chore(deps): update ghcr.io/fluxcd/image-automation-controller docker tag to v0.39.0

Reviewed-on: #33

README.md

@@ -18,23 +18,25 @@
 
 ### Infrastructure
 
-- ![Kubernetes][k8s]
-- ![Helm][helm]
-- ![Traefik][traefik]
-- ![Cert Manager][cert-manager]
-- ![Metallb][metallb]
-- ![NFS][nfs]
-- ![FluxCD][fluxcd]
+- [Kubernetes][k8s] - Isn't it obvious?
+- [Helm][helm] - Easily deploy and manage Kubernetes applications
+- [Traefik][traefik] - Web reverse proxy
+- [Cert Manager][cert-manager] - Generates LetsEncrypt certificates
+- [Metallb][metallb] - Load Balancer
+- [NFS][nfs] - Remote Storage for PVs
+- [FluxCD][fluxcd] - GitOps
+- [Spegel][spegel] - Local Docker registry cache
+- [Eraser][eraser] - Automated cleanup of old docker images
 
 ### Services
 
-See [services](./apps/production/) for a list of services that I use in my homelab.
+See [services](./kubernetes/apps/production/) for a list of services that I use in my homelab.
 
 <!-- TODO -->
 
 ## Todo
 
-Nothing !
+- [ ] Setup Grafana and Traefik metrics
 
 ### Backlog
 
@@ -60,10 +62,12 @@ Don't forget to give the project a star! Thanks again!
 <!-- MARKDOWN LINKS & IMAGES -->
 <!-- https://www.markdownguide.org/basic-syntax/#reference-style-links -->
 
-[fluxcd]: https://fluxcd.io
-[k8s]: https://kubernetes.io
-[helm]: https://helm.sh
-[traefik]: https://traefik.io
-[cert-manager]: https://cert-manager.io
-[metallb]: https://metallb.org
-[nfs]: https://nfs.fascinated.cc
+[fluxcd]: https://fluxcd.io/
+[k8s]: https://kubernetes.io/
+[helm]: https://helm.sh/
+[traefik]: https://traefik.io/
+[cert-manager]: https://cert-manager.io/
+[metallb]: https://metallb.org/
+[nfs]: https://nfs.fascinated.cc/
+[spegel]: https://github.com/spegel-org/spegel/
+[eraser]: https://github.com/eraser-dev/eraser/

kubernetes/apps/production/flyimg/deployment.yaml

@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
         - name: flyimg-container
-          image: flyimg/flyimg:1.4.12
+          image: flyimg/flyimg:1.4.13
           securityContext:
             allowPrivilegeEscalation: false
           ports:

kubernetes/clusters/production/apps.yaml

@@ -5,7 +5,7 @@ metadata:
   name: apps
   namespace: flux-system
 spec:
-  interval: 1m0s
+  interval: 5m0s
   dependsOn:
     - name: infrastructure
   sourceRef:

kubernetes/clusters/production/flux-system/gotk-components.yaml

@@ -14258,7 +14258,7 @@ spec:
             resourceFieldRef:
               containerName: manager
               resource: limits.memory
-        image: ghcr.io/fluxcd/image-automation-controller:v0.38.0
+        image: ghcr.io/fluxcd/image-automation-controller:v0.39.0
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:

kubernetes/clusters/production/infrastructure.yaml

@@ -5,7 +5,7 @@ metadata:
   name: infrastructure
   namespace: flux-system
 spec:
-  interval: 1m0s
+  interval: 5m0s
   sourceRef:
     kind: GitRepository
     name: flux-system

