meta: initial commit

Signed-off-by: Dennis Marttinen <[email protected]>

.conform.yaml

@@ -0,0 +1,38 @@
+policies:
+  - type: commit
+    spec:
+      header:
+        length: 89
+        imperative: true
+        case: lower
+        invalidLastCharacters: .
+      dco: true
+      gpg:
+        required: true
+#        identity:
+#          gitHubOrganization: supernetes
+      spellcheck:
+        locale: US
+      maximumOfOneCommit: true
+      conventional:
+        types:
+          - ci
+          - docs
+          - meta
+          - refactor
+          - release
+          - test
+  - type: license
+    spec:
+      skipPaths:
+        - .git/
+      includeSuffixes:
+        - container
+        - cpouta
+      allowPrecedingComments: true
+      header: |
+        # SPDX-License-Identifier: MPL-2.0
+        #
+        # This Source Code Form is subject to the terms of the Mozilla Public
+        # License, v. 2.0. If a copy of the MPL was not distributed with this
+        # file, You can obtain one at http://mozilla.org/MPL/2.0/.

.github/workflows/check.yaml

@@ -0,0 +1,29 @@
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+
+name: Check
+jobs:
+  conform:
+    name: Conformance
+    runs-on: ubuntu-latest
+    container:
+      image: golang:1
+      options: --user 1001 # https://github.com/actions/runner/issues/2033#issuecomment-1598547465
+    steps:
+      - name: Check out sources
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+      - name: Fetch master branch for reference
+        # The main branch detection of siderolabs/conform relies on the branch tracking the "origin" remote, see
+        # https://github.com/siderolabs/conform/blob/2feadaa74eef93dd35f303582f2e82afa62a119d/cmd/conform/enforce.go#L74
+        run: git checkout master && git checkout -
+        if: github.ref_name != 'master'
+      - name: Install siderolabs/conform
+        run: go install github.com/siderolabs/conform/cmd/conform@latest
+      - name: Run siderolabs/conform
+        run: conform enforce

.gitignore

@@ -0,0 +1,10 @@
+/private/**
+!/private/**/
+!/private/**/.gitkeep
+
+/work/**
+!/work/**/
+!/work/cpouta
+!/work/supernetes-cluster.yaml
+!/work/patch/cilium.yaml
+!/work/patch/single-node.yaml

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "bootstrap"]
+	path = bootstrap
+	url = https://github.com/twelho/talos-bootstrap.git

