wip: more or less working argo and cilium helmfile setup

2025-05-16 15:30:01 +02:00
parent ddc95aad80
commit 223149ecdd
37 changed files with 582 additions and 100 deletions
@@ -1,59 +0,0 @@
-bases:
- - ../base/environments.yaml.gotmpl
-
-repositories:
- name: argo
-  url: https://argoproj.github.io/argo-helm
-
-releases:
- name: argocd
-  namespace: argocd
-  chart: argo/argo-cd
-  version: 7.5.2
-  values:
-  - values/argocd.yaml.gotmpl
-  - values/argocd-{{ .Environment.Name }}.yaml.gotmpl
-  - values/argocd-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
-  postRenderer: ../../bin/kustomizer
-  postRendererArgs:
-  - kustomize/{{ .Environment.Name }}
-  missingFileHandler: Info
- name: argocd-apps
-  namespace: argocd
-  chart: argo/argocd-apps
-  version: 0.0.1
-  condition: install.argo.apps.enabled
-  values:
-  - values/apps.yaml.gotmpl
-  - values/apps-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
-  missingFileHandler: Info
- name: argo-rollouts
-  namespace: argocd
-  chart: argo/argo-rollouts
-  version: 2.35.2
-  condition: install.argo.rollouts.enabled
-  values:
-  - values/rollouts.yaml.gotmpl
-  - values/rollouts-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
-  missingFileHandler: Info
- name: argo-workflows
-  namespace: argocd
-  chart: argo/argo-workflows
-  version: 0.45.0
-  condition: install.argo.workflows.enabled
-  values:
-  - values/workflows.yaml.gotmpl
-  - values/workflows-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
-  missingFileHandler: Info
- name: manifests
-  namespace: argocd
-  chart: _manifests
-  hooks:
-  - events: [ prepare, cleanup ]
-    showlogs: true
-    command: ../../bin/helmify
-    args:
-    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
-    - '{{`{{ .Release.Chart }}`}}'
-    - '{{`{{ .Environment.Name }}`}}'
-
@@ -0,0 +1,35 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  destination:
+    namespace: argocd
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.clusterConfig.manifests }}
+    targetRevision: HEAD
+    path: helmfiles/argocd
+    plugin:
+      name: helmfile
+      env:
+      - name: CLUSTER_NAME
+        value: {{ .Values.clusterConfig.cluster }}
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.argocd.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{- end }}
@@ -1,3 +1,12 @@
+argo:
+  enabled: true
+  apps:
+    enabled: true
+  rollouts:
+    enabled: false
+  workflows:
+    enabled: false
+
 argocd:
  anyNamespaces:
    enabled: false
@@ -0,0 +1,22 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: cilium-test
+spec:
+  egress:
+    - toEndpoints:
+        - {}
+    - toEntities:
+        - cluster
+    - toEntities:
+        - remote-node
+    - toEntities:
+        - world
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEntities:
+        - cluster
+    - fromEntities:
+        - world
@@ -0,0 +1,57 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cilium
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  destination:
+    namespace: kube-system
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.clusterConfig.manifests }}
+    targetRevision: HEAD
+    path: helmfiles/cilium
+    plugin:
+      name: helmfile
+      env:
+        - name: CLUSTER_NAME
+          value: {{ .Values.clusterConfig.cluster }}
+  project: sys
+  syncPolicy:
+    syncOptions:
+    - ServerSideApply=true
+    {{- if .Values.cilium.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+  ignoreDifferences:
+    - group: apps
+      jqPathExpressions:
+        - .spec.volumeClaimTemplates
+      kind: StatefulSet
+      name: spire-server
+    - group: monitoring.coreos.com
+      jqPathExpressions:
+        - .spec.endpoints[]?.relabelings[]?.action
+      kind: ServiceMonitor
+    - group: ''
+      jsonPointers:
+        - /data/ca.crt
+      kind: ConfigMap
+      name: hubble-ca-cert
+    - group: ''
+      jsonPointers:
+        - /data/ca.crt
+        - /data/ca.key
+      kind: Secret
+      name: cilium-ca
+    - group: ''
+      jqPathExpressions:
+        - .spec.ports[]?.nodePort
+      kind: Service
+      name: cilium-ingress
+{{- end }}
@@ -0,0 +1,23 @@
+{{if .Values.cilium.loadbalancerPool.enabled }}
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: "loadbalancer"
+spec:
+  blocks:
+  {{- range .Values.cilium.loadbalancerPool.cidr }}
+  - cidr: {{ . }}
+  {{- end }}
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumL2AnnouncementPolicy
+metadata:
+  name: policy
+spec:
+  nodeSelector:
+    matchExpressions:
+      - key: node-role.kubernetes.io/control-plane
+        operator: DoesNotExist
+  externalIPs: true
+  loadBalancerIPs: true
+{{- end}}
@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-acme-solvers
+spec:
+  description: Policy for ingress for Acme Solvers.
