Merge branch 'main' of https://github.com/rajsinghtech/kubernetes-manifests

Author: rajsinghtech

.gitignore

@@ -6,9 +6,11 @@ tf/**/alpo-*.yaml
 tf/**/kubeconfig_*
 tfplan
 charts
-**/talos/*.yaml
+**/talos/clusterconfig/
 **/talos/*.iso
 **/talos/talosconfig
+!**/talos/talconfig.yaml
+**/talos/talsecret.yaml
 **/talos/aurora
 **/talos/.DS_Store
 

clusters/talos-ottawa/.mise.toml

@@ -57,4 +57,141 @@ description = "Reset cluster (DESTRUCTIVE)"
 
 [tasks.cleanup-thunderbolt-debug]
 run = "task -d bootstrap/talos cleanup-thunderbolt-debug"
-description = "Remove Thunderbolt debug DaemonSet"
+description = "Remove Thunderbolt debug DaemonSet"
+
+# Additional Talos management tasks (converted from Makefile)
+
+[tasks.disk]
+run = """
+for node in rei asuka kaji; do
+  echo "=== Discovered volumes on $node ==="
+  talosctl -e $node -n $node get discoveredvolumes
+done
+"""
+description = "Show discovered volumes on all nodes"
+
+[tasks.etcd]
+run = "talosctl service etcd -n rei -e rei"
+description = "Check etcd service status"
+
+[tasks.static]
+run = "talosctl get staticpods -n rei -e rei"
+description = "List static pods"
+
+[tasks.link]
+run = """
+for node in rei asuka kaji; do
+  echo "=== Link status on $node ==="
+  talosctl get linkstatus -n $node -e $node
+done
+"""
+description = "Show network link status on all nodes"
+
+[tasks.addresses]
+run = """
+for node in rei asuka kaji; do
+  echo "=== Addresses on $node ==="
+  talosctl get addresses -n $node -e $node
+done
+"""
+description = "Show IP addresses on all nodes"
+
+[tasks.service]
+run = """
+for node in rei asuka kaji; do
+  echo "=== Services on $node ==="
+  talosctl service -n $node -e $node
+done
+"""
+description = "List services on all nodes"
+
+[tasks.reboot]
+run = """
+echo "WARNING: This will reboot nodes! Press Ctrl+C to cancel..."
+sleep 5
+for node in rei asuka kaji; do
+  echo "Rebooting $node..."
+  talosctl -e $node -n $node reboot --debug
+  echo "Waiting 30 seconds before next node..."
+  sleep 30
+done
+"""
+description = "Reboot all nodes (DISRUPTIVE)"
+
+[tasks.reset-node]
+run = """
+echo "WARNING: This will reset a node! Usage: mise run reset-node <nodename>"
+echo "Example: mise run reset-node rei"
+echo ""
+if [ -z "$1" ]; then
+  echo "Error: Node name required"
+  exit 1
+fi
+echo "Resetting node $1 in 5 seconds... Press Ctrl+C to cancel"
+sleep 5
+talosctl -e $1 -n $1 reset --system-labels-to-wipe EPHEMERAL,STATE --graceful=false --reboot
+"""
+description = "Reset a single node to maintenance mode (DESTRUCTIVE)"
+
+[tasks.upgrade]
+run = """
+TALOS_VERSION="${1:-v1.10.6}"
+echo "Upgrading cluster to Talos $TALOS_VERSION"
+for node in rei asuka kaji; do
+  echo "Upgrading $node..."
+  talosctl upgrade --nodes $node --image ghcr.io/siderolabs/installer:${TALOS_VERSION} -e $node --wait --debug
+  echo "Waiting for node to be ready..."
+  sleep 60
+done
+"""
+description = "Upgrade Talos version on all nodes"
+
+[tasks.k9s]
+run = "k9s --context [email protected]"
+description = "Launch k9s with cluster context"
+
+[tasks.iso]
+run = """
+echo "Generating ISO from talconfig schematic..."
+SCHEMATIC_ID=$(talhelper genurl installer --config-file bootstrap/talos/talconfig.yaml | grep -oE 'factory.talos.dev/installer/[^:]+' | cut -d'/' -f3)
+TALOS_VERSION=$(grep talosVersion bootstrap/talos/talconfig.yaml | awk '{print $2}')
+echo "Schematic ID: $SCHEMATIC_ID"
+echo "Talos Version: $TALOS_VERSION"
+echo "Downloading ISO..."
+curl -O "https://factory.talos.dev/image/${SCHEMATIC_ID}/${TALOS_VERSION}/metal-amd64.iso"
+echo "ISO downloaded: metal-amd64.iso"
+"""
+description = "Download custom ISO with extensions from talconfig"
+
+[tasks.nodes]
+run = "kubectl get nodes -o wide"
+description = "Show cluster nodes"
+
+[tasks.pods]
+run = "kubectl get pods -A"
+description = "Show all pods in cluster"
+
+[tasks.talos-shell]
+run = """
+NODE="${1:-rei}"
+echo "Opening shell on node: $NODE"
+talosctl -n $NODE -e $NODE shell
+"""
+description = "Open shell on a node (default: rei, or specify: mise run talos-shell asuka)"
+
+[tasks.logs]
+run = """
+SERVICE="${1:-kubelet}"
+NODE="${2:-rei}"
+echo "Showing logs for $SERVICE on $NODE"
+talosctl -n $NODE -e $NODE logs $SERVICE
+"""
+description = "Show service logs (usage: mise run logs [service] [node])"
+
+[tasks.dmesg]
+run = """
+NODE="${1:-rei}"
+echo "Showing kernel logs on $NODE"
+talosctl -n $NODE -e $NODE dmesg
+"""
+description = "Show kernel logs from a node (default: rei)"

