4
0
Fork 2
mirror of https://gerrit.hackerspace.pl/hscloud synced 2025-01-21 22:23:54 +00:00
Commit graph

394 commits

Author SHA1 Message Date
87f6a9d1c3 cluster/registry: bump registry to v2.8.3 (latest)
Change-Id: I16958556db3b11456184da1c80f2c2faf1c2f9b7
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2014
Reviewed-by: informatic <informatic@hackerspace.pl>
2024-11-02 08:15:02 +00:00
93b5080a4d cluster/registry: clean up jsonnet
Refactoring registry to use newer syntax/jsonnet helpers/conventions, in line with the rest of the codebase.

Change-Id: I20508c8f6ef9a2d0e8faa7de3d3b9efcf2c91af3
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2013
Reviewed-by: q3k <q3k@hackerspace.pl>
2024-11-01 17:32:43 +00:00
5c0e878266 cluster/k0: fix birb/metallb bgp mess
This fixes cluster routing, which broke for some reason at some point.
It ensures cluster routes get propagated correctly across nodes.

This is a mess. We should replace this.

Change-Id: Ic749a529da620fa201ec9cd71a6a8eed664e2d0f
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2012
Reviewed-by: radex <radex@hackerspace.pl>
2024-10-31 21:02:41 +00:00
bd48de1e12 cluster/kube: bump coredns, metallb
These changes were already live but were not committed

Change-Id: Ib0590964ad8521d06ad2219b51751e65b6f9742f
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2011
Reviewed-by: q3k <q3k@hackerspace.pl>
2024-10-31 21:02:26 +00:00
80e3003542 cluster/metrics: reuse vendored manifests yaml
Change-Id: I83592266d5af39307af2774eb24a0b08229864cb
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2010
Reviewed-by: q3k <q3k@hackerspace.pl>
2024-10-31 21:02:20 +00:00
cf8032a636 cluster/metrics: update to v0.5.1
This brings the code up to date with what was already deployed

Change-Id: I8e47787df8d421857f8a011ce3d6ab29488f980a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2009
Reviewed-by: q3k <q3k@hackerspace.pl>
2024-10-31 21:01:55 +00:00
6da7d2b75f cluster/nginx: bump to v0.51.0
Forked Dockerfile is no longer necessary, as 0.51.0 has a newer openssl

This is the newest version of n-i-c we can use with current k8s version. v1.0.0 requires k8s at least v1.19

Change-Id: Ibb244482cef2624274817ea6c62f190587a03f97
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2006
Reviewed-by: q3k <q3k@hackerspace.pl>
2024-10-26 15:17:07 +00:00
85060c5fa6 cluster/k0: give radex cluster-admin
TODO: emergency/admin credentials

