s5b-public/k8s
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: s5b-public:feature/sealed-secrets
Branches Tags
s5b-public:main s5b-public:docs/howto-bootstrap-cluster s5b-public:feature/cilium-ipv6 s5b-public:feature/fix-cilium-network s5b-public:feature/argocd-network s5b-public:feature/kubeseal-config s5b-public:fix/sealed-secrets-ns s5b-public:fixing/argocd-part-3 s5b-public:fixing/argocd-part-2 s5b-public:feature/sealed-secrets
...
pull from: s5b-public:feature/argocd-network
Branches Tags
s5b-public:docs/howto-bootstrap-cluster s5b-public:feature/cilium-ipv6 s5b-public:feature/fix-cilium-network s5b-public:main s5b-public:feature/argocd-network s5b-public:feature/kubeseal-config s5b-public:fix/sealed-secrets-ns s5b-public:fixing/argocd-part-3 s5b-public:fixing/argocd-part-2 s5b-public:feature/sealed-secrets

9 Commits
feature/se ... feature/ar

Author SHA1 Message Date
Marcel Straub
bbb52178c2 initial network argocd project 2025-09-07 16:04:30 +02:00
Marcel Straub
b3b4bb6361 Define kustomize config for Cilium inlcuding an L2 load balancer pool (#8) 
Co-authored-by: Marcel Straub <m@straubs.eu>
Reviewed-on: #8
 2025-09-07 15:58:09 +02:00
Marcel Straub
0bf1a4b536 Added small shell tool for fetching certs of SealedSecrets for backup purpose (#7) 
Co-authored-by: Marcel Straub <m@straubs.eu>
Reviewed-on: #7
 2025-09-07 15:49:23 +02:00
Marcel Straub
456692fae3 Added creation of sealed-secrets namespace (#6) 
Co-authored-by: Marcel Straub <m@straubs.eu>
Reviewed-on: #6
 2025-09-07 15:30:33 +02:00
Marcel Straub
daa76476a1 Sealed secrets, correct helm-chart version (#5) 
Co-authored-by: Marcel Straub <m@straubs.eu>
Reviewed-on: #5
 2025-09-07 15:27:13 +02:00
Marcel Straub
5d758337fd Try other kustomiz.buildOptions for ArgoCd (#4) 
Co-authored-by: Marcel Straub <m@straubs.eu>
Reviewed-on: #4
 2025-09-07 15:19:53 +02:00
Marcel Straub
1a685314be Try fixing ArgoCD with Helm+Kustomize (#3) 
Co-authored-by: Marcel Straub <m@straubs.eu>
Reviewed-on: #3
 2025-09-07 11:51:36 +02:00
Marcel Straub
1c2ed174cf Fixing ArgoCD by moving to right repository 
Co-authored-by: Marcel Straub <m@straubs.eu>
Reviewed-on: #2
 2025-09-07 11:32:40 +02:00
Marcel Straub
04cede6f11 Rebuild ArgoCD deployment by example on sealed-secrets 
-

Co-authored-by: Marcel Straub <m@straubs.eu>
Reviewed-on: #1
 2025-09-07 11:08:10 +02:00
26 changed files with 471 additions and 20 deletions
Expand all files Collapse all files

3
.gitignore vendored
View File

@@ -1,6 +1,9 @@
# EnvRC files contain secrets that must not be checked in
.envrc
# Kustomize artifacts
**/charts
# OpenTofu working files
.terraform*
output/

40
00-infrastructure/01-tofu/talos/inline-manifests/argocd_install.yaml
View File

