feat(k8s/magiclove): spegel

uhthomas · uhthomas · commit 242493478dd1 · 2025-09-17T01:14:18.000+01:00
diff --git a/k8s/magiclove/list.cue b/k8s/magiclove/list.cue
@@ -43,6 +43,7 @@ import (
 	"github.com/uhthomas/automata/k8s/magiclove/snapscheduler"
 	"github.com/uhthomas/automata/k8s/magiclove/snapshot_controller"
 	"github.com/uhthomas/automata/k8s/magiclove/speedtest_exporter"
+	"github.com/uhthomas/automata/k8s/magiclove/spegel"
 	"github.com/uhthomas/automata/k8s/magiclove/thomas"
 	// "github.com/uhthomas/automata/k8s/magiclove/trivy_system"
 	// "github.com/uhthomas/automata/k8s/magiclove/vector"
@@ -124,6 +125,7 @@ _items: [
 	snapscheduler.#List.items,
 	snapshot_controller.#List.items,
 	speedtest_exporter.#List.items,
+	spegel.#List.items,
 	thomas.#List.items,
 	// trivy_system.#List.items,
 	// vector.#List.items,
diff --git a/k8s/magiclove/spegel/README.md b/k8s/magiclove/spegel/README.md
@@ -0,0 +1,9 @@
+# Spegel
+
+[https://spegel.dev](https://spegel.dev)
+
+[https://github.com/spegel-org/spegel](https://github.com/spegel-org/spegel)
+
+## Talos
+
+[https://spegel.dev/docs/getting-started/#talos](https://spegel.dev/docs/getting-started/#talos)
diff --git a/k8s/magiclove/spegel/daemon_set_list.cue b/k8s/magiclove/spegel/daemon_set_list.cue
@@ -0,0 +1,171 @@
+package spegel
+
+import (
+	appsv1 "k8s.io/api/apps/v1"
+	"k8s.io/api/core/v1"
+)
+
+#DaemonSetList: appsv1.#DaemonSetList & {
+	apiVersion: "apps/v1"
+	kind:       "DaemonSetList"
+	items: [...{
+		apiVersion: "apps/v1"
+		kind:       "DaemonSet"
+	}]
+}
+
+#DaemonSetList: items: [{
+	spec: {
+		selector: matchLabels: "app.kubernetes.io/name": #Name
+		template: {
+			metadata: labels: "app.kubernetes.io/name": #Name
+			spec: {
+				volumes: [{
+					name: "containerd-sock"
+					hostPath: {
+						path: "/run/containerd/containerd.sock"
+						type: v1.#HostPathSocket
+					}
+				}, {
+					name: "containerd-content"
+					hostPath: {
+						path: "/var/lib/containerd/io.containerd.content.v1.content"
+						type: v1.#HostPathDirectory
+					}
+				}, {
+					name: "containerd-config"
+					hostPath: {
+						path: "/etc/cri/conf.d/hosts"
+						type: v1.#HostPathDirectoryOrCreate
+					}
+				}]
+				initContainers: [{
+					name:  "config"
+					image: _image.reference
+					args: [
+						"configuration",
+						"--log-level=INFO",
+						"--containerd-registry-config-path=/etc/cri/conf.d/hosts",
+						"--mirror-targets",
+						"http://$(NODE_IP):30020",
+						"--resolve-tags=true",
+						"--prepend-existing=false",
+					]
+					env: [{
+						name: "NODE_IP"
+						valueFrom: fieldRef: fieldPath: "status.hostIP"
+					}]
+					resources: limits: {
+						cpu:    "100m"
+						memory: "128Mi"
+					}
+					volumeMounts: [{
+						name:      "containerd-config"
+						mountPath: "/etc/cri/conf.d/hosts"
+					}]
+					imagePullPolicy: v1.#PullIfNotPresent
+					securityContext: {
+						capabilities: drop: ["ALL"]
+						readOnlyRootFilesystem:   true
+						allowPrivilegeEscalation: false
+					}
+				}]
+				containers: [{
+					name:  "spegel"
+					image: _image.reference
+					args: [
+						"registry",
+						"--log-level=INFO",
+						"--mirror-resolve-retries=3",
+						"--mirror-resolve-timeout=20ms",
+						"--registry-addr=:5000",
+						"--router-addr=:5001",
+						"--metrics-addr=:9090",
+						"--containerd-sock=/run/containerd/containerd.sock",
+						"--containerd-namespace=k8s.io",
+						"--containerd-registry-config-path=/etc/cri/conf.d/hosts",
+						"--bootstrap-kind=dns",
+						"--dns-bootstrap-domain=\(#Name)-bootstrap.\(#Namespace).svc.cluster.local.",
+						"--resolve-latest-tag=true",
+						"--containerd-content-path=/var/lib/containerd/io.containerd.content.v1.content",
+						"--debug-web-enabled=true",
+					]
+					env: [{
+						name:  "DATA_DIR"
+						value: ""
+					}, {
+						name: "NODE_IP"
+						valueFrom: fieldRef: fieldPath: "status.hostIP"
+					}, {
+						name: "GOMEMLIMIT"
+						valueFrom: resourceFieldRef: {
+							resource: "limits.memory"
+							divisor:  1
+						}
+					}]
+					ports: [{
+						name:          "registry"
+						containerPort: 5000
+					}, {
+						name:          "router"
+						containerPort: 5001
+					}, {
+						name:          "metrics"
+						containerPort: 9090
+					}]
+					resources: limits: {
+						(v1.#ResourceCPU):    "300m"
+						(v1.#ResourceMemory): "128Mi"
