Keep migrating things

2025-03-27 22:54:32 +01:00 · 2025-03-27 22:54:32 +01:00 · c32705ffa0
commit c32705ffa0
parent f8684df5a9
16 changed files with 364 additions and 21 deletions
--- a/common/environments.yaml
+++ b/common/environments.yaml
@ -2,7 +2,7 @@ environments:
  badhouseplants:
    kubeContext: badhouseplants
    values:
-      - ./values/values.badhouseplants.yaml
+      - ./common/values/values.badhouseplants.yaml
      - base:
          enabled: true
      - velero:
@ -26,7 +26,7 @@ environments:
  etersoft:
    kubeContext: etersoft
    values:
-      - ./values/values.etersoft.yaml
+      - ./common/values/values.etersoft.yaml
      - base:
          enabled: true
      - velero:
--- a/helmfiles/system.yaml
+++ b/helmfiles/system.yaml
@ -1,6 +1,14 @@
 repositories:
  - name: coredns
    url: https://coredns.github.io/helm
+  - name: zot
+    url: https://zotregistry.dev/helm-charts/
+  - name: cilium
+    url: https://helm.cilium.io/
+  - name: metrics-server
+    url: https://kubernetes-sigs.github.io/metrics-server/
+  - name: jetstack
+    url: https://charts.jetstack.io

 releases:
  - name: coredns
@ -9,3 +17,55 @@ releases:
    namespace: kube-system
    inherit:
      - template: common-values-tpl
+
+  - name: cilium
+    chart: cilium/cilium
+    version: 1.17.2
+    namespace: kube-system
+    needs:
+      - kube-system/coredns
+    inherit:
+      - template: common-values
+      - template: common-values-tpl
+
+  - name: zot
+    chart: zot/zot
+    version: 0.1.67
+    createNamespace: false
+    installed: true
+    namespace: registry
+    needs:
+      - kube-system/cilium
+    inherit:
+      - template: common-values-tpl
+      - template: env-secrets
+
+  - name: metrics-server
+    chart: metrics-server/metrics-server
+    version: 3.12.2
+    namespace: kube-system
+    needs:
+      - registry/zot
+    inherit:
+      - template: common-values-tpl
+
+  - name: cert-manager
+    chart: jetstack/cert-manager
+    version: v1.17.1
+    namespace: kube-system
+    missingFileHandler: Warn
+    needs:
+      - kube-system/cilium
+    inherit:
+      - template: common-values
+      - template: common-values-tpl
+
+      #- name: issuer
+      #  chart: '{{ requiredEnv "PWD" }}/charts/issuer'
+      #  namespace: kube-public
+      #  missingFileHandler: Warn
+      #  needs:
+      #    - kube-system/zot-mirror
+      #  inherit:
+      #    - template: common-values
+      #    - template: env-values
--- a/installations/system/helmfile.yaml
+++ b/installations/system/helmfile.yaml
@ -29,23 +29,6 @@ repositories:
    url: https://zotregistry.dev/helm-charts/

 releases:
-  - name: coredns
-    chart: coredns/coredns
-    version: 1.39.1
-    namespace: kube-system
-    inherit:
-      - template: default-common-values
-
-  - name: cilium
-    chart: cilium/cilium
-    version: 1.17.2
-    condition: base.enabled
-    namespace: kube-system
-    needs:
-      - kube-system/coredns
-    inherit:
-      - template: default-env-values
-
  - name: cert-manager
    chart: jetstack/cert-manager
    version: v1.17.1
--- a/kustomizations/kyverno/etersoft/pvc-patch.yaml
+++ b/kustomizations/kyverno/etersoft/pvc-patch.yaml
@ -13,6 +13,7 @@ spec:
              namespaces:
                - applications
                - platform
+                - registry
      mutate:
        patchStrategicMerge:
          metadata:
--- a/values/badhouseplants/kube-system/namespaces/values.yaml
+++ b/values/badhouseplants/kube-system/namespaces/values.yaml
@ -1,4 +1,5 @@
 namespaces:
+  - name: registry
  - name: kube-system
    defaultRegcred: true
  - name: kyverno
--- a/values/badhouseplants/kube-system/zot-mirror/secrets.yaml
+++ b/values/badhouseplants/kube-system/zot-mirror/secrets.yaml
@ -0,0 +1,22 @@
+authHeader: ENC[AES256_GCM,data:nmlP0vRoKJRivvwJArnEO26sqIwFtnK5MYVPJBBCmAGCPpe/U00gYu6JET0gPqGV,iv:+GZwWrxoWw0mAZxZdITBLtHgRKYIyaj/NQwHbD8KppA=,tag:MAer3FiaBxyNwJr0BbDtow==,type:str]
