feat(kube-nas): add bootstrap and initial setup

tyriis · Oct 15, 2023 · 5d82e79 · 5d82e79
1 parent 0ea12ed
commit 5d82e79
Show file tree

Hide file tree

Showing 26 changed files with 8,631 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -52,3 +52,6 @@ megalinter-reports/
 # talos configs
 infra/talos/clusterconfig/*.yaml
 infra/talos/clusterconfig/talosconfig
+
+# bootstrap helm charts
+kubernetes/**/bootstrap/**/charts
diff --git a/.sops.yaml b/.sops.yaml
@@ -1,6 +1,10 @@
 ---
 creation_rules:
-  - path_regex: (archive|kubernetes)/.*\.ya?ml
+  - path_regex: kubernetes/kube-nas/.*\.ya?ml
+    encrypted_regex: "^(data|stringData)$"
+    age: >-
+      age1clg0rd6ca86h3lnfnjyqsc9stgr0cnyp3l5uswtusxppjq9h2vcsaqckec
+  - path_regex: (archive|kubernetes/talos-flux)/.*\.ya?ml
     encrypted_regex: "^(data|stringData)$"
     age: >-
       age16zqeqx5y6ay3flwz0d06rn83yjv9ckys3j8tpkysf9v6295fhc6sf4r0uj

diff --git a/kubernetes/kube-nas/bootstrap/README.md b/kubernetes/kube-nas/bootstrap/README.md
@@ -0,0 +1,51 @@
+# Bootstrap
+
+## Cilium
+
+```bash
+kubectl kustomize --enable-helm kubernetes/kube-nas/bootstrap/cilium | kubectl apply -n kube-system -f -
+```
+
+## Coredns
+
+```bash
+kubectl kustomize --enable-helm kubernetes/kube-nas/bootstrap/coredns | kubectl apply -n kube-system -f -
+```
+
+## Metrics Server
+
+```bash
+kubectl kustomize --enable-helm kubernetes/kube-nas/bootstrap/metrics-server | kubectl apply -n kube-system -f -
+```
+
+## Kubelet CSR approver
+
+```bash
+kubectl kustomize --enable-helm kubernetes/kube-nas/bootstrap/kubelet-csr-approver | kubectl apply -n kube-system -f -
+```
+
+## Flux
+
+```bash
+kubectl apply -k kubernetes/kube-nas/flux/flux-manifests
+```
+
+### age key
+
+```bash
+sops --decrypt kubernetes/kube-nas/flux/config/age-key.sops.yaml | kubectl apply -f -
+```
+
+### GitRepo
+
+when flux is up and running, we can apply our manifests
+
+```bash
+kubectl apply --server-side -f  kubernetes/kube-nas/flux/repositories/git/home-ops.yaml
+```
+
+### Reconcilation
+
+```bash
+kubectl apply --server-side -f  kubernetes/kube-nas/flux/flux-sync.yaml
+```
diff --git a/kubernetes/kube-nas/bootstrap/cilium/kustomization.yaml b/kubernetes/kube-nas/bootstrap/cilium/kustomization.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+  - name: cilium
+    repo: https://helm.cilium.io/
+    version: 1.14.2
+    releaseName: cilium
+    namespace: kube-system
+    valuesFile: values.yaml
+commonAnnotations:
+  meta.helm.sh/release-name: cilium
+  meta.helm.sh/release-namespace: kube-system
+commonLabels:
+  app.kubernetes.io/managed-by: Helm
diff --git a/kubernetes/kube-nas/bootstrap/cilium/l2.yaml b/kubernetes/kube-nas/bootstrap/cilium/l2.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumL2AnnouncementPolicy
+metadata:
+  name: policy
+spec:
+  loadBalancerIPs: true
+  interfaces:
+    - ^eno.*|^wlp.*
+  nodeSelector:
+    matchLabels:
+      kubernetes.io/os: linux
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/cilium.io/ciliumloadbalancerippool_v2alpha1.json
+apiVersion: cilium.io/v2alpha1
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: pool
+spec:
+  cidrs:
+    - cidr: 192.168.1.243/31
diff --git a/kubernetes/kube-nas/bootstrap/cilium/values.yaml b/kubernetes/kube-nas/bootstrap/cilium/values.yaml
@@ -0,0 +1,46 @@
+---
+# autoDirectNodeRoutes: true
+# bpf:
+#   masquerade: true
+# bgp:
+#   enabled: false
+# cluster:
+#   name: kube-nas
+#   id: 1
+# containerRuntime:
+#   integration: containerd
+#   socketPath: /var/run/k3s/containerd/containerd.sock
+# endpointRoutes:
+#   enabled: true
+# hubble:
+#   enabled: false
+# ipam:
+#   mode: kubernetes
+# ipv4NativeRoutingCIDR: 10.32.0.0/16
+# k8sServiceHost: 192.168.1.242
