diff --git a/.gitignore b/.gitignore
index f11b0d6..6d1a9ba 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,9 @@
 .vagrant/
 */**/charts/
 */**/requirements.lock
+*.key
 argocd-pw
+ca.crt
 gateway-password.txt
 kubeconfig
 notes
diff --git a/apps/Chart.yaml b/apps/Chart.yaml
index 3510e2a..f79be5c 100644
--- a/apps/Chart.yaml
+++ b/apps/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
 appVersion: "1.0"
-description: Applications
-name: applications
+description: Cluster infrastructure Stage 1
+name: cluster-infra-stage-1
 version: 0.1.0
diff --git a/apps/values.yaml b/apps/values.yaml
index 9eccd30..3c77bef 100644
--- a/apps/values.yaml
+++ b/apps/values.yaml
@@ -3,4 +3,5 @@ spec:
 server: https://kubernetes.default.svc
 source:
 repoURL: https://github.com/genebean/kubebag
- targetRevision: HEAD
+ # targetRevision: HEAD
+ targetRevision: redo
diff --git a/bootstrap.sh b/bootstrap.sh
new file mode 100644
index 0000000..5bfdf3f
--- /dev/null
+++ b/bootstrap.sh
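Review bot: `# targetRevision: HEAD` in the apps/values.yaml hunk is a commented-out setting kept beside the live `targetRevision: redo`; delete the dead line, git history already holds the old value. `redo` reads as a branch name, so every Application in this commit that uses it (this file, infra-stage-1/templates/app-infra-stage-1.yaml and infra-stage-2/templates/app-infra-stage-2.yaml) follows a mutable ref with automated prune/selfHeal syncing; that is acceptable for a development branch but deserves a comment saying so, e.g. `# development branch; point at a tag or main before promoting`. The enclosing `spec.source` mapping begins outside the hunk.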
@@ -0,0 +1,80 @@
+IPADDRESS=192.168.122.118
+ssh -o UserKnownHostsFile=/dev/null $IPADDRESS cat /etc/rancher/k3s/k3s.yaml |sed 's/default/k3s/g' |sed "s/127\.0\.0\.1/$IPADDRESS/" > ~/.kube/config
+
+# If not already installed.....
+#
+# CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
+# CLI_ARCH=amd64
+# if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
+# curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
+# sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
+# sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
+# rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
+
+helm repo add argo https://argoproj.github.io/argo-helm
+helm repo add cilium https://helm.cilium.io/
+
+helm repo update
+
+helm upgrade --install cilium cilium/cilium --version 1.16.0 \
+ --namespace kube-system \
+ --set bpf.datapathMode=netkit \
+ --set cni.exclusive=false \
+ --set envoy.enabled=false \
+ --set ipam.operator.clusterPoolIPv4PodCIDRList="10.42.0.0/16" \
+ --set k8sServiceHost=127.0.0.1 \
+ --set k8sServicePort=6443 \
+ --set kubeProxyReplacement=true \
+ --set operator.replicas=1 \
+ --set securityContext.privileged=true \
+ --set securityContext.privileged=true
+
+cilium status --wait
+
+sleep 5
+
+kubectl get pods --all-namespaces -o custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name,HOSTNETWORK:.spec.hostNetwork --no-headers=true | grep '' | awk '{print "-n "$1" "$2}' | xargs -L 1 -r kubectl delete pod
+
+sleep 30
+
+helm upgrade --install --namespace argocd --create-namespace argocd argo/argo-cd --set configs.params."server.insecure"=true
+
+helm template ./infra-stage-1 |kubectl apply -f -
+
+# Generate trust anchor
+step certificate create root.linkerd.cluster.local ca.crt ca.key \
+--profile root-ca --no-password --insecure --not-after=87600h
+
+# create, save, and apply sealed secret for trust anchor
+kubectl -n linkerd create secret tls \
+ linkerd-trust-anchor \
+ --cert=ca.crt \
+ --key=ca.key \
+ --dry-run=client -o yaml | \
+kubeseal --controller-name=sealed-secrets \
+--controller-namespace=kubeseal -o yaml > infra-stage-2/templates/linkerd/sealed-linkerd-trust-anchor.yaml
+
+####################################################################
+# update ca cert in linkerd-control-plane with one generated above #
+# commit to git and push #
+####################################################################
+
+helm template ./infra-stage-2 |kubectl apply -f -
+
+# In another terminal
+kubectl port-forward service/argocd-server -n argocd 8080:443
+
+# In original terminal
+ARGOCD_PW=$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d)
+
+~/argocd login localhost:8080 --insecure --username admin --password $ARGOCD_PW
+~/argocd account update-password --current-password $ARGOCD_PW
+
+# checked out viz dashboard via laptop
+# will need to enforce the that the following annotation is on everything but cert-manager
+# linkerd.io/inject: enabled
+#
+# Will need to setup LB IPAM like what is talked about in
+# https://blog.stonegarden.dev/articles/2024/02/bootstrapping-k3s-with-cilium/#enable-ssh-server-optional
+#
+#
diff --git a/infra-stage-1/Chart.yaml b/infra-stage-1/Chart.yaml
new file mode 100644
index 0000000..c707191
--- /dev/null
+++ b/infra-stage-1/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: Cluster infrastructure Stage 1
+name: infra-stage-1
+version: 0.1.0
diff --git a/infra-stage-1/templates/app-infra-stage-1.yaml b/infra-stage-1/templates/app-infra-stage-1.yaml
new file mode 100644
index 0000000..71fccd7
--- /dev/null
+++ b/infra-stage-1/templates/app-infra-stage-1.yaml
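Review bot: The `helm upgrade --install cilium` call passes `--set securityContext.privileged=true` twice (its last two `--set` lines); drop the duplicate. The file is a runbook rather than a runnable script: it has no shebang or `set -euo pipefail`, `kubectl port-forward ... 8080:443` blocks until interrupted, and the "In another terminal" comment assumes a human, so either add `#!/usr/bin/env bash` plus `set -euo pipefail` and move the interactive steps out, or rename it so nobody runs it end to end. `~/argocd login localhost:8080 --insecure --username admin --password $ARGOCD_PW` places the initial admin password on the command line, where it is visible in process listings and shell history; quote the expansion at minimum (`"$ARGOCD_PW"`, also on the `update-password` line) and prefer an interactive prompt or stdin form if the CLI offers one. The ssh line's `-o UserKnownHostsFile=/dev/null` means the k3s host's key is never recorded, so each run re-accepts whatever key the host presents; pin it once in a dedicated known_hosts file instead.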
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: infra-stage-1
+ namespace: argocd
+spec:
+ destination:
+ namespace: argocd
+ server: https://kubernetes.default.svc
+ project: infra
+ source:
+ helm:
+ path: infra-stage-1
+ repoURL: https://github.com/genebean/kubebag.git
+ targetRevision: redo
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/infra-stage-1/templates/apps/app-argocd.yaml b/infra-stage-1/templates/apps/app-argocd.yaml
new file mode 100644
index 0000000..d3a3461
--- /dev/null
+++ b/infra-stage-1/templates/apps/app-argocd.yaml
@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: argocd
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-100"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: argocd
+ server: "https://kubernetes.default.svc"
+ project: infra
+ source:
+ chart: argo-cd
+ repoURL: https://argoproj.github.io/argo-helm
+ targetRevision: 7.3.11
+ helm:
+ valuesObject:
+ configs:
+ params:
+ "server.insecure": true
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
\ No newline at end of file
diff --git a/infra-stage-1/templates/apps/app-cert-manager.yaml b/infra-stage-1/templates/apps/app-cert-manager.yaml
new file mode 100644
index 0000000..338650f
--- /dev/null
+++ b/infra-stage-1/templates/apps/app-cert-manager.yaml
@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cert-manager
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-90"
+spec:
+ project: infra
+ source:
+ chart: cert-manager
+ repoURL: https://charts.jetstack.io
+ targetRevision: v1.15.2
+ helm:
+ valuesObject:
+ installCRDs: "true"
+ extraArgs:
+ - '--enable-gateway-api'
+ destination:
+ namespace: cert-manager
+ server: https://kubernetes.default.svc
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
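Review bot: `path: infra-stage-1` is nested under `source.helm`, but the Argo CD Application schema keeps the repository path at `spec.source.path`; `spec.source.helm` holds Helm options (`parameters`, `valuesObject`, `valueFiles` and friends), so this `path` is either rejected by the CRD schema or silently ignored, and the Application is left without a path to render. Move it up one level: `source:` / `  path: infra-stage-1` / `  repoURL: https://github.com/genebean/kubebag.git`, and drop the then-empty `helm:` key. The same misplacement is in infra-stage-2/templates/app-infra-stage-2.yaml.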
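Review bot: `"server.insecure": true` under `configs.params` turns off TLS on argocd-server, which is only appropriate when something in front of it terminates TLS, and nothing in this commit does; bootstrap.sh reaches it through `kubectl port-forward ... 8080:443` with `--insecure`. Add a comment above `configs:` recording the intended termination point, e.g. `# TLS is expected to terminate at the gateway/ingress in front of argocd-server`, or leave the parameter out until that exists. The file also lacks a trailing newline (`\ No newline at end of file`).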
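Review bot: `installCRDs: "true"` passes a string where the chart value is a boolean; if the template only tests the value for truthiness it happens to work, but then `"false"` would be truthy too, so write `installCRDs: true`. The same string-for-boolean pattern appears in app-linkerd-cni.yaml (`privileged: "true"`), while app-linkerd-crds.yaml uses a real boolean (`enableHttpRoutes: false`); keep one form across the chart. If I recall correctly, cert-manager 1.15 deprecates `installCRDs` in favour of `crds.enabled`; verify against the chart's values file before the next version bump.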
diff --git a/infra-stage-1/templates/apps/app-linkerd-cni.yaml b/infra-stage-1/templates/apps/app-linkerd-cni.yaml
new file mode 100644
index 0000000..6a5a193
--- /dev/null
+++ b/infra-stage-1/templates/apps/app-linkerd-cni.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: linkerd-cni
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-90"
+spec:
+ project: infra
+ source:
+ chart: linkerd2-cni
+ repoURL: https://helm.linkerd.io/edge
+ targetRevision: 2024.7.5
+ helm:
+ valuesObject:
+ privileged: "true"
+ destination:
+ namespace: linkerd-cni
+ server: https://kubernetes.default.svc
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/infra-stage-1/templates/apps/app-linkerd-crds.yaml b/infra-stage-1/templates/apps/app-linkerd-crds.yaml
new file mode 100644
index 0000000..6eea7c4
--- /dev/null
+++ b/infra-stage-1/templates/apps/app-linkerd-crds.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: linkerd-crds
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-90"
+spec:
+ project: infra
+ source:
+ chart: linkerd-crds
+ repoURL: https://helm.linkerd.io/edge
+ targetRevision: 2024.7.5
+ helm:
+ valuesObject:
+ enableHttpRoutes: false
+ destination:
+ namespace: linkerd
+ server: https://kubernetes.default.svc
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/infra-stage-1/templates/apps/app-sealed-secrets.yaml b/infra-stage-1/templates/apps/app-sealed-secrets.yaml
new file mode 100644
index 0000000..0d1e79e
--- /dev/null
+++ b/infra-stage-1/templates/apps/app-sealed-secrets.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: sealed-secrets
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-90"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: infra
+ source:
+ chart: sealed-secrets
+ repoURL: https://bitnami-labs.github.io/sealed-secrets
+ targetRevision: 2.16.1
+ destination:
+ server: "https://kubernetes.default.svc"
+ namespace: kubeseal
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/infra-stage-1/templates/apps/app-traefik.yaml b/infra-stage-1/templates/apps/app-traefik.yaml
new file mode 100644
index 0000000..8918e0d
--- /dev/null
+++ b/infra-stage-1/templates/apps/app-traefik.yaml
@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: traefik-v3
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-90"
+spec:
+ project: infra
+ source:
+ chart: traefik
+ repoURL: https://traefik.github.io/charts
+ targetRevision: 30.0.2
+ helm:
+ valuesObject:
+ ingressClass:
+ name: traefik
+ providers:
+ kubernetesCRD:
+ ingressClass: traefik
+ kubernetesIngress:
+ ingressClass: traefik
+ destination:
+ namespace: traefik-v3
+ server: https://kubernetes.default.svc
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/infra-stage-1/templates/project-infra.yaml b/infra-stage-1/templates/project-infra.yaml
new file mode 100644
index 0000000..88ff9dd
--- /dev/null
+++ b/infra-stage-1/templates/project-infra.yaml
@@ -0,0 +1,14 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: infra
+ namespace: argocd
+spec:
+ sourceRepos:
+ - '*'
+ destinations:
+ - namespace: '*'
+ server: '*'
+ clusterResourceWhitelist:
+ - group: '*'
+ kind: '*'
diff --git a/infra-stage-2/Chart.yaml b/infra-stage-2/Chart.yaml
new file mode 100644
index 0000000..4baa56c
--- /dev/null
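Review bot: `namespace: kubeseal` under `destination` is what bootstrap.sh's `kubeseal --controller-name=sealed-secrets --controller-namespace=kubeseal` depends on, and nothing ties the two together; add a comment above `destination:` such as `# bootstrap.sh runs kubeseal against this namespace and the release name "sealed-secrets"` so a rename here does not silently break sealing. This app and app-argocd.yaml carry `resources-finalizer.argocd.argoproj.io` while the other stage-1 apps do not; if cascading deletion is meant only for these two, a one-line comment on the finalizer saying why would help the next reader.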
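Review bot: `sourceRepos: ['*']` together with `destinations` of namespace `'*'` / server `'*'` and an all-`'*'` `clusterResourceWhitelist` makes the `infra` project as permissive as Argo CD's built-in default project, so it adds no boundary: any repository can be synced to any cluster and namespace by anything allowed to create an Application in it. Every repository and the single destination cluster are known from this commit, so the project can name them; `clusterResourceWhitelist` has to stay broad because the charts install CRDs, namespaces and cluster roles. Both spellings of the git URL are listed because the Applications use both. Suggested restriction:
```yaml
spec:
  sourceRepos:
    - https://github.com/genebean/kubebag
    - https://github.com/genebean/kubebag.git
    - https://argoproj.github.io/argo-helm
    - https://charts.jetstack.io
    - https://helm.linkerd.io/edge
    - https://bitnami-labs.github.io/sealed-secrets
    - https://traefik.github.io/charts
  destinations:
    - namespace: '*'
      server: https://kubernetes.default.svc
  # … unchanged: clusterResourceWhitelist …
```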
+++ b/infra-stage-2/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: Cluster infrastructure Stage 2
+name: infra-stage-2
+version: 0.1.0
diff --git a/infra-stage-2/templates/app-infra-stage-2.yaml b/infra-stage-2/templates/app-infra-stage-2.yaml
new file mode 100644
index 0000000..4253aca
--- /dev/null
+++ b/infra-stage-2/templates/app-infra-stage-2.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: infra-stage-2
+ namespace: argocd
+spec:
+ destination:
+ namespace: argocd
+ server: https://kubernetes.default.svc
+ project: infra
+ source:
+ helm:
+ path: infra-stage-2
+ repoURL: https://github.com/genebean/kubebag
+ targetRevision: redo
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/infra-stage-2/templates/apps/app-linkerd-control-plane.yaml b/infra-stage-2/templates/apps/app-linkerd-control-plane.yaml
new file mode 100644
index 0000000..4807f32
--- /dev/null
+++ b/infra-stage-2/templates/apps/app-linkerd-control-plane.yaml
@@ -0,0 +1,73 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: linkerd-control-plane
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-90"
+spec:
+ project: infra
+ source:
+ chart: linkerd-control-plane
+ repoURL: https://helm.linkerd.io/edge
+ targetRevision: 2024.7.5
+ helm:
+ parameters:
+ - name: cniEnabled
+ value: "true"
+ - name: identityTrustAnchorsPEM
+ value: |
+ -----BEGIN CERTIFICATE-----
+ MIIBjDCCATOgAwIBAgIQFcdhaMcm8qlAQ0+lCWg0rTAKBggqhkjOPQQDAjAlMSMw
+ IQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yNDA4MDIyMDQ4
+ NTdaFw0zNDA3MzEyMDQ4NTdaMCUxIzAhBgNVBAMTGnJvb3QubGlua2VyZC5jbHVz
+ dGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESXvpCxx+j3BR48uE
+ JJwM1rURWP7q80gBmfURNCBVFXir4VtAFyNv3oJ1i7SVKP58rHf02gH1gEc5tyJK
+ VNuGB6NFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD
+ VR0OBBYEFJ7If0SpFqAcPhQaKkpiaC3zsNSIMAoGCCqGSM49BAMCA0cAMEQCIDEG
+ /ymV8+7CRPsQLF3MbpjuFTmkATuSpKcyEURu1XdSAiBpCB44ctX3Ap1pSzYHKAQK
+ WuGsyFQ92FLhKbt2MWYQ5w==
+ -----END CERTIFICATE-----
+ - name: identity.issuer.scheme
+ value: kubernetes.io/tls
+ destination:
+ namespace: linkerd
+ server: https://kubernetes.default.svc
+ ignoreDifferences:
+ - group: ""
+ kind: Secret
+ name: linkerd-proxy-injector-k8s-tls
+ jsonPointers:
+ - /data/tls.crt
+ - /data/tls.key
+ - group: ""
+ kind: Secret
+ name: linkerd-sp-validator-k8s-tls
+ jsonPointers:
+ - /data/tls.crt
+ - /data/tls.key
+ - group: ""
+ kind: Secret
+ name: linkerd-policy-validator-k8s-tls
+ jsonPointers:
+ - /data/tls.crt
+ - /data/tls.key
+ - group: admissionregistration.k8s.io/v1
+ kind: MutatingWebhookConfiguration
+ name: linkerd-proxy-injector-webhook-config
+ jsonPointers:
+ - /webhooks/0/clientConfig/caBundle
+ - group: admissionregistration.k8s.io/v1
+ kind: ValidatingWebhookConfiguration
+ name: linkerd-sp-validator-webhook-config
+ jsonPointers:
+ - /webhooks/0/clientConfig/caBundle
+ - group: admissionregistration.k8s.io/v1
+ kind: ValidatingWebhookConfiguration
+ name: linkerd-policy-validator-webhook-config
+ jsonPointers:
+ - /webhooks/0/clientConfig/caBundle
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/infra-stage-2/templates/linkerd/cert-manager-issuer.yaml b/infra-stage-2/templates/linkerd/cert-manager-issuer.yaml
new file mode 100644
index 0000000..b6db898
--- /dev/null
+++ b/infra-stage-2/templates/linkerd/cert-manager-issuer.yaml
@@ -0,0 +1,8 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: linkerd-trust-anchor
+ namespace: linkerd
+spec:
+ ca:
+ secretName: linkerd-trust-anchor
diff --git a/infra-stage-2/templates/linkerd/certificate-identity.yaml b/infra-stage-2/templates/linkerd/certificate-identity.yaml
new file mode 100644
index 0000000..8fd0bc3
--- /dev/null
+++ b/infra-stage-2/templates/linkerd/certificate-identity.yaml
@@ -0,0 +1,23 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: linkerd-identity-issuer
+ namespace: linkerd
+spec:
+ secretName: linkerd-identity-issuer
+ duration: 48h
+ renewBefore: 25h
+ issuerRef:
+ name: linkerd-trust-anchor
+ kind: Issuer
+ commonName: identity.linkerd.cluster.local
+ dnsNames:
+ - identity.linkerd.cluster.local
+ isCA: true
+ privateKey:
+ algorithm: ECDSA
+ usages:
+ - cert sign
+ - crl sign
+ - server auth
+ - client auth
diff --git a/infra-stage-2/templates/linkerd/sealed-linkerd-trust-anchor.yaml b/infra-stage-2/templates/linkerd/sealed-linkerd-trust-anchor.yaml
new file mode 100644
index 0000000..af9dd29
--- /dev/null
+++ b/infra-stage-2/templates/linkerd/sealed-linkerd-trust-anchor.yaml
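Review bot: The `ignoreDifferences` entries for the three `*-k8s-tls` secrets and the webhook `caBundle` fields only affect the diff; by default a sync still applies the full rendered manifest, so with `automated.selfHeal: true` and no sync option to honour them, Linkerd's self-issued webhook certificates can be overwritten on every self-heal. Add `syncOptions:` / `  - RespectIgnoreDifferences=true` under `syncPolicy`. The inline `identityTrustAnchorsPEM` must be the same certificate as `tls.crt` in infra-stage-2/templates/linkerd/sealed-linkerd-trust-anchor.yaml, and bootstrap.sh regenerates both; a comment above the parameter, e.g. `# must match tls.crt in templates/linkerd/sealed-linkerd-trust-anchor.yaml (both regenerated by bootstrap.sh)`, records that coupling, since a mismatch only shows up as identity issuance failing.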
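Review bot: The CA `Issuer` signs with the key in `secretName: linkerd-trust-anchor`, which bootstrap.sh fills with the root CA's `ca.key` (`step certificate create root.linkerd.cluster.local ... --profile root-ca`); once unsealed, the mesh root private key therefore sits in the `linkerd` namespace as an ordinary Secret, and any principal able to read Secrets there can mint identities for the whole mesh. This mirrors a common Linkerd setup, but keeping the root offline and sealing only an intermediate CA into this secret would limit the blast radius; at minimum add a comment on the Issuer, `# secretName holds the mesh root CA key; restrict Secret read access in this namespace accordingly`, so the sensitivity is visible to whoever manages RBAC.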
@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: linkerd-trust-anchor
+ namespace: linkerd
+spec:
+ encryptedData:
+ tls.crt: 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
+ tls.key: AgAE4DkEl82kkjLuaqhJjJ4J3RVqAD88KZRuW/odDm7Qg1vFVnqeF3avRRejcA/AINOJGu50ez1MZcuLfoxx6Y9lmCfsCzMI/YeD9l8SproNe6+xjqd19OHQ/d9DowjUmOwtSl/j9MU6gs2ExQILQTB6zqNklUEadpdxgk8Xl+YS09A58Vefy6dgoJzGav/S0BRymxvfXZWWLIY0h3QD1hVL9uoV+L8H6aovu+ZGmMwdSzbV/6qFoJHt/PBZEkC5G3BesJX21T2LTh7BsIvyvPOaZrG7BoRfu9oAtBQHqhoBtgv1hsvmjs9MFNtSUnPD2srYqG70YDpdQnp7pzOk/4Hx5Jkr29HM+0m/46Y3vI4XK7/HOoOuxNEz4UWhHhJHUVJF0E4DJp9DSd50QhBRP0X8/oXZLtyLR3xWRKrlds/XmSyUaMOKNwDKzKbmUTleSBALdgSafk21A/TnrfGt5uGoPjo1HyRSIaBsX4incJJFPR9D1t0F7+hku5KxJBfHJMmL84M2e+a6eVf3zJvhGy45EHIORqcY30NFcpaqvFSZXYwzjnB+zQVmyzY50NwhYZyN51GkwK89aIMFehTDj8mE6KHFH54f245sLOCkjvgN0Uey+s/U6ktVDcjldvmFOErmk33Tx1CQpL+VP1bnTYK3GYjxUXZ3D1/IJuUxbL+GGQJ8OA1eMwF85v1ndxiDZn2OHpifLTLA0GQEd0X+xQfbDljEWQHVOSOLgZepjO5zkwd5RawO1LXZ9MTAIZizrjWATEN3K7Kv5Ph/VB7ZchAkM7qaqwlP7mVsbbYm1ZoWkcM6dFmkir0Jl81CnF6lHvalgaCDY8XtwyMbs+EeLt9A15OpgqbPcuF9pRzHXdy2tj3uJWJ3JDhq+xiupdTgJaqS+4phluS49kNJsZnPa5uFCl2iNzQxqgXxGmJXClF5WVPoo+15u09UiqKBzshtQ0LgzPOPq6jKMpZooU+0HYzIdaAcFvLbgXd3HhaD7lBN0QZ0bQ==
+ template:
+ metadata:
+ creationTimestamp: null
+ name: linkerd-trust-anchor
+ namespace: linkerd
+ type: kubernetes.io/tls
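Review bot: This `SealedSecret` can only be decrypted by the sealing key held by the `sealed-secrets` controller in the cluster that ran `kubeseal` in bootstrap.sh, and nothing in the commit backs that key up, so a cluster rebuild leaves the committed ciphertext unusable and forces a new trust anchor plus a re-run of the sealing step. Record that at the top of the file, e.g. `# sealed against this cluster's kubeseal controller key; back that key up, or re-run the sealing step in bootstrap.sh after a rebuild`. The two `creationTimestamp: null` lines (under `metadata` and under `template.metadata`) are `--dry-run -o yaml` output noise and can be dropped.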