Added cilium

2025-11-12 05:46:48 +01:00
29 changed files with 75 additions and 158 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,3 +1,2 @@
 _secrets.yaml filter=git-crypt diff=git-crypt
 secrets.yaml filter=git-crypt diff=git-crypt
 *.agekey filter=git-crypt diff=git-crypt
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,28 +0,0 @@
 default_install_hook_types: [pre-commit, commit-msg]
 exclude: gotk-.*.yaml
 repos:
  - repo: builtin
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
        args:
          - --allow-multiple-documents
      - id: check-added-large-files
      - id: check-merge-conflict
      - id: check-executables-have-shebangs
  - repo: https://github.com/crate-ci/typos
    rev: v1.40.0
    hooks:
      - id: typos
  - repo: https://github.com/sirwart/ripsecrets
    rev: v0.1.11
    hooks:
      - id: ripsecrets-system
  - repo: https://github.com/crate-ci/committed
    rev: v1.1.8
    hooks:
      - id: committed
--- a/.secretsignore
+++ b/.secretsignore
@@ -1,3 +0,0 @@
 _secrets.yaml
 secrets.yaml
 *.agekey
--- a/committed.toml
+++ b/committed.toml
@@ -1,2 +0,0 @@
 style = "conventional"
 ignore_author_re = "Flux"
--- a/nodes/_cilium_values.yaml
+++ b/nodes/_cilium_values.yaml
@@ -0,0 +1,31 @@
 ipam:
  mode: kubernetes
 kubeProxyReplacement: true
 securityContext:
  capabilities:
    ciliumAgent:
      - CHOWN
      - KILL
      - NET_ADMIN
      - NET_RAW
      - IPC_LOCK
      - SYS_ADMIN
      - SYS_RESOURCE
      - DAC_OVERRIDE
      - FOWNER
      - SETGID
      - SETUID
    cleanCiliumState:
      - NET_ADMIN
      - SYS_ADMIN
      - SYS_RESOURCE
 cgroup:
  autoMount:
    enabled: false
  hostRoot: /sys/fs/cgroup
 k8sServiceHost: localhost
 k8sServicePort: 7445
 gatewayAPI:
  enabled: true
  enableAlpn: true
  enableAppProtocol: true
--- a/nodes/_defaults.yaml
+++ b/nodes/_defaults.yaml
@@ -2,6 +2,10 @@ schematicId: !schematic default
 arch: amd64
 talosVersion: v1.11.3
 kubernesVersion: v1.34.1
 cluster:
  cilium:
    version: 1.18.3
    valuesFile: !realpath _cilium_values.yaml
 kernelArgs:
  - talos.platform=metal
  - console=tty0
@@ -21,7 +25,6 @@ dns:
 ntp: nl.pool.ntp.org
 install: true
 autoInstall: false
 advertiseRoutes: true
 patches:
  - !patch hostname
  - !patch install-disk
@@ -29,15 +32,5 @@ patches:
  - !patch vip
  - !patch tailscale
  - !patch cilium
  - !patch spegel
  - !patch longhorn
  - !patch longhorn-user-volume
  - !patch local-path-provisioner-volume
  - !patch limit-ephemeral
  - !patch metrics
 patchesControlPlane:
  - !patch allow-control-plane-workloads
  - !patch sops
  - !patch cluster-variables
  - !patch metrics-cluster
  - !patch gateway-api
--- a/nodes/hellas/_defaults.yaml
+++ b/nodes/hellas/_defaults.yaml
@@ -2,8 +2,6 @@ netmask: 255.255.252.0
 gateway: 10.0.0.1
 installDisk: /dev/sda
 cluster:
-  name: titan
+  name: hellas
  production: true
  controlPlaneIp: 10.0.2.1
  secretsFile: !realpath _secrets.yaml
  sopsKeyFile: !realpath _age.agekey
--- a/nodes/hellas/_secrets.yaml
+++ b/nodes/hellas/_secrets.yaml
--- a/nodes/hellas/helios.yaml
+++ b/nodes/hellas/helios.yaml
--- a/nodes/hellas/hyperion.yaml
+++ b/nodes/hellas/hyperion.yaml
--- a/nodes/hellas/selene.yaml
+++ b/nodes/hellas/selene.yaml
--- a/nodes/testing/_age.agekey
+++ b/nodes/testing/_age.agekey