kubernetes/infrastructure/eraser/eraser.yaml

@@ -0,0 +1,549 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: eraser-system
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.9.0
+  creationTimestamp: null
+  name: imagejobs.eraser.sh
+spec:
+  group: eraser.sh
+  names:
+    kind: ImageJob
+    listKind: ImageJobList
+    plural: imagejobs
+    singular: imagejob
+  scope: Cluster
+  versions:
+    - name: v1
+      schema:
+        openAPIV3Schema:
+          description: ImageJob is the Schema for the imagejobs API.
+          properties:
+            apiVersion:
+              description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
+              type: string
+            kind:
+              description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+              type: string
+            metadata:
+              type: object
+            status:
+              description: ImageJobStatus defines the observed state of ImageJob.
+              properties:
+                deleteAfter:
+                  description: Time to delay deletion until
+                  format: date-time
+                  type: string
+                desired:
+                  description: desired number of pods
+                  type: integer
+                failed:
+                  description: number of pods that failed
+                  type: integer
+                phase:
+                  description: job running, successfully completed, or failed
+                  type: string
+                skipped:
+                  description: number of nodes that were skipped e.g. because they are not a linux node
+                  type: integer
+                succeeded:
+                  description: number of pods that completed successfully
+                  type: integer
+              required:
+                - desired
+                - failed
+                - phase
+                - skipped
+                - succeeded
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+    - deprecated: true
+      deprecationWarning: v1alpha1 of the eraser API has been deprecated. Please migrate to v1.
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: ImageJob is the Schema for the imagejobs API.
+          properties:
+            apiVersion:
+              description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
+              type: string
+            kind:
+              description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+              type: string
+            metadata:
+              type: object
+            status:
+              description: ImageJobStatus defines the observed state of ImageJob.
+              properties:
+                deleteAfter:
+                  description: Time to delay deletion until
+                  format: date-time
+                  type: string
+                desired:
+                  description: desired number of pods
+                  type: integer
+                failed:
+                  description: number of pods that failed
+                  type: integer
+                phase:
+                  description: job running, successfully completed, or failed
+                  type: string
+                skipped:
+                  description: number of nodes that were skipped e.g. because they are not a linux node
+                  type: integer
+                succeeded:
+                  description: number of pods that completed successfully
+                  type: integer
+              required:
+                - desired
+                - failed
+                - phase
+                - skipped
+                - succeeded
+              type: object
+          type: object
+      served: true
+      storage: false
+      subresources:
+        status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.9.0
+  creationTimestamp: null
+  name: imagelists.eraser.sh
+spec:
+  group: eraser.sh
+  names:
+    kind: ImageList
+    listKind: ImageListList
+    plural: imagelists
+    singular: imagelist
+  scope: Cluster
+  versions:
+    - name: v1
+      schema:
+        openAPIV3Schema:
+          description: ImageList is the Schema for the imagelists API.
+          properties:
+            apiVersion:
+              description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
+              type: string
+            kind:
+              description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: ImageListSpec defines the desired state of ImageList.
+              properties:
+                images:
+                  description: The list of non-compliant images to delete if non-running.
+                  items:
+                    type: string
+                  type: array
+              required:
+                - images
+              type: object
+            status:
+              description: ImageListStatus defines the observed state of ImageList.
+              properties:
+                failed:
+                  description: Number of nodes that failed to run the job
+                  format: int64
+                  type: integer
+                skipped:
+                  description: Number of nodes that were skipped due to a skip selector
+                  format: int64
+                  type: integer
+                success:
+                  description: Number of nodes that successfully ran the job
+                  format: int64
+                  type: integer
+                timestamp:
+                  description: Information when the job was completed.
+                  format: date-time
+                  type: string
+              required:
+                - failed
+                - skipped
+                - success
+                - timestamp
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+    - deprecated: true
+      deprecationWarning: v1alpha1 of the eraser API has been deprecated. Please migrate to v1.
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: ImageList is the Schema for the imagelists API.
+          properties:
+            apiVersion:
+              description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
+              type: string
+            kind:
+              description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: ImageListSpec defines the desired state of ImageList.
+              properties:
+                images:
+                  description: The list of non-compliant images to delete if non-running.
+                  items:
+                    type: string
+                  type: array
+              required:
+                - images
