feat(f5): incept CIS and IPAM

Signed-off-by: Ben Dronen <[email protected]>

kubernetes/workloads/argocd-olm/manifests/applications/f5-ipam-controller.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: f5-ipam-controller
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: "https://github.com/dronenb/HomeLab.git"
+    targetRevision: HEAD
+    path: kubernetes/workloads/f5-ipam-controller/manifests/overlays/fh
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: f5-ipam-controller
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: false

kubernetes/workloads/argocd-olm/manifests/applications/k8s-bigip-ctlr.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: k8s-bigip-ctlr
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: "https://github.com/dronenb/HomeLab.git"
+    targetRevision: HEAD
+    path: kubernetes/workloads/k8s-bigip-ctlr/manifests/overlays/fh
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: k8s-bigip-ctlr
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: false

kubernetes/workloads/argocd-olm/manifests/applications/kustomization.yaml

@@ -4,7 +4,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 resources:
   - argocd.yaml
   - cilium.yaml
+  - f5-ipam-controller.yaml
   - gateway-api.yaml
+  - k8s-bigip-ctlr.yaml
   - kube-vip.yaml
   - nfs-subdir-external-provisioner.yaml
   - olm.yaml

kubernetes/workloads/f5-ipam-controller/create_manifests.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+shopt -s failglob
+
+NAMESPACE=f5-ipam-controller
+
+mkdir -p manifests/base
+pushd manifests/base > /dev/null || exit 1
+
+helm repo add f5-ipam-stable https://f5networks.github.io/f5-ipam-controller/helm-charts/stable
+helm repo update
+helm template --include-crds f5-ipam-stable f5-ipam-stable/f5-ipam-controller -f ../../values.yaml | \
+    yq --no-colors --prettyPrint '... comments=""' | \
+    kubectl-slice -o . --template "{{ .kind | lower }}.yaml"
+
+echo "---" >> namespace.yaml
+kubectl create namespace "${NAMESPACE}" -o yaml --dry-run=client | \
+    kubectl neat \
+    >> namespace.yaml
+
+# Iterate over each yaml file
+files=()
+for file in *.yaml; do
+    if [[ "${file}" == "kustomization.yaml" ]]; then
+        continue
+    fi
+    files+=("${file}")
+    contents="$(cat "${file}")"
+    printf -- "---\n# yamllint disable rule:line-length\n%s" "${contents}" > "${file}"
+done
+
+cat <<EOF > kustomization.yaml
+---
+kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+namespace: ${NAMESPACE}
+resources:
+$(printf "  - %s\n" "${files[@]}")
+EOF
+
+prettier --write .

kubernetes/workloads/f5-ipam-controller/ipam.yaml

@@ -0,0 +1,9 @@
+apiVersion: fic.f5.com/v1
+kind: IPAM
+metadata:
+  name: testing
+  namespace: kube-system
+spec:
+  hostSpecs:
+    - ipamLabel: test
+      key: test

kubernetes/workloads/f5-ipam-controller/manifests/base/clusterrole.yaml

@@ -0,0 +1,39 @@
+---
+# yamllint disable rule:line-length
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: f5-ipam-stable-f5-ipam-controller
+  labels:
+    app.kubernetes.io/instance: f5-ipam-stable
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: f5-ipam-controller
+    app: f5-ipam-controller
+    chart: f5-ipam-controller-0.0.5
+    release: f5-ipam-stable
+    heritage: Helm
+rules:
+  - verbs:
+      - get
+      - list
+      - watch
+      - update
+      - create
+      - patch
+      - delete
+    apiGroups:
+      - fic.f5.com
+    resources:
+      - ipams
+      - ipams/status
+  - verbs:
+      - get
+      - list
+      - watch
+      - update
+      - create
+      - patch
+    apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions

kubernetes/workloads/f5-ipam-controller/manifests/base/clusterrolebinding.yaml

@@ -0,0 +1,23 @@
+---
+# yamllint disable rule:line-length
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: f5-ipam-stable-f5-ipam-controller
+  namespace: f5-ipam-controller
+  labels:
+    app.kubernetes.io/instance: f5-ipam-stable
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: f5-ipam-controller
+    app: f5-ipam-controller
+    chart: f5-ipam-controller-0.0.5
+    release: f5-ipam-stable
+    heritage: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: f5-ipam-stable-f5-ipam-controller
+subjects:
+  - kind: ServiceAccount
+    name: f5-ipam-stable-f5-ipam-controller
+    namespace: f5-ipam-controller

kubernetes/workloads/f5-ipam-controller/manifests/base/deployment.yaml

@@ -0,0 +1,58 @@
+---
+# yamllint disable rule:line-length
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: f5-ipam-stable-f5-ipam-controller
+  namespace: f5-ipam-controller
+  labels:
+    app.kubernetes.io/instance: f5-ipam-stable
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: f5-ipam-controller
+    app: f5-ipam-controller
+    chart: f5-ipam-controller-0.0.5
+    release: f5-ipam-stable
+    heritage: Helm
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: f5-ipam-controller
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: f5-ipam-stable
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: f5-ipam-controller
+        app: f5-ipam-controller
+        release: f5-ipam-stable
+    spec:
+      serviceAccountName: f5-ipam-stable-f5-ipam-controller
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      containers:
+        - name: f5-ipam-controller
+          image: f5networks/f5-ipam-controller:0.1.11
+          volumeMounts:
+            - name: fic-volume-mount
+              mountPath: /app/ipamdb
+          imagePullPolicy: Always
+          command:
+            - /app/bin/f5-ipam-controller
+          args:
+            - --orchestration=kubernetes
+            - --ipam-provider=f5-ip-provider
+            - --ip-range={"test":"172.16.1.1-172.16.1.5", "prod":"172.16.1.50-172.16.1.55"}
+          resources:
+            limits:
+              cpu: 100m
+              memory: 512Mi
+            requests:
+              cpu: 100m
+              memory: 512Mi
+      volumes:
+        - name: fic-volume-mount
+          persistentVolumeClaim:
+            claimName: f5-ipam-stable-f5-ipam-controller