Change-Id: I89d55b14a5aacbd01dc00c36be7076014cfb0b56
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2005
Reviewed-by: informatic <informatic@hackerspace.pl>
Reviewed-by: radex <radex@hackerspace.pl>
2024-10-26 08:08:04 +00:00
e433c3c929 cluster/machines/dcr03s16: tapes and tape accessories
Change-Id: Ib93fd85d0b09177d6e29bc3b4d68b999a1db3eaa
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1994
Reviewed-by: q3k <q3k@hackerspace.pl>
2024-10-19 08:43:50 +00:00
2f93220889 hswaw: add kasownik
Change-Id: I48739f9d4ecb8244a2baff5d38a308f7612940eb
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1990
Reviewed-by: informatic <informatic@hackerspace.pl>
2024-07-25 07:50:29 +00:00
15e7348a0b cluster: remove dead machines
Change-Id: I3ff6680bc7212341ca626b0f560e1fe93efe3a35
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1987
Reviewed-by: ar <ar@hackerspace.pl>
2024-07-20 12:18:00 +00:00
6bb11a98ed cluster/admittomatic: admit additional annotations
Change-Id: Ic80a97d6969c46335a83ca0bcfc7833b74cf578a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1960
Reviewed-by: q3k <q3k@hackerspace.pl>
2024-05-28 13:49:27 +00:00
fd505b8154 cluster/kube: add labelmaker namespace and dns
Change-Id: I3f2651e2c9528db50f81abb4d3876fa79c6ef3a0
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1896
Reviewed-by: informatic <informatic@hackerspace.pl>
2024-02-02 18:23:52 +00:00
1dd60c3fbd cluster/kube: add printservant namespace
Change-Id: I514a41ffe52c42377370b1b3b43c8679edf23cc6
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1889
Reviewed-by: informatic <informatic@hackerspace.pl>
2024-01-31 19:24:11 +00:00
3a3b425ddf app/codehosting: forgejo deployment
Change-Id: Icfe6e0b17932a3248e1bdb807f431c59c48430de
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1685
Reviewed-by: q3k <q3k@hackerspace.pl>
2024-01-30 21:16:33 +00:00
de83f4904f cluster/machines: replace disk in dcr01s22
Change-Id: I22fefc9ff68295e33ab0a1f26ab2aeb02fb75210
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1854
Reviewed-by: q3k <q3k@hackerspace.pl>
Reviewed-by: implr <implr@hackerspace.pl>
2024-01-24 18:51:09 +00:00
a84e9bb884 cluster/machines: replace disk in dcr01s24
Change-Id: I144f23c571267543568a1bd132aea5a8a75db8f2
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1853
Reviewed-by: q3k <q3k@hackerspace.pl>
Reviewed-by: implr <implr@hackerspace.pl>
2024-01-24 18:51:09 +00:00
86d9b23743 cluster/kube/k0.libsonnet: add s3 bucket for inventory
Change-Id: I44f3ab787e751abd7558e6e91eccb25fc0e5101b
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1844
Reviewed-by: q3k <q3k@hackerspace.pl>
2024-01-24 18:51:09 +00:00
4e46d5017a cluster/kube: fix common missing namespace-admin permissions
Change-Id: I6ee4ede0b4e9db80559c009a1e86fbd2721f3d05
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1841
Reviewed-by: radex <radex@hackerspace.pl>
2024-01-18 23:47:20 +00:00
viq
3727b27339 cluster/kube/cluster.libsonnet: allow users to list RoleBindings
Change-Id: Ifa4289ea8c4d48171bc8ce61150a0c9f736b0fe5
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1835
Reviewed-by: q3k <q3k@hackerspace.pl>
2024-01-08 20:35:59 +00:00
viq
d693a60dc0 cluster/kube/k0.libsonnet: access for viq to monitoring-global-k0
Since `ops/monitoring` operates on both `monitoring-cluster` and
`monitoring-global-k0` namespaces, working properly using the tooling
requires access to both.
While there, add access to `monitoring-external-k0` for potential
working with external targets.

Change-Id: I5f37ed306f064ffcced705609aa919b684a46235
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1834
Reviewed-by: informatic <informatic@hackerspace.pl>
2024-01-08 20:35:38 +00:00
viq
bb72db8b86 cluster/kube/k0.libsonnet: allow viq to mess with prometheus
This gives viq admin access to monitoring-cluster namespace to be able
to inspect what's already there and try to extend it.

Change-Id: I48eaba8db6cd6868879da33abd93607ed5de2008
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1829
Reviewed-by: q3k <q3k@hackerspace.pl>
2024-01-03 16:42:25 +00:00
304515b58b bgpwtf/internet: clean up, use unprivileged nginx
Change-Id: I6f1291c2facf35f4871283c28a4e6f771a3b5102
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1813
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-12-04 20:33:56 +00:00
4ffc64d97d kube: add .volume field on PVCs and ConfigMaps
Change-Id: I93eec44bd6df4ecb0044a4797faa9bf6fd26802d
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1811
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-12-04 20:33:37 +00:00
7a4c27d28c kube: clean up (various)
Change-Id: Idc11cf70fa7fd0360f63438270748ef1d9bad989
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1810
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-12-04 20:33:31 +00:00
d45584aa6d kube: clean up SimpleIngress
Rename `target_service` to `target` to mirror Service's `target`; rename `extra_paths` to `extraPaths` to follow the camelCase convention used everywhere except for a few places in kube.upstream (assumed to be a mistake)

Change-Id: Icfcb70ef889e3359bf0391c465034817f4b70cce
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1809
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-12-04 20:33:10 +00:00
9da9df6b7a cluster/kube: admitomatic, admins, owners changes
Change-Id: Ia2f167d84cff999c9ab273db16609d1dec740f25
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1801
Reviewed-by: informatic <informatic@hackerspace.pl>
2023-11-26 15:50:57 +00:00
03365c6de1 cluster/kube: group admitomatic, admins entries by category
Change-Id: I0405fd894c775314059e382a804994184afb0f64
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1800
Reviewed-by: informatic <informatic@hackerspace.pl>
2023-11-26 15:49:37 +00:00
36964dca3b kube: clean up PersistentVolumeClaims
There's no difference as far as jsonnet is concerned, but it may confuse newbies, as Service and SimpleIngress use double colon for its top-level kube helpers. This also removes any ambiguity as to whether this is manifested in final JSON. So we can make that a convention.

