WIP Initial Fluxv2 Migration (#100)

* update to fluxv2 Signed-off-by: Michael Fornaro <[email protected]> * add fullnameOverride to fix pvc char length error Signed-off-by: Michael Fornaro <[email protected]> * udpate virtualservices to match services Signed-off-by: Michael Fornaro <[email protected]> * update certificate api version Signed-off-by: Michael Fornaro <[email protected]> * update cluster issuer api version Signed-off-by: Michael Fornaro <[email protected]> update cert-manager chart Signed-off-by: Michael Fornaro <[email protected]> move back to staging lets encrypt until stable Signed-off-by: Michael Fornaro <[email protected]> move back to staging lets encrypt until stable Signed-off-by: Michael Fornaro <[email protected]> * cert-manager vebosity set to 4 Signed-off-by: Michael Fornaro <[email protected]> * syntax: indentation Signed-off-by: Michael Fornaro <[email protected]> * syntax: indentation Signed-off-by: Michael Fornaro <[email protected]> update cert-manager chart Signed-off-by: Michael Fornaro <[email protected]> * update workflow to remove broken resource checks Signed-off-by: Michael Fornaro <[email protected]> * update workflow and build scripts Signed-off-by: Michael Fornaro <[email protected]>
xunholy · Oct 6, 2020 · 2035f7f · 2035f7f
1 parent ca1da4e
commit 2035f7f
Show file tree

Hide file tree

Showing 86 changed files with 5,517 additions and 3,323 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -19,4 +19,4 @@ Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<is
 
 ## Notes
 
-Add special notes for your reviewer here.
+Add special notes for your reviewer here.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -102,8 +102,9 @@ jobs:
             ${{ steps.conftest-stdout.outputs.result }}
             ```
 
-            ## Conftest Test Results - Helm charts
-            ```
-            ${{ steps.conftest-helm.outputs.result }}
-            ```
+            # TODO: Update with the new fluxv2 resources
+            # ## Conftest Test Results - Helm charts
+            # ```
+            # ${{ steps.conftest-helm.outputs.result }}
+            # ```
           check_for_duplicate_msg: true
diff --git a/.github/workflows/builder-image.yml b/.github/workflows/builder-image.yml
@@ -13,33 +13,44 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+        with:
+          platforms: all
+
       - name: Set up Docker Buildx
         id: buildx
-        uses: crazy-max/ghaction-docker-buildx@v1
+        uses: docker/setup-buildx-action@v1
         with:
-          buildx-version: latest
+          install: true
+          version: latest
+          driver-opts: image=moby/buildkit:master
 
-      - name: Login to GitHub Docker Registry
-        run: echo "${DOCKERHUB_PASSWORD}" | docker login -u "${DOCKERHUB_USERNAME}" --password-stdin
-        env:
-          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-          DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
-      - name: Build Container Image
+      - name: Build and Push
         if: github.ref != 'refs/heads/master'
-        run: |
-          docker buildx build \
-            --platform linux/amd64,linux/arm64 \
-            --tag raspbernetes/builder:${{ github.sha }} \
-            -f ./scripts/builder/Dockerfile \
-            . --push
-
-      - name: Build Container Image
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./build/docker/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            raspbernetes/builder:${{ github.sha }}
+
+      - name: Build and Push
         if: github.ref == 'refs/heads/master'
-        run: |
-          docker buildx build \
-            --platform linux/amd64,linux/arm64 \
-            --tag raspbernetes/builder:latest \
-            -f ./scripts/builder/Dockerfile \
-            . --push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./build/docker/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            raspbernetes/builder:latest
 