@@ -28,24 +28,24 @@ kind: ServiceAccount
metadata:
name: argocd-installer
namespace: kube-system
---
apiVersion: batch/v1
kind: Job
metadata:
name: argocd-installer
namespace: kube-system
spec:
template:
spec:
serviceAccountName: argocd-installer
containers:
- name: installer
image: bitnami/kubectl:latest
command:
- /bin/sh
- -c
- |
kubectl apply -n argocd -f https://git.straubintra.net/marcel/argo-cd/raw/tag/stable/manifests/ha/install.yaml
restartPolicy: OnFailure
backoffLimit: 3
# ---
# apiVersion: batch/v1
# kind: Job
# metadata:
# name: argocd-installer
# namespace: kube-system
# spec:
# template:
# spec:
# serviceAccountName: argocd-installer
# containers:
# - name: installer
# image: bitnami/kubectl:latest
# command:
# - /bin/sh
# - -c
# - |
# kubectl apply -n argocd -f https://git.straubintra.net/marcel/argo-cd/raw/tag/stable/manifests/ha/install.yaml
# restartPolicy: OnFailure
# backoffLimit: 3

1
00-infrastructure/01-tofu/talos_cluster.auto.tfvars
View File

@@ -29,5 +29,6 @@ talos_cluster_config = {
"mcr.microsoft.com" = "https://harbor.prod.eis-mk8.de.s5b.org/v2/proxy-mcr.microsoft.com"
"quay.io" = "https://harbor.prod.eis-mk8.de.s5b.org/v2/proxy-quay.io"
"public.ecr.aws" = "https://harbor.prod.eis-mk8.de.s5b.org/v2/proxy-public.ecr.aws"
"ecr-public.aws.com" = "https://harbor.prod.eis-mk8.de.s5b.org/v2/proxy-public.ecr.aws"
}
}

3
02-k8s/.gitignore vendored Normal file
View File

@@ -0,0 +1,3 @@
# Kube Seal backup
kubeseal.cert
kubeseal.key

58
02-k8s/README.md Normal file
View File

@@ -0,0 +1,58 @@
# Kubernetes Setup
## Bootstrapping
### 1. Deploy Cluster
Follow documentation at [Deploy Kubernetes Cluster](../00-infrastructure/01-tofu/README.md).
### 2. Deploy Argo CD
Deployment of ArgoCD itself:
```shell
kustomize build --enable-helm infra/controllers/argocd | kubectl apply -f -
```
You can uninstall it with the command
```shell
kustomize build --enable-helm infra/controllers/argocd | kubectl delete -f -
```
Configure ArgoCD to pull our setup from this repo:
```shell
kubectl apply -k infra
```
#### Temporary legacy admin user
Configure Admin users:
1. Get random password:
```shell
argocd admin initial-password -n argocd
```
1. Establish UI forward:
```shell
kubectl port-forward svc/argocd-server -n argocd 8080:443
```
1. CLI Login with previously retrieved password and username ``admin``:
```shell
argocd login localhost:8080 --insecure
```
## Other
### What's keepign a namespace in state deleting?
```shell
kubectl api-resources --verbs=list --namespaced -o name \
| xargs -n 1 kubectl get --show-kind --ignore-not-found -n argocd
```
### Delete ArgoCD applications stuck in dependencies
```shell
kubectl -nargocd patch applications/controllers -p '{"metadata": {"finalizers": null}}' --type merge
```

9
02-k8s/fetch_kubeseal_certs.sh Executable file
View File

@@ -0,0 +1,9 @@
#!/usr/bin/bash
rm kubeseal.cert kubeseal.key 2> /dev/null
# public cert
(umask 0077 && kubeseal --controller-namespace=sealed-secrets --fetch-cert > kubeseal.cert)
# full cert backup
(umask 0077 && kubectl get secret -n sealed-secrets -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > kubeseal.key)

32
02-k8s/infra/application-set.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: infrastructure
namespace: argocd
labels:
s5b.org: infrastructure
spec:
generators:
- git:
repoURL: https://git.straubintra.net/s5b-public/k8s.git
revision: HEAD
directories:
- path: 02-k8s/infra/*
template:
metadata:
name: '{{ path.basename }}'
labels:
s5b.org: infrastructure
spec:
project: infrastructure
source:
repoURL: https://git.straubintra.net/s5b-public/k8s.git
targetRevision: HEAD
path: '{{ path }}'
destination:
name: in-cluster
namespace: argocd
syncPolicy:
automated:
selfHeal: true
prune: true