+					}
+					volumeMounts: [{
+						name:      "containerd-sock"
+						mountPath: "/run/containerd/containerd.sock"
+					}, {
+						name:      "containerd-content"
+						mountPath: "/var/lib/containerd/io.containerd.content.v1.content"
+						readOnly:  true
+					}]
+
+					let probe = {
+						httpGet: {
+							path: "/readyz"
+							port: "registry"
+						}
+					}
+
+					livenessProbe:  probe
+					readinessProbe: probe
+					startupProbe: probe & {
+						periodSeconds:    3
+						failureThreshold: 60
+					}
+
+					imagePullPolicy: v1.#PullIfNotPresent
+					// securityContext: {
+					// 	capabilities: drop: ["ALL"]
+					// 	readOnlyRootFilesystem:   true
+					// 	allowPrivilegeEscalation: false
+					// }
+					securityContext: readOnlyRootFilesystem: true
+				}]
+				// securityContext: {
+				// 	runAsUser:    1000
+				// 	runAsGroup:   3000
+				// 	runAsNonRoot: true
+				// 	fsGroup:      2000
+				// 	seccompProfile: type: v1.#SeccompProfileTypeRuntimeDefault
+				// }
+				tolerations: [{
+					key:      "CriticalAddonsOnly"
+					operator: v1.#TolerationOpExists
+				}, {
+					operator: v1.#TolerationOpExists
+					effect:   v1.#TaintEffectNoExecute
+				}, {
+					operator: v1.#TolerationOpExists
+					effect:   v1.#TaintEffectNoSchedule
+				}]
+			}
+		}
+	}
+}]
diff --git a/k8s/magiclove/spegel/list.cue b/k8s/magiclove/spegel/list.cue
@@ -0,0 +1,45 @@
+package spegel
+
+import (
+	"list"
+
+	"k8s.io/api/core/v1"
+
+	"github.com/uhthomas/automata/tools"
+)
+
+#Name:      "spegel"
+#Namespace: #Name
+
+// renovate: datasource=github-releases depName=spegel-org/spegel extractVersion=^v(?<version>.*)$
+#Version: "0.4.0"
+
+_image: tools.#Image & {
+	name:   "ghcr.io/spegel-org/spegel"
+	tag:    #Version
+	digest: "sha256:a86089ae74c4f9c98ec86c366d196f7a03044c38af09e6582b0661d42a324226"
+}
+
+#List: v1.#List & {
+	apiVersion: "v1"
+	kind:       "List"
+	items: [...{
+		metadata: {
+			name:      string | *#Name
+			namespace: #Namespace
+			labels: {
+				"app.kubernetes.io/name":    #Name
+				"app.kubernetes.io/version": #Version
+			}
+		}
+	}]
+}
+
+#List: items: list.Concat(_items)
+
+_items: [
+	#DaemonSetList.items,
+	#NamespaceList.items,
+	#ServiceList.items,
+	#VMServiceScrapeList.items,
+]
diff --git a/k8s/magiclove/spegel/namespace_list.cue b/k8s/magiclove/spegel/namespace_list.cue
@@ -0,0 +1,14 @@
+package spegel
+
+import "k8s.io/api/core/v1"
+
+#NamespaceList: v1.#NamespaceList & {
+	apiVersion: "v1"
+	kind:       "NamespaceList"
+	items: [...{
+		apiVersion: "v1"
+		kind:       "Namespace"
+	}]
+}
+
+#NamespaceList: items: [{metadata: labels: "pod-security.kubernetes.io/enforce": "privileged"}]
diff --git a/k8s/magiclove/spegel/service_list.cue b/k8s/magiclove/spegel/service_list.cue
@@ -0,0 +1,48 @@
+package spegel
+
+import "k8s.io/api/core/v1"
+
+#ServiceList: v1.#ServiceList & {
+	apiVersion: "v1"
+	kind:       "ServiceList"
+	items: [...{
+		apiVersion: "v1"
+		kind:       "Service"
+	}]
+}
+
+#ServiceList: items: [{
+	spec: {
+		ports: [{
+			name:       "http-metrics"
+			port:       9090
+			targetPort: "metrics"
+		}]
+		selector: "app.kubernetes.io/name": #Name
+	}
+}, {
+	metadata: name: "\(#Name)-bootstrap"
+	spec: {
+		ports: [{
+			name:       "router"
+			port:       5001
+			targetPort: "router"
+		}]
+		selector: "app.kubernetes.io/name": #Name
+		clusterIP:                v1.#ClusterIPNone
+		publishNotReadyAddresses: true
+	}
+}, {
+	metadata: name: "\(#Name)-registry"
+	spec: {
+		ports: [{
+			name:       "registry"
+			port:       5000
+			targetPort: "registry"
+			nodePort:   30020
+		}]
+		selector: "app.kubernetes.io/name": #Name
+		type:                v1.#ServiceTypeNodePort
+		trafficDistribution: "PreferSameNode"
+	}
+}]
diff --git a/k8s/magiclove/spegel/vm_service_scrape_list.cue b/k8s/magiclove/spegel/vm_service_scrape_list.cue
@@ -0,0 +1,19 @@
+package spegel
+
+import operatorv1beta1 "github.com/VictoriaMetrics/operator/api/operator/v1beta1"
+
+#VMServiceScrapeList: operatorv1beta1.#VMServiceScrapeList & {
+	apiVersion: "operator.victoriametrics.com/v1beta1"
+	kind:       "VMServiceScrapeList"
+	items: [...{
+		apiVersion: "operator.victoriametrics.com/v1beta1"
+		kind:       "VMServiceScrape"
+	}]
+}
+
+#VMServiceScrapeList: items: [{
+	spec: {
+		endpoints: [{port: "http-metrics"}]
+		selector: matchLabels: "app.kubernetes.io/name": #Name
+	}
+}]
