diff --git a/kube/clusters/biohazard/talos/talconfig.yaml b/kube/clusters/biohazard/talos/talconfig.yaml index 6a83f41e..312e69c6 100755 --- a/kube/clusters/biohazard/talos/talconfig.yaml +++ b/kube/clusters/biohazard/talos/talconfig.yaml @@ -568,10 +568,12 @@ controlPlane: enabled: true allowedRoles: - os:admin + - os:operator allowedKubernetesNamespaces: - system-upgrade-controller - talos-backup - code-server + - talosctl-image-pull-agent - &MutatingAdmissionPolicy | cluster: diff --git a/kube/deploy/apps/talosctl-image-pull-agent/app/hr.yaml b/kube/deploy/apps/talosctl-image-pull-agent/app/hr.yaml new file mode 100644 index 00000000..61a728ac --- /dev/null +++ b/kube/deploy/apps/talosctl-image-pull-agent/app/hr.yaml 
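Review bot: Adding `talosctl-image-pull-agent` to allowedKubernetesNamespaces admits that namespace to every role in allowedRoles, which still lists `os:admin` alongside the new `os:operator`; as far as this hunk shows the role list is cluster-wide rather than per namespace, so the agent is held to os:operator only by what its talos.dev ServiceAccount requests and by who may create such objects in that namespace. A comment above the new namespace entry, e.g. `# talosctl-image-pull-agent: its ServiceAccount requests os:operator only`, would record that expectation for the next reader. The enclosing `controlPlane` block begins before the hunk.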
@@ -0,0 +1,115 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-3.7.3/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app talosctl-image-pull-agent
+ namespace: *app
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.7.3
+ sourceRef:
+ name: bjw-s
+ kind: HelmRepository
+ namespace: flux-system
+ values:
+ controllers:
+ talosctl-image-pull-agent:
+ type: daemonset
+ pod:
+ labels:
+ ingress.home.arpa/nginx-internal: allow
+ egress.home.arpa/talos: allow
+ containers:
+ main:
+ image: &img
+ repository: jank.ing/jjgadgets/talosctl-image-pull-agent
+ tag: 1.9.5@sha256:9a20301eea99be43777105fbc4094ce4a9a6b357a5bbc6e548efc13c55a54c3f
+ env: &env
+ TZ: "${CONFIG_TZ}"
+ NODE:
+ fieldRef:
+ fieldPath: status.hostIP
+ securityContext: &sc
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: "10m"
+ limits:
+ cpu: "1"
+ memory: "512Mi"
+ probes:
+ liveness:
+ enabled: true
+ readiness:
+ enabled: true
+ service:
+ talosctl-image-pull-agent:
+ controller: talosctl-image-pull-agent
+ ports:
+ http:
+ port: 80
+ targetPort: 9000
+ protocol: HTTP
+ appProtocol: http
+ ingress:
+ main:
+ className: nginx-internal
+ annotations:
+ external-dns.alpha.kubernetes.io/target: "${DNS_CF:=cf}"
+ external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+ hosts:
+ - host: &host "${APP_DNS_TALOSCTL_IMAGE_PULL_AGENT:=talosctl-image-pull-agent}"
+ paths: &paths
+ - path: /
+ pathType: Prefix
+ service:
+ identifier: talosctl-image-pull-agent
+ port: http
+ tls:
+ - hosts: [*host]
+ persistence:
+ talos-admin:
+ type: secret
+ name: "talos"
+ defaultMode: 0400
+ advancedMounts:
+ talosctl-image-pull-agent:
+ main:
+ - path: "/var/run/secrets/talos.dev"
+ readOnly: true
+ defaultPodOptions:
+ automountServiceAccountToken: false
+ enableServiceLinks: false
+ dnsConfig:
+ options:
+ - name: ndots
+ value: "1"
+ hostUsers: false
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: &uid 65534
+ runAsGroup: *uid
+ fsGroup: *uid
+ fsGroupChangePolicy: Always
+ seccompProfile: { type: "RuntimeDefault" }
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: "{{ .Release.Name }}"
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: fuckoff.home.arpa/{{ .Release.Name }}
+ operator: DoesNotExist
diff --git a/kube/deploy/apps/talosctl-image-pull-agent/app/ns.yaml b/kube/deploy/apps/talosctl-image-pull-agent/app/ns.yaml
new file mode 100644
index 00000000..4504c293
--- /dev/null
+++ b/kube/deploy/apps/talosctl-image-pull-agent/app/ns.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: talosctl-image-pull-agent
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ pod-security.kubernetes.io/enforce: &ps restricted
+ pod-security.kubernetes.io/audit: *ps
+ pod-security.kubernetes.io/warn: *ps
diff --git a/kube/deploy/apps/talosctl-image-pull-agent/app/talos-serviceaccount.yaml b/kube/deploy/apps/talosctl-image-pull-agent/app/talos-serviceaccount.yaml
new file mode 100644
index 00000000..1b1f3229
--- /dev/null
+++ b/kube/deploy/apps/talosctl-image-pull-agent/app/talos-serviceaccount.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: talos.dev/v1alpha1
+kind: ServiceAccount
+metadata:
+ name: talos
+ namespace: talosctl-image-pull-agent
+spec:
+ roles:
+ - os:operator
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: talos
+ namespace: talosctl-image-pull-agent
+ annotations:
+ kustomize.toolkit.fluxcd.io/ssa: Merge
+ reloader.stakater.com/match: "false"
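Review bot: The ingress `main` publishes the agent's HTTP endpoint on `nginx-internal` with no authentication-related annotations, while the same pod mounts the `talos` secret at `/var/run/secrets/talos.dev` carrying os:operator credentials; unless the agent authenticates requests itself (not visible here), anything that can reach the internal ingress can drive it, so either add the cluster's usual ingress auth annotations or drop the ingress if the UI is not needed. Separately, `defaultMode: 0400` under `persistence.talos-admin` is only octal under YAML 1.1 rules; a YAML 1.2 parser reads it as decimal 400 (0o620), so `defaultMode: 256` removes the ambiguity. The anchors `&img`, `&env`, `&sc` and `&paths` are never aliased in this file and can be dropped.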
diff --git a/kube/deploy/apps/talosctl-image-pull-agent/ks.yaml b/kube/deploy/apps/talosctl-image-pull-agent/ks.yaml
new file mode 100644
index 00000000..c73abc10
--- /dev/null
+++ b/kube/deploy/apps/talosctl-image-pull-agent/ks.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: talosctl-image-pull-agent-app
+ namespace: flux-system
+ labels: &l
+ app.kubernetes.io/name: "talosctl-image-pull-agent"
+spec:
+ targetNamespace: "talosctl-image-pull-agent"
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/apps/talosctl-image-pull-agent/app
+ components:
+ - ../../../core/storage/volsync/component/
+ - ../../../core/flux-system/alerts/template/
+ dependsOn:
+ - name: crds
+ namespace: flux-system
diff --git a/kube/deploy/apps/talosctl-image-pull-agent/kustomization.yaml b/kube/deploy/apps/talosctl-image-pull-agent/kustomization.yaml
new file mode 100644
index 00000000..45bc3673
--- /dev/null
+++ b/kube/deploy/apps/talosctl-image-pull-agent/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ # - ns.yaml
+ - ks.yaml
diff --git a/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml b/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml
index 1d81c989..3157937a 100644
--- a/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml
+++ b/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml
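Review bot: `components` pulls in `../../../core/storage/volsync/component/` although this app's only persistence is the `talos` secret mount declared in app/hr.yaml, with no PVC; if that component templates backup objects against a volume, they would reference a claim that does not exist. Presumably the entry was carried over from another app's ks.yaml — confirm it is wanted, otherwise drop it so the Kustomization only contains what the agent needs.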
@@ -45,6 +45,24 @@ spec: # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json apiVersion: cilium.io/v2 kind: CiliumClusterwideNetworkPolicy +metadata: + name: labelled-allow-egress-host +spec: + endpointSelector: + matchLabels: + egress.home.arpa/talos: "allow" + egress: + - toEntities: + - host + - remote-node + toPorts: + - ports: + - port: "50000" + - port: "50001" +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json +apiVersion: cilium.io/v2 +kind: CiliumClusterwideNetworkPolicy metadata: name: labelled-allow-egress-world spec: diff --git a/kube/deploy/core/storage/minio-nas/app/hr.yaml b/kube/deploy/core/storage/minio-nas/app/hr.yaml index 4b9557e0..a84eab54 100644 --- a/kube/deploy/core/storage/minio-nas/app/hr.yaml +++ b/kube/deploy/core/storage/minio-nas/app/hr.yaml @@ -1,5 +1,5 @@ --- -apiVersion: helm.toolkit.fluxcd.io/v2beta2 +apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app minio-nas @@ -35,7 +35,7 @@ spec: env: TZ: "${CONFIG_TZ}" MINIO_VOLUMES: "/data" - MINIO_DOMAIN: &s3 "${APP_DNS_MINIO_NAS_S3}" + MINIO_DOMAIN: &s3 "${APP_DNS_MINIO_NAS_S3:=minio-nas}" MINIO_COMPRESSION_ENABLE: "on" MINIO_BROWSER_LOGIN_ANIMATION: "off" MINIO_BROWSER_REDIRECT: "false" @@ -52,7 +52,7 @@ spec: requests: cpu: "100m" limits: - cpu: "3000m" + cpu: "1" memory: "2Gi" ports: - name: s3 @@ -107,8 +107,8 @@ spec: controller: main type: LoadBalancer annotations: - coredns.io/hostname: "${APP_DNS_MINIO_NAS_S3}" - "io.cilium/lb-ipam-ips": "${APP_IP_MINIO_NAS_S3}" + coredns.io/hostname: "${APP_DNS_MINIO_NAS_S3:=minio-nas}" + "io.cilium/lb-ipam-ips": "${APP_IP_MINIO_NAS_S3:=127.0.0.1}" ports: http: port: 443 
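Review bot: The new `labelled-allow-egress-host` policy lists ports `"50000"` and `"50001"` without a `protocol`, and an omitted protocol in a Cilium `toPorts` entry matches any L4 protocol; the Talos API is TCP-only, so add `protocol: TCP` beside each port. Port 50001 is trustd, which a pod authenticating with a mounted Talos ServiceAccount talosconfig does not appear to need (apid on 50000 is what those credentials target) — confirm a consumer of `egress.home.arpa/talos` really uses it, otherwise drop it. Permitting `remote-node` in addition to `host` lets any labelled pod reach apid on every node rather than only its own; if all consumers are per-node agents like the new DaemonSet, `host` alone is the tighter rule.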
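Review bot: The fallback `"${APP_IP_MINIO_NAS_S3:=127.0.0.1}"` on the `io.cilium/lb-ipam-ips` annotation, and likewise `"${IP_TRUENAS:=127.0.0.1}:3260"` in the `@@ -144,8` hunk, turn a missing variable into a syntactically valid but wrong address, so a misconfigured overlay would surface as a Pending LoadBalancer or a failed iSCSI mount at runtime instead of failing at substitution time. Presumably these defaults exist so the manifests render in CI without the cluster's variable source; if so, a comment above the annotation such as `# defaults below are render-only placeholders, never valid endpoints` would record that, or pick a value that cannot be mistaken for a real endpoint. The `${APP_UID_MINIO_NAS:=1000}` default in the `@@ -170,7` hunk likewise silently selects UID 1000 and would change ownership under `fsGroup` if the variable were ever dropped.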
@@ -126,7 +126,7 @@ spec: proxy_ssl_name ${APP_DNS_MINIO_NAS_S3}; proxy_ssl_server_name on; hosts: - - host: &host "${APP_DNS_MINIO_NAS}" + - host: &host "${APP_DNS_MINIO_NAS:=minio-nas}" paths: &paths - path: / pathType: Prefix @@ -144,8 +144,8 @@ spec: type: "custom" volumeSpec: iscsi: - targetPortal: "${IP_TRUENAS}:3260" - iqn: "${CONFIG_TRUENAS_IQN}:minio" + targetPortal: "${IP_TRUENAS:=127.0.0.1}:3260" + iqn: "${CONFIG_TRUENAS_IQN:=truenas}:minio" lun: 0 fsType: "xfs" # MinIO recommendation globalMounts: @@ -170,7 +170,7 @@ spec: enableServiceLinks: false securityContext: runAsNonRoot: true - runAsUser: &uid ${APP_UID_MINIO_NAS} + runAsUser: &uid ${APP_UID_MINIO_NAS:=1000} runAsGroup: *uid fsGroup: *uid fsGroupChangePolicy: "Always"