Redoing my setup after many years

.gitignore

@@ -1,7 +1,9 @@
 .vagrant/
 */**/charts/
 */**/requirements.lock
+*.key
 argocd-pw
+ca.crt
 gateway-password.txt
 kubeconfig
 notes

apps/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
 appVersion: "1.0"
-description: Applications
-name: applications
+description: Cluster infrastructure Stage 1
+name: cluster-infra-stage-1
 version: 0.1.0

apps/values.yaml

@@ -3,4 +3,5 @@ spec:
     server: https://kubernetes.default.svc
   source:
     repoURL: https://github.com/genebean/kubebag
-    targetRevision: HEAD
+    # targetRevision: HEAD
+    targetRevision: redo

bootstrap.sh

@@ -0,0 +1,95 @@
+IPADDRESS=192.168.122.118
+ssh -o UserKnownHostsFile=/dev/null $IPADDRESS cat /etc/rancher/k3s/k3s.yaml |sed 's/default/k3s/g' |sed "s/127\.0\.0\.1/$IPADDRESS/" > ~/.kube/config
+
+# If not already installed.....
+#
+# CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
+# CLI_ARCH=amd64
+# if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
+# curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
+# sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
+# sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
+# rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
+
+helm repo add argo https://argoproj.github.io/argo-helm
+helm repo add cilium https://helm.cilium.io/
+
+helm repo update
+
+helm upgrade --install cilium cilium/cilium --version 1.16.0 \
+  --namespace kube-system \
+  --set bpf.datapathMode=netkit \
+  --set cni.exclusive=false \
+  --set envoy.enabled=false \
+  --set ipam.operator.clusterPoolIPv4PodCIDRList="10.42.0.0/16" \
+  --set k8sServiceHost=127.0.0.1 \
+  --set k8sServicePort=6443 \
+  --set kubeProxyReplacement=true \
+  --set operator.replicas=1 \
+  --set securityContext.privileged=true \
+  --set securityContext.privileged=true
+
+cilium status --wait
+
+sleep 5
+
+kubectl get pods --all-namespaces -o custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name,HOSTNETWORK:.spec.hostNetwork --no-headers=true | grep '<none>' | awk '{print "-n "$1" "$2}' | xargs -L 1 -r kubectl delete pod
+
+sleep 30
+
+helm upgrade --install --namespace argocd --create-namespace argocd argo/argo-cd --set configs.params."server.insecure"=true
+
+# In another terminal
+kubectl port-forward service/argocd-server -n argocd 8080:443
+
+# In original terminal
+ARGOCD_PW=$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d)
+
+~/argocd login localhost:8080 --insecure --username admin --password $ARGOCD_PW
+~/argocd account update-password
+~/argocd account update-password --help
+~/argocd account update-password --current-password $ARGOCD_PW
+
+kubectl apply -n argocd -f redo/projects/infra.yaml
+kubectl apply -n argocd -f redo/apps/argocd.yaml
+kubectl apply -n argocd -f redo/apps/traefik.yaml
+kubectl apply -n argocd -f redo/apps/cert-manager.yaml
+kubectl apply -n argocd -f redo/apps/sealed-secrets.yaml
+kubectl apply -n argocd -f redo/apps/linkerd-crds.yaml
+kubectl apply -n argocd -f redo/apps/linkerd-cni.yaml
+
+# Generate trust anchor
+step certificate create root.linkerd.cluster.local ca.crt ca.key \
+--profile root-ca --no-password --insecure  --not-after=87600h
+
+# # Generate issuer
+# step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
+# --profile intermediate-ca --not-after 8760h --no-password --insecure \
+# --ca ca.crt --ca-key ca.key
+
+# create, save, and apply sealed secret for trust anchor
+kubectl -n linkerd create secret tls \
+  linkerd-trust-anchor \
+  --cert=ca.crt \
+  --key=ca.key \
+  --dry-run=client -o yaml | \
+kubeseal --controller-name=sealed-secrets --controller-namespace=kubeseal -o yaml | \
+tee redo/manifests/linkerd/sealed-linkerd-trust-anchor.yaml | \
+kubectl apply -f -
+
+kubectl apply -f redo/manifests/linkerd/cert-manager-issuer.yaml
+kubectl apply -f redo/manifests/linkerd/certificate-identity.yaml
+
+
+# update ca cert in linkerd-control-plane with one generated above
+kubectl apply -n argocd redo/apps/linkerd-control-plane.yaml
+
+
+# checked out viz dashboard via laptop
+# will need to enforce the that the following annotation is on everything but cert-manager
+#   linkerd.io/inject: enabled
+#
+# Will need to setup LB IPAM like what is talked about in
+# https://blog.stonegarden.dev/articles/2024/02/bootstrapping-k3s-with-cilium/#enable-ssh-server-optional
+#
+#

