fluencelabs · nahsi · Nov 12, 2024 · Nov 4, 2024 · Nov 4, 2024 · Nov 4, 2024
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -64,7 +64,7 @@ jobs:
           method: jwt
           jwtGithubAudience: "https://github.com/fluencelabs"
           jwtTtl: 300
-          exportToken: false
+          exportToken: true
           secrets: |
             kv/digitalocean/gitops token | DIGITALOCEAN_TOKEN ;
             kv/cloudflare/gitops token | CLOUDFLARE_API_TOKEN ;

diff --git a/Justfile b/Justfile
@@ -1,4 +1,3 @@
 download:
   rm -f kubeconfig talosconfig
   gh run download -n configs
-  nix-direnv-reload
diff --git a/README.md b/README.md
@@ -39,3 +39,10 @@ export KUBECONFIG=./kubeconfig
 #### Start using the cluster
 
 https://kubernetes.io/docs/reference/kubectl/quick-reference/
+
+
+## Misc
+### Accessing kubernetes dashboard
+```
+kubectl -n kubernetes-dashboard create token kubernetes-dashboard-admin
+```
diff --git a/flake.nix b/flake.nix
@@ -32,7 +32,7 @@
             pkgs.kubernetes-helm
             pkgs.kubevirt
             pkgs.cilium-cli
-            pkgs.flux
+            pkgs.fluxcd
             pkgs.terraform
           ];
 

