initial network argocd project

Co-authored-by: Marcel Straub <m@straubs.eu>
Reviewed-on: #8

02-k8s/.gitignore

@@ -0,0 +1,3 @@
+# Kube Seal backup
+kubeseal.cert
+kubeseal.key

02-k8s/README.md

@@ -14,6 +14,12 @@ Deployment of ArgoCD itself:
 kustomize build --enable-helm infra/controllers/argocd | kubectl apply -f -
 ```
 
+You can uninstall it with the command
+
+```shell
+kustomize build --enable-helm infra/controllers/argocd | kubectl delete -f -
+```
+
 Configure ArgoCD to pull our setup from this repo:
 
 ```shell
@@ -34,4 +40,19 @@ kubectl port-forward svc/argocd-server -n argocd 8080:443
 1. CLI Login with previously retrieved password and username ``admin``:
 ```shell
 argocd login localhost:8080 --insecure
+```
+
+## Other
+
+### What's keepign a namespace in state deleting?
+
+```shell
+kubectl api-resources --verbs=list --namespaced -o name \
+  | xargs -n 1 kubectl get --show-kind --ignore-not-found -n argocd
+```
+
+### Delete ArgoCD applications stuck in dependencies
+
+```shell
+kubectl -nargocd patch applications/controllers  -p '{"metadata": {"finalizers": null}}' --type merge
 ```

02-k8s/fetch_kubeseal_certs.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/bash
+
+rm kubeseal.cert kubeseal.key 2> /dev/null
+
+# public cert
+(umask 0077 && kubeseal --controller-namespace=sealed-secrets --fetch-cert > kubeseal.cert)
+
+# full cert backup
+(umask 0077 && kubectl get secret -n sealed-secrets -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > kubeseal.key)

02-k8s/infra/application-set.yaml

@@ -4,7 +4,7 @@ metadata:
   name: infrastructure
   namespace: argocd
   labels:
-    dev.stonegarden: infrastructure
+    s5b.org: infrastructure
 spec:
   generators:
     - git:
@@ -16,7 +16,7 @@ spec:
     metadata:
       name: '{{ path.basename }}'
       labels:
-        dev.stonegarden: infrastructure
+        s5b.org: infrastructure
     spec:
       project: infrastructure
       source:

02-k8s/infra/controllers/argocd/values.yaml

@@ -7,12 +7,9 @@ configs:
     create: true
     application.resourceTrackingMethod: annotation+label
     admin.enabled: true
-    kustomize.buildOptions: --enable-helm
+    kustomize.buildOptions: "--enable-helm --load-restrictor LoadRestrictionsNone --enable-alpha-plugins --enable-exec"
     # url: https://gitops.prod.k8.eis-mk8.de.s5b.org
-      
 
-  cmp:
-    create: true
   params:
     controller.diff.server.side: true
     server.insecure: false
@@ -84,12 +81,6 @@ repoServer:
       enabled: true
   containerSecurityContext:
     readOnlyRootFilesystem: true
-  volumes:
-    - name: cmp-kustomize-build-with-helm
-      configMap:
-        name: argocd-cmp-cm
-    - name: cmp-tmp
-      emptyDir: { }
   resources:
     requests:
       cpu: 100m

02-k8s/infra/controllers/sealed-secrets/kustomization.yaml

@@ -1,10 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
+resources:
+  - ns.yaml
+
 helmCharts:
   - name: sealed-secrets
     repo: oci://registry-1.docker.io/bitnamicharts
-    version: 2.17.4
+    version: 2.5.19
     releaseName: sealed-secrets-controller
     namespace: sealed-secrets
     includeCRDs: true

02-k8s/infra/controllers/sealed-secrets/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: sealed-secrets

02-k8s/infra/network/application-set.yaml

@@ -0,0 +1,34 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: network
+  namespace: argocd
+  labels:
+    s5b.org: network
+spec:
+  generators:
+    - git:
+        repoURL: https://git.straubintra.net/s5b-public/k8s.git
+        revision: HEAD
+        directories:
+          - path: 02-k8s/infra/network/*
+  template:
+    metadata:
+      name: '{{ path.basename }}'
+      labels:
+        s5b.org: network
+    spec:
+      project: network
+      source:
+        repoURL: https://git.straubintra.net/s5b-public/k8s.git
+        targetRevision: HEAD
+        path: '{{ path }}'
+      destination:
+        name: in-cluster
+        namespace: argocd
+      syncPolicy:
+        automated:
+          selfHeal: true
+          prune: true
+        syncOptions:
+          - ServerSideApply=true

02-k8s/infra/network/cilium/announce.yaml

@@ -0,0 +1,8 @@
+apiVersion: cilium.io/v2alpha1
+kind: CiliumL2AnnouncementPolicy
+metadata:
+  name: default-l2-announcement-policy
+  namespace: kube-system
+spec:
+  externalIPs: true
+  loadBalancerIPs: true

02-k8s/infra/network/cilium/ip-pool.yaml

@@ -0,0 +1,8 @@
+apiVersion: cilium.io/v2
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: internal-v4
+spec:
+  blocks:
+    - start: 10.51.10.64
+      stop: 10.51.10.71

02-k8s/infra/network/cilium/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - announce.yaml
+  - ip-pool.yaml
+
+helmCharts:
+  - name: cilium
+    repo: https://helm.cilium.io
+    version: 1.18.0 # renovate: github-releases=cilium/cilium
+    releaseName: "cilium"
+    includeCRDs: true
+    namespace: kube-system
+    valuesFile: values.yaml

02-k8s/infra/network/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+  s5b.org: network
+  app.kubernetes.io/managed-by: argocd
+
+resources:
+  - project.yaml
+  - application-set.yaml

02-k8s/infra/network/project.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: network
+  namespace: argocd
+spec:
+  sourceRepos:
+    - 'https://git.straubintra.net/s5b-public/k8s.git'
+  destinations:
+    - namespace: 'argocd'
+      server: '*'
+    - namespace: 'kube-system'
+      server: '*'
+    - namespace: 'cilium-secrets'
+      server: '*'
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'