configure argocd project for infra and infra/controllers

.gitignore

@@ -1,6 +1,9 @@
 # EnvRC files contain secrets that must not be checked in
 .envrc
 
+# Kustomize artifacts
+**/charts
+
 # OpenTofu working files
 .terraform*
 output/

00-infrastructure/01-tofu/talos/inline-manifests/argocd_install.yaml

@@ -28,24 +28,24 @@ kind: ServiceAccount
 metadata:
   name: argocd-installer
   namespace: kube-system
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: argocd-installer
-  namespace: kube-system
-spec:
-  template:
-    spec:
-      serviceAccountName: argocd-installer
-      containers:
-      - name: installer
-        image: bitnami/kubectl:latest
-        command:
-        - /bin/sh
-        - -c
-        - |
-          kubectl apply -n argocd -f https://git.straubintra.net/marcel/argo-cd/raw/tag/stable/manifests/ha/install.yaml
-      restartPolicy: OnFailure
-  backoffLimit: 3
+# ---
+# apiVersion: batch/v1
+# kind: Job
+# metadata:
+#   name: argocd-installer
+#   namespace: kube-system
+# spec:
+#   template:
+#     spec:
+#       serviceAccountName: argocd-installer
+#       containers:
+#       - name: installer
+#         image: bitnami/kubectl:latest
+#         command:
+#         - /bin/sh
+#         - -c
+#         - |
+#           kubectl apply -n argocd -f https://git.straubintra.net/marcel/argo-cd/raw/tag/stable/manifests/ha/install.yaml
+#       restartPolicy: OnFailure
+#   backoffLimit: 3
 

00-infrastructure/01-tofu/talos_cluster.auto.tfvars

@@ -29,5 +29,6 @@ talos_cluster_config  = {
       "mcr.microsoft.com" = "https://harbor.prod.eis-mk8.de.s5b.org/v2/proxy-mcr.microsoft.com"
       "quay.io" = "https://harbor.prod.eis-mk8.de.s5b.org/v2/proxy-quay.io"
       "public.ecr.aws" = "https://harbor.prod.eis-mk8.de.s5b.org/v2/proxy-public.ecr.aws"
+      "ecr-public.aws.com" = "https://harbor.prod.eis-mk8.de.s5b.org/v2/proxy-public.ecr.aws"
     }
 }

02-k8s/README.md

@@ -0,0 +1,13 @@
+# Kubernetes Setup
+
+## Bootstrapping
+
+### 1. Deploy Cluster
+
+Follow documentation at [Deploy Kubernetes Cluster](../00-infrastructure/01-tofu/README.md).
+
+### 2. Deploy Argo CD
+
+```shell
+kustomize build --enable-helm infra/controllers/argocd | kubectl apply -f -
+```

02-k8s/infra/application-set.yaml

@@ -0,0 +1,32 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: infrastructure
+  namespace: argocd
+  labels:
+    dev.stonegarden: infrastructure
+spec:
+  generators:
+    - git:
+        repoURL: https://git.straubintra.net/s5b-private/k8s/
+        revision: HEAD
+        directories:
+          - path: 02-k8s/infra/*
+  template:
+    metadata:
+      name: '{{ path.basename }}'
+      labels:
+        dev.stonegarden: infrastructure
+    spec:
+      project: infrastructure
+      source:
+        repoURL: https://git.straubintra.net/s5b-private/k8s/
+        targetRevision: HEAD
+        path: '{{ path }}'
+      destination:
+        name: in-cluster
+        namespace: argocd
+      syncPolicy:
+        automated:
+          selfHeal: true
+          prune: true

02-k8s/infra/controllers/application-set.yaml

@@ -0,0 +1,34 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: controllers
+  namespace: argocd
+  labels:
+    s5b.org: controllers
+spec:
+  generators:
+    - git:
+        repoURL: https://git.straubintra.net/s5b-private/k8s/
+        revision: HEAD
+        directories:
+          - path: 02-k8s/infra/controllers/*
+  template:
+    metadata:
+      name: '{{ path.basename }}'
+      labels:
+        s5b.org: controllers
+    spec:
+      project: controllers
+      source:
+        repoURL: https://git.straubintra.net/s5b-private/k8s/
+        targetRevision: HEAD
+        path: '{{ path }}'
+      destination:
+        name: in-cluster
+        namespace: argocd
+      syncPolicy:
+        automated:
+          selfHeal: true
+          prune: true
+        syncOptions:
+          - ServerSideApply=true

02-k8s/infra/controllers/argocd/README.md

@@ -0,0 +1 @@
+# ArgoCD

02-k8s/infra/controllers/argocd/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ns.yaml
+
+helmCharts:
+  - name: argo-cd
+    repo: https://argoproj.github.io/argo-helm
+    version: 8.3.5
+    releaseName: "argocd"
+    namespace: argocd
+    valuesFile: values.yaml

