new talos cluster

This commit is contained in:
auricom
2022-11-19 04:47:32 +01:00
parent 42346bd99b
commit 4ac38f95e9
548 changed files with 1642 additions and 2331 deletions


@@ -0,0 +1,121 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns-nodecache-primary
namespace: default
data:
Corefile: |
cluster.local:53 {
errors
cache {
success 9984 30
denial 9984 5
prefetch 3 60s 15%
}
reload
loop
bind 169.254.20.10 # Set your cluster dns to this
nodecache skipteardown
template IN AAAA {
rcode NOERROR
}
forward . 10.96.0.10 { # Kube-DNS IP
force_tcp
}
prometheus :9253
health 169.254.20.10:8080
}
in-addr.arpa:53 {
errors
cache 120
reload
loop
bind 169.254.20.10
nodecache skipteardown
template IN AAAA {
rcode NOERROR
}
forward . /etc/resolv.conf {
force_tcp
}
prometheus :9253
}
.:53 {
errors
cache {
success 9984 86400
denial 9984 300
prefetch 3 60s 15%
}
reload
loop
bind 169.254.20.10
nodecache skipteardown
template IN AAAA {
rcode NOERROR
}
forward . /etc/resolv.conf {
force_tcp
}
prometheus :9253
}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns-nodecache-secondary
namespace: default
data:
Corefile: |
cluster.local:53 {
errors
cache {
success 9984 30
denial 9984 5
prefetch 3 60s 15%
}
reload
loop
bind 169.254.20.10 # Set your cluster dns to this
template IN AAAA {
rcode NOERROR
}
forward . 10.96.0.10 { # Kube-DNS IP
force_tcp
}
prometheus :9254
health 169.254.20.10:8082
}
in-addr.arpa:53 {
errors
cache 120
reload
loop
bind 169.254.20.10
template IN AAAA {
rcode NOERROR
}
forward . /etc/resolv.conf {
force_tcp
}
prometheus :9254
}
.:53 {
errors
cache {
success 9984 86400
denial 9984 300
prefetch 3 60s 15%
}
reload
loop
bind 169.254.20.10
template IN AAAA {
rcode NOERROR
}
forward . /etc/resolv.conf {
force_tcp
}
prometheus :9254
}
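Review bot: Both ConfigMaps are created in `namespace: default` (the `coredns-nodecache-primary` and `coredns-nodecache-secondary` metadata), but the DaemonSets that mount them through `configMap: name: coredns-nodecache-primary` / `-secondary` live in `kube-system`, and a configMap volume is always resolved in the pod's own namespace, so those pods would sit in ContainerCreating with a FailedMount "configmap not found" event. Change both to `namespace: kube-system` so they agree with the DaemonSets and the ServiceAccount added in this commit. The top-level kustomization still has the coredns-nodecache entry commented out, so this is probably not live yet, but it will fail the moment it is enabled. The `bind 169.254.20.10` and `forward . 10.96.0.10` values are hard-coded and only explained by terse trailing comments; a short header comment in the Corefile stating that the bind address must equal the kubelet's clusterDNS setting and the forward target must equal the kube-dns Service IP would help the next maintainer.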


@@ -0,0 +1,147 @@
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: coredns-nodecache-primary
namespace: kube-system
labels:
k8s-app: coredns-nodecache
kubernetes.io/cluster-service: "true"
spec:
updateStrategy:
rollingUpdate:
maxUnavailable: 10%
selector:
matchLabels:
k8s-app: coredns-nodecache
template:
metadata:
labels:
k8s-app: coredns-nodecache
spec:
priorityClassName: system-node-critical
serviceAccountName: coredns-nodecache
hostNetwork: true
dnsPolicy: Default
tolerations:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
operator: Exists
containers:
- name: coredns-nodecache
image: contentful/coredns-nodecache:latest
resources:
limits:
memory: 50Mi
requests:
cpu: 25m
memory: 5Mi
args:
- -conf
- /etc/coredns/Corefile
securityContext:
privileged: true
ports:
- containerPort: 53
name: dns
protocol: UDP
- containerPort: 53
name: dns-tcp
protocol: TCP
- containerPort: 9253
name: metrics
protocol: TCP
livenessProbe:
httpGet:
host: 169.254.20.10
path: /health
port: 8080
initialDelaySeconds: 60
timeoutSeconds: 5
volumeMounts:
- mountPath: /run/xtables.lock
name: xtables-lock
readOnly: false
- name: config-volume
mountPath: /etc/coredns
volumes:
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
- name: config-volume
configMap:
name: coredns-nodecache-primary
items:
- key: Corefile
path: Corefile
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: coredns-nodecache-secondary
namespace: kube-system
labels:
k8s-app: coredns-nodecache
kubernetes.io/cluster-service: "true"
spec:
updateStrategy:
rollingUpdate:
maxUnavailable: 10%
selector:
matchLabels:
k8s-app: coredns-nodecache
template:
metadata:
labels:
k8s-app: coredns-nodecache
spec:
priorityClassName: system-node-critical
serviceAccountName: coredns-nodecache
hostNetwork: true
dnsPolicy: Default
tolerations:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
containers:
- name: coredns-nodecache
image: contentful/coredns-nodecache:latest
resources:
limits:
memory: 50Mi
requests:
cpu: 25m
memory: 5Mi
args:
- -conf
- /etc/coredns/Corefile
securityContext:
privileged: true
ports:
- containerPort: 9254
name: metrics
protocol: TCP
livenessProbe:
httpGet:
host: 169.254.20.10
path: /health
port: 8082
initialDelaySeconds: 60
timeoutSeconds: 5
volumeMounts:
- mountPath: /run/xtables.lock
name: xtables-lock
readOnly: false
- name: config-volume
mountPath: /etc/coredns
volumes:
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
- name: config-volume
configMap:
name: coredns-nodecache-secondary
items:
- key: Corefile
path: Corefile
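Review bot: Both DaemonSets run `image: contentful/coredns-nodecache:latest` with `privileged: true` and `hostNetwork: true`, so an unpinned mutable tag is pulled straight into the most powerful pod context on every node; every other workload in this commit pins a version or a digest (the kopia and intel-gpu-exporter images, for example), so this should at least become `contentful/coredns-nodecache:<version>@sha256:<digest>` (placeholder — take the digest from the registry). Full privilege is more than the node-cache pattern appears to need: it binds a link-local address and manages iptables rules, which is normally covered by `capabilities: add: [NET_ADMIN]` together with the existing `/run/xtables.lock` mount, so consider dropping `privileged: true` in favour of that capability after confirming against the image's documentation. The secondary DaemonSet's control-plane toleration omits the `operator: Exists` the primary has; both match a value-less control-plane taint, but the two should be written identically so the difference is not mistaken for intent.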


@@ -0,0 +1,7 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- service-account.yaml
- configmap.yaml
- daemonset.yaml


@@ -0,0 +1,8 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: coredns-nodecache
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"


@@ -0,0 +1,103 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app descheduler
namespace: default
spec:
interval: 15m
chart:
spec:
chart: *app
version: 0.25.2
sourceRef:
kind: HelmRepository
name: descheduler
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
kind: Deployment
replicas: 1
leaderElection:
enabled: true
leaseDuration: 15s
renewDeadline: 10s
retryPeriod: 2s
resourceLock: "leases"
resourceName: "descheduler"
resourceNamescape: "kube-system"
deschedulerPolicy:
strategies:
RemoveDuplicates:
enabled: true
RemovePodsViolatingNodeTaints:
enabled: true
RemovePodsViolatingNodeAffinity:
enabled: true
params:
nodeAffinityType:
- requiredDuringSchedulingIgnoredDuringExecution
RemovePodsViolatingTopologySpreadConstraint:
enabled: true
params:
includeSoftConstraints: true
RemovePodsViolatingInterPodAntiAffinity:
enabled: true
params:
nodeFit: true
LowNodeUtilization:
enabled: true
params:
nodeResourceUtilizationThresholds:
thresholds:
cpu: 40
memory: 40
pods: 40
targetThresholds:
cpu: 80
memory: 80
pods: 70
RemoveFailedPods:
enabled: true
params:
failedPods:
includingInitContainers: true
excludeOwnerKinds:
- "Job"
minPodLifetimeSeconds: 3600
RemovePodsHavingTooManyRestarts:
enabled: true
params:
podsHavingTooManyRestarts:
podRestartThreshold: 100
includingInitContainers: true
service:
enabled: true
serviceMonitor:
enabled: true
podAnnotations:
configmap.reloader.stakater.com/reload: *app
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values: [*app]
topologyKey: kubernetes.io/hostname
resources:
requests:
cpu: 15m
memory: 105Mi
limits:
cpu: 100m
memory: 512Mi
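Review bot: `resourceNamescape: "kube-system"` under `leaderElection` reads as a typo of `resourceNamespace`, and a misspelled Helm value is silently ignored rather than rejected, so the lease would fall back to the chart default namespace. As far as I recall the upstream descheduler chart's own values.yaml carries this same misspelling and its template reads that key, in which case renaming it here would actually break leader election; verify against the chart template for `version: 0.25.2` and, either way, add `# spelling matches the chart's values.yaml key, do not "fix"` (or the corrected key) so the next reader does not change it blindly. `replicas: 1` together with `leaderElection.enabled: true` is harmless but the lease does nothing with a single replica; a one-line comment on why both are set would save a future reviewer from flagging it.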


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml


@@ -0,0 +1,68 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app intel-gpu-exporter
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: intel-gpu-plugin
namespace: default
values:
controller:
type: daemonset
image:
repository: ghcr.io/onedr0p/intel-gpu-exporter
tag: rolling@sha256:1c84020b442e0f95e2e6a46281d3bfc6199902d3d91b10515fc000e43c9a7421
service:
main:
ports:
http:
port: 8080
serviceMonitor:
main:
enabled: true
endpoints:
- port: http
scheme: http
path: /metrics
interval: 1m
scrapeTimeout: 10s
relabelings:
- sourceLabels: [__meta_kubernetes_pod_node_name]
targetLabel: node
securityContext:
privileged: true
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: feature.node.kubernetes.io/custom-intel-gpu
operator: In
values:
- "true"
resources:
requests:
gpu.intel.com/i915: 1
cpu: 15m
memory: 105Mi
limits:
gpu.intel.com/i915: 1
memory: 105Mi
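Review bot: The exporter runs with `securityContext: privileged: true` although it only reads GPU counters from the node; privileged hands it every host device and capability, not just the i915 device that the `gpu.intel.com/i915: 1` request already allocates to it. Tools of the `intel_gpu_top` kind typically need CAP_PERFMON (CAP_SYS_ADMIN on older kernels) plus access to `/dev/dri` rather than full privilege — confirm against the image's README and, if that holds, replace `privileged: true` with `capabilities: add: [PERFMON]` and `allowPrivilegeEscalation: false`. The digest-pinned `rolling@sha256:…` tag is the right shape; a comment saying how the digest is expected to be updated would tell readers the pin is deliberate rather than stale.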


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml


@@ -0,0 +1,81 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app intel-gpu-plugin
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: node-feature-discovery
namespace: default
values:
controller:
type: daemonset
strategy: RollingUpdate
image:
repository: docker.io/intel/intel-gpu-plugin
tag: 0.25.0
pullPolicy: IfNotPresent
args:
- -shared-dev-num
- "4"
service:
main:
enabled: false
# TODO(intel-gpu-plugin): Write probes to check for something to tell if it's working
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
persistence:
devfs:
enabled: true
type: hostPath
hostPath: /dev/dri
hostPathType: Directory
readOnly: true
sysfs:
enabled: true
type: hostPath
hostPath: /sys/class/drm
hostPathType: Directory
readOnly: true
kubeletsockets:
enabled: true
type: hostPath
hostPathType: Directory
hostPath: /var/lib/kubelet/device-plugins
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: feature.node.kubernetes.io/custom-intel-gpu
operator: In
values:
- "true"
resources:
requests:
cpu: 15m
memory: 105Mi
limits:
memory: 105Mi
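Review bot: The plugin pod has no `securityContext` at all, yet its `kubeletsockets` volume gives it read-write access to `/var/lib/kubelet/device-plugins` (the only one of the three hostPath volumes without `readOnly: true`), which is the kubelet's device-plugin registration directory. That write access is required for registration, but nothing else about the container is constrained; as far as I recall the upstream Intel device-plugin DaemonSet sets `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` on the same container — confirm that and add them here, since app-template will not add them for you. The `# TODO(intel-gpu-plugin)` note on the disabled probes is useful; extend it with the externally observable success signal (the `gpu.intel.com/i915` allocatable resource appearing on the node), which is what intel-gpu-exporter's `dependsOn` on this release ultimately relies on.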


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml


@@ -0,0 +1,13 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# - coredens-nodecache
- descheduler
- intel-gpu-exporter
- intel-gpu-plugin
- kyverno
- metrics-server
- node-feature-discovery
- rbac
- reloader
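Review bot: The commented-out entry `# - coredens-nodecache` is misspelled relative to the `coredns-nodecache` naming used by every manifest added for it in this commit, so — assuming the directory follows the resource name — whoever uncomments it to enable the node cache will get a kustomize build error instead of a deployment. Change it to `# - coredns-nodecache` now, and since the reason for keeping it disabled is not recorded anywhere, add a short comment next to it stating why it is off and what has to be true before it can be enabled.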


@@ -0,0 +1,41 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: kyverno
namespace: kyverno
spec:
interval: 15m
chart:
spec:
chart: kyverno
version: 2.6.1
sourceRef:
kind: HelmRepository
name: kyverno
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
installCRDs: false
replicaCount: 3
serviceMonitor:
enabled: true
resources:
requests:
cpu: 247m
memory: 443M
limits:
memory: 1336M
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/instance: kyverno
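Review bot: `installCRDs: false` means this release will not create the kyverno.io CRDs, and nothing else in this commit installs them; the kyverno-policies release applies `ClusterPolicy` objects and `dependsOn` only this HelmRelease, so unless the CRDs are applied elsewhere (not visible here) that release will fail with an unknown kind. Either set `installCRDs: true` or add a comment naming where the CRDs come from. Separately, the HelmRelease itself sits in `namespace: kyverno`; `install.createNamespace: true` creates the release's target namespace at install time, but Flux cannot apply the HelmRelease object until that namespace already exists, so a Namespace manifest is needed unless one lives outside this diff. `replicaCount: 3` with `whenUnsatisfiable: DoNotSchedule` on `kubernetes.io/hostname` also requires at least three schedulable nodes; fine if that is the cluster size, worth a comment if it is an assumption.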


@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml
- policies


@@ -0,0 +1,322 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: kyverno-policies
namespace: kyverno
spec:
interval: 15m
chart:
spec:
chart: raw
version: v0.3.1
sourceRef:
kind: HelmRepository
name: dysnix
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: kyverno
namespace: kyverno
values:
resources:
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- kind: ServiceAccount
name: kyverno
namespace: kyverno
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: apply-ingress-auth-annotations
annotations:
policies.kyverno.io/title: Apply Ingress Auth Annotations
policies.kyverno.io/subject: Ingress
policies.kyverno.io/description: >-
This policy creates auth annotations on ingresses. When
the `auth.home.arpa/enabled` annotation is `true` it
applies the nginx auth annotations for use with Authelia.
spec:
mutateExistingOnPolicyUpdate: true
generateExistingOnPolicyUpdate: true
rules:
- name: auth
match:
any:
- resources:
kinds: ["Ingress"]
annotations:
auth.home.arpa/enabled: "true"
mutate:
patchStrategicMerge:
metadata:
annotations:
+(nginx.ingress.kubernetes.io/auth-method): GET
+(nginx.ingress.kubernetes.io/auth-url): |-
http://authelia.default.svc.cluster.local./api/verify
+(nginx.ingress.kubernetes.io/auth-signin): |-
https://auth.${SECRET_CLUSTER_DOMAIN}?rm=$request_method
+(nginx.ingress.kubernetes.io/auth-response-headers): |-
Remote-User,Remote-Name,Remote-Groups,Remote-Email
+(nginx.ingress.kubernetes.io/auth-snippet): |
proxy_set_header X-Forwarded-Method $request_method;
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: apply-ingress-external-dns-annotations
annotations:
policies.kyverno.io/title: Apply Ingress External-DNS Annotations
policies.kyverno.io/subject: Ingress
policies.kyverno.io/description: >-
This policy creates external-dns annotations on ingresses.
When the `external-dns.home.arpa/enabled` annotation is `true`
it applies the external-dns annotations for use with external
application access.
spec:
mutateExistingOnPolicyUpdate: true
generateExistingOnPolicyUpdate: true
rules:
- name: external-dns
match:
any:
- resources:
kinds: ["Ingress"]
annotations:
external-dns.home.arpa/enabled: "true"
mutate:
patchStrategicMerge:
metadata:
annotations:
+(external-dns.alpha.kubernetes.io/target): |-
services.${SECRET_DOMAIN}.
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: apply-ingress-whitelist-annotations
annotations:
policies.kyverno.io/title: Apply Ingress Whitelist Annotations
policies.kyverno.io/subject: Ingress
policies.kyverno.io/description: >-
This policy creates annotations on ingresses. When
the `external-dns.home.arpa/enabled` annotation is not
set it applies the nginx annotations for use with only
internal application access.
spec:
mutateExistingOnPolicyUpdate: true
generateExistingOnPolicyUpdate: true
rules:
- name: whitelist
match:
any:
- resources:
kinds: ["Ingress"]
exclude:
any:
- resources:
annotations:
external-dns.home.arpa/enabled: "true"
mutate:
patchStrategicMerge:
metadata:
annotations:
+(nginx.ingress.kubernetes.io/whitelist-source-range): |-
10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: delete-cpu-limits
annotations:
policies.kyverno.io/title: Delete CPU limits
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
This policy deletes CPU limits from all Pods.
spec:
mutateExistingOnPolicyUpdate: true
generateExistingOnPolicyUpdate: true
rules:
- name: delete-cpu-limits
match:
any:
- resources:
kinds: ["Pod"]
exclude:
any:
- resources:
namespaces:
- calico-system
- tigera-operator
- resources:
kinds: ["Pod"]
selector:
matchLabels:
job-name: "*"
- resources:
kinds: ["Pod"]
selector:
matchLabels:
statefulset.kubernetes.io/pod-name: "*"
- resources:
annotations:
kyverno.io/ignore: "true"
mutate:
patchStrategicMerge:
spec:
initContainers:
- (name): "*"
resources:
limits:
cpu: null
containers:
- (name): "*"
resources:
limits:
cpu: null
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: snapshot-cronjob-controller
annotations:
policies.kyverno.io/title: Snapshot CronJob controller
policies.kyverno.io/subject: PersistentVolumeClaim
policies.kyverno.io/description: |
This policy creates a Kopia snapshot CronJob for labeled PersistentVolumeClaims.
The following label on PVCs are required for this to run:
- snapshot.home.arpa/enabled
spec:
generateExistingOnPolicyUpdate: true
mutateExistingOnPolicyUpdate: true
rules:
- name: create-snapshot-cronjob
match:
any:
- resources:
kinds:
- PersistentVolumeClaim
selector:
matchLabels:
app.kubernetes.io/name: "*"
app.kubernetes.io/instance: "*"
snapshot.home.arpa/enabled: "true"
context:
- name: appName
variable:
jmesPath: 'request.object.metadata.labels."app.kubernetes.io/name"'
- name: claimName
variable:
jmesPath: "request.object.metadata.name"
# TODO(kyverno): https://github.com/kyverno/kyverno/pull/4767
# jmesPath: "{{ regex_replace_all('^([^-]*)', {{ request.object.metadata.name }}, '${1}') }}" # 'config' instead of 'config-home-assistant-0'
- name: namespace
variable:
jmesPath: "request.object.metadata.namespace"
- name: nodeAffinity
variable:
value:
labels:
- key: app.kubernetes.io/name
operator: "In"
values:
- '{{ request.object.metadata.labels."app.kubernetes.io/name" }}'
- key: app.kubernetes.io/instance
operator: "In"
values:
- '{{ request.object.metadata.labels."app.kubernetes.io/instance" }}'
generate:
synchronize: true
apiVersion: batch/v1
kind: CronJob
name: "{{ appName }}-{{ claimName }}-snapshot"
namespace: "{{ request.object.metadata.namespace }}"
data:
metadata:
labels:
app.kubernetes.io/name: '{{ request.object.metadata.labels."app.kubernetes.io/name" }}'
app.kubernetes.io/instance: '{{ request.object.metadata.labels."app.kubernetes.io/instance" }}'
ownerReferences:
- apiVersion: "{{ request.object.apiVersion }}"
kind: "{{ request.object.kind }}"
name: "{{ request.object.metadata.name }}"
uid: "{{ request.object.metadata.uid }}"
spec:
schedule: "0 7 * * *"
suspend: false
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 2
jobTemplate:
spec:
# Keep at least one job in completed state in accordance to the schedule
ttlSecondsAfterFinished: 86400
template:
spec:
automountServiceAccountToken: false
restartPolicy: OnFailure
# Stagger jobs to run randomly within X seconds to avoid bringing down all apps at once
initContainers:
- name: wait
image: ghcr.io/onedr0p/kopia:0.12.1@sha256:88106e6bb642ee4cb58b61a335ff55992ee2c03493f1aec804422774cf7cf063
command: ["/scripts/sleep.sh"]
args: ["1", "1800"]
containers:
- name: snapshot
image: ghcr.io/onedr0p/kopia:0.12.1@sha256:88106e6bb642ee4cb58b61a335ff55992ee2c03493f1aec804422774cf7cf063
env:
- name: KOPIA_CACHE_DIRECTORY
value: /snapshots/{{ namespace }}/{{ appName }}/{{ claimName }}/cache
- name: KOPIA_LOG_DIR
value: /snapshots/{{ namespace }}/{{ appName }}/{{ claimName }}/logs
- name: KOPIA_PASSWORD
value: "none"
command:
- /bin/bash
- -c
- |-
printf "\e[1;32m%-6s\e[m\n" "[01/10] Create repo ..." && [[ ! -f /snapshots/kopia.repository.f ]] && kopia repository create filesystem --path=/snapshots
printf "\e[1;32m%-6s\e[m\n" "[02/10] Connect to repo ..." && kopia repo connect filesystem --path=/snapshots --override-hostname=cluster --override-username=root
printf "\e[1;32m%-6s\e[m\n" "[03/10] Set policies ..." && kopia policy set /data/{{ namespace }}/{{ appName }}/{{ claimName }} --compression=zstd --keep-latest 14 --keep-hourly 0 --keep-daily 7 --keep-weekly 2 --keep-monthly 0 --keep-annual 0
printf "\e[1;32m%-6s\e[m\n" "[04/10] Freeze {{ claimName }} ..." && fsfreeze -f /data/{{ namespace }}/{{ appName }}/{{ claimName }}
printf "\e[1;32m%-6s\e[m\n" "[05/10] Snapshot {{ claimName }} ..." && kopia snap create /data/{{ namespace }}/{{ appName }}/{{ claimName }}
printf "\e[1;32m%-6s\e[m\n" "[06/10] Unfreeze {{ claimName }} ..." && fsfreeze -u /data/{{ namespace }}/{{ appName }}/{{ claimName }}
printf "\e[1;32m%-6s\e[m\n" "[07/10] List snapshots ..." && kopia snap list /data/{{ namespace }}/{{ appName }}/{{ claimName }}
printf "\e[1;32m%-6s\e[m\n" "[08/10] Show stats ..." && kopia content stats
printf "\e[1;32m%-6s\e[m\n" "[09/10] Show maintenance info ..." && kopia maintenance info
printf "\e[1;32m%-6s\e[m\n" "[10/10] Disconnect from repo ..." && kopia repo disconnect
volumeMounts:
- name: data
mountPath: "/data/{{ namespace }}/{{ appName }}/{{ claimName }}"
- name: snapshots
mountPath: /snapshots
securityContext:
privileged: true
volumes:
- name: data
persistentVolumeClaim:
claimName: "{{ claimName }}"
- name: snapshots
nfs:
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/backups/kubernetes
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- topologyKey: kubernetes.io/hostname
labelSelector:
matchExpressions: "{{ nodeAffinity.labels }}"
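Review bot: In the generated snapshot CronJob's `command` script, `fsfreeze -f` (step 04) and `fsfreeze -u` (step 06) are chained to `kopia snap create` only with `&&`, so if the snapshot step fails the filesystem is never unfrozen and the application owning the PVC hangs until the job pod is killed; make the unfreeze unconditional, e.g. `trap 'fsfreeze -u /data/{{ namespace }}/{{ appName }}/{{ claimName }}' EXIT` placed before the freeze line. `KOPIA_PASSWORD` is the literal `"none"` inside a cluster-wide ClusterPolicy, so every repository written to the NFS export at `/mnt/storage/backups/kubernetes` is encrypted with a known trivial key; move it to a Secret and reference it with `valueFrom: secretKeyRef`. The `kyverno:admin` ClusterRoleBinding grants the kyverno ServiceAccount the built-in `admin` ClusterRole in every namespace (which includes reading all Secrets and creating RoleBindings), far more than generating CronJobs and mutating Ingress and Pod objects requires; a dedicated ClusterRole listing `batch/cronjobs` plus the mutated resources would be the least-privilege shape. The generated CronJob also runs `privileged: true`, which fsfreeze needs, and any PVC carrying `snapshot.home.arpa/enabled: "true"` triggers such a job, so a comment next to that label match saying it grants a privileged job on the PVC's node would make the trade-off explicit.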


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml


@@ -0,0 +1,33 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: metrics-server
namespace: default
spec:
interval: 15m
chart:
spec:
chart: metrics-server
version: 3.8.2
sourceRef:
kind: HelmRepository
name: metrics-server
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
args:
- --kubelet-insecure-tls
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --kubelet-use-node-status-port
- --metric-resolution=15s
metrics:
enabled: true
serviceMonitor:
enabled: true
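Review bot: `--kubelet-insecure-tls` disables verification of each kubelet's serving certificate, so metrics-server will trust any endpoint answering on the kubelet port, and there is no comment saying why that is accepted here. On Talos the kubelet can present properly signed serving certificates once serving-certificate rotation is enabled in the machine config and a CSR approver is running (as far as I recall — confirm against the Talos docs for your version), after which this flag can be dropped. If it has to stay, add `# kubelet serving certs are self-signed on this cluster; drop once serving-cert rotation is enabled` so the exception is recorded rather than silently inherited by the next cluster.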


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml


@@ -0,0 +1,76 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: node-feature-discovery
namespace: default
spec:
interval: 15m
chart:
spec:
chart: node-feature-discovery
version: 0.11.3
sourceRef:
kind: HelmRepository
name: node-feature-discovery
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
nodeFeatureRule:
createCRD: true
worker:
annotations:
configmap.reloader.stakater.com/reload: node-feature-discovery-worker-conf
config:
core:
sources:
- custom
- pci
- usb
sources:
usb:
deviceClassWhitelist:
- "02"
- "03"
- "0e"
- "ef"
- "fe"
- "ff"
deviceLabelFields:
- class
- vendor
- device
custom:
- name: "zwave"
matchOn:
- usbId:
class: ["02"]
vendor: ["0658"]
device: ["0200"]
- name: "zigbee"
matchOn:
- usbId:
class: ["ff"]
vendor: ["1a86"]
device: ["7523"]
- name: "rflink"
matchOn:
- usbId:
class: ["02"]
vendor: ["2341"]
device: ["0042"]
- name: "coral-tpu"
matchOn:
- usbId:
vendor: ["1a6e", "18d1"]
- name: "intel-gpu"
matchOn:
- pciId:
class: ["0300"]
vendor: ["8086"]


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml


@@ -0,0 +1,19 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: jobs
namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: jobs-edit
namespace: default
subjects:
- kind: ServiceAccount
name: jobs
roleRef:
kind: ClusterRole
name: edit
apiGroup: rbac.authorization.k8s.io
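Review bot: The `jobs` ServiceAccount in `default` is bound to the built-in `edit` ClusterRole, which includes get/list on Secrets and create on pods and pods/exec in that namespace, and nothing in this commit shows what will use the account — the generated kopia CronJob explicitly sets `automountServiceAccountToken: false` and no serviceAccountName. A comment above the ServiceAccount naming its consumer, and ideally a dedicated Role listing only the verbs those jobs need, would make the grant reviewable. The subject also omits `namespace: default`; the RBAC authorizer defaults a ServiceAccount subject to the binding's namespace, but spelling it out removes the ambiguity for readers and for tools that lint RBAC.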


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- jobs.yaml


@@ -0,0 +1,30 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &name reloader
namespace: &namespace default
spec:
interval: 15m
chart:
spec:
chart: *name
version: v0.0.124
sourceRef:
kind: HelmRepository
name: stakater
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
fullnameOverride: *name
reloader:
reloadStrategy: annotations
podMonitor:
enabled: true
namespace: *namespace


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml