From c32705ffa0f4e098467cb0edacceda3bde72d1ae Mon Sep 17 00:00:00 2001 From: Nikolai Rodionov Date: Thu, 27 Mar 2025 22:54:32 +0100 Subject: [PATCH] Keep migrating things --- common/environments.yaml | 4 +- helmfiles/system.yaml | 60 +++++++ installations/system/helmfile.yaml | 17 -- .../kyverno/etersoft/pvc-patch.yaml | 1 + .../kube-system/namespaces/values.yaml | 1 + .../kube-system/zot-mirror/secrets.yaml | 22 +++ values/badhouseplants/values.zot-mirror.yaml | 14 +- .../kube-system/cert-manager/values.gotmpl | 24 +++ .../kube-system/cert-manager/values.yaml | 25 +++ .../common/kube-system/cilium/values.gotmpl | 15 ++ values/common/kube-system/cilium/values.yaml | 8 + .../metrics-server/values.gotmpl} | 2 +- values/common/registry/zot/values.gotmpl | 161 ++++++++++++++++++ .../etersoft/kube-system/cilium/values.yaml | 8 + .../kube-system/namespaces/values.yaml | 1 + values/etersoft/registry/zot/secrets.yaml | 22 +++ 16 files changed, 364 insertions(+), 21 deletions(-) create mode 100644 values/badhouseplants/kube-system/zot-mirror/secrets.yaml create mode 100644 values/common/kube-system/cert-manager/values.gotmpl create mode 100644 values/common/kube-system/cert-manager/values.yaml create mode 100644 values/common/kube-system/cilium/values.gotmpl create mode 100644 values/common/kube-system/cilium/values.yaml rename values/common/{values.metrics-server.yaml => kube-system/metrics-server/values.gotmpl} (69%) create mode 100644 values/common/registry/zot/values.gotmpl create mode 100644 values/etersoft/kube-system/cilium/values.yaml create mode 100644 values/etersoft/registry/zot/secrets.yaml diff --git a/common/environments.yaml b/common/environments.yaml index 62a4e02..c43d5a0 100644 --- a/common/environments.yaml +++ b/common/environments.yaml @@ -2,7 +2,7 @@ environments: badhouseplants: kubeContext: badhouseplants values: - - ./values/values.badhouseplants.yaml + - ./common/values/values.badhouseplants.yaml - base: enabled: true - velero: 
@@ -26,7 +26,7 @@ environments: etersoft: kubeContext: etersoft values: - - ./values/values.etersoft.yaml + - ./common/values/values.etersoft.yaml - base: enabled: true - velero: diff --git a/helmfiles/system.yaml b/helmfiles/system.yaml index e1dfeec..e57bbca 100644 --- a/helmfiles/system.yaml +++ b/helmfiles/system.yaml @@ -1,6 +1,14 @@ repositories: - name: coredns url: https://coredns.github.io/helm + - name: zot + url: https://zotregistry.dev/helm-charts/ + - name: cilium + url: https://helm.cilium.io/ + - name: metrics-server + url: https://kubernetes-sigs.github.io/metrics-server/ + - name: jetstack + url: https://charts.jetstack.io releases: - name: coredns @@ -9,3 +17,55 @@ releases: namespace: kube-system inherit: - template: common-values-tpl + + - name: cilium + chart: cilium/cilium + version: 1.17.2 + namespace: kube-system + needs: + - kube-system/coredns + inherit: + - template: common-values + - template: common-values-tpl + + - name: zot + chart: zot/zot + version: 0.1.67 + createNamespace: false + installed: true + namespace: registry + needs: + - kube-system/cilium + inherit: + - template: common-values-tpl + - template: env-secrets + + - name: metrics-server + chart: metrics-server/metrics-server + version: 3.12.2 + namespace: kube-system + needs: + - registry/zot + inherit: + - template: common-values-tpl + + - name: cert-manager + chart: jetstack/cert-manager + version: v1.17.1 + namespace: kube-system + missingFileHandler: Warn + needs: + - kube-system/cilium + inherit: + - template: common-values + - template: common-values-tpl + + #- name: issuer + # chart: '{{ requiredEnv "PWD" }}/charts/issuer' + # namespace: kube-public + # missingFileHandler: Warn + # needs: + # - kube-system/zot-mirror + # inherit: + # - template: common-values + # - template: env-values diff --git a/installations/system/helmfile.yaml b/installations/system/helmfile.yaml index a9649f0..039c8c1 100644 --- a/installations/system/helmfile.yaml 
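Review bot: The new `zot` release (namespace `registry`, inheriting `env-secrets`) does not line up with the badhouseplants secrets file this commit adds: etersoft's secrets are at `values/etersoft/registry/zot/secrets.yaml`, but badhouseplants' are at `values/badhouseplants/kube-system/zot-mirror/secrets.yaml`. If `env-secrets` resolves `values/<env>/<namespace>/<release>/secrets.yaml` (the template itself is outside this diff, so this is inferred from the other new paths), the badhouseplants registry either deploys without its `authHeader`/`_mirror_password` or the sync fails on a missing file, since this release sets no `missingFileHandler`. Moving the file to `values/badhouseplants/registry/zot/secrets.yaml` would make both environments consistent. The commented-out `issuer` block also still says `needs: kube-system/zot-mirror`, a release that no longer exists here; change it to `registry/zot` before re-enabling it or drop the block.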
+++ b/installations/system/helmfile.yaml @@ -29,23 +29,6 @@ repositories: url: https://zotregistry.dev/helm-charts/ releases: - - name: coredns - chart: coredns/coredns - version: 1.39.1 - namespace: kube-system - inherit: - - template: default-common-values - - - name: cilium - chart: cilium/cilium - version: 1.17.2 - condition: base.enabled - namespace: kube-system - needs: - - kube-system/coredns - inherit: - - template: default-env-values - - name: cert-manager chart: jetstack/cert-manager version: v1.17.1 diff --git a/kustomizations/kyverno/etersoft/pvc-patch.yaml b/kustomizations/kyverno/etersoft/pvc-patch.yaml index fa9f33e..cbf7ec9 100644 --- a/kustomizations/kyverno/etersoft/pvc-patch.yaml +++ b/kustomizations/kyverno/etersoft/pvc-patch.yaml @@ -13,6 +13,7 @@ spec: namespaces: - applications - platform + - registry mutate: patchStrategicMerge: metadata: diff --git a/values/badhouseplants/kube-system/namespaces/values.yaml b/values/badhouseplants/kube-system/namespaces/values.yaml index 11a16f3..6cdd472 100644 --- a/values/badhouseplants/kube-system/namespaces/values.yaml +++ b/values/badhouseplants/kube-system/namespaces/values.yaml @@ -1,4 +1,5 @@ namespaces: + - name: registry - name: kube-system defaultRegcred: true - name: kyverno diff --git a/values/badhouseplants/kube-system/zot-mirror/secrets.yaml b/values/badhouseplants/kube-system/zot-mirror/secrets.yaml new file mode 100644 index 0000000..ff88a50 --- /dev/null +++ b/values/badhouseplants/kube-system/zot-mirror/secrets.yaml 
@@ -0,0 +1,22 @@ +authHeader: ENC[AES256_GCM,data:nmlP0vRoKJRivvwJArnEO26sqIwFtnK5MYVPJBBCmAGCPpe/U00gYu6JET0gPqGV,iv:+GZwWrxoWw0mAZxZdITBLtHgRKYIyaj/NQwHbD8KppA=,tag:MAer3FiaBxyNwJr0BbDtow==,type:str] +_mirror_password: ENC[AES256_GCM,data:W2xy2RMmD4d6N+DNceIgtDGUpygOGEbWgGa9Icsy,iv:YsQfm/EmBYY35q2irlZ2rmzkbJzlFnfgMSEKq0G1I5o=,tag:7rNG02Wm9g8GUXeM4nTHqA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVUlyVFZWcWFuWnEyS2Nv + Tkx6aTZKY1czQ25RTHhKNWNNQ0xIaWJLb1VFCkdoT0RBTW9EWG8zbzYxekdsUEY2 + bE9nQUthV3NCa0kzRnBwZ2U2MWlVNzAKLS0tIFY4RVJDM05ZVmR3NEt5YUlpOWZa + ZVc1bmJnU1o4U3NGaGN0Sk90YTR0ckkK8gmkHty4Gwt4vuVK3xhWWg4h/EgvJULh + Trgn0lzx2pCThg/+82u5J1T/QLXdbbDFFFwGldiMwNjZQfpOmrZpVw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-26T21:04:45Z" + mac: ENC[AES256_GCM,data:cTN6wq1m1XtsfNujCfQ4nKtX1Pkc8MFCipUeScDLJUuZZwg4St0h1OkYtYJBWeVSt3CSjjexQpb7Oi9K8wukboIVevaIj0BTT1hkf2ZUFeIV8W62mtftfdRex0yJ/4h1gTZaYBhHEw+qD6r+XvavDs1m22FF5RuF+5qfGUEWA4I=,iv:RsVuXbLVfZSJ7AkIvEdf7H2auFTiqXgpXLe/LbATAo8=,tag:1V5eIiJzjzv4C1JNNf5Quw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4 diff --git a/values/badhouseplants/values.zot-mirror.yaml b/values/badhouseplants/values.zot-mirror.yaml index 1fefa8b..6586b78 100644 --- a/values/badhouseplants/values.zot-mirror.yaml +++ b/values/badhouseplants/values.zot-mirror.yaml @@ -135,6 +135,19 @@ configFiles: ], "onDemand": true, "tlsVerify": true + }, + { + "urls": [ + "https://quay.io" + ], + "content": [ + { + "prefix": "**", + "destination": "/quay" + } + ], + "onDemand": true, + "tlsVerify": true } ] } @@ -145,4 +158,3 @@ secretFiles: htpasswd: |- overlord:$2y$05$RhAeAsFY32y8h0japhT72.SQTPXgHc54RCp4CZ4Udsg2.iQxJVeZ. mirror_user:$2y$05$PkvVMY04ZGvuGUXkrez7peyXevl63ugFbdxZ.ON1G/Tof/0Uf5vZi - 
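Review bot: The quay.io sync entry is added here to `values/badhouseplants/values.zot-mirror.yaml`, while the same `sync.registries` list (and the same `htpasswd` block) now also lives in the new `values/common/registry/zot/values.gotmpl`, so the registry configuration is maintained in two places that will drift. Whichever copy is the one actually deployed (the old installation helmfile still declares the zot repository, so it is not obvious from this diff), a one-line comment at the top of this file such as `# Superseded by values/common/registry/zot/values.gotmpl; remove once helmfiles/system.yaml owns the registry` would record the intent until the old file is deleted.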
diff --git a/values/common/kube-system/cert-manager/values.gotmpl b/values/common/kube-system/cert-manager/values.gotmpl new file mode 100644 index 0000000..ad8303f --- /dev/null +++ b/values/common/kube-system/cert-manager/values.gotmpl @@ -0,0 +1,24 @@ +{{- if not (env "HELMFILE_BOOTSTRAP") }} +global: + imagePullSecrets: + - name: regcred +image: + repository: {{ .Values.registry }}/quay/jetstack/cert-manager-controller + pullPolicy: Always +cainjector: + image: + repository: {{ .Values.registry }}/quay/jetstack/cert-manager-cainjector + pullPolicy: Always +webhook: + image: + repository: {{ .Values.registry }}/quay/jetstack/cert-manager-webhook + pullPolicy: Always +acmesolver: + image: + repository: {{ .Values.registry }}/quay/jetstack/cert-manager-acmesolver + pullPolicy: Always +startupapicheck: + image: + repository: {{ .Values.registry }}/quay/jetstack/cert-manager-startupapicheck + pullPolicy: Always +{{- end }} diff --git a/values/common/kube-system/cert-manager/values.yaml b/values/common/kube-system/cert-manager/values.yaml new file mode 100644 index 0000000..17c68b2 --- /dev/null +++ b/values/common/kube-system/cert-manager/values.yaml @@ -0,0 +1,25 @@ +crds: + enabled: true + +resources: + requests: + cpu: 30m + memory: 100Mi + limits: + memory: 100Mi + +cainjector: + resources: + requests: + cpu: 20m + memory: 150Mi + limits: + memory: 150Mi + +webhook: + resources: + requests: + cpu: 50m + memory: 150Mi + limits: + memory: 150Mi diff --git a/values/common/kube-system/cilium/values.gotmpl b/values/common/kube-system/cilium/values.gotmpl new file mode 100644 index 0000000..c3448bd --- /dev/null +++ b/values/common/kube-system/cilium/values.gotmpl 
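Review bot: Every cert-manager component is set to `pullPolicy: Always` with a tag-only reference into the in-cluster mirror, so each pod restart needs the `registry/zot` release to be reachable even when the image is already on the node; because zot itself runs behind cilium and the ingress in the same cluster, a node reboot or a mirror outage can leave cert-manager (including the webhook that admission depends on) unable to start. `IfNotPresent` keeps restarts working from the node cache, and integrity is better served by the chart's `image.digest` fields (if present in this chart version) than by re-pulling on every start. The `HELMFILE_BOOTSTRAP` escape hatch also deserves a comment above the `if`, e.g. `# Bootstrap: pull from upstream quay.io until the zot mirror exists; unset afterwards to switch to the mirror`, since its meaning cannot be read from this file.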
@@ -0,0 +1,15 @@ +{{- if not (env "HELMFILE_BOOTSTRAP") }} +imagePullSecrets: + - name: regcred +image: + repository: {{ .Values.registry }}/quay/cilium/cilium + useDigest: false +envoy: + image: + repository: {{ .Values.registry }}/quay/cilium/cilium-envoy + useDigest: false +operator: + image: + repository: {{ .Values.registry }}/quay/cilium/operator + useDigest: false +{{- end }} diff --git a/values/common/kube-system/cilium/values.yaml b/values/common/kube-system/cilium/values.yaml new file mode 100644 index 0000000..00ab2c7 --- /dev/null +++ b/values/common/kube-system/cilium/values.yaml @@ -0,0 +1,8 @@ +operator: + replicas: 1 +endpointRoutes: + enabled: true +ipam: + ciliumNodeUpdateRate: "15s" + operator: + clusterPoolIPv4PodCIDRList: ["192.168.0.0/16"] diff --git a/values/common/values.metrics-server.yaml b/values/common/kube-system/metrics-server/values.gotmpl similarity index 69% rename from values/common/values.metrics-server.yaml rename to values/common/kube-system/metrics-server/values.gotmpl index 7f48aa7..08f7f7c 100644 --- a/values/common/values.metrics-server.yaml +++ b/values/common/kube-system/metrics-server/values.gotmpl @@ -1,5 +1,5 @@ image: - repository: registry.badhouseplants.net/k8s/metrics-server/metrics-server + repository: {{ .Values.registry }}/k8s/metrics-server/metrics-server imagePullSecrets: - name: regcred apiService: diff --git a/values/common/registry/zot/values.gotmpl b/values/common/registry/zot/values.gotmpl new file mode 100644 index 0000000..fc2487e --- /dev/null +++ b/values/common/registry/zot/values.gotmpl 
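Review bot: `useDigest: false` on all three cilium images drops the digest pinning the chart ships by default, so the CNI agent, its envoy proxy and the operator are now fetched by mutable tag from the mirror; any account that can push to `registry/zot` (the htpasswd users in this commit have `create`/`update` on `**`) could replace the image the node-level agent runs. An OCI digest is content-addressed and does not change when the same manifest is served from a different registry, so if zot is a faithful pull-through copy the chart's default digests should still resolve and these three `useDigest: false` lines can simply be removed; if they do not resolve, that mismatch is itself worth investigating rather than bypassing. Alternatively set `image.digest` explicitly per pinned version. A one-line comment explaining when `HELMFILE_BOOTSTRAP` is expected to be set would also help the next reader.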
@@ -0,0 +1,161 @@ +image: + repository: ghcr.io/project-zot/zot + tag: v2.1.3-rc4 + +ingress: + enabled: true + className: traefik + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: web,websecure + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + pathtype: Prefix + hosts: + - host: {{ .Values.registry }} + paths: + - path: / + tls: + - secretName: {{ .Values.registry }} + hosts: + - {{ .Values.registry }} +service: + type: ClusterIP +persistence: true +pvc: + create: true + lavels: + velero.io/exclude-from-backup: true +mountConfig: true +mountSecret: true +configFiles: + config.json: |- + { + "distSpecVersion": "1.1.1", + "storage": { + "dedupe": true, + "gc": true, + "rootDirectory": "/var/lib/registry", + "retention": { + "dryRun": false, + "delay": "24h", + "policies": [ + { + "repositories": [ + "**" + ], + "deleteReferrers": false, + "deleteUntagged": true, + "keepTags": [ + { + "mostRecentlyPulledCount": 2 + } + ] + } + ] + } + }, + "http": { + "address": "0.0.0.0", + "port": "5000", + "externalUrl": "https://{{ .Values.registry }}", + "auth": { + "htpasswd": { + "path": "/secret/htpasswd" + } + }, + "accessControl": { + "metrics": { + "users": [ + "admin" + ] + }, + "repositories": { + "**": { + "anonymousPolicy": [], + "policies": [ + { + "users": [ + "mirror_user", + "overlord" + ], + "actions": [ + "read", + "create", + "update", + "delete" + ] + } + ] + } + } + } + }, + "log": { + "level": "info" + }, + "extensions": { + "scrub": { + "enable": true + }, + "metrics": { + "enable": true, + "prometheus": { + "path": "/metrics" + } + }, + "mgmt": { + "enable": false + }, + "sync": { + "enable": true, + "registries": [ + { + "urls": [ + "https://docker.io/library", + "https://docker.io" + ], + "content": [ + { + "prefix": "**", + "destination": "/dockerhub" + } + ], + "onDemand": true, + "tlsVerify": true + }, + { + "urls": [ + "https://registry.k8s.io" 
+ ], + "content": [ + { + "prefix": "**", + "destination": "/k8s" + } + ], + "onDemand": true, + "tlsVerify": true + }, + { + "urls": [ + "https://quay.io" + ], + "content": [ + { + "prefix": "**", + "destination": "/quay" + } + ], + "onDemand": true, + "tlsVerify": true + } + ] + } + } + } + +secretFiles: + htpasswd: |- + overlord:$2y$05$RhAeAsFY32y8h0japhT72.SQTPXgHc54RCp4CZ4Udsg2.iQxJVeZ. + mirror_user:$2y$05$PkvVMY04ZGvuGUXkrez7peyXevl63ugFbdxZ.ON1G/Tof/0Uf5vZi diff --git a/values/etersoft/kube-system/cilium/values.yaml b/values/etersoft/kube-system/cilium/values.yaml new file mode 100644 index 0000000..00ab2c7 --- /dev/null +++ b/values/etersoft/kube-system/cilium/values.yaml @@ -0,0 +1,8 @@ +operator: + replicas: 1 +endpointRoutes: + enabled: true +ipam: + ciliumNodeUpdateRate: "15s" + operator: + clusterPoolIPv4PodCIDRList: ["192.168.0.0/16"] diff --git a/values/etersoft/kube-system/namespaces/values.yaml b/values/etersoft/kube-system/namespaces/values.yaml index d41f4a7..92b45d5 100644 --- a/values/etersoft/kube-system/namespaces/values.yaml +++ b/values/etersoft/kube-system/namespaces/values.yaml @@ -1,4 +1,5 @@ namespaces: + - name: registry - name: kube-system defaultRegcred: true - name: applications diff --git a/values/etersoft/registry/zot/secrets.yaml b/values/etersoft/registry/zot/secrets.yaml new file mode 100644 index 0000000..551e28a --- /dev/null +++ b/values/etersoft/registry/zot/secrets.yaml 
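Review bot: The registry's credentials are weakened twice in this file: the `secretFiles.htpasswd` bcrypt hashes use cost factor 5 (`$2y$05$`, 32 rounds, far below the customary 10–12), and they sit in a plaintext common values file instead of the SOPS-encrypted `secrets.yaml` that already holds `_mirror_password`, so anyone who can read the repo gets cheap offline cracking against the accounts that have `create`/`update`/`delete` on every repository the clusters pull from; regenerate with `htpasswd -B -C 12` and move `secretFiles.htpasswd` next to the encrypted secrets. The ingress also lists `traefik.ingress.kubernetes.io/router.entrypoints: web,websecure`, so basic-auth pushes and pulls are accepted over plain HTTP (`kubernetes.io/ingress.allow-http` is a GCE annotation Traefik does not honour); use `websecure` alone or add a redirect middleware. Two smaller points: `pvc.lavels` is a typo for `labels`, so the `velero.io/exclude-from-backup` label is never applied (and its value should be the string `"true"`, not a boolean), and `accessControl.metrics.users: ["admin"]` names a user absent from the htpasswd, which together with the `v2.1.3-rc4` release-candidate tag for the component every other image now trusts suggests this configuration has not yet been exercised end to end.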
@@ -0,0 +1,22 @@ +authHeader: ENC[AES256_GCM,data:BWmu4bpFjlIDStIcWfpsgbm1hfxlvZAK9LabhXuAdArJzflc4VA+Dy5fJRAMu9Mv,iv:+rwtfnjJCZKPmdcUkTfklq19uSgavOKaySK/O/xd2PE=,tag:3yXa+0LbIqMDk6KLWAAN0Q==,type:str] +_mirror_password: ENC[AES256_GCM,data:0aa6fqR3+0ZY5KhRKJa0SKBcBnF/KizHXTIm2NQB,iv:DUB8ItYbT+K31XLbWzi5909RPVn9DG9HRDU120VxbdY=,tag:DniRwku2rQX44ffMn4mU6Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsQ0U5L01iNFo5Y0t5SFo2 + MXlwVDhQZ2R5QnVlUndmQ0x5L2ppU1h6aEVZCmhaUW1JY0RDMEM0T1JkZkk3TGVD + R0JjaEN0MGxVV1RIZUxkbjgzMTlTMmsKLS0tIFdDNW8xaWsxamFvUGRFaVZsVUV4 + S3ZiYTJGOUFzZlNwSUZvNGtmSFNpczQK/npaHLqHSxMnCXNvDFw0eB9KfMJ7bWfV + ZuteeaXG+eZNX4l1ZY1pLNUv9kui4oXI8payp7sTZJI6WYZCQz6Oaw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-03-27T20:50:16Z" + mac: ENC[AES256_GCM,data:XtX4NUZ9PCdAFckdlygywFQ8vJRAszOjqPItr0MNRM0ndk/PkYYGzY0phMan7FgxY3Cz5XMJcv/MEogLedM+uH5vMbsOpRY49jpILMORL3Ni1tZFG5Px5NbfExGQmjFyefotRzCHlsUSTZEHlBIp4+FeBI41CgBbLw45rEoneL8=,iv:Ilk7TXqKSSV5WYnptLRaOk/lwwHHLesbSslOCarlVEA=,tag:vWXe+r3tHXoMtWYeJN9T0g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.4
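Review bot: Both environments' secrets files are encrypted to the same single age recipient (`age1vzkv97n…` here and in the badhouseplants file above), so one leaked operator key decrypts the registry credentials of every cluster and no environment can be rotated or revoked independently. If that is deliberate (one operator, one key), a note in `.sops.yaml` (not visible in this diff) saying so would help; otherwise add a per-environment `creation_rules` entry with its own recipient and re-encrypt with `sops updatekeys`. The file itself looks sound: only the two value keys are encrypted, `mac` covers the document, and `unencrypted_suffix` is the default, so nothing here is accidentally in the clear.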