Initial commit - working through the Flux D1 reference architecture@

This commit is contained in:
V 2025-11-15 17:03:21 +00:00
commit 7f8014b20b
13 changed files with 220 additions and 0 deletions

1
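--- a/README.md
+++ b/README.md
@@ -0,0 +1 @@
+Repo for storing the home lab's K8s GitOps setup. WIP...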


@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- sync-configmaps.yaml
- sync-git-token.yaml


@ -0,0 +1,29 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sync-flux-configmaps
annotations:
kustomize.toolkit.fluxcd.io/force: "Enabled"
spec:
validationFailureAction: Enforce
background: false
generateExisting: true
rules:
# This rule ensures that all namespaces
# have a copy of the flux-runtime-info configmap from the flux-system namespace.
- name: sync-configmaps
match:
any:
- resources:
kinds:
- v1/Namespace
generate:
namespace: "{{request.object.metadata.name}}"
synchronize: true
cloneList:
namespace: flux-system
kinds:
- v1/ConfigMap
selector:
matchLabels:
toolkit.fluxcd.io/runtime: "true"
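Review bot: The `match` on `v1/Namespace` carries no `exclude`, so the clone is generated into `kube-system`, `kube-public`, `kube-node-lease` and the `kyverno` namespace as well, and `generateExisting: true` applies that to every namespace already present when the policy lands. If the runtime ConfigMaps are only meant for tenant namespaces, add an `exclude` block beside `match` listing the system namespaces. The pairing of `background: false` with `generateExisting: true` also deserves a comment: whether existing namespaces are still processed in that combination is not obvious from the policy text, so state the expected outcome next to those two fields.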


@ -0,0 +1,27 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sync-git-token
spec:
mutateExistingOnPolicyUpdate: true
rules:
- name: copy-token-from-password
match:
any:
- resources:
kinds:
- Secret
names:
- flux-system
namespaces:
- flux-system
mutate:
targets:
- apiVersion: v1
kind: Secret
name: flux-system
namespace: flux-system
patchesJson6902: |-
- op: add
path: "/data/token"
value: "{{ request.object.data.password }}"
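Review bot: The patch at `value: "{{ request.object.data.password }}"` assumes the `flux-system` Secret carries a `password` key; if the Secret is SSH-based or is later rotated to a different shape, the variable substitution fails and the mutation is reported as an error rather than skipped. A `preconditions` entry such as `key: "{{ request.object.data.password || '' }}"` with `operator: NotEquals` and `value: ""` turns that case into a no-op. Since the value being duplicated is a Git credential, a comment on the rule recording which consumer reads `/data/token` (presumably something that expects the PAT under `token` rather than Flux's `password`) would tell the next reader why a second copy of the secret is justified.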


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- rbac.yaml
- kyverno.yaml


@ -0,0 +1,51 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: kyverno
namespace: kyverno
spec:
interval: 12h
type: oci
url: oci://ghcr.io/kyverno/charts
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: kyverno
namespace: kyverno
spec:
serviceAccountName: flux
interval: 1h
chart:
spec:
version: "3.6.0" # {"$imagepolicy": "flux-system:kyverno:tag"}
chart: kyverno
sourceRef:
kind: HelmRepository
name: kyverno
interval: 12h
install:
crds: Create
timeout: 9m
upgrade:
crds: CreateReplace
timeout: 9m
values:
admissionController:
serviceMonitor:
enabled: true
rbac:
clusterRole:
extraResources:
- apiGroups: [""]
resources: [secrets]
verbs: [get, list]
backgroundController:
serviceMonitor:
enabled: true
rbac:
clusterRole:
extraResources:
- apiGroups: [""]
resources: [secrets]
verbs: [get, list, create, update, delete]
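Review bot: The `extraResources` entries grant the background controller `get/list/create/update/delete` on every Secret in the cluster and the admission controller `get/list`, while the only Secret-touching rule in this commit (sync-git-token) targets one named Secret in `flux-system`; these land on ClusterRoles, so a compromise of either controller exposes all cluster credentials. `create` and `delete` do not look necessary for a `patchesJson6902` mutation of an existing object, so confirm against Kyverno's documented verbs for mutate-existing and trim to what is required, and add a comment naming the policy that needs each verb so the grant stays reviewable. Separately, the OCI `HelmRepository` pulls `oci://ghcr.io/kyverno/charts` with no provenance check; if the publisher signs chart releases, `chart.spec.verify` with `provider: cosign` on the HelmRelease lets Flux reject an unsigned or tampered chart.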


@ -0,0 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: kyverno
labels:
app.kubernetes.io/component: admission
toolkit.fluxcd.io/tenant: platform-team
pod-security.kubernetes.io/enforce: baseline
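Review bot: `pod-security.kubernetes.io/enforce: baseline` is applied to the namespace that also hosts a ServiceAccount bound to `cluster-admin` (rbac.yaml in this commit), so any pod admitted there under baseline that reaches that account's token has full cluster control. `restricted` is the stronger setting if the Kyverno chart's pods satisfy it; adding `pod-security.kubernetes.io/warn: restricted` alongside the enforce label first shows whether they do without blocking the install.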


@ -0,0 +1,24 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: admission
toolkit.fluxcd.io/tenant: platform-team
name: flux-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: flux
namespace: kyverno
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: flux
namespace: kyverno
labels:
app.kubernetes.io/component: admission
toolkit.fluxcd.io/tenant: platform-team
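Review bot: The `flux` ServiceAccount is bound to `cluster-admin` through a ClusterRoleBinding, the widest grant available; if that breadth is intended for the platform tenant, the ServiceAccount should at least carry `automountServiceAccountToken: false` so pods scheduled in `kyverno` do not receive the token by default — Flux impersonates the account through the API server and does not need a mounted token. A comment on the binding recording why `cluster-admin` rather than a narrower ClusterRole is required (CRD and ClusterRole installation for the Kyverno chart, presumably) would make the grant reviewable later.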


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base

38
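--- a/update/automation.yaml
+++ b/update/automation.yaml
@@ -0,0 +1,38 @@
+apiVersion: image.toolkit.fluxcd.io/v1
+kind: ImageUpdateAutomation
+metadata:
+name: flux-infra
+spec:
+interval: 30m
+sourceRef:
+kind: GitRepository
+name: flux-infra
+git:
+checkout:
+ref:
+branch: ${GIT_BRANCH}
+commit:
+author:
+email: home-lab-fluxcd-bot@users.noreply.home.lab
+name: home-lab-fluxcd-bot
+messageTemplate: |
+Automated image update
+Files:
+{{ range $filename, $_ := .Changed.FileChanges -}}
+- {{ $filename }}
+{{ end -}}
+Objects:
+{{ range $resource, $changes := .Changed.Objects -}}
+- {{ $resource.Kind }} {{ $resource.Name }}
+Changes:
+{{- range $_, $change := $changes }}
+- {{ $change.OldValue }} -> {{ $change.NewValue }}
+{{ end -}}
+{{ end -}}
+push:
+branch: ${GIT_BRANCH}
+update:
+path: "./components"
+strategy: Setters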
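Review bot: The automation pushes to the same `${GIT_BRANCH}` it checks out and Flux reconciles from, so whatever an ImagePolicy selects becomes cluster state on the next sync with no human in the loop; setting `git.commit.signingKey` (a GPG key held in a Secret) makes those commits verifiable so branch protection can require signatures and an unsigned push with the bot's credentials is distinguishable from the controller's own. The setter marker in kyverno.yaml, `{"$imagepolicy": "flux-system:kyverno:tag"}`, refers to an ImagePolicy that is not part of this commit, and `update.path: "./components"` has to contain that file for the marker to be picked up — a comment here pointing to where the policy is defined would save the next reader the search.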

10
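--- a/update/kustomization.yaml
+++ b/update/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: flux-system
+resources:
+- sync.yaml
+- automation.yaml
+labels:
+- pairs:
+toolkit.fluxcd.io/tenant: infra
+toolkit.fluxcd.io/role: automation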

13
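--- a/update/sync.yaml
+++ b/update/sync.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+name: flux-infra-update-policies
+spec:
+serviceAccountName: flux-infra
+interval: 12h
+retryInterval: 3m
+path: ./update
+prune: true
+sourceRef:
+kind: GitRepository
+name: flux-infra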
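Review bot: `flux-infra-update-policies` renders `./update`, which contains `${GIT_BRANCH}` in automation.yaml, but it has no `postBuild` section; Flux only performs variable substitution when `postBuild` is present, so the literal string `${GIT_BRANCH}` would reach the ImageUpdateAutomation as the branch name unless a bootstrap Kustomization outside this commit renders the directory instead. Add `postBuild.substituteFrom` referencing the ConfigMap or Secret that carries `GIT_BRANCH` (or a `substitute` map) to this Kustomization. The `flux-infra` ServiceAccount and `GitRepository` it references are also not defined here; a comment naming where they come from would help.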