Change-Id: I01ad4ea63f4d5d8ee6e5d41c79637ba186548c6f
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1803
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-11-24 20:37:53 +00:00
8b8f3876a9 kube: add target:: convenience field to Service
Change-Id: If69116d93b6074136a36d98973e1aa997e2ebbef
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1802
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-11-24 20:37:48 +00:00
f28cd62c0e *: Simplify kube.PersistentVolumeClaims
Change-Id: I0a3e44de9f1c4db146fd1e493741f5fe381da3ae
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1768
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-11-18 12:36:00 +00:00
ac4f99e2e1 cluster/machines/dcr01s24: pivot to lvm root and efi boot
Change-Id: I2df08a0ff7366607781421e6fe8c0ddce86e57a5
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1781
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-11-12 19:36:25 +00:00
f47d359a28 cluster/machines/dcr01s22: pivot to mirrored efi boot
Change-Id: I673bad18915ee76e0f35c56e689345f360d295dc
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1771
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-11-12 19:36:25 +00:00
b8ccfa8459 cluster/machines: move common LVM support bits into base.nix
Change-Id: I13e5653241a8245bae67cc7e660312484f1dcaca
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1767
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-11-12 01:31:39 +00:00
8edc52e619 c/m/dcr01s22: pivot to lvm root
The bootloader is *not* moved yet, machine still boots off the old disk

Change-Id: I8cc92489bb06bfe9581d68503237e08fa8082c7c
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1766
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-11-12 01:30:42 +00:00
b37b70cbd4 cluster/m/m/base: chronyd: enable rtc sync, aggresively step
Change-Id: I61827ec2c77e79ce3e394eb2574372d3c21394d8
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1765
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-11-12 01:30:42 +00:00
18c27aedca k0: add dcr03s16 OSDs
Change-Id: I654ea780b53970732b735a9f62c7e3ca4d87c088
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1725
Reviewed-by: implr <implr@hackerspace.pl>
2023-11-11 13:55:34 +00:00
4d3a0cc123 cluster/kube-common: avoid full nixpkgs checkouts
fetchGit was unnecessarily fetching full nixpkgs repository during
evaluation.

Change-Id: Ia22a234938014659d4c33e16c5028a63884d476c
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1728
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-11-06 21:55:24 +00:00
934f7d3626 cluster/kube: configure k0 for sourcegraph
Change-Id: I8ac3ca1269527faa98ce6949da066eb74f299c2c
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1770
Reviewed-by: implr <implr@hackerspace.pl>
2023-11-03 18:17:08 +00:00
6f1fda4329 cluster/k/l/cockroach: make publicService select *all* nodes
Change-Id: I705b89057f9c191eb62771e3683224376b2207a1
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1762
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-11-01 23:30:52 +00:00
c783390cf5 cluster/m/m/base: add a bunch of utilities to systemPackages
Change-Id: I8ad61f925011d019b8ef868013fcb266947a9c94
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1755
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-11-01 23:12:07 +00:00
ab2e470bd3 cluster/kube: generate namespaces in NamespaceAdmins
Change-Id: I37981a4d8d7cf9b85b9b9ab8cfdfc6c66eaa4453
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1760
Reviewed-by: radex <radex@hackerspace.pl>
2023-10-31 10:52:01 +00:00
a6592b845c cluster: grant radex access to more namespaces
Change-Id: I4f3df51fbc200f1a69ec1225244621e0c724f95b
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1759
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-10-30 21:35:46 +00:00
3fdda9c9a3 hswaw/walne: initial deployment
Co-authored-by: Palid <palid@hackerspace.pl>
Change-Id: I7c5ef8a1d310821937c49598c4bd983f80a8fbcb
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1741
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-10-30 21:35:29 +00:00
caf65fcaaf *: Kill frab, smsgw, toot, covid-formity, voucherchecker
Change-Id: I763c758994008db38b47a7e61d3f1b503685aba6
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1750
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-10-30 19:08:23 +00:00
633fb2e8ce cluster/admitomatic: deploy
Change-Id: Id08c4b428a9c01b310b69396890083f999090928
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1749
Reviewed-by: radex <radex@hackerspace.pl>
2023-10-28 20:12:30 +00:00
f5844311eb */kube: Add kube.SimpleIngress
Change-Id: Iddcac629b9938f228dd93b32e58bb14606d5c6e5
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1745
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-10-28 17:55:48 +00:00
e36beba34c cluster/admitomatic: Regexp-based admission rules
Change-Id: Ic2b1d6a952dc194c0ee2fa1673ceb91c43799308
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1723
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-10-14 12:21:46 +00:00
a5ba554446 k0: enable fstrim, lower gc thresh for kubelet
fstrim is nice as it might prevent us from killing SSDs so fast.

