fix multi-cluster contexts with talos

Author: brettinternet

.envrc

@@ -1,13 +1,8 @@
 #shellcheck disable=SC2148,SC2155
-export ANSIBLE_CONFIG=$(expand_path ./ansible.cfg)
-export ANSIBLE_HOST_KEY_CHECKING="False"
+export KUBECONFIG="$(expand_path ./kubeconfig)"
 export SOPS_AGE_KEY_FILE=$(expand_path ~/.config/sops/age/keys.txt)
+
 export LOCAL_ANSIBLE_PYTHON_INTERPRETER=$(which python)
-# Venv
 PATH_add "$(expand_path ./.venv/bin)"
 export VIRTUAL_ENV="$(expand_path ./.venv)"
 export PYTHONDONTWRITEBYTECODE="1"
-# Talos
-export TALOSCONFIG="$(expand_path ./kubernetes/bootstrap/talos/clusterconfig/talosconfig)"
-# Bin
-PATH_add "$(expand_path ./.bin)"

.sops.yaml

@@ -1,12 +1,10 @@
 ---
 creation_rules:
-  - # IMPORTANT: Keep this rule first
-    path_regex: talos/.+\.secret(\.sops)?\.ya?ml
-    input_type: yaml
-    encrypted_regex: ^(token|crt|key|id|secret|secretboxEncryptionSecret|ca)$
+  - # IMPORTANT: This rule MUST be above the others
+    path_regex: talos/.*\.sops\.ya?ml
     key_groups:
       - age:
-          - age148wprsnqjq8jughvywnzmvs8gffhrkendpr7g60q8u4rdsj4jvuqk7ltrs
+          - "age148wprsnqjq8jughvywnzmvs8gffhrkendpr7g60q8u4rdsj4jvuqk7ltrs"
   - path_regex: kubernetes/.*\.sops\.ya?ml
     encrypted_regex: "^(data|stringData)$"
     key_groups:

.taskfiles/kubernetes.yaml

@@ -4,13 +4,14 @@ version: "3"
 
 vars:
   KUBECONFORM_SCRIPT: "{{.SCRIPTS_DIR}}/kubeconform.sh"
+  KUBECTL_CMD: "kubectl --context {{.cluster}}"
 
 tasks:
   resources:
     desc: Gather common resources in your cluster, useful when asking for support
     cmds:
       - for: { var: resource }
-        cmd: kubectl --context {{.cluster}} get {{.ITEM}} {{.CLI_ARGS | default "-A"}}
+        cmd: '{{.KUBECTL_CMD}} get {{.ITEM}} {{.CLI_ARGS | default "-A"}}'
     vars:
       resource: >-
         nodes
@@ -40,8 +41,8 @@ tasks:
   top:
     desc: List top metrics
     cmds:
-      - kubectl --context {{.cluster}} top node
-      - kubectl --context {{.cluster}} top pod -A
+      - "{{.KUBECTL_CMD}} top node"
+      - "{{.KUBECTL_CMD}} top pod -A"
     requires:
       vars: ["cluster"]
 
@@ -53,7 +54,7 @@ tasks:
         ns: Namespace to browse PersistentVolumeClaims in (default: default)
         claim: PersistentVolumeClaim to browse (required)
     interactive: true
-    cmd: kubectl browse-pvc --context {{.cluster}} --namespace {{.ns}} {{.claim}}
+    cmd: "{{.KUBECTL_CMD}} browse-pvc --namespace {{.ns}} {{.claim}}"
     vars:
       ns: '{{.ns | default "default"}}'
     requires:
@@ -65,7 +66,7 @@ tasks:
       Args:
         cluster: Cluster to run command against (required)
         node: Node to drain (required)
-    cmd: kubectl --context {{.cluster}} drain {{.node}} --ignore-daemonsets --delete-local-data --force
+    cmd: "{{.KUBECTL_CMD}} drain {{.node}} --ignore-daemonsets --delete-local-data --force"
     requires:
       vars: ["cluster", "node"]
 