--- a/nodes/testing/_defaults.yaml
+++ b/nodes/testing/_defaults.yaml
@@ -4,7 +4,5 @@ installDisk: /dev/vda
 autoInstall: true
 cluster:
  name: testing
  production: false
  controlPlaneIp: 192.168.1.100
  secretsFile: !realpath _secrets.yaml
  sopsKeyFile: !realpath _age.agekey
--- a/nodes/titan/_age.agekey
+++ b/nodes/titan/_age.agekey
--- a/patches/cluster-variables.yaml
+++ b/patches/cluster-variables.yaml
@@ -1,16 +0,0 @@
 cluster:
  inlineManifests:
    - name: cluster-variables
      contents: |
        apiVersion: v1
        kind: Namespace
        metadata:
          name: flux-system
        ---
        apiVersion: v1
        kind: ConfigMap
        metadata:
          name: cluster-variables
          namespace: flux-system
        data:
          cluster_env: {%- if node.cluster.production %} production {%- else %} staging {%- endif %}
--- a/patches/gateway-api.yaml
+++ b/patches/gateway-api.yaml
@@ -1,3 +0,0 @@
 cluster:
  extraManifests:
    - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.1/standard-install.yaml
--- a/patches/limit-ephemeral.yaml
+++ b/patches/limit-ephemeral.yaml
@@ -1,5 +0,0 @@
 apiVersion: v1alpha1
 kind: VolumeConfig
 name: EPHEMERAL
 provisioning:
  maxSize: 30GB
--- a/patches/local-path-provisioner-volume.yaml
+++ b/patches/local-path-provisioner-volume.yaml
@@ -1,8 +0,0 @@
 apiVersion: v1alpha1
 kind: UserVolumeConfig
 name: local-path-provisioner
 provisioning:
  diskSelector:
    match: system_disk
  grow: true
  maxSize: 10GB
--- a/patches/longhorn-user-volume.yaml
+++ b/patches/longhorn-user-volume.yaml
@@ -1,8 +0,0 @@
 apiVersion: v1alpha1
 kind: UserVolumeConfig
 name: longhorn
 provisioning:
  diskSelector:
    match: system_disk
  grow: true
  maxSize: 2000GB
--- a/patches/longhorn.yaml
+++ b/patches/longhorn.yaml
@@ -1,10 +0,0 @@
 machine:
  kubelet:
    extraMounts:
      - destination: /var/lib/longhorn
        type: bind
        source: /var/lib/longhorn
        options:
          - bind
          - rshared
          - rw
--- a/patches/metrics-cluster.yaml
+++ b/patches/metrics-cluster.yaml
@@ -1,4 +0,0 @@
 cluster:
  extraManifests:
    - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
    - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
--- a/patches/metrics.yaml
+++ b/patches/metrics.yaml
@@ -1,4 +0,0 @@
 machine:
  kubelet:
    extraArgs:
      rotate-server-certificates: true
--- a/patches/openebs.yaml
+++ b/patches/openebs.yaml
@@ -1,16 +0,0 @@
 machine:
  # This is only needed on nodes that will have storage
  sysctls:
    vm.nr_hugepages: "1024"
  nodeLabels:
    openebs.io/engine: mayastor
  # This is needed on ALL nodes
  kubelet:
    extraMounts:
      - destination: /var/local
        type: bind
        source: /var/local
        options:
          - bind
          - rshared
          - rw
--- a/patches/sops.yaml
+++ b/patches/sops.yaml
@@ -1,17 +0,0 @@
 cluster:
  inlineManifests:
    - name: sops-key
      contents: |
        apiVersion: v1
        kind: Namespace
        metadata:
          name: flux-system
        ---
        apiVersion: v1
        kind: Secret
        metadata:
          name: sops-gpg
          namespace: flux-system
        data:
          age.agekey: |
            {{ helper.load_secret(node.cluster.sopsKeyFile) }}
--- a/patches/spegel.yaml
+++ b/patches/spegel.yaml