A lower GC threshold for kubelet is nice as we run non-kubelet services
on these nodes, and they need their space. Notably, Ceph's mons tend to
be extremely claustrophobic, firing alerts at 70% disk usage or so.

Change-Id: I94c1787e62f82a02f107d04a87575327d3d79c01
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1724
Reviewed-by: implr <implr@hackerspace.pl>
2023-10-13 11:47:36 +00:00
0776a79df3 cluster/kube: Centralize namespace admin RoleBindings
Change-Id: Iec3505b2f4a1647e67cf47cf189c77534b5be6ac
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1696
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-10-10 17:34:22 +00:00
63ce423ebb hswaw/site: post-deploy changes
This deploys the changes in Id64cccadcd1e109035ed09f62086772fa615dd72
and I34163bbb62ba792d359a5f5e72de1024c0109eab .

Turns out the site actually serves at new.hackerspace.pl and is being
proxy-passed from boston-packets, as that for legacy reasons still has
to live at hackerspace.pl.

Change-Id: Ieaa3e8b6f9c4ced14db83c121e30c9cbaa416b00
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1700
Reviewed-by: radex <radex@hackerspace.pl>
2023-10-10 06:06:06 +00:00
43b6db895d k0: fully disable kube control/data plane on bc01n01,n02
Change-Id: I103f41059d75aa6b3ce318fd6f863f50ad013160
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1697
Reviewed-by: implr <implr@hackerspace.pl>
2023-10-09 23:32:26 +00:00
6534969549 k0: crdb: remove bc01n02, add dcr03s16
Change-Id: I75da414cee50dcdf951cb8968dc56a4873a023fd
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1694
Reviewed-by: implr <implr@hackerspace.pl>
2023-10-09 23:32:17 +00:00
3ca8454555 hswaw/capacifier: migrate deployment away from mirko
Change-Id: Ic15945ae0489cfc3026f4cb11123b8e6b575d471
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1688
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-10-09 21:22:55 +00:00
a364934d33 hswaw/site: migrate away from mirko
Change-Id: I34163bbb62ba792d359a5f5e72de1024c0109eab
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1631
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-10-09 21:10:10 +00:00
6e10e46f96 gerrit-qa: deploy
A little QA environment, currently without any data populated.

Change-Id: Ifbe5e97f312376ca64222a3754fe6fa29d7fda79
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1643
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-10-09 19:11:02 +00:00
bae9499880 cluster/machines: enable controlplane on dcr03s16, disable on bc01n01
Change-Id: I199f66ac60c522c29fe4900702eb9eed48749cfe
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1692
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-10-09 19:10:19 +00:00
9a88f28805 cluster/{machines,certs}: add dcr03s16.hswaw.net
Also make dataplane-only nodes actually work:
- make kubeproxy use the same package as kubelet
- disable firewall

Change-Id: I7babbb749656e6f75151c8eda6e3f09f3c6bff5f
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1686
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-10-09 19:02:18 +00:00
e4519b1419 cluster-k0/admitomatic: add codehosting-prod
Change-Id: If6cd75e2fce73bdc92a3f313f39603616a343fd0
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1684
Reviewed-by: informatic <informatic@hackerspace.pl>
2023-10-08 21:16:39 +00:00
ba81655145 cluster: cleanup CephObjectStoreUser creation, add codehosting bucket
Change-Id: I6f41ef3d4775b52c43953f1133e56e69c4c462b8
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1683
Reviewed-by: informatic <informatic@hackerspace.pl>
2023-10-08 21:16:39 +00:00
b8d4a8a902 ldapweb: migrate from mirko to standalone
Change-Id: I169598232b39b99bfd2d4ff3799b44083ba77e84
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1623
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-09-22 21:54:20 +00:00
97b5cd7b58 go: re-do the entire thing
This is a mega-change, but attempting to split this up further is
probably not worth the effort.

