feat(storage): introduce storage cluster

README.md

@@ -72,7 +72,8 @@ This Git repository contains the following directories under [Kubernetes](./kube
 ├── 📁 apps           # applications
 └── 📁 clusters       # clusters
     ├── 📁 deedee     # main cluster
-    └── 📁 dexter     # development cluster, deployed on VMs
+    ├── 📁 dexter     # development cluster, deployed on VMs
+    └── 📁 meemee     # storage cluster
 📁 opentofu           # opentofu scripts for external services (cloudflare)
 📁 talos              # talhelper scripts to bootstrap Talos
 ```

Taskfile.yaml

@@ -17,6 +17,47 @@ tasks:
       - "sh -c 'go-task -l || task -l'"
 
   # yamllint disable rule:line-length
+  'bootstrap:meemee':
+    desc: >-
+      Install core manifests
+    cmds:
+      # necessary CRDs
+      - kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/main/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml
+      - kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml
+      - kubectl apply -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/main/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml
+
+      # apps
+      - kubectl apply -f https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
+
+      - helm dependency build kubernetes/clusters/meemee/argocd/argocd/
+      - kubectl create namespace argocd
+      - helm template -n argocd argo-cd kubernetes/clusters/meemee/argocd/argocd/ | kubectl apply -n argocd -f -
+      - kubectl -n argocd rollout status deployment argo-cd-argocd-redis --timeout=1800s
+      - kubectl -n argocd rollout status deployment argo-cd-argocd-server --timeout=1800s
+      - kubectl -n argocd rollout status deployment argo-cd-argocd-repo-server --timeout=1800s
+
+      - kubectl apply -f kubernetes/clusters/meemee/kube-system/metrics-server/application.yaml
+      - kubectl -n argocd wait --timeout=1800s --for=jsonpath='{.status.sync.status}=Synced' application metrics-server
+      - kubectl -n argocd wait --timeout=1800s --for=jsonpath='{.status.health.status}=Healthy' application metrics-server
+
+      - kubectl apply -f kubernetes/clusters/meemee/cert-manager/cert-manager/application.yaml
+      - kubectl -n argocd wait --timeout=1800s --for=jsonpath='{.status.sync.status}=Synced' application cert-manager
+      - kubectl -n argocd wait --timeout=1800s --for=jsonpath='{.status.health.status}=Healthy' application cert-manager
+      - kubectl apply -f kubernetes/clusters/meemee/networking/ingress-nginx/application.yaml
+      - kubectl -n argocd wait --timeout=1800s --for=jsonpath='{.status.sync.status}=Synced' application ingress-nginx
+      - kubectl -n argocd wait --timeout=1800s --for=jsonpath='{.status.health.status}=Healthy' application ingress-nginx
+
+      - kubectl apply -f kubernetes/apps/kube-system/reloader/application.yaml
+      - kubectl -n argocd wait --timeout=1800s --for=jsonpath='{.status.sync.status}=Synced' application reloader
+      - kubectl -n argocd wait --timeout=1800s --for=jsonpath='{.status.health.status}=Healthy' application reloader
+
+      - kubectl apply -f kubernetes/clusters/meemee/networking/smtp-relay/application.yaml
+      - kubectl -n argocd wait --timeout=1800s --for=jsonpath='{.status.sync.status}=Synced' application smtp-relay
+      - kubectl -n argocd wait --timeout=1800s --for=jsonpath='{.status.health.status}=Healthy' application smtp-relay
+      - kubectl apply -f kubernetes/clusters/meemee/monitoring/kube-prometheus-stack/application.yaml
+      - kubectl -n argocd wait --timeout=1800s --for=jsonpath='{.status.sync.status}=Synced' application kube-prometheus-stack
+      - kubectl -n argocd wait --timeout=1800s --for=jsonpath='{.status.health.status}=Healthy' application kube-prometheus-stack
+
   'bootstrap:stage1':
     desc: >-
       Install core manifests for CNI, storage and GitOps (ex. task bootstrap:stage1 cluster=deedee)

kubernetes/apps/external/ingress-nginx/values.yaml

@@ -74,23 +74,23 @@ ingress-nginx:
       log-format-escape-json: "true"
       log-format-upstream: >
         {
-          "time": "$time_iso8601",
-          "remote_addr": "$proxy_protocol_addr",
-          "x_forwarded_for": "$proxy_add_x_forwarded_for",
-          "request_id": "$req_id",
-          "remote_user": "$remote_user",
-          "bytes_sent": $bytes_sent,
-          "request_time": $request_time,
-          "status": $status,
-          "vhost": "$host",
-          "request_proto": "$server_protocol",
-          "path": "$uri",
-          "request_query": "$args",
-          "request_length": $request_length,
-          "duration": $request_time,
-          "method": "$request_method",
