feat: Added gateway api

.gitattributes

@@ -1,2 +1,3 @@
 _secrets.yaml filter=git-crypt diff=git-crypt
 secrets.yaml filter=git-crypt diff=git-crypt
+*.agekey filter=git-crypt diff=git-crypt

.pre-commit-config.yaml

@@ -0,0 +1,28 @@
+default_install_hook_types: [pre-commit, commit-msg]
+exclude: gotk-.*.yaml
+repos:
+  - repo: builtin
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+        args:
+          - --allow-multiple-documents
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: check-executables-have-shebangs
+
+  - repo: https://github.com/crate-ci/typos
+    rev: v1.40.0
+    hooks:
+      - id: typos
+
+  - repo: https://github.com/sirwart/ripsecrets
+    rev: v0.1.11
+    hooks:
+      - id: ripsecrets-system
+
+  - repo: https://github.com/crate-ci/committed
+    rev: v1.1.8
+    hooks:
+      - id: committed

.secretsignore

@@ -0,0 +1,3 @@
+_secrets.yaml
+secrets.yaml
+*.agekey

committed.toml

@@ -0,0 +1,2 @@
+style = "conventional"
+ignore_author_re = "Flux"

nodes/_defaults.yaml

@@ -29,5 +29,15 @@ patches:
   - !patch vip
   - !patch tailscale
   - !patch cilium
+  - !patch spegel
+  - !patch longhorn
+  - !patch longhorn-user-volume
+  - !patch local-path-provisioner-volume
+  - !patch limit-ephemeral
+  - !patch metrics
 patchesControlPlane:
   - !patch allow-control-plane-workloads
+  - !patch sops
+  - !patch cluster-variables
+  - !patch metrics-cluster
+  - !patch gateway-api

nodes/testing/_defaults.yaml

@@ -4,5 +4,7 @@ installDisk: /dev/vda
 autoInstall: true
 cluster:
   name: testing
+  production: false
   controlPlaneIp: 192.168.1.100
   secretsFile: !realpath _secrets.yaml
+  sopsKeyFile: !realpath _age.agekey

nodes/titan/_defaults.yaml

@@ -3,5 +3,7 @@ gateway: 10.0.0.1
 installDisk: /dev/sda
 cluster:
   name: titan
+  production: true
   controlPlaneIp: 10.0.2.1
   secretsFile: !realpath _secrets.yaml
+  sopsKeyFile: !realpath _age.agekey

patches/cluster-variables.yaml

@@ -0,0 +1,16 @@
+cluster:
+  inlineManifests:
+    - name: cluster-variables
+      contents: |
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: flux-system
+        ---
+        apiVersion: v1
+        kind: ConfigMap
+        metadata:
+          name: cluster-variables
+          namespace: flux-system
+        data:
+          cluster_env: {%- if node.cluster.production %} production {%- else %} staging {%- endif %}

patches/gateway-api.yaml

@@ -0,0 +1,3 @@
+cluster:
+  extraManifests:
+    - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.1/standard-install.yaml

patches/limit-ephemeral.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1alpha1
+kind: VolumeConfig
+name: EPHEMERAL
+provisioning:
+  maxSize: 30GB

patches/local-path-provisioner-volume.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1alpha1
+kind: UserVolumeConfig
+name: local-path-provisioner
+provisioning:
+  diskSelector:
+    match: system_disk
+  grow: true
+  maxSize: 10GB

patches/longhorn-user-volume.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1alpha1
+kind: UserVolumeConfig
+name: longhorn
+provisioning:
+  diskSelector:
+    match: system_disk
+  grow: true
+  maxSize: 2000GB

patches/longhorn.yaml

@@ -0,0 +1,10 @@
+machine:
+  kubelet:
+    extraMounts:
+      - destination: /var/lib/longhorn
+        type: bind
+        source: /var/lib/longhorn
+        options:
+          - bind
+          - rshared
+          - rw

patches/metrics-cluster.yaml

@@ -0,0 +1,4 @@
+cluster:
+  extraManifests:
+    - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
+    - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml

patches/metrics.yaml

@@ -0,0 +1,4 @@
+machine:
+  kubelet:
+    extraArgs:
+      rotate-server-certificates: true

patches/openebs.yaml

@@ -0,0 +1,16 @@
+machine:
+  # This is only needed on nodes that will have storage
+  sysctls:
+    vm.nr_hugepages: "1024"
+  nodeLabels:
+    openebs.io/engine: mayastor
+  # This is needed on ALL nodes
+  kubelet:
+    extraMounts:
+      - destination: /var/local
+        type: bind
+        source: /var/local
+        options:
+          - bind
+          - rshared
+          - rw

patches/sops.yaml

@@ -0,0 +1,17 @@
+cluster:
+  inlineManifests:
+    - name: sops-key
+      contents: |
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: flux-system
+        ---
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          name: sops-gpg
+          namespace: flux-system
+        data:
+          age.agekey: |
+            {{ helper.load_secret(node.cluster.sopsKeyFile) }}

patches/spegel.yaml

@@ -0,0 +1,7 @@
+machine:
+  files:
+    - path: /etc/cri/conf.d/20-customization.part
+      op: create
+      content: |
+        [plugins."io.containerd.cri.v1.images"]
+          discard_unpacked_layers = false

patches/tailscale.yaml

@@ -3,7 +3,5 @@ kind: ExtensionServiceConfig
 name: tailscale
 environment:
   - TS_AUTHKEY={{ config.tailscale.authKey }}
-  - TS_EXTRA_ARGS=--login-server {{ config.tailscale.loginServer }} --advertise-tags "tag:cluster-{{ node.cluster.name }}"
-  {% if node.advertiseRoutes %}
-  - TS_ROUTES={{ helper.tailscale_subnet(node.gateway, node.netmask) }}
-  {% endif %}
+  - TS_EXTRA_ARGS=--login-server {{ config.tailscale.loginServer }} --advertise-tags=tag:cluster-{{ node.cluster.name }}
+  - TS_ROUTES={% if node.advertiseRoutes -%} {{ helper.tailscale_subnet(node.gateway, node.netmask) }} {%- endif %}

tools/render

@@ -3,6 +3,7 @@
 
 # Adapted from: https://enix.io/en/blog/pxe-talos/
 
+import base64
 import functools
 import json
 import pathlib
@@ -71,6 +72,9 @@ def tailscale_subnet(gateway: str, netmask: str):
     netmask_bits = IPAddress(netmask).netmask_bits()
     return f"{IPAddress(gateway) & IPAddress(netmask)}/{netmask_bits}"
 
+def load_secret(path: str):
+    with open(path) as f:
+        return base64.b64encode(f.read().encode()).decode()
 
 @functools.cache
 def get_schematic_id(schematic: str):
@@ -165,7 +169,7 @@ def main():
     template_args = {
         "config": config,
         "root": ROOT,
-        "helper": {"tailscale_subnet": tailscale_subnet},
+        "helper": {"tailscale_subnet": tailscale_subnet, "load_secret": load_secret},
     }
 
     nodes = []

tools/vm

@@ -3,9 +3,9 @@ set -euo pipefail
 ROOT=$(git rev-parse --show-toplevel)
 
 VM_NAME="talos-vm"
-VCPUS="2"
-RAM_MB="2048"
-DISK_GB="10"
+VCPUS="6"
+RAM_MB="16384"
+DISK_GB="100"
 NETWORK=talos
 CONNECTION="qemu:///system"