@@ -76,6 +77,6 @@ tasks:
         cluster: Cluster to run command against (required)
     cmds:
       - for: ["Evicted", "Failed", "Succeeded"]
-        cmd: kubectl --context {{.cluster}} delete pods --field-selector status.phase={{.ITEM}} -A --ignore-not-found=true
+        cmd: "{{.KUBECTL_CMD}} delete pods --field-selector status.phase={{.ITEM}} -A --ignore-not-found=true"
     requires:
       vars: ["cluster"]

.taskfiles/talos.yaml

@@ -2,126 +2,114 @@
 # yaml-language-server: $schema=https://taskfile.dev/schema.json
 version: "3"
 
-x-vars: &vars
-  TALOS_VERSION:
-    sh: yq 'select(document_index == 1).spec.postBuild.substitute.TALOS_VERSION' {{.KUBERNETES_DIR}}/{{.cluster}}/apps/system-upgrade/system-upgrade-controller/ks.yaml
-  TALOS_SCHEMATIC_ID:
-    sh: yq 'select(document_index == 1).spec.postBuild.substitute.TALOS_SCHEMATIC_ID' {{.KUBERNETES_DIR}}/{{.cluster}}/apps/system-upgrade/system-upgrade-controller/ks.yaml
-  KUBERNETES_VERSION:
-    sh: yq 'select(document_index == 1).spec.postBuild.substitute.KUBERNETES_VERSION' {{.KUBERNETES_DIR}}/{{.cluster}}/apps/system-upgrade/system-upgrade-controller/ks.yaml
-  CONTROLLER:
-    sh: talosctl --context {{.cluster}} config info --output json | jq --raw-output '.endpoints[]' | shuf -n 1
+vars:
+  BOOTSTRAP_TALOS_DIR: "{{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos"
+  TALHELPER_CLUSTER_DIR: "{{.BOOTSTRAP_TALOS_DIR}}/clusterconfig"
+  TALHELPER_SECRET_FILE: "{{.BOOTSTRAP_TALOS_DIR}}/talsecret.sops.yaml"
+  TALHELPER_CONFIG_FILE: "{{.BOOTSTRAP_TALOS_DIR}}/talconfig.yaml"
+  HELMFILE_FILE: "{{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/helmfile.yaml"
+  TALOSCONFIG_FILE: "{{.TALHELPER_CLUSTER_DIR}}/talosconfig"
+
+env:
+  TALOSCONFIG: "{{.TALOSCONFIG_FILE}}"
 
 tasks:
   bootstrap:
     desc: Bootstrap the Talos cluster
-    dir: "{{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos"
+    dir: "/{{.BOOTSTRAP_TALOS_DIR}}"
     cmds:
       - |
-        if [ ! -f "{{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/talsecret.sops.yaml" ]; then
-            talhelper gensecret > {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/talsecret.sops.yaml
-            sops --encrypt --in-place {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/talsecret.sops.yaml
+        if [ ! -f "{{.TALHELPER_SECRET_FILE}}" ]; then
+            talhelper gensecret > {{.TALHELPER_SECRET_FILE}}
+            sops --encrypt --in-place {{.TALHELPER_SECRET_FILE}}
         fi
-      - talhelper genconfig --config-file {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/talconfig.yaml --secret-file {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/talsecret.sops.yaml --out-dir {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/clusterconfig
-      - talhelper gencommand apply --config-file {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/talconfig.yaml --out-dir {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/clusterconfig --extra-flags="--insecure" | bash
-      - until talhelper gencommand bootstrap --config-file {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/talconfig.yaml --out-dir {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/clusterconfig | bash; do sleep 10; done
+      - talhelper genconfig --config-file {{.TALHELPER_CONFIG_FILE}} --secret-file {{.TALHELPER_SECRET_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}}
+      - talhelper gencommand apply --config-file {{.TALHELPER_CONFIG_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} --extra-flags="--insecure" | bash
+      - until talhelper gencommand bootstrap --config-file {{.TALHELPER_CONFIG_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} | bash; do sleep 10; done
       - task: fetch-kubeconfig
       - task: install-helm-apps
-      - talosctl --context {{.cluster}} health --server=false
+      - task: health
     requires:
       vars: ["cluster"]
     preconditions:
       - msg: Missing talhelper config file
-        sh: test -f {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/talconfig.yaml
+        sh: test -f {{.TALHELPER_CONFIG_FILE}}
       - msg: Missing Sops config file
         sh: test -f {{.SOPS_CONFIG_FILE}}
       - msg: Missing Sops Age key file
         sh: test -f {{.AGE_FILE}}
 