diff --git a/flux/dev/cert-issuer/app/cluster-issuer.yml b/flux/dev/cert-issuer/app/cluster-issuer.yml
@@ -0,0 +1,18 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+  namespace: kube-system
+spec:
+  acme:
+    email: [email protected]
+    # server: https://acme-v02.api.letsencrypt.org/directory
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+      - dns01:
+          digitalocean:
+            tokenSecretRef:
+              name: digitalocean-token
+              key: token
diff --git a/flux/dev/cert-issuer/app/kustomization.yml b/flux/dev/cert-issuer/app/kustomization.yml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cluster-issuer.yml
diff --git a/flux/dev/cert-issuer/ks.yml b/flux/dev/cert-issuer/ks.yml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+kind: Kustomization
+metadata:
+  name: cluster-issuer
+  namespace: flux-system
+spec:
+  interval: 2m0s
+  path: ./flux/dev/cert-issuer/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: spectrum
+    namespace: flux-system
+  dependsOn:
+    - name: cert-manager
diff --git a/flux/dev/cert-issuer/kustomization.yml b/flux/dev/cert-issuer/kustomization.yml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ks.yml
diff --git a/flux/dev/cert-manager/app/helm-release.yml b/flux/dev/cert-manager/app/helm-release.yml
@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: kube-system
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: cert-manager
+      version: "1.x"
+      sourceRef:
+        kind: HelmRepository
+        name: cert-manager
+        namespace: flux-system
+      interval: 12h
+  values:
+    installCRDs: true
diff --git a/flux/dev/cert-manager/app/helm-repository.yml b/flux/dev/cert-manager/app/helm-repository.yml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cert-manager
+  namespace: flux-system
+spec:
+  interval: 24h
+  url: https://charts.jetstack.io
diff --git a/flux/dev/cert-manager/app/kustomization.yml b/flux/dev/cert-manager/app/kustomization.yml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm-repository.yml
+  - helm-release.yml
diff --git a/flux/dev/cert-manager/ks.yml b/flux/dev/cert-manager/ks.yml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+kind: Kustomization
+metadata:
+  name: cert-manager
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  path: ./flux/dev/cert-manager/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: spectrum
+    namespace: flux-system
diff --git a/flux/dev/cert-manager/kustomization.yml b/flux/dev/cert-manager/kustomization.yml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ks.yml
diff --git a/flux/dev/external-dns/helm-release.yml b/flux/dev/external-dns/helm-release.yml
@@ -0,0 +1,28 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: external-dns
+  namespace: kube-system
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: external-dns
+      version: 1.15.0
+      sourceRef:
+        kind: HelmRepository
+        name: external-dns-charts
+        namespace: flux-system
+      interval: 5m
+  values:
+    env:
+      - name: DO_TOKEN
+        valueFrom:
+          secretKeyRef:
+            name: digitalocean-token
+            key: token
+    txtOwnerId: "${PREFIX}"
+    sources:
+      - ingress
+    policy: sync
+    provider: digitalocean
diff --git a/flux/dev/external-dns/helm-repository.yml b/flux/dev/external-dns/helm-repository.yml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: external-dns-charts
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://kubernetes-sigs.github.io/external-dns
diff --git a/flux/dev/external-dns/kustomization.yml b/flux/dev/external-dns/kustomization.yml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm-release.yml
+  - helm-repository.yml
diff --git a/flux/dev/ingress-nginx/helm-release.yml b/flux/dev/ingress-nginx/helm-release.yml
@@ -1,14 +1,8 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: ingress-nginx
----
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: ingress-nginx
-  namespace: ingress-nginx
+  namespace: kube-system
 spec:
   interval: 30m
   chart:
@@ -18,14 +12,31 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: ingress-nginx
-        namespace: ingress-nginx
+        namespace: flux-system
       interval: 12h
   values:
     controller:
       kind: DaemonSet
+      publishService:
+        enabled: true
       service:
         type: LoadBalancer
+        externalIPs:
+          - ${LOADBALANCER_IP}
         nodePorts:
           http: 30100
           https: 30101
         externalTrafficPolicy: Local
+    ingress:
+      enabled: true
+      hosts:
+        - kube.${DOMAIN}
+      ingressClassName: nginx
+      useDefaultAnnotations: true
+      pathType: ImplementationSpecific
+      path: /
+      issuer:
+        name: letsencrypt
+        scope: cluster
+      tls:
+        enabled: true
diff --git a/flux/dev/ingress-nginx/helm-repository.yml b/flux/dev/ingress-nginx/helm-repository.yml
@@ -2,7 +2,7 @@ apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
   name: ingress-nginx
-  namespace: ingress-nginx
+  namespace: flux-system
 spec:
   interval: 24h
   url: https://kubernetes.github.io/ingress-nginx
diff --git a/flux/dev/kubernetes-dashboard/helm-release.yml b/flux/dev/kubernetes-dashboard/helm-release.yml
@@ -1,35 +1,11 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: kubernetes-dashboard
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: kubernetes-dashboard-admin
-  namespace: kubernetes-dashboard
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kubernetes-dashboard-admin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    name: kubernetes-dashboard-admin
-    namespace: kubernetes-dashboard
----
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: kubernetes-dashboard
-  namespace: kubernetes-dashboard
+  namespace: kube-system
 spec:
   releaseName: kubernetes-dashboard
+  interval: 5m
   chart:
     spec:
       chart: kubernetes-dashboard
@@ -38,10 +14,20 @@ spec:
         kind: HelmRepository
         name: kubernetes-dashboard
         namespace: flux-system
-  interval: 5m
   values:
     serviceAccount:
       create: true
     rbac:
       create: true
     replicas: 1
+    app:
+      ingress:
+        enabled: true
+        hosts:
+          - dashboard.${DOMAIN}
+        ingressClassName: nginx
+        issuer: 
+          name: letsencrypt
+          scope: cluster
+        tls:
+          enabled: true
diff --git a/flux/dev/kubernetes-dashboard/kustomization.yml b/flux/dev/kubernetes-dashboard/kustomization.yml
@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
   - helm-repository.yml
   - helm-release.yml
+  - serviceaccount.yml
diff --git a/flux/dev/kubernetes-dashboard/serviceaccount.yml b/flux/dev/kubernetes-dashboard/serviceaccount.yml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubernetes-dashboard-admin
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubernetes-dashboard-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: kubernetes-dashboard-admin
+    namespace: kube-system
diff --git a/flux/dev/kubevirt-manager/kustomization.yml b/flux/dev/kubevirt-manager/kustomization.yml
diff --git a/flux/dev/kustomization.yml b/flux/dev/kustomization.yml
@@ -1,7 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - external-dns
   - ingress-nginx
+  - cert-manager
+  - cert-issuer
   - kubernetes-dashboard
   - kubevirt
-  - kubevirt-manager
diff --git a/terraform/backend.tf b/terraform/backend.tf
@@ -24,6 +24,6 @@ data "cloudflare_zone" "fluence_dev" {
   name = "fluence.dev"
 }
 
-data "cloudflare_accounts" "fluence" {
-  name = "fluence"
+provider "vault" {
+  address = "https://vault.fluence.dev"
 }