Summary:

1. Bump up bazel, rules_go, and others.
2. Switch to new go target naming (bye bye go_default_library)
3. Move go deps to go.mod/go.sum, use make gazelle generate from that
4. Bump up Python deps a bit

And also whatever was required to actually get things to work - loads of
small useless changes.

Tested to work on NixOS and Ubuntu 20.04:

   $ bazel build //...
   $ bazel test //...

Change-Id: I8364bdaa1406b9ae4d0385a6b607f3e7989f98a9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1583
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-09-22 21:50:19 +00:00
26fb573055 doc: improve cluster/user docs, make it more discoverable
Change-Id: Icbb348865a442a01a3ab191dad88662a88635007
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1565
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-09-22 20:44:48 +00:00
b6504238e7 *: add gomod placeholders for generated files
Change-Id: I8a4824ff31590185cd45fd43cc065bb8e2fa7bb2
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1580
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-09-01 16:50:48 +00:00
c2c66bf770 cluster/kube: update admitomatic settings for inventory
Change-Id: I62279519f93da338591b1b164878e33027b8f851
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1576
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-08-17 12:39:56 +00:00
8100a2de97 third_party: replace jq with gojq
Building jq portably is annoying, and the way we were doing it (which we
iirc stole from some google project?) sucked. Let's use a Go jq clone
instead.

This is an alternative for 1535. jq is currently used only in one
script, which could really be replaced by a Go program, but let's keep
it simple for now.

Change-Id: Ie25dffadd545df143490f510e9b75a74adf81492
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1540
Reviewed-by: palid <palid@hackerspace.pl>
2023-07-24 14:47:54 +00:00
03c2d996a0 cluster: fix prodvider deploy (after new CA)
Change-Id: Icbdb5e3ac592e9eac3a033ba50af401b706c3e78
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1541
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-07-24 14:15:46 +00:00
10384cd394 cluster/registry: fix common namespaces
Public pull ACL in the middle had priority over our more specific rules
- moving these to the top fixes common registry namespace ACLs.

Change-Id: Ia6f05cef09c0db4eb71155d2c0e2d9944b81f903
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1522
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-06-19 23:15:37 +00:00
c1f372561a cluster/admitomatic: implement opt-out namespaces
Change-Id: I32d4b019211fa755e2b3b103b88ea3f4c14e500f
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1521
Reviewed-by: informatic <informatic@hackerspace.pl>
2023-06-19 22:54:33 +00:00
9f0e1e88f1 cluster/clustercfg: rewrite it in Go
This replaces the old clustercfg script with a brand spanking new
mostly-equivalent Go reimplementation. But it's not exactly the same,
here are the differences:

 1. No cluster deployment logic anymore - we expect everyone to use ops/
    machine at this point.
 2. All certs/keys are Ed25519 and do not expire by default - but
    support for short-lived certificates is there, and is actually more
    generic and reusable. Currently it's only used for admincreds.
 3. Speaking of admincreds: the new admincreds automatically figure out
    your username.
 4. admincreds also doesn't shell out to kubectl anymore, and doesn't
    override your default context. The generated creds can live
    peacefully alongside your normal prodaccess creds.
 5. gencerts (the new nodestrap without deployment support) now
    automatically generates certs for all nodes, based on local Nix
    modules in ops/.
 6. No secretstore support. This will be changed once we rebuild
    secretstore in Go. For now users are expected to manually run
    secretstore sync on cluster/secrets.

