feat: overhaul

kubernetes/bootstrap/apps/helmfile.yaml

@@ -0,0 +1,56 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/helmfile
+
+# renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
+kubeVersion: v1.32.0
+
+helmDefaults:
+  force: true
+  recreatePods: true
+  timeout: 600
+  wait: true
+  waitForJobs: true
+
+repositories:
+  - name: cilium
+    url: https://helm.cilium.io
+
+  - name: coredns
+    url: https://coredns.github.io/helm
+
+  - name: postfinance
+    url: https://postfinance.github.io/kubelet-csr-approver
+
+releases:
+  - name: kube-prometheus-stack-crds
+    namespace: observability
+    chart: oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds
+    version: 17.0.2
+
+  - name: cilium
+    namespace: kube-system
+    chart: cilium/cilium
+    version: 1.16.5
+    values: ["../../apps/kube-system/cilium/app/helm-values.yaml"]
+    needs: ["observability/kube-prometheus-stack-crds"]
+
+  - name: coredns
+    namespace: kube-system
+    chart: coredns/coredns
+    version: 1.37.0
+    values: ["../../apps/kube-system/coredns/app/helm-values.yaml"]
+    needs: ["kube-system/cilium"]
+
+  - name: kubelet-csr-approver
+    namespace: kube-system
+    chart: postfinance/kubelet-csr-approver
+    version: 1.2.4
+    values: ["../../apps/kube-system/kubelet-csr-approver/app/helm-values.yaml"]
+    needs: ["kube-system/coredns"]
+
+  - name: spegel
+    namespace: kube-system
+    chart: oci://ghcr.io/spegel-org/helm-charts/spegel
+    version: v0.0.28
+    values: ["../../apps/kube-system/spegel/app/helm-values.yaml"]
+    needs: ["kube-system/kubelet-csr-approver"]

kubernetes/bootstrap/cilium/kustomization.yaml

@@ -1,15 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-helmCharts:
-  - name: cilium
-    repo: https://helm.cilium.io/
-    version: 1.16.5
-    releaseName: cilium
-    namespace: kube-system
-    valuesFile: values.yaml
-commonAnnotations:
-  meta.helm.sh/release-name: cilium
-  meta.helm.sh/release-namespace: kube-system
-commonLabels:
-  app.kubernetes.io/managed-by: Helm

kubernetes/bootstrap/cilium/values.yaml

@@ -1,48 +0,0 @@
----
-autoDirectNodeRoutes: true
-bgp:
-  announce:
-    loadbalancerIP: true
-  enabled: false
-containerRuntime:
-  integration: containerd
-endpointRoutes:
-  enabled: true
-hubble:
-  enabled: false
-ipam:
-  mode: kubernetes
-ipv4NativeRoutingCIDR: 10.69.0.0/16
-k8sServiceHost: localhost
-k8sServicePort: 7445
-kubeProxyReplacement: strict
-loadBalancer:
-  algorithm: maglev
-  mode: dsr
-localRedirectPolicy: true
-operator:
-  rollOutPods: true
-rollOutCiliumPods: true
-securityContext:
-  capabilities:
-    ciliumAgent:
-      - CHOWN
-      - KILL
-      - NET_ADMIN
-      - NET_RAW
-      - IPC_LOCK
-      - SYS_ADMIN
-      - SYS_RESOURCE
-      - DAC_OVERRIDE
-      - FOWNER
-      - SETGID
-      - SETUID
-    cleanCiliumState:
-      - NET_ADMIN
-      - SYS_ADMIN
-      - SYS_RESOURCE
-    cgroup:
-      autoMount:
-        enabled: false
-      hostRoot: /sys/fs/cgroup
-tunnel: disabled

kubernetes/bootstrap/flux/kustomization.yaml

@@ -1,17 +1,61 @@
+# IMPORTANT: This file is not tracked by flux and should never be. Its
+# purpose is to only install the Flux components and CRDs into your cluster.
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - github.com/fluxcd/flux2/manifests/install?ref=v2.4.0
 patches:
-  - target:
-      group: networking.k8s.io
-      version: v1
-      kind: NetworkPolicy
-    patch: |
+  # Remove the default network policies
+  - patch: |-
       $patch: delete
       apiVersion: networking.k8s.io/v1
       kind: NetworkPolicy
       metadata:
         name: not-used
+    target:
+      group: networking.k8s.io
+      kind: NetworkPolicy
+  # Resources renamed to match those installed by oci://ghcr.io/fluxcd/flux-manifests
+  - target:
+      kind: ResourceQuota
+      name: critical-pods
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: critical-pods-flux-system
+  - target:
+      kind: ClusterRoleBinding
+      name: cluster-reconciler
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: cluster-reconciler-flux-system
+  - target:
+      kind: ClusterRoleBinding
+      name: crd-controller
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: crd-controller-flux-system
+  - target:
+      kind: ClusterRole
+      name: crd-controller
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: crd-controller-flux-system
+  - target:
+      kind: ClusterRole
+      name: flux-edit
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: flux-edit-flux-system
+  - target:
+      kind: ClusterRole
+      name: flux-view
+    patch: |
+      - op: replace
+        path: /metadata/name
+        value: flux-view-flux-system

kubernetes/bootstrap/kubelet-csr-approver/kustomization.yaml

@@ -1,18 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: kube-system
-helmCharts:
-  - name: kubelet-csr-approver
-    repo: https://postfinance.github.io/kubelet-csr-approver
-    version: 1.2.4
-    releaseName: kubelet-csr-approver
-    namespace: kube-system
-    valuesInline:
-      providerRegex: |
-        ^talos-node-[1-9]$
-commonAnnotations:
-  meta.helm.sh/release-name: kubelet-csr-approver
-  meta.helm.sh/release-namespace: kube-system
-commonLabels:
-  app.kubernetes.io/managed-by: Helm