From 04cede6f1160fe177ba201248aaabcc90d02d859 Mon Sep 17 00:00:00 2001 From: Marcel Straub Date: Sun, 7 Sep 2025 11:08:10 +0200 Subject: [PATCH] Rebuild ArgoCD deployment by example on sealed-secrets - Co-authored-by: Marcel Straub Reviewed-on: https://git.straubintra.net/s5b-public/k8s/pulls/1 --- .gitignore | 3 + .../inline-manifests/argocd_install.yaml | 40 +++--- .../01-tofu/talos_cluster.auto.tfvars | 1 + 02-k8s/README.md | 13 ++ 02-k8s/infra/application-set.yaml | 32 +++++ 02-k8s/infra/controllers/application-set.yaml | 34 +++++ 02-k8s/infra/controllers/argocd/README.md | 1 + .../controllers/argocd/kustomization.yaml | 13 ++ 02-k8s/infra/controllers/argocd/ns.yaml | 4 + 02-k8s/infra/controllers/argocd/values.yaml | 125 ++++++++++++++++++ 02-k8s/infra/controllers/kustomization.yaml | 9 ++ 02-k8s/infra/controllers/project.yaml | 18 +++ .../sealed-secrets/kustomization.yaml | 11 ++ .../controllers/sealed-secrets/values.yaml | 10 ++ 02-k8s/infra/kustomization.yaml | 9 ++ 02-k8s/infra/project.yaml | 16 +++ .../get_cilium_cli.sh => install_clis.sh | 5 + 17 files changed, 324 insertions(+), 20 deletions(-) create mode 100644 02-k8s/README.md create mode 100644 02-k8s/infra/application-set.yaml create mode 100644 02-k8s/infra/controllers/application-set.yaml create mode 100644 02-k8s/infra/controllers/argocd/README.md create mode 100644 02-k8s/infra/controllers/argocd/kustomization.yaml create mode 100644 02-k8s/infra/controllers/argocd/ns.yaml create mode 100644 02-k8s/infra/controllers/argocd/values.yaml create mode 100644 02-k8s/infra/controllers/kustomization.yaml create mode 100644 02-k8s/infra/controllers/project.yaml create mode 100644 02-k8s/infra/controllers/sealed-secrets/kustomization.yaml create mode 100644 02-k8s/infra/controllers/sealed-secrets/values.yaml create mode 100644 02-k8s/infra/kustomization.yaml create mode 100644 02-k8s/infra/project.yaml rename 00-infrastructure/01-tofu/get_cilium_cli.sh => install_clis.sh (92%) 
diff --git a/.gitignore b/.gitignore
index 588fc17..d3cdcc2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,9 @@
 # EnvRC files contain secrets that must not be checked in
 .envrc
+# Kustomize artifacts
+**/charts
+
 # OpenTofu working files
 .terraform*
 output/
diff --git a/00-infrastructure/01-tofu/talos/inline-manifests/argocd_install.yaml b/00-infrastructure/01-tofu/talos/inline-manifests/argocd_install.yaml
index d391418..029f499 100644
--- a/00-infrastructure/01-tofu/talos/inline-manifests/argocd_install.yaml
+++ b/00-infrastructure/01-tofu/talos/inline-manifests/argocd_install.yaml
@@ -28,24 +28,24 @@ kind: ServiceAccount
 metadata:
 name: argocd-installer
 namespace: kube-system
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: argocd-installer
- namespace: kube-system
-spec:
- template:
- spec:
- serviceAccountName: argocd-installer
- containers:
- - name: installer
- image: bitnami/kubectl:latest
- command:
- - /bin/sh
- - -c
- - |
- kubectl apply -n argocd -f https://git.straubintra.net/marcel/argo-cd/raw/tag/stable/manifests/ha/install.yaml
- restartPolicy: OnFailure
- backoffLimit: 3
+# ---
+# apiVersion: batch/v1
+# kind: Job
+# metadata:
+# name: argocd-installer
+# namespace: kube-system
+# spec:
+# template:
+# spec:
+# serviceAccountName: argocd-installer
+# containers:
+# - name: installer
+# image: bitnami/kubectl:latest
+# command:
+# - /bin/sh
+# - -c
+# - |
+# kubectl apply -n argocd -f https://git.straubintra.net/marcel/argo-cd/raw/tag/stable/manifests/ha/install.yaml
+# restartPolicy: OnFailure
+# backoffLimit: 3
diff --git a/00-infrastructure/01-tofu/talos_cluster.auto.tfvars b/00-infrastructure/01-tofu/talos_cluster.auto.tfvars
index 94056d2..5e01401 100644
--- a/00-infrastructure/01-tofu/talos_cluster.auto.tfvars
+++ b/00-infrastructure/01-tofu/talos_cluster.auto.tfvars
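Review bot: Commenting out the installer Job leaves the `argocd-installer` ServiceAccount in `kube-system` (the context lines at the top of the hunk) provisioned with nothing using it, and any RBAC bound to that account — not visible in this hunk — stays live as an unused identity. The commented block adds twenty-one lines of dead YAML to an inline manifest that git history already preserves; delete it rather than comment it, and drop the ServiceAccount and its binding if the kubectl-based install is really superseded by the kustomize/Helm path this commit introduces. If the account is kept on purpose, a one-line comment above it such as `# kept for manual bootstrap; see 02-k8s/README.md` would stop the next reader from removing it. The ServiceAccount document begins outside the hunk.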
@@ -29,5 +29,6 @@ talos_cluster_config = {
 "mcr.microsoft.com" = "https://harbor.prod.eis-mk8.de.s5b.org/v2/proxy-mcr.microsoft.com"
 "quay.io" = "https://harbor.prod.eis-mk8.de.s5b.org/v2/proxy-quay.io"
 "public.ecr.aws" = "https://harbor.prod.eis-mk8.de.s5b.org/v2/proxy-public.ecr.aws"
+ "ecr-public.aws.com" = "https://harbor.prod.eis-mk8.de.s5b.org/v2/proxy-public.ecr.aws"
 }
 }
\ No newline at end of file
diff --git a/02-k8s/README.md b/02-k8s/README.md
new file mode 100644
index 0000000..074cbbf
--- /dev/null
+++ b/02-k8s/README.md
@@ -0,0 +1,13 @@
+# Kubernetes Setup
+
+## Bootstrapping
+
+### 1. Deploy Cluster
+
+Follow documentation at [Deploy Kubernetes Cluster](../00-infrastructure/01-tofu/README.md).
+
+### 2. Deploy Argo CD
+
+```shell
+kustomize build --enable-helm infra/controllers/argocd | kubectl apply -f -
+```
\ No newline at end of file
diff --git a/02-k8s/infra/application-set.yaml b/02-k8s/infra/application-set.yaml
new file mode 100644
index 0000000..f439680
--- /dev/null
+++ b/02-k8s/infra/application-set.yaml
@@ -0,0 +1,32 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: infrastructure
+ namespace: argocd
+ labels:
+ dev.stonegarden: infrastructure
+spec:
+ generators:
+ - git:
+ repoURL: https://git.straubintra.net/s5b-private/k8s/
+ revision: HEAD
+ directories:
+ - path: 02-k8s/infra/*
+ template:
+ metadata:
+ name: '{{ path.basename }}'
+ labels:
+ dev.stonegarden: infrastructure
+ spec:
+ project: infrastructure
+ source:
+ repoURL: https://git.straubintra.net/s5b-private/k8s/
+ targetRevision: HEAD
+ path: '{{ path }}'
+ destination:
+ name: in-cluster
+ namespace: argocd
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
\ No newline at end of file
diff --git a/02-k8s/infra/controllers/application-set.yaml b/02-k8s/infra/controllers/application-set.yaml
new file mode 100644
index 0000000..5cd8474
--- /dev/null
+++ b/02-k8s/infra/controllers/application-set.yaml
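Review bot: The new mirror key `ecr-public.aws.com` does not match any registry host I know of — ECR Public images are referenced as `public.ecr.aws/...`, which the line above already maps to the same proxy — so unless an image reference in this cluster really uses that host the entry is dead configuration; confirm against a concrete image reference before keeping it, or drop it. If it is intentional, a short comment naming the image that uses the alias would save the next reader the same question. The file still ends without a trailing newline (`\ No newline at end of file`), which this touch could have fixed. The `talos_cluster_config` block begins outside the hunk.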
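Review bot: The label key `dev.stonegarden: infrastructure`, used on both the ApplicationSet and its template (the two `labels:` stanzas under `metadata`), looks like a leftover from the upstream example, while the sibling `02-k8s/infra/controllers/application-set.yaml` and both kustomizations in this commit use `s5b.org`; with mixed keys a selector on `s5b.org=infrastructure` silently misses these objects. Change both occurrences to `s5b.org: infrastructure` so they agree with `02-k8s/infra/kustomization.yaml`. The file also ends without a trailing newline, as do all the new files in this commit.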
@@ -0,0 +1,34 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: controllers
+ namespace: argocd
+ labels:
+ s5b.org: controllers
+spec:
+ generators:
+ - git:
+ repoURL: https://git.straubintra.net/s5b-private/k8s/
+ revision: HEAD
+ directories:
+ - path: 02-k8s/infra/controllers/*
+ template:
+ metadata:
+ name: '{{ path.basename }}'
+ labels:
+ s5b.org: controllers
+ spec:
+ project: controllers
+ source:
+ repoURL: https://git.straubintra.net/s5b-private/k8s/
+ targetRevision: HEAD
+ path: '{{ path }}'
+ destination:
+ name: in-cluster
+ namespace: argocd
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - ServerSideApply=true
\ No newline at end of file
diff --git a/02-k8s/infra/controllers/argocd/README.md b/02-k8s/infra/controllers/argocd/README.md
new file mode 100644
index 0000000..4f55150
--- /dev/null
+++ b/02-k8s/infra/controllers/argocd/README.md
@@ -0,0 +1 @@
+# ArgoCD
\ No newline at end of file
diff --git a/02-k8s/infra/controllers/argocd/kustomization.yaml b/02-k8s/infra/controllers/argocd/kustomization.yaml
new file mode 100644
index 0000000..b529dcd
--- /dev/null
+++ b/02-k8s/infra/controllers/argocd/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ns.yaml
+
+helmCharts:
+ - name: argo-cd
+ repo: https://argoproj.github.io/argo-helm
+ version: 8.3.5
+ releaseName: "argocd"
+ namespace: argocd
+ valuesFile: values.yaml
\ No newline at end of file
diff --git a/02-k8s/infra/controllers/argocd/ns.yaml b/02-k8s/infra/controllers/argocd/ns.yaml
new file mode 100644
index 0000000..96e84ab
--- /dev/null
+++ b/02-k8s/infra/controllers/argocd/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: argocd
\ No newline at end of file
diff --git a/02-k8s/infra/controllers/argocd/values.yaml b/02-k8s/infra/controllers/argocd/values.yaml
new file mode 100644
index 0000000..c95f406
--- /dev/null
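Review bot: Both the git generator (`revision: HEAD`) and the template (`targetRevision: HEAD`) follow the remote default branch, and with `automated:` set to `prune: true` / `selfHeal: true` every push that lands on that branch — including to the `argocd` and `sealed-secrets` directories this set manages — is applied to the cluster with no gate other than the forge's branch protection; `02-k8s/infra/application-set.yaml` has the same shape. Pinning both fields to the explicit protected branch name (for example `revision: main` / `targetRevision: main`, if that is the default branch) makes the trust boundary visible in the manifest and avoids surprises if the default branch is ever repointed. A comment above `syncPolicy` stating that branch protection on the source repository is the review gate would record the assumption either way.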
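Review bot: `releaseName: "argocd"` is the only quoted scalar in the two `helmCharts` entries this commit adds (`02-k8s/infra/controllers/sealed-secrets/kustomization.yaml` leaves `releaseName` plain) and the quotes change nothing here; write it as `releaseName: argocd` for consistency. Pinning `version: 8.3.5` is good; a one-line comment above it, along the lines of `# on every chart bump, re-check values.yaml against the chart's default values`, would tell the maintainer that the two files move together.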
+++ b/02-k8s/infra/controllers/argocd/values.yaml
@@ -0,0 +1,125 @@
+# https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml
+global:
+ domain: https://gitops.prod.k8.eis-mk8.de.s5b.org
+
+configs:
+ cm:
+ create: true
+ application.resourceTrackingMethod: annotation+label
+ admin.enabled: true
+ kustomize.buildOptions: --enable-helm
+ # url: https://gitops.prod.k8.eis-mk8.de.s5b.org
+
+
+ cmp:
+ create: true
+ params:
+ controller.diff.server.side: true
+ server.insecure: false
+
+crds:
+ install: true
+ # -- Keep CRDs on chart uninstall
+ keep: false
+
+controller:
+ replicas: 1
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ resources:
+ requests:
+ cpu: 100m
+ memory: 700Mi
+ limits:
+ memory: 4Gi
+
+dex:
+ enabled: false
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ limits:
+ memory: 128Mi
+
+redis-ha:
+ enabled: true
+
+redis:
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ resources:
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ limits:
+ memory: 1Gi
+
+server:
+ replicas: 2
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ resources:
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ limits:
+ memory: 1Gi
+
+repoServer:
+ replicas: 2
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ containerSecurityContext:
+ readOnlyRootFilesystem: true
+ volumes:
+ - name: cmp-kustomize-build-with-helm
+ configMap:
+ name: argocd-cmp-cm
+ - name: cmp-tmp
+ emptyDir: { }
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ memory: 2Gi
+
+applicationSet:
+ replicas: 2
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ resources:
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ limits:
+ memory: 1Gi
+
+notifications:
+ enabled: false
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ resources:
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ limits:
+ cpu: 1000m
+ memory: 128Mi
\ No newline at end of file
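Review bot: `global.domain: https://gitops.prod.k8.eis-mk8.de.s5b.org` carries a scheme, but the argo-cd chart treats `global.domain` as a bare hostname and prefixes `https://` itself when it derives the `url` for `argocd-cm` and the ingress hosts, so this value renders a doubled scheme; change it to `domain: gitops.prod.k8.eis-mk8.de.s5b.org`, remove the commented `# url:` line under `configs.cm` (which suggests the problem was already noticed), and verify against the rendered `argocd-cm`. Two further settings deserve a comment or a change: `crds.keep: false` under an Application that is itself auto-pruned means a pruned or deleted Argo CD Application removes the Application/AppProject CRDs and, with them, every Application object in the cluster, so `keep: true` is the safer value when Argo CD manages itself; and `admin.enabled: true` with `dex.enabled: false` leaves the built-in admin account as the only login, so note when it is meant to be turned off. The `repoServer.volumes` entries `cmp-kustomize-build-with-helm` and `cmp-tmp` are declared but nothing in the file mounts them (there is no `extraContainers`), and `configs.cmp.create: true` produces an empty `argocd-cmp-cm`, so they look like a leftover from an upstream example and can presumably go. Minor: `emptyDir: { }` is normally written `emptyDir: {}`.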
diff --git a/02-k8s/infra/controllers/kustomization.yaml b/02-k8s/infra/controllers/kustomization.yaml
new file mode 100644
index 0000000..0e4e762
--- /dev/null
+++ b/02-k8s/infra/controllers/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+ s5b.org: controllers
+ app.kubernetes.io/managed-by: argocd
+
+resources:
+ - project.yaml
+ - application-set.yaml
\ No newline at end of file
diff --git a/02-k8s/infra/controllers/project.yaml b/02-k8s/infra/controllers/project.yaml
new file mode 100644
index 0000000..85dd958
--- /dev/null
+++ b/02-k8s/infra/controllers/project.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: controllers
+ namespace: argocd
+spec:
+ sourceRepos:
+ - 'https://git.straubintra.net/s5b-private/k8s/'
+ destinations:
+ - namespace: 'argocd'
+ server: '*'
+ - namespace: 'kube-system'
+ server: '*'
+ - namespace: 'sealed-secrets'
+ server: '*'
+ clusterResourceWhitelist:
+ - group: '*'
+ kind: '*'
\ No newline at end of file
diff --git a/02-k8s/infra/controllers/sealed-secrets/kustomization.yaml b/02-k8s/infra/controllers/sealed-secrets/kustomization.yaml
new file mode 100644
index 0000000..2d8b781
--- /dev/null
+++ b/02-k8s/infra/controllers/sealed-secrets/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+helmCharts:
+ - name: sealed-secrets
+ repo: oci://registry-1.docker.io/bitnamicharts
+ version: 2.17.4
+ releaseName: sealed-secrets-controller
+ namespace: sealed-secrets
+ includeCRDs: true
+ valuesFile: values.yaml
\ No newline at end of file
diff --git a/02-k8s/infra/controllers/sealed-secrets/values.yaml b/02-k8s/infra/controllers/sealed-secrets/values.yaml
new file mode 100644
index 0000000..f938dde
--- /dev/null
+++ b/02-k8s/infra/controllers/sealed-secrets/values.yaml
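Review bot: `commonLabels` is deprecated in kustomize (v5 warns on it, and it also injects the labels into selectors), and here it is redundant because `application-set.yaml` already carries `s5b.org: controllers` explicitly; `02-k8s/infra/kustomization.yaml` has the same construct. Replace it with the current form, `labels: [{pairs: {s5b.org: controllers, app.kubernetes.io/managed-by: argocd}}]` (block style in the file; `includeSelectors` defaults to false), or drop the field and keep the labels in the manifests themselves. A trailing newline is missing as well.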
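Review bot: `destinations[*].server: '*'` together with `clusterResourceWhitelist` of `group: '*'` / `kind: '*'` makes this AppProject as permissive as the built-in `default` project for cluster-scoped resources, so the project boundary adds nothing beyond the namespace list; `02-k8s/infra/project.yaml` has the same shape. Both ApplicationSets target `name: in-cluster`, so `server: '*'` can become `name: in-cluster` (or `server: https://kubernetes.default.svc`), and the cluster-scoped whitelist can be narrowed to what these two charts actually create — presumably `apiextensions.k8s.io` CustomResourceDefinition, `rbac.authorization.k8s.io` ClusterRole and ClusterRoleBinding, and core Namespace — but confirm the list against a `kustomize build --enable-helm` of each directory before tightening. If the breadth is deliberate for bootstrap, a comment above `clusterResourceWhitelist` saying so would at least record the decision.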
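Review bot: Nothing here creates the `sealed-secrets` namespace that `namespace: sealed-secrets` renders into — unlike the `argocd` sibling there is no `resources: - ns.yaml`, and the controllers ApplicationSet's `syncOptions` lists only `ServerSideApply=true`, not `CreateNamespace=true` — so the first sync of the generated `sealed-secrets` Application fails on a missing namespace unless it already exists. Add an `ns.yaml` with `kind: Namespace` / `name: sealed-secrets` under `resources:` (mirroring `02-k8s/infra/controllers/argocd/kustomization.yaml`), or add `- CreateNamespace=true` to the ApplicationSet's `syncOptions`. Separately, the chart is fetched by the repo-server from `oci://registry-1.docker.io/bitnamicharts` at build time, pinned by version but not by digest; if the Harbor proxies in the tfvars hunk are meant to front every external pull, routing this chart through the same proxy would keep its provenance under the same control — I cannot see from here whether a docker.io mirror is configured.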
@@ -0,0 +1,10 @@
+namespace: sealed-secrets
+keyrenewperiod: 8766h # ~ 1 year
+
+resources:
+ limits:
+ cpu: 100m
+ memory: 64Mi
+ requests:
+ cpu: 10m
+ memory: 32Mi
\ No newline at end of file
diff --git a/02-k8s/infra/kustomization.yaml b/02-k8s/infra/kustomization.yaml
new file mode 100644
index 0000000..ab4f86a
--- /dev/null
+++ b/02-k8s/infra/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+ s5b.org: infrastructure
+ app.kubernetes.io/managed-by: argocd
+
+resources:
+ - project.yaml
+ - application-set.yaml
\ No newline at end of file
diff --git a/02-k8s/infra/project.yaml b/02-k8s/infra/project.yaml
new file mode 100644
index 0000000..1f99219
--- /dev/null
+++ b/02-k8s/infra/project.yaml
@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: infrastructure
+ namespace: argocd
+spec:
+ sourceRepos:
+ - 'https://git.straubintra.net/s5b-private/k8s/'
+ destinations:
+ - namespace: 'kube-system'
+ server: '*'
+ - namespace: 'argocd'
+ server: '*'
+ clusterResourceWhitelist:
+ - group: '*'
+ kind: '*'
\ No newline at end of file
diff --git a/00-infrastructure/01-tofu/get_cilium_cli.sh b/install_clis.sh
similarity index 92%
rename from 00-infrastructure/01-tofu/get_cilium_cli.sh
rename to install_clis.sh
index 8d6012a..8940f20 100755
--- a/00-infrastructure/01-tofu/get_cilium_cli.sh
+++ b/install_clis.sh
@@ -27,3 +27,8 @@
 sha256sum --check hubble-linux-${HUBBLE_ARCH}.tar.gz.sha256sum
 sudo tar xzvfC hubble-linux-${HUBBLE_ARCH}.tar.gz /usr/local/bin
 rm hubble-linux-${HUBBLE_ARCH}.tar.gz{,.sha256sum}
+# Install kustomize
+brew install kustomize
+
+# Install kubeseal
+brew install kubeseal
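Review bot: `keyrenewperiod: 8766h` stretches sealing-key rotation from the controller's documented default (30 days) to a year, which lengthens the window in which a single leaked private key decrypts every SealedSecret sealed against it; rotation does not re-encrypt already-sealed secrets, so the longer period buys little, and the comment should say why the default was overridden or the line should go. `namespace: sealed-secrets` at the top does not look like a value this chart consumes — the release namespace is already set by `namespace:` in the kustomization — so confirm it against the chart's values and drop it if unused. Whatever period is kept, the sealing key exists only as a Secret in this namespace and cannot be recreated from git, so a comment next to this setting pointing at the backup procedure (`# sealing-key backup: <location placeholder>`) is worth adding.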
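Review bot: The two new `brew install` lines skip the verification the rest of this script applies — the hubble archive just above is checked with `sha256sum --check` before it is unpacked into `/usr/local/bin` — and they assume `brew` exists on a Linux host without checking, so on a machine without Homebrew the script fails at its last step after everything else has already been installed. At minimum guard them with `command -v brew >/dev/null || { echo 'brew not found' >&2; exit 1; }`, and either pin the two formula versions or fetch the kustomize and kubeseal release archives with their published checksums the same way hubble is handled, so the whole script has one provenance standard. The earlier part of the script, including any `set -e`, is outside the hunk.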