♻️ flux kustomizations

kubernetes/bootstrap/README.md

@@ -0,0 +1,9 @@
+## :memo:  Bootstrap
+
+1. Deploy [cilium](https://cilium.io/) : `kubectl kustomize --enable-helm ./kubernetes/bootsrap/cilium | kubectl apply -f -`
+2. Deploy [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver) `kubectl kustomize --enable-helm ./kubernetes/bootstrap/kubelet-csr-approver | kubectl apply -f -` to approve csr issued by talos nodes (that will allow to see pods logs).
+3. Deploy [flux](https://github.com/fluxcd/flux2) `kubectl apply --server-side --kustomize ./kubernetes/bootstrap/flux`
+4. Create flux github secret `sops --decrypt ./kubernetes/bootstrap/flux/github-deploy-key.sops.yaml | kubectl apply -f -`
+5. Create sops secret `cat ~/.config/sops/age/keys.txt | kubectl create secret generic sops-age --namespace=flux-system --from-file=age.agekey=/dev/stdin`
+6. Apply flux cluster variables `kubectl apply -f ./kubernetes/flux/vars/cluster-settings.yaml`
+7. Apply flux kustomization `kubectl apply --server-side --kustomize ./kubernetes/flux/config`

kubernetes/bootstrap/cilium/kustomization.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+  - name: cilium
+    repo: https://helm.cilium.io/
+    version: 1.12.5
+    releaseName: cilium
+    namespace: kube-system
+    valuesFile: values.yaml
+commonAnnotations:
+  meta.helm.sh/release-name: cilium
+  meta.helm.sh/release-namespace: kube-system
+commonLabels:
+  app.kubernetes.io/managed-by: Helm

kubernetes/bootstrap/cilium/values.yaml

@@ -0,0 +1,28 @@
+---
+autoDirectNodeRoutes: true
+bgp:
+  announce:
+    loadbalancerIP: true
+  enabled: false
+containerRuntime:
+  integration: containerd
+endpointRoutes:
+  enabled: true
+hubble:
+  enabled: false
+ipam:
+  mode: kubernetes
+ipv4NativeRoutingCIDR: 10.69.0.0/16
+k8sServiceHost: 192.168.9.100
+k8sServicePort: 6443
+kubeProxyReplacement: strict
+loadBalancer:
+  algorithm: maglev
+  mode: dsr
+localRedirectPolicy: true
+operator:
+  rollOutPods: true
+rollOutCiliumPods: true
+securityContext:
+  privileged: true
+tunnel: disabled

