chore: Refactor infrastructure

2025-02-05 12:34:39 -08:00 · 2025-02-05 12:34:39 -08:00 · 43818c79a3
commit 43818c79a3
parent ab47950137
27 changed files with 202 additions and 105 deletions
--- a/k8s/apps/kube-prometheus-stack/kustomization.yaml
+++ b/k8s/apps/kube-prometheus-stack/kustomization.yaml
@ -1,3 +1,4 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
--- a/k8s/apps/kube-prometheus-stack/repository.yaml
+++ b/k8s/apps/kube-prometheus-stack/repository.yaml
@ -5,6 +5,6 @@ metadata:
  name: prometheus-community
  namespace: kube-prometheus-stack
 spec:
-  interval: 1m
+  interval: 10m
  url: https://prometheus-community.github.io/helm-charts

--- a/k8s/apps/kustomization.yaml
+++ b/k8s/apps/kustomization.yaml
@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - kube-prometheus-stack
-
+  - uptime-kuma
+  - rancher
--- a/k8s/infrastructure/02/kustomization.yaml
+++ b/k8s/infrastructure/02/kustomization.yaml
@ -2,6 +2,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - cluster-secret-store.yaml
-  - cluster-issuer.yaml
-  - certificate.yaml
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
--- a/k8s/apps/rancher/namespace.yaml
+++ b/k8s/apps/rancher/namespace.yaml
@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cattle-system
+
--- a/k8s/infrastructure/04/rancher.yaml
+++ b/k8s/infrastructure/04/rancher.yaml
@ -1,19 +1,3 @@
---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cattle-system
-
---
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: rancher-stable
-  namespace: cattle-system
-spec:
-  interval: 1m
-  url: https://releases.rancher.com/server-charts/stable
-
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
--- a/k8s/apps/rancher/repository.yaml
+++ b/k8s/apps/rancher/repository.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: rancher-stable
+  namespace: cattle-system
+spec:
+  interval: 1m
+  url: https://releases.rancher.com/server-charts/stable
--- a/k8s/infrastructure/04/kustomization.yaml
+++ b/k8s/infrastructure/04/kustomization.yaml
@ -2,5 +2,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - rancher.yaml
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml

--- a/k8s/apps/uptime-kuma/namespace.yaml
+++ b/k8s/apps/uptime-kuma/namespace.yaml
@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: uptime-kuma
+
--- a/k8s/apps/uptime-kuma/release.yaml
+++ b/k8s/apps/uptime-kuma/release.yaml
@ -0,0 +1,40 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: uptime-kuma
+  namespace: uptime-kuma
+spec:
+  interval: 10m0s
+  chart:
+    spec:
+      chart: uptime-kuma
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: uptime-kuma
+        namespace: uptime-kuma
+  values:
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: le-cf-issuer
+        kubernetes.io/ingress.class: traefik
+      hosts:
+        - host: uptime.dolo.mnke.org
+          paths:
+            - path: /
+              pathType: ImplementationSpecific
+    resources:
+      limits:
+        cpu: 200m
+        memory: 256Mi
+      requests:
+        cpu: 100m
+        memory: 128Mi
+    volume:
+      enabled: true
+      accessMode: ReadWriteMany
+      size: 1Gi
+      storageClassName: longhorn
+
--- a/k8s/apps/uptime-kuma/repository.yaml
+++ b/k8s/apps/uptime-kuma/repository.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: uptime-kuma
+  namespace: uptime-kuma
+spec:
+  interval: 10m0s
+  url: https://helm.irsigler.cloud
--- a/k8s/clusters/dolo/apps.yaml
+++ b/k8s/clusters/dolo/apps.yaml
@ -6,8 +6,9 @@ metadata:
  namespace: flux-system
 spec:
  interval: 10m0s
+  retryInterval: 1m
  dependsOn:
-    - name: infrastructure-04
+    - name: infrastructure
  sourceRef:
    kind: GitRepository
    name: flux-system
--- a/k8s/clusters/dolo/infrastructure.yaml
+++ b/k8s/clusters/dolo/infrastructure.yaml
@ -2,7 +2,7 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: infrastructure-01
+  name: external-secrets
  namespace: flux-system
 spec:
  interval: 1h
@ -11,65 +11,112 @@ spec:
  sourceRef:
    kind: GitRepository
    name: flux-system
-  path: ./k8s/infrastructure/01
-  prune: true
+  path: ./k8s/infrastructure/external-secrets
  wait: true
+  prune: true

