diff --git a/.github/renovate.json b/.github/renovate.json index 0d9a264a..671c24c2 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -62,6 +62,18 @@ "packageNameTemplate": "windsorcli/blueprint", "lookupNameTemplate": "windsorcli/blueprint", "versioningTemplate": "semver" + }, + { + "customType": "regex", + "fileMatch": ["^.*\\.ya?ml$", "^.*\\.tf$", "^.*\\.tfvars$"], + "matchStrings": [ + "\\s*#\\s*renovate:\\s*datasource=(?[^\\s]+)\\s*depName=(?[^\\s]+)\\s*package=(?[^\\s]+)(\\s*helmRepo=(?[^\\s]+))?.*\n.*(?\\d+\\.\\d+\\.\\d+(-[a-zA-Z0-9]+)?)" + ], + "versioningTemplate": "semver", + "datasourceTemplate": "{{datasource}}", + "registryUrlTemplate": "{{#if helmRepo}}{{helmRepo}}{{/if}}", + "packageNameTemplate": "{{package}}", + "depNameTemplate": "{{depName}}" } ], "platformAutomerge": true, diff --git a/contexts/local/Corefile b/contexts/local/Corefile deleted file mode 100644 index e6ed417c..00000000 --- a/contexts/local/Corefile +++ /dev/null @@ -1,18 +0,0 @@ - -test:53 { - hosts { - 10.5.0.2 controlplane-1.test - 10.5.0.9 registry-1.docker.test - 10.5.0.10 registry.k8s.test - 10.5.0.3 dns.test - 10.5.0.6 git.test - 10.5.0.4 gcr.test - 10.5.0.8 registry.test - 10.5.0.11 worker-1.test - 10.5.0.5 ghcr.test - 10.5.0.7 quay.test - fallthrough - } - - forward . 1.1.1.1 8.8.8.8 -} diff --git a/contexts/local/blueprint.yaml b/contexts/local/blueprint.yaml index ccca8838..492ec205 100644 --- a/contexts/local/blueprint.yaml +++ b/contexts/local/blueprint.yaml @@ -12,10 +12,17 @@ sources: - name: core url: github.com/windsorcli/core ref: - tag: v0.1.1 + tag: v0.1.2 terraform: -- path: cluster/talos -- path: gitops/flux +- source: core + path: cluster/talos +- source: core + path: gitops/flux kustomize: - name: local path: "" +- name: ingress-base + path: ingress/base + components: + - nginx + - nginx/nodeport diff --git a/contexts/local/compose.yaml b/contexts/local/compose.yaml deleted file mode 100644 index 442fc931..00000000 
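Review bot: `registryUrlTemplate` takes its value verbatim from the `helmRepo=` token of a `# renovate:` comment, and `fileMatch` admits every `.yaml`/`.yml`/`.tf`/`.tfvars` file in the repository, so whoever can land such a comment in any matching file can steer Renovate to a registry of their choosing; with `"platformAutomerge": true` visible as context, a version bump sourced from that registry may merge without a human look. Narrowing `fileMatch` to the directories that actually carry these annotations, e.g. `"fileMatch": ["^kustomize/.+\\.ya?ml$", "^contexts/.+\\.tf(vars)?$"]`, and keeping the regex manager out of automerge would contain that. As rendered, the capture groups read `(?[^\\s]+)` with no group names, so `{{datasource}}`, `{{depName}}`, `{{package}}`, `{{helmRepo}}` and the `currentValue` group would not resolve; this is probably markup stripped from the page, but it is worth confirming with `renovate-config-validator` before relying on it.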
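Review bot: `ref: tag: v0.1.2` pins the `core` source to a mutable git tag, and the new `source: core` entries make both terraform modules (`cluster/talos`, `gitops/flux`) resolve through it, so a moved tag silently changes what gets applied to the cluster. If the blueprint `ref` accepts a commit hash (as the underlying Flux `GitRepository` does), prefer that; otherwise record the commit the tag was verified at in a comment next to `tag: v0.1.2` so a drift is at least detectable.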
--- a/contexts/local/compose.yaml
+++ /dev/null
@@ -1,241 +0,0 @@ -services: - controlplane-1.test: - container_name: controlplane-1.test - environment: - PLATFORM: container - TALOSSKU: 2CPU-2048RAM - hostname: controlplane-1.test - image: ghcr.io/siderolabs/talos:v1.9.2 - networks: - windsor-local: - ipv4_address: 10.5.0.2 - privileged: true - read_only: true - restart: always - security_opt: - - seccomp=unconfined - tmpfs: - - /run - - /system - - /tmp - volumes: - - type: volume - source: controlplane_1_system_state - target: /system/state - - type: volume - source: controlplane_1_var - target: /var - - type: volume - source: controlplane_1_etc_cni - target: /etc/cni - - type: volume - source: controlplane_1_etc_kubernetes - target: /etc/kubernetes - - type: volume - source: controlplane_1_usr_libexec_kubernetes - target: /usr/libexec/kubernetes - - type: volume - source: controlplane_1_opt - target: /opt - dns.test: - command: - - -conf - - /etc/coredns/Corefile - container_name: dns.test - image: coredns/coredns:1.12.0 - labels: - context: local - managed_by: windsor - role: dns - networks: - windsor-local: - ipv4_address: 10.5.0.3 - restart: always - volumes: - - type: bind - source: ./Corefile - target: /etc/coredns/Corefile - gcr.test: - container_name: gcr.test - environment: - REGISTRY_PROXY_REMOTEURL: https://gcr.io - image: registry:2.8.3 - labels: - context: local - managed_by: windsor - role: registry - networks: - windsor-local: - ipv4_address: 10.5.0.4 - restart: always - volumes: - - type: bind - source: /Users/ryanvangundy/Developer/windsorcli/core/.docker-cache - target: /var/lib/registry - ghcr.test: - container_name: ghcr.test - environment: - REGISTRY_PROXY_REMOTEURL: https://ghcr.io - image: registry:2.8.3 - labels: - context: local - managed_by: windsor - role: registry - networks: - windsor-local: - ipv4_address: 10.5.0.5 - restart: always - volumes: - - type: bind - source: /Users/ryanvangundy/Developer/windsorcli/core/.docker-cache - target: /var/lib/registry - git.test: - 
container_name: git.test - environment: - GIT_PASSWORD: local - GIT_USERNAME: local - RSYNC_EXCLUDE: .docker-cache,.terraform,data,.volumes,.tf_modules,.venv - RSYNC_PROTECT: flux-system - VERIFY_SSL: "false" - WEBHOOK_URL: http://flux-webhook.private.test - image: ghcr.io/windsorcli/git-livereload-server:v0.2.1 - labels: - context: local - managed_by: windsor - role: git-repository - networks: - windsor-local: - ipv4_address: 10.5.0.6 - restart: always - volumes: - - type: bind - source: ${WINDSOR_PROJECT_ROOT} - target: /repos/mount/core - quay.test: - container_name: quay.test - environment: - REGISTRY_PROXY_REMOTEURL: https://quay.io - image: registry:2.8.3 - labels: - context: local - managed_by: windsor - role: registry - networks: - windsor-local: - ipv4_address: 10.5.0.7 - restart: always - volumes: - - type: bind - source: /Users/ryanvangundy/Developer/windsorcli/core/.docker-cache - target: /var/lib/registry - registry-1.docker.test: - container_name: registry-1.docker.test - environment: - REGISTRY_PROXY_LOCALURL: https://docker.io - REGISTRY_PROXY_REMOTEURL: https://registry-1.docker.io - image: registry:2.8.3 - labels: - context: local - managed_by: windsor - role: registry - networks: - windsor-local: - ipv4_address: 10.5.0.9 - restart: always - volumes: - - type: bind - source: /Users/ryanvangundy/Developer/windsorcli/core/.docker-cache - target: /var/lib/registry - registry.k8s.test: - container_name: registry.k8s.test - environment: - REGISTRY_PROXY_REMOTEURL: https://registry.k8s.io - image: registry:2.8.3 - labels: - context: local - managed_by: windsor - role: registry - networks: - windsor-local: - ipv4_address: 10.5.0.10 - restart: always - volumes: - - type: bind - source: /Users/ryanvangundy/Developer/windsorcli/core/.docker-cache - target: /var/lib/registry - registry.test: - container_name: registry.test - image: registry:2.8.3 - labels: - context: local - managed_by: windsor - role: registry - networks: - windsor-local: - ipv4_address: 
10.5.0.8 - restart: always - volumes: - - type: bind - source: /Users/ryanvangundy/Developer/windsorcli/core/.docker-cache - target: /var/lib/registry - worker-1.test: - container_name: worker-1.test - environment: - PLATFORM: container - TALOSSKU: 4CPU-4096RAM - hostname: worker-1.test - image: ghcr.io/siderolabs/talos:v1.9.2 - networks: - windsor-local: - ipv4_address: 10.5.0.11 - privileged: true - read_only: true - restart: always - security_opt: - - seccomp=unconfined - tmpfs: - - /run - - /system - - /tmp - volumes: - - type: volume - source: worker_1_system_state - target: /system/state - - type: volume - source: worker_1_var - target: /var - - type: volume - source: worker_1_etc_cni - target: /etc/cni - - type: volume - source: worker_1_etc_kubernetes - target: /etc/kubernetes - - type: volume - source: worker_1_usr_libexec_kubernetes - target: /usr/libexec/kubernetes - - type: volume - source: worker_1_opt - target: /opt - - type: bind - source: ${WINDSOR_PROJECT_ROOT}/.volumes - target: /var/local -networks: - windsor-local: - driver: bridge - ipam: - driver: default - config: - - subnet: 10.5.0.0/16 -volumes: - controlplane_1_etc_cni: {} - controlplane_1_etc_kubernetes: {} - controlplane_1_opt: {} - controlplane_1_system_state: {} - controlplane_1_usr_libexec_kubernetes: {} - controlplane_1_var: {} - worker_1_etc_cni: {} - worker_1_etc_kubernetes: {} - worker_1_opt: {} - worker_1_system_state: {} - worker_1_usr_libexec_kubernetes: {} - worker_1_var: {} diff --git a/contexts/local/terraform/cluster/talos.tfvars b/contexts/local/terraform/cluster/talos.tfvars index 015da69a..d5fd34f4 100644 --- a/contexts/local/terraform/cluster/talos.tfvars +++ b/contexts/local/terraform/cluster/talos.tfvars 
@@ -1,7 +1,8 @@ // Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten. +// Module source: github.com/windsorcli/core//terraform/cluster/talos?ref=v0.1.2 // The external controlplane API endpoint of the kubernetes API -cluster_endpoint = "https://10.5.0.2:6443" +cluster_endpoint = "https://127.0.0.1:6443" // The name of the cluster cluster_name = "talos" @@ -12,47 +13,55 @@ cluster: apiServer: certSANs: - localhost - - 10.5.0.2 + - 127.0.0.1 + extraManifests: + - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/v0.8.7/deploy/standalone-install.yaml machine: certSANs: - localhost - - 10.5.0.2 + - 127.0.0.1 features: hostDNS: forwardKubeDNSToHost: true + kubelet: + extraArgs: + rotate-server-certificates: "true" network: interfaces: - ignore: true interface: eth0 registries: mirrors: - gcr.test: + gcr.io: endpoints: - - https://gcr.io - ghcr.test: + - http://gcr.test:5000 + ghcr.io: endpoints: - - https://ghcr.io - quay.test: + - http://ghcr.test:5000 + quay.io: endpoints: - - https://quay.io - registry-1.docker.test: + - http://quay.test:5000 + registry-1.docker.io: endpoints: - - https://docker.io - registry.k8s.test: + - http://registry-1.docker.test:5000 + registry.k8s.io: endpoints: - - https://registry.k8s.io + - http://registry.k8s.test:5000 + registry.test: + endpoints: + - http://registry.test:5000 EOF // Machine config details for control planes controlplanes = [{ - endpoint = "10.5.0.2:50000" + endpoint = "127.0.0.1:50000" hostname = "controlplane-1.test" - node = "10.5.0.2" + node = "127.0.0.1" }] // Machine config details for workers workers = [{ - endpoint = "10.5.0.11:50000" + endpoint = "127.0.0.1:50001" hostname = "worker-1.test" - node = "10.5.0.11" + node = "127.0.0.1" }] diff --git a/contexts/local/terraform/gitops/flux.tfvars b/contexts/local/terraform/gitops/flux.tfvars index 9b13a4ef..559c9708 100644 --- a/contexts/local/terraform/gitops/flux.tfvars 
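Review bot: `extraManifests` fetches `.../kubelet-serving-cert-approver/v0.8.7/deploy/standalone-install.yaml` from raw.githubusercontent.com by git tag; the Talos control plane applies these manifests during bootstrap (effectively with cluster-admin), and a tag can be moved, so the cluster trusts whatever that URL serves at boot time. Pin the path to the commit the v0.8.7 tag resolves to (`https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/<commit-sha>/deploy/standalone-install.yaml`) or vendor the manifest into the repository. The registry mirrors are now `http://…:5000` endpoints, which is acceptable for this throwaway local context but means pulls by tag trust the proxy over plaintext; a comment such as `# plaintext mirrors: local dev only, do not copy into non-local contexts` above `mirrors:` would keep the block from being copied verbatim into another context file.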
+++ b/contexts/local/terraform/gitops/flux.tfvars @@ -1,3 +1,8 @@ // Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten. -git_username = "local" +// Module source: github.com/windsorcli/core//terraform/gitops/flux?ref=v0.1.2 + +// The git password or PAT used to authenticate with the git provider git_password = "local" + +// The git user to use to authenticate with the git provider +git_username = "local" diff --git a/kustomize/ingress/base/kustomization.yaml b/kustomize/ingress/base/kustomization.yaml new file mode 100644 index 00000000..736967b1 --- /dev/null +++ b/kustomize/ingress/base/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - namespace.yaml diff --git a/kustomize/ingress/base/namespace.yaml b/kustomize/ingress/base/namespace.yaml new file mode 100644 index 00000000..30be8390 --- /dev/null +++ b/kustomize/ingress/base/namespace.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: system-ingress + labels: + pod-security.kubernetes.io/enforce: baseline + pod-security.kubernetes.io/audit: baseline + pod-security.kubernetes.io/warn: baseline diff --git a/kustomize/ingress/base/nginx/helm-release.yaml b/kustomize/ingress/base/nginx/helm-release.yaml new file mode 100644 index 00000000..a3c486d4 --- /dev/null +++ b/kustomize/ingress/base/nginx/helm-release.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: ingress-nginx-controller + namespace: system-ingress +spec: + interval: 5m + timeout: 10m + chart: + spec: + chart: ingress-nginx + # renovate: datasource=helm depName=ingress-nginx package=ingress-nginx helmRepo=https://kubernetes.github.io/ingress-nginx + version: 4.12.0 + sourceRef: + kind: HelmRepository + name: ingress-nginx + namespace: system-ingress diff --git a/kustomize/ingress/base/nginx/helm-repository.yaml b/kustomize/ingress/base/nginx/helm-repository.yaml new file mode 100644 index 00000000..04e7fa47 
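Review bot: `git_password = "local"` is a credential committed in a tfvars file, and the new comment above it explicitly invites a PAT to be placed there; for the local context the literal is harmless, but this file is the template a non-local context would be copied from. Pass the value out-of-band instead (`TF_VAR_git_password`, or a `-var-file` kept out of git) and leave only the comment in the committed file; the module presumably declares the variable `sensitive = true`, which is worth confirming since the module itself is not in this change.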
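Review bot: Pod Security for `system-ingress` is set to `baseline` on all three modes, so nothing surfaces what the ingress controller pods would need in order to run under `restricted`. Keep `pod-security.kubernetes.io/enforce: baseline` but raise the non-blocking modes, `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted`; that costs nothing at runtime and reports in warnings/audit logs which chart values would have to change before enforcement can be tightened.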
--- /dev/null +++ b/kustomize/ingress/base/nginx/helm-repository.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: ingress-nginx + namespace: system-ingress +spec: + interval: 10m + timeout: 3m + url: https://kubernetes.github.io/ingress-nginx diff --git a/kustomize/ingress/base/nginx/kustomization.yaml b/kustomize/ingress/base/nginx/kustomization.yaml new file mode 100644 index 00000000..c21e0b5c --- /dev/null +++ b/kustomize/ingress/base/nginx/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - helm-release.yaml + - helm-repository.yaml diff --git a/kustomize/ingress/base/nginx/nodeport/kustomization.yaml b/kustomize/ingress/base/nginx/nodeport/kustomization.yaml new file mode 100644 index 00000000..8138d116 --- /dev/null +++ b/kustomize/ingress/base/nginx/nodeport/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - path: patches/helm-release.yaml diff --git a/kustomize/ingress/base/nginx/nodeport/patches/helm-release.yaml b/kustomize/ingress/base/nginx/nodeport/patches/helm-release.yaml new file mode 100644 index 00000000..f64bce6a --- /dev/null +++ b/kustomize/ingress/base/nginx/nodeport/patches/helm-release.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: ingress-nginx-controller + namespace: system-ingress +spec: + values: + controller: + service: + type: NodePort + nodePorts: + http: 30080 + https: 30443 diff --git a/windsor.yaml b/windsor.yaml index bf809f3b..8c80daaf 100644 --- a/windsor.yaml +++ b/windsor.yaml @@ -25,7 +25,7 @@ contexts: password: local webhook_url: http://flux-webhook.private.test verify_ssl: false - image: ghcr.io/windsorcli/git-livereload:v0.1.0 + image: ghcr.io/windsorcli/git-livereload:v0.1.1 terraform: enabled: true backend: local
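Review bot: `apiVersion: source.toolkit.fluxcd.io/v1beta2` on the `HelmRepository` is the deprecated beta API, while the paired `HelmRelease` in this change already uses `helm.toolkit.fluxcd.io/v2`, which only exists from Flux 2.3 — the same release that promoted `HelmRepository` to `source.toolkit.fluxcd.io/v1`. Use `apiVersion: source.toolkit.fluxcd.io/v1` here so both objects target GA APIs and the repository definition survives removal of the beta versions.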