infra-stage-1/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: Cluster infrastructure Stage 1
+name: infra-stage-1
+version: 0.1.0

infra-stage-1/templates/app-infra-stage-1.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infra-stage-1
+  namespace: argocd
+spec:
+  destination:
+    namespace: argocd
+    server: https://kubernetes.default.svc
+    # server: {{ .Values.spec.destination.server }}
+  project: infra
+  source:
+    helm:
+      valueFiles:
+        - values.yaml
+    path: apps
+    repoURL: {{ .Values.spec.source.repoURL }}
+    targetRevision: {{ .Values.spec.source.targetRevision }}
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

infra-stage-1/templates/apps/app-argocd.yaml

@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "-100"
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: argocd
+    server: "https://kubernetes.default.svc"
+  project: infra
+  source:
+    chart: argo-cd
+    repoURL: https://argoproj.github.io/argo-helm
+    targetRevision: 7.3.11
+    helm:
+      valuesObject:
+        configs:
+          params:
+            "server.insecure": true
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

infra-stage-1/templates/apps/app-cert-manager.yaml

@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "-90"
+spec:
+  project: infra
+  source:
+    chart: cert-manager
+    repoURL: https://charts.jetstack.io
+    targetRevision: v1.15.2
+    helm:
+      valuesObject:
+        installCRDs: "true"
+        extraArgs:
+          - '--enable-gateway-api'
+  destination:
+    namespace: cert-manager
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra-stage-1/templates/apps/app-linkerd-cni.yaml

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: linkerd-cni
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "-90"
+spec:
+  project: infra
+  source:
+    chart: linkerd2-cni
+    repoURL: https://helm.linkerd.io/edge
+    targetRevision: 2024.7.5 
+    helm:
+      valuesObject:
+        privileged: "true"
+  destination:
+    namespace: linkerd-cni
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra-stage-1/templates/apps/app-linkerd-crds.yaml

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: linkerd-crds
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "-90"
+spec:
+  project: infra
+  source:
+    chart: linkerd-crds
+    repoURL: https://helm.linkerd.io/edge
+    targetRevision: 2024.7.5
+    helm:
+      valuesObject:
+        enableHttpRoutes: false
+  destination:
+    namespace: linkerd
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra-stage-1/templates/apps/app-sealed-secrets.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: sealed-secrets
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "-90"
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: infra
+  source:
+    chart: sealed-secrets
+    repoURL: https://bitnami-labs.github.io/sealed-secrets
+    targetRevision: 2.16.1
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: kubeseal
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra-stage-1/templates/apps/app-traefik.yaml

@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: traefik-v3
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "-90"
+spec:
+  project: infra
+  source:
+    chart: traefik
+    repoURL: https://traefik.github.io/charts 
+    targetRevision: 30.0.2
+    helm:
+      valuesObject:
+        ingressClass:
+          name: traefik
+        providers:
+          kubernetesCRD:
+            ingressClass: traefik
+          kubernetesIngress:
+            ingressClass: traefik
+  destination:
+    namespace: traefik-v3
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra-stage-1/templates/project-infra.yaml

@@ -0,0 +1,14 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: infra
+  namespace: argocd
+spec:
+  sourceRepos:
+  - '*'
+  destinations:
+  - namespace: '*'
+    server: '*'
+  clusterResourceWhitelist:
+  - group: '*'
+    kind: '*'

infra-stage-1/values.yaml

@@ -0,0 +1,7 @@
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: https://github.com/genebean/kubebag
+    # targetRevision: HEAD
+    targetRevision: redo

infra-stage-2/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: Cluster infrastructure Stage 2
+name: infra-stage-2
+version: 0.1.0

infra-stage-2/templates/app-infra-stage-2.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: infra-stage-2
+  namespace: argocd
+spec:
+  destination:
+    namespace: argocd
+    server: https://kubernetes.default.svc
+    # server: {{ .Values.spec.destination.server }}
+  project: infra
+  source:
+    helm:
+      valueFiles:
+        - values.yaml
+    path: apps
+    repoURL: {{ .Values.spec.source.repoURL }}
+    targetRevision: {{ .Values.spec.source.targetRevision }}
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true