diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/app/clusterissuer.yaml
similarity index 100%
rename from kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml
rename to kubernetes/apps/cert-manager/cert-manager/app/clusterissuer.yaml
diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/externalsecret.yaml b/kubernetes/apps/cert-manager/cert-manager/app/externalsecret.yaml
similarity index 100%
rename from kubernetes/apps/cert-manager/cert-manager/issuers/externalsecret.yaml
rename to kubernetes/apps/cert-manager/cert-manager/app/externalsecret.yaml
diff --git a/kubernetes/apps/cert-manager/cert-manager/app/helm/kustomizeconfig.yaml b/kubernetes/apps/cert-manager/cert-manager/app/helm/kustomizeconfig.yaml
new file mode 100644
index 000000000..58f92ba15
--- /dev/null
+++ b/kubernetes/apps/cert-manager/cert-manager/app/helm/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+ - kind: ConfigMap
+ version: v1
+ fieldSpecs:
+ - path: spec/valuesFrom/name
+ kind: HelmRelease
diff --git a/kubernetes/apps/cert-manager/cert-manager/app/helm/values.yaml b/kubernetes/apps/cert-manager/cert-manager/app/helm/values.yaml
new file mode 100644
index 000000000..279457220
--- /dev/null
+++ b/kubernetes/apps/cert-manager/cert-manager/app/helm/values.yaml
@@ -0,0 +1,11 @@
+---
+crds:
+ enabled: true
+enableCertificateOwnerRef: true
+dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
+dns01RecursiveNameserversOnly: true
+prometheus:
+ enabled: true
+ servicemonitor:
+ enabled: true
+ prometheusInstance: observability
diff --git a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml
index 2528a9d7b..bbbfbc34a 100644
--- a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml
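Review bot: The `kustomizeconfig.yaml` added here is byte-identical to the copies added under `external-secrets/app/helm/` (L4) and `stores/onepassword/helm/` (L8) — all three show the same blob id 58f92ba15 — so the `spec/valuesFrom/name` nameReference rule now lives in three files that can drift. A single shared file referenced by relative path from each `configurations:` list, or a kustomize component carrying both the `configMapGenerator` and the `configurations` entry, keeps the rule in one place. The `values.yaml` hunk in this file needs nothing else: the comma-joined DoH URL string is unambiguous as a plain scalar and the booleans are real booleans.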
@@ -1,41 +1,40 @@ --- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1beta2.json +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: OCIRepository +metadata: + name: cert-manager +spec: + interval: 5m + layerSelector: + mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip + operation: copy + ref: + tag: v1.17.1 + url: oci://ghcr.io/home-operations/charts-mirror/cert-manager + verify: + provider: cosign + matchOIDCIdentity: + - issuer: "^https://token.actions.githubusercontent.com$" + subject: "^https://github.com/home-operations/charts-mirror.*$" +--- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: cert-manager - namespace: cert-manager spec: - interval: 30m - chart: - spec: - chart: cert-manager - version: v1.17.1 - sourceRef: - kind: HelmRepository - name: jetstack - namespace: flux-system - maxHistory: 2 + interval: 1h + chartRef: + kind: OCIRepository + name: cert-manager install: - createNamespace: true - crds: CreateReplace remediation: - retries: 3 + retries: -1 upgrade: cleanupOnFail: true - crds: CreateReplace remediation: retries: 3 - uninstall: - keepHistory: false - values: - crds: - enabled: true - enableCertificateOwnerRef: true - dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query - dns01RecursiveNameserversOnly: true - prometheus: - enabled: true - servicemonitor: - enabled: true - prometheusInstance: observability + valuesFrom: + - kind: ConfigMap + name: cert-manager-values diff --git a/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml b/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml index b91d14961..34da1561b 100644 --- a/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml 
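Review bot: The cosign identity match `subject: "^https://github.com/home-operations/charts-mirror.*$"` is looser than intended: the `.*` directly after the repository name also accepts any other repository under that owner whose name merely starts with `charts-mirror`. Anchoring on the path separator, `subject: "^https://github.com/home-operations/charts-mirror/.*$"`, limits the signature check to workflow identities from that one repository; the external-secrets OCIRepository on L6 has the same shape (`^https://github.com/external-secrets/external-secrets.*$`) and takes the same tightening. A nit across the two hunks: this file quotes the issuer and subject patterns while L6 leaves them plain — both parse identically, but pick one convention.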
@@ -4,14 +4,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: cert-manager resources: + - ./externalsecret.yaml + - ./clusterissuer.yaml - ./helmrelease.yaml - ./prometheusrule.yaml -# configMapGenerator: -# - name: cert-manager-dashboard -# files: -# - cert-manager-dashboard.json=https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/cert-manager/dashboards/cert-manager.json -# generatorOptions: -# disableNameSufs -# kustomize.toolkit.fluxcd.io/substitute: disabled -# labels: -# grafana_dashboard: "true" +configMapGenerator: + - name: cert-manager-values + files: + - values.yaml=./helm/values.yaml +configurations: + - ./helm/kustomizeconfig.yaml diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml deleted file mode 100644 index d6adbe135..000000000 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./externalsecret.yaml - - ./helmrelease.yaml diff --git a/kubernetes/apps/cert-manager/cert-manager/ks.yaml b/kubernetes/apps/cert-manager/cert-manager/ks.yaml index f0c4f294d..9095de191 100644 --- a/kubernetes/apps/cert-manager/cert-manager/ks.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/ks.yaml 
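Review bot: `./clusterissuer.yaml` and `./externalsecret.yaml` now reconcile in the same Flux Kustomization as the cert-manager HelmRelease, but the ClusterIssuer kind only exists once that HelmRelease has installed the CRDs, and the ExternalSecret needs the ClusterSecretStore managed by `external-secrets-stores`; the deleted `cert-manager-issuers` Kustomization on L4 encoded both orderings with `dependsOn`. The ks.yaml hunk on L4 starts at line 10, so whether the surviving `cert-manager` Kustomization still declares `dependsOn: - name: external-secrets-stores` above the hunk is not visible; without it the first reconcile fails on the unknown kind and the missing store and only converges through `retryInterval: 2m` after the HelmRelease health check passes. The kustomization's own header (lines 1-3) is outside the hunk.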
@@ -10,42 +10,22 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app + healthChecks: + - apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + name: *app + namespace: cert-manager + healthCheckExprs: + - apiVersion: cert-manager.io/v1 + kind: ClusterIssuer + failed: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'False') + current: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True') + interval: 1h path: ./kubernetes/apps/cert-manager/cert-manager/app prune: true + retryInterval: 2m sourceRef: kind: GitRepository name: home-ops-kubernetes - wait: false - interval: 30m - retryInterval: 1m + namespace: flux-system timeout: 5m - postBuild: - substitute: - APP: *app ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app cert-manager-issuers - namespace: flux-system -spec: - targetNamespace: cert-manager - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: cert-manager - - name: external-secrets-stores - path: ./kubernetes/apps/cert-manager/cert-manager/issuers - prune: true - sourceRef: - kind: GitRepository - name: home-ops-kubernetes - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app diff --git a/kubernetes/apps/external-secrets/external-secrets/app/helm/kustomizeconfig.yaml b/kubernetes/apps/external-secrets/external-secrets/app/helm/kustomizeconfig.yaml new file mode 100644 index 000000000..58f92ba15 --- /dev/null +++ b/kubernetes/apps/external-secrets/external-secrets/app/helm/kustomizeconfig.yaml @@ -0,0 +1,7 @@ +--- +nameReference: + - kind: ConfigMap + version: v1 + fieldSpecs: + - path: spec/valuesFrom/name + kind: HelmRelease 
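Review bot: The ClusterIssuer `current` expression, `status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True')`, is vacuously true when the object carries no `Ready` condition yet (CEL's `all` over an empty list returns true), so an issuer cert-manager has not evaluated could be reported as current unless the controller treats a missing `status.conditions` as in-progress before evaluating it — worth confirming; `exists(e, e.status == 'True')` only passes once a Ready=True condition is present, and the same applies to the ClusterSecretStore expressions in the new external-secrets ks.yaml on L7. Separately, `postBuild.substitute: APP: *app` is dropped here; if any manifest under `./kubernetes/apps/cert-manager/cert-manager/app` still references `${APP}` it is now left unsubstituted (none of the files shown in this diff do, but `./prometheusrule.yaml` from the kustomization is not shown). The Kustomization's `metadata` and any `dependsOn` sit above this hunk and are not visible.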
diff --git a/kubernetes/apps/external-secrets/external-secrets/app/helm/values.yaml b/kubernetes/apps/external-secrets/external-secrets/app/helm/values.yaml
new file mode 100644
index 000000000..056ebc787
--- /dev/null
+++ b/kubernetes/apps/external-secrets/external-secrets/app/helm/values.yaml
@@ -0,0 +1,21 @@
+---
+installCRDs: true
+replicaCount: 1
+leaderElect: true
+image:
+ repository: ghcr.io/external-secrets/external-secrets
+webhook:
+ image:
+ repository: ghcr.io/external-secrets/external-secrets
+ serviceMonitor:
+ enabled: true
+ interval: 1m
+certController:
+ image:
+ repository: ghcr.io/external-secrets/external-secrets
+ serviceMonitor:
+ enabled: true
+ interval: 1m
+serviceMonitor:
+ enabled: true
+ interval: 1m
diff --git a/kubernetes/apps/external-secrets/external-secrets/app/helmrelease.yaml b/kubernetes/apps/external-secrets/external-secrets/app/helmrelease.yaml
new file mode 100644
index 000000000..91f99b495
--- /dev/null
+++ b/kubernetes/apps/external-secrets/external-secrets/app/helmrelease.yaml
@@ -0,0 +1,40 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1beta2.json +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: OCIRepository +metadata: + name: external-secrets +spec: + interval: 5m + layerSelector: + mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip + operation: copy + ref: + tag: 0.15.1 + url: oci://ghcr.io/external-secrets/charts/external-secrets + verify: + provider: cosign + matchOIDCIdentity: + - issuer: ^https://token.actions.githubusercontent.com$ + subject: ^https://github.com/external-secrets/external-secrets.*$ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: external-secrets +spec: + interval: 1h + chartRef: + kind: OCIRepository + name: external-secrets + install: + remediation: + retries: -1 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + valuesFrom: + - kind: ConfigMap + name: external-secrets-values diff --git a/kubernetes/apps/kube-system/external-secrets/app/kustomization.yaml b/kubernetes/apps/external-secrets/external-secrets/app/kustomization.yaml similarity index 62% rename from kubernetes/apps/kube-system/external-secrets/app/kustomization.yaml rename to kubernetes/apps/external-secrets/external-secrets/app/kustomization.yaml index 1af0c2237..b02dacf25 100644 --- a/kubernetes/apps/kube-system/external-secrets/app/kustomization.yaml +++ b/kubernetes/apps/external-secrets/external-secrets/app/kustomization.yaml @@ -5,3 +5,9 @@ kind: Kustomization namespace: kube-system resources: - ./helmrelease.yaml +configMapGenerator: + - name: external-secrets-values + files: + - values.yaml=./helm/values.yaml +configurations: + - ./helm/kustomizeconfig.yaml 
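Review bot: The renamed `app/kustomization.yaml` still carries `namespace: kube-system` as an untouched context line, while everything else in this commit moves the release to `external-secrets` — the ks.yaml on L7 sets `targetNamespace: external-secrets` and health-checks the HelmRelease there, and the ClusterSecretStore on L8 now reads its token secret from `external-secrets`. Flux's `targetNamespace` overrides the kustomize `namespace` field, so the result is correct as committed, but a plain `kustomize build` of the directory yields a HelmRelease in `kube-system`; change the line to `namespace: external-secrets` or drop it so `targetNamespace` is the single source of truth.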
diff --git a/kubernetes/apps/external-secrets/external-secrets/ks.yaml b/kubernetes/apps/external-secrets/external-secrets/ks.yaml
new file mode 100644
index 000000000..ea2500ba1
--- /dev/null
+++ b/kubernetes/apps/external-secrets/external-secrets/ks.yaml
@@ -0,0 +1,52 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app external-secrets
+ namespace: &namespace flux-system
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ healthChecks:
+ - apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ name: *app
+ namespace: external-secrets
+ interval: 1h
+ path: ./kubernetes/apps/external-secrets/external-secrets/app
+ prune: true
+ retryInterval: 2m
+ sourceRef:
+ kind: GitRepository
+ name: home-ops-kubernetes
+ namespace: *namespace
+ targetNamespace: external-secrets
+ timeout: 15m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app external-secrets-stores
+ namespace: &namespace flux-system
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ healthCheckExprs:
+ - apiVersion: external-secrets.io/v1beta1
+ kind: ClusterSecretStore
+ failed: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'False')
+ current: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True')
+ interval: 1h
+ path: ./kubernetes/apps/external-secrets/external-secrets/stores
+ prune: true
+ retryInterval: 2m
+ sourceRef:
+ kind: GitRepository
+ name: home-ops-kubernetes
+ namespace: *namespace
+ targetNamespace: external-secrets
+ timeout: 15m
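Review bot: The `external-secrets-stores` Kustomization applies a ClusterSecretStore (and, per L11, the onepassword HelmRelease and a SOPS secret) but declares no `dependsOn` on `external-secrets`, which is the Kustomization that installs the `external-secrets.io` CRDs; the deleted issuers Kustomization on L4 shows the pattern, `dependsOn: - name: external-secrets`. Without it the first reconcile fails on the unknown kind and only recovers through `retryInterval: 2m`, and the HelmRelease health check that gates readiness is never consulted. Both documents also pin `namespace: &namespace flux-system` while the parent `kubernetes/apps/external-secrets/kustomization.yaml` on L11 adds `namespace: external-secrets`; kustomize's namespace transformer normally rewrites an existing namespace on namespaced resources, so the anchor may not describe where these objects land — verify with `kustomize build`, and if the app namespace is intended, name it in the anchor and write `sourceRef.namespace: flux-system` literally so the GitRepository reference stays correct.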
diff --git a/kubernetes/apps/kube-system/external-secrets/stores/kustomization.yaml b/kubernetes/apps/external-secrets/external-secrets/stores/kustomization.yaml similarity index 100% rename from kubernetes/apps/kube-system/external-secrets/stores/kustomization.yaml rename to kubernetes/apps/external-secrets/external-secrets/stores/kustomization.yaml diff --git a/kubernetes/apps/kube-system/external-secrets/stores/onepassword/clustersecretstore.yaml b/kubernetes/apps/external-secrets/external-secrets/stores/onepassword/clustersecretstore.yaml similarity index 92% rename from kubernetes/apps/kube-system/external-secrets/stores/onepassword/clustersecretstore.yaml rename to kubernetes/apps/external-secrets/external-secrets/stores/onepassword/clustersecretstore.yaml index 17b0daa31..c8e45dca2 100644 --- a/kubernetes/apps/kube-system/external-secrets/stores/onepassword/clustersecretstore.yaml +++ b/kubernetes/apps/external-secrets/external-secrets/stores/onepassword/clustersecretstore.yaml @@ -15,4 +15,4 @@ spec: connectTokenSecretRef: name: onepassword-connect-secret key: token - namespace: kube-system + namespace: external-secrets diff --git a/kubernetes/apps/external-secrets/external-secrets/stores/onepassword/helm/kustomizeconfig.yaml b/kubernetes/apps/external-secrets/external-secrets/stores/onepassword/helm/kustomizeconfig.yaml new file mode 100644 index 000000000..58f92ba15 --- /dev/null +++ b/kubernetes/apps/external-secrets/external-secrets/stores/onepassword/helm/kustomizeconfig.yaml @@ -0,0 +1,7 @@ +--- +nameReference: + - kind: ConfigMap + version: v1 + fieldSpecs: + - path: spec/valuesFrom/name + kind: HelmRelease diff --git a/kubernetes/apps/external-secrets/external-secrets/stores/onepassword/helm/values.yaml b/kubernetes/apps/external-secrets/external-secrets/stores/onepassword/helm/values.yaml new file mode 100644 index 000000000..fab9b001d --- /dev/null +++ b/kubernetes/apps/external-secrets/external-secrets/stores/onepassword/helm/values.yaml 
@@ -0,0 +1,111 @@
+---
+controllers:
+ onepassword-connect:
+ annotations:
+ reloader.stakater.com/auto: "true"
+ pod:
+ securityContext:
+ runAsUser: 999
+ runAsGroup: 999
+ containers:
+ app:
+ image:
+ # repository: docker.io/1password/connect-api
+ repository: ghcr.io/haraldkoch/onepassword-connect-api
+ tag: 1.7.3@sha256:257a6ca59b806fec2c9c6df0acaef633a39e600eefba0ba03396554c00e065c1
+ env:
+ OP_BUS_PORT: "11220"
+ OP_BUS_PEERS: localhost:11221
+ OP_HTTP_PORT: &port 8080
+ OP_SESSION:
+ valueFrom:
+ secretKeyRef:
+ name: onepassword-connect-secret
+ key: onepassword-credentials.json
+ probes:
+ liveness:
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /heartbeat
+ port: *port
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ failureThreshold: 3
+ readiness:
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /health
+ port: *port
+ initialDelaySeconds: 15
+ startup:
+ enabled: false
+ resources:
+ requests:
+ cpu: 5m
+ memory: 10Mi
+ limits:
+ memory: 100Mi
+ sync:
+ # image: docker.io/1password/connect-sync:1.7.0
+ image:
+ repository: ghcr.io/haraldkoch/onepassword-sync
+ tag: 1.7.3@sha256:7e30af4d83e6884981b2d47e6cfe5cca056da20b182e4c4c6def9e8ac65c0982
+ env:
+ - { name: OP_HTTP_PORT, value: &sport 8081 }
+ - { name: OP_BUS_PORT, value: "11221" }
+ - { name: OP_BUS_PEERS, value: localhost:11220 }
+ - name: OP_SESSION
+ valueFrom:
+ secretKeyRef:
+ name: onepassword-connect-secret
+ key: onepassword-credentials.json
+ probes:
+ readiness:
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /health
+ port: *sport
+ initialDelaySeconds: 15
+ liveness:
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /heartbeat
+ port: *sport
+ failureThreshold: 3
+ periodSeconds: 30
+ initialDelaySeconds: 15
+service:
+ app:
+ controller: onepassword-connect
+ ports:
+ http:
+ port: *port
+# ingress:
+# app:
+# enabled: true
+# className: internal
+# annotations:
+# hajimari.io/enable: "false"
+# hosts:
+# - host: &host "{{ .Release.Name
}}.${SECRET_EXTERNAL_DOMAIN}" +# paths: +# - path: / +# service: +# identifier: app +# port: http +# tls: +# - hosts: +# - *host +persistence: + shared: + type: emptyDir + globalMounts: + - path: /home/opuser/.op/data diff --git a/kubernetes/apps/external-secrets/external-secrets/stores/onepassword/helmrelease.yaml b/kubernetes/apps/external-secrets/external-secrets/stores/onepassword/helmrelease.yaml new file mode 100644 index 000000000..0a43358b0 --- /dev/null +++ b/kubernetes/apps/external-secrets/external-secrets/stores/onepassword/helmrelease.yaml @@ -0,0 +1,27 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app onepassword-connect +spec: + interval: 30m + chartRef: + kind: OCIRepository + name: app-template + namespace: flux-system + maxHistory: 2 + install: + createNamespace: true + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + uninstall: + keepHistory: false + valuesFrom: + - kind: ConfigMap + name: external-secrets-stores-values diff --git a/kubernetes/apps/kube-system/external-secrets/stores/onepassword/kustomization.yaml b/kubernetes/apps/external-secrets/external-secrets/stores/onepassword/kustomization.yaml similarity index 64% rename from kubernetes/apps/kube-system/external-secrets/stores/onepassword/kustomization.yaml rename to kubernetes/apps/external-secrets/external-secrets/stores/onepassword/kustomization.yaml index cc5475a51..94f10a215 100644 --- a/kubernetes/apps/kube-system/external-secrets/stores/onepassword/kustomization.yaml +++ b/kubernetes/apps/external-secrets/external-secrets/stores/onepassword/kustomization.yaml 
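Review bot: Neither the `app` nor the `sync` container sets a container-level `securityContext`; the pod only sets `runAsUser`/`runAsGroup: 999`, and these are the containers that load the 1Password credentials file (`OP_SESSION` from `onepassword-connect-secret`). The capacitor release deleted on L20 shows the repo's hardening baseline, `securityContext: {allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, capabilities: {drop: [ALL]}}`, and the only writable path visible here is the `emptyDir` at `/home/opuser/.op/data`, so it likely fits — confirm the connect images write nowhere else before enabling `readOnlyRootFilesystem`. The two containers also declare `env` in different shapes (a map for `app`, a list of flow mappings for `sync`), and the commented-out `ingress:` block at the end is dead configuration; pick one env form and drop the block. This hunk starts on L9.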
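Review bot: This HelmRelease keeps the older field set (`interval: 30m`, `maxHistory: 2`, `install.createNamespace: true`, `uninstall.keepHistory: false`, `retries: 3`) while the two HelmReleases rewritten in the same commit (L2, L6) settle on `interval: 1h`, `install.remediation.retries: -1` and none of those keys; if the new shape is the repo convention this file should follow it. `chartRef` also points at an OCIRepository in `flux-system` from a release that lands in `external-secrets` (per `targetNamespace` on L7), a cross-namespace reference that stops working if helm-controller is ever started with `--no-cross-namespace-refs`; a comment such as `# app-template OCIRepository lives in flux-system; relies on cross-namespace refs` would make the dependency visible.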
@@ -6,3 +6,9 @@ resources: - ./clustersecretstore.yaml - ./helmrelease.yaml - ./secret.sops.yaml +configMapGenerator: + - name: external-secrets-stores-values + files: + - values.yaml=./helm/values.yaml +configurations: + - ./helm/kustomizeconfig.yaml diff --git a/kubernetes/apps/kube-system/external-secrets/stores/onepassword/secret.sops.yaml b/kubernetes/apps/external-secrets/external-secrets/stores/onepassword/secret.sops.yaml similarity index 100% rename from kubernetes/apps/kube-system/external-secrets/stores/onepassword/secret.sops.yaml rename to kubernetes/apps/external-secrets/external-secrets/stores/onepassword/secret.sops.yaml diff --git a/kubernetes/apps/flux-system/capacitor/app/kustomization.yaml b/kubernetes/apps/external-secrets/kustomization.yaml similarity index 66% rename from kubernetes/apps/flux-system/capacitor/app/kustomization.yaml rename to kubernetes/apps/external-secrets/kustomization.yaml index 430075e35..fdb5e2929 100644 --- a/kubernetes/apps/flux-system/capacitor/app/kustomization.yaml +++ b/kubernetes/apps/external-secrets/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: external-secrets resources: - - ./helmrelease.yaml - - ./rbac.yaml - - ../../../../templates/gatus/guarded + - ./external-secrets/ks.yaml diff --git a/kubernetes/apps/flux-system/addons/ks.yaml b/kubernetes/apps/flux-system/addons/ks.yaml deleted file mode 100644 index ecbb2094a..000000000 --- a/kubernetes/apps/flux-system/addons/ks.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app flux-monitoring - namespace: flux-system -spec: - targetNamespace: flux-system - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/flux-system/addons/monitoring - prune: true - sourceRef: - kind: GitRepository - name: home-ops-kubernetes - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app flux-notifications - namespace: flux-system -spec: - targetNamespace: flux-system - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/flux-system/addons/notifications - prune: true - sourceRef: - kind: GitRepository - name: home-ops-kubernetes - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app flux-webhooks - namespace: flux-system -spec: - targetNamespace: flux-system - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/flux-system/addons/webhooks - prune: true - sourceRef: - kind: GitRepository - name: home-ops-kubernetes - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app diff --git a/kubernetes/apps/flux-system/addons/monitoring/kustomization.yaml b/kubernetes/apps/flux-system/addons/monitoring/kustomization.yaml deleted file mode 100644 index f346688a0..000000000 
--- a/kubernetes/apps/flux-system/addons/monitoring/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: flux-system -resources: - - ./podmonitor.yaml - - ./prometheusrule.yaml diff --git a/kubernetes/apps/flux-system/addons/monitoring/podmonitor.yaml b/kubernetes/apps/flux-system/addons/monitoring/podmonitor.yaml deleted file mode 100644 index 1ce26ebf0..000000000 --- a/kubernetes/apps/flux-system/addons/monitoring/podmonitor.yaml +++ /dev/null @@ -1,32 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/podmonitor_v1.json -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: flux-system - namespace: flux-system - labels: - app.kubernetes.io/part-of: flux - app.kubernetes.io/component: monitoring -spec: - namespaceSelector: - matchNames: - - flux-system - selector: - matchExpressions: - - key: app - operator: In - values: - - helm-controller - - source-controller - - kustomize-controller - - notification-controller - - image-automation-controller - - image-reflector-controller - podMetricsEndpoints: - - port: http-prom - relabelings: - # https://github.com/prometheus-operator/prometheus-operator/issues/4816 - - sourceLabels: [__meta_kubernetes_pod_phase] - action: keep - regex: Running diff --git a/kubernetes/apps/flux-system/addons/monitoring/prometheusrule.yaml b/kubernetes/apps/flux-system/addons/monitoring/prometheusrule.yaml deleted file mode 100644 index 6b26576b6..000000000 --- a/kubernetes/apps/flux-system/addons/monitoring/prometheusrule.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/scrapeconfig_v1alpha1.json -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: flux - namespace: flux-system -spec: - groups: - - name: flux.rules - rules: - - alert: FluxComponentAbsent - annotations: - summary: Flux component has disappeared from Prometheus target discovery. - expr: | - absent(up{job=~".*flux-system.*"} == 1) - for: 15m - labels: - severity: critical diff --git a/kubernetes/apps/flux-system/addons/notifications/github/externalsecret.yaml b/kubernetes/apps/flux-system/addons/notifications/github/externalsecret.yaml deleted file mode 100644 index 6ce1fac76..000000000 --- a/kubernetes/apps/flux-system/addons/notifications/github/externalsecret.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: github-token - namespace: flux-system -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: github-token-secret - creationPolicy: Owner - template: - engineVersion: v2 - data: - token: '{{ .GITHUB_NOTIFICATION_TOKEN }}' - dataFrom: - - extract: - key: flux diff --git a/kubernetes/apps/flux-system/addons/notifications/github/kustomization.yaml b/kubernetes/apps/flux-system/addons/notifications/github/kustomization.yaml deleted file mode 100644 index 1312fc072..000000000 --- a/kubernetes/apps/flux-system/addons/notifications/github/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./externalsecret.yaml - - ./notification.yaml 
diff --git a/kubernetes/apps/flux-system/addons/notifications/github/notification.yaml b/kubernetes/apps/flux-system/addons/notifications/github/notification.yaml deleted file mode 100644 index 8c782d549..000000000 --- a/kubernetes/apps/flux-system/addons/notifications/github/notification.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json -apiVersion: notification.toolkit.fluxcd.io/v1beta3 -kind: Provider -metadata: - name: github - namespace: flux-system -spec: - type: github - address: https://github.com/auricom/home-ops - secretRef: - name: github-token-secret ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json -apiVersion: notification.toolkit.fluxcd.io/v1beta3 -kind: Alert -metadata: - name: github - namespace: flux-system -spec: - providerRef: - name: github - eventSeverity: info - eventSources: - - kind: Kustomization - name: "*" diff --git a/kubernetes/apps/flux-system/addons/notifications/kustomization.yaml b/kubernetes/apps/flux-system/addons/notifications/kustomization.yaml deleted file mode 100644 index 8fa25526c..000000000 --- a/kubernetes/apps/flux-system/addons/notifications/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./github diff --git a/kubernetes/apps/flux-system/addons/webhooks/github/kustomization.yaml b/kubernetes/apps/flux-system/addons/webhooks/github/kustomization.yaml deleted file mode 100644 index bd685f5ae..000000000 --- a/kubernetes/apps/flux-system/addons/webhooks/github/kustomization.yaml +++ /dev/null 
@@ -1,8 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./externalsecret.yaml
- - ./ingress.yaml
- - ./receiver.yaml
diff --git a/kubernetes/apps/flux-system/addons/webhooks/kustomization.yaml b/kubernetes/apps/flux-system/addons/webhooks/kustomization.yaml
deleted file mode 100644
index 8fa25526c..000000000
--- a/kubernetes/apps/flux-system/addons/webhooks/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./github
diff --git a/kubernetes/apps/flux-system/alerts/alertmanager/alert.yaml b/kubernetes/apps/flux-system/alerts/alertmanager/alert.yaml
new file mode 100644
index 000000000..e765952eb
--- /dev/null
+++ b/kubernetes/apps/flux-system/alerts/alertmanager/alert.yaml
@@ -0,0 +1,30 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Alert
+metadata:
+ name: alertmanager
+ namespace: flux-system
+spec:
+ providerRef:
+ name: alertmanager
+ eventSeverity: error
+ eventSources:
+ # - kind: FluxInstance
+ # name: "*"
+ - kind: GitRepository
+ name: "*"
+ - kind: HelmRelease
+ name: "*"
+ - kind: HelmRepository
+ name: "*"
+ - kind: Kustomization
+ name: "*"
+ - kind: OCIRepository
+ name: "*"
+ exclusionList:
+ - "error.*lookup github\\.com"
+ - "error.*lookup raw\\.githubusercontent\\.com"
+ - "dial.*tcp.*timeout"
+ - "waiting.*socket"
+ suspend: false
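Review bot: The Flux component monitoring removed in this commit (the `PodMonitor flux-system` and the `FluxComponentAbsent` PrometheusRule on L13-L14) has no replacement anywhere in the diff; this Alert forwards controller events to Alertmanager but says nothing when a controller stops being scraped, so detection of a dead source- or kustomize-controller is lost unless those objects now live elsewhere. If that is intentional a line in the commit message would help; otherwise the PodMonitor and rule belong next to `./alertmanager` in `alerts/kustomization.yaml`. Smaller points: the `exclusionList` pattern `"dial.*tcp.*timeout"` also suppresses the dial errors an OCIRepository or GitRepository emits when a registry is unreachable, which at `eventSeverity: error` are among the events most worth seeing, and the commented-out `FluxInstance` source is dead configuration.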
diff --git a/kubernetes/apps/flux-system/alerts/alertmanager/kustomization.yaml b/kubernetes/apps/flux-system/alerts/alertmanager/kustomization.yaml
new file mode 100644
index 000000000..a39198cb6
--- /dev/null
+++ b/kubernetes/apps/flux-system/alerts/alertmanager/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./alert.yaml
+ - ./provider.yaml
diff --git a/kubernetes/apps/flux-system/alerts/alertmanager/provider.yaml b/kubernetes/apps/flux-system/alerts/alertmanager/provider.yaml
new file mode 100644
index 000000000..578acd83b
--- /dev/null
+++ b/kubernetes/apps/flux-system/alerts/alertmanager/provider.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+ name: alertmanager
+ namespace: flux-system
+spec:
+ type: alertmanager
+ address: http://alertmanager-operated.observability.svc.cluster.local:9093/api/v2/alerts/
diff --git a/kubernetes/apps/flux-system/alerts/github-status/alert.yaml b/kubernetes/apps/flux-system/alerts/github-status/alert.yaml
new file mode 100644
index 000000000..38c6bcc39
--- /dev/null
+++ b/kubernetes/apps/flux-system/alerts/github-status/alert.yaml
@@ -0,0 +1,13 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Alert
+metadata:
+ name: github-status
+ namespace: flux-system
+spec:
+ providerRef:
+ name: github-status
+ eventSources:
+ - kind: Kustomization
+ name: "*"
diff --git a/kubernetes/apps/flux-system/alerts/github-status/externalsecret.yaml b/kubernetes/apps/flux-system/alerts/github-status/externalsecret.yaml
new file mode 100644
index 000000000..9555c84a2
--- /dev/null
+++ b/kubernetes/apps/flux-system/alerts/github-status/externalsecret.yaml
@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: github-status-token
+ namespace: flux-system
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword
+ target:
+ name: github-status-token-secret
+ template:
+ data:
+ token: "{{ .FLUX_GITHUB_TOKEN }}"
+ dataFrom:
+ - extract:
+ key: flux
diff --git a/kubernetes/apps/flux-system/alerts/github-status/kustomization.yaml b/kubernetes/apps/flux-system/alerts/github-status/kustomization.yaml
new file mode 100644
index 000000000..b5a9b4e3c
--- /dev/null
+++ b/kubernetes/apps/flux-system/alerts/github-status/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./alert.yaml
+ - ./externalsecret.yaml
+ - ./provider.yaml
diff --git a/kubernetes/apps/flux-system/alerts/github-status/provider.yaml b/kubernetes/apps/flux-system/alerts/github-status/provider.yaml
new file mode 100644
index 000000000..922c9679a
--- /dev/null
+++ b/kubernetes/apps/flux-system/alerts/github-status/provider.yaml
@@ -0,0 +1,12 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+ name: github-status
+ namespace: flux-system
+spec:
+ type: github
+ address: https://github.com/auricom/home-ops
+ secretRef:
+ name: github-status-token-secret
diff --git a/kubernetes/apps/flux-system/alerts/kustomization.yaml b/kubernetes/apps/flux-system/alerts/kustomization.yaml
new file mode 100644
index 000000000..3cf1b36cf
--- /dev/null
+++ b/kubernetes/apps/flux-system/alerts/kustomization.yaml
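Review bot: `secretStoreRef.name: onepassword` differs from the store name the deleted github ExternalSecret used (`onepassword-connect`, L14), and the ClusterSecretStore's own `metadata.name` is not visible in this diff (the L8 hunk shows only the tail of its `spec`), so confirm which name the store actually carries; with a wrong name the ExternalSecret never syncs, `github-status-token-secret` is never created, and the Provider in the next hunk cannot authenticate. The template key also changed from `.GITHUB_NOTIFICATION_TOKEN` to `.FLUX_GITHUB_TOKEN`, so the `flux` item in the store must expose that field. A comment above `dataFrom` would save the next reader the lookup, e.g. `# pulls FLUX_GITHUB_TOKEN from the 'flux' item; keep the token scoped to commit statuses only`.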
@@ -0,0 +1,7 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./alertmanager + - ./github-status diff --git a/kubernetes/apps/flux-system/capacitor/app/helmrelease.yaml b/kubernetes/apps/flux-system/capacitor/app/helmrelease.yaml deleted file mode 100644 index 47d2fe9ae..000000000 --- a/kubernetes/apps/flux-system/capacitor/app/helmrelease.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app capacitor -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.7.3 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - uninstall: - keepHistory: false - values: - controllers: - capacitor: - strategy: RollingUpdate - containers: - app: - image: - repository: ghcr.io/gimlet-io/capacitor - tag: v0.4.8@sha256:c999a42cccc523b91086547f890466d09be4755bf05a52763b0d14594bf60782 - resources: - requests: - cpu: 50m - memory: 100Mi - ephemeral-storage: 1Gi - limits: - memory: 200Mi - ephemeral-storage: 2Gi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: {drop: [ALL]} - serviceAccount: - create: true - name: capacitor - service: - app: - controller: *app - ports: - http: - enabled: true - port: 9000 - ingress: - app: - enabled: true - className: internal - annotations: - hajimari.io/icon: mdi:sync - gethomepage.dev/enabled: "true" - gethomepage.dev/name: Capacitor - gethomepage.dev/description: General purpose UI for FluxCD. - gethomepage.dev/group: Applications - gethomepage.dev/icon: capacitor.png - gethomepage.dev/pod-selector: >- - app in ( - capacitor - ) - hosts: - - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host diff --git a/kubernetes/apps/flux-system/capacitor/app/rbac.yaml b/kubernetes/apps/flux-system/capacitor/app/rbac.yaml deleted file mode 100644 index 0b4b29f56..000000000 --- a/kubernetes/apps/flux-system/capacitor/app/rbac.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: capacitor -rules: -- apiGroups: - - networking.k8s.io - - apps - - "" - resources: - - pods - - pods/log - - ingresses - - deployments - - services - - secrets - - events - - configmaps - verbs: - - get - - watch - - list -- apiGroups: - - source.toolkit.fluxcd.io - - kustomize.toolkit.fluxcd.io - - helm.toolkit.fluxcd.io - - infra.contrib.fluxcd.io - resources: - - gitrepositories - - ocirepositories - - buckets - - helmrepositories - - helmcharts - - kustomizations - - helmreleases - - terraforms - verbs: - - get - - watch - - list - - patch # to allow force reconciling by adding an annotation ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: capacitor -subjects: - - kind: ServiceAccount - name: capacitor - namespace: flux-system -roleRef: - kind: ClusterRole - name: capacitor - apiGroup: rbac.authorization.k8s.io diff --git a/kubernetes/apps/flux-system/capacitor/ks.yaml b/kubernetes/apps/flux-system/capacitor/ks.yaml deleted file mode 100644 index cbb891543..000000000 --- a/kubernetes/apps/flux-system/capacitor/ks.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app capacitor - namespace: flux-system -spec: - targetNamespace: flux-system - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/flux-system/capacitor/app - prune: true - sourceRef: - kind: GitRepository - name: home-ops-kubernetes - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app 
diff --git a/kubernetes/flux/config/cluster.yaml b/kubernetes/apps/flux-system/cluster.yaml similarity index 100% rename from kubernetes/flux/config/cluster.yaml rename to kubernetes/apps/flux-system/cluster.yaml diff --git a/kubernetes/apps/flux-system/addons/webhooks/github/externalsecret.yaml b/kubernetes/apps/flux-system/flux-instance/app/externalsecret.yaml similarity index 79% rename from kubernetes/apps/flux-system/addons/webhooks/github/externalsecret.yaml rename to kubernetes/apps/flux-system/flux-instance/app/externalsecret.yaml index c7c657354..cba0aed65 100644 --- a/kubernetes/apps/flux-system/addons/webhooks/github/externalsecret.yaml +++ b/kubernetes/apps/flux-system/flux-instance/app/externalsecret.yaml @@ -7,13 +7,12 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: onepassword-connect + name: onepassword target: name: github-webhook-token-secret template: - engineVersion: v2 data: - token: "{{ .GITHUB_SYNC_WEBHOOK_TOKEN }}" + token: "{{ .FLUX_GITHUB_WEBHOOK_TOKEN }}" dataFrom: - extract: key: flux diff --git a/kubernetes/apps/flux-system/flux-instance/app/helm/kustomizeconfig.yaml b/kubernetes/apps/flux-system/flux-instance/app/helm/kustomizeconfig.yaml new file mode 100644 index 000000000..58f92ba15 --- /dev/null +++ b/kubernetes/apps/flux-system/flux-instance/app/helm/kustomizeconfig.yaml @@ -0,0 +1,7 @@ +--- +nameReference: + - kind: ConfigMap + version: v1 + fieldSpecs: + - path: spec/valuesFrom/name + kind: HelmRelease diff --git a/kubernetes/apps/flux-system/flux-instance/app/helm/values.yaml b/kubernetes/apps/flux-system/flux-instance/app/helm/values.yaml new file mode 100644 index 000000000..c7fe501ef --- /dev/null +++ b/kubernetes/apps/flux-system/flux-instance/app/helm/values.yaml 
@@ -0,0 +1,104 @@ +--- +instance: + distribution: + # renovate: datasource=github-releases depName=controlplaneio-fluxcd/distribution + version: 2.5.1 + cluster: + networkPolicy: false + components: + - source-controller + - kustomize-controller + - helm-controller + - notification-controller + sync: + kind: GitRepository + url: https://github.com/auricom/home-ops + ref: refs/heads/main + path: kubernetes/flux + interval: 1h + commonMetadata: + labels: + app.kubernetes.io/name: flux + kustomize: + patches: + - # Add Sops decryption to 'flux-system' Kustomization + patch: | + - op: add + path: /spec/decryption + value: + provider: sops + secretRef: + name: sops-age + target: + group: kustomize.toolkit.fluxcd.io + kind: Kustomization + - # Increase the number of workers + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --concurrent=10 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --requeue-dependency=5s + target: + kind: Deployment + name: (kustomize-controller|helm-controller|source-controller) + - # Increase the memory limits + patch: | + apiVersion: apps/v1 + kind: Deployment + metadata: + name: all + spec: + template: + spec: + containers: + - name: manager + resources: + limits: + memory: 2Gi + target: + kind: Deployment + name: (kustomize-controller|helm-controller|source-controller) + - # Enable in-memory kustomize builds + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --concurrent=20 + - op: replace + path: /spec/template/spec/volumes/0 + value: + name: temp + emptyDir: + medium: Memory + target: + kind: Deployment + name: kustomize-controller + - # Enable Helm repositories caching + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --helm-cache-max-size=10 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --helm-cache-ttl=60m + - op: add + path: /spec/template/spec/containers/0/args/- + value: --helm-cache-purge-interval=5m + 
target: + kind: Deployment + name: source-controller + - # Flux near OOM detection for Helm + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --feature-gates=OOMWatch=true + - op: add + path: /spec/template/spec/containers/0/args/- + value: --oom-watch-memory-threshold=95 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --oom-watch-interval=500ms + target: + kind: Deployment + name: helm-controller diff --git a/kubernetes/apps/flux-system/flux-instance/app/helmrelease.yaml b/kubernetes/apps/flux-system/flux-instance/app/helmrelease.yaml new file mode 100644 index 000000000..5f5f68c90 --- /dev/null +++ b/kubernetes/apps/flux-system/flux-instance/app/helmrelease.yaml @@ -0,0 +1,40 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1beta2.json +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: OCIRepository +metadata: + name: flux-instance +spec: + interval: 5m + layerSelector: + mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip + operation: copy + ref: + tag: 0.18.0 + url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-instance + verify: + provider: cosign + matchOIDCIdentity: + - issuer: ^https://token.actions.githubusercontent.com$ + subject: ^https://github.com/controlplaneio-fluxcd/charts.*$ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: flux-instance +spec: + interval: 1h + chartRef: + kind: OCIRepository + name: flux-instance + install: + remediation: + retries: -1 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + valuesFrom: + - kind: ConfigMap + name: flux-instance-values 
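Review bot: `networkPolicy: false` under `instance.cluster` disables the NetworkPolicy the flux-instance would otherwise create to restrict network access to the flux-system namespace, and nothing in the hunk records why; if another policy covers the controllers, say so on the line, e.g. `networkPolicy: false  # ingress to the controllers is restricted by <POLICY-NAME placeholder> instead`, otherwise re-enable it. Separately, the kustomize-controller Deployment receives `--concurrent=10` from the "Increase the number of workers" patch and `--concurrent=20` from the "Enable in-memory kustomize builds" patch, so the container ends up with two `--concurrent` flags and only the one the flag parser takes last is effective; drop one so the intended value is explicit. Both are json-patch `op: add` on `/args/-`, so kustomize will not deduplicate them for you. The hunk starts on the previous line and the values document is complete within it.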
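Review bot: The cosign identity match on the OCIRepository, `subject: ^https://github.com/controlplaneio-fluxcd/charts.*$`, accepts a signature produced by any workflow on any ref of that repository; if the chart is published by one release workflow, anchoring the subject to that workflow path and a tag ref (`^https://github.com/controlplaneio-fluxcd/charts/.github/workflows/<RELEASE-WORKFLOW placeholder>.yaml@refs/tags/.*$`) narrows what a compromised branch or pull-request workflow could sign for. The two regexes are plain scalars here; quoting them (`issuer: "^https://token.actions.githubusercontent.com$"`) keeps them safe from YAML's ` #` and `: ` parsing rules if they are ever edited. `retries: -1` under `install.remediation` retries the install indefinitely, which may be intended for a bootstrap component but deserves a one-line comment.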
diff --git a/kubernetes/apps/flux-system/addons/webhooks/github/ingress.yaml b/kubernetes/apps/flux-system/flux-instance/app/ingress.yaml similarity index 100% rename from kubernetes/apps/flux-system/addons/webhooks/github/ingress.yaml rename to kubernetes/apps/flux-system/flux-instance/app/ingress.yaml diff --git a/kubernetes/apps/flux-system/flux-instance/app/kustomization.yaml b/kubernetes/apps/flux-system/flux-instance/app/kustomization.yaml new file mode 100644 index 000000000..9570b71f6 --- /dev/null +++ b/kubernetes/apps/flux-system/flux-instance/app/kustomization.yaml @@ -0,0 +1,16 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./externalsecret.yaml + - ./helmrelease.yaml + - ./ingress.yaml + - ./prometheusrule.yaml + - ./receiver.yaml +configMapGenerator: + - name: flux-instance-values + files: + - values.yaml=./helm/values.yaml +configurations: + - ./helm/kustomizeconfig.yaml diff --git a/kubernetes/apps/flux-system/flux-instance/app/prometheusrule.yaml b/kubernetes/apps/flux-system/flux-instance/app/prometheusrule.yaml new file mode 100644 index 000000000..195ffb783 --- /dev/null +++ b/kubernetes/apps/flux-system/flux-instance/app/prometheusrule.yaml 
@@ -0,0 +1,30 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/prometheusrule_v1.json +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: flux-instance-rules + namespace: flux-system +spec: + groups: + - name: flux-instance.rules + rules: + - alert: FluxInstanceAbsent + expr: | + absent(flux_instance_info{exported_namespace="flux-system", name="flux"}) + for: 5m + annotations: + summary: >- + Flux instance metric is missing + labels: + severity: critical + + - alert: FluxInstanceNotReady + expr: | + flux_instance_info{exported_namespace="flux-system", name="flux", ready!="True"} + for: 5m + annotations: + summary: >- + Flux instance {{ $labels.name }} is not ready + labels: + severity: critical diff --git a/kubernetes/apps/flux-system/addons/webhooks/github/receiver.yaml b/kubernetes/apps/flux-system/flux-instance/app/receiver.yaml similarity index 51% rename from kubernetes/apps/flux-system/addons/webhooks/github/receiver.yaml rename to kubernetes/apps/flux-system/flux-instance/app/receiver.yaml index 4c2239910..75564540d 100644 --- a/kubernetes/apps/flux-system/addons/webhooks/github/receiver.yaml +++ b/kubernetes/apps/flux-system/flux-instance/app/receiver.yaml 
@@ -1,26 +1,18 @@ --- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/receiver_v1beta2.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/receiver_v1.json apiVersion: notification.toolkit.fluxcd.io/v1 kind: Receiver metadata: - name: home-ops-kubernetes + name: github-webhook spec: type: github - events: - - ping - - push + events: ["ping", "push"] secretRef: name: github-webhook-token-secret resources: - apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository - name: home-ops-kubernetes - namespace: flux-system + name: flux-system - apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization - name: apps - namespace: flux-system - - apiVersion: kustomize.toolkit.fluxcd.io/v1 - kind: Kustomization - name: flux-cluster - namespace: flux-system + name: flux-system diff --git a/kubernetes/apps/flux-system/flux-instance/ks.yaml b/kubernetes/apps/flux-system/flux-instance/ks.yaml new file mode 100644 index 000000000..247523e58 --- /dev/null +++ b/kubernetes/apps/flux-system/flux-instance/ks.yaml @@ -0,0 +1,32 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app flux-instance + namespace: &namespace flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: flux-operator + namespace: *namespace + interval: 1h + path: ./kubernetes/apps/flux-system/flux-instance/app + prune: true + retryInterval: 2m + sourceRef: + kind: GitRepository + name: home-ops-kubernetes + namespace: *namespace + targetNamespace: *namespace + timeout: 5m + postBuild: + substituteFrom: + - kind: ConfigMap + name: cluster-settings + optional: false + - kind: Secret + name: cluster-secrets + optional: false 
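Review bot: Renaming the Receiver from `home-ops-kubernetes` to `github-webhook` (together with the token key change to `FLUX_GITHUB_WEBHOOK_TOKEN` in the flux-instance externalsecret hunk) changes the generated webhook path, since Flux derives it from the receiver name, namespace and token; the webhook registered on the GitHub side has to be re-pointed at the new `status.webhookPath`, or pushes will silently stop triggering reconciliation. A comment above `secretRef:` such as `# renaming the Receiver or rotating the token changes status.webhookPath — update the GitHub webhook` would save the next person the search. Dropping `namespace: flux-system` from the resources is fine, as they default to the Receiver's own namespace. Style: `events: ["ping", "push"]` switches this one list to flow style while the rest of the file keeps block lists.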
diff --git a/kubernetes/apps/flux-system/kustomization.yaml b/kubernetes/apps/flux-system/kustomization.yaml index bf3137e32..213cba71a 100644 --- a/kubernetes/apps/flux-system/kustomization.yaml +++ b/kubernetes/apps/flux-system/kustomization.yaml @@ -5,9 +5,10 @@ kind: Kustomization resources: # Pre Flux-Kustomizations - ./namespace.yaml - # Flux-Kustomizations - - ./addons/ks.yaml - - ./capacitor/ks.yaml # Standard Resources - # - ./flux-instance/ks.yaml + - ./alerts + - ./cluster.yaml + - ./flux-instance/ks.yaml - ./flux-operator/ks.yaml + - ./repositories + - ./vars diff --git a/kubernetes/flux/repositories/helm/actions-runner-controller.yaml b/kubernetes/apps/flux-system/repositories/helm/actions-runner-controller.yaml similarity index 100% rename from kubernetes/flux/repositories/helm/actions-runner-controller.yaml rename to kubernetes/apps/flux-system/repositories/helm/actions-runner-controller.yaml diff --git a/kubernetes/flux/repositories/helm/aqua.yaml b/kubernetes/apps/flux-system/repositories/helm/aqua.yaml similarity index 100% rename from kubernetes/flux/repositories/helm/aqua.yaml rename to kubernetes/apps/flux-system/repositories/helm/aqua.yaml diff --git a/kubernetes/flux/repositories/helm/backube.yaml b/kubernetes/apps/flux-system/repositories/helm/backube.yaml similarity index 100% rename from kubernetes/flux/repositories/helm/backube.yaml rename to kubernetes/apps/flux-system/repositories/helm/backube.yaml diff --git a/kubernetes/flux/repositories/helm/bjw-s.yaml b/kubernetes/apps/flux-system/repositories/helm/bjw-s.yaml similarity index 100% rename from kubernetes/flux/repositories/helm/bjw-s.yaml rename to kubernetes/apps/flux-system/repositories/helm/bjw-s.yaml 
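Review bot: `- ./vars` pulls `cluster-secrets.sops.yaml` (renamed into `kubernetes/apps/flux-system/vars` in this commit) into the same kustomization that the bootstrap README now applies with plain `kubectl apply --server-side --kustomize ./kubernetes/apps/flux-system`; unless `vars/kustomization.yaml` leaves that file out, the bootstrap step would apply the still-encrypted Secret on top of the one decrypted in step 6. That kustomization is only renamed here and not shown, so this needs confirming; if it does include the sops file, the README step should build a path that excludes it, or the decrypted apply should run afterwards. A comment on the `- ./vars` line noting that this path relies on the sops decryption patch in the flux-instance values would also help.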
diff --git a/kubernetes/flux/repositories/helm/cert-manager-webhook-ovh.yaml b/kubernetes/apps/flux-system/repositories/helm/cert-manager-webhook-ovh.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/cert-manager-webhook-ovh.yaml
rename to kubernetes/apps/flux-system/repositories/helm/cert-manager-webhook-ovh.yaml
diff --git a/kubernetes/flux/repositories/helm/cilium.yaml b/kubernetes/apps/flux-system/repositories/helm/cilium.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/cilium.yaml
rename to kubernetes/apps/flux-system/repositories/helm/cilium.yaml
diff --git a/kubernetes/flux/repositories/helm/cloudnative-pg.yaml b/kubernetes/apps/flux-system/repositories/helm/cloudnative-pg.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/cloudnative-pg.yaml
rename to kubernetes/apps/flux-system/repositories/helm/cloudnative-pg.yaml
diff --git a/kubernetes/flux/repositories/helm/coredns.yaml b/kubernetes/apps/flux-system/repositories/helm/coredns.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/coredns.yaml
rename to kubernetes/apps/flux-system/repositories/helm/coredns.yaml
diff --git a/kubernetes/flux/repositories/helm/crowdsec.yaml b/kubernetes/apps/flux-system/repositories/helm/crowdsec.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/crowdsec.yaml
rename to kubernetes/apps/flux-system/repositories/helm/crowdsec.yaml
diff --git a/kubernetes/flux/repositories/helm/crunchydata.yaml b/kubernetes/apps/flux-system/repositories/helm/crunchydata.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/crunchydata.yaml
rename to kubernetes/apps/flux-system/repositories/helm/crunchydata.yaml
diff --git a/kubernetes/flux/repositories/helm/descheduler.yaml b/kubernetes/apps/flux-system/repositories/helm/descheduler.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/descheduler.yaml
rename to kubernetes/apps/flux-system/repositories/helm/descheduler.yaml
diff --git a/kubernetes/flux/repositories/helm/dysnix.yaml b/kubernetes/apps/flux-system/repositories/helm/dysnix.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/dysnix.yaml
rename to kubernetes/apps/flux-system/repositories/helm/dysnix.yaml
diff --git a/kubernetes/flux/repositories/helm/emxq.yaml b/kubernetes/apps/flux-system/repositories/helm/emxq.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/emxq.yaml
rename to kubernetes/apps/flux-system/repositories/helm/emxq.yaml
diff --git a/kubernetes/flux/repositories/helm/external-dns.yaml b/kubernetes/apps/flux-system/repositories/helm/external-dns.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/external-dns.yaml
rename to kubernetes/apps/flux-system/repositories/helm/external-dns.yaml
diff --git a/kubernetes/flux/repositories/helm/external-secrets.yaml b/kubernetes/apps/flux-system/repositories/helm/external-secrets.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/external-secrets.yaml
rename to kubernetes/apps/flux-system/repositories/helm/external-secrets.yaml
diff --git a/kubernetes/flux/repositories/helm/gitea.yaml b/kubernetes/apps/flux-system/repositories/helm/gitea.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/gitea.yaml
rename to kubernetes/apps/flux-system/repositories/helm/gitea.yaml
diff --git a/kubernetes/flux/repositories/helm/grafana.yaml b/kubernetes/apps/flux-system/repositories/helm/grafana.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/grafana.yaml
rename to kubernetes/apps/flux-system/repositories/helm/grafana.yaml
diff --git a/kubernetes/flux/repositories/helm/hajimari.yaml b/kubernetes/apps/flux-system/repositories/helm/hajimari.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/hajimari.yaml
rename to kubernetes/apps/flux-system/repositories/helm/hajimari.yaml
diff --git a/kubernetes/flux/repositories/helm/ingress-nginx.yaml b/kubernetes/apps/flux-system/repositories/helm/ingress-nginx.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/ingress-nginx.yaml
rename to kubernetes/apps/flux-system/repositories/helm/ingress-nginx.yaml
diff --git a/kubernetes/flux/repositories/helm/intel.yaml b/kubernetes/apps/flux-system/repositories/helm/intel.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/intel.yaml
rename to kubernetes/apps/flux-system/repositories/helm/intel.yaml
diff --git a/kubernetes/flux/repositories/helm/jetstack.yaml b/kubernetes/apps/flux-system/repositories/helm/jetstack.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/jetstack.yaml
rename to kubernetes/apps/flux-system/repositories/helm/jetstack.yaml
diff --git a/kubernetes/flux/repositories/helm/k8s-gateway.yaml b/kubernetes/apps/flux-system/repositories/helm/k8s-gateway.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/k8s-gateway.yaml
rename to kubernetes/apps/flux-system/repositories/helm/k8s-gateway.yaml
diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/apps/flux-system/repositories/helm/kustomization.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/kustomization.yaml
rename to kubernetes/apps/flux-system/repositories/helm/kustomization.yaml
diff --git a/kubernetes/flux/repositories/helm/kyverno.yaml b/kubernetes/apps/flux-system/repositories/helm/kyverno.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/kyverno.yaml
rename to kubernetes/apps/flux-system/repositories/helm/kyverno.yaml
diff --git a/kubernetes/flux/repositories/helm/metrics-server.yaml b/kubernetes/apps/flux-system/repositories/helm/metrics-server.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/metrics-server.yaml
rename to kubernetes/apps/flux-system/repositories/helm/metrics-server.yaml
diff --git a/kubernetes/flux/repositories/helm/node-feature-discovery.yaml b/kubernetes/apps/flux-system/repositories/helm/node-feature-discovery.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/node-feature-discovery.yaml
rename to kubernetes/apps/flux-system/repositories/helm/node-feature-discovery.yaml
diff --git a/kubernetes/flux/repositories/helm/openebs.yaml b/kubernetes/apps/flux-system/repositories/helm/openebs.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/openebs.yaml
rename to kubernetes/apps/flux-system/repositories/helm/openebs.yaml
diff --git a/kubernetes/flux/repositories/helm/piraeus.yaml b/kubernetes/apps/flux-system/repositories/helm/piraeus.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/piraeus.yaml
rename to kubernetes/apps/flux-system/repositories/helm/piraeus.yaml
diff --git a/kubernetes/flux/repositories/helm/postfinance.yaml b/kubernetes/apps/flux-system/repositories/helm/postfinance.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/postfinance.yaml
rename to kubernetes/apps/flux-system/repositories/helm/postfinance.yaml
diff --git a/kubernetes/flux/repositories/helm/prometheus-community.yaml b/kubernetes/apps/flux-system/repositories/helm/prometheus-community.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/prometheus-community.yaml
rename to kubernetes/apps/flux-system/repositories/helm/prometheus-community.yaml
diff --git a/kubernetes/flux/repositories/helm/rook-ceph.yaml b/kubernetes/apps/flux-system/repositories/helm/rook-ceph.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/rook-ceph.yaml
rename to kubernetes/apps/flux-system/repositories/helm/rook-ceph.yaml
diff --git a/kubernetes/flux/repositories/helm/spegel.yaml b/kubernetes/apps/flux-system/repositories/helm/spegel.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/spegel.yaml
rename to kubernetes/apps/flux-system/repositories/helm/spegel.yaml
diff --git a/kubernetes/flux/repositories/helm/stakater.yaml b/kubernetes/apps/flux-system/repositories/helm/stakater.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/stakater.yaml
rename to kubernetes/apps/flux-system/repositories/helm/stakater.yaml
diff --git a/kubernetes/flux/repositories/helm/stevehipwell.yaml b/kubernetes/apps/flux-system/repositories/helm/stevehipwell.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/stevehipwell.yaml
rename to kubernetes/apps/flux-system/repositories/helm/stevehipwell.yaml
diff --git a/kubernetes/flux/repositories/helm/vector.yaml b/kubernetes/apps/flux-system/repositories/helm/vector.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/vector.yaml
rename to kubernetes/apps/flux-system/repositories/helm/vector.yaml
diff --git a/kubernetes/flux/repositories/helm/windmill.yaml b/kubernetes/apps/flux-system/repositories/helm/windmill.yaml
similarity index 100%
rename from kubernetes/flux/repositories/helm/windmill.yaml
rename to kubernetes/apps/flux-system/repositories/helm/windmill.yaml
diff --git a/kubernetes/flux/repositories/kustomization.yaml b/kubernetes/apps/flux-system/repositories/kustomization.yaml
similarity index 100%
rename from kubernetes/flux/repositories/kustomization.yaml
rename to kubernetes/apps/flux-system/repositories/kustomization.yaml
diff --git a/kubernetes/flux/repositories/oci/app-template.yaml b/kubernetes/apps/flux-system/repositories/oci/app-template.yaml
similarity index 100%
rename from kubernetes/flux/repositories/oci/app-template.yaml
rename to kubernetes/apps/flux-system/repositories/oci/app-template.yaml
diff --git a/kubernetes/flux/repositories/oci/kustomization.yaml b/kubernetes/apps/flux-system/repositories/oci/kustomization.yaml
similarity index 100%
rename from kubernetes/flux/repositories/oci/kustomization.yaml
rename to kubernetes/apps/flux-system/repositories/oci/kustomization.yaml
diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml b/kubernetes/apps/flux-system/vars/cluster-secrets.sops.yaml
similarity index 100%
rename from kubernetes/flux/vars/cluster-secrets.sops.yaml
rename to kubernetes/apps/flux-system/vars/cluster-secrets.sops.yaml
diff --git a/kubernetes/flux/vars/cluster-settings.yaml b/kubernetes/apps/flux-system/vars/cluster-settings.yaml
similarity index 100%
rename from kubernetes/flux/vars/cluster-settings.yaml
rename to kubernetes/apps/flux-system/vars/cluster-settings.yaml
diff --git a/kubernetes/flux/vars/kustomization.yaml b/kubernetes/apps/flux-system/vars/kustomization.yaml
similarity index 100%
rename from kubernetes/flux/vars/kustomization.yaml
rename to kubernetes/apps/flux-system/vars/kustomization.yaml
diff --git a/kubernetes/apps/kube-system/external-secrets/app/helmrelease.yaml b/kubernetes/apps/kube-system/external-secrets/app/helmrelease.yaml
deleted file mode 100644
index c7b0d3987..000000000
--- a/kubernetes/apps/kube-system/external-secrets/app/helmrelease.yaml
+++ /dev/null
@@ -1,41 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: external-secrets - namespace: kube-system -spec: - interval: 30m - chart: - spec: - chart: external-secrets - version: 0.15.0 - sourceRef: - kind: HelmRepository - name: external-secrets - namespace: flux-system - maxHistory: 2 - install: - createNamespace: true - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - uninstall: - keepHistory: false - values: - installCRDs: true - serviceMonitor: - enabled: true - interval: 1m - webhook: - serviceMonitor: - enabled: true - interval: 1m - certController: - serviceMonitor: - enabled: true - interval: 1m diff --git a/kubernetes/apps/kube-system/external-secrets/ks.yaml b/kubernetes/apps/kube-system/external-secrets/ks.yaml deleted file mode 100644 index d7a3c8263..000000000 --- a/kubernetes/apps/kube-system/external-secrets/ks.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app external-secrets - namespace: flux-system -spec: - targetNamespace: kube-system - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/kube-system/external-secrets/app - prune: true - sourceRef: - kind: GitRepository - name: home-ops-kubernetes - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: external-secrets-stores - namespace: flux-system -spec: - targetNamespace: kube-system - commonMetadata: - labels: - app.kubernetes.io/name: &app external-secrets - dependsOn: - - name: external-secrets - path: ./kubernetes/apps/kube-system/external-secrets/stores - prune: true - sourceRef: - kind: GitRepository - name: home-ops-kubernetes - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app diff --git a/kubernetes/apps/kube-system/external-secrets/stores/onepassword/helmrelease.yaml b/kubernetes/apps/kube-system/external-secrets/stores/onepassword/helmrelease.yaml deleted file mode 100644 index 5faf9f270..000000000 --- a/kubernetes/apps/kube-system/external-secrets/stores/onepassword/helmrelease.yaml +++ /dev/null 
@@ -1,139 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app onepassword-connect -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.7.3 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - maxHistory: 2 - install: - createNamespace: true - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - uninstall: - keepHistory: false - values: - controllers: - onepassword-connect: - annotations: - reloader.stakater.com/auto: "true" - pod: - securityContext: - runAsUser: 999 - runAsGroup: 999 - containers: - app: - image: - # repository: docker.io/1password/connect-api - repository: ghcr.io/haraldkoch/onepassword-connect-api - tag: 1.7.3@sha256:257a6ca59b806fec2c9c6df0acaef633a39e600eefba0ba03396554c00e065c1 - env: - OP_BUS_PORT: "11220" - OP_BUS_PEERS: localhost:11221 - OP_HTTP_PORT: &port 8080 - OP_SESSION: - valueFrom: - secretKeyRef: - name: onepassword-connect-secret - key: onepassword-credentials.json - probes: - liveness: - enabled: true - custom: true - spec: - httpGet: - path: /heartbeat - port: *port - initialDelaySeconds: 15 - periodSeconds: 30 - failureThreshold: 3 - readiness: - enabled: true - custom: true - spec: - httpGet: - path: /health - port: *port - initialDelaySeconds: 15 - startup: - enabled: false - resources: - requests: - cpu: 5m - memory: 10Mi - limits: - memory: 100Mi - sync: - # image: docker.io/1password/connect-sync:1.7.0 - image: - repository: ghcr.io/haraldkoch/onepassword-sync - tag: 1.7.3@sha256:7e30af4d83e6884981b2d47e6cfe5cca056da20b182e4c4c6def9e8ac65c0982 - env: - - { name: OP_HTTP_PORT, value: &sport 8081 } - - { name: OP_BUS_PORT, value: "11221" } - - { name: OP_BUS_PEERS, value: localhost:11220 } - - name: OP_SESSION - valueFrom: - 
secretKeyRef: - name: onepassword-connect-secret - key: onepassword-credentials.json - probes: - readiness: - enabled: true - custom: true - spec: - httpGet: - path: /health - port: *sport - initialDelaySeconds: 15 - liveness: - enabled: true - custom: true - spec: - httpGet: - path: /heartbeat - port: *sport - failureThreshold: 3 - periodSeconds: 30 - initialDelaySeconds: 15 - service: - app: - controller: *app - ports: - http: - port: *port - ingress: - app: - enabled: true - className: internal - annotations: - hajimari.io/enable: "false" - hosts: - - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host - persistence: - shared: - type: emptyDir - globalMounts: - - path: /home/opuser/.op/data diff --git a/kubernetes/apps/kube-system/kustomization.yaml b/kubernetes/apps/kube-system/kustomization.yaml index 35a649d45..8e8e79ff7 100644 --- a/kubernetes/apps/kube-system/kustomization.yaml +++ b/kubernetes/apps/kube-system/kustomization.yaml @@ -9,7 +9,6 @@ resources: - ./cilium/ks.yaml - ./coredns/ks.yaml - ./descheduler/ks.yaml - - ./external-secrets/ks.yaml - ./fstrim/ks.yaml - ./intel-device-plugin/ks.yaml # - ./k8s-ycl/ks.yaml diff --git a/kubernetes/apps/network/external-dns/cloudflare/helmrelease.yaml b/kubernetes/apps/network/external-dns/cloudflare/helmrelease.yaml index e57e07591..b5c553188 100644 --- a/kubernetes/apps/network/external-dns/cloudflare/helmrelease.yaml +++ b/kubernetes/apps/network/external-dns/cloudflare/helmrelease.yaml @@ -25,7 +25,6 @@ spec: strategy: rollback retries: 3 values: - fullnameOverride: *app provider: name: cloudflare env: diff --git a/kubernetes/apps/network/nginx/ks.yaml b/kubernetes/apps/network/nginx/ks.yaml index eb0fb7137..4a3e5be27 100644 --- a/kubernetes/apps/network/nginx/ks.yaml +++ b/kubernetes/apps/network/nginx/ks.yaml 
@@ -11,7 +11,7 @@ spec:
 labels:
 app.kubernetes.io/name: *app
 dependsOn:
- - name: cert-manager-issuers
+ - name: cert-manager
 path: ./kubernetes/apps/network/nginx/certificates
 prune: true
 sourceRef:
diff --git a/kubernetes/bootstrap/README.md b/kubernetes/bootstrap/README.md
index 86af3de0f..40a3d6dac 100644
--- a/kubernetes/bootstrap/README.md
+++ b/kubernetes/bootstrap/README.md
@@ -5,7 +5,7 @@
 3. Deploy [flux](https://github.com/fluxcd/flux2) `kubectl apply --server-side --kustomize ./kubernetes/bootstrap/flux`
 4. Create flux github secret `sops --decrypt ./kubernetes/bootstrap/flux/github-deploy-key.sops.yaml | kubectl apply -f -`
 5. Create sops secret `cat ~/.config/sops/age/keys.txt | kubectl create secret generic sops-age --namespace=flux-system --from-file=age.agekey=/dev/stdin`
-6. Apply flux cluster variables `kubectl apply -k ./kubernetes/flux/vars/cluster-settings.yaml`
-6. Apply flux cluster secrets `sops --decrypt ./kubernetes/flux/vars/cluster-secrets.sops.yaml | kubectl apply -f -`
+6. Apply flux cluster variables `kubectl apply -f ./kubernetes/apps/flux-system/vars/cluster-settings.yaml`
+6. Apply flux cluster secrets `sops --decrypt ./kubernetes/apps/flux-system/vars/cluster-secrets.sops.yaml | kubectl apply -f -`
 7. Apply prometheus CRDs `kubectl apply -f https://raw.githubusercontent.com/prometheus-community/helm-charts/main/charts/kube-prometheus-stack/crds/crd-prometheuses.yaml`
-7. Apply flux kustomization `kubectl apply --server-side --kustomize ./kubernetes/flux/config`
+7. Apply flux kustomization `kubectl apply --server-side --kustomize ./kubernetes/apps/flux-system`
diff --git a/kubernetes/bootstrap/apps/helmfile.yaml b/kubernetes/bootstrap/apps/helmfile.yaml
index f5ff1b87a..bc299b568 100644
--- a/kubernetes/bootstrap/apps/helmfile.yaml
+++ b/kubernetes/bootstrap/apps/helmfile.yaml
@@ -12,12 +12,6 @@ helmDefaults:
 waitForJobs: true
 repositories:
- - name: cilium
- url: https://helm.cilium.io
-
- - name: coredns
- url: https://coredns.github.io/helm
-
 - name: postfinance
 url: https://postfinance.github.io/kubelet-csr-approver
@@ -29,20 +23,31 @@ releases:
 - name: cilium
 namespace: kube-system
- chart: cilium/cilium
+ atomic: true
+ chart: oci://ghcr.io/home-operations/charts-mirror/cilium
 version: 1.17.2
 values: ["../../apps/kube-system/cilium/app/helm-values.yaml"]
+ hooks:
+ - # Wait for cilium CRDs to be available
+ events: ['postsync']
+ command: bash
+ args:
+ - -c
+ - until kubectl get crd ciliumbgppeeringpolicies.cilium.io ciliuml2announcementpolicies.cilium.io ciliumloadbalancerippools.cilium.io &>/dev/null; do sleep 10; done
+ showlogs: true
 needs: ["observability/kube-prometheus-stack-crds"]
 - name: coredns
 namespace: kube-system
- chart: coredns/coredns
+ atomic: true
+ chart: oci://ghcr.io/coredns/charts/coredns
 version: 1.39.2
 values: ["../../apps/kube-system/coredns/app/helm-values.yaml"]
 needs: ["kube-system/cilium"]
 - name: kubelet-csr-approver
 namespace: kube-system
+ atomic: true
 chart: postfinance/kubelet-csr-approver
 version: 1.2.6
 values: ["../../apps/kube-system/kubelet-csr-approver/app/helm-values.yaml"]
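Review bot: The postsync hook added to the cilium release can wait forever: `until kubectl get crd … &>/dev/null; do sleep 10; done` has no upper bound, so if the CRDs never show up the whole bootstrap run hangs silently instead of failing, and `atomic: true` does not help because the hook only runs after the release itself has succeeded. A bounded loop that exits non-zero keeps the failure visible and lets helmfile abort: `- for i in $(seq 1 30); do kubectl get crd ciliumbgppeeringpolicies.cilium.io ciliuml2announcementpolicies.cilium.io ciliumloadbalancerippools.cilium.io &>/dev/null && exit 0; sleep 10; done; exit 1`. Separately, the cilium chart is now pulled from a third-party mirror (`oci://ghcr.io/home-operations/charts-mirror/cilium`) by version tag only, and nothing in this hunk checks its provenance; if the mirror publishes signatures, verifying them before bootstrap (or recording the expected chart digest next to the version) would close that gap for the one path that runs before any in-cluster controls exist.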
@@ -50,7 +55,48 @@ releases:
 - name: spegel
 namespace: kube-system
+ atomic: true
 chart: oci://ghcr.io/spegel-org/helm-charts/spegel
- version: v0.0.30
+ version: 0.1.1
 values: ["../../apps/kube-system/spegel/app/helm-values.yaml"]
 needs: ["kube-system/kubelet-csr-approver"]
+
+ - name: cert-manager
+ namespace: cert-manager
+ atomic: true
+ chart: oci://ghcr.io/home-operations/charts-mirror/cert-manager
+ version: v1.17.1
+ values: ['../../apps/cert-manager/cert-manager/app/helm/values.yaml']
+ needs: ['kube-system/spegel']
+
+ - name: external-secrets
+ namespace: flux-system
+ atomic: true
+ chart: oci://ghcr.io/external-secrets/charts/external-secrets
+ version: 0.15.1
+ values: ['../../apps/external-secrets/external-secrets/app/helm/values.yaml']
+ needs: ['cert-manager/cert-manager']
+
+ - name: onepassword-connect
+ namespace: external-secrets
+ atomic: true
+ chart: oci://ghcr.io/bjw-s/helm/app-template
+ version: 3.7.3
+ values: ['../../apps/external-secrets/external-secrets/stores/onepassword/helm/values.yaml']
+ needs: ['external-secrets/external-secrets']
+
+ - name: flux-operator
+ namespace: flux-system
+ atomic: true
+ chart: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator
+ version: 0.18.0
+ values: ['../../apps/flux-system/flux-operator/app/helm/values.yaml']
+ needs: ['external-secrets/external-secrets']
+
+ - name: flux-instance
+ namespace: flux-system
+ atomic: true
+ chart: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-instance
+ version: 0.18.0
+ values: ['../../apps/flux-system/flux-instance/app/helm/values.yaml']
+ needs: ['flux-system/flux-operator']
diff --git a/kubernetes/flux/config/flux.yaml b/kubernetes/flux/config/flux.yaml
deleted file mode 100644
index fa3f5055f..000000000
--- a/kubernetes/flux/config/flux.yaml
+++ /dev/null
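Review bot: The `needs: ['external-secrets/external-secrets']` entries on the onepassword-connect and flux-operator releases do not match the release they point at: external-secrets is declared with `namespace: flux-system`, and helmfile resolves `needs` as `namespace/name`, so the reference names a release that does not exist and the intended ordering is not enforced (as far as I know helmfile rejects an unresolved dependency outright). Since the onepassword-connect release and both values paths live under `external-secrets`, the namespace looks like the typo: `namespace: external-secrets` on the external-secrets release, or else change both references to `flux-system/external-secrets`. The onepassword-connect release also appears to depend on a pre-existing credentials Secret (the deleted HelmRelease read `onepassword-connect-secret`); if the new values file still does, a comment above that release naming the Secret and the bootstrap step that creates it would save the next operator a failed first run.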
@@ -1,88 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: OCIRepository
-metadata:
- name: flux-manifests
- namespace: flux-system
-spec:
- interval: 10m
- url: oci://ghcr.io/fluxcd/flux-manifests
- ref:
- tag: v2.5.1@sha256:3ad46381a9efb9e4ab491d76f3cc02389284ef38a7ecf3f5f3e3c186ded63255
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: flux-installation
- namespace: flux-system
-spec:
- interval: 10m
- path: ./
- prune: true
- wait: true
- sourceRef:
- kind: OCIRepository
- name: flux-manifests
- patches:
- # Remove the network policies
- - patch: |
- $patch: delete
- apiVersion: networking.k8s.io/v1
- kind: NetworkPolicy
- metadata:
- name: not-used
- target:
- group: networking.k8s.io
- kind: NetworkPolicy
- # Increase the number of reconciliations that can be performed in parallel and bump the resources limits
- # https://fluxcd.io/flux/cheatsheets/bootstrap/#increase-the-number-of-workers
- - patch: |
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --concurrent=8
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --kube-api-qps=500
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --kube-api-burst=1000
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --requeue-dependency=5s
- target:
- kind: Deployment
- name: (kustomize-controller|helm-controller|source-controller)
- - patch: |
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: not-used
- spec:
- template:
- spec:
- containers:
- - name: manager
- resources:
- limits:
- cpu: 2000m
- memory: 2Gi
- target:
- kind: Deployment
- name: (kustomize-controller|helm-controller|source-controller)
- # Enable Helm near OOM detection
- # https://fluxcd.io/flux/cheatsheets/bootstrap/#enable-helm-near-oom-detection
- - patch: |
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --feature-gates=OOMWatch=true
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --oom-watch-memory-threshold=95
- - op: add
- path: /spec/template/spec/containers/0/args/-
- value: --oom-watch-interval=500ms
- target:
- kind: Deployment
- name: helm-controller
diff --git a/kubernetes/flux/config/kustomization.yaml b/kubernetes/flux/config/kustomization.yaml
deleted file mode 100644
index 8365c6cac..000000000
--- a/kubernetes/flux/config/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./flux.yaml
- - ./cluster.yaml
diff --git a/kubernetes/flux/apps.yaml b/kubernetes/flux/ks.yaml
similarity index 92%
rename from kubernetes/flux/apps.yaml
rename to kubernetes/flux/ks.yaml
index e905709cd..c8808c50f 100644
--- a/kubernetes/flux/apps.yaml
+++ b/kubernetes/flux/ks.yaml
@@ -24,7 +24,8 @@ spec:
 - kind: Secret
 name: cluster-secrets
 patches:
- - patch: |-
+ - # Add Sops decryption to child Kustomizations
+ patch: |-
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@@ -43,4 +44,3 @@ spec:
 target:
 group: kustomize.toolkit.fluxcd.io
 kind: Kustomization
- labelSelector: substitution.flux.home.arpa/disabled notin (true)