chore: cleanup

.github/workflows/check-kubeconform.yaml

@@ -25,4 +25,4 @@ jobs:
 
     - name: Run kubeconform
       shell: bash
-      run: bash ./scripts/kubeconform.sh ${{ env.KUBERNETES_DIR }}
+      run: bash ./.github/workflows/resources/kubeconform.sh ${{ env.KUBERNETES_DIR }}

.gitignore

@@ -939,10 +939,11 @@ trunk/tmp
 ##################################################
 
 .TODO*
+*.TODO/
 
 
 ##################################################
 ##                                              ##
 ##                     End                      ##
 ##                                              ##
-##################################################
+##################################################

.taskfiles/Bootstrap/Taskfile.yaml

@@ -0,0 +1,128 @@
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
+version: "3"
+
+vars:
+  BOOTSTRAP_RESOURCES_DIR: "{{.ROOT_DIR}}/.taskfiles/bootstrap/resources"
+
+tasks:
+
+  kubernetes:
+    desc: Bootstrap a Talos Kubernetes cluster backed by flux, sops, and rook
+    prompt: Bootstrap a Talos Kubernetes cluster ... continue?
+    summary: |
+      cluster: Cluster to run command against (default: main)
+      nodes: Nodes in the cluster to reset Rook on (required, comma delimited, e.g. k8s-0,k8s-1)
+      disk: Disk to reset Rook on (required, e.g. /dev/nvme0n1)
+    vars: &vars
+      cluster: '{{.cluster | default "main"}}'
+      nodes: '{{.nodes}}'
+      disk: '{{.disk}}'
+    cmds:
+    - {task: etcd, vars: *vars}
+    - {task: kubeconfig, vars: *vars}
+    - {task: apps, vars: *vars}
+    - {task: rook, vars: *vars}
+    - {task: flux, vars: *vars}
+    requires:
+      vars: ["nodes", "disk"]
+    preconditions:
+    - talosctl --context {{.cluster}} config info >/dev/null 2>&1
+    - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig
+
+  etcd:
+    internal: true
+    cmd: until talosctl --context {{.cluster}} --nodes {{.CONTROLLER}} bootstrap; do sleep 10; done
+    preconditions:
+    - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig
+    - talosctl --context {{.cluster}} config info >/dev/null 2>&1
+
+  apps:
+    internal: true
+    cmds:
+    - until kubectl --context {{.cluster}} wait --for=condition=Ready=False nodes --all --timeout=10m; do sleep 10; done
+    - helmfile --quiet --kube-context {{.cluster}} --file {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/helmfile.yaml apply --skip-diff-on-install --suppress-diff
+    - until kubectl --context {{.cluster}} wait --for=condition=Ready nodes --all --timeout=10m; do sleep 10; done
+    preconditions:
+    - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig
+    - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/helmfile.yaml
+    - talosctl --context {{.cluster}} config info >/dev/null 2>&1
+
+  kubeconfig:
+    internal: true
+    cmd: |
+      talosctl --context {{.cluster}} kubeconfig --nodes {{.CONTROLLER}} \
+          --force --force-context-name {{.cluster}} {{.KUBERNETES_DIR}}/{{.cluster}}
+    preconditions:
+    - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/talosconfig
+    - talosctl --context {{.cluster}} config info >/dev/null 2>&1
+
+  flux:
+    internal: true
+    cmds:
+    - kubectl --context {{.cluster}} apply --server-side --kustomize {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/flux
+    - sops --decrypt {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/flux/age-key.secret.sops.yaml | kubectl --context {{.cluster}} apply --server-side --filename -
+    - sops --decrypt {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/flux/github-deploy-key.secret.sops.yaml | kubectl --context {{.cluster}} apply --server-side --filename -
+    - sops --decrypt {{.KUBERNETES_DIR}}/{{.cluster}}/flux/vars/cluster-secrets.secret.sops.yaml | kubectl --context {{.cluster}} apply --server-side --filename -