+# k8sServicePort: 6443
+# kubeProxyReplacement: true
+# kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
+# l2announcements:
+#   enabled: true
+#   leaseDuration: 120s
+#   leaseRenewDeadline: 60s
+#   leaseRetryPeriod: 1s
+# loadBalancer:
+#   algorithm: maglev
+#   mode: dsr
+# localRedirectPolicy: true
+# operator:
+#   rollOutPods: true
+# rollOutCiliumPods: true
+# securityContext:
+#   privileged: true
+# tunnel: disabled
+
+containerRuntime:
+  integration: containerd
+  socketPath: /var/run/k3s/containerd/containerd.sock
+
+kubeProxyReplacement: strict
+operator:
+  replicas: 1
diff --git a/kubernetes/kube-nas/bootstrap/coredns/kustomization.yaml b/kubernetes/kube-nas/bootstrap/coredns/kustomization.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+  - name: coredns
+    repo: https://coredns.github.io/helm
+    version: 1.27.1
+    releaseName: coredns
+    namespace: kube-system
+    valuesFile: values.yaml
+commonAnnotations:
+  meta.helm.sh/release-name: coredns
+  meta.helm.sh/release-namespace: kube-system
+commonLabels:
+  app.kubernetes.io/managed-by: Helm
diff --git a/kubernetes/kube-nas/bootstrap/coredns/values.yaml b/kubernetes/kube-nas/bootstrap/coredns/values.yaml
@@ -0,0 +1,63 @@
+---
+fullnameOverride: coredns
+replicaCount: 1
+k8sAppLabelOverride: kube-dns
+service:
+  name: kube-dns
+  clusterIP: 10.43.0.10
+serviceAccount:
+  create: true
+deployment:
+  annotations:
+    reloader.stakater.com/auto: "true"
+servers:
+  - zones:
+      - zone: .
+        scheme: dns://
+        use_tcp: true
+    port: 53
+    plugins:
+      - name: log
+      - name: errors
+      - name: health
+        configBlock: |-
+          lameduck 5s
+      - name: ready
+      - name: kubernetes
+        parameters: cluster.local in-addr.arpa ip6.arpa
+        configBlock: |-
+          pods insecure
+          fallthrough in-addr.arpa ip6.arpa
+          ttl 30
+      - name: prometheus
+        parameters: 0.0.0.0:9153
+      - name: forward
+        parameters: . /etc/resolv.conf
+      - name: cache
+        parameters: 30
+      - name: loop
+      - name: reload
+      - name: loadbalance
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: node-role.kubernetes.io/control-plane
+              operator: Exists
+tolerations:
+  - key: CriticalAddonsOnly
+    operator: Exists
+  - key: node-role.kubernetes.io/control-plane
+    operator: Exists
+    effect: NoSchedule
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+    effect: NoSchedule
+topologySpreadConstraints:
+  - maxSkew: 1
+    topologyKey: kubernetes.io/hostname
+    whenUnsatisfiable: DoNotSchedule
+    labelSelector:
+      matchLabels:
+        app.kubernetes.io/instance: coredns
diff --git a/kubernetes/kube-nas/bootstrap/kubelet-csr-approver/kustomization.yaml b/kubernetes/kube-nas/bootstrap/kubelet-csr-approver/kustomization.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+  - name: kubelet-csr-approver
+    repo: https://postfinance.github.io/kubelet-csr-approver
+    version: 1.0.5
+    releaseName: kubelet-csr-approver
+    namespace: kube-system
+    valuesFile: values.yaml
+commonAnnotations:
+  meta.helm.sh/release-name: kubelet-csr-approver
+  meta.helm.sh/release-namespace: kube-system
+commonLabels:
+  app.kubernetes.io/managed-by: Helm
diff --git a/kubernetes/kube-nas/bootstrap/kubelet-csr-approver/values.yaml b/kubernetes/kube-nas/bootstrap/kubelet-csr-approver/values.yaml
@@ -0,0 +1,4 @@
+---
+providerRegex: |
+  ^(kube-nas)$
+replicas: 1
diff --git a/kubernetes/kube-nas/bootstrap/metrics-server/kustomization.yaml b/kubernetes/kube-nas/bootstrap/metrics-server/kustomization.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+  - name: metrics-server
