wip: merge old serit-platfrom into manifests

charts/sys/templates/pre-cluster/cluster-auth-rbac.yaml

@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cluster-admin
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-admin
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  namespace: kube-system
+  name: cluster-admin
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: 'system:masters'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system-default
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  namespace: kube-system
+  name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubernetes
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: kubernetes

charts/sys/templates/pre-cluster/kube-flannel-rbac.yaml

@@ -0,0 +1,42 @@
+# Create the clusterrole and clusterrolebinding:
+# $ kubectl create -f kube-flannel-rbac.yml
+# Create the pod using the same namespace used by the flannel serviceaccount:
+# $ kubectl create --namespace kube-system -f kube-flannel-legacy.yml
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: flannel-client
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes/status
+    verbs:
+      - patch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: flannel-client
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: flannel-client
+subjects:
+  - kind: User
+    name: flannel-client
+    apiGroup: rbac.authorization.k8s.io

charts/sys/templates/pre-cluster/kube-proxy-rbac.yaml

@@ -0,0 +1,51 @@
+# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kube-proxy
+subjects:
+  - kind: User
+    name: kube-proxy
+    apiGroup: rbac.authorization.k8s.io
+  - kind: ServiceAccount
+    name: kube-proxy
+    namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-proxy
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kube-proxy
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+      - events
+      - services
+      - nodes
+    verbs: ["get", "watch", "list"]
+  - nonResourceURLs: ["*"]
+    verbs: ["get", "watch", "list"]
+
+  - apiGroups:
+      - ""
+      - "events.k8s.io"
+    resources:
+      - events
+    verbs: ["*"]
+      
+  - nonResourceURLs: ["*"]
+    verbs: ["*"]
+  - apiGroups:
+    - discovery.k8s.io
+    resources:
+    - endpointslices
+    verbs:
+    - list
+    - watch
+
+

charts/sys/templates/pre-cluster/label-and-taint-nodes.yaml

@@ -0,0 +1,96 @@
+{{ if .Values.cluster_config.nodes }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: label-and-taint-nodes
+  namespace: kube-system
+spec:
+  backoffLimit: 1
+  template:
+    metadata:
+      annotations:
+        linkerd.io/inject: disable
+    spec:
+      restartPolicy: Never
+      serviceAccountName: label-and-taint-nodes
+      securityContext:
+        runAsUser: 12000
+        runAsGroup: 13000
+        fsGroup: 10000
+      affinity:
+      tolerations:
+      - key: unschedulable
+        value: "true"
+        effect: NoSchedule
+      containers:
+      - image: bitnami/kubectl:1.24
+        name: kubectl
+        resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+        command:
+        - "/bin/sh"
+        - -c
+        - /tmp/scripts/script.sh
+        volumeMounts:
+          - name: scripts
+            mountPath: /tmp/scripts
+      volumes:
+        - name: scripts
+          configMap:
+            name: label-and-taint-scripts
+            defaultMode: 0755
+---
+apiVersion: v1
+data:
+  script.sh: |
+    #! /bin/bash
+{{- range $node := .Values.cluster_config.nodes }}
+  {{- range .labels }}
+    kubectl label nodes --overwrite=true {{ $node.name }} {{ . | quote }}
+  {{- end }}
+  {{- range .taints }}
+    kubectl taint nodes --overwrite=true {{ $node.name }} {{ . | quote }}
+  {{- end }}
+{{- end }}
+kind: ConfigMap
+metadata:
+  name: label-and-taint-scripts
+  namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: label-and-taint-nodes
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: label-and-taint-nodes
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - update
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: label-and-taint-nodes
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: label-and-taint-nodes
+subjects:
+- kind: ServiceAccount
+  name: label-and-taint-nodes
+  namespace: kube-system
+{{ end }}