+              type: object
+            status:
+              description: ImageListStatus defines the observed state of ImageList.
+              properties:
+                failed:
+                  description: Number of nodes that failed to run the job
+                  format: int64
+                  type: integer
+                skipped:
+                  description: Number of nodes that were skipped due to a skip selector
+                  format: int64
+                  type: integer
+                success:
+                  description: Number of nodes that successfully ran the job
+                  format: int64
+                  type: integer
+                timestamp:
+                  description: Information when the job was completed.
+                  format: date-time
+                  type: string
+              required:
+                - failed
+                - skipped
+                - success
+                - timestamp
+              type: object
+          type: object
+      served: true
+      storage: false
+      subresources:
+        status: {}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: eraser-controller-manager
+  namespace: eraser-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: eraser-imagejob-pods
+  namespace: eraser-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: eraser-imagejob-pods-cluster-role
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: eraser-manager-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - podtemplates
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - eraser.sh
+    resources:
+      - imagejobs
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - eraser.sh
+    resources:
+      - imagejobs/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - eraser.sh
+    resources:
+      - imagelists
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - eraser.sh
+    resources:
+      - imagelists/status
+    verbs:
+      - get
+      - patch
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: eraser-imagejob-pods-cluster-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: eraser-imagejob-pods-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: eraser-imagejob-pods
+    namespace: eraser-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: eraser-manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: eraser-manager-role
+subjects:
+  - kind: ServiceAccount
+    name: eraser-controller-manager
+    namespace: eraser-system
+---
+apiVersion: v1
+data:
+  controller_manager_config.yaml: |
+    apiVersion: eraser.sh/v1alpha3
+    kind: EraserConfig
+    manager:
+      runtime:
+        name: containerd
+        address: unix:///run/containerd/containerd.sock
+      otlpEndpoint: ""
+      logLevel: info
+      scheduling:
+        repeatInterval: 24h
+        beginImmediately: true
+      profile:
+        enabled: false
+        port: 6060
+      imageJob:
+        successRatio: 1.0
+        cleanup:
+          delayOnSuccess: 0s
+          delayOnFailure: 24h
+      pullSecrets: [] # image pull secrets for collector/scanner/eraser
+      priorityClassName: "" # priority class name for collector/scanner/eraser
+      nodeFilter:
+        type: exclude # must be either exclude|include
+        selectors:
+          - eraser.sh/cleanup.filter
+          - kubernetes.io/os=windows
+    components:
+      collector:
+        enabled: true
+        image:
+          repo: ghcr.io/eraser-dev/collector
+          tag: v1.4.0-beta.0
+        request:
+          mem: 25Mi
+          cpu: 7m
+        limit:
+          mem: 500Mi
+          # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#how-pods-with-resource-limits-are-run
+          cpu: 0
+      scanner:
+        enabled: true
+        image:
+          repo: ghcr.io/eraser-dev/eraser-trivy-scanner # supply custom image for custom scanner
+          tag: v1.4.0-beta.0
+        request:
+          mem: 500Mi
+          cpu: 1000m
+        limit:
+          mem: 2Gi
+          # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#how-pods-with-resource-limits-are-run
+          cpu: 0
+        # The config needs to be passed through to the scanner as yaml, as a
+        # single string. Because we allow custom scanner images, the scanner is
+        # responsible for defining a schema, parsing, and validating.
+        config: |
+          # this is the schema for the provided 'trivy-scanner'. custom scanners
+          # will define their own configuration.
+          cacheDir: /var/lib/trivy
+          dbRepo: ghcr.io/aquasecurity/trivy-db
+          deleteFailedImages: true
+          deleteEOLImages: true
+          vulnerabilities:
+            ignoreUnfixed: true
+            types:
+              - os
+              - library
+            securityChecks:
+              - vuln
+            severities:
+              - CRITICAL
+              - HIGH
+              - MEDIUM
+              - LOW
+            ignoredStatuses:
+          timeout:
+            total: 23h
+            perImage: 1h
+      remover:
+        image:
+          repo: ghcr.io/eraser-dev/remover
+          tag: v1.4.0-beta.0
+        request:
+          mem: 25Mi
+          # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#how-pods-with-resource-limits-are-run
+          cpu: 0
+        limit:
+          mem: 30Mi
+          cpu: 0
+kind: ConfigMap
+metadata:
+  name: eraser-manager-config
+  namespace: eraser-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: eraser-controller-manager
+  namespace: eraser-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+    spec:
+      containers:
+        - args:
+            - --config=/config/controller_manager_config.yaml
+          command:
+            - /manager
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+            - name: OTEL_SERVICE_NAME
+              value: eraser-manager
+          image: ghcr.io/eraser-dev/eraser-manager:v1.5.0-beta.0
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          name: manager
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            limits:
+              memory: 30Mi
+            requests:
+              cpu: 100m
+              memory: 20Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsGroup: 65532
+            runAsNonRoot: true
+            runAsUser: 65532
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - mountPath: /config
+              name: manager-config
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: eraser-controller-manager
+      terminationGracePeriodSeconds: 10
+      volumes:
+        - configMap:
+            name: eraser-manager-config
+          name: manager-config

