feat: add Talos image pull agent

2026-01-27 18:18:26 +00:00 · 2025-05-03 04:31:18 +08:00
parent 80b02bea94
commit 900934d4ec
8 changed files with 197 additions and 9 deletions
--- a/kube/clusters/biohazard/talos/talconfig.yaml
+++ b/kube/clusters/biohazard/talos/talconfig.yaml
@@ -568,10 +568,12 @@ controlPlane:
            enabled: true
            allowedRoles:
              - os:admin
+              - os:operator
            allowedKubernetesNamespaces:
              - system-upgrade-controller
              - talos-backup
              - code-server
+              - talosctl-image-pull-agent

    - &MutatingAdmissionPolicy |
      cluster:
--- a/kube/deploy/apps/talosctl-image-pull-agent/app/hr.yaml
+++ b/kube/deploy/apps/talosctl-image-pull-agent/app/hr.yaml
@@ -0,0 +1,115 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-3.7.3/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app talosctl-image-pull-agent
+  namespace: *app
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.7.3
+      sourceRef:
+        name: bjw-s
+        kind: HelmRepository
+        namespace: flux-system
+  values:
+    controllers:
+      talosctl-image-pull-agent:
+        type: daemonset
+        pod:
+          labels:
+            ingress.home.arpa/nginx-internal: allow
+            egress.home.arpa/talos: allow
+        containers:
+          main:
+            image: &img
+              repository: jank.ing/jjgadgets/talosctl-image-pull-agent
+              tag: 1.9.5@sha256:9a20301eea99be43777105fbc4094ce4a9a6b357a5bbc6e548efc13c55a54c3f
+            env: &env
+              TZ: "${CONFIG_TZ}"
+              NODE:
+                fieldRef:
+                  fieldPath: status.hostIP
+            securityContext: &sc
+              readOnlyRootFilesystem: true
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+            resources:
+              requests:
+                cpu: "10m"
+              limits:
+                cpu: "1"
+                memory: "512Mi"
+            probes:
+              liveness:
+                enabled: true
+              readiness:
+                enabled: true
+    service:
+      talosctl-image-pull-agent:
+        controller: talosctl-image-pull-agent
+        ports:
+          http:
+            port: 80
+            targetPort: 9000
+            protocol: HTTP
+            appProtocol: http
+    ingress:
+      main:
+        className: nginx-internal
+        annotations:
+          external-dns.alpha.kubernetes.io/target: "${DNS_CF:=cf}"
+          external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+        hosts:
+          - host: &host "${APP_DNS_TALOSCTL_IMAGE_PULL_AGENT:=talosctl-image-pull-agent}"
+            paths: &paths
+              - path: /
+                pathType: Prefix
+                service:
+                  identifier: talosctl-image-pull-agent
+                  port: http
+        tls:
+          - hosts: [*host]
+    persistence:
+      talos-admin:
+        type: secret
+        name: "talos"
+        defaultMode: 0400
+        advancedMounts:
+          talosctl-image-pull-agent:
+            main:
+              - path: "/var/run/secrets/talos.dev"
+                readOnly: true
+    defaultPodOptions:
+      automountServiceAccountToken: false
+      enableServiceLinks: false
+      dnsConfig:
+        options:
+          - name: ndots
+            value: "1"
+      hostUsers: false
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: &uid 65534
+        runAsGroup: *uid
+        fsGroup: *uid
+        fsGroupChangePolicy: Always
+        seccompProfile: { type: "RuntimeDefault" }
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: "{{ .Release.Name }}"
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: fuckoff.home.arpa/{{ .Release.Name }}
+                    operator: DoesNotExist
--- a/kube/deploy/apps/talosctl-image-pull-agent/app/ns.yaml
+++ b/kube/deploy/apps/talosctl-image-pull-agent/app/ns.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: talosctl-image-pull-agent
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+    pod-security.kubernetes.io/enforce: &ps restricted
+    pod-security.kubernetes.io/audit: *ps
+    pod-security.kubernetes.io/warn: *ps