clusters/talos-ottawa/bootstrap/talos/.sops.yaml

@@ -0,0 +1,3 @@
+creation_rules:
+  - path_regex: .*secret.*\.yaml$
+    pgp: FAC8E7C3A2BC7DEE58A01C5928E1AB8AF0CF07A5

clusters/talos-ottawa/bootstrap/talos/Taskfile.yaml

@@ -0,0 +1,173 @@
+---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
+version: "3"
+
+tasks:
+  init:
+    desc: Generate and encrypt Talos secrets
+    cmds:
+      - |
+        if [ ! -f "talsecret.sops.yaml" ]; then
+            echo "Generating new Talos secrets..."
+            talhelper gensecret > talsecret.yaml
+            echo "Encrypting secrets with PGP key..."
+            sops --encrypt --pgp FAC8E7C3A2BC7DEE58A01C5928E1AB8AF0CF07A5 talsecret.yaml > talsecret.sops.yaml
+            rm talsecret.yaml
+            echo "✅ Secrets generated and encrypted"
+        else
+            echo "Secrets file already exists"
+        fi
+
+  genconfig:
+    desc: Generate Talos configuration files
+    cmds:
+      - talhelper genconfig
+    preconditions:
+      - sh: test -f talconfig.yaml
+        msg: Missing talconfig.yaml
+      - sh: test -f talsecret.sops.yaml
+        msg: Missing talsecret.sops.yaml - run 'mise run init' first
+
+  apply:
+    desc: Apply Talos configuration to nodes
+    cmds:
+      - talhelper gencommand apply | bash
+    preconditions:
+      - sh: test -d clusterconfig
+        msg: Missing clusterconfig directory - run 'mise run genconfig' first
+  
+  apply-insecure:
+    desc: Apply Talos configuration to nodes in maintenance mode (initial install)
+    cmds:
+      - talhelper gencommand apply --extra-flags="--insecure" | bash
+    preconditions:
+      - sh: test -d clusterconfig
+        msg: Missing clusterconfig directory - run 'mise run genconfig' first
+
+  bootstrap:
+    desc: Bootstrap the etcd cluster on first node
+    cmds:
+      - talhelper gencommand bootstrap | bash
+    preconditions:
+      - sh: test -d clusterconfig
+        msg: Missing clusterconfig directory - run 'mise run genconfig' first
+
+  kubeconfig:
+    desc: Fetch kubeconfig from Talos cluster  
+    cmds:
+      - talhelper gencommand kubeconfig --extra-flags="../../ --force" | bash
+      - chmod 600 ../../kubeconfig
+    preconditions:
+      - sh: test -d clusterconfig
+        msg: Missing clusterconfig directory
+
+  test-thunderbolt:
+    desc: Test Thunderbolt network connectivity
+    cmds:
+      - echo "Testing Thunderbolt interfaces..."
+      - talosctl --nodes rei get links | grep -E "thunderbolt|169.254" || echo "No Thunderbolt on rei"
+      - talosctl --nodes asuka get links | grep -E "thunderbolt|169.254" || echo "No Thunderbolt on asuka"
+      - talosctl --nodes kaji get links | grep -E "thunderbolt|169.254" || echo "No Thunderbolt on kaji"
+
+  discover-thunderbolt:
+    desc: Discover Thunderbolt interfaces using kubectl-node-shell (requires running cluster)
+    cmds:
+      - |
+        echo "=== Discovering Thunderbolt interfaces on all nodes ==="
+        echo "Note: This requires kubectl-node-shell to be installed"
+        echo ""
+        for node in rei asuka kaji; do
+          echo "=== Node: $node ==="
+          kubectl node-shell $node -- sh -c 'ls -la /sys/bus/thunderbolt/devices/ 2>/dev/null || echo "No Thunderbolt devices found"'
+          echo ""
+          echo "Network interfaces with bus paths:"
+          kubectl node-shell $node -- sh -c 'for iface in $(ls /sys/class/net/); do if [ "$iface" != "lo" ]; then echo -n "$iface: "; readlink /sys/class/net/$iface | grep -oE "[0-9]+-[0-9]+\.[0-9]+" || echo "Not Thunderbolt"; fi; done'
+          echo ""
+        done
+    preconditions:
+      - sh: kubectl get nodes
+        msg: Cluster must be running
+      - sh: which kubectl-node-shell
+        msg: kubectl-node-shell must be installed (kubectl krew install node-shell)
+
+  deploy-thunderbolt-debug:
+    desc: Deploy privileged DaemonSet for Thunderbolt debugging
+    cmds:
+      - kubectl apply -f thunderbolt-debug.yaml
