gitops: assorted leftovers and fixes

gitops/home-kubernetes/external-secrets/cloudsecretstore-vault.yaml

@@ -6,13 +6,13 @@ metadata:
 spec:
   provider:
     vault:
-      server: "https://vault.hrajfrisbee.cz:8200"
+      server: "https://vault.hrajfrisbee.cz"
       path: "secret"
       version: "v2"
       auth:
         appRole:
           path: "approle"
-          roleId: "8833d0f8-d35d-d7ea-658b-c27837d121ab"  # or reference a secret
+          roleId: "864e352d-2064-2bf9-2c73-dbd676a95368"  # or reference a secret
           secretRef:
             name: vault-approle
             key: secret-id

gitops/home-kubernetes/external-secrets/secret-approle.yaml

@@ -6,5 +6,5 @@ metadata:
   annotations:
     kustomize.toolkit.fluxcd.io/reconcile: disabled  
 type: Opaque
-data:
+stringData:
-  secret-id: # --- find me in keepass bro ---
+  secret-id: --- fill in the secret_id ---

gitops/home-kubernetes/kube-system-overrides/configmap_coredns.yaml

@@ -17,7 +17,7 @@ data:
            ttl 30
         }
         hosts {
-           192.168.0.30 vault.hrajfrisbee.cz
+           # 192.168.0.30 vault.hrajfrisbee.cz
            fallthrough
         }        
         prometheus :9153

gitops/home-kubernetes/oauth-proxy/secret.yaml

@@ -4,7 +4,7 @@ metadata:
   name: oauth2-proxy-secrets
   namespace: oauth2-proxy
   annotations:
-    kustomize.toolkit.fluxcd.io/reconcile: disabled  
+    kustomize.toolkit.fluxcd.io/reconcile: disabled
 stringData:
   client-id: oauth2-proxy
   client-secret: <REPLACE_WITH_KANIDM_SECRET>

gitops/home-kubernetes/tetragon/helmrelease.yaml

@@ -0,0 +1,24 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: tetragon
+  namespace: kube-system
+spec:
+  interval: 1h
+  chart:
+    spec:
+      chart: tetragon
+      version: "1.6.0"
+      sourceRef:
+        kind: HelmRepository
+        name: cilium
+        namespace: flux-system
+  values:
+    export:
+      stdout:
+        enabledEvents:
+          - PROCESS_EXEC
+          - PROCESS_EXIT
+          - PROCESS_TRACEPOINT # required for oom tracepoint
+    tetragon:
+      btf: /sys/kernel/btf/vmlinux

gitops/home-kubernetes/tetragon/tracing_policy-oomkill.yaml

@@ -0,0 +1,16 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: oom-kill
+spec:
+  tracepoints:
+    - subsystem: oom
+      # event: oom_kill
+      event: mark_victim
+      args:
+        - index: 4
+          type: int32
+          label: killed_pid
+        - index: 5
+          type: string
+          label: killed_comm

kubernetes-kvm-terraform/kubernetes-deployments/flux.md

@@ -0,0 +1,13 @@
+```bash
+flux bootstrap gitea \
+  --owner=kacerr \
+  --repository=home-kubernetes \
+  --branch=main \
+  --path=gitops/home-kubernetes \
+  --hostname=gitea.home.hrajfrisbee.cz \
+  --personal \
+  --token-auth
+
+
+flux token: 0917566fe2c7d11cb7b46618f076003f92477352
+```

kubernetes-kvm-terraform/kubernetes-deployments/metrics-server

@@ -0,0 +1,3 @@
+```bash
+kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
+```

kubernetes-kvm-terraform/kubernetes-deployments/readme.md

@@ -34,8 +34,8 @@ driver:
           targetGroupInitiatorGroup: 1
           targetGroupAuthType: "None"      
     zfs:
-      datasetParentName: "pool-6g/tank/k8s/vols"
+      datasetParentName: "raid-1-4g/tank/k8s/vols"
-      detachedSnapshotsDatasetParentName: "pool-6g/tank/k8s/snaps"
+      detachedSnapshotsDatasetParentName: "raid-1-4g/tank/k8s/snaps"
 