+_mirror_password: ENC[AES256_GCM,data:W2xy2RMmD4d6N+DNceIgtDGUpygOGEbWgGa9Icsy,iv:YsQfm/EmBYY35q2irlZ2rmzkbJzlFnfgMSEKq0G1I5o=,tag:7rNG02Wm9g8GUXeM4nTHqA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVUlyVFZWcWFuWnEyS2Nv
+            Tkx6aTZKY1czQ25RTHhKNWNNQ0xIaWJLb1VFCkdoT0RBTW9EWG8zbzYxekdsUEY2
+            bE9nQUthV3NCa0kzRnBwZ2U2MWlVNzAKLS0tIFY4RVJDM05ZVmR3NEt5YUlpOWZa
+            ZVc1bmJnU1o4U3NGaGN0Sk90YTR0ckkK8gmkHty4Gwt4vuVK3xhWWg4h/EgvJULh
+            Trgn0lzx2pCThg/+82u5J1T/QLXdbbDFFFwGldiMwNjZQfpOmrZpVw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-26T21:04:45Z"
+    mac: ENC[AES256_GCM,data:cTN6wq1m1XtsfNujCfQ4nKtX1Pkc8MFCipUeScDLJUuZZwg4St0h1OkYtYJBWeVSt3CSjjexQpb7Oi9K8wukboIVevaIj0BTT1hkf2ZUFeIV8W62mtftfdRex0yJ/4h1gTZaYBhHEw+qD6r+XvavDs1m22FF5RuF+5qfGUEWA4I=,iv:RsVuXbLVfZSJ7AkIvEdf7H2auFTiqXgpXLe/LbATAo8=,tag:1V5eIiJzjzv4C1JNNf5Quw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4
--- a/values/badhouseplants/values.zot-mirror.yaml
+++ b/values/badhouseplants/values.zot-mirror.yaml
@ -135,6 +135,19 @@ configFiles:
              ],
              "onDemand": true,
              "tlsVerify": true
+            },
+            {
+              "urls": [
+                "https://quay.io"
+              ],
+              "content": [
+                {
+                  "prefix": "**",
+                  "destination": "/quay"
+                }
+              ],
+              "onDemand": true,
+              "tlsVerify": true
            }
          ]
        }
@ -145,4 +158,3 @@ secretFiles:
  htpasswd: |-
    overlord:$2y$05$RhAeAsFY32y8h0japhT72.SQTPXgHc54RCp4CZ4Udsg2.iQxJVeZ.
    mirror_user:$2y$05$PkvVMY04ZGvuGUXkrez7peyXevl63ugFbdxZ.ON1G/Tof/0Uf5vZi
-
--- a/values/common/kube-system/cert-manager/values.gotmpl
+++ b/values/common/kube-system/cert-manager/values.gotmpl
@ -0,0 +1,24 @@
+{{- if not (env "HELMFILE_BOOTSTRAP") }}
+global:
+  imagePullSecrets:
+    - name: regcred
+image:
+  repository: {{ .Values.registry }}/quay/jetstack/cert-manager-controller
+  pullPolicy: Always
+cainjector:
+  image:
+    repository: {{ .Values.registry }}/quay/jetstack/cert-manager-cainjector
+    pullPolicy: Always
+webhook:
+  image:
+    repository: {{ .Values.registry }}/quay/jetstack/cert-manager-webhook
+    pullPolicy: Always
+acmesolver:
+  image:
+    repository: {{ .Values.registry }}/quay/jetstack/cert-manager-acmesolver
+    pullPolicy: Always
+startupapicheck:
+  image:
+    repository: {{ .Values.registry }}/quay/jetstack/cert-manager-startupapicheck
+    pullPolicy: Always
+{{- end }}
--- a/values/common/kube-system/cert-manager/values.yaml
+++ b/values/common/kube-system/cert-manager/values.yaml
@ -0,0 +1,25 @@
+crds:
+  enabled: true
+
+resources:
+  requests:
+    cpu: 30m
+    memory: 100Mi
+  limits:
+    memory: 100Mi
+
+cainjector:
+  resources:
+    requests:
+      cpu: 20m
+      memory: 150Mi
+    limits:
+      memory: 150Mi
+
+webhook:
+  resources:
+    requests:
+      cpu: 50m
+      memory: 150Mi
+    limits:
+      memory: 150Mi
--- a/values/common/kube-system/cilium/values.gotmpl
+++ b/values/common/kube-system/cilium/values.gotmpl
@ -0,0 +1,15 @@
+{{- if not (env "HELMFILE_BOOTSTRAP") }}
+imagePullSecrets:
+  - name: regcred
+image:
+  repository: {{ .Values.registry }}/quay/cilium/cilium
+  useDigest: false
+envoy:
+  image:
+    repository: {{ .Values.registry }}/quay/cilium/cilium-envoy
+    useDigest: false
+operator:
+  image:
+    repository: {{ .Values.registry }}/quay/cilium/operator
+    useDigest: false
+{{- end }}
--- a/values/common/kube-system/cilium/values.yaml
+++ b/values/common/kube-system/cilium/values.yaml
@ -0,0 +1,8 @@
+operator:
+  replicas: 1
+endpointRoutes:
+  enabled: true
+ipam:
+  ciliumNodeUpdateRate: "15s"
+  operator:
+    clusterPoolIPv4PodCIDRList: ["192.168.0.0/16"]
--- a/values/common/kube-system/metrics-server/values.gotmpl
+++ b/values/common/kube-system/metrics-server/values.gotmpl
@ -1,5 +1,5 @@
 image:
-  repository: registry.badhouseplants.net/k8s/metrics-server/metrics-server
