diff --git a/kube/clusters/biohazard/flux/flux-install-localhost.yaml b/kube/clusters/biohazard/flux/flux-install-localhost.yaml
new file mode 100644
index 00000000..c81b96d2
--- /dev/null
+++ b/kube/clusters/biohazard/flux/flux-install-localhost.yaml
@@ -0,0 +1,260 @@
+---
+# downloads and installs Flux manifests to cluster
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+ name: flux-manifests
+ namespace: flux-system
+spec:
+ interval: 10m
+ url: oci://ghcr.io/fluxcd/flux-manifests
+ ref:
+ tag: v2.2.3
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: zzz-flux
+ # I don't wanna see it on the top lol
+ namespace: flux-system
+ labels:
+ kustomization.flux.home.arpa/name: "flux"
+ kustomization.flux.home.arpa/default: "false"
+ kustomization.flux.home.arpa/helmpatches: "false"
+spec:
+ interval: 10m
+ path: ./
+ prune: true
+ wait: true
+ sourceRef:
+ kind: OCIRepository
+ name: flux-manifests
+ patches:
+ # localhost stuff
+ #- op: add
+ # path: /metadata/labels/pod-security.kubernetes.io\/enforce
+ # value: "privileged"
+ - patch: |
+ apiVersion: v1
+ kind: Namespace
+ metadata:
+ name: flux-system
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
+ pod-security.kubernetes.io/warn: privileged
+ pod-security.kubernetes.io/warn-version: latest
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/audit-version: latest
+ target:
+ kind: Namespace
+ name: flux-system
+ - patch: |
+ - op: add
+ path: /spec/template/spec/hostNetwork
+ value: true
+ - op: remove
+ path: /spec/template/spec/containers/0/livenessProbe
+ - op: remove
+ path: /spec/template/spec/containers/0/readinessProbe
+ - op: remove
+ path: /spec/template/spec/containers/0/ports
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: SOURCE_CONTROLLER_LOCALHOST
+ value: 127.0.0.1:9790
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: POD_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - op: replace
+ path: /spec/template/spec/containers/0/args
+ value:
+ - --watch-all-namespaces=true
+ - --log-level=debug
+ - --log-encoding=json
+ - --enable-leader-election=false
+ - --metrics-addr=127.0.0.1:$(METRICS_PORT)
+ - --health-addr=127.0.0.1:$(HEALTH_PORT)
+ target:
+ kind: Deployment
+ - patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --storage-addr=127.0.0.1:9790
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --storage-path=/data
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --storage-adv-addr=127.0.0.1:9790
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: METRICS_PORT
+ value: "9791"
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: HEALTH_PORT
+ value: "9792"
+ target:
+ kind: Deployment
+ name: source-controller
+ - patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: METRICS_PORT
+ value: "9793"
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: HEALTH_PORT
+ value: "9794"
+ target:
+ kind: Deployment
+ name: kustomize-controller
+ - patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: METRICS_PORT
+ value: "9795"
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: HEALTH_PORT
+ value: "9796"
+ target:
+ kind: Deployment
+ name: helm-controller
+ - patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --events-addr=127.0.0.1:9690
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: METRICS_PORT
+ value: "9798"
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: HEALTH_PORT
+ value: "9799"
+ target:
+ kind: Deployment
+ name: notification-controller
+ # cgroups
+ - patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: GOMAXPROCS
+ valueFrom:
+ resourceFieldRef:
+ divisor: "0"
+ resource: limits.cpu
+ target:
+ kind: Deployment
+ - patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/env/-
+ value:
+ name: GOMEMLIMIT
+ valueFrom:
+ resourceFieldRef:
+ divisor: "0"
+ resource: limits.memory
+ target:
+ kind: Deployment
+ # scheduling
+ - patch: |
+ - op: add
+ path: /spec/template/spec/tolerations
+ value:
+ - operator: Exists
+ target:
+ kind: Deployment
+ # Increase the number of reconciliations that can be performed in parallel and bump the resources limits
+ # https://fluxcd.io/flux/cheatsheets/bootstrap/#increase-the-number-of-workers
+ - patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --events-addr=http://127.0.0.1:9690/
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --concurrent=100
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --kube-api-qps=5000
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --kube-api-burst=10000
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --requeue-dependency=5s
+ - op: add
+ path: /spec/template/spec/volumes/0/emptyDir
+ value:
+ medium: Memory
+ target:
+ kind: Deployment
+ name: "(kustomize-controller|helm-controller|source-controller)"
+ - patch: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: not-used
+ spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 2Gi
+ target:
+ kind: Deployment
+ name: "(kustomize-controller|helm-controller|source-controller)"
+ # Enable Helm near OOM detection
+ # Enable drift detection for HelmReleases and set the log level to debug
+ # https://fluxcd.io/flux/cheatsheets/bootstrap/#enable-helm-near-oom-detection
+ - patch: |
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --feature-gates=OOMWatch=true,DetectDrift=true,CorrectDrift=false
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --oom-watch-memory-threshold=95
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: --oom-watch-interval=500ms
+ target:
+ kind: Deployment
+ name: helm-controller
+ - patch: | # Reloader reloads Flux kustomize-controller to force re-envsubst with new values
+ - op: add
+ path: /metadata/annotations
+ value:
+ secret.reloader.stakater.com/reload: biohazard-vars,biohazard-secrets
+ target:
+ kind: Deployment
+ name: kustomize-controller
+ # delete image-* deployments
+ - patch: |
+ $patch: delete
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: not-used
+ target:
+ kind: Deployment
+ labelSelector: app.kubernetes.io/component in (image-reflector-controller, image-automation-controller)
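Review bot: The `flux-manifests` OCIRepository at the top of the hunk pulls the manifests that install the cluster's GitOps controllers (with their cluster-wide RBAC) from ghcr.io by a mutable tag (`tag: v2.2.3`) and has no `spec.verify`, so a tampered or re-pushed artifact would be applied with `prune: true` and no integrity check. Flux publishes cosign signatures for its release artifacts as far as I know, so adding `verify:` / `provider: cosign` under `spec` (optionally with `matchOIDCIdentity` pinning the expected issuer and subject), or pinning `ref` to a digest instead of a tag, would close that gap with no operational cost. Separately, the unnamed Deployment patch puts every controller on `hostNetwork: true` and the Namespace patch relaxes flux-system to PSA `privileged`; since source-controller's artifact storage (`--storage-addr=127.0.0.1:9790`) and notification-controller's event receiver (`--events-addr=127.0.0.1:9690`) are unauthenticated HTTP, anything with node-local network access (host processes, other hostNetwork pods) can read fetched sources or inject events, and the NetworkPolicies Flux ships will not cover host-network pods. That is presumably an accepted trade-off for a single-node localhost cluster, but a comment such as `# localhost only: hostNetwork + privileged PSA bypass Flux's NetworkPolicies; do not reuse for shared clusters` next to `# localhost stuff` would keep this file from being copied elsewhere.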