Merge pull request #4 from jaxxstorm/homelab

Homelab

clusters/homelab/cluster.jsonnet

@@ -8,7 +8,28 @@
   },
   _components+: {
     sealed_secrets: { path: 'components/sealed_secrets' },
+    metallb: { path: 'components/metallb' },
+    nginx_ingress: { path: 'components/nginx_ingress' },
   },
 
   sealed_secrets+: (import 'sealed-secret.key'),
+  metallb+: {
+    addresses: ['192.168.1.250-192.168.1.254'],
+  },
+  external_dns+: {
+    extraEnv: {
+      CF_API_KEY: 'AgCgrv1ZTNkFgTltvs64JPYXFj4/4E9qfejWpN4prz+/PYeE2QW9ChSHX9Xn4fYDk5iOo7UFl4ay/rr7B60sSmfabcpB/fir9zGGk3BCcPGgaQu2fZEjxR9rDc9hKr6kAkOR7dczaOYRt2jvcN+0naLbAAMi+l0FzIhjBUKTgEm98n2QvCUHclETR/h0P5V6zcDE/+T04fEdopG0Poh966GtUSZqV/zPp76uUOjTpWca3k3Vdx4clW3mezitq8yRsEkqYo0cuOGpopvdMDGgyKlbpczoQPHora4BwCqsBu+fZhuNxy9Duhtu9cSzGbJ2QeU7Wl/lwmUD3+/RCKShZTTAVNI6zyXQWu1Qb8eJlSsNJ5ZnQJEk5n3KUGtN9USDSLjJseyuTQmz8ohIjcbRsGn7rC78vwxUdewquiq46njgJHg0HjTlHHPuh6sZxNaQeZaj/emIO+2QNE5mfM8JgzOD01wLNXSb2U0L2m2C/Bl0HU2a++EoJANg9PD3axog+6Gd7W5f4oaUGzSgF6ShIOCk/OboO7+JKj7kGJ1ef/g1hDxWDTBa1JEn7+ZA4taunHug2zFmQq8nm38ZpM035jAlgvVlLIMSGsISfQuoSewkvWo8yW0jN4w3cBI4tfCqGd3JfstYt+KzmcGNBj1SBJsGvIxvf+VBOchqdV1wi4knSdnxpOtbN2dx8snR4nWKYKNiDROcqaXeYa8ed9kF8C32xHckfeycuoRQlwNckgbBjZeuT7/+',
+      CF_API_EMAIL: 'AgC5co+qqrPTRLidzdMWPi0mw8kYLyeyGTiX9Gwuz+LohmB+cxbs4arVa4w3aZfuC5CHnkbwCTyIb3Ia1ZGDZQHuNjA6+xPCO0+Yxk42qErdRnRo7BvZQko3C3PsC0xO9++/jKmnWfsigxZIxmyGBQlq0j0RHa24mUSdsUnT6P4Oealu6b66cfim8fnitWVQxMsq/Q2UTThF9oZM4aXZbujy6afVth+9nsqyKrtyfTMt9ypEumtEy79P8IiB/pGkq+A7ULZuhp1DSulP9NyxFvJ1WUdDEsU+eZOiN27KxAZfaMOHMm1DrHjmtFShEjeA5yTd46XSCsx0O61MIhVkhr8YpfkH/PEKQFhUlIgz/h7ypnO5YLgMZUemqdPrD8jsvd5PbvjI/UnmiiAP6zgXxIdwPQEla6waUqzVZrfJdXSOfgcyVuklbg5ueXZn4L2w+Q6jNxJIq+7RR07uNCbyULK0y4k5a14T1kEjKd5eqOWzX0CHrCH9GgWl75NXB96PKa93Mv6XNJIJPxQiC9f9xVG5jJ3mNFfB649VLCtZy+bgYlMq6rJZ0qRv/mgw8SQHzvzOMRKVYNXwyoplu8k+7Huhh7NLJqPJnzfCwuLgmuyx2yedh635QvhPY89V+FUrTxmimkkoUMeHY1Y742xp1bIWI9mqOxBiH2paOUbdaRfWvbkTC+U5idc0pjXMXkZMYLG4vVTjx28JG6a5UwoS0b26cF8h',
+    },
+
+    provider: 'cloudflare',
+    txtPrefix: 'homelab',
+    txtOwnerId: 'lbrlabs',
+    domainFilters: [
+      'lbrlabs.com',
+      'briggs.io',
+      'briggs.work',
+    ],
+    tolerateMasters: true,
+  },
 }