 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: infrastructure-02
+  name: secrets
  namespace: flux-system
 spec:
+  interval: 1h
+  retryInterval: 1m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./k8s/infrastructure/secrets
+  wait: true
+  prune: true
  dependsOn:
-    - name: infrastructure-01
-  interval: 1h
-  retryInterval: 1m
-  timeout: 5m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  path: ./k8s/infrastructure/02
-  prune: true
-  wait: true
+    - name: external-secrets

 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: infrastructure-03
+  name: cert-manager
  namespace: flux-system
 spec:
-  dependsOn:
-    - name: infrastructure-02
  interval: 1h
  retryInterval: 1m
  timeout: 5m
  sourceRef:
    kind: GitRepository
    name: flux-system
-  path: ./k8s/infrastructure/03
-  prune: true
+  path: ./k8s/infrastructure/cert-manager
  wait: true
+  prune: true
+  dependsOn:
+    - name: secrets

 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: infrastructure-04
+  name: traefik
  namespace: flux-system
 spec:
-  dependsOn:
-    - name: infrastructure-03
  interval: 1h
  retryInterval: 1m
  timeout: 5m
  sourceRef:
    kind: GitRepository
    name: flux-system
-  path: ./k8s/infrastructure/04
-  prune: true
+  path: ./k8s/infrastructure/traefik
  wait: true
+  prune: true
+  dependsOn:
+    - name: cert-manager
+    - name: secrets

+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: storage
+  namespace: flux-system
+spec:
+  interval: 1h
+  retryInterval: 1m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./k8s/infrastructure/storage
+  wait: true
+  prune: true

