From 7f8014b20b42af506df3f9ff82d9ee6395b828ad Mon Sep 17 00:00:00 2001 From: V Date: Sat, 15 Nov 2025 17:03:21 +0000 Subject: [PATCH] Initial commit - working through the Flux D1 reference architecture@ --- README.md | 1 + .../admission/config/base/kustomization.yaml | 5 ++ .../config/base/sync-configmaps.yaml | 29 +++++++++++ .../admission/config/base/sync-git-token.yaml | 27 ++++++++++ .../controllers/base/kustomization.yaml | 6 +++ .../admission/controllers/base/kyverno.yaml | 51 +++++++++++++++++++ .../admission/controllers/base/namespace.yaml | 8 +++ .../admission/controllers/base/rbac.yaml | 24 +++++++++ .../controllers/dev-amd64/kustomization.yaml | 4 ++ .../controllers/dev-arm64/kustomization.yaml | 4 ++ update/automation.yaml | 38 ++++++++++++++ update/kustomization.yaml | 10 ++++ update/sync.yaml | 13 +++++ 13 files changed, 220 insertions(+) create mode 100644 README.md create mode 100644 components/admission/config/base/kustomization.yaml create mode 100644 components/admission/config/base/sync-configmaps.yaml create mode 100644 components/admission/config/base/sync-git-token.yaml create mode 100644 components/admission/controllers/base/kustomization.yaml create mode 100644 components/admission/controllers/base/kyverno.yaml create mode 100644 components/admission/controllers/base/namespace.yaml create mode 100644 components/admission/controllers/base/rbac.yaml create mode 100644 components/admission/controllers/dev-amd64/kustomization.yaml create mode 100644 components/admission/controllers/dev-arm64/kustomization.yaml create mode 100644 update/automation.yaml create mode 100644 update/kustomization.yaml create mode 100644 update/sync.yaml diff --git a/README.md b/README.md new file mode 100644 index 0000000..f8cd662 --- /dev/null +++ b/README.md @@ -0,0 +1 @@ +Repo for storing the home lab's K8s GitOps setup. WIP... \ No newline at end of file 
diff --git a/components/admission/config/base/kustomization.yaml b/components/admission/config/base/kustomization.yaml new file mode 100644 index 0000000..27a8060 --- /dev/null +++ b/components/admission/config/base/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - sync-configmaps.yaml + - sync-git-token.yaml \ No newline at end of file diff --git a/components/admission/config/base/sync-configmaps.yaml b/components/admission/config/base/sync-configmaps.yaml new file mode 100644 index 0000000..4e19eb6 --- /dev/null +++ b/components/admission/config/base/sync-configmaps.yaml @@ -0,0 +1,29 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: sync-flux-configmaps + annotations: + kustomize.toolkit.fluxcd.io/force: "Enabled" +spec: + validationFailureAction: Enforce + background: false + generateExisting: true + rules: + # This rule ensures that all namespaces + # have a copy of the flux-runtime-info configmap from the flux-system namespace. + - name: sync-configmaps + match: + any: + - resources: + kinds: + - v1/Namespace + generate: + namespace: "{{request.object.metadata.name}}" + synchronize: true + cloneList: + namespace: flux-system + kinds: + - v1/ConfigMap + selector: + matchLabels: + toolkit.fluxcd.io/runtime: "true" \ No newline at end of file diff --git a/components/admission/config/base/sync-git-token.yaml b/components/admission/config/base/sync-git-token.yaml new file mode 100644 index 0000000..24d8152 --- /dev/null +++ b/components/admission/config/base/sync-git-token.yaml 
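Review bot: `validationFailureAction: Enforce` in the sync-flux-configmaps policy spec has no effect on this policy, whose only rule is a `generate` rule, so it reads as if the policy blocks something it does not; drop it or replace it with a comment stating the intent. The rule also clones the runtime-info ConfigMaps into every Namespace that is created, including control-plane namespaces such as kube-system and kube-public; unless that is intended, add an `exclude` stanza under `match` listing those namespaces (or match on a tenant label) so the fan-out stays inside tenant namespaces. `generateExisting: true` presumably relies on Kyverno's background controller to backfill namespaces that already exist, so confirm after install that the controller can list ConfigMaps in flux-system, otherwise the policy report will show the rule as failed.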
@@ -0,0 +1,27 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: sync-git-token +spec: + mutateExistingOnPolicyUpdate: true + rules: + - name: copy-token-from-password + match: + any: + - resources: + kinds: + - Secret + names: + - flux-system + namespaces: + - flux-system + mutate: + targets: + - apiVersion: v1 + kind: Secret + name: flux-system + namespace: flux-system + patchesJson6902: |- + - op: add + path: "/data/token" + value: "{{ request.object.data.password }}" \ No newline at end of file diff --git a/components/admission/controllers/base/kustomization.yaml b/components/admission/controllers/base/kustomization.yaml new file mode 100644 index 0000000..91b05ce --- /dev/null +++ b/components/admission/controllers/base/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - namespace.yaml + - rbac.yaml + - kyverno.yaml \ No newline at end of file diff --git a/components/admission/controllers/base/kyverno.yaml b/components/admission/controllers/base/kyverno.yaml new file mode 100644 index 0000000..bd66583 --- /dev/null +++ b/components/admission/controllers/base/kyverno.yaml 
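Review bot: The `patchesJson6902` value `{{ request.object.data.password }}` in the copy-token-from-password rule is substituted with no guard that the key exists; a flux-system Secret that carries SSH material (`identity`/`known_hosts`) instead of a password, or one applied before `password` is set, makes the variable lookup fail, which Kyverno reports as a rule failure and, depending on the webhook failure policy, can reject the update to the bootstrap Secret. A precondition that skips the rule when `password` is empty keeps the copy best-effort and leaves the Secret admissible. Note that the rule copies a git credential under a second key in the same Secret, so it widens nothing by itself, but it only works because the background controller is granted cluster-wide Secret write access in the kyverno.yaml hunk.
```yaml
  rules:
    - name: copy-token-from-password
      # … unchanged: match …
      preconditions:
        all:
          - key: "{{ request.object.data.password || '' }}"
            operator: NotEquals
            value: ""
      # … unchanged: mutate …
```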
@@ -0,0 +1,51 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: kyverno + namespace: kyverno +spec: + interval: 12h + type: oci + url: oci://ghcr.io/kyverno/charts +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: kyverno + namespace: kyverno +spec: + serviceAccountName: flux + interval: 1h + chart: + spec: + version: "3.6.0" # {"$imagepolicy": "flux-system:kyverno:tag"} + chart: kyverno + sourceRef: + kind: HelmRepository + name: kyverno + interval: 12h + install: + crds: Create + timeout: 9m + upgrade: + crds: CreateReplace + timeout: 9m + values: + admissionController: + serviceMonitor: + enabled: true + rbac: + clusterRole: + extraResources: + - apiGroups: [""] + resources: [secrets] + verbs: [get, list] + backgroundController: + serviceMonitor: + enabled: true + rbac: + clusterRole: + extraResources: + - apiGroups: [""] + resources: [secrets] + verbs: [get, list, create, update, delete] \ No newline at end of file diff --git a/components/admission/controllers/base/namespace.yaml b/components/admission/controllers/base/namespace.yaml new file mode 100644 index 0000000..805a921 --- /dev/null +++ b/components/admission/controllers/base/namespace.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kyverno + labels: + app.kubernetes.io/component: admission + toolkit.fluxcd.io/tenant: platform-team + pod-security.kubernetes.io/enforce: baseline \ No newline at end of file diff --git a/components/admission/controllers/base/rbac.yaml b/components/admission/controllers/base/rbac.yaml new file mode 100644 index 0000000..6bc64b2 --- /dev/null +++ b/components/admission/controllers/base/rbac.yaml 
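Review bot: The `extraResources` entries under `values.backgroundController.rbac.clusterRole` give the background controller get/list/create/update/delete on every Secret in the cluster, and the admission controller get/list on every Secret, while the only policy in this commit that touches Secrets (sync-git-token) patches the single existing Secret `flux-system` in namespace `flux-system`. Adding `resourceNames: [flux-system]` to the get/update/delete grant, or binding a namespaced Role in flux-system instead of extending the ClusterRole, keeps a compromised Kyverno pod from reading or rewriting every Secret in the cluster; `list` is effectively not narrowed by `resourceNames`, and `create` does not look needed by these policies, so decide whether either verb is required at all. The setter marker `{"$imagepolicy": "flux-system:kyverno:tag"}` on `version` refers to an ImagePolicy that is not part of this commit; presumably it lives elsewhere, otherwise the ImageUpdateAutomation in update/automation.yaml will never bump this chart version.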
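Review bot: The kyverno Namespace enforces only the `baseline` Pod Security Standard and sets no `audit` or `warn` level; adding `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted` surfaces which Kyverno pods would fail `restricted` without blocking the install, which is the usual stepping stone before tightening `enforce`. This is a point of style on the new manifest rather than a defect.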
@@ -0,0 +1,24 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: admission + toolkit.fluxcd.io/tenant: platform-team + name: flux-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: flux + namespace: kyverno +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: flux + namespace: kyverno + labels: + app.kubernetes.io/component: admission + toolkit.fluxcd.io/tenant: platform-team \ No newline at end of file diff --git a/components/admission/controllers/dev-amd64/kustomization.yaml b/components/admission/controllers/dev-amd64/kustomization.yaml new file mode 100644 index 0000000..82e7d71 --- /dev/null +++ b/components/admission/controllers/dev-amd64/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../base \ No newline at end of file diff --git a/components/admission/controllers/dev-arm64/kustomization.yaml b/components/admission/controllers/dev-arm64/kustomization.yaml new file mode 100644 index 0000000..82e7d71 --- /dev/null +++ b/components/admission/controllers/dev-arm64/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../base \ No newline at end of file diff --git a/update/automation.yaml b/update/automation.yaml new file mode 100644 index 0000000..93667e5 --- /dev/null +++ b/update/automation.yaml 
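Review bot: `ClusterRoleBinding/flux-admission` binds the `flux` ServiceAccount in `kyverno` to the built-in `cluster-admin` ClusterRole, and that same account is the `serviceAccountName` of the Kyverno HelmRelease, so any Flux object in the kyverno namespace that names this ServiceAccount, and any chart value it renders, is applied with full cluster privileges. The Kyverno chart does need cluster-scoped rights (CRDs, ClusterRoles, webhook configurations), so a dedicated ClusterRole covering those resources plus namespaced rights in `kyverno` would be the least-privilege shape. If `cluster-admin` is kept deliberately as the platform-team tenant account, a comment on the binding saying so helps the next reader, e.g. `# platform-team tenant account: cluster-admin is needed to install Kyverno CRDs, ClusterRoles and webhooks`.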
@@ -0,0 +1,38 @@ +apiVersion: image.toolkit.fluxcd.io/v1 +kind: ImageUpdateAutomation +metadata: + name: flux-infra +spec: + interval: 30m + sourceRef: + kind: GitRepository + name: flux-infra + git: + checkout: + ref: + branch: ${GIT_BRANCH} + commit: + author: + email: home-lab-fluxcd-bot@users.noreply.home.lab + name: home-lab-fluxcd-bot + messageTemplate: | + Automated image update + + Files: + {{ range $filename, $_ := .Changed.FileChanges -}} + - {{ $filename }} + {{ end -}} + + Objects: + {{ range $resource, $changes := .Changed.Objects -}} + - {{ $resource.Kind }} {{ $resource.Name }} + Changes: + {{- range $_, $change := $changes }} + - {{ $change.OldValue }} -> {{ $change.NewValue }} + {{ end -}} + {{ end -}} + push: + branch: ${GIT_BRANCH} + update: + path: "./components" + strategy: Setters \ No newline at end of file diff --git a/update/kustomization.yaml b/update/kustomization.yaml new file mode 100644 index 0000000..685f99b --- /dev/null +++ b/update/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: flux-system +resources: + - sync.yaml + - automation.yaml +labels: + - pairs: + toolkit.fluxcd.io/tenant: infra + toolkit.fluxcd.io/role: automation \ No newline at end of file diff --git a/update/sync.yaml b/update/sync.yaml new file mode 100644 index 0000000..b37e1a4 --- /dev/null +++ b/update/sync.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: flux-infra-update-policies +spec: + serviceAccountName: flux-infra + interval: 12h + retryInterval: 3m + path: ./update + prune: true + sourceRef: + kind: GitRepository + name: flux-infra \ No newline at end of file
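Review bot: `${GIT_BRANCH}` in `git.checkout.ref.branch` and `git.push.branch` is a Flux post-build substitution variable, but the Kustomization that applies this path (`flux-infra-update-policies` in update/sync.yaml, same hunk line) declares no `postBuild.substitute` or `substituteFrom`, so unless a parent defines it the branch reaches the image-automation-controller unsubstituted (or the build fails, depending on kustomize-controller's strictness) and the checkout cannot succeed. Either add a `postBuild` block to sync.yaml that sources `GIT_BRANCH` from a ConfigMap (name it as a placeholder until the bootstrap resource exists) or set the branch explicitly in both places. The automation also pushes back to the same branch the cluster reconciles from using the flux-system git credential, so that credential carries write access to the repository; keeping it a fine-grained token scoped to this repo limits what can be done with it if the Secret, which Kyverno's background controller can now read, is exposed.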