-  fetch-kubeconfig:
-    desc: Fetch kubeconfig
-    dir: "{{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos"
-    cmd: |
-      until talhelper gencommand kubeconfig --config-file {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/talconfig.yaml \
-        --out-dir {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/clusterconfig \
-        --extra-flags="{{.ROOT_DIR}} --force --force-context-name {{.cluster}}" \
-        | bash; do sleep 10; done
+  health:
+    desc: Get Talos cluster health
+    dir: "/{{.BOOTSTRAP_TALOS_DIR}}"
+    cmd: "talosctl health --server=false"
     requires:
       vars: ["cluster"]
     preconditions:
-      - msg: Missing talhelper config file
-        sh: test -f {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/talconfig.yaml
+      - msg: Missing talosconfig
+        sh: test -f {{.TALOSCONFIG_FILE}}
 
-  apply-config:
-    desc: Apply Talos configuration to a node
-    cmd: |
-      sops --decrypt {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/assets/{{.hostname}}.secret.sops.yaml | \
-          envsubst | \
-              talosctl --context {{.cluster}} apply-config --mode={{.mode}} --nodes {{.hostname}} --file /dev/stdin
-    env: *vars
-    vars:
-      mode: '{{.mode | default "no-reboot"}}'
+  fetch-kubeconfig:
+    desc: Fetch kubeconfig
+    dir: "/{{.BOOTSTRAP_TALOS_DIR}}"
+    cmd: until talhelper gencommand kubeconfig --config-file {{.TALHELPER_CONFIG_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} --extra-flags="{{.ROOT_DIR}} --force" | bash; do sleep 10; done
     requires:
-      vars: ["cluster", "hostname"]
+      vars: ["cluster"]
     preconditions:
-      - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig
-      - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/assets/{{.hostname}}.secret.sops.yaml
-      - talosctl --context {{.cluster}} --nodes {{.hostname}} get machineconfig >/dev/null 2>&1
-
+      - msg: Missing talhelper config file
+        sh: test -f {{.TALHELPER_CONFIG_FILE}}
 
   install-helm-apps:
     desc: Bootstrap core apps needed for Talos
-    dir: "{{.KUBERNETES_DIR}}/bootstrap/talos"
+    dir: "/{{.BOOTSTRAP_TALOS_DIR}}"
     cmds:
-      - until kubectl --kube-context {{.cluster}} wait --for=condition=Ready=False nodes --all --timeout=600s; do sleep 10; done
-      - helmfile --kube-context {{.cluster}} --file {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/helmfile.yaml apply --skip-diff-on-install --suppress-diff
-      - until kubectl --kube-context {{.cluster}} wait --for=condition=Ready nodes --all --timeout=600s; do sleep 10; done
+      - until kubectl --kubeconfig {{.KUBECONFIG_FILE}} wait --for=condition=Ready=False nodes --all --timeout=600s; do sleep 10; done
+      - helmfile --kubeconfig {{.KUBECONFIG_FILE}} --file {{.HELMFILE_FILE}} apply --skip-diff-on-install --suppress-diff
+      - until kubectl --kubeconfig {{.KUBECONFIG_FILE}} wait --for=condition=Ready nodes --all --timeout=600s; do sleep 10; done
     requires:
       vars: ["cluster"]
     preconditions:
-      - msg: Missing talosconfig
-        sh: test -f {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig
-      - msg: Unable to retrieve Talos config
-        sh: talosctl --context {{.cluster}} config info >/dev/null 2>&1
+      - msg: Missing kubeconfig
+        sh: test -f {{.KUBECONFIG_FILE}}
       - msg: Missing helmfile
-        sh: test -f {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/helmfile.yaml
+        sh: test -f {{.HELMFILE_FILE}}
 