@@ -1,7 +0,0 @@
 machine:
  files:
    - path: /etc/cri/conf.d/20-customization.part
      op: create
      content: |
        [plugins."io.containerd.cri.v1.images"]
          discard_unpacked_layers = false
--- a/patches/tailscale.yaml
+++ b/patches/tailscale.yaml
@@ -3,5 +3,5 @@ kind: ExtensionServiceConfig
 name: tailscale
 environment:
  - TS_AUTHKEY={{ config.tailscale.authKey }}
-  - TS_EXTRA_ARGS=--login-server {{ config.tailscale.loginServer }} --advertise-tags=tag:cluster-{{ node.cluster.name }}
+  - TS_EXTRA_ARGS=--login-server {{ config.tailscale.loginServer }}
-  - TS_ROUTES={% if node.advertiseRoutes -%} {{ helper.tailscale_subnet(node.gateway, node.netmask) }} {%- endif %}
+  - TS_ROUTES={{ helper.tailscale_subnet(node.gateway, node.netmask) }}
--- a/templates/generate_configs.sh
+++ b/templates/generate_configs.sh
@@ -2,6 +2,36 @@
 set -euo pipefail
 CONFIGS={{ root }}/configs
 function create_inline_manifest() {
 	# Add indentation
 	CONTENT=$(echo "$3" | sed 's/^/        /')
 	# Create inline manifest patch
 	cat > $2 << EOF
 cluster:
  inlineManifests:
    - name: ${1}
      contents: |
 ${CONTENT}
 EOF
 }
 helm repo add cilium https://helm.cilium.io/
 helm repo update
 {% for cluster in clusters -%}
 {% if "cilium" in cluster -%}
 # Generate manifests
 CONTENT=$(helm template \
    cilium \
    cilium/cilium \
    --version {{ cluster.cilium.version }} \
    --namespace kube-system \
 	--values {{ cluster.cilium.valuesFile }})
 create_inline_manifest cilium ${CONFIGS}/{{cluster.name}}/cilium.yaml "${CONTENT}"
 {% endif %}
 {%- endfor %}
 # Generate the configuration for each node
 {% for node in nodes -%}
 talosctl gen config {{ node.cluster.name }} https://{{ node.cluster.controlPlaneIp }}:6443 -f \
@@ -17,6 +47,9 @@ talosctl gen config {{ node.cluster.name }} https://{{ node.cluster.controlPlane
 	{% for patch in node.patchesControlPlane -%}
 		--config-patch-control-plane {{ patch|tojson|tojson }} \
 	{% endfor -%}
 	{% if "cilium" in node.cluster -%}
 		--config-patch-control-plane "@${CONFIGS}/{{node.cluster.name}}/cilium.yaml" \
 	{%- endif %}
 	--with-docs=false \
 	--with-examples=false \
 	-o ${CONFIGS}/{{ node.filename }}.yaml
--- a/tools/render
+++ b/tools/render
@@ -3,7 +3,6 @@
 # Adapted from: https://enix.io/en/blog/pxe-talos/
 import base64
 import functools
 import json
 import pathlib
@@ -72,9 +71,6 @@ def tailscale_subnet(gateway: str, netmask: str):
    netmask_bits = IPAddress(netmask).netmask_bits()
    return f"{IPAddress(gateway) & IPAddress(netmask)}/{netmask_bits}"
 def load_secret(path: str):
    with open(path) as f:
        return base64.b64encode(f.read().encode()).decode()
@functools.cache
 def get_schematic_id(schematic: str):
@@ -169,7 +165,7 @@ def main():
    template_args = {
        "config": config,
        "root": ROOT,
-        "helper": {"tailscale_subnet": tailscale_subnet, "load_secret": load_secret},
+        "helper": {"tailscale_subnet": tailscale_subnet},
    }
    nodes = []
--- a/tools/vm
+++ b/tools/vm
@@ -3,9 +3,9 @@ set -euo pipefail
 ROOT=$(git rev-parse --show-toplevel)
 VM_NAME="talos-vm"
-VCPUS="6"
+VCPUS="2"
-RAM_MB="16384"
+RAM_MB="2048"
-DISK_GB="100"
+DISK_GB="10"
 NETWORK=talos
 CONNECTION="qemu:///system"
		`@@ -1,2 +0,0 @@`
			`style = "conventional"`
			`ignore_author_re = "Flux"`