components/external_dns/external-dns-values.jsonnet

@@ -9,7 +9,8 @@ local config = std.extVar('kr8');
   aws: {} + if std.objectHas(config, 'aws') then config.aws else {},
   extraEnv: {} + if std.objectHas(config, 'extraEnv') then config.extraEnv else {},
   [if config.tolerateMasters then 'nodeSelector']: {
-    'node-role.kubernetes.io/master': '',
+    //'node-role.kubernetes.io/master': '',
+    'node-role.kubernetes.io/controlplane': 'true',
   },
   [if config.tolerateMasters then 'tolerations']: [
       {

components/ark/01_namespace.jsonnet → components/metallb/01_namespace.jsonnet

@@ -5,9 +5,6 @@ local config = std.extVar('kr8');
 [
   kube.Namespace(config.namespace) {
     metadata+: {
-      annotations+: {
-        'iam.amazonaws.com/permitted': 'kiam-role-techops-ark-.*',
-      },
     },
   },
 ]

components/metallb/Taskfile.yml

@@ -0,0 +1,24 @@
+version: 2
+
+vars:
+  KR8_COMPONENT: metallb
+  CHART_VER: 0.8.3
+  CHART_NAME: metallb
+
+
+tasks:
+  fetch:
+    desc: "fetch component dependencies"
+    cmds:
+      - rm -fr vendored; mkdir -p vendored
+      - helm fetch --repo https://kubernetes-charts.storage.googleapis.com --untar --untardir ./charts --version "{{.CHART_VER}}" "{{.CHART_NAME}}"
+
+
+  generate:
+    desc: "generate"
+    cmds:
+      - KR8_COMPONENT={{.KR8_COMPONENT}} kr8-helpers clean-output
+      - KR8_COMPONENT={{.KR8_COMPONENT}} kr8-helpers jsonnet-render 01_namespace.jsonnet
+      - KR8_COMPONENT={{.KR8_COMPONENT}} kr8-helpers jsonnet-render config.jsonnet
+      - KR8_COMPONENT={{.KR8_COMPONENT}} kr8-helpers helm-render "{{.CHART_NAME}}"
+

components/metallb/charts/metallb/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

components/metallb/charts/metallb/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+appVersion: 0.7.3
+description: MetalLB is a load-balancer implementation for bare metal Kubernetes clusters
+home: https://metallb.universe.tf
+icon: https://metallb.universe.tf/images/logo.png
+keywords:
+- load-balancer
+- balancer
+- lb
+- bgp
+- arp
+- vrrp
+- vip
+maintainers:
+- email: dave@natulte.net
+  name: danderson
+name: metallb
+version: 0.8.3

components/metallb/charts/metallb/README.md

@@ -0,0 +1,115 @@
+MetalLB
+-------
+
+MetalLB is a load-balancer implementation for bare metal [Kubernetes][k8s-home]
+clusters, using standard routing protocols.
+
+TL;DR;
+------
+
+```console
+$ helm install --name metallb stable/metallb
+```
+
+Introduction
+------------
+
+This chart bootstraps a [MetalLB][metallb-home] installation on
+a [Kubernetes][k8s-home] cluster using the [Helm][helm-home] package manager.
+This chart provides an implementation for LoadBalancer Service objects.
+
+MetalLB is a cluster service, and as such can only be deployed as a
+cluster singleton. Running multiple installations of MetalLB in a
+single cluster is not supported.
+
+Prerequisites
+-------------
+
+-  Kubernetes 1.9+
+
+Installing the Chart
+--------------------
+
+The chart can be installed as follows:
+
+```console
+$ helm install --name metallb stable/metallb
+```
+
+The command deploys MetalLB on the Kubernetes cluster. This chart does
+not provide a default configuration; MetalLB will not act on your
+Kubernetes Services until you provide
+one. The [configuration](#configuration) section lists various ways to
+provide this configuration.
+
+Uninstalling the Chart
+----------------------
+
+To uninstall/delete the `metallb` deployment:
+
+```console
+$ helm delete metallb
+```
+
+The command removes all the Kubernetes components associated with the
+chart, but will not remove the release metadata from `helm` — this will prevent
+you, for example, if you later try to create a release also named `metallb`). To
+fully delete the release and release history, simply [include the `--purge`
+flag][helm-usage]:
+
+```console
+$ helm delete --purge metallb
+```
+
+Configuration
+-------------
+
+See `values.yaml` for configuration notes. Specify each parameter
+using the `--set key=value[,key=value]` argument to `helm
+install`. For example,
+
+```console
+$ helm install --name metallb \
+  --set rbac.create=false \
+    stable/metallb
+```
+
+The above command disables the use of RBAC rules.
+
+Alternatively, a YAML file that specifies the values for the above
+parameters can be provided while installing the chart. For example,
+
+```console
+$ helm install --name metallb -f values.yaml stable/metallb
+```
+
+By default, this chart does not install a configuration for MetalLB, and simply
+warns you that you must follow [the configuration instructions on MetalLB's
+website][metallb-config] to create an appropriate ConfigMap.
+
+If you have a more complex configuration and want Helm to manage it for you, you
+can provide it in the `config` parameter. The configuration format is
+[documented on MetalLB's website][metallb-config].
+
+```console
+$ cat values.yaml
+configInline:
+  peers:
+  - peer-address: 10.0.0.1
+    peer-asn: 64512
+    my-asn: 64512
+  address-pools:
+  - name: default
+    protocol: bgp
+    cidr:
+    - 198.51.100.0/24
+
+$ helm install --name metallb -f values.yaml stable/metallb
+```
+
+[helm-home]: https://helm.sh
+[helm-usage]: https://docs.helm.sh/using_helm/
+[k8s-home]: https://kubernetes.io
+[metallb-arpndp-concepts]: https://metallb.universe.tf/concepts/arp-ndp/
+[metallb-config]: https://metallb.universe.tf/configuration/
+[metallb-home]: https://metallb.universe.tf