34
02-k8s/infra/controllers/application-set.yaml Normal file
View File

@@ -0,0 +1,34 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: controllers
namespace: argocd
labels:
s5b.org: controllers
spec:
generators:
- git:
repoURL: https://git.straubintra.net/s5b-public/k8s.git
revision: HEAD
directories:
- path: 02-k8s/infra/controllers/*
template:
metadata:
name: '{{ path.basename }}'
labels:
s5b.org: controllers
spec:
project: controllers
source:
repoURL: https://git.straubintra.net/s5b-public/k8s.git
targetRevision: HEAD
path: '{{ path }}'
destination:
name: in-cluster
namespace: argocd
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- ServerSideApply=true

1
02-k8s/infra/controllers/argocd/README.md Normal file
View File

@@ -0,0 +1 @@
# ArgoCD

13
02-k8s/infra/controllers/argocd/kustomization.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ns.yaml
helmCharts:
- name: argo-cd
repo: https://argoproj.github.io/argo-helm
version: 8.3.5
releaseName: "argocd"
namespace: argocd
valuesFile: values.yaml

4
02-k8s/infra/controllers/argocd/ns.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: argocd

116
02-k8s/infra/controllers/argocd/values.yaml Normal file
View File

@@ -0,0 +1,116 @@
# https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml
global:
domain: https://gitops.prod.k8.eis-mk8.de.s5b.org
configs:
cm:
create: true
application.resourceTrackingMethod: annotation+label
admin.enabled: true
kustomize.buildOptions: "--enable-helm --load-restrictor LoadRestrictionsNone --enable-alpha-plugins --enable-exec"
# url: https://gitops.prod.k8.eis-mk8.de.s5b.org
params:
controller.diff.server.side: true
server.insecure: false
crds:
install: true
# -- Keep CRDs on chart uninstall
keep: false
controller:
replicas: 1
metrics:
enabled: true
serviceMonitor:
enabled: true
resources:
requests:
cpu: 100m
memory: 700Mi
limits:
memory: 4Gi
dex:
enabled: false
metrics:
enabled: true
serviceMonitor:
enabled: true
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
memory: 128Mi
redis-ha:
enabled: true
redis:
metrics:
enabled: true
serviceMonitor:
enabled: true
resources:
requests:
cpu: 100m
memory: 64Mi
limits:
memory: 1Gi
server:
replicas: 2
metrics:
enabled: true
serviceMonitor:
enabled: true
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
memory: 1Gi
repoServer:
replicas: 2
metrics:
enabled: true
serviceMonitor:
enabled: true
containerSecurityContext:
readOnlyRootFilesystem: true
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 2Gi
applicationSet:
replicas: 2
metrics:
enabled: true
serviceMonitor:
enabled: true
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
memory: 1Gi
notifications:
enabled: false
metrics:
enabled: true
serviceMonitor:
enabled: true
resources:
requests:
cpu: 100m
memory: 64Mi
limits:
cpu: 1000m
memory: 128Mi

9
02-k8s/infra/controllers/kustomization.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
s5b.org: controllers
app.kubernetes.io/managed-by: argocd
resources:
- project.yaml
- application-set.yaml

18
02-k8s/infra/controllers/project.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: controllers
namespace: argocd
spec:
sourceRepos:
- 'https://git.straubintra.net/s5b-public/k8s.git'
destinations:
- namespace: 'argocd'
server: '*'
- namespace: 'kube-system'
server: '*'
- namespace: 'sealed-secrets'
server: '*'
clusterResourceWhitelist:
- group: '*'
kind: '*'