diff --git a/.github/workflows/helm-operator.yml b/.github/workflows/helm-operator.yml
diff --git a/.secrets/k8s-secret-cloudflare-cert-manager-token.yaml b/.secrets/k8s-secret-cloudflare-cert-manager-token.yaml
diff --git a/.secrets/k8s-secret-dex-helm-values.yaml b/.secrets/k8s-secret-dex-helm-values.yaml
diff --git a/.secrets/k8s-secret-fluxcd-ssh.yaml b/.secrets/k8s-secret-fluxcd-ssh.yaml
diff --git a/bootstrap/install.sh b/bootstrap/install.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+set -eou pipefail
+
+# TODO: automatically update the ~/.kube/config with required context generated.
+KUBECONFIG=~/.kube/config:~/projects/k8s-install/ansible/playbooks/output/k8s-config.yaml kubectl config view --flatten > ~/.kube/config
+
+if [[ ! $(gotk) ]]; then
+  echo "gotk needs to be installed - https://toolkit.fluxcd.io/get-started/#install-the-toolkit-cli"
+  exit 1
+fi
+
+# Untaint master nodes
+# TODO: Enable Ansible to allow configuring the taints to be added/removed.
+[[ ! $(kubectl taint nodes --all node-role.kubernetes.io/master-) ]] && echo "Masters untainted"
+
+# Check the cluster meets the fluxv2 prerequisites
+gotk check --pre
+[[ $? -ne 0 ]] && echo "Prerequisites were not satisfied" && exit 1
+
+gotk install \
+  --version=latest \
+  --components=source-controller,kustomize-controller,helm-controller,notification-controller \
+  --namespace=gitops-system \
+  --network-policy=false \
+  --arch=arm64
+
+if [[ -f .secrets/k8s-secret-fluxcd-ssh.yaml ]]; then
+  echo "Applying existing sealed-secret key"
+  kubectl apply -f .secrets/k8s-secret-sealed-secret-private-key.yaml
+fi
+
+if [[ -f bootstrap/repo.yaml ]]; then
+  echo "Applying Repo Sync"
+  kubectl apply -f bootstrap/repo.yaml
+fi
diff --git a/bootstrap/repo.yaml b/bootstrap/repo.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: k8s-gitops
+  namespace: gitops-system
+spec:
+  interval: 5m
+  ref:
+    branch: fluxv2-init
+  url: https://github.com/raspbernetes/k8s-gitops.git
+  ignore: |
+    # exclude all
+    /*
+    # include deploy dir
+    !/namespaces/
+    /namespaces/**/*.md
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+kind: Kustomization
+metadata:
+  name: k8s-gitops
+  namespace: gitops-system
+spec:
+  interval: 5m
+  path: './namespaces/'
+  sourceRef:
+    kind: GitRepository
+    name: k8s-gitops
+  prune: true
diff --git a/scripts/builder/Dockerfile → build/docker/Dockerfile b/scripts/builder/Dockerfile → build/docker/Dockerfile
diff --git a/scripts/builder/README.md → build/docker/README.md b/scripts/builder/README.md → build/docker/README.md
diff --git a/scripts/validate.sh → build/validate.sh b/scripts/validate.sh → build/validate.sh
diff --git a/cilium/calico-chaining/README.md b/cilium/calico-chaining/README.md
@@ -0,0 +1,116 @@
+# Cilium
+
+## Calico Chaining
+
+Documentation: https://docs.cilium.io/en/v1.8/gettingstarted/cni-chaining-calico/
+
+### Deployment
+
+```bash
+kubectl apply -f cilium/calico-chaining/chaining.yaml
+```
+
+```bash
+helm repo add cilium https://helm.cilium.io/
+```
+
+#### Helm Template (Optional)
+
+```bash
+helm template cilium/cilium --version 1.8.90 \
+  --namespace=kube-system \
+  --values=cilium/calico-chaining/values.yaml > cilium/calico-chaining/cilium.yaml
+```
+
+```bash
+kubectl apply -f cilium/calico-chaining/cilium.yaml
+```
+
+#### Helm Install (Recommended)
+
+```bash
+helm install cilium cilium/cilium --version v1.9.0-rc0 \
+  --namespace=kube-system \
+  --values=cilium/calico-chaining/values.yaml
+```
+
+### Testing
+
+Image: https://hub.docker.com/r/raspbernetes/json-mock
+
+```bash
+kubectl apply -f cilium/calico-chaining/json-mock.yaml
+```
+
+### Cleanup
+
+```bash
+kubectl delete -f cilium/calico-chaining/chaining.yaml
+```
+
+#### Helm Template Cleanup
+
+```bash
+kubectl delete -f cilium/calico-chaining/cilium.yaml
+```
+
+#### Helm Install Cleanup
+
+```bash
+helm uninstall cilium
+```
+
+```bash
+kubectl delete -f cilium/calico-chaining/json-mock.yaml
+```
+
+## Output
+
+```bash
+❯ k get po
+NAME                                                    READY   STATUS    RESTARTS   AGE
+calico-kube-controllers-c9784d67d-pmh2h                 1/1     Running   1          64m
+calico-node-j2ppc                                       1/1     Running   0          64m
+calico-node-m6c74                                       1/1     Running   0          64m
+calico-node-rhlw8                                       1/1     Running   0          64m
