cd8b8e7830
feat(tuppr): add sops secret for talosconfig
2026-02-27 04:35:08 +01:00
4119ef475e
fix(tuppr): patch ServiceAccount apiVersion in HelmRelease
2026-02-27 04:25:28 +01:00
c2fbc5cd70
feat: add system-upgrade namespace definition and reference it in kustomization.yaml
2026-02-27 04:21:56 +01:00
5c5cec7911
feat: Introduce tuppr system-upgrade application with configurations for managing Talos and Kubernetes upgrades.
2026-02-27 04:10:00 +01:00
265ffe8509
chore: update openebs dependency namespace from openebs-system to storage-system
2026-02-27 02:36:11 +01:00
2de34900f4
fix(grafana): Add missing secrets.
2026-02-27 02:19:31 +01:00
c9bca320ac
fix(grafana): Proper secret name
2026-02-27 02:03:37 +01:00
ae78db86ec
refactor: relocate Grafana dashboard definition from app to instance kustomization.
2026-02-27 01:54:55 +01:00
832a05a356
fix(components): typo
2026-02-27 01:47:21 +01:00
471f35b7f7
feat: add sops component to observability kustomization and reorder existing components
2026-02-27 01:14:45 +01:00
422e0610f4
refactor: migrate observability applications to Flux v2 HelmRelease and OCI repository definitions.
2026-02-27 00:18:56 +01:00
8859860893
Remove Plex initContainer and simplify volume mounts for cache and logs.
2026-02-26 23:17:37 +01:00
0da1022f90
fix: Ensure Plex can write to its configuration and log directories by adding an init container and setting readOnlyRootFilesystem to false.
2026-02-26 23:09:01 +01:00
119593876b
chore: remove GPU resource claims and node selector from Plex Helm release.
2026-02-26 21:54:35 +01:00
8953cc8ac1
chore: Add common app-template.
2026-02-26 20:11:05 +01:00
6db7c6c20a
chore: Remove dependency
2026-02-26 19:59:19 +01:00
1d2c59d756
chore: Remove externalsecrets.external-secrets.io from health checks and move volsync deployment to storage-system namespace.
2026-02-26 19:53:24 +01:00
2f33e71298
feat: introduce Flux health checks for CRDs and storage components, and adjust Plex PVC storage request.
2026-02-26 19:42:23 +01:00
dc41e2d5ab
fix(volsync): use destinationPVC instead of dataSourceRef for better provisioner compatibility
2026-02-26 18:50:21 +01:00
00b50ec592
fix(volsync): add RESTIC_REGION for Garage
2026-02-26 17:26:22 +01:00
f90d381630
fix(volsync): remove incorrect /buckets/ prefix from S3 URL
2026-02-26 17:22:07 +01:00
8828aed442
fix(volsync): use correct S3 API port for Garage
2026-02-26 17:17:42 +01:00
359f878134
chore: fix for volsync
2026-02-26 17:00:30 +01:00
2a327d40f6
refactor: Default VolSync storage class and capacity parameters, removing explicit application overrides.
2026-02-26 16:52:39 +01:00
809df95f0e
chore: add default values for storage class and capacity to VolSync PVC.
2026-02-26 16:47:45 +01:00
659039b375
fix(volsync): use plain variables for reliable Flux substitution
2026-02-26 16:46:22 +01:00
50ba546736
fix(navidrome): use existing ceph-block storage class
2026-02-26 16:41:20 +01:00
4e3c17c7c9
fix(volsync): replace ExternalSecret with direct SOPS secret
2026-02-26 16:36:09 +01:00
cddd7e98ff
fix: Rename secret.sops.yaml to secrets.sops.yaml in VolSync kustomization.
2026-02-26 16:27:58 +01:00
d7eca9dd40
refactor: Rename VolSync replica-source and replica-destination files to replication-source and replication-destination.
2026-02-26 16:24:49 +01:00
d5d08a97c6
feat: add Plex media server to homelab Kubernetes cluster.
2026-02-26 16:20:39 +01:00
00fa9429e5
fix(navidrome): Update navidrome path.
2026-02-26 16:17:07 +01:00
c77768f3bc
fix(navidrome): Missing kustomization.
2026-02-26 13:08:03 +01:00
d2890162a0
chore: Add missing namespace.
2026-02-26 13:01:47 +01:00
fdbcde49f6
feat: Add Navidrome application and VolSync components, migrating media apps from beta.
2026-02-26 13:00:52 +01:00
2be2941343
refactor: move infisical Kubernetes manifests from apps to beta directory
2026-02-26 11:30:24 +01:00
f49eafab4e
config: Set API server logging level to None to reduce CPU load.
2026-02-26 11:28:15 +01:00
aed9e8f8d0
fix(mysql-operator): correct kustomization path and namespace
2026-02-26 02:48:47 +01:00
b850960fb0
chore: Attempt to install mysql
2026-02-26 02:39:50 +01:00
fb213ed399
fix(infisical): use specific Bitnami tags for MongoDB and Redis
2026-02-26 02:14:21 +01:00
d09565bdaa
refactor: remove PostgreSQL database configuration from Infisical deployment.
2026-02-25 23:01:08 +01:00
a2f045b80c
Configure Postgres for Infisical
2026-02-25 22:47:51 +01:00
59895c0211
chore: re-add security and infisical.
2026-02-25 21:50:42 +01:00
2d6fb4e201
fix(rook): Fixed port issue preventing the rook-ceph dashboard from showing.
2026-02-25 18:27:32 +01:00
17a18c335b
doc: Add FAQ on invalid internal config.
2026-02-25 18:20:59 +01:00
3f50782f58
chore: Add echo-internal.laurivan.com to make sure the internal sites are accessible.
2026-02-25 15:55:45 +01:00
fcc7397a2b
feat: Add rook-ceph
2026-02-25 13:36:52 +01:00
f7e635e3f1
talos: tune kube-apiserver audit policy to reduce CPU overhead
Add targeted audit policy rules that suppress high-frequency, low-value
requests which were generating ~570k audit events per 10 hours and
causing kube-apiserver to consume 260-316m CPU per node.
Suppressed categories (no security impact):
- coordination.k8s.io/leases: controller/node heartbeats (86k GET + 46k PUT/10h)
- /healthz*, /readyz*, /livez*, /openapi*, /version: probe & discovery endpoints
- system:nodes user group: kubelet node status updates
- endpoints + endpointslices GET/LIST/WATCH: Cilium/CoreDNS polling
All other requests continue to be logged at Metadata level.
Result: 76% of audit events suppressed, non-leader apiserver CPU dropped
~50-60% (316m -> 125m on standby nodes). Policy lives in the patch file
so it survives cluster resets via talhelper genconfig.
2026-02-25 11:56:36 +01:00
9b1b3e62a4
chore: removed some apps temporarily
2026-02-25 01:12:28 +01:00
3402709523
fix(rook-ceph): reduce CPU requests for homelab 4-vCPU VMs
Default Rook requests (mon=1100m, mgr=700m, CSI sidecars=250-650m)
were consuming 17,860m across an 11,850m cluster, causing ESXi CPU
overcommit stalls that broke kube-apiserver connectivity and lost
leader elections in kube-controller-manager/cilium-operator/openebs.
New values target ~2,500m total Rook CPU requests:
- mon: 200m (was 1100m)
- mgr: 100m (was 700m)
- mds: 100m (was ~500m)
- osd: 200m (was no request, 8Gi memory limit)
- CSI sidecars: 10-50m each (was 100-250m each)
2026-02-24 23:55:44 +01:00