kubernetes/workloads/f5-ipam-controller/manifests/base/kustomization.yaml

@@ -0,0 +1,11 @@
+---
+kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+namespace: f5-ipam-controller
+resources:
+  - clusterrole.yaml
+  - clusterrolebinding.yaml
+  - deployment.yaml
+  - namespace.yaml
+  - persistentvolumeclaim.yaml
+  - serviceaccount.yaml

kubernetes/workloads/f5-ipam-controller/manifests/base/namespace.yaml

@@ -0,0 +1,7 @@
+---
+# yamllint disable rule:line-length
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: f5-ipam-controller

kubernetes/workloads/f5-ipam-controller/manifests/base/persistentvolumeclaim.yaml

@@ -0,0 +1,22 @@
+---
+# yamllint disable rule:line-length
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: f5-ipam-stable-f5-ipam-controller
+  namespace: f5-ipam-controller
+  labels:
+    app.kubernetes.io/instance: f5-ipam-stable
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: f5-ipam-controller
+    app: f5-ipam-controller
+    chart: f5-ipam-controller-0.0.5
+    release: f5-ipam-stable
+    heritage: Helm
+spec:
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 2Gi

kubernetes/workloads/f5-ipam-controller/manifests/base/serviceaccount.yaml

@@ -0,0 +1,15 @@
+---
+# yamllint disable rule:line-length
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: f5-ipam-stable-f5-ipam-controller
+  namespace: f5-ipam-controller
+  labels:
+    app.kubernetes.io/instance: f5-ipam-stable
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: f5-ipam-controller
+    app: f5-ipam-controller
+    chart: f5-ipam-controller-0.0.5
+    release: f5-ipam-stable
+    heritage: Helm

kubernetes/workloads/f5-ipam-controller/manifests/overlays/fh/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+resources:
+  - ../../base

kubernetes/workloads/f5-ipam-controller/values.yaml

@@ -0,0 +1,81 @@
+rbac:
+  create: true
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+# This namespace is where the Controller lives
+namespace: f5-ipam-controller
+args:
+  # NOTE: helm has difficulty with values using `-`; `_` are used for naming
+  # and are replaced with `-` during rendering.
+  # REQUIRED Params
+  orchestration: "kubernetes"
+  provider: "f5-ip-provider"
+  # provider: "infoblox"
+
+  # REQUIRED Params if provider is infoblox
+  #if you want to set infoblox access credentials through secret uncomment below line.
+  #infoblox_login_secret: infoblox-credentials
+  # REQUIRED Params if provider is f5-ip-provider
+  ip_range: '{"test":"172.16.1.1-172.16.1.5", "prod":"172.16.1.50-172.16.1.55"}'
+
+  # OPTIONAL PARAMS -- uncomment and provide values for those you wish to use.
+  log-level: DEBUG
+  # version
+
+  # OPTIONAL PARAMS if provider is infoblox
+  # infoblox_wapi_port: "443"
+  # insecure
+
+image:
+  # Use the tag to target a specific version of the Controller
+  user: f5networks
+  repo: f5-ipam-controller
+  pullPolicy: Always
+  version: 0.1.11
+# affinity:
+#   nodeAffinity:
+#     requiredDuringSchedulingIgnoredDuringExecution:
+#       nodeSelectorTerms:
+#       - matchExpressions:
+#         - key: kubernetes.io/arch
+#           operator: Exists
+# securityContext:
+#   runAsUser: 1000
+#   runAsGroup: 3000
+#   fsGroup: 2000
+# If you want to specify resources, uncomment the following
+# limits_cpu: 100m
+# limits_memory: 512Mi
+# requests_cpu: 100m
+# requests_memory: 512Mi
+
+# updateStrategy is used to set the update strategy for f5-ipam-controller deployment.
+# The default update strategy is RollingUpdate, however if you want to set it to Recreate then uncomment the following line.
+# Note: Setting updateStrategy to Recreate may have some downtime during the update.
+#updateStrategy: Recreate
+
+pvc:
+  # set create tag to true to create new persistent volume claim and set storageClassName,accessMode and storage
+  create: true
+
+  #name of the  persistent volume claim to be used
+  # If not set and create is true, a name is generated using the fullname template
+
+  #if create set to false below parameters will be ignored
+  storageClassName: nfs-client
+  accessMode: ReadWriteMany
+  storage: 2Gi
+
+volume:
+  mountPath: /app/ipamdb
+  mountName: fic-volume-mount
+# To enable tolerations, uncomment below block and customize key,effect,operator.
+# Below is just an example and different key,value and operators are also supported
+#tolerations:
+#  - key: "node-role.kubernetes.io/master"
+#    effect: "NoSchedule"
+#    operator: "Exists"