Rebuild ArgoCD deployment by example on sealed-secrets

- Co-authored-by: Marcel Straub <m@straubs.eu> Reviewed-on: #1
2025-09-07 11:08:10 +02:00
parent 56870c61e6
commit 04cede6f11
17 changed files with 324 additions and 20 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,9 @@
 # EnvRC files contain secrets that must not be checked in
 .envrc
 # Kustomize artifacts
 **/charts
 # OpenTofu working files
 .terraform*
 output/
--- a/00-infrastructure/01-tofu/talos/inline-manifests/argocd_install.yaml
+++ b/00-infrastructure/01-tofu/talos/inline-manifests/argocd_install.yaml
@@ -28,24 +28,24 @@ kind: ServiceAccount
 metadata:
  name: argocd-installer
  namespace: kube-system
---
+# ---
-apiVersion: batch/v1
+# apiVersion: batch/v1
-kind: Job
+# kind: Job
-metadata:
+# metadata:
-  name: argocd-installer
+#   name: argocd-installer
-  namespace: kube-system
+#   namespace: kube-system
-spec:
+# spec:
-  template:
+#   template:
-    spec:
+#     spec:
-      serviceAccountName: argocd-installer
+#       serviceAccountName: argocd-installer
-      containers:
+#       containers:
-      - name: installer
+#       - name: installer
-        image: bitnami/kubectl:latest
+#         image: bitnami/kubectl:latest
-        command:
+#         command:
-        - /bin/sh
+#         - /bin/sh
-        - -c
+#         - -c
-        - |
+#         - |
-          kubectl apply -n argocd -f https://git.straubintra.net/marcel/argo-cd/raw/tag/stable/manifests/ha/install.yaml
+#           kubectl apply -n argocd -f https://git.straubintra.net/marcel/argo-cd/raw/tag/stable/manifests/ha/install.yaml
-      restartPolicy: OnFailure
+#       restartPolicy: OnFailure
-  backoffLimit: 3
+#   backoffLimit: 3
--- a/00-infrastructure/01-tofu/talos_cluster.auto.tfvars
+++ b/00-infrastructure/01-tofu/talos_cluster.auto.tfvars
@@ -29,5 +29,6 @@ talos_cluster_config  = {
      "mcr.microsoft.com" = "https://harbor.prod.eis-mk8.de.s5b.org/v2/proxy-mcr.microsoft.com"
      "quay.io" = "https://harbor.prod.eis-mk8.de.s5b.org/v2/proxy-quay.io"
      "public.ecr.aws" = "https://harbor.prod.eis-mk8.de.s5b.org/v2/proxy-public.ecr.aws"
      "ecr-public.aws.com" = "https://harbor.prod.eis-mk8.de.s5b.org/v2/proxy-public.ecr.aws"
    }
 }
--- a/02-k8s/README.md
+++ b/02-k8s/README.md
@@ -0,0 +1,13 @@
 # Kubernetes Setup
 ## Bootstrapping
 ### 1. Deploy Cluster
 Follow documentation at [Deploy Kubernetes Cluster](../00-infrastructure/01-tofu/README.md).
 ### 2. Deploy Argo CD
 ```shell
 kustomize build --enable-helm infra/controllers/argocd | kubectl apply -f -
 ```
--- a/02-k8s/infra/application-set.yaml
+++ b/02-k8s/infra/application-set.yaml
@@ -0,0 +1,32 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: infrastructure
  namespace: argocd
  labels:
    dev.stonegarden: infrastructure
 spec:
  generators:
    - git:
        repoURL: https://git.straubintra.net/s5b-private/k8s/
        revision: HEAD
        directories:
          - path: 02-k8s/infra/*
  template:
    metadata:
      name: '{{ path.basename }}'
      labels:
        dev.stonegarden: infrastructure
    spec:
      project: infrastructure
      source:
        repoURL: https://git.straubintra.net/s5b-private/k8s/
        targetRevision: HEAD
        path: '{{ path }}'
      destination:
        name: in-cluster
        namespace: argocd
      syncPolicy:
        automated:
          selfHeal: true
          prune: true
--- a/02-k8s/infra/controllers/application-set.yaml
+++ b/02-k8s/infra/controllers/application-set.yaml
@@ -0,0 +1,34 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
  name: controllers
  namespace: argocd
  labels:
    s5b.org: controllers
 spec:
  generators:
    - git:
        repoURL: https://git.straubintra.net/s5b-private/k8s/
        revision: HEAD
        directories:
          - path: 02-k8s/infra/controllers/*
  template:
    metadata:
      name: '{{ path.basename }}'
      labels:
        s5b.org: controllers
    spec:
      project: controllers
      source:
        repoURL: https://git.straubintra.net/s5b-private/k8s/
        targetRevision: HEAD
        path: '{{ path }}'
      destination:
        name: in-cluster
        namespace: argocd
      syncPolicy:
        automated:
          selfHeal: true
          prune: true
        syncOptions:
          - ServerSideApply=true
--- a/02-k8s/infra/controllers/argocd/README.md
+++ b/02-k8s/infra/controllers/argocd/README.md
@@ -0,0 +1 @@
 # ArgoCD
--- a/02-k8s/infra/controllers/argocd/kustomization.yaml
+++ b/02-k8s/infra/controllers/argocd/kustomization.yaml
@@ -0,0 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ns.yaml
 helmCharts:
  - name: argo-cd
    repo: https://argoproj.github.io/argo-helm
    version: 8.3.5
    releaseName: "argocd"
    namespace: argocd