 storageClasses:
 - name: freenas-iscsi

kubernetes-kvm-terraform/kubernetes-deployments/values.yaml

@@ -27,8 +27,8 @@ driver:
           targetGroupInitiatorGroup: 1
           targetGroupAuthType: "None"      
     zfs:
-      datasetParentName: "pool-6g/tank/k8s/vols"
+      datasetParentName: "raid-1-4g/tank/k8s/vols"
-      detachedSnapshotsDatasetParentName: "pool-6g/tank/k8s/snaps"
+      detachedSnapshotsDatasetParentName: "raid-1-4g/tank/k8s/snaps"
 
 storageClasses:
 - name: freenas-iscsi

kubernetes-kvm-terraform/master.tf

@@ -229,9 +229,9 @@ resource "libvirt_volume" "cloudinit" {
 resource "libvirt_domain" "master" {
   provider = libvirt.kvm-homer
   name   = local.master_vm_name
-  memory = "2048"
+  memory = "4096"
   memory_unit = "MiB" 
-  vcpu   = 2
+  vcpu   = 3
   type   = "kvm"
   autostart = true
   running   = true

kubernetes-kvm-terraform/nodes-on-beelink.tf

@@ -131,7 +131,18 @@ locals {
         content: |
           alias k='kubectl'
           source <(kubectl completion bash)
-          complete -o default -F __start_kubectl k          
+          complete -o default -F __start_kubectl k
+
+      - path: /etc/systemd/system/kubelet.service.d/10-containerd.conf
+        content: |
+          [Unit]
+          After=containerd.service
+          Requires=containerd.service
+
+          [Service]
+          ExecStartPre=/bin/bash -c 'until [ -S /var/run/containerd/containerd.sock ]; do sleep 1; done'
+          ExecStartPre=/usr/bin/crictl info
+
 
     runcmd:
       - systemctl enable --now qemu-guest-agent
@@ -151,6 +162,16 @@ locals {
       - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
       - echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list
       - apt-get update && apt-get install -y containerd.io
+      - |
+        cat > /etc/containerd/config.toml <<'CONTAINERD'
+        version = 2
+        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+          runtime_type = "io.containerd.runc.v2"
+          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+            SystemdCgroup = true
+        [plugins."io.containerd.grpc.v1.cri".registry]
+          config_path = "/etc/containerd/certs.d"
+        CONTAINERD
       - systemctl restart containerd
 
       # kubeadm/kubelet/kubectl v1.32
@@ -215,6 +236,10 @@ resource "libvirt_domain" "node_02" {
   autostart = true
   running   = true
 
+  cpu = {
+    mode = "host-passthrough"
+  }
+
   os = {
     type         = "hvm"
     type_arch    = "x86_64"

kubernetes-kvm-terraform/nodes-on-homer.tf

@@ -131,7 +131,18 @@ locals {
         content: |
           alias k='kubectl'
           source <(kubectl completion bash)
-          complete -o default -F __start_kubectl k          
+          complete -o default -F __start_kubectl k
+
+      - path: /etc/systemd/system/kubelet.service.d/10-containerd.conf
+        content: |
+          [Unit]
+          After=containerd.service
+          Requires=containerd.service
+
+          [Service]
+          ExecStartPre=/bin/bash -c 'until [ -S /var/run/containerd/containerd.sock ]; do sleep 1; done'
+          ExecStartPre=/usr/bin/crictl info
+
 
     runcmd:
       - systemctl enable --now qemu-guest-agent
@@ -151,6 +162,15 @@ locals {
       - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
       - echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list
       - apt-get update && apt-get install -y containerd.io
+      - cat > /etc/containerd/config.toml <<'xEOF'
+        version = 2
+        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+          runtime_type = "io.containerd.runc.v2"
+          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+            SystemdCgroup = true
+        [plugins."io.containerd.grpc.v1.cri".registry]
+          config_path = "/etc/containerd/certs.d"
+        xEOF      
       - systemctl restart containerd
 
       # kubeadm/kubelet/kubectl v1.32
@@ -215,6 +235,9 @@ resource "libvirt_domain" "node_01" {
   autostart = true
   running   = true
 
+  cpu = {
+    mode = "host-passthrough"
+  }
   os = {
     type         = "hvm"
     type_arch    = "x86_64"