initial argo apps + bootstrap

Bootstrap.md

@@ -0,0 +1,15 @@
+
+
+$ helm dep update apps/system/nginx-ingress
+$ helm template --name nginx-ingress --namespace nginx-ingress apps/system/nginx-ingress | kubectl --context=gullfaxi --namespace nginx-ingress apply -f -
+
+$ helm repoadd jetstack https://charts.jetstack.io
+$ helm dep update apps/system/cert-manager
+$ helm template --name cert-manager --namespace cert-manager apps/system/cert-manager | kubectl --context=gullfaxi --namespace cert-manager apply -f -
+
+$ kubectl --context=gullfaxi apply -k apps/argocd
+# add dex.github.clientId and dex.github.clientSecret into argo-secret
+$ kubectl --context=gullfaxi -n argocd edit secret argocd-secret
+
+(optional)
+$ kubectl --context=gullfaxi apply -k apps/system/sealed-secrets

apps/argocd/ingress.yaml

@@ -0,0 +1,60 @@
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata: 
+  name: argocd
+spec:
+  secretName: argocd-secret
+  dnsNames: 
+  - argocd.gorilych.ru
+  - argocd-grpc.gorilych.ru
+  acme:
+    config:
+    - http01:
+        ingressClass: nginx
+      domains:
+      - argocd.gorilych.ru
+      - argocd-grpc.gorilych.ru
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+---
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: argocd-server-http-ingress
+  annotations:
+    kubernetes.io/ingress.class: nginx
+spec:
+  rules:
+  - http:
+      paths:
+      - backend:
+          serviceName: argocd-server
+          servicePort: http
+    host: argocd.gorilych.ru
+  tls:
+  - hosts:
+    - argocd.gorilych.ru
+    secretName: argocd-secret
+---
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: argocd-server-grpc-ingress
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/backend-protocol: GRPC
+spec:
+  rules:
+  - http:
+      paths:
+      - backend:
+          serviceName: argocd-server
+          servicePort: http
+    host: argocd-grpc.gorilych.ru
+  tls:
+  - hosts:
+    - argocd-grpc.gorilych.ru
+    secretName: argocd-secret
+

apps/argocd/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: argocd
+commonLabels:
+  app.kubernetes.io/version: v1.3.0-rc2
+  app.kubernetes.io/managed-by: argocd
+resources:
+- namespace.yaml
+# from https://raw.githubusercontent.com/argoproj/argo-cd/v1.3.0-rc2/manifests/install.yaml
+- install.yaml
+- ingress.yaml
+patchesStrategicMerge:
+- patches/argocd-server.yaml
+- patches/argocd-cm.yaml
+- patches/argocd-rbac-cm.yaml

apps/argocd/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: argocd

apps/argocd/patches/argocd-cm.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+data:
+  url: https://argocd.gorilych.ru
+  statusbadge.enabled: 'true'
+  dex.config: |
+    connectors:
+    - type: github
+      id: github
+      name: GitHub
+      config:
+        clientID: $dex.github.clientId
+        clientSecret: $dex.github.clientSecret

apps/argocd/patches/argocd-rbac-cm.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+data:
+  policy.csv: |
+    # sub for gorilych github account with id 7404372
+    g, Cgc3NDA0MzcyEgZnaXRodWI, role:admin

apps/argocd/patches/argocd-server.yaml

@@ -0,0 +1,14 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: argocd-server
+spec:
+  template:
+    spec:
+      containers:
+      - name: argocd-server
+        command:
+        - argocd-server
+        - --staticassets
+        - /shared/app
+        - --insecure

apps/system/cert-manager/.gitignore

@@ -0,0 +1,2 @@
+requirements.lock
+charts/

apps/system/cert-manager/Chart.yaml

@@ -0,0 +1 @@
+name: cert-manager

apps/system/cert-manager/requirements.yaml

@@ -0,0 +1,4 @@
+dependencies:
+- name: cert-manager
+  version: v0.10.1
+  repository: https://charts.jetstack.io