+    repo: https://kubernetes-sigs.github.io/metrics-server
+    version: 3.11.0
+    releaseName: metrics-server
+    namespace: kube-system
+    valuesFile: values.yaml
+commonAnnotations:
+  meta.helm.sh/release-name: metrics-server
+  meta.helm.sh/release-namespace: kube-system
+commonLabels:
+  app.kubernetes.io/managed-by: Helm
diff --git a/kubernetes/kube-nas/bootstrap/metrics-server/values.yaml b/kubernetes/kube-nas/bootstrap/metrics-server/values.yaml
@@ -0,0 +1,5 @@
+---
+metrics:
+  enabled: false
+serviceMonitor:
+  enabled: false
diff --git a/kubernetes/kube-nas/flux/apps-sync.yaml b/kubernetes/kube-nas/flux/apps-sync.yaml
@@ -0,0 +1,48 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: apps-sync
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: flux-sync
+  interval: 10m
+  path: ./kubernetes/kube-nas/apps
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  postBuild:
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets
+  patches:
+    - patch: |-
+        apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+        kind: Kustomization
+        metadata:
+          name: not-used
+        spec:
+          decryption:
+            provider: sops
+            secretRef:
+              name: sops-age
+          postBuild:
+            substituteFrom:
+              - kind: ConfigMap
+                name: cluster-settings
+              - kind: Secret
+                name: cluster-secrets
+      target:
+        group: kustomize.toolkit.fluxcd.io
+        version: v1beta2
+        kind: Kustomization
+        labelSelector: substitution.flux.home.arpa/disabled notin (true)
diff --git a/kubernetes/kube-nas/flux/config/cluster-secrets.sops.yaml b/kubernetes/kube-nas/flux/config/cluster-secrets.sops.yaml
@@ -0,0 +1,32 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: cluster-secrets
+    namespace: flux-system
+    labels:
+        kustomize.toolkit.fluxcd.io/prune: disabled
+stringData:
+    SECRET_DOMAIN: ENC[AES256_GCM,data:DpuaBIH6BtrSv6j0,iv:gycRX/M0gKInB3NN5mylITlIVR3zboiuKIY1rcVRPa0=,tag:LgO2YPD4MDhFZ9wM4m0TDQ==,type:str]
+    SECRET_CLOUDFLARE_EMAIL: ENC[AES256_GCM,data:LWGDmudeJQ/7ZHy75DXYGfik3UY=,iv:27CI1znsOuw3tvhd39AN/CLTboXXp5V0yfpGiVgsPzs=,tag:cmifoigmu1Uq8yeI14dnSg==,type:str]
+    SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:V8jIdBxr6/Y+J1VWeaB18sL3DakdmF9enIwMExvPuNTyiSMk,iv:7tsv/BlfmCc5QrqhIJbIbT/xIDbBnf8ITKityQ55wGs=,tag:2AhU/1t9LvyaBgLanlBdbw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1clg0rd6ca86h3lnfnjyqsc9stgr0cnyp3l5uswtusxppjq9h2vcsaqckec
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoVlFoYmgyTDZHNFdNQnZM
+            UlpKYTFDWGVtWEhRUmZEemp3TFRUTkV2VTFBCjdhWnBhSGR5ZU01aGxRYWhIc0Ew
+            QUtYM2s2WWZVREptV1lsRXIrdHIyV1kKLS0tICtVKzZ3TXpyYjFRa0dsbVdsYkpP
+            SHlHS1N5UWRLbGRZWkFQa2ZORk91bXcKi0d9metxL4K26w7fLNn25O/4/wJPYwpK
+            DDUb3MaTsNARCtgqiqAaJEb3awE3MMWQTwqKcGANpDIivIrUsh5CNA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-10-15T21:39:01Z"
+    mac: ENC[AES256_GCM,data:cpyR7RJd0BIFQwbcJS2gkhEj1whfrTLJdOWU4XdQG4z3T8NHAEO2xYCL5rad0ZHkcv8dMZvrQ4XGQZ8D5yNt8BvCEzeDH/KkcWgV4/+MDRqI+Ew35lOOM9MeqIVD3UDczftuHmu3QXbv6AUc5wrQpOJIJ2UE4ZK+6bbC/O3xIIg=,iv:HwZNsPwxI5HX4R1FU9N+Yl/ZMJ7Z3REIZ8dpu5ofKk8=,tag:CnlNuzOMoIeoRy+kukXrag==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.0
diff --git a/kubernetes/kube-nas/flux/config/cluster-settings.yaml b/kubernetes/kube-nas/flux/config/cluster-settings.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cluster-settings
+  namespace: flux-system
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+data:
+  SETTING_CLUSTERNAME: kube-nas
+  SETTING_TZ: Europe/Vienna
+  SETTING_GATEWAY: 192.168.1.1