feat: Add traefik to dolo; refactor

k8s/clusters/dolo/apps.yaml

@@ -2,7 +2,7 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: infra-controllers
+  name: infrastructure-01
   namespace: flux-system
 spec:
   interval: 1h
@@ -11,7 +11,7 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
-  path: ./k8s/infrastructure/controllers
+  path: ./k8s/infrastructure/01
   prune: true
   wait: true
 
@@ -19,18 +19,36 @@ spec:
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: infra-configs
+  name: infrastructure-02
   namespace: flux-system
 spec:
   dependsOn:
-    - name: infra-controllers
+    - name: infrastructure-01
   interval: 1h
   retryInterval: 1m
   timeout: 5m
   sourceRef:
     kind: GitRepository
     name: flux-system
-  path: ./k8s/infrastructure/configs
+  path: ./k8s/infrastructure/02
+  prune: true
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infrastructure-03
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: infrastructure-02
+  interval: 1h
+  retryInterval: 1m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./k8s/infrastructure/03
   prune: true
 
 # ---

k8s/infrastructure/00/.gitignore

@@ -0,0 +1,3 @@
+# I just apply this manually before doing other stuff.
+universal-auth-credentials.yaml
+

k8s/infrastructure/00/dns-config-map.yaml

@@ -4,6 +4,8 @@ kind: ConfigMap
 metadata:
   name: coredns
   namespace: kube-system
+  annotations:
+    fluxcd.io/ignore: "true"
 data:
   Corefile: |
     .:53 {
@@ -20,3 +22,4 @@ data:
         reload
         loadbalance
     }
+

k8s/infrastructure/01/cert-manager.yaml

@@ -3,6 +3,8 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: cert-manager
+  labels:
+    external-secrets.io/secrets.cloudflare: require
 
 ---
 apiVersion: source.toolkit.fluxcd.io/v1

k8s/infrastructure/01/kustomization.yaml

@@ -1,5 +1,7 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - external-secrets.yaml
   - cert-manager.yaml
+  - traefik.yaml

k8s/infrastructure/01/traefik.yaml

@@ -0,0 +1,21 @@
+# This is kind of strange, but we only create the namespace and repository
+# at this step. We want a wildcard certificate to use as the default, so we
+# have to postpone the release until we actually have the secret
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: traefik
+  labels:
+    external-secrets.io/secrets.cloudflare: require
+
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: traefik
+  namespace: traefik
+spec:
+  interval: 1m
+  url: https://helm.traefik.io/traefik
+

k8s/infrastructure/02/certificate.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-mnke-org
+  namespace: traefik
+spec:
+  secretName: wildcard-mnke-org-tls
+  dnsNames:
+    - "*.mnke.org"
+    - "*.dolo.mnke.org"
+  issuerRef:
+    name: le-cf-issuer
+    kind: ClusterIssuer

k8s/infrastructure/02/cluster-issuer.yaml

@@ -1,21 +1,28 @@
 ---
 apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
+kind: ClusterExternalSecret
 metadata:
   name: cloudflare
-  namespace: cert-manager
 spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: infisical
+  externalSecretName: cloudflare
 
-  target:
-    name: cloudflare
+  namespaceSelectors:
+    - matchLabels:
+        external-secrets.io/secrets.cloudflare: require
+
+  externalSecretSpec:
+    secretStoreRef:
+      kind: ClusterSecretStore
+      name: infisical
+
+    target:
+      name: cloudflare
+
+    data:
+      - secretKey: dns-api-token
+        remoteRef:
+          key: cf-dns-api-token
 
-  data:
-    - secretKey: dns-api-token
-      remoteRef:
-        key: cloudflare/dns-api-token
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
@@ -38,4 +45,3 @@ spec:
         selector:
           dnsZones:
             - mnke.org
-

k8s/infrastructure/02/kustomization.yaml

@@ -1,5 +1,7 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - cluster-secret-store.yaml
   - cluster-issuer.yaml
+  - certificate.yaml

k8s/infrastructure/03/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - traefik.yaml
+

k8s/infrastructure/03/traefik.yaml

@@ -0,0 +1,81 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: traefik
+  namespace: traefik
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: traefik
+      sourceRef:
+        kind: HelmRepository
+        name: traefik
+        namespace: traefik
+      interval: 10m
+  values:
+    globalArguments:
+      - "--global.sendanonymoususage=false"
+      - "--global.checknewversion=false"
+
+    additionalArguments:
+      - "--serversTransport.insecureSkipVerify=true"
+      - "--log.level=INFO"
+
+    deployment:
+      enabled: true
+      replicas: 3
+      annotations: {}
+      podAnnotations: {}
+      additionalContainers: []
+      initContainers: []
+
+    ports:
+      web:
+        redirections:
+          entrypoint:
+            to: websecure
+            scheme: https
+            permanent: true
+      websecure:
+        http3:
+          enabled: true
+        advertisedPort: 4443
+        tls:
+          enabled: true
+
+    ingressRoute:
+      dashboard:
+        enabled: true
+
+    ingressClass:
+      name: traefik
+    providers:
+      kubernetesCRD:
+        enabled: true
+        ingressClass: traefik
+        allowExternalNameServices: true
+      kubernetesIngress:
+        enabled: true
+        ingressClass: traefik
+        allowExternalNameServices: true
+        publishedService:
+          enabled: false
+
+    rbac:
+      enabled: true
+
+    service:
+      enabled: true
+      type: LoadBalancer
+      annotations: {}
+      labels: {}
+      spec:
+        loadBalancerIP: 10.0.185.128
+      loadBalancerSourceRanges: []
+      externalIPs: []
+    tlsStore:
+      default:
+        defaultCertificate:
+          secretName: wildcard-mnke-org-tls

k8s/infrastructure/configs/.gitignore

@@ -1 +0,0 @@
-universal-auth-credentials.yaml