steps towards a completely managed cluster

2024-03-20 23:45:08 +01:00 · 2024-03-20 23:45:08 +01:00 · 443da20ff9
commit 443da20ff9
parent 84a47b15b6
19 changed files with 223 additions and 17 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,6 @@
 # Kubernetes secrets
 *.secret.yaml
 main.key
 # Helm Chart files
 charts/
--- a/README.md
+++ b/README.md
@ -1,7 +1,6 @@
 # Kluster setup and IaaC using argoCD
 ### Initial setup
 #### Requirements:
 - A running k3s instance
@ -28,5 +27,21 @@ The app-of-apps will bootstrap a fully featured cluster with the following compo
    - immich
    - ...
 #### Recap
 - install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
    ```bash
    kubectl apply -k infrastructure/sealedsecrets
    kubectl apply -f infrastructure/sealedsecrets/main.key
    kubectl delete pod -n kube-system -l name=sealed-secrets-controller
    ```
 - install argocd
    ```bash
    kubectl apply -k infrastructure/argocd
    ```
 - wait...
 ### Adding an application
 todo
--- a/apps/ocis/deployment.yaml
+++ b/apps/ocis/deployment.yaml
@ -0,0 +1,48 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: ocis-statefulset
 spec:
  selector:
    matchLabels:
      app: ocis
  serviceName: ocis-web
  replicas: 1
  template:
    metadata:
      labels:
        app: ocis
    spec:
      containers:
      - name: ocis
        image: ocis
        resources:
          limits:
            memory: "1Gi"
            cpu: "1000m"
        env:
        - name: OCIS_INSECURE
          value: "true"
        - name: OCIS_URL
          value: "https://ocis.kluster.moll.re"
        - name: OCIS_LOG_LEVEL
          value: "debug"
        ports:
        - containerPort: 9200
        volumeMounts:
        - name: ocis-config
          mountPath: /etc/ocis
        # - name: ocis-config-file
        #   mountPath: /etc/ocis/config.yaml
        - name: ocis-data
          mountPath: /var/lib/ocis
      volumes:
      # - name: ocis-config
      #   persistentVolumeClaim:
      #     claimName: ocis-config
      - name: ocis-config
        secret:
          secretName: ocis-config
      - name: ocis-data
        persistentVolumeClaim:
          claimName: ocis-data
--- a/apps/ocis/ingress.yaml
+++ b/apps/ocis/ingress.yaml
@ -0,0 +1,18 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
  name: ocis-ingressroute
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`ocis.kluster.moll.re`)
    kind: Rule
    services:
    - name: ocis-web
      port: 9200
      scheme: https
  tls:
    certResolver: default-tls 
--- a/apps/ocis/kustomization.yaml
+++ b/apps/ocis/kustomization.yaml
@ -0,0 +1,16 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources: 
  - namespace.yaml
  - ingress.yaml
  - service.yaml
  - pvc.yaml
  - deployment.yaml
  - ocis-config.sealedsecret.yaml
 namespace: ocis
 images:
  - name: ocis
    newName: owncloud/ocis
    newTag: "5.0"
--- a/apps/ocis/namespace.yaml
+++ b/apps/ocis/namespace.yaml
@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: placeholder
--- a/apps/ocis/ocis-config.sealedsecret.yaml
+++ b/apps/ocis/ocis-config.sealedsecret.yaml
--- a/apps/ocis/pvc.yaml
+++ b/apps/ocis/pvc.yaml
@ -0,0 +1,11 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: ocis-data
 spec:
  storageClassName: nfs-client
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 100Gi
--- a/apps/ocis/service.yaml
+++ b/apps/ocis/service.yaml
@ -0,0 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: ocis-web
 spec:
  selector:
    app: ocis
  ports:
  - port: 9200
    targetPort: 9200
--- a/infrastructure/external/kustomization.yaml
+++ b/infrastructure/external/kustomization.yaml
@ -0,0 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: external
 resources:
  - omv-s3.ingress.yaml
  - openmediavault.ingress.yaml
  - proxmox.ingress.yaml
--- a/infrastructure/external/omv-s3.ingress.yaml
+++ b/infrastructure/external/omv-s3.ingress.yaml
@ -2,7 +2,6 @@ apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
  name: omv-s3-ingressroute
  namespace: external
 spec:
  entryPoints:
    - websecure
@ -20,7 +19,6 @@ apiVersion: v1
 kind: Endpoints
 metadata:
  name: omv-s3
  namespace: external
 subsets:
  - addresses:
      - ip: 192.168.1.157
@ -31,7 +29,6 @@ apiVersion: v1