+calico-node-rm9nj                                       1/1     Running   0          64m
+cilium-62whg                                            1/1     Running   0          21m
+cilium-7q7bj                                            1/1     Running   1          21m
+cilium-b6zd9                                            1/1     Running   1          21m
+cilium-gwrmj                                            1/1     Running   0          21m
+cilium-operator-5cf59548b6-7vdn4                        1/1     Running   0          21m
+cilium-operator-5cf59548b6-mthbh                        1/1     Running   1          21m
+coredns-f9fd979d6-kh8j9                                 1/1     Running   0          14m
+coredns-f9fd979d6-zzwxk                                 1/1     Running   0          19m
+echo-a-66c7b457cb-5pnqn                                 1/1     Running   0          5m
+echo-b-5cb69b67dd-869ll                                 1/1     Running   0          5m
+echo-b-host-fbccc9bb9-9dgc6                             1/1     Running   0          5m
+etcd-k8s-master-01                                      1/1     Running   0          115m
+etcd-k8s-master-02                                      1/1     Running   1          115m
+etcd-k8s-master-03                                      1/1     Running   0          114m
+host-to-b-multi-node-clusterip-5b7666b85f-fnkn2         0/1     Running   4          4m56s
+host-to-b-multi-node-headless-7788c557df-shn2d          0/1     Running   4          4m55s
+kube-apiserver-k8s-master-01                            1/1     Running   0          115m
+kube-apiserver-k8s-master-02                            1/1     Running   1          115m
+kube-apiserver-k8s-master-03                            1/1     Running   1          114m
+kube-controller-manager-k8s-master-01                   1/1     Running   1          115m
+kube-controller-manager-k8s-master-02                   1/1     Running   2          115m
+kube-controller-manager-k8s-master-03                   1/1     Running   1          113m
+kube-proxy-bvvft                                        1/1     Running   0          115m
+kube-proxy-h6l52                                        1/1     Running   0          115m
+kube-proxy-x6fg9                                        1/1     Running   0          114m
+kube-proxy-zqnw8                                        1/1     Running   0          115m
+kube-scheduler-k8s-master-01                            1/1     Running   1          115m
+kube-scheduler-k8s-master-02                            1/1     Running   2          115m
+kube-scheduler-k8s-master-03                            1/1     Running   1          113m
+metrics-server-64dd4994b-mw8g2                          1/1     Running   1          108m
+pod-to-a-85c9d7755c-29fnd                               0/1     Running   4          4m59s
+pod-to-a-allowed-cnp-655c99c98f-7q84v                   0/1     Running   4          4m58s
+pod-to-a-denied-cnp-7998f5bd67-jrxg7                    1/1     Running   0          4m58s
+pod-to-b-intra-node-nodeport-8d9fb4ccc-gb45d            0/1     Running   4          4m53s
+pod-to-b-multi-node-clusterip-c6b4b97c7-kmgdx           0/1     Running   4          4m57s
+pod-to-b-multi-node-headless-54649b5569-s6rmd           0/1     Running   4          4m56s
+pod-to-b-multi-node-nodeport-75bfddc769-gh4ql           0/1     Running   4          4m54s
+pod-to-external-1111-64cffd6cd7-xmvs5                   1/1     Running   0          4m59s
+pod-to-external-fqdn-allow-google-cnp-95c44f8ff-ftm5b   0/1     Running   4          4m57s
+```
diff --git a/cilium/calico-chaining/chaining.yaml b/cilium/calico-chaining/chaining.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cni-configuration
+  namespace: kube-system
+data:
+  cni-config: |-
+    {
+      "name": "generic-veth",
+      "cniVersion": "0.3.1",
+      "plugins": [
+        {
+          "type": "calico",
+          "log_level": "info",
+          "datastore_type": "kubernetes",
+          "mtu": 1440,
+          "ipam": {
+              "type": "calico-ipam"
+          },
+          "policy": {
+              "type": "k8s"
+          },
+          "kubernetes": {
+              "kubeconfig": "/etc/cni/net.d/calico-kubeconfig"
+          }
+        },
+        {
+          "type": "portmap",
+          "snat": true,
+          "capabilities": {"portMappings": true}
+        },
+        {
+          "type": "cilium-cni"
+        }
+      ]
+    }