-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
19 changed files
with
428 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,9 @@ | ||
.vagrant/ | ||
*/**/charts/ | ||
*/**/requirements.lock | ||
*.key | ||
argocd-pw | ||
ca.crt | ||
gateway-password.txt | ||
kubeconfig | ||
notes | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,5 @@ | ||
apiVersion: v1 | ||
appVersion: "1.0" | ||
description: Applications | ||
name: applications | ||
description: Cluster infrastructure Stage 1 | ||
name: cluster-infra-stage-1 | ||
version: 0.1.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
IPADDRESS=192.168.122.118 | ||
ssh -o UserKnownHostsFile=/dev/null $IPADDRESS cat /etc/rancher/k3s/k3s.yaml |sed 's/default/k3s/g' |sed "s/127\.0\.0\.1/$IPADDRESS/" > ~/.kube/config | ||
|
||
# If not already installed..... | ||
# | ||
# CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt) | ||
# CLI_ARCH=amd64 | ||
# if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi | ||
# curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum} | ||
# sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum | ||
# sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin | ||
# rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum} | ||
|
||
helm repo add argo https://argoproj.github.io/argo-helm | ||
helm repo add cilium https://helm.cilium.io/ | ||
|
||
helm repo update | ||
|
||
helm upgrade --install cilium cilium/cilium --version 1.16.0 \ | ||
--namespace kube-system \ | ||
--set bpf.datapathMode=netkit \ | ||
--set cni.exclusive=false \ | ||
--set envoy.enabled=false \ | ||
--set ipam.operator.clusterPoolIPv4PodCIDRList="10.42.0.0/16" \ | ||
--set k8sServiceHost=127.0.0.1 \ | ||
--set k8sServicePort=6443 \ | ||
--set kubeProxyReplacement=true \ | ||
--set operator.replicas=1 \ | ||
--set securityContext.privileged=true \ | ||
--set securityContext.privileged=true | ||
|
||
cilium status --wait | ||
|
||
sleep 5 | ||
|
||
kubectl get pods --all-namespaces -o custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name,HOSTNETWORK:.spec.hostNetwork --no-headers=true | grep '<none>' | awk '{print "-n "$1" "$2}' | xargs -L 1 -r kubectl delete pod | ||
|
||
sleep 30 | ||
|
||
helm upgrade --install --namespace argocd --create-namespace argocd argo/argo-cd --set configs.params."server.insecure"=true | ||
|
||
helm template ./infra-stage-1 |kubectl apply -f - | ||
|
||
# Generate trust anchor | ||
step certificate create root.linkerd.cluster.local ca.crt ca.key \ | ||
--profile root-ca --no-password --insecure --not-after=87600h | ||
|
||
# create, save, and apply sealed secret for trust anchor | ||
kubectl -n linkerd create secret tls \ | ||
linkerd-trust-anchor \ | ||
--cert=ca.crt \ | ||
--key=ca.key \ | ||
--dry-run=client -o yaml | \ | ||
kubeseal --controller-name=sealed-secrets \ | ||
--controller-namespace=kubeseal -o yaml > infra-stage-2/templates/linkerd/sealed-linkerd-trust-anchor.yaml | ||
|
||
#################################################################### | ||
# update ca cert in linkerd-control-plane with one generated above # | ||
# commit to git and push # | ||
#################################################################### | ||
|
||
helm template ./infra-stage-2 |kubectl apply -f - | ||
|
||
# In another terminal | ||
kubectl port-forward service/argocd-server -n argocd 8080:443 | ||
|
||
# In original terminal | ||
ARGOCD_PW=$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d) | ||
|
||
~/argocd login localhost:8080 --insecure --username admin --password $ARGOCD_PW | ||
~/argocd account update-password --current-password $ARGOCD_PW | ||
|
||
# checked out viz dashboard via laptop | ||
# will need to enforce the that the following annotation is on everything but cert-manager | ||
# linkerd.io/inject: enabled | ||
# | ||
# Will need to setup LB IPAM like what is talked about in | ||
# https://blog.stonegarden.dev/articles/2024/02/bootstrapping-k3s-with-cilium/#enable-ssh-server-optional | ||
# | ||
# |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
apiVersion: v1 | ||
appVersion: "1.0" | ||
description: Cluster infrastructure Stage 1 | ||
name: infra-stage-1 | ||
version: 0.1.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
apiVersion: argoproj.io/v1alpha1 | ||
kind: Application | ||
metadata: | ||
name: infra-stage-1 | ||
namespace: argocd | ||
spec: | ||
destination: | ||
namespace: argocd | ||
server: https://kubernetes.default.svc | ||
project: infra | ||
source: | ||
helm: | ||
path: infra-stage-1 | ||
repoURL: https://github.com/genebean/kubebag.git | ||
targetRevision: redo | ||
syncPolicy: | ||
automated: | ||
prune: true | ||
selfHeal: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
apiVersion: argoproj.io/v1alpha1 | ||
kind: Application | ||
metadata: | ||
name: argocd | ||
namespace: argocd | ||
annotations: | ||