Change-Id: Ida935f44e04fd933df125905eee10121ac078495
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1498
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-06-19 22:23:52 +00:00
7e841065b0 *: post-certmanager manifests update
Change-Id: I745c850268c31777c5722a9833c8152a55615aed
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1512
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-06-19 21:20:44 +00:00
3dd3ff5dcd cluster/cert-manager: update to v1.5.0
Change-Id: I7a4cdadc9956141292302bc004d09d6e9e22855e
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1497
Reviewed-by: informatic <informatic@hackerspace.pl>
2023-05-26 10:38:16 +00:00
ffdb97b7dd cluster/prodaccess: fix cert migration bug
Change-Id: I7426e60731b09c571aa7385f5213e998f04675a6
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1510
Reviewed-by: ironbound <ironbound@hackerspace.pl>
2023-04-14 08:13:39 +00:00
57df027f28 cluster/kube: add k0-cert-manager.jsonnet view
Change-Id: I4d008839f6d6190d0d88fd3fff44974c4f2db2c0
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1499
Reviewed-by: implr <implr@hackerspace.pl>
2023-04-01 14:58:50 +00:00
9251121fa9 cluster/certs: remove old kube CA
This completes the migration away from the old CA/cert infrastructure.

The tool which was used to generate all these certs will come next. It's
effectively a reimplementation of clustercfg in Go.

We also removed the unused kube-serviceaccounts cert, which was
generated by the old tooling for no good reason (we only need a key for
service accounts, not an actual cert...).

Change-Id: Ied9e5d8fc90c64a6b4b9fdd20c33981410c884b4
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1501
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-04-01 13:55:18 +00:00
bdf2fa326f cluster/certs: finish replacing all CAs
This finishes the regeneration of all cluster CAs/certs to be never
expiring ED25519 certs.

We still have leftovers of the old Kube CA (and it's still being
accepted in Kubernetes components). Cleaning that up is the next step.

Change-Id: I883f94fd8cef3e3b5feefdf56ee106e462bb04a9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1500
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-04-01 13:55:14 +00:00
989dfa3183 cluster/kube: add k0-prodvider.jsonnet view
Change-Id: I170fbef3008f906c26ed79387858c3c1e4e2e10c
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1496
Reviewed-by: implr <implr@hackerspace.pl>
2023-04-01 13:54:49 +00:00
7572f0790c k0: add disks
Already deployed, now rebalancing.

Change-Id: I536a063bc346effd07a1700aeffe598cc35f6f7a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1493
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-04-01 11:21:54 +00:00
073d850a95 cluster/prodvider: redeploy
Change-Id: I7a6cce06bb7c2f495d5354d3a2bebef64e307e42
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1491
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-04-01 11:18:25 +00:00
bbc5a43d77 cluster: move kubernetes services to temporary CA bundle
This is already deployed, and it allows Kubernetes components
(temporary) freedom to use the old or new CA cert.

Change-Id: I8ac7f773a333c30fa22902b8edc327c0c700a482
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1490
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-31 22:53:59 +00:00
3a6d67e0c4 cluster/prodvider: rewrite against x509 lib for ed25519 support
This gets rid of cfssl for the kubernetes bits of prodvider, instead
using plain crypto/x509. This also allows to support our new fancy
ED25519 CA.

Change-Id: If677b3f4523014f56ea802b87499d1c0eb6d92e9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1489
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-31 22:53:59 +00:00
777aab92a9 cluster/prodaccess: use new kube CA cert
Change-Id: I1bff03008a4a212ad93e5eaa112adaa2b0cad3e7
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1488
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-31 22:53:59 +00:00
a4f8a459b9 cluster: partial cert bump
Done:

 1. etcd peer CA & certs
 2. etcd client CA & certs
 3. kube CA (currently all components set to accept both new and old CA,
    new CA called ca-kube-new)
 4. kube apiserver
 5. kubelet & kube-proxy
 6. prodvider intermediate

TODO:

 1. kubernetes controller-manager & kubernetes scheduler
 2. kubefront CA
 3. admitomatic?
 4. undo bundle on kube CA components to fully transition away from old
    CA

Change-Id: If529eeaed9a6a2063bed23c9d81c57b36b9a0115
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1487
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-31 22:53:59 +00:00
779727b39e machines/bc01n05: postgres: auth, hba, more ram
Change-Id: Id10b97efa3588a2a9147a349391da559e6cce7e5
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1482
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-28 21:22:50 +00:00
3b0887397a machines/bc01n05: postgres tuning
Change-Id: I30925a84216b45bde9e92b67b007f15b2cdf58e8
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1481
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-26 12:16:20 +00:00
821b839b16 machines/bc01n05: zfsify; initial postgres
Change-Id: I355ac4aa3c56a1e6a564b7a3c7cfc4e67b072dae
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1470
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-11 21:33:14 +00:00
3320155d23 cluster/machines/base: enable microcode loading
This will happen at next boot via early microcode - no risk to currently
running processes.