kubernetes/infrastructure/eraser/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: eraser-system
+resources:
+  - eraser.yaml

kubernetes/infrastructure/kustomization.yaml

@@ -13,4 +13,6 @@ resources:
   - capacitor
   - monitoring
   - alerting/flux
+  - eraser
+  - spegel
   #- backup

kubernetes/infrastructure/monitoring/kube-prometheus-stack.yaml

@@ -18,7 +18,7 @@ spec:
   chart:
     spec:
       chart: kube-prometheus-stack
-      version: "62.7.0"
+      version: "63.0.0"
       sourceRef:
         kind: HelmRepository
         name: monitoring
@@ -56,3 +56,20 @@ spec:
               resources:
                 requests:
                   storage: 50Gi
+
+    # ServiceMonitor configurations
+    serviceMonitors:
+      node-exporter:
+        metricRelabelings:
+          - action: replace
+            regex: (.*)
+            replacement: $1
+            sourceLabels:
+              - __meta_kubernetes_pod_node_name
+            targetLabel: kubernetes_node
+      kubelet:
+        metricRelabelings:
+          - action: replace
+            sourceLabels:
+              - node
+            targetLabel: instance

kubernetes/infrastructure/spegel/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: spegel
+resources:
+  - namespace.yaml
+  - spegel.yaml

kubernetes/infrastructure/spegel/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: spegel
+  labels:
+    pod-security.kubernetes.io/enforce: privileged

kubernetes/infrastructure/spegel/spegel.yaml

@@ -0,0 +1,42 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: spegel
+  namespace: spegel
+spec:
+  type: "oci"
+  interval: 5m0s
+  url: oci://ghcr.io/spegel-org/helm-charts
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: spegel
+  namespace: spegel
+spec:
+  interval: 1m
+  chart:
+    spec:
+      chart: spegel
+      version: "v0.0.24"
+      interval: 5m
+      sourceRef:
+        kind: HelmRepository
+        name: spegel
+  values:
+    spegel:
+      containerdRegistryConfigPath: /etc/cri/conf.d/hosts
+      registries:
+        [
+          "https://cgr.dev",
+          "https://docker.io",
+          "https://ghcr.io",
+          "https://quay.io",
+          "https://mcr.microsoft.com",
+          "https://public.ecr.aws",
+          "https://gcr.io",
+          "https://registry.k8s.io",
+          "https://k8s.gcr.io",
+          "https://lscr.io",
+          "https://git.fascinated.cc",
+        ]