+    - kubectl --context {{.cluster}} apply --server-side --filename {{.KUBERNETES_DIR}}/{{.cluster}}/flux/vars/cluster-settings.yaml
+    - kubectl --context {{.cluster}} apply --server-side --kustomize {{.KUBERNETES_DIR}}/{{.cluster}}/flux/config
+    preconditions:
+    - test -f {{.ROOT_DIR}}/age.key
+    - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/flux/age-key.secret.sops.yaml
+    - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/flux/github-deploy-key.secret.sops.yaml
+    - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/flux/vars/cluster-secrets.secret.sops.yaml
+    - test -f {{.KUBERNETES_DIR}}/{{.cluster}}/flux/vars/cluster-settings.yaml
+    - sops filestatus {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/flux/age-key.secret.sops.yaml | jq --exit-status '.encrypted'
+    - sops filestatus {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/flux/github-deploy-key.secret.sops.yaml | jq --exit-status '.encrypted'
+    - sops filestatus {{.KUBERNETES_DIR}}/{{.cluster}}/flux/vars/cluster-secrets.secret.sops.yaml | jq --exit-status '.encrypted'
+
+  rook:
+    internal: true
+    vars: &vars
+      cluster: '{{.cluster}}'
+      node: '{{.ITEM}}'
+      disk: '{{.disk}}'
+    cmds:
+    - for: {var: nodes}
+      task: rook-data
+      vars: *vars
+    - for: {var: nodes}
+      task: rook-disk
+      vars: *vars
+
+  rook-disk:
+    internal: true
+    cmds:
+    - $GOPATH/bin/envsubst < <(cat {{.BOOTSTRAP_RESOURCES_DIR}}/rook-disk-job.tmpl.yaml) | kubectl --context {{.cluster}} apply -f -
+    - bash {{.BOOTSTRAP_RESOURCES_DIR}}/wait-for-job.sh {{.job}} default {{.cluster}}
+    - kubectl --context {{.cluster}} --namespace default wait job/{{.job}} --for condition=complete --timeout=1m
+    - kubectl --context {{.cluster}} --namespace default logs job/{{.job}}
+    - kubectl --context {{.cluster}} --namespace default delete job {{.job}}
+    env:
+      disk: '{{.disk}}'
+      job: '{{.job}}'
+      node: '{{.node}}'
+    vars:
+      job: wipe-disk-{{.node}}
+    preconditions:
+    - test -f $GOPATH/bin/envsubst
+    - test -f {{.BOOTSTRAP_RESOURCES_DIR}}/wait-for-job.sh
+    - test -f {{.BOOTSTRAP_RESOURCES_DIR}}/rook-disk-job.tmpl.yaml
+
+  rook-data:
+    internal: true
+    cmds:
+    - $GOPATH/bin/envsubst < <(cat {{.BOOTSTRAP_RESOURCES_DIR}}/rook-data-job.tmpl.yaml) | kubectl --context {{.cluster}} apply -f -
+    - bash {{.BOOTSTRAP_RESOURCES_DIR}}/wait-for-job.sh {{.job}} default {{.cluster}}
+    - kubectl --context {{.cluster}} --namespace default wait job/{{.job}} --for condition=complete --timeout=1m
+    - kubectl --context {{.cluster}} --namespace default logs job/{{.job}}
+    - kubectl --context {{.cluster}} --namespace default delete job {{.job}}
+    env:
+      disk: '{{.disk}}'
+      job: '{{.job}}'
+      node: '{{.node}}'
+    vars:
+      job: wipe-data-{{.node}}
+    preconditions:
+    - test -f $GOPATH/bin/envsubst
+    - test -f {{.BOOTSTRAP_RESOURCES_DIR}}/wait-for-job.sh
+    - test -f {{.BOOTSTRAP_RESOURCES_DIR}}/rook-data-job.tmpl.yaml

.taskfiles/Bootstrap/resources/rook-data-job.tmpl.yaml

@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://k8s-schemas.pages.dev/kubernetes/master/job-batch-v1.json
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: ${job}
+  namespace: default
+spec:
+  ttlSecondsAfterFinished: 3600
+  template:
+    spec:
+      automountServiceAccountToken: false
+      restartPolicy: Never
+      nodeName: ${node}
+      containers:
+      - name: main
+        image: docker.io/library/alpine:latest
+        command: ["/bin/sh", "-c"]
+        args: ["rm -rf /mnt/host_var/lib/rook"]
+        volumeMounts:
+        - mountPath: /mnt/host_var
+          name: host-var
+        securityContext:
+          privileged: true
+        resources: {}
+      volumes:
+      - name: host-var
+        hostPath:
+          path: /var