 --- a/bootstrap/templates/ansible/playbooks/tasks/version-check.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/tasks/version-check.yaml.j2 
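Review bot: The `fetch` to `dest: "{{ repository_path.stdout }}/kubeconfig"` copies the k3s admin credential into the working tree, and nothing in this task chain restricts the local file's mode or ensures the path is ignored by git; as far as I can tell `fetch` does not carry a restrictive remote mode across. A follow-up `ansible.builtin.file` task with `path: "{{ repository_path.stdout }}/kubeconfig"` and `mode: '0600'`, plus confirming `kubeconfig` is listed in `.gitignore`, would close that gap. The `replace` task's `regexp: https://127.0.0.1:6443` is an unescaped regex; it is harmless here because the unescaped dots only widen the match.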
@@ -9,10 +9,9 @@ - name: Extract k3s version ansible.builtin.set_fact: - current_k3s_version: "{% raw %}{{ k3s_version.stdout | regex_replace('(?im)k3s version (?P[a-z0-9\\.\\+]+).*\n.*', '\\g') }}{% endraw %}" + current_k3s_version: "{{ k3s_version.stdout | regex_replace('(?im)k3s version (?P[a-z0-9\\.\\+]+).*\n.*', '\\g') }}" - name: Check if upgrades are allowed ansible.builtin.assert: - that: - - "k3s_release_version is version(current_k3s_version, '>=')" + that: ["k3s_release_version is version(current_k3s_version, '>=')"] fail_msg: "Unable to upgrade k3s because the deployed version is higher than the one specified in the configuration" diff --git a/bootstrap/templates/ansible/playbooks/templates/custom-cilium-helmchart.yaml.j2 b/bootstrap/templates/ansible/playbooks/templates/custom-cilium-helmchart.yaml.j2 index 42cb3bfdc..12aa10103 100644 --- a/bootstrap/templates/ansible/playbooks/templates/custom-cilium-helmchart.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/templates/custom-cilium-helmchart.yaml.j2 @@ -12,6 +12,6 @@ spec: targetNamespace: kube-system bootstrap: true valuesContent: |- - {% filter indent(width=4, first=True) %} - {% include 'partials/cilium-values-init.partial.yaml.j2' %} - {% endfilter %} + #% filter indent(width=4, first=True) %# + #% include 'partials/cilium-values-init.partial.yaml.j2' %# + #% endfilter %# diff --git a/bootstrap/templates/ansible/playbooks/templates/kube-vip-ds.yaml.j2 b/bootstrap/templates/ansible/playbooks/templates/kube-vip-ds.yaml.j2 index 9cc432a25..f62cab4d9 100644 --- a/bootstrap/templates/ansible/playbooks/templates/kube-vip-ds.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/templates/kube-vip-ds.yaml.j2 @@ -1,2 +1,2 @@ --- -{% include 'partials/kube-vip-ds.partial.yaml.j2' %} +#% include 'partials/kube-vip-ds.partial.yaml.j2' %# 
diff --git a/bootstrap/templates/ansible/playbooks/templates/kube-vip-rbac.yaml.j2 b/bootstrap/templates/ansible/playbooks/templates/kube-vip-rbac.yaml.j2 index eadbb9994..481c2e822 100644 --- a/bootstrap/templates/ansible/playbooks/templates/kube-vip-rbac.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/templates/kube-vip-rbac.yaml.j2 @@ -1,2 +1,2 @@ --- -{% include 'partials/kube-vip-rbac.partial.yaml.j2' %} +#% include 'partials/kube-vip-rbac.partial.yaml.j2' %# diff --git a/bootstrap/templates/kubernetes/apps/.mjfilter.py b/bootstrap/templates/kubernetes/apps/.mjfilter.py deleted file mode 100644 index a9625e1a6..000000000 --- a/bootstrap/templates/kubernetes/apps/.mjfilter.py +++ /dev/null @@ -1 +0,0 @@ -main = lambda data: data.get("flux", {}).get("enabled", False) == True diff --git a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/issuers/.mjfilter.py b/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/issuers/.mjfilter.py index b3d526461..d9ae82b4b 100644 --- a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/issuers/.mjfilter.py +++ b/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/issuers/.mjfilter.py @@ -1 +1 @@ -main = lambda data: data.get("cloudflare", {}).get("enabled", False) == True +main = lambda data: data.get("bootstrap_cloudflare", {}).get("enabled", False) == True diff --git a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml.j2 b/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml.j2 index f967fe678..f5bf887f9 100644 --- a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml.j2 @@ -4,4 +4,4 @@ kind: Secret metadata: name: cert-manager-secret stringData: - api-token: "{{ cloudflare.token }}" + api-token: "#{ bootstrap_cloudflare.token }#" 
diff --git a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/ks.yaml.j2 b/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/ks.yaml.j2 index 04d30f4e5..3efe99d81 100644 --- a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/ks.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/ks.yaml.j2 @@ -18,7 +18,7 @@ spec: interval: 30m retryInterval: 1m timeout: 5m -{% if cloudflare.enabled %} +#% if bootstrap_cloudflare.enabled %# --- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization @@ -41,4 +41,4 @@ spec: interval: 30m retryInterval: 1m timeout: 5m -{% endif %} +#% endif %# diff --git a/bootstrap/templates/kubernetes/apps/flux-system/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/apps/flux-system/kustomization.yaml.j2 index 7c03d1c3a..10587f8c9 100644 --- a/bootstrap/templates/kubernetes/apps/flux-system/kustomization.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/flux-system/kustomization.yaml.j2 @@ -3,6 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./namespace.yaml - {% if flux.github.webhook.enabled %} - ./webhooks/ks.yaml - {% endif %} diff --git a/bootstrap/templates/kubernetes/apps/flux-system/webhooks/.mjfilter.py b/bootstrap/templates/kubernetes/apps/flux-system/webhooks/.mjfilter.py deleted file mode 100644 index 7efae3a27..000000000 --- a/bootstrap/templates/kubernetes/apps/flux-system/webhooks/.mjfilter.py +++ /dev/null @@ -1,6 +0,0 @@ -main = lambda data: ( - data.get("flux", {}) - .get("github", {}) - .get("webhook", {}) - .get("enabled", False) == True -) diff --git a/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/ingress.yaml.j2 b/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/ingress.yaml.j2 index 37e3d4545..e704eed33 100644 --- a/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/ingress.yaml.j2 
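Review bot: With the `{% if flux.github.webhook.enabled %}` guard removed from the flux-system kustomization and `webhooks/.mjfilter.py` deleted, the GitHub webhook Receiver and its token Secret are now rendered unconditionally, yet nothing on the new side validates that `bootstrap_github_webhook_token` (consumed in the `secret.sops.yaml.j2` hunk on L30) is non-empty. An empty value renders a Secret with an empty `token`, and it is unclear how the Receiver treats that, so the config validation step, if one exists, should reject a missing or empty token. The `#% if bootstrap_cloudflare.enabled %#` gating in the cert-manager ks.yaml.j2 hunk is consistent with the other cloudflare gates in this change.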
+++ b/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/ingress.yaml.j2 @@ -1,4 +1,4 @@ -{% if cloudflare.enabled %} +#% if bootstrap_cloudflare.enabled %# --- apiVersion: networking.k8s.io/v1 kind: Ingress @@ -22,4 +22,4 @@ spec: tls: - hosts: - *host -{% endif %} +#% endif %# diff --git a/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/kustomization.yaml.j2 index 2002134e4..75fc5841c 100644 --- a/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/kustomization.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/kustomization.yaml.j2 @@ -3,7 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./secret.sops.yaml - {% if cloudflare.enabled %} + #% if bootstrap_cloudflare.enabled %# - ./ingress.yaml - {% endif %} + #% endif %# - ./receiver.yaml diff --git a/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml.j2 b/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml.j2 index a0ede054c..34ac7daff 100644 --- a/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml.j2 @@ -4,4 +4,4 @@ kind: Secret metadata: name: github-webhook-token-secret stringData: - token: "{{ flux.github.webhook.token }}" + token: "#{ bootstrap_github_webhook_token }#" diff --git a/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/cilium-bgp.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/cilium-bgp.yaml.j2 index ccd6eb750..7e15b6f65 100644 --- a/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/cilium-bgp.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/cilium-bgp.yaml.j2 
@@ -9,21 +9,21 @@ spec:
 matchLabels:
 kubernetes.io/os: linux
 virtualRouters:
- - localASN: {{ distribution.talos.bgp.local_asn }}
+ - localASN: #{ bootstrap_bgp.local_asn }#
 neighbors:
- {% if distribution.talos.bgp.peers %}
- {% for item in distribution.talos.bgp.peers %}
- - peerAddress: "{{ item }}/32"
- peerASN: {{ distribution.talos.bgp.peer_asn }}
- {% endfor %}
- {% else %}
- {% if nodes.default_gateway %}
- - peerAddress: "{{ nodes.default_gateway }}/32"
- {% else %}
- - peerAddress: "{{ nodes.host_network | nthhost(1) }}/32"
- {% endif %}
- peerASN: {{ distribution.talos.bgp.peer_asn }}
- {% endif %}
+ #% if bootstrap_bgp.peers %#
+ #% for item in bootstrap_bgp.peers %#
+ - peerAddress: "#{ item }#/32"
+ peerASN: #{ bootstrap_bgp.peer_asn }#
+ #% endfor %#
+ #% else %#
+ #% if bootstrap_node_default_gateway %#
+ - peerAddress: "#{ bootstrap_node_default_gateway }#/32"
+ #% else %#
+ - peerAddress: "#{ bootstrap_node_network | nthhost(1) }#/32"
+ #% endif %#
+ peerASN: #{ bootstrap_bgp.peer_asn }#
+ #% endif %#
 serviceSelector:
 matchExpressions:
 - {key: somekey, operator: NotIn, values: ['never-used-value']}
@@ -34,4 +34,4 @@ metadata:
 name: pool
 spec:
 cidrs:
- - cidr: "${LOADBALANCER_CIDR}"
+ - cidr: "${BGP_ADVERTISED_CIDR}"
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml.j2
index 3d27ee055..48450c341 100644
--- a/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml.j2
@@ -23,6 +23,6 @@ spec:
 uninstall:
 keepHistory: false
 values:
- {% filter indent(width=4, first=True) %}
- {% include 'partials/cilium-values-full.partial.yaml.j2' %}
- {% endfilter %}
+ #% filter indent(width=4, first=True) %#
+ #% include 'partials/cilium-values-full.partial.yaml.j2' %#
+ #% endfilter %#
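Review bot: The pool hunk renames the substituted variable to `cidr: "${BGP_ADVERTISED_CIDR}"`, but no hunk in this change adds that key to the Flux substitution source (the cluster-settings ConfigMap or equivalent); if it is not defined elsewhere, postBuild substitution leaves the field unset and Cilium rejects the pool. Confirm the variable is defined and that no other manifest, such as the L2 pool selected in the cilium kustomization hunk on L32, still expects `${LOADBALANCER_CIDR}`. The neighbors fallback `bootstrap_node_network | nthhost(1)` relies on a custom `nthhost` filter that is not visible in this diff; presumably it is registered with the renderer.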
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/kustomization.yaml.j2 index dc9673c8e..7da0fa0df 100644 --- a/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/kustomization.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/kustomization.yaml.j2 @@ -2,11 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - {% if distribution.talos.bgp.enabled %} + #% if bootstrap_bgp.enabled %# - ./cilium-bgp.yaml - {% endif %} - {% if ( (not distribution.talos.bgp.enabled) and - (not feature_gates.dual_stack_ipv4_first) ) %} + #% endif %# + #% if ((not bootstrap_bgp.enabled) and (not bootstrap_feature_gates.dual_stack_ipv4_first)) %# - ./cilium-l2.yaml - {% endif %} + #% endif %# - ./helmrelease.yaml diff --git a/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/.mjfilter.py b/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/.mjfilter.py index 5af77870d..3ace63dfa 100644 --- a/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/.mjfilter.py +++ b/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/.mjfilter.py @@ -1 +1 @@ -main = lambda data: data.get("distribution", {}).get("type", "k3s") in ["talos"] +main = lambda data: data.get("bootstrap_distribution", "k3s") in ["talos"] diff --git a/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2 index 21bc72f40..aacef0003 100644 --- a/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2 
@@ -23,9 +23,9 @@ spec: uninstall: keepHistory: false values: - {% filter indent(width=4, first=True) %} - {% include 'partials/kubelet-csr-approver-values.partial.yaml.j2' %} - {% endfilter %} + #% filter indent(width=4, first=True) %# + #% include 'partials/kubelet-csr-approver-values.partial.yaml.j2' %# + #% endfilter %# metrics: enable: true serviceMonitor: diff --git a/bootstrap/templates/kubernetes/apps/kube-system/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/kustomization.yaml.j2 index 76b195865..f15479365 100644 --- a/bootstrap/templates/kubernetes/apps/kube-system/kustomization.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/kube-system/kustomization.yaml.j2 @@ -4,11 +4,11 @@ kind: Kustomization resources: - ./namespace.yaml - ./cilium/ks.yaml - {% if distribution.type in ["talos"] %} + #% if bootstrap_distribution in ["talos"] %# - ./kubelet-csr-approver/ks.yaml - {% endif %} + #% endif %# - ./metrics-server/ks.yaml - {% if distribution.type in ["talos"] %} + #% if bootstrap_distribution in ["talos"] %# - ./spegel/ks.yaml - {% endif %} + #% endif %# - ./reloader/ks.yaml diff --git a/bootstrap/templates/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml.j2 index fd5305df4..a02c72ade 100644 --- a/bootstrap/templates/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml.j2 @@ -28,4 +28,4 @@ spec: readOnlyRootFileSystem: true podMonitor: enabled: true - namespace: "{% raw %}{{ .Release.Namespace }}{% endraw %}" + namespace: "{{ .Release.Namespace }}" diff --git a/bootstrap/templates/kubernetes/apps/kube-system/spegel/.mjfilter.py b/bootstrap/templates/kubernetes/apps/kube-system/spegel/.mjfilter.py index 5af77870d..3ace63dfa 100644 --- a/bootstrap/templates/kubernetes/apps/kube-system/spegel/.mjfilter.py 
+++ b/bootstrap/templates/kubernetes/apps/kube-system/spegel/.mjfilter.py
@@ -1 +1 @@
-main = lambda data: data.get("distribution", {}).get("type", "k3s") in ["talos"]
+main = lambda data: data.get("bootstrap_distribution", "k3s") in ["talos"]
diff --git a/bootstrap/templates/kubernetes/apps/network/.mjfilter.py b/bootstrap/templates/kubernetes/apps/network/.mjfilter.py
index b3d526461..d9ae82b4b 100644
--- a/bootstrap/templates/kubernetes/apps/network/.mjfilter.py
+++ b/bootstrap/templates/kubernetes/apps/network/.mjfilter.py
@@ -1 +1 @@
-main = lambda data: data.get("cloudflare", {}).get("enabled", False) == True
+main = lambda data: data.get("bootstrap_cloudflare", {}).get("enabled", False) == True
diff --git a/bootstrap/templates/kubernetes/apps/network/cloudflared/app/secret.sops.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/cloudflared/app/secret.sops.yaml.j2
index 779d0bed9..67d169ed7 100644
--- a/bootstrap/templates/kubernetes/apps/network/cloudflared/app/secret.sops.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/network/cloudflared/app/secret.sops.yaml.j2
@@ -4,10 +4,10 @@ kind: Secret
 metadata:
 name: cloudflared-secret
 stringData:
- TUNNEL_ID: "{{ cloudflare.tunnel.id }}"
+ TUNNEL_ID: "#{ bootstrap_cloudflare.tunnel.id }#"
 credentials.json: |
 {
- "AccountTag": "{{ cloudflare.tunnel.account_id }}",
- "TunnelSecret": "{{ cloudflare.tunnel.secret }}",
- "TunnelID": "{{ cloudflare.tunnel.id }}"
+ "AccountTag": "#{ bootstrap_cloudflare.tunnel.account_id }#",
+ "TunnelSecret": "#{ bootstrap_cloudflare.tunnel.secret }#",
+ "TunnelID": "#{ bootstrap_cloudflare.tunnel.id }#"
 }
diff --git a/bootstrap/templates/kubernetes/apps/network/echo-server/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/echo-server/app/helmrelease.yaml.j2
index 4b1bd66de..b99d1e8bd 100644
--- a/bootstrap/templates/kubernetes/apps/network/echo-server/app/helmrelease.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/network/echo-server/app/helmrelease.yaml.j2
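Review bot: `credentials.json` is assembled by string interpolation, so an `AccountTag`, `TunnelSecret` or `TunnelID` value containing `"` or `\` produces invalid JSON that cloudflared rejects at startup; emitting each value through Jinja's `tojson` filter keeps the quoting correct for any input, e.g. `"TunnelSecret": #{ bootstrap_cloudflare.tunnel.secret | tojson }#,` with the surrounding quotes dropped, and likewise for the two sibling lines. Cloudflare tunnel secrets are base64 in practice, so this is defensive rather than a live breakage. The `.mjfilter.py` hunks on this line are straightforward key renames.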
@@ -82,7 +82,7 @@ spec: annotations: external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}" hosts: - - host: &host "{% raw %}{{ .Release.Name }}{% endraw %}-external.${SECRET_DOMAIN}" + - host: &host "{{ .Release.Name }}-external.${SECRET_DOMAIN}" paths: - path: / service: @@ -95,7 +95,7 @@ spec: enabled: true className: internal hosts: - - host: &host "{% raw %}{{ .Release.Name }}{% endraw %}-internal.${SECRET_DOMAIN}" + - host: &host "{{ .Release.Name }}-internal.${SECRET_DOMAIN}" paths: - path: / service: diff --git a/bootstrap/templates/kubernetes/apps/network/external-dns/app/secret.sops.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/external-dns/app/secret.sops.yaml.j2 index ac7d97d61..c067b3293 100644 --- a/bootstrap/templates/kubernetes/apps/network/external-dns/app/secret.sops.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/network/external-dns/app/secret.sops.yaml.j2 @@ -4,4 +4,4 @@ kind: Secret metadata: name: external-dns-secret stringData: - api-token: "{{ cloudflare.token }}" + api-token: "#{ bootstrap_cloudflare.token }#" diff --git a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml.j2 index 8f9c76132..94d1afbf2 100644 --- a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml.j2 @@ -3,6 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./staging.yaml - {% if cloudflare.acme.production %} + #% if bootstrap_cloudflare.acme.production %# - ./production.yaml - {% endif %} + #% endif %# diff --git a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2 index edf9b4fe4..7fbdb8056 100644 
--- a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2 @@ -32,7 +32,7 @@ spec: service: annotations: external-dns.alpha.kubernetes.io/hostname: "external.${SECRET_DOMAIN}" - io.cilium/lb-ipam-ips: "{{ cloudflare.tunnel.ingress_vip }}" + io.cilium/lb-ipam-ips: "#{ bootstrap_cloudflare.tunnel.ingress_vip }#" externalTrafficPolicy: Cluster ingressClassResource: name: external @@ -70,11 +70,11 @@ spec: namespaceSelector: any: true extraArgs: - {% if cloudflare.acme.production %} + #% if bootstrap_cloudflare.acme.production %# default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-production-tls" - {% else %} + #% else %# default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-staging-tls" - {% endif %} + #% endif %# topologySpreadConstraints: - maxSkew: 1 topologyKey: kubernetes.io/hostname diff --git a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2 index a0f3e09b6..21d863907 100644 --- a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2 @@ -29,7 +29,7 @@ spec: replicaCount: 1 service: annotations: - io.cilium/lb-ipam-ips: "{{ cloudflare.ingress_vip }}" + io.cilium/lb-ipam-ips: "#{ bootstrap_cloudflare.ingress_vip }#" externalTrafficPolicy: Cluster ingressClassResource: name: internal 
@@ -67,11 +67,11 @@ spec: namespaceSelector: any: true extraArgs: - {% if cloudflare.acme.production %} + #% if bootstrap_cloudflare.acme.production %# default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-production-tls" - {% else %} + #% else %# default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-staging-tls" - {% endif %} + #% endif %# topologySpreadConstraints: - maxSkew: 1 topologyKey: kubernetes.io/hostname diff --git a/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2 index f8fa00c6d..4349ac308 100644 --- a/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2 @@ -30,5 +30,5 @@ spec: type: LoadBalancer port: 53 annotations: - io.cilium/lb-ipam-ips: "{{ cloudflare.gateway_vip }}" + io.cilium/lb-ipam-ips: "#{ bootstrap_cloudflare.gateway_vip }#" externalTrafficPolicy: Cluster diff --git a/bootstrap/templates/kubernetes/apps/system-upgrade/k3s/.mjfilter.py b/bootstrap/templates/kubernetes/apps/system-upgrade/k3s/.mjfilter.py index c6bb3e8b1..0979f9a64 100644 --- a/bootstrap/templates/kubernetes/apps/system-upgrade/k3s/.mjfilter.py +++ b/bootstrap/templates/kubernetes/apps/system-upgrade/k3s/.mjfilter.py @@ -1 +1 @@ -main = lambda data: data.get("distribution", {}).get("type", "k3s") in ["k3s"] +main = lambda data: data.get("bootstrap_distribution", "k3s") in ["k3s"] diff --git a/bootstrap/templates/kubernetes/apps/system-upgrade/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/apps/system-upgrade/kustomization.yaml.j2 index 88ad5b6ea..7800ccb05 100644 --- a/bootstrap/templates/kubernetes/apps/system-upgrade/kustomization.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/system-upgrade/kustomization.yaml.j2 
@@ -3,12 +3,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./namespace.yaml - {% if distribution.type in ['k3s', 'talos'] %} + #% if bootstrap_distribution in ['k3s', 'talos'] %# - ./system-upgrade-controller/ks.yaml - {% endif %} - {% if distribution.type in ["k3s"] %} + #% endif %# + #% if bootstrap_distribution in ["k3s"] %# - ./k3s/ks.yaml - {% endif %} - {% if distribution.type in ["talos"] and distribution.talos.schematicID %} + #% endif %# + #% if bootstrap_distribution in ["talos"] and bootstrap_talos.schematic_id %# - ./talos/ks.yaml - {% endif %} + #% endif %# diff --git a/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/.mjfilter.py b/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/.mjfilter.py index ef1254e5a..394f9d1e9 100644 --- a/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/.mjfilter.py +++ b/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/.mjfilter.py @@ -1 +1 @@ -main = lambda data: data.get("distribution", {}).get("type", "k3s") in ['k3s', 'talos'] +main = lambda data: data.get("bootstrap_distribution", "k3s") in ["k3s", "talos"] diff --git a/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/rbac.yaml.j2 b/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/rbac.yaml.j2 index b6c655351..ddc6127fa 100644 --- a/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/rbac.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/rbac.yaml.j2 @@ -11,7 +11,7 @@ subjects: - kind: ServiceAccount name: system-upgrade namespace: system-upgrade -{% if distribution.type in ["talos"] %} +#% if bootstrap_distribution in ["talos"] %# --- apiVersion: talos.dev/v1alpha1 kind: ServiceAccount @@ -20,4 +20,4 @@ metadata: spec: roles: - os:admin -{% endif %} +#% endif %# 
diff --git a/bootstrap/templates/kubernetes/apps/system-upgrade/talos/.mjfilter.py b/bootstrap/templates/kubernetes/apps/system-upgrade/talos/.mjfilter.py
index 45d7879a6..82712ee6c 100644
--- a/bootstrap/templates/kubernetes/apps/system-upgrade/talos/.mjfilter.py
+++ b/bootstrap/templates/kubernetes/apps/system-upgrade/talos/.mjfilter.py
@@ -1,6 +1,4 @@
 main = lambda data: (
- data.get("distribution", {}).get("type", "k3s") in ["talos"] and
- data.get("distribution", {})
- .get("talos", {})
- .get("schematicID", {})
+ data.get("bootstrap_distribution", "k3s") in ["talos"] and
+ data.get("talos", {}).get("schematic_id", {})
 )
diff --git a/bootstrap/templates/kubernetes/apps/system-upgrade/talos/app/plan.yaml.j2 b/bootstrap/templates/kubernetes/apps/system-upgrade/talos/app/plan.yaml.j2
index 4e54ecd6f..88228c881 100644
--- a/bootstrap/templates/kubernetes/apps/system-upgrade/talos/app/plan.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/system-upgrade/talos/app/plan.yaml.j2
@@ -88,6 +88,6 @@ spec:
 args:
 - --nodes=$(NODE_IP)
 - upgrade
- - --image=factory.talos.dev/installer/{{ distribution.talos.schematicID }}:$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
+ - --image=factory.talos.dev/installer/#{ bootstrap_talos.schematic_id }#:$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
 - --preserve=true
 - --wait=false
diff --git a/bootstrap/templates/kubernetes/bootstrap/.mjfilter.py b/bootstrap/templates/kubernetes/bootstrap/.mjfilter.py
deleted file mode 100644
index a9625e1a6..000000000
--- a/bootstrap/templates/kubernetes/bootstrap/.mjfilter.py
+++ /dev/null
@@ -1 +0,0 @@
-main = lambda data: data.get("flux", {}).get("enabled", False) == True
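Review bot: The second operand reads the schematic id from `data.get("talos", {})`, but every other template in this change reads it from the `bootstrap_talos` key (`bootstrap_talos.schematic_id` in the system-upgrade kustomization and in plan.yaml.j2, and `bootstrap_talos:` is the top-level key in config.sample.yaml), so unless the bootstrap tooling aliases `talos` to `bootstrap_talos` this filter always evaluates falsy and the talos system-upgrade directory is never rendered even when an id is set. Change it to `data.get("bootstrap_talos", {}).get("schematic_id", "")`. Returning the string rather than a bool is fine for the filter's truthiness check, but wrapping the whole expression in `bool(...)` would make the intent explicit and match the sibling filters.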
diff --git a/bootstrap/templates/kubernetes/bootstrap/github-deploy-key.sops.yaml.j2 b/bootstrap/templates/kubernetes/bootstrap/flux/github-deploy-key.sops.yaml.j2 similarity index 86% rename from bootstrap/templates/kubernetes/bootstrap/github-deploy-key.sops.yaml.j2 rename to bootstrap/templates/kubernetes/bootstrap/flux/github-deploy-key.sops.yaml.j2 index cd9ce2896..0ef1f6e8d 100644 --- a/bootstrap/templates/kubernetes/bootstrap/github-deploy-key.sops.yaml.j2 +++ b/bootstrap/templates/kubernetes/bootstrap/flux/github-deploy-key.sops.yaml.j2 @@ -1,4 +1,4 @@ -{% if flux.github.private.enabled %} +#% if bootstrap_github_private_key %# --- apiVersion: v1 kind: Secret @@ -7,11 +7,11 @@ metadata: namespace: flux-system stringData: identity: | - {% filter indent(width=4, first=False) %} - {{ flux.github.private.key }} - {%- endfilter %} + #% filter indent(width=4, first=False) %# + #{ bootstrap_github_private_key }# + #%- endfilter %# known_hosts: | github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= github.com ssh-rsa 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 -{% endif %} +#% endif %# diff --git a/bootstrap/templates/kubernetes/bootstrap/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/bootstrap/flux/kustomization.yaml.j2 similarity index 100% rename from bootstrap/templates/kubernetes/bootstrap/kustomization.yaml.j2 rename to bootstrap/templates/kubernetes/bootstrap/flux/kustomization.yaml.j2 diff --git a/bootstrap/templates/kubernetes/bootstrap/talos/.mjfilter.py b/bootstrap/templates/kubernetes/bootstrap/talos/.mjfilter.py new file mode 100644 index 000000000..3ace63dfa --- /dev/null +++ b/bootstrap/templates/kubernetes/bootstrap/talos/.mjfilter.py @@ -0,0 +1 @@ +main = lambda data: data.get("bootstrap_distribution", "k3s") in ["talos"] 
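Review bot: The `known_hosts` block pins GitHub's host keys verbatim, which is the correct fail-closed choice, but when GitHub rotates a key (it has done so before) the only symptom will be a source-controller fetch failure with no hint here about where the values came from; add a comment above the block such as `# Pinned from https://api.github.com/meta (ssh_keys); re-verify after a GitHub host-key rotation`. The gate also changed from an explicit `flux.github.private.enabled` flag to the truthiness of `bootstrap_github_private_key`, so the presence of key material alone now decides whether a Secret is emitted; since the key lands in plaintext `stringData`, the rendered file must be SOPS-encrypted before it is committed, which this template cannot enforce on its own and is worth stating in a comment.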
diff --git a/bootstrap/templates/kubernetes/bootstrap/talos/apps/cilium-values.yaml.j2 b/bootstrap/templates/kubernetes/bootstrap/talos/apps/cilium-values.yaml.j2
new file mode 100644
index 000000000..ecaa09176
--- /dev/null
+++ b/bootstrap/templates/kubernetes/bootstrap/talos/apps/cilium-values.yaml.j2
@@ -0,0 +1,4 @@
+---
+#% filter indent(width=0, first=True) %#
+#% include 'partials/cilium-values-init.partial.yaml.j2' %#
+#% endfilter %#
diff --git a/bootstrap/templates/kubernetes/bootstrap/talos/apps/helmfile.yaml.j2 b/bootstrap/templates/kubernetes/bootstrap/talos/apps/helmfile.yaml.j2
new file mode 100644
index 000000000..bea967639
--- /dev/null
+++ b/bootstrap/templates/kubernetes/bootstrap/talos/apps/helmfile.yaml.j2
@@ -0,0 +1,22 @@
+---
+repositories:
+ - name: cilium
+ url: https://helm.cilium.io
+ - name: postfinance
+ url: https://postfinance.github.io/kubelet-csr-approver
+
+releases:
+ - name: cilium
+ namespace: kube-system
+ chart: cilium/cilium
+ version: 1.15.1
+ wait: true
+ values:
+ - ./cilium-values.yaml
+ - name: kubelet-csr-approver
+ namespace: kube-system
+ chart: postfinance/kubelet-csr-approver
+ version: 1.0.7
+ wait: true
+ values:
+ - ./kubelet-csr-approver-values.yaml
diff --git a/bootstrap/templates/kubernetes/bootstrap/talos/apps/kubelet-csr-approver-values.yaml.j2 b/bootstrap/templates/kubernetes/bootstrap/talos/apps/kubelet-csr-approver-values.yaml.j2
new file mode 100644
index 000000000..d63b98451
--- /dev/null
+++ b/bootstrap/templates/kubernetes/bootstrap/talos/apps/kubelet-csr-approver-values.yaml.j2
@@ -0,0 +1,4 @@
+---
+#% filter indent(width=0, first=True) %#
+#% include 'partials/kubelet-csr-approver-values.partial.yaml.j2' %#
+#% endfilter %#
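Review bot: Both releases in helmfile.yaml.j2 pin a chart version but nothing pins chart content: `cilium/cilium` 1.15.1 and `postfinance/kubelet-csr-approver` 1.0.7 are fetched from the HTTPS repos at every bootstrap with no digest or provenance check, so a re-published index entry at the same version would be installed unchallenged, and Cilium is typically deployed as a privileged DaemonSet. If the upstream repos ship `.prov` files, add `verify: true` to each release; otherwise consider vendoring the charts or recording the expected chart digests in a comment. Also note this quietly moves kubelet-csr-approver from 1.0.6 (the kustomize path this replaces) to 1.0.7.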
diff --git a/bootstrap/templates/kubernetes/talos/talconfig.yaml.j2 b/bootstrap/templates/kubernetes/bootstrap/talos/talconfig.yaml.j2 similarity index 62% rename from bootstrap/templates/kubernetes/talos/talconfig.yaml.j2 rename to bootstrap/templates/kubernetes/bootstrap/talos/talconfig.yaml.j2 index 01a44dfe8..cff1fa102 100644 --- a/bootstrap/templates/kubernetes/talos/talconfig.yaml.j2 +++ b/bootstrap/templates/kubernetes/bootstrap/talos/talconfig.yaml.j2 
@@ -6,80 +6,80 @@ talosVersion: v1.6.4 kubernetesVersion: v1.29.1 clusterName: &cluster home-kubernetes -endpoint: https://{{ cluster.endpoint_vip }}:6443 +endpoint: https://#{ bootstrap_controllers_vip }#:6443 clusterPodNets: - - "{{ cluster.pod_network.split(',')[0] }}" + - "#{ bootstrap_pod_network.split(',')[0] }#" clusterSvcNets: - - "{{ cluster.service_network.split(',')[0] }}" + - "#{ bootstrap_service_network.split(',')[0] }#" additionalApiServerCertSans: &sans - - "{{ cluster.endpoint_vip }}" + - "#{ bootstrap_controllers_vip }#" - 127.0.0.1 # KubePrism - {% for item in cluster.tls_sans %} - - "{{ item }}" - {% endfor %} + #% for item in bootstrap_tls_sans %# + - "#{ item }#" + #% endfor %# additionalMachineCertSans: *sans cniConfig: name: none nodes: - {% for item in nodes.inventory %} - - hostname: "{{ item.name }}" - ipAddress: "{{ item.address }}" - {% if item.talos_disk_device.startswith('/') %} - installDisk: "{{ item.talos_disk_device }}" - {% else %} + #% for item in bootstrap_node_inventory %# + - hostname: "#{ item.name }#" + ipAddress: "#{ item.address }#" + #% if item.talos_disk.startswith('/') %# + installDisk: "#{ item.talos_disk }#" + #% else %# installDiskSelector: - serial: "{{ item.talos_disk_device }}" - {% endif %} - {% if distribution.talos.secureboot.enabled %} + serial: "#{ item.talos_disk }#" + #% endif %# + #% if bootstrap_talos.secureboot.enabled %# machineSpec: secureboot: true - talosImageURL: factory.talos.dev/installer-secureboot/{{ distribution.talos.schematicID }} - {% else %} - talosImageURL: factory.talos.dev/installer/{{ distribution.talos.schematicID }} - {% endif %} - controlPlane: {{ (item.controller) | string | lower }} + talosImageURL: factory.talos.dev/installer-secureboot/#{ bootstrap_talos.schematic_id }# + #% else %# + talosImageURL: factory.talos.dev/installer/#{ bootstrap_talos.schematic_id }# + #% endif %# + controlPlane: #{ (item.controller) | string | lower }# networkInterfaces: - interface: eth0 dhcp: false 
- {% if distribution.talos.vlan %} + #% if bootstrap_talos.vlan %# vlans: - - vlanId: {{ distribution.talos.vlan }} + - vlanId: #{ bootstrap_talos.vlan }# addresses: - - "{{ item.address }}/{{ nodes.host_network.split('/') | last }}" + - "#{ item.address }#/#{ bootstrap_node_network.split('/') | last }#" mtu: 1500 routes: - network: 0.0.0.0/0 - {% if nodes.default_gateway %} - gateway: "{{ nodes.default_gateway }}" - {% else %} - gateway: "{{ nodes.host_network | nthhost(1) }}" - {% endif %} - {% if item.controller %} + #% if bootstrap_node_default_gateway %# + gateway: "#{ bootstrap_node_default_gateway }#" + #% else %# + gateway: "#{ bootstrap_node_network | nthhost(1) }#" + #% endif %# + #% if item.controller %# vip: - ip: "{{ cluster.endpoint_vip }}" - {% endif %} - {% else %} + ip: "#{ bootstrap_controllers_vip }#" + #% endif %# + #% else %# addresses: - - "{{ item.address }}/{{ nodes.host_network.split('/') | last }}" + - "#{ item.address }#/#{ bootstrap_node_network.split('/') | last }#" mtu: 1500 routes: - network: 0.0.0.0/0 - {% if nodes.default_gateway %} - gateway: "{{ nodes.default_gateway }}" - {% else %} - gateway: "{{ nodes.host_network | nthhost(1) }}" - {% endif %} - {% if item.controller %} + #% if bootstrap_node_default_gateway %# + gateway: "#{ bootstrap_node_default_gateway }#" + #% else %# + gateway: "#{ bootstrap_node_network | nthhost(1) }#" + #% endif %# + #% if item.controller %# vip: - ip: "{{ cluster.endpoint_vip }}" - {% endif %} - {% endif %} - {% if distribution.talos.user_patches %} + ip: "#{ bootstrap_controllers_vip }#" + #% endif %# + #% endif %# + #% if bootstrap_talos.user_patches %# patches: - - "@./patches/node_{{ item.name }}.yaml" - {% endif %} - {% endfor %} + - "@./patches/node_#{ item.name }#.yaml" + #% endif %# + #% endfor %# patches: # Configure containerd 
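Review bot: `bootstrap_talos.schematic_id` is interpolated straight into `talosImageURL` on both the secureboot and non-secureboot branches of the node loop, and config.sample.yaml in this same change now defaults it to `""` where the old sample shipped a concrete id, so a user who leaves it blank gets `factory.talos.dev/installer/` as the installer image and only finds out at install time. Unless a validation step outside this diff rejects an empty id, either restore a working default in the sample or mark the field required with a comment such as `# schematic_id must be set; an empty value produces an invalid installer image URL`. The `talconfig` node loop starts in the previous hunk line and this hunk also ends mid-file, so the surrounding patches are not visible here.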
@@ -123,16 +123,16 @@ patches: rotate-server-certificates: true nodeIP: validSubnets: - - "{{ nodes.host_network }}" + - "#{ bootstrap_node_network }#" # Force nameserver - |- machine: network: nameservers: - {% for item in nodes.dns_servers | default(['1.1.1.1', '1.0.0.1']) %} - - {{ item }} - {% endfor %} + #% for item in bootstrap_dns_servers | default(['1.1.1.1', '1.0.0.1']) %# + - #{ item }# + #% endfor %# # Configure NTP - |- @@ -170,8 +170,7 @@ patches: extraKernelArgs: - net.ifnames=0 - {% if distribution.talos.secureboot.enabled and - distribution.talos.secureboot.encrypt_disk_with_tpm %} + #% if bootstrap_talos.secureboot.enabled and bootstrap_talos.secureboot.encrypt_disk_with_tpm %# # Encrypt system disk with TPM - |- machine: @@ -186,11 +185,11 @@ patches: keys: - slot: 0 tpm: {} - {% endif %} - {% if distribution.talos.user_patches %} + #% endif %# + #% if bootstrap_talos.user_patches %# # User specified global patches - "@./patches/global.yaml" - {% endif %} + #% endif %# controlPlane: patches: @@ -214,7 +213,7 @@ controlPlane: extraArgs: listen-metrics-urls: http://0.0.0.0:2381 advertisedSubnets: - - "{{ nodes.host_network }}" + - "#{ bootstrap_node_network }#" # Disable default API server admission plugins. - |- @@ -232,15 +231,14 @@ controlPlane: allowedKubernetesNamespaces: - system-upgrade - {% if distribution.talos.user_patches %} + #% if bootstrap_talos.user_patches %# # User specified controlPlane patches - "@./patches/controlPlane.yaml" - {% endif %} + #% endif %# -{% if ( (distribution.talos.user_patches) and - (nodes.inventory | selectattr('controller', 'equalto', False) | list | length) ) %} +#% if ((bootstrap_talos.user_patches) and (bootstrap_node_inventory | selectattr('controller', 'equalto', False) | list | length)) %# worker: patches: # User specified worker patches - "@./patches/worker.yaml" -{% endif %} +#% endif %# 
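Review bot: The TPM branch gated by `bootstrap_talos.secureboot.enabled and bootstrap_talos.secureboot.encrypt_disk_with_tpm` configures a single key slot (`slot: 0` with `tpm: {}`) and no fallback, so if the sealed key stops unsealing (Talos binds it to the Secure Boot state; a firmware update or re-enrolled keys can presumably change that, confirm against the Talos secureboot docs) the system disk is unrecoverable. Worth a one-line comment above the patch, e.g. `# TPM-only key: no recovery passphrase; losing the TPM seal means reinstalling the node`, and possibly a documented second slot for recovery. The patch list continues outside this hunk.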
diff --git a/bootstrap/templates/kubernetes/flux/.mjfilter.py b/bootstrap/templates/kubernetes/flux/.mjfilter.py deleted file mode 100644 index a9625e1a6..000000000 --- a/bootstrap/templates/kubernetes/flux/.mjfilter.py +++ /dev/null @@ -1 +0,0 @@ -main = lambda data: data.get("flux", {}).get("enabled", False) == True diff --git a/bootstrap/templates/kubernetes/flux/config/cluster.yaml.j2 b/bootstrap/templates/kubernetes/flux/config/cluster.yaml.j2 index 3b24aae43..bae21e831 100644 --- a/bootstrap/templates/kubernetes/flux/config/cluster.yaml.j2 +++ b/bootstrap/templates/kubernetes/flux/config/cluster.yaml.j2 @@ -6,13 +6,13 @@ metadata: namespace: flux-system spec: interval: 30m - url: "{{ flux.github.address }}" - {% if flux.github.private.enabled %} + url: "#{ bootstrap_github_address }#" + #% if bootstrap_github_private_key %# secretRef: name: github-deploy-key - {% endif %} + #% endif %# ref: - branch: "{{ flux.github.branch|default('main', true) }}" + branch: "#{ bootstrap_github_branch|default('main', true) }#" ignore: | # exclude all /* diff --git a/bootstrap/templates/kubernetes/flux/repositories/helm/external-dns.yaml.j2 b/bootstrap/templates/kubernetes/flux/repositories/helm/external-dns.yaml.j2 index 92649af56..78812e543 100644 --- a/bootstrap/templates/kubernetes/flux/repositories/helm/external-dns.yaml.j2 +++ b/bootstrap/templates/kubernetes/flux/repositories/helm/external-dns.yaml.j2 @@ -1,4 +1,4 @@ -{% if cloudflare.enabled %} +#% if bootstrap_cloudflare.enabled %# --- apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository @@ -8,4 +8,4 @@ metadata: spec: interval: 1h url: https://kubernetes-sigs.github.io/external-dns -{% endif %} +#% endif %# diff --git a/bootstrap/templates/kubernetes/flux/repositories/helm/ingress-nginx.yaml.j2 b/bootstrap/templates/kubernetes/flux/repositories/helm/ingress-nginx.yaml.j2 index 47c1e9a0f..2a991f9ea 100644 --- a/bootstrap/templates/kubernetes/flux/repositories/helm/ingress-nginx.yaml.j2 
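Review bot: When `bootstrap_github_private_key` is set, cluster.yaml.j2 attaches `secretRef: github-deploy-key` but still emits `bootstrap_github_address` verbatim as `url`, and the sample and CI configs in this change use `https://github.com/...`; a deploy key is an SSH credential, so with an HTTPS URL Flux will not authenticate as intended. Unless the bootstrap validation already checks the scheme, derive the SSH form inside the private branch, e.g. `url: "#{ bootstrap_github_address | replace('https://github.com/', 'ssh://git@github.com/') }#"`, or reject an HTTPS address when a key is supplied.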
+++ b/bootstrap/templates/kubernetes/flux/repositories/helm/ingress-nginx.yaml.j2 @@ -1,4 +1,4 @@ -{% if cloudflare.enabled %} +#% if bootstrap_cloudflare.enabled %# --- apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository @@ -8,4 +8,4 @@ metadata: spec: interval: 1h url: https://kubernetes.github.io/ingress-nginx -{% endif %} +#% endif %# diff --git a/bootstrap/templates/kubernetes/flux/repositories/helm/k8s-gateway.yaml.j2 b/bootstrap/templates/kubernetes/flux/repositories/helm/k8s-gateway.yaml.j2 index cf8db0608..d55abf4d1 100644 --- a/bootstrap/templates/kubernetes/flux/repositories/helm/k8s-gateway.yaml.j2 +++ b/bootstrap/templates/kubernetes/flux/repositories/helm/k8s-gateway.yaml.j2 @@ -1,4 +1,4 @@ -{% if cloudflare.enabled %} +#% if bootstrap_cloudflare.enabled %# --- apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository @@ -8,4 +8,4 @@ metadata: spec: interval: 1h url: https://ori-edge.github.io/k8s_gateway -{% endif %} +#% endif %# diff --git a/bootstrap/templates/kubernetes/flux/repositories/helm/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/flux/repositories/helm/kustomization.yaml.j2 index 84143819c..706bc8cd3 100644 --- a/bootstrap/templates/kubernetes/flux/repositories/helm/kustomization.yaml.j2 +++ b/bootstrap/templates/kubernetes/flux/repositories/helm/kustomization.yaml.j2 @@ -4,18 +4,18 @@ kind: Kustomization resources: - ./bjw-s.yaml - ./cilium.yaml - {% if cloudflare.enabled %} + #% if bootstrap_cloudflare.enabled %# - ./external-dns.yaml - ./ingress-nginx.yaml - ./k8s-gateway.yaml - {% endif %} + #% endif %# - ./jetstack.yaml - ./metrics-server.yaml - ./openebs.yaml - {% if distribution.type in ["talos"] %} + #% if bootstrap_distribution in ["talos"] %# - ./postfinance.yaml - {% endif %} + #% endif %# - ./stakater.yaml - {% if distribution.type in ["talos"] %} + #% if bootstrap_distribution in ["talos"] %# - ./xenitab.yaml - {% endif %} + #% endif %# 
diff --git a/bootstrap/templates/kubernetes/flux/repositories/helm/postfinance.yaml.j2 b/bootstrap/templates/kubernetes/flux/repositories/helm/postfinance.yaml.j2 index 5e4c596b5..bb9172251 100644 --- a/bootstrap/templates/kubernetes/flux/repositories/helm/postfinance.yaml.j2 +++ b/bootstrap/templates/kubernetes/flux/repositories/helm/postfinance.yaml.j2 @@ -1,4 +1,4 @@ -{% if distribution.type in ["talos"] %} +#% if bootstrap_distribution in ["talos"] %# --- apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository @@ -8,4 +8,4 @@ metadata: spec: interval: 1h url: https://postfinance.github.io/kubelet-csr-approver -{% endif %} +#% endif %# diff --git a/bootstrap/templates/kubernetes/flux/repositories/helm/xenitab.yaml.j2 b/bootstrap/templates/kubernetes/flux/repositories/helm/xenitab.yaml.j2 index e945ab42d..83f7ddac7 100644 --- a/bootstrap/templates/kubernetes/flux/repositories/helm/xenitab.yaml.j2 +++ b/bootstrap/templates/kubernetes/flux/repositories/helm/xenitab.yaml.j2 @@ -1,4 +1,4 @@ -{% if distribution.type in ["talos"] %} +#% if bootstrap_distribution in ["talos"] %# --- apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository @@ -9,4 +9,4 @@ spec: type: oci interval: 5m url: oci://ghcr.io/xenitab/helm-charts -{% endif %} +#% endif %# diff --git a/bootstrap/templates/kubernetes/flux/vars/cluster-secrets.sops.yaml.j2 b/bootstrap/templates/kubernetes/flux/vars/cluster-secrets.sops.yaml.j2 index cf5904f5f..71a496d7e 100644 --- a/bootstrap/templates/kubernetes/flux/vars/cluster-secrets.sops.yaml.j2 +++ b/bootstrap/templates/kubernetes/flux/vars/cluster-secrets.sops.yaml.j2 
@@ -6,8 +6,8 @@ metadata: namespace: flux-system stringData: SECRET_EXAMPLE: Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit... - {% if cloudflare.enabled %} - SECRET_DOMAIN: "{{ cloudflare.domain }}" - SECRET_ACME_EMAIL: "{{ cloudflare.acme.email }}" - SECRET_CLOUDFLARE_TUNNEL_ID: "{{ cloudflare.tunnel.id }}" - {% endif %} + #% if bootstrap_cloudflare.enabled %# + SECRET_DOMAIN: "#{ bootstrap_cloudflare.domain }#" + SECRET_ACME_EMAIL: "#{ bootstrap_cloudflare.acme.email }#" + SECRET_CLOUDFLARE_TUNNEL_ID: "#{ bootstrap_cloudflare.tunnel.id }#" + #% endif %# diff --git a/bootstrap/templates/kubernetes/flux/vars/cluster-settings.yaml.j2 b/bootstrap/templates/kubernetes/flux/vars/cluster-settings.yaml.j2 index 035792fbc..f176c7f55 100644 --- a/bootstrap/templates/kubernetes/flux/vars/cluster-settings.yaml.j2 +++ b/bootstrap/templates/kubernetes/flux/vars/cluster-settings.yaml.j2 @@ -5,12 +5,12 @@ metadata: name: cluster-settings namespace: flux-system data: - TIMEZONE: "{{ timezone }}" - CLUSTER_CIDR: "{{ cluster.pod_network.split(',')[0] }}" - NODE_CIDR: "{{ nodes.host_network }}" - {% if feature_gates.dual_stack_ipv4_first %} - CLUSTER_CIDR_V6: "{{ cluster.pod_network.split(',')[1] }}" - {% endif %} - {% if distribution.talos.bgp.enabled %} - LOADBALANCER_CIDR: "{{ distribution.talos.bgp.loadbalancer_network }}" - {% endif %} + TIMEZONE: "#{ bootstrap_timezone }#" + CLUSTER_CIDR: "#{ bootstrap_pod_network.split(',')[0] }#" + NODE_CIDR: "#{ bootstrap_node_network }#" + #% if bootstrap_feature_gates.dual_stack_ipv4_first %# + CLUSTER_CIDR_V6: "#{ bootstrap_pod_network.split(',')[1] }#" + #% endif %# + #% if bootstrap_bgp.enabled %# + BGP_ADVERTISED_CIDR: "#{ bootstrap_bgp.advertised_network }#" + #% endif %# diff --git a/bootstrap/templates/kubernetes/talos/.mjfilter.py b/bootstrap/templates/kubernetes/talos/.mjfilter.py deleted file mode 100644 index 5af77870d..000000000 
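Review bot: `LOADBALANCER_CIDR` is renamed to `BGP_ADVERTISED_CIDR` in the `cluster-settings` ConfigMap, which Flux uses for post-build substitution, yet no consumer of `${LOADBALANCER_CIDR}` is updated in the visible part of this diff. Unless the strict-substitution feature gate is enabled, Flux renders an unknown `${VAR}` as an empty string rather than failing, so a stale reference would silently produce an empty CIDR; grep the templates for the old name before merging. The gate also moves from `distribution.talos.bgp.enabled` to `bootstrap_bgp.enabled`, so BGP settings now apply on k3s as well, which may be intended but deserves a comment.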
--- a/bootstrap/templates/kubernetes/talos/.mjfilter.py
+++ /dev/null
@@ -1 +0,0 @@
-main = lambda data: data.get("distribution", {}).get("type", "k3s") in ["talos"]
diff --git a/bootstrap/templates/kubernetes/talos/cilium/.gitignore.j2 b/bootstrap/templates/kubernetes/talos/cilium/.gitignore.j2
deleted file mode 100644
index ee3892e87..000000000
--- a/bootstrap/templates/kubernetes/talos/cilium/.gitignore.j2
+++ /dev/null
@@ -1 +0,0 @@
-charts/
diff --git a/bootstrap/templates/kubernetes/talos/cilium/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/talos/cilium/kustomization.yaml.j2
deleted file mode 100644
index a4970c7d4..000000000
--- a/bootstrap/templates/kubernetes/talos/cilium/kustomization.yaml.j2
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-helmCharts:
- - name: cilium
- repo: https://helm.cilium.io
- version: 1.15.1
- releaseName: cilium
- namespace: kube-system
- valuesFile: values.yaml
-commonAnnotations:
- meta.helm.sh/release-name: cilium
- meta.helm.sh/release-namespace: kube-system
-commonLabels:
- app.kubernetes.io/managed-by: Helm
diff --git a/bootstrap/templates/kubernetes/talos/cilium/values.yaml.j2 b/bootstrap/templates/kubernetes/talos/cilium/values.yaml.j2
deleted file mode 100644
index 53ff2ca83..000000000
--- a/bootstrap/templates/kubernetes/talos/cilium/values.yaml.j2
+++ /dev/null
@@ -1,4 +0,0 @@
----
-{% filter indent(width=0, first=True) %}
-{% include 'partials/cilium-values-init.partial.yaml.j2' %}
-{% endfilter %}
diff --git a/bootstrap/templates/kubernetes/talos/kubelet-csr-approver/.gitignore.j2 b/bootstrap/templates/kubernetes/talos/kubelet-csr-approver/.gitignore.j2
deleted file mode 100644
index ee3892e87..000000000
--- a/bootstrap/templates/kubernetes/talos/kubelet-csr-approver/.gitignore.j2
+++ /dev/null
@@ -1 +0,0 @@
-charts/
diff --git a/bootstrap/templates/kubernetes/talos/kubelet-csr-approver/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/talos/kubelet-csr-approver/kustomization.yaml.j2 deleted file mode 100644 index f4e7334b0..000000000 --- a/bootstrap/templates/kubernetes/talos/kubelet-csr-approver/kustomization.yaml.j2 +++ /dev/null @@ -1,19 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: kube-system -helmCharts: - - name: kubelet-csr-approver - repo: https://postfinance.github.io/kubelet-csr-approver - version: 1.0.6 - releaseName: kubelet-csr-approver - namespace: kube-system - valuesInline: - {% filter indent(width=6, first=True) %} - {% include 'partials/kubelet-csr-approver-values.partial.yaml.j2' %} - {% endfilter %} -commonAnnotations: - meta.helm.sh/release-name: kubelet-csr-approver - meta.helm.sh/release-namespace: kube-system -commonLabels: - app.kubernetes.io/managed-by: Helm diff --git a/bootstrap/templates/partials/cilium-values-full.partial.yaml.j2 b/bootstrap/templates/partials/cilium-values-full.partial.yaml.j2 index 32a55b727..968cf6387 100644 --- a/bootstrap/templates/partials/cilium-values-full.partial.yaml.j2 +++ b/bootstrap/templates/partials/cilium-values-full.partial.yaml.j2 @@ -1,8 +1,6 @@ autoDirectNodeRoutes: true -{% if distribution.talos.bgp.enabled %} bgpControlPlane: enabled: true -{% endif %} bpf: masquerade: true cgroup: @@ -10,19 +8,19 @@ cgroup: enabled: false hostRoot: /sys/fs/cgroup cluster: - name: home-kubernetes id: 1 + name: home-kubernetes containerRuntime: integration: containerd - {% if distribution.type in ["k3s"] %} + #% if bootstrap_distribution in ["k3s"] %# socketPath: /var/run/k3s/containerd/containerd.sock - {% endif %} + #% endif %# # NOTE: This might need to be set if you have more than one active NIC on your hosts # devices: # - eno0 endpointRoutes: enabled: true -{% if cloudflare.enabled %} +#% if bootstrap_cloudflare.enabled %# hubble: enabled: true metrics: 
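Review bot: `bgpControlPlane.enabled: true` becomes unconditional in cilium-values-full.partial.yaml.j2 (and likewise in the init partial), because the `distribution.talos.bgp.enabled` guard is removed without a `bootstrap_bgp.enabled` replacement, so every cluster including k3s and non-BGP deployments now runs Cilium's BGP control plane. With no peering policy it should be inert, but it is extra, unexpected surface on the agent; restore the gate with the new key, `#% if bootstrap_bgp.enabled %#` around the two `bgpControlPlane` lines. If leaving it on is intentional (for example to keep Helm values stable when BGP is toggled later), a one-line comment saying so would spare the next reader the question.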
@@ -57,35 +55,33 @@ hubble: tls: - hosts: - "hubble.${SECRET_DOMAIN}" -{% else %} +#% else %# hubble: enabled: false -{% endif %} +#% endif %# ipam: mode: kubernetes ipv4NativeRoutingCIDR: "${CLUSTER_CIDR}" -{% if feature_gates.dual_stack_ipv4_first %} +#% if bootstrap_feature_gates.dual_stack_ipv4_first %# ipv6NativeRoutingCIDR: "${CLUSTER_CIDR_V6}" ipv6: enabled: true -{% endif %} -{% if distribution.type in ["k3s"] %} +#% endif %# +#% if bootstrap_distribution in ["k3s"] %# k8sServiceHost: 127.0.0.1 k8sServicePort: 6444 -{% elif distribution.type in ["talos"] %} +#% elif bootstrap_distribution in ["talos"] %# k8sServiceHost: 127.0.0.1 k8sServicePort: 7445 -{% endif %} +#% endif %# kubeProxyReplacement: true kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 l2announcements: - {% if ( (distribution.talos.bgp.enabled) or - (feature_gates.dual_stack_ipv4_first) ) %} - # https://github.com/cilium/cilium/issues/28985 - enabled: false - {% else %} + #% if ((bootstrap_bgp.enabled) or (bootstrap_feature_gates.dual_stack_ipv4_first)) %# + enabled: false # https://github.com/cilium/cilium/issues/28985 + #% else %# enabled: true - {% endif %} + #% endif %# loadBalancer: algorithm: maglev mode: dsr diff --git a/bootstrap/templates/partials/cilium-values-init.partial.yaml.j2 b/bootstrap/templates/partials/cilium-values-init.partial.yaml.j2 index 8a3041123..cb785f9e1 100644 --- a/bootstrap/templates/partials/cilium-values-init.partial.yaml.j2 +++ b/bootstrap/templates/partials/cilium-values-init.partial.yaml.j2 @@ -1,8 +1,6 @@ autoDirectNodeRoutes: true -{% if distribution.talos.bgp.enabled %} bgpControlPlane: enabled: true -{% endif %} bpf: masquerade: true cgroup: 
@@ -10,13 +8,13 @@ cgroup: enabled: false hostRoot: /sys/fs/cgroup cluster: - name: home-kubernetes id: 1 + name: home-kubernetes containerRuntime: integration: containerd - {% if distribution.type in ["k3s"] %} + #% if bootstrap_distribution in ["k3s"] %# socketPath: /var/run/k3s/containerd/containerd.sock - {% endif %} + #% endif %# # NOTE: This might need to be set if you have more than one active NIC on your hosts # devices: # - eno0 @@ -26,29 +24,27 @@ hubble: enabled: false ipam: mode: kubernetes -ipv4NativeRoutingCIDR: "{{ cluster.pod_network }}" -{% if feature_gates.dual_stack_ipv4_first %} -ipv6NativeRoutingCIDR: "{{ cluster.pod_network_v6 }}" +ipv4NativeRoutingCIDR: "#{ bootstrap_pod_network }#" +#% if bootstrap_feature_gates.dual_stack_ipv4_first %# +ipv6NativeRoutingCIDR: "#{ bootstrap_pod_network_v6 }#" ipv6: enabled: true -{% endif %} -{% if distribution.type in ["k3s"] %} +#% endif %# +#% if bootstrap_distribution in ["k3s"] %# k8sServiceHost: 127.0.0.1 k8sServicePort: 6444 -{% elif distribution.type in ["talos"] %} +#% elif bootstrap_distribution in ["talos"] %# k8sServiceHost: 127.0.0.1 k8sServicePort: 7445 -{% endif %} +#% endif %# kubeProxyReplacement: true kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 l2announcements: - {% if ( (distribution.talos.bgp.enabled) or - (feature_gates.dual_stack_ipv4_first) ) %} - # https://github.com/cilium/cilium/issues/28985 - enabled: false - {% else %} + #% if ((bootstrap_bgp.enabled) or (bootstrap_feature_gates.dual_stack_ipv4_first)) %# + enabled: false # https://github.com/cilium/cilium/issues/28985 + #% else %# enabled: true - {% endif %} + #% endif %# loadBalancer: algorithm: maglev mode: dsr diff --git a/bootstrap/templates/partials/kube-vip-ds.partial.yaml.j2 b/bootstrap/templates/partials/kube-vip-ds.partial.yaml.j2 index bb650549e..6c9475be4 100644 --- a/bootstrap/templates/partials/kube-vip-ds.partial.yaml.j2 +++ b/bootstrap/templates/partials/kube-vip-ds.partial.yaml.j2 
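Review bot: `ipv4NativeRoutingCIDR` in the init partial takes the whole `bootstrap_pod_network` string, whereas cluster-settings.yaml.j2 and talconfig.yaml.j2 in this same change use `bootstrap_pod_network.split(',')[0]` for the v4 CIDR and `split(',')[1]` for v6; this partial instead references `bootstrap_pod_network_v6`, which appears nowhere else in the diff. In a dual-stack config (`dual_stack_ipv4_first` with a comma-separated pod network) the init values would carry the joined string as the v4 CIDR and an undefined v6 variable, unless the bootstrap tooling derives `bootstrap_pod_network_v6` elsewhere — confirm that. Using `"#{ bootstrap_pod_network.split(',')[0] }#"` and `"#{ bootstrap_pod_network.split(',')[1] }#"` here would make the partials agree.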
@@ -21,7 +21,7 @@ spec: args: ["manager"] env: - name: address - value: "{{ cluster.endpoint_vip }}" + value: "#{ bootstrap_controllers_vip }#" - name: vip_arp value: "true" - name: port diff --git a/bootstrap/templates/partials/kubelet-csr-approver-values.partial.yaml.j2 b/bootstrap/templates/partials/kubelet-csr-approver-values.partial.yaml.j2 index 51b5ec6c7..0bf92493c 100644 --- a/bootstrap/templates/partials/kubelet-csr-approver-values.partial.yaml.j2 +++ b/bootstrap/templates/partials/kubelet-csr-approver-values.partial.yaml.j2 @@ -1,2 +1,2 @@ -providerRegex: ^({{ (nodes.inventory | map(attribute='name') | join('|')) }})$ +providerRegex: ^(#{ (bootstrap_node_inventory | map(attribute='name') | join('|')) }#)$ bypassDnsResolution: true diff --git a/config.sample.yaml b/config.sample.yaml index bf5cafd82..2ee68ad08 100644 --- a/config.sample.yaml +++ b/config.sample.yaml 
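Review bot: `providerRegex` in kubelet-csr-approver-values.partial.yaml.j2 joins the node names into a regex unescaped, and with `bypassDnsResolution: true` that regex is the only check tying a kubelet serving-certificate CSR to a known node, since the DNS/IP-SAN cross-check is disabled. Node names are DNS labels, so the practical effect is that `.` matches any character (a name like `k8s.home` also approves `k8sXhome`), a mild broadening rather than a bypass; if makejinja exposes a regex-escape filter, apply it per name, otherwise record the assumption with `# node names are inserted unescaped; keep them to [a-z0-9-]`. The hunk covers the whole two-line file.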
@@ -1,161 +1,149 @@ --- # -# (Required) Distribution represents the Kubernetes distribution layer and any additional customizations +# 1. (Required) Cluster details - Cluster represents the Kubernetes cluster layer and any additional customizations # -distribution: - # (Required) Distribution can either be k3s, or talos - type: k3s - # (Optional) Talos Specific Options - talos: {} - # # (Required) If you need any additional System Extensions and/or kernel arguments generate a schematic ID. - # # Go to https://factory.talos.dev/ and choose the System Extensions you need and/or add extra kernel arguments. - # # Otherwise use below default. - # schematicID: "376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba" - # # (Optional) Add vlan tag to network master device - # # See: https://www.talos.dev/latest/advanced/advanced-networking/#vlans - # vlan: 1 - # # (Optional) Use cilium BGP control plane when L2 announcements won't traverse VLAN network segments. - # # Needs a BGP capable router setup with the node IPs as peers. - # # See: https://docs.cilium.io/en/latest/network/bgp-control-plane/ - # bgp: - # enabled: true - # # (Optional) If using multiple BGP peers add them here. - # # Default is .1 derrived from host_network: ['x.x.x.1'] - # peers: [] - # # (Required) Set the BGP Autonomous System Number for the router(s) and nodes. - # # If these match, iBGP will be used. If not, eBGP will be used. - # peer_asn: 64512 # Router(s) AS - # local_asn: 64512 # Node(s) AS - # # (Required) The loadbalancer CIDR for the cluster, this must NOT overlap with any - # # existing networks and is usually a /16 (64K IPs). - # # If you want to use IPv6 check the advanced flags below - # loadbalancer_network: 10.123.0.0/16 - # secureboot: - # # (Optional) Enable secureboot on UEFI systems. Not supported on x86 platforms in BIOS mode. - # # If you want to use this. Please make sure to boot from secureboot ISO and enroll keys first. 
- # # See: https://www.talos.dev/latest/talos-guides/install/bare-metal-platforms/secureboot - # enabled: true - # # (Optional) Enable TPM-based disk encryption. Requires TPM 2.0 - # # See: https://www.talos.dev/v1.6/talos-guides/install/bare-metal-platforms/secureboot/#disk-encryption-with-tpm - # encrypt_disk_with_tpm: true - # user_patches: true - # # (Optional) Add includes for user provided patches to generated talconfig.yaml. - # # See: https://github.com/budimanjojo/talhelper/blob/179ba9ed42f70069c7842109bea24f769f7af6eb/example/extraKernelArgs-patch.yaml - # # Patches are applied in this order. (global overrides cp/worker which overrides node-specific). - # # Create these files to allow talos:bootstrap-genconfig to complete (empty files are ok). - # # kubernetes/talos/patches/node_.yaml # Patches for individual nodes - # # kubernetes/talos/patches/controlPlane.yaml # Patches for controlplane nodes - # # kubernetes/talos/patches/worker.yaml # Patches for worker nodes - # # kubernetes/talos/patches/global.yaml # Patches for ALL nodes - -# # (Required) Timezone is your IANA formatted timezone (e.g. America/New_York) -# +bootstrap_timezone: "" -timezone: "" +# (Required) Distribution can either be k3s or talos +bootstrap_distribution: k3s -# -# (Required) Nodes represents the physical or virtual machines layer and any additional customizations -# +# (Required: Talos) Talos Specific Options +bootstrap_talos: + # (Required: Talos) If you need any additional System Extensions, and/or add kernel arguments generate a schematic ID. + # Go to https://factory.talos.dev/ and choose the System Extensions, and/or add kernel arguments. + schematic_id: "" + # (Optional: Talos) Add vlan tag to network master device + # See: https://www.talos.dev/latest/advanced/advanced-networking/#vlans + vlan: "" + # (Optional: Talos) Secureboot and TPM-based disk encryption + secureboot: + # (Optional) Enable secureboot on UEFI systems. Not supported on x86 platforms in BIOS mode. 
+ # See: https://www.talos.dev/latest/talos-guides/install/bare-metal-platforms/secureboot + enabled: false + # (Optional) Enable TPM-based disk encryption. Requires TPM 2.0 + # See: https://www.talos.dev/v1.6/talos-guides/install/bare-metal-platforms/secureboot/#disk-encryption-with-tpm + encrypt_disk_with_tpm: false + # (Optional) Add includes for user provided patches to generated talconfig.yaml. + # See: https://github.com/budimanjojo/talhelper/blob/179ba9ed42f70069c7842109bea24f769f7af6eb/example/extraKernelArgs-patch.yaml + # Patches are applied in this order. (global overrides cp/worker which overrides node-specific). + # Create these files to allow talos:bootstrap-genconfig to complete (empty files are ok). + # kubernetes/talos/patches/node_.yaml # Patches for individual nodes + # kubernetes/talos/patches/controlPlane.yaml # Patches for controlplane nodes + # kubernetes/talos/patches/worker.yaml # Patches for worker nodes + # kubernetes/talos/patches/global.yaml # Patches for ALL nodes + user_patches: false + +# (Required) The CIDR your nodes are on (e.g. 192.168.1.0/24) +bootstrap_node_network: "" -nodes: - # (Required) CIDR your nodes are on (e.g. 192.168.1.0/24) - host_network: "" - # (Optional) Talos only: If your gateway is not on the .1 address of above CIDR you can set it here (e.g. 192.168.1.254) - # default_gateway: "" - # (Optional) The DNS server to use for the cluster, this can be an existing - # local DNS server or a public one. - # Default is ["1.1.1.1", "1.0.0.1"] - # If using a local DNS server make sure it meets the following requirements: - # 1. your nodes can reach it - # 2. it is configured to forward requests to a public DNS server - # 3. you are not force redirecting DNS requests to it - this will break cert generation over DNS01 - # If using multiple DNS servers make sure they are setup the same way, there is no - # guarantee that the first DNS server will always be used for every lookup. 
- dns_servers: [] - # (Optional) The DNS search domain to use for the nodes. - # Default is "." - # Use the default or leave empty to avoid possible DNS issues inside the cluster. - search_domain: "" - # (Required) Use only 1, 3 or more ODD number of controller nodes, recommended is 3 - # Worker nodes are optional - inventory: [] - # - name: "" # Name of the node (must match [a-z0-9-\.]+) - # address: "" # IP address of the node - # controller: true # (Required) Set to true if this is a controller node - # ssh_username: "" # (Required: k3s) SSH username of the node - # talos_disk_device: "" # (Required: Talos) Device path or serial number of the disk for this node +# (Optional) The default gateway for the nodes +# Default is .1 derrived from bootstrap_node_network: 'x.x.x.1' +bootstrap_node_default_gateway: "" + +# (Required) Use only 1, 3 or more ODD number of controller nodes, recommended is 3 +# Worker nodes are optional +bootstrap_node_inventory: [] + # - name: "" # Name of the node (must match [a-z0-9-\.]+) + # address: "" # IP address of the node + # controller: true # (Required) Set to true if this is a controller node + # ssh_user: "" # (Required: k3s) SSH username of the node + # talos_disk: "" # (Required: Talos) Device path or serial number of the disk for this node # ... -# -# (Required) Cluster represents the Kubernetes cluster layer and any additional customizations -# +# (Optional) The DNS server to use for the cluster, this can be an existing +# local DNS server or a public one. +# Default is ["1.1.1.1", "1.0.0.1"] +# If using a local DNS server make sure it meets the following requirements: +# 1. your nodes can reach it +# 2. it is configured to forward requests to a public DNS server +# 3. you are not force redirecting DNS requests to it - this will break cert generation over DNS01 +# If using multiple DNS servers make sure they are setup the same way, there is no +# guarantee that the first DNS server will always be used for every lookup. 
+bootstrap_dns_servers: [] -cluster: - # (Required) The pod CIDR for the cluster, this must NOT overlap with any - # existing networks and is usually a /16 (64K IPs). - # If you want to use IPv6 check the advanced flags below - pod_network: 10.69.0.0/16 - # (Required) The service CIDR for the cluster, this must NOT overlap with any +# (Optional) The DNS search domain to use for the nodes. +# Default is "." +# Use the default or leave empty to avoid possible DNS issues inside the cluster. +bootstrap_search_domain: "" + +# (Required) The pod CIDR for the cluster, this must NOT overlap with any +# existing networks and is usually a /16 (64K IPs). +# If you want to use IPv6 check the advanced flags below +bootstrap_pod_network: "10.69.0.0/16" + +# (Required) The service CIDR for the cluster, this must NOT overlap with any +# existing networks and is usually a /16 (64K IPs). +# If you want to use IPv6 check the advanced flags below +bootstrap_service_network: "10.96.0.0/16" + +# (Required) The IP address of the Kube API, choose an available IP in +# your nodes host network that is NOT being used. This is announced over L2. +# For k3s kube-vip is used, built-in functionality is used with Talos +bootstrap_controllers_vip: "" + +# (Optional) Add additional SANs to the Kube API cert, this is useful +# if you want to call the Kube API by hostname rather than IP +bootstrap_tls_sans: [] + +# (Required) Age Public Key (e.g. age1...) +# 1. Generate a new key with the following command: +# > task sops:age-keygen +# 2. Copy the public key and paste it below +bootstrap_sops_age_pubkey: "" + +# (Optional) Use cilium BGP control plane when L2 announcements won't traverse VLAN network segments. +# Needs a BGP capable router setup with the node IPs as peers. +# See: https://docs.cilium.io/en/latest/network/bgp-control-plane/ +bootstrap_bgp: + enabled: false + # (Optional) If using multiple BGP peers add them here. 
+ # Default is .1 derrived from host_network: ['x.x.x.1'] + peers: [] + # (Required) Set the BGP Autonomous System Number for the router(s) and nodes. + # If these match, iBGP will be used. If not, eBGP will be used. + peer_asn: "" # Router(s) AS + local_asn: "" # Node(s) AS + # (Required) The advertised CIDR for the cluster, this must NOT overlap with any # existing networks and is usually a /16 (64K IPs). # If you want to use IPv6 check the advanced flags below - service_network: 10.96.0.0/16 - # (Required) The IP address of the Kube API, choose an available IP in - # your nodes host network that is NOT being used. This is announced over L2. - endpoint_vip: "" - # (Optional) Add additional SANs to the Kube API cert, this is useful - # if you want to call the Kube API by hostname rather than IP - tls_sans: [] + advertised_network: "" # -# (Optional) Flux details - Flux is used to manage the cluster configuration. +# 2. (Required) Flux details - Flux is used to manage the cluster configuration. # -flux: - # (Required) Disable to use a different tool (e.g. kubectl, Argo, Kluctl) - enabled: false - # (Required) Age Public Key (e.g. age1...) - # 1. Generate a new key with the following command: - # > task sops:age-keygen - # 2. Copy the public key and paste it below - sops_age_public_key: "" - # (Required) Options for GitHub - github: - # (Required) GitHub repository URL (for private repos use the ssh:// URL) - address: "" - # (Required) GitHub repository branch - branch: main - # (Required) Options for Flux GitHub webhook - webhook: - # (Required) Enable to setup GitHub push-based sync after cluster creation - enabled: true - # Token for GitHub push-based sync - # 1. Generate a new token with the following command: - # > openssl rand -hex 16 - # 2. 
Copy the token and paste it below - token: "" - # (Required) Private key for Flux to access the GitHub repository - private: - # (Required) Enable to use a private GitHub repository - enabled: false - # Private key for Flux to access the GitHub repository - # 1. Generate a new key with the following command: - # > ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f github-deploy.key -q -P "" - # 2. Make sure to paste public key from "github-deploy.key.pub" into - # the deploy keys section of your repository settings. - # 3. Uncomment and paste the private key below - # key: | - # -----BEGIN OPENSSH PRIVATE KEY----- - # ... - # -----END OPENSSH PRIVATE KEY----- +# (Required) GitHub repository URL (for private repos use the ssh:// URL) +bootstrap_github_address: "" + +# (Required) GitHub repository branch +bootstrap_github_branch: "main" + +# (Required) Token for GitHub push-based sync +# 1. Generate a new token with the following command: +# > openssl rand -hex 16 +# 2. Copy the token and paste it below +bootstrap_github_webhook_token: "" + +# (Optional) Private key for Flux to access the GitHub repository +# 1. Generate a new key with the following command: +# > ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f github-deploy.key -q -P "" +# 2. Make sure to paste public key from "github-deploy.key.pub" into +# the deploy keys section of your repository settings. +# 3. Uncomment and paste the private key below +# 4. Optionally set your repository on GitHub to private +# bootstrap_github_private_key: | +# -----BEGIN OPENSSH PRIVATE KEY----- +# ... +# -----END OPENSSH PRIVATE KEY----- # -# (Optional) Cloudflare details - Cloudflare is used for DNS, TLS certificates and tunneling. +# 3. (Optional) Cloudflare details - Cloudflare is used for DNS, TLS certificates and tunneling. # -cloudflare: +bootstrap_cloudflare: # (Required) Disable to use a different DNS provider enabled: false # (Required) Cloudflare Domain 
@@ -209,11 +197,11 @@ cloudflare: ingress_vip: "" # (Optional) Feature gates are used to enable experimental features -feature_gates: - # Enable Dual Stack IPv4 first - # IMPORTANT: I am looking for people to help maintain IPv6 support since I cannot test it. - # Ref: https://github.com/onedr0p/cluster-template/issues/1148 - # Keep in mind that Cilium does not currently support IPv6 L2 announcements. - # Make sure you set cluster.pod_cidr and cluster.service_cidr - # to a valid dual stack CIDRs, e.g. "10.42.0.0/16,fd00:10:244::/64" - dual_stack_ipv4_first: false +# bootstrap_feature_gates: +# # Enable Dual Stack IPv4 first +# # IMPORTANT: I am looking for people to help maintain IPv6 support since I cannot test it. +# # Ref: https://github.com/onedr0p/cluster-template/issues/1148 +# # Keep in mind that Cilium does not currently support IPv6 L2 announcements. +# # Make sure you set cluster.pod_cidr and cluster.service_cidr +# # to a valid dual stack CIDRs, e.g. "10.42.0.0/16,fd00:10:244::/64" +# dual_stack_ipv4_first: false diff --git a/makejinja.toml b/makejinja.toml index efedf0a9b..0d6281a10 100644 --- a/makejinja.toml +++ b/makejinja.toml @@ -10,9 +10,9 @@ force = true undefined = "chainable" [makejinja.delimiter] -block_start = "{%" -block_end = "%}" -comment_start = "{#" -comment_end = "#}" -variable_start = "{{" -variable_end = "}}" +block_start = "#%" +block_end = "%#" +comment_start = "#|" +comment_end = "#|" +variable_start = "#{" +variable_end = "}#"
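Review bot: The flattened sample now asks users to paste an unencrypted SSH deploy key (`bootstrap_github_private_key`), the Flux webhook token (`bootstrap_github_webhook_token`) and a Cloudflare API token straight into config.yaml, but nothing in the file says how that file must be handled; unless it is gitignored or sops-encrypted (not visible in this diff), a `git add .` after bootstrap publishes credentials that can read and push the cluster repository. A header comment would prevent that: `# WARNING: this file will contain secrets (GitHub deploy key, webhook token, Cloudflare token). Keep it out of git or encrypt it with sops; never commit it in plaintext.` Separately, the `bootstrap_bgp.peers` comment still reads `derrived from host_network`, a key this commit renames; it should say `derived from bootstrap_node_network`.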
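Review bot: The commented-out feature-gate block still tells the reader to set `cluster.pod_cidr` and `cluster.service_cidr`, keys that no longer exist after this rename (the new ones are `bootstrap_pod_network` and `bootstrap_service_network`), so anyone enabling dual stack is pointed at the wrong settings. Change the two comment lines to `# Make sure you set bootstrap_pod_network and bootstrap_service_network` and `# to valid dual stack CIDRs, e.g. "10.42.0.0/16,fd00:10:244::/64"`. Commenting the block out also leaves `bootstrap_feature_gates` undefined for templates that test `bootstrap_feature_gates.dual_stack_ipv4_first`; that appears to work only because makejinja.toml sets `undefined = "chainable"`, which is worth stating here so the block is not uncommented with a different shape later.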
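Review bot: Templates can no longer contain a plain YAML comment that begins with `#{`, `#%` or `#|` (no space after the hash), because every new start delimiter shares YAML's comment character and the lexer will treat such text as a Jinja tag instead of passing it through; `comment_start` and `comment_end` are also the same string, so a comment body may not contain `#|`. That is probably acceptable for this repository, but it is a silent hazard for contributors editing `.yaml.j2` files. A comment in the delimiter table such as `# '#'-prefixed delimiters keep templates valid YAML; never start an ordinary YAML comment with #{, #% or #|` would document the constraint where it is decided.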