   upgrade:
     desc: Upgrade Talos on a node
-    dir: "{{.KUBERNETES_DIR}}/bootstrap/talos"
+    dir: "/{{.BOOTSTRAP_TALOS_DIR}}"
     cmds:
-      - talosctl --context {{.cluster}} --nodes {{.node}} upgrade --image {{.image}} --wait=true --timeout=10m --preserve=true --reboot-mode={{.mode}}
-      - talosctl --context {{.cluster}} --nodes {{.node}} health --wait-timeout=10m --server=false
+      - "talosctl --nodes {{.node}} upgrade --image {{.image}} --wait=true --timeout=10m --preserve=true --reboot-mode={{.mode}}"
+      - "talosctl --nodes {{.node}} health --wait-timeout=10m --server=false"
     vars:
       mode: '{{.mode | default "default"}}'
     requires:
       vars: ["cluster", "node", "image"]
     preconditions:
       - msg: Missing talosconfig
-        sh: test -f {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig
+        sh: test -f {{.TALOSCONFIG_FILE}}
       - msg: Unable to retrieve Talos config
-        sh: talosctl --context {{.cluster}} config info >/dev/null 2>&1
+        sh: "talosctl config info >/dev/null 2>&1"
       - msg: Node not found
-        sh: talosctl --context {{.cluster}} --nodes {{.node}} get machineconfig >/dev/null 2>&1
+        sh: "talosctl --nodes {{.node}} get machineconfig >/dev/null 2>&1"
 
   upgrade-k8s:
     desc: Upgrade Kubernetes across the cluster
-    dir: "{{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos"
-    cmd: talosctl --context {{.cluster}} --nodes {{.controller}} upgrade-k8s --to {{.to}}
+    dir: "/{{.BOOTSTRAP_TALOS_DIR}}"
+    cmd: "talosctl --nodes {{.controller}} upgrade-k8s --to {{.to}}"
     requires:
       vars: ["cluster", "controller", "to"]
     preconditions:
       - msg: Missing talosconfig
-        sh: test -f {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig
+        sh: test -f {{.TALOSCONFIG_FILE}}
       - msg: Unable to retrieve Talos config
-        sh: talosctl --context {{.cluster}} config info >/dev/null 2>&1
+        sh: "talosctl config info >/dev/null 2>&1"
       - msg: Node not found
-        sh: talosctl --context {{.cluster}} --nodes {{.controller}} get machineconfig >/dev/null 2>&1
+        sh: "talosctl --nodes {{.controller}} get machineconfig >/dev/null 2>&1"
 
-  nuke:
+  destroy:
     desc: Resets nodes back to maintenance mode
-    dir: "{{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos"
+    dir: "/{{.BOOTSTRAP_TALOS_DIR}}"
     prompt: This will destroy your cluster and reset the nodes back to maintenance mode... continue?
-    cmd: talhelper gencommand reset --config-file {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/talconfig.yaml --out-dir {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/talos/clusterconfig --extra-flags="--reboot {{- if eq .CLI_FORCE false }} --system-labels-to-wipe STATE --system-labels-to-wipe EPHEMERAL{{ end }} --graceful=false --wait=false" | bash
+    cmd: talhelper gencommand reset --config-file {{.TALHELPER_CONFIG_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} --extra-flags="--reboot {{- if eq .CLI_FORCE false }} --system-labels-to-wipe STATE --system-labels-to-wipe EPHEMERAL{{ end }} --graceful=false --wait=false" | bash
     requires:
       vars: ["cluster"]

README.md

@@ -42,7 +42,7 @@ task talos:bootstrap
 Install flux.
 
 ```sh
-task flux:{verify,github-deploy-key,bootstrap}
+task flux:{verify,bootstrap}
 ```
 