    valuesFile: values.yaml
--- a/02-k8s/infra/controllers/argocd/ns.yaml
+++ b/02-k8s/infra/controllers/argocd/ns.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: argocd
--- a/02-k8s/infra/controllers/argocd/values.yaml
+++ b/02-k8s/infra/controllers/argocd/values.yaml
@@ -0,0 +1,125 @@
 # https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml
 global:
  domain: https://gitops.prod.k8.eis-mk8.de.s5b.org
 configs:
  cm:
    create: true
    application.resourceTrackingMethod: annotation+label
    admin.enabled: true
    kustomize.buildOptions: --enable-helm
    # url: https://gitops.prod.k8.eis-mk8.de.s5b.org
  cmp:
    create: true
  params:
    controller.diff.server.side: true
    server.insecure: false
 crds:
  install: true
  # -- Keep CRDs on chart uninstall
  keep: false
 controller:
  replicas: 1
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  resources:
    requests:
      cpu: 100m
      memory: 700Mi
    limits:
      memory: 4Gi
 dex:
  enabled: false
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  resources:
    requests:
      cpu: 10m
      memory: 32Mi
    limits:
      memory: 128Mi
 redis-ha:
  enabled: true
 redis:
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  resources:
    requests:
      cpu: 100m
      memory: 64Mi
    limits:
      memory: 1Gi
 server:
  replicas: 2
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  resources:
    requests:
      cpu: 50m
      memory: 64Mi
    limits:
      memory: 1Gi
 repoServer:
  replicas: 2
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  containerSecurityContext:
    readOnlyRootFilesystem: true
  volumes:
    - name: cmp-kustomize-build-with-helm
      configMap:
        name: argocd-cmp-cm
    - name: cmp-tmp
      emptyDir: { }
  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      memory: 2Gi
 applicationSet:
  replicas: 2
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  resources:
    requests:
      cpu: 50m
      memory: 64Mi
    limits:
      memory: 1Gi
 notifications:
  enabled: false
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  resources:
    requests:
      cpu: 100m
      memory: 64Mi
    limits:
      cpu: 1000m
      memory: 128Mi
--- a/02-k8s/infra/controllers/kustomization.yaml
+++ b/02-k8s/infra/controllers/kustomization.yaml
@@ -0,0 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 commonLabels:
  s5b.org: controllers
  app.kubernetes.io/managed-by: argocd
 resources:
  - project.yaml
  - application-set.yaml
--- a/02-k8s/infra/controllers/project.yaml
+++ b/02-k8s/infra/controllers/project.yaml
@@ -0,0 +1,18 @@
 apiVersion: argoproj.io/v1alpha1
 kind: AppProject
 metadata:
  name: controllers
  namespace: argocd
 spec:
  sourceRepos:
    - 'https://git.straubintra.net/s5b-private/k8s/'
  destinations:
    - namespace: 'argocd'
      server: '*'
    - namespace: 'kube-system'
      server: '*'
    - namespace: 'sealed-secrets'
      server: '*'
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
--- a/02-k8s/infra/controllers/sealed-secrets/kustomization.yaml
+++ b/02-k8s/infra/controllers/sealed-secrets/kustomization.yaml
@@ -0,0 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 helmCharts:
  - name: sealed-secrets
    repo: oci://registry-1.docker.io/bitnamicharts
    version: 2.17.4
    releaseName: sealed-secrets-controller
    namespace: sealed-secrets
    includeCRDs: true
    valuesFile: values.yaml
--- a/02-k8s/infra/controllers/sealed-secrets/values.yaml
+++ b/02-k8s/infra/controllers/sealed-secrets/values.yaml
@@ -0,0 +1,10 @@
 namespace: sealed-secrets
 keyrenewperiod: 8766h # ~ 1 year
 resources:
  limits:
    cpu: 100m
    memory: 64Mi
  requests:
    cpu: 10m
    memory: 32Mi
--- a/02-k8s/infra/kustomization.yaml
+++ b/02-k8s/infra/kustomization.yaml
@@ -0,0 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 commonLabels:
  s5b.org: infrastructure
  app.kubernetes.io/managed-by: argocd
 resources:
  - project.yaml
  - application-set.yaml
--- a/02-k8s/infra/project.yaml
+++ b/02-k8s/infra/project.yaml
@@ -0,0 +1,16 @@
 apiVersion: argoproj.io/v1alpha1
 kind: AppProject
 metadata:
  name: infrastructure
  namespace: argocd
 spec:
  sourceRepos:
    - 'https://git.straubintra.net/s5b-private/k8s/'
  destinations:
    - namespace: 'kube-system'
      server: '*'
    - namespace: 'argocd'
      server: '*'
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
--- a/00-infrastructure/01-tofu/get_cilium_cli.sh
+++ b/00-infrastructure/01-tofu/get_cilium_cli.sh
@@ -27,3 +27,8 @@ sha256sum --check hubble-linux-${HUBBLE_ARCH}.tar.gz.sha256sum
 sudo tar xzvfC hubble-linux-${HUBBLE_ARCH}.tar.gz /usr/local/bin
 rm hubble-linux-${HUBBLE_ARCH}.tar.gz{,.sha256sum}
 # Install kustomize
 brew install kustomize
 # Install kubeseal
 brew install kubeseal