components/metallb/charts/metallb/templates/NOTES.txt

@@ -0,0 +1,11 @@
+
+MetalLB is now running in the cluster.
+{{- if .Values.configInline }}
+LoadBalancer Services in your cluster are now available on the IPs you
+defined in MetalLB's configuration. To see IP assignments,
+try `kubectl get services`.
+{{- else }}
+WARNING: you specified a ConfigMap that isn't managed by
+Helm. LoadBalancer services will not function until you add that
+ConfigMap to your cluster yourself.
+{{- end }}

components/metallb/charts/metallb/templates/_helpers.tpl

@@ -0,0 +1,65 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "metallb.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "metallb.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "metallb.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the controller service account to use
+*/}}
+{{- define "metallb.controllerServiceAccountName" -}}
+{{- if .Values.serviceAccounts.controller.create -}}
+    {{ default (printf "%s-controller" (include "metallb.fullname" .)) .Values.serviceAccounts.controller.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccounts.controller.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the speaker service account to use
+*/}}
+{{- define "metallb.speakerServiceAccountName" -}}
+{{- if .Values.serviceAccounts.speaker.create -}}
+    {{ default (printf "%s-speaker" (include "metallb.fullname" .)) .Values.serviceAccounts.speaker.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccounts.speaker.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the settings ConfigMap to use.
+*/}}
+{{- define "metallb.configMapName" -}}
+{{- if .Values.configInline -}}
+    {{ include "metallb.fullname" . }}
+{{- else -}}
+    {{ .Values.existingConfigMap }}
+{{- end -}}
+{{- end -}}

components/metallb/charts/metallb/templates/config.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.configInline }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "metallb.fullname" . }}
+  labels:
+    heritage: {{ .Release.Service | quote }}
+    release: {{ .Release.Name | quote }}
+    chart: {{ template "metallb.chart" . }}
+    app: {{ template "metallb.name" . }}
+data:
+  config: |
+{{ toYaml .Values.configInline | indent 4 }}
+{{- end }}

components/metallb/charts/metallb/templates/controller.yaml

@@ -0,0 +1,66 @@
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  name: {{ template "metallb.fullname" . }}-controller
+  labels:
+    heritage: {{ .Release.Service | quote }}
+    release: {{ .Release.Name | quote }}
+    chart: {{ template "metallb.chart" . }}
+    app: {{ template "metallb.name" . }}
+    component: controller
+spec:
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: {{ template "metallb.name" . }}
+      component: controller
+      release: {{ .Release.Name | quote }}
+  template:
+    metadata:
+      labels:
+        heritage: {{ .Release.Service | quote }}
+        release: {{ .Release.Name | quote }}
+        chart: {{ template "metallb.chart" . }}
+        app: {{ template "metallb.name" . }}
+        component: controller
+{{- if .Values.prometheus.scrapeAnnotations }}
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "7472"
+{{- end }}
+    spec:
+      serviceAccountName: {{ template "metallb.controllerServiceAccountName" . }}
+      terminationGracePeriodSeconds: 0
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534 # nobody
+    {{- with .Values.controller.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.controller.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.controller.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+      containers:
+      - name: controller
+        image: {{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}
+        imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
+        args:
+        - --port=7472
+        - --config={{ template "metallb.configMapName" . }}
+        ports:
+        - name: monitoring
+          containerPort: 7472
+        resources:
+{{ toYaml .Values.controller.resources | indent 10 }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true