 Verify the installation.
@@ -55,6 +55,26 @@ kubectl -n flux-system get pods -o wide
 task kubernetes:resources
 ```
 
+#### Github Webhook
+
+Setup a webook to reconcile flux when changes are pushed to Github. Note: this only works with Let's Encrypt Production certificates.
+
+Get webook path:
+
+```sh
+kubectl -n flux-system get receiver github-receiver -o jsonpath='{.status.webhookPath}'
+```
+
+Append to self-hosted domain:
+
+```text
+https://flux-webhook.${DOMAIN}/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123
+```
+
+Generate a webook token `openssl rand -hex 16` and add to secret: `kubernetes/<cluster>/apps/flux-system/webhooks/app/github/secret.sops.yaml`.
+
+Add the webook to the repository's "Settings/Webhooks" > "Add webhook" button. Add the URL and token.
+
 ### Deployments
 
 Most helm deployments in this repo utilize this useful [`app-template` chart](https://github.com/bjw-s/helm-charts).

kubernetes/main/bootstrap/talos/clusterconfig/.gitignore

@@ -0,0 +1,8 @@
+homelab-k-0.yaml
+homelab-k-1.yaml
+homelab-k-2.yaml
+homelab-k-3.yaml
+homelab-k-4.yaml
+homelab-k-5.yaml
+homelab-k-6.yaml
+talosconfig

kubernetes/main/bootstrap/talos/patches/controller/api-access.yaml

@@ -0,0 +1,8 @@
+machine:
+  features:
+    kubernetesTalosAPIAccess:
+      enabled: true
+      allowedRoles:
+        - os:admin
+      allowedKubernetesNamespaces:
+        - system-upgrade

kubernetes/main/bootstrap/talos/patches/controller/cluster.yaml

@@ -0,0 +1,12 @@
+cluster:
+  allowSchedulingOnControlPlanes: true
+  controllerManager:
+    extraArgs:
+      bind-address: 0.0.0.0
+  coreDNS:
+    disabled: true
+  proxy:
+    disabled: true
+  scheduler:
+    extraArgs:
+      bind-address: 0.0.0.0

kubernetes/main/bootstrap/talos/patches/controller/disable-admission-controller.yaml

@@ -0,0 +1,2 @@
+- op: remove
+  path: /cluster/apiServer/admissionControl

kubernetes/main/bootstrap/talos/patches/controller/etcd.yaml

@@ -0,0 +1,6 @@
+cluster:
+  etcd:
+    extraArgs:
+      listen-metrics-urls: http://0.0.0.0:2381
+    advertisedSubnets:
+      - 10.1.2.0/24

kubernetes/main/bootstrap/talos/patches/global/cluster-discovery.yaml

@@ -0,0 +1,7 @@
+cluster:
+  discovery:
+    registries:
+      kubernetes:
+        disabled: false
+      service:
+        disabled: false

kubernetes/main/bootstrap/talos/patches/global/containerd.yaml

@@ -0,0 +1,12 @@
+machine:
+  files:
+    - op: create
+      path: /etc/cri/conf.d/20-customization.part
+      content: |-
+        [plugins."io.containerd.grpc.v1.cri"]
+          enable_unprivileged_ports = true
+          enable_unprivileged_icmp = true
+        [plugins."io.containerd.grpc.v1.cri".containerd]
+          discard_unpacked_layers = false
+        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+          discard_unpacked_layers = false

kubernetes/main/bootstrap/talos/patches/global/disable-search-domain.yaml

@@ -0,0 +1,3 @@
+machine:
+  network:
+    disableSearchDomain: true

kubernetes/main/bootstrap/talos/patches/global/hostdns.yaml

@@ -0,0 +1,6 @@
+machine:
+  features:
+    hostDNS:
+      enabled: true
+      resolveMemberNames: true
+      forwardKubeDNSToHost: false

kubernetes/main/bootstrap/talos/patches/global/kubelet.yaml

@@ -0,0 +1,7 @@
+machine:
+  kubelet:
+    extraArgs:
+      rotate-server-certificates: true
+    nodeIP:
+      validSubnets:
+        - 10.1.2.0/24

kubernetes/main/bootstrap/talos/patches/global/openebs-local.yaml

@@ -0,0 +1,10 @@
+machine:
+  kubelet:
+    extraMounts:
+      - destination: /var/openebs/local
+        type: bind
+        source: /var/openebs/local
+        options:
+          - bind
+          - rshared
+          - rw