Change-Id: I88553fa9a1350ebb80aaf978e29e8f1156783a2c
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1469
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-11 21:33:05 +00:00
712a5dc3e3 cluster: add bc01n05.hswaw.net
This will be our postgres pet machine.

Change-Id: Ifff6648394ca6407fb5b5daa853f4abc42541703
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1467
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-04 22:26:46 +00:00
3a9562ecfd cluster: k0: remove native ceph
After installing HBJ11s and spreading out the mons we're going full
Rook.

Change-Id: Ia00cbe953548f06cf27343371fc67890619c8262
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1466
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-03-04 22:26:39 +00:00
ef3aab6a14 k0: host os bump wip
This bumps it on bc01n01, but nowhere else yet.

We have to vendor some more kubelet bits unfortunately.

Change-Id: Ifb169dd9c2c19d60f88d946d065d4446141601b1
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1465
Reviewed-by: implr <implr@hackerspace.pl>
2023-03-04 22:26:14 +00:00
0156ab24ca cluster/kube/k0: remove implr-spark bucket, add implr bucket
the spark one has been an abandoned experiment from years ago, and
I could use a personal one right now

Change-Id: I78a706c3371d441b2f8460fd796d0cfd9a198cc6
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1464
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-02-26 16:41:23 +00:00
0173f501d7 cockroach: v20.2 -> v21.1
Following https://www.cockroachlabs.com/docs/v21.1/upgrade-cockroach-version?filters=linux
--logtostderr is deprecated/removed, but AFAICT from the default config
it will still log there: https://www.cockroachlabs.com/docs/v21.1/configure-logs#default-logging-configuration

Change-Id: I7fb3f835693f955b37de24dc581140ea34b11630
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1461
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-01-30 21:16:42 +00:00
3b2a2a2ce1 cluster/k0: add paperless to admitomatic config
Change-Id: I54df444cddca8a05febfb96af07b9e2f614639fc
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1453
Reviewed-by: q3k <q3k@hackerspace.pl>
2023-01-05 09:12:18 +00:00
a2bcfeaf0b cluster: bump vm.max_map_count sysctl tunable to a higher value
This is needed for running some memory-intensive workloads, like
ElasticSearch/OpenSearch.

Change-Id: I7b00ec5faca73ec69bdbf1ca41c025d7efeae55c
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1443
Reviewed-by: implr <implr@hackerspace.pl>
2022-12-11 20:28:51 +00:00
d171263d6e k0: remove waw-hdd-yolo-3
This was never used and only caused scary warnings during OSDs reboots
due to lack of availability.

Change-Id: I14eacd88855bc56e06f2a61cc2d914d985330852
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1423
Reviewed-by: implr <implr@hackerspace.pl>
2022-11-20 12:28:20 +00:00
4d98cf5ca8 calico: move from etcd to crd
Leaving the CRD definitions as YAML, extracted without modifications
from the original install file - this should make upgrades simpler.

Change-Id: I7211d2711e2af014b36dd887a951abb9e1032eb9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1179
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-11-19 21:40:34 +00:00
16842119d1 app/mastodon: deploy
Change-Id: I88c104d1a8d5627355b01a8c48dc235635fca5ed
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1421
Reviewed-by: implr <implr@hackerspace.pl>
2022-11-18 12:15:22 +00:00
ee41e94e0a k0: bump certs
Change-Id: I9d7a48d64de5d1aa82a134a8c22bfc50ba8ad270
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1402
Reviewed-by: informatic <informatic@hackerspace.pl>
2022-10-09 20:22:43 +00:00
3c31f32307 cluster: bump prodvider certs
Change-Id: Ieefe3c733dd40a94c13a5e1c1648dd43d27c180a
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1386
Reviewed-by: implr <implr@hackerspace.pl>
2022-09-10 15:46:39 +00:00
e69e98da47 third_party/py: update rules_python, use pip-compile for requirements
Change-Id: If8309e8e3a4b58142f7479005a9eb4cbb1043cdb
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1324
Reviewed-by: q3k <q3k@hackerspace.pl>
2022-07-05 21:27:31 +00:00