-          "http_referrer": "$http_referer",
-          "http_user_agent": "$http_user_agent"
+        "time": "$time_iso8601",
+        "remote_addr": "$proxy_protocol_addr",
+        "x_forwarded_for": "$proxy_add_x_forwarded_for",
+        "request_id": "$req_id",
+        "remote_user": "$remote_user",
+        "bytes_sent": $bytes_sent,
+        "request_time": $request_time,
+        "status": $status,
+        "vhost": "$host",
+        "request_proto": "$server_protocol",
+        "path": "$uri",
+        "request_query": "$args",
+        "request_length": $request_length,
+        "duration": $request_time,
+        "method": "$request_method",
+        "http_referrer": "$http_referer",
+        "http_user_agent": "$http_user_agent"
         }
       proxy-body-size: 0
       proxy-buffer-size: 16k

kubernetes/apps/monitoring/kube-prometheus-stack/values.yaml

@@ -16,10 +16,10 @@ kube-prometheus-stack:
         gethomepage.dev/icon: alertmanager.png
         gethomepage.dev/description: Alerts Management
       hosts:
-        - &host "alertmanager.<path:kubernetes/data/internal/base#ROOT_DOMAIN>"
+        - "alertmanager.<path:kubernetes/data/internal/base#ROOT_DOMAIN>"
       tls:
         - hosts:
-            - *host
+            - "alertmanager.<path:kubernetes/data/internal/base#ROOT_DOMAIN>"
       path: /
     config:
       global:
@@ -213,10 +213,10 @@ kube-prometheus-stack:
         gethomepage.dev/icon: prometheus.png
         gethomepage.dev/description: Metrics Collector
       hosts:
-        - &host "prometheus.<path:kubernetes/data/internal/base#ROOT_DOMAIN>"
+        - "prometheus.<path:kubernetes/data/internal/base#ROOT_DOMAIN>"
       tls:
         - hosts:
-            - *host
+            - "prometheus.<path:kubernetes/data/internal/base#ROOT_DOMAIN>"
       path: /
     thanosService:
       enabled: true

kubernetes/apps/networking/ingress-nginx/values.yaml

@@ -85,23 +85,23 @@ ingress-nginx:
       log-format-escape-json: "true"
       log-format-upstream: >
         {
-          "time": "$time_iso8601",
-          "remote_addr": "$proxy_protocol_addr",
-          "x_forwarded_for": "$proxy_add_x_forwarded_for",
-          "request_id": "$req_id",
-          "remote_user": "$remote_user",
-          "bytes_sent": $bytes_sent,
-          "request_time": $request_time,
-          "status": $status,
-          "vhost": "$host",
-          "request_proto": "$server_protocol",
-          "path": "$uri",
-          "request_query": "$args",
-          "request_length": $request_length,
-          "duration": $request_time,
-          "method": "$request_method",
-          "http_referrer": "$http_referer",
-          "http_user_agent": "$http_user_agent"
+        "time": "$time_iso8601",
+        "remote_addr": "$proxy_protocol_addr",
+        "x_forwarded_for": "$proxy_add_x_forwarded_for",
+        "request_id": "$req_id",
+        "remote_user": "$remote_user",
+        "bytes_sent": $bytes_sent,
+        "request_time": $request_time,
+        "status": $status,
+        "vhost": "$host",
+        "request_proto": "$server_protocol",
+        "path": "$uri",
+        "request_query": "$args",
+        "request_length": $request_length,
+        "duration": $request_time,
+        "method": "$request_method",
+        "http_referrer": "$http_referer",
+        "http_user_agent": "$http_user_agent"
         }
       proxy-body-size: 0
       proxy-buffer-size: 16k

kubernetes/clusters/meemee/argocd/app-of-apps/application.yaml

@@ -0,0 +1,32 @@
+---
+# yaml-language-server: $schema=https://deedee-ops.github.io/schemas/argoproj.io/application_v1alpha1.json
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: app-of-apps
+  namespace: argocd
+spec:
+  destination:
+    namespace: default
+    server: https://kubernetes.default.svc
+  project: default
+  sources:
+    - path: kubernetes/clusters/meemee
+      repoURL: https://github.com/deedee-ops/home-ops.git
+      targetRevision: master
+      directory:
+        recurse: true
+        include: "*/application.yaml"
+        exclude: "*/app-of-apps/application.yaml"
+  syncPolicy:
+    automated:
+      allowEmpty: false
+      selfHeal: false
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: -1
+      backoff:
+        duration: 10s
+        factor: 1

kubernetes/clusters/meemee/argocd/argocd/Chart.yaml

@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/chart.json
+apiVersion: v2
+name: argo-cd
+version: 1.0.0
+type: application
+dependencies:
+  - name: argo-cd
+    version: 5.51.6
+    repository: https://argoproj.github.io/argo-helm