02-k8s/infra/controllers/argocd/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: argocd

02-k8s/infra/controllers/argocd/values.yaml

@@ -0,0 +1,125 @@
+# https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml
+global:
+  domain: https://gitops.prod.k8.eis-mk8.de.s5b.org
+
+configs:
+  cm:
+    create: true
+    application.resourceTrackingMethod: annotation+label
+    admin.enabled: true
+    kustomize.buildOptions: --enable-helm
+    # url: https://gitops.prod.k8.eis-mk8.de.s5b.org
+      
+
+  cmp:
+    create: true
+  params:
+    controller.diff.server.side: true
+    server.insecure: false
+
+crds:
+  install: true
+  # -- Keep CRDs on chart uninstall
+  keep: false
+
+controller:
+  replicas: 1
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  resources:
+    requests:
+      cpu: 100m
+      memory: 700Mi
+    limits:
+      memory: 4Gi
+
+dex:
+  enabled: false
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  resources:
+    requests:
+      cpu: 10m
+      memory: 32Mi
+    limits:
+      memory: 128Mi
+
+redis-ha:
+  enabled: true
+
+redis:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  resources:
+    requests:
+      cpu: 100m
+      memory: 64Mi
+    limits:
+      memory: 1Gi
+
+server:
+  replicas: 2
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  resources:
+    requests:
+      cpu: 50m
+      memory: 64Mi
+    limits:
+      memory: 1Gi
+
+repoServer:
+  replicas: 2
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  containerSecurityContext:
+    readOnlyRootFilesystem: true
+  volumes:
+    - name: cmp-kustomize-build-with-helm
+      configMap:
+        name: argocd-cmp-cm
+    - name: cmp-tmp
+      emptyDir: { }
+  resources:
+    requests:
+      cpu: 100m
+      memory: 256Mi
+    limits:
+      memory: 2Gi
+
+applicationSet:
+  replicas: 2
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  resources:
+    requests:
+      cpu: 50m
+      memory: 64Mi
+    limits:
+      memory: 1Gi
+
+notifications:
+  enabled: false
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  resources:
+    requests:
+      cpu: 100m
+      memory: 64Mi
+    limits:
+      cpu: 1000m
+      memory: 128Mi

02-k8s/infra/controllers/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+  s5b.org: controllers
+  app.kubernetes.io/managed-by: argocd
+
+resources:
+  - project.yaml
+  - application-set.yaml

02-k8s/infra/controllers/project.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: controllers
+  namespace: argocd
+spec:
+  sourceRepos:
+    - 'https://git.straubintra.net/s5b-private/k8s/'
+  destinations:
+    - namespace: 'argocd'
+      server: '*'
+    - namespace: 'kube-system'
+      server: '*'
+    - namespace: 'sealed-secrets'
+      server: '*'
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'

02-k8s/infra/controllers/sealed-secrets/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+helmCharts:
+  - name: sealed-secrets
+    repo: oci://registry-1.docker.io/bitnamicharts
+    version: 2.17.4
+    releaseName: sealed-secrets-controller
+    namespace: sealed-secrets
+    includeCRDs: true
+    valuesFile: values.yaml

02-k8s/infra/controllers/sealed-secrets/values.yaml

@@ -0,0 +1,10 @@
+namespace: sealed-secrets
+keyrenewperiod: 8766h # ~ 1 year
+
+resources:
+  limits:
+    cpu: 100m
+    memory: 64Mi
+  requests:
+    cpu: 10m
+    memory: 32Mi

02-k8s/infra/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+  s5b.org: infrastructure
+  app.kubernetes.io/managed-by: argocd
+
+resources:
+  - project.yaml
+  - application-set.yaml

02-k8s/infra/project.yaml

@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: infrastructure
+  namespace: argocd
+spec:
+  sourceRepos:
+    - 'https://git.straubintra.net/s5b-private/k8s/'
+  destinations:
+    - namespace: 'kube-system'
+      server: '*'
+    - namespace: 'argocd'
+      server: '*'
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'

install_clis.sh

@@ -27,3 +27,8 @@ sha256sum --check hubble-linux-${HUBBLE_ARCH}.tar.gz.sha256sum
 sudo tar xzvfC hubble-linux-${HUBBLE_ARCH}.tar.gz /usr/local/bin
 rm hubble-linux-${HUBBLE_ARCH}.tar.gz{,.sha256sum}
 
+# Install kustomize
+brew install kustomize
+
+# Install kubeseal
+brew install kubeseal