From 3990fbfe062791ce8e727654e8c86d8f38182d25 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 26 May 2026 00:06:56 +1000 Subject: [PATCH 1/4] feat(vault): switch to Kubernetes service registration (#171) Replaces Consul service registration with the native Kubernetes provider so Vault labels its own pods with active/standby/perf-standby status without requiring a Consul dependency. ## Changes - `values.yaml`: swap `service_registration "consul"` for `service_registration "kubernetes" {}`, add `VAULT_K8S_NAMESPACE` and `VAULT_K8S_POD_NAME` env vars via downward API - `role_k8s-service-registration.yaml`: Role + RoleBinding granting the `vault` service account `get`/`update`/`patch` on pods - `kustomization.yaml`: include new RBAC file Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/171 --- apps/base/vault/kustomization.yaml | 1 + .../vault/role_k8s-service-registration.yaml | 24 +++++++++++++++++++ apps/overlays/au-syd1/vault/values.yaml | 12 +++++++--- 3 files changed, 34 insertions(+), 3 deletions(-) create mode 100644 apps/base/vault/role_k8s-service-registration.yaml diff --git a/apps/base/vault/kustomization.yaml b/apps/base/vault/kustomization.yaml index 2c2b5da..aa4c1ab 100644 --- a/apps/base/vault/kustomization.yaml +++ b/apps/base/vault/kustomization.yaml @@ -6,3 +6,4 @@ resources: - namespace.yaml - gateway.yaml - httproute.yaml + - role_k8s-service-registration.yaml diff --git a/apps/base/vault/role_k8s-service-registration.yaml b/apps/base/vault/role_k8s-service-registration.yaml new file mode 100644 index 0000000..68427ef --- /dev/null +++ b/apps/base/vault/role_k8s-service-registration.yaml 
@@ -0,0 +1,24 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vault-k8s-service-registration + namespace: vault +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "update", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: vault-k8s-service-registration + namespace: vault +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: vault-k8s-service-registration +subjects: + - kind: ServiceAccount + name: vault + namespace: vault diff --git a/apps/overlays/au-syd1/vault/values.yaml b/apps/overlays/au-syd1/vault/values.yaml index d1f646a..95744bb 100644 --- a/apps/overlays/au-syd1/vault/values.yaml +++ b/apps/overlays/au-syd1/vault/values.yaml @@ -40,9 +40,7 @@ server: } } - service_registration "consul" { - address = "consul-server.consul.svc.cluster.local:8500" - } + service_registration "kubernetes" {} dataStorage: enabled: true @@ -50,6 +48,14 @@ server: storageClass: cephrbd-fast-delete accessMode: ReadWriteOnce + extraEnv: + - name: VAULT_K8S_NAMESPACE + value: vault + - name: VAULT_K8S_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + statefulSet: securityContext: container: From f5f713fe86d316a4d1da39448f1d64770aca3635 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 26 May 2026 23:28:27 +1000 Subject: [PATCH 2/4] feat(artifactapi): add open-webui/open-webui to ghcr immutable patterns (#173) Part of #155 (prerequisite for open-webui deployment PR #172). ## Summary - Adds `^open-webui/open-webui` to the `ghcr` remote's `immutable_patterns` in `remote-docker.yaml` so version-pinned open-webui image pulls are cached indefinitely through artifactapi ## Test plan - artifactapi serves `ghcr.io/open-webui/open-webui:` with `X-Artifact-Source: cache` on second fetch Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/173 --- apps/base/artifactapi/resources/conf.d/remote-docker.yaml | 1 + 1 file changed, 1 insertion(+) 
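Review bot: The Role in role_k8s-service-registration.yaml grants `update` and `patch` on every pod in the `vault` namespace, while Kubernetes service registration only ever needs to relabel Vault's own pods. Using a namespaced Role rather than a ClusterRole is the right scope; it can be narrowed further with `resourceNames: ["vault-0", "vault-1", "vault-2"]` if the StatefulSet replica count is fixed in the overlay (not visible here), at the cost of touching the Role whenever replicas change. A comment above the rule would make the intent auditable, e.g. `# Vault patches its own pod labels (active/standby/perf-standby) via service_registration "kubernetes"`. Anything else that runs under the `vault` ServiceAccount inherits this write access to pods, so confirm no other workload in the namespace shares that SA.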
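Review bot: `VAULT_K8S_NAMESPACE` in the new `extraEnv` list is hard-coded to `vault` while `VAULT_K8S_POD_NAME` comes from the downward API; if the chart is ever rendered into another namespace the registration targets the wrong namespace and every label update is denied by the namespace-scoped Role. Use the same source for both: `valueFrom:` / `fieldRef:` / `fieldPath: metadata.namespace`. Separately, the `dataStorage` and `statefulSet.securityContext.container` keys look like the HashiCorp vault-helm chart, which (if that is the chart in use) already injects both variables from the downward API and can manage a pod-discovery Role via `server.serviceAccount.serviceDiscovery`; confirm that `server.extraEnv` is actually a key in the chart version deployed, because Helm drops unknown values silently and a wrong key would leave these entries un-rendered with no error. Both values.yaml hunks sit inside the `server:` mapping, which starts before the hunk.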
diff --git a/apps/base/artifactapi/resources/conf.d/remote-docker.yaml b/apps/base/artifactapi/resources/conf.d/remote-docker.yaml index 3806c9b..6ed384f 100644 --- a/apps/base/artifactapi/resources/conf.d/remote-docker.yaml +++ b/apps/base/artifactapi/resources/conf.d/remote-docker.yaml @@ -6,6 +6,7 @@ remotes: immutable_patterns: - "^cloudnative-pg/cloudnative-pg" - "^emberstack/helm-charts" + - "^open-webui/open-webui" - "^openvoxproject/" - "^stakater/reloader" - "^stalwartlabs/stalwart" From ede25a38589f02641835bad7c36215d572e0d462 Mon Sep 17 00:00:00 2001 
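Review bot: The new `^open-webui/open-webui` entry anchors on the repository only, so if `immutable_patterns` is matched against the repo path (as the neighbouring `^openvoxproject/` entry suggests) it also freezes mutable tags such as `main`, `latest`, `dev` or `cuda` at whatever content was first pulled, and `X-Artifact-Source: cache` will keep serving that layer set indefinitely. The description says only version-pinned pulls are meant to be cached; if the matcher sees the full reference, anchor the pattern to the tag form, e.g. `"^open-webui/open-webui:v?[0-9]"`, otherwise document the assumption next to the entry with `# pull this repo only by version tag or digest; it also publishes mutable tags`. I cannot tell from this hunk whether the pattern is applied to the repository or the full reference, so please check artifactapi's matcher before merging. An indefinitely cached mutable tag also means the cache keeps serving an image after upstream has replaced or withdrawn it for a vulnerability, which is the security angle here.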
From: Ben Vincent Date: Tue, 26 May 2026 23:41:54 +1000 Subject: [PATCH 3/4] feat(platform): add priority-classes app with low/power/medium/high classes (#174) ## Summary - New `apps/base/priority-classes/` app with four `PriorityClass` objects managed via the `platform` ArgoCD project - Adds `apps/overlays/*/priority-classes` to the platform ApplicationSet generator - Adds `priority-classes` namespace to platform AppProject destinations (required even for cluster-scoped resources) | Class | Value | PreemptionPolicy | Intent | |---|---|---|---| | `low` | 100 | Never | Background work; evictable, won't preempt others | | `power` | 100 | Never | Compute-heavy but expendable (e.g. AI/ML workloads) | | `medium` | 10000 | PreemptLowerPriority | Standard services | | `high` | 100000 | PreemptLowerPriority | Critical services; preempts lower-priority pods | `PriorityClass` is already in the platform project's `clusterResourceWhitelist` so no project policy changes were needed. ## Test plan - ArgoCD syncs `platform-priority-classes` successfully - `kubectl get priorityclasses low power medium high` shows all four classes Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/174 --- apps/base/priority-classes/kustomization.yaml | 6 ++++ .../priority-classes/priorityclasses.yaml | 36 +++++++++++++++++++ .../priority-classes/kustomization.yaml | 6 ++++ argocd/applicationsets/platform.yaml | 1 + argocd/projects/platform.yaml | 2 ++ 5 files changed, 51 insertions(+) create mode 100644 apps/base/priority-classes/kustomization.yaml create mode 100644 apps/base/priority-classes/priorityclasses.yaml create mode 100644 apps/overlays/au-syd1/priority-classes/kustomization.yaml diff --git a/apps/base/priority-classes/kustomization.yaml b/apps/base/priority-classes/kustomization.yaml new file mode 100644 index 0000000..e831aca --- /dev/null +++ b/apps/base/priority-classes/kustomization.yaml 
@@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - priorityclasses.yaml diff --git a/apps/base/priority-classes/priorityclasses.yaml b/apps/base/priority-classes/priorityclasses.yaml new file mode 100644 index 0000000..057883d --- /dev/null +++ b/apps/base/priority-classes/priorityclasses.yaml @@ -0,0 +1,36 @@ +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: low +value: 100 +preemptionPolicy: Never +globalDefault: false +description: "Low-importance workloads. Can be evicted under pressure but will not preempt other pods." +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: power +value: 100 +preemptionPolicy: Never +globalDefault: false +description: "Compute-heavy workloads with low scheduling importance. Evictable under pressure." +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: medium +value: 10000 +preemptionPolicy: PreemptLowerPriority +globalDefault: false +description: "Standard workloads. Will preempt low-priority pods if the cluster is under pressure." +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: high +value: 100000 +preemptionPolicy: PreemptLowerPriority +globalDefault: false +description: "High-importance services. Will preempt medium- and low-priority pods if necessary." diff --git a/apps/overlays/au-syd1/priority-classes/kustomization.yaml b/apps/overlays/au-syd1/priority-classes/kustomization.yaml new file mode 100644 index 0000000..0de8a0c --- /dev/null +++ b/apps/overlays/au-syd1/priority-classes/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../../base/priority-classes diff --git a/argocd/applicationsets/platform.yaml b/argocd/applicationsets/platform.yaml index 9b538c9..7023960 100644 --- a/argocd/applicationsets/platform.yaml +++ b/argocd/applicationsets/platform.yaml 
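Review bot: Nothing in priorityclasses.yaml restricts who may use `high` (100000, PreemptLowerPriority), so any tenant that can create pods can set `priorityClassName: high` and preempt platform services; pair the class with a `ResourceQuota` using a `scopeSelector` on `PriorityClass` in namespaces that should not use it, or an admission policy, before workloads start depending on preemption. None of the four classes is `globalDefault`, so every pod without a `priorityClassName` keeps priority 0 and sits below `low`/`power` (100) — `medium` and `high` will therefore preempt unlabeled pods first, which the descriptions do not mention; a comment above the first document such as `# pods with no priorityClassName have priority 0, below every class defined here` would save a surprise. `low` and `power` carry identical value and policy, so the scheduler treats them as the same class; if they are meant to diverge later, say so in the `power` description, otherwise one of them is redundant.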
@@ -22,6 +22,7 @@ spec: - path: apps/overlays/*/jfrog - path: apps/overlays/*/kanidm - path: apps/overlays/*/node-feature-discovery + - path: apps/overlays/*/priority-classes - path: apps/overlays/*/puppet - path: apps/overlays/*/purelb - path: apps/overlays/*/reflector-system diff --git a/argocd/projects/platform.yaml b/argocd/projects/platform.yaml index 67d125c..ceaa1d7 100644 --- a/argocd/projects/platform.yaml +++ b/argocd/projects/platform.yaml @@ -31,6 +31,8 @@ spec: server: https://kubernetes.default.svc - namespace: 'node-feature-discovery' server: https://kubernetes.default.svc + - namespace: 'priority-classes' + server: https://kubernetes.default.svc - namespace: 'purelb' server: https://kubernetes.default.svc - namespace: 'puppet' From 1b781e0885f15ad7e3701289439db097bcb879b7 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Tue, 26 May 2026 23:58:57 +1000 Subject: [PATCH 4/4] feat(woodpecker): set workflow pod priority class to power (#175) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary Sets `WOODPECKER_BACKEND_K8S_PRIORITY_CLASS: power` on the Woodpecker agent so all CI pipeline pods are scheduled with the `power` PriorityClass (value 100, preemptionPolicy: Never). This means pipeline pods can be evicted when the cluster is under pressure but won't preempt other workloads. ## Dependency Requires the `power` PriorityClass to exist on the cluster — deploy PR #174 (priority-classes app) first. ## Test plan - Trigger a pipeline run and confirm pods are created with `priorityClassName: power` - `kubectl get pod -n woodpecker -o jsonpath='{.items[*].spec.priorityClassName}'` Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/175 --- apps/overlays/au-syd1/woodpecker/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/apps/overlays/au-syd1/woodpecker/values.yaml b/apps/overlays/au-syd1/woodpecker/values.yaml index f0a5575..c89853b 100644 --- a/apps/overlays/au-syd1/woodpecker/values.yaml 
+++ b/apps/overlays/au-syd1/woodpecker/values.yaml
@@ -2,6 +2,7 @@ agent:
 replicaCount: 3
 env:
 WOODPECKER_MAX_WORKFLOWS: "8"
+ WOODPECKER_BACKEND_K8S_PRIORITY_CLASS: power
 WOODPECKER_BACKEND_K8S_STORAGE_CLASS: cephrbd-fast-delete
 WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 10G
 WOODPECKER_BACKEND_K8S_STORAGE_RWX: false
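Review bot: `WOODPECKER_BACKEND_K8S_PRIORITY_CLASS: power` makes pod admission fail outright (`no PriorityClass with name power was found`) rather than degrade if the `power` class is absent, so the ordering dependency on the priority-classes app is load-bearing and currently lives only in the description; enforce or at least record it next to the variable, e.g. `# requires PriorityClass "power" from apps/base/priority-classes; pipeline pods are rejected at admission without it`, and consider an ArgoCD sync-wave on the priority-classes app so it is never pruned or synced after woodpecker. Also, with `power` at value 100 and no `globalDefault` class, pipeline pods are evicted after any pod that has no priorityClassName at all (priority 0), so they are "expendable" only relative to `medium`/`high`, which is narrower than the description implies. The `agent.env` mapping starts before the hunk.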