Dockerfile

@@ -0,0 +1,104 @@
+# Base environment
+FROM alpine:3 as base
+
+RUN apk --no-cache upgrade && \
+    apk --no-cache add bash bash-completion cosign curl g++ git helm jq k9s kubectl kustomize less linux-headers make moreutils nano nano-syntax openssl pipx python3-dev yq
+
+# Build environment for tooling
+FROM base as build
+
+RUN mkdir /build /out
+WORKDIR /build
+
+# Talos
+FROM build as talos
+
+RUN curl -fL https://talos.dev/install | sh && cp /usr/local/bin/talosctl /out/
+
+# Flux
+FROM build as flux
+
+RUN curl -fL https://fluxcd.io/install.sh | bash && cp /usr/local/bin/flux /out/
+
+# Cilium
+FROM build as cilium
+
+RUN CILIUM_CLI_VERSION=$(curl -fL https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt) && \
+    CLI_ARCH=amd64 && if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi && \
+    curl -fL --remote-name-all https://github.com/cilium/cilium-cli/releases/download/"${CILIUM_CLI_VERSION}"/cilium-linux-"${CLI_ARCH}".tar.gz{,.sha256sum} && \
+    sha256sum -c cilium-linux-"${CLI_ARCH}".tar.gz.sha256sum && \
+    tar xzvf cilium-linux-"${CLI_ARCH}".tar.gz -C /out/ && \
+    rm -r /build
+
+# Hubble CLI
+FROM build as hubble
+
+RUN HUBBLE_VERSION=$(curl -fL https://raw.githubusercontent.com/cilium/hubble/master/stable.txt) && \
+    HUBBLE_ARCH=amd64 && if [ "$(uname -m)" = "aarch64" ]; then HUBBLE_ARCH=arm64; fi && \
+    curl -L --fail --remote-name-all https://github.com/cilium/hubble/releases/download/"${HUBBLE_VERSION}"/hubble-linux-"${HUBBLE_ARCH}".tar.gz{,.sha256sum} && \
+    sha256sum -c hubble-linux-"${HUBBLE_ARCH}".tar.gz.sha256sum && \
+    tar xzvf hubble-linux-"${HUBBLE_ARCH}".tar.gz -C /out/ && \
+    rm -r /build
+
+# SOPS
+FROM build as sops
+
+RUN set -x && \
+    SOPS_CLI_VERSION=$(curl -fL https://api.github.com/repos/getsops/sops/releases/latest | jq -r ".tag_name") && \
+    CLI_ARCH=amd64 && if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi && \
+    curl -fL --remote-name-all https://github.com/getsops/sops/releases/download/"${SOPS_CLI_VERSION}"/sops-"${SOPS_CLI_VERSION}".{linux."${CLI_ARCH}",checksums.txt,checksums.pem,checksums.sig} && \
+    cosign verify-blob sops-"${SOPS_CLI_VERSION}".checksums.txt \
+      --certificate sops-"${SOPS_CLI_VERSION}".checksums.pem \
+      --signature sops-"${SOPS_CLI_VERSION}".checksums.sig \
+      --certificate-identity-regexp=https://github.com/getsops \
+      --certificate-oidc-issuer=https://token.actions.githubusercontent.com && \
+    grep sops-"${SOPS_CLI_VERSION}".linux."${CLI_ARCH}" sops-"${SOPS_CLI_VERSION}".checksums.txt > sops-"${SOPS_CLI_VERSION}".checksums.filtered.txt && \
+    sha256sum -c sops-"${SOPS_CLI_VERSION}".checksums.filtered.txt && \
+    mv sops-"${SOPS_CLI_VERSION}".linux."${CLI_ARCH}" /out/sops && chmod +x /out/sops && \
+    rm -r /build
+
+# Krew
+FROM build as krew
+
+RUN CLI_ARCH=amd64 && if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi && KREW=krew-linux_"${CLI_ARCH}" && \
+    curl -fL --remote-name-all https://github.com/kubernetes-sigs/krew/releases/latest/download/"${KREW}".tar.gz{,.sha256} && \
+    echo "$(cat "${KREW}".tar.gz.sha256) ${KREW}.tar.gz" > "${KREW}".tar.gz.sha256sum && \
+    sha256sum -c "${KREW}".tar.gz.sha256sum && \
+    tar xzvf "${KREW}".tar.gz && \
+    ./"${KREW}" install krew && \
+    mv ~/.krew /out/ && \
+    rm -r /build
+
+# Management container image
+FROM base
+
+# Installation
+WORKDIR /usr/local/bin
+COPY --from=talos /out/ .
+COPY --from=flux /out/ .
+COPY --from=cilium /out/ .
+COPY --from=hubble /out/ .
+COPY --from=sops /out/ .
+
+WORKDIR /root
+COPY --from=krew /out/ .
+
+# Configuration
+ENV EDITOR=nano
+ENV HISTCONTROL=ignoreboth
+RUN update-ca-certificates && \
+    talosctl completion bash >> ~/.bashrc && \
+    cilium completion bash >> ~/.bashrc && \
+    hubble completion bash >> ~/.bashrc && \
+    flux completion bash >> ~/.bashrc && \
+    sed -ri 's|^# (set afterends)$|\1|' /etc/nanorc && \
+    sed -ri 's|^# (include "/usr/share/nano/\*\.nanorc")$|\1|' /etc/nanorc && \
+    register-python-argcomplete pipx >> ~/.bashrc && pipx ensurepath && \
+    pipx install python-openstackclient && ~/.local/bin/openstack complete >> ~/.bashrc && \
+    echo "pipx install -e /bootstrap &> /dev/null &" >> ~/.bashrc && \
+    echo 'export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"' >> ~/.bashrc
+#    PATH="$HOME/.krew/bin:$PATH" kubectl krew install ...
+
+# Sleep forever, use `exec` to enter the container
+ENTRYPOINT ["/bin/sh", "-c", "trap 'exit 0' INT TERM; sleep infinity & wait"]
+