+  endpointSelector:
+    matchLabels:
+      acme.cert-manager.io/http01-solver: "true"
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx
@@ -0,0 +1,24 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-dns
+spec:
+  description: 'description: Allow only dns traffic by default. Also acts as a deny-all policy'
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+        - rules:
+            dns:
+              - matchPattern: '*'
+  endpointSelector:
+    matchExpressions:
+      - key: io.kubernetes.pod.namespace
+        operator: NotIn
+        values:
+          - kube-system
@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-mariadb-operator
+spec:
+  description: allow mariadb instances to be reached by operator
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: mariadb
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: mariadb-operator
+            io.kubernetes.pod.namespace: mariadb-operator
+      toPorts:
+        - ports:
+            - port: "3306"
+              protocol: TCP
@@ -0,0 +1,20 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-s3-traffic
+spec:
+  description: Policy for egress for CNPG Backups.
+  egress:
+    - toFQDNs:
+      {{- range .Values.clusterConfig.s3.hosts }}
+        - matchName: {{ . | quote }}
+      {{- end }}
+      {{- range .Values.clusterConfig.s3.patterns }}
+        - matchPattern: {{ . | quote }}
+      {{- end }}
+    - toCIDR:
+      {{- range .Values.clusterConfig.s3.cidr }}
+        - {{ . | quote }}
+      {{- end }}
+  endpointSelector:
+    matchLabels: {}
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: cilium-health-checks
+spec:
+  description: Health checks
+  egress:
+    - toEntities:
+        - remote-node
+  endpointSelector:
+    matchLabels:
+      reserved:health: ""
+  ingress:
+    - fromEntities:
+        - remote-node
@@ -0,0 +1,9 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: deny-all
+spec:
+  description: Deny all
+  egress: []
+  endpointSelector: {}
+  ingress: []
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: cilium-spire
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels: {}
@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-to-server
+  namespace: cilium-spire
+spec:
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEntities:
+        - remote-node
+      toPorts:
+        - ports:
+            - port: "8081"
+              protocol: TCP
@@ -0,0 +1,15 @@
+cilium:
+  enabled: true
+  nodePort:
+    enable: true
+  l2announcement:
+    enable: true
+  loadbalancerPool:
+    enabled: true
+    cidr:
+     - 10.255.241.11/32
+     - 10.255.241.12/32
+     - 10.255.241.13/32
+     - 10.255.241.14/32
+     - 10.255.241.15/32
+
@@ -0,0 +1,32 @@
+cilium:
+  enabled: false
+  autosync: true
+  spire:
+    enabled: false
+  envoy:
+    enabled: false
+  hubble:
+    ui: true
+    enabled: false
+  encryption:
+    enabled: true
+    type: wireguard
+  kubeProxyReplacement: true
+  l2announcement:
+    enabled: false
+  nodePort:
+    enabled: false
+  gatewayAPI:
+    enabled: false
+  ingressController:
+    enabled: false
+    defaultClass: false
+    loadbalancerMode: shared
+  policyAuditMode: false
+  upgradeCompatability: 1.15
+  k8sServiceHost: localhost
+  k8sServicePort: 7445
+  loadbalancerPool:
+    enabled: false
+    cidr: []
+
@@ -1,4 +1,6 @@
 clusterConfig:
+  argo:
+    enabled: true
  env: "prod"
  distro: "talos"
  domain: "adm.oceanbox.io"
@@ -27,6 +29,10 @@ clusterConfig:
    secret_ref:
      name: oceanbox-oidc
    group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
+  s3:
+    hosts: []
+    patterns: []
+    cidr: []
  nodes: []
  ingress_whitelist_ips:
    #itp internal
@@ -17,6 +17,10 @@ clusterConfig:
  acme_email: ""
  nodenames: []
  nodes: []
+  s3:
+    hosts: []
+    patterns: []
+    cidr: []
  ingress_clusterissuer: "letsencrypt-production"
  ingress_whitelist_ips:
    - 10.0.0.0/8