From 3b3fe1660abd1343bc55d0213f4141e89a8fa5a1 Mon Sep 17 00:00:00 2001
From: auricom <27022259+auricom@users.noreply.github.com>
Date: Sat, 8 Jul 2023 17:29:57 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=9A=80=20kubernetes-schemas?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/kubeconform.yaml | 14 +-
 .github/workflows/publish-schemas.yaml | 126 ++++++++++++++++++
 .../apps/actions-runner-system/namespace.yaml | 1 +
 .../default/kubernetes-schemas/app/README.md | 19 +++
 .../default/kubernetes-schemas/app/gatus.yaml | 22 +++
 .../kubernetes-schemas/app/helmrelease.yaml | 67 ++++++++++
 .../kubernetes-schemas/app/kustomization.yaml | 9 ++
 .../default/kubernetes-schemas/app/rbac.yaml | 41 ++++++
 .../apps/default/kubernetes-schemas/ks.yaml | 19 +++
 kubernetes/apps/default/kustomization.yaml | 1 +
 10 files changed, 311 insertions(+), 8 deletions(-)
 create mode 100644 .github/workflows/publish-schemas.yaml
 create mode 100644 kubernetes/apps/default/kubernetes-schemas/app/README.md
 create mode 100644 kubernetes/apps/default/kubernetes-schemas/app/gatus.yaml
 create mode 100644 kubernetes/apps/default/kubernetes-schemas/app/helmrelease.yaml
 create mode 100644 kubernetes/apps/default/kubernetes-schemas/app/kustomization.yaml
 create mode 100644 kubernetes/apps/default/kubernetes-schemas/app/rbac.yaml
 create mode 100644 kubernetes/apps/default/kubernetes-schemas/ks.yaml
diff --git a/.github/workflows/kubeconform.yaml b/.github/workflows/kubeconform.yaml
index fa0e95a8f..2c88141ef 100644
--- a/.github/workflows/kubeconform.yaml
+++ b/.github/workflows/kubeconform.yaml
@@ -3,9 +3,6 @@ name: "Kubeconform"
on: workflow_dispatch: - push: - branches: ["main"] - paths: ["kubernetes/**"] pull_request: branches: ["main"] paths: ["kubernetes/**"]
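Review bot: With the `push` trigger removed, kubeconform runs only for pull requests and manual dispatch, so a commit pushed straight to `main` (or a PR merged after the schema artifact moved) is never validated on the branch Flux reconciles from. If the intent is to avoid a duplicate run per PR, a comment on `on:` recording that `main` is only validated pre-merge would make that explicit; otherwise the old `push:` block, already filtered to `paths: ["kubernetes/**"]`, costs one run per merge. The `on:` block may continue past the end of the hunk.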
@@ -35,15 +32,16 @@ jobs:
uses: Homebrew/actions/setup-homebrew@master - name: Setup Tools - run: | - brew install fluxcd/tap/flux kubeconform kustomize + shell: bash + run: brew install fluxcd/tap/flux kubeconform kustomize - name: Download CRDs + shell: bash run: | mkdir -p ${{ env.SCHEMA_DIR }} - flux pull artifact oci://ghcr.io/onedr0p/kubernetes-schemas-oci:latest \ + flux pull artifact oci://ghcr.io/auricom/manifests/kubernetes-schemas:latest \ --output=${{ env.SCHEMA_DIR }} - name: Run kubeconform - run: | - bash ./.github/scripts/kubeconform.sh ${{ env.KUBERNETES_DIR }} ${{ env.SCHEMA_DIR }} + shell: bash + run: bash ./.github/scripts/kubeconform.sh ${{ env.KUBERNETES_DIR }} ${{ env.SCHEMA_DIR }}
diff --git a/.github/workflows/publish-schemas.yaml b/.github/workflows/publish-schemas.yaml
new file mode 100644
index 000000000..51f6be0e3
--- /dev/null
+++ b/.github/workflows/publish-schemas.yaml
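Review bot: The Download CRDs step pulls `oci://ghcr.io/auricom/manifests/kubernetes-schemas:latest`, but the publish-schemas workflow added in this commit pushes that artifact under the short commit SHA and then tags it `main`, never `latest`, so unless the `latest` tag is created elsewhere this pull fails on first run. Referencing `:main` (or, better, a digest) would match what is actually published and keep the validation baseline explicit; `latest` is also a mutable tag, so a PR run is not reproducible against a fixed schema set. The job header and the `env:` that defines `SCHEMA_DIR` sit outside the hunk.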
@@ -0,0 +1,126 @@
+---
+name: "Publish Schemas"
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "0 0 * * 0"
+ push:
+ branches: ["main"]
+ paths: [".github/workflows/publish-schemas.yaml"]
+
+jobs:
+ publish-manifests:
+ name: Publish Manifests
+ runs-on: ["arc-runner-set-home-ops"]
+ steps:
+ - name: Setup Flux
+ uses: fluxcd/flux2/action@9ea0a535eab2c99121fb3ac742e333b4a9f07970 # v2.0.0
+
+ - name: Setup Kube Tools
+ uses: yokawasa/action-setup-kube-tools@af4ebb1af1efd30c5bd84a2e9773355ad6362a33 # v0.9.3
+ with:
+ setup-tools: kubectl
+
+ - name: Setup Python
+ uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
+ with:
+ python-version: 3.x
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+ with:
+ registry: ghcr.io
+ username: "${{ github.actor }}"
+ password: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Setup crd-extractor
+ uses: robinraju/release-downloader@efa4cd07bd0195e6cc65e9e30c251b49ce4d3e51 # v1.8
+ with:
+ repository: datreeio/CRDs-catalog
+ latest: true
+ fileName: crd-extractor.zip
+
+ - name: Write kubeconfig
+ id: kubeconfig
+ uses: timheuer/base64-to-file@ca9e30baf83f7f26708fb0059af9a0973fe5f27e # v1.2
+ with:
+ encodedString: ${{ secrets.KUBECONFIG }}
+ fileName: kubeconfig
+
+ - name: Run crd-extractor
+ env:
+ KUBECONFIG: ${{ steps.kubeconfig.outputs.filePath }}
+ shell: bash
+ run: |
+ unzip -j $GITHUB_WORKSPACE/crd-extractor.zip -d $GITHUB_WORKSPACE
+ bash $GITHUB_WORKSPACE/crd-extractor.sh
+
+ - name: Generate tag
+ id: generate-tag
+ shell: bash
+ run: echo "tag=ghcr.io/${{ github.repository_owner }}/manifests/kubernetes-schemas:$(git rev-parse --short HEAD)" >> "${GITHUB_OUTPUT}"
+
+ - name: Publish manifests
+ shell: bash
+ run: |
+ flux push artifact oci://${{ steps.generate-tag.outputs.tag }} \
+ --path="/home/runner/.datree/crdSchemas" \
+ --source="${{ github.repositoryUrl }}" \
+ --revision="${{ github.ref_name }}@sha1:$(git rev-parse HEAD)"
+
+ - name: Tag manifests
+ shell: bash
+ run: flux tag artifact oci://${{ steps.generate-tag.outputs.tag }} --tag main
+
+ publish-web:
+ name: Publish Web
+ runs-on: ubuntu-latest
+ needs: ["publish-manifests"]
+ steps:
+ - name: Setup Flux
+ uses: fluxcd/flux2/action@9ea0a535eab2c99121fb3ac742e333b4a9f07970 # v2.0.0
+
+ - name: Setup QEMU
+ uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+
+ - name: Setup Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # v2.9.0
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+ with:
+ registry: ghcr.io
+ username: "${{ github.actor }}"
+ password: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Pull manifests
+ shell: bash
+ run: |
+ mkdir -p /home/runner/crdSchemas
+ flux pull artifact oci://ghcr.io/${{ github.repository_owner }}/manifests/kubernetes-schemas:$(git rev-parse --short HEAD) --output /home/runner/crdSchemas
+
+ - name: Write nginx-unprivileged Dockerfile
+ shell: bash
+ run: |
+ cat < /home/runner/crdSchemas/Dockerfile
+ FROM docker.io/nginxinc/nginx-unprivileged:latest
+ COPY --chown=nginx:nginx --chmod=755 . /usr/share/nginx/html
+ USER nginx
+ EOF
+
+ - name: Publish web container
+ uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
+ with:
+ context: /home/runner/crdSchemas
+ platforms: linux/amd64,linux/arm64
+ file: /home/runner/crdSchemas/Dockerfile
+ push: true
+ tags: |
+ ghcr.io/${{ github.repository_owner }}/kubernetes-schemas:latest
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ labels: |
+ org.opencontainers.image.source="${{ github.repositoryUrl }}"
+ org.opencontainers.image.authors="Auricom "
diff --git a/kubernetes/apps/actions-runner-system/namespace.yaml b/kubernetes/apps/actions-runner-system/namespace.yaml
index ba44452ed..3d901f626 100644
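Review bot: Neither job declares a `permissions:` block even though both log in to ghcr.io with `secrets.GITHUB_TOKEN` and push, so the token runs with the repository's default scope instead of the minimum; add at workflow or job level `permissions:` with `contents: read` and `packages: write`. The Setup crd-extractor step fetches `latest: true` from datreeio/CRDs-catalog and the next step executes `crd-extractor.sh` with the cluster kubeconfig in scope, so an upstream release change runs unreviewed code against the cluster; pinning the release (`tag:` instead of `latest: true`) keeps that under version control, the same way the action refs here are SHA-pinned. The generated Dockerfile builds from `nginx-unprivileged:latest` while the HelmRelease in this commit pins the resulting image by digest, so the digest moves on every weekly rebuild; pinning the base by digest would make the rebuild reproducible. As shown, the Write nginx-unprivileged Dockerfile step reads `cat < /home/runner/crdSchemas/Dockerfile` with a trailing `EOF`; if the heredoc operator was lost in rendering this is fine, otherwise the step fails on a nonexistent file.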
--- a/kubernetes/apps/actions-runner-system/namespace.yaml
+++ b/kubernetes/apps/actions-runner-system/namespace.yaml
@@ -5,3 +5,4 @@ metadata:
name: actions-runner-system labels: kustomize.toolkit.fluxcd.io/prune: disabled + pod-security.kubernetes.io/enforce: privileged
diff --git a/kubernetes/apps/default/kubernetes-schemas/app/README.md b/kubernetes/apps/default/kubernetes-schemas/app/README.md
new file mode 100644
index 000000000..8e44472f0
--- /dev/null
+++ b/kubernetes/apps/default/kubernetes-schemas/app/README.md
@@ -0,0 +1,19 @@
+extract_ca_crt_from_secret
+kubectl get secret kubernetes-schemas-sa -o json | jq -r '.data["ca.crt"]' | base64 -d > ca.crt
+
+get_user_token_from_secret
+USER_TOKEN=$(kubectl get secret kubernetes-schemas-sa -o json | jq -r '.data["token"]' | base64 -d)
+
+Create token
+context=$(kubectl config current-context)
+CLUSTER_NAME=$(kubectl config get-contexts "$context" | awk '{print $3}' | tail -n 1)
+ENDPOINT=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}")
+kubectl config set-cluster "${CLUSTER_NAME}" --kubeconfig=kubernetes-schemas-config --server="${ENDPOINT}" --certificate-authority="ca.crt" --embed-certs=true
+kubectl config set-credentials "kubernetes-schemas-default-${CLUSTER_NAME}" --kubeconfig="kubernetes-schemas-config" --token="${USER_TOKEN}"
+kubectl config set-context "kubernetes-schemas-default-${CLUSTER_NAME}" --kubeconfig="kubernetes-schemas-config" --cluster="${CLUSTER_NAME}" --user="kubernetes-schemas-default-${CLUSTER_NAME}" --namespace="default"
+kubectl config use-context "kubernetes-schemas-default-${CLUSTER_NAME}" --kubeconfig="kubernetes-schemas-config"
+
+# Test
+
+KUBECONFIG=kubernetes-schemas-config kubectl get pods --all-namespaces
+KUBECONFIG=kubernetes-schemas-config kubectl get crds
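Review bot: `pod-security.kubernetes.io/enforce: privileged` switches Pod Security admission off for the whole actions-runner-system namespace, so every runner pod, and anything else scheduled there, may run privileged or host-namespaced without being rejected. The commit does not say why; the publish-manifests job only needs kubectl and flux, so the need is presumably the runner's container mode rather than this workflow, and that reason belongs in a comment next to the label, e.g. `# runner pods need privileged; nothing else should be scheduled here`. Keeping `pod-security.kubernetes.io/warn: baseline` and `pod-security.kubernetes.io/audit: baseline` alongside it would keep violations visible in warnings and the audit log even though they are no longer enforced.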
diff --git a/kubernetes/apps/default/kubernetes-schemas/app/gatus.yaml b/kubernetes/apps/default/kubernetes-schemas/app/gatus.yaml
new file mode 100644
index 000000000..4f985f239
--- /dev/null
+++ b/kubernetes/apps/default/kubernetes-schemas/app/gatus.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kubernetes-schemas-gatus-ep
+ namespace: default
+ labels:
+ gatus.io/enabled: "true"
+data:
+ config.yaml: |
+ endpoints:
+ - name: kubernetes-schemas
+ group: external
+ url: https://kubernetes-schemas.${SECRET_CLUSTER_DOMAIN}
+ interval: 1m
+ client:
+ dns-resolver: tcp://1.1.1.1:53
+ insecure: true
+ conditions:
+ - "[STATUS] == 200"
+ alerts:
+ - type: pushover
diff --git a/kubernetes/apps/default/kubernetes-schemas/app/helmrelease.yaml b/kubernetes/apps/default/kubernetes-schemas/app/helmrelease.yaml
new file mode 100644
index 000000000..61f61d713
--- /dev/null
+++ b/kubernetes/apps/default/kubernetes-schemas/app/helmrelease.yaml
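Review bot: `insecure: true` disables TLS certificate verification for this check, so an expired or mis-issued certificate on `kubernetes-schemas.${SECRET_CLUSTER_DOMAIN}` still reports healthy; for an endpoint in the `external` group that is precisely the failure the probe is expected to surface. If the ingress serves a certificate the public resolver path can verify, drop the flag; if it is deliberate (for example a default certificate during bootstrap), add a comment saying so next to `insecure: true`. Resolving through `tcp://1.1.1.1:53` is presumably meant to exercise the public DNS record rather than in-cluster DNS, which is worth a one-line comment as well.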
@@ -0,0 +1,67 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: &app kubernetes-schemas
+ namespace: default
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 1.5.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ maxHistory: 2
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ uninstall:
+ keepHistory: false
+ values:
+ controller:
+ replicas: 2
+ strategy: RollingUpdate
+ image:
+ repository: ghcr.io/auricom/kubernetes-schemas
+ tag: latest@sha256:7b13c44208301bb787463b2f319cf43d3c67258e034a1dc6a53ec485923f0418
+ service:
+ main:
+ ports:
+ http:
+ port: 8080
+ ingress:
+ main:
+ enabled: true
+ ingressClassName: nginx
+ annotations:
+ external-dns.home.arpa/enabled: "true"
+ hosts:
+ - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: *app
+ resources:
+ requests:
+ cpu: 10m
+ memory: 50Mi
+ limits:
+ memory: 100Mi
diff --git a/kubernetes/apps/default/kubernetes-schemas/app/kustomization.yaml b/kubernetes/apps/default/kubernetes-schemas/app/kustomization.yaml
new file mode 100644
index 000000000..47b3ceb8c
--- /dev/null
+++ b/kubernetes/apps/default/kubernetes-schemas/app/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+ - ./helmrelease.yaml
+ - ./gatus.yaml
+ - ./rbac.yaml
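Review bot: The release exposes nginx beyond the cluster (the `external-dns.home.arpa/enabled` annotation and the `external` gatus group in this commit) but sets no `securityContext`, so the non-root behaviour is inherited from the `nginx-unprivileged` base image rather than enforced by the manifest; presumably via the chart's `securityContext` value (confirm against app-template 1.5.1), `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: { drop: [ALL] }` would pin it. The `tls:` entry lists a host but no `secretName`, so it relies on the ingress controller's default certificate, which is probably intended but worth a comment. The `$schema` comment still points at `kubernetes-schemas.devbu.io` while this commit stands up the repository's own schema host; that may be deliberate until the new host is populated, but a note would stop it from being "fixed" either way.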
diff --git a/kubernetes/apps/default/kubernetes-schemas/app/rbac.yaml b/kubernetes/apps/default/kubernetes-schemas/app/rbac.yaml
new file mode 100644
index 000000000..37a7562ec
--- /dev/null
+++ b/kubernetes/apps/default/kubernetes-schemas/app/rbac.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kubernetes-schemas
+ namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubernetes-schemas
+rules:
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubernetes-schemas
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kubernetes-schemas
+subjects:
+- kind: ServiceAccount
+ name: kubernetes-schemas
+ namespace: default
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+ name: kubernetes-schemas-sa
+ annotations:
+ kubernetes.io/service-account.name: "kubernetes-schemas"
diff --git a/kubernetes/apps/default/kubernetes-schemas/ks.yaml b/kubernetes/apps/default/kubernetes-schemas/ks.yaml
new file mode 100644
index 000000000..a817671e4
--- /dev/null
+++ b/kubernetes/apps/default/kubernetes-schemas/ks.yaml
@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cluster-apps-kubernetes-schemas
+ namespace: flux-system
+ labels:
+ substitution.flux.home.arpa/enabled: "true"
+spec:
+ path: ./kubernetes/apps/default/kubernetes-schemas/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-ops-kubernetes
+ wait: false # no flux ks dependents
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
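Review bot: The `kubernetes-schemas-sa` Secret mints a non-expiring service-account token that, per the README in this commit, is presumably what ends up in the `KUBECONFIG` GitHub secret, so its lifetime is bounded only by manual rotation; the scope is tight (get/list/watch on customresourcedefinitions cluster-wide), which is the right shape, but a comment on the ClusterRole such as `# read-only CRD access for the publish-schemas workflow; widening this widens what the GitHub token can do` would keep that intent visible. It is worth confirming `crd-extractor.sh` needs nothing beyond CRDs before relying on this, since the README's smoke test `kubectl get pods --all-namespaces` is not permitted by this role and would return Forbidden — if it is meant as a negative check, say so there. Style: `rules:` and `subjects:` use flush sequence items (`- apiGroups:`) while the other manifests in this commit indent their sequences, which yamllint's indent-sequences rule will flag as inconsistent.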
diff --git a/kubernetes/apps/default/kustomization.yaml b/kubernetes/apps/default/kustomization.yaml
index b8088269f..426bf8157 100644
--- a/kubernetes/apps/default/kustomization.yaml
+++ b/kubernetes/apps/default/kustomization.yaml
@@ -29,6 +29,7 @@ resources:
- ./joplin/ks.yaml - ./komf/ks.yaml - ./komga/ks.yaml + - ./kubernetes-schemas/ks.yaml - ./lidarr/ks.yaml - ./libreddit/ks.yaml - ./lychee/ks.yaml