apps/system/cert-manager/templates/clusterissuer.yaml

@@ -0,0 +1,11 @@
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: gorilych@gmail.com
+    privateKeySecretRef:
+      name: letsencrypt
+    http01: {}

apps/system/cert-manager/templates/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager

apps/system/nginx-ingress/.gitignore

@@ -0,0 +1,2 @@
+requirements.lock
+charts/

apps/system/nginx-ingress/Chart.yaml

@@ -0,0 +1 @@
+name: nginx-ingress

apps/system/nginx-ingress/requirements.yaml

@@ -0,0 +1,4 @@
+dependencies:
+- name: nginx-ingress
+  version: 1.24.4
+  repository: '@stable'

apps/system/nginx-ingress/templates/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nginx-ingress

apps/system/nginx-ingress/values.yaml

@@ -0,0 +1,8 @@
+nginx-ingress:
+  controller:
+    service:
+      type: NodePort
+      nodePorts:
+        # port forwarding on router
+        http: 30080
+        https: 30443

apps/system/sealed-secrets/controller.yaml

@@ -0,0 +1,222 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations: {}
+  labels:
+    name: sealed-secrets-controller
+  name: sealed-secrets-controller
+  namespace: kube-system
+spec:
+  minReadySeconds: 30
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      name: sealed-secrets-controller
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations: {}
+      labels:
+        name: sealed-secrets-controller
+    spec:
+      containers:
+      - args: []
+        command:
+        - controller
+        env: []
+        image: quay.io/bitnami/sealed-secrets-controller:v0.9.2
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: http
+        name: sealed-secrets-controller
+        ports:
+        - containerPort: 8080
+          name: http
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: http
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 1001
+        stdin: false
+        tty: false
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmp
+      imagePullSecrets: []
+      initContainers: []
+      serviceAccountName: sealed-secrets-controller
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - emptyDir: {}
+        name: tmp
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: sealedsecrets.bitnami.com
+spec:
+  group: bitnami.com
+  names:
+    kind: SealedSecret
+    listKind: SealedSecretList
+    plural: sealedsecrets
+    singular: sealedsecret
+  scope: Namespaced
+  version: v1alpha1
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations: {}
+  labels:
+    name: sealed-secrets-controller
+  name: sealed-secrets-controller
+  namespace: kube-system
+spec:
+  ports:
+  - port: 8080
+    targetPort: 8080
+  selector:
+    name: sealed-secrets-controller
+  type: ClusterIP
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: sealed-secrets-service-proxier
+  name: sealed-secrets-service-proxier
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: sealed-secrets-service-proxier
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:authenticated
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  annotations: {}
+  labels:
+    name: sealed-secrets-service-proxier
+  name: sealed-secrets-service-proxier
+  namespace: kube-system
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - 'http:sealed-secrets-controller:'
+  - sealed-secrets-controller
+  resources:
+  - services/proxy
+  verbs:
+  - create
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  annotations: {}
+  labels:
+    name: sealed-secrets-key-admin
+  name: sealed-secrets-key-admin
+  namespace: kube-system
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - list
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations: {}
+  labels:
+    name: sealed-secrets-controller
+  name: sealed-secrets-controller
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: sealed-secrets-controller
+  name: sealed-secrets-controller
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: sealed-secrets-key-admin
+subjects:
+- kind: ServiceAccount
+  name: sealed-secrets-controller
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  annotations: {}
+  labels:
+    name: sealed-secrets-controller
+  name: sealed-secrets-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: secrets-unsealer
+subjects:
+- kind: ServiceAccount
+  name: sealed-secrets-controller
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  annotations: {}
+  labels:
+    name: secrets-unsealer
+  name: secrets-unsealer
+rules:
+- apiGroups:
+  - bitnami.com
+  resources:
+  - sealedsecrets
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch

apps/system/sealed-secrets/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: sealedsecrets
+commonLabels:
+  app.kubernetes.io/name: sealedsecrets
+  app.kubernetes.io/version: 0.9.2
+  app.kubernetes.io/managed-by: argocd
+resources:
+- namespace.yaml
+# from https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.9.2/controller.yaml
+- controller.yaml

apps/system/sealed-secrets/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: sealedsecrets