--- a/kube/deploy/apps/talosctl-image-pull-agent/app/talos-serviceaccount.yaml
+++ b/kube/deploy/apps/talosctl-image-pull-agent/app/talos-serviceaccount.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: talos.dev/v1alpha1
+kind: ServiceAccount
+metadata:
+  name: talos
+  namespace: talosctl-image-pull-agent
+spec:
+  roles:
+    - os:operator
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: talos
+  namespace: talosctl-image-pull-agent
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: Merge
+    reloader.stakater.com/match: "false"
--- a/kube/deploy/apps/talosctl-image-pull-agent/ks.yaml
+++ b/kube/deploy/apps/talosctl-image-pull-agent/ks.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: talosctl-image-pull-agent-app
+  namespace: flux-system
+  labels: &l
+    app.kubernetes.io/name: "talosctl-image-pull-agent"
+spec:
+  targetNamespace: "talosctl-image-pull-agent"
+  commonMetadata:
+    labels: *l
+  path: ./kube/deploy/apps/talosctl-image-pull-agent/app
+  components:
+    - ../../../core/storage/volsync/component/
+    - ../../../core/flux-system/alerts/template/
+  dependsOn:
+    - name: crds
+      namespace: flux-system
--- a/kube/deploy/apps/talosctl-image-pull-agent/kustomization.yaml
+++ b/kube/deploy/apps/talosctl-image-pull-agent/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  # - ns.yaml
+  - ks.yaml
--- a/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml
+++ b/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml
@@ -45,6 +45,24 @@ spec:
 # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
 apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: labelled-allow-egress-host
+spec:
+  endpointSelector:
+    matchLabels:
+      egress.home.arpa/talos: "allow"
+  egress:
+    - toEntities:
+        - host
+        - remote-node
+      toPorts:
+        - ports:
+            - port: "50000"
+            - port: "50001"
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
 metadata:
  name: labelled-allow-egress-world
 spec:
--- a/kube/deploy/core/storage/minio-nas/app/hr.yaml
+++ b/kube/deploy/core/storage/minio-nas/app/hr.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: &app minio-nas
@@ -35,7 +35,7 @@ spec:
            env:
              TZ: "${CONFIG_TZ}"
              MINIO_VOLUMES: "/data"
-              MINIO_DOMAIN: &s3 "${APP_DNS_MINIO_NAS_S3}"
+              MINIO_DOMAIN: &s3 "${APP_DNS_MINIO_NAS_S3:=minio-nas}"
              MINIO_COMPRESSION_ENABLE: "on"
              MINIO_BROWSER_LOGIN_ANIMATION: "off"
              MINIO_BROWSER_REDIRECT: "false"
@@ -52,7 +52,7 @@ spec:
              requests:
                cpu: "100m"
              limits:
-                cpu: "3000m"
+                cpu: "1"
                memory: "2Gi"
            ports:
              - name: s3
@@ -107,8 +107,8 @@ spec:
        controller: main
        type: LoadBalancer
        annotations:
-          coredns.io/hostname: "${APP_DNS_MINIO_NAS_S3}"
-          "io.cilium/lb-ipam-ips": "${APP_IP_MINIO_NAS_S3}"
+          coredns.io/hostname: "${APP_DNS_MINIO_NAS_S3:=minio-nas}"
+          "io.cilium/lb-ipam-ips": "${APP_IP_MINIO_NAS_S3:=127.0.0.1}"
        ports:
          http:
            port: 443
@@ -126,7 +126,7 @@ spec:
            proxy_ssl_name ${APP_DNS_MINIO_NAS_S3};
            proxy_ssl_server_name on;
        hosts:
-          - host: &host "${APP_DNS_MINIO_NAS}"
+          - host: &host "${APP_DNS_MINIO_NAS:=minio-nas}"
            paths: &paths
              - path: /
                pathType: Prefix
@@ -144,8 +144,8 @@ spec:
        type: "custom"
        volumeSpec:
          iscsi:
-            targetPortal: "${IP_TRUENAS}:3260"
-            iqn: "${CONFIG_TRUENAS_IQN}:minio"
+            targetPortal: "${IP_TRUENAS:=127.0.0.1}:3260"
+            iqn: "${CONFIG_TRUENAS_IQN:=truenas}:minio"
            lun: 0
            fsType: "xfs" # MinIO recommendation
        globalMounts:
@@ -170,7 +170,7 @@ spec:
      enableServiceLinks: false
      securityContext:
        runAsNonRoot: true
-        runAsUser: &uid ${APP_UID_MINIO_NAS}
+        runAsUser: &uid ${APP_UID_MINIO_NAS:=1000}
        runAsGroup: *uid
        fsGroup: *uid
        fsGroupChangePolicy: "Always"