+  repository: {{ .Values.registry }}/k8s/metrics-server/metrics-server
 imagePullSecrets:
  - name: regcred
 apiService:
--- a/values/common/registry/zot/values.gotmpl
+++ b/values/common/registry/zot/values.gotmpl
@ -0,0 +1,161 @@
+image:
+  repository: ghcr.io/project-zot/zot
+  tag: v2.1.3-rc4
+
+ingress:
+  enabled: true
+  className: traefik
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+    kubernetes.io/tls-acme: "true"
+    kubernetes.io/ingress.allow-http: "false"
+    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+  pathtype: Prefix
+  hosts:
+    - host: {{ .Values.registry }}
+      paths:
+        - path: /
+  tls:
+    - secretName: {{ .Values.registry }}
+      hosts:
+        - {{ .Values.registry }}
+service:
+  type: ClusterIP
+persistence: true
+pvc:
+  create: true
+  lavels:
+    velero.io/exclude-from-backup: true
+mountConfig: true
+mountSecret: true
+configFiles:
+  config.json: |-
+    {
+      "distSpecVersion": "1.1.1",
+      "storage": {
+        "dedupe": true,
+        "gc": true,
+        "rootDirectory": "/var/lib/registry",
+        "retention": {
+          "dryRun": false,
+          "delay": "24h",
+          "policies": [
+            {
+              "repositories": [
+                "**"
+              ],
+              "deleteReferrers": false,
+              "deleteUntagged": true,
+              "keepTags": [
+                {
+                  "mostRecentlyPulledCount": 2
+                }
+              ]
+            }
+          ]
+        }
+      },
+      "http": {
+        "address": "0.0.0.0",
+        "port": "5000",
+        "externalUrl": "https://{{ .Values.registry }}",
+        "auth": {
+          "htpasswd": {
+            "path": "/secret/htpasswd"
+          }
+        },
+        "accessControl": {
+          "metrics": {
+            "users": [
+              "admin"
+            ]
+          },
+          "repositories": {
+            "**": {
+              "anonymousPolicy": [],
+              "policies": [
+                {
+                  "users": [
+                    "mirror_user",
+                    "overlord"
+                  ],
+                  "actions": [
+                    "read",
+                    "create",
+                    "update",
+                    "delete"
+                  ]
+                }
+              ]
+            }
+          }
+        }
+      },
+      "log": {
+        "level": "info"
+      },
+      "extensions": {
+        "scrub": {
+          "enable": true
+        },
+        "metrics": {
+          "enable": true,
+          "prometheus": {
+            "path": "/metrics"
+          }
+        },
+        "mgmt": {
+          "enable": false
+        },
+        "sync": {
+          "enable": true,
+          "registries": [
+            {
+              "urls": [
+                "https://docker.io/library",
+                "https://docker.io"
+              ],
+              "content": [
+                {
+                  "prefix": "**",
+                  "destination": "/dockerhub"
+                }
+              ],
+              "onDemand": true,
+              "tlsVerify": true
+            },
+            {
+              "urls": [
+                "https://registry.k8s.io"
+              ],
+              "content": [
+                {
+                  "prefix": "**",
+                  "destination": "/k8s"
+                }
+              ],
+              "onDemand": true,
+              "tlsVerify": true
+            },
+            {
+              "urls": [
+                "https://quay.io"
+              ],
+              "content": [
+                {
+                  "prefix": "**",
+                  "destination": "/quay"
+                }
+              ],
+              "onDemand": true,
+              "tlsVerify": true
+            }
+          ]
+        }
+      }
+    }
+
+secretFiles:
+  htpasswd: |-
+    overlord:$2y$05$RhAeAsFY32y8h0japhT72.SQTPXgHc54RCp4CZ4Udsg2.iQxJVeZ.
