diff --git a/apps/base/artifactapi/resources/conf.d/remote-docker.yaml b/apps/base/artifactapi/resources/conf.d/remote-docker.yaml
index 3806c9b..6ed384f 100644
--- a/apps/base/artifactapi/resources/conf.d/remote-docker.yaml
+++ b/apps/base/artifactapi/resources/conf.d/remote-docker.yaml
@@ -6,6 +6,7 @@ remotes:
 immutable_patterns:
 - "^cloudnative-pg/cloudnative-pg"
 - "^emberstack/helm-charts"
+ - "^open-webui/open-webui"
 - "^openvoxproject/"
 - "^stakater/reloader"
 - "^stalwartlabs/stalwart"
diff --git a/apps/base/priority-classes/kustomization.yaml b/apps/base/priority-classes/kustomization.yaml
new file mode 100644
index 0000000..e831aca
--- /dev/null
+++ b/apps/base/priority-classes/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - priorityclasses.yaml
diff --git a/apps/base/priority-classes/priorityclasses.yaml b/apps/base/priority-classes/priorityclasses.yaml
new file mode 100644
index 0000000..057883d
--- /dev/null
+++ b/apps/base/priority-classes/priorityclasses.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+ name: low
+value: 100
+preemptionPolicy: Never
+globalDefault: false
+description: "Low-importance workloads. Can be evicted under pressure but will not preempt other pods."
+---
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+ name: power
+value: 100
+preemptionPolicy: Never
+globalDefault: false
+description: "Compute-heavy workloads with low scheduling importance. Evictable under pressure."
+---
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+ name: medium
+value: 10000
+preemptionPolicy: PreemptLowerPriority
+globalDefault: false
+description: "Standard workloads. Will preempt low-priority pods if the cluster is under pressure."
+---
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+ name: high
+value: 100000
+preemptionPolicy: PreemptLowerPriority
+globalDefault: false
+description: "High-importance services. Will preempt medium- and low-priority pods if necessary."
diff --git a/apps/base/vault/kustomization.yaml b/apps/base/vault/kustomization.yaml
index 2c2b5da..aa4c1ab 100644
--- a/apps/base/vault/kustomization.yaml
+++ b/apps/base/vault/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
 - namespace.yaml
 - gateway.yaml
 - httproute.yaml
+ - role_k8s-service-registration.yaml
diff --git a/apps/base/vault/role_k8s-service-registration.yaml b/apps/base/vault/role_k8s-service-registration.yaml
new file mode 100644
index 0000000..68427ef
--- /dev/null
+++ b/apps/base/vault/role_k8s-service-registration.yaml
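Review bot: Nothing in priorityclasses.yaml limits which namespaces may reference `high` or `medium`; PriorityClass is cluster-scoped, so any workload allowed to create pods can set `priorityClassName: high` and, with `preemptionPolicy: PreemptLowerPriority`, displace other pods. Consider pairing these classes with per-namespace ResourceQuota objects that use a `scopeSelector` on `scopeName: PriorityClass`, so only the intended namespaces can consume `high`. Separately, `low` and `power` both carry `value: 100`, so the scheduler ranks them identically, and since every class sets `globalDefault: false`, pods without a class run at priority 0, below `low`. If that is deliberate, a comment above the `power` document such as `# same priority as low; separate name so compute/CI pods can be told apart` (intent presumed) would record it.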
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vault-k8s-service-registration
+ namespace: vault
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: vault-k8s-service-registration
+ namespace: vault
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: vault-k8s-service-registration
+subjects:
+ - kind: ServiceAccount
+ name: vault
+ namespace: vault
diff --git a/apps/overlays/au-syd1/priority-classes/kustomization.yaml b/apps/overlays/au-syd1/priority-classes/kustomization.yaml
new file mode 100644
index 0000000..0de8a0c
--- /dev/null
+++ b/apps/overlays/au-syd1/priority-classes/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../../base/priority-classes
diff --git a/apps/overlays/au-syd1/vault/values.yaml b/apps/overlays/au-syd1/vault/values.yaml
index d1f646a..95744bb 100644
--- a/apps/overlays/au-syd1/vault/values.yaml
+++ b/apps/overlays/au-syd1/vault/values.yaml
@@ -40,9 +40,7 @@ server: } } - service_registration "consul" { - address = "consul-server.consul.svc.cluster.local:8500" - } + service_registration "kubernetes" {} dataStorage: enabled: true
@@ -50,6 +48,14 @@ server: storageClass: cephrbd-fast-delete accessMode: ReadWriteOnce + extraEnv: + - name: VAULT_K8S_NAMESPACE + value: vault + - name: VAULT_K8S_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + statefulSet: securityContext: container:
diff --git a/apps/overlays/au-syd1/woodpecker/values.yaml b/apps/overlays/au-syd1/woodpecker/values.yaml
index f0a5575..c89853b 100644
--- a/apps/overlays/au-syd1/woodpecker/values.yaml
+++ b/apps/overlays/au-syd1/woodpecker/values.yaml
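Review bot: The single rule in the new Role has no `resourceNames`, so the `vault` ServiceAccount can `update` and `patch` every pod in the `vault` namespace, not only the Vault server pods that service registration labels. Those verbs reach mutable pod fields beyond labels, so a compromised Vault pod could alter any other workload sharing the namespace. Adding `resourceNames: ["<vault-pod-0>", "<vault-pod-1>"]` (placeholders; the StatefulSet pod names are not shown in this diff) would narrow the grant. Otherwise, a comment on the Role should state that the namespace is dedicated to Vault. The RoleBinding also assumes a ServiceAccount named `vault` already exists in that namespace, since none is created here.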
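Review bot: In the second hunk of apps/overlays/au-syd1/vault/values.yaml, `VAULT_K8S_NAMESPACE` is hard-coded to `vault` while `VAULT_K8S_POD_NAME` is read from the downward API. If the release is ever deployed to another namespace, Vault would look for its own pod in `vault` and the Role bound there would no longer match where the pod runs. Reading the value from the pod keeps the two in step: `valueFrom: {fieldRef: {fieldPath: metadata.namespace}}`. The `server:` block starts and ends outside the hunk, so whether the chart already injects either variable cannot be checked from here.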
@@ -2,6 +2,7 @@ agent:
 replicaCount: 3
 env:
 WOODPECKER_MAX_WORKFLOWS: "8"
+ WOODPECKER_BACKEND_K8S_PRIORITY_CLASS: power
 WOODPECKER_BACKEND_K8S_STORAGE_CLASS: cephrbd-fast-delete
 WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 10G
 WOODPECKER_BACKEND_K8S_STORAGE_RWX: false
diff --git a/argocd/applicationsets/platform.yaml b/argocd/applicationsets/platform.yaml
index 9b538c9..7023960 100644
--- a/argocd/applicationsets/platform.yaml
+++ b/argocd/applicationsets/platform.yaml
@@ -22,6 +22,7 @@ spec:
 - path: apps/overlays/*/jfrog
 - path: apps/overlays/*/kanidm
 - path: apps/overlays/*/node-feature-discovery
+ - path: apps/overlays/*/priority-classes
 - path: apps/overlays/*/puppet
 - path: apps/overlays/*/purelb
 - path: apps/overlays/*/reflector-system
diff --git a/argocd/projects/platform.yaml b/argocd/projects/platform.yaml
index 67d125c..ceaa1d7 100644
--- a/argocd/projects/platform.yaml
+++ b/argocd/projects/platform.yaml
@@ -31,6 +31,8 @@ spec:
 server: https://kubernetes.default.svc
 - namespace: 'node-feature-discovery'
 server: https://kubernetes.default.svc
+ - namespace: 'priority-classes'
+ server: https://kubernetes.default.svc
 - namespace: 'purelb'
 server: https://kubernetes.default.svc
 - namespace: 'puppet'
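Review bot: `WOODPECKER_BACKEND_K8S_PRIORITY_CLASS: power` makes every pipeline pod depend on a PriorityClass that is delivered by a separate Argo CD application, and nothing visible in this hunk orders the two. Kubernetes rejects a pod that names a PriorityClass which does not exist, so pipelines would fail to start on a cluster where the priority-classes app has not synced or has been pruned. A comment next to the setting, for example `# requires PriorityClass "power" from apps/base/priority-classes`, would make the dependency visible. The `agent.env` map continues outside the hunk.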
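Review bot: The new `priority-classes` destination in argocd/projects/platform.yaml covers a namespace, but the manifests this application deploys are PriorityClass objects, which are cluster-scoped. Argo CD gates cluster-scoped kinds through the project's `clusterResourceWhitelist`, which lies outside this hunk and should be checked. If that list is a wildcard, consider narrowing it; if it is restrictive, it needs an entry with `group: scheduling.k8s.io` and `kind: PriorityClass`. The destination namespace presumably exists only because the ApplicationSet derives it from the directory name, so confirm that no empty `priority-classes` namespace gets created as a side effect.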