+---
+# What I want is one single unit that the rest of my applications relying on
+# general infrastructure stuff can use `dependsOn` for by creating a single
+# logical unit around the infrastructure kustomizations. I'm not sure how
+# to do this other than creating a dummy Kustomization that doesn't actually
+# apply anything meaningful, but just depends on everything else on this file.
+# Maybe [components](https://fluxcd.io/flux/components/kustomize/kustomizations/#components)
+# would help with this, but I'm not sure how it works and there's currently a
+# warning that this feature is experimental and might change soon.
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infrastructure
+  namespace: flux-system
+spec:
+  interval: 1h
+  retryInterval: 1m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./k8s/infrastructure/dummy
+  wait: true
+  prune: false
+  dependsOn:
+    - name: external-secrets
+    - name: secrets
+    - name: cert-manager
+    - name: traefik
+    - name: storage
--- a/k8s/infrastructure/01/kustomization.yaml
+++ b/k8s/infrastructure/01/kustomization.yaml
@ -1,9 +0,0 @@
---
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - external-secrets.yaml
-  - cert-manager.yaml
-  - longhorn.yaml
-  - nfs-subdir-external-provisioner.yaml
-  - traefik.yaml
--- a/k8s/infrastructure/01/traefik.yaml
+++ b/k8s/infrastructure/01/traefik.yaml
@ -1,21 +0,0 @@
-# This is kind of strange, but we only create the namespace and repository
-# at this step. We want a wildcard certificate to use as the default, so we
-# have to postpone the release until we actually have the secret
---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: traefik
-  labels:
-    external-secrets.io/secrets.cloudflare: require
-
---
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: traefik
-  namespace: traefik
-spec:
-  interval: 1m
-  url: https://helm.traefik.io/traefik
-
--- a/k8s/infrastructure/cert-manager/cert-manager.yaml
+++ b/k8s/infrastructure/cert-manager/cert-manager.yaml
@ -44,3 +44,4 @@ spec:
      nameservers:
        - 1.1.1.1
        - 9.9.9.9
+
--- a/k8s/infrastructure/cert-manager/cluster-issuer.yaml
+++ b/k8s/infrastructure/cert-manager/cluster-issuer.yaml
@ -1,28 +1,3 @@
---
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterExternalSecret
-metadata:
-  name: cloudflare
-spec:
-  externalSecretName: cloudflare
-
-  namespaceSelectors:
-    - matchLabels:
-        external-secrets.io/secrets.cloudflare: require
-
-  externalSecretSpec:
-    secretStoreRef:
-      kind: ClusterSecretStore
-      name: infisical
-
-    target:
-      name: cloudflare
-
-    data:
-      - secretKey: dns-api-token
-        remoteRef:
-          key: cf-dns-api-token
-
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
--- a/k8s/infrastructure/dummy/kustomization.yaml
+++ b/k8s/infrastructure/dummy/kustomization.yaml
@ -1,6 +1,4 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources:
-  - traefik.yaml
-
+resources: []
--- a/k8s/infrastructure/external-secrets/external-secrets.yaml
+++ b/k8s/infrastructure/external-secrets/external-secrets.yaml
@ -30,3 +30,4 @@ spec:
        name: external-secrets
        namespace: external-secrets
      interval: 10m
+
--- a/k8s/infrastructure/secrets/cloudflare.yaml
+++ b/k8s/infrastructure/secrets/cloudflare.yaml
@ -0,0 +1,25 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterExternalSecret
+metadata:
+  name: cloudflare
+spec:
+  externalSecretName: cloudflare
+
+  namespaceSelectors:
+    - matchLabels:
+        external-secrets.io/secrets.cloudflare: require
+
+  externalSecretSpec:
+    secretStoreRef:
+      kind: ClusterSecretStore
+      name: infisical
+
+    target:
+      name: cloudflare
+
+    data:
+      - secretKey: dns-api-token
+        remoteRef:
+          key: cf-dns-api-token
+
--- a/k8s/infrastructure/secrets/cluster-external-secrets.yaml
+++ b/k8s/infrastructure/secrets/cluster-external-secrets.yaml
--- a/k8s/infrastructure/storage/longhorn.yaml
+++ b/k8s/infrastructure/storage/longhorn.yaml
@ -30,3 +30,4 @@ spec:
        name: longhorn
        namespace: longhorn-system
      interval: 10m
+
--- a/k8s/infrastructure/storage/nfs-subdir-external-provisioner.yaml
+++ b/k8s/infrastructure/storage/nfs-subdir-external-provisioner.yaml
@ -39,3 +39,4 @@ spec:
      name: nfs-client
      defaultClass: false

+
--- a/k8s/infrastructure/traefik/certificate.yaml
+++ b/k8s/infrastructure/traefik/certificate.yaml
@ -12,3 +12,4 @@ spec:
  issuerRef:
    name: le-cf-issuer
    kind: ClusterIssuer
+
--- a/k8s/infrastructure/traefik/traefik.yaml
+++ b/k8s/infrastructure/traefik/traefik.yaml
@ -1,3 +1,21 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik
+  labels:
+    external-secrets.io/secrets.cloudflare: require
+
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: traefik
+  namespace: traefik
+spec:
+  interval: 1m
+  url: https://helm.traefik.io/traefik
+
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
--- a/k8s/pre-infrastructure/.gitignore
+++ b/k8s/pre-infrastructure/.gitignore
--- a/k8s/pre-infrastructure/dns-config-map.yaml
+++ b/k8s/pre-infrastructure/dns-config-map.yaml