 kind: Service
 metadata:
  name: omv-s3
  namespace: external
 spec:
  ports:
    - port: 9000
--- a/infrastructure/nfs/kustomization.yaml
+++ b/infrastructure/nfs/kustomization.yaml
@ -3,8 +3,6 @@ kind: Kustomization
 namespace: nfs-provisioner
 bases:
 resources:
  - github.com/kubernetes-sigs/nfs-subdir-external-provisioner//deploy
  - namespace.yaml
--- a/infrastructure/sealedsecrets/README.md
+++ b/infrastructure/sealedsecrets/README.md
@ -0,0 +1,9 @@
 ### Restoring sealed secrets
 ```bash
 # install the sealed secrets controller
 kubectl kustomize . | kubectl apply -f -
 # restore the sealed secrets
 kubectl apply -f main.key
 # restart pod
 kubectl delete pod -n kube-system -l name=sealed-secrets-controller
 ```
--- a/infrastructure/sealedsecrets/controller.yaml
+++ b/infrastructure/sealedsecrets/controller.yaml
@ -6,7 +6,6 @@ metadata:
  labels:
    name: sealed-secrets-service-proxier
  name: sealed-secrets-service-proxier
  namespace: kube-system
 rules:
 - apiGroups:
  - ""
@ -35,7 +34,6 @@ metadata:
  labels:
    name: sealed-secrets-controller
  name: sealed-secrets-controller
  namespace: kube-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@ -43,7 +41,6 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: sealed-secrets-controller
  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@ -52,7 +49,6 @@ metadata:
  labels:
    name: sealed-secrets-key-admin
  name: sealed-secrets-key-admin
  namespace: kube-system
 rules:
 - apiGroups:
  - ""
@ -116,7 +112,6 @@ metadata:
  labels:
    name: sealed-secrets-service-proxier
  name: sealed-secrets-service-proxier
  namespace: kube-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@ -133,7 +128,6 @@ metadata:
  labels:
    name: sealed-secrets-controller
  name: sealed-secrets-controller
  namespace: kube-system
 spec:
  minReadySeconds: 30
  replicas: 1
@ -157,7 +151,7 @@ spec:
        command:
        - controller
        env: []
-        image: docker.io/bitnami/sealed-secrets-controller:v0.23.1
+        image: controller
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
@ -342,7 +336,6 @@ metadata:
  labels:
    name: sealed-secrets-controller
  name: sealed-secrets-controller
  namespace: kube-system
 spec:
  ports:
  - port: 8080
@ -365,7 +358,6 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: sealed-secrets-controller
  namespace: kube-system
 ---
 apiVersion: v1
 kind: ServiceAccount
@ -374,4 +366,3 @@ metadata:
  labels:
    name: sealed-secrets-controller
  name: sealed-secrets-controller
  namespace: kube-system
--- a/infrastructure/sealedsecrets/kustomization.yaml
+++ b/infrastructure/sealedsecrets/kustomization.yaml
@ -0,0 +1,12 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kube-system
 resources:
  - controller.yaml
 images:
  - name: controller
    newName: docker.io/bitnami/sealed-secrets-controller
    newTag: v0.23.1
--- a/kluster-deployments/external-services/application.yaml
+++ b/kluster-deployments/external-services/application.yaml
@ -0,0 +1,19 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: external-application
  namespace: argocd
 spec:
  project: infrastructure
  source:
    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
    targetRevision: main
    path: infrastructure/external
  destination:
    server: https://kubernetes.default.svc
    namespace: external
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
--- a/kluster-deployments/external-services/kustomization.yaml
+++ b/kluster-deployments/external-services/kustomization.yaml
@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - application.yaml
--- a/kluster-deployments/ocis/application.yaml
+++ b/kluster-deployments/ocis/application.yaml
@ -0,0 +1,19 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: ocis-application
  namespace: argocd
 spec:
  project: apps
  source:
    repoURL: ssh://git@git.kluster.moll.re:2222/remoll/k3s-infra.git
    targetRevision: main
    path: apps/ocis
  destination:
    server: https://kubernetes.default.svc
    namespace: ocis
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
--- a/kluster-deployments/ocis/kustomization.yaml
+++ b/kluster-deployments/ocis/kustomization.yaml
@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - application.yaml