From 2882406750b880da3a56c3668e8d57edd2373448 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Mon, 29 Jan 2024 16:57:43 -0500 Subject: [PATCH 1/3] feat: update jinja delimiters back to default 
Signed-off-by: Devin Buhl --- bootstrap/templates/.sops.yaml.j2 | 18 +++--- .../group_vars/kubernetes/main.yaml.j2 | 2 +- .../inventory/group_vars/master/main.yaml.j2 | 30 +++++----- .../inventory/group_vars/worker/main.yaml.j2 | 10 ++-- .../templates/ansible/inventory/hosts.yaml.j2 | 32 +++++----- .../playbooks/cluster-installation.yaml.j2 | 10 ++-- .../playbooks/cluster-kube-vip.yaml.j2 | 12 ++-- .../ansible/playbooks/cluster-nuke.yaml.j2 | 14 ++--- .../ansible/playbooks/cluster-prepare.yaml.j2 | 30 +++++----- .../playbooks/cluster-rollout-update.yaml.j2 | 42 +++++++------- .../ansible/playbooks/tasks/cruft.yaml.j2 | 10 ++-- .../playbooks/tasks/kubeconfig.yaml.j2 | 6 +- .../templates/custom-cilium-helmchart.yaml.j2 | 6 +- .../playbooks/templates/kube-vip-ds.yaml.j2 | 2 +- .../playbooks/templates/kube-vip-rbac.yaml.j2 | 2 +- .../templates/ansible/requirements.yaml.j2 | 4 +- .../cert-manager/app/prometheusrule.yaml.j2 | 8 +-- .../cert-manager/issuers/secret.sops.yaml.j2 | 2 +- .../apps/cert-manager/cert-manager/ks.yaml.j2 | 4 +- .../webhooks/app/github/ingress.yaml.j2 | 4 +- .../webhooks/app/github/kustomization.yaml.j2 | 4 +- .../webhooks/app/github/secret.sops.yaml.j2 | 2 +- .../cilium/app/helmrelease.yaml.j2 | 6 +- .../cilium/app/kustomization.yaml.j2 | 4 +- .../app/helmrelease.yaml.j2 | 6 +- .../apps/kube-system/kustomization.yaml.j2 | 8 +-- .../spegel/app/helmrelease.yaml.j2 | 6 +- .../cloudflared/app/secret.sops.yaml.j2 | 8 +-- .../echo-server/app/helmrelease.yaml.j2 | 4 +- .../external-dns/app/secret.sops.yaml.j2 | 2 +- .../certificates/kustomization.yaml.j2 | 4 +- .../external/helmrelease.yaml.j2 | 8 +-- .../internal/helmrelease.yaml.j2 | 8 +-- .../k8s-gateway/app/helmrelease.yaml.j2 | 2 +- .../kubernetes/flux/config/cluster.yaml.j2 | 8 +-- .../repositories/helm/external-dns.yaml.j2 | 4 +- .../repositories/helm/ingress-nginx.yaml.j2 | 4 +- .../repositories/helm/k8s-gateway.yaml.j2 | 4 +- .../repositories/helm/kustomization.yaml.j2 | 12 ++-- 
.../repositories/helm/postfinance.yaml.j2 | 4 +- .../flux/repositories/helm/xenitab.yaml.j2 | 4 +- .../flux/vars/cluster-secrets.sops.yaml.j2 | 10 ++-- .../flux/vars/cluster-settings.yaml.j2 | 12 ++-- .../templates/kubernetes/k0s/k0sctl.yaml.j2 | 58 +++++++++---------- .../k0s/scripts/apply-kube-vip.sh.j2 | 4 +- .../kubernetes/k0s/scripts/apply-system.sh.j2 | 10 ++-- .../kubernetes/talos/cilium/values.yaml.j2 | 6 +- .../kustomization.yaml.j2 | 6 +- .../kubernetes/talos/talconfig.yaml.j2 | 58 +++++++++---------- .../cilium-values-full.partial.yaml.j2 | 30 +++++----- .../cilium-values-init.partial.yaml.j2 | 28 ++++----- .../partials/kube-vip-ds.partial.yaml.j2 | 2 +- ...ubelet-csr-approver-values.partial.yaml.j2 | 2 +- makejinja.toml | 15 ++--- 54 files changed, 299 insertions(+), 302 deletions(-) diff --git a/bootstrap/templates/.sops.yaml.j2 b/bootstrap/templates/.sops.yaml.j2 index 225a2153110..6825476e263 100644 --- a/bootstrap/templates/.sops.yaml.j2 +++ b/bootstrap/templates/.sops.yaml.j2 @@ -1,22 +1,22 @@ -#% if flux.enabled %# +{% if flux.enabled %} --- creation_rules: - #% if distribution in ['talos'] %# + {% if distribution in ['talos'] %} - # IMPORTANT: This rule MUST be above the others path_regex: talos/.*\.sops\.ya?ml key_groups: - age: - - "#{ flux.sops_age_public_key }#" - #% endif %# + - "{{ flux.sops_age_public_key }}" + {% endif %} - path_regex: kubernetes/.*\.sops\.ya?ml encrypted_regex: "^(data|stringData)$" key_groups: - age: - - "#{ flux.sops_age_public_key }#" - #% if distribution in ['k0s', 'k3s'] %# + - "{{ flux.sops_age_public_key }}" + {% if distribution in ['k0s', 'k3s'] %} - path_regex: ansible/.*\.sops\.ya?ml key_groups: - age: - - "#{ flux.sops_age_public_key }#" - #% endif %# -#% endif %# + - "{{ flux.sops_age_public_key }}" + {% endif %} +{% endif %} 
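Review bot: The `# IMPORTANT: This rule MUST be above the others` comment on the talos rule gives the instruction without the reason, and the reason is the security property worth recording: sops applies the first `creation_rules` entry whose `path_regex` matches, and judging by the diffstat the Talos templates render under `kubernetes/talos/`, where the `kubernetes/.*\.sops\.ya?ml` rule would otherwise win and its `encrypted_regex: "^(data|stringData)$"` would leave every key outside `data`/`stringData` of a Talos secret file in plaintext. I would write it as `# IMPORTANT: sops uses the first matching rule; keep this above the kubernetes/ rule, whose encrypted_regex only encrypts data/stringData and would leave the rest of the Talos secrets in the clear`. The regexes are also unanchored, so `ansible/` or `kubernetes/` match anywhere in the path; a leading `^` on each would pin the intent, presumably without changing which files match today.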
diff --git a/bootstrap/templates/ansible/inventory/group_vars/kubernetes/main.yaml.j2 b/bootstrap/templates/ansible/inventory/group_vars/kubernetes/main.yaml.j2 index 1a40bf9c3aa..9eba13c605a 100644 --- a/bootstrap/templates/ansible/inventory/group_vars/kubernetes/main.yaml.j2 +++ b/bootstrap/templates/ansible/inventory/group_vars/kubernetes/main.yaml.j2 @@ -2,7 +2,7 @@ k3s_become: true k3s_etcd_datastore: true k3s_install_hard_links: true -k3s_registration_address: "#{ cluster.endpoint_vip }#" +k3s_registration_address: "{{ cluster.endpoint_vip }}" # renovate: datasource=github-releases depName=k3s-io/k3s k3s_release_version: v1.29.0+k3s1 k3s_server_manifests_templates: diff --git a/bootstrap/templates/ansible/inventory/group_vars/master/main.yaml.j2 b/bootstrap/templates/ansible/inventory/group_vars/master/main.yaml.j2 index 885e3af2a54..9969c8ccdb3 100644 --- a/bootstrap/templates/ansible/inventory/group_vars/master/main.yaml.j2 +++ b/bootstrap/templates/ansible/inventory/group_vars/master/main.yaml.j2 @@ -1,13 +1,13 @@ --- k3s_control_node: true k3s_server: - #% if feature_gates.dual_stack_ipv4_first %# - cluster-cidr: "#{ cluster.pod_network.split(',')[0] }#,#{ cluster.pod_network.split(',')[1] }#" - service-cidr: "#{ cluster.service_network.split(',')[0] }#,#{ cluster.service_network.split(',')[1] }#" - #% else %# - cluster-cidr: "#{ cluster.pod_network }#" - service-cidr: "#{ cluster.service_network }#" - #% endif %# + {% if feature_gates.dual_stack_ipv4_first %} + cluster-cidr: "{{ cluster.pod_network.split(',')[0] }},{{ cluster.pod_network.split(',')[1] }}" + service-cidr: "{{ cluster.service_network.split(',')[0] }},{{ cluster.service_network.split(',')[1] }}" + {% else %} + cluster-cidr: "{{ cluster.pod_network }}" + service-cidr: "{{ cluster.service_network }}" + {% endif %} disable: ["flannel", "local-storage", "metrics-server", "servicelb", "traefik"] disable-cloud-controller: true disable-kube-proxy: true 
@@ -24,16 +24,16 @@ k3s_server: kubelet-arg: - "image-gc-high-threshold=55" - "image-gc-low-threshold=50" - #% if feature_gates.dual_stack_ipv4_first %# - node-ip: "{{ ansible_host }},{{ ansible_default_ipv6.address }}" - #% else %# - node-ip: "{{ ansible_host }}" - #% endif %# + {% if feature_gates.dual_stack_ipv4_first %} + node-ip: "{% raw %}{{ ansible_host }}{% endraw %},{% raw %}{{ ansible_default_ipv6.address }}{% endraw %}" + {% else %} + node-ip: "{% raw %}{{ ansible_host }}{% endraw %}" + {% endif %} pause-image: registry.k8s.io/pause:3.9 secrets-encryption: true tls-san: - - "#{ cluster.endpoint_vip }#" - #% for item in cluster.tls_sans %# + - "{{ cluster.endpoint_vip }}" + {% for item in cluster.tls_sans %} - "{{ item }}" - #% endfor %# + {% endfor %} write-kubeconfig-mode: "644" diff --git a/bootstrap/templates/ansible/inventory/group_vars/worker/main.yaml.j2 b/bootstrap/templates/ansible/inventory/group_vars/worker/main.yaml.j2 index b372aca9257..8318f037ddb 100644 --- a/bootstrap/templates/ansible/inventory/group_vars/worker/main.yaml.j2 +++ b/bootstrap/templates/ansible/inventory/group_vars/worker/main.yaml.j2 @@ -4,9 +4,9 @@ k3s_agent: kubelet-arg: - "image-gc-high-threshold=55" - "image-gc-low-threshold=50" - #% if feature_gates.dual_stack_ipv4_first %# - node-ip: "{{ ansible_host }},{{ ansible_default_ipv6.address }}" - #% else %# - node-ip: "{{ ansible_host }}" - #% endif %# + {% if feature_gates.dual_stack_ipv4_first %} + node-ip: "{% raw %}{{ ansible_host }}{% endraw %},{% raw %}{{ ansible_default_ipv6.address }}{% endraw %}" + {% else %} + node-ip: "{% raw %}{{ ansible_host }}{% endraw %}" + {% endif %} pause-image: registry.k8s.io/pause:3.9 diff --git a/bootstrap/templates/ansible/inventory/hosts.yaml.j2 b/bootstrap/templates/ansible/inventory/hosts.yaml.j2 index b8d5b1c998a..b3eeb782a0d 100644 --- a/bootstrap/templates/ansible/inventory/hosts.yaml.j2 +++ b/bootstrap/templates/ansible/inventory/hosts.yaml.j2 
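Review bot: `write-kubeconfig-mode: "644"` at the end of this hunk leaves `/etc/rancher/k3s/k3s.yaml`, which carries cluster-admin client credentials, readable by every local account on the control-plane nodes, whereas k3s' own default is 0600. The only in-repo consumer I can see is the fetch in `tasks/kubeconfig.yaml`, whose sibling task sets `become: false` explicitly, which suggests the play already runs privileged, so `write-kubeconfig-mode: "600"` (or `"640"` plus a group, if the k3s version supports `write-kubeconfig-group`) should work unchanged — worth confirming against the play. The `k3s_server` mapping begins outside the hunk.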
@@ -3,21 +3,21 @@ kubernetes:
 children:
 master:
 hosts:
- #% for item in cluster.nodes.inventory %#
- #% if item.controller %#
- "#{ item.name }#":
- ansible_user: "#{ item.ssh_username }#"
- ansible_host: "#{ item.address }#"
- #% endif %#
- #% endfor %#
- #% if cluster.nodes.inventory | selectattr('controller', 'equalto', False) | list | length %#
+ {% for item in cluster.nodes.inventory %}
+ {% if item.controller %}
+ "{{ item.name }}":
+ ansible_user: "{{ item.ssh_username }}"
+ ansible_host: "{{ item.address }}"
+ {% endif %}
+ {% endfor %}
+ {% if cluster.nodes.inventory | selectattr('controller', 'equalto', False) | list | length %}
 worker:
 hosts:
- #% for item in cluster.nodes.inventory %#
- #% if not item.controller %#
- "#{ item.name }#":
- ansible_user: "#{ item.ssh_username }#"
- ansible_host: "#{ item.address }#"
- #% endif %#
- #% endfor %#
- #% endif %#
+ {% for item in cluster.nodes.inventory %}
+ {% if not item.controller %}
+ "{{ item.name }}":
+ ansible_user: "{{ item.ssh_username }}"
+ ansible_host: "{{ item.address }}"
+ {% endif %}
+ {% endfor %}
+ {% endif %}
diff --git a/bootstrap/templates/ansible/playbooks/cluster-installation.yaml.j2 b/bootstrap/templates/ansible/playbooks/cluster-installation.yaml.j2
index 3a8259f1caf..de0c0937f82 100644
--- a/bootstrap/templates/ansible/playbooks/cluster-installation.yaml.j2
+++ b/bootstrap/templates/ansible/playbooks/cluster-installation.yaml.j2
@@ -1,4 +1,4 @@
-#% if distribution in ['k3s'] %#
+{% if distribution in ['k3s'] %}
 ---
 - name: Cluster Installation
 hosts: kubernetes
@@ -39,9 +39,9 @@ or k3s_server_manifests_urls | length > 0) kubernetes.core.k8s_info: kubeconfig: /etc/rancher/k3s/k3s.yaml - kind: "{{ item.kind }}" - name: "{{ item.name }}" - namespace: "{{ item.namespace | default('') }}" + kind: "{% raw %}{{ item.kind }}{% endraw %}" + name: "{% raw %}{{ item.name }}{% endraw %}" + namespace: "{% raw %}{{ item.namespace | default('') }}{% endraw %}" wait: true wait_sleep: 10 wait_timeout: 360 @@ -55,4 +55,4 @@ - name: Cruft when: k3s_primary_control_node ansible.builtin.include_tasks: tasks/cruft.yaml -#% endif %# +{% endif %} diff --git a/bootstrap/templates/ansible/playbooks/cluster-kube-vip.yaml.j2 b/bootstrap/templates/ansible/playbooks/cluster-kube-vip.yaml.j2 index 8de99d0d86b..8c69e818220 100644 --- a/bootstrap/templates/ansible/playbooks/cluster-kube-vip.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/cluster-kube-vip.yaml.j2 @@ -10,20 +10,20 @@ ansible.builtin.pause: seconds: 5 tasks: - #% if distribution in ['k3s'] %# + {% if distribution in ['k3s'] %} - name: Ensure Kubernetes is running ansible.builtin.include_role: name: xanmanning.k3s public: true vars: k3s_state: started - #% endif %# + {% endif %} - name: Upgrade kube-vip ansible.builtin.template: src: templates/kube-vip-ds.yaml.j2 - #% if distribution in ['k3s'] %# - dest: "{{ k3s_server_manifests_dir }}/kube-vip-ds.yaml" - #% elif distribution in ['k0s'] %# + {% if distribution in ['k3s'] %} + dest: "{% raw %}{{ k3s_server_manifests_dir }}{% endraw %}/kube-vip-ds.yaml" + {% elif distribution in ['k0s'] %} dest: "/var/lib/k0s/manifests/kube-vip/kube-vip-ds.yaml" - #% endif %# + {% endif %} mode: preserve diff --git a/bootstrap/templates/ansible/playbooks/cluster-nuke.yaml.j2 b/bootstrap/templates/ansible/playbooks/cluster-nuke.yaml.j2 index d1e0e91f08d..3705e2459b2 100644 --- a/bootstrap/templates/ansible/playbooks/cluster-nuke.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/cluster-nuke.yaml.j2 
@@ -1,4 +1,4 @@ -#% if distribution in ['k3s'] %# +{% if distribution in ['k3s'] %} --- - name: Cluster Nuke hosts: kubernetes @@ -37,17 +37,17 @@ block: - name: Networking | Delete Cilium links ansible.builtin.command: - cmd: "ip link delete {{ item }}" - removes: "/sys/class/net/{{ item }}" + cmd: "ip link delete {% raw %}{{ item }}{% endraw %}" + removes: "/sys/class/net/{% raw %}{{ item }}{% endraw %}" loop: ["cilium_host", "cilium_net", "cilium_vxlan"] - name: Networking | Flush iptables ansible.builtin.iptables: - table: "{{ item }}" + table: "{% raw %}{{ item }}{% endraw %}" flush: true loop: ["filter", "nat", "mangle", "raw"] - name: Networking | Flush ip6tables ansible.builtin.iptables: - table: "{{ item }}" + table: "{% raw %}{{ item }}{% endraw %}" flush: true ip_version: ipv6 loop: ["filter", "nat", "mangle", "raw"] @@ -87,7 +87,7 @@ - k3s_install_hard_links - not ansible_check_mode ansible.builtin.file: - path: "{{ k3s_install_dir }}/{{ item }}" + path: "{% raw %}{{ k3s_install_dir }}{% endraw %}/{% raw %}{{ item }}{% endraw %}" state: absent loop: ["kubectl", "crictl", "ctr"] @@ -100,4 +100,4 @@ ansible.builtin.reboot: msg: Rebooting hosts reboot_timeout: 3600 -#% endif %# +{% endif %} diff --git a/bootstrap/templates/ansible/playbooks/cluster-prepare.yaml.j2 b/bootstrap/templates/ansible/playbooks/cluster-prepare.yaml.j2 index 92688cc2373..0d6835e13fc 100644 --- a/bootstrap/templates/ansible/playbooks/cluster-prepare.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/cluster-prepare.yaml.j2 @@ -1,4 +1,4 @@ -#% if distribution in ['k3s'] %# +{% if distribution in ['k3s'] %} --- - name: Prepare System hosts: kubernetes @@ -16,7 +16,7 @@ block: - name: Locale | Set timezone community.general.timezone: - name: "#{ timezone }#" + name: "{{ timezone }}" - name: Packages block: 
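Review bot: The two `ansible.builtin.iptables` tasks with `flush: true` over `["filter", "nat", "mangle", "raw"]` remove every rule but leave the chain policies as they are, so on a node whose INPUT policy is DROP (any host firewall configured that way) flushing `filter` severs the SSH session this play runs over before the reboot at the end of the playbook is reached. If such hosts are in scope, reset the policy first, e.g. `ansible.builtin.iptables: {table: filter, chain: INPUT, policy: ACCEPT}` (and the same with `ip_version: ipv6`), or limit the flush to the `nat`, `mangle` and `raw` tables plus the Cilium-specific chains. The enclosing `block:` starts outside the hunk.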
@@ -33,12 +33,12 @@ block: - name: Network Configuration | Set hostname ansible.builtin.hostname: - name: "{{ inventory_hostname }}" + name: "{% raw %}{{ inventory_hostname }}{% endraw %}" - name: Network Configuration | Update hosts ansible.builtin.copy: content: | 127.0.0.1 localhost - 127.0.1.1 {{ inventory_hostname }} + 127.0.1.1 {% raw %}{{ inventory_hostname }}{% endraw %} # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback @@ -62,10 +62,10 @@ mode: '0644' dest: /etc/resolv.conf content: | - search #{ cluster.nodes.search_domain|default('.', true) }# - #% for item in cluster.nodes.dns_servers %# - nameserver #{ item }# - #% endfor %# + search {{ cluster.nodes.search_domain|default('.', true) }} + {% for item in cluster.nodes.dns_servers %} + nameserver {{ item }} + {% endfor %} - name: System Configuration notify: Reboot @@ -78,15 +78,15 @@ masked: true - name: System Configuration | Disable swap ansible.posix.mount: - name: "{{ item }}" + name: "{% raw %}{{ item }}{% endraw %}" fstype: swap state: absent loop: ["none", "swap"] - name: System Configuration | Create Kernel modules ansible.builtin.copy: - dest: "/etc/modules-load.d/{{ item }}.conf" + dest: "/etc/modules-load.d/{% raw %}{{ item }}{% endraw %}.conf" mode: "0644" - content: "{{ item }}" + content: "{% raw %}{{ item }}{% endraw %}" loop: ["br_netfilter", "ceph", "ip_vs", "ip_vs_rr", "nbd", "overlay", "rbd"] register: modules_status - name: System Configuration | Reload Kernel modules # noqa: no-changed-when no-handler 
@@ -96,11 +96,11 @@ state: restarted - name: System Configuration | Sysctl ansible.posix.sysctl: - name: "{{ item.key }}" - value: "{{ item.value }}" + name: "{% raw %}{{ item.key }}{% endraw %}" + value: "{% raw %}{{ item.value }}{% endraw %}" sysctl_file: /etc/sysctl.d/99-kubernetes.conf reload: true - with_dict: "{{ sysctl_config }}" + with_dict: "{% raw %}{{ sysctl_config }}{% endraw %}" vars: sysctl_config: fs.inotify.max_queued_events: 65536 @@ -112,4 +112,4 @@ ansible.builtin.reboot: msg: Rebooting hosts reboot_timeout: 3600 -#% endif %# +{% endif %} diff --git a/bootstrap/templates/ansible/playbooks/cluster-rollout-update.yaml.j2 b/bootstrap/templates/ansible/playbooks/cluster-rollout-update.yaml.j2 index 66624177538..8c2287fbad2 100644 --- a/bootstrap/templates/ansible/playbooks/cluster-rollout-update.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/cluster-rollout-update.yaml.j2 @@ -12,13 +12,13 @@ seconds: 5 tasks: - name: Details - #% if distribution in ['k3s'] %# - ansible.builtin.command: "k3s kubectl get node {{ inventory_hostname }} -o json" - #% elif distribution in ['k0s'] %# - ansible.builtin.command: "k0s kubectl get node {{ inventory_hostname }} -o json" - #% endif %# + {% if distribution in ['k3s'] %} + ansible.builtin.command: "k3s kubectl get node {% raw %}{{ inventory_hostname }}{% endraw %} -o json" + {% elif distribution in ['k0s'] %} + ansible.builtin.command: "k0s kubectl get node {% raw %}{{ inventory_hostname }}{% endraw %} -o json" + {% endif %} register: kubectl_get_node - delegate_to: "{{ groups['master'][0] }}" + delegate_to: "{% raw %}{{ groups['master'][0] }}{% endraw %}" failed_when: false changed_when: false 
@@ -31,23 +31,23 @@ block: - name: Cordon kubernetes.core.k8s_drain: - name: "{{ inventory_hostname }}" - #% if distribution in ['k3s'] %# + name: "{% raw %}{{ inventory_hostname }}{% endraw %}" + {% if distribution in ['k3s'] %} kubeconfig: /etc/rancher/k3s/k3s.yaml - #% elif distribution in ['k0s'] %# + {% elif distribution in ['k0s'] %} kubeconfig: /var/lib/k0s/pki/admin.conf - #% endif %# + {% endif %} state: cordon - delegate_to: "{{ groups['master'][0] }}" + delegate_to: "{% raw %}{{ groups['master'][0] }}{% endraw %}" - name: Drain kubernetes.core.k8s_drain: - name: "{{ inventory_hostname }}" - #% if distribution in ['k3s'] %# + name: "{% raw %}{{ inventory_hostname }}{% endraw %}" + {% if distribution in ['k3s'] %} kubeconfig: /etc/rancher/k3s/k3s.yaml - #% elif distribution in ['k0s'] %# + {% elif distribution in ['k0s'] %} kubeconfig: /var/lib/k0s/pki/admin.conf - #% endif %# + {% endif %} state: drain delete_options: delete_emptydir_data: true @@ -56,7 +56,7 @@ wait_timeout: 900 pod_selectors: - app!=rook-ceph-osd # Rook Ceph - delegate_to: "{{ groups['master'][0] }}" + delegate_to: "{% raw %}{{ groups['master'][0] }}{% endraw %}" - name: Update ansible.builtin.apt: @@ -77,11 +77,11 @@ - name: Uncordon kubernetes.core.k8s_drain: - name: "{{ inventory_hostname }}" - #% if distribution in ['k3s'] %# + name: "{% raw %}{{ inventory_hostname }}{% endraw %}" + {% if distribution in ['k3s'] %} kubeconfig: /etc/rancher/k3s/k3s.yaml - #% elif distribution in ['k0s'] %# + {% elif distribution in ['k0s'] %} kubeconfig: /var/lib/k0s/pki/admin.conf - #% endif %# + {% endif %} state: uncordon - delegate_to: "{{ groups['master'][0] }}" + delegate_to: "{% raw %}{{ groups['master'][0] }}{% endraw %}" diff --git a/bootstrap/templates/ansible/playbooks/tasks/cruft.yaml.j2 b/bootstrap/templates/ansible/playbooks/tasks/cruft.yaml.j2 index 6714d8b4759..3a37c1a028a 100644 --- a/bootstrap/templates/ansible/playbooks/tasks/cruft.yaml.j2 
+++ b/bootstrap/templates/ansible/playbooks/tasks/cruft.yaml.j2 @@ -4,7 +4,7 @@ block: - name: Cruft | Get list of custom manifests ansible.builtin.find: - paths: "{{ k3s_server_manifests_dir }}" + paths: "{% raw %}{{ k3s_server_manifests_dir }}{% endraw %}" file_type: file use_regex: true patterns: ["^custom-.*"] @@ -12,9 +12,9 @@ - name: Cruft | Delete custom manifests ansible.builtin.file: - path: "{{ item.path }}" + path: "{% raw %}{{ item.path }}{% endraw %}" state: absent - loop: "{{ custom_manifest.files }}" + loop: "{% raw %}{{ custom_manifest.files }}{% endraw %}" - name: Cruft | Get list of custom addons kubernetes.core.k8s_info: @@ -25,8 +25,8 @@ - name: Cruft | Delete addons kubernetes.core.k8s: kubeconfig: /etc/rancher/k3s/k3s.yaml - name: "{{ item.metadata.name }}" + name: "{% raw %}{{ item.metadata.name }}{% endraw %}" kind: Addon namespace: kube-system state: absent - loop: "{{ addons_list.resources | selectattr('metadata.name', 'match', '^custom-.*') | list }}" + loop: "{% raw %}{{ addons_list.resources | selectattr('metadata.name', 'match', '^custom-.*') | list }}{% endraw %}" diff --git a/bootstrap/templates/ansible/playbooks/tasks/kubeconfig.yaml.j2 b/bootstrap/templates/ansible/playbooks/tasks/kubeconfig.yaml.j2 index 56bf684e595..a3a0681aaf0 100644 --- a/bootstrap/templates/ansible/playbooks/tasks/kubeconfig.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/tasks/kubeconfig.yaml.j2 @@ -13,7 +13,7 @@ when: k3s_primary_control_node ansible.builtin.fetch: src: /etc/rancher/k3s/k3s.yaml - dest: "{{ repository_path.stdout }}/kubeconfig" + dest: "{% raw %}{{ repository_path.stdout }}{% endraw %}/kubeconfig" flat: true - name: Update kubeconfig with the correct load balancer address 
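Review bot: `ansible.builtin.fetch` writes the k3s admin kubeconfig to `{{ repository_path.stdout }}/kubeconfig`, inside the git checkout, with whatever mode the controller's umask yields (commonly 0644), and nothing in this hunk restricts it or checks that the path is ignored by git; that is fine only if the repository's `.gitignore` already excludes `kubeconfig`, which this page does not show. I would add a follow-up task on the controller that pins the file to 0600, as below, with the `{% raw %}` wrapping the rest of the hunk uses. The task list this hunk belongs to starts outside the hunk.
```yaml
# … unchanged: Fetch kubeconfig task …
- name: Restrict kubeconfig permissions
  when: k3s_primary_control_node
  delegate_to: localhost
  become: false
  run_once: true
  ansible.builtin.file:
    path: "{% raw %}{{ repository_path.stdout }}{% endraw %}/kubeconfig"
    mode: "0600"
# … unchanged: Update kubeconfig with the correct load balancer address …
```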
@@ -21,6 +21,6 @@ become: false run_once: true ansible.builtin.replace: - path: "{{ repository_path.stdout }}/kubeconfig" + path: "{% raw %}{{ repository_path.stdout }}{% endraw %}/kubeconfig" regexp: https://127.0.0.1:6443 - replace: "https://{{ k3s_registration_address }}:6443" + replace: "https://{% raw %}{{ k3s_registration_address }}{% endraw %}:6443" diff --git a/bootstrap/templates/ansible/playbooks/templates/custom-cilium-helmchart.yaml.j2 b/bootstrap/templates/ansible/playbooks/templates/custom-cilium-helmchart.yaml.j2 index 35de3f1565e..a5928be4323 100644 --- a/bootstrap/templates/ansible/playbooks/templates/custom-cilium-helmchart.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/templates/custom-cilium-helmchart.yaml.j2 @@ -13,6 +13,6 @@ spec: targetNamespace: kube-system bootstrap: true valuesContent: |- - #% filter indent(width=4, first=True) %# - #% include 'partials/cilium-values-init.partial.yaml.j2' %# - #% endfilter %# + {% filter indent(width=4, first=True) %} + {% include 'partials/cilium-values-init.partial.yaml.j2' %} + {% endfilter %} diff --git a/bootstrap/templates/ansible/playbooks/templates/kube-vip-ds.yaml.j2 b/bootstrap/templates/ansible/playbooks/templates/kube-vip-ds.yaml.j2 index f62cab4d99f..9cc432a25ad 100644 --- a/bootstrap/templates/ansible/playbooks/templates/kube-vip-ds.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/templates/kube-vip-ds.yaml.j2 @@ -1,2 +1,2 @@ --- -#% include 'partials/kube-vip-ds.partial.yaml.j2' %# +{% include 'partials/kube-vip-ds.partial.yaml.j2' %} diff --git a/bootstrap/templates/ansible/playbooks/templates/kube-vip-rbac.yaml.j2 b/bootstrap/templates/ansible/playbooks/templates/kube-vip-rbac.yaml.j2 index 481c2e822c8..eadbb999426 100644 --- a/bootstrap/templates/ansible/playbooks/templates/kube-vip-rbac.yaml.j2 +++ b/bootstrap/templates/ansible/playbooks/templates/kube-vip-rbac.yaml.j2 
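Review bot: `regexp: https://127.0.0.1:6443` is a regular expression in `ansible.builtin.replace`, so the unescaped dots match any character; it still hits the intended line today but is looser than it reads, and `regexp: 'https://127\.0\.0\.1:6443'` says what is meant. The substituted `k3s_registration_address` is the `cluster.endpoint_vip` value that the master group vars also list under `tls-san`, so the rewritten server URL presumably validates against the server certificate — those two should stay in step.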
@@ -1,2 +1,2 @@
 ---
-#% include 'partials/kube-vip-rbac.partial.yaml.j2' %#
+{% include 'partials/kube-vip-rbac.partial.yaml.j2' %}
diff --git a/bootstrap/templates/ansible/requirements.yaml.j2 b/bootstrap/templates/ansible/requirements.yaml.j2
index 389e8a5f1df..b84e3016f07 100644
--- a/bootstrap/templates/ansible/requirements.yaml.j2
+++ b/bootstrap/templates/ansible/requirements.yaml.j2
@@ -8,9 +8,9 @@ collections:
 version: 8.2.0
 - name: kubernetes.core
 version: 3.0.0
-#% if distribution in ['k3s'] %#
+{% if distribution in ['k3s'] %}
 roles:
 - name: xanmanning.k3s
 src: https://github.com/PyratLabs/ansible-role-k3s
 version: v3.4.4
-#% endif %#
+{% endif %}
diff --git a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/prometheusrule.yaml.j2 b/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/prometheusrule.yaml.j2
index d236526f00f..b96bf13fdc6 100644
--- a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/prometheusrule.yaml.j2
+++ b/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/prometheusrule.yaml.j2
@@ -28,11 +28,11 @@ spec: severity: warning annotations: description: > - The domain that this cert covers will be unavailable after {{ $value | humanizeDuration }}. - Clients using endpoints that this cert protects will start to fail in {{ $value | humanizeDuration }}. + The domain that this cert covers will be unavailable after {% raw %}{{ $value | humanizeDuration }}{% endraw %}. + Clients using endpoints that this cert protects will start to fail in {% raw %}{{ $value | humanizeDuration }}{% endraw %}. runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon summary: | - The cert {{ $labels.name }} is {{ $value | humanizeDuration }} from expiry, it should have renewed over a week ago. + The cert {% raw %}{{ $labels.name }}{% endraw %} is {% raw %}{{ $value | humanizeDuration }}{% endraw %} from expiry, it should have renewed over a week ago. - alert: CertManagerCertNotReady expr: | max by (name, exported_namespace, namespace, condition) (certmanager_certificate_ready_status{condition!="True"} == 1) @@ -45,7 +45,7 @@ spec: 10m. If the cert is being renewed or there is another valid cert, the ingress controller _may_ be able to serve that instead. runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready - summary: "The cert {{ $labels.name }} is not ready to serve traffic." + summary: "The cert {% raw %}{{ $labels.name }}{% endraw %} is not ready to serve traffic." - alert: CertManagerHittingRateLimits expr: | sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m])) > 0 diff --git a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml.j2 b/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml.j2 index 16e7020fce1..f967fe678eb 100644 --- a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml.j2 
+++ b/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml.j2 @@ -4,4 +4,4 @@ kind: Secret metadata: name: cert-manager-secret stringData: - api-token: "#{ cloudflare.token }#" + api-token: "{{ cloudflare.token }}" diff --git a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/ks.yaml.j2 b/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/ks.yaml.j2 index 8a42981bcb0..04d30f4e5ae 100644 --- a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/ks.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/ks.yaml.j2 @@ -18,7 +18,7 @@ spec: interval: 30m retryInterval: 1m timeout: 5m -#% if cloudflare.enabled %# +{% if cloudflare.enabled %} --- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization @@ -41,4 +41,4 @@ spec: interval: 30m retryInterval: 1m timeout: 5m -#% endif %# +{% endif %} diff --git a/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/ingress.yaml.j2 b/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/ingress.yaml.j2 index 1bc3dd3f204..37e3d454550 100644 --- a/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/ingress.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/ingress.yaml.j2 @@ -1,4 +1,4 @@ -#% if cloudflare.enabled %# +{% if cloudflare.enabled %} --- apiVersion: networking.k8s.io/v1 kind: Ingress @@ -22,4 +22,4 @@ spec: tls: - hosts: - *host -#% endif %# +{% endif %} diff --git a/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/kustomization.yaml.j2 index 95c9dfe59d5..2002134e42a 100644 --- a/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/kustomization.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/kustomization.yaml.j2 
@@ -3,7 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./secret.sops.yaml - #% if cloudflare.enabled %# + {% if cloudflare.enabled %} - ./ingress.yaml - #% endif %# + {% endif %} - ./receiver.yaml diff --git a/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml.j2 b/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml.j2 index 29fdfdd0745..a0ede054c88 100644 --- a/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml.j2 @@ -4,4 +4,4 @@ kind: Secret metadata: name: github-webhook-token-secret stringData: - token: "#{ flux.github.webhook.token }#" + token: "{{ flux.github.webhook.token }}" diff --git a/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml.j2 index 48450c3417c..3d27ee05592 100644 --- a/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml.j2 @@ -23,6 +23,6 @@ spec: uninstall: keepHistory: false values: - #% filter indent(width=4, first=True) %# - #% include 'partials/cilium-values-full.partial.yaml.j2' %# - #% endfilter %# + {% filter indent(width=4, first=True) %} + {% include 'partials/cilium-values-full.partial.yaml.j2' %} + {% endfilter %} diff --git a/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/kustomization.yaml.j2 index e20faf1f3d7..083be0f0216 100644 --- a/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/kustomization.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/kube-system/cilium/app/kustomization.yaml.j2 
@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - #% if not feature_gates.dual_stack_ipv4_first %# + {% if not feature_gates.dual_stack_ipv4_first %} - ./cilium-l2.yaml - #% endif %# + {% endif %} - ./helmrelease.yaml diff --git a/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2 index bb522914570..33d3ecc440d 100644 --- a/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2 @@ -23,6 +23,6 @@ spec: uninstall: keepHistory: false values: - #% filter indent(width=4, first=True) %# - #% include 'partials/kubelet-csr-approver-values.partial.yaml.j2' %# - #% endfilter %# + {% filter indent(width=4, first=True) %} + {% include 'partials/kubelet-csr-approver-values.partial.yaml.j2' %} + {% endfilter %} diff --git a/bootstrap/templates/kubernetes/apps/kube-system/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/kustomization.yaml.j2 index eb1f8a4f4d1..e2d49a65253 100644 --- a/bootstrap/templates/kubernetes/apps/kube-system/kustomization.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/kube-system/kustomization.yaml.j2 @@ -4,11 +4,11 @@ kind: Kustomization resources: - ./namespace.yaml - ./cilium/ks.yaml - #% if distribution in ['talos'] %# + {% if distribution in ['talos'] %} - ./kubelet-csr-approver/ks.yaml - #% endif %# + {% endif %} - ./metrics-server/ks.yaml - #% if distribution in ['k0s', 'talos'] %# + {% if distribution in ['k0s', 'talos'] %} - ./spegel/ks.yaml - #% endif %# + {% endif %} - ./reloader/ks.yaml diff --git a/bootstrap/templates/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml.j2 index f0a4af49abc..059b8b4dada 100644 
--- a/bootstrap/templates/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml.j2 @@ -24,13 +24,13 @@ spec: keepHistory: false values: spegel: - #% if distribution in ['k0s'] %# + {% if distribution in ['k0s'] %} containerdSock: /run/k0s/containerd.sock containerdRegistryConfigPath: /var/lib/k0s/containerd/certs.d - #% elif distribution in ['talos'] %# + {% elif distribution in ['talos'] %} containerdSock: /run/containerd/containerd.sock containerdRegistryConfigPath: /etc/cri/conf.d/hosts - #% endif %# + {% endif %} service: registry: hostPort: 29999 diff --git a/bootstrap/templates/kubernetes/apps/network/cloudflared/app/secret.sops.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/cloudflared/app/secret.sops.yaml.j2 index 6a024e253fe..779d0bed95a 100644 --- a/bootstrap/templates/kubernetes/apps/network/cloudflared/app/secret.sops.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/network/cloudflared/app/secret.sops.yaml.j2 @@ -4,10 +4,10 @@ kind: Secret metadata: name: cloudflared-secret stringData: - TUNNEL_ID: "#{ cloudflare.tunnel.id }#" + TUNNEL_ID: "{{ cloudflare.tunnel.id }}" credentials.json: | { - "AccountTag": "#{ cloudflare.tunnel.account_id }#", - "TunnelSecret": "#{ cloudflare.tunnel.secret }#", - "TunnelID": "#{ cloudflare.tunnel.id }#" + "AccountTag": "{{ cloudflare.tunnel.account_id }}", + "TunnelSecret": "{{ cloudflare.tunnel.secret }}", + "TunnelID": "{{ cloudflare.tunnel.id }}" } diff --git a/bootstrap/templates/kubernetes/apps/network/echo-server/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/echo-server/app/helmrelease.yaml.j2 index 37d428c981c..f60b27cae2a 100644 --- a/bootstrap/templates/kubernetes/apps/network/echo-server/app/helmrelease.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/network/echo-server/app/helmrelease.yaml.j2 
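Review bot: In `credentials.json` the `AccountTag`, `TunnelSecret` and `TunnelID` values are interpolated straight into a JSON document inside a YAML block scalar with no escaping, so a value containing `"` or `\` renders invalid JSON that cloudflared will reject, and the double-quoted `TUNNEL_ID` line has the same exposure at the YAML level. Cloudflare presumably hands out hex and base64 here, so it works in practice, but `"TunnelSecret": {{ cloudflare.tunnel.secret | tojson }},` (dropping the hand-written quotes) makes the rendering robust and is still valid inside the literal block. This Secret falls under the `kubernetes/.*\.sops\.ya?ml` rule's `encrypted_regex` from the same patch, so `stringData` is encrypted once sops runs, but the rendered file holds the plaintext until then.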
@@ -70,7 +70,7 @@ spec: annotations: external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}" hosts: - - host: &host "{{ .Release.Name }}-external.${SECRET_DOMAIN}" + - host: &host "{% raw %}{{ .Release.Name }}{% endraw %}-external.${SECRET_DOMAIN}" paths: - path: / service: @@ -83,7 +83,7 @@ spec: enabled: true className: internal hosts: - - host: &host "{{ .Release.Name }}-internal.${SECRET_DOMAIN}" + - host: &host "{% raw %}{{ .Release.Name }}{% endraw %}-internal.${SECRET_DOMAIN}" paths: - path: / service: diff --git a/bootstrap/templates/kubernetes/apps/network/external-dns/app/secret.sops.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/external-dns/app/secret.sops.yaml.j2 index 4239a8b1892..ac7d97d6103 100644 --- a/bootstrap/templates/kubernetes/apps/network/external-dns/app/secret.sops.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/network/external-dns/app/secret.sops.yaml.j2 @@ -4,4 +4,4 @@ kind: Secret metadata: name: external-dns-secret stringData: - api-token: "#{ cloudflare.token }#" + api-token: "{{ cloudflare.token }}" diff --git a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml.j2 index 570e0d8de2b..8f9c7613208 100644 --- a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml.j2 @@ -3,6 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./staging.yaml - #% if cloudflare.acme.production %# + {% if cloudflare.acme.production %} - ./production.yaml - #% endif %# + {% endif %} diff --git a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2 index 1c3046c35cb..0487dd91cb5 100644 
--- a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2 @@ -32,7 +32,7 @@ spec: service: annotations: external-dns.alpha.kubernetes.io/hostname: "external.${SECRET_DOMAIN}" - io.cilium/lb-ipam-ips: "#{ cloudflare.tunnel.ingress_vip }#" + io.cilium/lb-ipam-ips: "{{ cloudflare.tunnel.ingress_vip }}" externalTrafficPolicy: Cluster ingressClassResource: name: external @@ -64,11 +64,11 @@ spec: proxy-buffer-size: 16k ssl-protocols: TLSv1.3 TLSv1.2 extraArgs: - #% if cloudflare.acme.production %# + {% if cloudflare.acme.production %} default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-production-tls" - #% else %# + {% else %} default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-staging-tls" - #% endif %# + {% endif %} topologySpreadConstraints: - maxSkew: 1 topologyKey: kubernetes.io/hostname diff --git a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2 index 355a3311a00..2a866d04d5b 100644 --- a/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2 @@ -29,7 +29,7 @@ spec: replicaCount: 1 service: annotations: - io.cilium/lb-ipam-ips: "#{ cloudflare.ingress_vip }#" + io.cilium/lb-ipam-ips: "{{ cloudflare.ingress_vip }}" externalTrafficPolicy: Cluster ingressClassResource: name: internal 
@@ -61,11 +61,11 @@ spec: proxy-buffer-size: 16k ssl-protocols: TLSv1.3 TLSv1.2 extraArgs: - #% if cloudflare.acme.production %# + {% if cloudflare.acme.production %} default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-production-tls" - #% else %# + {% else %} default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-staging-tls" - #% endif %# + {% endif %} topologySpreadConstraints: - maxSkew: 1 topologyKey: kubernetes.io/hostname diff --git a/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2 index 5b0366eadbe..f8fa00c6d55 100644 --- a/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2 @@ -30,5 +30,5 @@ spec: type: LoadBalancer port: 53 annotations: - io.cilium/lb-ipam-ips: "#{ cloudflare.gateway_vip }#" + io.cilium/lb-ipam-ips: "{{ cloudflare.gateway_vip }}" externalTrafficPolicy: Cluster diff --git a/bootstrap/templates/kubernetes/flux/config/cluster.yaml.j2 b/bootstrap/templates/kubernetes/flux/config/cluster.yaml.j2 index 894f7bdd877..defff412ed3 100644 --- a/bootstrap/templates/kubernetes/flux/config/cluster.yaml.j2 +++ b/bootstrap/templates/kubernetes/flux/config/cluster.yaml.j2 @@ -6,13 +6,13 @@ metadata: namespace: flux-system spec: interval: 30m - url: "#{ flux.github.address }#" - #% if flux.github.address.startswith('ssh://') %# + url: "{{ flux.github.address }}" + {% if flux.github.address.startswith('ssh://') %} secretRef: name: github-deploy-key - #% endif %# + {% endif %} ref: - branch: "#{ flux.github.branch|default('main', true) }#" + branch: "{{ flux.github.branch|default('main', true) }}" ignore: | # exclude all /* diff --git a/bootstrap/templates/kubernetes/flux/repositories/helm/external-dns.yaml.j2 b/bootstrap/templates/kubernetes/flux/repositories/helm/external-dns.yaml.j2 index 7bc3d70f768..92649af566b 100644 
--- a/bootstrap/templates/kubernetes/flux/repositories/helm/external-dns.yaml.j2 +++ b/bootstrap/templates/kubernetes/flux/repositories/helm/external-dns.yaml.j2 @@ -1,4 +1,4 @@ -#% if cloudflare.enabled %# +{% if cloudflare.enabled %} --- apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository @@ -8,4 +8,4 @@ metadata: spec: interval: 1h url: https://kubernetes-sigs.github.io/external-dns -#% endif %# +{% endif %} diff --git a/bootstrap/templates/kubernetes/flux/repositories/helm/ingress-nginx.yaml.j2 b/bootstrap/templates/kubernetes/flux/repositories/helm/ingress-nginx.yaml.j2 index 16c4d05681d..47c1e9a0f9f 100644 --- a/bootstrap/templates/kubernetes/flux/repositories/helm/ingress-nginx.yaml.j2 +++ b/bootstrap/templates/kubernetes/flux/repositories/helm/ingress-nginx.yaml.j2 @@ -1,4 +1,4 @@ -#% if cloudflare.enabled %# +{% if cloudflare.enabled %} --- apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository @@ -8,4 +8,4 @@ metadata: spec: interval: 1h url: https://kubernetes.github.io/ingress-nginx -#% endif %# +{% endif %} diff --git a/bootstrap/templates/kubernetes/flux/repositories/helm/k8s-gateway.yaml.j2 b/bootstrap/templates/kubernetes/flux/repositories/helm/k8s-gateway.yaml.j2 index a71ac09cfa9..cf8db0608f6 100644 --- a/bootstrap/templates/kubernetes/flux/repositories/helm/k8s-gateway.yaml.j2 +++ b/bootstrap/templates/kubernetes/flux/repositories/helm/k8s-gateway.yaml.j2 @@ -1,4 +1,4 @@ -#% if cloudflare.enabled %# +{% if cloudflare.enabled %} --- apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository @@ -8,4 +8,4 @@ metadata: spec: interval: 1h url: https://ori-edge.github.io/k8s_gateway -#% endif %# +{% endif %} diff --git a/bootstrap/templates/kubernetes/flux/repositories/helm/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/flux/repositories/helm/kustomization.yaml.j2 index bf327ac135c..680a3a768a3 100644 --- a/bootstrap/templates/kubernetes/flux/repositories/helm/kustomization.yaml.j2 
+++ b/bootstrap/templates/kubernetes/flux/repositories/helm/kustomization.yaml.j2 @@ -4,18 +4,18 @@ kind: Kustomization resources: - ./bjw-s.yaml - ./cilium.yaml - #% if cloudflare.enabled %# + {% if cloudflare.enabled %} - ./external-dns.yaml - ./ingress-nginx.yaml - ./k8s-gateway.yaml - #% endif %# + {% endif %} - ./jetstack.yaml - ./metrics-server.yaml - ./openebs.yaml - #% if distribution in ['talos'] %# + {% if distribution in ['talos'] %} - ./postfinance.yaml - #% endif %# + {% endif %} - ./stakater.yaml - #% if distribution in ['k0s', 'talos'] %# + {% if distribution in ['k0s', 'talos'] %} - ./xenitab.yaml - #% endif %# + {% endif %} diff --git a/bootstrap/templates/kubernetes/flux/repositories/helm/postfinance.yaml.j2 b/bootstrap/templates/kubernetes/flux/repositories/helm/postfinance.yaml.j2 index fa7b9639e37..6d1eeff215c 100644 --- a/bootstrap/templates/kubernetes/flux/repositories/helm/postfinance.yaml.j2 +++ b/bootstrap/templates/kubernetes/flux/repositories/helm/postfinance.yaml.j2 @@ -1,4 +1,4 @@ -#% if distribution in ['talos'] %# +{% if distribution in ['talos'] %} --- apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository @@ -8,4 +8,4 @@ metadata: spec: interval: 1h url: https://postfinance.github.io/kubelet-csr-approver -#% endif %# +{% endif %} diff --git a/bootstrap/templates/kubernetes/flux/repositories/helm/xenitab.yaml.j2 b/bootstrap/templates/kubernetes/flux/repositories/helm/xenitab.yaml.j2 index 6aacb0e47d5..5c98862208a 100644 --- a/bootstrap/templates/kubernetes/flux/repositories/helm/xenitab.yaml.j2 +++ b/bootstrap/templates/kubernetes/flux/repositories/helm/xenitab.yaml.j2 @@ -1,4 +1,4 @@ -#% if distribution in ['k0s', 'talos'] %# +{% if distribution in ['k0s', 'talos'] %} --- apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository @@ -9,4 +9,4 @@ spec: type: oci interval: 5m url: oci://ghcr.io/xenitab/helm-charts -#% endif %# +{% endif %} 
diff --git a/bootstrap/templates/kubernetes/flux/vars/cluster-secrets.sops.yaml.j2 b/bootstrap/templates/kubernetes/flux/vars/cluster-secrets.sops.yaml.j2 index 1b8b69175a4..cf5904f5f20 100644 --- a/bootstrap/templates/kubernetes/flux/vars/cluster-secrets.sops.yaml.j2 +++ b/bootstrap/templates/kubernetes/flux/vars/cluster-secrets.sops.yaml.j2 @@ -6,8 +6,8 @@ metadata: namespace: flux-system stringData: SECRET_EXAMPLE: Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit... - #% if cloudflare.enabled %# - SECRET_DOMAIN: "#{ cloudflare.domain }#" - SECRET_ACME_EMAIL: "#{ cloudflare.acme.email }#" - SECRET_CLOUDFLARE_TUNNEL_ID: "#{ cloudflare.tunnel.id }#" - #% endif %# + {% if cloudflare.enabled %} + SECRET_DOMAIN: "{{ cloudflare.domain }}" + SECRET_ACME_EMAIL: "{{ cloudflare.acme.email }}" + SECRET_CLOUDFLARE_TUNNEL_ID: "{{ cloudflare.tunnel.id }}" + {% endif %} diff --git a/bootstrap/templates/kubernetes/flux/vars/cluster-settings.yaml.j2 b/bootstrap/templates/kubernetes/flux/vars/cluster-settings.yaml.j2 index bfffc99f263..951944b0fac 100644 --- a/bootstrap/templates/kubernetes/flux/vars/cluster-settings.yaml.j2 +++ b/bootstrap/templates/kubernetes/flux/vars/cluster-settings.yaml.j2 @@ -5,9 +5,9 @@ metadata: name: cluster-settings namespace: flux-system data: - TIMEZONE: "#{ timezone }#" - CLUSTER_CIDR: "#{ cluster.pod_network.split(',')[0] }#" - NODE_CIDR: "#{ cluster.nodes.host_network }#" - #% if feature_gates.dual_stack_ipv4_first %# - CLUSTER_CIDR_V6: "#{ cluster.pod_network.split(',')[1] }#" - #% endif %# + TIMEZONE: "{{ timezone }}" + CLUSTER_CIDR: "{{ cluster.pod_network.split(',')[0] }}" + NODE_CIDR: "{{ cluster.nodes.host_network }}" + {% if feature_gates.dual_stack_ipv4_first %} + CLUSTER_CIDR_V6: "{{ cluster.pod_network.split(',')[1] }}" + {% endif %} diff --git a/bootstrap/templates/kubernetes/k0s/k0sctl.yaml.j2 b/bootstrap/templates/kubernetes/k0s/k0sctl.yaml.j2 index 9043bfdae78..2324094a7a1 100644 
--- a/bootstrap/templates/kubernetes/k0s/k0sctl.yaml.j2 +++ b/bootstrap/templates/kubernetes/k0s/k0sctl.yaml.j2 @@ -5,36 +5,36 @@ metadata: name: home-kubernetes spec: hosts: - #% for item in cluster.nodes.inventory %# - #% if item.controller %# + {% for item in cluster.nodes.inventory %} + {% if item.controller %} - role: controller+worker - #% else %# + {% else %} - role: worker - #% endif %# + {% endif %} ssh: - address: "#{ item.address }#" - user: "#{ item.ssh_username }#" - #% if item.controller %# + address: "{{ item.address }}" + user: "{{ item.ssh_username }}" + {% if item.controller %} installFlags: - --disable-components=metrics-server - --no-taints - #% endif %# + {% endif %} files: - name: bootstrap-scripts src: scripts hooks: apply: before: - - bash ~/apply-system.sh "#{ item.name }#" - #% if item.controller %# + - bash ~/apply-system.sh "{{ item.name }}" + {% if item.controller %} - bash ~/apply-kube-vip.sh - #% endif %# + {% endif %} reset: before: - bash ~/reset-cilium.sh after: - bash ~/reset-system.sh - #% endfor %# + {% endfor %} k0s: # renovate: datasource=github-releases depName=k0sproject/k0s version: v1.29.1+k0s.0 
@@ -55,21 +55,21 @@ spec: listen-metrics-urls: http://0.0.0.0:2381 api: sans: - #% if cluster.endpoint_vip %# - - "#{ cluster.endpoint_vip }#" - #% endif %# - #% for item in cluster.tls_sans %# - - "#{ item }#" - #% endfor %# - #% for item in controllers %# - #% if item.controller %# - - "#{ item.address }#" - - "#{ item.name }#" - #% endif %# - #% endfor %# + {% if cluster.endpoint_vip %} + - "{{ cluster.endpoint_vip }}" + {% endif %} + {% for item in cluster.tls_sans %} + - "{{ item }}" + {% endfor %} + {% for item in controllers %} + {% if item.controller %} + - "{{ item.address }}" + - "{{ item.name }}" + {% endif %} + {% endfor %} network: - podCIDR: "#{ cluster.pod_network.split(',')[0] }#" - serviceCIDR: "#{ cluster.service_network.split(',')[0] }#" + podCIDR: "{{ cluster.pod_network.split(',')[0] }}" + serviceCIDR: "{{ cluster.service_network.split(',')[0] }}" provider: custom kubeProxy: disabled: true @@ -88,6 +88,6 @@ spec: version: 1.14.6 namespace: kube-system values: |2 - #% filter indent(width=18, first=True) %# - #% include 'partials/cilium-values-init.partial.yaml.j2' %# - #% endfilter %# + {% filter indent(width=18, first=True) %} + {% include 'partials/cilium-values-init.partial.yaml.j2' %} + {% endfilter %} diff --git a/bootstrap/templates/kubernetes/k0s/scripts/apply-kube-vip.sh.j2 b/bootstrap/templates/kubernetes/k0s/scripts/apply-kube-vip.sh.j2 index bd9f037e9f3..b5d46ee969c 100755 --- a/bootstrap/templates/kubernetes/k0s/scripts/apply-kube-vip.sh.j2 +++ b/bootstrap/templates/kubernetes/k0s/scripts/apply-kube-vip.sh.j2 @@ -9,10 +9,10 @@ mkdir -p /var/lib/k0s/manifests/kube-vip # Create kube-vip rbac cat < /var/lib/k0s/manifests/kube-vip/rbac.yaml -#% include 'partials/kube-vip-rbac.partial.yaml.j2' %# +{% include 'partials/kube-vip-rbac.partial.yaml.j2' %} EOF # Create kube-vip daemonset cat < /var/lib/k0s/manifests/kube-vip/ds.yaml -#% include 'partials/kube-vip-ds.partial.yaml.j2' %# +{% include 'partials/kube-vip-ds.partial.yaml.j2' %} EOF 
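Review bot: `{% for item in controllers %}` in the api.sans block iterates a variable that nothing in this diff defines — every other node loop in k0sctl.yaml.j2 and talconfig.yaml.j2 walks `cluster.nodes.inventory`, and patch 3 of this series fixes what looks like the same slip (`nodes`) in the csr-approver partial. Because makejinja.toml keeps `undefined = "chainable"`, an undefined `controllers` renders as an empty loop rather than an error, so the controller addresses and hostnames would silently be missing from the API server certificate SANs. If it is indeed undefined, `{% for item in cluster.nodes.inventory %}` is the fix; the `{% if item.controller %}` guard inside the loop already narrows it to controllers.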
diff --git a/bootstrap/templates/kubernetes/k0s/scripts/apply-system.sh.j2 b/bootstrap/templates/kubernetes/k0s/scripts/apply-system.sh.j2 index d8a08069473..b0fe4c51c77 100755 --- a/bootstrap/templates/kubernetes/k0s/scripts/apply-system.sh.j2 +++ b/bootstrap/templates/kubernetes/k0s/scripts/apply-system.sh.j2 @@ -22,7 +22,7 @@ EOF fi # Timezone -timedatectl set-timezone "#{ timezone }#" +timedatectl set-timezone "{{ timezone }}" # Install Packages apt-get install -y --no-install-recommends \ @@ -35,10 +35,10 @@ apt-get install -y --no-install-recommends \ chattr -i /etc/resolv.conf rm -f /etc/resolv.conf cat < /etc/resolv.conf -search #{ cluster.nodes.search_domain|default('.', true) }# -#% for item in cluster.nodes.dns_servers %# -nameserver #{ item }# -#% endfor %# +search {{ cluster.nodes.search_domain|default('.', true) }} +{% for item in cluster.nodes.dns_servers %} +nameserver {{ item }} +{% endfor %} EOF chattr +i /etc/resolv.conf diff --git a/bootstrap/templates/kubernetes/talos/cilium/values.yaml.j2 b/bootstrap/templates/kubernetes/talos/cilium/values.yaml.j2 index ecaa091764b..53ff2ca8308 100644 --- a/bootstrap/templates/kubernetes/talos/cilium/values.yaml.j2 +++ b/bootstrap/templates/kubernetes/talos/cilium/values.yaml.j2 @@ -1,4 +1,4 @@ --- -#% filter indent(width=0, first=True) %# -#% include 'partials/cilium-values-init.partial.yaml.j2' %# -#% endfilter %# +{% filter indent(width=0, first=True) %} +{% include 'partials/cilium-values-init.partial.yaml.j2' %} +{% endfilter %} diff --git a/bootstrap/templates/kubernetes/talos/kubelet-csr-approver/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/talos/kubelet-csr-approver/kustomization.yaml.j2 index 298db36367a..f4e7334b0dd 100644 --- a/bootstrap/templates/kubernetes/talos/kubelet-csr-approver/kustomization.yaml.j2 +++ b/bootstrap/templates/kubernetes/talos/kubelet-csr-approver/kustomization.yaml.j2 
@@ -9,9 +9,9 @@ helmCharts: releaseName: kubelet-csr-approver namespace: kube-system valuesInline: - #% filter indent(width=6, first=True) %# - #% include 'partials/kubelet-csr-approver-values.partial.yaml.j2' %# - #% endfilter %# + {% filter indent(width=6, first=True) %} + {% include 'partials/kubelet-csr-approver-values.partial.yaml.j2' %} + {% endfilter %} commonAnnotations: meta.helm.sh/release-name: kubelet-csr-approver meta.helm.sh/release-namespace: kube-system diff --git a/bootstrap/templates/kubernetes/talos/talconfig.yaml.j2 b/bootstrap/templates/kubernetes/talos/talconfig.yaml.j2 index f988da1b374..81838d93aa8 100644 --- a/bootstrap/templates/kubernetes/talos/talconfig.yaml.j2 +++ b/bootstrap/templates/kubernetes/talos/talconfig.yaml.j2 
@@ -6,50 +6,50 @@ talosVersion: v1.6.3 kubernetesVersion: v1.29.1 clusterName: &cluster home-kubernetes -endpoint: https://#{ cluster.endpoint_vip }#:6443 +endpoint: https://{{ cluster.endpoint_vip }}:6443 clusterPodNets: - - "#{ cluster.pod_network.split(',')[0] }#" + - "{{ cluster.pod_network.split(',')[0] }}" clusterSvcNets: - - "#{ cluster.service_network.split(',')[0] }#" + - "{{ cluster.service_network.split(',')[0] }}" additionalApiServerCertSans: &sans - - "#{ cluster.endpoint_vip }#" + - "{{ cluster.endpoint_vip }}" - 127.0.0.1 - #% for item in cluster.tls_sans %# - - "#{ item }#" - #% endfor %# + {% for item in cluster.tls_sans %} + - "{{ item }}" + {% endfor %} additionalMachineCertSans: *sans cniConfig: name: none nodes: - #% for item in cluster.nodes.inventory %# - - hostname: "#{ item.name }#" - ipAddress: "#{ item.address }#" - #% if item.talos_disk_device.startswith('/') %# - installDisk: "#{ item.talos_disk_device }#" - #% else %# + {% for item in cluster.nodes.inventory %} + - hostname: "{{ item.name }}" + ipAddress: "{{ item.address }}" + {% if item.talos_disk_device.startswith('/') %} + installDisk: "{{ item.talos_disk_device }}" + {% else %} installDiskSelector: - serial: "#{ item.talos_disk_device }#" - #% endif %# - #% if item.controller %# + serial: "{{ item.talos_disk_device }}" + {% endif %} + {% if item.controller %} controlPlane: true - #% else %# + {% else %} controlPlane: false - #% endif %# + {% endif %} networkInterfaces: - interface: eth0 dhcp: false addresses: - - "#{ item.address }#/#{ cluster.nodes.host_network.split('/') | last }#" + - "{{ item.address }}/{{ cluster.nodes.host_network.split('/') | last }}" mtu: 1500 routes: - network: 0.0.0.0/0 - gateway: "#{ cluster.nodes.host_network | nthhost(1) }#" - #% if item.controller %# + gateway: "{{ cluster.nodes.host_network | nthhost(1) }}" + {% if item.controller %} vip: - ip: "#{ cluster.endpoint_vip }#" - #% endif %# - #% endfor %# + ip: "{{ cluster.endpoint_vip }}" + {% endif %} 
+ {% endfor %} controlPlane: patches: @@ -92,7 +92,7 @@ controlPlane: rotate-server-certificates: true nodeIP: validSubnets: - - "#{ cluster.nodes.host_network }#" + - "{{ cluster.nodes.host_network }}" # Enable KubePrism - &kubePrismPatch |- @@ -107,9 +107,9 @@ controlPlane: machine: network: nameservers: - #% for item in cluster.nodes.dns_servers %# - - #{ item }# - #% endfor %# + {% for item in cluster.nodes.dns_servers %} + - {{ item }} + {% endfor %} # Configure NTP - &ntpPatch |- @@ -147,7 +147,7 @@ controlPlane: extraArgs: listen-metrics-urls: http://0.0.0.0:2381 advertisedSubnets: - - "#{ cluster.nodes.host_network }#" + - "{{ cluster.nodes.host_network }}" # Disable default API server admission plugins. - |- diff --git a/bootstrap/templates/partials/cilium-values-full.partial.yaml.j2 b/bootstrap/templates/partials/cilium-values-full.partial.yaml.j2 index 5d7187a4a77..af57c5c3d97 100644 --- a/bootstrap/templates/partials/cilium-values-full.partial.yaml.j2 +++ b/bootstrap/templates/partials/cilium-values-full.partial.yaml.j2 @@ -8,14 +8,14 @@ cluster: id: 1 containerRuntime: integration: containerd - #% if distribution in ['k3s'] %# + {% if distribution in ['k3s'] %} socketPath: /var/run/k3s/containerd/containerd.sock - #% elif distribution in ['k0s'] %# + {% elif distribution in ['k0s'] %} socketPath: /var/run/k0s/containerd.sock - #% endif %# + {% endif %} endpointRoutes: enabled: true -#% if cloudflare.enabled %# +{% if cloudflare.enabled %} hubble: enabled: true metrics: 
@@ -50,41 +50,41 @@ hubble: tls: - hosts: - "hubble.${SECRET_DOMAIN}" -#% else %# +{% else %} hubble: enabled: false -#% endif %# +{% endif %} ipam: mode: kubernetes ipv4NativeRoutingCIDR: "${CLUSTER_CIDR}" -#% if feature_gates.dual_stack_ipv4_first %# +{% if feature_gates.dual_stack_ipv4_first %} ipv6NativeRoutingCIDR: "${CLUSTER_CIDR_V6}" ipv6: enabled: true -#% endif %# -#% if distribution in ['k3s'] %# +{% endif %} +{% if distribution in ['k3s'] %} k8sServiceHost: 127.0.0.1 k8sServicePort: 6444 -#% elif distribution in ['k0s'] %# +{% elif distribution in ['k0s'] %} k8sServiceHost: localhost k8sServicePort: 7443 -#% elif distribution in ['talos'] %# +{% elif distribution in ['talos'] %} k8sServiceHost: 127.0.0.1 k8sServicePort: 7445 -#% endif %# +{% endif %} kubeProxyReplacement: true kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 l2announcements: - #% if feature_gates.dual_stack_ipv4_first %# + {% if feature_gates.dual_stack_ipv4_first %} # https://github.com/cilium/cilium/issues/28985 enabled: false - #% else %# + {% else %} enabled: true # https://github.com/cilium/cilium/issues/26586 leaseDuration: 120s leaseRenewDeadline: 60s leaseRetryPeriod: 1s - #% endif %# + {% endif %} loadBalancer: algorithm: maglev mode: dsr diff --git a/bootstrap/templates/partials/cilium-values-init.partial.yaml.j2 b/bootstrap/templates/partials/cilium-values-init.partial.yaml.j2 index 4951d70305b..42d7b1dd7a3 100644 --- a/bootstrap/templates/partials/cilium-values-init.partial.yaml.j2 +++ b/bootstrap/templates/partials/cilium-values-init.partial.yaml.j2 
@@ -8,46 +8,46 @@ cluster: id: 1 containerRuntime: integration: containerd - #% if distribution in ['k3s'] %# + {% if distribution in ['k3s'] %} socketPath: /var/run/k3s/containerd/containerd.sock - #% elif distribution in ['k0s'] %# + {% elif distribution in ['k0s'] %} socketPath: /var/run/k0s/containerd.sock - #% endif %# + {% endif %} endpointRoutes: enabled: true hubble: enabled: false ipam: mode: kubernetes -ipv4NativeRoutingCIDR: "#{ cluster.pod_network }#" -#% if feature_gates.dual_stack_ipv4_first %# -ipv6NativeRoutingCIDR: "#{ cluster.pod_network_v6 }#" +ipv4NativeRoutingCIDR: "{{ cluster.pod_network }}" +{% if feature_gates.dual_stack_ipv4_first %} +ipv6NativeRoutingCIDR: "{{ cluster.pod_network_v6 }}" ipv6: enabled: true -#% endif %# -#% if distribution in ['k3s'] %# +{% endif %} +{% if distribution in ['k3s'] %} k8sServiceHost: 127.0.0.1 k8sServicePort: 6444 -#% elif distribution in ['k0s'] %# +{% elif distribution in ['k0s'] %} k8sServiceHost: localhost k8sServicePort: 7443 -#% elif distribution in ['talos'] %# +{% elif distribution in ['talos'] %} k8sServiceHost: 127.0.0.1 k8sServicePort: 7445 -#% endif %# +{% endif %} kubeProxyReplacement: true kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 l2announcements: - #% if feature_gates.dual_stack_ipv4_first %# + {% if feature_gates.dual_stack_ipv4_first %} # https://github.com/cilium/cilium/issues/28985 enabled: false - #% else %# + {% else %} enabled: true # https://github.com/cilium/cilium/issues/26586 leaseDuration: 120s leaseRenewDeadline: 60s leaseRetryPeriod: 1s - #% endif %# + {% endif %} loadBalancer: algorithm: maglev mode: dsr diff --git a/bootstrap/templates/partials/kube-vip-ds.partial.yaml.j2 b/bootstrap/templates/partials/kube-vip-ds.partial.yaml.j2 index 7e102df2724..543c275841e 100644 --- a/bootstrap/templates/partials/kube-vip-ds.partial.yaml.j2 +++ b/bootstrap/templates/partials/kube-vip-ds.partial.yaml.j2 
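Review bot: `ipv4NativeRoutingCIDR: "{{ cluster.pod_network }}"` interpolates the whole `pod_network` value, whereas cluster-settings.yaml.j2, k0sctl.yaml.j2 and talconfig.yaml.j2 in this same patch use `cluster.pod_network.split(',')[0]`; with dual-stack enabled that leaves a comma-separated pair in a field Cilium expects to hold a single IPv4 CIDR. `cluster.pod_network_v6` is likewise referenced only here — cluster-settings derives the v6 CIDR with `.split(',')[1]` — and under `undefined = "chainable"` an undefined name renders as an empty string, so the v6 routing CIDR would silently be blank. Suggest `ipv4NativeRoutingCIDR: "{{ cluster.pod_network.split(',')[0] }}"` and `ipv6NativeRoutingCIDR: "{{ cluster.pod_network.split(',')[1] }}"` to match the other templates.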
@@ -21,7 +21,7 @@ spec: args: ["manager"] env: - name: address - value: "#{ cluster.endpoint_vip }#" + value: "{{ cluster.endpoint_vip }}" - name: vip_arp value: "true" - name: lb_enable diff --git a/bootstrap/templates/partials/kubelet-csr-approver-values.partial.yaml.j2 b/bootstrap/templates/partials/kubelet-csr-approver-values.partial.yaml.j2 index 30a4311a593..99a41824b09 100644 --- a/bootstrap/templates/partials/kubelet-csr-approver-values.partial.yaml.j2 +++ b/bootstrap/templates/partials/kubelet-csr-approver-values.partial.yaml.j2 @@ -1,2 +1,2 @@ -providerRegex: ^(#{ (nodes | map(attribute='name') | join('|')) }#)$ +providerRegex: ^({{ (nodes | map(attribute='name') | join('|')) }})$ bypassDnsResolution: true diff --git a/makejinja.toml b/makejinja.toml index 7278f2227d9..e748deba2f2 100644 --- a/makejinja.toml +++ b/makejinja.toml @@ -9,13 +9,10 @@ jinja_suffix = ".j2" force = true undefined = "chainable" -# Block and comment delimiters are changed to avoid conflicts with Renovate -# Variable delimiters are changed to avoid conflicts with Renovate and Go templates -# https://github.com/renovatebot/renovate/discussions/18470 [makejinja.delimiter] -block_start = "#%" -block_end = "%#" -comment_start = "#|" -comment_end = "|#" -variable_start = "#{" -variable_end = "}#" +block_start = "{%" +block_end = "%}" +comment_start = "{#" +comment_end = "#}" +variable_start = "{{" +variable_end = "}}" From ed252c0154785b1a1cc142d7713e9b2c8e4b1eb7 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Mon, 29 Jan 2024 17:05:10 -0500 Subject: [PATCH 2/3] feat: remove cert-manager promrules Signed-off-by: Devin Buhl --- .../cert-manager/app/kustomization.yaml.j2 | 1 - .../cert-manager/app/prometheusrule.yaml.j2 | 59 ------------------- 2 files changed, 60 deletions(-) delete mode 100644 bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/prometheusrule.yaml.j2 
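Review bot: The makejinja.toml hunk drops the comment that explained why the delimiters were non-default, but the underlying reason still applies on the template side: any literal Go/Helm or Prometheus `{{ ... }}` in a `.j2` file is now evaluated by Jinja and must be wrapped in `{% raw %}...{% endraw %}`, as the echo-server helmrelease in this patch does. Suggest keeping a pointer in the delimiter block: `# Default Jinja delimiters: literal Helm/Go or Prometheus {{ }} expressions in templates must be wrapped in {% raw %} ... {% endraw %}`. Separately, the surviving `undefined = "chainable"` means a mistyped variable renders as an empty string instead of failing the render; for the `*.sops.yaml.j2` Secret templates in this patch that produces an empty credential without any error, so if makejinja accepts `undefined = "strict"` it is worth considering.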
diff --git a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml.j2 b/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml.j2 index 8ae526670a5..5dd7baca73d 100644 --- a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml.j2 +++ b/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml.j2 @@ -3,4 +3,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helmrelease.yaml - - ./prometheusrule.yaml diff --git a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/prometheusrule.yaml.j2 b/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/prometheusrule.yaml.j2 deleted file mode 100644 index b96bf13fdc6..00000000000 --- a/bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/prometheusrule.yaml.j2 +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: cert-manager.rules -spec: - groups: - - name: cert-manager - rules: - - alert: CertManagerAbsent - expr: | - absent(up{job="cert-manager"}) - for: 15m - labels: - severity: critical - annotations: - description: > - New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is back. - runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent - summary: "Cert Manager has dissapeared from Prometheus service discovery." - - name: certificates - rules: - - alert: CertManagerCertExpirySoon - expr: | - avg by (exported_namespace, namespace, name) (certmanager_certificate_expiration_timestamp_seconds - time()) < (21 * 24 * 3600) - for: 15m - labels: - severity: warning - annotations: - description: > - The domain that this cert covers will be unavailable after {% raw %}{{ $value | humanizeDuration }}{% endraw %}. - Clients using endpoints that this cert protects will start to fail in {% raw %}{{ $value | humanizeDuration }}{% endraw %}. - runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon - summary: | - The cert {% raw %}{{ $labels.name }}{% endraw %} is {% raw %}{{ $value | humanizeDuration }}{% endraw %} from expiry, it should have renewed over a week ago. - - alert: CertManagerCertNotReady - expr: | - max by (name, exported_namespace, namespace, condition) (certmanager_certificate_ready_status{condition!="True"} == 1) - for: 15m - labels: - severity: critical - annotations: - description: > - This certificate has not been ready to serve traffic for at least - 10m. If the cert is being renewed or there is another valid cert, the ingress - controller _may_ be able to serve that instead. 
- runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready - summary: "The cert {% raw %}{{ $labels.name }}{% endraw %} is not ready to serve traffic." - - alert: CertManagerHittingRateLimits - expr: | - sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m])) > 0 - for: 15m - labels: - severity: critical - annotations: - description: > - Depending on the rate limit, cert-manager may be unable to generate certificates for up to a week. - runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits - summary: "Cert manager hitting LetsEncrypt rate limits." From 9b10b59eca23905e43408c1b5dc5b2659dd59651 Mon Sep 17 00:00:00 2001 From: Devin Buhl Date: Mon, 29 Jan 2024 17:08:39 -0500 Subject: [PATCH 3/3] fix: update talos csr approver Signed-off-by: Devin Buhl --- .../partials/kubelet-csr-approver-values.partial.yaml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap/templates/partials/kubelet-csr-approver-values.partial.yaml.j2 b/bootstrap/templates/partials/kubelet-csr-approver-values.partial.yaml.j2 index 99a41824b09..8d8c1f70188 100644 --- a/bootstrap/templates/partials/kubelet-csr-approver-values.partial.yaml.j2 +++ b/bootstrap/templates/partials/kubelet-csr-approver-values.partial.yaml.j2 @@ -1,2 +1,2 @@ -providerRegex: ^({{ (nodes | map(attribute='name') | join('|')) }})$ +providerRegex: ^({{ (cluster.nodes.inventory | map(attribute='name') | join('|')) }})$ bypassDnsResolution: true
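Review bot: Node names are interpolated verbatim into `providerRegex`, so a name containing regex metacharacters (a `.` in an FQDN-style hostname, for instance) widens what the approver accepts instead of matching literally. If the render pipeline exposes a regex-escape filter (it already uses custom filters such as `nthhost`), apply it per element; otherwise document the constraint alongside the value with `# node names are used unescaped in a regex; keep them to [A-Za-z0-9-]`. Since `bypassDnsResolution: true` also disables the hostname-resolution check, this regex is the main gate on kubelet serving-certificate approval; if the chart supports `providerIpPrefixes`, restricting it to `{{ cluster.nodes.host_network }}` would additionally bound the IP SANs a kubelet may request.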