From 1dc27ea37f30e12888df5c25d1a5625b554b4e90 Mon Sep 17 00:00:00 2001 From: Ryan VanGundy Date: Sat, 1 Feb 2025 12:02:39 -0500 Subject: [PATCH 1/8] wip --- kustomize/dns/coredns/etcd/certificates.yaml | 56 ++++++++++++++++++ .../dns/coredns/etcd/ha/kustomization.yaml | 4 ++ .../coredns/etcd/ha/patches/helm-release.yaml | 17 ++++++ kustomize/dns/coredns/etcd/helm-release.yaml | 59 +++++++++++++++++++ .../dns/coredns/etcd/helm-repository.yaml | 10 ++++ kustomize/dns/coredns/etcd/kustomization.yaml | 14 +++++ kustomize/dns/coredns/etcd/patches/patch.yaml | 17 ++++++ kustomize/dns/kustomization.yaml | 2 + kustomize/dns/namespace.yaml | 9 +++ 9 files changed, 188 insertions(+) create mode 100644 kustomize/dns/coredns/etcd/certificates.yaml create mode 100644 kustomize/dns/coredns/etcd/ha/kustomization.yaml create mode 100644 kustomize/dns/coredns/etcd/ha/patches/helm-release.yaml create mode 100644 kustomize/dns/coredns/etcd/helm-release.yaml create mode 100644 kustomize/dns/coredns/etcd/helm-repository.yaml create mode 100644 kustomize/dns/coredns/etcd/kustomization.yaml create mode 100644 kustomize/dns/coredns/etcd/patches/patch.yaml create mode 100644 kustomize/dns/kustomization.yaml create mode 100644 kustomize/dns/namespace.yaml diff --git a/kustomize/dns/coredns/etcd/certificates.yaml b/kustomize/dns/coredns/etcd/certificates.yaml new file mode 100644 index 00000000..c3eb1d8c --- /dev/null +++ b/kustomize/dns/coredns/etcd/certificates.yaml 
@@ -0,0 +1,56 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: etcd-peer + namespace: system-dns +spec: + secretName: etcd-peer-tls + issuerRef: + name: private + kind: ClusterIssuer + commonName: etcd-peer-coredns + dnsNames: + - "etcd-coredns.system-dns.svc.cluster.local" + - "*.etcd-coredns.system-dns.svc.cluster.local" + - "etcd-coredns-headless.system-dns.svc.cluster.local" + - "*.etcd-coredns-headless.system-dns.svc.cluster.local" + usages: + - digital signature + - key encipherment + - server auth + - client auth +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: etcd-server + namespace: system-dns +spec: + secretName: etcd-server-tls + issuerRef: + name: private + kind: ClusterIssuer + commonName: etcd-coredns + dnsNames: + - "etcd-coredns.system-dns.svc.cluster.local" + - "*.etcd-coredns.system-dns.svc.cluster.local" + - "etcd-coredns-headless.system-dns.svc.cluster.local" + - "*.etcd-coredns-headless.system-dns.svc.cluster.local" + usages: + - server auth + - client auth +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: etcd-client + namespace: system-dns +spec: + secretName: etcd-client-tls + issuerRef: + name: private + kind: ClusterIssuer + commonName: etcd-coredns + usages: + - client auth diff --git a/kustomize/dns/coredns/etcd/ha/kustomization.yaml b/kustomize/dns/coredns/etcd/ha/kustomization.yaml new file mode 100644 index 00000000..8138d116 --- /dev/null +++ b/kustomize/dns/coredns/etcd/ha/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - path: patches/helm-release.yaml diff --git a/kustomize/dns/coredns/etcd/ha/patches/helm-release.yaml b/kustomize/dns/coredns/etcd/ha/patches/helm-release.yaml new file mode 100644 index 00000000..d44aee22 --- /dev/null +++ b/kustomize/dns/coredns/etcd/ha/patches/helm-release.yaml 
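Review bot: The `etcd-server` Certificate lists only `server auth` and `client auth`, while the `etcd-peer` Certificate in the same file also lists `digital signature` and `key encipherment`; if cert-manager does not add its default key usages to an explicitly given list, the server leaf is issued without a KeyUsage extension, so the two should be made consistent by adding `- digital signature` and `- key encipherment` under the server cert's `usages`. The `etcd-client` Certificate reuses `commonName: etcd-coredns`, the same CN as the server certificate; a distinct CN such as `etcd-client-coredns` would let etcd's client-certificate authentication and its logs tell a client apart from the server identity. All three secrets chain to ClusterIssuer `private`, so anything that can read `etcd-client-tls` in `system-dns` holds a credential the server will accept, which is worth a comment above that Certificate.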
@@ -0,0 +1,17 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: etcd-coredns + namespace: system-dns +spec: + values: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: "app.kubernetes.io/name" + operator: In + values: + - etcd + topologyKey: "kubernetes.io/hostname" diff --git a/kustomize/dns/coredns/etcd/helm-release.yaml b/kustomize/dns/coredns/etcd/helm-release.yaml new file mode 100644 index 00000000..1ad38b08 --- /dev/null +++ b/kustomize/dns/coredns/etcd/helm-release.yaml @@ -0,0 +1,59 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: etcd-coredns + namespace: system-dns +spec: + interval: 5m + timeout: 10m + chart: + spec: + chart: etcd + # renovate: datasource=helm depName=etcd package=etcd helmRepo=https://charts.bitnami.com/bitnami + version: 10.2.6 + sourceRef: + kind: HelmRepository + name: coredns-etcd-bitnami + namespace: system-gitops + values: + global: + storageClass: single + replicaCount: 3 + securityContext: + fsGroup: 1000 + # Modifies the liveness probe to behave like the other probes. Endpoint healthchecks with mTLS are not supported by k8s. + customLivenessProbe: + exec: + command: + - /opt/bitnami/scripts/etcd/healthcheck.sh + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + auth: + rbac: + create: false + allowNoneAuthentication: true + peer: + useAutoTLS: false + secureTransport: true + enableAuthentication: true + certFilename: tls.crt + certKeyFilename: tls.key + caFilename: ca.crt + existingSecret: etcd-peer-tls + client: + secureTransport: true + enableAuthentication: true + certFilename: tls.crt + certKeyFilename: tls.key + caFilename: ca.crt + existingSecret: etcd-server-tls + persistence: + enabled: true + size: 256Mi + resources: + requests: + cpu: 200m + memory: 256Mi 
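Review bot: In kustomize/dns/coredns/etcd/helm-release.yaml, `auth.rbac.create: false` together with `allowNoneAuthentication: true` leaves etcd without any authorization, so `client.enableAuthentication: true` makes the TLS handshake the only gate and every holder of a certificate from the `private` ClusterIssuer gets unrestricted read and write of all keys, including the zone data CoreDNS will serve. That may be the intended trade-off for this context, but it deserves a comment above `auth:`, e.g. `# RBAC disabled: any client cert from the private issuer has full read/write access`, and a revisit before the issuer is shared with other workloads. The `ha` component patch earlier on this line adds a required `podAntiAffinity` on `kubernetes.io/hostname`, which with `replicaCount: 3` needs three schedulable nodes; on a smaller cluster the third member stays Pending, so a one-line comment in ha/patches/helm-release.yaml stating the node-count requirement would help.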
diff --git a/kustomize/dns/coredns/etcd/helm-repository.yaml b/kustomize/dns/coredns/etcd/helm-repository.yaml new file mode 100644 index 00000000..77b7fa10 --- /dev/null +++ b/kustomize/dns/coredns/etcd/helm-repository.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: coredns-etcd-bitnami + namespace: system-gitops +spec: + interval: 10m + timeout: 3m + url: https://charts.bitnami.com/bitnami diff --git a/kustomize/dns/coredns/etcd/kustomization.yaml b/kustomize/dns/coredns/etcd/kustomization.yaml new file mode 100644 index 00000000..3638156d --- /dev/null +++ b/kustomize/dns/coredns/etcd/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - certificates.yaml + - helm-repository.yaml + - helm-release.yaml +patches: + - path: patches/patch.yaml + target: + group: helm.toolkit.fluxcd.io + version: v2 + kind: HelmRelease + name: coredns + namespace: system-dns diff --git a/kustomize/dns/coredns/etcd/patches/patch.yaml b/kustomize/dns/coredns/etcd/patches/patch.yaml new file mode 100644 index 00000000..f99092b3 --- /dev/null +++ b/kustomize/dns/coredns/etcd/patches/patch.yaml @@ -0,0 +1,17 @@ +- op: add + path: /spec/dependsOn/- + value: + name: etcd-coredns + namespace: system-dns +- op: add + path: /spec/values/extraVolumes/- + value: + name: etcd-client-tls + secret: + secretName: etcd-client-tls +- op: add + path: /spec/values/extraVolumeMounts/- + value: + name: etcd-client-tls + mountPath: /etc/coredns/tls + readOnly: true diff --git a/kustomize/dns/kustomization.yaml b/kustomize/dns/kustomization.yaml new file mode 100644 index 00000000..e8aa5f88 --- /dev/null +++ b/kustomize/dns/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - namespace.yaml diff --git a/kustomize/dns/namespace.yaml b/kustomize/dns/namespace.yaml new file mode 100644 index 00000000..91870ec5 --- /dev/null +++ b/kustomize/dns/namespace.yaml 
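Review bot: The three `add` operations in kustomize/dns/coredns/etcd/patches/patch.yaml use the `/-` append form (`/spec/dependsOn/-`, `/spec/values/extraVolumes/-`, `/spec/values/extraVolumeMounts/-`), which fails when the target does not already hold those arrays; the `coredns` HelmRelease this component targets (per etcd/kustomization.yaml on this line) is not part of this commit, so the component cannot be built on its own at this point in the series. A later patch adds that HelmRelease with `dependsOn: []`, `extraVolumes: []` and `extraVolumeMounts: []`, which is what makes these appends work; a comment at the top of patch.yaml such as `# requires the target HelmRelease to declare dependsOn, values.extraVolumes and values.extraVolumeMounts as lists` records that contract for the next component author. Mounting the client secret `readOnly: true` at `/etc/coredns/tls` is the right shape.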
@@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: system-dns + labels: + pod-security.kubernetes.io/enforce: baseline + pod-security.kubernetes.io/audit: baseline + pod-security.kubernetes.io/warn: baseline From 1f44395fc62ec5c1c0a02ce1eb7b1815f4d752b3 Mon Sep 17 00:00:00 2001 From: Ryan VanGundy Date: Sat, 1 Feb 2025 12:12:09 -0500 Subject: [PATCH 2/8] template certificate cluster domain --- kustomize/dns/coredns/etcd/certificates.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/kustomize/dns/coredns/etcd/certificates.yaml b/kustomize/dns/coredns/etcd/certificates.yaml index c3eb1d8c..b8b48aca 100644 --- a/kustomize/dns/coredns/etcd/certificates.yaml +++ b/kustomize/dns/coredns/etcd/certificates.yaml @@ -11,10 +11,10 @@ spec: kind: ClusterIssuer commonName: etcd-peer-coredns dnsNames: - - "etcd-coredns.system-dns.svc.cluster.local" - - "*.etcd-coredns.system-dns.svc.cluster.local" - - "etcd-coredns-headless.system-dns.svc.cluster.local" - - "*.etcd-coredns-headless.system-dns.svc.cluster.local" + - "etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.internal}" + - "*.etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.internal}" + - "etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.internal}" + - "*.etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.internal}" usages: - digital signature - key encipherment 
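Review bot: kustomize/dns/namespace.yaml enforces only the `baseline` Pod Security Standard on `system-dns`; CoreDNS and, as far as I recall, the Bitnami etcd chart run as non-root by default, so `restricted` is often attainable, and a cheap first step is `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` while keeping `enforce: baseline`, so any violations surface without blocking the rollout. Whether `restricted` actually passes depends on the chart-rendered securityContexts, which are not visible in this commit.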
@@ -33,10 +33,10 @@ spec: kind: ClusterIssuer commonName: etcd-coredns dnsNames: - - "etcd-coredns.system-dns.svc.cluster.local" - - "*.etcd-coredns.system-dns.svc.cluster.local" - - "etcd-coredns-headless.system-dns.svc.cluster.local" - - "*.etcd-coredns-headless.system-dns.svc.cluster.local" + - "etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.internal}" + - "*.etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.internal}" + - "etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.internal}" + - "*.etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.internal}" usages: - server auth - client auth From 6296f77627948ce148e054f8ced29d11564c2b57 Mon Sep 17 00:00:00 2001 From: Ryan VanGundy Date: Sat, 1 Feb 2025 15:23:42 -0500 Subject: [PATCH 3/8] wip --- contexts/default/blueprint.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/contexts/default/blueprint.yaml b/contexts/default/blueprint.yaml index 8da455bd..4c1cd961 100644 --- a/contexts/default/blueprint.yaml +++ b/contexts/default/blueprint.yaml @@ -27,6 +27,13 @@ kustomize: - pki-base components: - public-issuer/selfsigned +- name: dns + path: dns + dependsOn: + - pki-base + components: + - coredns + - coredns/etcd - name: lb-base path: lb/base components: From e6962fdfa2fcf32f8b1b93db916b528481963f15 Mon Sep 17 00:00:00 2001 
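Review bot: The new `dns` entry in contexts/default/blueprint.yaml depends only on `pki-base`, but the Certificates it applies (kustomize/dns/coredns/etcd/certificates.yaml) reference `ClusterIssuer` `private`, which this series creates under `pki-resources` in patch 4; add `- pki-resources` under `dependsOn` so the issuer exists before the Certificates are reconciled. cert-manager retries until the issuer appears, so this is an ordering and noise problem rather than a hard failure, but declaring the dependency is what the blueprint is for. The same gap is present in the version of this entry on L8.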
From: Ryan VanGundy Date: Tue, 4 Feb 2025 21:18:33 -0500 Subject: [PATCH 4/8] Working coredns+etcd --- contexts/default/blueprint.yaml | 10 +++++ kustomize/dns/coredns/etcd/certificates.yaml | 16 +++---- kustomize/dns/coredns/etcd/helm-release.yaml | 8 ++-- kustomize/dns/coredns/helm-release.yaml | 42 +++++++++++++++++++ kustomize/dns/coredns/helm-repository.yaml | 10 +++++ kustomize/dns/coredns/kustomization.yaml | 5 +++ .../base/nginx/coredns/kustomization.yaml | 4 ++ .../nginx/coredns/nodeport/kustomization.yaml | 4 ++ .../nodeport/patches/helm-release.yaml | 16 +++++++ .../nginx/coredns/patches/helm-release.yaml | 15 +++++++ kustomize/pki/resources/kustomization.yaml | 5 ++- .../pki/resources/private-issuer/issuer.yaml | 5 +++ .../private-issuer/kustomization.yaml | 4 ++ .../selfsigned/kustomization.yaml | 4 ++ .../selfsigned/patches/issuer.yaml | 6 +++ .../resources/{ => public-issuer}/issuer.yaml | 0 .../public-issuer/kustomization.yaml | 4 ++ .../selfsigned/kustomization.yaml | 2 +- .../{public-issuer.yaml => issuer.yaml} | 0 19 files changed, 145 insertions(+), 15 deletions(-) create mode 100644 kustomize/dns/coredns/helm-release.yaml create mode 100644 kustomize/dns/coredns/helm-repository.yaml create mode 100644 kustomize/dns/coredns/kustomization.yaml create mode 100644 kustomize/ingress/base/nginx/coredns/kustomization.yaml create mode 100644 kustomize/ingress/base/nginx/coredns/nodeport/kustomization.yaml create mode 100644 kustomize/ingress/base/nginx/coredns/nodeport/patches/helm-release.yaml create mode 100644 kustomize/ingress/base/nginx/coredns/patches/helm-release.yaml create mode 100644 kustomize/pki/resources/private-issuer/issuer.yaml create mode 100644 kustomize/pki/resources/private-issuer/kustomization.yaml create mode 100644 kustomize/pki/resources/private-issuer/selfsigned/kustomization.yaml create mode 100644 kustomize/pki/resources/private-issuer/selfsigned/patches/issuer.yaml rename kustomize/pki/resources/{ => 
public-issuer}/issuer.yaml (100%) create mode 100644 kustomize/pki/resources/public-issuer/kustomization.yaml rename kustomize/pki/resources/public-issuer/selfsigned/patches/{public-issuer.yaml => issuer.yaml} (100%) diff --git a/contexts/default/blueprint.yaml b/contexts/default/blueprint.yaml index 4c1cd961..bb4988db 100644 --- a/contexts/default/blueprint.yaml +++ b/contexts/default/blueprint.yaml @@ -19,42 +19,52 @@ terraform: kustomize: - name: pki-base path: pki/base + force: true components: - cert-manager - name: pki-resources path: pki/resources dependsOn: - pki-base + force: true components: + - private-issuer/selfsigned - public-issuer/selfsigned - name: dns path: dns dependsOn: - pki-base + force: true components: - coredns - coredns/etcd - name: lb-base path: lb/base + force: true components: - metallb - name: lb-resources path: lb/resources dependsOn: - lb-base + force: true components: - metallb/layer2 - name: ingress-base path: ingress/base dependsOn: - pki-resources + force: true components: - nginx - nginx/nodeport-web - nginx/nodeport-flux-webhook + - nginx/coredns + - nginx/coredns/nodeport - name: gitops path: gitops/flux dependsOn: - ingress-base + force: true components: - webhook diff --git a/kustomize/dns/coredns/etcd/certificates.yaml b/kustomize/dns/coredns/etcd/certificates.yaml index b8b48aca..87f93422 100644 --- a/kustomize/dns/coredns/etcd/certificates.yaml +++ b/kustomize/dns/coredns/etcd/certificates.yaml 
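Review bot: `force: true` is added to every kustomization entry in contexts/default/blueprint.yaml; if the blueprint passes it through to Flux's Kustomization `spec.force`, the controller may delete and recreate a resource whenever an in-place apply fails on an immutable field, and for `dns` that covers the etcd StatefulSet and its PVCs, turning a field change into data loss instead of a reconciliation error. Consider keeping `force` only on entries where recreation is known to be safe, or add a comment on the `dns` entry explaining why recreation is acceptable there. How the blueprint maps `force` to Flux is not visible in this hunk.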
@@ -11,10 +11,10 @@ spec: kind: ClusterIssuer commonName: etcd-peer-coredns dnsNames: - - "etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.internal}" - - "*.etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.internal}" - - "etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.internal}" - - "*.etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.internal}" + - "etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "*.etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "*.etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" usages: - digital signature - key encipherment @@ -33,10 +33,10 @@ spec: kind: ClusterIssuer commonName: etcd-coredns dnsNames: - - "etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.internal}" - - "*.etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.internal}" - - "etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.internal}" - - "*.etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.internal}" + - "etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "*.etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "*.etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" usages: - server auth - client auth diff --git a/kustomize/dns/coredns/etcd/helm-release.yaml b/kustomize/dns/coredns/etcd/helm-release.yaml index 1ad38b08..bcec714c 100644 --- a/kustomize/dns/coredns/etcd/helm-release.yaml +++ b/kustomize/dns/coredns/etcd/helm-release.yaml @@ -16,8 +16,8 @@ spec: name: coredns-etcd-bitnami namespace: system-gitops values: - global: - storageClass: single + # global: + # storageClass: single replicaCount: 3 securityContext: fsGroup: 1000 
@@ -49,10 +49,10 @@ spec: certFilename: tls.crt certKeyFilename: tls.key caFilename: ca.crt + # The server certificate is what etcd serves to clients existingSecret: etcd-server-tls persistence: - enabled: true - size: 256Mi + enabled: false resources: requests: cpu: 200m diff --git a/kustomize/dns/coredns/helm-release.yaml b/kustomize/dns/coredns/helm-release.yaml new file mode 100644 index 00000000..67d60a82 --- /dev/null +++ b/kustomize/dns/coredns/helm-release.yaml @@ -0,0 +1,42 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: coredns + namespace: system-dns +spec: + interval: 5m + timeout: 10m + dependsOn: [] + chart: + spec: + chart: coredns + # renovate: datasource=helm depName=coredns package=coredns helmRepo=https://coredns.github.io/helm + version: 1.35.0 + sourceRef: + kind: HelmRepository + name: coredns + namespace: system-gitops + values: + isClusterService: false + extraVolumes: [] + extraVolumeMounts: [] + servers: + - zones: + - zone: . + port: 53 + plugins: + - name: errors + - name: health + configBlock: |- + lameduck 5s + - name: forward + parameters: . 1.1.1.1 8.8.8.8 + - name: ready + - name: prometheus + parameters: 0.0.0.0:9153 + - name: cache + parameters: 30 + - name: loop + - name: reload + - name: loadbalance diff --git a/kustomize/dns/coredns/helm-repository.yaml b/kustomize/dns/coredns/helm-repository.yaml new file mode 100644 index 00000000..e9176cbc --- /dev/null +++ b/kustomize/dns/coredns/helm-repository.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: coredns + namespace: system-gitops +spec: + interval: 10m + timeout: 3m + url: https://coredns.github.io/helm diff --git a/kustomize/dns/coredns/kustomization.yaml b/kustomize/dns/coredns/kustomization.yaml new file mode 100644 index 00000000..e768af5d --- /dev/null +++ b/kustomize/dns/coredns/kustomization.yaml 
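Review bot: `persistence.enabled: false` in kustomize/dns/coredns/etcd/helm-release.yaml puts each etcd member's data on ephemeral pod storage, so a restart of all three replicas at once (node reboot, full-cluster outage) discards the stored DNS records and the cluster membership state; a one-member-at-a-time restart presumably recovers from peers. external-dns would eventually re-publish Ingress-derived records, but anything written to etcd by other means is gone. If this is intended for the local context, a comment beside the setting, e.g. `# no persistent volumes in the local context; etcd state is rebuilt by external-dns after a full restart`, would save the next reader the investigation, and the `global.storageClass` block commented out in the previous hunk (L9) suggests the storage class was the blocker. The enclosing `values:` mapping starts outside this hunk.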
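Review bot: The Corefile in kustomize/dns/coredns/helm-release.yaml renders a single `.` zone whose `forward` sends everything to 1.1.1.1 and 8.8.8.8, and the hunks on L11 and L12 expose that server on NodePort 30053 and through the nginx TCP/UDP 53 proxy, so anything that can reach a node on that port gets an open recursive resolver. Serve only the zone external-dns publishes (the `${DOMAIN}` filter in patch 5) on the exposed server, or add an `acl` block to the `.` server that limits who may recurse. Separately, the `plugins` list has no `etcd` entry, so records the external-dns coredns provider writes to etcd are not served by this Corefile unless a later patch adds it, which leaves the `etcd-client-tls` mount from patch 1 unused as it stands.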
@@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - helm-repository.yaml + - helm-release.yaml diff --git a/kustomize/ingress/base/nginx/coredns/kustomization.yaml b/kustomize/ingress/base/nginx/coredns/kustomization.yaml new file mode 100644 index 00000000..8138d116 --- /dev/null +++ b/kustomize/ingress/base/nginx/coredns/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - path: patches/helm-release.yaml diff --git a/kustomize/ingress/base/nginx/coredns/nodeport/kustomization.yaml b/kustomize/ingress/base/nginx/coredns/nodeport/kustomization.yaml new file mode 100644 index 00000000..8138d116 --- /dev/null +++ b/kustomize/ingress/base/nginx/coredns/nodeport/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - path: patches/helm-release.yaml diff --git a/kustomize/ingress/base/nginx/coredns/nodeport/patches/helm-release.yaml b/kustomize/ingress/base/nginx/coredns/nodeport/patches/helm-release.yaml new file mode 100644 index 00000000..2afb4e20 --- /dev/null +++ b/kustomize/ingress/base/nginx/coredns/nodeport/patches/helm-release.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: ingress-nginx-controller + namespace: system-ingress +spec: + values: + controller: + service: + type: NodePort + nodePorts: + udp: + "53": 30053 + tcp: + "53": 30053 diff --git a/kustomize/ingress/base/nginx/coredns/patches/helm-release.yaml b/kustomize/ingress/base/nginx/coredns/patches/helm-release.yaml new file mode 100644 index 00000000..d43d01dc --- /dev/null +++ b/kustomize/ingress/base/nginx/coredns/patches/helm-release.yaml 
@@ -0,0 +1,15 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: ingress-nginx-controller + namespace: system-ingress +spec: + values: + controller: + service: + enableUDP: true + udp: + "53": "system-dns/coredns:53" + tcp: + "53": "system-dns/coredns:53" diff --git a/kustomize/pki/resources/kustomization.yaml b/kustomize/pki/resources/kustomization.yaml index e78cf9a6..100ce215 100644 --- a/kustomize/pki/resources/kustomization.yaml +++ b/kustomize/pki/resources/kustomization.yaml @@ -1,2 +1,3 @@ -resources: - - issuer.yaml +components: + - private-issuer + - public-issuer diff --git a/kustomize/pki/resources/private-issuer/issuer.yaml b/kustomize/pki/resources/private-issuer/issuer.yaml new file mode 100644 index 00000000..672aeafa --- /dev/null +++ b/kustomize/pki/resources/private-issuer/issuer.yaml @@ -0,0 +1,5 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: private +spec: {} diff --git a/kustomize/pki/resources/private-issuer/kustomization.yaml b/kustomize/pki/resources/private-issuer/kustomization.yaml new file mode 100644 index 00000000..4bcf4511 --- /dev/null +++ b/kustomize/pki/resources/private-issuer/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - issuer.yaml diff --git a/kustomize/pki/resources/private-issuer/selfsigned/kustomization.yaml b/kustomize/pki/resources/private-issuer/selfsigned/kustomization.yaml new file mode 100644 index 00000000..ee2903d3 --- /dev/null +++ b/kustomize/pki/resources/private-issuer/selfsigned/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - path: patches/issuer.yaml diff --git a/kustomize/pki/resources/private-issuer/selfsigned/patches/issuer.yaml b/kustomize/pki/resources/private-issuer/selfsigned/patches/issuer.yaml new file mode 100644 index 00000000..d36ac5f6 --- /dev/null 
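Review bot: kustomize/pki/resources/private-issuer/issuer.yaml ships `ClusterIssuer` `private` with `spec: {}`, which cert-manager's validation rejects because an issuer must name exactly one issuer type; the base therefore only builds when one of the patch components (`private-issuer/selfsigned` in this commit) is also selected, and nothing in private-issuer/kustomization.yaml enforces that. A comment above `spec: {}` such as `# placeholder: a sibling component (selfsigned, ca) must patch in the issuer type` makes the contract explicit. The nginx patch earlier on this line maps `"53"` for both TCP and UDP to `system-dns/coredns:53`, which assumes the CoreDNS chart's Service is named `coredns`; worth confirming against the rendered release since `isClusterService: false` changes naming in some chart versions.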
+++ b/kustomize/pki/resources/private-issuer/selfsigned/patches/issuer.yaml @@ -0,0 +1,6 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: private +spec: + selfSigned: {} diff --git a/kustomize/pki/resources/issuer.yaml b/kustomize/pki/resources/public-issuer/issuer.yaml similarity index 100% rename from kustomize/pki/resources/issuer.yaml rename to kustomize/pki/resources/public-issuer/issuer.yaml diff --git a/kustomize/pki/resources/public-issuer/kustomization.yaml b/kustomize/pki/resources/public-issuer/kustomization.yaml new file mode 100644 index 00000000..4bcf4511 --- /dev/null +++ b/kustomize/pki/resources/public-issuer/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - issuer.yaml diff --git a/kustomize/pki/resources/public-issuer/selfsigned/kustomization.yaml b/kustomize/pki/resources/public-issuer/selfsigned/kustomization.yaml index e1e62721..ee2903d3 100644 --- a/kustomize/pki/resources/public-issuer/selfsigned/kustomization.yaml +++ b/kustomize/pki/resources/public-issuer/selfsigned/kustomization.yaml @@ -1,4 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component patches: - - path: patches/public-issuer.yaml + - path: patches/issuer.yaml diff --git a/kustomize/pki/resources/public-issuer/selfsigned/patches/public-issuer.yaml b/kustomize/pki/resources/public-issuer/selfsigned/patches/issuer.yaml similarity index 100% rename from kustomize/pki/resources/public-issuer/selfsigned/patches/public-issuer.yaml rename to kustomize/pki/resources/public-issuer/selfsigned/patches/issuer.yaml From 87875517bd9065da9ba768619b3e1d934d0eaa5a Mon Sep 17 00:00:00 2001 
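Review bot: With `selfSigned: {}` on ClusterIssuer `private`, each Certificate it issues is signed by its own key, so the `ca.crt` the etcd chart reads from `etcd-server-tls` and `etcd-peer-tls` is just that leaf and does not validate the separate self-signed leaf in `etcd-client-tls`; mutual authentication between etcd, CoreDNS and external-dns cannot succeed against independent self-signed certificates. The usual shape is a self-signed bootstrap Certificate with `isCA: true` whose secret backs a `ca:` ClusterIssuer that then signs the three leaves. The `private-issuer/ca` component the blueprint references in patch 6 (L17) looks like that fix, so this note mainly matters to anyone reviewing this commit on its own.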
From: Ryan VanGundy Date: Tue, 4 Feb 2025 21:55:30 -0500 Subject: [PATCH 5/8] wip --- contexts/default/blueprint.yaml | 3 ++ .../external-dns/coredns/kustomization.yaml | 10 +++++ .../coredns/patches/helm-release.yaml | 45 +++++++++++++++++++ kustomize/dns/external-dns/helm-release.yaml | 26 +++++++++++ .../dns/external-dns/helm-repository.yaml | 10 +++++ .../external-dns/ingress/kustomization.yaml | 4 ++ .../ingress/patches/helm-release.yaml | 10 +++++ kustomize/dns/external-dns/kustomization.yaml | 5 +++ 8 files changed, 113 insertions(+) create mode 100644 kustomize/dns/external-dns/coredns/kustomization.yaml create mode 100644 kustomize/dns/external-dns/coredns/patches/helm-release.yaml create mode 100644 kustomize/dns/external-dns/helm-release.yaml create mode 100644 kustomize/dns/external-dns/helm-repository.yaml create mode 100644 kustomize/dns/external-dns/ingress/kustomization.yaml create mode 100644 kustomize/dns/external-dns/ingress/patches/helm-release.yaml create mode 100644 kustomize/dns/external-dns/kustomization.yaml diff --git a/contexts/default/blueprint.yaml b/contexts/default/blueprint.yaml index bb4988db..08725700 100644 --- a/contexts/default/blueprint.yaml +++ b/contexts/default/blueprint.yaml @@ -38,6 +38,9 @@ kustomize: components: - coredns - coredns/etcd + - external-dns + - external-dns/coredns + - external-dns/ingress - name: lb-base path: lb/base force: true diff --git a/kustomize/dns/external-dns/coredns/kustomization.yaml b/kustomize/dns/external-dns/coredns/kustomization.yaml new file mode 100644 index 00000000..25e5cb2a --- /dev/null +++ b/kustomize/dns/external-dns/coredns/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - target: + group: helm.toolkit.fluxcd.io + version: v2 + kind: HelmRelease + name: external-dns + namespace: system-dns + path: patches/helm-release.yaml 
diff --git a/kustomize/dns/external-dns/coredns/patches/helm-release.yaml b/kustomize/dns/external-dns/coredns/patches/helm-release.yaml new file mode 100644 index 00000000..87e40864 --- /dev/null +++ b/kustomize/dns/external-dns/coredns/patches/helm-release.yaml @@ -0,0 +1,45 @@ +- op: add + path: /spec/dependsOn/- + value: + name: etcd-coredns + namespace: system-dns +- op: add + path: /spec/values/provider + value: coredns +- op: add + path: /spec/values/env/- + value: + name: ETCD_URLS + value: https://etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}:2379 +- op: add + path: /spec/values/env/- + value: + name: ETCD_CA_FILE + value: /etc/external-dns/tls/ca.crt +- op: add + path: /spec/values/env/- + value: + name: ETCD_CERT_FILE + value: /etc/external-dns/tls/tls.crt +- op: add + path: /spec/values/env/- + value: + name: ETCD_KEY_FILE + value: /etc/external-dns/tls/tls.key +- op: add + path: /spec/values/env/- + value: + name: ETCD_TLS_SERVER_NAME + value: etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local} +- op: add + path: /spec/values/extraVolumes/- + value: + name: etcd-tls + secret: + secretName: etcd-client-tls +- op: add + path: /spec/values/extraVolumeMounts/- + value: + name: etcd-tls + mountPath: /etc/external-dns/tls + readOnly: true diff --git a/kustomize/dns/external-dns/helm-release.yaml b/kustomize/dns/external-dns/helm-release.yaml new file mode 100644 index 00000000..b4a14e3c --- /dev/null +++ b/kustomize/dns/external-dns/helm-release.yaml 
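Review bot: The external-dns pod receives `etcd-client-tls`, the same client identity CoreDNS is given in patch 1, and because the etcd release runs with RBAC disabled that credential is full read and write on every key rather than the `/skydns` prefix the coredns provider uses by default; if etcd RBAC is enabled later, external-dns should get its own Certificate (distinct CN) mapped to a user scoped to that prefix. Until then a comment at the `extraVolumes` op, e.g. `# shares the CoreDNS client cert; etcd RBAC is off, so this is full access`, records the current state. `ETCD_TLS_SERVER_NAME` matches the `ETCD_URLS` host and both carry the same `${CLUSTER_DOMAIN:-cluster.local}` default as the Certificate SANs, which keeps them in sync. The `env` appends rely on the base HelmRelease in this patch declaring `env: []`.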
@@ -0,0 +1,26 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: external-dns + namespace: system-dns +spec: + interval: 5m + timeout: 10m + dependsOn: [] + chart: + spec: + chart: external-dns + # renovate: datasource=helm depName=external-dns package=external-dns helmRepo=https://kubernetes-sigs.github.io/external-dns/ + version: 1.15.0 + sourceRef: + kind: HelmRepository + name: external-dns + namespace: system-gitops + values: + env: [] + extraVolumes: [] + extraVolumeMounts: [] + sources: [] + domainFilters: + - "${DOMAIN}" diff --git a/kustomize/dns/external-dns/helm-repository.yaml b/kustomize/dns/external-dns/helm-repository.yaml new file mode 100644 index 00000000..fd0c9420 --- /dev/null +++ b/kustomize/dns/external-dns/helm-repository.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: external-dns + namespace: system-gitops +spec: + interval: 10m + timeout: 3m + url: https://kubernetes-sigs.github.io/external-dns/ diff --git a/kustomize/dns/external-dns/ingress/kustomization.yaml b/kustomize/dns/external-dns/ingress/kustomization.yaml new file mode 100644 index 00000000..8138d116 --- /dev/null +++ b/kustomize/dns/external-dns/ingress/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +patches: + - path: patches/helm-release.yaml diff --git a/kustomize/dns/external-dns/ingress/patches/helm-release.yaml b/kustomize/dns/external-dns/ingress/patches/helm-release.yaml new file mode 100644 index 00000000..c89614ca --- /dev/null +++ b/kustomize/dns/external-dns/ingress/patches/helm-release.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: external-dns + namespace: system-dns +spec: + values: + sources: + - ingress diff --git a/kustomize/dns/external-dns/kustomization.yaml b/kustomize/dns/external-dns/kustomization.yaml new file mode 100644 index 00000000..e768af5d 
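Review bot: `domainFilters: - "${DOMAIN}"` is the only guard on which hostnames external-dns publishes, and the variable has no default; if Flux's post-build substitution leaves an unset variable as the literal `${DOMAIN}` the filter matches nothing and fails closed, but if the context expands it to an empty string the list becomes `[""]`, which I believe external-dns treats as no filtering, so every Ingress host in the cluster would be written to etcd. Pin the behaviour with an explicit non-matching default, e.g. `"${DOMAIN:-unset.invalid}"` (constructed example using a reserved name), or document in a comment that DOMAIN is mandatory for this release. The `ingress` component on this line sets `sources: - ingress` via strategic merge, so the empty `sources: []` in the base is the intended extension point.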
--- /dev/null +++ b/kustomize/dns/external-dns/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - helm-repository.yaml + - helm-release.yaml From 8a37d42050191f30dd382d62392706c752a945e3 Mon Sep 17 00:00:00 2001 From: Ryan VanGundy Date: Wed, 5 Feb 2025 09:44:28 -0500 Subject: [PATCH 6/8] Clean up blueprint --- contexts/default/blueprint.yaml | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/contexts/default/blueprint.yaml b/contexts/default/blueprint.yaml index 71031fcf..ddcaaa19 100644 --- a/contexts/default/blueprint.yaml +++ b/contexts/default/blueprint.yaml @@ -17,6 +17,8 @@ terraform: - path: cluster/talos - path: gitops/flux kustomize: + +# Policy - name: policy-base path: policy/base components: @@ -25,6 +27,8 @@ kustomize: path: policy/resources dependsOn: - policy-base + +# PKI - name: pki-base path: pki/base dependsOn: @@ -41,6 +45,8 @@ kustomize: components: - private-issuer/ca - public-issuer/selfsigned + +# DNS - name: dns path: dns dependsOn: @@ -59,13 +65,8 @@ kustomize: force: true components: - metallb -- name: lb-resources - path: lb/resources - dependsOn: - - lb-base - force: true - components: - - metallb/layer2 + +# Ingress - name: ingress-base path: ingress/base dependsOn: @@ -77,6 +78,17 @@ kustomize: - nginx/nodeport-flux-webhook - nginx/coredns - nginx/coredns/nodeport + +# Load Balancer +- name: lb-resources + path: lb/resources + dependsOn: + - lb-base + force: true + components: + - metallb/layer2 + +# GitOps - name: gitops path: gitops/flux dependsOn: From 6b9e42a52bbca767af32bd5294a84e4e5736bf25 Mon Sep 17 00:00:00 2001 
From: Ryan VanGundy Date: Wed, 5 Feb 2025 23:02:45 -0500 Subject: [PATCH 7/8] DNS support on colima and docker-desktop --- contexts/{default => colima}/blueprint.yaml | 36 ++++------ .../colima/terraform/cluster/talos.tfvars | 25 +++++++ .../terraform/gitops/flux.tfvars | 0 .../default/terraform/cluster/talos.tfvars | 67 ------------------- contexts/docker-desktop/blueprint.yaml | 60 +++++++++++++++++ .../terraform/cluster/talos.tfvars | 25 +++++++ .../terraform/gitops/flux.tfvars | 11 +++ .../nginx/coredns/patches/helm-release.yaml | 5 ++ .../kustomization.yaml | 0 .../patches/helm-release.yaml | 1 - .../ingress/base/nginx/helm-release.yaml | 1 + .../kustomization.yaml | 0 .../loadbalancer/patches/helm-release.yaml | 12 ++++ .../kustomization.yaml | 0 .../nodeport/patches/helm-release.yaml | 5 -- .../ingress/base/nginx/web/kustomization.yaml | 4 ++ .../patches/helm-release.yaml | 2 +- windsor.yaml | 61 +++++++++++++++-- 18 files changed, 211 insertions(+), 104 deletions(-) rename contexts/{default => colima}/blueprint.yaml (85%) create mode 100644 contexts/colima/terraform/cluster/talos.tfvars rename contexts/{default => colima}/terraform/gitops/flux.tfvars (100%) delete mode 100644 contexts/default/terraform/cluster/talos.tfvars create mode 100644 contexts/docker-desktop/blueprint.yaml create mode 100644 contexts/docker-desktop/terraform/cluster/talos.tfvars create mode 100644 contexts/docker-desktop/terraform/gitops/flux.tfvars rename kustomize/ingress/base/nginx/{coredns/nodeport => flux-webhook}/kustomization.yaml (100%) rename kustomize/ingress/base/nginx/{nodeport-flux-webhook => flux-webhook}/patches/helm-release.yaml (92%) rename kustomize/ingress/base/nginx/{nodeport-flux-webhook => loadbalancer}/kustomization.yaml (100%) create mode 100644 kustomize/ingress/base/nginx/loadbalancer/patches/helm-release.yaml rename kustomize/ingress/base/nginx/{nodeport-web => nodeport}/kustomization.yaml (100%) rename kustomize/ingress/base/nginx/{coredns => 
}/nodeport/patches/helm-release.yaml (67%) create mode 100644 kustomize/ingress/base/nginx/web/kustomization.yaml rename kustomize/ingress/base/nginx/{nodeport-web => web}/patches/helm-release.yaml (91%) diff --git a/contexts/default/blueprint.yaml b/contexts/colima/blueprint.yaml similarity index 85% rename from contexts/default/blueprint.yaml rename to contexts/colima/blueprint.yaml index ddcaaa19..bea08de9 100644 --- a/contexts/default/blueprint.yaml +++ b/contexts/colima/blueprint.yaml @@ -1,8 +1,8 @@ kind: Blueprint apiVersion: blueprints.windsorcli.dev/v1alpha1 metadata: - name: default - description: This blueprint outlines resources in the local context + name: colima + description: This blueprint configures core for running in a Colima managed VM repository: url: http://git.test/git/core ref: @@ -17,8 +17,6 @@ terraform: - path: cluster/talos - path: gitops/flux kustomize: - -# Policy - name: policy-base path: policy/base components: @@ -27,8 +25,6 @@ kustomize: path: policy/resources dependsOn: - policy-base - -# PKI - name: pki-base path: pki/base dependsOn: @@ -45,8 +41,6 @@ kustomize: components: - private-issuer/ca - public-issuer/selfsigned - -# DNS - name: dns path: dns dependsOn: @@ -65,8 +59,13 @@ kustomize: force: true components: - metallb - -# Ingress +- name: lb-resources + path: lb/resources + dependsOn: + - lb-base + force: true + components: + - metallb/layer2 - name: ingress-base path: ingress/base dependsOn: @@ -74,21 +73,10 @@ kustomize: force: true components: - nginx - - nginx/nodeport-web - - nginx/nodeport-flux-webhook + - nginx/loadbalancer - nginx/coredns - - nginx/coredns/nodeport - -# Load Balancer -- name: lb-resources - path: lb/resources - dependsOn: - - lb-base - force: true - components: - - metallb/layer2 - -# GitOps + - nginx/flux-webhook + - nginx/web - name: gitops path: gitops/flux dependsOn: 
diff --git a/contexts/colima/terraform/cluster/talos.tfvars b/contexts/colima/terraform/cluster/talos.tfvars
new file mode 100644
index 00000000..7d619af7
--- /dev/null
+++ b/contexts/colima/terraform/cluster/talos.tfvars
@@ -0,0 +1,25 @@
+// Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten.
+// Module source: github.com/windsorcli/core//terraform/cluster/talos?ref=main
+
+// The external controlplane API endpoint of the kubernetes API
+cluster_endpoint = "https://10.5.0.2:6443"
+
+// The name of the cluster
+cluster_name = "talos"
+
+// A YAML string of common config patches to apply
+common_config_patches = "\"cluster\":\n \"apiServer\":\n \"certSANs\":\n - \"localhost\"\n - \"10.5.0.2\"\n \"extraManifests\":\n - \"https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/v0.8.7/deploy/standalone-install.yaml\"\n\"machine\":\n \"certSANs\":\n - \"localhost\"\n - \"10.5.0.2\"\n \"features\":\n \"hostDNS\":\n \"forwardKubeDNSToHost\": true\n \"kubelet\":\n \"extraArgs\":\n \"rotate-server-certificates\": \"true\"\n \"network\":\n \"interfaces\":\n - \"ignore\": true\n \"interface\": \"eth0\"\n \"registries\":\n \"mirrors\":\n \"gcr.io\":\n \"endpoints\":\n - \"http://gcr.test:5000\"\n \"ghcr.io\":\n \"endpoints\":\n - \"http://ghcr.test:5000\"\n \"quay.io\":\n \"endpoints\":\n - \"http://quay.test:5000\"\n \"registry-1.docker.io\":\n \"endpoints\":\n - \"http://registry-1.docker.test:5000\"\n \"registry.k8s.io\":\n \"endpoints\":\n - \"http://registry.k8s.test:5000\"\n \"registry.test\":\n \"endpoints\":\n - \"http://registry.test:5000\""
+
+// Machine config details for control planes
+controlplanes = [{
+ endpoint = "10.5.0.2:50000"
+ hostname = "controlplane-1.test"
+ node = "10.5.0.2"
+}]
+
+// Machine config details for workers
+workers = [{
+ endpoint = "10.5.0.11:50000"
+ hostname = "worker-1.test"
+ node = "10.5.0.11"
+}]
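Review bot: `common_config_patches` is written as one escaped single-line string holding a nested YAML document, which cannot be reviewed or diffed meaningfully; the `contexts/default` tfvars this commit deletes appears to have used a heredoc for the same value, and a `<<EOF` heredoc with real newlines would keep the Talos patches readable while producing the same string. Every registry mirror endpoint in that string is plain `http://` (`http://gcr.test:5000`, `http://ghcr.test:5000`, `http://quay.test:5000`, `http://registry-1.docker.test:5000`, `http://registry.k8s.test:5000`, `http://registry.test:5000`), so image pulls through the mirrors are unauthenticated plaintext; a comment above the value such as `// Registry mirrors are plaintext http and intended for the local Colima VM only` would record that scope for anyone copying this context. The `extraManifests` entry pulls `kubelet-serving-cert-approver` from `raw.githubusercontent.com` at the tag `v0.8.7`, a mutable reference fetched at node boot; pinning it to a commit SHA, or vendoring the manifest into the repository, would make that boot-time dependency reproducible.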
diff --git a/contexts/default/terraform/gitops/flux.tfvars b/contexts/colima/terraform/gitops/flux.tfvars
similarity index 100%
rename from contexts/default/terraform/gitops/flux.tfvars
rename to contexts/colima/terraform/gitops/flux.tfvars
diff --git a/contexts/default/terraform/cluster/talos.tfvars b/contexts/default/terraform/cluster/talos.tfvars
deleted file mode 100644
index 38591164..00000000
--- a/contexts/default/terraform/cluster/talos.tfvars
+++ /dev/null
@@ -1,67 +0,0 @@
-// Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten.
-// Module source: github.com/windsorcli/core//terraform/cluster/talos?ref=main
-
-// The external controlplane API endpoint of the kubernetes API
-cluster_endpoint = "https://127.0.0.1:6443"
-
-// The name of the cluster
-cluster_name = "talos"
-
-// A YAML string of common config patches to apply
-common_config_patches = < Date: Fri, 7 Feb 2025 08:38:28 -0500 Subject: [PATCH 8/8] nodeports => hostports --- windsor.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windsor.yaml b/windsor.yaml
index 8f28caf5..b362a709 100644
--- a/windsor.yaml
+++ b/windsor.yaml
@@ -96,7 +96,7 @@ contexts:
 count: 1
 cpu: 4
 memory: 4
- nodeports:
+ hostports:
 - 8080:30080/tcp
 - 8443:30443/tcp
 - 9292:30292/tcp