argocd.argoproj.io/sync-wave: "-100" | ||
finalizers: | ||
- resources-finalizer.argocd.argoproj.io | ||
spec: | ||
destination: | ||
namespace: argocd | ||
server: "https://kubernetes.default.svc" | ||
project: infra | ||
source: | ||
chart: argo-cd | ||
repoURL: https://argoproj.github.io/argo-helm | ||
targetRevision: 7.3.11 | ||
helm: | ||
valuesObject: | ||
configs: | ||
params: | ||
"server.insecure": true | ||
syncPolicy: | ||
automated: | ||
prune: true | ||
selfHeal: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
apiVersion: argoproj.io/v1alpha1 | ||
kind: Application | ||
metadata: | ||
name: cert-manager | ||
namespace: argocd | ||
annotations: | ||
argocd.argoproj.io/sync-wave: "-90" | ||
spec: | ||
project: infra | ||
source: | ||
chart: cert-manager | ||
repoURL: https://charts.jetstack.io | ||
targetRevision: v1.15.2 | ||
helm: | ||
valuesObject: | ||
installCRDs: "true" | ||
extraArgs: | ||
- '--enable-gateway-api' | ||
destination: | ||
namespace: cert-manager | ||
server: https://kubernetes.default.svc | ||
syncPolicy: | ||
automated: | ||
prune: true | ||
selfHeal: true | ||
syncOptions: | ||
- CreateNamespace=true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
apiVersion: argoproj.io/v1alpha1 | ||
kind: Application | ||
metadata: | ||
name: linkerd-cni | ||
namespace: argocd | ||
annotations: | ||
argocd.argoproj.io/sync-wave: "-90" | ||
spec: | ||
project: infra | ||
source: | ||
chart: linkerd2-cni | ||
repoURL: https://helm.linkerd.io/edge | ||
targetRevision: 2024.7.5 | ||
helm: | ||
valuesObject: | ||
privileged: "true" | ||
destination: | ||
namespace: linkerd-cni | ||
server: https://kubernetes.default.svc | ||
syncPolicy: | ||
automated: | ||
prune: true | ||
selfHeal: true | ||
syncOptions: | ||
- CreateNamespace=true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
apiVersion: argoproj.io/v1alpha1 | ||
kind: Application | ||
metadata: | ||
name: linkerd-crds | ||
namespace: argocd | ||
annotations: | ||
argocd.argoproj.io/sync-wave: "-90" | ||
spec: | ||
project: infra | ||
source: | ||
chart: linkerd-crds | ||
repoURL: https://helm.linkerd.io/edge | ||
targetRevision: 2024.7.5 | ||
helm: | ||
valuesObject: | ||
enableHttpRoutes: false | ||
destination: | ||
namespace: linkerd | ||
server: https://kubernetes.default.svc | ||
syncPolicy: | ||
automated: | ||
prune: true | ||
selfHeal: true | ||
syncOptions: | ||
- CreateNamespace=true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
apiVersion: argoproj.io/v1alpha1 | ||
kind: Application | ||
metadata: | ||
name: sealed-secrets | ||
namespace: argocd | ||
annotations: | ||
argocd.argoproj.io/sync-wave: "-90" | ||
finalizers: | ||
- resources-finalizer.argocd.argoproj.io | ||
spec: | ||
project: infra | ||
source: | ||
chart: sealed-secrets | ||
repoURL: https://bitnami-labs.github.io/sealed-secrets | ||
targetRevision: 2.16.1 | ||
destination: | ||
server: "https://kubernetes.default.svc" | ||
namespace: kubeseal | ||
syncPolicy: | ||
automated: | ||
prune: true | ||
selfHeal: true | ||
syncOptions: | ||
- CreateNamespace=true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
apiVersion: argoproj.io/v1alpha1 | ||
kind: Application | ||
metadata: | ||
name: traefik-v3 | ||
namespace: argocd | ||
annotations: | ||
argocd.argoproj.io/sync-wave: "-90" | ||
spec: | ||
project: infra | ||
source: | ||
chart: traefik | ||
repoURL: https://traefik.github.io/charts | ||
targetRevision: 30.0.2 | ||
helm: | ||
valuesObject: | ||
ingressClass: | ||
name: traefik | ||
providers: | ||
kubernetesCRD: | ||
ingressClass: traefik | ||
kubernetesIngress: | ||
ingressClass: traefik | ||
destination: | ||
namespace: traefik-v3 | ||
server: https://kubernetes.default.svc | ||
syncPolicy: | ||
automated: | ||
prune: true | ||
selfHeal: true | ||
syncOptions: | ||
- CreateNamespace=true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
apiVersion: argoproj.io/v1alpha1 | ||
kind: AppProject | ||
metadata: | ||
name: infra | ||
namespace: argocd | ||
spec: | ||
sourceRepos: | ||
- '*' | ||
destinations: | ||
- namespace: '*' | ||
server: '*' | ||
clusterResourceWhitelist: | ||
- group: '*' | ||
kind: '*' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
apiVersion: v1 | ||
appVersion: "1.0" | ||
description: Cluster infrastructure Stage 2 | ||
name: infra-stage-2 | ||
version: 0.1.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
apiVersion: argoproj.io/v1alpha1 | ||
kind: Application | ||
metadata: | ||
name: infra-stage-2 | ||
namespace: argocd | ||
spec: | ||
destination: | ||
namespace: argocd | ||
server: https://kubernetes.default.svc | ||
project: infra | ||
source: | ||
helm: | ||
path: infra-stage-2 | ||
repoURL: https://github.com/genebean/kubebag | ||
targetRevision: redo | ||
syncPolicy: | ||
automated: | ||
prune: true | ||
selfHeal: true |
Oops, something went wrong.