+      - echo "Waiting for pods to start..."
+      - kubectl -n kube-system wait --for=condition=Ready pod -l app=thunderbolt-debug --timeout=60s
+      - echo ""
+      - echo "=== Thunderbolt Debug Pods Running ==="
+      - kubectl -n kube-system get pods -l app=thunderbolt-debug -o wide
+    preconditions:
+      - sh: test -f thunderbolt-debug.yaml
+        msg: thunderbolt-debug.yaml not found
+      - sh: kubectl get nodes
+        msg: Cluster must be running
+
+  cleanup-thunderbolt-debug:
+    desc: Remove Thunderbolt debug DaemonSet
+    cmd: kubectl delete -f thunderbolt-debug.yaml --ignore-not-found=true
+
+  generate-thunderbolt-patch:
+    desc: Generate Thunderbolt patch file based on discovered interfaces
+    cmds:
+      - |
+        echo "After discovering Thunderbolt interfaces, create patches/node/NODE-thunderbolt.yaml"
+        echo "Example patch structure:"
+        echo ""
+        cat <<'EOF'
+        # patches/node/rei-thunderbolt.yaml
+        machine:
+          network:
+            interfaces:
+              - deviceSelector:
+                  busPath: "0-1.0"  # Replace with actual discovered bus path
+                dhcp: false
+                mtu: 65520
+                addresses:
+                  - 169.254.255.101/32
+                routes:
+                  - network: 169.254.255.102/32
+                    metric: 2048
+              - deviceSelector:
+                  busPath: "0-3.0"  # Replace with actual discovered bus path
+                dhcp: false
+                mtu: 65520
+                addresses:
+                  - 169.254.255.101/32
+                routes:
+                  - network: 169.254.255.103/32
+                    metric: 2048
+        EOF
+
+  dashboard:
+    desc: Open Talos dashboard
+    cmd: talosctl dashboard --nodes rei,asuka,kaji
+
+  health:
+    desc: Check cluster health
+    cmd: talosctl health --server=false
+
+  reset:
+    desc: Reset nodes back to maintenance mode (DESTRUCTIVE)
+    prompt: This will destroy your cluster! Continue?
+    cmd: talhelper gencommand reset --extra-flags="--reboot --system-labels-to-wipe STATE --system-labels-to-wipe EPHEMERAL --graceful=false --wait=false" | bash
+
+  upgrade:
+    desc: Upgrade Talos on a node
+    cmd: talosctl --nodes {{.node}} upgrade --image {{.image}} --wait=true --timeout=10m --preserve=true
+    requires:
+      vars: ["node", "image"]
+    preconditions:
+      - msg: Unable to connect to node
+        sh: talosctl --nodes {{.node}} version
+
+  upgrade-k8s:
+    desc: Upgrade Kubernetes across the cluster
+    cmd: talosctl --nodes {{.controller}} upgrade-k8s --to {{.to}}
+    requires:
+      vars: ["controller", "to"]
+    preconditions:
+      - msg: Unable to connect to controller
+        sh: talosctl --nodes {{.controller}} version

clusters/talos-ottawa/bootstrap/talos/irqbalance-daemonset.yaml

@@ -0,0 +1,48 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: irqbalance
+  namespace: kube-system
+  labels:
+    app: irqbalance
+spec:
+  selector:
+    matchLabels:
+      app: irqbalance
+  template:
+    metadata:
+      labels:
+        app: irqbalance
+    spec:
+      hostNetwork: true
+      hostPID: true
+      hostIPC: true
+      containers:
+      - name: irqbalance
+        image: ghcr.io/home-operations/irqbalance:1.9.4@sha256:86f83ccf82033339f19981697f947d96194539d6b130fa5a4336e887461fe7dc
+        command: ["/usr/sbin/irqbalance"]
+        args: ["--foreground", "--journal"]
+        env:
+        - name: IRQBALANCE_BANNED_CPULIST
+          value: "12-19"
+        resources:
+          requests:
+            cpu: 25m
+            memory: 64Mi
+          limits:
+            memory: 128Mi
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: run
+          mountPath: /run/irqbalance
+      volumes:
+      - name: run
+        emptyDir: {}
+      tolerations:
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""