diff --git a/bootstrap/templates/kubernetes/apps/openebs-system/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/apps/openebs-system/kustomization.yaml.j2 deleted file mode 100644 index 9cd8d4e4..00000000 --- a/bootstrap/templates/kubernetes/apps/openebs-system/kustomization.yaml.j2 +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./openebs/ks.yaml diff --git a/bootstrap/templates/kubernetes/apps/openebs-system/namespace.yaml.j2 b/bootstrap/templates/kubernetes/apps/openebs-system/namespace.yaml.j2 deleted file mode 100644 index f173c6c9..00000000 --- a/bootstrap/templates/kubernetes/apps/openebs-system/namespace.yaml.j2 +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: openebs-system - labels: - kustomize.toolkit.fluxcd.io/prune: disabled diff --git a/bootstrap/templates/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml.j2 deleted file mode 100644 index bf0afcd1..00000000 --- a/bootstrap/templates/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml.j2 +++ /dev/null @@ -1,36 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - name: openebs -spec: - interval: 30m - chart: - spec: - chart: openebs - version: 3.10.0 - sourceRef: - kind: HelmRepository - name: openebs - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - uninstall: - keepHistory: false - values: - ndm: - enabled: false - localprovisioner: - enabled: true - deviceClass: - enabled: false - hostpathClass: - enabled: true - name: openebs-hostpath - isDefaultClass: false - basePath: /var/openebs/local 
diff --git a/bootstrap/templates/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml.j2 deleted file mode 100644 index 5dd7baca..00000000 --- a/bootstrap/templates/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml.j2 +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml diff --git a/bootstrap/templates/kubernetes/apps/openebs-system/openebs/ks.yaml.j2 b/bootstrap/templates/kubernetes/apps/openebs-system/openebs/ks.yaml.j2 deleted file mode 100644 index 170feca9..00000000 --- a/bootstrap/templates/kubernetes/apps/openebs-system/openebs/ks.yaml.j2 +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app openebs - namespace: flux-system -spec: - targetNamespace: openebs-system - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/openebs-system/openebs/app - prune: true - sourceRef: - kind: GitRepository - name: home-kubernetes - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml.j2 index 64528822..a28b8ed8 100644 --- a/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml.j2 @@ -8,7 +8,7 @@ spec: chart: spec: chart: app-template - version: 2.6.0 + version: 3.1.0 sourceRef: kind: HelmRepository name: bjw-s 
@@ -20,14 +20,12 @@ spec: cleanupOnFail: true remediation: retries: 3 - uninstall: - keepHistory: false values: controllers: - main: + system-upgrade-controller: strategy: RollingUpdate containers: - main: + app: image: repository: docker.io/rancher/system-upgrade-controller tag: v0.13.4 @@ -50,35 +48,31 @@ spec: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: { drop: ["ALL"] } - seccompProfile: - type: RuntimeDefault - pod: - securityContext: - runAsUser: 65534 - runAsGroup: 65534 - runAsNonRoot: true - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - key: node-role.kubernetes.io/control-plane - operator: Exists - effect: NoSchedule - - key: node-role.kubernetes.io/master - operator: Exists - effect: NoSchedule + defaultPodOptions: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + seccompProfile: { type: RuntimeDefault } + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: Exists + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule serviceAccount: create: true name: system-upgrade - service: - main: - enabled: false persistence: tmp: type: emptyDir diff --git a/bootstrap/templates/kubernetes/bootstrap/talos/.mjfilter.py b/bootstrap/templates/kubernetes/bootstrap/talos/.mjfilter.py deleted file mode 100644 index 3ace63df..00000000 --- a/bootstrap/templates/kubernetes/bootstrap/talos/.mjfilter.py +++ /dev/null @@ -1 +0,0 @@ -main = lambda data: data.get("bootstrap_distribution", "k3s") in ["talos"] 
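Review bot: The image under the renamed `app` container still uses a floating tag, `tag: v0.13.4` (context line in the second hunk here), while the prowlarr HelmRelease in this same commit pins its image by digest; for a controller that is scheduled onto control-plane nodes with `CriticalAddonsOnly` tolerations and applies upgrade plans cluster-wide, a mutable tag is the weaker choice, so pin it the same way, `tag: v0.13.4@sha256:<digest-for-v0.13.4>` (digest placeholder, take it from the registry). Moving `seccompProfile` from the container to `defaultPodOptions.securityContext` is equivalent only as long as `app` stays the sole container in the pod, which the visible values suggest but the hunk does not prove. The removal of `uninstall.keepHistory: false` in the first hunk and of the `service.main.enabled: false` stanza in the second appear to rely on Flux and chart defaults; a one-line comment such as `# uninstall.keepHistory and service are left at chart/Flux defaults` would tell the next reader this was deliberate. The enclosing `spec.values` mapping starts and ends outside these hunks.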
diff --git a/bootstrap/templates/kubernetes/bootstrap/talos/apps/cilium-values.yaml.j2 b/bootstrap/templates/kubernetes/bootstrap/talos/apps/cilium-values.yaml.j2 deleted file mode 100644 index ecaa0917..00000000 --- a/bootstrap/templates/kubernetes/bootstrap/talos/apps/cilium-values.yaml.j2 +++ /dev/null @@ -1,4 +0,0 @@ ---- -#% filter indent(width=0, first=True) %# -#% include 'partials/cilium-values-init.partial.yaml.j2' %# -#% endfilter %# diff --git a/bootstrap/templates/kubernetes/bootstrap/talos/apps/helmfile.yaml.j2 b/bootstrap/templates/kubernetes/bootstrap/talos/apps/helmfile.yaml.j2 deleted file mode 100644 index bea96763..00000000 --- a/bootstrap/templates/kubernetes/bootstrap/talos/apps/helmfile.yaml.j2 +++ /dev/null @@ -1,22 +0,0 @@ ---- -repositories: - - name: cilium - url: https://helm.cilium.io - - name: postfinance - url: https://postfinance.github.io/kubelet-csr-approver - -releases: - - name: cilium - namespace: kube-system - chart: cilium/cilium - version: 1.15.1 - wait: true - values: - - ./cilium-values.yaml - - name: kubelet-csr-approver - namespace: kube-system - chart: postfinance/kubelet-csr-approver - version: 1.0.7 - wait: true - values: - - ./kubelet-csr-approver-values.yaml diff --git a/bootstrap/templates/kubernetes/bootstrap/talos/apps/kubelet-csr-approver-values.yaml.j2 b/bootstrap/templates/kubernetes/bootstrap/talos/apps/kubelet-csr-approver-values.yaml.j2 deleted file mode 100644 index d63b9845..00000000 --- a/bootstrap/templates/kubernetes/bootstrap/talos/apps/kubelet-csr-approver-values.yaml.j2 +++ /dev/null @@ -1,4 +0,0 @@ ---- -#% filter indent(width=0, first=True) %# -#% include 'partials/kubelet-csr-approver-values.partial.yaml.j2' %# -#% endfilter %# diff --git a/bootstrap/templates/kubernetes/bootstrap/talos/talconfig.yaml.j2 b/bootstrap/templates/kubernetes/bootstrap/talos/talconfig.yaml.j2 deleted file mode 100644 index c8774cea..00000000 
--- a/bootstrap/templates/kubernetes/bootstrap/talos/talconfig.yaml.j2 +++ /dev/null 
@@ -1,244 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/budimanjojo/talhelper/master/pkg/config/schemas/talconfig.json ---- -# renovate: datasource=docker depName=ghcr.io/siderolabs/installer -talosVersion: v1.6.7 -# renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet -kubernetesVersion: v1.29.3 - -clusterName: &cluster home-kubernetes -endpoint: https://#{ bootstrap_controllers_vip }#:6443 -clusterPodNets: - - "#{ bootstrap_pod_network.split(',')[0] }#" -clusterSvcNets: - - "#{ bootstrap_service_network.split(',')[0] }#" -additionalApiServerCertSans: &sans - - "#{ bootstrap_controllers_vip }#" - - 127.0.0.1 # KubePrism - #% for item in bootstrap_tls_sans %# - - "#{ item }#" - #% endfor %# -additionalMachineCertSans: *sans -cniConfig: - name: none - -nodes: - #% for item in bootstrap_node_inventory %# - - hostname: "#{ item.name }#" - ipAddress: "#{ item.address }#" - #% if item.talos_disk.startswith('/') %# - installDisk: "#{ item.talos_disk }#" - #% else %# - installDiskSelector: - serial: "#{ item.talos_disk }#" - #% endif %# - #% if bootstrap_talos.secureboot.enabled %# - machineSpec: - secureboot: true - talosImageURL: factory.talos.dev/installer-secureboot/#{ bootstrap_talos.schematic_id }# - #% else %# - talosImageURL: factory.talos.dev/installer/#{ bootstrap_talos.schematic_id }# - #% endif %# - controlPlane: #{ (item.controller) | string | lower }# - networkInterfaces: - - interface: eth0 - dhcp: false - #% if bootstrap_talos.vlan %# - vlans: - - vlanId: #{ bootstrap_talos.vlan }# - addresses: - - "#{ item.address }#/#{ bootstrap_node_network.split('/') | last }#" - mtu: 1500 - routes: - - network: 0.0.0.0/0 - #% if bootstrap_node_default_gateway %# - gateway: "#{ bootstrap_node_default_gateway }#" - #% else %# - gateway: "#{ bootstrap_node_network | nthhost(1) }#" - #% endif %# - #% if item.controller %# - vip: - ip: "#{ bootstrap_controllers_vip }#" - #% endif %# - #% else %# - addresses: - - "#{ item.address }#/#{ 
bootstrap_node_network.split('/') | last }#" - mtu: 1500 - routes: - - network: 0.0.0.0/0 - #% if bootstrap_node_default_gateway %# - gateway: "#{ bootstrap_node_default_gateway }#" - #% else %# - gateway: "#{ bootstrap_node_network | nthhost(1) }#" - #% endif %# - #% if item.controller %# - vip: - ip: "#{ bootstrap_controllers_vip }#" - #% endif %# - #% endif %# - #% if bootstrap_talos.user_patches %# - patches: - - "@./patches/node_#{ item.name }#.yaml" - #% endif %# - #% endfor %# - -patches: - # Configure containerd - - |- - machine: - files: - - op: create - path: /etc/cri/conf.d/20-customization.part - content: |- - [plugins."io.containerd.grpc.v1.cri"] - enable_unprivileged_ports = true - enable_unprivileged_icmp = true - [plugins."io.containerd.grpc.v1.cri".containerd] - discard_unpacked_layers = false - [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] - discard_unpacked_layers = false - - # Disable search domain everywhere - - |- - machine: - network: - disableSearchDomain: true - - # Enable cluster discovery - - |- - cluster: - discovery: - registries: - kubernetes: - disabled: false - service: - disabled: false - - # Configure kubelet - - |- - machine: - kubelet: - extraArgs: - image-gc-low-threshold: 50 - image-gc-high-threshold: 55 - rotate-server-certificates: true - nodeIP: - validSubnets: - - "#{ bootstrap_node_network }#" - - # Force nameserver - - |- - machine: - network: - nameservers: - #% for item in bootstrap_dns_servers | default(['1.1.1.1', '1.0.0.1']) %# - - #{ item }# - #% endfor %# - - # Configure NTP - - |- - machine: - time: - disabled: false - servers: - - time.cloudflare.com - - # Custom sysctl settings - - |- - machine: - sysctls: - fs.inotify.max_queued_events: 65536 - fs.inotify.max_user_watches: 524288 - fs.inotify.max_user_instances: 8192 - - # Mount openebs-hostpath in kubelet - - |- - machine: - kubelet: - extraMounts: - - destination: /var/openebs/local - type: bind - source: /var/openebs/local - options: - - 
bind - - rshared - - rw - - # Disable predictable NIC naming - - |- - machine: - install: - extraKernelArgs: - - net.ifnames=0 - - #% if bootstrap_talos.secureboot.enabled and bootstrap_talos.secureboot.encrypt_disk_with_tpm %# - # Encrypt system disk with TPM - - |- - machine: - systemDiskEncryption: - ephemeral: - provider: luks2 - keys: - - slot: 0 - tpm: {} - state: - provider: luks2 - keys: - - slot: 0 - tpm: {} - #% endif %# - #% if bootstrap_talos.user_patches %# - # User specified global patches - - "@./patches/global.yaml" - #% endif %# - -controlPlane: - patches: - # Cluster configuration - - |- - cluster: - allowSchedulingOnMasters: true - controllerManager: - extraArgs: - bind-address: 0.0.0.0 - proxy: - disabled: true - scheduler: - extraArgs: - bind-address: 0.0.0.0 - - # ETCD configuration - - |- - cluster: - etcd: - extraArgs: - listen-metrics-urls: http://0.0.0.0:2381 - advertisedSubnets: - - "#{ bootstrap_node_network }#" - - # Disable default API server admission plugins. - - |- - - op: remove - path: /cluster/apiServer/admissionControl - - # Enable K8s Talos API Access - - |- - machine: - features: - kubernetesTalosAPIAccess: - enabled: true - allowedRoles: - - os:admin - allowedKubernetesNamespaces: - - system-upgrade - - #% if bootstrap_talos.user_patches %# - # User specified controlPlane patches - - "@./patches/controlPlane.yaml" - #% endif %# - -#% if ((bootstrap_talos.user_patches) and (bootstrap_node_inventory | selectattr('controller', 'equalto', False) | list | length)) %# -worker: - patches: - # User specified worker patches - - "@./patches/worker.yaml" -#% endif %# diff --git a/kubernetes/apps/media/prowlarr/app/helmrelease.yaml b/kubernetes/apps/media/prowlarr/app/helmrelease.yaml index 9f4cb0a2..14eb9554 100644 --- a/kubernetes/apps/media/prowlarr/app/helmrelease.yaml +++ b/kubernetes/apps/media/prowlarr/app/helmrelease.yaml 
@@ -9,8 +9,10 @@ spec: interval: 30m chart: spec: + # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 3.1.0 + interval: 30m sourceRef: kind: HelmRepository name: bjw-s @@ -28,35 +30,46 @@ spec: prowlarr: annotations: reloader.stakater.com/auto: "true" + pod: + securityContext: + runAsUser: 2000 + runAsGroup: 2000 + runAsNonRoot: true + fsGroup: 2000 + fsGroupChangePolicy: OnRootMismatch containers: app: image: - repository: ghcr.io/onedr0p/prowlarr-develop - tag: 1.17.0.4448 + repository: ghcr.io/onedr0p/prowlarr-nightly + tag: 1.17.2.4498@sha256:2d2eae4f357d22ffeb8b41e57d09879481528438a4b6a22097def8e6b8921c73 env: PROWLARR__INSTANCE_NAME: Prowlarr - PROWLARR__PORT: &port 80 + PROWLARR__PORT: &port 9696 PROWLARR__LOG_LEVEL: info PROWLARR__THEME: dark + PROWLARR__ANALYTICS_ENABLED: "False" TZ: "${TIMEZONE}" probes: - liveness: &probes + liveness: + enabled: true + readiness: + enabled: true + startup: enabled: true - custom: true spec: - httpGet: - path: /ping - port: *port - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - readiness: *probes + failureThreshold: 30 + periodSeconds: 5 resources: requests: cpu: 10m limits: memory: 1Gi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL service: app: controller: prowlarr @@ -79,6 +92,7 @@ spec: - *host persistence: config: + enabled: true type: emptyDir tmp: type: emptyDir
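Review bot: The second hunk replaces the explicit `httpGet` check on `/ping` with `enabled: true` for liveness and readiness, which presumably falls back to the chart's default probe (a TCP check on the service port, if app-template behaves as I recall), so a process that has a listening socket but is wedged at the HTTP layer would no longer be restarted; the previous application-level check is worth keeping, now against the new `&port 9696`. The change of port from 80 to 9696 is consistent with the added `runAsNonRoot`/`capabilities.drop: [ALL]` (binding 80 would no longer be possible), and the digest-pinned `prowlarr-nightly` tag is an improvement over the floating `prowlarr-develop` tag. Note that `persistence.config` remains `emptyDir` (only `enabled: true` is added in the last hunk), so Prowlarr's generated API key and any stored indexer credentials are discarded on every pod restart; if that is intended, a short comment there would save a future reader from "fixing" it. The `spec.values` mapping continues outside the hunks.
```yaml
        probes:
          liveness: &probes
            enabled: true
            custom: true
            spec:
              httpGet:
                path: /ping
                port: *port
          readiness: *probes
          startup:
            enabled: true
            spec:
              failureThreshold: 30
              periodSeconds: 5
        # … unchanged: resources, securityContext …
```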