kubernetes/bootstrap/flux/github-deploy-key.sops.yaml

@@ -0,0 +1,31 @@
+# yamllint disable
+# https://github.com/k8s-at-home/template-cluster-k3s/issues/324
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-deploy-key
+    namespace: flux-system
+stringData:
+    identity: ENC[AES256_GCM,data:9W1QtXKVHOZtK/flmsoU5+h1BTmG46s+JY98Qk9Qxt/WccZIeqtiwHozp2popqJSwOqMTzbMJuFiELOrzxY8mc7vntTuLhsguRNPPHfsXPS+ScIio32jP/cxKUl2f6myphnSWwvSmRcH1L/ixzHI5UQC1Jh6GHU/I78esqNcaucjBHqSuu118dYd0eiGfK3eLyyuUFAXP/f5UzetPsP/Mq6V2ha3svop9ZGVdVo/VjWqR2JJ/BBYzL3GLqFB6hnifLZxQ+cKun2KQKbhvhcFXkPll3ZAvgpIYm62fwfqVws98Lsn6uuByWKdEuPMgl9WtU4lfJeWso9G+sWGyinfFRzodOHk8exSsAT0g68x2IAGY7ZjQTgF5RDmii40OQBLC/I0VIjgb3C7/O3CbnU+IBr7,iv:Z9C1WbJLa5dULnXvT1Z7C5xNbI3wCNsYZtp+mJYBJF8=,tag:/JpI9PsIIV1SbZPhhYzkZg==,type:str]
+    identidy.pub: ENC[AES256_GCM,data:oXByCEAnnEmC2ZZiXjPJqkyh3h6Dqk4SyYchIlsoLr5Y9KKKvGLwZ7yGNIhpSbU7PUYdp8NIO0LMeYrK5xfUEmFKBdZl3uZ6fWQ5IFNW32v/0lwg2ZJqUIdywPLvmbPTUg8+nkcLVMMJVgN8edjWsVz69OdkpIWdbaGf/+j75cIO2QbXIUUNXC0bEzOF46zSTD3UOeQpd86AxO1W4NuRH355bPmw0RytQB7bNG8svKu8/1Ymh4CIZAizDwOqihdu6W71LfiTsNsoENMSiw==,iv:eRNPkhiaoqd+Wit+C1NPxBMM0swqbC2MlRnSsXXx0oA=,tag:zjuKq38HE3Ma134dMhj8iQ==,type:str]
+    known_hosts: ENC[AES256_GCM,data:Lcmee02u0o3QQc+/kvdwUUaSMY6Hz0gAsfagIVbAh2BC/kMHESQDgVBq98SDW68myww5GTzRXsgtxVapXc6KpOmpBF0Fh39tEpe1Q1lvzRdNKSCJ6ffuA/kupM3QUstLr4jpXzQ3mw06vM0xrei7lmyycBzF+HL3P6byE9GtFkS88bQCj4w6phUa6ve3L7ImmqL4u/F+5note0HW4STS4nChWjGielx2vdEvEQ==,iv:grJD1VvcxXLNzZxf6jROx1mGDl/ViHhT6Ht56dQ1lYY=,tag:zQdj6V6p7VS9G3qVIj6eBg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUkcxTmRBUGhLbHFiMmlC
+            RTIzK09EOFByYWladXFZUm4wZHlocmVieEhJCnI2emlSN1hjRGRQdXNueWZiWHpO
+            RHMzSE12S2lHeVF3bkJRQVBZMW5nM3cKLS0tIHhieFpPalp1YXZoQWd4MHlnRkQ3
+            Vm9McjJVUnVrODBzTzVsOEZPODR2c1kKWRxQqDWq+2YsNBLXYB8frfs7YWIo4FaZ
+            tZ7eUewEEhP/sWB5zc96NoVJMQSoE+Obn0A+FBLCQFaA7AY2G9hi1w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-09-12T20:34:27Z"
+    mac: ENC[AES256_GCM,data:ypR+H3I5o5cVJL4ZJwwfffHm3LuEGC6vOYM3FRwCeP+U7giVCcXNv1qHGSHhuCVynHfZUPXuJTx1gliRk4UvkP877E+nlzJAlRN10uhXS4DNWvs86EIM1cDLVzBmsjWY+q3RhZ1FC5ceVNSLdtihKLeKQz7ICyFuXhBCbuTZko0=,iv:u/EuOR3jRwPdqnMWBAdeY/WF5XrNiuUpPYkkzSqh268=,tag:ShtGtcZaEKiWVkEsqorTiQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

kubernetes/bootstrap/flux/kustomization.yaml

@@ -0,0 +1,17 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - github.com/fluxcd/flux2/manifests/install?ref=v0.38.2
+patches:
+  - target:
+      group: networking.k8s.io
+      version: v1
+      kind: NetworkPolicy
+    patch: |-
+      $patch: delete
+      apiVersion: networking.k8s.io/v1
+      kind: NetworkPolicy
+      metadata:
+        name: not-used

kubernetes/bootstrap/kubelet-csr-approver/kustomization.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+helmCharts:
+  - name: kubelet-csr-approver
+    repo: https://postfinance.github.io/kubelet-csr-approver
+    version: 0.2.4
+    releaseName: kubelet-csr-approver
+    namespace: kube-system
+    valuesInline:
+      providerRegex: |
+        ^node-talos-\w*$
+commonAnnotations:
+  meta.helm.sh/release-name: kubelet-csr-approver
+  meta.helm.sh/release-namespace: kube-system
+commonLabels:
+  app.kubernetes.io/managed-by: Helm