feat(flux): localhost hostNetwork

2026-01-27 10:18:27 +00:00 · 2024-05-17 10:34:52 +08:00
parent 724a1deb2c
commit ad4d1c0220
1 changed files with 260 additions and 0 deletions
--- a/kube/clusters/biohazard/flux/flux-install-localhost.yaml
+++ b/kube/clusters/biohazard/flux/flux-install-localhost.yaml
@@ -0,0 +1,260 @@
+---
+# downloads and installs Flux manifests to cluster
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: flux-manifests
+  namespace: flux-system
+spec:
+  interval: 10m
+  url: oci://ghcr.io/fluxcd/flux-manifests
+  ref:
+    tag: v2.2.3
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: zzz-flux
+  # I don't wanna see it on the top lol
+  namespace: flux-system
+  labels:
+    kustomization.flux.home.arpa/name: "flux"
+    kustomization.flux.home.arpa/default: "false"
+    kustomization.flux.home.arpa/helmpatches: "false"
+spec:
+  interval: 10m
+  path: ./
+  prune: true
+  wait: true
+  sourceRef:
+    kind: OCIRepository
+    name: flux-manifests
+  patches:
+    # localhost stuff
+        #- op: add
+        #  path: /metadata/labels/pod-security.kubernetes.io\/enforce
+        #  value: "privileged"
+    - patch: |
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: flux-system
+          labels:
+            pod-security.kubernetes.io/enforce: privileged
+            pod-security.kubernetes.io/enforce-version: latest
+            pod-security.kubernetes.io/warn: privileged
+            pod-security.kubernetes.io/warn-version: latest
+            pod-security.kubernetes.io/audit: privileged
+            pod-security.kubernetes.io/audit-version: latest
+      target:
+        kind: Namespace
+        name: flux-system
+    - patch: |
+        - op: add
+          path: /spec/template/spec/hostNetwork
+          value: true
+        - op: remove
+          path: /spec/template/spec/containers/0/livenessProbe
+        - op: remove
+          path: /spec/template/spec/containers/0/readinessProbe
+        - op: remove
+          path: /spec/template/spec/containers/0/ports
+        - op: add
+          path: /spec/template/spec/containers/0/env/-
+          value:
+            name: SOURCE_CONTROLLER_LOCALHOST
+            value: 127.0.0.1:9790
+        - op: add
+          path: /spec/template/spec/containers/0/env/-
+          value:
+            name: POD_IP
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: status.podIP
+        - op: replace
+          path: /spec/template/spec/containers/0/args
+          value:
+            - --watch-all-namespaces=true
+            - --log-level=debug
+            - --log-encoding=json
+            - --enable-leader-election=false
+            - --metrics-addr=127.0.0.1:$(METRICS_PORT)
+            - --health-addr=127.0.0.1:$(HEALTH_PORT)
+      target:
+        kind: Deployment
+    - patch: |
+        - op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --storage-addr=127.0.0.1:9790
+        - op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --storage-path=/data
+        - op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --storage-adv-addr=127.0.0.1:9790
+        - op: add
+          path: /spec/template/spec/containers/0/env/-
+          value:
+            name: METRICS_PORT
+            value: "9791"
+        - op: add
+          path: /spec/template/spec/containers/0/env/-
+          value:
+            name: HEALTH_PORT
+            value: "9792"
+      target:
+        kind: Deployment
+        name: source-controller
+    - patch: |
+        - op: add
+          path: /spec/template/spec/containers/0/env/-
+          value:
+            name: METRICS_PORT
+            value: "9793"
+        - op: add
+          path: /spec/template/spec/containers/0/env/-
+          value:
+            name: HEALTH_PORT
+            value: "9794"
+      target:
+        kind: Deployment
+        name: kustomize-controller
+    - patch: |
+        - op: add
+          path: /spec/template/spec/containers/0/env/-
+          value:
+            name: METRICS_PORT
+            value: "9795"
+        - op: add
+          path: /spec/template/spec/containers/0/env/-
+          value:
+            name: HEALTH_PORT
+            value: "9796"
+      target:
+        kind: Deployment
+        name: helm-controller
+    - patch: |
+        - op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --events-addr=127.0.0.1:9690
+        - op: add
+          path: /spec/template/spec/containers/0/env/-
+          value:
+            name: METRICS_PORT
+            value: "9798"
+        - op: add
+          path: /spec/template/spec/containers/0/env/-
+          value:
+            name: HEALTH_PORT
+            value: "9799"
+      target:
+        kind: Deployment
+        name: notification-controller
+    # cgroups
+    - patch: |
+        - op: add
+          path: /spec/template/spec/containers/0/env/-
+          value:
+            name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                divisor: "0"
+                resource: limits.cpu
+      target:
+        kind: Deployment
+    - patch: |
+        - op: add
+          path: /spec/template/spec/containers/0/env/-
+          value:
+            name: GOMEMLIMIT
+            valueFrom:
+              resourceFieldRef:
+                divisor: "0"
+                resource: limits.memory
+      target:
+        kind: Deployment
+    # scheduling
+    - patch: |
+        - op: add
+          path: /spec/template/spec/tolerations
+          value:
+            - operator: Exists
+      target:
+        kind: Deployment
+    # Increase the number of reconciliations that can be performed in parallel and bump the resources limits
+    # https://fluxcd.io/flux/cheatsheets/bootstrap/#increase-the-number-of-workers
+    - patch: |
+        - op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --events-addr=http://127.0.0.1:9690/
+        - op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --concurrent=100
+        - op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --kube-api-qps=5000
+        - op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --kube-api-burst=10000
+        - op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --requeue-dependency=5s
+        - op: add
+          path: /spec/template/spec/volumes/0/emptyDir
+          value:
+            medium: Memory
+      target:
+        kind: Deployment
+        name: "(kustomize-controller|helm-controller|source-controller)"
+    - patch: |
+        apiVersion: apps/v1
+        kind: Deployment
+        metadata:
+          name: not-used
+        spec:
+          template:
+            spec:
+              containers:
+                - name: manager
+                  resources:
+                    limits:
+                      cpu: 2000m
+                      memory: 2Gi
+      target:
+        kind: Deployment
+        name: "(kustomize-controller|helm-controller|source-controller)"
+    # Enable Helm near OOM detection
+    # Enable drift detection for HelmReleases and set the log level to debug
+    # https://fluxcd.io/flux/cheatsheets/bootstrap/#enable-helm-near-oom-detection
+    - patch: |
+        - op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --feature-gates=OOMWatch=true,DetectDrift=true,CorrectDrift=false
+        - op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --oom-watch-memory-threshold=95
+        - op: add
+          path: /spec/template/spec/containers/0/args/-
+          value: --oom-watch-interval=500ms
+      target:
+        kind: Deployment
+        name: helm-controller
+    - patch: | # Reloader reloads Flux kustomize-controller to force re-envsubst with new values
+        - op: add
+          path: /metadata/annotations
+          value:
+            secret.reloader.stakater.com/reload: biohazard-vars,biohazard-secrets
+      target:
+        kind: Deployment
+        name: kustomize-controller
+    # delete image-* deployments
+    - patch: |
+        $patch: delete
+        apiVersion: apps/v1
+        kind: Deployment
+        metadata:
+          name: not-used
+      target:
+        kind: Deployment
+        labelSelector: app.kubernetes.io/component in (image-reflector-controller, image-automation-controller)