+    mirror_user:$2y$05$PkvVMY04ZGvuGUXkrez7peyXevl63ugFbdxZ.ON1G/Tof/0Uf5vZi
--- a/values/etersoft/kube-system/cilium/values.yaml
+++ b/values/etersoft/kube-system/cilium/values.yaml
@ -0,0 +1,8 @@
+operator:
+  replicas: 1
+endpointRoutes:
+  enabled: true
+ipam:
+  ciliumNodeUpdateRate: "15s"
+  operator:
+    clusterPoolIPv4PodCIDRList: ["192.168.0.0/16"]
--- a/values/etersoft/kube-system/namespaces/values.yaml
+++ b/values/etersoft/kube-system/namespaces/values.yaml
@ -1,4 +1,5 @@
 namespaces:
+  - name: registry
  - name: kube-system
    defaultRegcred: true
  - name: applications
--- a/values/etersoft/registry/zot/secrets.yaml
+++ b/values/etersoft/registry/zot/secrets.yaml
@ -0,0 +1,22 @@
+authHeader: ENC[AES256_GCM,data:BWmu4bpFjlIDStIcWfpsgbm1hfxlvZAK9LabhXuAdArJzflc4VA+Dy5fJRAMu9Mv,iv:+rwtfnjJCZKPmdcUkTfklq19uSgavOKaySK/O/xd2PE=,tag:3yXa+0LbIqMDk6KLWAAN0Q==,type:str]
+_mirror_password: ENC[AES256_GCM,data:0aa6fqR3+0ZY5KhRKJa0SKBcBnF/KizHXTIm2NQB,iv:DUB8ItYbT+K31XLbWzi5909RPVn9DG9HRDU120VxbdY=,tag:DniRwku2rQX44ffMn4mU6Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsQ0U5L01iNFo5Y0t5SFo2
+            MXlwVDhQZ2R5QnVlUndmQ0x5L2ppU1h6aEVZCmhaUW1JY0RDMEM0T1JkZkk3TGVD
+            R0JjaEN0MGxVV1RIZUxkbjgzMTlTMmsKLS0tIFdDNW8xaWsxamFvUGRFaVZsVUV4
+            S3ZiYTJGOUFzZlNwSUZvNGtmSFNpczQK/npaHLqHSxMnCXNvDFw0eB9KfMJ7bWfV
+            ZuteeaXG+eZNX4l1ZY1pLNUv9kui4oXI8payp7sTZJI6WYZCQz6Oaw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-27T20:50:16Z"
+    mac: ENC[AES256_GCM,data:XtX4NUZ9PCdAFckdlygywFQ8vJRAszOjqPItr0MNRM0ndk/PkYYGzY0phMan7FgxY3Cz5XMJcv/MEogLedM+uH5vMbsOpRY49jpILMORL3Ni1tZFG5Px5NbfExGQmjFyefotRzCHlsUSTZEHlBIp4+FeBI41CgBbLw45rEoneL8=,iv:Ilk7TXqKSSV5WYnptLRaOk/lwwHHLesbSslOCarlVEA=,tag:vWXe+r3tHXoMtWYeJN9T0g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4