feat: Migrate sys applications to helmfile

Move most of helmfiles into temp to test only velero. File structure: ```bash / ├── helmfile.d/ # Helmfiles, *.yaml.gotmpl ├── charts/ # Our own charts, e.g `Atlantis` ├── values # Values for helmfiles │ ├── <chart> │ │ ├── values.yaml.gotmpl # Values to be templated in `values/` │ │ ├── kustomize # Kustomizations per environment │ │ ├── manifests # Raw manifests │ │ │ ├── <chart>.yaml # Argo App for bootstrap │ │ │ ├── dashboards # Grafana dashboards │ │ │ │ └── <chart>-metrics.yaml │ │ │ └── policies # Cilium and Kyverno policies │ │ │ ├── CiliumNetworkPolicy-allow-api-server.yaml │ │ │ └── KyvernoPolicy-regred-secret.yaml │ │ └── values # Values for each environment │ │ ├── <chart>-staging.yaml.gotmpl # Values for staging environment │ │ ├── <chart>-prod.yaml.gotmpl # Values for prod environment │ │ └── <chart>.yaml.gotmpl # Standard values for all environments │ │ │ ├── values.yaml # Standard values for all cluster │ ├── values-oceanbox.yaml # Values overrides for oceanbox │ ├── values-ekman.yaml # Values overrides for ekman ```
2025-06-04 13:18:18 +02:00
parent a0a0f8586d
commit 1bb720840d
102 changed files with 9862 additions and 106 deletions
@@ -0,0 +1,38 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: cert-manager
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.clusterConfig.manifests }}
+    targetRevision: HEAD
+    path: helmfiles/cert-manager
+    plugin:
+      name: helmfile
+      env:
+      - name: CLUSTER_NAME
+        value: {{ .Values.clusterConfig.cluster }}
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      # - ServerSideApply=true
+    {{- if .Values.cert_manager.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{- end }}
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server-to-cert-manager
+  namespace: cert-manager
+spec:
+  description: Allow the API server to communicate with the cert-manager pods
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: cert-manager
+  ingress:
+    - fromEntities:
+        - remote-node
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: cert-manager
+spec:
+  description: Allow the Kube API server to communicate with cert-manager
+  egress:
+    - toEntities:
+        - kube-apiserver
+  endpointSelector:
+    matchLabels: {}
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: cert-manager
+spec:
+  description: Allow Prometheus metrics
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: cert-manager
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+    - toPorts:
+        - ports:
+            - port: "9402"
+              protocol: TCP
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-world-traffic
+  namespace: cert-manager
+spec:
+  description: Allow the world to communicate with cert-manager
+  egress:
+    - toEntities:
+        - world
+  endpointSelector:
+    matchLabels: {}
@@ -0,0 +1,225 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  name: letsencrypt-production
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: {{ .Values.cluster_config.acme_email }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-production
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  name: letsencrypt-staging
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: {{ .Values.cluster_config.acme_email }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  name: ca-issuer
+spec:
+  ca:
+    secretName: cluster-ca
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  name: selfsigning-issuer
+spec:
+  selfSigned: {}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: front-proxy-client
+subjects:
+  - kind: User
+    name: front-proxy-client
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: front-proxy-client
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: front-proxy-client
+rules:
+- apiGroups:
+  - "webhook.cert-manager.io"
+  resources:
+  - mutations
+  - validations
+  verbs: [ "*" ]
+- apiGroups:
+  - metrics.k8s.io
+  resources:
+  - pods
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+---
+
+{{ if .Values.cluster_config.initca }}
+
+# Pod to update certificates from master nodes
+# only runs on control plane nodes (etcd)
+# Mounts cert files rotatet by nixos service.mgr and uses it to update cert-manager secret
+# Always create certs on initial creation,
+# Otherwise, cert creation would not happen until cronJob runs
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cert-create
+  namespace: cert-manager
+spec:
+  backoffLimit: 1
+  template:
+    metadata:
+      labels:
+        block-egress: "true"
+      annotations:
+        linkerd.io/inject: disabled
+    spec:
+      restartPolicy: Never
+      serviceAccountName: cert-secret-updater
+      securityContext:
+        runAsUser: 12000
+        runAsGroup: 13000
+        fsGroup: 10000
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node-role.kubernetes.io
+                operator: In
+                values:
+                - control-plane
+      tolerations:
+      - key: unschedulable
+        value: "true"
+        effect: NoSchedule
+      containers:
+      - image: bitnami/kubectl:1.24
+        name: kubectl
+        resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+        command: 
+        - "/bin/sh" 
+        - -c
+        - /tmp/renew-certs/renew-certs.sh
+        volumeMounts:
+          - name: ca-pem
+            mountPath: /tmp/ca.pem
+          - name: ca-key-pem
+            mountPath: /tmp/ca-key.pem
+          - name: certs-script
+            mountPath: /tmp/renew-certs
+      volumes:
+        - name: ca-pem
+          hostPath:
+            path: {{.Values.cluster_config.initca}}/ca.pem
+            type: File
+        - name: ca-key-pem
+          hostPath:
+            path: {{.Values.cluster_config.initca}}/ca-key.pem
+            type: File
+        - name: certs-script
+          configMap:
+            name: renew-certs-script
+            defaultMode: 0755
+---
+apiVersion: v1
+data:
+  renew-certs.sh: |
+    #! /bin/bash
+    kubectl create secret tls -n cert-manager cluster-ca --cert=/tmp/ca.pem --key=/tmp/ca-key.pem --dry-run=client -o yaml > /tmp/new-secret.yaml
+    kubectl apply -f /tmp/new-secret.yaml
+kind: ConfigMap
+metadata:
+  name: renew-certs-script
+  namespace: cert-manager
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-secret-updater
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-secret-updater-role
+  namespace: cert-manager
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - cluster-ca
+  resources:
+  - secrets
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-secret-updater-rbinding
+  namespace: cert-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-secret-updater-role
+subjects:
+- kind: ServiceAccount
+  name: cert-secret-updater
+  namespace: cert-manager
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-egress
+  namespace: cert-manager
+spec:
+  podSelector: 
+    matchLabels:
+      block-egress: "true"
+  policyTypes:
+  - Egress
+---
+{{ end }}
@@ -0,0 +1,3 @@
+cert_manager:
+ enabled: true
+ autosync: true
@@ -0,0 +1,5 @@
+installCRDs: true
+enableCertificateOwnerRef: true
+startupapicheck:
+  podAnnotations:
+    linkerd.io/inject: disabled