kubernetes/clusters/meemee/argocd/argocd/application.yaml

@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://deedee-ops.github.io/schemas/argoproj.io/application_v1alpha1.json
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+  namespace: argocd
+spec:
+  project: default
+  sources:
+    - repoURL: https://github.com/deedee-ops/home-ops.git
+      path: kubernetes/clusters/meemee/argocd/argocd
+      targetRevision: master
+      helm: {}
+
+  destination:
+    namespace: argocd
+    server: https://kubernetes.default.svc
+
+  syncPolicy:
+    automated:
+      allowEmpty: true
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

kubernetes/clusters/meemee/argocd/argocd/templates/prometheus_rule.yaml

@@ -0,0 +1,43 @@
+---
+# yaml-language-server: $schema=https://deedee-ops.github.io/schemas/monitoring.coreos.com/prometheusrule_v1.json
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: argocd
+spec:
+  groups:
+    - name: argocd.rules
+      rules:
+        - alert: ArgocdServiceNotSynced
+          expr: argocd_app_info{sync_status!="Synced"} != 0
+          for: 15m
+          labels:
+            severity: warning
+          annotations:
+            summary: ArgoCD service not synced (instance {{`{{ $labels.instance }}`}})
+            description: |-
+              Service {{`{{ $labels.name }}`}} run by argo is currently not in sync.
+                VALUE = {{`{{ $value }}`}}
+                LABELS = {{`{{ $labels }}`}}
+        - alert: ArgocdServiceUnhealthy
+          expr: argocd_app_info{health_status!~"Healthy|Suspended"} != 0
+          for: 15m
+          labels:
+            severity: warning
+          annotations:
+            summary: ArgoCD service unhealthy (instance {{`{{ $labels.instance }}`}})
+            description: |-
+              Service {{`{{ $labels.name }}`}} run by argo is currently not healthy.
+                VALUE = {{`{{ $value }}`}}
+                LABELS = {{`{{ $labels }}`}}
+        - alert: ArgocdImageUpdaterError
+          expr: increase(argocd_image_updater_k8s_api_errors_total[5m]) > 0
+          for: 0m
+          labels:
+            severity: warning
+          annotations:
+            summary: Argocd image updater failed
+            description: |-
+              Argocd image updater failed, check the updater pod logs.
+                VALUE = {{`{{ $value }}`}}
+                LABELS = {{`{{ $labels }}`}}

kubernetes/clusters/meemee/argocd/argocd/values.yaml

@@ -0,0 +1,100 @@
+---
+argo-cd:
+  global:
+    deploymentStrategy:
+      type: RollingUpdate
+    securityContext:
+      runAsNonRoot: true
+      runAsUser: 999
+      runAsGroup: 999
+      seccompProfile:
+        type: RuntimeDefault
+  configs:
+    params:
+      # by default argocd handles SSL termination on its own, which breaks TLS termination on nginx,
+      # causing infinite loop
+      "server.insecure": true
+    repositories:
+      deedee-ops-home-ops:
+        name: home-ops
+        type: git
+        url: https://github.com/deedee-ops/home-ops.git
+
+  controller:
+    replicas: 1
+    containerSecurityContext:
+      runAsNonRoot: true
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop:
+          - ALL
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+
+  dex:
+    enabled: false
+
+  notifications:
+    enabled: false
+
+  server:
+    replicas: 1
+    containerSecurityContext:
+      runAsNonRoot: true
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop:
+          - ALL
+    autoscaling:
+      enabled: false
+    ingress:
+      enabled: true
+      ingressClassName: internal
+      hosts:
+        - "argocd.nas.rzegocki.dev"
+      tls:
+        - hosts:
+            - "argocd.nas.rzegocki.dev"
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+
+  repoServer:
+    replicas: 1
+    containerSecurityContext:
+      runAsNonRoot: true
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop:
+          - ALL
+    autoscaling:
+      enabled: false
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+    serviceAccount:
+      automountServiceAccountToken: true
+
+  applicationSet:
+    enabled: false
+
+  redis:
+    enabled: true
+    containerSecurityContext:
+      runAsNonRoot: true
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop:
+          - ALL
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true

kubernetes/clusters/meemee/cert-manager/cert-manager/Chart.yaml

@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/chart.json
+apiVersion: v2
+name: cert-manager
+version: 1.0.0
+type: application
+dependencies:
+  - name: cert-manager
+    version: v1.13.3
+    repository: https://charts.jetstack.io