feat: add spegel

kube/clusters/biohazard/flux/kustomization.yaml

@@ -43,6 +43,7 @@ resources:
   # - ../../../deploy/apps/renovate/
   # - ../../../deploy/apps/kubevirt/
   - ../../../deploy/apps/default/
+  - ../../../deploy/apps/spegel/
   - ../../../deploy/apps/whoogle/
   - ../../../deploy/apps/searxng/
   - ../../../deploy/apps/cyberchef/

kube/clusters/biohazard/talos/talconfig.yaml

@@ -84,9 +84,11 @@ nodes:
     hostname: "chise.${DNS_CLUSTER}" # M720q, i3 4C4T, 32GB RAM, 512GB OS NVMe
     ipAddress: "${IP_ROUTER_VLAN_K8S_PREFIX}3"
     networkInterfaces:
-      - interface: "enp1s0d1"
-        mtu: 9000 # TODO: switch to 9000 once M720q risers arrive
+      - mtu: 9000 # TODO: switch to 9000 once M720q risers arrive
         dhcp: false
+        deviceSelector:
+          driver: "mlx4_core"
+          hardwareAddr: "*:80"
         vlans:
           - <<: *m720q-v58
             addresses: ["${IP_ROUTER_VLAN_K8S_PREFIX}3/28"]
@@ -227,6 +229,20 @@ controlPlane:
               wsize=131072
               nconnect=8
 
+    # patch containerd for spegel (discard) 
+    - &containerdPatches |-
+      machine:
+        files:
+          - op: create
+            path: /etc/nfsmount.conf
+            permissions: 0o644
+            content: |
+              [plugins."io.containerd.grpc.v1.cri"]
+                enable_unprivileged_ports = true
+                enable_unprivileged_icmp = true
+              [plugins."io.containerd.grpc.v1.cri".containerd]
+                discard_unpacked_layers = false
+
 worker:
   patches:
     - *kubeletExtraArgs
@@ -238,3 +254,4 @@ worker:
     # TODO: https://github.com/siderolabs/talos/issues/3129
     - *encryptedOSD
     - *nfsMountOptions
+    - *containerdPatches

kube/deploy/apps/spegel/app/hr.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app spegel
+  namespace: *app
+spec:
+  chart:
+    spec:
+      chart: spegel
+      version: 2.0.3
+      sourceRef:
+        name: spegel
+        kind: HelmRepository
+        namespace: flux-system
+  values:
+    spegel:
+      containerdSock: /run/containerd/containerd.sock
+      containerdRegistryConfigPath: /etc/cri/conf.d/hosts
+    serviceMonitor:
+      enabled: true

kube/deploy/apps/spegel/ks.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: spegel-app
+  namespace: flux-system
+spec:
+  path: ./kube/deploy/apps/spegel/app
+  dependsOn: []

kube/deploy/apps/spegel/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - repo.yaml
+  - ks.yaml

kube/deploy/apps/spegel/repo.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: spegel
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  timeout: 3m0s
+  type: oci
+  url: oci://ghcr.io/xenitab/helm-charts

kube/deploy/core/monitoring/grafana/app/hr.yaml

@@ -153,6 +153,11 @@ spec:
         kubernetes-pods:
           url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-pods.json
           datasource: Prometheus
+        spegel:
+          # renovate: depName="Spegel"
+          gnetId: 18089
+          revision: 1
+          datasource: Prometheus
       nginx:
         nginx:
           url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json