14
02-k8s/infra/controllers/sealed-secrets/kustomization.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ns.yaml
helmCharts:
- name: sealed-secrets
repo: oci://registry-1.docker.io/bitnamicharts
version: 2.5.19
releaseName: sealed-secrets-controller
namespace: sealed-secrets
includeCRDs: true
valuesFile: values.yaml

4
02-k8s/infra/controllers/sealed-secrets/ns.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: sealed-secrets

10
02-k8s/infra/controllers/sealed-secrets/values.yaml Normal file
View File

@@ -0,0 +1,10 @@
namespace: sealed-secrets
keyrenewperiod: 8766h # ~ 1 year
resources:
limits:
cpu: 100m
memory: 64Mi
requests:
cpu: 10m
memory: 32Mi

9
02-k8s/infra/kustomization.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
s5b.org: infrastructure
app.kubernetes.io/managed-by: argocd
resources:
- project.yaml
- application-set.yaml

34
02-k8s/infra/network/application-set.yaml Normal file
View File

@@ -0,0 +1,34 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: network
namespace: argocd
labels:
s5b.org: network
spec:
generators:
- git:
repoURL: https://git.straubintra.net/s5b-public/k8s.git
revision: HEAD
directories:
- path: 02-k8s/infra/network/*
template:
metadata:
name: '{{ path.basename }}'
labels:
s5b.org: network
spec:
project: network
source:
repoURL: https://git.straubintra.net/s5b-public/k8s.git
targetRevision: HEAD
path: '{{ path }}'
destination:
name: in-cluster
namespace: argocd
syncPolicy:
automated:
selfHeal: true
prune: true
syncOptions:
- ServerSideApply=true

8
02-k8s/infra/network/cilium/announce.yaml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: cilium.io/v2alpha1
kind: CiliumL2AnnouncementPolicy
metadata:
name: default-l2-announcement-policy
namespace: kube-system
spec:
externalIPs: true
loadBalancerIPs: true

8
02-k8s/infra/network/cilium/ip-pool.yaml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: cilium.io/v2
kind: CiliumLoadBalancerIPPool
metadata:
name: internal-v4
spec:
blocks:
- start: 10.51.10.64
stop: 10.51.10.71

15
02-k8s/infra/network/cilium/kustomization.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- announce.yaml
- ip-pool.yaml
helmCharts:
- name: cilium
repo: https://helm.cilium.io
version: 1.18.0 # renovate: github-releases=cilium/cilium
releaseName: "cilium"
includeCRDs: true
namespace: kube-system
valuesFile: values.yaml

9
02-k8s/infra/network/kustomization.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
s5b.org: network
app.kubernetes.io/managed-by: argocd
resources:
- project.yaml
- application-set.yaml

18
02-k8s/infra/network/project.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: network
namespace: argocd
spec:
sourceRepos:
- 'https://git.straubintra.net/s5b-public/k8s.git'
destinations:
- namespace: 'argocd'
server: '*'
- namespace: 'kube-system'
server: '*'
- namespace: 'cilium-secrets'
server: '*'
clusterResourceWhitelist:
- group: '*'
kind: '*'

16
02-k8s/infra/project.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: infrastructure
namespace: argocd
spec:
sourceRepos:
- 'https://git.straubintra.net/s5b-public/k8s.git'
destinations:
- namespace: 'kube-system'
server: '*'
- namespace: 'argocd'
server: '*'
clusterResourceWhitelist:
- group: '*'
kind: '*'

5
00-infrastructure/01-tofu/get_cilium_cli.sh → install_clis.sh
View File

@@ -27,3 +27,8 @@ sha256sum --check hubble-linux-${HUBBLE_ARCH}.tar.gz.sha256sum
sudo tar xzvfC hubble-linux-${HUBBLE_ARCH}.tar.gz /usr/local/bin
rm hubble-linux-${HUBBLE_ARCH}.tar.gz{,.sha256sum}
# Install kustomize
brew install kustomize
# Install kubeseal
brew install kubeseal